def admin_token(config):
    """Check that keystone's static admin token is not enabled.

    Reads ``keystone.conf`` and ``keystone-paste.ini`` from ``config['dir']``
    and verifies, via ``utils.verify_config``, that ``DEFAULT.admin_token``
    is not set in keystone.conf and that the ``admin_token_auth`` paste
    filter does not reference ``AdminTokenAuthMiddleware``.  A shared admin
    token bypasses per-user authentication, so any value is a finding.

    Returns a SKIP ``TestResult`` when either file cannot be read, otherwise
    a ``GroupTestResult`` holding every (name, result) pair produced, the
    keystone.conf results first.
    """
    conf_dir = config['dir']
    try:
        keystone_conf = utils.parse_openstack_ini(
            os.path.join(conf_dir, 'keystone.conf'))
        paste_conf = utils.parse_openstack_ini(
            os.path.join(conf_dir, 'keystone-paste.ini'))
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read keystone config files')

    # "disallowed": "*" presumably flags any value for the option -- the
    # exact matching semantics live in utils.verify_config.
    checks = (
        ("keystone.conf", keystone_conf,
         {"DEFAULT.admin_token": {"disallowed": "*"}}),
        ("keystone-paste.ini", paste_conf,
         {"filter:admin_token_auth.AdminTokenAuthMiddleware":
          {"disallowed": "*"}}),
    )
    grouped = GroupTestResult()
    for filename, parsed, requirements in checks:
        verified = utils.verify_config(filename, parsed, requirements,
                                       needs_parsing=False)
        for item in verified:
            grouped.add_result(item[0], item[1])
    return grouped
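def body_size(config):
    """Check that cinder caps API request bodies at the default 112 KiB.

    Reads ``cinder.conf`` from ``config['dir']`` and compares
    ``DEFAULT.osapi_max_request_body_size`` and
    ``oslo_middleware.max_request_body_size`` -- each defaulting to 114688
    when unset -- against that same ceiling.  A larger value is a FAIL
    because it lets clients push oversized bodies at the API.

    Returns a SKIP ``TestResult`` when the file cannot be read, otherwise a
    ``GroupTestResult`` with an 'osapi body size' and an 'oslo body size'
    entry.  A value that does not parse as an integer is reported as a
    FAIL for that entry instead of raising ``ValueError`` out of the check
    and aborting the whole run.
    """
    try:
        path = os.path.join(config['dir'], 'cinder.conf')
        cinder_conf = utils.parse_openstack_ini(path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    # 114688 (112 KiB) is both the largest value accepted and the default
    # assumed when the option is absent.
    max_allowed = 114688
    checks = (
        ('osapi body size', 'DEFAULT', 'osapi_max_request_body_size',
         'osapi allows too big request bodies'),
        ('oslo body size', 'oslo_middleware', 'max_request_body_size',
         'middleware allows too big request bodies'),
    )
    results = GroupTestResult()
    for res_name, section, option, too_big_msg in checks:
        raw = cinder_conf.get(section, {}).get(option, str(max_allowed))
        try:
            size = int(raw)
        except (TypeError, ValueError):
            # A malformed limit is itself a configuration defect; report it
            # rather than crashing the scanner.
            results.add_result(res_name, TestResult(
                Result.FAIL, '%s is not an integer' % option))
            continue
        if size <= max_allowed:
            results.add_result(res_name, TestResult(Result.PASS))
        else:
            results.add_result(res_name, TestResult(Result.FAIL, too_big_msg))
    return results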
def wrapper(config):
    """Load ``manila.conf`` from ``config['dir']`` and pass it to ``f``.

    ``f`` is the wrapped check, bound in the enclosing decorator scope that
    lies outside this listing.  Returns a SKIP ``TestResult`` when the file
    cannot be read; otherwise returns whatever ``f(conf)`` returns.
    """
    manila_conf_path = os.path.join(config['dir'], 'manila.conf')
    try:
        parsed = utils.parse_openstack_ini(manila_conf_path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read manila config file')
    return f(parsed)
def nas_security(config):
    """Check cinder's NAS secure-file options are not explicitly disabled.

    Reads ``cinder.conf`` from ``config['dir']`` and inspects
    ``DEFAULT.nas_secure_file_operations`` and
    ``DEFAULT.nas_secure_file_permissions``.  Only the literal value
    ``false`` (any case) is treated as insecure; an unset option defaults
    to ``auto`` and passes.

    NOTE(review): ``auto`` passes here, but whether it actually results in
    secure mode is decided by the driver at runtime -- confirm if a stricter
    check is wanted.

    Returns a SKIP ``TestResult`` when the file cannot be read, otherwise a
    ``GroupTestResult`` with an 'operations' and a 'permissions' entry.
    """
    try:
        cinder_conf = utils.parse_openstack_ini(
            os.path.join(config['dir'], 'cinder.conf'))
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    defaults = cinder_conf.get('DEFAULT', {})

    def disabled(option):
        return defaults.get(option, 'auto').lower() == 'false'

    checks = (
        ('operations', 'nas_secure_file_operations',
         'NAS operations are not secure'),
        ('permissions', 'nas_secure_file_permissions',
         'NAS permissions are not secure'),
    )
    results = GroupTestResult()
    for res_name, option, failure_msg in checks:
        if disabled(option):
            results.add_result(res_name, TestResult(Result.FAIL, failure_msg))
        else:
            results.add_result(res_name, TestResult(Result.PASS))
    return results
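def body_size(config):
    """Check that cinder caps API request bodies at the default 112 KiB.

    Reads ``cinder.conf`` from ``config['dir']`` and compares
    ``DEFAULT.osapi_max_request_body_size`` and
    ``oslo_middleware.max_request_body_size`` (each defaulting to 114688
    when unset) against that same ceiling; a larger value is a FAIL
    because it lets clients push oversized bodies at the API.

    Returns a SKIP ``TestResult`` when the file cannot be read, otherwise a
    ``GroupTestResult`` with an 'osapi body size' and an 'oslo body size'
    entry.  A value that does not parse as an integer is reported as a
    FAIL for that entry instead of raising ``ValueError`` out of the check.
    """
    try:
        cinder_conf = utils.parse_openstack_ini(
            os.path.join(config['dir'], 'cinder.conf'))
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    # 114688 (112 KiB): the largest accepted value and the default assumed
    # when the option is absent.
    limit = 114688

    def size_result(section, option, too_big_msg):
        raw = cinder_conf.get(section, {}).get(option, str(limit))
        try:
            size = int(raw)
        except (TypeError, ValueError):
            # Malformed limit: report it rather than crash the scanner.
            return TestResult(Result.FAIL, '%s is not an integer' % option)
        if size <= limit:
            return TestResult(Result.PASS)
        return TestResult(Result.FAIL, too_big_msg)

    results = GroupTestResult()
    results.add_result('osapi body size', size_result(
        'DEFAULT', 'osapi_max_request_body_size',
        'osapi allows too big request bodies'))
    results.add_result('oslo body size', size_result(
        'oslo_middleware', 'max_request_body_size',
        'middleware allows too big request bodies'))
    return results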
def nas_security(config):
    """Check cinder's NAS secure-file options are not explicitly disabled.

    Reads ``cinder.conf`` from ``config['dir']``.  Each of
    ``DEFAULT.nas_secure_file_operations`` and
    ``DEFAULT.nas_secure_file_permissions`` FAILs only when set to the
    literal ``false`` (any case); an unset option defaults to ``auto`` and
    passes.

    NOTE(review): ``auto`` passes here, but whether it actually results in
    secure mode is decided by the driver at runtime -- confirm if a stricter
    check is wanted.

    Returns a SKIP ``TestResult`` when the file cannot be read, otherwise a
    ``GroupTestResult`` with an 'operations' and a 'permissions' entry.
    """
    try:
        cinder_conf = utils.parse_openstack_ini(
            os.path.join(config['dir'], 'cinder.conf'))
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    defaults = cinder_conf.get('DEFAULT', {})

    def check(option, failure_msg):
        if defaults.get(option, 'auto').lower() == 'false':
            return TestResult(Result.FAIL, failure_msg)
        return TestResult(Result.PASS)

    results = GroupTestResult()
    results.add_result('operations', check(
        'nas_secure_file_operations', 'NAS operations are not secure'))
    results.add_result('permissions', check(
        'nas_secure_file_permissions', 'NAS permissions are not secure'))
    return results
def cinder_auth(config):
    """Check that cinder delegates authentication to keystone.

    Reads ``cinder.conf`` from ``config['dir']`` and requires
    ``DEFAULT.auth_strategy`` to be exactly ``keystone`` (also the value
    assumed when the option is unset).  Any other value -- for example
    ``noauth`` -- is a FAIL.  Returns a SKIP ``TestResult`` when the file
    cannot be read.
    """
    try:
        cinder_conf = utils.parse_openstack_ini(
            os.path.join(config['dir'], 'cinder.conf'))
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    strategy = cinder_conf.get('DEFAULT', {}).get('auth_strategy', 'keystone')
    if strategy == 'keystone':
        return TestResult(Result.PASS)
    return TestResult(Result.FAIL, 'authentication should be done by keystone')
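def glance_secure(config):
    """Check that cinder verifies TLS certificates when talking to glance.

    Reads ``cinder.conf`` from ``config['dir']`` and FAILs when
    ``DEFAULT.glance_api_insecure`` is enabled.  The option is a boolean in
    cinder, and oslo.config's boolean parser accepts ``true``, ``1``,
    ``yes`` and ``on`` (case-insensitively) as true, so all of those
    spellings are treated as insecure here -- matching only ``true`` let
    ``glance_api_insecure = yes`` pass as secure.  An unset option is
    ``False`` and passes.

    Returns a SKIP ``TestResult`` when the file cannot be read.
    """
    try:
        path = os.path.join(config['dir'], 'cinder.conf')
        cinder_conf = utils.parse_openstack_ini(path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    # Every spelling oslo.config treats as boolean True.
    true_values = ('true', '1', 'yes', 'on')
    raw = cinder_conf.get('DEFAULT', {}).get('glance_api_insecure', 'False')
    if raw.strip().lower() in true_values:
        return TestResult(Result.FAIL, 'glance access is not secure')
    return TestResult(Result.PASS)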
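def glance_secure(config):
    """Check that cinder verifies TLS certificates when talking to glance.

    Reads ``cinder.conf`` from ``config['dir']`` and FAILs when
    ``DEFAULT.glance_api_insecure`` is enabled.  Cinder declares the option
    as a boolean, and oslo.config's boolean parser accepts ``true``, ``1``,
    ``yes`` and ``on`` (case-insensitively) as true; all of those spellings
    are therefore treated as insecure, where the previous check matched
    only ``true`` and let ``glance_api_insecure = 1`` pass.  An unset option
    is ``False`` and passes.

    Returns a SKIP ``TestResult`` when the file cannot be read.
    """
    try:
        cinder_conf = utils.parse_openstack_ini(
            os.path.join(config['dir'], 'cinder.conf'))
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    # Every spelling oslo.config treats as boolean True.
    true_values = ('true', '1', 'yes', 'on')
    value = cinder_conf.get('DEFAULT', {}).get('glance_api_insecure', 'False')
    insecure = value.strip().lower() in true_values
    if insecure:
        return TestResult(Result.FAIL, 'glance access is not secure')
    return TestResult(Result.PASS)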
def body_size(config):
    """Verify ``DEFAULT.max_request_body_size`` in ``keystone.conf``.

    Reads the file from ``config['dir']`` and delegates to
    ``utils.verify_config`` with the option marked ``{"allowed": "*"}``.
    NOTE(review): ``"allowed": "*"`` accepts any value, so this presumably
    only reports whether the option is present -- it does not bound the
    size; confirm against ``verify_config`` if a numeric ceiling is wanted.

    Returns a SKIP ``TestResult`` when the file cannot be read, otherwise a
    ``GroupTestResult`` holding every (name, result) pair verify_config
    produced.
    """
    keystone_conf_path = os.path.join(config['dir'], 'keystone.conf')
    try:
        keystone_conf = utils.parse_openstack_ini(keystone_conf_path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read keystone config files')

    requirements = {"DEFAULT.max_request_body_size": {"allowed": "*"}}
    verified = utils.verify_config("keystone.conf", keystone_conf,
                                   requirements, needs_parsing=False)
    grouped = GroupTestResult()
    for item in verified:
        grouped.add_result(item[0], item[1])
    return grouped
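def keystone_secure(config):
    """Check that cinder reaches keystone over HTTPS.

    Reads ``cinder.conf`` from ``config['dir']`` and inspects the
    ``[keystone_authtoken]`` section.  Previously only the legacy
    ``auth_protocol`` / ``identity_uri`` pair was examined, so a deployment
    configured through the newer ``auth_url``, ``auth_uri`` or
    ``www_authenticate_uri`` options with a plain ``http://`` URL passed
    unnoticed; those options are now checked too whenever they are set.
    Scheme comparison is case-insensitive and tolerant of surrounding
    whitespace.  Unset options fall back to ``https``, so an empty section
    passes.

    Returns a SKIP ``TestResult`` when the file cannot be read, FAIL on the
    first non-HTTPS endpoint found, otherwise PASS.
    """
    try:
        path = os.path.join(config['dir'], 'cinder.conf')
        cinder_conf = utils.parse_openstack_ini(path)
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read cinder config files')

    authtoken = cinder_conf.get('keystone_authtoken', {})
    insecure = TestResult(Result.FAIL, 'keystone access is not secure')

    # Legacy option: a bare scheme name rather than a URL.
    if authtoken.get('auth_protocol', 'https').strip().lower() != 'https':
        return insecure

    # URL-valued options; only those actually present are checked.
    url_options = ('identity_uri', 'auth_uri', 'www_authenticate_uri',
                   'auth_url')
    for option in url_options:
        value = authtoken.get(option)
        if value is None:
            continue
        if not value.strip().lower().startswith('https:'):
            return insecure
    return TestResult(Result.PASS)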
def token_hash(config):
    """Check the hash algorithm keystone uses for PKI/PKIZ token ids.

    Reads ``keystone.conf`` from ``config['dir']``.  ``[token] provider``
    may be a short name (``pki``, ``pkiz``, ``uuid`` ...) or the full class
    path ``keystone.token.providers.<name>.Provider``; both forms are
    normalised to the short name.  For any provider other than ``pki`` or
    ``pkiz`` the check is SKIPped.  For PKI providers, ``hash_algorithms``
    (taking precedence) or ``hash_algorithm`` must be ``sha256`` or
    ``sha512``; anything else, including an unset option, is a FAIL.

    NOTE(review): PKI/PKIZ token providers were removed from keystone in
    later releases, so on current deployments this check will usually SKIP.

    Returns a SKIP ``TestResult`` when the file cannot be read.
    """
    try:
        keystone_ini = utils.parse_openstack_ini(
            os.path.join(config['dir'], 'keystone.conf'))
    except EnvironmentError:
        return TestResult(Result.SKIP, 'cannot read keystone config files')

    token_section = keystone_ini.get('token', {})
    provider = token_section.get('provider', 'uuid')
    class_prefix = 'keystone.token.providers.'
    class_suffix = '.Provider'
    if provider.startswith(class_prefix) and provider.endswith(class_suffix):
        provider = provider[len(class_prefix):-len(class_suffix)]
    if provider not in ('pki', 'pkiz'):
        return TestResult(Result.SKIP, 'test relevant only for pki tokens')

    # The plural spelling wins when both are present.
    algorithm = (token_section.get('hash_algorithms')
                 or token_section.get('hash_algorithm'))
    if algorithm is not None and algorithm.lower() in ('sha256', 'sha512'):
        return TestResult(Result.PASS)
    return TestResult(Result.FAIL, 'token hash should be sha256 or sha512')