def __init__(self,
host,
username,
password,
command,
ready_regex='.*\[SoapUIMockServiceRunner\] Started.*',
ready_timeout=60,
stop_keycode=3):
'''
Initialize the class and open the SSH connection.
:param host: str - hostname of the server
:param username: str - username
:param password: str - password
:param command: str - mock service start command, one-liner (semicolons can be used for command sequence)
:param ready_regex: str - regex to wait for until concluding that the service is up and running
:param ready_timeout: int - service start timeout in seconds; if this passes, starting failed
:param stop_keycode: int - keycode to send to kill the service; can be Ctrl-C (3) or Enter (13) for SoapUI
'''
self.ssh = ssh_client.SSHClient(host=host,
username=username,
password=password)
self.command = command
self.ready_regex = re.compile(ready_regex)
self.ready_timeout = ready_timeout
self.stop_keycode = stop_keycode
def test_case(self):
'''
Test 2.1.3 success scenarios. Failure scenarios are tested in another function.
:param self: MainController object
:return: None
'''
# TEST PLAN 2.1.3 security server client certification
# Failure scenarios (2.1.3.1) are tested under failing_tests()
self.log('*** 2.1.3 / XT-457')
# Set certificate filenames
remote_csr_path = 'temp.der'
cert_path = 'temp.pem'
server_name = ssh_server_actions.get_server_name(self)
# Get files to be removed (some may be left from previous runs)
path_wildcard = self.get_download_path('*')
# Loop over the files and remove them
for fpath in glob.glob(path_wildcard):
try:
os.remove(fpath)
except:
pass
# TEST PLAN 2.1.3-1 generate key for authentication device, and
# TEST PLAN 2.1.3-2 generate certificate request for the key and save it to local system
self.log('2.1.3-1, 2.1.3-2 generate key and certificate request using that key')
generate_csr(self, client_code, client_class, server_name)
# Get the certificate request path
file_path = glob.glob(self.get_download_path('_'.join(['*', server_name, client_class, client_code]) + '.der'))[
0]
# Create an SSH connection to CA
client = ssh_client.SSHClient(self.config.get('ca.ssh_host'), self.config.get('ca.ssh_user'),
self.config.get('ca.ssh_pass'))
# Get the certificate local path
local_cert_path = self.get_download_path(cert_path)
# TEST PLAN 2.1.3-3 upload certificate request to CA and get the signing certificate from CA
self.log('2.1.3-3 upload certificate request to CA and get the siging certificate')
get_cert(client, 'sign-sign', file_path, local_cert_path, cert_path, remote_csr_path)
time.sleep(6)
file_cert_path = glob.glob(local_cert_path)[0]
# TEST PLAN 2.1.3-4 import the certificate to security server
self.log('2.1.3-4 import certificate to security server')
import_cert(self, file_cert_path)
# Check if import succeeded
self.log('2.1.3-4 check if import succeeded')
check_import(self, client_class, client_code)
def get_client(ssh_host, ssh_username, ssh_password):
'''
Creates a new SSH connection.
:param ssh_host: str - SSH server hostname
:param ssh_username: str - SSH username
:param ssh_password: str - SSH password
:return: SSHClient object
'''
return ssh_client.SSHClient(ssh_host, username=ssh_username, password=ssh_password)
def wrong_cert_type_error(self, client):
'''
Test that tries to import a wrong type of certificate to the server. This certificate should not be imported.
:param self: MainController object
:param client: client data
:return: None
'''
# TEST PLAN 2.1.3.1-2 certificate is not a signing certificate
self.log('2.1.3.1-2 test importing a certificate that is not a signing certificate')
remote_csr_path = 'temp.der'
cert_path = 'temp.pem'
# Set local path for certificate
local_cert_path = self.get_download_path(cert_path)
server_name = ssh_server_actions.get_server_name(self)
# Remove temporary files
for fpath in glob.glob(self.get_download_path('*')):
os.remove(fpath)
# Generate CSR for the client
self.log('2.1.3.1-2 generate CSR for the client')
generate_csr(self, client['code'], client['class'], ssh_server_actions.get_server_name(self))
file_path = \
glob.glob(self.get_download_path('_'.join(['*', server_name, client['class'], client['code']]) + '.der'))[0]
# Create SSH connection to CA
sshclient = ssh_client.SSHClient(self.config.get('ca.ssh_host'), self.config.get('ca.ssh_user'),
self.config.get('ca.ssh_pass'))
# Get an authentication certificate instead of signing certificate.
self.log('2.1.3.1-2 get the authentication certificate')
get_cert(sshclient, 'sign-auth', file_path, local_cert_path, cert_path, remote_csr_path)
time.sleep(6)
file_cert_path = glob.glob(local_cert_path)[0]
# Try to import certificate
self.log('2.1.3.1-2 trying to import authentication certificate as signing certificate. Should fail.')
import_cert(self, file_cert_path)
self.wait_jquery()
time.sleep(3)
assert messages.get_error_message(
self) == messages.CERTIFICATE_NOT_SIGNING_KEY
self.log('2.1.3.1-2 certificate not accepted, test succeeded')
self.log('2.1.3.1-2 remove test data')
popups.close_all_open_dialogs(self)
remove_certificate(self, client)
def no_key_error(self, client):
'''
Try to import certificate that does not have a corresponding key in the server. Should fail.
