qemu-e2k/tests/qemu-iotests/233

#!/usr/bin/env bash
# group: quick
#
# Test NBD TLS certificate / authorization integration
#
# Copyright (C) 2018-2019 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

# creator
owner=berrange@redhat.com

seq=$(basename $0)
echo "QA output created by $seq"

status=1	# failure is the default!

_cleanup()
{
    nbd_server_stop
    _cleanup_test_img
    # If we aborted early we want to see this log for diagnosis
    test -f "$TEST_DIR/server.log" && cat "$TEST_DIR/server.log"
    rm -f "$TEST_DIR/server.log"
    tls_x509_cleanup
}
trap "_cleanup; exit \$status" 0 1 2 3 15

# get standard environment, filters and checks
. ./common.rc
. ./common.filter
. ./common.pattern
. ./common.tls
. ./common.nbd

_supported_fmt raw qcow2
_supported_proto file
# If porting to non-Linux, consider using socat instead of ss in common.nbd
_require_command QEMU_NBD

tls_x509_init

echo
echo "== preparing TLS creds =="

tls_x509_create_root_ca "ca1"
tls_x509_create_root_ca "ca2"
tls_x509_create_server "ca1" "server1"
tls_x509_create_client "ca1" "client1"
tls_x509_create_client "ca2" "client2"
tls_x509_create_client "ca1" "client3"
tls_psk_create_creds "psk1"
tls_psk_create_creds "psk2"

echo
echo "== preparing image =="
_make_test_img 64M
$QEMU_IO -c 'w -P 0x11 1m 1m' "$TEST_IMG" 2>&1 | _filter_qemu_io

echo
echo "== check TLS client to plain server fails =="
nbd_server_start_tcp_socket -f $IMGFMT "$TEST_IMG" 2> "$TEST_DIR/server.log"

obj=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \
    --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports

nbd_server_stop

echo
echo "== check plain client to TLS server fails =="

nbd_server_start_tcp_socket \
    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
    --tls-creds tls0 \
    -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"

$QEMU_IMG info nbd://localhost:$nbd_tcp_port \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port \
    2>&1 | _filter_qemu_nbd_exports

echo
echo "== check TLS works =="
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
obj2=tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj1 \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_nbd
$QEMU_IMG info --image-opts --object $obj2 \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj1 \
    --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports

echo
echo "== check TLS fail over TCP with mismatched hostname =="
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj1 \
    driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \
    --tls-creds=tls0 | _filter_qemu_nbd_exports

echo
echo "== check TLS works over TCP with mismatched hostname and override =="
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj1 \
    driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0,tls-hostname=127.0.0.1 \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \
    --tls-creds=tls0 --tls-hostname=127.0.0.1 | _filter_qemu_nbd_exports

echo
echo "== check TLS with different CA fails =="
obj=tls-creds-x509,dir=${tls_dir}/client2,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \
    --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports

echo
echo "== perform I/O over TLS =="
QEMU_IO_OPTIONS=$QEMU_IO_OPTIONS_NO_FMT
$QEMU_IO -c 'r -P 0x11 1m 1m' -c 'w -P 0x22 1m 1m' --image-opts \
    --object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_qemu_io

$QEMU_IO -f $IMGFMT -r -U -c 'r -P 0x22 1m 1m' "$TEST_IMG" \
    2>&1 | _filter_qemu_io

echo
echo "== check TLS with authorization =="

nbd_server_stop

nbd_server_start_tcp_socket \
    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
    --object "authz-simple,id=authz0,identity=CN=localhost,, \
      O=Cthulu Dark Lord Enterprises client1,,L=R'lyeh,,C=South Pacific" \
    --tls-authz authz0 \
    --tls-creds tls0 \
    -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"

$QEMU_IMG info --image-opts \
    --object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_nbd

$QEMU_IMG info --image-opts \
    --object tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0 \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_nbd

nbd_server_stop

nbd_server_start_unix_socket \
    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
    --tls-creds tls0 \
    -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"

echo
echo "== check TLS fail over UNIX with no hostname =="
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj1 \
    driver=nbd,path=$nbd_unix_socket,tls-creds=tls0 2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 --tls-creds=tls0 \
    2>&1 | _filter_qemu_nbd_exports

echo
echo "== check TLS works over UNIX with hostname override =="
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj1 \
    driver=nbd,path=$nbd_unix_socket,tls-creds=tls0,tls-hostname=127.0.0.1 \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \
    --tls-creds=tls0 --tls-hostname=127.0.0.1  2>&1 | _filter_qemu_nbd_exports


echo
echo "== check TLS works over UNIX with PSK =="
nbd_server_stop

nbd_server_start_unix_socket \
    --object tls-creds-psk,dir=${tls_dir}/psk1,endpoint=server,id=tls0,verify-peer=on \
    --tls-creds tls0 \
    -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"

obj1=tls-creds-psk,dir=${tls_dir}/psk1,username=psk1,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj1 \
    driver=nbd,path=$nbd_unix_socket,tls-creds=tls0 \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \
    --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports

echo
echo "== check TLS fails over UNIX with mismatch PSK =="
obj1=tls-creds-psk,dir=${tls_dir}/psk2,username=psk2,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj1 \
    driver=nbd,path=$nbd_unix_socket,tls-creds=tls0 \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \
    --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports

echo
echo "== final server log =="
cat "$TEST_DIR/server.log" | _filter_authz_check_tls
rm -f "$TEST_DIR/server.log"

# success, all done
echo "*** done"
rm -f $seq.full
status=0