Ejemplo n.º 1
0
def manage_cs_create(args):
    if not args.name:
        raise Exception("No name of code signer supplied")
    code_signer.CS(organization=args.name,
                   commonName=args.name + "CS",
                   security_dir=args.dir,
                   force=args.force)
Ejemplo n.º 2
0
def manage_cs_sign(args):
    if not args.name:
        raise Exception("No code signer name supplied")
    if not args.file:
        raise Exception("supply path to a file(s) to sign")
    cs = code_signer.CS(organization=args.name, commonName=args.name+"CS", security_dir=args.dir, force=args.force)
    # Collect files to sign
    files = []
    if args.file:
        for f in args.file:
            exist = os.path.isfile(f)
            if not exist:
                raise Exception("The file path supplied is not an existing file")
            files.extend(glob.glob(f))
    if args.nsfile:
        store = ActorStore()
        for m in args.nsfile:
            files.extend(store.actor_paths(m))
    # Filter out any files not *.calvin, *.py
    files = [f for f in files if f.endswith(('.calvin', '.py')) and not f.endswith('__init__.py')]
    if not files:
        raise Exception("No (*.calvin, *.py) files supplied")
    exceptions = []
    for f in files:
        try:
            cs.sign_file(f)
        except Exception as e:
            exceptions.append(e)
    for e in exceptions:
        print "Error {}".format(e)
Ejemplo n.º 3
0
def manage_cs_export(args):
    if not args.name:
        raise Exception("No code signer name supplied")
    if not args.path:
        raise Exception("No out path supplied")
    cs = code_signer.CS(organization=args.name, commonName=args.name+"CS", security_dir=args.dir, force=args.force)
    out_file = cs.export_cs_cert(args.path)
    print "exported to:" + out_file
Ejemplo n.º 4
0
def sign_files_for_security_tests(credentials_testdir):
    from calvin.utilities import code_signer
    from calvin.utilities.utils import get_home
    from calvin.utilities import certificate
    import shutil

    def replace_text_in_file(file_path, text_to_be_replaced, text_to_insert):
        # Read in the file
        filedata = None
        with open(file_path, 'r') as file:
            filedata = file.read()

        # Replace the target string
        filedata = filedata.replace(text_to_be_replaced, text_to_insert)

        # Write the file out again
        with open(file_path, 'w') as file:
            file.write(filedata)

    homefolder = get_home()
    runtimesdir = os.path.join(credentials_testdir, "runtimes")
    runtimes_truststore_signing_path = os.path.join(runtimesdir,
                                                    "truststore_for_signing")
    orig_testdir = os.path.join(os.path.dirname(__file__), "security_test")
    orig_actor_store_path = os.path.abspath(
        os.path.join(os.path.dirname(__file__), '..', 'actorstore',
                     'systemactors'))
    actor_store_path = os.path.join(credentials_testdir, "store")
    orig_application_store_path = os.path.join(orig_testdir, "scripts")
    application_store_path = os.path.join(credentials_testdir, "scripts")
    print "Create test folders"
    try:
        os.makedirs(actor_store_path)
        os.makedirs(os.path.join(actor_store_path, "test"))
        shutil.copy(os.path.join(orig_actor_store_path, "test", "__init__.py"),
                    os.path.join(actor_store_path, "test", "__init__.py"))
        os.makedirs(os.path.join(actor_store_path, "std"))
        shutil.copy(os.path.join(orig_actor_store_path, "std", "__init__.py"),
                    os.path.join(actor_store_path, "std", "__init__.py"))
        shutil.copytree(orig_application_store_path, application_store_path)
    except Exception as err:
        _log.error(
            "Failed to create test folder structure, err={}".format(err))
        print "Failed to create test folder structure, err={}".format(err)
        raise

    print "Trying to create a new test application/actor signer."
    cs = code_signer.CS(organization="testsigner",
                        commonName="signer",
                        security_dir=credentials_testdir)

