123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451 |
- Subject: Tests: move tang tests to src/pins/tang
- Origin: v15-2-g3dedc5d <https://github.com/latchset/clevis/commit/v15-2-g3dedc5d>
- Upstream-Author: Sergio Correia <scorreia@redhat.com>
- Date: Thu Nov 19 11:54:49 2020 -0300
- So that we can organize them better.
- --- a/src/pins/tang/meson.build
- +++ b/src/pins/tang/meson.build
- @@ -1,33 +1,3 @@
- -actv = find_program(
- - 'systemd-socket-activate',
- - 'systemd-activate',
- - join_paths('/', 'usr', 'lib', 'systemd', 'systemd-activate'),
- - required: false
- -)
- -kgen = find_program(
- - join_paths(libexecdir, 'tangd-keygen'),
- - join_paths(get_option('prefix'), get_option('libdir'), 'tangd-keygen'),
- - join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-keygen'),
- - join_paths('/', 'usr', get_option('libdir'), 'tangd-keygen'),
- - join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
- - required: false
- -)
- -updt = find_program(
- - join_paths(libexecdir, 'tangd-update'),
- - join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
- - join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
- - join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
- - join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
- - required: false
- -)
- -tang = find_program(
- - join_paths(libexecdir, 'tangd'),
- - join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
- - join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd'),
- - join_paths('/', 'usr', get_option('libdir'), 'tangd'),
- - join_paths('/', 'usr', get_option('libexecdir'), 'tangd'),
- - required: false
- -)
- curl = find_program('curl', required: false)
-
- if curl.found()
- @@ -35,22 +5,7 @@
- bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang')
- mans += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang.1')
-
- - if actv.found() and kgen.found() and updt.found() and tang.found()
- - env = environment()
- - env.set('SD_ACTIVATE', actv.path())
- - env.set('TANGD_KEYGEN', kgen.path())
- - env.set('TANGD_UPDATE', updt.path())
- - env.set('TANGD', tang.path())
- - env.prepend('PATH',
- - join_paths(meson.source_root(), 'src'),
- - meson.current_source_dir(),
- - separator: ':'
- - )
- -
- - test('pin-tang', find_program('./pin-tang'), env: env)
- - else
- - warning('Will not run tang tests due to missing dependencies!')
- - endif
- + subdir('tests')
- else
- warning('Will not install tang pin due to missing dependencies!')
- endif
- --- a/src/pins/tang/pin-tang
- +++ /dev/null
- @@ -1,65 +0,0 @@
- -#!/bin/bash -x
- -# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
- -#
- -# Copyright (c) 2016 Red Hat, Inc.
- -# Author: Nathaniel McCallum <npmccallum@redhat.com>
- -#
- -# This program is free software: you can redistribute it and/or modify
- -# it under the terms of the GNU General Public License as published by
- -# the Free Software Foundation, either version 3 of the License, or
- -# (at your option) any later version.
- -#
- -# This program is distributed in the hope that it will be useful,
- -# but WITHOUT ANY WARRANTY; without even the implied warranty of
- -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- -# GNU General Public License for more details.
- -#
- -# You should have received a copy of the GNU General Public License
- -# along with this program. If not, see <http://www.gnu.org/licenses/>.
- -#
- -
- -function on_exit() {
- - if [ "$PID" ]; then kill $PID; wait $PID || true; fi
- - [ -d "$TMP" ] && rm -rf "$TMP"
- -}
- -
- -trap 'on_exit' EXIT
- -trap 'exit' ERR
- -
- -TMP="$(mktemp -d)"
- -mkdir -p "$TMP"/db
- -mkdir -p "$TMP"/cache
- -
- -# Generate the server keys
- -"${TANGD_KEYGEN}" "$TMP"/db sig exc
- -"${TANGD_UPDATE}" "$TMP"/db "$TMP"/cache
- -
- -# Start the server
- -port="$(shuf -i 1024-65536 -n 1)"
- -
- -inetd='--inetd'
- -[ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
- -
- -"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$TMP"/cache &
- -PID=$!
