[qemu.git] / tests / qemu-iotests / 233

#!/usr/bin/env bash
#
# Test NBD TLS certificate / authorization integration
#
# Copyright (C) 2018-2019 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

# creator
[email protected]

seq=$(basename $0)
echo "QA output created by $seq"

status=1	# failure is the default!

_cleanup()
{
    nbd_server_stop
    _cleanup_test_img
    # If we aborted early we want to see this log for diagnosis
    test -f "$TEST_DIR/server.log" && cat "$TEST_DIR/server.log"
    rm -f "$TEST_DIR/server.log"
    tls_x509_cleanup
}
trap "_cleanup; exit \$status" 0 1 2 3 15

# get standard environment, filters and checks
. ./common.rc
. ./common.filter
. ./common.pattern
. ./common.tls
. ./common.nbd

_supported_fmt raw qcow2
_supported_proto file
# If porting to non-Linux, consider using socat instead of ss in common.nbd
_require_command QEMU_NBD

tls_x509_init

echo
echo "== preparing TLS creds =="

tls_x509_create_root_ca "ca1"
tls_x509_create_root_ca "ca2"
tls_x509_create_server "ca1" "server1"
tls_x509_create_client "ca1" "client1"
tls_x509_create_client "ca2" "client2"
tls_x509_create_client "ca1" "client3"

echo
echo "== preparing image =="
_make_test_img 64M
$QEMU_IO -c 'w -P 0x11 1m 1m' "$TEST_IMG" | _filter_qemu_io

echo
echo "== check TLS client to plain server fails =="
nbd_server_start_tcp_socket -f $IMGFMT "$TEST_IMG" 2> "$TEST_DIR/server.log"

obj=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | sed "s/$nbd_tcp_port/PORT/g"
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \
    --tls-creds=tls0

nbd_server_stop

echo
echo "== check plain client to TLS server fails =="

nbd_server_start_tcp_socket \
    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \
    --tls-creds tls0 \
    -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"

$QEMU_IMG info nbd://localhost:$nbd_tcp_port 2>&1 | sed "s/$nbd_tcp_port/PORT/g"
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port

echo
echo "== check TLS works =="
obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
obj2=tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj1 \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | sed "s/$nbd_tcp_port/PORT/g"
$QEMU_IMG info --image-opts --object $obj2 \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | sed "s/$nbd_tcp_port/PORT/g"
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj1 \
    --tls-creds=tls0

echo
echo "== check TLS with different CA fails =="
obj=tls-creds-x509,dir=${tls_dir}/client2,endpoint=client,id=tls0
$QEMU_IMG info --image-opts --object $obj \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | sed "s/$nbd_tcp_port/PORT/g"
$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \
    --tls-creds=tls0

echo
echo "== perform I/O over TLS =="
QEMU_IO_OPTIONS=$QEMU_IO_OPTIONS_NO_FMT
$QEMU_IO -c 'r -P 0x11 1m 1m' -c 'w -P 0x22 1m 1m' --image-opts \
    --object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | _filter_qemu_io

$QEMU_IO -f $IMGFMT -r -U -c 'r -P 0x22 1m 1m' "$TEST_IMG" | _filter_qemu_io

echo
echo "== check TLS with authorization =="

nbd_server_stop

nbd_server_start_tcp_socket \
    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \
    --object "authz-simple,id=authz0,identity=CN=localhost,, \
      O=Cthulu Dark Lord Enterprises client1,,L=R'lyeh,,C=South Pacific" \
    --tls-authz authz0 \
    --tls-creds tls0 \
    -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"

$QEMU_IMG info --image-opts \
    --object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | sed "s/$nbd_tcp_port/PORT/g"

$QEMU_IMG info --image-opts \
    --object tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0 \
    driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
    2>&1 | sed "s/$nbd_tcp_port/PORT/g"

echo
echo "== final server log =="
cat "$TEST_DIR/server.log"
rm -f "$TEST_DIR/server.log"

