class SSLIAMServerCerts(EutesterTestCase): def __init__(self, extra_args=None): self.setuptestcase() self.setup_parser() if extra_args: for arg in extra_args: self.parser.add_argument(arg) self.get_args() # Setup basic eutester object self.tester = Eucaops(credpath=self.args.credpath, config_file=self.args.config, password=self.args.password) def cert_CRUD(self): """ This will test upload, list, get, update, and delete server certificates. @raise Exception: """ """certificate details to update""" cert_name = "ssl-server-certs-basics" updated_cert_name = cert_name + "-updated" new_path = "/certs/" self.tester.add_server_cert(cert_name=cert_name) self.tester.update_server_cert(cert_name=cert_name, new_cert_name=updated_cert_name, new_path=new_path) self.tester.delete_server_cert(updated_cert_name)
class SSLIAMServerCerts(EutesterTestCase): def __init__(self, extra_args= None): self.setuptestcase() self.setup_parser() if extra_args: for arg in extra_args: self.parser.add_argument(arg) self.get_args() # Setup basic eutester object self.tester = Eucaops( credpath=self.args.credpath, config_file=self.args.config,password=self.args.password) def cert_CRUD(self): """ This will test upload, list, get, update, and delete server certificates. @raise Exception: """ """certificate details to update""" cert_name = "ssl-server-certs-basics" updated_cert_name = cert_name + "-updated" new_path = "/certs/" self.tester.add_server_cert(cert_name=cert_name) self.tester.update_server_cert(cert_name=cert_name, new_cert_name=updated_cert_name, new_path=new_path) self.tester.delete_server_cert(updated_cert_name)
class SSLTermination(EutesterTestCase): def __init__(self, extra_args=None): self.cert_name = "elb-ssl-test-" + str(time.time()) self.setuptestcase() self.setup_parser() if extra_args: for arg in extra_args: self.parser.add_argument(arg) self.get_args() # Setup basic eutester object if self.args.region: self.tester = ELBops(credpath=self.args.credpath, region=self.args.region) else: self.tester = Eucaops(credpath=self.args.credpath, config_file=self.args.config, password=self.args.password) self.tester.poll_count = 120 ### Add and authorize a group for the instance self.group = self.tester.add_group(group_name="group-" + str(time.time())) self.tester.authorize_group_by_name(group_name=self.group.name) self.tester.authorize_group_by_name(group_name=self.group.name, port=-1, protocol="icmp") ### Generate a keypair for the instance self.keypair = self.tester.add_keypair("keypair-" + str(time.time())) self.keypath = '%s/%s.pem' % (os.curdir, self.keypair.name) ### Get an image self.image = self.args.emi if not self.image: self.image = self.tester.get_emi(root_device_type="instance-store") ### Populate available zones zones = self.tester.ec2.get_all_zones() self.zone = random.choice(zones).name self.load_balancer_port = 80 (self.web_servers, self.filename) = self.tester.create_web_servers( keypair=self.keypair, group=self.group, zone=self.zone, port=self.load_balancer_port, filename='instance-name', image=self.image, count=1) self.load_balancer = self.tester.create_load_balancer( zones=[self.zone], name="test-" + str(time.time()), load_balancer_port=self.load_balancer_port) assert isinstance(self.load_balancer, LoadBalancer) self.tester.register_lb_instances(self.load_balancer.name, self.web_servers.instances) def ssl_termination(self): """ This will test ELB with HTTPS listener. @raise Exception: """ self.debug("ELB SSl test") """get ELB ip info and setup url""" dns = self.tester.service_manager.get_enabled_dns() lb_ip = dns.resolve(self.load_balancer.dns_name) lb_url = "https://{0}/instance-name".format(lb_ip) """upload server certificate""" self.tester.add_server_cert(cert_name=self.cert_name) """create a new listener on HTTPS port 443 and remove listener on port 80""" cert_arn = self.tester.get_server_cert(self.cert_name).arn listener = (443, 80, "HTTPS", cert_arn) self.tester.add_lb_listener(lb_name=self.load_balancer.name, listener=listener) self.tester.remove_lb_listener(lb_name=self.load_balancer.name, port=self.load_balancer_port) """perform https requests to LB""" self.tester.generate_http_requests(url=lb_url, count=10) def clean_method(self): self.tester.delete_server_cert(self.cert_name) self.tester.cleanup_artifacts()
