Fixed ssl client certs for evhtp.

* Added SSL cert info as options: CLICON_SSL_SERVER_CERT, CLICON_SSL_SERVER_KEY, CLICON_SSL_CA_CERT Added config.sh for testing for autotools
2020-07-01 15:11:22 +02:00 · 2020-07-01 15:11:22 +02:00 · c049a397b0
commit c049a397b0
parent 9c82e97072
22 changed files with 515 additions and 80 deletions
--- a/test/README.md
+++ b/test/README.md
@ -97,3 +97,17 @@ For example, in FreeBSD, add:
  make=gmake
 ```

+## https
+
+If you use evhtp with `configure --with-restconf=evhtp`, you can prepend the tests with RCPROTO=https which will run all restconf tests with SSL https and server certs.
+
+Ensure the server keys are in order, as follows.
+
+If you already have server certs, ensure CLICON_SSL_SERVER_CERT and CLICON_SSL_SERVER_KEY points to them.
+
+If you do not have them, generate self-signed certs, eg as follows:
+```
+  openssl req -x509 -nodes -newkey rsa:4096 -keyout /etc/ssl/private/clixon-server-key.pem -out /etc/ssl/certs/clixon-server-crt.pem -days 365
+```
+
+There are also client-cert tests, eg test_ssl*.sh
--- a/test/config.sh.in
+++ b/test/config.sh.in
@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+# Generated from autotools
+
+WITH_RESTCONF=@with_restconf@
--- a/test/lib.sh
+++ b/test/lib.sh
@ -26,6 +26,14 @@ version=4

 >&2 echo "Running $testfile"

+# Generated config file from autotools / configure
+if [ -f ./config.sh ]; then
+    . ./config.sh
+    if [ $? -ne 0 ]; then
+	return -1 # error
+    fi
+fi
+
 # Site file, an example of this file in README.md
 if [ -f ./site.sh ]; then
    . ./site.sh
@ -139,10 +147,11 @@ if [ ! -G $dir ]; then
    sudo chgrp $u $dir
 fi

-# If you bring your own backend BE=0 (it is already started),the backend may
+# If you bring your own backend BE=0 (it is already started), the backend may
 # have created some files (eg unix socket) in $dir and therefore cannot
-# be deleted
-if [ $BE -ne 0 ]; then
+# be deleted.
+# Same with RC=0
+if [ $BE -ne 0 -a $RC -ne 0 ]; then
    rm -rf $dir/*
 fi

@ -232,7 +241,7 @@ wait_backend(){
 start_restconf(){
    # Start in background 
    if [ $RCPROTO = https ]; then
-	EXTRA="-s"
+	EXTRA="-s" # server certs
    else
 	EXTRA=
    fi
--- a/test/test_nacm.sh
+++ b/test/test_nacm.sh
@ -31,7 +31,6 @@ cat <<EOF > $cfg
  <CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
  <CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
  <CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
-  <CLICON_NACM_CREDENTIALS>none</CLICON_NACM_CREDENTIALS>
 </clixon-config>
 EOF

--- a/test/test_nacm_datanode.sh
+++ b/test/test_nacm_datanode.sh
@ -62,7 +62,6 @@ cat <<EOF > $cfg
  <CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
  <CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
  <CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
-  <CLICON_NACM_CREDENTIALS>none</CLICON_NACM_CREDENTIALS>
 </clixon-config>
 EOF

--- a/test/test_nacm_datanode_read.sh
+++ b/test/test_nacm_datanode_read.sh
@ -42,7 +42,6 @@ cat <<EOF > $cfg
  <CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
  <CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
  <CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
-  <CLICON_NACM_CREDENTIALS>none</CLICON_NACM_CREDENTIALS>
