[mirror_ovs.git] / tests / ovs-monitor-ipsec.at

AT_BANNER([ovs-monitor-ipsec])

AT_SETUP([ovs-monitor-ipsec])
AT_SKIP_IF([test $HAVE_PYTHON = no])

OVS_RUNDIR=`pwd`; export OVS_RUNDIR
OVS_DBDIR=`pwd`; export OVS_DBDIR
OVS_PKGDATADIR=`pwd`; export OVS_PKGDATADIR
cp "$top_srcdir/vswitchd/vswitch.ovsschema" .

ON_EXIT([kill `cat pid ovs-monitor-ipsec.pid`])

mkdir etc etc/init.d etc/racoon etc/racoon/certs
mkdir usr usr/sbin

AT_DATA([etc/init.d/racoon], [dnl
#! /bin/sh
echo "racoon: $@" >&3
exit 0
])
chmod +x etc/init.d/racoon

AT_DATA([usr/sbin/setkey], [dnl
#! /bin/sh
exec >&3
echo "setkey:"
while read line; do
      echo "> $line"
done
])
chmod +x usr/sbin/setkey

touch etc/racoon/certs/ovs-stale.pem

ovs_vsctl () {
    ovs-vsctl --no-wait -vreconnect:emer --db=unix:socket "$@"
}
trim () {  # Removes blank lines and lines starting with # from input.
    sed -e '/^#/d' -e '/^[       ]*$/d' "$@"
}

###
### Start ovsdb-server.
###
OVS_VSCTL_SETUP

###
### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
###
AT_CHECK(
  [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
        "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
        unix:socket 2>log 3>actions &])
AT_CAPTURE_FILE([log])
AT_CAPTURE_FILE([actions])
OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])

###
### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl \
              -- add-br br0 \
              -- add-port br0 gre0 \
              -- set interface gre0 type=ipsec_gre \
                                    options:remote_ip=1.2.3.4 \
                                    options:psk=swordfish])
OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
AT_CHECK([cat actions], [0], [dnl
setkey:
> flush;
setkey:
> spdflush;
racoon: reload
racoon: reload
setkey:
> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4   swordfish
])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 1.2.3.4 {
        exchange_mode main;
        nat_traversal on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])

###
### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl del-port gre0])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
AT_CHECK([sed '1,9d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
> spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])

###
### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
###
AT_DATA([cert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real certificate)
-----END CERTIFICATE-----
])
AT_DATA([key.pem], [dnl
-----BEGIN RSA PRIVATE KEY-----
(not a real private key)
-----END RSA PRIVATE KEY-----
])
AT_CHECK([ovs_vsctl \
              -- add-port br0 gre1 \
              -- set Interface gre1 type=ipsec_gre \
                 options:remote_ip=2.3.4.5 \
                 options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
                 options:certificate='"/cert.pem"' \
                 options:private_key='"/key.pem"'])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
AT_CHECK([sed '1,17d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 2.3.4.5 {
        exchange_mode main;
        nat_traversal on;
        ike_frag on;
        certificate_type x509 "/cert.pem" "/key.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
        verify_identifier on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])

###
### Delete the ipsec_gre certificate interface.
###
AT_CHECK([ovs_vsctl del-port gre1])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
AT_CHECK([sed '1,21d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
> spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])

###
### Add an SSL certificate interface.
###
cp cert.pem ssl-cert.pem
cp key.pem ssl-key.pem
AT_DATA([ssl-cacert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real CA certificate)
-----END CERTIFICATE-----
])
AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
              -- add-port br0 gre2 \
              -- set Interface gre2 type=ipsec_gre \
                 options:remote_ip=3.4.5.6 \
                 options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
                 options:use_ssl_cert='"true"'])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
AT_CHECK([sed '1,29d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 3.4.5.6 {
        exchange_mode main;
        nat_traversal on;
        ike_frag on;
        certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
        verify_identifier on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])

###
### Delete the SSL certificate interface.
###
AT_CHECK([ovs_vsctl del-port gre2])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
AT_CHECK([sed '1,33d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
> spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])