    #Create signed version of CountTimer actor
    orig_actor_CountTimer_path = os.path.join(orig_actor_store_path, "std",
                                              "CountTimer.py")
    actor_CountTimer_path = os.path.join(actor_store_path, "std",
                                         "CountTimer.py")
    shutil.copy(orig_actor_CountTimer_path, actor_CountTimer_path)
    cs.sign_file(actor_CountTimer_path)

    #Create unsigned version of CountTimer actor
    actor_CountTimerUnsigned_path = actor_CountTimer_path.replace(
        ".py", "Unsigned.py")
    shutil.copy(actor_CountTimer_path, actor_CountTimerUnsigned_path)
    replace_text_in_file(actor_CountTimerUnsigned_path, "CountTimer",
                         "CountTimerUnsigned")

    #Create signed version of Sum actor
    orig_actor_Sum_path = os.path.join(orig_actor_store_path, "std", "Sum.py")
    actor_Sum_path = os.path.join(actor_store_path, "std", "Sum.py")
    shutil.copy(orig_actor_Sum_path, actor_Sum_path)
    cs.sign_file(actor_Sum_path)

    #Create unsigned version of Sum actor
    actor_SumUnsigned_path = actor_Sum_path.replace(".py", "Unsigned.py")
    shutil.copy(actor_Sum_path, actor_SumUnsigned_path)
    replace_text_in_file(actor_SumUnsigned_path, "Sum", "SumUnsigned")

    #Create incorrectly signed version of Sum actor
    actor_SumFake_path = actor_Sum_path.replace(".py", "Fake.py")
    shutil.copy(actor_Sum_path, actor_SumFake_path)
    #Change the class name to SumFake
    replace_text_in_file(actor_SumFake_path, "Sum", "SumFake")
    cs.sign_file(actor_SumFake_path)
    #Now append to the signed file so the signature verification fails
    with open(actor_SumFake_path, "a") as fd:
        fd.write(" ")

    #Create signed version of Sink actor
    orig_actor_Sink_path = os.path.join(orig_actor_store_path, "test",
                                        "Sink.py")
    actor_Sink_path = os.path.join(actor_store_path, "test", "Sink.py")
    shutil.copy(orig_actor_Sink_path, actor_Sink_path)
    cs.sign_file(actor_Sink_path)

    #Create unsigned version of Sink actor
    actor_SinkUnsigned_path = actor_Sink_path.replace(".py", "Unsigned.py")
    shutil.copy(actor_Sink_path, actor_SinkUnsigned_path)
    replace_text_in_file(actor_SinkUnsigned_path, "Sink", "SinkUnsigned")

    #Sign applications
    cs.sign_file(
        os.path.join(application_store_path, "correctly_signed.calvin"))
    cs.sign_file(
        os.path.join(application_store_path,
                     "correctlySignedApp_incorrectlySignedActor.calvin"))
    cs.sign_file(
        os.path.join(application_store_path, "incorrectly_signed.calvin"))
    #Now append to the signed file so the signature verification fails
    with open(
            os.path.join(application_store_path, "incorrectly_signed.calvin"),
            "a") as fd:
        fd.write(" ")

