In preparation for enabling testing with SSL and RBAC enabled by default, rework the certificate generation so that we can easily add generation of more certificates/CN on demand.
A side effect of the change is a more generic naming scheme for the certificate files, so the patch also contains an update to existing tests so that they use the new filenames. Signed-off-by: Frode Nordahl <[email protected]> --- tests/automake.mk | 48 ++++++++++++++++++++++------------------------- tests/ovn.at | 48 +++++++++++++++++++++++------------------------ 2 files changed, 46 insertions(+), 50 deletions(-) diff --git a/tests/automake.mk b/tests/automake.mk index df6d0a2a9..771dddea2 100644 --- a/tests/automake.mk +++ b/tests/automake.mk 
@@ -236,39 +236,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage FLAKE8_PYFILES += $(CHECK_PYFILES) if HAVE_OPENSSL -TESTPKI_FILES = \ - tests/testpki-cacert.pem \ - tests/testpki-cert.pem \ - tests/testpki-privkey.pem \ - tests/testpki-req.pem \ - tests/testpki-cert2.pem \ - tests/testpki-privkey2.pem \ - tests/testpki-req2.pem +OVS_PKI_DIR = $(CURDIR)/tests/pki +TESTPKI_CNS = test test2 +TESTPKI_FILES = $(shell \ + for cn in $(TESTPKI_CNS); do \ + echo tests/testpki-$$cn-cert.pem ; \ + echo tests/testpki-$$cn-privkey.pem ; \ + echo tests/testpki-$$cn-req.pem ; \ + done) + +tests/testpki-cacert.pem: tests/pki/stamp + $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@ + +$(TESTPKI_FILES): tests/pki/stamp + $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@ + +check_DATA += tests/testpki-cacert.pem check_DATA += $(TESTPKI_FILES) +CLEANFILES += tests/testpki-cacert.pem CLEANFILES += $(TESTPKI_FILES) -tests/testpki-cacert.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@ -tests/testpki-cert.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test-cert.pem $@ -tests/testpki-req.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test-req.pem $@ -tests/testpki-privkey.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test-privkey.pem $@ -tests/testpki-cert2.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test2-cert.pem $@ -tests/testpki-req2.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test2-req.pem $@ -tests/testpki-privkey2.pem: tests/pki/stamp - $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@ - -OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log + +OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log tests/pki/stamp: $(AM_V_at)rm -f tests/pki/stamp $(AM_V_at)rm -rf tests/pki $(AM_V_GEN)$(OVS_PKI) init && \ - $(OVS_PKI) req+sign tests/pki/test && \ - $(OVS_PKI) req+sign tests/pki/test2 && \ + for cn in $(TESTPKI_CNS); do \ + $(OVS_PKI) 
req+sign tests/pki/$$cn; \ + done && \ : > tests/pki/stamp CLEANFILES += tests/ovs-pki.log diff --git a/tests/ovn.at b/tests/ovn.at index ca9623fee..5cd8b34d7 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -8810,8 +8810,8 @@ AT_CHECK( start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ --remote=db:OVN_Southbound,SB_Global,connections \ - --private-key="$PKIDIR/testpki-privkey2.pem" \ - --certificate="$PKIDIR/testpki-cert2.pem" \ + --private-key="$PKIDIR/testpki-test2-privkey.pem" \ + --certificate="$PKIDIR/testpki-test2-cert.pem" \ --ca-cert="$PKIDIR/testpki-cacert.pem" \ ovn-sb.db @@ -8819,20 +8819,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) # read-only accesses should succeed AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list SB_Global], [0], [stdout], [ignore]) AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list Connection], [0], [stdout], [ignore]) # write access should fail AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ chassis-add ch vxlan 1.2.4.8], [1], [ignore], [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"} 
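Review bot: In the `tests/pki/stamp` recipe of the tests/automake.mk hunk, the new `for cn in $(TESTPKI_CNS)` loop reports only the status of its last iteration, so a failed `req+sign` for an earlier CN no longer stops the recipe the way the removed `&&` chain did, and the stamp is still written over an incomplete PKI directory. Unless the recipe shell is known to run with `-e`, exiting inside the loop restores the old behaviour: `$(OVS_PKI) req+sign tests/pki/$$cn || exit 1; \`. Separately, `TESTPKI_FILES` is a recursive `=` assignment around `$(shell …)`, so the shell loop is re-run at every expansion; `$(foreach cn,$(TESTPKI_CNS),tests/testpki-$(cn)-cert.pem tests/testpki-$(cn)-privkey.pem tests/testpki-$(cn)-req.pem)` yields the same list without spawning a shell. The recipe also keeps the literal `tests/pki` paths while `--dir` now points at `$(OVS_PKI_DIR)`; using one spelling throughout would keep the `rm -rf`, the key generation and the stamp tied to the same directory.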
@@ -8860,8 +8860,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ # Populate SSL configuration entries in nb db AT_CHECK( - [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \ - $PKIDIR/testpki-cert.pem \ + [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ + $PKIDIR/testpki-test-cert.pem \ $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) # Populate a passive SSL connection in nb db @@ -8871,20 +8871,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) # Verify SSL connetivity to nb db server AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list NB_Global], [0], [stdout], [ignore]) AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list Connection], [0], [stdout], [ignore]) AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ get-connection], [0], [stdout], [ignore]) @@ -8911,8 +8911,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ # Populate SSL configuration entries in sb db AT_CHECK( - [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \ - $PKIDIR/testpki-cert.pem \ + [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ + $PKIDIR/testpki-test-cert.pem \ $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) # Populate a passive SSL connection in sb db 
@@ -8922,20 +8922,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) # Verify SSL connetivity to sb db server AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list SB_Global], [0], [stdout], [ignore]) AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ list Connection], [0], [stdout], [ignore]) AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ - --private-key=$PKIDIR/testpki-privkey.pem \ - --certificate=$PKIDIR/testpki-cert.pem \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ get-connection], [0], [stdout], [ignore]) -- 2.30.0 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
