#!/usr/bin/env bash
# group: quick
#
# Test NBD TLS certificate / authorization integration
#
# What this test exercises (each section below is a separate check):
#   * a TLS-only client against a plain-text NBD server, and a plain client
#     against a TLS-only server, are both refused (no silent downgrade);
#   * mutual x509 TLS (server started with verify-peer=on, so the client
#     must present a certificate the server's CA trusts);
#   * hostname verification over TCP, and the tls-hostname override that
#     tells the client which name to verify the server certificate against;
#   * a client certificate issued by a different CA is refused;
#   * real I/O through the TLS channel, then verified on the backing image;
#   * authz-simple: a client whose certificate is trusted by the CA but whose
#     DN does not match the configured identity is still denied (CA trust is
#     authentication, not authorization);
#   * x509 over a UNIX socket (no hostname unless overridden) and PSK, with
#     a mismatched PSK refused.
#
# Copyright (C) 2018-2019 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

# creator
owner=berrange@redhat.com

seq=$(basename $0)
echo "QA output created by $seq"

status=1        # failure is the default!

# Runs from the EXIT/signal trap below on every exit path: stops whatever
# qemu-nbd instance is still running, removes the test image, dumps and
# deletes the server log, and calls tls_x509_cleanup (from common.tls) so the
# generated CA/server/client key material does not outlive the test run.
_cleanup()
{
    nbd_server_stop
    _cleanup_test_img
    # If we aborted early we want to see this log for diagnosis
    test -f "$TEST_DIR/server.log" && cat "$TEST_DIR/server.log"
    rm -f "$TEST_DIR/server.log"
    tls_x509_cleanup
}
# \$status is escaped so it is expanded when the trap fires, not now:
# the script exits 1 unless it reaches the final "status=0" line.
trap "_cleanup; exit \$status" 0 1 2 3 15

# get standard environment, filters and checks
. ./common.rc
. ./common.filter
. ./common.pattern
. ./common.tls
. ./common.nbd

_supported_fmt raw qcow2
_supported_proto file
# If porting to non-Linux, consider using socat instead of ss in common.nbd
_require_command QEMU_NBD

tls_x509_init

echo
echo "== preparing TLS creds =="

# Two independent root CAs.  server1, client1 and client3 are all issued by
# ca1; client2 is issued by ca2.  client2 therefore tests the CA trust
# boundary, while client3 (trusted CA, different subject) tests that the
# authz identity check is stricter than CA trust.
tls_x509_create_root_ca "ca1"
tls_x509_create_root_ca "ca2"
tls_x509_create_server "ca1" "server1"
tls_x509_create_client "ca1" "client1"
tls_x509_create_client "ca2" "client2"
tls_x509_create_client "ca1" "client3"
# Two distinct pre-shared keys; psk2 is only used to check that a
# mismatched key is refused.
tls_psk_create_creds "psk1"
tls_psk_create_creds "psk2"

echo
echo "== preparing image =="
_make_test_img 64M
# Known pattern at 1m..2m so the later read over TLS can be verified.
$QEMU_IO -c 'w -P 0x11 1m 1m' "$TEST_IMG" 2>&1 | _filter_qemu_io

echo
echo "== check TLS client to plain server fails =="
# Server started with no --tls-creds at all; a client that was told to use
# TLS must refuse to talk to it rather than fall back to plain text.
# Server stderr is collected in server.log and printed at the end so the
# server-side refusal reasons are part of the compared output.
nbd_server_start_tcp_socket -f $IMGFMT "$TEST_IMG" 2> "$TEST_DIR/server.log"

obj=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \
    --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports

nbd_server_stop

echo
echo "== check plain client to TLS server fails =="

# verify-peer=on on the server side makes this mutual TLS: the server
# demands a client certificate chained to its CA.  This server instance is
# reused by every TCP x509 check down to the authorization section.
nbd_server_start_tcp_socket \
    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
    --tls-creds tls0 \
    -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"

# Clients with no tls-creds at all must be rejected by the TLS-only server.
$QEMU_IMG info nbd://localhost:$nbd_tcp_port \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port \
    2>&1 | _filter_qemu_nbd_exports

echo
echo "== check TLS works =="
# Both client1 and client3 are issued by ca1, so with no authz object on
# the server both are accepted here.
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
obj2=tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj1 \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_nbd
$QEMU_IMG info --image-opts --object $obj2 \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj1 \
    --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports

echo
echo "== check TLS fail over TCP with mismatched hostname =="
# Connecting to "localhost" instead of $nbd_tcp_addr: the server1
# certificate evidently is not issued for that name, so hostname
# verification must fail even though the CA is trusted.
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj1 \
    driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_nbd
# NOTE(review): unlike every other qemu-nbd invocation in this file this
# one (and the override case below) has no "2>&1", so the failure message
# reaches the harness's stderr unfiltered instead of going through
# _filter_qemu_nbd_exports.  Left as-is because the expected-output file
# presumably depends on it; confirm before "fixing".
$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \
    --tls-creds=tls0 | _filter_qemu_nbd_exports