    print "Export Code Signers certificate to the truststore for code signing"
    out_file = cs.export_cs_cert(runtimes_truststore_signing_path)
    certificate.c_rehash(type=certificate.TRUSTSTORE_SIGN,
                         security_dir=credentials_testdir)
    return actor_store_path, application_store_path
Ejemplo n.º 5
0
    def setup(self, request):
        from calvin.Tools.csruntime import csruntime
        from conftest import _config_pytest
        import fileinput
        global rt
        global request_handler
        try:
            shutil.rmtree(credentials_testdir)
        except Exception as err:
            print "Failed to remove old tesdir, err={}".format(err)
            pass
        try:
            os.makedirs(credentials_testdir)
            os.makedirs(runtimesdir)
            os.makedirs(runtimes_truststore)
            os.makedirs(runtimes_truststore_signing_path)
            os.makedirs(actor_store_path)
            os.makedirs(os.path.join(actor_store_path, "test"))
            shutil.copy(
                os.path.join(orig_actor_store_path, "test", "__init__.py"),
                os.path.join(actor_store_path, "test", "__init__.py"))
            os.makedirs(os.path.join(actor_store_path, "std"))
            shutil.copy(
                os.path.join(orig_actor_store_path, "std", "__init__.py"),
                os.path.join(actor_store_path, "std", "__init__.py"))
            shutil.copytree(orig_application_store_path,
                            application_store_path)
            filelist = [
                f for f in os.listdir(application_store_path)
                if f.endswith(".sign.93d58fef")
            ]
            for f in filelist:
                os.remove(os.path.join(application_store_path, f))
            shutil.copytree(
                os.path.join(security_testdir, "identity_provider"),
                identity_provider_path)
        except Exception as err:
            _log.error(
                "Failed to create test folder structure, err={}".format(err))
            print "Failed to create test folder structure, err={}".format(err)
            raise

        print "Trying to create a new test application/actor signer."
        cs = code_signer.CS(organization="testsigner",
                            commonName="signer",
                            security_dir=credentials_testdir)

        #Create signed version of CountTimer actor
        orig_actor_CountTimer_path = os.path.join(orig_actor_store_path, "std",
                                                  "CountTimer.py")
        actor_CountTimer_path = os.path.join(actor_store_path, "std",
                                             "CountTimer.py")
        shutil.copy(orig_actor_CountTimer_path, actor_CountTimer_path)
        #        cs.sign_file(actor_CountTimer_path)

        #Create unsigned version of CountTimer actor
        actor_CountTimerUnsigned_path = actor_CountTimer_path.replace(
            ".py", "Unsigned.py")
        shutil.copy(actor_CountTimer_path, actor_CountTimerUnsigned_path)
        replace_text_in_file(actor_CountTimerUnsigned_path, "CountTimer",
                             "CountTimerUnsigned")

        #Create signed version of Sum actor
        orig_actor_Sum_path = os.path.join(orig_actor_store_path, "std",
                                           "Sum.py")
        actor_Sum_path = os.path.join(actor_store_path, "std", "Sum.py")
        shutil.copy(orig_actor_Sum_path, actor_Sum_path)
        #        cs.sign_file(actor_Sum_path)

        #Create unsigned version of Sum actor
        actor_SumUnsigned_path = actor_Sum_path.replace(".py", "Unsigned.py")
        shutil.copy(actor_Sum_path, actor_SumUnsigned_path)
        replace_text_in_file(actor_SumUnsigned_path, "Sum", "SumUnsigned")

        #Create incorrectly signed version of Sum actor
        #        actor_SumFake_path = actor_Sum_path.replace(".py", "Fake.py")
        #        shutil.copy(actor_Sum_path, actor_SumFake_path)
        #        #Change the class name to SumFake
        #        replace_text_in_file(actor_SumFake_path, "Sum", "SumFake")
        #        cs.sign_file(actor_SumFake_path)
        #        #Now append to the signed file so the signature verification fails
        #        with open(actor_SumFake_path, "a") as fd:
        #                fd.write(" ")

        #Create signed version of Sink actor
        orig_actor_Sink_path = os.path.join(orig_actor_store_path, "test",
                                            "Sink.py")
        actor_Sink_path = os.path.join(actor_store_path, "test", "Sink.py")
        shutil.copy(orig_actor_Sink_path, actor_Sink_path)
        #        cs.sign_file(actor_Sink_path)

        #Create unsigned version of Sink actor
        actor_SinkUnsigned_path = actor_Sink_path.replace(".py", "Unsigned.py")
        shutil.copy(actor_Sink_path, actor_SinkUnsigned_path)
        replace_text_in_file(actor_SinkUnsigned_path, "Sink", "SinkUnsigned")

