Discussion: pgsql: SSL TAP test backend library independence refactoring


pgsql: SSL TAP test backend library independence refactoring

From
Daniel Gustafsson
Date:
SSL TAP test backend library independence refactoring

The SSL TAP tests were tightly coupled to the OpenSSL implementation,
making it hard to add support for additional SSL/TLS backends.  This
refactoring makes the test avoid depending on specific implementations.

The SSLServer Perl module is renamed SSL::Server, which in turn uses
SSL::Backend::X where X is the backend pointed to by with_ssl.  Each
backend will implement its own module responsible for setting up keys,
certs and to resolve sslkey values to their implementation specific
value (file paths or vault nicknames etc). Further, switch_server_cert
now takes a set of named parameters rather than a fixed set which used
defaults. The modules also come with POD documentation.

There are a few testcases which still use OpenSSL specifics, but it's
not entirely clear how to abstract those until we have another library
implemented.

Original patch by me, with lots of rework by Andrew Dunstan to turn it
into better Perl.

Discussion: https://postgr.es/m/AA18A362-CA65-4F9A-AF61-76AE318FE97C@yesql.se

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/4a7e964fc67a541b6ea1b72729ad3f8e632d003c

Modified Files
--------------
src/test/ssl/t/001_ssltests.pl        | 143 ++++++--------
src/test/ssl/t/002_scram.pl           |  17 +-
src/test/ssl/t/003_sslinfo.pl         |  28 ++-
src/test/ssl/t/SSL/Backend/OpenSSL.pm | 226 ++++++++++++++++++++++
src/test/ssl/t/SSL/Server.pm          | 353 ++++++++++++++++++++++++++++++++++
src/test/ssl/t/SSLServer.pm           | 219 ---------------------
6 files changed, 664 insertions(+), 322 deletions(-)


Re: pgsql: SSL TAP test backend library independence refactoring

From
Daniel Gustafsson
Date:
> On 26 Mar 2022, at 22:06, Daniel Gustafsson <dgustafsson@postgresql.org> wrote:
>
> SSL TAP test backend library independence refactoring

crake complained in the Perl check due to not being able to locate the new
backend specific module:

Mar 26 17:54:33 ./src/test/ssl/t/SSL/Backend/OpenSSL.pm syntax OK
Mar 26 17:54:33 Can't locate SSL/Backend/OpenSSL.pm in @INC (you may need to install the SSL::Backend::OpenSSL module) (@INC contains: src/test/perl src/tools/msvc src/backend/catalog src/backend/utils/mb/Unicode src/bin/pg_rewind src/test/ssl src/tools/msvc/dummylib /usr/local/lib64/perl5/5.34 /usr/local/share/perl5/5.34 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at ./src/test/ssl/t/SSL/Server.pm line 71.
Mar 26 17:54:33 BEGIN failed--compilation aborted at ./src/test/ssl/t/SSL/Server.pm line 71.

Off the top of my head I'm not sure how to best solve this, do you have any
smart insights Andrew?

--
Daniel Gustafsson        https://vmware.com/




Re: pgsql: SSL TAP test backend library independence refactoring

From
Tom Lane
Date:
Daniel Gustafsson <daniel@yesql.se> writes:
> crake complained in the Perl check due to not being able to locate the new
> backend specific module:

> Mar 26 17:54:33 ./src/test/ssl/t/SSL/Backend/OpenSSL.pm syntax OK
> Mar 26 17:54:33 Can't locate SSL/Backend/OpenSSL.pm in @INC (you may need to install the SSL::Backend::OpenSSL module) (@INC contains: src/test/perl src/tools/msvc src/backend/catalog src/backend/utils/mb/Unicode src/bin/pg_rewind src/test/ssl src/tools/msvc/dummylib /usr/local/lib64/perl5/5.34 /usr/local/share/perl5/5.34 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at ./src/test/ssl/t/SSL/Server.pm line 71.
> Mar 26 17:54:33 BEGIN failed--compilation aborted at ./src/test/ssl/t/SSL/Server.pm line 71.

> Off the top of my head I'm not sure how to best solve this, do you have any
> smart insights Andrew?

Looks like crake has a hard-wired list of INC directories for this step,
that now needs to be extended to include src/test/ssl/t/.

            regards, tom lane



Re: pgsql: SSL TAP test backend library independence refactoring

From
Andrew Dunstan
Date:
On 3/26/22 18:15, Tom Lane wrote:
> Daniel Gustafsson <daniel@yesql.se> writes:
>> crake complained in the Perl check due to not being able to locate the new
>> backend specific module:
>> Mar 26 17:54:33 ./src/test/ssl/t/SSL/Backend/OpenSSL.pm syntax OK
>> Mar 26 17:54:33 Can't locate SSL/Backend/OpenSSL.pm in @INC (you may need to install the SSL::Backend::OpenSSL module) (@INC contains: src/test/perl src/tools/msvc src/backend/catalog src/backend/utils/mb/Unicode src/bin/pg_rewind src/test/ssl src/tools/msvc/dummylib /usr/local/lib64/perl5/5.34 /usr/local/share/perl5/5.34 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at ./src/test/ssl/t/SSL/Server.pm line 71.
>> Mar 26 17:54:33 BEGIN failed--compilation aborted at ./src/test/ssl/t/SSL/Server.pm line 71.
>> Off the top of my head I'm not sure how to best solve this, do you have any
>> smart insights Andrew?
> Looks like crake has a hard-wired list of INC directories for this step,
> that now needs to be extended to include src/test/ssl/t/.
>
>             



Exactly. New run is currently executing.


cheers


andrew


--
Andrew Dunstan
EDB: https://www.enterprisedb.com




Re: pgsql: SSL TAP test backend library independence refactoring

From
Daniel Gustafsson
Date:
> On 26 Mar 2022, at 23:19, Andrew Dunstan <andrew@dunslane.net> wrote:
> On 3/26/22 18:15, Tom Lane wrote:

>> Looks like crake has a hard-wired list of INC directories for this step,
>> that now needs to be extended to include src/test/ssl/t/.

> Exactly. New run is currently executing.

Thanks, I'm keeping an eye on the status page for the new run for not just that
check but also the ssl-check which runs on crake.

A semi-related comment, I wish more of the animals ran ssl-check and not just
compiled with OpenSSL, it would be nice to have the SSL test exercised more.

--
Daniel Gustafsson        https://vmware.com/




Re: pgsql: SSL TAP test backend library independence refactoring

From
Tom Lane
Date:
Daniel Gustafsson <daniel@yesql.se> writes:
> A semi-related comment, I wish more of the animals ran ssl-check and not just
> compiled with OpenSSL, it would be nice to have the SSL test exercised more.

FWIW, the following active animals seem to have that enabled:

 chipmunk
 crake
 drongo
 eelpout
 elver
 fairywren
 gaur
 jacana
 longfin
 prairiedog

Not sure why I don't have it enabled on florican, will fix that.

            regards, tom lane



Re: pgsql: SSL TAP test backend library independence refactoring

From
Daniel Gustafsson
Date:
> On 27 Mar 2022, at 00:19, Tom Lane <tgl@sss.pgh.pa.us> wrote:

> Not sure why I don't have it enabled on florican, will fix that.

Thanks, much appreciated!

--
Daniel Gustafsson        https://vmware.com/