myproxy-test

代理服务器源代码 供大家学习使用,希望大家喜欢

#!/usr/bin/perl -w

# myproxy test script
# written by Jim Basney <jbasney@ncsa.uiuc.edu>

# Assumes myproxy-server running as root on the local machine if
# MYPROXY_SERVER not set.
# Requires a valid proxy credential with lifetime of atleast 3 hours.
# Assumes myproxy-server.config has:
#   1. accepted_credentials, authorized_retrievers, and
#      authorized_renewers matching the proxy credential
#   2. default_renewers "none"
#
# Test cases are:
#   1. Store a credential (myproxy-init).
#   2. Get info on the stored credential (myproxy-info).
#   3. Retrieve stored credential (myproxy-get-delegation).
#   4. Verify myproxy-get-delegation fails on bad passphrase.
#   5. Change passphrase (myproxy-change-pass-phrase).
#   6. Retrieve with new passphrase.
#   7. Verify old passphrase no longer accepted.
#   8. Verify renewal fails by default.
#   9. Remove credential from repository (myproxy-destroy).
#  10. Verify credential is removed (myproxy_info).
#  11. Store credentials with retrieval policies.
#  12. Verify retrieval policies (one accept, one deny).
#  13. Store renewable credentials.
#  14. Get info on stored renewable credentials (myproxy-info -d).
#  15. Verify renewal policies (one accept, one deny).
#  16. Verify correct lifetime of retrieved credentials.
#
#  17. Store credential (myproxy-store -v -t 1)
#  18. Get info on the stored credential (myproxy-info)
#  19. Create proxy from stored credential (myproxy-get-delegation).
#  20. Retrieve stored credential (myproxy-retrieve)
#  21. Verify passphrase checking (myproxy-get-delegation).
#  22. Verify passphrase checking (myproxy-retrieve).
#  23. Verify renewal fails by default (myproxy-get-delegation).
#  24. Verify renewal fails by default (myproxy-retrieve).
#  25. Remove credential from repository (myproxy-destroy).
#  26. Verify credential is removed (myproxy_info).
#  27. Store credentials with retrieval policies (myproxy-store).
#  28. Verify retrieval policies (one accept, one deny) (myproxy-get-delegation).
#  29. Verify retrieval policies (one accept, one deny) (myproxy-retrieve).
#  30. Store renewable credentials.
#  31. Get info on stored renewable credentials (myproxy-info -d).
#  32. Verify renewal policies.
#  33. Verify correct lifetime of retrieved credentials.
#  34. Store credentials with retrieve key policies.
#  35. Get info for stored retrieve key credentials.
#  36. Verify myproxy-retrieve key retrieval policies.
#
# CoG test cases are:
#   1. CoG anonget of myproxy-init stored credential.
#   2. CoG get of myproxy-init stored credential.
#   3. (pending) Store a credential (CoG myproxy put).

use IPC::Open3;

#
# handle cmdline options
#
$usage = "usage: myproxy-test [-help] [-verbose] [-startserver]\n" .
         "                    [-performance iterations clients]\n" .
         "                    [-dbperformance] [-valgrind]\n";
$startserver = 0;
$performance = 0;
$dbperformance = 0;
$perfiters = 0;
$perfclients = 0;
$verbose = 0;
while (($arg = shift @ARGV)) {
    if ($arg eq "-h" || $arg eq "-help") {
	print STDERR $usage;
	exit 1;
    } elsif ($arg eq "-v" || $arg eq "-verbose") {
	$verbose = 1;
    } elsif ($arg eq "-startserver") {
	$startserver = 1;
    } elsif ($arg eq "-performance") {
	$performance = 1;
	$perfiters = shift @ARGV;
	$perfclients = shift @ARGV;
    } elsif ($arg eq "-dbperformance") {
	$dbperformance = 1;
    } elsif ($arg eq "-valgrind") {
	chomp($valgrind = `which valgrind 2>/dev/null`);
	die "valgrind not in PATH, stopped" if (!(-x $valgrind));
	$valgrind .= " --tool=addrcheck -q";
	$valgrind .= " --leak-check=full";
	$valgrind .= " --suppressions=$ENV{HOME}/.valgrind.supp";
	$valgrind .= " --log-file=/tmp/valgrind.log.$$";
	$valgrind .= " --num-callers=50 ";
    } else {
	print STDERR $usage;
	exit 1;
    }
}