:param self: MainController object
:param client: client data
:return: None
'''
# TEST PLAN 2.1.3.1-3 key used for requesting the certificate is not found
self.log('2.1.3.1-3 test importing a certificate that does not have a corresponding key')
remote_csr_path = 'temp.der'
cert_path = 'temp.pem'
# Get local certificate path
local_cert_path = self.get_download_path(cert_path)
server_name = ssh_server_actions.get_server_name(self)
# Remove temporary files
for fpath in glob.glob(self.get_download_path('*')):
os.remove(fpath)
# Generate CSR
self.log('2.1.3.1-3 generate CSR for the client')
generate_csr(self, client['code'], client['class'], ssh_server_actions.get_server_name(self))
file_path = \
glob.glob(self.get_download_path('_'.join(['*', server_name, client['class'], client['code']]) + '.der'))[0]
sshclient = ssh_client.SSHClient(self.config.get('ca.ssh_host'), self.config.get('ca.ssh_user'),
self.config.get('ca.ssh_pass'))
# Get the signing certificate from CA
self.log('2.1.3.1-3 getting signing certificate from the CA')
get_cert(sshclient, 'sign-sign', file_path, local_cert_path, cert_path, remote_csr_path)
time.sleep(6)
file_cert_path = glob.glob(local_cert_path)[0]
# Remove the certificate and key from the server
self.log('2.1.3.1-3 remove the key from the server')
remove_certificate(self, client)
# Try to import the certificate that does not have a key any more
self.log('2.1.3.1-3 try to import the certificate. Should fail.')
import_cert(self, file_cert_path)
self.wait_jquery()
time.sleep(3)
assert messages.get_error_message(self) == messages.NO_KEY_FOR_CERTIFICATE
self.log('2.1.3.1-3 got an error message, test succeeded')
def webserver_connect(self, ssh_host, ssh_username, ssh_password):
self.ssh_client = ssh_client.SSHClient(host=ssh_host,
username=ssh_username,
password=ssh_password)
def already_existing_error(self, client):
'''
Test importing a certificate that already exists. Should not be added as a duplicate.
:param self: MainController object
:param client: client data
:return: None
'''
# TEST PLAN 2.1.3.1-6 try to import a certificate that has already been added.
self.log('2.1.3.1-6 try to import a certificate that has already been added.')
self.driver.get(self.url)
self.wait_jquery()
remote_csr_path = 'temp.der'
cert_path = 'temp.pem'
# Get local certificate path
local_cert_path = self.get_download_path(cert_path)
server_name = ssh_server_actions.get_server_name(self)
for fpath in glob.glob(self.get_download_path('*')):
os.remove(fpath)
# Generate CSR for the client
self.log('2.1.3.1-6 generate CSR for the client')
generate_csr(self, client['code'], client['class'], ssh_server_actions.get_server_name(self))
file_path = \
glob.glob(self.get_download_path('_'.join(['*', server_name, client['class'], client['code']]) + '.der'))[0]
# Open an SSH connection to CA
sshclient = ssh_client.SSHClient(self.config.get('ca.ssh_host'), self.config.get('ca.ssh_user'),
self.config.get('ca.ssh_pass'))
# Get the signing certificate from CA
self.log('2.1.3.1-6 get signing certificate from CA')
get_cert(sshclient, 'sign-sign', file_path, local_cert_path, cert_path, remote_csr_path)
time.sleep(6)
file_cert_path = glob.glob(local_cert_path)[0]
# Import the signing certificate. Should succeed.
self.log('2.1.3.1-6 import the signing certificate.')
import_cert(self, file_cert_path)
self.wait_jquery()
time.sleep(3)
# Import the same signing certificate. Should fail.
self.log('2.1.3.1-6 import the same signing certificate. Should fail.')
import_cert(self, file_cert_path)
self.wait_jquery()
time.sleep(3)
assert messages.CERTIFICATE_ALREADY_EXISTS in messages.get_error_message(self)
self.log('2.1.3.1-6 got an error for duplicate certificate, test succeeded')
popups.close_all_open_dialogs(self)
# Remove the certificate
self.log('2.1.3.1-6 removing the test certificate')
remove_certificate(self, client)
def no_client_for_certificate_error(self, client):
'''
Try to import a certificate that is issued to a non-existing client. Should fail.
