EGEE Web>SA3>EGEECertification>SA3Testing>GridSiteSoftwareVerificationandValidationPlan (2011-02-21, ZdenekSustr)

GridSite Software Verification and Validation Plan

Service Description
Deployment scenarios
Functionality tests
- Features/Scenarios to be tested
- Features not to be tested
Performance tests
Scalability tests

Service Description

GridSite is a set of extensions to the Apache WebServer and a toolkit for Grid credentials, GACL access control lists and HTTP(S) protocol operations. GridSite uses X.509 certificates loaded into unmodified versions of web browsers like Internet Explorer, Netscape or Mozilla to authenticate users, and then grants read and write authorization on this basis. HTML and text files can be edited within a browser window, or pages and binary files can be uploaded from local disk.

Deployment scenarios

The WMProxy uses the GridSite Apache module to provide security functions for the job control. The GridSite delegation service is also used to delegate credentials submitted with the jobs.

The L&B server uses the GridSite library to manage and evaluate the ACLs used to control access to user jobs.

Functionality tests

Prerequisites

There are prerequisites to successfully running functionality tests for GridSite. Most importantly, the Apache WebServer (module httpd) and mod_ssl (module mod_ssl) must be installed, properly configured and started.

Show Code Hide Code

yum -y install httpd mod_ssl

Workarounds for mod_ssl (see https://savannah.cern.ch/bugs/?48458):

yum -y install dummy-ca-certs

Start Apache with the GridSite module enabled:

sed -e '1,$s!/usr/lib/httpd/modules/!modules/!' /usr/share/doc/gridsite-*/httpd-webserver.conf | sed 's!/var/www/html!/var/www/htdocs!' | sed "s/FULL.SERVER.NAME/$(hostname -f)/" | sed "s/\(GridSiteGSIProxyLimit\)/# \1/"> /tmp/httpd-webserver.conf
echo "AddHandler cgi-script .cgi" >> /tmp/httpd-webserver.conf
echo "ScriptAlias /gridsite-delegation.cgi /usr/sbin/gridsite-delegation.cgi" >> /tmp/httpd-webserver.conf
mkdir /var/www/htdocs
httpd -f /tmp/httpd-webserver.conf

Optional Service Ping Test

There are basic tests verifying that the service is up and running. They can be run optionally to confirm that the essential environment for functionality tests is ready.

gridsite-test-ping-local.sh – Test installation on a local machine (processes running, ports listening, modules loaded, etc.).
gridsite-test-ping-remote.sh – Test the GridSite availability remotely (ports open, WS delegation ping (?))

Show Code Hide Code

./ping-remote.sh `hostname -f`
./ping-local.sh -f /tmp/httpd-webserver.conf

Features/Scenarios to be tested

Basic access control test. First check that the server is closed, then specify a policy and check that it opened the access. Repeat for reading (HTTP PUT), writing (HTTP PUT) and removal (HTTP DEVEL).

Read Permissions

Normal workflow – correct input

Publish an HTML file and specify a policy. Try reading the file off the WebServer.

Pass/Fail Criteria

Pass: It was possible to read the file without problems (HTTP message OK, status code 200)
Fail: It was not possible to read the file.

Error workflow – erroneous input

Try reading the file without setting a policy allowing that.

Pass/Fail Criteria

Pass: It was not possible to read the file (HTTP message Forbidden, status code 403)
Fail: Another HTTP status code was returned (it was either possible to read the file or the reading failed due to a different reason)

Show Code Hide Code

cat >/var/www/htdocs/test.html <<EOF
<html><body><h1>Hello Grid</h1></body></html>
EOF
code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n'  https://$(hostname -f)/test.html`
[ "$code" = "403" ] && echo "OK"

cat >/var/www/htdocs/.gacl <<EOF
<gacl>
  <entry>
    <any-user/>
      <allow><read/></allow>
  </entry>
</gacl>
EOF

code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n'  https://$(hostname -f)/test.html`
[ "$code" = "200" ] && echo "OK"

Get Directory Index (List & Read Permissions)

Specify a policy and try reading the contents of a directory at the WebServer.

