def test_log_syslog(self):
with patch('syslog.syslog', new=self.dummy_syslog):
try:
logger = logging.getLogger()
old_handlers = []
for hdl in logger.handlers:
logger.removeHandler(hdl)
old_handlers.append(hdl)
test_handler = SysLogLibHandler("USER")
logger.addHandler(test_handler)
logger.setLevel(logging.WARNING)
log.info("info")
log.warn("warn")
log.warning("warning")
log.error("error")
log.critical("critical")
log.debug("debug")
lines = self._syslog.getvalue().split("\n")
assert("info" not in lines)
assert("12:warn" in lines)
assert("12:warning" in lines)
assert("10:critical" in lines)
assert("11:error" in lines)
assert("debug" not in lines)
finally:
logger.removeHandler(test_handler)
for hdl in old_handlers:
logger.addHandler(hdl)
def test_log_plain(self):
try:
logfile = StringIO()
logger = logging.getLogger()
old_handlers = []
for hdl in logger.handlers:
logger.removeHandler(hdl)
old_handlers.append(hdl)
test_handler = logging.StreamHandler(logfile)
logger.addHandler(test_handler)
logger.setLevel(logging.WARNING)
log.info("info")
log.warn("warn")
log.warning("warning")
log.error("error")
log.critical("critical")
log.debug("debug")
lines = logfile.getvalue().split("\n")
assert ("info" not in lines)
assert ("warn" in lines)
assert ("warning" in lines)
assert ("critical" in lines)
assert ("error" in lines)
assert ("debug" not in lines)
finally:
logger.removeHandler(test_handler)
for hdl in old_handlers:
logger.addHandler(hdl)
def test_log_plain(self):
try:
logfile = StringIO()
logger = logging.getLogger()
old_handlers = []
for hdl in logger.handlers:
logger.removeHandler(hdl)
old_handlers.append(hdl)
test_handler = logging.StreamHandler(logfile)
logger.addHandler(test_handler)
logger.setLevel(logging.WARNING)
log.info("info")
log.warn("warn")
log.warning("warning")
log.error("error")
log.critical("critical")
log.debug("debug")
lines = logfile.getvalue().split("\n")
assert("info" not in lines)
assert("warn" in lines)
assert("warning" in lines)
assert("critical" in lines)
assert("error" in lines)
assert("debug" not in lines)
finally:
logger.removeHandler(test_handler)
for hdl in old_handlers:
logger.addHandler(hdl)
def test_log_syslog(self):
with patch('syslog.syslog', new=self.dummy_syslog):
try:
logger = logging.getLogger()
old_handlers = []
for hdl in logger.handlers:
logger.removeHandler(hdl)
old_handlers.append(hdl)
test_handler = SysLogLibHandler("USER")
logger.addHandler(test_handler)
logger.setLevel(logging.WARNING)
log.info("info")
log.warn("warn")
log.warning("warning")
log.error("error")
log.critical("critical")
log.debug("debug")
lines = self._syslog.getvalue().split("\n")
assert ("info" not in lines)
assert ("12:warn" in lines)
assert ("12:warning" in lines)
assert ("10:critical" in lines)
assert ("11:error" in lines)
assert ("debug" not in lines)
finally:
logger.removeHandler(test_handler)
for hdl in old_handlers:
logger.addHandler(hdl)
def loadstats(req, *opts):
"""
Log (INFO) information about the result of the last call to load
:param req: The request
:param opts: Options: (none)
:return: None
"""
from stats import metadata
_stats = None
try:
if 'json' in opts:
_stats = json.dumps(metadata)
else:
buf = StringIO()
yaml.dump(metadata, buf)
_stats = buf.getvalue()
except Exception as ex:
log.error(ex)
log.info("pyff loadstats: %s" % _stats)
def signcerts(req, *opts):
"""
Logs the fingerprints of the signing certs found in the current working tree.
:param req: The request
:param opts: Options (not used)
:return: always returns the unmodified working document
Useful for testing.
**Examples**
.. code-block:: yaml
- signcerts
"""
if req.t is None:
raise PipeException("Your plumbing is missing a select statement.")
for fp, pem in xmlsec.CertDict(req.t).iteritems():
log.info("found signing cert with fingerprint %s" % fp)
return req.t
def signcerts(req, *opts):
"""
Logs the fingerprints of the signing certs found in the current working tree.
:param req: The request
:param opts: Options (not used)
:return: always returns the unmodified working document
Useful for testing.
**Examples**
.. code-block:: yaml
- signcerts
"""
if req.t is None:
raise PipeException("Your pipeline is missing a select statement.")
for fp, pem in xmlsec.crypto.CertDict(req.t).iteritems():
log.info("found signing cert with fingerprint %s" % fp)
return req.t
def sign(req, *opts):
"""
Sign the working document.
