afcd1c2f2d
Add tests that validate it is possible to connect to an NBD server running TLS mode. Also test mis-matched TLS vs non-TLS connections correctly fail. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20181116155325.22428-7-berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Tested-by: Eric Blake <eblake@redhat.com> [eblake: rebase to iotests shell cleanups, use ss instead of socat for port probing, sanitize port number in expected output] Signed-off-by: Eric Blake <eblake@redhat.com>
103 lines
2.7 KiB
Bash
Executable File
103 lines
2.7 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# Test NBD TLS certificate / authorization integration
|
|
#
|
|
# Copyright (C) 2018 Red Hat, Inc.
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
# creator
|
|
owner=berrange@redhat.com
|
|
|
|
seq=$(basename $0)
|
|
echo "QA output created by $seq"
|
|
|
|
status=1 # failure is the default!
|
|
|
|
_cleanup()
|
|
{
|
|
nbd_server_stop
|
|
_cleanup_test_img
|
|
tls_x509_cleanup
|
|
}
|
|
trap "_cleanup; exit \$status" 0 1 2 3 15
|
|
|
|
# get standard environment, filters and checks
|
|
. ./common.rc
|
|
. ./common.filter
|
|
. ./common.pattern
|
|
. ./common.tls
|
|
. ./common.nbd
|
|
|
|
_supported_fmt raw qcow2
|
|
_supported_proto file
|
|
# If porting to non-Linux, consider using socat instead of ss in common.nbd
|
|
_supported_os Linux
|
|
_require_command QEMU_NBD
|
|
|
|
nbd_server_set_tcp_port
|
|
tls_x509_init
|
|
|
|
echo
|
|
echo "== preparing TLS creds =="
|
|
|
|
tls_x509_create_root_ca "ca1"
|
|
tls_x509_create_root_ca "ca2"
|
|
tls_x509_create_server "ca1" "server1"
|
|
tls_x509_create_client "ca1" "client1"
|
|
tls_x509_create_client "ca2" "client2"
|
|
|
|
echo
|
|
echo "== preparing image =="
|
|
_make_test_img 64M
|
|
|
|
|
|
echo
|
|
echo "== check TLS client to plain server fails =="
|
|
nbd_server_start_tcp_socket "$TEST_IMG"
|
|
|
|
$QEMU_IMG info --image-opts \
|
|
--object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \
|
|
driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
|
|
2>&1 | sed "s/$nbd_tcp_port/PORT/g"
|
|
|
|
nbd_server_stop
|
|
|
|
echo
|
|
echo "== check plain client to TLS server fails =="
|
|
|
|
nbd_server_start_tcp_socket --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes --tls-creds tls0 "$TEST_IMG"
|
|
|
|
$QEMU_IMG info nbd://localhost:$nbd_tcp_port 2>&1 | sed "s/$nbd_tcp_port/PORT/g"
|
|
|
|
echo
|
|
echo "== check TLS works =="
|
|
$QEMU_IMG info --image-opts \
|
|
--object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \
|
|
driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
|
|
2>&1 | sed "s/$nbd_tcp_port/PORT/g"
|
|
|
|
echo
|
|
echo "== check TLS with different CA fails =="
|
|
$QEMU_IMG info --image-opts \
|
|
--object tls-creds-x509,dir=${tls_dir}/client2,endpoint=client,id=tls0 \
|
|
driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
|
|
2>&1 | sed "s/$nbd_tcp_port/PORT/g"
|
|
|
|
# success, all done
|
|
echo "*** done"
|
|
rm -f $seq.full
|
|
status=0
|