Repository: trafficserver
Updated Branches:
  refs/heads/master a08f5da2b -> 5e8f12288


TS-2058: add an integration test for SSL certificate loading

Add the test-multicert-loading integration test to verify that SSL
certificate loading does not delay the proxy coming up and serving
traffic.


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/5e8f1228
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/5e8f1228
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/5e8f1228

Branch: refs/heads/master
Commit: 5e8f122884b86dee1a4a59a29faf23537e44c986
Parents: a08f5da
Author: James Peach <[email protected]>
Authored: Fri Feb 14 13:54:55 2014 -0800
Committer: James Peach <[email protected]>
Committed: Fri Feb 21 21:06:36 2014 -0800

----------------------------------------------------------------------
 ci/tsqa/functions              |  3 +-
 ci/tsqa/test-multicert-loading | 81 +++++++++++++++++++++++++++++++++++++
 iocore/net/SSLConfig.cc        |  8 ++++
 lib/ts/ink_hrtime.h            |  7 ++++
 4 files changed, 98 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5e8f1228/ci/tsqa/functions
----------------------------------------------------------------------
diff --git a/ci/tsqa/functions b/ci/tsqa/functions
index cf3d9d4..472b453 100644
--- a/ci/tsqa/functions
+++ b/ci/tsqa/functions
@@ -160,7 +160,8 @@ alive() {
 # Start up Traffic Server. Test for all the processes so that we have a better
 # chance of delaying the test until traffic_server is ready.
 startup() {
-  tsexec traffic_cop &
+  local log=$TSQA_ROOT/$(logdir)/cop.log
+  ( tsexec traffic_cop --stdout > $log )&
   for proc in cop manager server; do
     for i in $(seq 10) ; do
       alive $proc && msg $proc is alive && break
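Review bot: The redirect added to `startup()` truncates `cop.log` on every call and leaves `$log` unquoted. A second `startup` in the same run (test-multicert-loading may call it again after the restart) therefore discards the earlier traffic_cop output, and a `TSQA_ROOT` containing whitespace breaks the redirect. I would write `local log="$TSQA_ROOT/$(logdir)/cop.log"` and `( tsexec traffic_cop --stdout >> "$log" )&`. If traffic_cop also reports on stderr, which this hunk does not show, adding `2>&1` would keep those messages in the same file. The body of `startup()` continues past the end of the hunk.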

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5e8f1228/ci/tsqa/test-multicert-loading
----------------------------------------------------------------------
diff --git a/ci/tsqa/test-multicert-loading b/ci/tsqa/test-multicert-loading
new file mode 100755
index 0000000..cc0e49e
--- /dev/null
+++ b/ci/tsqa/test-multicert-loading
@@ -0,0 +1,81 @@
+#! /usr/bin/env bash
+
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+# test-multicert-loading: test loading large numbers of SSL certificates.
+
+TSQA_TSXS=${TSQA_TSXS:-/opt/ats/bin/tsxs}
+TSQA_TESTNAME=$(basename $0)
+source $(dirname $0)/functions
+
+bootstrap
+
+# If Traffic Server is not up, bring it up ...
+alive cop || startup || fatal unable to start Traffic Server
+trap shutdown 0 EXIT
+
+#msg unpacking the SSL certificates into \$sysconfdir/ssl.
+#(
+#  tarball=$(cd $(dirname $0) && pwd)/ssl-multicert-bundle.tar.bz2
+#  conf=$TSQA_ROOT/$(sysconfdir)/ssl
+#
+#  cd $TSQA_ROOT/$(sysconfdir) && tar -xf $tarball
+#)
+
+msg updating SSL configuration paths
+tsexec traffic_line -s proxy.config.ssl.server.cert.path -v 
$TSQA_ROOT/$(sysconfdir)/ssl
+tsexec traffic_line -s proxy.config.ssl.server.multicert.filename -v 
$TSQA_ROOT/$(sysconfdir)/ssl/ssl_multicert.config
+
+# XXX configure an exampe plugin that uses the TS-2437 SSL lifecycle hooks
+
+# XXX hardcoding the ports is lame ...
+PORT=9443:ssl,10443:ssl,11443:ssl
+
+# Enable SSL and bounce Traffic Server.
+tsexec traffic_line -s proxy.config.diags.action.enabled -v 1
+tsexec traffic_line -s proxy.config.diags.action.tags -v test.multicert.delay
+
+tsexec traffic_line -s proxy.config.http.server_ports -v $PORT
+tsexec traffic_line -s proxy.config.diags.debug.enabled -v 1
+tsexec traffic_line -s proxy.config.diags.debug.tags -v ssl
+
+# Stash the admin port while we have traffic_server running. It won't be
+# available later if traffic_server does not come back up.
+admin_port=$(tsexec traffic_line -r proxy.config.process_manager.mgmt_port)
+
+# The sleep is needed to let Traffic Server schedule the config change.
+msgwait 2 to restart with SSL ports enabled
+tsexec traffic_line -L
+
+msgwait 6 for traffic_server to restart
+alive server || startup || fatal unable to start Traffic Server
+
+# XXX use the SSL lifecycle hooks in TS-2437 to verify that we loaded the
+# certificates.
+
+START=$(date +%s)
+
+# Verify that the healthcheck comes up within about 60 seconds.
+for c in $(seq 60) ; do
+  curl --silent --max-time 1 -o /dev/null 
http://127.0.0.1:${admin_port}/synthetic.txt && exit $TSQA_FAIL
+  sleep 1
+done
+
+fail unable to start traffic_server after $(( $(date +%s) - $START )) seconds
+exit $TSQA_FAIL
+
+# vim: set sw=2 ts=2 et :
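Review bot: The healthcheck loop exits with `$TSQA_FAIL` when curl succeeds (`curl ... && exit $TSQA_FAIL`), and the fall-through after the loop also ends in `exit $TSQA_FAIL`, so as written the script reports failure on every path. If a responding healthcheck is the passing condition, as the comment `Verify that the healthcheck comes up within about 60 seconds` suggests, the loop should exit with the success status that `functions` defines (not visible here; `exit 0` if there is none). If the failure is deliberate because TS-2058 is not fixed yet, a comment above the loop should say so. Separately, the certificate-unpacking step is commented out and nothing connects to the SSL ports in `$PORT`, so the test checks only the plain-HTTP healthcheck and never confirms that a certificate was loaded or served. A comment at the top stating that limit would stop readers taking a pass as TLS coverage.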

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5e8f1228/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 9a20883..d86dbf3 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -286,6 +286,14 @@ SSLCertificateConfig::reconfigure()
   SSLConfig::scoped_config params;
   SSLCertLookup * lookup = NEW(new SSLCertLookup());
 
+  // Test SSL certificate loading startup. With large numbers of certificates, 
reloading can take time, so delay
+  // twice the healthcheck period to simulate a loading a large certificate 
set.
+  if (is_action_tag_set("test.multicert.delay")) {
+    const int secs = 60;
+    Debug("ssl", "delaying certificate reload by %dsecs", secs);
+    ink_hrtime_sleep(HRTIME_SECONDS(secs));
+  }
+
   if (SSLParseCertificateConfiguration(params, lookup)) {
     configid = configProcessor.set(configid, lookup);
   } else {
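Review bot: The `test.multicert.delay` block puts a 60-second blocking sleep into `SSLCertificateConfig::reconfigure()` in every build, gated only by a diagnostic action tag that the test sets at runtime through `proxy.config.diags.action.tags`. Anyone able to change that setting can stall each certificate reload for a minute, which also delays picking up a replaced or revoked certificate. The sleep also runs after `SSLConfig::scoped_config params` is taken, so that configuration reference is held for the whole delay. I would compile the block only into debug or test builds (for example inside an `#if` on the project's debug macro, whose name is not visible here) and move it above the `params` declaration. The comment says the delay is twice the healthcheck period while the code hardcodes `secs = 60`, so it should name the period the value is derived from; the function body starts and ends outside the hunk.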

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5e8f1228/lib/ts/ink_hrtime.h
----------------------------------------------------------------------
diff --git a/lib/ts/ink_hrtime.h b/lib/ts/ink_hrtime.h
index cfece39..bf7c9b7 100644
--- a/lib/ts/ink_hrtime.h
+++ b/lib/ts/ink_hrtime.h
@@ -326,4 +326,11 @@ ink_hrtime_add(ink_hrtime t1, ink_hrtime t2)
   return (t1 + t2);
 }
 
+static inline void
+ink_hrtime_sleep(ink_hrtime delay)
+{
+  struct timespec ts = ink_hrtime_to_timespec(delay);
+  nanosleep(&ts, NULL);
+}
+
 #endif /* _ink_hrtime_h_ */
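Review bot: `ink_hrtime_sleep()` ignores the return value of `nanosleep()`, so a signal delivered during the sleep ends it early with EINTR and the caller gets a shorter delay than it asked for. Restarting with the remaining time fixes that: `while (nanosleep(&ts, &ts) == -1 && errno == EINTR) { }`, which needs `<errno.h>` in scope (the header's includes are outside the hunk). The function also has no comment; one line above it should say that it blocks the calling thread for `delay` and what happens on interruption.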