class SSLTermination(EutesterTestCase): def __init__(self, extra_args= None): self.cert_name = "elb-ssl-test-"+str(time.time()) self.setuptestcase() self.setup_parser() if extra_args: for arg in extra_args: self.parser.add_argument(arg) self.get_args() # Setup basic eutester object if self.args.region: self.tester = ELBops( credpath=self.args.credpath, region=self.args.region) else: self.tester = Eucaops( credpath=self.args.credpath, config_file=self.args.config,password=self.args.password) self.tester.poll_count = 120 ### Add and authorize a group for the instance self.group = self.tester.add_group(group_name="group-" + str(time.time())) self.tester.authorize_group_by_name(group_name=self.group.name ) self.tester.authorize_group_by_name(group_name=self.group.name, port=-1, protocol="icmp" ) ### Generate a keypair for the instance self.keypair = self.tester.add_keypair( "keypair-" + str(time.time())) self.keypath = '%s/%s.pem' % (os.curdir, self.keypair.name) ### Get an image self.image = self.args.emi if not self.image: self.image = self.tester.get_emi(root_device_type="instance-store") ### Populate available zones zones = self.tester.ec2.get_all_zones() self.zone = random.choice(zones).name self.load_balancer_port = 80 (self.web_servers, self.filename) = self.tester.create_web_servers(keypair=self.keypair, group=self.group, zone=self.zone, port=self.load_balancer_port, filename='instance-name', image=self.image, count=1) self.load_balancer = self.tester.create_load_balancer(zones=[self.zone], name="test-" + str(time.time()), load_balancer_port=self.load_balancer_port) assert isinstance(self.load_balancer, LoadBalancer) self.tester.register_lb_instances(self.load_balancer.name, self.web_servers.instances) def ssl_termination(self): """ This will test ELB with HTTPS listener. @raise Exception: """ self.debug("ELB SSl test") """get ELB ip info and setup url""" dns = self.tester.service_manager.get_enabled_dns() lb_ip = dns.resolve(self.load_balancer.dns_name) lb_url = "https://{0}/instance-name".format(lb_ip) """upload server certificate""" self.tester.add_server_cert(cert_name=self.cert_name) """create a new listener on HTTPS port 443 and remove listener on port 80""" cert_arn = self.tester.get_server_cert(self.cert_name).arn listener = (443, 80, "HTTPS", cert_arn) self.tester.add_lb_listener(lb_name=self.load_balancer.name, listener=listener) self.tester.remove_lb_listener(lb_name=self.load_balancer.name, port=self.load_balancer_port) """perform https requests to LB""" self.tester.generate_http_requests(url=lb_url, count=10) def clean_method(self): self.tester.delete_server_cert(self.cert_name) self.tester.cleanup_artifacts()
class SSLTermination(EutesterTestCase): def __init__(self, extra_args= None): self.setuptestcase() self.setup_parser() if extra_args: for arg in extra_args: self.parser.add_argument(arg) self.get_args() # Setup basic eutester object if self.args.region: self.tester = ELBops(credpath=self.args.credpath, region=self.args.region) else: self.tester = Eucaops(credpath=self.args.credpath, config_file=self.args.config,password=self.args.password) # test resource hash self.test_hash = str(int(time.time())) # test resources dir self.resource_dir = "./testcases/cloud_user/elb/test_data" # User data file