You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by ac...@apache.org on 2017/11/16 20:45:31 UTC
qpid-cpp git commit: NO-JIRA: Better error reporting from
run_ssl_tests
Repository: qpid-cpp
Updated Branches:
refs/heads/master ab748b4d4 -> 598ce6b3d
NO-JIRA: Better error reporting from run_ssl_tests
Two scripts were using the idiom
if `cmd ...`; then...
which should be
if cmd ...; then ...
The first version executes cmd and then tries to execute the output of cmd
as a commnd. If the output is empty this will pass, but if non-emtpy it causes
a confusing "command not found" error.
Also added some logging to show what tests are being executed, and allow
multiple failing tests to run and report failure on exiting the script.
Project: http://git-wip-us.apache.org/repos/asf/qpid-cpp/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-cpp/commit/598ce6b3
Tree: http://git-wip-us.apache.org/repos/asf/qpid-cpp/tree/598ce6b3
Diff: http://git-wip-us.apache.org/repos/asf/qpid-cpp/diff/598ce6b3
Branch: refs/heads/master
Commit: 598ce6b3d06b8cc041013a6d3e86dcf8d9c432f2
Parents: ab748b4
Author: Alan Conway <ac...@redhat.com>
Authored: Thu Nov 16 15:41:55 2017 -0500
Committer: Alan Conway <ac...@redhat.com>
Committed: Thu Nov 16 15:41:55 2017 -0500
----------------------------------------------------------------------
CMakeLists.txt | 1 -
src/tests/CMakeLists.txt | 2 +-
src/tests/run_ssl_tests | 88 +++++------
src/tests/ssl_test | 335 ------------------------------------------
4 files changed, 47 insertions(+), 379 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-cpp/blob/598ce6b3/CMakeLists.txt
----------------------------------------------------------------------
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 180b41d..d0b8b1f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -150,7 +150,6 @@ if (CMAKE_CXX_COMPILER_ID STREQUAL GNU)
"-Werror -pedantic -Wall -Wextra -Wno-shadow -Wpointer-arith -Wcast-qual -Wcast-align -Wno-long-long -Wvolatile-register-var -Winvalid-pch -Wno-system-headers -Woverloaded-virtual -Wno-deprecated-declarations")
if (CMAKE_CXX_COMPILER_VERSION VERSION_GREATER 7)
- message("FIXME FLAGGING")
set(WARNING_FLAGS "${WARNING_FLAGS} -Wno-implicit-fallthrough")
endif()
http://git-wip-us.apache.org/repos/asf/qpid-cpp/blob/598ce6b3/src/tests/CMakeLists.txt
----------------------------------------------------------------------
diff --git a/src/tests/CMakeLists.txt b/src/tests/CMakeLists.txt
index 5c4ba79..5d92fbc 100644
--- a/src/tests/CMakeLists.txt
+++ b/src/tests/CMakeLists.txt
@@ -320,7 +320,7 @@ else (CMAKE_SYSTEM_NAME STREQUAL Windows)
add_test(NAME sasl_tests COMMAND run_sasl_tests)
if (BUILD_SSL)
- add_test(NAME ssl_tests COMMAND run_ssl_tests)
+ add_test(NAME ssl_tests COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/run_ssl_tests)
endif (BUILD_SSL)
endif (BUILD_SASL)
endif (CMAKE_SYSTEM_NAME STREQUAL Windows)
http://git-wip-us.apache.org/repos/asf/qpid-cpp/blob/598ce6b3/src/tests/run_ssl_tests
----------------------------------------------------------------------
diff --git a/src/tests/run_ssl_tests b/src/tests/run_ssl_tests
index 896893e..97776af 100755
--- a/src/tests/run_ssl_tests
+++ b/src/tests/run_ssl_tests
@@ -22,8 +22,8 @@
# Run a simple test over SSL
source env.sh
-
-#set -x
+set -e # Fail on any un-checked error
+trap stop_brokers EXIT
CONFIG=$(dirname $0)/qpidd-empty.conf
TEST_CERT_DIR=`pwd`/test_cert_dir
@@ -41,9 +41,20 @@ if [[ -a $AMQP_LIB ]] ; then
MODULES="--load-module $AMQP_LIB"
fi
-trap cleanup EXIT
+RET=0 # Return value for script