        #Sign applications
        #        cs.sign_file(os.path.join(application_store_path, "test_security1_correctly_signed.calvin"))
        #        cs.sign_file(os.path.join(application_store_path, "test_security1_correctlySignedApp_incorrectlySignedActor.calvin"))
        #        cs.sign_file(os.path.join(application_store_path, "test_security1_incorrectly_signed.calvin"))
        #        #Now append to the signed file so the signature verification fails
        #        with open(os.path.join(application_store_path, "test_security1_incorrectly_signed.calvin"), "a") as fd:
        #                fd.write(" ")

        #        print "Export Code Signers certificate to the truststore for code signing"
        #        out_file = cs.export_cs_cert(runtimes_truststore_signing_path)

        print "Trying to create a new test domain configuration."
        ca = certificate_authority.CA(domain=domain_name,
                                      commonName="testdomain CA",
                                      security_dir=credentials_testdir)
        #
        print "Copy CA cert into truststore of runtimes folder"
        ca.export_ca_cert(runtimes_truststore)
        #Define the runtime attributes
        rt0_attributes = {
            'indexed_public': {
                'owner': {
                    'organization': domain_name,
                    'personOrGroup': 'testOwner1'
                },
                'node_name': {
                    'organization': 'org.testexample',
                    'name': 'CA'
                },
                'address': {
                    'country': 'SE',
                    'locality': 'testCity',
                    'street': 'testStreet',
                    'streetNumber': 1
                }
            }
        }
        rt1_attributes = {
            'indexed_public': {
                'owner': {
                    'organization': domain_name,
                    'personOrGroup': 'testOwner1'
                },
                'node_name': {
                    'organization': 'org.testexample',
                    'name': 'testNode1'
                },
                'address': {
                    'country': 'SE',
                    'locality': 'testCity',
                    'street': 'testStreet',
                    'streetNumber': 1
                }
            }
        }
        rt2_attributes = {
            'indexed_public': {
                'owner': {
                    'organization': domain_name,
                    'personOrGroup': 'testOwner1'
                },
                'node_name': {
                    'organization': 'org.testexample',
                    'name': 'testNode2'
                },
                'address': {
                    'country': 'SE',
                    'locality': 'testCity',
                    'street': 'otherStreet',
                    'streetNumber': 1
                }
            }
        }
        rt3_attributes = {
            'indexed_public': {
                'owner': {
                    'organization': domain_name,
                    'personOrGroup': 'testOwner1'
                },
                'node_name': {
                    'organization': 'org.testexample',
                    'name': 'testNode3'
                },
                'address': {
                    'country': 'SE',
                    'locality': 'testCity',
                    'street': 'testStreet',
                    'streetNumber': 1
                }
            }
        }
        rt4_attributes = {
            'indexed_public': {
                'owner': {
                    'organization': domain_name,
                    'personOrGroup': 'testOwner1'
                },
                'node_name': {
                    'organization': 'org.testexample',
                    'name': 'testNode4'
                },
                'address': {
                    'country': 'SE',
                    'locality': 'testCity',
                    'street': 'testStreet',
                    'streetNumber': 1
                }
            }
        }
        rt5_attributes = {
            'indexed_public': {
                'owner': {
                    'organization': domain_name,
                    'personOrGroup': 'testOwner1'
                },
                'node_name': {
                    'organization': 'org.testexample',
                    'name': 'testNode5'
                },
                'address': {
                    'country': 'SE',
                    'locality': 'testCity',
                    'street': 'testStreet',
                    'streetNumber': 1
                }
            }
        }
        rt_attributes = []
        rt_attributes.append(deepcopy(rt0_attributes))
        rt_attributes.append(deepcopy(rt1_attributes))
        rt_attributes.append(deepcopy(rt2_attributes))
        rt_attributes.append(deepcopy(rt3_attributes))
        rt_attributes.append(deepcopy(rt4_attributes))
        rt_attributes.append(deepcopy(rt5_attributes))
        rt_attributes_cpy = deepcopy(rt_attributes)
        runtimes = []
        #Initiate Requesthandler with trusted CA cert
        truststore_dir = certificate.get_truststore_path(
            type=certificate.TRUSTSTORE_TRANSPORT,
            security_dir=credentials_testdir)
        #   The following is less than optimal if multiple CA certs exist
        ca_cert_path = os.path.join(truststore_dir,
                                    os.listdir(truststore_dir)[0])
        request_handler = RequestHandler(verify=ca_cert_path)
        #Generate credentials, create CSR, sign with CA and import cert for all runtimes
        enrollment_passwords = []
        for rt_attribute in rt_attributes:
            attributes = AttributeResolver(rt_attribute)
            node_name = attributes.get_node_name_as_str()
            nodeid = calvinuuid.uuid("")
            enrollment_password = ca.cert_enrollment_add_new_runtime(node_name)
            enrollment_passwords.append(enrollment_password)
            runtime = runtime_credentials.RuntimeCredentials(
                node_name,
                domain=domain_name,
                security_dir=credentials_testdir,
                nodeid=nodeid,
                enrollment_password=enrollment_password)
            runtimes.append(runtime)
            ca_cert = runtime.get_truststore(
                type=certificate.TRUSTSTORE_TRANSPORT)[0][0]
            csr_path = os.path.join(runtime.runtime_dir, node_name + ".csr")
            #Encrypt CSR with CAs public key (to protect enrollment password)
            rsa_encrypted_csr = runtime.cert_enrollment_encrypt_csr(
                csr_path, ca_cert)
            #Decrypt encrypted CSR with CAs private key
            csr = ca.decrypt_encrypted_csr(
                encrypted_enrollment_request=rsa_encrypted_csr)
            csr_path = ca.store_csr_with_enrollment_password(csr)
            cert_path = ca.sign_csr(csr_path)
            runtime.store_own_cert(certpath=cert_path,
                                   security_dir=credentials_testdir)
        #Let's hash passwords in users.json file (the runtimes will try to do this
        # but they will all try to do it at the same time, so it will be overwritten
        # multiple times and the first test will always fail)
#        self.arp = FileAuthenticationRetrievalPoint(identity_provider_path)
#        self.arp.check_stored_users_db_for_unhashed_passwords()

