def create_ca_cert(self):
    """Generate a CA private key and a self-signed CA certificate.

    Both files are created under ``self.cert_location`` with names built
    from ``get_random_name(project_name)``. The paths are stored on the
    instance as ``self.ca_private_key`` and ``self.ca_cert``, and removal
    of the key, the certificate and the ``.srl`` file is registered with
    ``addCleanup``.

    Returns:
        Tuple ``(ca_private_key, ca_cert)`` of file paths.
    """
    base_dir = self.cert_location
    project = self.connections.project_name

    ca_private_key = (base_dir + get_random_name(project)
                      + '-ca-cert-privkey.pem')
    ca_cert = base_dir + get_random_name(project) + '-ca-cert.pem'

    # NOTE(review): the CA key is written to disk here; the permissions it
    # gets depend on generate_private_key, which is not visible here.
    SslCert.generate_private_key(ca_private_key)
    self.check_file_dir_exists(ca_private_key)
    self.ca_private_key = ca_private_key

    # The second element of the local_exec result is used verbatim as the
    # host part of the CA subject.
    # NOTE(review): a trailing newline in that value would end up in the
    # subject -- confirm local_exec strips it.
    _result, fqdn, _stderr = SslCert.local_exec('hostname -f')
    subject = '/CN=contrail-test-ca-' + fqdn

    SslCert.generate_cert(ca_cert, ca_private_key, self_signed=True,
                          subj=subject)
    self.check_file_dir_exists(ca_cert)
    self.ca_cert = ca_cert

    # NOTE(review): paths are interpolated unquoted into command strings;
    # if local_exec runs them through a shell, whitespace or shell
    # metacharacters in cert_location would change what is removed.
    # The .srl name is cut at the FIRST '.' of the whole path, so a dot in
    # cert_location or in the random name shifts the target -- confirm.
    removal_commands = (
        'rm %s' % (ca_private_key),
        'rm %s' % (ca_cert),
        'rm %s.srl' % (ca_cert.split('.')[0]),
    )
    for command in removal_commands:
        self.addCleanup(SslCert.local_exec, command)

    return ca_private_key, ca_cert
def create_cert(self, subject='/', subjectAltName=None, ca_cert=None):
    """Create a private key, a CSR and a certificate signed by the CA key.

    Args:
        subject: subject string passed to the CSR generation.
        subjectAltName: passed to both the CSR and the certificate
            generation.
        ca_cert: CA certificate path; falls back to ``self.ca_cert`` when
            falsy.

    Returns:
        Tuple ``(private_key, csr, cert)`` of file paths under
        ``self.cert_location``.

    The certificate is always signed with ``self.ca_private_key``, whatever
    ``ca_cert`` is passed, so a caller that supplies its own ``ca_cert``
    has to make sure it belongs to that key. ``self.ca_private_key`` must
    already be set on the instance.
    """
    if not ca_cert:
        ca_cert = self.ca_cert

    base_dir = self.cert_location
    project = self.connections.project_name
    private_key = base_dir + get_random_name(project) + '-privkey.pem'
    csr = base_dir + get_random_name(project) + '-req.csr'
    cert = base_dir + get_random_name(project) + '-cert.pem'

    SslCert.generate_private_key(private_key)
    self.check_file_dir_exists(private_key)

    SslCert.generate_csr(csr, private_key, subj=subject,
                         subjectAltName=subjectAltName)
    self.check_file_dir_exists(csr)

    SslCert.generate_cert(cert, self.ca_private_key, ca_pem=ca_cert,
                          csr=csr, subjectAltName=subjectAltName)
    self.check_file_dir_exists(cert)

    # NOTE(review): paths are interpolated unquoted into the command
    # string; if local_exec runs it through a shell, whitespace or shell
    # metacharacters in cert_location would change what is removed.
    for generated in (private_key, csr, cert):
        self.addCleanup(SslCert.local_exec, 'rm %s' % (generated))

    return private_key, csr, cert
def create_cert(self, subject='/', subjectAltName=None, ca_cert=None):
    """Create a private key, a CSR and a certificate signed by the CA key.

    Args:
        subject: subject string passed to the CSR generation.
        subjectAltName: passed to both the CSR and the certificate
            generation.
        ca_cert: CA certificate path; falls back to ``self.ca_cert`` when
            falsy.

    Returns:
        Tuple ``(private_key, csr, cert)`` of file paths under
        ``self.cert_location``.

    The certificate is always signed with ``self.ca_private_key``, whatever
    ``ca_cert`` is passed, so a caller that supplies its own ``ca_cert``
    has to make sure it belongs to that key. ``self.ca_private_key`` must
    already be set on the instance.
    """
    if not ca_cert:
        ca_cert = self.ca_cert

    base_dir = self.cert_location
    project = self.connections.project_name
    private_key = base_dir + get_random_name(project) + '-privkey.pem'
    csr = base_dir + get_random_name(project) + '-req.csr'
    cert = base_dir + get_random_name(project) + '-cert.pem'

    SslCert.generate_private_key(private_key)
    self.check_file_dir_exists(private_key)

    SslCert.generate_csr(csr, private_key, subj=subject,
                         subjectAltName=subjectAltName)
    self.check_file_dir_exists(csr)

    SslCert.generate_cert(cert, self.ca_private_key, ca_pem=ca_cert,
                          csr=csr, subjectAltName=subjectAltName)
    self.check_file_dir_exists(cert)

    # NOTE(review): paths are interpolated unquoted into the command
    # string; if local_exec runs it through a shell, whitespace or shell
    # metacharacters in cert_location would change what is removed.
    for generated in (private_key, csr, cert):
        self.addCleanup(SslCert.local_exec, 'rm %s' % (generated))

    return private_key, csr, cert
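def test_introspect_self_signed_cert(self):
    """
    Description: Test agent introspect with self signed certificates
    Steps:
        1. generate a private key and a self signed certificate with
           CN=<compute host name>; the same certificate is also set as
           the CA certificate
        2. copy key and certificate to the agent host and register their
           deletion
        3. get the url with http while ssl is still disabled and keep
           the output
        4. enable ssl, set the cert paths in the config file and restart
           the agent
        5. get the url with https by host name, should succeed and match
           the http output from step 3
        6. get the url with https by fqdn and by ip, should return no
           output
        7. get the url with http, should return no output
    """
    host_name = self.inputs.compute_names[0]
    host_ip = self.inputs.compute_info[host_name]
    port = self.inputs.agent_port
    host_fqname = self.inputs.host_data[host_ip]['fqname']
    service = 'contrail-vrouter-agent'
    container = self.inputs.get_container_name(host_ip, 'agent')
    ssl_enable = 'true'

    # Create self signed certs
    key = self.cert_location + get_random_name(
        self.connections.project_name) + '-privkey.pem'
    cert = self.cert_location + get_random_name(
        self.connections.project_name) + '-self-signed-cert.pem'
    SslCert.generate_private_key(key)
    self.check_file_dir_exists(key)
    SslCert.generate_cert(cert, key, self_signed=True,
                          subj='/CN=%s' % host_name)
    self.check_file_dir_exists(cert)
    # The self signed certificate doubles as its own CA certificate.
    self.set_ssl_config_in_inputs(key=key, cert=cert, ca_cert=cert)
    agent_inspect = AgentInspect(host_ip, port, self.logger,
                                 inputs=self.inputs)

    cntr = CONTRAIL_SERVICE_CONTAINER[service]
    self.inputs.copy_file_to_server(host_ip, key, self.cert_location,
                                    key.split('/')[-1], container=cntr)
    self.inputs.copy_file_to_server(host_ip, cert, self.cert_location,
                                    cert.split('/')[-1], container=cntr)

    # Add to cleanup to delete the certs
    # NOTE(review): only the copies on host_ip are registered for deletion
    # here; no removal of the locally generated key and certificate is
    # visible in this test -- confirm it happens elsewhere.
    self.addCleanup(self.delete_cert_file, host_ip,
                    self.cert_location + key.split('/')[-1], cntr)
    self.addCleanup(self.delete_cert_file, host_ip,
                    self.cert_location + cert.split('/')[-1], cntr)

    # Baseline taken over plain http before ssl is switched on.
    url_http = 'http://%s:%s' % (host_name, port)
    output_http = self.get_url_and_verify(url_http, agent_inspect)

    restarted = self.update_config_file_and_restart_service(
        host_name, CONTRAIL_CONF_FILES[service], ssl_enable, key, cert,
        cert, service, container, verify_service=True)
    assert restarted, 'enabling ssl and restarting %s failed' % service

    # The host name matches the certificate CN, so https must answer with
    # the same content as the earlier http request.
    url = 'https://%s:%s' % (host_name, port)
    self.get_url_and_verify(url, agent_inspect, exp_out=output_http)

    # fqdn and ip are expected to give no output, presumably because the
    # certificate CN carries only the short host name -- confirm.
    url = 'https://%s:%s' % (host_fqname, port)
    output = agent_inspect.dict_get(url=url)
    assert output is None, 'expected no output from %s' % url

    url = 'https://%s:%s' % (host_ip, port)
    output = agent_inspect.dict_get(url=url)
    assert output is None, 'expected no output from %s' % url

    # With ssl enabled, plain http must no longer be served.
    output = agent_inspect.dict_get(url=url_http)
    assert output is None, 'expected no output from %s' % url_http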
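def test_introspect_self_signed_cert(self):
    """
    Description: Test agent introspect with self signed certificates
    Steps:
        1. generate a private key and a self signed certificate with
           CN=<compute host name>; the same certificate is also set as
           the CA certificate
        2. copy key and certificate to the agent container and register
           their deletion
        3. get the url with http while ssl is still disabled and keep
           the output
        4. enable ssl, set the cert paths in the config file and restart
           the agent
        5. get the url with https by host name, should succeed and match
           the http output from step 3
        6. get the url with https by fqdn and by ip, should return no
           output
        7. get the url with http, should return no output
    """
    host_name = self.inputs.compute_names[0]
    host_ip = self.inputs.compute_info[host_name]
    port = self.inputs.agent_port
    host_fqname = self.inputs.host_data[host_ip]['fqname']
    service = 'contrail-vrouter-agent'
    container = self.inputs.get_container_name(host_ip, 'agent')
    ssl_enable = 'true'

    # Create self signed certs
    key = self.cert_location + get_random_name(
        self.connections.project_name) + '-privkey.pem'
    cert = self.cert_location + get_random_name(
        self.connections.project_name) + '-self-signed-cert.pem'
    SslCert.generate_private_key(key)
    self.check_file_dir_exists(key)
    SslCert.generate_cert(cert, key, self_signed=True,
                          subj='/CN=%s' % host_name)
    self.check_file_dir_exists(cert)
    # The self signed certificate doubles as its own CA certificate.
    self.set_ssl_config_in_inputs(key=key, cert=cert, ca_cert=cert)
    agent_inspect = AgentInspect(host_ip, port, self.logger,
                                 inputs=self.inputs)

    self.inputs.copy_file_to_server(host_ip, key, self.cert_location,
                                    key.split('/')[-1],
                                    container=container)
    self.inputs.copy_file_to_server(host_ip, cert, self.cert_location,
                                    cert.split('/')[-1],
                                    container=container)

    # Add to cleanup to delete the certs
    # NOTE(review): only the copies on host_ip are registered for deletion
    # here; no removal of the locally generated key and certificate is
    # visible in this test -- confirm it happens elsewhere.
    self.addCleanup(self.delete_cert_file, host_ip,
                    self.cert_location + key.split('/')[-1], container)
    self.addCleanup(self.delete_cert_file, host_ip,
                    self.cert_location + cert.split('/')[-1], container)

    # Baseline taken over plain http before ssl is switched on.
    url_http = 'http://%s:%s' % (host_name, port)
    output_http = self.get_url_and_verify(url_http, agent_inspect)

    # NOTE(review): the return value is not checked; if the helper reports
    # a failed restart through its return value, the test would carry on
    # against an agent that never enabled ssl -- confirm.
    self.update_config_file_and_restart_service(
        host_ip, CONTRAIL_CONF_FILES[service], ssl_enable, key, cert,
        cert, service, container, verify_service=True)

    # The host name matches the certificate CN, so https must answer with
    # the same content as the earlier http request.
    url = 'https://%s:%s' % (host_name, port)
    self.get_url_and_verify(url, agent_inspect, exp_out=output_http)

    # fqdn and ip are expected to give no output, presumably because the
    # certificate CN carries only the short host name -- confirm.
    url = 'https://%s:%s' % (host_fqname, port)
    output = agent_inspect.dict_get(url=url)
    assert output is None, 'expected no output from %s' % url

    url = 'https://%s:%s' % (host_ip, port)
    output = agent_inspect.dict_get(url=url)
    assert output is None, 'expected no output from %s' % url

    # With ssl enabled, plain http must no longer be served.
    output = agent_inspect.dict_get(url=url_http)
    assert output is None, 'expected no output from %s' % url_http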