self.user_data = self.resource_dir+"/webserver_user_data.sh" # Add and authorize a group for the instances self.group = self.tester.add_group(group_name="group-" + self.test_hash) self.tester.authorize_group_by_name(group_name=self.group.name) self.tester.authorize_group_by_name(group_name=self.group.name, port=-1, protocol="icmp") self.tester.authorize_group_by_name(group_name=self.group.name, port=80, protocol="tcp") self.tester.authorize_group_by_name(group_name=self.group.name, port=443, protocol="tcp") # Generate a keypair for the instances self.keypair = self.tester.add_keypair("keypair-" + self.test_hash) self.keypath = '%s/%s.pem' % (os.curdir, self.keypair.name) # Get an image self.image = self.args.emi if not self.image: self.image = self.tester.get_emi() # Populate available zones zones = self.tester.ec2.get_all_zones() self.zone = random.choice(zones).name # create base load balancer self.load_balancer_port = 80 self.load_balancer = self.tester.create_load_balancer(zones=[self.zone], name="elb-" + self.test_hash, load_balancer_port=self.load_balancer_port) assert isinstance(self.load_balancer, LoadBalancer) # create autoscaling group of webservers that register to the load balancer self.count = 1 (self.web_servers) = self.tester.create_as_webservers(name=self.test_hash, keypair=self.keypair.name, group=self.group.name, zone=self.zone, image=self.image.id, count=self.count, user_data=self.user_data, load_balancer=self.load_balancer.name) # web servers scaling group self.asg = self.tester.describe_as_group(name="asg-"+self.test_hash) # wait until scaling instances are InService with the load balancer before continuing - 5 min timeout assert self.tester.wait_for_result(self.tester.wait_for_lb_instances, True, timeout=300, lb=self.load_balancer.name, number=self.count) def ssl_termination(self): """ This will test ELB with HTTPS listener for the front end elb connection. @raise Exception: """ self.debug("ELB SSl test") # get ELB ip info and setup url (also verifies DNS lookup) dns = self.tester.service_manager.get_enabled_dns() lb_ip = dns.resolve(self.load_balancer.dns_name) lb_url = "https://{0}/instance-name".format(lb_ip) # upload server certificate frontend_cert_name = "elb-ssl-test-"+str(int(time.time())) self.tester.add_server_cert(cert_name=frontend_cert_name) # remove any existing listeners self.remove_all_listeners(lb_name=self.load_balancer.name) """create a new listener on HTTPS port 443 and remove listener on port 80""" cert_arn = self.tester.get_server_cert(self.cert_name).arn listener = (443, 80, "HTTPS", "HTTP", cert_arn) self.tester.add_lb_listener(lb_name=self.load_balancer.name, listener=listener) self.tester.remove_lb_listener(lb_name=self.load_balancer.name, port=self.load_balancer_port) self.tester.update_listener(lb=self.load_balancer, lb_port=443, lb_protocol="HTTPS", instance_port=80, instance_protocol="HTTP", cert_arn=frontend_cert_arn) # perform https requests to LB self.tester.sleep(10) self.tester.generate_http_requests(url=lb_url, count=10) def end_to_end_ssl_termination(self): """ Test for https://eucalyptus.atlassian.net/browse/EUCA-10477 This will test ELB end to end encryption. @raise Exception: """ self.debug("ELB End To End SSl test") # get ELB url lb_url = "https://"+self.load_balancer.dns_name+"/instance-name" # upload server certificate frontend_cert_name = "elb-e2e-ssl-test-"+str(int(time.time())) self.tester.add_server_cert(cert_name=frontend_cert_name) # get the arn of the certificate frontend_cert_arn = self.tester.get_server_cert(frontend_cert_name).arn # remove any existing listeners self.remove_all_listeners(lb_name=self.load_balancer.name) # update listener self.tester.update_listener(lb=self.load_balancer, lb_port=443, lb_protocol="HTTPS", instance_port=443, instance_protocol="HTTPS", cert_arn=frontend_cert_arn) # ssl