- -sleep 0.25
- -
- -thp="$(jose jwk thp -i "$TMP/db/sig.jwk")"
- -adv="$TMP/cache/default.jws"
- -url="http://localhost:${port}"
- -
- -cfg="$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")"
- -enc="$(echo -n "hi" | clevis encrypt tang "$cfg")"
- -dec="$(echo -n "$enc" | clevis decrypt)"
- -test "$dec" == "hi"
- -
- -cfg="$(printf '{"url":"%s","thp":"%s"}' "$url" "$thp")"
- -enc="$(echo -n "hi" | clevis encrypt tang "$cfg")"
- -dec="$(echo -n "$enc" | clevis decrypt)"
- -test "$dec" == "hi"
- -
- -kill -9 $PID
- -! wait $PID
- -unset PID
- -
- -! echo "$enc" | clevis decrypt
- --- /dev/null
- +++ b/src/pins/tang/tests/meson.build
- @@ -0,0 +1,64 @@
- +kgen = find_program(
- + join_paths(libexecdir, 'tangd-keygen'),
- + join_paths(get_option('prefix'), get_option('libdir'), 'tangd-keygen'),
- + join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-keygen'),
- + join_paths('/', 'usr', get_option('libdir'), 'tangd-keygen'),
- + join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
- + required: false
- +)
- +updt = find_program(
- + join_paths(libexecdir, 'tangd-update'),
- + join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
- + join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
- + join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
- + join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
- + required: false
- +)
- +tang = find_program(
- + join_paths(libexecdir, 'tangd'),
- + join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
- + join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd'),
- + join_paths('/', 'usr', get_option('libdir'), 'tangd'),
- + join_paths('/', 'usr', get_option('libexecdir'), 'tangd'),
- + required: false
- +)
- +
- +socat = find_program('socat', required: false)
- +
- +tang_data = configuration_data()
- +tang_data.set('SOCAT', '')
- +tang_data.set('TANGD_KEYGEN', '')
- +tang_data.set('TANGD_UPDATE', '')
- +tang_data.set('TANGD', '')
- +
- +if socat.found()
- + tang_data.set('SOCAT', socat.path())
- +endif
- +
- +if kgen.found()
- + tang_data.set('TANGD_KEYGEN', kgen.path())
- +endif
- +
- +if tang.found()
- + tang_data.set('TANGD', tang.path())
- +endif
- +
- +if updt.found()
- + tang_data.set('TANGD_UPDATE', updt.path())
- +endif
- +
- +tang_tests_common = configure_file(
- + input: 'tang-common-test-functions.in',
- + output: 'tang-common-test-functions',
- + configuration: tang_data
- +)
- +
- +env = environment()
- +env.prepend('PATH',
- + join_paths(meson.source_root(), 'src'),
- + join_paths(meson.source_root(), 'src', 'pins', 'tang'),
- + join_paths(meson.build_root(), 'src', 'pins', 'tang', 'tests'),
- + separator: ':'
- +)
- +
- +test('pin-tang', find_program('pin-tang'), env: env)
- --- /dev/null
- +++ b/src/pins/tang/tests/pin-tang
- @@ -0,0 +1,55 @@
- +#!/bin/bash -xe
- +# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
- +#
- +# Copyright (c) 2016 Red Hat, Inc.
- +# Author: Nathaniel McCallum <npmccallum@redhat.com>
- +#
- +# This program is free software: you can redistribute it and/or modify
- +# it under the terms of the GNU General Public License as published by
- +# the Free Software Foundation, either version 3 of the License, or
- +# (at your option) any later version.
- +#
- +# This program is distributed in the hope that it will be useful,
- +# but WITHOUT ANY WARRANTY; without even the implied warranty of
- +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- +# GNU General Public License for more details.
- +#
- +# You should have received a copy of the GNU General Public License
- +# along with this program. If not, see <http://www.gnu.org/licenses/>.
