qemu/tests
Daniel P. Berrange b25e12daff qemu-nbd: add support for authorization of TLS clients
Currently any client which can complete the TLS handshake is able to use
the NBD server. The server admin can turn on the 'verify-peer' option
for the x509 creds to require the client to provide an x509 certificate.
This means the client will have to acquire a certificate from the CA
before they are permitted to use the NBD server. This is still a fairly
low bar to cross.

This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which
takes the ID of a previously added 'QAuthZ' object instance. This will
be used to validate the client's x509 distinguished name. Clients
failing the authorization check will not be permitted to use the NBD
server.

For example, to set up authorization that only allows connection from a client
whose x509 certificate distinguished name is

   CN=laptop.example.com,O=Example Org,L=London,ST=London,C=GB

escape the commas in the name and use:

  qemu-nbd --object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
                    endpoint=server,verify-peer=yes \
           --object 'authz-simple,id=authz0,identity=CN=laptop.example.com,,\
                     O=Example Org,,L=London,,ST=London,,C=GB' \
           --tls-creds tls0 \
           --tls-authz authz0 \
           ....other qemu-nbd args...

NB: a real shell command line would not have leading whitespace after
the line continuation, it is just included here for clarity.

Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <20190227162035.18543-2-berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
[eblake: split long line in --help text, tweak 233 to show that whitespace
after ,, in identity= portion is actually okay]
Signed-off-by: Eric Blake <eblake@redhat.com>
2019-03-06 11:05:27 -06:00
..
acceptance Acceptance tests: add Linux initrd checking test 2019-01-17 17:52:40 -02:00
data tests/data: introduce "uefi-boot-images" with the "bios-tables-test" ISOs 2019-02-21 12:28:41 -05:00
decode
docker tests/docker: peg netmap code to a specific version 2019-02-22 09:32:32 +00:00
fp softfloat: Support float_round_to_odd more places 2019-02-26 14:08:03 +00:00
guest-debug tests/guest-debug: fix scoping of failcount 2018-11-13 10:47:59 +00:00
image-fuzzer python: futurize -f lib2to3.fixes.fix_renames 2018-06-08 14:39:24 -03:00
keys
libqos qemu/queue.h: simplify reverse access to QTAILQ 2019-01-11 15:46:55 +01:00
migration migration-test: Only generate a single target architecture 2018-10-11 19:58:26 +01:00
multiboot tests/multiboot: Add .gitignore 2018-03-21 15:13:40 +01:00
qapi-schema qapi: Fix array first used in a different module 2019-03-05 14:43:11 +01:00
qemu-iotests qemu-nbd: add support for authorization of TLS clients 2019-03-06 11:05:27 -06:00
rocker
tcg target/mips: Add tests for integer add MSA instruction group 2019-03-05 17:05:33 +01:00
uefi-test-tools tests/uefi-test-tools: add build scripts 2019-02-21 12:28:41 -05:00
vm tests/vm: Be verbose while extracting compressed images 2019-02-11 12:47:08 +00:00
vmstate-static-checker-data
.gitignore qapi: Fix code generation for sub-modules in other directories 2019-03-05 14:43:11 +01:00
ac97-test.c
acpi-utils.c tests: acpi: reuse fetch_table() in vmgenid-test 2019-01-17 21:10:57 -05:00
acpi-utils.h tests: acpi: use AcpiSdtTable::aml instead of AcpiSdtTable::header::signature 2019-01-17 21:10:57 -05:00
ahci-test.c Testing patches for 2018-08-16 2018-08-16 09:50:54 +01:00
atomic64-bench.c tests: use g_usleep instead of rem = sleep(time) 2019-01-14 14:52:30 +00:00
atomic_add-bench.c tests: use g_usleep instead of rem = sleep(time) 2019-01-14 14:52:30 +00:00
