cpp/src/tests/ssl_test - qpid - Git at Google

 #!/bin/bash

 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 #

 # Run a simple test over SSL
 source ./test_env.sh

 CONFIG=$(dirname $0)/config.null
 CERT_DIR=`pwd`/test_cert_db
 CERT_PW_FILE=`pwd`/cert.password
 TEST_HOSTNAME=127.0.0.1
 TEST_CLIENT_CERT=rumplestiltskin
 COUNT=10

 trap cleanup EXIT

 error() { echo $*; exit 1; }

 create_certs() {
     #create certificate and key databases with single, simple, self-signed certificate in it
     mkdir ${CERT_DIR}
     certutil -N -d ${CERT_DIR} -f ${CERT_PW_FILE}
     certutil -S -d ${CERT_DIR} -n ${TEST_HOSTNAME} -s "CN=${TEST_HOSTNAME}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil
     certutil -S -d ${CERT_DIR} -n ${TEST_CLIENT_CERT} -s "CN=${TEST_CLIENT_CERT}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil
 }

 delete_certs() {
     if [[ -e ${CERT_DIR} ]] ;  then
         rm -rf ${CERT_DIR}
     fi
 }

 COMMON_OPTS="--daemon --no-data-dir --no-module-dir --config $CONFIG --load-module $SSL_LIB --ssl-cert-db $CERT_DIR --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME"
 start_broker() { # $1 = extra opts
     ../qpidd --transport ssl --port 0 --ssl-port 0 $COMMON_OPTS --require-encryption --auth no $1;
 }

 start_authenticating_broker() {
     ../qpidd --transport ssl --port 0 --ssl-port 0 $COMMON_OPTS --require-encryption --ssl-sasl-no-dict --ssl-require-client-authentication --auth yes;
 }

 stop_brokers() {
     test -n "$PORT" && ../qpidd --no-module-dir -qp $PORT
     test -n "$PORT2" && ../qpidd --no-module-dir -qp $PORT2
     PORT=""
     PORT2=""
 }

 cleanup() {
     stop_brokers
     delete_certs
 }

 pick_port() {
     # We need a fixed port to set --cluster-url. Use qpidd to pick a free port.
     PICK=`../qpidd --no-module-dir -dp0`
     ../qpidd --no-module-dir -qp $PICK
     echo $PICK
 }

 CERTUTIL=$(type -p certutil)
 if [[ !(-x $CERTUTIL) ]] ; then
     echo "No certutil, skipping ssl test";
     exit 0;
 fi

 if [[ !(-e ${CERT_PW_FILE}) ]] ;  then
     echo password > ${CERT_PW_FILE}
 fi
 delete_certs
 create_certs || error "Could not create test certificate"
 PORT=`start_broker` || error "Could not start broker"
 echo "Running SSL test on port $PORT"
 export QPID_NO_MODULE_DIR=1
 export QPID_LOAD_MODULE=$SSLCONNECTOR_LIB
 export QPID_SSL_CERT_DB=${CERT_DIR}
 export QPID_SSL_CERT_PASSWORD_FILE=${CERT_PW_FILE}

 ## Test connection via connection settings
 ./qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary

 ## Test connection with a URL
 URL=amqp:ssl:$TEST_HOSTNAME:$PORT
 ./qpid-send -b $URL --content-string=hello -a "foo;{create:always}"
 MSG=`./qpid-receive -b $URL -a "foo;{create:always}" --messages 1`
 test "$MSG" = "hello" || { echo "receive failed '$MSG' != 'hello'"; exit 1; }

 #### Client Authentication tests

 PORT2=`start_authenticating_broker`  || error "Could not start broker"
 echo "Running SSL client authentication test on port $PORT2"
 URL=amqp:ssl:$TEST_HOSTNAME:$PORT2

 ## See if you can set the SSL cert-name for the connection
 ./qpid-send -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }"  --content-string=hello -a "bar;{create:always}"
 MSG2=`./qpid-receive -b $URL  --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" -a "bar;{create:always}" --messages 1`
 test "$MSG2" = "hello" || { echo "receive failed '$MSG2' != 'hello'"; exit 1; }

 ## Make sure that connect fails with an invalid SSL cert-name
 ./qpid-send -b $URL --connection-options "{ssl-cert-name: pignose }" --content-string=hello -a "baz;{create:always}" 2>/dev/null 1>/dev/null
 MSG3=`./qpid-receive -b $URL  --connection-options "{ssl-cert-name: pignose }" -a "baz;{create:always}" --messages 1 2>/dev/null`
 test "$MSG3" = "" || { echo "receive succeeded without valid ssl cert '$MSG3' != ''"; exit 1; }

 stop_brokers

 #Test multiplexed connection where SSL and plain TCP are served by the same port
 PORT=`pick_port`; ../qpidd --port $PORT --ssl-port $PORT $COMMON_OPTS --transport ssl --auth no
 echo "Running multiplexed SSL/TCP test on $PORT"

 ./qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || { echo "SSL on multiplexed connection failed!"; exit 1; }
 ./qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || { echo "Plain TCP on multiplexed connection failed!"; exit 1; }

 stop_brokers

 test -z $CLUSTER_LIB && exit 0	# Exit if cluster not supported.

