From: Aliasgar Ginwala <aginw...@ebay.com> Signed-off-by: Aliasgar Ginwala <aginw...@ebay.com> --- tests/ovn-controller.at | 26 ++++++ tests/ovn.at | 182 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 208 insertions(+)
diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at index 9d2a37c72..df5662527 100644 --- a/tests/ovn-controller.at +++ b/tests/ovn-controller.at @@ -2712,3 +2712,29 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=40 | grep -q controller], [1] OVN_CLEANUP([hv1]) AT_CLEANUP ]) + + +AT_SETUP([ovn-controller - ssl ciphers using command line options]) +AT_KEYWORDS([ovn]) +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" +\\]]"]) +ovn_start + +net_add n1 +sim_add hv1 +ovs-vsctl add-br br-phys +ovn_attach n1 br-phys 192.168.0.20 + +# Set cipher and and it should connect +OVS_APP_EXIT_AND_WAIT([ovn-controller]) +start_daemon ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' + +OVS_WAIT_FOR_OUTPUT([ovn-appctl -t ovn-controller connection-status], [0], [connected +]) + +cat hv1/ovn-controller.log + +OVN_CLEANUP([hv1]) +AT_CLEANUP diff --git a/tests/ovn.at b/tests/ovn.at index c3644ac78..34f277ef9 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -37588,3 +37588,185 @@ OVN_CLEANUP([hv1]) AT_CLEANUP ]) + +AT_SETUP([read-only sb db:pssl access with ssl-ciphers and ssl-protocols]) +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" +\\]]"]) + +: > .$1.db.~lock~ +ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema + +# Add read-only remote to sb ovsdb-server +AT_CHECK( + [ovsdb-tool transact ovn-sb.db \ + ['["OVN_Southbound", + {"op": "insert", + "table": "SB_Global", + "row": { + "connections": ["set", [["named-uuid", "xyz"]]]}}, + {"op": "insert", + "table": "Connection", + "uuid-name": "xyz", + "row": {"target": "pssl:0:127.0.0.1", + "read_only": true}}]']], [0], [ignore], [ignore]) + +start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ + --remote=db:OVN_Southbound,SB_Global,connections \ + --private-key="$PKIDIR/testpki-test2-privkey.pem" \ + --certificate="$PKIDIR/testpki-test2-cert.pem" \ + --ca-cert="$PKIDIR/testpki-cacert.pem" \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + ovn-sb.db + +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) + +# read-only accesses should succeed +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list SB_Global], [0], [stdout], [ignore]) +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list Connection], [0], [stdout], [ignore]) + +# write access should fail +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + chassis-add ch vxlan 1.2.4.8], [1], [ignore], +[ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"} +]) + +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) +AT_CLEANUP + +AT_SETUP([nb connection/ssl commands with ssl-ciphers and ssl-protocols]) +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" +\\]]"]) + +: > .$1.db.~lock~ +ovsdb-tool create ovn-nb.db "$abs_top_srcdir"/ovn-nb.ovsschema + +# Start nb db server using db connection/ssl entries (unpopulated initially) +start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ + --remote=db:OVN_Northbound,NB_Global,connections \ + --private-key=db:OVN_Northbound,SSL,private_key \ + --certificate=db:OVN_Northbound,SSL,certificate \ + --ca-cert=db:OVN_Northbound,SSL,ca_cert \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + ovn-nb.db + +# Populate SSL configuration entries in nb db +AT_CHECK( + [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ + $PKIDIR/testpki-test-cert.pem \ + $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) + +# Populate a passive SSL connection in nb db +AT_CHECK([ovn-nbctl set-connection pssl:0:127.0.0.1], [0], [stdout], [ignore]) + +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) + +# Verify SSL connetivity to nb db server +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list NB_Global], + [0], [stdout], [ignore]) +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list Connection], + [0], [stdout], [ignore]) +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + get-connection], + [0], [stdout], [ignore]) + +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) +AT_CLEANUP + +AT_SETUP([sb connection/ssl commands with ssl-ciphers and ssl-protocols]) +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" +\\]]"]) + +: > .$1.db.~lock~ +ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema + +# Start sb db server using db connection/ssl entries (unpopulated initially) +start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ + --remote=db:OVN_Southbound,SB_Global,connections \ + --private-key=db:OVN_Southbound,SSL,private_key \ + --certificate=db:OVN_Southbound,SSL,certificate \ + --ca-cert=db:OVN_Southbound,SSL,ca_cert \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + ovn-sb.db + +# Populate SSL configuration entries in sb db +AT_CHECK( + [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ + $PKIDIR/testpki-test-cert.pem \ + $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) + +# Populate a passive SSL connection in sb db +AT_CHECK([ovn-sbctl set-connection pssl:0:127.0.0.1], [0], [stdout], [ignore]) + +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) + +# Verify SSL connetivity to sb db server +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list SB_Global], + [0], [stdout], [ignore]) +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list Connection], + [0], [stdout], [ignore]) +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + get-connection], + [0], [stdout], [ignore]) + +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) +AT_CLEANUP -- 2.39.3 (Apple Git-145) _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev