[ovs.git] / tests / ovs-monitor-ipsec.at

AT_BANNER([ovs-monitor-ipsec])

AT_SETUP([ovs-monitor-ipsec])
AT_SKIP_IF([test $HAVE_PYTHON = no])
AT_SKIP_IF([$non_ascii_cwd])

cp "$top_srcdir/vswitchd/vswitch.ovsschema" .

on_exit 'kill `cat pid ovs-monitor-ipsec.pid`'

mkdir etc etc/init.d etc/racoon etc/racoon/certs
mkdir usr usr/sbin

AT_DATA([etc/init.d/racoon], [dnl
#! /bin/sh
echo "racoon: $@" >&3
exit 0
])
chmod +x etc/init.d/racoon

AT_DATA([usr/sbin/setkey], [dnl
#! /bin/sh
exec >&3
echo "setkey:"
while read line; do
      echo "> $line"
done
])
chmod +x usr/sbin/setkey

touch etc/racoon/certs/ovs-stale.pem

ovs_vsctl () {
    ovs-vsctl --no-wait -vreconnect:emer --db=unix:socket "$@"
}
trim () {  # Removes blank lines and lines starting with # from input.
    sed -e '/^#/d' -e '/^[       ]*$/d' "$@"
}

###
### Start ovsdb-server.
###
OVS_VSCTL_SETUP

###
### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
###
AT_CHECK(
  [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
        "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
        unix:socket 2>log 3>actions &])
AT_CAPTURE_FILE([log])
AT_CAPTURE_FILE([actions])
OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])

###
### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl \
              -- add-br br0 \
              -- add-port br0 gre0 \
              -- set interface gre0 type=ipsec_gre \
                                    options:remote_ip=1.2.3.4 \
                                    options:psk=swordfish])
OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
AT_CHECK([cat actions], [0], [dnl
setkey:
> flush;
setkey:
> spdflush;
racoon: reload
racoon: reload
setkey:
> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4   swordfish
])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 1.2.3.4 {
        exchange_mode main;
        nat_traversal on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])

###
### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl del-port gre0])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
AT_CHECK([sed '1,9d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
> spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])

###
### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
###
AT_DATA([cert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real certificate)
-----END CERTIFICATE-----
])
AT_DATA([key.pem], [dnl
-----BEGIN RSA PRIVATE KEY-----
(not a real private key)
-----END RSA PRIVATE KEY-----
])
AT_CHECK([ovs_vsctl \
              -- add-port br0 gre1 \
              -- set Interface gre1 type=ipsec_gre \
                 options:remote_ip=2.3.4.5 \
                 options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
                 options:certificate='"/cert.pem"' \
                 options:private_key='"/key.pem"'])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
AT_CHECK([sed '1,17d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 2.3.4.5 {
        exchange_mode main;
        nat_traversal on;
        ike_frag on;
        certificate_type x509 "/cert.pem" "/key.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
        verify_identifier on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])

###
### Delete the ipsec_gre certificate interface.
###
AT_CHECK([ovs_vsctl del-port gre1])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
AT_CHECK([sed '1,21d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
> spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])

###
### Add an SSL certificate interface.
###
cp cert.pem ssl-cert.pem
cp key.pem ssl-key.pem
AT_DATA([ssl-cacert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real CA certificate)
-----END CERTIFICATE-----
])
AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
              -- add-port br0 gre2 \
              -- set Interface gre2 type=ipsec_gre \
                 options:remote_ip=3.4.5.6 \
                 options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
                 options:use_ssl_cert='"true"'])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
AT_CHECK([sed '1,29d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 3.4.5.6 {
        exchange_mode main;
        nat_traversal on;
        ike_frag on;
        certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
        verify_identifier on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])

###
### Delete the SSL certificate interface.
###
AT_CHECK([ovs_vsctl del-port gre2])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
AT_CHECK([sed '1,33d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
> spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])