- +#
- +
- +. tang-common-test-functions
- +
- +on_exit() {
- + exit_status=$?
- + tang_stop "${TMP}"
- + [ -d "$TMP" ] && rm -rf "$TMP"
- + exit "${exit_status}"
- +}
- +
- +trap 'on_exit' EXIT
- +
- +TMP="$(mktemp -d)"
- +
- +port=$(tang_new_random_port)
- +
- +tang_run "${TMP}" "${port}" sig exc
- +
- +thp="$(jose jwk thp -i "$TMP/db/sig.jwk")"
- +adv="${TMP}/adv.jws"
- +tang_get_adv "${port}" "${adv}"
- +url="http://localhost:${port}"
- +
- +cfg="$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")"
- +enc="$(echo -n "hi" | clevis encrypt tang "$cfg")"
- +dec="$(echo -n "$enc" | clevis decrypt)"
- +test "$dec" == "hi"
- +
- +cfg="$(printf '{"url":"%s","thp":"%s"}' "$url" "$thp")"
- +enc="$(echo -n "hi" | clevis encrypt tang "$cfg")"
- +dec="$(echo -n "$enc" | clevis decrypt)"
- +test "$dec" == "hi"
- +
- +tang_stop "${TMP}"
- +
- +! echo "$enc" | clevis decrypt
- --- /dev/null
- +++ b/src/pins/tang/tests/tang-common-test-functions.in
- @@ -0,0 +1,188 @@
- +#!/bin/bash -ex
- +# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
- +#
- +# Copyright (c) 2020 Red Hat, Inc.
- +# Author: Sergio Correia <scorreia@redhat.com>
- +#
- +# This program is free software: you can redistribute it and/or modify
- +# it under the terms of the GNU General Public License as published by
- +# the Free Software Foundation, either version 3 of the License, or
- +# (at your option) any later version.
- +#
- +# This program is distributed in the hope that it will be useful,
- +# but WITHOUT ANY WARRANTY; without even the implied warranty of
- +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- +# GNU General Public License for more details.
- +#
- +# You should have received a copy of the GNU General Public License
- +# along with this program. If not, see <http://www.gnu.org/licenses/>.
- +#
- +
- +SOCAT="@SOCAT@"
- +TANGD_KEYGEN="@TANGD_KEYGEN@"
- +TANGD_UPDATE="@TANGD_UPDATE@"
- +TANGD="@TANGD@"
- +
- +tang_error() {
- + echo "${1}" >&2
- + exit 1
- +}
- +
- +tang_skip() {
- + echo "${1}" >&2
- + exit 77
- +}
- +
- +tang_sanity_check() {
- + [ -n "${SOCAT}" ] && [ -n "${TANGD_KEYGEN}" ] && \
- + [ -n "${TANGD}" ] && return 0
- + tang_skip "tang is not enabled/supported. Check if you have met all the requirements"
- +}
- +
- +# Creates a tang adv to be used in the tests.
- +tang_create_adv() {
- + local basedir="${1}"
- + local adv="${2:-/dev/stdout}"
- +
- + local SIG="${basedir}/sig.jwk"
- + jose jwk gen --input='{"alg":"ES512"}' --output="${SIG}"
- +
- + local EXC="${basedir}/exc.jwk"
- + jose jwk gen --input='{"alg":"ECMR"}' --output="${EXC}"
- +
- + local TEMPLATE='{"protected":{"cty":"jwk-set+json"}}'
- + jose jwk pub --set --input="${SIG}" --input="${EXC}" \
- + | jose jws sig --detached=- --signature="${TEMPLATE}" \
- + --key="${SIG}" --output="${adv}"
- +}
- +
- +# Get a random port to be used with a test tang server.
- +tang_new_random_port() {
- + tang_sanity_check
- + shuf -i 1024-65535 -n 1
- +}
- +
- +# Removes tang rotated keys from the test server.
