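#!/usr/bin/env bash
# group: quick
#
# Test NBD TLS certificate / authorization integration
#
# Copyright (C) 2018-2019 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#

# creator
owner=berrange@redhat.com

# Test name taken from this script's own filename; it heads the QA output
# and names the "$seq.full" log removed at the end of the run.  "$0" is
# quoted so an unusual script path is neither word-split nor globbed.
seq=$(basename "$0")
echo "QA output created by $seq"

# Exit status handed to the EXIT trap: stays 1 (failure) unless the very
# last line of the script is reached and sets it to 0.
status=1 # failure is the default!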
| 29 | |
# Trap handler (see the trap below): stop the NBD server, remove the test
# image, surface a leftover server log, and discard the generated TLS
# material.  The log only still exists if the script aborted before the
# "final server log" section consumed and deleted it.
_cleanup()
{
    nbd_server_stop
    _cleanup_test_img
    local server_log="$TEST_DIR/server.log"
    # If we aborted early we want to see this log for diagnosis
    if [[ -f "$server_log" ]]; then
        cat "$server_log"
    fi
    rm -f "$server_log"
    tls_x509_cleanup
}
# Run _cleanup on normal exit and on HUP/INT/QUIT/TERM so an interrupted
# run still stops the server and wipes the generated keys.  Single quotes
# keep "$status" unexpanded until the trap fires, so the final status=0 is
# what gets reported.
trap '_cleanup; exit $status' 0 1 2 3 15

# get standard environment, filters and checks
source ./common.rc
source ./common.filter
source ./common.pattern
source ./common.tls
source ./common.nbd

_supported_fmt raw qcow2
_supported_proto file
# If porting to non-Linux, consider using socat instead of ss in common.nbd
_require_command QEMU_NBD

# Sets up the scratch directory the tls_x509_* / tls_psk_* helpers write
# into (referenced below as ${tls_dir}).
tls_x509_init
| 54 | |
echo
echo "== preparing TLS creds =="

# Two independent CAs.  server1, client1 and client3 are issued by ca1;
# client2 is issued by ca2, so a server trusting only ca1 must reject it
# (exercised in the "different CA fails" section).
for ca in ca1 ca2; do
    tls_x509_create_root_ca "$ca"
done
tls_x509_create_server "ca1" "server1"
tls_x509_create_client "ca1" "client1"
tls_x509_create_client "ca2" "client2"
tls_x509_create_client "ca1" "client3"
# Two unrelated pre-shared-key sets: one for the matching-PSK case, one to
# prove a wrong key is refused.
for psk in psk1 psk2; do
    tls_psk_create_creds "$psk"
done
Daniel P. Berrangé | afcd1c2 | 2018-11-16 15:53:25 +0000 | [diff] [blame] | 66 | |
echo
echo "== preparing image =="
_make_test_img 64M
# Seed 1 MiB of pattern 0x11 at offset 1 MiB; the "perform I/O over TLS"
# section reads this back through the NBD/TLS path later.
seed_cmd=(-c 'w -P 0x11 1m 1m')
$QEMU_IO "${seed_cmd[@]}" "$TEST_IMG" 2>&1 | _filter_qemu_io
Daniel P. Berrangé | afcd1c2 | 2018-11-16 15:53:25 +0000 | [diff] [blame] | 71 | |
echo
echo "== check TLS client to plain server fails =="
# Server started with no --tls-creds at all.  Its stderr is captured into
# server.log (truncating here; later starts append) so the "final server
# log" section can print everything the server reported.
nbd_server_start_tcp_socket -f $IMGFMT "$TEST_IMG" 2> "$TEST_DIR/server.log"

# A client configured for TLS must not silently fall back to plaintext when
# the server never offers TLS; both qemu-img and qemu-nbd -L are expected
# to fail.  Addresses/ports in the messages are normalised by the filters.
obj=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
tcp_target=driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0
$QEMU_IMG info --image-opts --object "$obj" "$tcp_target" 2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object "$obj" \
    --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports

nbd_server_stop
| 84 | |
echo
echo "== check plain client to TLS server fails =="

# From here on the server requires TLS.  verify-peer=on on a server
# endpoint also makes it validate the client's certificate (the
# "authorization" section below relies on that).  stderr is appended to
# the log started by the previous section.
nbd_server_start_tcp_socket \
    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
    --tls-creds tls0 \
    -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"

# Neither client passes --tls-creds, so the server must refuse them rather
# than downgrade to an unencrypted session.
$QEMU_IMG info nbd://localhost:$nbd_tcp_port 2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port 2>&1 \
    | _filter_qemu_nbd_exports
Daniel P. Berrangé | afcd1c2 | 2018-11-16 15:53:25 +0000 | [diff] [blame] | 97 | |
echo
echo "== check TLS works =="
# client1 and client3 are both issued by ca1, which server1 trusts, so
# both must be able to query the export; client1 additionally lists the
# exports with qemu-nbd -L.
tcp_target=driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0
for client in client1 client3; do
    $QEMU_IMG info --image-opts \
        --object tls-creds-x509,dir=${tls_dir}/$client,endpoint=client,id=tls0 \
        "$tcp_target" 2>&1 | _filter_nbd
done
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object "$obj1" \
    --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports
Daniel P. Berrangé | afcd1c2 | 2018-11-16 15:53:25 +0000 | [diff] [blame] | 110 | |
echo
echo "== check TLS fail over TCP with mismatched hostname =="
# Same server, but the client dials "localhost" instead of $nbd_tcp_addr.
# server1's certificate presumably names 127.0.0.1 (the value the override
# section below supplies), so with no tls-hostname the name check must fail
# even though the CA is trusted.
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object "$obj1" \
    driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0 2>&1 \
    | _filter_nbd
# NOTE(review): unlike the other qemu-nbd -L invocations in this test,
# stderr is not merged into the pipe here, so the error text goes straight
# to the script's stderr and bypasses _filter_qemu_nbd_exports.
$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object "$obj1" \
    --tls-creds=tls0 | _filter_qemu_nbd_exports
| 119 | |
echo
echo "== check TLS works over TCP with mismatched hostname and override =="
# Still dialing "localhost", but tls-hostname=127.0.0.1 tells the client
# which name to verify the server certificate against, so the same
# connection that failed above must now succeed.
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
override_target=driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0,tls-hostname=127.0.0.1
$QEMU_IMG info --image-opts --object "$obj1" "$override_target" 2>&1 \
    | _filter_nbd
# NOTE(review): stderr is not merged into the pipe here (cf. the other
# qemu-nbd -L calls); any error text bypasses the export filter.
$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object "$obj1" \
    --tls-creds=tls0 --tls-hostname=127.0.0.1 | _filter_qemu_nbd_exports
| 128 | |
echo
echo "== check TLS with different CA fails =="
# client2 is issued by ca2, which server1 (trusting ca1) does not accept;
# the server is verifying the peer, so the handshake must be rejected.
obj=tls-creds-x509,dir=${tls_dir}/client2,endpoint=client,id=tls0
tcp_target=driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0
$QEMU_IMG info --image-opts --object "$obj" "$tcp_target" 2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object "$obj" \
    --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports
Daniel P. Berrangé | afcd1c2 | 2018-11-16 15:53:25 +0000 | [diff] [blame] | 137 | |
echo
echo "== perform I/O over TLS =="
# Switch the qemu-io wrapper to the option set without a format flag
# (presumably what the _NO_FMT variant from common.rc is) because the NBD
# target below is described entirely through --image-opts.
QEMU_IO_OPTIONS=$QEMU_IO_OPTIONS_NO_FMT
client_creds=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
tcp_target=driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0
# Over the TLS session: read back the 0x11 pattern seeded on the image,
# then overwrite that same 1 MiB with 0x22.
$QEMU_IO -c 'r -P 0x11 1m 1m' -c 'w -P 0x22 1m 1m' --image-opts \
    --object "$client_creds" "$tcp_target" 2>&1 | _filter_qemu_io

# Confirm on the local image (read-only, -U force-share so the open is
# allowed while the NBD server still has the file) that the 0x22 write
# really reached the backing image.
$QEMU_IO -f $IMGFMT -r -U -c 'r -P 0x22 1m 1m' "$TEST_IMG" 2>&1 \
    | _filter_qemu_io
Eric Blake | bb39c47 | 2018-11-17 20:24:03 -0600 | [diff] [blame] | 148 | |
echo
echo "== check TLS with authorization =="

nbd_server_stop

# Restart with an authz-simple policy attached via --tls-authz: the only
# identity allowed is the distinguished name of client1's certificate.
# A literal comma inside the DN is written as ",," because a single comma
# separates QEMU option key=value pairs.  The continuation line must stay
# at column 0: it sits inside the double-quoted string, so any indentation
# would become part of the identity.
nbd_server_start_tcp_socket \
    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
    --object "authz-simple,id=authz0,identity=CN=localhost,, \
O=Cthulu Dark Lord Enterprises client1,,L=R'lyeh,,C=South Pacific" \
    --tls-authz authz0 \
    --tls-creds tls0 \
    -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"

# client1 matches the policy and must be admitted.  client3 is issued by
# the same trusted CA, so it should pass the TLS handshake and be turned
# away by the authorization check instead.
tcp_target=driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0
for client in client1 client3; do
    $QEMU_IMG info --image-opts \
        --object tls-creds-x509,dir=${tls_dir}/$client,endpoint=client,id=tls0 \
        "$tcp_target" 2>&1 | _filter_nbd
done
Daniel P. Berrange | b25e12d | 2019-02-27 16:20:33 +0000 | [diff] [blame] | 171 | |
nbd_server_stop

# Same TLS server configuration (client certificate verification on), but
# now listening on a UNIX socket, where the client has no peer hostname
# to verify the server certificate against.
nbd_server_start_unix_socket \
    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
    --tls-creds tls0 \
    -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"
| 178 | |
echo
echo "== check TLS fail over UNIX with no hostname =="
# Without a tls-hostname there is nothing to check the server certificate's
# name against on a UNIX socket, so the client must refuse to proceed
# rather than skip verification.
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
unix_target=driver=nbd,path=$nbd_unix_socket,tls-creds=tls0
$QEMU_IMG info --image-opts --object "$obj1" "$unix_target" 2>&1 \
    | _filter_nbd
$QEMU_NBD_PROG -L -k $nbd_unix_socket --object "$obj1" --tls-creds=tls0 2>&1 \
    | _filter_qemu_nbd_exports
| 186 | |
echo
echo "== check TLS works over UNIX with hostname override =="
# Supplying tls-hostname=127.0.0.1 gives the client an explicit name to
# verify against, so the same UNIX-socket connection now succeeds.
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
unix_target=driver=nbd,path=$nbd_unix_socket,tls-creds=tls0,tls-hostname=127.0.0.1
$QEMU_IMG info --image-opts --object "$obj1" "$unix_target" 2>&1 \
    | _filter_nbd
$QEMU_NBD_PROG -L -k $nbd_unix_socket --object "$obj1" \
    --tls-creds=tls0 --tls-hostname=127.0.0.1 2>&1 | _filter_qemu_nbd_exports
| 195 | |
Daniel P. Berrangé | 10cc95c | 2022-03-04 19:36:10 +0000 | [diff] [blame] | 196 | |
echo
echo "== check TLS works over UNIX with PSK =="
nbd_server_stop

# Pre-shared-key TLS instead of x509: the server is loaded with the psk1
# key set and still verifies the peer.
nbd_server_start_unix_socket \
    --object tls-creds-psk,dir=${tls_dir}/psk1,endpoint=server,id=tls0,verify-peer=on \
    --tls-creds tls0 \
    -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"

# A client presenting the matching psk1 identity and key must get in.
obj1=tls-creds-psk,dir=${tls_dir}/psk1,username=psk1,endpoint=client,id=tls0
unix_target=driver=nbd,path=$nbd_unix_socket,tls-creds=tls0
$QEMU_IMG info --image-opts --object "$obj1" "$unix_target" 2>&1 \
    | _filter_nbd
$QEMU_NBD_PROG -L -k $nbd_unix_socket --object "$obj1" \
    --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports
| 212 | |
echo
echo "== check TLS fails over UNIX with mismatch PSK =="
# The unrelated psk2 key set must be rejected by a server holding psk1.
obj1=tls-creds-psk,dir=${tls_dir}/psk2,username=psk2,endpoint=client,id=tls0
unix_target=driver=nbd,path=$nbd_unix_socket,tls-creds=tls0
$QEMU_IMG info --image-opts --object "$obj1" "$unix_target" 2>&1 \
    | _filter_nbd
$QEMU_NBD_PROG -L -k $nbd_unix_socket --object "$obj1" \
    --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports
| 221 | |
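echo
echo "== final server log =="
# Print everything the servers wrote to stderr across all the sections,
# normalised by _filter_authz_check_tls.  The log is fed by redirection
# rather than piped from cat.  Removing it afterwards keeps the EXIT trap
# (_cleanup) from printing it a second time.
_filter_authz_check_tls < "$TEST_DIR/server.log"
rm -f "$TEST_DIR/server.log"

# success, all done
echo "*** done"
# Quoted and with "--": $seq comes from the script name and must not be
# word-split, globbed, or parsed as an option.
rm -f -- "$seq.full"
# Reached only on success; the EXIT trap reports this value.
status=0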