#
# make sure I have a valid proxy
#
chomp($grid_proxy_init = `which grid-proxy-init 2>/dev/null`);
die "grid-proxy-init not found, stopped" if (!(-x $grid_proxy_init));
chomp($grid_proxy_info = `which grid-proxy-info 2>/dev/null`);
die "grid-proxy-info not found, stopped" if (!(-x $grid_proxy_info));
$timeleft = `$grid_proxy_info -timeleft 2>/dev/null`;
if (!defined($timeleft) || $timeleft eq "" || ($timeleft < 60*60*3)) {
    &debug("Problem with proxy.  Will try to create a new one.");
    `$grid_proxy_init -pwstdin </dev/null >/dev/null 2>&1`;
    $timeleft = `$grid_proxy_info -timeleft 2>/dev/null`;
}
die "grid-proxy-info failed, stopped"
    if (!defined($timeleft) || $timeleft eq "");
die "proxy expired, stopped" if ($timeleft < 60);
die "proxy lifetime too short, stopped" if ($timeleft < 60*60*3);
$cert_subject = `$grid_proxy_info -subject`;
die "grid-proxy-info -subject failed, stopped"
    if (!defined($cert_subject) || $cert_subject eq "");
$cert_subject = (split(/\/CN=proxy|\/CN=limited proxy|\/CN=\d+/,
		       $cert_subject))[0];

#
# check for the commands I want to run
#
chomp($myproxy_store = `which myproxy-store 2>/dev/null`);
die "myproxy-store not in PATH, stopped" if (!(-x $myproxy_store));
chomp($myproxy_init = `which myproxy-init 2>/dev/null`);
die "myproxy-init not in PATH, stopped" if (!(-x $myproxy_init));
chomp($myproxy_retrieve = `which myproxy-retrieve 2>/dev/null`);
die "myproxy-retrieve not in PATH, stopped" if (!(-x $myproxy_retrieve));
chomp($myproxy_info = `which myproxy-info 2>/dev/null`);
die "myproxy-info not in PATH, stopped" if (!(-x $myproxy_info));
chomp($myproxy_destroy = `which myproxy-destroy 2>/dev/null`);
die "myproxy-destroy not in PATH, stopped" if (!(-x $myproxy_destroy));
chomp($myproxy_get = `which myproxy-get-delegation 2>/dev/null`);
die "myproxy-get-delegation not in PATH, stopped" if (!(-x $myproxy_get));
chomp($myproxy_passwd = `which myproxy-change-pass-phrase 2>/dev/null`);
die "myproxy-change-pass-phrase not in PATH, stopped"
    if (!(-x $myproxy_passwd));
chomp($bintrue = `which true 2>/dev/null`);

#
# setup environment variables
#
if (!defined($ENV{'MYPROXY_SERVER'})) {
    chomp($hostname = `hostname 2>/dev/null`);
    $ENV{'MYPROXY_SERVER'} = $hostname;
}
if (!defined($ENV{'X509_USER_PROXY'})) {
    $ENV{'X509_USER_PROXY'} = "/tmp/x509up_u$<";
}
# make proxy from existing proxy, so we don't need to deal with long-term cred
$ENV{'X509_USER_CERT'} = $ENV{'X509_USER_PROXY'};
$ENV{'X509_USER_KEY'} = $ENV{'X509_USER_PROXY'};
$ENV{'LOGNAME'} = $ENV{'LOGNAME'} . ".myproxy-test";

srand(time||$$);
$passphrase = sprintf "%010.d", int(rand(0x7fffffff));

# all temporary files accessible only by running user
umask(0077);

# only test trusted certificates management if no certificates directory
# exists for us to mess up
if (!defined($ENV{X509_CERT_DIR}) &&
    defined($ENV{HOME}) && !(-e "$ENV{HOME}/.globus/certificates")) {
    $test_trustroots = 1;
    print STDERR "Testing with $ENV{HOME}/.globus/certificates.\n"
	if ($verbose);
} else {
    $test_trustroots = 0;
    print STDERR "Not testing CA certificate management because $ENV{HOME}/.globus/certificates exists.\n" if ($verbose);
}

