AT_BANNER([ovs-monitor-ipsec])

AT_SETUP([ovs-monitor-ipsec])
AT_SKIP_IF([test $HAVE_PYTHON = no])
AT_SKIP_IF([$non_ascii_cwd])

trim () {  # Removes blank lines and lines starting with # from input.
    sed -e '/^#/d' -e '/^[       ]*$/d' "$@"
}

OVS_VSWITCHD_START([])
OVS_MONITOR_IPSEC_START

###
### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs-vsctl \
              -- add-port br0 gre0 \
              -- set interface gre0 type=ipsec_gre \
                                    options:remote_ip=1.2.3.4 \
                                    options:psk=swordfish])
OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
AT_CHECK([cat actions], [0], [dnl
setkey:
> flush;
setkey:
> spdflush;
racoon: reload
racoon: reload
setkey:
> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4   swordfish
])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 1.2.3.4 {
        exchange_mode main;
        nat_traversal on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])

###
### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs-vsctl del-port gre0])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
AT_CHECK([sed '1,9d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
> spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])

###
### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
###
AT_DATA([cert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real certificate)
-----END CERTIFICATE-----
])
AT_DATA([key.pem], [dnl
-----BEGIN RSA PRIVATE KEY-----
(not a real private key)
-----END RSA PRIVATE KEY-----
])
AT_CHECK([ovs-vsctl \
              -- add-port br0 gre1 \
              -- set Interface gre1 type=ipsec_gre \
                 options:remote_ip=2.3.4.5 \
                 options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
                 options:certificate='"/cert.pem"' \
                 options:private_key='"/key.pem"'])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
AT_CHECK([sed '1,17d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 2.3.4.5 {
        exchange_mode main;
        nat_traversal on;
        ike_frag on;
        certificate_type x509 "/cert.pem" "/key.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
        verify_identifier on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])

###
### Delete the ipsec_gre certificate interface.
###
AT_CHECK([ovs-vsctl del-port gre1])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
AT_CHECK([sed '1,21d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
> spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])

###
### Add an SSL certificate interface.
###
cp cert.pem ssl-cert.pem
cp key.pem ssl-key.pem
AT_DATA([ssl-cacert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real CA certificate)
-----END CERTIFICATE-----
])
AT_CHECK([ovs-vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
              -- add-port br0 gre2 \
              -- set Interface gre2 type=ipsec_gre \
                 options:remote_ip=3.4.5.6 \
                 options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
                 options:use_ssl_cert='"true"'])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
AT_CHECK([sed '1,29d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 3.4.5.6 {
        exchange_mode main;
        nat_traversal on;
        ike_frag on;
        certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
        verify_identifier on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])

###
### Delete the SSL certificate interface.
###
AT_CHECK([ovs-vsctl del-port gre2])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
AT_CHECK([sed '1,33d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
> spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])

dnl Skip SSL errors reported by Open vSwitch
OVS_VSWITCHD_STOP(["/stream_ssl/d"])
AT_CLEANUP