benchmark-crypto-cipher.c crypto: expand algorithm coverage for cipher benchmark 2018-10-24 19:03:37 +01:00
benchmark-crypto-hash.c tests/crypto: Use the IEC binary prefix definitions 2018-07-02 15:41:17 +02:00
benchmark-crypto-hmac.c tests/crypto: Use the IEC binary prefix definitions 2018-07-02 15:41:17 +02:00
bios-tables-test.c tests: acpi: use AcpiSdtTable::aml instead of AcpiSdtTable::header::signature 2019-01-17 21:10:57 -05:00
boot-order-test.c tests/boot-order: Make test independent of global_qtest 2019-01-22 05:14:32 +01:00
boot-sector.c tests/boot-sector: Add magic bytes to s390x boot code header 2018-06-08 13:17:39 -04:00
boot-sector.h
boot-serial-test.c tests: Exit boot-serial-test loop if child dies 2018-12-17 15:37:50 +01:00
cdrom-test.c tests/cdrom-test: only include isapc cdrom test when g_test_slow() 2019-02-22 09:32:32 +00:00
check-block-qdict.c tests: fix crumple/recursive leak 2018-08-15 08:12:19 +02:00
check-block.sh qemu-iotests: convert pwd and $(pwd) to $PWD 2018-11-19 10:08:19 -06:00
check-qdict.c tests: Restore check-qdict unit test 2018-10-10 08:00:00 +02:00
check-qjson.c json: Fix % handling when not interpolating 2019-01-24 15:20:59 +01:00
check-qlist.c qobject: Replace qobject_incref/QINCREF qobject_decref/QDECREF 2018-05-04 08:27:53 +02:00
check-qlit.c qobject: Replace qobject_incref/QINCREF qobject_decref/QDECREF 2018-05-04 08:27:53 +02:00
check-qnull.c qobject: Replace qobject_incref/QINCREF qobject_decref/QDECREF 2018-05-04 08:27:53 +02:00
check-qnum.c qobject: Replace qobject_incref/QINCREF qobject_decref/QDECREF 2018-05-04 08:27:53 +02:00
check-qobject.c qstring: Move qstring_from_substr()'s @end one to the right 2018-07-28 09:09:58 +02:00
check-qom-interface.c qom: make interface types abstract 2018-12-11 15:45:22 -02:00
check-qom-proplist.c tests/qom-proplist: check class properties iterator 2018-10-05 16:27:09 +04:00
check-qstring.c qstring: Move qstring_from_substr()'s @end one to the right 2018-07-28 09:09:58 +02:00
cpu-plug-test.c hw/i386: Remove deprecated machines pc-0.10 and pc-0.11 2018-12-20 11:19:12 -05:00
crypto-tls-psk-helpers.c crypto: Implement TLS Pre-Shared Keys (PSK). 2018-07-03 13:04:38 +01:00
crypto-tls-psk-helpers.h crypto: Implement TLS Pre-Shared Keys (PSK). 2018-07-03 13:04:38 +01:00
crypto-tls-x509-helpers.c tests: call qcrypto_init instead of gnutls_global_init 2018-07-24 17:33:39 +01:00
crypto-tls-x509-helpers.h crypto: require gnutls >= 3.1.18 for building QEMU 2018-10-19 12:26:57 +01:00
device-introspect-test.c tests/device-introspect: Test with all machines, not only with "none" 2018-08-23 18:46:25 +02:00
device-plug-test.c tests/device-plug: Add PHB unplug request test for spapr 2019-02-26 09:21:25 +11:00
display-vga-test.c tests/display-vga: Enable virtio-vga test 2019-01-11 11:45:00 +01:00
drive_del-test.c tests: add qmp_assert_error_class() 2018-08-31 09:53:10 +02:00
ds1338-test.c
e1000-test.c
e1000e-test.c tests: Clean up string interpolation around qtest_qmp_device_add() 2018-08-16 08:42:06 +02:00
eepro100-test.c
endianness-test.c tests/endianesss: Make test independent of global_qtest 2019-01-22 05:14:32 +01:00
es1370-test.c
fdc-test.c tests: Remove (mostly) useless architecture checks 2019-03-06 10:10:36 +01:00
fw_cfg-test.c fw_cfg: import & use linux/qemu_fw_cfg.h 2018-08-23 18:46:25 +02:00
hd-geo-test.c block: Remove deprecated -drive geometry options 2018-08-15 12:50:39 +02:00
hexloader-test.c tests/hexloader-test: Don't pass -nographic to the QEMU under test 2019-01-22 06:26:32 +01:00
i440fx-test.c
i82801b11-test.c
ide-test.c tests: Remove (mostly) useless architecture checks 2019-03-06 10:10:36 +01:00
intel-hda-test.c
io-channel-helpers.c
io-channel-helpers.h