+fatal() { echo $*; exit 1; }
+error() { echo $*; RET=$((RET + 1)); } # Contine with other tests but fail the script
-error() { echo $*; exit 1; }
+expect_pass() {
+ line=$1; shift;
+ echo "expect pass: $*"
+ "$@" || error "$0:$line: failed"
+}
+expect_fail() {
+ line=$1; shift;
+ echo "expect fail: $*"
+ if "$@"; then /dev/null 2>&1 && error "$0:$line: unexpected pass"; else true; fi
+}
# create the test certificate database
# $1 = string used as Subject in server's certificate
@@ -105,7 +116,7 @@ COMMON_OPTS="--daemon --config $CONFIG --ssl-cert-db $CERT_DB --ssl-cert-passwor
start_brokers() {
local -a ports
for (( i=0; $i<$1; i++)) do
- ports[$i]=$(qpidd --port 0 --interface 127.0.0.1 $COMMON_OPTS $2) || error "Could not start broker $i"
+ ports[$i]=$(qpidd --port 0 --interface 127.0.0.1 $COMMON_OPTS $2) || fatal "Could not start broker $i"
done
PORTS=( ${PORTS[@]} ${ports[@]} )
}
@@ -120,9 +131,8 @@ stop_broker() {
}
stop_brokers() {
- for port in "${PORTS[@]}";
- do
- qpidd -qp $port
+ for port in "${PORTS[@]}"; do
+ qpidd -qp $port || true
done
PORTS=()
}
@@ -134,12 +144,6 @@ pick_port() {
echo $PICK
}
-cleanup() {
- stop_brokers
- delete_certs
- rm -f ${CERT_PW_FILE}
-}
-
start_ssl_broker() {
start_brokers 1 "--transport ssl --ssl-port 0 --require-encryption --auth no $MODULES"
}
@@ -165,14 +169,14 @@ ssl_cluster_broker() { # $1 = port
CERTUTIL=$(type -p certutil)
if [[ !(-x $CERTUTIL) ]] ; then
echo "No certutil, skipping ssl test";
- exit 0;
+ exit $RET
fi
if [[ !(-e ${CERT_PW_FILE}) ]] ; then
echo password > ${CERT_PW_FILE}
fi
delete_certs
-create_certs || error "Could not create test certificate database"
+create_certs || fatal "Could not create test certificate database"
start_ssl_broker
PORT=${PORTS[0]}
@@ -207,7 +211,7 @@ test "$MSG" = "hello again" || { echo "receive failed '$MSG' != 'hello again'";
if test -d $PYTHON_DIR; then
echo "Testing Non-Authenticating with Python Client..."
URL=amqps://$TEST_HOSTNAME:$PORT
- if `$PY_PING_BROKER -b $URL`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi
+ expect_pass $LINENO $PY_PING_BROKER -b $URL
else
echo "Skipping python part of ssl_test, no python dir."
fi
@@ -225,22 +229,20 @@ MSG2=`qpid-receive -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_C
test "$MSG2" = "hello" || { echo "receive failed '$MSG2' != 'hello'"; exit 1; }
## Make sure that connect fails with an invalid SSL cert-name
-qpid-send -b $URL --connection-options "{ssl-cert-name: pignose }" --content-string=hello -a "baz;{create:always}" 2>/dev/null 1>/dev/null
-MSG3=`qpid-receive -b $URL --connection-options "{ssl-cert-name: pignose }" -a "baz;{create:always}" --messages 1 2>/dev/null`
-test "$MSG3" = "" || { echo "receive succeeded without valid ssl cert '$MSG3' != ''"; exit 1; }
-
+expect_fail $LINENO qpid-send -b $URL --connection-options "{ssl-cert-name: pignose }" --content-string=hello -a "baz;{create:always}"
+expect_fail $LINENO qpid-receive -b $URL --connection-options "{ssl-cert-name: pignose }" -a "baz;{create:always}" --messages 1
stop_brokers
# Test ssl muxed with plain TCP on the same connection
# Test a specified port number - since tcp/ssl are the same port don't need to specify --transport ssl
PORT=`pick_port`
-start_ssl_mux_broker $PORT || error "Could not start broker"
+start_ssl_mux_broker $PORT || fatal "Could not start broker"
echo "Running SSL/TCP mux test on fixed port $PORT"
## Test connection via connection settings
-qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || error "SSL connection failed!"
-qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || error "TCP connection failed!"
+qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || fatal "SSL connection failed!"
+qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || fatal "TCP connection failed!"
# Test a broker chosen port - since ssl chooses port need to use --transport ssl here
start_ssl_broker
@@ -248,8 +250,8 @@ PORT=${PORTS[0]}
echo "Running SSL/TCP mux test on random port $PORT"
## Test connection via connection settings
-qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || error "SSL connection failed!"
-qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || error "TCP connection failed!"
+qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || fatal "SSL connection failed!"
+qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || fatal "TCP connection failed!"
stop_brokers
@@ -258,20 +260,20 @@ stop_brokers
PK12UTIL=$(type -p pk12util)
if [[ !(-x $PK12UTIL) ]] ; then
echo >&2 "'pk12util' command not available, skipping remaining tests"
- exit 0
+ exit $RET
fi
OPENSSL=$(type -p openssl)
if [[ !(-x $OPENSSL) ]] ; then
echo >&2 "'openssl' command not available, skipping remaining tests"
- exit 0
+ exit $RET
fi
## verify python version > 2.5 (only 2.6+ does certificate checking)
PY_VERSION=$(python -c "import sys; print hex(sys.hexversion)")
if (( PY_VERSION < 0x02060000 )); then
echo >&2 "Detected python version < 2.6 - skipping certificate verification tests"
- exit 0
+ exit $RET
fi
echo "Testing Certificate validation and Authentication with the Python Client..."
@@ -284,26 +286,26 @@ get_ca_certs() {
$OPENSSL pkcs12 -in ${TEST_CERT_DIR}/other_CA_pk12.out -out ${OTHER_CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null
}
-get_ca_certs || error "Could not extract CA certificates as PEM files"
+get_ca_certs || fatal "Could not extract CA certificates as PEM files"
start_ssl_broker
PORT=${PORTS[0]}
URL=amqps://$TEST_HOSTNAME:$PORT
# verify the python client can authenticate the broker using the CA
-if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi
+expect_pass $LINENO ${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}
# verify the python client fails to authenticate the broker when using the other CA
-if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${OTHER_CA_PEM_FILE} > /dev/null 2>&1`; then { echo " Failed"; exit 1; }; else echo " Passed"; fi
+expect_fail $LINENO ${PY_PING_BROKER} -b $URL --ssl-trustfile=${OTHER_CA_PEM_FILE}
stop_brokers
# create a certificate without matching TEST_HOSTNAME, should fail to verify
-create_certs "O=MyCo" "*.${TEST_HOSTNAME}.com" || error "Could not create server test certificate"
-get_ca_certs || error "Could not extract CA certificates as PEM files"
+create_certs "O=MyCo" "*.${TEST_HOSTNAME}.com" || fatal "Could not create server test certificate"
+get_ca_certs || fatal "Could not extract CA certificates as PEM files"
start_ssl_broker
PORT=${PORTS[0]}
URL=amqps://$TEST_HOSTNAME:$PORT
-if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} > /dev/null 2>&1`; then { echo " Failed"; exit 1; }; else echo " Passed"; fi
+expect_fail $LINENO ${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}
# but disabling the check for the hostname should pass
-if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} --ssl-skip-hostname-check`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi
+expect_pass $LINENO ${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} --ssl-skip-hostname-check
stop_brokers
# test SubjectAltName parsing
@@ -311,19 +313,21 @@ stop_brokers
