[mirror_ovs.git] / tests / ovs-monitor-ipsec.at

AT_BANNER([ovs-monitor-ipsec])

AT_SETUP([ovs-monitor-ipsec])
AT_SKIP_IF([test $HAVE_PYTHON = no])

OVS_PKGDATADIR=`pwd`; export OVS_PKGDATADIR
cp "$top_srcdir/vswitchd/vswitch.ovsschema" .

trap 'kill `cat pid ovs-monitor-ipsec.pid`' 0

mkdir etc etc/init.d etc/racoon etc/racoon/certs
mkdir usr usr/sbin

AT_DATA([etc/init.d/racoon], [dnl
#! /bin/sh
echo "racoon: $@" >&3
exit 0
])
chmod +x etc/init.d/racoon

AT_DATA([usr/sbin/setkey], [dnl
#! /bin/sh
exec >&3
echo "setkey:"
while read line; do
      echo "> $line"
done
])
chmod +x usr/sbin/setkey

touch etc/racoon/certs/ovs-stale.pem

ovs_vsctl () {
    ovs-vsctl --timeout=5 --no-wait -vreconnect:ANY:emer --db=unix:socket "$@"
}
trim () {  # Removes blank lines and lines starting with # from input.
    sed -e '/^#/d' -e '/^[       ]*$/d' "$@"
}

###
### Start ovsdb-server.
###
OVS_VSCTL_SETUP

###
### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
###
AT_CHECK(
  [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
        "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
        unix:socket 2>log 3>actions &])
AT_CAPTURE_FILE([log])
AT_CAPTURE_FILE([actions])
OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])

###
### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl \
              -- add-br br0 \
              -- add-port br0 gre0 \
              -- set interface gre0 type=ipsec_gre \
                                    options:remote_ip=1.2.3.4 \
                                    options:psk=swordfish])
OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
AT_CHECK([cat actions], [0], [dnl
setkey:
> flush;
setkey:
> spdflush;
racoon: reload
racoon: reload
setkey:
> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4   swordfish
])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 1.2.3.4 {
        exchange_mode main;
        nat_traversal on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])

###
### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl del-port gre0])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
AT_CHECK([sed '1,9d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
> spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])

###
### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
###
AT_DATA([cert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real certificate)
-----END CERTIFICATE-----
])
AT_DATA([key.pem], [dnl
-----BEGIN RSA PRIVATE KEY-----
(not a real private key)
-----END RSA PRIVATE KEY-----
])
AT_CHECK([ovs_vsctl \
              -- add-port br0 gre1 \
              -- set Interface gre1 type=ipsec_gre \
                 options:remote_ip=2.3.4.5 \
                 options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
                 options:certificate='"/cert.pem"' \
                 options:private_key='"/key.pem"'])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
AT_CHECK([sed '1,17d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 2.3.4.5 {
        exchange_mode main;
        nat_traversal on;
        ike_frag on;
        certificate_type x509 "/cert.pem" "/key.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
        verify_identifier on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])

###
### Delete the ipsec_gre certificate interface.
###
AT_CHECK([ovs_vsctl del-port gre1])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
AT_CHECK([sed '1,21d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
> spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])

