Check nginx + httpd + openssl version and unit tests.

Fleshgrinder · Fleshgrinder · commit 80bf661318d4 · 2014-10-13T19:53:31.000+02:00
diff --git a/config.sh b/config.sh
@@ -62,6 +62,9 @@ readonly SERVER_INIT_PATH='/etc/init.d/nginx'
 # The minimum version the server has to have for session ticket keys via files.
 readonly SERVER_MIN_VERSION='1.5.7'
 
+# The minimum version the OpenSSL library requires for session ticket support.
+readonly OPENSSL_MIN_VERSION='0.9.8f'
+
 # Absolute path to the cron program.
 readonly CRON_PATH='/etc/cron.d/session_ticket_key_rotation'
 
@@ -202,31 +205,74 @@ system time and ensure all servers are in sync"
   fi
 }
 
+# Check OpenSSL version which has (of course) an awkward formatting.
+#
+# ARGS:
+#  $1 - The minimum required version.
+# RETURN:
+#  0 - If version is equal or greater.
+#  1 - If version is lower.
+check_openssl_version()
+{
+  # Example output: `OpenSSL 1.0.1f 6 Jan 2014`
+  OPENSSL_VERSION=$(openssl version)
+
+  OPENSSL_VERSION="${OPENSSL_VERSION#* }" # Remove smallest prefix space.
+  OPENSSL_VERSION="${OPENSSL_VERSION%% *}" # Remove largest suffix space.
+  # Now we have only `1.0.1f` left from above example.
+
+  # This one's complicated. We need an integer for -ge comparison and therefore
+  # remove the last character and all dots from the version string. Afterwards
+  # we get the last character and convert it to its ASCII code point.
+  #
+  # Note the leading single quote in front of the second command, that's what
+  # converts the character to its code point.
+  V1=$(printf -- '%s%03d' \
+    "$(printf -- '%s' ${OPENSSL_VERSION} | head -c -1 | tr -d '.')" \
+    "'$(printf -- '%s' ${OPENSSL_VERSION} | tail -c -1)")
+
+  # Now we need to do the same with the minimum version.
+  V2=$(printf -- '%s%03d' \
+    "$(printf -- '%s' ${1} | head -c -1 | tr -d '.')" \
+    "'$(printf -- '%s' ${1} | tail -c -1)")
+
+  # Greater or equals is what we are interested in.
+  if [ "${V1}" -ge "${V2}" ]
+  then
+    ok "Installed OpenSSL version is ${YELLOW}${OPENSSL_VERSION}${NORMAL}"
+  else
+    fail "Installed OpenSSL version is ${YELLOW}${OPENSSL_VERSION}${NORMAL} \
+which does not support session ticket keys. You need to install at least \
+version ${YELLOW}${2}${NORMAL}"
+  fi
+}
+
 # Check program version.
 #
+# NOTE: Works for nginx and Apache http (httpd).
 # ARGS:
 #  $1 - The name of the program to check the version (must support -v option).
 #  $2 - The minimum version.
 # RETURN:
 #  0 - If version is equal or greater.
 #  1 - If version is lower.
-check_version()
+check_server_version()
 {
-  # Get version information from program.
-  SERVER_VERSION=$("${1}" -v 2>&1)
-
-  # nginx specific, the format of the output looks like:
-  # `nginx version: nginx/1.7.6`
-  # We need to strip the part to the left of the slash.
-  SERVER_VERSION="${SERVER_VERSION##*/}"
-
-  # Remove dots and leading zeros.
-  V1=$(printf '%s' "${SERVER_VERSION}" | tr -d '.')
-  V1="${V1##*0}"
-
-  # Remove dots and leading zeros.
-  V2=$(printf '%s' "${2}" | tr -d '.')
-  V2="${V2##*0}"
+  # Get version information from program. The head call isn't necessary for
+  # nginx but it is for httpd because it will output something like:
+  #   Server version: Apache/2.4.10
+  #   Server built:   Jul 09 2014 07:22:45
+  SERVER_VERSION=$("${1}" -v 2>&1 | head -n1)
+
+  # nginx: nginx version: nginx/1.7.6
+  # httpd: Server version: Apache/2.4.10
+  SERVER_VERSION="${SERVER_VERSION##*/}" # Remove longest match slash.
+  # nginx: 1.7.6
+  # httpd: 2.4.10
+
+  # Remove dots.
+  V1=$(printf -- '%s' "${SERVER_VERSION}" | tr -d '.')
+  V2=$(printf -- '%s' "${2}" | tr -d '.')
 
