SCAS Patch 3100 test report

Setup

The certification was done on the cern testbed. One machine was set up to be a SCAS server, and a glexec worker node was installed as a client. Both machines were SLC4 32bit. For both a normal yum install and yaim configure was done. The server was first installed as 0.2.6-1c and then upgraded to the patch version 0.2.6-7. After the update the service was restarted

Bugs

bug #52648 [SCAS] Userban fails due to incorrect construction of pemstring

Could not verify the problem, user banning worked with both versions

bug #53524 SCAS: Denial of Service on SCAS daemon

Did a massive telnet test against the host, and it definately was adveresly affected and stoppead accepting client connections

After update ran the same test, and the server stayed responsive the whole time

Certification

The SCAS test suite is only partially related to SCAS, more to glexex. Hence the SCAS was tested with a number of proxy certificates to check that the mapping/denial works correctly. The utility glexec-test.sh was used, which connects to the SCAS service using given certificate, and prints the mapping received. After that also ran tests with combinations of GLEXEC_CLIENT_CERT and GLEXEC_SOURCE_PROXY to see that the user mapping is done correctly, even if another certificate was used to connect to the service. The following certificates were used:

• proxy1: normal user proxy
• proxy2: another user proxy
• proxy3: the same user, different role
• proxy4: proxy without voms extensions
• proxy5: malformed proxy
• proxy6: proxy from an untrusted CA
• proxy7: banned user

All tests passed, the result is attached. Test with proxy4 should fail, since the DN is not explicitly in the grid mapfile.

-- KalleHapponen - 09-Nov-2009