 </clixon-config>
 EOF

--- a/test/test_nacm_datanode_write.sh
+++ b/test/test_nacm_datanode_write.sh
@ -34,7 +34,6 @@ cat <<EOF > $cfg
  <CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
  <CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
  <CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
-  <CLICON_NACM_CREDENTIALS>none</CLICON_NACM_CREDENTIALS>
 </clixon-config>
 EOF

--- a/test/test_nacm_default.sh
+++ b/test/test_nacm_default.sh
@ -30,7 +30,6 @@ cat <<EOF > $cfg
  <CLICON_XMLDB_DIR>$dir</CLICON_XMLDB_DIR>
  <CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
  <CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
-  <CLICON_NACM_CREDENTIALS>none</CLICON_NACM_CREDENTIALS>
  <CLICON_XMLDB_FORMAT>$format</CLICON_XMLDB_FORMAT>
 </clixon-config>
 EOF
--- a/test/test_nacm_module_write.sh
+++ b/test/test_nacm_module_write.sh
@ -48,7 +48,6 @@ cat <<EOF > $cfg
  <CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
  <CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
  <CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
-  <CLICON_NACM_CREDENTIALS>none</CLICON_NACM_CREDENTIALS>
 </clixon-config>
 EOF

--- a/test/test_ssl_certs.sh
+++ b/test/test_ssl_certs.sh
@ -0,0 +1,263 @@
+#!/usr/bin/env bash
+# Restconf+NACM openssl functionality using server and client certs
+# The test creates certs and keys:
+# A CA, server key/cert, user key/cert for two users
+# Can we try illegal certs?
+
+# Magic line must be first in script (see README.md)
+s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi
+
+# Only works with evhtp and https
+if [ "${WITH_RESTCONF}" != "evhtp"  -o "$RCPROTO" = http ]; then
+    if [ "$s" = $0 ]; then exit 0; else return 0; fi # skip
+fi
+
+APPNAME=example
+
+# Common NACM scripts
+. ./nacm.sh
+
+# force it (or check it?)
+RCPROTO=https
+
+fyang=$dir/example.yang
+
+cfg=$dir/conf.xml
+certdir=$dir/certs
+
+srvkey=$certdir/srv_key.pem
+srvcert=$certdir/srv_cert.pem
+cakey=$certdir/ca_key.pem # needed?
+cacert=$certdir/ca_cert.pem
+users="andy guest" # generate certs for some users in nacm.sh
+
+# Whether to generate new keys or not (only if $dir is not removed)
+# Here dont generate keys if restconf started stand-alone
+genkeys=true
+if [ $RC -eq 0 ]; then
+    genkeys=false
+fi
+
+test -d $certdir || mkdir $certdir
+
+# Use yang in example
+
+cat <<EOF > $cfg
+<clixon-config xmlns="http://clicon.org/config">
+  <CLICON_CONFIGFILE>$cfg</CLICON_CONFIGFILE>
+  <CLICON_YANG_DIR>/usr/local/share/clixon</CLICON_YANG_DIR>
+  <CLICON_YANG_DIR>$IETFRFC</CLICON_YANG_DIR>
+  <CLICON_YANG_MAIN_FILE>$fyang</CLICON_YANG_MAIN_FILE>
+  <CLICON_CLISPEC_DIR>/usr/local/lib/$APPNAME/clispec</CLICON_CLISPEC_DIR>
+  <CLICON_BACKEND_DIR>/usr/local/lib/$APPNAME/backend</CLICON_BACKEND_DIR>
+  <CLICON_BACKEND_REGEXP>example_backend.so$</CLICON_BACKEND_REGEXP>
+  <CLICON_RESTCONF_DIR>/usr/local/lib/$APPNAME/restconf</CLICON_RESTCONF_DIR>
+  <CLICON_RESTCONF_PRETTY>false</CLICON_RESTCONF_PRETTY>
+  <CLICON_CLI_DIR>/usr/local/lib/$APPNAME/cli</CLICON_CLI_DIR>
+  <CLICON_CLI_MODE>$APPNAME</CLICON_CLI_MODE>
+  <CLICON_SOCK>/usr/local/var/$APPNAME/$APPNAME.sock</CLICON_SOCK>
+  <CLICON_BACKEND_PIDFILE>/usr/local/var/$APPNAME/$APPNAME.pidfile</CLICON_BACKEND_PIDFILE>