Pass/Fail Criteria

Pass: It was possible to get the index without problems (HTTP message OK, status code 200)
Fail: It was not possible to read the index.

Error workflow – erroneous input

Try reading the contents of a directory at the WebServer without appropriate policy settings

Pass/Fail Criteria

Pass: It was not possible to read the index (HTTP message Forbidden, status code 403)
Fail: Another HTTP status code was returned (it was either possible to read the index or the reading failed due to a different reason)

Show Code Hide Code

code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
https://$(hostname -f)/`
[ "$code" = "403" ] && echo "OK"

cat >/var/www/htdocs/.gacl <<EOF
<gacl>
  <entry>
    <person>
      <dn>`openssl x509 -noout -subject -in /etc/grid-security/hostcert.pem | sed -e 's/^subject= //'`</dn>
    </person>
    <allow><read/><list/></allow>
  </entry>
</gacl>
EOF

code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
https://$(hostname -f)/`
[ "$code" = "200" ] && echo "OK"

WRITE & DELETE (write permissions)

Normal workflow – correct input

Set policy and try to upload a file to the WebServer. Then try to delete it.

Pass/Fail Criteria

Pass: It was possible to upload the file without problems (HTTP message Created, status code 201) and it was possible to delete it again (HTTP message OK, status code 200)
Fail: It was not possible to upload the file or delete the file afterward.

Error workflow – erroneous input

Try uploading a file to the WebServer without the appropriate policy set. Then set the policy, upload a file, remove the policy and try to delete the file.

Pass/Fail Criteria

Pass: Neither file upload nor deletion were allowed (HTTP message Forbidden, status code 403)
Fail: File upload or deletion were allowed.

Show Code Hide Code

rm -f /var/www/htdocs/.gacl /var/www/htdocs/test.txt
date > /tmp/test.txt
chown apache /var/www/htdocs/
code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
--upload-file /tmp/test.txt https://$(hostname -f)/test.txt`
[ "$code" = "403" ] && echo "OK"

cat >/var/www/htdocs/.gacl <<EOF
<gacl>
  <entry>
    <person>
      <dn>`openssl x509 -noout -subject -in /etc/grid-security/hostcert.pem | sed -e 's/^subject= //'`</dn>
    </person>
    <allow><write/></allow>
  </entry>
</gacl>
EOF

code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
--upload-file /tmp/test.txt https://$(hostname -f)/test.txt`
cmp -s /tmp/test.txt /var/www/htdocs/test.txt
[ $? -eq 0 -a "$code" = "201" ] && echo "OK"

mv  /var/www/htdocs/.gacl /var/www/htdocs/.gacl.bak
code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
-X DELETE https://$(hostname -f)/test.txt`
[ "$code" = "403" ] && echo "OK"

mv /var/www/htdocs/.gacl.bak /var/www/htdocs/.gacl

code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /dev/null --silent --write-out '%{http_code}\n' \
-X DELETE https://$(hostname -f)/test.txt`
[ "$code" = "200" ] && echo "OK"
chown root /var/www/htdocs

XXX Repeat the tests with particular VOMS attributes. Try also longer proxy chains

Check Attributes Passed on to the Environment

Normal workflow – correct input

Access a CGI script that prints out environment variables (e. g. by calling printenv). Check its output to confirm the presence of GridSite-specific attributes (prefixed with GRST_).

Pass/Fail Criteria

Pass: CGI output contained GridSite-specific attributes.
Fail: CGI output did not contain GridSite-specific attributes or any other error occurred.