#The policy allows access to control interface for everyone, for more advanced rules
# it might be appropriate to run set_credentials for request_handler, e.g.,
#  request_handler.set_credentials({domain_name:{"user": "******", "password": "******"}})

        rt_conf = copy.deepcopy(_conf)
        #        rt_conf.set('security', 'runtime_to_runtime_security', "tls")
        #        rt_conf.set('security', 'control_interface_security', "tls")
        rt_conf.set('security', 'domain_name', domain_name)
        #        rt_conf.set('security', 'certificate_authority_control_uri',"https://%s:5020" % hostname )
        rt_conf.set('security', 'security_dir', credentials_testdir)
        rt_conf.set('global', 'actor_paths', [actor_store_path])
        rt_conf.set('global', 'storage_type', "securedht")

        # Runtime 0: local authentication, signature verification, local authorization.
        # Primarily acts as Certificate Authority for the domain
        rt0_conf = copy.deepcopy(rt_conf)
        #        rt0_conf.set('security','enrollment_password',enrollment_passwords[0])
        #The csruntime certificate requests assumes TLS for the control interface
        #        rt0_conf.set('security', 'control_interface_security', "tls")
        #        rt0_conf.set('security','certificate_authority','True')
        #        rt0_conf.set("security", "security_conf", {
        #                        "comment": "Certificate Authority",
        #                        "authentication": {
        #                            "procedure": "local",
        #                            "identity_provider_path": identity_provider_path
        #                        },
        #                        "authorization": {
        #                            "procedure": "local",
        #                            "policy_storage_path": policy_storage_path
        #                        }
        #                    })
        rt0_conf.save("/tmp/calvin5000.conf")