if (( PY_VERSION >= 0x02070300 )); then
# python 2.7.3+ supports SubjectAltName extraction
# create a certificate with TEST_HOSTNAME only in SAN, should verify OK
- create_certs "O=MyCo" "*.foo.com,${TEST_HOSTNAME},*xyz.com" || error "Could not create server test certificate"
- get_ca_certs || error "Could not extract CA certificates as PEM files"
+ create_certs "O=MyCo" "*.foo.com,${TEST_HOSTNAME},*xyz.com" || fatal "Could not create server test certificate"
+ get_ca_certs || fatal "Could not extract CA certificates as PEM files"
start_ssl_broker
PORT=${PORTS[0]}
URL=amqps://$TEST_HOSTNAME:$PORT
- if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi
+ expect_pass $LINENO ${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}
stop_brokers
- create_certs "O=MyCo" "*${TEST_HOSTNAME}" || error "Could not create server test certificate"
- get_ca_certs || error "Could not extract CA certificates as PEM files"
+ create_certs "O=MyCo" "*${TEST_HOSTNAME}" || fatal "Could not create server test certificate"
+ get_ca_certs || fatal "Could not extract CA certificates as PEM files"
start_ssl_broker
PORT=${PORTS[0]}
URL=amqps://$TEST_HOSTNAME:$PORT
- if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi
+ expect_pass $LINENO ${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}
stop_brokers
fi
+
+exit $RET
http://git-wip-us.apache.org/repos/asf/qpid-cpp/blob/598ce6b3/src/tests/ssl_test
----------------------------------------------------------------------
diff --git a/src/tests/ssl_test b/src/tests/ssl_test
deleted file mode 100755
index 7c85087..0000000
--- a/src/tests/ssl_test
+++ /dev/null
@@ -1,335 +0,0 @@
-#!/usr/bin/env bash
-
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-# Run a simple test over SSL
-
-source env.sh
-
-#set -x
-
-CONFIG=$(dirname $0)/qpidd-empty.conf
-TEST_CERT_DIR=`pwd`/test_cert_dir
-CERT_DB=${TEST_CERT_DIR}/test_cert_db
-CERT_PW_FILE=`pwd`/cert.password
-TEST_HOSTNAME=127.0.0.1
-TEST_CLIENT_CERT=rumplestiltskin
-CA_PEM_FILE=${TEST_CERT_DIR}/ca_cert.pem
-OTHER_CA_CERT_DB=${TEST_CERT_DIR}/x_ca_cert_db
-OTHER_CA_PEM_FILE=${TEST_CERT_DIR}/other_ca_cert.pem
-PY_PING_BROKER=$SOURCE_DIR/src/tests/ping_broker
-COUNT=10
-
-if [[ -a $AMQP_LIB ]] ; then
- MODULES="--load-module $AMQP_LIB"
-fi
-
-trap cleanup EXIT
-
-error() { echo $*; exit 1; }
-
-# create the test certificate database
-# $1 = string used as Subject in server's certificate
-# $2 = string used as SubjectAlternateName (SAN) in server's certificate
-create_certs() {
-
- local CERT_SUBJECT=${1:-"CN=${TEST_HOSTNAME},O=MyCo,ST=Massachusetts,C=US"}
- local CERT_SAN=${2:-"*.server.com"}
-
- mkdir -p ${TEST_CERT_DIR}
- rm -rf ${TEST_CERT_DIR}/*
-
- # Set Up a CA with a self-signed Certificate
- #
- mkdir -p ${CERT_DB}
- certutil -N -d ${CERT_DB} -f ${CERT_PW_FILE}
- certutil -S -d ${CERT_DB} -n "Test-CA" -s "CN=Test-CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1
- certutil -L -d ${CERT_DB} -n "Test-CA" -a -o ${CERT_DB}/rootca.crt -f ${CERT_PW_FILE}
- #certutil -L -d ${CERT_DB} -f ${CERT_PW_FILE}
-
- # create server certificate signed by Test-CA
- #
- certutil -R -d ${CERT_DB} -s "${CERT_SUBJECT}" -o ${TEST_CERT_DIR}/server.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1
- certutil -C -d ${CERT_DB} -c "Test-CA" -8 "${CERT_SAN}" -i ${TEST_CERT_DIR}/server.req -o ${TEST_CERT_DIR}/server.crt -f ${CERT_PW_FILE} -m ${RANDOM}
- certutil -A -d ${CERT_DB} -n ${TEST_HOSTNAME} -i ${TEST_CERT_DIR}/server.crt -t "Pu,,"
-
- # create a certificate to identify the client
- #