Error workflow – erroneous input

N/A

Pass/Fail Criteria

N/A

Show Code Hide Code

cat >/var/www/htdocs/.gacl <<EOF
<gacl>
  <entry>
    <person>
      <dn>`openssl x509 -noout -subject -in /etc/grid-security/hostcert.pem | sed -e 's/^subject= //'`</dn>
    </person>
    <allow><read/></allow>
  </entry>
</gacl>
EOF
cat >/var/www/htdocs/test.cgi <<EOF
#!/bin/sh                                                                                                                                    
echo 'Content-type: text/plain'                                                                                                              
echo                                                                                                                                         
printenv
EOF
chmod +x /var/www/htdocs/test.cgi
code=`curl --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --output /tmp/gridsite.log --silent --write-out '%{http_code}\n'  https://$(hostname -f)/test.cgi`
[ "$code" = "200" ] && echo "OK"
grep "^GRST_" /tmp/gridsite.log 2>/dev/null
[ $? -eq 0 ] && echo "OK"

Test Basic Commands

Normal workflow – correct input

Try running essential commands (htcp, htls, htmv, htrm) to perform their standard functions.

Pass/Fail Criteria

Pass: None of the programs returned errors in standard situations and they all performed as expected.
Fail: Either of the programs returned errors or failed to perform.

Error workflow – erroneous input

N/A

Pass/Fail Criteria

N/A

Show Code Hide Code

cat >/var/www/htdocs/.gacl <<EOF
<gacl>
  <entry>
    <person>
      <dn>`openssl x509 -noout -subject -in /etc/grid-security/hostcert.pem | sed -e 's/^subject= //'`</dn>
    </person>
    <allow><read/><write/><list/></allow>
  </entry>
</gacl>
EOF

chown apache /var/www/htdocs/

date > /tmp/test.txt
htcp --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ /tmp/test.txt https://$(hostname -f)/
[ $? -eq 0 ] && echo "OK"
htls --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/test.txt > /dev/null
[ $? -eq 0 ] && echo "OK"
htmv --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/test.txt https://$(hostname -f)/test2.txt
[ $? -eq 0 ] && echo "OK"
htcp --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/test2.txt /tmp
[ $? -eq 0 ] && echo "OK"
htrm --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/test2.txt
[ $? -eq 0 ] && echo "OK"
htls --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/test2.txt 2> /dev/null
[ $? -eq 22 ] && echo "OK"
htls --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates/ https://$(hostname -f)/ > /dev/null
[ $? -eq 0 ] && echo "OK"
cmp /tmp/test.txt /tmp/test2.txt
[ $? -eq 0 ] && echo "OK"

chown root /var/www/htdocs/

Test Proxy Delegation

Normal workflow – correct input

Try out proxy delegation through gridsite-delegation.cgi. Try to expire the proxy and renew with a new ID.

Pass/Fail Criteria

Pass: Delegation worked.
Fail: Any of the operations failed.

Error workflow – erroneous input

N/A

Pass/Fail Criteria

N/A

Show Code Hide Code

mkdir /var/www/proxycache
chown apache /var/www/proxycache

#delegation
id=`htproxyput --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates https://$(hostname -f)/gridsite-delegation.cgi`
[ $? -eq 0 -a -n "$id" ] && echo OK

expiry=`htproxyunixtime --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --delegation-id $id https://$(hostname -f)/gridsite-delegation.cgi`

newid=`htproxyrenew --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --delegation-id $id https://$(hostname -f)/gridsite-delegation.cgi`
[ $? -eq 0 -a -n "$newid" ] && echo OK

htproxydestroy --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem --capath /etc/grid-security/certificates --delegation-id $id https://$(hostname -f)/gridsite-delegation.cgi

Features not to be tested

N/A

Performance tests

Measure time needed to delegate a proxy to the WMS
Measure overall time needed to process an HTTP request that is handled by the GridSite module (with an GACL policy specified)

Scalability tests

Repeat the tests above in parallel. Possibly the Apache benchmark tools (like ab) could be utilized. Measure time and CPU load.

-- ZdenekSustr - 03-Feb-2011

Topic revision: r4 - 2011-02-21 - ZdenekSustr

EGEE

Main.WebList

Welcome Guest

- Cern Search
- TWiki Search
- Google Search
EGEE All webs

Copyright &© by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Ask a support question or Send feedback