        # Runtime 1: local authentication, signature verification, local authorization.
        rt1_conf = copy.deepcopy(rt_conf)
        #        rt1_conf.set('security','enrollment_password',enrollment_passwords[1])
        #        rt1_conf.set("security", "security_conf", {
        #                        "comment": "Local authentication, local authorization",
        #                        "authentication": {
        #                            "procedure": "local",
        #                            "identity_provider_path": identity_provider_path
        #                        },
        #                        "authorization": {
        #                            "procedure": "local",
        #                            "policy_storage_path": policy_storage_path
        #                        }
        #                    })
        rt1_conf.save("/tmp/calvin5001.conf")

        # Runtime 2: local authentication, signature verification, local authorization.
        # Can also act as authorization server for other runtimes.
        # Other street compared to the other runtimes
        rt2_conf = copy.deepcopy(rt_conf)
        #        rt2_conf.set('security','enrollment_password',enrollment_passwords[2])
        #        rt2_conf.set("security", "security_conf", {
        #                        "comment": "Local authentication, local authorization",
        #                        "authentication": {
        #                            "procedure": "local",
        #                            "identity_provider_path": identity_provider_path
        #                        },
        #                        "authorization": {
        #                            "procedure": "local",
        #                            "policy_storage_path": policy_storage_path,
        #                            "accept_external_requests": True
        #                        }
        #                    })
        rt2_conf.save("/tmp/calvin5002.conf")

        # Runtime 3: external authentication (RADIUS), signature verification, local authorization.
        rt3_conf = copy.deepcopy(rt_conf)
        #        rt3_conf.set('security','enrollment_password',enrollment_passwords[3])
        #        rt3_conf.set("security", "security_conf", {
        #                        "comment": "RADIUS authentication, local authorization",
        #                        "authentication": {
        #                            "procedure": "radius",
        #                            "server_ip": "localhost",
        #                            "secret": "elxghyc5lz1_passwd"
        #                        },
        #                        "authorization": {
        #                            "procedure": "local",
        #                            "policy_storage_path": policy_storage_path
        #                        }
        #                    })
        rt3_conf.save("/tmp/calvin5003.conf")

        # Runtime 4: local authentication, signature verification, external authorization (runtime 2).
        rt4_conf = copy.deepcopy(rt_conf)
        #        rt4_conf.set('security','enrollment_password',enrollment_passwords[4])
        #        rt4_conf.set("security", "security_conf", {
        #                        "comment": "Local authentication, external authorization",
        #                        "authentication": {
        #                            "procedure": "local",
        #                            "identity_provider_path": identity_provider_path
        #                        },
        #                        "authorization": {
        #                            "procedure": "external"
        #                        }
        #                    })
        rt4_conf.save("/tmp/calvin5004.conf")

        # Runtime 5: external authentication (runtime 1), signature verification, local authorization.
        rt5_conf = copy.deepcopy(rt_conf)
        #        rt5_conf.set('global','storage_type','proxy')
        #        rt5_conf.set('global','storage_proxy',"calvinip://%s:5000" % ip_addr )
        #        rt5_conf.set('security','enrollment_password',enrollment_passwords[5])
        #        rt5_conf.set("security", "security_conf", {
        #                        "comment": "Local authentication, external authorization",
        #                        "authentication": {
        #                            "procedure": "external",
        #                            "server_uuid": runtimes[1].node_id
        #                        },
        #                        "authorization": {
        #                            "procedure": "local",
        #                            "policy_storage_path": policy_storage_path
        #                        }
        #                    })
        rt5_conf.save("/tmp/calvin5005.conf")