+  <CLICON_XMLDB_DIR>/usr/local/var/$APPNAME</CLICON_XMLDB_DIR>
+  <CLICON_MODULE_LIBRARY_RFC7895>true</CLICON_MODULE_LIBRARY_RFC7895>
+  <CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
+  <CLICON_SSL_SERVER_CERT>$srvcert</CLICON_SSL_SERVER_CERT>
+  <CLICON_SSL_SERVER_KEY>$srvkey</CLICON_SSL_SERVER_KEY>
+  <CLICON_SSL_CA_CERT>$cacert</CLICON_SSL_CA_CERT>
+</clixon-config>
+EOF
+
+cat <<EOF > $fyang
+module example{
+  yang-version 1.1;
+  namespace "urn:example:example";
+  prefix ex;
+  import ietf-netconf-acm {
+	prefix nacm;
+  }
+  leaf x{
+    type int32;
+    description "something to edit";
+  }
+}
+EOF
+
+# Two groups: admin allow all, guest allow nothing
+RULES=$(cat <<EOF
+   <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
+     <enable-nacm>false</enable-nacm>
+     <read-default>permit</read-default>
+     <write-default>deny</write-default>
+     <exec-default>deny</exec-default>
+
+     $NGROUPS
+
+     <rule-list>
+       <name>guest-acl</name>
+       <group>guest</group>
+       <rule>
+         <name>deny-ncm</name>
+         <module-name>*</module-name>
+         <access-operations>*</access-operations>
+         <action>deny</action>
+         <comment>
+             Do not allow guests any access to the NETCONF
+         </comment>
+       </rule>
+     </rule-list>
+
+     $NADMIN
+
+   </nacm>
+   <x xmlns="urn:example:example">0</x>
+EOF
+)
+
+if $genkeys; then
+# Create certs
+# 1. CA
+cat<<EOF > $dir/ca.cnf
+[ ca ]
+default_ca      = CA_default
+
+[ CA_default ]
+serial = ca-serial
+crl = ca-crl.pem
+database = ca-database.txt
+name_opt = CA_default
+cert_opt = CA_default
+default_crl_days = 9999
+default_md = md5
+
+[ req ]
+default_bits           = 2048
+days                   = 1
+distinguished_name     = req_distinguished_name
+attributes             = req_attributes
+prompt                 = no
+output_password        = password
+
+[ req_distinguished_name ]
+C                      = SE
+L                      = Stockholm
+O                      = Clixon
+OU                     = clixon
+CN                     = ca
+emailAddress           = olof@hagsand.se
+
+[ req_attributes ]
+challengePassword      = test
+
+EOF
+
+# Generate CA cert
+openssl req -x509 -days 1 -config $dir/ca.cnf -keyout $cakey -out $cacert
+
+cat<<EOF > $dir/srv.cnf
+[req]
+prompt = no
+distinguished_name = dn
+req_extensions = ext
+[dn]
+CN = www.clicon.org # localhost
+emailAddress = olof@hagsand.se
+O = Clixon
+L = Stockholm
+C = SE
+[ext]
+subjectAltName = DNS:clicon.org
+EOF
+
+# Generate server key
+openssl genrsa -out $srvkey 2048
+
+# Generate CSR (signing request)
+openssl req -new -config $dir/srv.cnf -key $srvkey -out $certdir/srv_csr.pem
+
+# Sign server cert by CA
+openssl x509 -req -extfile $dir/srv.cnf -days 1 -passin "pass:password" -in $certdir/srv_csr.pem -CA $cacert -CAkey $cakey -CAcreateserial -out $srvcert
+
+# create client certs
+for name in $users; do
+    cat<<EOF > $dir/$name.cnf
+[req]
+prompt = no
+distinguished_name = dn
+[dn]
+CN = $name
+emailAddress = $name@foo.bar
+O = Clixon
+L = Stockholm
+C = SE
+EOF
+    # Create client key
+    openssl genrsa -out "$certdir/$name.key" 2048