ioh3420-test.c
iothread.c
iothread.h
ipmi-bt-test.c tests: Remove (mostly) useless architecture checks 2019-03-06 10:10:36 +01:00
ipmi-kcs-test.c tests: Remove (mostly) useless architecture checks 2019-03-06 10:10:36 +01:00
ipoctal232-test.c
ivshmem-test.c chardev: forbid 'wait' option with client sockets 2019-02-12 17:35:56 +01:00
libqtest.c chardev: forbid 'wait' option with client sockets 2019-02-12 17:35:56 +01:00
libqtest.h tests/libqtest: Introduce qtest_init_with_serial() 2019-01-29 11:46:04 +00:00
m25p80-test.c libqtest: Replace qtest_startf() by qtest_initf() 2018-08-16 08:42:06 +02:00
m48t59-test.c libqtest: Replace qtest_startf() by qtest_initf() 2018-08-16 08:42:06 +02:00
machine-none-test.c tests/machine-none: Make test independent of global_qtest 2018-12-17 15:36:40 +01:00
Makefile.include qapi: Fix code generation for sub-modules in other directories 2019-03-05 14:43:11 +01:00
megasas-test.c
microbit-test.c tests/microbit-test: Add tests for nRF51 NVMC 2019-02-01 15:32:17 +00:00
migration-test.c tests: Add basic migration precopy tcp test 2019-03-06 10:49:17 +00:00
ne2000-test.c
numa-test.c libqtest: Replace qtest_startf() by qtest_initf() 2018-08-16 08:42:06 +02:00
nvme-test.c nvme: fix out-of-bounds access to the CMB 2018-11-22 16:43:52 +01:00
pca9552-test.c misc: add pca9552 LED blinker model 2018-06-08 13:15:32 +01:00
pcnet-test.c
pkix_asn1_tab.c
pnv-xscom-test.c tests/pnv-xscom: Make test independent of global_qtest 2019-01-22 05:14:32 +01:00
prom-env-test.c tests/prom-env: Make test independent of global_qtest 2018-12-17 15:36:40 +01:00
ptimer-test-stubs.c qemu-timer: introduce timer attributes 2018-10-19 13:44:03 +02:00
ptimer-test.c ptimer: Add TRIGGER_ONLY_ON_DECREMENT policy option 2018-07-09 14:51:34 +01:00
ptimer-test.h
pvpanic-test.c tests/pvpanic: Make the pvpanic test independent of global_qtest 2018-12-17 15:36:40 +01:00
pxe-test.c tests/pxe: Make test independent of global_qtest 2018-12-17 15:36:40 +01:00
q35-test.c qobject: Replace qobject_incref/QINCREF qobject_decref/QDECREF 2018-05-04 08:27:53 +02:00
qemu-iotests-quick.sh
qht-bench.c tests: use g_usleep instead of rem = sleep(time) 2019-01-14 14:52:30 +00:00
qmp-cmd-test.c tests: add qmp/object-add-without-props test 2018-08-31 09:53:10 +02:00
qmp-test.c Revert "tests: Add parameter to qtest_init_without_qmp_handshake" 2018-12-12 10:28:27 +01:00
qom-test.c tests: Skip old versioned machine types in quick testing mode 2018-08-23 18:46:23 +02:00
rcutorture.c rcutorture: remove synchronize_rcu from readers 2018-03-12 16:12:47 +01:00
requirements.txt Acceptance tests: add make rule for running them 2018-10-30 21:13:54 -03:00
rtas-test.c
rtc-test.c
rtl8139-test.c
sdhci-test.c libqtest: Replace qtest_startf() by qtest_initf() 2018-08-16 08:42:06 +02:00
socket-helpers.c sockets: strengthen test suite IP protocol availability checks 2018-03-13 18:06:06 +00:00
socket-helpers.h sockets: strengthen test suite IP protocol availability checks 2018-03-13 18:06:06 +00:00
spapr-phb-test.c
tco-test.c libqtest: Replace qtest_startf() by qtest_initf() 2018-08-16 08:42:06 +02:00
test-aio-multithread.c
test-aio.c coroutine: add test-aio coroutine queue chaining test case 2018-03-27 13:05:28 +01:00
test-announce-self.c tests: Add a test for qemu self announcements 2019-03-05 11:27:41 +08:00
test-arm-mptimer.c tests/test-arm-mptimer: Don't leak string memory 2018-12-14 13:30:54 +00:00
test-authz-list.c authz: add QAuthZList object type for an access control list 2019-02-26 15:32:18 +00:00
test-authz-listfile.c authz: add QAuthZListFile object type for a file access control list 2019-02-26 15:32:18 +00:00