OVSDB_SERVER_SHUTDOWN

AT_CLEANUP
Commit	Line	Data
b54bdbe9 BP	1	AT_BANNER([ovs-monitor-ipsec])
	2
	3	AT_SETUP([ovs-monitor-ipsec])
	4	AT_SKIP_IF([test $HAVE_PYTHON = no])
e6e590a7	5	AT_SKIP_IF([$non_ascii_cwd])
b54bdbe9	6
b54bdbe9 BP	7	cp "$top_srcdir/vswitchd/vswitch.ovsschema" .
b54bdbe9 BP	8
53eb8cb8	9	on_exit 'kill `cat pid ovs-monitor-ipsec.pid`'
b54bdbe9 BP	10
	11	mkdir etc etc/init.d etc/racoon etc/racoon/certs
	12	mkdir usr usr/sbin
	13
	14	AT_DATA([etc/init.d/racoon], [dnl
	15	#! /bin/sh
	16	echo "racoon: $@" >&3
	17	exit 0
	18	])
	19	chmod +x etc/init.d/racoon
	20
	21	AT_DATA([usr/sbin/setkey], [dnl
	22	#! /bin/sh
	23	exec >&3
	24	echo "setkey:"
	25	while read line; do
	26	echo "> $line"
	27	done
	28	])
	29	chmod +x usr/sbin/setkey
	30
	31	touch etc/racoon/certs/ovs-stale.pem
	32
	33	ovs_vsctl () {
fba6bd1d	34	ovs-vsctl --no-wait -vreconnect:emer --db=unix:socket "$@"
b54bdbe9 BP	35	}
	36	trim () { # Removes blank lines and lines starting with # from input.
	37	sed -e '/^#/d' -e '/^[ ]*$/d' "$@"
	38	}
	39
	40	###
	41	### Start ovsdb-server.
	42	###
	43	OVS_VSCTL_SETUP
	44
	45	###
	46	### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
	47	###
	48	AT_CHECK(
	49	[$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
b153e667	50	"--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
b54bdbe9 BP	51	unix:socket 2>log 3>actions &])
	52	AT_CAPTURE_FILE([log])
	53	AT_CAPTURE_FILE([actions])
	54	OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])
	55
	56	###
	57	### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
	58	###
	59	AT_CHECK([ovs_vsctl \
	60	-- add-br br0 \
	61	-- add-port br0 gre0 \
	62	-- set interface gre0 type=ipsec_gre \
	63	options:remote_ip=1.2.3.4 \
	64	options:psk=swordfish])
	65	OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
	66	AT_CHECK([cat actions], [0], [dnl
	67	setkey:
	68	> flush;
	69	setkey:
	70	> spdflush;
	71	racoon: reload
	72	racoon: reload
	73	setkey:
	74	> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
	75	> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
	76	])
	77	AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish
	78	])
	79	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
	80	path pre_shared_key "/etc/racoon/psk.txt";
	81	path certificate "/etc/racoon/certs";
	82	remote 1.2.3.4 {
	83	exchange_mode main;
	84	nat_traversal on;
	85	proposal {
	86	encryption_algorithm aes;
	87	hash_algorithm sha1;
	88	authentication_method pre_shared_key;
	89	dh_group 2;
	90	}
	91	}
	92	sainfo anonymous {
	93	pfs_group 2;
	94	lifetime time 1 hour;
	95	encryption_algorithm aes;
	96	authentication_algorithm hmac_sha1, hmac_md5;
	97	compression_algorithm deflate;
	98	}
	99	])
	100
	101	###
	102	### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
	103	###
	104	AT_CHECK([ovs_vsctl del-port gre0])
	105	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
	106	AT_CHECK([sed '1,9d' actions], [0], [dnl
	107	racoon: reload
	108	setkey:
	109	> spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
	110	> spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
	111	setkey:
	112	> dump ;
	113	setkey:
	114	> dump ;
115	])
116	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
117	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
118	path pre_shared_key "/etc/racoon/psk.txt";
119	path certificate "/etc/racoon/certs";
120	sainfo anonymous {
121	pfs_group 2;
122	lifetime time 1 hour;
123	encryption_algorithm aes;
124	authentication_algorithm hmac_sha1, hmac_md5;
125	compression_algorithm deflate;
126	}
127	])
128
129	###
130	### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
131	###
132	AT_DATA([cert.pem], [dnl
133	-----BEGIN CERTIFICATE-----
134	(not a real certificate)
135	-----END CERTIFICATE-----
136	])
137	AT_DATA([key.pem], [dnl
138	-----BEGIN RSA PRIVATE KEY-----
139	(not a real private key)
140	-----END RSA PRIVATE KEY-----
141	])
142	AT_CHECK([ovs_vsctl \
143	-- add-port br0 gre1 \
144	-- set Interface gre1 type=ipsec_gre \
145	options:remote_ip=2.3.4.5 \
146	options:peer_cert='"-----BEGIN CERTIFICATE-----
147	(not a real peer certificate)
148	-----END CERTIFICATE-----
149	"' \
150	options:certificate='"/cert.pem"' \
151	options:private_key='"/key.pem"'])
152	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
153	AT_CHECK([sed '1,17d' actions], [0], [dnl
154	racoon: reload
155	setkey:
156	> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
157	> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
158	])
159	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
160	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
161	path pre_shared_key "/etc/racoon/psk.txt";
