[ovs-dev] [PATCH ovn v2 8/9] tests: Make certificate generation extendable

Frode Nordahl frode.nordahl at canonical.com
Fri Mar 5 12:16:30 UTC 2021


In preparation for enabling testing with SSL and RBAC enabled by
default, rework the certificate generation so that we can easily
add generation of more certificates/CN on demand.

A side erffect of the change is a more generic naming scheme for
the certificate files so the patch also contains an update to
existing tests so that they use the new filenames.

Signed-off-by: Frode Nordahl <frode.nordahl at canonical.com>
---
 tests/automake.mk | 48 ++++++++++++++++++++++-------------------------
 tests/ovn.at      | 48 +++++++++++++++++++++++------------------------
 2 files changed, 46 insertions(+), 50 deletions(-)

diff --git a/tests/automake.mk b/tests/automake.mk
index df6d0a2a9..771dddea2 100644
--- a/tests/automake.mk
+++ b/tests/automake.mk
@@ -236,39 +236,35 @@ PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage
 FLAKE8_PYFILES += $(CHECK_PYFILES)
 
 if HAVE_OPENSSL
-TESTPKI_FILES = \
-	tests/testpki-cacert.pem \
-	tests/testpki-cert.pem \
-	tests/testpki-privkey.pem \
-	tests/testpki-req.pem \
-	tests/testpki-cert2.pem \
-	tests/testpki-privkey2.pem \
-	tests/testpki-req2.pem
+OVS_PKI_DIR = $(CURDIR)/tests/pki
+TESTPKI_CNS = test test2
+TESTPKI_FILES = $(shell \
+	for cn in $(TESTPKI_CNS); do \
+		echo tests/testpki-$$cn-cert.pem ; \
+		echo tests/testpki-$$cn-privkey.pem ; \
+		echo tests/testpki-$$cn-req.pem ; \
+	done)
+
+tests/testpki-cacert.pem: tests/pki/stamp
+	$(AM_V_GEN)cp $(OVS_PKI_DIR)/switchca/cacert.pem $@
+
+$(TESTPKI_FILES): tests/pki/stamp
+	$(AM_V_GEN)cp $(OVS_PKI_DIR)/$(notdir $(subst testpki-,,$@)) $@
+
+check_DATA += tests/testpki-cacert.pem
 check_DATA += $(TESTPKI_FILES)
+CLEANFILES += tests/testpki-cacert.pem
 CLEANFILES += $(TESTPKI_FILES)
 
-tests/testpki-cacert.pem: tests/pki/stamp
-	$(AM_V_GEN)cp tests/pki/switchca/cacert.pem $@
-tests/testpki-cert.pem: tests/pki/stamp
-	$(AM_V_GEN)cp tests/pki/test-cert.pem $@
-tests/testpki-req.pem: tests/pki/stamp
-	$(AM_V_GEN)cp tests/pki/test-req.pem $@
-tests/testpki-privkey.pem: tests/pki/stamp
-	$(AM_V_GEN)cp tests/pki/test-privkey.pem $@
-tests/testpki-cert2.pem: tests/pki/stamp
-	$(AM_V_GEN)cp tests/pki/test2-cert.pem $@
-tests/testpki-req2.pem: tests/pki/stamp
-	$(AM_V_GEN)cp tests/pki/test2-req.pem $@
-tests/testpki-privkey2.pem: tests/pki/stamp
-	$(AM_V_GEN)cp tests/pki/test2-privkey.pem $@
-
-OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=tests/pki --log=tests/ovs-pki.log
+
+OVS_PKI = $(SHELL) $(ovs_srcdir)/utilities/ovs-pki.in --dir=$(OVS_PKI_DIR) --log=tests/ovs-pki.log
 tests/pki/stamp:
 	$(AM_V_at)rm -f tests/pki/stamp
 	$(AM_V_at)rm -rf tests/pki
 	$(AM_V_GEN)$(OVS_PKI) init && \
-	$(OVS_PKI) req+sign tests/pki/test && \
-	$(OVS_PKI) req+sign tests/pki/test2 && \
+	for cn in $(TESTPKI_CNS); do \
+		$(OVS_PKI) req+sign tests/pki/$$cn; \
+	done && \
 	: > tests/pki/stamp
 CLEANFILES += tests/ovs-pki.log
 
diff --git a/tests/ovn.at b/tests/ovn.at
index ca9623fee..5cd8b34d7 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -8810,8 +8810,8 @@ AT_CHECK(
 
 start_daemon ovsdb-server --remote=punix:ovn-sb.sock \
                           --remote=db:OVN_Southbound,SB_Global,connections \
-                          --private-key="$PKIDIR/testpki-privkey2.pem" \
-                          --certificate="$PKIDIR/testpki-cert2.pem" \
+                          --private-key="$PKIDIR/testpki-test2-privkey.pem" \
+                          --certificate="$PKIDIR/testpki-test2-cert.pem" \
                           --ca-cert="$PKIDIR/testpki-cacert.pem" \
                           ovn-sb.db
 
@@ -8819,20 +8819,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
 
 # read-only accesses should succeed
 AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
                     list SB_Global], [0], [stdout], [ignore])
 AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
                     list Connection], [0], [stdout], [ignore])
 
 # write access should fail
 AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
                     chassis-add ch vxlan 1.2.4.8], [1], [ignore],
 [ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"}
@@ -8860,8 +8860,8 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \
 
 # Populate SSL configuration entries in nb db
 AT_CHECK(
-    [ovn-nbctl set-ssl $PKIDIR/testpki-privkey.pem \
-                       $PKIDIR/testpki-cert.pem \
+    [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
+                       $PKIDIR/testpki-test-cert.pem \
                        $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
 
 # Populate a passive SSL connection in nb db
@@ -8871,20 +8871,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
 
 # Verify SSL connetivity to nb db server
 AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
           list NB_Global],
          [0], [stdout], [ignore])
 AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
           list Connection],
          [0], [stdout], [ignore])
 AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
           get-connection],
          [0], [stdout], [ignore])
@@ -8911,8 +8911,8 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \
 
 # Populate SSL configuration entries in sb db
 AT_CHECK(
-    [ovn-sbctl set-ssl $PKIDIR/testpki-privkey.pem \
-                       $PKIDIR/testpki-cert.pem \
+    [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
+                       $PKIDIR/testpki-test-cert.pem \
                        $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
 
 # Populate a passive SSL connection in sb db
@@ -8922,20 +8922,20 @@ PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
 
 # Verify SSL connetivity to sb db server
 AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
           list SB_Global],
          [0], [stdout], [ignore])
 AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
           list Connection],
          [0], [stdout], [ignore])
 AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
-                    --private-key=$PKIDIR/testpki-privkey.pem \
-                    --certificate=$PKIDIR/testpki-cert.pem \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
                     --ca-cert=$PKIDIR/testpki-cacert.pem \
           get-connection],
          [0], [stdout], [ignore])
-- 
2.30.0



More information about the dev mailing list