
[ovs-dev,v2,8/9] tests: Make certificate generation extendable

Message ID 20b4b5408c5249437f7efc02a884f4a925ad840e.1614945892.git.frode.nordahl@canonical.com
State Accepted
Series Fix missing RBAC rules and enable testing | expand

Commit Message

Frode Nordahl March 5, 2021, 12:16 p.m. UTC
In preparation for enabling testing with SSL and RBAC enabled by
default, rework the certificate generation so that we can easily
add generation of more certificates/CN on demand.

A side effect of the change is a more generic naming scheme for
the certificate files so the patch also contains an update to
existing tests so that they use the new filenames.

Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
---
 tests/automake.mk | 48 ++++++++++++++++++++++-------------------------
 tests/ovn.at      | 48 +++++++++++++++++++++++------------------------
 2 files changed, 46 insertions(+), 50 deletions(-)

Comments

Mark Michelson April 5, 2021, 2:56 p.m. UTC | #1
On 3/5/21 7:16 AM, Frode Nordahl wrote:
> In preparation for enabling testing with SSL and RBAC enabled by
> default, rework the certificate generation so that we can easily
> add generation of more certificates/CN on demand.
> 
> A side erffect of the change is a more generic naming scheme for
> the certificate files so the patch also contains an update to
> existing tests so that they use the new filenames.

I initially had the same problems as Numan with patches 8 and 9, but 
after performing a `make distclean` all worked well.

That being said, for patches 8 and 9:

Acked-by: Mark Michelson <mmichels@redhat.com>

> 
> Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
> ---
>   tests/automake.mk | 48 ++++++++++++++++++++++-------------------------
>   tests/ovn.at      | 48 +++++++++++++++++++++++------------------------
>   2 files changed, 46 insertions(+), 50 deletions(-)
> 
> diff --git a/tests/automake.mk b/tests/automake.mk
> index df6d0a2a9..771dddea2 100644
> --- a/tests/automake.mk
> +++ b/tests/automake.mk
> @@ -236,39 +236,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage
>   FLAKE8_PYFILES += $(CHECK_PYFILES)
>   
>   if HAVE_OPENSSL
> -TESTPKI_FILES = \
> -	tests/testpki-cacert.pem \
> -	tests/testpki-cert.pem \
> -	tests/testpki-privkey.pem \
> -	tests/testpki-req.pem \
> -	tests/testpki-cert2.pem \
> -	tests/testpki-privkey2.pem \
> -	tests/testpki-req2.pem
> +OVS_PKI_DIR = $(CURDIR)/tests/pki
> +TESTPKI_CNS = test test2
> +TESTPKI_FILES = $(shell \
> +	for cn in $(TESTPKI_CNS); do \
> +		echo tests/testpki-$$cn-cert.pem ; \
> +		echo tests/testpki-$$cn-privkey.pem ; \
> +		echo tests/testpki-$$cn-req.pem ; \
> +	done)
> +
> +tests/testpki-cacert.pem: tests/pki/stamp
> +	$(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@
> +
> +$(TESTPKI_FILES): tests/pki/stamp
> +	$(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@
> +
> +check_DATA += tests/testpki-cacert.pem
>   check_DATA += $(TESTPKI_FILES)
> +CLEANFILES += tests/testpki-cacert.pem
>   CLEANFILES += $(TESTPKI_FILES)
>   
> -tests/testpki-cacert.pem: tests/pki/stamp
> -	$(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@
> -tests/testpki-cert.pem: tests/pki/stamp
> -	$(AM_V_GEN)cp tests/pki/test-cert.pem $@
> -tests/testpki-req.pem: tests/pki/stamp
> -	$(AM_V_GEN)cp tests/pki/test-req.pem $@
> -tests/testpki-privkey.pem: tests/pki/stamp
> -	$(AM_V_GEN)cp tests/pki/test-privkey.pem $@
> -tests/testpki-cert2.pem: tests/pki/stamp
> -	$(AM_V_GEN)cp tests/pki/test2-cert.pem $@
> -tests/testpki-req2.pem: tests/pki/stamp
> -	$(AM_V_GEN)cp tests/pki/test2-req.pem $@
> -tests/testpki-privkey2.pem: tests/pki/stamp
> -	$(AM_V_GEN)cp tests/pki/test2-privkey.pem $@
> -
> -OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log
> +
> +OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log
>   tests/pki/stamp:
>   	$(AM_V_at)rm -f tests/pki/stamp
>   	$(AM_V_at)rm -rf tests/pki
>   	$(AM_V_GEN)$(OVS_PKI) init && \
> -	$(OVS_PKI) req+sign tests/pki/test && \
> -	$(OVS_PKI) req+sign tests/pki/test2 && \
> +	for cn in $(TESTPKI_CNS); do \
> +		$(OVS_PKI) req+sign tests/pki/$$cn; \
> +	done && \
>   	: > tests/pki/stamp
>   CLEANFILES += tests/ovs-pki.log
>   
> diff --git a/tests/ovn.at b/tests/ovn.at
> index ca9623fee..5cd8b34d7 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -8810,8 +8810,8 @@ AT_CHECK(
>   
>   start_daemon ovsdb-server --remote=punix:ovn-sb.sock \
>                             --remote=db:OVN_Southbound,SB_Global,connections \
> -                          --private-key="$PKIDIR/testpki-privkey2.pem" \
> -                          --certificate="$PKIDIR/testpki-cert2.pem" \
> +                          --private-key="$PKIDIR/testpki-test2-privkey.pem" \
> +                          --certificate="$PKIDIR/testpki-test2-cert.pem" \
>                             --ca-cert="$PKIDIR/testpki-cacert.pem" \
>                             ovn-sb.db
>   
> @@ -8819,20 +8819,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
>   
>   # read-only accesses should succeed
>   AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> -                    --private-key=$PKIDIR/testpki-privkey.pem \
> -                    --certificate=$PKIDIR/testpki-cert.pem \
> +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> +                    --certificate=$PKIDIR/testpki-test-cert.pem \
>                       --ca-cert=$PKIDIR/testpki-cacert.pem \
>                       list SB_Global], [0], [stdout], [ignore])
>   AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> -                    --private-key=$PKIDIR/testpki-privkey.pem \
> -                    --certificate=$PKIDIR/testpki-cert.pem \
> +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> +                    --certificate=$PKIDIR/testpki-test-cert.pem \
>                       --ca-cert=$PKIDIR/testpki-cacert.pem \
>                       list Connection], [0], [stdout], [ignore])
>   
>   # write access should fail
>   AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> -                    --private-key=$PKIDIR/testpki-privkey.pem \
> -                    --certificate=$PKIDIR/testpki-cert.pem \
> +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> +                    --certificate=$PKIDIR/testpki-test-cert.pem \
>                       --ca-cert=$PKIDIR/testpki-cacert.pem \
>                       chassis-add ch vxlan 1.2.4.8], [1], [ignore],
>   [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"}
> @@ -8860,8 +8860,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \
>   
>   # Populate SSL configuration entries in nb db
>   AT_CHECK(
> -    [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \
> -                       $PKIDIR/testpki-cert.pem \
> +    [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
> +                       $PKIDIR/testpki-test-cert.pem \
>                          $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
>   
>   # Populate a passive SSL connection in nb db
> @@ -8871,20 +8871,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
>   
>   # Verify SSL connetivity to nb db server
>   AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
> -                    --private-key=$PKIDIR/testpki-privkey.pem \
> -                    --certificate=$PKIDIR/testpki-cert.pem \
> +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> +                    --certificate=$PKIDIR/testpki-test-cert.pem \
>                       --ca-cert=$PKIDIR/testpki-cacert.pem \
>             list NB_Global],
>            [0], [stdout], [ignore])
>   AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
> -                    --private-key=$PKIDIR/testpki-privkey.pem \
> -                    --certificate=$PKIDIR/testpki-cert.pem \
> +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> +                    --certificate=$PKIDIR/testpki-test-cert.pem \
>                       --ca-cert=$PKIDIR/testpki-cacert.pem \
>             list Connection],
>            [0], [stdout], [ignore])
>   AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
> -                    --private-key=$PKIDIR/testpki-privkey.pem \
> -                    --certificate=$PKIDIR/testpki-cert.pem \
> +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> +                    --certificate=$PKIDIR/testpki-test-cert.pem \
>                       --ca-cert=$PKIDIR/testpki-cacert.pem \
>             get-connection],
>            [0], [stdout], [ignore])
> @@ -8911,8 +8911,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \
>   
>   # Populate SSL configuration entries in sb db
>   AT_CHECK(
> -    [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \
> -                       $PKIDIR/testpki-cert.pem \
> +    [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
> +                       $PKIDIR/testpki-test-cert.pem \
>                          $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
>   
>   # Populate a passive SSL connection in sb db
> @@ -8922,20 +8922,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
>   
>   # Verify SSL connetivity to sb db server
>   AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> -                    --private-key=$PKIDIR/testpki-privkey.pem \
> -                    --certificate=$PKIDIR/testpki-cert.pem \
> +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> +                    --certificate=$PKIDIR/testpki-test-cert.pem \
>                       --ca-cert=$PKIDIR/testpki-cacert.pem \
>             list SB_Global],
>            [0], [stdout], [ignore])
>   AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> -                    --private-key=$PKIDIR/testpki-privkey.pem \
> -                    --certificate=$PKIDIR/testpki-cert.pem \
> +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> +                    --certificate=$PKIDIR/testpki-test-cert.pem \
>                       --ca-cert=$PKIDIR/testpki-cacert.pem \
>             list Connection],
>            [0], [stdout], [ignore])
>   AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> -                    --private-key=$PKIDIR/testpki-privkey.pem \
> -                    --certificate=$PKIDIR/testpki-cert.pem \
> +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> +                    --certificate=$PKIDIR/testpki-test-cert.pem \
>                       --ca-cert=$PKIDIR/testpki-cacert.pem \
>             get-connection],
>            [0], [stdout], [ignore])
>
Numan Siddique April 12, 2021, 7:19 p.m. UTC | #2
On Mon, Apr 5, 2021 at 10:56 AM Mark Michelson <mmichels@redhat.com> wrote:
>
> On 3/5/21 7:16 AM, Frode Nordahl wrote:
> > In preparation for enabling testing with SSL and RBAC enabled by
> > default, rework the certificate generation so that we can easily
> > add generation of more certificates/CN on demand.
> >
> > A side erffect of the change is a more generic naming scheme for
> > the certificate files so the patch also contains an update to
> > existing tests so that they use the new filenames.
>
> I initially had the same problems as Numan with patches 8 and 9, but
> after performing a `make distclean` all worked well.
>
> That being said, for patches 8 and 9:
>
> Acked-by: Mark Michelson <mmichels@redhat.com>

I applied patches 8 and 9 to the main branch.

Thanks
Numan

>
> >
> > Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
> > ---
> >   tests/automake.mk | 48 ++++++++++++++++++++++-------------------------
> >   tests/ovn.at      | 48 +++++++++++++++++++++++------------------------
> >   2 files changed, 46 insertions(+), 50 deletions(-)
> >
> > diff --git a/tests/automake.mk b/tests/automake.mk
> > index df6d0a2a9..771dddea2 100644
> > --- a/tests/automake.mk
> > +++ b/tests/automake.mk
> > @@ -236,39 +236,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage
> >   FLAKE8_PYFILES += $(CHECK_PYFILES)
> >
> >   if HAVE_OPENSSL
> > -TESTPKI_FILES = \
> > -     tests/testpki-cacert.pem \
> > -     tests/testpki-cert.pem \
> > -     tests/testpki-privkey.pem \
> > -     tests/testpki-req.pem \
> > -     tests/testpki-cert2.pem \
> > -     tests/testpki-privkey2.pem \
> > -     tests/testpki-req2.pem
> > +OVS_PKI_DIR = $(CURDIR)/tests/pki
> > +TESTPKI_CNS = test test2
> > +TESTPKI_FILES = $(shell \
> > +     for cn in $(TESTPKI_CNS); do \
> > +             echo tests/testpki-$$cn-cert.pem ; \
> > +             echo tests/testpki-$$cn-privkey.pem ; \
> > +             echo tests/testpki-$$cn-req.pem ; \
> > +     done)
> > +
> > +tests/testpki-cacert.pem: tests/pki/stamp
> > +     $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@
> > +
> > +$(TESTPKI_FILES): tests/pki/stamp
> > +     $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@
> > +
> > +check_DATA += tests/testpki-cacert.pem
> >   check_DATA += $(TESTPKI_FILES)
> > +CLEANFILES += tests/testpki-cacert.pem
> >   CLEANFILES += $(TESTPKI_FILES)
> >
> > -tests/testpki-cacert.pem: tests/pki/stamp
> > -     $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@
> > -tests/testpki-cert.pem: tests/pki/stamp
> > -     $(AM_V_GEN)cp tests/pki/test-cert.pem $@
> > -tests/testpki-req.pem: tests/pki/stamp
> > -     $(AM_V_GEN)cp tests/pki/test-req.pem $@
> > -tests/testpki-privkey.pem: tests/pki/stamp
> > -     $(AM_V_GEN)cp tests/pki/test-privkey.pem $@
> > -tests/testpki-cert2.pem: tests/pki/stamp
> > -     $(AM_V_GEN)cp tests/pki/test2-cert.pem $@
> > -tests/testpki-req2.pem: tests/pki/stamp
> > -     $(AM_V_GEN)cp tests/pki/test2-req.pem $@
> > -tests/testpki-privkey2.pem: tests/pki/stamp
> > -     $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@
> > -
> > -OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log
> > +
> > +OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log
> >   tests/pki/stamp:
> >       $(AM_V_at)rm -f tests/pki/stamp
> >       $(AM_V_at)rm -rf tests/pki
> >       $(AM_V_GEN)$(OVS_PKI) init && \
> > -     $(OVS_PKI) req+sign tests/pki/test && \
> > -     $(OVS_PKI) req+sign tests/pki/test2 && \
> > +     for cn in $(TESTPKI_CNS); do \
> > +             $(OVS_PKI) req+sign tests/pki/$$cn; \
> > +     done && \
> >       : > tests/pki/stamp
> >   CLEANFILES += tests/ovs-pki.log
> >
> > diff --git a/tests/ovn.at b/tests/ovn.at
> > index ca9623fee..5cd8b34d7 100644
> > --- a/tests/ovn.at
> > +++ b/tests/ovn.at
> > @@ -8810,8 +8810,8 @@ AT_CHECK(
> >
> >   start_daemon ovsdb-server --remote=punix:ovn-sb.sock \
> >                             --remote=db:OVN_Southbound,SB_Global,connections \
> > -                          --private-key="$PKIDIR/testpki-privkey2.pem" \
> > -                          --certificate="$PKIDIR/testpki-cert2.pem" \
> > +                          --private-key="$PKIDIR/testpki-test2-privkey.pem" \
> > +                          --certificate="$PKIDIR/testpki-test2-cert.pem" \
> >                             --ca-cert="$PKIDIR/testpki-cacert.pem" \
> >                             ovn-sb.db
> >
> > @@ -8819,20 +8819,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
> >
> >   # read-only accesses should succeed
> >   AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > -                    --private-key=$PKIDIR/testpki-privkey.pem \
> > -                    --certificate=$PKIDIR/testpki-cert.pem \
> > +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> > +                    --certificate=$PKIDIR/testpki-test-cert.pem \
> >                       --ca-cert=$PKIDIR/testpki-cacert.pem \
> >                       list SB_Global], [0], [stdout], [ignore])
> >   AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > -                    --private-key=$PKIDIR/testpki-privkey.pem \
> > -                    --certificate=$PKIDIR/testpki-cert.pem \
> > +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> > +                    --certificate=$PKIDIR/testpki-test-cert.pem \
> >                       --ca-cert=$PKIDIR/testpki-cacert.pem \
> >                       list Connection], [0], [stdout], [ignore])
> >
> >   # write access should fail
> >   AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > -                    --private-key=$PKIDIR/testpki-privkey.pem \
> > -                    --certificate=$PKIDIR/testpki-cert.pem \
> > +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> > +                    --certificate=$PKIDIR/testpki-test-cert.pem \
> >                       --ca-cert=$PKIDIR/testpki-cacert.pem \
> >                       chassis-add ch vxlan 1.2.4.8], [1], [ignore],
> >   [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"}
> > @@ -8860,8 +8860,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \
> >
> >   # Populate SSL configuration entries in nb db
> >   AT_CHECK(
> > -    [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \
> > -                       $PKIDIR/testpki-cert.pem \
> > +    [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
> > +                       $PKIDIR/testpki-test-cert.pem \
> >                          $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
> >
> >   # Populate a passive SSL connection in nb db
> > @@ -8871,20 +8871,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
> >
> >   # Verify SSL connetivity to nb db server
> >   AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > -                    --private-key=$PKIDIR/testpki-privkey.pem \
> > -                    --certificate=$PKIDIR/testpki-cert.pem \
> > +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> > +                    --certificate=$PKIDIR/testpki-test-cert.pem \
> >                       --ca-cert=$PKIDIR/testpki-cacert.pem \
> >             list NB_Global],
> >            [0], [stdout], [ignore])
> >   AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > -                    --private-key=$PKIDIR/testpki-privkey.pem \
> > -                    --certificate=$PKIDIR/testpki-cert.pem \
> > +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> > +                    --certificate=$PKIDIR/testpki-test-cert.pem \
> >                       --ca-cert=$PKIDIR/testpki-cacert.pem \
> >             list Connection],
> >            [0], [stdout], [ignore])
> >   AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > -                    --private-key=$PKIDIR/testpki-privkey.pem \
> > -                    --certificate=$PKIDIR/testpki-cert.pem \
> > +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> > +                    --certificate=$PKIDIR/testpki-test-cert.pem \
> >                       --ca-cert=$PKIDIR/testpki-cacert.pem \
> >             get-connection],
> >            [0], [stdout], [ignore])
> > @@ -8911,8 +8911,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \
> >
> >   # Populate SSL configuration entries in sb db
> >   AT_CHECK(
> > -    [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \
> > -                       $PKIDIR/testpki-cert.pem \
> > +    [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
> > +                       $PKIDIR/testpki-test-cert.pem \
> >                          $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
> >
> >   # Populate a passive SSL connection in sb db
> > @@ -8922,20 +8922,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
> >
> >   # Verify SSL connetivity to sb db server
> >   AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > -                    --private-key=$PKIDIR/testpki-privkey.pem \
> > -                    --certificate=$PKIDIR/testpki-cert.pem \
> > +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> > +                    --certificate=$PKIDIR/testpki-test-cert.pem \
> >                       --ca-cert=$PKIDIR/testpki-cacert.pem \
> >             list SB_Global],
> >            [0], [stdout], [ignore])
> >   AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > -                    --private-key=$PKIDIR/testpki-privkey.pem \
> > -                    --certificate=$PKIDIR/testpki-cert.pem \
> > +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> > +                    --certificate=$PKIDIR/testpki-test-cert.pem \
> >                       --ca-cert=$PKIDIR/testpki-cacert.pem \
> >             list Connection],
> >            [0], [stdout], [ignore])
> >   AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > -                    --private-key=$PKIDIR/testpki-privkey.pem \
> > -                    --certificate=$PKIDIR/testpki-cert.pem \
> > +                    --private-key=$PKIDIR/testpki-test-privkey.pem \
> > +                    --certificate=$PKIDIR/testpki-test-cert.pem \
> >                       --ca-cert=$PKIDIR/testpki-cacert.pem \
> >             get-connection],
> >            [0], [stdout], [ignore])
> >
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>

Patch

diff --git a/tests/automake.mk b/tests/automake.mk
index df6d0a2a9..771dddea2 100644
--- a/tests/automake.mk
+++ b/tests/automake.mk
@@ -236,39 +236,35 @@  PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage
 FLAKE8_PYFILES += $(CHECK_PYFILES)
 
 if HAVE_OPENSSL
-TESTPKI_FILES = \
-	tests/testpki-cacert.pem \
-	tests/testpki-cert.pem \
-	tests/testpki-privkey.pem \
-	tests/testpki-req.pem \
-	tests/testpki-cert2.pem \
-	tests/testpki-privkey2.pem \
-	tests/testpki-req2.pem
+OVS_PKI_DIR = $(CURDIR)/tests/pki
+TESTPKI_CNS = test test2
+TESTPKI_FILES = $(shell \
+	for cn in $(TESTPKI_CNS); do \
+		echo tests/testpki-$$cn-cert.pem ; \
+		echo tests/testpki-$$cn-privkey.pem ; \
+		echo tests/testpki-$$cn-req.pem ; \
+	done)
+
+tests/testpki-cacert.pem: tests/pki/stamp
+	$(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@
+
+$(TESTPKI_FILES): tests/pki/stamp
+	$(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@
+
+check_DATA += tests/testpki-cacert.pem
 check_DATA += $(TESTPKI_FILES)
+CLEANFILES += tests/testpki-cacert.pem
 CLEANFILES += $(TESTPKI_FILES)
 
-tests/testpki-cacert.pem: tests/pki/stamp
-	$(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@
-tests/testpki-cert.pem: tests/pki/stamp
-	$(AM_V_GEN)cp tests/pki/test-cert.pem $@
-tests/testpki-req.pem: tests/pki/stamp
-	$(AM_V_GEN)cp tests/pki/test-req.pem $@
-tests/testpki-privkey.pem: tests/pki/stamp
-	$(AM_V_GEN)cp tests/pki/test-privkey.pem $@
-tests/testpki-cert2.pem: tests/pki/stamp
-	$(AM_V_GEN)cp tests/pki/test2-cert.pem $@
-tests/testpki-req2.pem: tests/pki/stamp
-	$(AM_V_GEN)cp tests/pki/test2-req.pem $@
-tests/testpki-privkey2.pem: tests/pki/stamp
-	$(AM_V_GEN)cp tests/pki/test2-privkey.pem $@
-
-OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log
+
+OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log
 tests/pki/stamp:
 	$(AM_V_at)rm -f tests/pki/stamp
 	$(AM_V_at)rm -rf tests/pki
 	$(AM_V_GEN)$(OVS_PKI) init && \
-	$(OVS_PKI) req+sign tests/pki/test && \
-	$(OVS_PKI) req+sign tests/pki/test2 && \
+	for cn in $(TESTPKI_CNS); do \
+		$(OVS_PKI) req+sign tests/pki/$$cn; \
+	done && \
 	: > tests/pki/stamp
 CLEANFILES += tests/ovs-pki.log
 
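Review bot: In the `tests/pki/stamp` recipe the new `for cn in $(TESTPKI_CNS)` loop loses the fail-fast behaviour of the `&&` chain it replaces. A shell `for` loop returns the status of the last command it ran, so, assuming the recipe shell is not run with `-e` (nothing in the hunk sets it), a failed `req+sign` for any CN but the last is ignored and the stamp is still written. The missing key or certificate then only shows up later as a `cp` error in the `$(TESTPKI_FILES)` rule, far from the real cause recorded in `tests/ovs-pki.log`. Changing the loop body to `$(OVS_PKI) req+sign tests/pki/$$cn || exit 1; \` stops the recipe at the first failure. The rule is complete within this hunk, but the `if HAVE_OPENSSL` conditional around it closes outside it.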
diff --git a/tests/ovn.at b/tests/ovn.at
index ca9623fee..5cd8b34d7 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -8810,8 +8810,8 @@  AT_CHECK(
 
 start_daemon ovsdb-server --remote=punix:ovn-sb.sock \
                           --remote=db:OVN_Southbound,SB_Global,connections \
-                          --private-key="$PKIDIR/testpki-privkey2.pem" \
-                          --certificate="$PKIDIR/testpki-cert2.pem" \
+                          --private-key="$PKIDIR/testpki-test2-privkey.pem" \
+                          --certificate="$PKIDIR/testpki-test2-cert.pem" \
                           --ca-cert="$PKIDIR/testpki-cacert.pem" \
                           ovn-sb.db
 
@@ -8819,20 +8819,20 @@  PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
 
 # read-only accesses should succeed
 AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
                     list SB_Global], [0], [stdout], [ignore])
 AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
                     list Connection], [0], [stdout], [ignore])
 
 # write access should fail
 AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
                     chassis-add ch vxlan 1.2.4.8], [1], [ignore],
 [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"}
@@ -8860,8 +8860,8 @@  start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \
 
 # Populate SSL configuration entries in nb db
 AT_CHECK(
-    [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \
-                       $PKIDIR/testpki-cert.pem \
+    [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
+                       $PKIDIR/testpki-test-cert.pem \
                        $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
 
 # Populate a passive SSL connection in nb db
@@ -8871,20 +8871,20 @@  PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
 
 # Verify SSL connetivity to nb db server
 AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
           list NB_Global],
          [0], [stdout], [ignore])
 AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
           list Connection],
          [0], [stdout], [ignore])
 AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
           get-connection],
          [0], [stdout], [ignore])
@@ -8911,8 +8911,8 @@  start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \
 
 # Populate SSL configuration entries in sb db
 AT_CHECK(
-    [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \
-                       $PKIDIR/testpki-cert.pem \
+    [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
+                       $PKIDIR/testpki-test-cert.pem \
                        $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
 
 # Populate a passive SSL connection in sb db
@@ -8922,20 +8922,20 @@  PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
 
 # Verify SSL connetivity to sb db server
 AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
           list SB_Global],
          [0], [stdout], [ignore])
 AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
           list Connection],
          [0], [stdout], [ignore])
 AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
           get-connection],
          [0], [stdout], [ignore])