#
# start server if requested
#
if ($startserver) {
    $ENV{'MYPROXY_SERVER'} = "localhost";
    $ENV{'MYPROXY_SERVER_PORT'} = 49152 + ($< % 16384);
    $ENV{'MYPROXY_SERVER_DN'} = $cert_subject;
    chomp($myproxy_server = `which myproxy-server 2>/dev/null`);
    die "myproxy-server not in PATH, stopped" if (!(-x $myproxy_server));
    $serverdir = "/tmp/myproxy-test.serverdir.$$";
    mkdir($serverdir, 0700) ||
	die "failed to create $serverdir, stopped";
    $serverconf = "/tmp/myproxy-test.serverconf.$$";
    open(CONF, ">$serverconf") ||
	 die "failed to open $serverconf, stopped";
    print CONF "accepted_credentials  \"*\"\n";
    print CONF "authorized_retrievers \"*\"\n";
    print CONF "default_retrievers    \"*\"\n";
    print CONF "authorized_renewers   \"*\"\n";
    print CONF "default_renewers      \"none\"\n";
    print CONF "authorized_key_retrievers \"*\"\n";
    print CONF "default_key_retrievers    \"none\"\n";
    print CONF "passphrase_policy_program $bintrue\n" if (-x $bintrue);
    close(CONF);
    $SERVERPIDFILE = "/tmp/myproxy-test.serverpid.$$";
    $servercmd = "$myproxy_server -s $serverdir -c $serverconf";
    $servercmd .= " -p $ENV{MYPROXY_SERVER_PORT} -P $SERVERPIDFILE";
    $servercmd = $valgrind . $servercmd if (defined($valgrind));
    &debug("running '$servercmd'");
    `$servercmd`;
    sleep(1);			# give server a chance to startup
    sleep(4) if (defined($valgrind)); # valgrind slows things down
    if (open SERVERPIDFILE) {
	$serverpid = <SERVERPIDFILE>;
	close SERVERPIDFILE;
    }
    if (!defined($serverpid) || $serverpid eq "") {
	print STDERR "failed to start myproxy-server:\n";
	`$servercmd -d`;	# show output on terminal
	&docleanup();
	exit 1;
    }
}

#
# run performance tests if requested
#
if ($performance) {
    &doperftests();
    exit 0;
}

#
# BEGIN TESTS
#
$SUCCESSES = $FAILURES = 0;

# commands to test: myproxy-init, myproxy-info, myproxy-destroy,
#                   myproxy-get-delegation, and myproxy-change-pass-phrase

($exitstatus, $output) =
    &runtest("myproxy-init -v -a -c 1 -t 1 -S",
	     $passphrase . "\n");
print "MyProxy Test 1 (store credential with default name): ";
if ($exitstatus == 0) {
    print "SUCCEEDED\n"; $SUCCESSES++;
} else {
    print "FAILED\n"; $FAILURES++; print STDERR $output;
    print "Skipping remaining tests.\n";
    goto end_of_all_tests;
}

($exitstatus, $output) = &runtest("myproxy-info -v", undef);
print "MyProxy Test 2 (get info for stored credential): ";
if ($exitstatus == 0 && $output =~ /username/) {
    print "SUCCEEDED\n"; $SUCCESSES++;
} else {
    print "FAILED\n"; $FAILURES++; print STDERR $output;
}