:param req: The request
:param opts: Options (unused)
:return: returns the signed working document
Sign expects a single dict with at least a 'key' key and optionally a 'cert' key. The 'key' argument references
either a PKCS#11 uri or the filename containing a PEM-encoded non-password protected private RSA key.
The 'cert' argument may be empty in which case the cert is looked up using the PKCS#11 token, or may point
to a file containing a PEM-encoded X.509 certificate.
**PKCS11 URIs**
A pkcs11 URI has the form
.. code-block:: xml
pkcs11://<absolute path to SO/DLL>[:slot]/<object label>[?pin=<pin>]
The pin parameter can be used to point to an environment variable containing the pin: "env:<ENV variable>".
By default pin is "env:PYKCS11PIN" which tells sign to use the pin found in the PYKCS11PIN environment
variable. This is also the default for PyKCS11 which is used to communicate with the PKCS#11 module.
**Examples**
.. code-block:: yaml
- sign:
key: pkcs11:///usr/lib/libsofthsm.so/signer
This would sign the document using the key with label 'signer' in slot 0 of the /usr/lib/libsofthsm.so module.
Note that you may need to run pyff with env PYKCS11PIN=<pin> .... for this to work. Consult the documentation
of your PKCS#11 module to find out about any other configuration you may need.
.. code-block:: yaml
- sign:
key: signer.key
cert: signer.crt
This example signs the document using the plain key and cert found in the signer.key and signer.crt files.
"""
if req.t is None:
raise PipeException("Your pipeline is missing a select statement.")
if not type(req.args) is dict:
raise PipeException("Missing key and cert arguments to sign pipe")
key_file = req.args.get('key', None)
cert_file = req.args.get('cert', None)
if key_file is None:
raise PipeException("Missing key argument for sign pipe")
if cert_file is None:
log.info("Attempting to extract certificate from token...")
opts = dict()
relt = root(req.t)
idattr = relt.get('ID')
if idattr:
opts['reference_uri'] = "#%s" % idattr
xmlsec.sign(req.t, key_file, cert_file, **opts)
return req.t
:param opts: Options: (none)
:return: None
"""
from stats import metadata
_stats = None
try:
if 'json' in opts:
_stats = json.dumps(metadata)
else:
buf = StringIO()
yaml.dump(metadata, buf)
_stats = buf.getvalue()
except Exception, ex:
log.error(ex)
log.info("pyff loadstats: %s" % _stats)
@pipe
@deprecated
def remote(req, *opts):
"""Deprecated. Calls :py:mod:`pyff.pipes.builtins.load`.
"""
return load(req, opts)
@pipe
@deprecated
def local(req, *opts):
"""Deprecated. Calls :py:mod:`pyff.pipes.builtins.load`.
"""
return load(req, opts)
def sign(req, *opts):
"""
Sign the working document.
:param req: The request
:param opts: Options (unused)
:return: returns the signed working document
Sign expects a single dict with at least a 'key' key and optionally a 'cert' key. The 'key' argument references
either a PKCS#11 uri or the filename containing a PEM-encoded non-password protected private RSA key.
The 'cert' argument may be empty in which case the cert is looked up using the PKCS#11 token, or may point
to a file containing a PEM-encoded X.509 certificate.
**PKCS11 URIs**
A pkcs11 URI has the form
.. code-block:: xml
pkcs11://<absolute path to SO/DLL>[:slot]/<object label>[?pin=<pin>]
The pin parameter can be used to point to an environment variable containing the pin: "env:<ENV variable>".
By default pin is "env:PYKCS11PIN" which tells sign to use the pin found in the PYKCS11PIN environment
variable. This is also the default for PyKCS11 which is used to communicate with the PKCS#11 module.
**Examples**
.. code-block:: yaml
- sign:
key: pkcs11:///usr/lib/libsofthsm.so/signer
This would sign the document using the key with label 'signer' in slot 0 of the /usr/lib/libsofthsm.so module.
Note that you may need to run pyff with env PYKCS11PIN=<pin> .... for this to work. Consult the documentation
of your PKCS#11 module to find out about any other configuration you may need.
.. code-block:: yaml
- sign:
key: signer.key
cert: signer.crt
This example signs the document using the plain key and cert found in the signer.key and signer.crt files.
"""
if req.t is None:
raise PipeException("Your pipeline is missing a select statement.")
if not type(req.args) is dict:
raise PipeException("Missing key and cert arguments to sign pipe")
key_file = req.args.get('key', None)
cert_file = req.args.get('cert', None)
if key_file is None:
raise PipeException("Missing key argument for sign pipe")
if cert_file is None:
log.info("Attempting to extract certificate from token...")
opts = dict()
relt = root(req.t)
idattr = relt.get('ID')
if idattr:
opts['reference_uri'] = "#%s" % idattr
xmlsec.sign(req.t, key_file, cert_file, **opts)
return req.t
