blob: 55db5b3811fdd40d8d67d6919bb4d44ddcfc4ba5 [file] [log] [blame]
Philippe Mathieu-Daudé11a82d12019-03-07 15:58:38 +01001#!/usr/bin/env bash
Vladimir Sementsov-Ogievskiy9dd003a2021-01-16 16:44:19 +03002# group: quick
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +00003#
4# Test NBD TLS certificate / authorization integration
5#
Eric Blaked0898052019-01-17 13:36:38 -06006# Copyright (C) 2018-2019 Red Hat, Inc.
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +00007#
8# This program is free software; you can redistribute it and/or modify
9# it under the terms of the GNU General Public License as published by
10# the Free Software Foundation; either version 2 of the License, or
11# (at your option) any later version.
12#
13# This program is distributed in the hope that it will be useful,
14# but WITHOUT ANY WARRANTY; without even the implied warranty of
15# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16# GNU General Public License for more details.
17#
18# You should have received a copy of the GNU General Public License
19# along with this program. If not, see <http://www.gnu.org/licenses/>.
20#
21
22# creator
23owner=berrange@redhat.com
24
25seq=$(basename $0)
26echo "QA output created by $seq"
27
28status=1 # failure is the default!
29
30_cleanup()
31{
32 nbd_server_stop
33 _cleanup_test_img
Daniel P. Berrangé84f8b842019-02-20 14:58:18 +000034 # If we aborted early we want to see this log for diagnosis
35 test -f "$TEST_DIR/server.log" && cat "$TEST_DIR/server.log"
Eric Blaked0898052019-01-17 13:36:38 -060036 rm -f "$TEST_DIR/server.log"
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +000037 tls_x509_cleanup
38}
39trap "_cleanup; exit \$status" 0 1 2 3 15
40
41# get standard environment, filters and checks
42. ./common.rc
43. ./common.filter
44. ./common.pattern
45. ./common.tls
46. ./common.nbd
47
48_supported_fmt raw qcow2
49_supported_proto file
50# If porting to non-Linux, consider using socat instead of ss in common.nbd
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +000051_require_command QEMU_NBD
52
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +000053tls_x509_init
54
55echo
56echo "== preparing TLS creds =="
57
58tls_x509_create_root_ca "ca1"
59tls_x509_create_root_ca "ca2"
60tls_x509_create_server "ca1" "server1"
61tls_x509_create_client "ca1" "client1"
62tls_x509_create_client "ca2" "client2"
Daniel P. Berrangeb25e12d2019-02-27 16:20:33 +000063tls_x509_create_client "ca1" "client3"
Daniel P. Berrangé10cc95c2022-03-04 19:36:10 +000064tls_psk_create_creds "psk1"
65tls_psk_create_creds "psk2"
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +000066
67echo
68echo "== preparing image =="
69_make_test_img 64M
Daniel P. Berrangéebc01412022-03-04 19:36:07 +000070$QEMU_IO -c 'w -P 0x11 1m 1m' "$TEST_IMG" 2>&1 | _filter_qemu_io
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +000071
72echo
73echo "== check TLS client to plain server fails =="
Eric Blaked0898052019-01-17 13:36:38 -060074nbd_server_start_tcp_socket -f $IMGFMT "$TEST_IMG" 2> "$TEST_DIR/server.log"
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +000075
Eric Blakeddd09442019-01-17 13:36:58 -060076obj=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
77$QEMU_IMG info --image-opts --object $obj \
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +000078 driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
Daniel P. Berrangéebc01412022-03-04 19:36:07 +000079 2>&1 | _filter_nbd
Eric Blakeddd09442019-01-17 13:36:58 -060080$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \
Daniel P. Berrangéebc01412022-03-04 19:36:07 +000081 --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +000082
83nbd_server_stop
84
85echo
86echo "== check plain client to TLS server fails =="
87
