Message ID | 20b4b5408c5249437f7efc02a884f4a925ad840e.1614945892.git.frode.nordahl@canonical.com |
---|---|
State | Accepted |
Series | Fix missing RBAC rules and enable testing |
On 3/5/21 7:16 AM, Frode Nordahl wrote: > In preparation for enabling testing with SSL and RBAC enabled by > default, rework the certificate generation so that we can easily > add generation of more certificates/CN on demand. > > A side erffect of the change is a more generic naming scheme for > the certificate files so the patch also contains an update to > existing tests so that they use the new filenames. I initially had the same problems as Numan with patches 8 and 9, but after performing a `make distclean` all worked well. That being said, for patches 8 and 9: Acked-by: Mark Michelson <mmichels@redhat.com> > > Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> > --- > tests/automake.mk | 48 ++++++++++++++++++++++------------------------- > tests/ovn.at | 48 +++++++++++++++++++++++------------------------ > 2 files changed, 46 insertions(+), 50 deletions(-) > > diff --git a/tests/automake.mk b/tests/automake.mk > index df6d0a2a9..771dddea2 100644 > --- a/tests/automake.mk > +++ b/tests/automake.mk 
> @@ -236,39 +236,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage > FLAKE8_PYFILES += $(CHECK_PYFILES) > > if HAVE_OPENSSL > -TESTPKI_FILES = \ > - tests/testpki-cacert.pem \ > - tests/testpki-cert.pem \ > - tests/testpki-privkey.pem \ > - tests/testpki-req.pem \ > - tests/testpki-cert2.pem \ > - tests/testpki-privkey2.pem \ > - tests/testpki-req2.pem > +OVS_PKI_DIR = $(CURDIR)/tests/pki > +TESTPKI_CNS = test test2 > +TESTPKI_FILES = $(shell \ > + for cn in $(TESTPKI_CNS); do \ > + echo tests/testpki-$$cn-cert.pem ; \ > + echo tests/testpki-$$cn-privkey.pem ; \ > + echo tests/testpki-$$cn-req.pem ; \ > + done) > + > +tests/testpki-cacert.pem: tests/pki/stamp > + $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@ > + > +$(TESTPKI_FILES): tests/pki/stamp > + $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@ > + > +check_DATA += tests/testpki-cacert.pem > check_DATA += $(TESTPKI_FILES) > +CLEANFILES += tests/testpki-cacert.pem > CLEANFILES += $(TESTPKI_FILES) > > -tests/testpki-cacert.pem: tests/pki/stamp > - $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@ > -tests/testpki-cert.pem: tests/pki/stamp > - $(AM_V_GEN)cp tests/pki/test-cert.pem $@ > -tests/testpki-req.pem: tests/pki/stamp > - $(AM_V_GEN)cp tests/pki/test-req.pem $@ > -tests/testpki-privkey.pem: tests/pki/stamp > - $(AM_V_GEN)cp tests/pki/test-privkey.pem $@ > -tests/testpki-cert2.pem: tests/pki/stamp > - $(AM_V_GEN)cp tests/pki/test2-cert.pem $@ > -tests/testpki-req2.pem: tests/pki/stamp > - $(AM_V_GEN)cp tests/pki/test2-req.pem $@ > -tests/testpki-privkey2.pem: tests/pki/stamp > - $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@ > - > -OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log > + > +OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log > tests/pki/stamp: > $(AM_V_at)rm -f tests/pki/stamp > $(AM_V_at)rm -rf tests/pki > $(AM_V_GEN)$(OVS_PKI) init && \ > - $(OVS_PKI) req+sign 
tests/pki/test && \ > - $(OVS_PKI) req+sign tests/pki/test2 && \ > + for cn in $(TESTPKI_CNS); do \ > + $(OVS_PKI) req+sign tests/pki/$$cn; \ > + done && \ > : > tests/pki/stamp > CLEANFILES += tests/ovs-pki.log > > diff --git a/tests/ovn.at b/tests/ovn.at > index ca9623fee..5cd8b34d7 100644 > --- a/tests/ovn.at > +++ b/tests/ovn.at > @@ -8810,8 +8810,8 @@ AT_CHECK( > > start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ > --remote=db:OVN_Southbound,SB_Global,connections \ > - --private-key="$PKIDIR/testpki-privkey2.pem" \ > - --certificate="$PKIDIR/testpki-cert2.pem" \ > + --private-key="$PKIDIR/testpki-test2-privkey.pem" \ > + --certificate="$PKIDIR/testpki-test2-cert.pem" \ > --ca-cert="$PKIDIR/testpki-cacert.pem" \ > ovn-sb.db 
> > @@ -8819,20 +8819,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) > > # read-only accesses should succeed > AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > - --private-key=$PKIDIR/testpki-privkey.pem \ > - --certificate=$PKIDIR/testpki-cert.pem \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > --ca-cert=$PKIDIR/testpki-cacert.pem \ > list SB_Global], [0], [stdout], [ignore]) > AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > - --private-key=$PKIDIR/testpki-privkey.pem \ > - --certificate=$PKIDIR/testpki-cert.pem \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > --ca-cert=$PKIDIR/testpki-cacert.pem \ > list Connection], [0], [stdout], [ignore]) > > # write access should fail > AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > - --private-key=$PKIDIR/testpki-privkey.pem \ > - --certificate=$PKIDIR/testpki-cert.pem \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > --ca-cert=$PKIDIR/testpki-cacert.pem \ > chassis-add ch vxlan 1.2.4.8], [1], [ignore], > [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"} > @@ -8860,8 +8860,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ > > # Populate SSL configuration entries in nb db > AT_CHECK( > - [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \ > - $PKIDIR/testpki-cert.pem \ > + [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ > + $PKIDIR/testpki-test-cert.pem \ > $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) > > # Populate a passive SSL connection in nb db 
> @@ -8871,20 +8871,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) > > # Verify SSL connetivity to nb db server > AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ > - --private-key=$PKIDIR/testpki-privkey.pem \ > - --certificate=$PKIDIR/testpki-cert.pem \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > --ca-cert=$PKIDIR/testpki-cacert.pem \ > list NB_Global], > [0], [stdout], [ignore]) > AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ > - --private-key=$PKIDIR/testpki-privkey.pem \ > - --certificate=$PKIDIR/testpki-cert.pem \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > --ca-cert=$PKIDIR/testpki-cacert.pem \ > list Connection], > [0], [stdout], [ignore]) > AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ > - --private-key=$PKIDIR/testpki-privkey.pem \ > - --certificate=$PKIDIR/testpki-cert.pem \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > --ca-cert=$PKIDIR/testpki-cacert.pem \ > get-connection], > [0], [stdout], [ignore]) > @@ -8911,8 +8911,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ > > # Populate SSL configuration entries in sb db > AT_CHECK( > - [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \ > - $PKIDIR/testpki-cert.pem \ > + [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ > + $PKIDIR/testpki-test-cert.pem \ > $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) > > # Populate a passive SSL connection in sb db 
> @@ -8922,20 +8922,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) > > # Verify SSL connetivity to sb db server > AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > - --private-key=$PKIDIR/testpki-privkey.pem \ > - --certificate=$PKIDIR/testpki-cert.pem \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > --ca-cert=$PKIDIR/testpki-cacert.pem \ > list SB_Global], > [0], [stdout], [ignore]) > AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > - --private-key=$PKIDIR/testpki-privkey.pem \ > - --certificate=$PKIDIR/testpki-cert.pem \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > --ca-cert=$PKIDIR/testpki-cacert.pem \ > list Connection], > [0], [stdout], [ignore]) > AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > - --private-key=$PKIDIR/testpki-privkey.pem \ > - --certificate=$PKIDIR/testpki-cert.pem \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > --ca-cert=$PKIDIR/testpki-cacert.pem \ > get-connection], > [0], [stdout], [ignore]) >
On Mon, Apr 5, 2021 at 10:56 AM Mark Michelson <mmichels@redhat.com> wrote: > > On 3/5/21 7:16 AM, Frode Nordahl wrote: > > In preparation for enabling testing with SSL and RBAC enabled by > > default, rework the certificate generation so that we can easily > > add generation of more certificates/CN on demand. > > > > A side erffect of the change is a more generic naming scheme for > > the certificate files so the patch also contains an update to > > existing tests so that they use the new filenames. > > I initially had the same problems as Numan with patches 8 and 9, but > after performing a `make distclean` all worked well. > > That being said, for patches 8 and 9: > > Acked-by: Mark Michelson <mmichels@redhat.com> I applied patches 8 and 9 to the main branch. Thanks Numan > > > > > Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> > > --- > > tests/automake.mk | 48 ++++++++++++++++++++++------------------------- > > tests/ovn.at | 48 +++++++++++++++++++++++------------------------ > > 2 files changed, 46 insertions(+), 50 deletions(-) > > > > diff --git a/tests/automake.mk b/tests/automake.mk > > index df6d0a2a9..771dddea2 100644 > > --- a/tests/automake.mk > > +++ b/tests/automake.mk 
> > @@ -236,39 +236,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage > > FLAKE8_PYFILES += $(CHECK_PYFILES) > > > > if HAVE_OPENSSL > > -TESTPKI_FILES = \ > > - tests/testpki-cacert.pem \ > > - tests/testpki-cert.pem \ > > - tests/testpki-privkey.pem \ > > - tests/testpki-req.pem \ > > - tests/testpki-cert2.pem \ > > - tests/testpki-privkey2.pem \ > > - tests/testpki-req2.pem > > +OVS_PKI_DIR = $(CURDIR)/tests/pki > > +TESTPKI_CNS = test test2 > > +TESTPKI_FILES = $(shell \ > > + for cn in $(TESTPKI_CNS); do \ > > + echo tests/testpki-$$cn-cert.pem ; \ > > + echo tests/testpki-$$cn-privkey.pem ; \ > > + echo tests/testpki-$$cn-req.pem ; \ > > + done) > > + > > +tests/testpki-cacert.pem: tests/pki/stamp > > + $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@ > > + > > +$(TESTPKI_FILES): tests/pki/stamp > > + $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@ > > + > > +check_DATA += tests/testpki-cacert.pem > > check_DATA += $(TESTPKI_FILES) > > +CLEANFILES += tests/testpki-cacert.pem > > CLEANFILES += $(TESTPKI_FILES) > > > > -tests/testpki-cacert.pem: tests/pki/stamp > > - $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@ > > -tests/testpki-cert.pem: tests/pki/stamp > > - $(AM_V_GEN)cp tests/pki/test-cert.pem $@ > > -tests/testpki-req.pem: tests/pki/stamp > > - $(AM_V_GEN)cp tests/pki/test-req.pem $@ > > -tests/testpki-privkey.pem: tests/pki/stamp > > - $(AM_V_GEN)cp tests/pki/test-privkey.pem $@ > > -tests/testpki-cert2.pem: tests/pki/stamp > > - $(AM_V_GEN)cp tests/pki/test2-cert.pem $@ > > -tests/testpki-req2.pem: tests/pki/stamp > > - $(AM_V_GEN)cp tests/pki/test2-req.pem $@ > > -tests/testpki-privkey2.pem: tests/pki/stamp > > - $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@ > > - > > -OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log > > + > > +OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log > > tests/pki/stamp: > > $(AM_V_at)rm -f 
tests/pki/stamp > > $(AM_V_at)rm -rf tests/pki > > $(AM_V_GEN)$(OVS_PKI) init && \ > > - $(OVS_PKI) req+sign tests/pki/test && \ > > - $(OVS_PKI) req+sign tests/pki/test2 && \ > > + for cn in $(TESTPKI_CNS); do \ > > + $(OVS_PKI) req+sign tests/pki/$$cn; \ > > + done && \ > > : > tests/pki/stamp > > CLEANFILES += tests/ovs-pki.log > > > > diff --git a/tests/ovn.at b/tests/ovn.at > > index ca9623fee..5cd8b34d7 100644 > > --- a/tests/ovn.at > > +++ b/tests/ovn.at > > @@ -8810,8 +8810,8 @@ AT_CHECK( > > > > start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ > > --remote=db:OVN_Southbound,SB_Global,connections \ > > - --private-key="$PKIDIR/testpki-privkey2.pem" \ > > - --certificate="$PKIDIR/testpki-cert2.pem" \ > > + --private-key="$PKIDIR/testpki-test2-privkey.pem" \ > > + --certificate="$PKIDIR/testpki-test2-cert.pem" \ > > --ca-cert="$PKIDIR/testpki-cacert.pem" \ > > ovn-sb.db 
> > > > @@ -8819,20 +8819,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) > > > > # read-only accesses should succeed > > AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > - --private-key=$PKIDIR/testpki-privkey.pem \ > > - --certificate=$PKIDIR/testpki-cert.pem \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > --ca-cert=$PKIDIR/testpki-cacert.pem \ > > list SB_Global], [0], [stdout], [ignore]) > > AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > - --private-key=$PKIDIR/testpki-privkey.pem \ > > - --certificate=$PKIDIR/testpki-cert.pem \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > --ca-cert=$PKIDIR/testpki-cacert.pem \ > > list Connection], [0], [stdout], [ignore]) > > > > # write access should fail > > AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > - --private-key=$PKIDIR/testpki-privkey.pem \ > > - --certificate=$PKIDIR/testpki-cert.pem \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > --ca-cert=$PKIDIR/testpki-cacert.pem \ > > chassis-add ch vxlan 1.2.4.8], [1], [ignore], > > [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"} > > @@ -8860,8 +8860,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ > > > > # Populate SSL configuration entries in nb db > > AT_CHECK( > > - [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \ > > - $PKIDIR/testpki-cert.pem \ > > + [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ > > + $PKIDIR/testpki-test-cert.pem \ > > $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) > > > > # Populate a passive SSL connection in nb db 
> > @@ -8871,20 +8871,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) > > > > # Verify SSL connetivity to nb db server > > AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > - --private-key=$PKIDIR/testpki-privkey.pem \ > > - --certificate=$PKIDIR/testpki-cert.pem \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > --ca-cert=$PKIDIR/testpki-cacert.pem \ > > list NB_Global], > > [0], [stdout], [ignore]) > > AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > - --private-key=$PKIDIR/testpki-privkey.pem \ > > - --certificate=$PKIDIR/testpki-cert.pem \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > --ca-cert=$PKIDIR/testpki-cacert.pem \ > > list Connection], > > [0], [stdout], [ignore]) > > AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > - --private-key=$PKIDIR/testpki-privkey.pem \ > > - --certificate=$PKIDIR/testpki-cert.pem \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > --ca-cert=$PKIDIR/testpki-cacert.pem \ > > get-connection], > > [0], [stdout], [ignore]) > > @@ -8911,8 +8911,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ > > > > # Populate SSL configuration entries in sb db > > AT_CHECK( > > - [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \ > > - $PKIDIR/testpki-cert.pem \ > > + [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ > > + $PKIDIR/testpki-test-cert.pem \ > > $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) > > > > # Populate a passive SSL connection in sb db 
> > @@ -8922,20 +8922,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) > > > > # Verify SSL connetivity to sb db server > > AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > - --private-key=$PKIDIR/testpki-privkey.pem \ > > - --certificate=$PKIDIR/testpki-cert.pem \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > --ca-cert=$PKIDIR/testpki-cacert.pem \ > > list SB_Global], > > [0], [stdout], [ignore]) > > AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > - --private-key=$PKIDIR/testpki-privkey.pem \ > > - --certificate=$PKIDIR/testpki-cert.pem \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > --ca-cert=$PKIDIR/testpki-cacert.pem \ > > list Connection], > > [0], [stdout], [ignore]) > > AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > - --private-key=$PKIDIR/testpki-privkey.pem \ > > - --certificate=$PKIDIR/testpki-cert.pem \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > --ca-cert=$PKIDIR/testpki-cacert.pem \ > > get-connection], > > [0], [stdout], [ignore]) > > > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
diff --git a/tests/automake.mk b/tests/automake.mk index df6d0a2a9..771dddea2 100644 --- a/tests/automake.mk +++ b/tests/automake.mk 
@@ -236,39 +236,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage FLAKE8_PYFILES += $(CHECK_PYFILES) if HAVE_OPENSSL -TESTPKI_FILES = \ - tests/testpki-cacert.pem \ - tests/testpki-cert.pem \ - tests/testpki-privkey.pem \ - tests/testpki-req.pem \ - tests/testpki-cert2.pem \ - tests/testpki-privkey2.pem \ - tests/testpki-req2.pem +OVS_PKI_DIR = $(CURDIR)/tests/pki +TESTPKI_CNS = test test2 +TESTPKI_FILES = $(shell \ + for cn in $(TESTPKI_CNS); do \ + echo tests/testpki-$$cn-cert.pem ; \ + echo tests/testpki-$$cn-privkey.pem ; \ + echo tests/testpki-$$cn-req.pem ; \ + done) + +tests/testpki-cacert.pem: tests/pki/stamp + $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@ + +$(TESTPKI_FILES): tests/pki/stamp + $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@ + +check_DATA += tests/testpki-cacert.pem check_DATA += $(TESTPKI_FILES) +CLEANFILES += tests/testpki-cacert.pem CLEANFILES += $(TESTPKI_FILES) -tests/testpki-cacert.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@ -tests/testpki-cert.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test-cert.pem $@ -tests/testpki-req.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test-req.pem $@ -tests/testpki-privkey.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test-privkey.pem $@ -tests/testpki-cert2.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test2-cert.pem $@ -tests/testpki-req2.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test2-req.pem $@ -tests/testpki-privkey2.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@ - -OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log + +OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log tests/pki/stamp: $(AM_V_at)rm -f tests/pki/stamp $(AM_V_at)rm -rf tests/pki $(AM_V_GEN)$(OVS_PKI) init && \ - $(OVS_PKI) req+sign tests/pki/test && \ - $(OVS_PKI) req+sign tests/pki/test2 && \ + for cn in $(TESTPKI_CNS); do \ + $(OVS_PKI) 
req+sign tests/pki/$$cn; \ + done && \ : > tests/pki/stamp CLEANFILES += tests/ovs-pki.log diff --git a/tests/ovn.at b/tests/ovn.at index ca9623fee..5cd8b34d7 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -8810,8 +8810,8 @@ AT_CHECK( start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ --remote=db:OVN_Southbound,SB_Global,connections \ - --private-key="$PKIDIR/testpki-privkey2.pem" \ - --certificate="$PKIDIR/testpki-cert2.pem" \ + --private-key="$PKIDIR/testpki-test2-privkey.pem" \ + --certificate="$PKIDIR/testpki-test2-cert.pem" \ --ca-cert="$PKIDIR/testpki-cacert.pem" \ ovn-sb.db @@ -8819,20 +8819,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) # read-only accesses should succeed AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list SB_Global], [0], [stdout], [ignore]) AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list Connection], [0], [stdout], [ignore]) # write access should fail AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ chassis-add ch vxlan 1.2.4.8], [1], [ignore], [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"} 
@@ -8860,8 +8860,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ # Populate SSL configuration entries in nb db AT_CHECK( - [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \ - $PKIDIR/testpki-cert.pem \ + [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ + $PKIDIR/testpki-test-cert.pem \ $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) # Populate a passive SSL connection in nb db @@ -8871,20 +8871,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) # Verify SSL connetivity to nb db server AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list NB_Global], [0], [stdout], [ignore]) AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list Connection], [0], [stdout], [ignore]) AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ get-connection], [0], [stdout], [ignore]) @@ -8911,8 +8911,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ # Populate SSL configuration entries in sb db AT_CHECK( - [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \ - $PKIDIR/testpki-cert.pem \ + [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ + $PKIDIR/testpki-test-cert.pem \ $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) # Populate a passive SSL connection in sb db 
@@ -8922,20 +8922,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) # Verify SSL connetivity to sb db server AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list SB_Global], [0], [stdout], [ignore]) AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list Connection], [0], [stdout], [ignore]) AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ get-connection], [0], [stdout], [ignore])
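Review bot: in the tests/pki/stamp rule of the tests/automake.mk hunk, the new `for cn in $(TESTPKI_CNS); do $(OVS_PKI) req+sign tests/pki/$$cn; done && : > tests/pki/stamp` loop only reports the exit status of its last iteration, so a failed `req+sign` for `test` is masked when `test2` succeeds and the stamp is still written; the removed `&&` chain failed on either. Add `|| exit 1` after the `req+sign` inside the loop. The same rule now mixes the absolute `$(OVS_PKI_DIR)` passed to `--dir=` with relative `tests/pki` in `rm -rf tests/pki` and `req+sign tests/pki/$$cn`; using `$(OVS_PKI_DIR)` throughout would keep the two from diverging. Finally, `tests/pki/stamp:` still has no prerequisites, so a tests/pki left over from a build done before this patch is never regenerated, which matches the `make distclean` both reviewers needed; listing tests/automake.mk as a prerequisite of the stamp would regenerate the PKI when the naming scheme changes.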
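Review bot: in the tests/ovn.at hunks, the `start_daemon ovsdb-server` block quotes the renamed paths (`--private-key="$PKIDIR/testpki-test2-privkey.pem"`) while every ovn-sbctl, ovn-nbctl and set-ssl invocation leaves `$PKIDIR/...` unquoted; since the patch rewrites all of those lines anyway, quote them uniformly so a build directory containing whitespace does not break only the client side. The renames themselves are consistent with the testpki-<cn>-{cert,privkey,req}.pem scheme introduced in automake.mk. Note that the first test still starts the server with the `test2` identity and the client with `test`, and the write denial it expects is the "database server is in read only mode" error rather than an RBAC denial, so this rename does not change what that test proves about RBAC.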
In preparation for enabling testing with SSL and RBAC enabled by default, rework the certificate generation so that we can easily add generation of more certificates/CN on demand.

A side effect of the change is a more generic naming scheme for the certificate files so the patch also contains an update to existing tests so that they use the new filenames.

Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
---
 tests/automake.mk | 48 ++++++++++++++++++++++-------------------------
 tests/ovn.at      | 48 +++++++++++++++++++++++------------------------
 2 files changed, 46 insertions(+), 50 deletions(-)