# success, all done
echo "*** done"
rm -f $seq.full
status=0
Commit	Line	Data
11a82d14	1	#!/usr/bin/env bash
afcd1c2f DB	2	#
	3	# Test NBD TLS certificate / authorization integration
	4	#
d0898051	5	# Copyright (C) 2018-2019 Red Hat, Inc.
afcd1c2f DB	6	#
	7	# This program is free software; you can redistribute it and/or modify
	8	# it under the terms of the GNU General Public License as published by
	9	# the Free Software Foundation; either version 2 of the License, or
	10	# (at your option) any later version.
	11	#
	12	# This program is distributed in the hope that it will be useful,
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	15	# GNU General Public License for more details.
	16	#
	17	# You should have received a copy of the GNU General Public License
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	19	#
	20
	21	# creator
	22	[email protected]
	23
	24	seq=$(basename $0)
	25	echo "QA output created by $seq"
	26
	27	status=1 # failure is the default!
	28
	29	_cleanup()
	30	{
	31	nbd_server_stop
	32	_cleanup_test_img
84f8b840 DB	33	# If we aborted early we want to see this log for diagnosis
84f8b840 DB	34	test -f "$TEST_DIR/server.log" && cat "$TEST_DIR/server.log"
d0898051	35	rm -f "$TEST_DIR/server.log"
afcd1c2f DB	36	tls_x509_cleanup
	37	}
	38	trap "_cleanup; exit \$status" 0 1 2 3 15
	39
	40	# get standard environment, filters and checks
	41	. ./common.rc
	42	. ./common.filter
	43	. ./common.pattern
	44	. ./common.tls
	45	. ./common.nbd
	46
	47	_supported_fmt raw qcow2
	48	_supported_proto file
	49	# If porting to non-Linux, consider using socat instead of ss in common.nbd
afcd1c2f DB	50	_require_command QEMU_NBD
afcd1c2f DB	51
afcd1c2f DB	52	tls_x509_init
	53
	54	echo
	55	echo "== preparing TLS creds =="
	56
	57	tls_x509_create_root_ca "ca1"
	58	tls_x509_create_root_ca "ca2"
	59	tls_x509_create_server "ca1" "server1"
	60	tls_x509_create_client "ca1" "client1"
	61	tls_x509_create_client "ca2" "client2"
b25e12da	62	tls_x509_create_client "ca1" "client3"
afcd1c2f DB	63
	64	echo
	65	echo "== preparing image =="
	66	_make_test_img 64M
bb39c47d	67	$QEMU_IO -c 'w -P 0x11 1m 1m' "$TEST_IMG" \| _filter_qemu_io
afcd1c2f DB	68
	69	echo
	70	echo "== check TLS client to plain server fails =="
d0898051	71	nbd_server_start_tcp_socket -f $IMGFMT "$TEST_IMG" 2> "$TEST_DIR/server.log"
afcd1c2f	72
ddd09448 EB	73	obj=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
ddd09448 EB	74	$QEMU_IMG info --image-opts --object $obj \
afcd1c2f DB	75	driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
afcd1c2f DB	76	2>&1 \| sed "s/$nbd_tcp_port/PORT/g"
ddd09448 EB	77	$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \
ddd09448 EB	78	--tls-creds=tls0
afcd1c2f DB	79
	80	nbd_server_stop
	81
	82	echo
	83	echo "== check plain client to TLS server fails =="
	84
e4c8f292 DB	85	nbd_server_start_tcp_socket \
	86	--object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \
	87	--tls-creds tls0 \
d0898051	88	-f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"
afcd1c2f DB	89
afcd1c2f DB	90	$QEMU_IMG info nbd://localhost:$nbd_tcp_port 2>&1 \| sed "s/$nbd_tcp_port/PORT/g"
ddd09448	91	$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port
afcd1c2f DB	92
	93	echo
	94	echo "== check TLS works =="
b25e12da DB	95	obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
	96	obj2=tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0
	97	$QEMU_IMG info --image-opts --object $obj1 \
afcd1c2f DB	98	driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
afcd1c2f DB	99	2>&1 \| sed "s/$nbd_tcp_port/PORT/g"
b25e12da DB	100	$QEMU_IMG info --image-opts --object $obj2 \
	101	driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
	102	2>&1 \| sed "s/$nbd_tcp_port/PORT/g"
	103	$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj1 \
ddd09448	104	--tls-creds=tls0
afcd1c2f DB	105
	106	echo
	107	echo "== check TLS with different CA fails =="
ddd09448 EB	108	obj=tls-creds-x509,dir=${tls_dir}/client2,endpoint=client,id=tls0
ddd09448 EB	109	$QEMU_IMG info --image-opts --object $obj \
afcd1c2f DB	110	driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
afcd1c2f DB	111	2>&1 \| sed "s/$nbd_tcp_port/PORT/g"
ddd09448 EB	112	$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \
ddd09448 EB	113	--tls-creds=tls0
afcd1c2f	114
bb39c47d EB	115	echo
	116	echo "== perform I/O over TLS =="
	117	QEMU_IO_OPTIONS=$QEMU_IO_OPTIONS_NO_FMT
	118	$QEMU_IO -c 'r -P 0x11 1m 1m' -c 'w -P 0x22 1m 1m' --image-opts \
	119	--object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \
	120	driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
	121	2>&1 \| _filter_qemu_io
	122
e4c8f292	123	$QEMU_IO -f $IMGFMT -r -U -c 'r -P 0x22 1m 1m' "$TEST_IMG" \| _filter_qemu_io
bb39c47d	124
b25e12da DB	125	echo
	126	echo "== check TLS with authorization =="
	127
	128	nbd_server_stop
	129
	130	nbd_server_start_tcp_socket \
	131	--object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \
	132	--object "authz-simple,id=authz0,identity=CN=localhost,, \
	133	O=Cthulu Dark Lord Enterprises client1,,L=R'lyeh,,C=South Pacific" \
	134	--tls-authz authz0 \
	135	--tls-creds tls0 \
	136	-f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"
	137
	138	$QEMU_IMG info --image-opts \
	139	--object tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0 \
876df72d HR	140	driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
876df72d HR	141	2>&1 \| sed "s/$nbd_tcp_port/PORT/g"
b25e12da DB	142
	143	$QEMU_IMG info --image-opts \
	144	--object tls-creds-x509,dir=${tls_dir}/client3,endpoint=client,id=tls0 \
876df72d HR	145	driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
876df72d HR	146	2>&1 \| sed "s/$nbd_tcp_port/PORT/g"
b25e12da	147
d0898051 EB	148	echo
	149	echo "== final server log =="
	150	cat "$TEST_DIR/server.log"
84f8b840	151	rm -f "$TEST_DIR/server.log"
d0898051	152
afcd1c2f DB	153	# success, all done
	154	echo "*** done"
	155	rm -f $seq.full
	156	status=0