 ## Test failover in a cluster using SSL only
 . $srcdir/ais_check		# Will exit if clustering not enabled.

 ssl_cluster_broker() {		# $1 = port
     ../qpidd $COMMON_OPTS --require-encryption --auth no --load-module  $CLUSTER_LIB --cluster-name ssl_test.$HOSTNAME.$$ --cluster-url amqp:ssl:$TEST_HOSTNAME:$1 --port 0 --ssl-port $1 --transport ssl > /dev/null
     # Wait for broker to be ready
     qpid-ping -Pssl -b $TEST_HOSTNAME -qp $1 || { echo "Cannot connect to broker on $1"; exit 1; }
     echo "Running SSL cluster broker on port $1"
 }

 PORT1=`pick_port`; ssl_cluster_broker $PORT1
 PORT2=`pick_port`; ssl_cluster_broker $PORT2

 # Pipe receive output to uniq to remove duplicates
 ./qpid-receive --connection-options "{reconnect:true, reconnect-timeout:5}" --failover-updates -b amqp:ssl:$TEST_HOSTNAME:$PORT1 -a "foo;{create:always}" -f | uniq > ssl_test_receive.tmp &
 ./qpid-send -b amqp:ssl:$TEST_HOSTNAME:$PORT2 --content-string=one -a "foo;{create:always}"
 ../qpidd --no-module-dir -qp $PORT1 # Kill broker 1 receiver should fail-over.
 ./qpid-send -b amqp:ssl:$TEST_HOSTNAME:$PORT2 --content-string=two -a "foo;{create:always}" --send-eos 1
 wait				# Wait for qpid-receive
 { echo one; echo two; } > ssl_test_receive.cmp
 diff  ssl_test_receive.tmp ssl_test_receive.cmp || { echo "Failover failed"; exit 1; }
 rm -f ssl_test_receive.*
	#!/bin/bash

	#
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.
	#

	# Run a simple test over SSL
	source ./test_env.sh

	CONFIG=$(dirname $0)/config.null
	CERT_DIR=`pwd`/test_cert_db
	CERT_PW_FILE=`pwd`/cert.password
	TEST_HOSTNAME=127.0.0.1
	TEST_CLIENT_CERT=rumplestiltskin
	COUNT=10

	trap cleanup EXIT

	error() { echo $*; exit 1; }

	create_certs() {
	#create certificate and key databases with single, simple, self-signed certificate in it
	mkdir ${CERT_DIR}
	certutil -N -d ${CERT_DIR} -f ${CERT_PW_FILE}
	certutil -S -d ${CERT_DIR} -n ${TEST_HOSTNAME} -s "CN=${TEST_HOSTNAME}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil
	certutil -S -d ${CERT_DIR} -n ${TEST_CLIENT_CERT} -s "CN=${TEST_CLIENT_CERT}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil
	}

	delete_certs() {
	if [[ -e ${CERT_DIR} ]] ; then
	rm -rf ${CERT_DIR}
	fi
	}

	COMMON_OPTS="--daemon --no-data-dir --no-module-dir --config $CONFIG --load-module $SSL_LIB --ssl-cert-db $CERT_DIR --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME"
	start_broker() { # $1 = extra opts
	../qpidd --transport ssl --port 0 --ssl-port 0 $COMMON_OPTS --require-encryption --auth no $1;
	}

	start_authenticating_broker() {
	../qpidd --transport ssl --port 0 --ssl-port 0 $COMMON_OPTS --require-encryption --ssl-sasl-no-dict --ssl-require-client-authentication --auth yes;
	}

	stop_brokers() {
	test -n "$PORT" && ../qpidd --no-module-dir -qp $PORT
	test -n "$PORT2" && ../qpidd --no-module-dir -qp $PORT2
	PORT=""
	PORT2=""
	}

	cleanup() {
	stop_brokers
	delete_certs
	}

	pick_port() {
	# We need a fixed port to set --cluster-url. Use qpidd to pick a free port.
	PICK=`../qpidd --no-module-dir -dp0`
	../qpidd --no-module-dir -qp $PICK
	echo $PICK
	}