Daniel P. Berrangée4c8f292018-11-20 17:56:46 +000088nbd_server_start_tcp_socket \
Daniel P. Berrangé4d7beea2020-11-04 13:57:21 +000089 --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
Daniel P. Berrangée4c8f292018-11-20 17:56:46 +000090 --tls-creds tls0 \
Eric Blaked0898052019-01-17 13:36:38 -060091 -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +000092
Daniel P. Berrangéebc01412022-03-04 19:36:07 +000093$QEMU_IMG info nbd://localhost:$nbd_tcp_port \
94 2>&1 | _filter_nbd
95$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port \
96 2>&1 | _filter_qemu_nbd_exports
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +000097
98echo
99echo "== check TLS works =="
Daniel P. Berrangeb25e12d2019-02-27 16:20:33 +0000100obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
101obj2=tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0
102$QEMU_IMG info --image-opts --object $obj1 \
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +0000103 driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
Daniel P. Berrangéebc01412022-03-04 19:36:07 +0000104 2>&1 | _filter_nbd
Daniel P. Berrangeb25e12d2019-02-27 16:20:33 +0000105$QEMU_IMG info --image-opts --object $obj2 \
106 driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
Daniel P. Berrangéebc01412022-03-04 19:36:07 +0000107 2>&1 | _filter_nbd
Daniel P. Berrangeb25e12d2019-02-27 16:20:33 +0000108$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj1 \
Daniel P. Berrangéebc01412022-03-04 19:36:07 +0000109 --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +0000110
111echo
Daniel P. Berrangé3da93d42022-03-04 19:36:08 +0000112echo "== check TLS fail over TCP with mismatched hostname =="
113obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
114$QEMU_IMG info --image-opts --object $obj1 \
115 driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0 \
116 2>&1 | _filter_nbd
117$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \
118 --tls-creds=tls0 | _filter_qemu_nbd_exports
119
120echo
121echo "== check TLS works over TCP with mismatched hostname and override =="
122obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
123$QEMU_IMG info --image-opts --object $obj1 \
124 driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0,tls-hostname=127.0.0.1 \
125 2>&1 | _filter_nbd
126$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \
127 --tls-creds=tls0 --tls-hostname=127.0.0.1 | _filter_qemu_nbd_exports
128
129echo
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +0000130echo "== check TLS with different CA fails =="
Eric Blakeddd09442019-01-17 13:36:58 -0600131obj=tls-creds-x509,dir=${tls_dir}/client2,endpoint=client,id=tls0
132$QEMU_IMG info --image-opts --object $obj \
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +0000133 driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
Daniel P. Berrangéebc01412022-03-04 19:36:07 +0000134 2>&1 | _filter_nbd
Eric Blakeddd09442019-01-17 13:36:58 -0600135$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \
Daniel P. Berrangéebc01412022-03-04 19:36:07 +0000136 --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +0000137
Eric Blakebb39c472018-11-17 20:24:03 -0600138echo
139echo "== perform I/O over TLS =="
140QEMU_IO_OPTIONS=$QEMU_IO_OPTIONS_NO_FMT
141$QEMU_IO -c 'r -P 0x11 1m 1m' -c 'w -P 0x22 1m 1m' --image-opts \
142 --object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \
143 driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
144 2>&1 | _filter_qemu_io
145
Daniel P. Berrangéebc01412022-03-04 19:36:07 +0000146$QEMU_IO -f $IMGFMT -r -U -c 'r -P 0x22 1m 1m' "$TEST_IMG" \
147 2>&1 | _filter_qemu_io
Eric Blakebb39c472018-11-17 20:24:03 -0600148
Eric Blaked0898052019-01-17 13:36:38 -0600149echo
Daniel P. Berrangeb25e12d2019-02-27 16:20:33 +0000150echo "== check TLS with authorization =="