        #Start all runtimes
        for i in range(len(rt_attributes_cpy)):
            _log.info("Starting runtime {}".format(i))
            try:
                logfile = _config_pytest.getoption("logfile") + "500{}".format(
                    i)
                outfile = os.path.join(
                    os.path.dirname(logfile),
                    os.path.basename(logfile).replace("log", "out"))
                if outfile == logfile:
                    outfile = None
            except:
                logfile = None
                outfile = None
            csruntime(hostname,
                      port=5000 + i,
                      controlport=5020 + i,
                      attr=rt_attributes_cpy[i],
                      loglevel=_config_pytest.getoption("loglevel"),
                      logfile=logfile,
                      outfile=outfile,
                      configfile="/tmp/calvin500{}.conf".format(i))
            #            rt.append(RT("https://{}:502{}".format(hostname, i)))
            rt.append(RT("http://{}:502{}".format(hostname, i)))
            # Wait to be sure that all runtimes has started
            time.sleep(1)
        time.sleep(10)

        request.addfinalizer(self.teardown)
Ejemplo n.º 6
0
def sign_files_for_security_tests(credentials_testdir):
    from calvin.utilities import code_signer
    from calvin.utilities.utils import get_home
    from calvin.utilities import certificate
    import shutil

    def replace_text_in_file(file_path, text_to_be_replaced, text_to_insert):
        # Read in the file
        filedata = None
        with open(file_path, 'r') as file:
            filedata = file.read()

        # Replace the target string
        filedata = filedata.replace(text_to_be_replaced, text_to_insert)

        # Write the file out again
        with open(file_path, 'w') as file:
            file.write(filedata)

    def _copy_and_sign_actor(prefix, file_name):
        #Create signed version of the actor
        directory = os.path.join(actor_store_path, prefix)
        if not os.path.isdir(directory):
            os.makedirs(directory)
            shutil.copy(
                os.path.join(orig_actor_store_path, prefix, "__init__.py"),
                os.path.join(actor_store_path, prefix, "__init__.py"))
        orig_actor_path = os.path.join(orig_actor_store_path, prefix,
                                       file_name)
        new_actor_path = os.path.join(actor_store_path, prefix, file_name)
        shutil.copy(orig_actor_path, new_actor_path)
        cs.sign_file(new_actor_path)
        return new_actor_path

    homefolder = get_home()
    runtimesdir = os.path.join(credentials_testdir, "runtimes")
    runtimes_truststore_signing_path = os.path.join(runtimesdir,
                                                    "truststore_for_signing")
    orig_testdir = os.path.join(os.path.dirname(__file__), "security_test")
    orig_actor_store_path = os.path.abspath(
        os.path.join(os.path.dirname(__file__), '..', 'actorstore',
                     'systemactors'))
    actor_store_path = os.path.join(credentials_testdir, "store")
    orig_application_store_path = os.path.join(orig_testdir, "scripts")
    application_store_path = os.path.join(credentials_testdir, "scripts")
    print "Create test folders"
    try:
        shutil.copytree(orig_application_store_path, application_store_path)
    except Exception as err:
        _log.error(
            "Failed to create test folder structure, err={}".format(err))
        print "Failed to create test folder structure, err={}".format(err)
        raise

    print "Trying to create a new test application/actor signer."
    cs = code_signer.CS(organization="com.ericsson",
                        commonName="signer",
                        security_dir=credentials_testdir)

    _copy_and_sign_actor("flow", "Alternate.py")
    _copy_and_sign_actor("flow", "Alternate2.py")
    _copy_and_sign_actor("flow", "Collect.py")
    _copy_and_sign_actor("flow", "CollectCompleteDict.py")
    _copy_and_sign_actor("flow", "Dealternate.py")
    _copy_and_sign_actor("flow", "Deselect.py")
    _copy_and_sign_actor("flow", "Dispatch.py")
    _copy_and_sign_actor("flow", "DispatchDict.py")
    _copy_and_sign_actor("flow", "Join.py")
    _copy_and_sign_actor("flow", "Void.py")
    _copy_and_sign_actor("flow", "Select.py")
    _copy_and_sign_actor("flow", "Terminator.py")

