The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "EGI Quality Criteria Testing"
Jump to navigation
Jump to search
| Line 1: | Line 1: | ||
<br> | |||
== Quality Criteria Testing == | == Quality Criteria Testing == | ||
Verifiers should adjust the level of testing for each release (major, minor, revision) as described in the [[ | Verifiers should adjust the level of testing for each release (major, minor, revision) as described in the [[Verifiers guideline]]. They must also consider that some of the QC included in the documents are also checked during Stage-Rollout. This list include the '''mandatory''' criteria that must be checked for '''all''' verifications: | ||
<br> | |||
{| cellspacing="0" cellpadding="3" border="1" style="border: 1px solid black; | {| cellspacing="0" cellpadding="3" border="1" class="wikitable sortable" style="border: 1px solid black;" | ||
|- align="left" style="background: none repeat scroll 0% 0% Lightgray;" | |- align="left" style="background: none repeat scroll 0% 0% Lightgray;" | ||
! QC | ! QC | ||
! Description | ! Description | ||
|- | |- | ||
| GENERIC_DIST_3 | | GENERIC_DIST_3 | ||
| Valid binary packages must be available for the tested platform | | Valid binary packages must be available for the tested platform | ||
|- | |- | ||
| GENERIC_SEC_1 | | GENERIC_SEC_1 | ||
| No world-writable files are used in the product | | No world-writable files are used in the product | ||
|- | |- | ||
| INFO_MODEL_SCHEMA_1 | | INFO_MODEL_SCHEMA_1 | ||
| Glue1.3 & Glue2 support | | Glue1.3 & Glue2 support | ||
|- | |- | ||
| INFO_MODEL_SCHEMA_2 | | INFO_MODEL_SCHEMA_2 | ||
| Version of middleware published | | Version of middleware published | ||
|- | |- | ||
| AUTHN_CRED_2 | | AUTHN_CRED_2 | ||
| Use of SHA-2 certificates/proxies | | Use of SHA-2 certificates/proxies | ||
|- | |- | ||
| AUTHN_CRED_3 | | AUTHN_CRED_3 | ||
| Use of RFC proxies | | Use of RFC proxies | ||
|} | |} | ||
== How to test criteria == | == How to test criteria == | ||
=== Generic === | === Generic === | ||
==== GENERIC_DIST_3 ==== | ==== GENERIC_DIST_3 ==== | ||
The product '''must be installable''' from the UMD repository (+ epel if using RH based distros) with no extra packages coming from other sources. All packages '''must be signed'''. | The product '''must be installable''' from the UMD repository (+ epel if using RH based distros) with no extra packages coming from other sources. All packages '''must be signed'''. | ||
Ideally a meta-package fetches all dependencies. Installing should be done with the regular package management tools of the distro (rh based): | Ideally a meta-package fetches all dependencies. Installing should be done with the regular package management tools of the distro (rh based): | ||
yum install <meta-package> | |||
or (debian based): | |||
An easy way to find world-writable files is using the find command: | apt-get install <meta-package> | ||
The packages ''should not'' create any files outside the regular OS locations: use of /opt is discouraged, if files are created there, the QC passes, but a note should be included in the report (except for yaim packages) | |||
==== GENERIC_SEC_1 ==== | |||
An easy way to find world-writable files is using the find command: | |||
find / -type f -perm -002 -exec ls -l {} \; | find / -type f -perm -002 -exec ls -l {} \; | ||
For finding world-writable files in the packages contents: | For finding world-writable files in the packages contents: | ||
rpm -qalv | egrep "^[-d]([-r][-w][-xs]){2}[-r]w" | rpm -qalv | egrep "^[-d]([-r][-w][-xs]){2}[-r]w" | ||
=== Information Model Capability === | === Information Model Capability === | ||
==== INFO_MODEL_SCHEMA_1 ==== | ==== INFO_MODEL_SCHEMA_1 ==== | ||
Use [https://tomtools.cern.ch/confluence/display/IS/GLUEValidator GlueValidator] for testing the validity of both Glue1.3 and Glue2. | Use [https://tomtools.cern.ch/confluence/display/IS/GLUEValidator GlueValidator] for testing the validity of both Glue1.3 and Glue2. | ||
Some exceptions may be allowed: | Some exceptions may be allowed: | ||
* AssertionError: The field GLUE2EndpointCapability with value 'information.publication' does not follow the type Capability_t | |||
*AssertionError: The field GLUE2EndpointCapability with value 'information.publication' does not follow the type Capability_t | |||
* | * | ||
==== INFO_MODEL_SCHEMA_2 ==== | ==== INFO_MODEL_SCHEMA_2 ==== | ||
The basic query would be something like: | The basic query would be something like: | ||
ldapsearch -x -h | ldapsearch -x -h <hostname> -p 2170 -b GLUE2GroupID=resource,o=glue objectclass=GLUE2Endpoint | ||
That should return one or more Endpoint objects, containing attributes like | That should return one or more Endpoint objects, containing attributes like | ||
GLUE2EndpointImplementationVersion: 2.7.0 | GLUE2EndpointImplementationVersion: 2.7.0 | ||
GLUE2EntityOtherInfo: MiddlewareVersion=2.5.1-1 | GLUE2EntityOtherInfo: MiddlewareVersion=2.5.1-1 | ||
=== Authentication Capability === | === Authentication Capability === | ||
==== AUTHN_CRED_2 ==== | ==== AUTHN_CRED_2 ==== | ||
If you do not have valid SHA-2 certificates, you can get one using a provider like | If you do not have valid SHA-2 certificates, you can get one using a provider like CILogon, using their (unaccredited) OpenID provider like Google | ||