test-authz-pam.c authz: add QAuthZPAM object type for authorizing using PAM 2019-02-26 15:32:19 +00:00
test-authz-simple.c authz: add QAuthZSimple object type for easy whitelist auth checks 2019-02-26 15:25:58 +00:00
test-base64.c
test-bdrv-drain.c Block layer patches: 2019-02-26 19:04:47 +00:00
test-bdrv-graph-mod.c tests: add test-bdrv-graph-mod 2019-02-25 15:03:19 +01:00
test-bitcnt.c
test-bitops.c
test-block-backend.c
test-block-iothread.c block: Fix hangs in synchronous APIs with iothreads 2019-02-01 13:46:44 +01:00
test-blockjob-txn.c tests/test-blockjob-txn: move .exit to .clean 2018-09-25 15:31:15 +02:00
test-blockjob.c test-blockjob: Acquire AioContext around job_cancel_sync() 2018-09-25 15:50:15 +02:00
test-bufferiszero.c
test-char.c char: allow specifying a GMainContext at opening time 2019-02-13 14:23:39 +01:00
test-clone-visitor.c tests: Rename UserDefNativeListUnion to UserDefListUnion 2019-03-05 14:43:11 +01:00
test-coroutine.c
test-crypto-afsplit.c
test-crypto-block.c crypto: support multiple threads accessing one QCryptoBlock 2018-12-12 11:16:49 +00:00
test-crypto-cipher.c
test-crypto-hash.c
test-crypto-hmac.c
test-crypto-ivgen.c
test-crypto-pbkdf.c test: execute g_test_run when tests are skipped 2019-01-11 13:57:25 +01:00
test-crypto-secret.c
test-crypto-tlscredsx509.c crypto: require gnutls >= 3.1.18 for building QEMU 2018-10-19 12:26:57 +01:00
test-crypto-tlssession.c authz: delete existing ACL implementation 2019-02-26 15:32:19 +00:00
test-crypto-xts.c crypto: add testing for unaligned buffers with XTS cipher mode 2018-10-24 19:03:37 +01:00
test-cutils.c cutils: Fix qemu_strtosz() & friends to reject non-finite sizes 2018-12-13 19:10:06 +01:00
test-filter-mirror.c test-filter-mirror: pass UNIX domain socket through fd 2019-02-04 16:03:20 +00:00
test-filter-redirector.c chardev: forbid 'wait' option with client sockets 2019-02-12 17:35:56 +01:00
test-hbitmap.c Revert "hbitmap: Add @advance param to hbitmap_iter_next()" 2019-01-15 18:26:50 -05:00
test-hmp.c hmp: Add hmp_announce_self 2019-03-05 11:27:41 +08:00
test-image-locking.c tests: Add unit tests for image locking 2018-11-12 17:46:57 +01:00
test-int128.c
test-io-channel-buffer.c
test-io-channel-command.c
test-io-channel-file.c
test-io-channel-socket.c io: ensure UNIX client doesn't unlink server socket 2019-01-24 12:23:35 +00:00
test-io-channel-tls.c authz: delete existing ACL implementation 2019-02-26 15:32:19 +00:00
test-io-task.c
test-iov.c
test-keyval.c hw: Use IEC binary prefix definitions from "qemu/units.h" 2018-07-02 15:41:10 +02:00
test-logging.c
test-mul64.c
test-netfilter.c qobject: Replace qobject_incref/QINCREF qobject_decref/QDECREF 2018-05-04 08:27:53 +02:00
test-opts-visitor.c
test-qapi-util.c
test-qdev-global-props.c qdev: all globals are now user-provided 2019-01-07 16:18:42 +04:00
test-qdist.c
test-qemu-opts.c hw: Use IEC binary prefix definitions from "qemu/units.h" 2018-07-02 15:41:10 +02:00
test-qga.c tests: add qmp_assert_error_class() 2018-08-31 09:53:10 +02:00
test-qht-par.c
test-qht.c qht: drop ht argument from qht iterators 2018-09-26 08:55:54 -07:00
test-qmp-cmds.c tests: Rename UserDefNativeListUnion to UserDefListUnion 2019-03-05 14:43:11 +01:00
test-qmp-event.c qapi: Generate QAPIEvent stuff into separate files 2019-02-18 14:44:04 +01:00
test-qobject-input-visitor.c tests: Rename UserDefNativeListUnion to UserDefListUnion 2019-03-05 14:43:11 +01:00
test-qobject-output-visitor.c tests: Rename UserDefNativeListUnion to UserDefListUnion 2019-03-05 14:43:11 +01:00
test-rcu-list.c qemu/queue.h: leave head structs anonymous unless necessary 2019-01-11 15:46:55 +01:00
test-rcu-simpleq.c tests: add test-list-simpleq 2018-08-23 18:46:25 +02:00