($exitstatus, $output) =
    &runtest("myproxy-get-delegation -t 1 -o /tmp/myproxy-test.$$ -v -S",
	     $passphrase . "\n");
print "MyProxy Test 3 (retrieve stored credential): ";
if ($exitstatus == 0) {
    ($exitstatus, $output) =
	&verifyproxy("/tmp/myproxy-test.$$");
}
if ($exitstatus == 0) {
    print "SUCCEEDED\n"; $SUCCESSES++;
} else {
    print "FAILED\n"; $FAILURES++; print STDERR $output;
}

if ($test_trustroots) {
    ($exitstatus, $output) =
	&runtest("myproxy-get-delegation -T -t 1 -o /tmp/myproxy-test.$$ -v -S",
		 $passphrase . "\n");
    print "MyProxy Test 3T (retrieve stored credential w/ trustroots): ";
    if ($exitstatus == 0) {
	($exitstatus, $output) =
	    &verifyproxy("/tmp/myproxy-test.$$");
    }
    if ($exitstatus == 0) {
	($exitstatus, $output) =
	    &verifytrustroots();
    }
    if ($exitstatus == 0) {
	print "SUCCEEDED\n"; $SUCCESSES++;
    } else {
	print "FAILED\n"; $FAILURES++; print STDERR $output;
    }
}

($exitstatus, $output) =
    &runtest("myproxy-get-delegation -t 1 -o /tmp/myproxy-test.$$ -v -S",
	     "badpassphrase\n");
print "MyProxy Test 4 (verify passphrase checking on retrieve): ";
if ($exitstatus != 0 && $output =~ /invalid pass phrase/) {
    print "SUCCEEDED\n"; $SUCCESSES++;
} else {
    print "FAILED\n"; $FAILURES++; print STDERR $output;
}

$old_passphrase = $passphrase;
$passphrase = sprintf "%010.d", int(rand(0x7fffffff));
($exitstatus, $output) =
    &runtest("myproxy-change-pass-phrase -v -S",
	     "$old_passphrase\n$passphrase\n");
print "MyProxy Test 5 (change passphrase for credential): ";
if ($exitstatus == 0 && $output =~ /Pass phrase changed/) {
    print "SUCCEEDED\n"; $SUCCESSES++;
} else {
    print "FAILED\n"; $FAILURES++; print STDERR $output;
}

($exitstatus, $output) =
    &runtest("myproxy-get-delegation -t 1 -o /tmp/myproxy-test.$$ -v -S",
	     $passphrase . "\n");
print "MyProxy Test 6 (verify new passphrase): ";
if ($exitstatus == 0) {
    ($exitstatus, $output) =
	&verifyproxy("/tmp/myproxy-test.$$");
}
if ($exitstatus == 0) {
    print "SUCCEEDED\n"; $SUCCESSES++;
} else {
    print "FAILED\n"; $FAILURES++; print STDERR $output;
}

($exitstatus, $output) =
    &runtest("myproxy-get-delegation -t 1 -o /tmp/myproxy-test.$$ -v -S",
	     $old_passphrase . "\n");
print "MyProxy Test 7 (verify old passphrase fails): ";
if ($exitstatus != 0 && $output =~ /invalid pass phrase/) {
    print "SUCCEEDED\n"; $SUCCESSES++;
} else {
    print "FAILED\n"; $FAILURES++; print STDERR $output;
}

($exitstatus, $output) =
    &runtest("myproxy-get-delegation -a \$X509_USER_PROXY -t 1 -o /tmp/myproxy-test.$$ -v", undef);
print "MyProxy Test 8 (verify default renewal policy): ";
if ($exitstatus != 0) {
    print "SUCCEEDED\n"; $SUCCESSES++;
} else {
    print "FAILED\n"; $FAILURES++; print STDERR $output;
}

($exitstatus, $output) =
    &runtest("myproxy-destroy -v", undef);
print "MyProxy Test 9 (remove credential from repository): ";
if ($exitstatus == 0 && $output =~ /was successfully removed/) {
    print "SUCCEEDED\n"; $SUCCESSES++;
} else {
    print "FAILED\n"; $FAILURES++; print STDERR $output;
}

($exitstatus, $output) =
    &runtest("myproxy-info -v", undef);
print "MyProxy Test 10 (verify credentials are removed): ";
if (!($output =~ /default credential/)) {
    print "SUCCEEDED\n"; $SUCCESSES++;
} else {
    print "FAILED\n"; $FAILURES++; print STDERR $output;
}

