1 # Don't attempt these tests if TOOL_OPTS=server has been specified. This is
2 # because TOOL_OPTS=server starts a server using setup_server which creates
3 # a dummy stap on the PATH which always specifies --use-server. We don't want
4 # that here. We want to use the real stap and supply client-side options
6 if {[use_server_p]} then {
7 untested "Compile-Server Client Tests"
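11 # There is no server running as part of the test suite. So let's start with
12 # a clean slate in terms of trust. This removes the whole ssl directory under SYSTEMTAP_DIR, so SYSTEMTAP_DIR should be the test run's own directory (TODO confirm the harness sets it).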
13 exec rm -fr $env(SYSTEMTAP_DIR)/ssl
15 # Test the --list-servers option and return an array of the servers found.
16 proc list_servers { TEST_NAME SERVER_SPEC args } {
20 set cmd [concat stap --list-servers=$SERVER_SPEC $args]
21 send_log "executing: $cmd\n"
25 -re "^Systemtap Compile Server Status for '${SERVER_SPEC}'\r\n" {
28 -re {^No servers found\r\n} {
30 -re {^ host=[^\r]*\r\n} {
31 set ::servers($n) "$expect_out(0,string)"
39 exec kill -INT -[exp_pid]
53 # There may be other servers running. Let's keep track of them.
54 list_servers "List existing online servers" online
55 array unset existing_online_servers
56 array set existing_online_servers [array get servers]
58 # There may be existing trusted servers. Keep track of them.
59 list_servers "List existing trusted servers" trusted
60 array unset existing_trusted_servers
61 array set existing_trusted_servers [array get servers]
63 # There may be existing trusted signers. Keep track of them.
64 list_servers "List existing signing servers" signer
65 array unset existing_signing_servers
66 array set existing_signing_servers [array get servers]
68 # If we query all known servers, it should contain exactly the union of the
69 # above three queries.
70 list_servers "List all existing servers" all
71 array unset all_existing_servers
72 array set all_existing_servers [array get servers]
74 set test "Verify existing online server list"
76 foreach idx1 [array names existing_online_servers] {
78 foreach idx2 [array names all_existing_servers] {
79 if {"$existing_online_servers($idx1)" == "$all_existing_servers($idx2)"} {
92 set test "Verify existing trusted server list"
94 foreach idx1 [array names existing_trusted_servers] {
96 foreach idx2 [array names all_existing_servers] {
97 if {"$existing_trusted_servers($idx1)" == "$all_existing_servers($idx2)"} {
110 set test "Verify existing signing server list"
112 foreach idx1 [array names existing_signing_servers] {
114 foreach idx2 [array names all_existing_servers] {
115 if {"$existing_signing_servers($idx1)" == "$all_existing_servers($idx2)"} {
128 set test "Verify all existing server list"
130 foreach idx1 [array names all_existing_servers] {
132 foreach idx2 [array names existing_online_servers] {
133 if {"$existing_online_servers($idx2)" == "$all_existing_servers($idx1)"} {
139 foreach idx2 [array names existing_trusted_servers] {
140 if {"$existing_trusted_servers($idx2)" == "$all_existing_servers($idx1)"} {
146 foreach idx2 [array names existing_signing_servers] {
147 if {"$existing_signing_servers($idx2)" == "$all_existing_servers($idx1)"} {
163 # Now start our own server and make sure we can work with it.
164 if {! [start_server]} {
165 untested "Compile-server client tests against a server"
169 # Our server should now appear online, separate from the previously discovered
170 # online servers. Note that our server could generate several listings
171 # because it could appear at more than one ip address.
172 list_servers "List current online servers" online
173 array unset current_online_servers
174 array set current_online_servers [array get servers]
176 set test "New online servers"
178 foreach idx1 [array names current_online_servers] {
180 foreach idx2 [array names existing_online_servers] {
181 if {"$existing_online_servers($idx2)" == "$current_online_servers($idx1)"} {
187 set new_online_servers($n) "$current_online_servers($idx1)"
197 # Our server should now be trusted, separate from the previously discovered
199 list_servers "List current trusted servers" online,trusted
200 array unset current_trusted_servers
201 array set current_trusted_servers [array get servers]
203 set test "New trusted servers"
205 foreach idx1 [array names current_trusted_servers] {
207 foreach idx2 [array names existing_trusted_servers] {
208 if {"$existing_trusted_servers($idx2)" == "$current_trusted_servers($idx1)"} {
214 set new_trusted_servers($n) "$current_trusted_servers($idx1)"
224 # The new servers should automatically be trusted, so the new_trusted_servers
225 # array should be a subset of the new_online_servers
226 # array, but not necessarily vice-versa, since new servers may have come
227 # online independently of our testing.
228 set test "Verify new trusted server list"
230 foreach idx1 [array names new_trusted_servers] {
232 foreach idx2 [array names new_online_servers] {
233 if {"$new_trusted_servers($idx1)" == "$new_online_servers($idx2)"} {
247 # The newly trusted servers represent the server we just started.
248 array unset our_servers
249 array set our_servers [array get new_trusted_servers]
251 # The new servers should not be trusted as signers so there should be no new
253 list_servers "List current signing servers" signer
254 array unset current_signing_servers
255 array set current_signing_servers [array get servers]
257 set test "No new signing servers"
259 foreach idx1 [array names current_signing_servers] {
261 foreach idx2 [array names existing_signing_servers] {
262 if {"$existing_signing_servers($idx2)" == "$current_signing_servers($idx1)"} {
276 # Revoke trust in our server. Specify the server by host name.
277 set test "Server has host name"
278 if {[regexp {^ host=([^ ]*).*} $our_servers(0) match host_name]} {
283 set cmd [concat stap --trust-servers=ssl,revoke,no-prompt --use-server=$host_name]
284 send_log "executing: $cmd\n"
289 exec kill -INT -[exp_pid]
296 # Our server should no longer be trusted.
297 list_servers "List current trusted servers after revokation by host name" trusted
298 array unset current_trusted_servers
299 array set current_trusted_servers [array get servers]
301 set test "No longer trusted after revokation by host name"
303 foreach idx1 [array names current_trusted_servers] {
305 foreach idx2 [array names existing_trusted_servers] {
306 if {"$existing_trusted_servers($idx2)" == "$current_trusted_servers($idx1)"} {
320 # Reinstate trust in our server. Specify the server by ip address.
321 # The default for --trust-servers is 'ssl'.
322 set test "Server has ip address"
323 if {[regexp {^.*ip=([^ ]*).*} $our_servers(0) match ip_address]} {
328 set cmd [concat stap --trust-servers=no-prompt --use-server=$ip_address]
329 send_log "executing: $cmd\n"
334 exec kill -INT -[exp_pid]
341 # Our server should be trusted again, separate from the previously discovered
343 list_servers "List current trusted servers after reinstatement by ip address" online,trusted
344 array unset current_trusted_servers
345 array set current_trusted_servers [array get servers]
347 set test "New trusted servers after reinstatement by ip address"
348 array unset new_trusted_servers
350 foreach idx1 [array names current_trusted_servers] {
352 foreach idx2 [array names existing_trusted_servers] {
353 if {"$existing_trusted_servers($idx2)" == "$current_trusted_servers($idx1)"} {
359 set new_trusted_servers($n) "$current_trusted_servers($idx1)"
369 # The new_trusted_servers array should now match the our_servers array, since
370 # the our_servers array is a copy of the original new_trusted_servers array.
371 set test "Number of new trusted servers matches after reinstatement by ip address"
372 if {[array size new_trusted_servers] == [array size our_servers]} {
377 set test "New trusted servers matches after reinstatement by ip address"
379 foreach idx1 [array names new_trusted_servers] {
381 foreach idx2 [array names our_servers] {
382 if {"$our_servers($idx2)" == "$new_trusted_servers($idx1)"} {
391 if {$n != [array size new_trusted_servers]} {
397 # Trust our server as a module signer. This must be done as root. Specify
398 # the server by certificate serial number.
399 set test "Server has certificate serial number"
400 if {[regexp {^.*certinfo="([^ ]*)".*} $our_servers(0) match cert_info]} {
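406 # Even though this action must be performed as root, do not perform it if we
407 # are already root, since it alters the state of the install tree. See PR 11442.
408 # The related tests should then be expected failures. Note that effective_pid holds the numeric user id from 'id -u' (not a process id), and that the stap run as root is whichever one 'which stap' finds on the PATH.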
409 set effective_pid [exec /usr/bin/id -u]
410 if {$effective_pid != 0} {
411 set cmd [concat [exec which stap] --trust-servers=signer,no-prompt --use-server=$cert_info]
412 eval as_root { $cmd }
415 # Our server should now be trusted as a signer, separate from the previously
416 # discovered trusted signing servers.
417 list_servers "List current signing servers" signer
418 array unset current_signing_servers
419 array set current_signing_servers [array get servers]
421 set test "New signing servers"
423 foreach idx1 [array names current_signing_servers] {
425 foreach idx2 [array names existing_signing_servers] {
426 if {"$existing_signing_servers($idx2)" == "$current_signing_servers($idx1)"} {
432 set new_signing_servers($n) "$current_signing_servers($idx1)"
436 if {$effective_pid == 0} {
445 # The new_signing_servers array should now match the our_servers array, since
446 # we specified our server by certificate serial number so that we don't
447 # accidentally trust another server on the same host.
448 set test "Number of new signing servers matches"
449 if {$effective_pid == 0} {
452 if {[array size new_signing_servers] == [array size our_servers]} {
454 set test "New signing servers matches"
456 foreach idx1 [array names new_signing_servers] {
458 foreach idx2 [array names our_servers] {
459 if {"$our_servers($idx2)" == "$new_signing_servers($idx1)"} {
468 if {$effective_pid == 0} {
471 if {$n != [array size new_signing_servers]} {
478 set test "New signing servers matches"
479 if {$effective_pid == 0} {
485 # Compile a simple test using --unprivileged. This will ask the server to
486 # check and sign the module. Specify the server using host name and port.
487 set test "Server has port number"
488 if {[regexp {^.*port=([^ ]*).*} $our_servers(0) match port_num]} {
493 set test "Compile module using server"
496 set cmd [concat stap -p4 --unprivileged $srcdir/systemtap.server/hello.stp --use-server=$host_name:$port_num]
497 send_log "executing: $cmd\n"
501 -re {^stap_[0-9]*\.ko\r\n} {
502 set module_name [string trim "$expect_out(0,string)" \r\n]
505 exec kill -INT -[exp_pid]
514 send_log "'$module_name'\n"
516 # Make sure that the module was returned
517 set test "Module was created"
518 if {[file exists $module_name]} {
524 # Make sure that the module was signed
525 set test "Module was signed"
526 if {[file exists $module_name.sgn]} {
532 # Make sure we can load the module. This will verify that the signature
533 # is correct and trusted. If we are not root or a member of either
534 # the group stapdev or stapusr, then we still won't be able to load
537 if {$effective_pid == 0} {
540 set id_info [exec /usr/bin/id]
541 if {[regexp {.*\(stapdev\).*} "$id_info"]} {
543 } elseif {[regexp {.*\(stapusr\).*} "$id_info"]} {
544 if {$effective_pid != 0} {
549 if {$expect_failure} {
552 set test "Load and run signed module when trusted"
554 set cmd [concat staprun $module_name]
555 send_log "executing: $cmd\n"
559 -re {^Hello From Server\r\n} {
563 exec kill -INT -[exp_pid]
576 # Revoke trust in our server as a module signer. This must be done as root.
577 # Specify the server by certificate serial number so that we don't accidentally
578 # revoke trust in a previously trusted server.
579 # Even though this action must be performed as root, do not perform it if we
580 # are already root, since it alters the state of the install tree. See PR 11442.
581 if {$effective_pid != 0} {
582 set cmd [concat [exec which stap] --trust-servers=revoke,signer,no-prompt --use-server=$cert_info]
583 eval as_root { $cmd }
586 # Our server should no longer be trusted as a signer.
587 list_servers "List current signing servers after revokation" signer
588 array unset current_signing_servers
589 array set current_signing_servers [array get servers]
591 set test "No longer trusted as a signer after revokation"
593 foreach idx1 [array names current_signing_servers] {
595 foreach idx2 [array names existing_signing_servers] {
596 if {"$existing_signing_servers($idx2)" == "$current_signing_servers($idx1)"} {
610 # Since our server is no longer a trusted signer, attempting
611 # to load and run the module now should fail unless we
612 # are root or a member of the group stapdev.
614 if {[exec /usr/bin/id -u] == 0} {
617 if {[regexp {.*\(stapdev\).*} "$id_info"]} {
621 if {$expect_failure} {
624 set test "Load and run signed module when not trusted"
626 set cmd [concat staprun $module_name]
627 send_log "executing: $cmd\n"
631 -re {^Hello From Server\r\n} {
635 exec kill -INT -[exp_pid]
647 # Shutdown the server we started