#!/bin/sh
# PCP QA Test No. 712
# Exercise encrypted communications between pmcd/clients
# Copyright (c) 2012-2013,2022 Red Hat.
#

seq=`basename $0`
echo "QA output created by $seq"

. ./common.secure

_check_tls

_cleanup()
{
    _restore_config $PCP_TLSCONF_PATH
    unset PCP_SECURE_SOCKETS

    _service pcp restart 2>&1 | _filter_pcp_stop | _filter_pcp_start
    _wait_for_pmcd
    _restore_auto_restart pmcd
    _wait_for_pmlogger
    _restore_auto_restart pmlogger

    $sudo rm -rf $tmp.*
}

status=1	# failure is the default!
$sudo rm -rf $tmp.* $seq.full
trap "_cleanup; exit \$status" 0 1 2 3 15

if [ ! -f .rnd ]
then
    echo "Creating random bytes in .rnd" >>$seq.full
    openssl rand -writerand .rnd
fi

_save_config $PCP_TLSCONF_PATH
_stop_auto_restart pmcd
_stop_auto_restart pmlogger
_service pcp stop | _filter_pcp_stop

_filter_tls()
{
    sed \
	-e 's/value [0-9][0-9]*/value NUMBER/' \
	-e '/pminfo([0-9][0-9]*)/s//pminfo(PID)/' \
	-e "s/host \"$hostname\"/host LOCALHOST/g" \
	-e 's/^\[[A-Z].. [A-Z]..  *[0-9][0-9]* ..:..:..]/[DATE]/' \
    #end
}

# real QA test starts here
_setup_tls
original=$PCP_TLSCONF_PATH
cp $original $tmp.tls.orig

_service pmcd start | _filter_pcp_start
_wait_for_pmcd

echo
echo "checking client, generic certificate.  should pass..."
export PCP_SECURE_SOCKETS=1
yes | pminfo -h $hostname -f hinv.ncpu 2>&1 | tee -a $seq.full | _filter_tls

echo
echo "checking client, no certificate verify.  should pass..." | tee -a $seq.full
export PCP_SECURE_SOCKETS=1
export PCP_TLSCONF_PATH=/dev/null
yes | pminfo -h $hostname -f hinv.ncpu 2>&1 | tee -a $seq.full | _filter_tls
export PCP_TLSCONF_PATH=$original

echo
echo "checking client, verify certificate setup.  should pass..." | tee -a $seq.full
cp $tmp.tls.orig $tmp.tls.conf
echo "tls-verify-clients = true" >> $tmp.tls.conf
$sudo cp $tmp.tls.conf $PCP_TLSCONF_PATH
export PCP_SECURE_SOCKETS=1
yes | pminfo -h $hostname -f hinv.ncpu 2>&1 | tee -a $seq.full | _filter_tls

echo
echo "checking client, server certificate only.  should fail..." | tee -a $seq.full
cp $tmp.tls.orig $tmp.tls.conf
sed -i -e 's/pcp.key/server.key/g' $tmp.tls.conf
sed -i -e 's/pcp.crt/server.crt/g' $tmp.tls.conf
unset PCP_SECURE_SOCKETS
_service pmcd start | _filter_pcp_start
_wait_for_pmcd
$sudo cp $tmp.tls.conf $PCP_TLSCONF_PATH
export PCP_TLSCONF_PATH=$original
export PCP_SECURE_SOCKETS=1
yes | pminfo -h $hostname -f hinv.ncpu 2>&1 | tee -a $seq.full | _filter_tls

# check mode where separate client/server certificates are used
#cp $tmp.tls.orig $tmp.tls.conf
#sed -i -e 's/pcp.key/server.key/g' $tmp.tls.conf
#sed -i -e 's/pcp.crt/server.crt/g' $tmp.tls.conf
#echo "tls-client-key-file = $here/tls.conf/client.key" >> $tmp.tls.conf
#echo "tls-client-cert-file = $here/tls.conf/client.crt" >> $tmp.tls.conf
#echo "tls-verify-clients = true" >> $tmp.tls.conf
#$sudo cp $tmp.tls.conf $PCP_TLSCONF_PATH

#unset PCP_SECURE_SOCKETS
#_service pmcd start | _filter_pcp_start
#_wait_for_pmcd

#echo
#echo "checking both client and server certificates.  should pass..." | tee -a $seq.full
#export PCP_SECURE_SOCKETS=1
#yes | pminfo -h $hostname -f hinv.ncpu 2>&1 | tee -a $seq.full | _filter_tls

# success, all done
status=0
exit
