testprogs/blackbox: add test_ldap_tls_reload.sh
authorJule Anger <janger@samba.org>
Mon, 5 Jun 2023 13:23:11 +0000 (15:23 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 25 Jul 2023 20:04:29 +0000 (20:04 +0000)
This tests the reload (and, if needed, regeneration) of
TLS certificates.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/selftest/tests.py
testprogs/blackbox/test_ldap_tls_reload.sh [new file with mode: 0755]

index cc3703373a93ac565b954f26090147e332f6f5a4..8456ec1f1c58441af48abbff832b282535263182 100755 (executable)
@@ -156,6 +156,11 @@ for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]:
     plantestsuite("samba4.ldb.simple.ldaps with SASL-BIND %s(%s)" % (options, env),
                   env, "%s/test_ldb_simple.sh ldaps $SERVER %s" % (bbdir, options))
 
+envraw = "fl2008r2dc"
+env = "%s:local" % envraw
+plantestsuite("samba4.ldap_tls_reload(%s)" % (env), env,
+              "%s/test_ldap_tls_reload.sh $PREFIX_ABS $PREFIX_ABS/%s/private/tls $SERVER.$REALM" % (bbdir, envraw))
+
 for options in ['-U"$USERNAME%$PASSWORD"']:
     plantestsuite("samba4.ldb.ldapi with options %s(ad_dc_ntvfs:local)" % options, "ad_dc_ntvfs:local",
                   "%s/test_ldb.sh ldapi $PREFIX_ABS/ad_dc_ntvfs/private/ldapi %s" % (bbdir, options))
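Review bot: `"samba4.ldap_tls_reload(%s)" % (env)` on the added plantestsuite line wraps a single value in parentheses, which is not a tuple; write `"samba4.ldap_tls_reload(%s)" % env` so the intent is clear. Reassigning the module-level `env` right after the preceding `for env in [...]` loop is legal but easy to misread; a distinct name such as `tls_reload_env` would avoid shadowing the loop variable. Note also that the test is planted against the shared fl2008r2dc environment's private/tls directory, which the new script deletes and regenerates, so tests planned later in that environment will presumably see a different server certificate; worth confirming that nothing downstream pins it.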
diff --git a/testprogs/blackbox/test_ldap_tls_reload.sh b/testprogs/blackbox/test_ldap_tls_reload.sh
new file mode 100755 (executable)
index 0000000..d0c9af1
--- /dev/null
@@ -0,0 +1,64 @@
+#!/bin/bash
+#
+
+if [ $# -ne 3 ]; then
+       cat <<EOF
+Usage: test_ldap_tls_reload.sh PREFIX TLSDIR SERVER
+EOF
+       exit 1
+fi
+
+PREFIX=$1
+TLSDIR=$2
+SERVER=$3
+
+. $(dirname $0)/subunit.sh
+. "$(dirname "${0}")/common_test_fns.inc"
+
+ldbsearch="${VALGRIND} $(system_or_builddir_binary ldbsearch "${BINDIR}")"
+smbcontrol="${VALGRIND} ${BINDIR}/smbcontrol"
+
+rm -rf "$PREFIX/ldap_tls_reload"
+
+store_cert() {
+       FILE=$1
+       gnutls-cli --save-cert="$FILE" --no-ca-verification --verify-hostname=$SERVER --port 636 $SERVER < /dev/null
+       return $?
+}
+
+delete_certs() {
+       ls "${TLSDIR}/"*.pem
+       rm -v "${TLSDIR}/ca.pem" "${TLSDIR}/cert.pem" "${TLSDIR}/key.pem"
+       return $?
+}
+
+reload_certs() {
+       $smbcontrol ldap_server reload-certs
+       return $?
+}
+
+testit "mkdir $PREFIX/ldap_tls_reload" mkdir $PREFIX/ldap_tls_reload || failed=$(expr $failed + 1)
+
+testit "currentTime 1" $ldbsearch --basedn='' -H ldaps://$SERVER --scope=base currentTime || failed=$(expr $failed + 1)
+
+testit "store cert output 1a" store_cert $PREFIX/ldap_tls_reload/cert1a.pem || failed=$(expr $failed + 1)
+
+testit "delete certs" delete_certs || failed=$(expr $failed + 1)
+
+testit "store cert output 1b" store_cert $PREFIX/ldap_tls_reload/cert1b.pem || failed=$(expr $failed + 1)
+
+testit "check cert1a == cert1b" cmp $PREFIX/ldap_tls_reload/cert1a.pem $PREFIX/ldap_tls_reload/cert1b.pem || failed=$(expr $failed + 1)
+
+testit "reload certs " reload_certs || failed=$(expr $failed + 1)
+
+testit "sleep 10" sleep 10 || failed=$(expr $failed + 1)
+
+testit "store cert output 2" store_cert $PREFIX/ldap_tls_reload/cert2.pem || failed=$(expr $failed + 1)
+
+testit_expect_failure "check cert1a != cert2" cmp $PREFIX/ldap_tls_reload/cert1a.pem $PREFIX/ldap_tls_reload/cert2.pem || failed=$(expr $failed + 1)
+
+testit "currentTime 2" $ldbsearch $CONFIGURATION --basedn='' -H ldaps://$SERVER --scope=base currentTime || failed=$(expr $failed + 1)
+
+rm -rf "$PREFIX/ldap_tls_reload"
+
+testok $0 $failed
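Review bot: `failed` is never initialised before the first `|| failed=$(expr $failed + 1)` on the mkdir line, so unless subunit.sh sets it the first increment runs `expr + 1` and the counter only works by accident of expr's token handling; add `failed=0` after the argument check and prefer the builtin arithmetic, `|| failed=$((failed + 1))`. The two currentTime probes are inconsistent: "currentTime 1" omits `$CONFIGURATION` while "currentTime 2" passes it, so they do not necessarily run ldbsearch against the same configuration. Both `rm -rf "$PREFIX/ldap_tls_reload"` lines should guard the prefix, `rm -rf -- "${PREFIX:?}/ldap_tls_reload"`, since the argument check only verifies that three arguments were given, not that PREFIX is non-empty. The `testit "sleep 10" sleep 10` step is a fixed delay standing in for completion of the reload-certs request; polling store_cert until the certificate differs from cert1a, with a bounded timeout, would be faster and less flaky, and `. $(dirname $0)/subunit.sh` should be quoted like the common_test_fns.inc line directly below it.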