On Thu, 2023-05-11 at 15:38 +0200, Stefan Hoffmann wrote:
> This tests stream.c and stream.py with ssl connection at
> CHECK_STREAM_OPEN_BLOCK.
> For the tests, ovsdb needs to be build with libssl.
> 
> Signed-off-by: Stefan Hoffmann <[email protected]>
> ---
> 
> Changes based on comments from Ilya Maximets:
> use m4_join; use m4_substr directly at call, without using variable in
> between
> 
> Hint: at some places we can't use brackets, as m4 seems to not resolve the
> variables otherwise. Mail with comments at this places will follow.
> 
>  tests/ovsdb-idl.at   | 31 +++++++++++++++++++++++++++----
>  tests/test-stream.c  | 12 +++++++++++-
>  tests/test-stream.py | 18 ++++++++++++++++++
>  3 files changed, 56 insertions(+), 5 deletions(-)
> 
> diff --git a/tests/ovsdb-idl.at b/tests/ovsdb-idl.at
> index 258d79fe9..978a6677b 100644
> --- a/tests/ovsdb-idl.at
> +++ b/tests/ovsdb-idl.at
> @@ -28,8 +28,13 @@ m4_define([OVSDB_START_IDLTEST],
>  [
>    AT_CHECK([ovsdb-tool create db dnl
>                m4_if([$2], [], [$abs_srcdir/idltest.ovsschema], [$2])])
> +  PKIDIR=$abs_top_builddir/tests
>    AT_CHECK([ovsdb-server -vconsole:warn --log-file --detach --no-chdir dnl
>                --pidfile --remote=punix:socket dnl
> +              m4_if(m4_substr($1, 0, 5), [pssl:],
> +                    [--private-key=$PKIDIR/testpki-privkey2.pem dnl
> +                     --certificate=$PKIDIR/testpki-cert2.pem dnl
> +                     --ca-cert=$PKIDIR/testpki-cacert.pem], []) dnl
>                m4_if([$1], [], [], [--remote=$1]) db dnl
>    ])
>    on_exit 'kill `cat ovsdb-server.pid`'
> @@ -2286,14 +2291,26 @@ m4_define([CHECK_STREAM_OPEN_BLOCK],
>    [AT_SETUP([Check stream open block - $1 - $3])
>     AT_SKIP_IF([test "$3" = "tcp6" && test "$IS_WIN32" = "yes"])
>     AT_SKIP_IF([test "$3" = "tcp6" && test "$HAVE_IPV6" = "no"])
> +   AT_SKIP_IF([test "$3" = "ssl6" && test "$IS_WIN32" = "yes"])
> +   AT_SKIP_IF([test "$3" = "ssl6" && test "$HAVE_IPV6" = "no"])
> +   AT_SKIP_IF([test "$3" = "ssl" && test "$HAVE_OPENSSL" = "no"])
> +   $PYTHON3 -c "import ssl"
> +   SSL_PRESENT=$?
> +   AT_SKIP_IF([test "$3" = "ssl" && test $SSL_PRESENT != 0])
> +   AT_SKIP_IF([test "$3" = "ssl6" && test "$HAVE_OPENSSL" = "no"])
> +   AT_SKIP_IF([test "$3" = "ssl6" && test $SSL_PRESENT != 0])
>     AT_KEYWORDS([ovsdb server stream open_block $3])
> -   OVSDB_START_IDLTEST(["ptcp:0:$4"])
> +   PKIDIR=$abs_top_builddir/tests
> +   m4_define([PROTOCOL], [m4_substr([$3], [0], [3])])
> +   OVSDB_START_IDLTEST([m4_join([], [p], PROTOCOL, [:0:], $4)])

Badly we must not use brackets here for the arguments that are
variables (PROTOCOL), we want to get resolved.
I guess, otherwise, m4 takes them as text instead.

Also we need to handover `$4` directly without brackets, else we get
issues with IPv6 IPs.
The ovsdb-server call would be '--remote=ptcp:0:[[::1]]' instead of '--
remote=ptcp:0:[::1]'.
We could use brackets here but would need to remove them above at
OVSDB_START_IDLTEST (--remote=$4 instead of [--remote=$4]). I decided
that omitting the brackets here is the better way.
Another solution would be to remove one pair of brackets at the
CHECK_STREAM_OPEN_BLOCK function call below, but then we would also more or
less hand over the plain value without brackets there.

Do you have a better idea how to solve that or should I add a comment
to the code therefore?

>     PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
>     WRONG_PORT=$(($TCP_PORT + 101))
> -   AT_CHECK([$2 tcp:$4:$TCP_PORT], [0], [ignore])
> -   AT_CHECK([$2 tcp:$4:$WRONG_PORT], [1], [ignore], [ignore])
> +   SSL_KEY_ARGS="$PKIDIR/testpki-privkey.pem $PKIDIR/testpki-cert.pem 
> $PKIDIR/testpki-cacert.pem"
> +   AT_CHECK([$2 PROTOCOL:$4:$TCP_PORT $SSL_KEY_ARGS], [0], [ignore])
> +   AT_CHECK([$2 PROTOCOL:$4:$WRONG_PORT $SSL_KEY_ARGS], [1], [ignore],
> +            [ignore])
>     OVSDB_SERVER_SHUTDOWN
> -   AT_CHECK([$2 tcp:$4:$TCP_PORT], [1], [ignore], [ignore])
> +   AT_CHECK([$2 PROTOCOL:$4:$TCP_PORT $SSL_KEY_ARGS], [1], [ignore], 
> [ignore])
>     AT_CLEANUP])
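Review bot: The SSL_PRESENT skip conditions do not look at $1, so the C variants of the ssl/ssl6 tests are also skipped whenever the interpreter in $PYTHON3 lacks the ssl module, even though the C client does not need it; gating them on the language as well, e.g. `AT_SKIP_IF([test "$1" = "Python3" && test "$3" = "ssl" && test $SSL_PRESENT != 0])` (and likewise for ssl6), keeps the C coverage. The `$PYTHON3 -c "import ssl"` probe also runs for the tcp variants and writes a traceback to the test log when the module is missing; appending `2>/dev/null` keeps the log quiet. `m4_define([PROTOCOL], ...)` installs a global macro, so any later bare `PROTOCOL` token in this file or in files processed after it is expanded; an `m4_pushdef`/`m4_popdef` pair around the macro body, or a more specific name, would limit that scope.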
>  
>  CHECK_STREAM_OPEN_BLOCK([C], [test-stream], [tcp], [127.0.0.1])
> @@ -2302,6 +2319,12 @@ CHECK_STREAM_OPEN_BLOCK([Python3], [$PYTHON3 
> $srcdir/test-stream.py],
>                          [tcp], [127.0.0.1])
>  CHECK_STREAM_OPEN_BLOCK([Python3], [$PYTHON3 $srcdir/test-stream.py],
>                          [tcp6], [[[::1]]])
> +CHECK_STREAM_OPEN_BLOCK([C], [test-stream], [ssl], [127.0.0.1])
> +CHECK_STREAM_OPEN_BLOCK([C], [test-stream], [ssl6], [[[::1]]])
> +CHECK_STREAM_OPEN_BLOCK([Python3], [$PYTHON3 $srcdir/test-stream.py],
> +                        [ssl], [127.0.0.1])
> +CHECK_STREAM_OPEN_BLOCK([Python3], [$PYTHON3 $srcdir/test-stream.py],
> +                        [ssl6], [[[::1]]])
>  
>  # same as OVSDB_CHECK_IDL but uses Python IDL implementation with tcp
>  # with multiple remotes to assert the idl connects to the leader of the Raft 
> cluster
> diff --git a/tests/test-stream.c b/tests/test-stream.c
> index 68ce2c544..14e3bfe38 100644
> --- a/tests/test-stream.c
> +++ b/tests/test-stream.c
> @@ -19,6 +19,7 @@
>  #include "fatal-signal.h"
>  #include "openvswitch/vlog.h"
>  #include "stream.h"
> +#include "stream-ssl.h"
>  #include "util.h"
>  
>  VLOG_DEFINE_THIS_MODULE(test_stream);
> @@ -33,7 +34,16 @@ main(int argc, char *argv[])
>      set_program_name(argv[0]);
>  
>      if (argc < 2) {
> -        ovs_fatal(0, "usage: %s REMOTE", argv[0]);
> +        ovs_fatal(0, "usage: %s REMOTE [SSL_KEY] [SSL_CERT] [SSL_CA]",
> +                  argv[0]);
> +    }
> +    if (strncmp("ssl:", argv[1], 4) == 0) {
> +        if (argc < 5) {
> +            ovs_fatal(0, "usage with ssl: %s REMOTE SSL_KEY SSL_CERT SSL_CA",
> +                      argv[0]);
> +        }
> +        stream_ssl_set_ca_cert_file(argv[4], false);
> +        stream_ssl_set_key_and_cert(argv[2], argv[3]);
>      }
>  
>      error = stream_open_block(stream_open(argv[1], &stream, DSCP_DEFAULT),
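Review bot: The literal `false` passed to stream_ssl_set_ca_cert_file on the new line gives a reader no hint what it controls; a short comment such as `/* CA file must already exist: no bootstrapping. */` would document it, assuming the second parameter is the bootstrap flag of that API — confirm against stream-ssl.h. strncmp also needs <string.h>, which is not visible in the include hunk above; if the file does not already pull it in, add it. main continues outside the hunk.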
> diff --git a/tests/test-stream.py b/tests/test-stream.py
> index 93d63c019..a6a9c18b2 100644
> --- a/tests/test-stream.py
> +++ b/tests/test-stream.py
> @@ -15,10 +15,28 @@
>  import sys
>  
>  import ovs.stream
> +import ovs.util
>  
>  
>  def main(argv):
> +    if len(argv) < 2:
> +        ovs.util.ovs_fatal(0,
> +                           "usage: %s REMOTE [SSL_KEY] [SSL_CERT] [SSL_CA]",
> +                           argv[0],
> +                           )
>      remote = argv[1]
> +
> +    if remote.startswith("ssl:"):
> +        if len(argv) < 5:
> +            ovs.util.ovs_fatal(
> +                0,
> +                "usage with ssl: %s REMOTE [SSL_KEY] [SSL_CERT] [SSL_CA]",
> +                argv[0],
> +            )
> +        ovs.stream.SSLStream.ssl_set_ca_cert_file(argv[4])
> +        ovs.stream.SSLStream.ssl_set_certificate_file(argv[3])
> +        ovs.stream.SSLStream.ssl_set_private_key_file(argv[2])
> +
>      err, stream = ovs.stream.Stream.open_block(
>              ovs.stream.Stream.open(remote), 10000)
>  
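Review bot: The two ovs.util.ovs_fatal calls added to main pass argv[0] as a separate positional argument, but as far as I recall the Python ovs_fatal/ovs_error signature is (err_no, message, vlog=None), unlike the C ovs_fatal, so the `%s` would never be substituted and argv[0] would be taken as the vlog object — please confirm against the ovs.util module. Formatting the message first, `ovs.util.ovs_fatal(0, "usage: %s REMOTE [SSL_KEY] [SSL_CERT] [SSL_CA]" % argv[0])`, avoids both problems. The second usage text also keeps the square brackets around SSL_KEY/SSL_CERT/SSL_CA although they are mandatory in that branch; the C counterpart drops them, and `"usage with ssl: %s REMOTE SSL_KEY SSL_CERT SSL_CA"` would match it. main continues past the end of the hunk.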

Thanks, Stefan