:param self: MainController object
:param client: client data
:return: None
'''
# TEST PLAN 2.1.3.1-4 client set in the certificate is not in the system
self.log('2.1.3.1-4 import a certificate that is issued to a non-existing client.')
self.driver.get(self.url)
self.wait_jquery()
remote_csr_path = 'temp.der'
cert_path = 'temp.pem'
# Get the local path of the certificate
local_cert_path = self.get_download_path(cert_path)
server_name = ssh_server_actions.get_server_name(self)
# Remove temporary files
for fpath in glob.glob(self.get_download_path('*')):
os.remove(fpath)
# Generate CSR for the client
self.log('2.1.3.1-4 generate CSR for the client')
generate_csr(self, client['code'], client['class'], ssh_server_actions.get_server_name(self))
file_path = \
glob.glob(self.get_download_path('_'.join(['*', server_name, client['class'], client['code']]) + '.der'))[0]
# Create an SSH connection to CA
sshclient = ssh_client.SSHClient(self.config.get('ca.ssh_host'), self.config.get('ca.ssh_user'),
self.config.get('ca.ssh_pass'))
# Get the signing certificate from CA
self.log('2.1.3.1-4 get the signing certificate from CA')
get_cert(sshclient, 'sign-sign', file_path, local_cert_path, cert_path, remote_csr_path)
time.sleep(6)
file_cert_path = glob.glob(local_cert_path)[0]
# Remove the test client.
self.log('2.1.3.1-4 removing test client.')
remove_client(self, client)
# Try to import the certificate. Should fail.
self.log('2.1.3.1-4 import a certificate that is issued to the client that was just removed. Should fail.')
import_cert(self, file_cert_path)
self.wait_jquery()
time.sleep(3)
assert messages.NO_CLIENT_FOR_CERTIFICATE in messages.get_error_message(self)
self.log('2.1.3.1-4 got an error, test succeeded.')
popups.close_all_open_dialogs(self)
# Remove the certificate from the server
self.log('2.1.3.1-4 removing the certificate.')
remove_certificate(self, client)
self.driver.get(self.url)
self.wait_jquery()
# Restore the client
self.log('2.1.3.1-4 restoring the client.')
add_client(self, client)
# Wait until data updated
time.sleep(60)
def not_valid_ca_error(self, client):
'''
Test for trying to add a certificate that was not issued by a valid certification authority (2.1.3.1-1)
Expectation: certificate not added.
:param self: MainController object
:param client: client data
:return: None
'''
# TEST PLAN 2.1.3.1-1 certificate is issued by a certification authority that is not in the allow list
self.log('2.1.3.1-1 certificate is issued by a certification authority that is not in the allow list')
error = False
try:
remote_csr_path = 'temp.der'
cert_path = 'temp.pem'
# Get local certificate path
local_cert_path = self.get_download_path(cert_path)
server_name = ssh_server_actions.get_server_name(self)
# Remove temporary files
for fpath in glob.glob(self.get_download_path('*')):
os.remove(fpath)
# Generate CSR for the client
self.log('2.1.3.1-1 Generate CSR for the client')
generate_csr(self, client['code'], client['class'], ssh_server_actions.get_server_name(self))
file_path = \
glob.glob(
self.get_download_path('_'.join(['*', server_name, client['class'], client['code']]) + '.der'))[0]
# Create a new SSH connection to CA
sshclient = ssh_client.SSHClient(self.config.get('ca.ssh_host'), self.config.get('ca.ssh_user'),
self.config.get('ca.ssh_pass'))
# Get the signing certificate from our CSR
self.log('2.1.3.1-1 Get the signing certificate from the certificate request')
get_cert(sshclient, 'sign-sign', file_path, local_cert_path, cert_path, remote_csr_path)
time.sleep(6)
file_cert_path = glob.glob(local_cert_path)[0]
# Remove CA from central server
self.log('2.1.3.1-1 Removing ca from central server')
# Relogin
self.logout(self.config.get('cs.host'))
self.login(self.config.get('cs.user'), self.config.get('cs.pass'))
# Go to certification services in the UI
self.wait_until_visible(type=By.CSS_SELECTOR, element=sidebar_constants.CERTIFICATION_SERVICES_CSS).click()
table = self.wait_until_visible(type=By.ID, element=certification_services.CERTIFICATION_SERVICES_TABLE_ID)
rows = table.find_element_by_tag_name('tbody').find_elements_by_tag_name('tr')
# Find our CA and remove it
for row in rows:
if self.config.get('ca.ssh_host') in row.text:
row.click()
self.wait_until_visible(type=By.ID, element=certification_services.DELETE_BTN_ID).click()
popups.confirm_dialog_click(self)
self.log('Wait 240 seconds for changes')
time.sleep(240)
self.log('Reloading page after changes')
# Reload page and wait until additional data is loaded using jQuery
self.driver.refresh()
self.wait_jquery()
# Try to import the certificate
self.log('2.1.3.1-1 Trying to import certificate')
import_cert(self, file_cert_path)
self.wait_jquery()
time.sleep(2)
# Check if we got an error message
assert messages.get_error_message(self) == messages.CA_NOT_VALID_AS_SERVICE
self.log('2.1.3.1-1 got correct error message')
except:
# Test failed
self.log('2.1.3.1-1 failed')
# Print traceback
traceback.print_exc()
error = True
finally:
# After testing, re-add the CA and restore the state the server was in
self.log('2.1.3.1-1-del restoring previous state')
# Login to Central Server
self.driver.get(self.config.get('cs.host'))
if not login.check_login(self, self.config.get('cs.user')):
self.login(self.config.get('cs.user'), self.config.get('cs.pass'))
# Create SSH connection to CA
sshclient = ssh_client.SSHClient(self.config.get('ca.ssh_host'),
self.config.get('ca.ssh_user'),
self.config.get('ca.ssh_pass'))
target_ca_cert_path = self.get_download_path("ca.pem")
target_ocsp_cert_path = self.get_download_path("ocsp.pem")
# Get CA certificates using SSH
self.log('2.1.3.1-1-del Getting CA certificates')
get_ca_certificate(sshclient, 'ca.cert.pem', target_ca_cert_path)
get_ca_certificate(sshclient, 'ocsp.cert.pem', target_ocsp_cert_path)
sshclient.close()
# Go to Central Server UI main page
self.driver.get(self.config.get('cs.host'))
self.wait_until_visible(type=By.CSS_SELECTOR, element=sidebar_constants.CERTIFICATION_SERVICES_CSS).click()
self.wait_jquery()
time.sleep(3)
table = self.wait_until_visible(type=By.ID, element=certification_services.CERTIFICATION_SERVICES_TABLE_ID)
rows = table.find_element_by_tag_name('tbody').find_elements_by_tag_name('tr')
# If CA server is not listed, re-add it
if self.config.get('ca.ssh_host') not in map(lambda x: x.text, rows):
self.log('2.1.3.1-1-del CA not found, re-adding')
self.wait_until_visible(type=By.ID, element=certification_services.ADD_BTN_ID).click()
import_cert_btn = self.wait_until_visible(type=By.ID,
element=certification_services.IMPORT_CA_CERT_BTN_ID)
# Upload CA certificate and submit the form
xroad.fill_upload_input(self, import_cert_btn, target_ca_cert_path)
self.wait_until_visible(type=By.ID, element=certification_services.SUBMIT_CA_CERT_BTN_ID).click()
# Set CA additional information
profile_info_area = self.wait_until_visible(type=By.CSS_SELECTOR,
element=certification_services.CETIFICATE_PROFILE_INFO_AREA_CSS)
self.input(profile_info_area,
'ee.ria.xroad.common.certificateprofile.impl.EjbcaCertificateProfileInfoProvider')
# Save the settings
self.wait_until_visible(type=By.ID, element=certification_services.SUBMIT_CA_SETTINGS_BTN_ID).click()
self.wait_jquery()
# Open OCSP tab
self.wait_until_visible(type=By.XPATH, element=certification_services.OCSP_RESPONSE_TAB).click()
self.log('2.1.3.1-1-del Add OCSP responder')
self.wait_until_visible(type=By.ID, element=certification_services.OCSP_RESONDER_ADD_BTN_ID).click()
# Import OCSP certificate
import_cert_btn = self.wait_until_visible(type=By.ID,
element=certification_services.IMPORT_OCSP_CERT_BTN_ID)
xroad.fill_upload_input(self, import_cert_btn, target_ocsp_cert_path)
url_area = self.wait_until_visible(type=By.ID, element=certification_services.OCS_RESPONSE_URL_AREA_ID)
self.input(url_area, self.config.get('ca.ocs_host'))
# Save OCSP information
self.wait_until_visible(type=By.ID,
element=certification_services.SUBMIT_OCSP_CERT_AND_URL_BTN_ID).click()
# Reload CS main page
self.driver.get(self.url)
# Open keys and certificates
self.wait_until_visible(type=By.CSS_SELECTOR, element=sidebar_constants.KEYSANDCERTIFICATES_BTN_CSS).click()
# Remove the testing certificate
remove_certificate(self, client)
self.log('Wait 120 seconds for changes')
time.sleep(120)
if error:
# If, at some point, we got an error, fail the test now
assert False, '2.1.3.1-1 test failed'