OVSDB_SERVER_SHUTDOWN

AT_CLEANUP
Commit	Line	Data
b54bdbe9 BP	1	AT_BANNER([ovs-monitor-ipsec])
	2
	3	AT_SETUP([ovs-monitor-ipsec])
	4	AT_SKIP_IF([test $HAVE_PYTHON = no])
	5
bb474bb3	6	OVS_RUNDIR=`pwd`; export OVS_RUNDIR
f973f2af	7	OVS_DBDIR=`pwd`; export OVS_DBDIR
b54bdbe9 BP	8	OVS_PKGDATADIR=`pwd`; export OVS_PKGDATADIR
	9	cp "$top_srcdir/vswitchd/vswitch.ovsschema" .
	10
0b7140bb	11	ON_EXIT([kill `cat pid ovs-monitor-ipsec.pid`])
b54bdbe9 BP	12
	13	mkdir etc etc/init.d etc/racoon etc/racoon/certs
	14	mkdir usr usr/sbin
	15
	16	AT_DATA([etc/init.d/racoon], [dnl
	17	#! /bin/sh
	18	echo "racoon: $@" >&3
	19	exit 0
	20	])
	21	chmod +x etc/init.d/racoon
	22
	23	AT_DATA([usr/sbin/setkey], [dnl
	24	#! /bin/sh
	25	exec >&3
	26	echo "setkey:"
	27	while read line; do
	28	echo "> $line"
	29	done
	30	])
	31	chmod +x usr/sbin/setkey
	32
	33	touch etc/racoon/certs/ovs-stale.pem
	34
	35	ovs_vsctl () {
fba6bd1d	36	ovs-vsctl --no-wait -vreconnect:emer --db=unix:socket "$@"
b54bdbe9 BP	37	}
	38	trim () { # Removes blank lines and lines starting with # from input.
	39	sed -e '/^#/d' -e '/^[ ]*$/d' "$@"
	40	}
	41
	42	###
	43	### Start ovsdb-server.
	44	###
	45	OVS_VSCTL_SETUP
	46
	47	###
	48	### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
	49	###
	50	AT_CHECK(
	51	[$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
b153e667	52	"--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
b54bdbe9 BP	53	unix:socket 2>log 3>actions &])
	54	AT_CAPTURE_FILE([log])
	55	AT_CAPTURE_FILE([actions])
	56	OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])
	57
	58	###
	59	### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
	60	###
	61	AT_CHECK([ovs_vsctl \
	62	-- add-br br0 \
	63	-- add-port br0 gre0 \
	64	-- set interface gre0 type=ipsec_gre \
	65	options:remote_ip=1.2.3.4 \
	66	options:psk=swordfish])
	67	OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
	68	AT_CHECK([cat actions], [0], [dnl
	69	setkey:
	70	> flush;
	71	setkey:
	72	> spdflush;
	73	racoon: reload
	74	racoon: reload
	75	setkey:
	76	> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
	77	> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
	78	])
	79	AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish
	80	])
	81	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
	82	path pre_shared_key "/etc/racoon/psk.txt";
	83	path certificate "/etc/racoon/certs";
	84	remote 1.2.3.4 {
	85	exchange_mode main;
	86	nat_traversal on;
	87	proposal {
	88	encryption_algorithm aes;
	89	hash_algorithm sha1;
	90	authentication_method pre_shared_key;
	91	dh_group 2;
	92	}
	93	}
	94	sainfo anonymous {
	95	pfs_group 2;
	96	lifetime time 1 hour;
	97	encryption_algorithm aes;
	98	authentication_algorithm hmac_sha1, hmac_md5;
	99	compression_algorithm deflate;
	100	}
	101	])
	102
	103	###
	104	### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
	105	###
	106	AT_CHECK([ovs_vsctl del-port gre0])
	107	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
	108	AT_CHECK([sed '1,9d' actions], [0], [dnl
	109	racoon: reload
	110	setkey:
	111	> spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
	112	> spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
	113	setkey:
	114	> dump ;
	115	setkey:
	116	> dump ;
117	])
118	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
119	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
120	path pre_shared_key "/etc/racoon/psk.txt";
121	path certificate "/etc/racoon/certs";
122	sainfo anonymous {
123	pfs_group 2;
124	lifetime time 1 hour;
125	encryption_algorithm aes;
126	authentication_algorithm hmac_sha1, hmac_md5;
127	compression_algorithm deflate;
128	}
129	])
130
131	###
132	### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
133	###
134	AT_DATA([cert.pem], [dnl
135	-----BEGIN CERTIFICATE-----
136	(not a real certificate)
137	-----END CERTIFICATE-----
138	])
139	AT_DATA([key.pem], [dnl
140	-----BEGIN RSA PRIVATE KEY-----
141	(not a real private key)
142	-----END RSA PRIVATE KEY-----
143	])
144	AT_CHECK([ovs_vsctl \
145	-- add-port br0 gre1 \
146	-- set Interface gre1 type=ipsec_gre \
147	options:remote_ip=2.3.4.5 \
148	options:peer_cert='"-----BEGIN CERTIFICATE-----
149	(not a real peer certificate)
150	-----END CERTIFICATE-----
151	"' \
152	options:certificate='"/cert.pem"' \
153	options:private_key='"/key.pem"'])
154	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
155	AT_CHECK([sed '1,17d' actions], [0], [dnl
156	racoon: reload
157	setkey:
158	> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
159	> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
160	])
161	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
162	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