162	path certificate "/etc/racoon/certs";
163	remote 2.3.4.5 {
164	exchange_mode main;
165	nat_traversal on;
166	ike_frag on;
167	certificate_type x509 "/cert.pem" "/key.pem";
168	my_identifier asn1dn;
169	peers_identifier asn1dn;
170	peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
171	verify_identifier on;
172	proposal {
173	encryption_algorithm aes;
174	hash_algorithm sha1;
175	authentication_method rsasig;
176	dh_group 2;
177	}
178	}
179	sainfo anonymous {
180	pfs_group 2;
181	lifetime time 1 hour;
182	encryption_algorithm aes;
183	authentication_algorithm hmac_sha1, hmac_md5;
184	compression_algorithm deflate;
185	}
186	])
187	AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
188	-----BEGIN CERTIFICATE-----
189	(not a real peer certificate)
190	-----END CERTIFICATE-----
191	])
192
193	###
194	### Delete the ipsec_gre certificate interface.
195	###
196	AT_CHECK([ovs_vsctl del-port gre1])
197	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
198	AT_CHECK([sed '1,21d' actions], [0], [dnl
199	racoon: reload
200	setkey:
201	> spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
202	> spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
203	setkey:
204	> dump ;
205	setkey:
206	> dump ;
207	])
208	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
209	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
210	path pre_shared_key "/etc/racoon/psk.txt";
211	path certificate "/etc/racoon/certs";
212	sainfo anonymous {
213	pfs_group 2;
214	lifetime time 1 hour;
215	encryption_algorithm aes;
216	authentication_algorithm hmac_sha1, hmac_md5;
217	compression_algorithm deflate;
218	}
219	])
220	AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
221
ad6247f5 BP	222	###
	223	### Add an SSL certificate interface.
	224	###
	225	cp cert.pem ssl-cert.pem
	226	cp key.pem ssl-key.pem
	227	AT_DATA([ssl-cacert.pem], [dnl
	228	-----BEGIN CERTIFICATE-----
	229	(not a real CA certificate)
	230	-----END CERTIFICATE-----
	231	])
	232	AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
	233	-- add-port br0 gre2 \
	234	-- set Interface gre2 type=ipsec_gre \
	235	options:remote_ip=3.4.5.6 \
	236	options:peer_cert='"-----BEGIN CERTIFICATE-----
	237	(not a real peer certificate)
	238	-----END CERTIFICATE-----
	239	"' \
	240	options:use_ssl_cert='"true"'])
dfbf7f35	241	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
ad6247f5 BP	242	AT_CHECK([sed '1,29d' actions], [0], [dnl
	243	racoon: reload
	244	setkey:
	245	> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
	246	> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
	247	])
	248	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
	249	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
	250	path pre_shared_key "/etc/racoon/psk.txt";
	251	path certificate "/etc/racoon/certs";
	252	remote 3.4.5.6 {
	253	exchange_mode main;
	254	nat_traversal on;
	255	ike_frag on;
	256	certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
	257	my_identifier asn1dn;
	258	peers_identifier asn1dn;
	259	peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
	260	verify_identifier on;
	261	proposal {
	262	encryption_algorithm aes;
	263	hash_algorithm sha1;
	264	authentication_method rsasig;
	265	dh_group 2;
	266	}
	267	}
	268	sainfo anonymous {
	269	pfs_group 2;
	270	lifetime time 1 hour;
	271	encryption_algorithm aes;
	272	authentication_algorithm hmac_sha1, hmac_md5;
	273	compression_algorithm deflate;
	274	}
	275	])
	276	AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
	277	-----BEGIN CERTIFICATE-----
	278	(not a real peer certificate)
	279	-----END CERTIFICATE-----
	280	])
	281
	282	###
	283	### Delete the SSL certificate interface.
	284	###
	285	AT_CHECK([ovs_vsctl del-port gre2])
dfbf7f35	286	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
ad6247f5 BP	287	AT_CHECK([sed '1,33d' actions], [0], [dnl
	288	racoon: reload
	289	setkey:
	290	> spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
	291	> spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
	292	setkey:
	293	> dump ;
	294	setkey:
	295	> dump ;
	296	])
	297	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
	298	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
	299	path pre_shared_key "/etc/racoon/psk.txt";
	300	path certificate "/etc/racoon/certs";
	301	sainfo anonymous {
	302	pfs_group 2;
	303	lifetime time 1 hour;
	304	encryption_algorithm aes;
	305	authentication_algorithm hmac_sha1, hmac_md5;
	306	compression_algorithm deflate;
	307	}
	308	])
	309	AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
	310
94c33672 BP	311	OVSDB_SERVER_SHUTDOWN
94c33672 BP	312
b54bdbe9	313	AT_CLEANUP