Re: SSL Tests for sslinfo extension

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Michael Paquier <michael(at)paquier(dot)xyz>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Dagfinn Ilmari Mannsåker <ilmari(at)ilmari(dot)org>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: SSL Tests for sslinfo extension
Date: 2021-11-27 19:27:19
Message-ID: 599244.1638041239@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Daniel Gustafsson <daniel(at)yesql(dot)se> writes:
> On 17 Jun 2021, at 09:29, Michael Paquier <michael(at)paquier(dot)xyz> wrote:
>> Hmm. Adding internal dependencies between the tests should be avoided
>> if we can. What would it take to move those TAP tests to
>> contrib/sslinfo instead? This is while keeping in mind that there was
>> a patch aimed at refactoring the SSL test suite for NSS.

> It would be quite invasive as we currently don't provide the SSLServer test
> harness outside of src/test/ssl, and given how tailored it is today I'm not
> sure doing so without a rewrite would be a good idea.

I think testing sslinfo in src/test/ssl is fine, while putting its test
inside contrib/ would be dangerous, because then the test would be run
by default. src/test/ssl is not run by default because the server it
starts is potentially accessible by other local users, and AFAICS the
same has to be true for an sslinfo test.

So I don't have any problem with this structurally, but I do have a
few nitpicks:

* I think the error message added in 0001 should complain about
missing password "encryption" not "encoding", no?

* 0002 hasn't been updated for the great PostgresNode renaming.

* 0002 needs to extend src/test/ssl/README to mention that
"make installcheck" requires having installed contrib/sslinfo,
analogous to similar comments in (eg) src/test/recovery/README.

* 0002 writes a temporary file in the source tree. This is bad;
for one thing I bet it fails under VPATH, but in any case there
is no reason to risk it. Put it in the tmp_check directory instead
(cf temp kdc files in src/test/kerberos/t/001_auth.pl). That's
safer and you needn't worry about cleaning it up.

* Hmm ... now I notice that you borrowed the key-file-copying logic
from the 001 and 002 tests, but it's just as bad practice there.
We should fix them too.

* I ran a code-coverage check and it shows that this doesn't test
ssl_issuer_field() or any of the following functions in sslinfo.c.
I think at least ssl_extension_info() is complicated enough to
deserve a test.

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2021-11-27 19:49:11 Re: rand48 replacement
Previous Message Fabien COELHO 2021-11-27 19:11:34 Re: rand48 replacement