GridSite Software Verification and Validation Plan

Service Description

GridSite is a set of extensions to the Apache WebServer and a toolkit for Grid credentials, GACL access control lists and HTTP(S) protocol operations. GridSite uses X.509 certificates loaded into unmodified versions of web browsers like Internet Explorer, Netscape or Mozilla to authenticate users, and then grants read and write authorization on this basis. HTML and text files can be edited within a browser window, or pages and binary files can be uploaded from local disk.

Deployment scenarios

The WMProxy uses the GridSite Apache module to provide security functions for the job control. The GridSite delegation service is also used to delegate credentials submitted with the jobs.

The L&B server uses the GridSite library to manage and evaluate the ACLs used to control access to user jobs.

Functionality tests

Prerequisites

There are prerequisites to successfully running functionality tests for GridSite. Most importantly, the Apache WebServer (module httpd) and mod_ssl (module mod_ssl) must be installed, properly configured and started.

yum -y install httpd mod_ssl

Workarounds for mod_ssl (see https://savannah.cern.ch/bugs/?48458):

yum -y install dummy-ca-certs

Start Apache with the GridSite module enabled:

sed -e '1,$s!/usr/lib/httpd/modules/!modules/!' /usr/share/doc/gridsite-*/httpd-webserver.conf | sed 's!/var/www/html!/var/www/htdocs!' | sed "s/FULL.SERVER.NAME/$(hostname -f)/" | sed "s/\(GridSiteGSIProxyLimit\)/# \1/"> /tmp/httpd-webserver.conf
echo "AddHandler cgi-script .cgi" >> /tmp/httpd-webserver.conf
echo "ScriptAlias /gridsite-delegation.cgi /usr/sbin/gridsite-delegation.cgi" >> /tmp/httpd-webserver.conf
mkdir /var/www/htdocs
httpd -f /tmp/httpd-webserver.conf

Optional Service Ping Test

There are basic tests verifying that the service is up and running. They can be run optionally to confirm that the essential environment for functionality tests is ready.

  • gridsite-test-ping-local.sh – Test installation on a local machine (processes running, ports listening, modules loaded, etc.).
  • gridsite-test-ping-remote.sh – Test the GridSite availability remotely (ports open, WS delegation ping (?))

./ping-remote.sh `hostname -f`
./ping-local.sh -f /tmp/httpd-webserver.conf

Features/Scenarios to be tested

Basic access control test. First check that the server is closed, then specify a policy and check that it opened the access. Repeat for reading (HTTP PUT), writing (HTTP PUT) and removal (HTTP DEVEL).

Read Permissions

Normal workflow – correct input
Publish an HTML file and specify a policy. Try reading the file off the WebServer.

Pass/Fail Criteria
Pass: It was possible to read the file without problems (HTTP message OK, status code 200)
Fail: It was not possible to read the file.

Error workflow – erroneous input
Try reading the file without setting a policy allowing that.

Pass/Fail Criteria
Pass: It was not possible to read the file (HTTP message Forbidden, status code 403)
Fail: Another HTTP status code was returned (it was either possible to read the file or the reading failed due to a different reason)

cat >/var/www/htdocs/test.html <<EOF
<html><body><h1>Hello Grid</h1></body></html>
EOF
code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n'  https://$(hostname -f)/test.html`
[ "$code" = "403" ] && echo "OK"

cat >/var/www/htdocs/.gacl <<EOF
<gacl>
  <entry>
    <any-user/>
      <allow><read/></allow>
  </entry>
</gacl>
EOF

code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n'  https://$(hostname -f)/test.html`
[ "$code" = "200" ] && echo "OK"

Get Directory Index (List & Read Permissions)

Specify a policy and try reading the contents of a directory at the WebServer.

Pass/Fail Criteria
Pass: It was possible to get the index without problems (HTTP message OK, status code 200)
Fail: It was not possible to read the index.

Error workflow – erroneous input
Try reading the contents of a directory at the WebServer without appropriate policy settings

Pass/Fail Criteria
Pass: It was not possible to read the index (HTTP message Forbidden, status code 403)
Fail: Another HTTP status code was returned (it was either possible to read the index or the reading failed due to a different reason)

code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
https://$(hostname -f)/`
[ "$code" = "403" ] && echo "OK"

cat >/var/www/htdocs/.gacl <<EOF
<gacl>
  <entry>
    <person>
      <dn>`openssl x509 -noout -subject -in /etc/grid-security/hostcert.pem | sed -e 's/^subject= //'`</dn>
    </person>
    <allow><read/><list/></allow>
  </entry>
</gacl>
EOF

code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
https://$(hostname -f)/`
[ "$code" = "200" ] && echo "OK"

WRITE & DELETE (write permissions)

Normal workflow – correct input
Set policy and try to upload a file to the WebServer. Then try to delete it.

Pass/Fail Criteria
Pass: It was possible to upload the file without problems (HTTP message Created, status code 201) and it was possible to delete it again (HTTP message OK, status code 200)
Fail: It was not possible to upload the file or delete the file afterward.

Error workflow – erroneous input
Try uploading a file to the WebServer without the appropriate policy set. Then set the policy, upload a file, remove the policy and try to delete the file.

