tests/test-nbd-tls.sh

   1 #!/usr/bin/env bash
   2 # nbdkit
   3 # Copyright Red Hat
   4 #
   5 # Redistribution and use in source and binary forms, with or without
   6 # modification, are permitted provided that the following conditions are
   7 # met:
   8 #
   9 # * Redistributions of source code must retain the above copyright
  10 # notice, this list of conditions and the following disclaimer.
  11 #
  12 # * Redistributions in binary form must reproduce the above copyright
  13 # notice, this list of conditions and the following disclaimer in the
  14 # documentation and/or other materials provided with the distribution.
  15 #
  16 # * Neither the name of Red Hat nor the names of its contributors may be
  17 # used to endorse or promote products derived from this software without
  18 # specific prior written permission.
  19 #
  20 # THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
  21 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
  22 # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
  23 # PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
  24 # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  25 # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  26 # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
  27 # USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
  28 # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  29 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
  30 # OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31 # SUCH DAMAGE.
  32
  33 source ./functions.sh
  34 set -e
  35 set -x
  36
  37 requires qemu-img --version
  38
  39 # Does the nbdkit binary support TLS?
  40 if ! nbdkit --dump-config | grep -sq tls=yes; then
  41     echo "$0: nbdkit built without TLS support"
  42     exit 77
  43 fi
  44
  45 # Does the nbd plugin support TLS?
  46 if ! nbdkit --dump-plugin nbd | grep -sq libnbd_tls=1; then
  47     echo "$0: nbd plugin built without TLS support"
  48     exit 77
  49 fi
  50
  51 # Did we create the PKI files?
  52 # Probably 'certtool' is missing.
  53 pkidir="$PWD/pki"
  54 if [ ! -f "$pkidir/ca-cert.pem" ]; then
  55     echo "$0: PKI files were not created by the test harness"
  56     exit 77
  57 fi
  58
  59 sock1=$(mktemp -u /tmp/nbdkit-test-sock.XXXXXX)
  60 sock2=$(mktemp -u /tmp/nbdkit-test-sock.XXXXXX)
  61 pid1="test-nbd-tls.pid1"
  62 pid2="test-nbd-tls.pid2"
  63
  64 files="$sock1 $sock2 $pid1 $pid2 nbd-tls.out"
  65 rm -f $files
  66 cleanup_fn rm -f $files
  67
  68 # Run nbd plugin as intermediary. Start this first, so it will be
  69 # terminated before the encrypted server (terminating a client is
  70 # easy, while terminating a server waits until there are no clients)
  71 start_nbdkit -P "$pid2" -U "$sock2" --tls=off \
  72     nbd tls=require tls-certificates="$pkidir" socket="$sock1"
  73
  74 # Run encrypted server
  75 start_nbdkit -P "$pid1" -U "$sock1" \
  76     --tls=require --tls-certificates="$pkidir" -D nbdkit.tls.session=1 \
  77     example1
  78
  79 # Run unencrypted client
  80 qemu-img info --output=json -f raw "nbd+unix:///?socket=$sock2" > nbd-tls.out
  81
  82 cat nbd-tls.out
  83
  84 grep -sq '"format": *"raw"' nbd-tls.out
  85 grep -sq '"virtual-size": *104857600\b' nbd-tls.out