def admin_token(config):
    """Verify that keystone's static admin token is not configured anywhere.

    Two files under ``config['dir']`` are inspected: ``[DEFAULT] admin_token``
    in ``keystone.conf`` and the ``admin_token_auth`` filter entry in
    ``keystone-paste.ini``.  Both requirements are ``{"disallowed": "*"}``,
    so any value present for either is reported by ``utils.verify_config``.

    Args:
        config: mapping with a ``'dir'`` key naming the config directory.

    Returns:
        A ``GroupTestResult`` aggregating the findings of both files, or a
        ``TestResult(Result.SKIP, ...)`` if either file cannot be read.
    """
    try:
        keystone_ini = utils.parse_openstack_ini(
            os.path.join(config['dir'], 'keystone.conf'))
        paste_ini = utils.parse_openstack_ini(
            os.path.join(config['dir'], 'keystone-paste.ini'))
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read keystone config files')

    keystone_findings = utils.verify_config(
        "keystone.conf", keystone_ini,
        {"DEFAULT.admin_token": {"disallowed": "*"}},
        needs_parsing=False)
    paste_findings = utils.verify_config(
        "keystone-paste.ini", paste_ini,
        {"filter:admin_token_auth.AdminTokenAuthMiddleware": {"disallowed": "*"}},
        needs_parsing=False)

    # Flatten both result lists into a single group, keystone.conf first.
    result = GroupTestResult()
    for findings in (keystone_findings, paste_findings):
        for entry in findings:
            result.add_result(entry[0], entry[1])
    return result
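def body_size(config):
    """Check that cinder caps API request bodies at 114688 bytes or less.

    Reads ``osapi_max_request_body_size`` from ``[DEFAULT]`` and
    ``max_request_body_size`` from ``[oslo_middleware]`` in ``cinder.conf``;
    a missing option is treated as the 114688 default.

    Args:
        config: mapping with a ``'dir'`` key naming the config directory.

    Returns:
        ``TestResult(Result.SKIP, ...)`` when the file cannot be read,
        otherwise a ``GroupTestResult`` with one entry per setting.  An
        entry FAILs when the limit exceeds 114688 or when the configured
        value is not an integer (previously that raised ``ValueError`` and
        aborted the whole check).
    """
    try:
        path = os.path.join(config['dir'], 'cinder.conf')
        cinder_conf = utils.parse_openstack_ini(path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    max_body_size = 114688
    checks = (
        ('osapi body size', 'DEFAULT', 'osapi_max_request_body_size',
         'osapi allows too big request bodies'),
        ('oslo body size', 'oslo_middleware', 'max_request_body_size',
         'middleware allows too big request bodies'),
    )

    results = GroupTestResult()
    for res_name, section, option, fail_msg in checks:
        raw = cinder_conf.get(section, {}).get(option, str(max_body_size))
        try:
            limit = int(raw)
        except (TypeError, ValueError):
            # Report a malformed value instead of letting the exception
            # abort every remaining check in the run.
            results.add_result(res_name, TestResult(
                Result.FAIL, '%s is not an integer' % option))
            continue
        if limit <= max_body_size:
            results.add_result(res_name, TestResult(Result.PASS))
        else:
            results.add_result(res_name, TestResult(Result.FAIL, fail_msg))

    return results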
 def wrapper(config):
     """Load ``manila.conf`` from ``config['dir']`` and pass it to ``f``.

     ``f`` is the wrapped check taken from the enclosing scope.  If the
     file cannot be read, a SKIP result is returned and ``f`` is not called.
     """
     try:
         conf_path = os.path.join(config['dir'], 'manila.conf')
         manila_conf = utils.parse_openstack_ini(conf_path)
     except EnvironmentError:
         return TestResult(Result.SKIP, 'cannot read manila config file')
     return f(manila_conf)
def nas_security(config):
    """Check that cinder's NAS file handling options are not disabled.

    Reads ``nas_secure_file_operations`` and ``nas_secure_file_permissions``
    from ``[DEFAULT]`` in ``cinder.conf``.  Only an explicit ``false`` (any
    letter case) fails; a missing option (default ``auto``) or any other
    value counts as a pass.

    Args:
        config: mapping with a ``'dir'`` key naming the config directory.

    Returns:
        ``TestResult(Result.SKIP, ...)`` when the file is unreadable,
        otherwise a ``GroupTestResult`` with an ``operations`` and a
        ``permissions`` entry.
    """
    try:
        conf_path = os.path.join(config['dir'], 'cinder.conf')
        cinder_conf = utils.parse_openstack_ini(conf_path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    defaults = cinder_conf.get('DEFAULT', {})

    def is_disabled(option):
        # Only a literal "false" (case-insensitive) disables the feature.
        return defaults.get(option, 'auto').lower() == 'false'

    checks = (
        ('operations', 'nas_secure_file_operations',
         'NAS operations are not secure'),
        ('permissions', 'nas_secure_file_permissions',
         'NAS permissions are not secure'),
    )

    results = GroupTestResult()
    for res_name, option, fail_msg in checks:
        if is_disabled(option):
            results.add_result(res_name, TestResult(Result.FAIL, fail_msg))
        else:
            results.add_result(res_name, TestResult(Result.PASS))
    return results
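def body_size(config):
    """Check that cinder caps API request bodies at 114688 bytes or less.

    Reads ``osapi_max_request_body_size`` from ``[DEFAULT]`` and
    ``max_request_body_size`` from ``[oslo_middleware]`` in ``cinder.conf``;
    a missing option is treated as the 114688 default.

    Args:
        config: mapping with a ``'dir'`` key naming the config directory.

    Returns:
        ``TestResult(Result.SKIP, ...)`` when the file cannot be read,
        otherwise a ``GroupTestResult`` with one entry per setting.  An
        entry FAILs when the limit exceeds 114688 or when the configured
        value is not an integer (previously that raised ``ValueError`` and
        aborted the whole check).
    """
    try:
        path = os.path.join(config['dir'], 'cinder.conf')
        cinder_conf = utils.parse_openstack_ini(path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    max_body_size = 114688
    checks = (
        ('osapi body size', 'DEFAULT', 'osapi_max_request_body_size',
         'osapi allows too big request bodies'),
        ('oslo body size', 'oslo_middleware', 'max_request_body_size',
         'middleware allows too big request bodies'),
    )

    results = GroupTestResult()
    for res_name, section, option, fail_msg in checks:
        raw = cinder_conf.get(section, {}).get(option, str(max_body_size))
        try:
            limit = int(raw)
        except (TypeError, ValueError):
            # Report a malformed value instead of letting the exception
            # abort every remaining check in the run.
            results.add_result(res_name, TestResult(
                Result.FAIL, '%s is not an integer' % option))
            continue
        if limit <= max_body_size:
            results.add_result(res_name, TestResult(Result.PASS))
        else:
            results.add_result(res_name, TestResult(Result.FAIL, fail_msg))

    return results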
def nas_security(config):
    """Check that cinder's NAS file handling options are not disabled.

    Reads ``nas_secure_file_operations`` and ``nas_secure_file_permissions``
    from ``[DEFAULT]`` in ``cinder.conf``.  Only an explicit ``false`` (any
    letter case) fails; a missing option (default ``auto``) or any other
    value counts as a pass.

    Args:
        config: mapping with a ``'dir'`` key naming the config directory.

    Returns:
        ``TestResult(Result.SKIP, ...)`` when the file is unreadable,
        otherwise a ``GroupTestResult`` with an ``operations`` and a
        ``permissions`` entry.
    """
    try:
        conf_path = os.path.join(config['dir'], 'cinder.conf')
        cinder_conf = utils.parse_openstack_ini(conf_path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    defaults = cinder_conf.get('DEFAULT', {})

    def is_disabled(option):
        # Only a literal "false" (case-insensitive) disables the feature.
        return defaults.get(option, 'auto').lower() == 'false'

    checks = (
        ('operations', 'nas_secure_file_operations',
         'NAS operations are not secure'),
        ('permissions', 'nas_secure_file_permissions',
         'NAS permissions are not secure'),
    )

    results = GroupTestResult()
    for res_name, option, fail_msg in checks:
        if is_disabled(option):
            results.add_result(res_name, TestResult(Result.FAIL, fail_msg))
        else:
            results.add_result(res_name, TestResult(Result.PASS))
    return results
def cinder_auth(config):
    """Check that cinder delegates API authentication to keystone.

    Reads ``[DEFAULT] auth_strategy`` from ``cinder.conf``; a missing
    option is treated as ``keystone``.

    Args:
        config: mapping with a ``'dir'`` key naming the config directory.

    Returns:
        ``TestResult`` with ``Result.PASS`` when the strategy is
        ``keystone``, ``Result.FAIL`` for any other value, or
        ``Result.SKIP`` when the file cannot be read.
    """
    try:
        conf_path = os.path.join(config['dir'], 'cinder.conf')
        cinder_conf = utils.parse_openstack_ini(conf_path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    strategy = cinder_conf.get('DEFAULT', {}).get('auth_strategy', 'keystone')
    if strategy == 'keystone':
        return TestResult(Result.PASS)
    return TestResult(Result.FAIL,
                      'authentication should be done by keystone')
def cinder_auth(config):
    """Check that cinder delegates API authentication to keystone.

    Reads ``[DEFAULT] auth_strategy`` from ``cinder.conf``; a missing
    option is treated as ``keystone``.

    Args:
        config: mapping with a ``'dir'`` key naming the config directory.

    Returns:
        ``TestResult`` with ``Result.PASS`` when the strategy is
        ``keystone``, ``Result.FAIL`` for any other value, or
        ``Result.SKIP`` when the file cannot be read.
    """
    try:
        conf_path = os.path.join(config['dir'], 'cinder.conf')
        cinder_conf = utils.parse_openstack_ini(conf_path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    strategy = cinder_conf.get('DEFAULT', {}).get('auth_strategy', 'keystone')
    if strategy == 'keystone':
        return TestResult(Result.PASS)
    return TestResult(Result.FAIL,
                      'authentication should be done by keystone')
def glance_secure(config):
    """Check that cinder has not switched off secure access to glance.

    Reads ``[DEFAULT] glance_api_insecure`` from ``cinder.conf``.  The
    check fails only when the option is literally ``true`` (any letter
    case); a missing option defaults to ``False`` and passes.

    Args:
        config: mapping with a ``'dir'`` key naming the config directory.

    Returns:
        ``TestResult`` with ``Result.FAIL`` when insecure access is enabled,
        ``Result.PASS`` otherwise, or ``Result.SKIP`` when the file cannot
        be read.
    """
    try:
        conf_path = os.path.join(config['dir'], 'cinder.conf')
        cinder_conf = utils.parse_openstack_ini(conf_path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    flag = cinder_conf.get('DEFAULT', {}).get('glance_api_insecure', 'False')
    if flag.lower() == 'true':
        return TestResult(Result.FAIL, 'glance access is not secure')
    return TestResult(Result.PASS)
def glance_secure(config):
    """Check that cinder has not switched off secure access to glance.

    Reads ``[DEFAULT] glance_api_insecure`` from ``cinder.conf``.  The
    check fails only when the option is literally ``true`` (any letter
    case); a missing option defaults to ``False`` and passes.

    Args:
        config: mapping with a ``'dir'`` key naming the config directory.

    Returns:
        ``TestResult`` with ``Result.FAIL`` when insecure access is enabled,
        ``Result.PASS`` otherwise, or ``Result.SKIP`` when the file cannot
        be read.
    """
    try:
        conf_path = os.path.join(config['dir'], 'cinder.conf')
        cinder_conf = utils.parse_openstack_ini(conf_path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    flag = cinder_conf.get('DEFAULT', {}).get('glance_api_insecure', 'False')
    if flag.lower() == 'true':
        return TestResult(Result.FAIL, 'glance access is not secure')
    return TestResult(Result.PASS)
def body_size(config):
    """Report on ``[DEFAULT] max_request_body_size`` in ``keystone.conf``.

    The requirement handed to ``utils.verify_config`` is
    ``{"allowed": "*"}``; the exact pass/fail interpretation (including how
    an absent option is treated) is decided inside ``verify_config``.

    Args:
        config: mapping with a ``'dir'`` key naming the config directory.

    Returns:
        A ``GroupTestResult`` with one entry per finding, or
        ``TestResult(Result.SKIP, ...)`` when the file cannot be read.
    """
    conf_name = 'keystone.conf'
    try:
        keystone_ini = utils.parse_openstack_ini(
            os.path.join(config['dir'], conf_name))
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read keystone config files')

    requirement = {"DEFAULT.max_request_body_size": {"allowed": "*"}}
    findings = utils.verify_config(conf_name, keystone_ini, requirement,
                                   needs_parsing=False)

    result = GroupTestResult()
    for entry in findings:
        result.add_result(entry[0], entry[1])
    return result
def keystone_secure(config):
    """Check that cinder reaches keystone over HTTPS.

    Reads ``auth_protocol`` and ``identity_uri`` from the
    ``[keystone_authtoken]`` section of ``cinder.conf``.  Both must point at
    HTTPS: ``identity_uri`` has to start with ``https:`` and
    ``auth_protocol`` has to equal ``https``.  A missing option takes an
    HTTPS default and therefore passes.

    Args:
        config: mapping with a ``'dir'`` key naming the config directory.

    Returns:
        ``TestResult`` with ``Result.PASS``, ``Result.FAIL`` when either
        setting is not HTTPS, or ``Result.SKIP`` when the file is unreadable.
    """
    try:
        conf_path = os.path.join(config['dir'], 'cinder.conf')
        cinder_conf = utils.parse_openstack_ini(conf_path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    authtoken = cinder_conf.get('keystone_authtoken', {})
    protocol = authtoken.get('auth_protocol', 'https')
    identity = authtoken.get('identity_uri', 'https:')

    # Both settings carry the same failure message, so one combined check.
    if identity.startswith('https:') and protocol == 'https':
        return TestResult(Result.PASS)
    return TestResult(Result.FAIL, 'keystone access is not secure')
def keystone_secure(config):
    """Check that cinder reaches keystone over HTTPS.

    Reads ``auth_protocol`` and ``identity_uri`` from the
    ``[keystone_authtoken]`` section of ``cinder.conf``.  Both must point at
    HTTPS: ``identity_uri`` has to start with ``https:`` and
    ``auth_protocol`` has to equal ``https``.  A missing option takes an
    HTTPS default and therefore passes.

    Args:
        config: mapping with a ``'dir'`` key naming the config directory.

    Returns:
        ``TestResult`` with ``Result.PASS``, ``Result.FAIL`` when either
        setting is not HTTPS, or ``Result.SKIP`` when the file is unreadable.
    """
    try:
        conf_path = os.path.join(config['dir'], 'cinder.conf')
        cinder_conf = utils.parse_openstack_ini(conf_path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    authtoken = cinder_conf.get('keystone_authtoken', {})
    protocol = authtoken.get('auth_protocol', 'https')
    identity = authtoken.get('identity_uri', 'https:')

    # Both settings carry the same failure message, so one combined check.
    if identity.startswith('https:') and protocol == 'https':
        return TestResult(Result.PASS)
    return TestResult(Result.FAIL, 'keystone access is not secure')
def token_hash(config):
    """Check that PKI/PKIZ keystone tokens are hashed with SHA-256 or SHA-512.

    Reads ``[token] provider`` from ``keystone.conf`` (default ``uuid``);
    a fully qualified ``keystone.token.providers.<name>.Provider`` class
    path is reduced to ``<name>``.  The check only applies to the ``pki``
    and ``pkiz`` providers and is skipped for anything else.  The hash is
    taken from ``[token] hash_algorithms``, falling back to the singular
    ``hash_algorithm``.

    Args:
        config: mapping with a ``'dir'`` key naming the config directory.

    Returns:
        ``TestResult`` with ``Result.PASS``, ``Result.FAIL`` when the hash
        is missing or not sha256/sha512, or ``Result.SKIP`` when the file is
        unreadable or the provider is not PKI-based.
    """
    try:
        conf_path = os.path.join(config['dir'], 'keystone.conf')
        keystone_ini = utils.parse_openstack_ini(conf_path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read keystone config files')

    provider_prefix = 'keystone.token.providers.'
    provider_suffix = '.Provider'
    token_section = keystone_ini.get('token', {})

    provider = token_section.get('provider', 'uuid')
    if (provider.startswith(provider_prefix)
            and provider.endswith(provider_suffix)):
        # Strip the class-path wrapping to get the short provider name.
        provider = provider[len(provider_prefix):-len(provider_suffix)]

    if provider not in ('pki', 'pkiz'):
        return TestResult(Result.SKIP, 'test relevant only for pki tokens')

    # The plural option wins when it is set to a non-empty value.
    algorithm = (token_section.get('hash_algorithms')
                 or token_section.get('hash_algorithm'))

    if algorithm is not None and algorithm.lower() in ('sha256', 'sha512'):
        return TestResult(Result.PASS)
    return TestResult(Result.FAIL, 'token hash should be sha256 or sha512')