151
152nbd_server_stop
153
154nbd_server_start_tcp_socket \
Daniel P. Berrangé4d7beea2020-11-04 13:57:21 +0000155 --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
Daniel P. Berrangeb25e12d2019-02-27 16:20:33 +0000156 --object "authz-simple,id=authz0,identity=CN=localhost,, \
157 O=Cthulu Dark Lord Enterprises client1,,L=R'lyeh,,C=South Pacific" \
158 --tls-authz authz0 \
159 --tls-creds tls0 \
160 -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"
161
162$QEMU_IMG info --image-opts \
163 --object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \
Max Reitz876df722019-05-06 18:05:29 +0200164 driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
Daniel P. Berrangéebc01412022-03-04 19:36:07 +0000165 2>&1 | _filter_nbd
Daniel P. Berrangeb25e12d2019-02-27 16:20:33 +0000166
167$QEMU_IMG info --image-opts \
168 --object tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0 \
Max Reitz876df722019-05-06 18:05:29 +0200169 driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
Daniel P. Berrangéebc01412022-03-04 19:36:07 +0000170 2>&1 | _filter_nbd
Daniel P. Berrangeb25e12d2019-02-27 16:20:33 +0000171
Daniel P. Berrangéf0620832022-03-04 19:36:09 +0000172nbd_server_stop
173
174nbd_server_start_unix_socket \
175 --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
176 --tls-creds tls0 \
177 -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"
178
179echo
180echo "== check TLS fail over UNIX with no hostname =="
181obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
182$QEMU_IMG info --image-opts --object $obj1 \
183 driver=nbd,path=$nbd_unix_socket,tls-creds=tls0 2>&1 | _filter_nbd
184$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 --tls-creds=tls0 \
185 2>&1 | _filter_qemu_nbd_exports
186
187echo
188echo "== check TLS works over UNIX with hostname override =="
189obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
190$QEMU_IMG info --image-opts --object $obj1 \
191 driver=nbd,path=$nbd_unix_socket,tls-creds=tls0,tls-hostname=127.0.0.1 \
192 2>&1 | _filter_nbd
193$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \
194 --tls-creds=tls0 --tls-hostname=127.0.0.1 2>&1 | _filter_qemu_nbd_exports
195
Daniel P. Berrangé10cc95c2022-03-04 19:36:10 +0000196
197echo
198echo "== check TLS works over UNIX with PSK =="
199nbd_server_stop
200
201nbd_server_start_unix_socket \
202 --object tls-creds-psk,dir=${tls_dir}/psk1,endpoint=server,id=tls0,verify-peer=on \
203 --tls-creds tls0 \
204 -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"
205
206obj1=tls-creds-psk,dir=${tls_dir}/psk1,username=psk1,endpoint=client,id=tls0
207$QEMU_IMG info --image-opts --object $obj1 \
208 driver=nbd,path=$nbd_unix_socket,tls-creds=tls0 \
209 2>&1 | _filter_nbd
210$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \
211 --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports
212
213echo
214echo "== check TLS fails over UNIX with mismatch PSK =="
215obj1=tls-creds-psk,dir=${tls_dir}/psk2,username=psk2,endpoint=client,id=tls0
216$QEMU_IMG info --image-opts --object $obj1 \
217 driver=nbd,path=$nbd_unix_socket,tls-creds=tls0 \
218 2>&1 | _filter_nbd
219$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \
220 --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports
221
Daniel P. Berrangeb25e12d2019-02-27 16:20:33 +0000222echo
Eric Blaked0898052019-01-17 13:36:38 -0600223echo "== final server log =="
Daniel P. Berrangéa6d2bb22021-08-04 19:03:30 +0100224cat "$TEST_DIR/server.log" | _filter_authz_check_tls
Daniel P. Berrangé84f8b842019-02-20 14:58:18 +0000225rm -f "$TEST_DIR/server.log"
Eric Blaked0898052019-01-17 13:36:38 -0600226
Daniel P. Berrangéafcd1c22018-11-16 15:53:25 +0000227# success, all done
228echo "*** done"
229rm -f $seq.full
230status=0