From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
Cc: | Michael Paquier <michael(at)paquier(dot)xyz>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Dagfinn Ilmari Mannsåker <ilmari(at)ilmari(dot)org>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: SSL Tests for sslinfo extension |
Date: | 2021-11-27 19:27:19 |
Message-ID: | 599244.1638041239@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Daniel Gustafsson <daniel(at)yesql(dot)se> writes:
> On 17 Jun 2021, at 09:29, Michael Paquier <michael(at)paquier(dot)xyz> wrote:
>> Hmm. Adding internal dependencies between the tests should be avoided
>> if we can. What would it take to move those TAP tests to
>> contrib/sslinfo instead? This is while keeping in mind that there was
>> a patch aimed at refactoring the SSL test suite for NSS.
> It would be quite invasive as we currently don't provide the SSLServer test
> harness outside of src/test/ssl, and given how tailored it is today I'm not
> sure doing so without a rewrite would be a good idea.
I think testing sslinfo in src/test/ssl is fine, while putting its test
inside contrib/ would be dangerous, because then the test would be run
by default. src/test/ssl is not run by default because the server it
starts is potentially accessible by other local users, and AFAICS the
same has to be true for an sslinfo test.
So I don't have any problem with this structurally, but I do have a
few nitpicks:
* I think the error message added in 0001 should complain about
missing password "encryption" not "encoding", no?
* 0002 hasn't been updated for the great PostgresNode renaming.
* 0002 needs to extend src/test/ssl/README to mention that
"make installcheck" requires having installed contrib/sslinfo,
analogous to similar comments in (eg) src/test/recovery/README.
* 0002 writes a temporary file in the source tree. This is bad;
for one thing I bet it fails under VPATH, but in any case there
is no reason to risk it. Put it in the tmp_check directory instead
(cf temp kdc files in src/test/kerberos/t/001_auth.pl). That's
safer and you needn't worry about cleaning it up.
* Hmm ... now I notice that you borrowed the key-file-copying logic
from the 001 and 002 tests, but it's just as bad practice there.
We should fix them too.
* I ran a code-coverage check and it shows that this doesn't test
ssl_issuer_field() or any of the following functions in sslinfo.c.
I think at least ssl_extension_info() is complicated enough to
deserve a test.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2021-11-27 19:49:11 | Re: rand48 replacement |
Previous Message | Fabien COELHO | 2021-11-27 19:11:34 | Re: rand48 replacement |