tests/test-nbd-tls-psk.sh

   1 #!/usr/bin/env bash
   2 # nbdkit
   3 # Copyright Red Hat
   4 #
   5 # Redistribution and use in source and binary forms, with or without
   6 # modification, are permitted provided that the following conditions are
   7 # met:
   8 #
   9 # * Redistributions of source code must retain the above copyright
  10 # notice, this list of conditions and the following disclaimer.
  11 #
  12 # * Redistributions in binary form must reproduce the above copyright
  13 # notice, this list of conditions and the following disclaimer in the
  14 # documentation and/or other materials provided with the distribution.
  15 #
  16 # * Neither the name of Red Hat nor the names of its contributors may be
  17 # used to endorse or promote products derived from this software without
  18 # specific prior written permission.
  19 #
  20 # THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
  21 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
  22 # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
  23 # PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
  24 # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  25 # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  26 # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
  27 # USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
  28 # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  29 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
  30 # OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31 # SUCH DAMAGE.
  32
  33 source ./functions.sh
  34 set -e
  35 set -x
  36
  37 requires qemu-img --version
  38
  39 # Does the nbdkit binary support TLS?
  40 if ! nbdkit --dump-config | grep -sq tls=yes; then
  41     echo "$0: nbdkit built without TLS support"
  42     exit 77
  43 fi
  44
  45 # Does the nbd plugin support TLS?
  46 if ! nbdkit --dump-plugin nbd | grep -sq libnbd_tls=1; then
  47     echo "$0: nbd plugin built without TLS support"
  48     exit 77
  49 fi
  50
  51 # Did we create the PSK keys file?
  52 # Probably 'certtool' is missing.
  53 if [ ! -s keys.psk ]; then
  54     echo "$0: PSK keys file was not created by the test harness"
  55     exit 77
  56 fi
  57
  58 sock1=$(mktemp -u /tmp/nbdkit-test-sock.XXXXXX)
  59 sock2=$(mktemp -u /tmp/nbdkit-test-sock.XXXXXX)
  60 pid1="test-nbd-tls-psk.pid1"
  61 pid2="test-nbd-tls-psk.pid2"
  62
  63 files="$sock1 $sock2 $pid1 $pid2 nbd-tls-psk.out"
  64 rm -f $files
  65 cleanup_fn rm -f $files
  66
  67 # Run nbd plugin as intermediary; also test our retry code.  We start this
  68 # instance of nbdkit first because the two nbdkit processes will be killed
  69 # in the same order; and it is easier to kill the nbd client (which is
  70 # poll()ing on a non-blocking socket) than the example1 server (which is
  71 # read()ing on a blocking socket) if both sides are waiting for the other
  72 # to perform gnutls_bye() before closing the socket.
  73 start_nbdkit -P "$pid2" -U "$sock2" --tls=off nbd retry=10 \
  74     tls=require tls-psk=keys.psk tls-username=qemu socket="$sock1"
  75
  76 # Run unencrypted client in background, so that retry will be required
  77 qemu-img info --output=json -f raw "nbd+unix:///?socket=$sock2" \
  78          > nbd-tls-psk.out &
  79 info_pid=$!
  80 sleep 1
  81
  82 # Run encrypted server
  83 start_nbdkit -P "$pid1" -U "$sock1" \
  84     --tls=require --tls-psk=keys.psk -D nbdkit.tls.session=1 example1
  85
  86 wait $info_pid
  87 cat nbd-tls-psk.out
  88
  89 grep -sq '"format": *"raw"' nbd-tls-psk.out
  90 grep -sq '"virtual-size": *104857600\b' nbd-tls-psk.out