(instructions from D. Groep) | (instructions from D. Groep) | ||
# Go to https://cilogon.org/ | #Go to https://cilogon.org/ | ||
# Select "Google" from the list of IdPs. | #Select "Google" from the list of IdPs. | ||
# After signing in to Google and typing in a password, you can download a pkcs#12 file with your new certificate and private key. | #After signing in to Google and typing in a password, you can download a pkcs#12 file with your new certificate and private key. | ||
# To get the conventional usercert.pem and userkey.pem, use openssl: | #To get the conventional usercert.pem and userkey.pem, use openssl: | ||
openssl pkcs12 -in myfile.p12 -info -out usercert.pem -nokeys | openssl pkcs12 -in myfile.p12 -info -out usercert.pem -nokeys | ||
| Line 94: | Line 98: | ||
chmod 0600 userkey.pem | chmod 0600 userkey.pem | ||
Services to test need to have the OpenID CA just like the other IGTF CAs, which is available from the [https://dist.eugridpma.info/distribution/current/experimental/ experimental repository]. A [https://dist.eugridpma.info/distribution/current/experimental/RPMS/ca_cilogon-openid-1.48-1.noarch.rpm RPM package] is also provided. | Services to test need to have the OpenID CA just like the other IGTF CAs, which is available from the [https://dist.eugridpma.info/distribution/current/experimental/ experimental repository]. A [https://dist.eugridpma.info/distribution/current/experimental/RPMS/ca_cilogon-openid-1.48-1.noarch.rpm RPM package] is also provided. | ||
SA2 VM images also include SHA-2 certificates into /etc/grid-security directory (hostcert-SHA2.pem and hostkey-SHA2.pem). These certificates could replace /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem to check SHA-2 service support. First of all backup the old certificates: | |||
cp /etc/grid-security/hostcert.pem /etc/grid-security/hostcert.pem.orig | |||
cp /etc/grid-security/hostkey.pem /etc/grid-security/hostkey.pem.orig | |||
<pre> | And replace them by the new SHA2 certificates: | ||
$ voms-proxy-init -rfc --voms dteam | |||
cp /etc/grid-security/hostcert-SHA2.pem /etc/grid-security/hostcert.pem | |||
cp /etc/grid-security/hostkey-SHA2.pem /etc/grid-security/hostkey.pem | |||
An then restart the service. | |||
==== AUTHN_CRED_3 ==== | |||
RFC proxies can be created by using the <tt>-rfc</tt> option in voms-proxy-init: | |||
<pre>$ voms-proxy-init -rfc --voms dteam | |||
Your identity: /DC=es/DC=irisgrid/O=ifca/CN=Enol-Fernandez-delCastillo | Your identity: /DC=es/DC=irisgrid/O=ifca/CN=Enol-Fernandez-delCastillo | ||
Creating temporary proxy .......................................... Done | Creating temporary proxy .......................................... Done | ||
| Line 107: | Line 121: | ||
Creating proxy ...................................... Done | Creating proxy ...................................... Done | ||
Your proxy is valid until Thu Aug 2 01:01:26 2012 | Your proxy is valid until Thu Aug 2 01:01:26 2012 | ||
</pre> | </pre> | ||
You can check if the proxy has RFC format with voms-proxy-info: | |||
You can check if the proxy has RFC format with voms-proxy-info: | <pre>$ voms-proxy-info --all | ||
<pre> | subject : /DC=es/DC=irisgrid/O=ifca/CN=Enol-Fernandez-delCastillo/CN=3300543 | ||
$ voms-proxy-info --all | issuer : /DC=es/DC=irisgrid/O=ifca/CN=Enol-Fernandez-delCastillo | ||
subject | identity : /DC=es/DC=irisgrid/O=ifca/CN=Enol-Fernandez-delCastillo | ||
issuer | type : RFC compliant proxy | ||
identity | strength : 1024 bits | ||
type | path : /nfs4/home/local/enol/.x509up_u7056 | ||
strength | timeleft : 11:59:52 | ||
path | |||
timeleft | |||
=== VO dteam extension information === | === VO dteam extension information === | ||
VO | VO : dteam | ||
subject | subject : /DC=es/DC=irisgrid/O=ifca/CN=Enol-Fernandez-delCastillo | ||
issuer | issuer : /C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr | ||
attribute : /dteam/Role=NULL/Capability=NULL | attribute : /dteam/Role=NULL/Capability=NULL | ||
timeleft | timeleft : 11:59:51 | ||
uri | uri : voms.hellasgrid.gr:15004 | ||
</pre> | </pre> | ||
[[Category:Technology]] [[Category:Quality_Assurance]] | |||
Revision as of 10:33, 17 January 2013
Quality Criteria Testing
Verifiers should adjust the level of testing for each release (major, minor, revision) as described in the Verifiers guideline. They must also consider that some of the QC included in the documents are also checked during Stage-Rollout. This list include the mandatory criteria that must be checked for all verifications:
| QC | Description |
|---|---|
| GENERIC_DIST_3 | Valid binary packages must be available for the tested platform |
| GENERIC_SEC_1 | No world-writable files are used in the product |
| INFO_MODEL_SCHEMA_1 | Glue1.3 & Glue2 support |
| INFO_MODEL_SCHEMA_2 | Version of middleware published |
| AUTHN_CRED_2 | Use of SHA-2 certificates/proxies |
| AUTHN_CRED_3 | Use of RFC proxies |
How to test criteria
Generic
GENERIC_DIST_3
The product must be installable from the UMD repository (+ epel if using RH based distros) with no extra packages coming from other sources. All packages must be signed.