163	path pre_shared_key "/etc/racoon/psk.txt";
164	path certificate "/etc/racoon/certs";
165	remote 2.3.4.5 {
166	exchange_mode main;
167	nat_traversal on;
168	ike_frag on;
169	certificate_type x509 "/cert.pem" "/key.pem";
170	my_identifier asn1dn;
171	peers_identifier asn1dn;
172	peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
173	verify_identifier on;
174	proposal {
175	encryption_algorithm aes;
176	hash_algorithm sha1;
177	authentication_method rsasig;
178	dh_group 2;
179	}
180	}
181	sainfo anonymous {
182	pfs_group 2;
183	lifetime time 1 hour;
184	encryption_algorithm aes;
185	authentication_algorithm hmac_sha1, hmac_md5;
186	compression_algorithm deflate;
187	}
188	])
189	AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
190	-----BEGIN CERTIFICATE-----
191	(not a real peer certificate)
192	-----END CERTIFICATE-----
193	])
194
195	###
196	### Delete the ipsec_gre certificate interface.
197	###
198	AT_CHECK([ovs_vsctl del-port gre1])
199	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
200	AT_CHECK([sed '1,21d' actions], [0], [dnl
201	racoon: reload
202	setkey:
203	> spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
204	> spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
205	setkey:
206	> dump ;
207	setkey:
208	> dump ;
209	])
210	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
211	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
212	path pre_shared_key "/etc/racoon/psk.txt";
213	path certificate "/etc/racoon/certs";
214	sainfo anonymous {
215	pfs_group 2;
216	lifetime time 1 hour;
217	encryption_algorithm aes;
218	authentication_algorithm hmac_sha1, hmac_md5;
219	compression_algorithm deflate;
220	}
221	])
222	AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
223
ad6247f5 BP	224	###
	225	### Add an SSL certificate interface.
	226	###
	227	cp cert.pem ssl-cert.pem
	228	cp key.pem ssl-key.pem
	229	AT_DATA([ssl-cacert.pem], [dnl
	230	-----BEGIN CERTIFICATE-----
	231	(not a real CA certificate)
	232	-----END CERTIFICATE-----
	233	])
	234	AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
	235	-- add-port br0 gre2 \
	236	-- set Interface gre2 type=ipsec_gre \
	237	options:remote_ip=3.4.5.6 \
	238	options:peer_cert='"-----BEGIN CERTIFICATE-----
	239	(not a real peer certificate)
	240	-----END CERTIFICATE-----
	241	"' \
	242	options:use_ssl_cert='"true"'])
dfbf7f35	243	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
ad6247f5 BP	244	AT_CHECK([sed '1,29d' actions], [0], [dnl
	245	racoon: reload
	246	setkey:
	247	> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
	248	> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
	249	])
	250	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
	251	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
	252	path pre_shared_key "/etc/racoon/psk.txt";
	253	path certificate "/etc/racoon/certs";
	254	remote 3.4.5.6 {
	255	exchange_mode main;
	256	nat_traversal on;
	257	ike_frag on;
	258	certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
	259	my_identifier asn1dn;
	260	peers_identifier asn1dn;
	261	peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
	262	verify_identifier on;
	263	proposal {
	264	encryption_algorithm aes;
	265	hash_algorithm sha1;
	266	authentication_method rsasig;
	267	dh_group 2;
	268	}
	269	}
	270	sainfo anonymous {
	271	pfs_group 2;
	272	lifetime time 1 hour;
	273	encryption_algorithm aes;
	274	authentication_algorithm hmac_sha1, hmac_md5;
	275	compression_algorithm deflate;
	276	}
	277	])
	278	AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
	279	-----BEGIN CERTIFICATE-----
	280	(not a real peer certificate)
	281	-----END CERTIFICATE-----
	282	])
	283
	284	###
	285	### Delete the SSL certificate interface.
	286	###
	287	AT_CHECK([ovs_vsctl del-port gre2])
dfbf7f35	288	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
ad6247f5 BP	289	AT_CHECK([sed '1,33d' actions], [0], [dnl
	290	racoon: reload
	291	setkey:
	292	> spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
	293	> spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
	294	setkey:
	295	> dump ;
	296	setkey:
	297	> dump ;
	298	])
	299	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
	300	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
	301	path pre_shared_key "/etc/racoon/psk.txt";
	302	path certificate "/etc/racoon/certs";
	303	sainfo anonymous {
	304	pfs_group 2;
	305	lifetime time 1 hour;
	306	encryption_algorithm aes;
	307	authentication_algorithm hmac_sha1, hmac_md5;
	308	compression_algorithm deflate;
	309	}
	310	])
	311	AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
	312
94c33672 BP	313	OVSDB_SERVER_SHUTDOWN
94c33672 BP	314
b54bdbe9	315	AT_CLEANUP