    _copy_and_sign_actor("io", "FileReader.py")

    _copy_and_sign_actor("misc", "ExplicitStateExample.py")

    _copy_and_sign_actor("std", "Counter.py")
    _copy_and_sign_actor("std", "Constant.py")
    _copy_and_sign_actor("std", "Constantify.py")
    _copy_and_sign_actor("std", "Compare.py")
    _copy_and_sign_actor("std", "Identity.py")
    _copy_and_sign_actor("std", "Stringify.py")
    _copy_and_sign_actor("std", "Trigger.py")
    actor_CountTimer_path = _copy_and_sign_actor("std", "CountTimer.py")
    actor_Sum_path = _copy_and_sign_actor("std", "Sum.py")

    _copy_and_sign_actor("test", "FiniteCounter.py")
    _copy_and_sign_actor("test", "TestProcess.py")
    actor_Sink_path = _copy_and_sign_actor("test", "Sink.py")

    _copy_and_sign_actor("text", "LineJoin.py")
    _copy_and_sign_actor("text", "PrefixString.py")
    _copy_and_sign_actor("text", "RegexMatch.py")

    _copy_and_sign_actor("exception", "ExceptionHandler.py")

    #Create unsigned version of CountTimer actor
    actor_CountTimerUnsigned_path = actor_CountTimer_path.replace(
        ".py", "Unsigned.py")
    shutil.copy(actor_CountTimer_path, actor_CountTimerUnsigned_path)
    replace_text_in_file(actor_CountTimerUnsigned_path, "CountTimer",
                         "CountTimerUnsigned")

    #Create unsigned version of Sum actor
    actor_SumUnsigned_path = actor_Sum_path.replace(".py", "Unsigned.py")
    shutil.copy(actor_Sum_path, actor_SumUnsigned_path)
    replace_text_in_file(actor_SumUnsigned_path, "Sum", "SumUnsigned")

    #Create incorrectly signed version of Sum actor
    actor_SumFake_path = actor_Sum_path.replace(".py", "Fake.py")
    shutil.copy(actor_Sum_path, actor_SumFake_path)
    #Change the class name to SumFake
    replace_text_in_file(actor_SumFake_path, "Sum", "SumFake")
    cs.sign_file(actor_SumFake_path)
    #Now append to the signed file so the signature verification fails
    with open(actor_SumFake_path, "a") as fd:
        fd.write(" ")

    #Create unsigned version of Sink actor
    actor_SinkUnsigned_path = actor_Sink_path.replace(".py", "Unsigned.py")
    shutil.copy(actor_Sink_path, actor_SinkUnsigned_path)
    replace_text_in_file(actor_SinkUnsigned_path, "Sink", "SinkUnsigned")

    #Sign applications
    cs.sign_file(
        os.path.join(application_store_path, "correctly_signed.calvin"))
    cs.sign_file(
        os.path.join(application_store_path,
                     "correctlySignedApp_incorrectlySignedActor.calvin"))
    cs.sign_file(
        os.path.join(application_store_path, "incorrectly_signed.calvin"))
    #Now append to the signed file so the signature verification fails
    with open(
            os.path.join(application_store_path, "incorrectly_signed.calvin"),
            "a") as fd:
        fd.write(" ")

    print "Export Code Signers certificate to the truststore for code signing"
    out_file = cs.export_cs_cert(runtimes_truststore_signing_path)
    certificate.c_rehash(type=certificate.TRUSTSTORE_SIGN,
                         security_dir=credentials_testdir)
    return actor_store_path, application_store_path
Ejemplo n.º 7
0
def sign_appInfo_for_security_tests(credentials_testdir):
    from calvin.utilities import code_signer
    cs = code_signer.CS(organization="com.ericsson",
                        commonName="signer",
                        security_dir=credentials_testdir)
    cs.sign_file(actor_Alternate2_path)