From patchwork Fri Mar 5 12:16:30 2021
X-Patchwork-Submitter: Frode Nordahl
X-Patchwork-Id: 1447799
From: Frode Nordahl
To: dev@openvswitch.org
Date: Fri, 5 Mar 2021 13:16:30 +0100
Message-Id: <20b4b5408c5249437f7efc02a884f4a925ad840e.1614945892.git.frode.nordahl@canonical.com>
X-Mailer: git-send-email 2.30.0
Subject: [ovs-dev] [PATCH ovn v2 8/9] tests: Make certificate generation extendable

In preparation for enabling testing with SSL and RBAC enabled by default, rework the certificate generation so that we can easily add generation of more certificates/CN on demand.

A side effect of the change is a more generic naming scheme for the certificate files so the patch also contains an update to existing tests so that they use the new filenames.

Signed-off-by: Frode Nordahl
Acked-by: Mark Michelson
--- tests/automake.mk | 48 ++++++++++++++++++++++------------------------- tests/ovn.at | 48 +++++++++++++++++++++++------------------------ 2 files changed, 46 insertions(+), 50 deletions(-) diff --git a/tests/automake.mk b/tests/automake.mk index df6d0a2a9..771dddea2 100644 --- a/tests/automake.mk +++ b/tests/automake.mk 
@@ -236,39 +236,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage FLAKE8_PYFILES += $(CHECK_PYFILES) if HAVE_OPENSSL -TESTPKI_FILES = \ - tests/testpki-cacert.pem \ - tests/testpki-cert.pem \ - tests/testpki-privkey.pem \ - tests/testpki-req.pem \ - tests/testpki-cert2.pem \ - tests/testpki-privkey2.pem \ - tests/testpki-req2.pem +OVS_PKI_DIR = $(CURDIR)/tests/pki +TESTPKI_CNS = test test2 +TESTPKI_FILES = $(shell \ + for cn in $(TESTPKI_CNS); do \ + echo tests/testpki-$$cn-cert.pem ; \ + echo tests/testpki-$$cn-privkey.pem ; \ + echo tests/testpki-$$cn-req.pem ; \ + done) + +tests/testpki-cacert.pem: tests/pki/stamp + $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@ + +$(TESTPKI_FILES): tests/pki/stamp + $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@ + +check_DATA += tests/testpki-cacert.pem check_DATA += $(TESTPKI_FILES) +CLEANFILES += tests/testpki-cacert.pem CLEANFILES += $(TESTPKI_FILES) -tests/testpki-cacert.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@ -tests/testpki-cert.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test-cert.pem $@ -tests/testpki-req.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test-req.pem $@ -tests/testpki-privkey.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test-privkey.pem $@ -tests/testpki-cert2.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test2-cert.pem $@ -tests/testpki-req2.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test2-req.pem $@ -tests/testpki-privkey2.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@ - -OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log + +OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log tests/pki/stamp: $(AM_V_at)rm -f tests/pki/stamp $(AM_V_at)rm -rf tests/pki $(AM_V_GEN)$(OVS_PKI) init && \ - $(OVS_PKI) req+sign tests/pki/test && \ - $(OVS_PKI) req+sign tests/pki/test2 && \ + for cn in $(TESTPKI_CNS); do \ + $(OVS_PKI) 
req+sign tests/pki/$$cn; \ + done && \ : > tests/pki/stamp CLEANFILES += tests/ovs-pki.log diff --git a/tests/ovn.at b/tests/ovn.at index ca9623fee..5cd8b34d7 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -8810,8 +8810,8 @@ AT_CHECK( start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ --remote=db:OVN_Southbound,SB_Global,connections \ - --private-key="$PKIDIR/testpki-privkey2.pem" \ - --certificate="$PKIDIR/testpki-cert2.pem" \ + --private-key="$PKIDIR/testpki-test2-privkey.pem" \ + --certificate="$PKIDIR/testpki-test2-cert.pem" \ --ca-cert="$PKIDIR/testpki-cacert.pem" \ ovn-sb.db @@ -8819,20 +8819,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) # read-only accesses should succeed AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list SB_Global], [0], [stdout], [ignore]) AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list Connection], [0], [stdout], [ignore]) # write access should fail AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ chassis-add ch vxlan 1.2.4.8], [1], [ignore], [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"} 
@@ -8860,8 +8860,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ # Populate SSL configuration entries in nb db AT_CHECK( - [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \ - $PKIDIR/testpki-cert.pem \ + [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ + $PKIDIR/testpki-test-cert.pem \ $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) # Populate a passive SSL connection in nb db @@ -8871,20 +8871,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) # Verify SSL connetivity to nb db server AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list NB_Global], [0], [stdout], [ignore]) AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list Connection], [0], [stdout], [ignore]) AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ get-connection], [0], [stdout], [ignore]) @@ -8911,8 +8911,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ # Populate SSL configuration entries in sb db AT_CHECK( - [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \ - $PKIDIR/testpki-cert.pem \ + [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ + $PKIDIR/testpki-test-cert.pem \ $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) # Populate a passive SSL connection in sb db 
@@ -8922,20 +8922,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) # Verify SSL connetivity to sb db server AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list SB_Global], [0], [stdout], [ignore]) AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list Connection], [0], [stdout], [ignore]) AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ get-connection], [0], [stdout], [ignore])
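Review bot: in the tests/automake.mk hunk, the new `for cn in $(TESTPKI_CNS); do $(OVS_PKI) req+sign tests/pki/$$cn; done && : > tests/pki/stamp` loop in the `tests/pki/stamp` recipe only propagates the exit status of its last iteration, so a failed `req+sign` for `test` is masked when `test2` succeeds, the stamp is still written, and the `cp` rules that depend on it then run against a missing certificate or key; the `&&` chain this replaces aborted on the first failure. Suggest `$(OVS_PKI) req+sign tests/pki/$$cn || exit 1; \` inside the loop so the recipe keeps failing fast. Smaller point: `TESTPKI_FILES = $(shell for cn in $(TESTPKI_CNS); do ... done)` spawns a shell on every make invocation just to expand a static list; `$(foreach cn,$(TESTPKI_CNS),tests/testpki-$(cn)-cert.pem tests/testpki-$(cn)-privkey.pem tests/testpki-$(cn)-req.pem)` produces the same list without leaving make.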
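Review bot: the tests/ovn.at hunks are a mechanical rename of `testpki-privkey.pem`/`testpki-cert.pem` to `testpki-test-privkey.pem`/`testpki-test-cert.pem` (and of the `privkey2`/`cert2` pair to `testpki-test2-*`), and the diffstat shows only tests/automake.mk and tests/ovn.at being touched. Because the old filenames cease to exist once the per-file rules are dropped from tests/automake.mk, any other consumer of the old names would only fail at test time; it would help to note in the commit message that the old names were grepped for across the tree, or to have the series' test run cover that. While these lines are being touched, the pre-existing `Verify SSL connetivity` typo in the context at 8871 and 8922 could be corrected to `connectivity`.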