- +tang_remove_rotated_keys() {
- + tang_sanity_check
- + local basedir="${1}"
- +
- + [ -z "${basedir}" ] && \
- + tang_error "tang_remove_rotated_keys: please specify 'basedir'"
- +
- + local db="${basedir}/db"
- +
- + mkdir -p "${db}"
- + pushd "${db}"
- + find . -name ".*.jwk" -exec rm -f {} \;
- + popd
- +
- + [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${basedir}/cache"
- + return 0
- +}
- +
- +# Creates new keys for the test tang server.
- +tang_new_keys() {
- + tang_sanity_check
- + local basedir="${1}"
- + local rotate="${2:-}"
- + local sig_name="${3:-}"
- + local exc_name="${4:-}"
- +
- + [ -z "${basedir}" ] && tang_error "tang_new_keys: please specify 'basedir'"
- +
- + local db="${basedir}/db"
- + mkdir -p "${db}"
- +
- + if [ -n "${rotate}" ]; then
- + pushd "${db}"
- + local k
- + k=$(find . -name "*.jwk" | wc -l)
- + if [ "${k}" -gt 0 ]; then
- + for k in *.jwk; do
- + mv -f -- "${k}" ".${k}"
- + done
- + fi
- + popd
- + fi
- +
- + "${TANGD_KEYGEN}" "${db}" ${sig_name} ${exc_name}
- + [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${basedir}/cache"
- +
- + return 0
- +}
- +
- +# Wait for the tang server to be operational.
- +tang_wait_until_ready() {
- + tang_sanity_check
- + local port="${1}"
- +
- + [ -z "${port}" ] && \
- + tang_error "tang_wait_until_ready: please specify 'port'"
- +
- + local max_timeout_in_s=5
- + local start elapsed
- + start="${SECONDS}"
- + while ! curl --output /dev/null --silent --fail \
- + "http://localhost:${port}/adv"; do
- + elapsed=$((SECONDS - start))
- + if [ "${elapsed}" -gt "${max_timeout_in_s}" ]; then
- + tang_error "Timeout (${max_timeout_in_s}s) waiting for tang server"
- + fi
- + sleep 0.1
- + echo -n . >&2
- + done
- +}
- +
- +# Start a test tang server.
- +tang_run() {
- + tang_sanity_check
- + local basedir="${1}"
- + local port="${2}"
- + local sig_name="${3:-}"
- + local exc_name="${4:-}"
- +
- + [ -z "${basedir}" ] && tang_error "tang_run: please specify 'basedir'"
- + [ -z "${port}" ] && tang_error "tang_run: please specify 'port'"
- +
- + if ! tang_new_keys "${basedir}" "" "${sig_name}" "${exc_name}"; then
- + tang_error "Error creating new keys for tang server"
- + fi
- +
- + local KEYS="${basedir}/cache"
- + [ -z "${TANGD_UPDATE}" ] && KEYS="${basedir}/db"
- +
- + local pid pidfile
- + pidfile="${basedir}/tang.pid"
- +
- + "${SOCAT}" -v -v TCP-LISTEN:${port},reuseaddr,fork \
- + exec:"${TANGD} ${KEYS}" &
- +
- + pid=$!
- + echo "${pid}" > "${pidfile}"
- + tang_wait_until_ready "${port}"
- +}
- +
- +# Stop tang server.
- +tang_stop() {
- + tang_sanity_check
- + local basedir="${1}"
- + [ -z "${basedir}" ] && tang_error "tang_stop: please specify 'basedir'"
- +
- + local pidfile="${basedir}/tang.pid"
- + [ -f "${pidfile}" ] || return 0
- +
- + local pid
- + pid=$(<"${pidfile}")
- + kill -9 "${pid}" 2>/dev/null || :
- +}
- +
- +# Get tang advertisement.
- +tang_get_adv() {
- + tang_sanity_check
- + local port="${1}"
- + local adv="${2:-/dev/stdout}"
- +
- + [ -z "${port}" ] && tang_error "tang_get_adv: please specify 'port'"
- + curl -L -o "${adv}" "http://localhost:${port}/adv"
- +}
|