#1 Add CI tests using the standard test interface
Merged 2 years ago by kengert. Opened 2 years ago by sturivny.
git://fedorapeople.org/~sturivny/nspr new_tests  into  master

Add CI tests using the standard test interface
Serhii Turivny • 2 years ago  
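--- a/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
+++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
+#   Description: NSS tools should not use SHA1 by default when
+#   Author: Hubert Kario <hkario@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Hubert Kario <hkario@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     NSS tools should not use SHA1 by default when" >> $(METADATA)
+	@echo "Type:            Regression" >> $(METADATA)
+	@echo "TestTime:        10m" >> $(METADATA)
+	@echo "RunFor:          nss openssl" >> $(METADATA)
+	@echo "Requires:        nss nss-tools openssl" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)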
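Review bot: `run` and `build` are used as commands but are missing from the `.PHONY` line, so a stray file named `build` (or `run`) in the test directory could make make treat the target as up to date and skip its recipe, unless the included rhts-make.include declares them, which is not visible here. I would extend the declaration to `.PHONY: all install download clean run build`. The `Description:` strings in the header and in the metadata recipe also stop mid-sentence at "by default when"; the PURPOSE file carries the full wording ("when generating digital signatures/certificates").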

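--- a/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE
+++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
+Description: NSS tools should not use SHA1 by default when
+Author: Hubert Kario <hkario@redhat.com>
+Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates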

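--- a/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh
+++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh
@@ -0,0 +1,125 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
+#   Description: NSS tools should not use SHA1 by default when
+#   Author: Hubert Kario <hkario@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="nss"
+PACKAGES="nss openssl"
+DBDIR="nssdb"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm --all
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+        rlRun "mkdir nssdb"
+        rlRun "certutil -N -d $DBDIR --empty-password"
+        rlLogInfo "Create a JAR file"
+        rlRun "mkdir java-dir"
+        rlRun "pushd java-dir"
+        rlRun "mkdir META-INF mypackage"
+        rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
+        rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
+        #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
+        rlRun "popd"
+        #rlRun "mv java-dir/package.jar ."
+    rlPhaseEnd
+
+    rlPhaseStartTest "Self signing certificates"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
+        rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Signing certificates"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
+        rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Certificate request"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "mkdir srv2db"
+        rlRun "certutil -d srv2db -N --empty-password"
+        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
+        rlRun -s "openssl req -noout -text -in srv2.req"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
+        rlRun -s "openssl x509 -in srv2.crt -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "rm -rf srv2db"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Certificate request with SHA1"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "mkdir srv2db"
+        rlRun "certutil -d srv2db -N --empty-password"
+        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
+        rlRun -s "openssl req -noout -text -in srv2.req"
+        rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
+        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
+        rlRun -s "openssl x509 -in srv2.crt -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "rm -rf srv2db"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Signing CMS messages"
+        rlRun "echo 'This is a document' > document.txt"
+        rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
+        rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
+        rlAssertGrep "algorithm: sha256" $rlRun_LOG
+        rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "CRL signing"
+        rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
+        rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
+        rlRun "echo addext crlNumber 0 1245 >>script"
+        rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
+        rlRun "echo addext reasonCode 0 0 >>script"
+        rlRun "cat script"
+        rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
+        rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd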
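Review bot: The setup phase creates `java-dir` with a `META-INF/MANIFEST.MF` and a placeholder class file, but both `jar` lines are commented out and no later phase in this file signs or inspects a JAR, so that setup is dead and the default digest for JAR/object signing is not checked here. Either drop those setup lines or keep them under a comment such as `# TODO: JAR signing is not covered yet; java-dir is unused until a signing phase is added`. Separately, `$rlRun_LOG` is quoted in the rlAssertGrep calls of the certificate phases but unquoted in every rlAssertNotGrep call and throughout the CMS and CRL phases; writing `"$rlRun_LOG"` everywhere avoids word splitting if the log path ever contains whitespace.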

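--- a/tests/tests.yml
+++ b/tests/tests.yml
@@ -0,0 +1,12 @@
+---
+# This first play always runs on the local staging system
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    tests:
+    - NSS-tools-should-not-use-SHA1-by-default-when
+    required_packages:
+    - nss-tools
+    - nss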
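Review bot: `required_packages` lists only `nss-tools` and `nss`, yet runtest.sh sets `PACKAGES="nss openssl"`, calls `rlAssertRpm --all`, and inspects every generated certificate, request, CMS message and CRL with `openssl`; the test's Makefile metadata also says `Requires: nss nss-tools openssl`. On a minimal image without openssl the setup phase would presumably fail before any signature algorithm is checked. Adding `- openssl` under `required_packages` keeps the playbook in line with the test's own stated requirements.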

no initial comment

Justification

Adds tests according to the CI wiki specifically the standard test interface in the spec.

The playbook includes Tier1 level test cases that have been tested in the following contexts and is passing reliably: Classic and Container. Test logs are stored in the artifacts directory.

The following steps are used to execute the tests using the standard test interface:

Test environment

Make sure you have installed packages from the spec

$ rpm -q ansible python2-dnf libselinux-python standard-test-roles
ansible-2.3.2.0-1.fc26.noarch
python2-dnf-2.6.3-11.fc26.noarch
libselinux-python-2.6-7.fc26.x86_64
standard-test-roles-2.4-1.fc26.noarch

Run tests for Classic

$ export TEST_SUBJECTS=
$ sudo ansible-playbook --tags classic tests.yml

Snip of the example test run for Classic tests:

TASK [standard-test-beakerlib : Check the results] ******************************************************************************************************************************************************************
changed: [localhost]

PLAY RECAP **********************************************************************************************************************************************************************************************************
localhost                  : ok=15   changed=8    unreachable=0    failed=0   

PASS NSS-tools-should-not-use-SHA1-by-default-when

Notes

Tests will be enabled in CI, yet gating is currently disabled, so nothing will change. Tests will run on each dist-git commit, they are not triggered on koji builds and if you are using FMN, it should notify you of failures normally.

The RH QE maintainer contact in case you have questions: szidek @redhat.com
The idea is that these tests become yours just as you're maintaining the package, there will of course be people around if you have questions or troubles.

Why do you run an NSS tool to test NSPR? Is it because we don't have any NSPR-only tools?
Did you know there is a NSPR test suite which we currently don't execute as part of the NSPR build?
There's a related upstream TODO:
https://bugzilla.mozilla.org/show_bug.cgi?id=1385039

Why do you run an NSS tool to test NSPR? Is it because we don't have any NSPR-only tools?
Did you know there is a NSPR test suite which we currently don't execute as part of the NSPR build?
There's a related upstream TODO:
https://bugzilla.mozilla.org/show_bug.cgi?id=1385039

Those tests were ported from https://upstreamfirst.fedorainfracloud.org/nspr

Pull-Request has been merged by kengert

2 years ago