echo
echo "== check TLS works over TCP with mismatched hostname and override =="
# tls-hostname=127.0.0.1 substitutes the name the server certificate is
# verified against; it does not turn verification off.  Same connection
# as the failing case above, now accepted because the override matches.
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj1 \
    driver=nbd,host=localhost,port=$nbd_tcp_port,tls-creds=tls0,tls-hostname=127.0.0.1 \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \
    --tls-creds=tls0 --tls-hostname=127.0.0.1 | _filter_qemu_nbd_exports

echo
echo "== check TLS with different CA fails =="
# client2 was issued by ca2; the server trusts ca1 only (and client2's
# credential directory presumably trusts ca2 only), so the handshake fails
# in at least one direction.
obj=tls-creds-x509,dir=${tls_dir}/client2,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \
    --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports

echo
echo "== perform I/O over TLS =="
# Drop the format option from QEMU_IO_OPTIONS: the NBD export is opened
# through --image-opts, not as a $IMGFMT file.
QEMU_IO_OPTIONS=$QEMU_IO_OPTIONS_NO_FMT
# Read back the 0x11 pattern written earlier, then overwrite it with 0x22,
# all through the TLS channel.
$QEMU_IO -c 'r -P 0x11 1m 1m' -c 'w -P 0x22 1m 1m' --image-opts \
    --object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_qemu_io

# Confirm the write landed in the backing image.  -r -U opens it read-only
# and force-shared, since qemu-nbd still holds the image open.
$QEMU_IO -f $IMGFMT -r -U -c 'r -P 0x22 1m 1m' "$TEST_IMG" \
    2>&1 | _filter_qemu_io

echo
echo "== check TLS with authorization =="

nbd_server_stop

# Restart the server with an authz-simple object: after the TLS handshake
# the client certificate's DN is compared against "identity" and only an
# exact match is allowed to negotiate.  ",," is the QemuOpts escape for a
# literal comma inside the value.  The intent is that client1 matches and
# client3 (same CA, different O=) is denied.
# NOTE(review): the identity value is split across a backslash-newline
# inside double quotes.  bash removes the backslash-newline pair but keeps
# whatever indentation precedes "O=Cthulu" on the continuation line as
# part of the string, so the configured identity may not equal client1's
# DN either.  Check the expected output (and the final server log) to see
# whether client1 is actually accepted here; if both clients are denied,
# the "authorized client" path is not being exercised.
nbd_server_start_tcp_socket \
    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
    --object "authz-simple,id=authz0,identity=CN=localhost,, \
              O=Cthulu Dark Lord Enterprises client1,,L=R'lyeh,,C=South Pacific" \
    --tls-authz authz0 \
    --tls-creds tls0 \
    -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"

# client1: DN expected to match the identity.
$QEMU_IMG info --image-opts \
    --object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_nbd

# client3: trusted by ca1, but its DN is not the configured identity, so
# the server must deny it after a successful handshake.
$QEMU_IMG info --image-opts \
    --object tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0 \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_nbd

nbd_server_stop

# Same x509 server configuration, now listening on a UNIX socket.
nbd_server_start_unix_socket \
    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
    --tls-creds tls0 \
    -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"

echo
echo "== check TLS fail over UNIX with no hostname =="
# A UNIX socket path carries no hostname to verify the server certificate
# against, so an x509 client with no tls-hostname must fail rather than
# skip the check.
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj1 \
    driver=nbd,path=$nbd_unix_socket,tls-creds=tls0 2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 --tls-creds=tls0 \
    2>&1 | _filter_qemu_nbd_exports

echo
echo "== check TLS works over UNIX with hostname override =="
# Supplying tls-hostname gives the client a name to verify, so the same
# connection now succeeds.
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj1 \
    driver=nbd,path=$nbd_unix_socket,tls-creds=tls0,tls-hostname=127.0.0.1 \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \
    --tls-creds=tls0 --tls-hostname=127.0.0.1 2>&1 | _filter_qemu_nbd_exports


echo
echo "== check TLS works over UNIX with PSK =="
nbd_server_stop

# Pre-shared-key TLS: the server loads psk1's key file; clients must present
# the matching username/key pair.
nbd_server_start_unix_socket \
    --object tls-creds-psk,dir=${tls_dir}/psk1,endpoint=server,id=tls0,verify-peer=on \
    --tls-creds tls0 \
    -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"

obj1=tls-creds-psk,dir=${tls_dir}/psk1,username=psk1,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj1 \
    driver=nbd,path=$nbd_unix_socket,tls-creds=tls0 \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \
    --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports

echo
echo "== check TLS fails over UNIX with mismatch PSK =="
# psk2 is a different key (and username) from the one the server holds;
# the handshake must fail.
obj1=tls-creds-psk,dir=${tls_dir}/psk2,username=psk2,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj1 \
    driver=nbd,path=$nbd_unix_socket,tls-creds=tls0 \
    2>&1 | _filter_nbd
$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \
    --tls-creds=tls0 2>&1 | _filter_qemu_nbd_exports

echo
echo "== final server log =="
# The accumulated server-side refusal messages are part of the compared
# output; _filter_authz_check_tls (common.nbd/common.filter) normalizes the
# authz check lines, presumably so the client DN text does not depend on
# the TLS library version.  Removed afterwards so _cleanup does not print
# it a second time.
cat "$TEST_DIR/server.log" | _filter_authz_check_tls
rm -f "$TEST_DIR/server.log"

# success, all done
echo "*** done"
rm -f $seq.full
status=0