($exitstatus, $output) =
    &runtest("myproxy-init -v -r 'nobody' -k 'nobody' -c 1 -t 1 -S",
	     $passphrase . "\n");
print "MyProxy Test 11 (store credentials with retrieval policies): ";
if ($exitstatus == 0) {
    ($exitstatus, $output) =
	&runtest("myproxy-init -v -x -r '$cert_subject' -k 'mine' -c 1 -t 1 -S",
		 $passphrase . "\n");
}
if ($exitstatus == 0) {
    print "SUCCEEDED\n"; $SUCCESSES++;
} else {
    print "FAILED\n"; $FAILURES++; print STDERR $output;
}

($exitstatus, $output) =
    &runtest("myproxy-get-delegation -k 'mine' -t 1 -o /tmp/myproxy-test.$$ -v -S",
	     $passphrase . "\n");
print "MyProxy Test 12 (verify retrieval policies): ";
if ($exitstatus == 0) {
    ($exitstatus, $output) =
	&verifyproxy("/tmp/myproxy-test.$$");
}
if ($exitstatus == 0) {
    ($exitstatus, $output) =
	&runtest("myproxy-get-delegation -k 'nobody' -t 1 -o /tmp/myproxy-test.$$ -v -S",
		 $passphrase . "\n");
    if ($exitstatus != 0) {
	print "SUCCEEDED\n"; $SUCCESSES++;
    } else {
	print "FAILED\n"; $FAILURES++;
	print STDERR "Shouldn't have allowed retrieval.\n";
	print STDERR $output;
    }
} else {
    print "FAILED\n"; $FAILURES++; print STDERR $output;
}
&runtest("myproxy-destroy -v -k 'mine'", undef);
&runtest("myproxy-destroy -v -k 'nobody'", undef);

($exitstatus, $output) =
    &runtest("myproxy-init -v -R 'nobody' -k 'nobody' -c 1 -t 1 -d -S",
	     $passphrase . "\n");
print "MyProxy Test 13 (store credentials with renewal policies): ";
if ($exitstatus == 0) {
    ($exitstatus, $output) =
	&runtest("myproxy-init -v -x -R '$cert_subject' -k 'mine' -c 1 -t 1 -d -S",
		 $passphrase . "\n");
}
if ($exitstatus == 0) {
    print "SUCCEEDED\n"; $SUCCESSES++;
} else {
    print "FAILED\n"; $FAILURES++; print STDERR $output;
}

($exitstatus, $output) = &runtest("myproxy-info -v -d", undef);
print "MyProxy Test 14 (get info for stored renewal credentials): ";
if ($exitstatus == 0 && $output =~ /username/) {
    print "SUCCEEDED\n"; $SUCCESSES++;
} else {
    print "FAILED\n"; $FAILURES++; print STDERR $output;
}

($exitstatus, $output) =
    &runtest("myproxy-get-delegation -k 'mine' -a $ENV{'X509_USER_PROXY'} -t 1 -o /tmp/myproxy-test.$$ -v -d",
	     undef);
print "MyProxy Test 15 (verify renewal policies): ";
if ($exitstatus == 0) {
    ($exitstatus, $output) =
	&verifyproxy("/tmp/myproxy-test.$$");
}
if ($exitstatus == 0) {
    ($exitstatus, $output) =
	&runtest("myproxy-get-delegation -k 'nobody' -a $ENV{'X509_USER_PROXY'} -t 1 -o /tmp/myproxy-test.$$ -v -d",
		 undef);
    if ($exitstatus != 0) {
	print "SUCCEEDED\n"; $SUCCESSES++;
    } else {
	print "FAILED\n"; $FAILURES++;
	print STDERR "Shouldn't have allowed retrieval.\n";
	print STDERR $output;
    }
} else {
    print "FAILED\n"; $FAILURES++; print STDERR $output;
}
&runtest("myproxy-destroy -v -k 'mine' -d", undef);
&runtest("myproxy-destroy -v -k 'nobody' -d", undef);

($exitstatus, $output) =
    &runtest("myproxy-init -v -a -c 3 -t 2 -S",
	     $passphrase . "\n");
print "MyProxy Test 16 (verify lifetime of retrieved credentials): ";
if ($exitstatus == 0) {
    ($exitstatus, $output) =
	&runtest("myproxy-get-delegation -o /tmp/myproxy-test.$$ -v -S",