Ideally a meta-package fetches all dependencies. Installing should be done with the regular package management tools of the distro (rh based):
yum install <meta-package>
or (debian based):
apt-get install <meta-package>
The packages should not create any files outside the regular OS locations: use of /opt is discouraged, if files are created there, the QC passes, but a note should be included in the report (except for yaim packages)
GENERIC_SEC_1
An easy way to find world-writable files is using the find command:
find / -type f -perm -002 -exec ls -l {} \;
For finding world-writable files in the packages contents:
rpm -qalv | egrep "^[-d]([-r][-w][-xs]){2}[-r]w"
Information Model Capability
INFO_MODEL_SCHEMA_1
Use GlueValidator for testing the validity of both Glue1.3 and Glue2.
Some exceptions may be allowed:
- AssertionError: The field GLUE2EndpointCapability with value 'information.publication' does not follow the type Capability_t
INFO_MODEL_SCHEMA_2
The basic query would be something like:
ldapsearch -x -h <hostname> -p 2170 -b GLUE2GroupID=resource,o=glue objectclass=GLUE2Endpoint
That should return one or more Endpoint objects, containing attributes like
GLUE2EndpointImplementationVersion: 2.7.0 GLUE2EntityOtherInfo: MiddlewareVersion=2.5.1-1
Authentication Capability
AUTHN_CRED_2
If you do not have valid SHA-2 certificates, you can get one using a provider like CILogon, using their (unaccredited) OpenID provider like Google
(instructions from D. Groep)
- Go to https://cilogon.org/
- Select "Google" from the list of IdPs.
- After signing in to Google and typing in a password, you can download a pkcs#12 file with your new certificate and private key.
- To get the conventional usercert.pem and userkey.pem, use openssl:
openssl pkcs12 -in myfile.p12 -info -out usercert.pem -nokeys openssl pkcs12 -in myfile.p12 -info -out userkey.pem -nocerts chmod 0600 userkey.pem
Services to test need to have the OpenID CA just like the other IGTF CAs, which is available from the experimental repository. A RPM package is also provided.
SA2 VM images also include SHA-2 certificates into /etc/grid-security directory (hostcert-SHA2.pem and hostkey-SHA2.pem). These certificates could replace /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem to check SHA-2 service support. First of all backup the old certificates:
cp /etc/grid-security/hostcert.pem /etc/grid-security/hostcert.pem.orig cp /etc/grid-security/hostkey.pem /etc/grid-security/hostkey.pem.orig
And replace them by the new SHA2 certificates:
cp /etc/grid-security/hostcert-SHA2.pem /etc/grid-security/hostcert.pem cp /etc/grid-security/hostkey-SHA2.pem /etc/grid-security/hostkey.pem
An then restart the service.
AUTHN_CRED_3
RFC proxies can be created by using the -rfc option in voms-proxy-init:
$ voms-proxy-init -rfc --voms dteam Your identity: /DC=es/DC=irisgrid/O=ifca/CN=Enol-Fernandez-delCastillo Creating temporary proxy .......................................... Done Contacting voms.hellasgrid.gr:15004 [/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr] "dteam" Done Creating proxy ...................................... Done Your proxy is valid until Thu Aug 2 01:01:26 2012
You can check if the proxy has RFC format with voms-proxy-info:
$ voms-proxy-info --all subject : /DC=es/DC=irisgrid/O=ifca/CN=Enol-Fernandez-delCastillo/CN=3300543 issuer : /DC=es/DC=irisgrid/O=ifca/CN=Enol-Fernandez-delCastillo identity : /DC=es/DC=irisgrid/O=ifca/CN=Enol-Fernandez-delCastillo type : RFC compliant proxy strength : 1024 bits path : /nfs4/home/local/enol/.x509up_u7056 timeleft : 11:59:52 === VO dteam extension information === VO : dteam subject : /DC=es/DC=irisgrid/O=ifca/CN=Enol-Fernandez-delCastillo issuer : /C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr attribute : /dteam/Role=NULL/Capability=NULL timeleft : 11:59:51 uri : voms.hellasgrid.gr:15004