diff options
Diffstat (limited to 'qa/common.secure')
-rw-r--r-- | qa/common.secure | 196 |
1 files changed, 196 insertions, 0 deletions
diff --git a/qa/common.secure b/qa/common.secure new file mode 100644 index 0000000..3916372 --- /dev/null +++ b/qa/common.secure @@ -0,0 +1,196 @@ +# +# Common shell routines for testing security extensions +# Copyright (c) 2012-2014 Red Hat. +# + +# get standard environment, filters and checks +. ./common.product +. ./common.filter +. ./common.check + +usersdb=${HOME}/.pki/nssdb +collectordb=$tmp/pki/nssdb +collectorpw=$tmp/pki/nssdb/pass +PCP_SECURE_DB_METHOD=${PCP_SECURE_DB_METHOD-'sql:'} +certopts="-d $PCP_SECURE_DB_METHOD$collectordb -f $collectorpw -z $tmp.rand" + +userid=`id -u` +groupid=`id -g` +username=`id -u -n` +groupname=`id -g -n` + +qahost=`_get_fqdn` +hostname=`hostname | sed -e 's/\..*//'` + +nss_notrun_checks() +{ + _get_libpcp_config + [ "$secure_sockets" = "true" ] || _notrun "Secure sockets not supported" + which certutil >/dev/null 2>&1 || _notrun "certutil not installed (NSS tools)" + [ -c /dev/urandom ] || _notrun "No random number generator special file found" + + fips=false # testing for exposure to Red Hat bug 1035509 + fipsfile=/proc/sys/crypto/fips_enabled + if [ -f $fipsfile ] + then + test `cat $fipsfile` -ne 0 && fips=true + fi + $fips && _notrun "FIPS mode interacts badly with system NSS databases" +} + +nss_cleanup() +{ + unset PCP_SECURE_SOCKETS + + # restore any modified pmcd configuration file + cf=$PCP_PMCDOPTIONS_PATH + if test -f $cf.$seq + then + $sudo rm -f $cf + $sudo mv $cf.$seq $cf + fi + + # restore user certificate DB from existing installation + if test -d $usersdb.$seq + then + $sudo rm -fr $usersdb + $sudo mv $usersdb.$seq $usersdb + fi +} + +# backup pmcd configuration and certificate DBs from existing installation +nss_backup() +{ + for f in $PCP_PMCDOPTIONS_PATH $usersdb + do + [ -e $f ] && $sudo mv $f $f.$seq + done +} + +nss_filter_pminfo() +{ + sed \ + -e "s/$qahost/QAHOST/g" \ + -e "s/$hostname/HOST/g" \ + -e "/^SHA1 fingerprint is .*/d" \ + -e 's/value [0-9][0-9]*/value NUMBER/' +} + +nss_setup_randomness() +{ + dd if=/dev/urandom of=$tmp.rand bs=1 count=10000 >/dev/null 2>&1 +} + +nss_subject_name() +{ + fqdn=$1 + host=$2 + echo $fqdn | sed -e "s/^$host\./dc=/g" -e 's/\./,dc=/g' +} + +nss_setup_certificates() +{ + certdomain=`nss_subject_name $qahost $hostname` + + echo "setup_certificates host details:" >> $seq.full + echo "HOST=$hostname" >> $seq.full + echo "QAHOST=$qahost" >> $seq.full + echo "DOMAIN=$certdomain" >> $seq.full + + # create self-signed (-x) server certificate locally + echo "== Creating local certificates" | tee -a $seq.full + $sudo certutil $certopts -S -x \ + -n "Local CA certificate" -s "cn=Local PCP Installation, $certdomain" \ + -t "CT,," >> $seq.full 2>&1 + sleep 1 # so that the next cert does not get the same serial number + $sudo certutil $certopts -S \ + -n "PCP Collector certificate" -s "cn=PCP Collector" \ + -c "Local CA certificate" -8 "$qahost,$hostname" \ + -t "P,," >> $seq.full 2>&1 + echo "== Certificate DB and local certificates created" | tee -a $seq.full + + # export ascii copy of the certificate for later use + $sudo certutil $certopts -L -n "Local CA certificate" -a > $tmp.cacert.asc + cat $tmp.cacert.asc >> $seq.full +} + +nss_setup_collector() +{ + withcerts=$1 + fqdn=$2 + host=$3 + + # prepare new locations for certificates + $sudo rm -fr $collectordb + $sudo mkdir -p -m 0755 $collectordb + + # prepare password file for certificates + echo "$seq.password" > $tmp.password + $sudo mv $tmp.password $collectorpw + + echo "== Creating empty certificate DB" | tee -a $seq.full + $sudo certutil $certopts -N + + $withcerts && nss_setup_certificates $fqdn $host + + if [ -d $collectordb ] + then + $sudo chmod -R 0644 $collectordb/* + $sudo chown -R pcp:pcp $collectordb + fi + + cat <<End-Of-File >$tmp.options +# Dummy lines added by PCP QA test $seq +# +-l $tmp.pmcd.log +-C $PCP_SECURE_DB_METHOD$collectordb +-P $collectorpw +End-Of-File + $sudo cp $tmp.options $PCP_PMCDOPTIONS_PATH + echo "Start pmcd, modified \$PCP_PMCDOPTIONS_PATH (pmcd.options):" | tee -a $seq.full + $sudo $PCP_RC_DIR/pcp restart | tee -a $seq.full >$tmp.out + _wait_for_pmcd + grep -i 'starting pmcd' $tmp.out | sed -e "s/$$/MYPID/" | _filter_pcp_start + echo "Checking pmcd.log for unexpected messages" | tee -a $seq.full + egrep 'Error:|Info:' $tmp.pmcd.log + cat $tmp.pmcd.log >> $seq.full + echo "--- end of pmcd.log ---" >> $seq.full +} + +nss_setup_empty_userdb() +{ + $sudo rm -fr $usersdb + echo > $tmp.empty + mkdir -p -m 0755 $usersdb + certutil -N -d $PCP_SECURE_DB_METHOD$usersdb -f $tmp.empty +} + +nss_import_cert_userdb() +{ + certutil -A -d $PCP_SECURE_DB_METHOD$usersdb -n "Local CA certificate" -t "CT,," -a -i $tmp.cacert.asc +} + +find_users() +{ + limit=$1 + tail -n $limit /etc/passwd | $PCP_AWK_PROG -F: '{ print $1 }' +} + +find_groups() +{ + limit=$1 + tail -n $limit /etc/group | $PCP_AWK_PROG -F: '{ print $1 }' +} + +filter_sample_log_credentials() +{ + grep Info $PCP_LOG_DIR/pmcd/sample.log | \ + sed \ + -e '/processid=/d' \ + -e '/ctx=[0-9][0-9]*/s//ctx=N/' \ + -e "s/userid=$userid/userid=UID/g" \ + -e "s/groupid=$groupid/groupid=GID/g" \ + -e "s/username=$username/username=USER/g" \ + -e '/pmdasample([0-9][0-9]*)/s//pmdasample(PID)/' \ + -e 's/^\[[A-Z].. [A-Z].. *[0-9][0-9]* ..:..:..]/[DATETIME]/' +} |