	CERTUTIL=$(type -p certutil)
	if [[ !(-x $CERTUTIL) ]] ; then
	echo "No certutil, skipping ssl test";
	exit 0;
	fi

	if [[ !(-e ${CERT_PW_FILE}) ]] ; then
	echo password > ${CERT_PW_FILE}
	fi
	delete_certs
	create_certs \|\| error "Could not create test certificate"
	PORT=`start_broker` \|\| error "Could not start broker"
	echo "Running SSL test on port $PORT"
	export QPID_NO_MODULE_DIR=1
	export QPID_LOAD_MODULE=$SSLCONNECTOR_LIB
	export QPID_SSL_CERT_DB=${CERT_DIR}
	export QPID_SSL_CERT_PASSWORD_FILE=${CERT_PW_FILE}

	## Test connection via connection settings
	./qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary

	## Test connection with a URL
	URL=amqp:ssl:$TEST_HOSTNAME:$PORT
	./qpid-send -b $URL --content-string=hello -a "foo;{create:always}"
	MSG=`./qpid-receive -b $URL -a "foo;{create:always}" --messages 1`
	test "$MSG" = "hello" \|\| { echo "receive failed '$MSG' != 'hello'"; exit 1; }

	#### Client Authentication tests

	PORT2=`start_authenticating_broker` \|\| error "Could not start broker"
	echo "Running SSL client authentication test on port $PORT2"
	URL=amqp:ssl:$TEST_HOSTNAME:$PORT2

	## See if you can set the SSL cert-name for the connection
	./qpid-send -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" --content-string=hello -a "bar;{create:always}"
	MSG2=`./qpid-receive -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" -a "bar;{create:always}" --messages 1`
	test "$MSG2" = "hello" \|\| { echo "receive failed '$MSG2' != 'hello'"; exit 1; }

	## Make sure that connect fails with an invalid SSL cert-name
	./qpid-send -b $URL --connection-options "{ssl-cert-name: pignose }" --content-string=hello -a "baz;{create:always}" 2>/dev/null 1>/dev/null
	MSG3=`./qpid-receive -b $URL --connection-options "{ssl-cert-name: pignose }" -a "baz;{create:always}" --messages 1 2>/dev/null`
	test "$MSG3" = "" \|\| { echo "receive succeeded without valid ssl cert '$MSG3' != ''"; exit 1; }

	stop_brokers

	#Test multiplexed connection where SSL and plain TCP are served by the same port
	PORT=`pick_port`; ../qpidd --port $PORT --ssl-port $PORT $COMMON_OPTS --transport ssl --auth no
	echo "Running multiplexed SSL/TCP test on $PORT"

	./qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary \|\| { echo "SSL on multiplexed connection failed!"; exit 1; }
	./qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary \|\| { echo "Plain TCP on multiplexed connection failed!"; exit 1; }

	stop_brokers

	test -z $CLUSTER_LIB && exit 0 # Exit if cluster not supported.

	## Test failover in a cluster using SSL only
	. $srcdir/ais_check # Will exit if clustering not enabled.

	ssl_cluster_broker() { # $1 = port
	../qpidd $COMMON_OPTS --require-encryption --auth no --load-module $CLUSTER_LIB --cluster-name ssl_test.$HOSTNAME.$$ --cluster-url amqp:ssl:$TEST_HOSTNAME:$1 --port 0 --ssl-port $1 --transport ssl > /dev/null
	# Wait for broker to be ready
	qpid-ping -Pssl -b $TEST_HOSTNAME -qp $1 \|\| { echo "Cannot connect to broker on $1"; exit 1; }
	echo "Running SSL cluster broker on port $1"
	}

	PORT1=`pick_port`; ssl_cluster_broker $PORT1
	PORT2=`pick_port`; ssl_cluster_broker $PORT2

	# Pipe receive output to uniq to remove duplicates
	./qpid-receive --connection-options "{reconnect:true, reconnect-timeout:5}" --failover-updates -b amqp:ssl:$TEST_HOSTNAME:$PORT1 -a "foo;{create:always}" -f \| uniq > ssl_test_receive.tmp &
	./qpid-send -b amqp:ssl:$TEST_HOSTNAME:$PORT2 --content-string=one -a "foo;{create:always}"
	../qpidd --no-module-dir -qp $PORT1 # Kill broker 1 receiver should fail-over.
	./qpid-send -b amqp:ssl:$TEST_HOSTNAME:$PORT2 --content-string=two -a "foo;{create:always}" --send-eos 1
	wait # Wait for qpid-receive
	{ echo one; echo two; } > ssl_test_receive.cmp
	diff ssl_test_receive.tmp ssl_test_receive.cmp \|\| { echo "Failover failed"; exit 1; }
	rm -f ssl_test_receive.*