AT_CLEANUP
Commit	Line	Data
b54bdbe9 BP	1	AT_BANNER([ovs-monitor-ipsec])
	2
	3	AT_SETUP([ovs-monitor-ipsec])
	4	AT_SKIP_IF([test $HAVE_PYTHON = no])
	5
	6	OVS_PKGDATADIR=`pwd`; export OVS_PKGDATADIR
	7	cp "$top_srcdir/vswitchd/vswitch.ovsschema" .
	8
	9	trap 'kill `cat pid ovs-monitor-ipsec.pid`' 0
	10
	11	mkdir etc etc/init.d etc/racoon etc/racoon/certs
	12	mkdir usr usr/sbin
	13
	14	AT_DATA([etc/init.d/racoon], [dnl
	15	#! /bin/sh
	16	echo "racoon: $@" >&3
	17	exit 0
	18	])
	19	chmod +x etc/init.d/racoon
	20
	21	AT_DATA([usr/sbin/setkey], [dnl
	22	#! /bin/sh
	23	exec >&3
	24	echo "setkey:"
	25	while read line; do
	26	echo "> $line"
	27	done
	28	])
	29	chmod +x usr/sbin/setkey
	30
	31	touch etc/racoon/certs/ovs-stale.pem
	32
	33	ovs_vsctl () {
	34	ovs-vsctl --timeout=5 --no-wait -vreconnect:ANY:emer --db=unix:socket "$@"
	35	}
	36	trim () { # Removes blank lines and lines starting with # from input.
	37	sed -e '/^#/d' -e '/^[ ]*$/d' "$@"
	38	}
	39
	40	###
	41	### Start ovsdb-server.
	42	###
	43	OVS_VSCTL_SETUP
	44
	45	###
	46	### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
	47	###
	48	AT_CHECK(
	49	[$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
b153e667	50	"--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
b54bdbe9 BP	51	unix:socket 2>log 3>actions &])
	52	AT_CAPTURE_FILE([log])
	53	AT_CAPTURE_FILE([actions])
	54	OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])
	55
	56	###
	57	### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
	58	###
	59	AT_CHECK([ovs_vsctl \
	60	-- add-br br0 \
	61	-- add-port br0 gre0 \
	62	-- set interface gre0 type=ipsec_gre \
	63	options:remote_ip=1.2.3.4 \
	64	options:psk=swordfish])
	65	OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
	66	AT_CHECK([cat actions], [0], [dnl
	67	setkey:
	68	> flush;
	69	setkey:
	70	> spdflush;
	71	racoon: reload
	72	racoon: reload
	73	setkey:
	74	> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
	75	> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
	76	])
	77	AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish
	78	])
	79	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
	80	path pre_shared_key "/etc/racoon/psk.txt";
	81	path certificate "/etc/racoon/certs";
	82	remote 1.2.3.4 {
	83	exchange_mode main;
	84	nat_traversal on;
	85	proposal {
	86	encryption_algorithm aes;
	87	hash_algorithm sha1;
	88	authentication_method pre_shared_key;
	89	dh_group 2;
	90	}
	91	}
	92	sainfo anonymous {
	93	pfs_group 2;
	94	lifetime time 1 hour;
	95	encryption_algorithm aes;
	96	authentication_algorithm hmac_sha1, hmac_md5;
	97	compression_algorithm deflate;
	98	}
	99	])
	100
	101	###
	102	### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
	103	###
	104	AT_CHECK([ovs_vsctl del-port gre0])
	105	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
	106	AT_CHECK([sed '1,9d' actions], [0], [dnl
	107	racoon: reload
	108	setkey:
	109	> spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
	110	> spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
	111	setkey:
	112	> dump ;
	113	setkey:
	114	> dump ;
115	])
116	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
117	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
118	path pre_shared_key "/etc/racoon/psk.txt";
119	path certificate "/etc/racoon/certs";
120	sainfo anonymous {
121	pfs_group 2;
122	lifetime time 1 hour;
123	encryption_algorithm aes;
124	authentication_algorithm hmac_sha1, hmac_md5;
125	compression_algorithm deflate;
126	}
127	])
128
129	###
130	### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
131	###
132	AT_DATA([cert.pem], [dnl
133	-----BEGIN CERTIFICATE-----
134	(not a real certificate)
135	-----END CERTIFICATE-----
136	])
137	AT_DATA([key.pem], [dnl
138	-----BEGIN RSA PRIVATE KEY-----
139	(not a real private key)
140	-----END RSA PRIVATE KEY-----
141	])
142	AT_CHECK([ovs_vsctl \
143	-- add-port br0 gre1 \
144	-- set Interface gre1 type=ipsec_gre \
145	options:remote_ip=2.3.4.5 \
146	options:peer_cert='"-----BEGIN CERTIFICATE-----
147	(not a real peer certificate)
148	-----END CERTIFICATE-----
149	"' \
150	options:certificate='"/cert.pem"' \
151	options:private_key='"/key.pem"'])
152	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
153	AT_CHECK([sed '1,17d' actions], [0], [dnl
154	racoon: reload
155	setkey:
156	> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
157	> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
158	])
159	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
160	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
161	path pre_shared_key "/etc/racoon/psk.txt";
162	path certificate "/etc/racoon/certs";
163	remote 2.3.4.5 {
164	exchange_mode main;
165	nat_traversal on;
166	ike_frag on;
167	certificate_type x509 "/cert.pem" "/key.pem";
168	my_identifier asn1dn;
169	peers_identifier asn1dn;
170	peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
171	verify_identifier on;
172	proposal {
173	encryption_algorithm aes;
174	hash_algorithm sha1;
175	authentication_method rsasig;
176	dh_group 2;
177	}
178	}
179	sainfo anonymous {
180	pfs_group 2;
181	lifetime time 1 hour;
182	encryption_algorithm aes;
183	authentication_algorithm hmac_sha1, hmac_md5;
184	compression_algorithm deflate;
185	}
186	])
187	AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
188	-----BEGIN CERTIFICATE-----
189	(not a real peer certificate)
190	-----END CERTIFICATE-----
191	])
192
193	###
194	### Delete the ipsec_gre certificate interface.
195	###
196	AT_CHECK([ovs_vsctl del-port gre1])
197	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
198	AT_CHECK([sed '1,21d' actions], [0], [dnl
199	racoon: reload
200	setkey:
201	> spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
202	> spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
203	setkey:
204	> dump ;
205	setkey:
206	> dump ;
207	])
208	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
209	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
210	path pre_shared_key "/etc/racoon/psk.txt";
211	path certificate "/etc/racoon/certs";
212	sainfo anonymous {
213	pfs_group 2;
214	lifetime time 1 hour;
215	encryption_algorithm aes;
216	authentication_algorithm hmac_sha1, hmac_md5;
217	compression_algorithm deflate;
218	}
219	])
220	AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
221
222	AT_CLEANUP