   # Greater or equals is what we are interested in.
   if [ "${V1}" -ge "${V2}" ]
diff --git a/install.sh b/install.sh
@@ -65,7 +65,7 @@ fi
 super_user
 check_ntpd
 is_installed "${SERVER}"
-check_version "${SERVER}" "${SERVER_MIN_VERSION}"
+check_server_version "${SERVER}" "${SERVER_MIN_VERSION}"
 check_filesystem "${FILESYSTEMS_PATH}"
 
 # Simple fail only checks, we have to make sure that the currently configured
diff --git a/test/integration_test.sh b/test/integration_test.sh
@@ -41,6 +41,8 @@ set -e
 WD=$(cd -- $(dirname -- "${0}"); pwd)
 . "${WD}/test.sh"
 
+check_openssl_version "${OPENSSL_MIN_VERSION}"
+
 # Clean-up everything on exit (any: see trap).
 teardown()
 {
@@ -63,8 +65,6 @@ teardown()
 }
 trap -- teardown 0 1 2 3 6 9 14 15
 
-# We need faster rotation, otherwise this test is going to take days.
-
 # Generate private key and certificate for localhost server.
 TEST_NAME='integration_test_key_cert'
 openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
diff --git a/test/test_check_openssl_version.sh b/test/test_check_openssl_version.sh
@@ -37,10 +37,12 @@
 WD=$(cd -- $(dirname -- "${0}"); pwd)
 . "${WD}/test.sh"
 
-check_version nginx 0.0.1 && test_ok || test_fail
-check_version nginx 99.99.99 && test_fail || test_ok
+check_openssl_version '0.0.1a' && test_ok || test_fail
+check_openssl_version "${OPENSSL_MIN_VERSION}" && test_ok || test_fail
+check_openssl_version '99.99.99z' && test_fail || test_ok
 
 # Equal
-V=$(nginx -v 2>&1)
-V="${V##*/}"
-check_version nginx "${V}" && test_ok || test_fail
+V=$(openssl version)
+V="${V#* }"
+V="${V%% *}"
+check_openssl_version "${V}" && test_ok || test_fail
diff --git a/test/test_check_server_version.sh b/test/test_check_server_version.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# ------------------------------------------------------------------------------
+# This is free and unencumbered software released into the public domain.
+#
+# Anyone is free to copy, modify, publish, use, compile, sell, or
+# distribute this software, either in source code form or as a compiled
+# binary, for any purpose, commercial or non-commercial, and by any
+# means.
+#
+# In jurisdictions that recognize copyright laws, the author or authors
+# of this software dedicate any and all copyright interest in the
+# software to the public domain. We make this dedication for the benefit
+# of the public at large and to the detriment of our heirs and
+# successors. We intend this dedication to be an overt act of
+# relinquishment in perpetuity of all present and future rights to this
+# software under copyright law.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+# OTHER DEALINGS IN THE SOFTWARE.
+#
+# For more information, please refer to <http://unlicense.org>
+# ------------------------------------------------------------------------------
+
+# ------------------------------------------------------------------------------
+# AUTHOR: Richard Fussenegger <richard@fussenegger.info>
+# COPYRIGHT: Copyright (c) 2013 Richard Fussenegger
+# LICENSE: http://unlicense.org/ PD
+# LINK: http://richard.fussenegger.info/
+# ------------------------------------------------------------------------------
+
+WD=$(cd -- $(dirname -- "${0}"); pwd)
+. "${WD}/test.sh"
+
+check_server_version "${SERVER}" '0.0.1' && test_ok || test_fail
+check_server_version "${SERVER}" "${SERVER_MIN_VERSION}" && test_ok || test_fail
+check_server_version "${SERVER}" '99.99.99' && test_fail || test_ok
+
+# Equal
+V=$("${SERVER}" -v 2>&1 | head -n1)
+V="${V##*/}"
+check_server_version "${SERVER}" "${V}" && test_ok || test_fail