- certutil -R -d ${CERT_DB} -s "CN=${TEST_CLIENT_CERT}" -o ${TEST_CERT_DIR}/client.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1
- certutil -C -d ${CERT_DB} -c "Test-CA" -8 "*.client.com" -i ${TEST_CERT_DIR}/client.req -o ${TEST_CERT_DIR}/client.crt -f ${CERT_PW_FILE} -m ${RANDOM}
- certutil -A -d ${CERT_DB} -n ${TEST_CLIENT_CERT} -i ${TEST_CERT_DIR}/client.crt -t "Pu,,"
- ###
- #certutil -N -d ${SERVER_CERT_DIR} -f ${CERT_PW_FILE}
- #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_HOSTNAME} -s "CN=${TEST_HOSTNAME}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil
- #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_CLIENT_CERT} -s "CN=${TEST_CLIENT_CERT}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil
-
- # Set up a separate DB with its own CA for testing failure to validate scenario
- #
- mkdir -p ${OTHER_CA_CERT_DB}
- certutil -N -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE}
- certutil -S -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -s "CN=Another Test CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1
- certutil -L -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -a -o ${OTHER_CA_CERT_DB}/rootca.crt -f ${CERT_PW_FILE}
- #certutil -L -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE}
-}
-
-delete_certs() {
- if [[ -e ${TEST_CERT_DIR} ]] ; then
- rm -rf ${TEST_CERT_DIR}
- fi
-}
-
-# Don't need --no-module-dir or --no-data-dir as they are set as env vars in env.sh
-COMMON_OPTS="--daemon --config $CONFIG --ssl-cert-db $CERT_DB --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME"
-
-# Start new brokers:
-# $1 must be integer
-# $2 = extra opts
-# Append used ports to PORTS variable
-start_brokers() {
- local -a ports
- for (( i=0; $i<$1; i++)) do
- ports[$i]=$(qpidd --port 0 --interface 127.0.0.1 $COMMON_OPTS $2) || error "Could not start broker $i"
- done
- PORTS=( ${PORTS[@]} ${ports[@]} )
-}
-
-# Stop single broker:
-# $1 is number of broker to stop (0 based)
-stop_broker() {
- qpidd -qp ${PORTS[$1]}
-
- # Remove from ports array
- unset PORTS[$1]
-}
-
-stop_brokers() {
- for port in "${PORTS[@]}";
- do
- qpidd -qp $port
- done
- PORTS=()
-}
-
-pick_port() {
- # We need a fixed port to set --cluster-url. Use qpidd to pick a free port.
- PICK=`qpidd --no-module-dir --listen-disable ssl -dp0`
- qpidd --no-module-dir -qp $PICK
- echo $PICK
-}
-
-cleanup() {
- stop_brokers
- delete_certs
- rm -f ${CERT_PW_FILE}
-}
-
-start_ssl_broker() {
- start_brokers 1 "--transport ssl --ssl-port 0 --require-encryption --auth no $MODULES"
-}
-
-start_ssl_mux_broker() {
- qpidd $COMMON_OPTS --port $1 --ssl-port $1 --auth no
- PORTS=( ${PORTS[@]} $1 )
-}
-
-sasl_config_dir=$BUILD_DIR/src/tests/sasl_config
-
-start_authenticating_broker() {
- start_brokers 1 "--transport ssl --ssl-port 0 --require-encryption --ssl-sasl-no-dict --ssl-require-client-authentication --auth yes --sasl-config=${sasl_config_dir} $MODULES"
-}
-
-ssl_cluster_broker() { # $1 = port
- start_brokers 1 "--ssl-port $1 --auth no --load-module $CLUSTER_LIB --cluster-name ssl_test.$HOSTNAME.$$ --cluster-url amqp:ssl:$TEST_HOSTNAME:$1"
-
- # Wait for broker to be ready
- qpid-ping -Pssl -b $TEST_HOSTNAME:$1 -q || { echo "Cannot connect to broker on $1"; exit 1; }
-}
-
-CERTUTIL=$(type -p certutil)
-if [[ !(-x $CERTUTIL) ]] ; then
- echo "No certutil, skipping ssl test";
- exit 0;
-fi
-
-if [[ !(-e ${CERT_PW_FILE}) ]] ; then
- echo password > ${CERT_PW_FILE}
-fi
-delete_certs
-create_certs || error "Could not create test certificate database"
-
-start_ssl_broker
-PORT=${PORTS[0]}
-echo "Running SSL test on port $PORT"
