On 3/5/21 7:16 AM, Frode Nordahl wrote:
In preparation for enabling testing with SSL and RBAC enabled by
default, rework the certificate generation so that we can easily
add generation of more certificates/CN on demand.

A side effect of the change is a more generic naming scheme for
the certificate files so the patch also contains an update to
existing tests so that they use the new filenames.

I initially had the same problems as Numan with patches 8 and 9, but after performing a `make distclean` all worked well.

That being said, for patches 8 and 9:

Acked-by: Mark Michelson <[email protected]>


Signed-off-by: Frode Nordahl <[email protected]>
---
  tests/automake.mk | 48 ++++++++++++++++++++++-------------------------
  tests/ovn.at      | 48 +++++++++++++++++++++++------------------------
  2 files changed, 46 insertions(+), 50 deletions(-)

diff --git a/tests/automake.mk b/tests/automake.mk
index df6d0a2a9..771dddea2 100644
--- a/tests/automake.mk
+++ b/tests/automake.mk
@@ -236,39 +236,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) 
.coverage
  FLAKE8_PYFILES += $(CHECK_PYFILES)
if HAVE_OPENSSL
-TESTPKI_FILES = \
-       tests/testpki-cacert.pem \
-       tests/testpki-cert.pem \
-       tests/testpki-privkey.pem \
-       tests/testpki-req.pem \
-       tests/testpki-cert2.pem \
-       tests/testpki-privkey2.pem \
-       tests/testpki-req2.pem
+OVS_PKI_DIR = $(CURDIR)/tests/pki
+TESTPKI_CNS = test test2
+TESTPKI_FILES = $(shell \
+       for cn in $(TESTPKI_CNS); do \
+               echo tests/testpki-$$cn-cert.pem ; \
+               echo tests/testpki-$$cn-privkey.pem ; \
+               echo tests/testpki-$$cn-req.pem ; \
+       done)
+
+tests/testpki-cacert.pem: tests/pki/stamp
+       $(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@
+
+$(TESTPKI_FILES): tests/pki/stamp
+       $(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@
+
+check_DATA += tests/testpki-cacert.pem
  check_DATA += $(TESTPKI_FILES)
+CLEANFILES += tests/testpki-cacert.pem
  CLEANFILES += $(TESTPKI_FILES)
-tests/testpki-cacert.pem: tests/pki/stamp
-       $(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@
-tests/testpki-cert.pem: tests/pki/stamp
-       $(AM_V_GEN)cp tests/pki/test-cert.pem $@
-tests/testpki-req.pem: tests/pki/stamp
-       $(AM_V_GEN)cp tests/pki/test-req.pem $@
-tests/testpki-privkey.pem: tests/pki/stamp
-       $(AM_V_GEN)cp tests/pki/test-privkey.pem $@
-tests/testpki-cert2.pem: tests/pki/stamp
-       $(AM_V_GEN)cp tests/pki/test2-cert.pem $@
-tests/testpki-req2.pem: tests/pki/stamp
-       $(AM_V_GEN)cp tests/pki/test2-req.pem $@
-tests/testpki-privkey2.pem: tests/pki/stamp
-       $(AM_V_GEN)cp tests/pki/test2-privkey.pem $@
-
-OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki 
--log=tests/ovs-pki.log
+
+OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) 
--log=tests/ovs-pki.log
  tests/pki/stamp:
        $(AM_V_at)rm -f tests/pki/stamp
        $(AM_V_at)rm -rf tests/pki
        $(AM_V_GEN)$(OVS_PKI) init && \
-       $(OVS_PKI) req+sign tests/pki/test && \
-       $(OVS_PKI) req+sign tests/pki/test2 && \
+       for cn in $(TESTPKI_CNS); do \
+               $(OVS_PKI) req+sign tests/pki/$$cn; \
+       done && \
        : > tests/pki/stamp
  CLEANFILES += tests/ovs-pki.log
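Review bot: In the `tests/pki/stamp` recipe, the new `for cn in $(TESTPKI_CNS)` loop loses the fail-fast behaviour of the old `&&` chain. A shell `for` loop returns the status of its last command only, so a failed `req+sign` for any CN other than the last one is ignored and `: > tests/pki/stamp` still runs. Make then treats an incomplete test PKI as up to date, and the problem surfaces later as a `cp` error or a failing SSL test rather than at certificate generation. Writing the loop body as `$(OVS_PKI) req+sign tests/pki/$$cn || exit 1; \` restores the previous behaviour. A short comment above `TESTPKI_CNS` such as `# One cert/privkey/req triple is generated and copied to tests/testpki-<cn>-*.pem per CN listed here.` would also document the new naming scheme for whoever adds the next CN.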
diff --git a/tests/ovn.at b/tests/ovn.at
index ca9623fee..5cd8b34d7 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -8810,8 +8810,8 @@ AT_CHECK(
start_daemon ovsdb-server --remote=punix:ovn-sb.sock \
                            --remote=db:OVN_Southbound,SB_Global,connections \
-                          --private-key="$PKIDIR/testpki-privkey2.pem" \
-                          --certificate="$PKIDIR/testpki-cert2.pem" \
+                          --private-key="$PKIDIR/testpki-test2-privkey.pem" \
+                          --certificate="$PKIDIR/testpki-test2-cert.pem" \
                            --ca-cert="$PKIDIR/testpki-cacert.pem" \
                            ovn-sb.db
@@ -8819,20 +8819,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) # read-only accesses should succeed
  AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                      --ca-cert=$PKIDIR/testpki-cacert.pem \
                      list SB_Global], [0], [stdout], [ignore])
  AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                      --ca-cert=$PKIDIR/testpki-cacert.pem \
                      list Connection], [0], [stdout], [ignore])
# write access should fail
  AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                      --ca-cert=$PKIDIR/testpki-cacert.pem \
                      chassis-add ch vxlan 1.2.4.8], [1], [ignore],
  [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in 
read only mode","error":"not allowed"}
@@ -8860,8 +8860,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \
# Populate SSL configuration entries in nb db
  AT_CHECK(
-    [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \
-                       $PKIDIR/testpki-cert.pem \
+    [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
+                       $PKIDIR/testpki-test-cert.pem \
                         $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
# Populate a passive SSL connection in nb db
@@ -8871,20 +8871,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
# Verify SSL connetivity to nb db server
  AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                      --ca-cert=$PKIDIR/testpki-cacert.pem \
            list NB_Global],
           [0], [stdout], [ignore])
  AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                      --ca-cert=$PKIDIR/testpki-cacert.pem \
            list Connection],
           [0], [stdout], [ignore])
  AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                      --ca-cert=$PKIDIR/testpki-cacert.pem \
            get-connection],
           [0], [stdout], [ignore])
@@ -8911,8 +8911,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \
# Populate SSL configuration entries in sb db
  AT_CHECK(
-    [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \
-                       $PKIDIR/testpki-cert.pem \
+    [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
+                       $PKIDIR/testpki-test-cert.pem \
                         $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
# Populate a passive SSL connection in sb db
@@ -8922,20 +8922,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
# Verify SSL connetivity to sb db server
  AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                      --ca-cert=$PKIDIR/testpki-cacert.pem \
            list SB_Global],
           [0], [stdout], [ignore])
  AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                      --ca-cert=$PKIDIR/testpki-cacert.pem \
            list Connection],
           [0], [stdout], [ignore])
  AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                      --ca-cert=$PKIDIR/testpki-cacert.pem \
            get-connection],
           [0], [stdout], [ignore])