Pass/Fail Criteria
Pass: Neither file upload nor deletion were allowed (HTTP message Forbidden, status code 403)
Fail: File upload or deletion were allowed.

rm -f /var/www/htdocs/.gacl /var/www/htdocs/test.txt
date > /tmp/test.txt
chown apache /var/www/htdocs/
code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
--upload-file /tmp/test.txt https://$(hostname -f)/test.txt`
[ "$code" = "403" ] && echo "OK"

cat >/var/www/htdocs/.gacl <<EOF
<gacl>
  <entry>
    <person>
      <dn>`openssl x509 -noout -subject -in /etc/grid-security/hostcert.pem | sed -e 's/^subject= //'`</dn>
    </person>
    <allow><write/></allow>
  </entry>
</gacl>
EOF

code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
--upload-file /tmp/test.txt https://$(hostname -f)/test.txt`
cmp -s /tmp/test.txt /var/www/htdocs/test.txt
[ $? -eq 0 -a "$code" = "201" ] && echo "OK"

mv  /var/www/htdocs/.gacl /var/www/htdocs/.gacl.bak
code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
-X DELETE https://$(hostname -f)/test.txt`
[ "$code" = "403" ] && echo "OK"

mv /var/www/htdocs/.gacl.bak /var/www/htdocs/.gacl

code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
-X DELETE https://$(hostname -f)/test.txt`
[ "$code" = "200" ] && echo "OK"
chown root /var/www/htdocs
XXX Repeat the tests with particular VOMS attributes. Try also longer proxy chains

Check Attributes Passed on to the Environment

Normal workflow – correct input
Access a CGI script that prints out environment variables (e. g. by calling printenv). Check its output to confirm the presence of GridSite-specific attributes (prefixed with GRST_).

Pass/Fail Criteria
Pass: CGI output contained GridSite-specific attributes.
Fail: CGI output did not contain GridSite-specific attributes or any other error occurred.

Error workflow – erroneous input
N/A

Pass/Fail Criteria
N/A

cat >/var/www/htdocs/.gacl <<EOF
<gacl>
  <entry>
    <person>
      <dn>`openssl x509 -noout -subject -in /etc/grid-security/hostcert.pem | sed -e 's/^subject= //'`</dn>
    </person>
    <allow><read/></allow>
  </entry>
</gacl>
EOF
cat >/var/www/htdocs/test.cgi <<EOF
#!/bin/sh                                                                                                                                    
echo 'Content-type: text/plain'                                                                                                              
echo                                                                                                                                         
printenv
EOF
chmod +x /var/www/htdocs/test.cgi
code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /tmp/gridsite.log --silent --write-out '%{http_code}\n'  https://$(hostname -f)/test.cgi`
[ "$code" = "200" ] && echo "OK"
grep "^GRST_" /tmp/gridsite.log 2>/dev/null
[ $? -eq 0 ] && echo "OK"

Test Basic Commands

Normal workflow – correct input
Try running essential commands (htcp, htls, htmv, htrm) to perform their standard functions.

Pass/Fail Criteria
Pass: None of the programs returned errors in standard situations and they all performed as expected.
Fail: Either of the programs returned errors or failed to perform.

Error workflow – erroneous input
N/A

Pass/Fail Criteria
N/A

cat >/var/www/htdocs/.gacl <<EOF
<gacl>
  <entry>
    <person>
      <dn>`openssl x509 -noout -subject -in /etc/grid-security/hostcert.pem | sed -e 's/^subject= //'`</dn>
    </person>
    <allow><read/><write/><list/></allow>
  </entry>
</gacl>
EOF

chown apache /var/www/htdocs/

date > /tmp/test.txt
htcp --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ /tmp/test.txt https://$(hostname -f)/
[ $? -eq 0 ] && echo "OK"
htls --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/test.txt > /dev/null
[ $? -eq 0 ] && echo "OK"
htmv --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/test.txt https://$(hostname -f)/test2.txt
[ $? -eq 0 ] && echo "OK"
htcp --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/test2.txt /tmp
[ $? -eq 0 ] && echo "OK"
htrm --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/test2.txt
[ $? -eq 0 ] && echo "OK"
htls --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/test2.txt 2> /dev/null
[ $? -eq 22 ] && echo "OK"
htls --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/ > /dev/null
[ $? -eq 0 ] && echo "OK"
cmp /tmp/test.txt /tmp/test2.txt
[ $? -eq 0 ] && echo "OK"

chown root /var/www/htdocs/

Test Proxy Delegation

Normal workflow – correct input
Try out proxy delegation through gridsite-delegation.cgi. Try to expire the proxy and renew with a new ID.

Pass/Fail Criteria
Pass: Delegation worked.
Fail: Any of the operations failed.

Error workflow – erroneous input
N/A

Pass/Fail Criteria
N/A

mkdir /var/www/proxycache
chown apache /var/www/proxycache

#delegation
id=`htproxyput --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates https://$(hostname -f)/gridsite-delegation.cgi`
[ $? -eq 0 -a -n "$id" ] && echo OK

expiry=`htproxyunixtime --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --delegation-id $id https://$(hostname -f)/gridsite-delegation.cgi`

newid=`htproxyrenew --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --delegation-id $id https://$(hostname -f)/gridsite-delegation.cgi`
[ $? -eq 0 -a -n "$newid" ] && echo OK

htproxydestroy --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --delegation-id $id https://$(hostname -f)/gridsite-delegation.cgi

Features not to be tested

N/A

Performance tests

  • Measure time needed to delegate a proxy to the WMS
  • Measure overall time needed to process an HTTP request that is handled by the GridSite module (with an GACL policy specified)

Scalability tests

Repeat the tests above in parallel. Possibly the Apache benchmark tools (like ab) could be utilized. Measure time and CPU load.

-- ZdenekSustr - 03-Feb-2011

Edit | Attach | Watch | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r4 - 2011-02-21 - ZdenekSustr
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EGEE All webs login

This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright & by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Ask a support question or Send feedback