+
+    # Generate CSR (signing request)
+    openssl req -new -config $dir/$name.cnf -key $certdir/$name.key -out $certdir/$name.csr
+
+    # Sign by CA
+    openssl x509 -req -extfile $dir/$name.cnf -days 1 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt
+done
+
+fi # genkeys
+
+if [ $BE -ne 0 ]; then
+    new "kill old backend"
+    sudo clixon_backend -zf $cfg
+    if [ $? -ne 0 ]; then
+	err
+    fi
+    sudo pkill -f clixon_backend # to be sure
+
+    new "start backend -s init -f $cfg"
+    start_backend -s init -f $cfg
+fi
+
+new "wait for backend"
+wait_backend
+
+if [ $RC -ne 0 ]; then
+    new "kill old restconf daemon"
+    stop_restconf_pre
+
+    new "start restconf daemon -c means client certs, -- -s means ssl client cert authentication in example"
+    start_restconf -f $cfg -c -- -s
+
+fi
+#new "wait for restconf"
+#wait_restconf XXX
+
+new "auth set authentication config"
+expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><edit-config><target><candidate/></target><config>$RULES</config></edit-config></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
+
+new "commit it"
+expecteof "$clixon_netconf -qf $cfg" 0 "<rpc><commit/></rpc>]]>]]>" "^<rpc-reply><ok/></rpc-reply>]]>]]>$"
+
+new "enable nacm"
+expectpart "$(curl -sSik --key $certdir/andy.key --cert $certdir/andy.crt -X PUT -H "Content-Type: application/yang-data+json" -d '{"ietf-netconf-acm:enable-nacm": true}' $RCPROTO://localhost/restconf/data/ietf-netconf-acm:nacm/enable-nacm)" 0 "HTTP/1.1 204 No Content"
+
+new "admin get x"
+expectpart "$(curl -sSik --key $certdir/andy.key --cert $certdir/andy.crt -X GET $RCPROTO://localhost/restconf/data/example:x)" 0 "HTTP/1.1 200 OK" '{"example:x":0}'
+
+new "guest get x"
+expectpart "$(curl -sSik --key $certdir/guest.key --cert $certdir/guest.crt -X GET $RCPROTO://localhost/restconf/data/example:x)" 0 "HTTP/1.1 403 Forbidden" '{"ietf-restconf:errors":{"error":{"error-type":"application","error-tag":"access-denied","error-severity":"error","error-message":"access denied"}}}'
+
+if [ $RC -ne 0 ]; then
+    new "Kill restconf daemon"
+    stop_restconf
+fi
+
+if [ $BE -eq 0 ]; then
+    exit # BE
+fi
+
+new "Kill backend"
+# Check if premature kill
+pid=$(pgrep -u root -f clixon_backend)
+if [ -z "$pid" ]; then
+    err "backend already dead"
+fi
+# kill backend
+stop_backend -f $cfg
+
+rm -rf $dir
--- a/test/test_stream.sh
+++ b/test/test_stream.sh
@ -23,6 +23,11 @@
 # Magic line must be first in script (see README.md)
 s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi

+# Only works with fcgi and http
+if [ "${WITH_RESTCONF}" != "fcgi" -o "$RCPROTO" = https ]; then
+    if [ "$s" = $0 ]; then exit 0; else return 0; fi # skip
+fi
+
 APPNAME=example
 : ${clixon_util_stream:=clixon_util_stream}
 NCWAIT=10 # Wait (netconf valgrind may need more time)
--- a/test/test_submodule.sh
+++ b/test/test_submodule.sh
@ -158,7 +158,7 @@ if [ $BE -ne 0 ]; then
    start_backend -s init -f $cfg
 fi

-new "waiting"
+new "wait backend"
 wait_backend

 if [ $RC -ne 0 ]; then
@ -168,7 +168,7 @@ if [ $RC -ne 0 ]; then
    new "start restconf daemon"
    start_restconf -f $cfg

-    new "waiting"
+    new "wait restconf"
    wait_restconf
 fi