test-rcu-tailq.c tests: add test-rcu-tailq 2018-08-23 18:46:25 +02:00
test-replication.c test-replication: Lock AioContext around blk_unref() 2018-10-01 19:13:55 +02:00
test-shift128.c
test-string-input-visitor.c test-string-input-visitor: Add range overflow tests 2018-12-13 19:10:06 +01:00
test-string-output-visitor.c
test-thread-pool.c Remove unnecessary variables for function return value 2018-05-20 08:48:13 +03:00
test-throttle.c
test-timed-average.c
test-util-filemonitor.c util: add helper APIs for dealing with inotify in portable manner 2019-02-26 15:25:58 +00:00
test-util-sockets.c monitor: Fix unsafe sharing of @cur_mon among threads 2018-07-23 14:00:03 +02:00
test-uuid.c
test-visitor-serialization.c qobject: Replace qobject_incref/QINCREF qobject_decref/QDECREF 2018-05-04 08:27:53 +02:00
test-vmstate.c tests: add /vmstate/simple/array 2019-01-23 15:51:47 +00:00
test-write-threshold.c
test-x86-cpuid-compat.c build-sys: remove glib_subprocess check 2018-08-23 18:46:25 +02:00
test-x86-cpuid.c
test-xbzrle.c
tmp105-test.c misc: add pca9552 LED blinker model 2018-06-08 13:15:32 +01:00
tpci200-test.c
tpm-crb-swtpm-test.c test: Pass TPM interface model to functions creating command line 2018-06-06 15:44:07 -04:00
tpm-crb-test.c tests: Fix signalling race condition in TPM tests 2018-09-07 16:37:47 -04:00
tpm-emu.c tests: Fix signalling race condition in TPM tests 2018-09-07 16:37:47 -04:00
tpm-emu.h tests: Fix signalling race condition in TPM tests 2018-09-07 16:37:47 -04:00
tpm-tests.c tests: tpm: Use g_test_message rather than fprintf 2018-11-14 16:12:24 -05:00
tpm-tests.h test: Pass TPM interface model to functions creating command line 2018-06-06 15:44:07 -04:00
tpm-tis-swtpm-test.c test: Add swtpm migration test for the TPM TIS interface 2018-06-06 15:44:12 -04:00
tpm-tis-test.c tests: Fix signalling race condition in TPM tests 2018-09-07 16:37:47 -04:00
tpm-util.c tests/tpm: Display if swtpm is not found or --tpm2 not supported 2018-10-30 13:53:15 -04:00
tpm-util.h Clean up includes 2018-12-20 10:29:08 +01:00
usb-hcd-ehci-test.c tests: Clean up string interpolation around qtest_qmp_device_add() 2018-08-16 08:42:06 +02:00
usb-hcd-ohci-test.c tests: Clean up string interpolation around qtest_qmp_device_add() 2018-08-16 08:42:06 +02:00
usb-hcd-uhci-test.c tests: Clean up string interpolation around qtest_qmp_device_add() 2018-08-16 08:42:06 +02:00
usb-hcd-xhci-test.c tests: Clean up string interpolation around qtest_qmp_device_add() 2018-08-16 08:42:06 +02:00
vhost-user-bridge.c Clean up includes 2018-12-20 10:29:08 +01:00
vhost-user-test.c vhost-user-test: create a temporary directory per TestServer 2019-02-21 12:28:01 -05:00
virtio-9p-test.c
virtio-balloon-test.c libqtest: Replace qtest_startf() by qtest_initf() 2018-08-16 08:42:06 +02:00
virtio-blk-test.c tests/virtio-blk: add test for DISCARD command 2019-02-22 09:42:17 +00:00
virtio-ccw-test.c tests: virtio: separate ccw tests from libqos 2018-08-23 13:32:50 +02:00
virtio-console-test.c libqtest: Replace qtest_startf() by qtest_initf() 2018-08-16 08:42:06 +02:00
virtio-net-test.c virtio-net-test: add large tx buffer test 2018-12-04 11:06:15 +00:00
virtio-rng-test.c tests: Clean up string interpolation around qtest_qmp_device_add() 2018-08-16 08:42:06 +02:00
virtio-scsi-test.c tests: Clean up string interpolation around qtest_qmp_device_add() 2018-08-16 08:42:06 +02:00
virtio-serial-test.c libqtest: Replace qtest_startf() by qtest_initf() 2018-08-16 08:42:06 +02:00
vmgenid-test.c uuid: Make qemu_uuid_bswap() take and return a QemuUUID 2019-02-01 13:46:45 +01:00
vmxnet3-test.c
wdt_ib700-test.c qobject: Replace qobject_incref/QINCREF qobject_decref/QDECREF 2018-05-04 08:27:53 +02:00