Diffstat (limited to '')
-rw-r--r-- | debian/tests/chroot | 39 | ||||
-rw-r--r-- | debian/tests/control | 29 | ||||
-rw-r--r-- | debian/tests/default-mods | 28 | ||||
-rw-r--r-- | debian/tests/duplicate-module-load | 26 | ||||
-rw-r--r-- | debian/tests/htcacheclean | 70 | ||||
-rw-r--r-- | debian/tests/run-test-suite | 64 | ||||
-rw-r--r-- | debian/tests/ssl-passphrase | 54 |
7 files changed, 310 insertions, 0 deletions
diff --git a/debian/tests/chroot b/debian/tests/chroot
new file mode 100644
index 0000000..d722a29
--- /dev/null
+++ b/debian/tests/chroot
@@ -0,0 +1,39 @@
+#!/bin/sh
+set -ex
+
+# Check that ChrootDir works correctly. Written in response to LP: #1251939.
+#
+# Author: Robie Basak <robie.basak@ubuntu.com>
+#
+# This test requires:
+# * wget
+# * The dpkg-dev package for the dpkg-architecture command
+#
+# This is a "breaks-testbed" dep8 test.
+#
+# This test sets up a minimal environment to exercise ChrootDir. Do not use
+# it as an example of how to set up Apache in a secure chroot environment.
+
+sed -i 's_DocumentRoot.*$_DocumentRoot /_' /etc/apache2/sites-available/000-default.conf
+
+LIBGCC_S_PATH=/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/libgcc_s.so.1
+cat > /etc/apache2/conf-available/chroot.conf <<EOT
+LoadFile $LIBGCC_S_PATH
+ChrootDir /var/www
+<Directory />
+ Options Indexes FollowSymLinks
+ AllowOverride None
+ Require all granted
+</Directory>
+EOT
+a2enconf chroot
+
+echo "Hello, world!" > /var/www/hello.txt
+
+service apache2 restart
+
+result=`wget -qO- http://localhost/hello.txt`
+if [ "$result" != "Hello, world!" ]; then
+ echo "Unexpected result from wget" >&2
+ exit 1
+fi
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..cb45689
--- /dev/null
+++ b/debian/tests/control
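Review bot: Nothing in the script says why fetching `/hello.txt` proves the chroot took effect, so the final check reads like a plain smoke test. With `DocumentRoot /` and the file written to `/var/www/hello.txt`, the URL resolves only when Apache has actually chrooted into `/var/www`; a comment above the `wget` line such as `# hello.txt lives in /var/www, so /hello.txt is served only if ChrootDir was applied` would record that. Under `set -e` a failing `wget` also aborts inside the command substitution before the "Unexpected result" message is printed, so `result=$(wget -qO- http://localhost/hello.txt) || result=` would let the explicit comparison report the failure.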
@@ -0,0 +1,29 @@
+Tests: run-test-suite
+Features: no-build-needed
+Restrictions: allow-stderr isolation-container breaks-testbed needs-root
+Depends: build-essential, apache2, apache2-dev,
+ libwww-perl, libnet-ssleay-perl, libanyevent-perl, libdatetime-perl,
+ libhtml-parser-perl, libtime-hires-perl, libcrypt-ssleay-perl,
+ libhttp-dav-perl, libprotocol-http2-perl, libfcgi-perl,
+ perl-doc
+
+Tests: duplicate-module-load
+Restrictions: allow-stderr, needs-root
+Depends: apache2
+
+Tests: htcacheclean
+Restrictions: allow-stderr, needs-root, skippable
+Depends: apache2
+
+Tests: default-mods
+Restrictions: allow-stderr, needs-root
+Depends: apache2
+
+Tests: ssl-passphrase
+Restrictions: needs-root allow-stderr breaks-testbed
+Depends: apache2, curl, expect, ssl-cert
+
+Tests: chroot
+Features: no-build-needed
+Restrictions: needs-root allow-stderr breaks-testbed
+Depends: apache2, wget, dpkg-dev
diff --git a/debian/tests/default-mods b/debian/tests/default-mods
new file mode 100644
index 0000000..5d9df6a
--- /dev/null
+++ b/debian/tests/default-mods
@@ -0,0 +1,28 @@
+#!/bin/bash
+set -eu
+
+RC=0
+fail () {
+ echo "FAIL: $@" >&2
+ RC=1
+}
+
+declare -a REQUIRED_MODS
+REQUIRED_MODS=(
+ alias
+ auth_basic
+ authn_core
+ authz_core
+ log_config
+ mime
+ reqtimeout
+ version
+ watchdog
+)
+
+
+for m in "${REQUIRED_MODS[@]}" ; do
+ apachectl -M | grep -w "${m}_module" || fail "Module $m not activated"
+done
+
+exit $RC
diff --git a/debian/tests/duplicate-module-load b/debian/tests/duplicate-module-load
new file mode 100644
index 0000000..3d28471
--- /dev/null
+++ b/debian/tests/duplicate-module-load
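Review bot: The `htcacheclean`, `chroot` and `ssl-passphrase` stanzas start or restart services as root but do not declare `isolation-container`, which only the `run-test-suite` stanza carries; autopkgtest uses that restriction for tests that start services or open TCP ports. The `htcacheclean` stanza also lacks `breaks-testbed`, although its script toggles `cache_disk` and exits with `cache_socache` still enabled. These declarations are what stop a runner from executing root tests that rewrite `/etc/apache2` and `/etc/ssl/private` on a testbed that is not disposable, so I would use for example `Restrictions: allow-stderr, needs-root, skippable, breaks-testbed, isolation-container` for `htcacheclean` and add `isolation-container` to the other two.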
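Review bot: In `debian/tests/default-mods` the loop runs `apachectl -M` once per module without `pipefail`, so if `apachectl` itself fails (for instance on a configuration error) every required module is reported as "not activated" and the real cause is buried. Capturing the list once makes that case abort clearly under `set -e`: `mods=$(apachectl -M)` before the loop, then `grep -w "${m}_module" <<<"$mods" || fail "Module $m not activated"`. In `fail`, `"FAIL: $@"` splits into several words when more than one argument is passed; `"FAIL: $*"` is the form that joins them.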
@@ -0,0 +1,26 @@
+#!/bin/sh
+set -exu
+
+# Check to make sure that module loads haven't been duplicated.
+# Since this is potential minefield that could cause chaos, and a fix is
+# currently in the Ubuntu delta, check specifically for it.
+
+# Why is this so bad? See:
+# https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1251939
+# https://issues.apache.org/bugzilla/show_bug.cgi?id=55787
+
+cd $ADTTMP
+
+apache2ctl -l -M > unsorted
+sort unsorted > sorted
+if ! grep core.c sorted ; then
+ echo "core.c not found in apach2ctl output. apache2ctl broken?"
+ exit 1
+fi
+
+uniq < sorted > dedup
+
+if ! diff -u sorted dedup ; then
+ echo Duplicate module loads found
+ exit 1
+fi
diff --git a/debian/tests/htcacheclean b/debian/tests/htcacheclean
new file mode 100644
index 0000000..90c721f
--- /dev/null
+++ b/debian/tests/htcacheclean
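Review bot: `cd $ADTTMP` uses a different scratch-directory variable from `run-test-suite` in this same commit, which uses `$AUTOPKGTEST_TMP`; with `set -u` the script aborts at this line on any runner that exports only the newer name (I believe `ADTTMP` is the deprecated spelling, worth confirming against the autopkgtest version in use). The expansion is also unquoted. `cd "${AUTOPKGTEST_TMP:-$ADTTMP}"` covers both names. The two failure messages go to stdout rather than stderr, and the first one misspells the command as `apach2ctl`.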
@@ -0,0 +1,70 @@
+#!/bin/sh
+set -exu
+
+fatal () {
+ echo "ERROR: $@" >&2
+ exit 1
+}
+
+skip () {
+ echo "ERROR: $@" >&2
+ exit 77
+}
+
+htc_enabled () {
+ if ls /etc/rc[2345].d/S*apache-htcacheclean > /dev/null 2>&1 ; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+if htc_enabled ; then
+ fatal "apache-htcacheclean should not be enabled"
+fi
+
+a2enmod cache_disk
+
+if ! htc_enabled ; then
+ fatal "apache-htcacheclean should be enabled"
+fi
+
+service apache-htcacheclean start
+
+# for debugging
+ps -ef|grep /usr/bin/htcacheclean || true
+
+PGREP="pgrep -P 1 -u www-data -G www-data htcacheclean"
+
+if ! $PGREP ; then
+ fatal "htcacheclean is not running or running as wrong user/group"
+fi
+
+if ! service apache-htcacheclean status ; then
+ fatal "status did not return 'running'"
+fi
+
+service apache-htcacheclean stop
+sleep 1
+
+if $PGREP ; then
+ skip "htcacheclean did not stop"
+fi
+
+if service apache-htcacheclean status ; then
+ fatal "status did not return 'stopped'"
+fi
+
+a2dismod cache_disk
+
+if htc_enabled ; then
+ fatal "apache-htcacheclean should not be enabled"
+fi
+
+a2enmod cache_socache
+
+if htc_enabled ; then
+ fatal "apache-htcacheclean has been enabled for cache_socache"
+fi
+
+exit 0
diff --git a/debian/tests/run-test-suite b/debian/tests/run-test-suite
new file mode 100644
index 0000000..15279b8
--- /dev/null
+++ b/debian/tests/run-test-suite
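Review bot: The script exits 0 with `cache_socache` still enabled, and every `fatal` path after `a2enmod cache_disk` leaves that module enabled and possibly the `apache-htcacheclean` service running, so later tests on the same testbed see a changed Apache configuration. Adding `a2dismod cache_socache` before `exit 0` fixes the success path, and a cleanup `trap` near the top would cover the failures. `skip` prints its message with the `ERROR:` prefix, which makes an exit-77 skip indistinguishable from a failure in the log; `echo "SKIP: $*" >&2` would separate them. A stuck daemon after `service apache-htcacheclean stop` is currently turned into a skip after a fixed `sleep 1`, which can hide a genuine stop failure.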
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+. /etc/apache2/envvars
+set -xeu
+set -o pipefail
+export LANG=C
+export PATH=/usr/lib/ccache:$PATH
+# set to "-v t/modules/ext_filter.t ..." to run only a few test, but verbose
+TESTS=""
+TESTUSER=tuser
+
+# The test framework assumes localhost resolves exclusively to 127.0.0.1
+# (and not to ::1). So remove 'localhost' from the ::1 entry.
+perl -p -i -e ' if (/^\s*::1\s+/) { s/\s+localhost\s+/ /g }' /etc/hosts
+
+useradd --user-group --system --create-home -s /bin/bash $TESTUSER
+cp -a debian/perl-framework $AUTOPKGTEST_TMP
+cd $AUTOPKGTEST_TMP/perl-framework
+
+run_tests () {
+ local MPM=$1
+ shift
+ local LOG=testlog.$MPM
+
+ echo =============Running-with-${MPM}==========
+ rm -f apache2.conf.debian
+ cp /etc/apache2/apache2.conf apache2.conf.debian
+ cat /etc/apache2/mods-available/$MPM.load >> apache2.conf.debian
+ ls /etc/apache2/mods-available/*.load | grep -v mpm_ | xargs cat >> apache2.conf.debian
+ # these are only for tests and don't have a .load file
+ for m in bucketeer case_filter case_filter_in ; do
+ echo "LoadModule ${m}_module /usr/lib/apache2/modules/mod_${m}.so" >> apache2.conf.debian
+ done
+ # need TypesConfig from mime.conf for t/modules/filter.t
+ cat /etc/apache2/mods-available/mime.conf >> apache2.conf.debian
+ echo "Servername localhost" >> apache2.conf.debian
+ make clean || true
+ perl -p -i -e 's,^Include,#Include,' apache2.conf.debian
+ chown -R $TESTUSER: $AUTOPKGTEST_TMP
+ su $TESTUSER -c "perl Makefile.PL -apxs /usr/bin/apxs2 -httpd_conf $PWD/apache2.conf.debian" \
+ || return 1
+ su $TESTUSER -c "t/TEST $TESTS" | tee $LOG
+ if ! grep -E "^Files=[0-9]+, Tests=[0-9]+" $LOG ; then
+ echo "Message about Files/Tests not found in $LOG" >&2
+ return 1
+ fi
+ if ! 
grep -E "^Result: PASS" $LOG ; then
+ echo "PASS message not found in $LOG" >&2
+ return 1
+ fi
+ if grep -E "^Result: FAIL" $LOG ; then >&2
+ echo "Test suite failed"
+ return 1
+ fi
+ if grep -E "server dumped core" $LOG ; then >&2
+ echo "segfault detected"
+ return 1
+ fi
+ return 0
+}
+
+run_tests mpm_prefork
+run_tests mpm_worker
+run_tests mpm_event
diff --git a/debian/tests/ssl-passphrase b/debian/tests/ssl-passphrase
new file mode 100644
index 0000000..a0a4fb6
--- /dev/null
+++ b/debian/tests/ssl-passphrase
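Review bot: In the last two checks of `run_tests`, the `>&2` sits after `then` instead of on the `echo`, so it redirects an empty command and "Test suite failed" and "segfault detected" are printed to stdout, unlike the two earlier checks. The lines should read `echo "Test suite failed" >&2` and `echo "segfault detected" >&2`, with a bare `then` above each. The same function expands `$TESTUSER`, `$AUTOPKGTEST_TMP` and `$LOG` unquoted in commands run as root (`chown -R $TESTUSER: $AUTOPKGTEST_TMP`), so quoting them would keep a temp path containing whitespace from being split into separate `chown` targets.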
@@ -0,0 +1,54 @@
+#!/bin/sh
+set -ex
+
+# Check that the init script correctly prompts for the passphrase on startup,
+# then starts and responds correctly to https queries.
+#
+# Author: Robie Basak <robie.basak@ubuntu.com>
+
+cd /etc/ssl/private
+[ -f ssl-cert-snakeoil.key.nopassphrase ] || mv ssl-cert-snakeoil.key ssl-cert-snakeoil.key.nopassphrase
+openssl rsa -des3 -in ssl-cert-snakeoil.key.nopassphrase -out ssl-cert-snakeoil.key -passout pass:test
+a2enmod ssl
+a2ensite default-ssl
+
+# respond to systemd-ask-passphrase
+password_responder() {
+ while [ ! -e /run/systemd/ask-password/sck.* ]; do sleep 1; done
+ echo "ssl-passphrase test password responder: found prompt, sending password"
+ echo test | /lib/systemd/systemd-reply-password 1 /run/systemd/ask-password/sck.*
+}
+password_responder &
+
+# run expect for running under sysvinit/upstart
+expect <<EOT
+spawn service apache2 restart
+set timeout 600
+expect {
+ "assphrase:" {send "test\r"}
+
+ # Failure cases
+ "failed" {exit 1}
+ eof {exit 0}
+}
+
+# wait for eof and return exit code from spawned process back to the caller
+expect eof
+catch wait result
+exit [lindex \$result 3]
+EOT
+
+echo "Hello, world!" > /var/www/html/hello.txt
+
+# Use curl here. wget doesn't work on Debian, even with --no-check-certificate
+# wget on Debian gives me:
+# GnuTLS: A TLS warning alert has been received.
+# Unable to establish SSL connection.
+# Presumably this is due to the self-signed certificate, but I'm not sure how
+# to skip the warning with wget. curl will do for now.
+result=`curl -k https://localhost/hello.txt`
+
+if [ "$result" != "Hello, world!" ]; then
+ echo "Unexpected result from wget" >&2
+ exit 1
+fi |
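Review bot: `password_responder &` is started in the background and never waited for or killed, and its `while [ ! -e /run/systemd/ask-password/sck.* ]` loop ends only when a systemd prompt socket appears. On the sysvinit/upstart path that the `expect` block handles, no socket ever appears, so a root process keeps polling after the script exits and may keep the harness's output pipe open. Recording the pid and reaping it on exit closes that: `responder_pid=$!` after the `&`, and `trap 'kill "$responder_pid" 2>/dev/null || true' EXIT`. The glob inside `[ -e ... ]` also breaks the test if more than one `sck.*` socket exists, and the final error message still says `wget` although the request is made with `curl -k`.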