-export QPID_NO_MODULE_DIR=1
-export QPID_SSL_CERT_DB=${CERT_DB}
-export QPID_SSL_CERT_PASSWORD_FILE=${CERT_PW_FILE}
-
-## Test connection via connection settings
-qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary
-
-## Test connection with a URL
-URL=amqp:ssl:$TEST_HOSTNAME:$PORT
-qpid-send -b $URL --content-string=hello -a "foo;{create:always}"
-MSG=`qpid-receive -b $URL -a "foo;{create:always}" --messages 1`
-test "$MSG" = "hello" || { echo "receive failed '$MSG' != 'hello'"; exit 1; }
-
-if [[ -a $AMQP_LIB ]] ; then
- echo "Testing ssl over AMQP 1.0"
- qpid-send --connection-options '{protocol:amqp1.0}' -b $URL --content-string=hello -a "foo;{create:always}"
- MSG=`qpid-receive --connection-options '{protocol:amqp1.0}' -b $URL -a "foo;{create:always}" --messages 1`
- test "$MSG" = "hello" || { echo "receive failed for AMQP 1.0 '$MSG' != 'hello'"; exit 1; }
-fi
-
-## Test connection with a combination of URL and connection options (in messaging API)
-URL=$TEST_HOSTNAME:$PORT
-qpid-send -b $URL --connection-options '{transport:ssl,heartbeat:2}' --content-string='hello again' -a "foo;{create:always}"
-MSG=`qpid-receive -b $URL --connection-options '{transport:ssl,heartbeat:2}' -a "foo;{create:always}" --messages 1`
-test "$MSG" = "hello again" || { echo "receive failed '$MSG' != 'hello again'"; exit 1; }
-
-## Test using the Python client
-if test -d $PYTHON_DIR; then
- echo "Testing Non-Authenticating with Python Client..."
- URL=amqps://$TEST_HOSTNAME:$PORT
- if `$PY_PING_BROKER -b $URL`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi
-else
- echo "Skipping python part of ssl_test, no python dir."
-fi
-
-#### Client Authentication tests
-
-start_authenticating_broker
-PORT2=${PORTS[1]}
-echo "Running SSL client authentication test on port $PORT2"
-URL=amqp:ssl:$TEST_HOSTNAME:$PORT2
-
-## See if you can set the SSL cert-name for the connection
-qpid-send -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" --content-string=hello -a "bar;{create:always}"
-MSG2=`qpid-receive -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" -a "bar;{create:always}" --messages 1`
-test "$MSG2" = "hello" || { echo "receive failed '$MSG2' != 'hello'"; exit 1; }
-
-
-## Make sure that connect fails with an invalid SSL cert-name
-qpid-send -b $URL --connection-options "{ssl-cert-name: pignose }" --content-string=hello -a "baz;{create:always}" 2>/dev/null 1>/dev/null
-MSG3=`qpid-receive -b $URL --connection-options "{ssl-cert-name: pignose }" -a "baz;{create:always}" --messages 1 2>/dev/null`
-test "$MSG3" = "" || { echo "receive succeeded without valid ssl cert '$MSG3' != ''"; exit 1; }
-
-## Set the userid in the message to the authenticated username
-./qpid-send -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" --auto-user-id true --content-string=hello -a "bar;{create:always}"
-RECEIVED_USER=`./qpid-receive -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" -a "bar;{create:always}" --messages 1 --print-headers true | awk '/UserId/{print $2}'`
-test "$RECEIVED_USER" = $TEST_CLIENT_CERT || { echo "user id not as expected: $RECEIVED_USER"; exit 1; }
-
-stop_brokers
-
-# Test ssl muxed with plain TCP on the same connection
-
-# Test a specified port number - since tcp/ssl are the same port don't need to specify --transport ssl
-PORT=`pick_port`
-start_ssl_mux_broker $PORT || error "Could not start broker"
-echo "Running SSL/TCP mux test on fixed port $PORT"
-
-## Test connection via connection settings
-qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || error "SSL connection failed!"
-qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || error "TCP connection failed!"
-
-# Test a broker chosen port - since ssl chooses port need to use --transport ssl here
-start_ssl_broker
-PORT=${PORTS[0]}
-echo "Running SSL/TCP mux test on random port $PORT"
-
-## Test connection via connection settings
-qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || error "SSL connection failed!"
-qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || error "TCP connection failed!"
-
-stop_brokers
-
-### Additional tests that require 'openssl' and 'pk12util' to be installed (optional)
-
-PK12UTIL=$(type -p pk12util)
-if [[ !(-x $PK12UTIL) ]] ; then
- echo >&2 "'pk12util' command not available, skipping remaining tests"
- exit 0
-fi
-
-OPENSSL=$(type -p openssl)
-if [[ !(-x $OPENSSL) ]] ; then
- echo >&2 "'openssl' command not available, skipping remaining tests"
- exit 0
-fi
-
-## verify python version > 2.5 (only 2.6+ does certificate checking)
-PY_VERSION=$(python -c "import sys; print hex(sys.hexversion)")
-if (( PY_VERSION < 0x02060000 )); then
- echo >&2 "Detected python version < 2.6 - skipping certificate verification tests"
- exit 0
-fi
-
-echo "Testing Certificate validation and Authentication with the Python Client..."
-
-# extract the CA's certificate as a PEM file
-get_ca_certs() {
- $PK12UTIL -o ${TEST_CERT_DIR}/CA_pk12.out -d ${CERT_DB} -n "Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null
- $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/CA_pk12.out -out ${CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null
- $PK12UTIL -o ${TEST_CERT_DIR}/other_CA_pk12.out -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null
- $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/other_CA_pk12.out -out ${OTHER_CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null
-}
-
-get_ca_certs || error "Could not extract CA certificates as PEM files"
-start_ssl_broker
-PORT=${PORTS[0]}
-URL=amqps://$TEST_HOSTNAME:$PORT
-# verify the python client can authenticate the broker using the CA
-if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi
-# verify the python client fails to authenticate the broker when using the other CA
-if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${OTHER_CA_PEM_FILE} > /dev/null 2>&1`; then { echo " Failed"; exit 1; }; else echo " Passed"; fi
-stop_brokers
-
-# create a certificate without matching TEST_HOSTNAME, should fail to verify
-
-create_certs "O=MyCo" "*.${TEST_HOSTNAME}.com" || error "Could not create server test certificate"
-get_ca_certs || error "Could not extract CA certificates as PEM files"
-start_ssl_broker
-PORT=${PORTS[0]}
-URL=amqps://$TEST_HOSTNAME:$PORT
-if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} > /dev/null 2>&1`; then { echo " Failed"; exit 1; }; else echo " Passed"; fi
-# but disabling the check for the hostname should pass
-if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} --ssl-skip-hostname-check`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi
-stop_brokers
-
-# test SubjectAltName parsing
-
-if (( PY_VERSION >= 0x02070300 )); then
-# python 2.7.3+ supports SubjectAltName extraction
-# create a certificate with TEST_HOSTNAME only in SAN, should verify OK
- create_certs "O=MyCo" "*.foo.com,${TEST_HOSTNAME},*xyz.com" || error "Could not create server test certificate"
- get_ca_certs || error "Could not extract CA certificates as PEM files"
- start_ssl_broker
- PORT=${PORTS[0]}
- URL=amqps://$TEST_HOSTNAME:$PORT
- if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi
- stop_brokers
-
- create_certs "O=MyCo" "*${TEST_HOSTNAME}" || error "Could not create server test certificate"
- get_ca_certs || error "Could not extract CA certificates as PEM files"
- start_ssl_broker
- PORT=${PORTS[0]}
- URL=amqps://$TEST_HOSTNAME:$PORT
- if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi
- stop_brokers
-fi
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org