certfile cert_file = "ssl_server_certs_basics.crt" # PublicKeyPolicy cert_body = open(join(self.resource_dir, cert_file)).read() publickey_policy_attributes = {'PublicKey': cert_body} publickey_policy_name = "snakecert" self.tester.create_lb_policy(lb_name=self.load_balancer.name, policy_name=publickey_policy_name, policy_type="PublicKeyPolicyType", policy_attributes=publickey_policy_attributes) # BackendServerAuthenticationPolicy backend_policy_attributes = {'PublicKeyPolicyName': publickey_policy_name} backend_policy_name = "snakeauth" self.tester.create_lb_policy(lb_name=self.load_balancer.name, policy_name=backend_policy_name, policy_type="BackendServerAuthenticationPolicyType", policy_attributes=backend_policy_attributes) self.tester.set_lb_policy_for_back_end_server(lb_name=self.load_balancer.name, instance_port=443, policy_name=backend_policy_name) # perform https requests to LB self.tester.sleep(15) self.tester.generate_http_requests(url=lb_url, count=10) def only_back_end_authentication(self): """ Test for https://eucalyptus.atlassian.net/browse/EUCA-10477 This will test HTTP connection to ELB front end with back end encryption of traffic to the registered instances. @raise Exception: """ self.debug("ELB Back End SSl test") # get ELB url lb_url = "http://"+self.load_balancer.dns_name+"/instance-name" # remove any existing listeners self.remove_all_listeners(lb_name=self.load_balancer.name) # update listener self.tester.update_listener(lb=self.load_balancer, lb_port=80, lb_protocol="HTTP", instance_port=443, instance_protocol="HTTPS") # ssl certfile cert_file = "ssl_server_certs_basics.crt" # PublicKeyPolicy cert_body = open(join(self.resource_dir, cert_file)).read() publickey_policy_attributes = {'PublicKey': cert_body} publickey_policy_name = "snakecert-backend-only" self.tester.create_lb_policy(lb_name=self.load_balancer.name, policy_name=publickey_policy_name, policy_type="PublicKeyPolicyType", policy_attributes=publickey_policy_attributes) # BackendServerAuthenticationPolicy backend_policy_attributes = {'PublicKeyPolicyName': publickey_policy_name} backend_policy_name = "snakeauth-back-end-only" self.tester.create_lb_policy(lb_name=self.load_balancer.name, policy_name=backend_policy_name, policy_type="BackendServerAuthenticationPolicyType", policy_attributes=backend_policy_attributes) self.tester.set_lb_policy_for_back_end_server(lb_name=self.load_balancer.name, instance_port=443, policy_name=backend_policy_name) # perform https requests to LB self.tester.sleep(15) self.tester.generate_http_requests(url=lb_url, count=10) def invalid_backend_authentication(self): """ Test for https://eucalyptus.atlassian.net/browse/EUCA-10477 This is a negative test for ELB backend auth. Policy has invalid cert for backend authentication. We expect an HTTP 503 error returned @raise Exception: """ self.debug("ELB Back End SSl Negative test") # get ELB url lb_url = "http://"+self.load_balancer.dns_name+"/instance-name" # remove any existing listeners self.remove_all_listeners(lb_name=self.load_balancer.name) # update listener self.tester.update_listener(lb=self.load_balancer, lb_port=80, lb_protocol="HTTP", instance_port=443, instance_protocol="HTTPS") # ssl certfile cert_file = "bad_cert.crt" # PublicKeyPolicy cert_body = open(join(self.resource_dir, cert_file)).read() publickey_policy_attributes = {'PublicKey': cert_body} publickey_policy_name = "snakecertBAD" self.tester.create_lb_policy(lb_name=self.load_balancer.name, policy_name=publickey_policy_name, policy_type="PublicKeyPolicyType", policy_attributes=publickey_policy_attributes) # BackendServerAuthenticationPolicy backend_policy_attributes = {'PublicKeyPolicyName': publickey_policy_name} backend_policy_name = "snakeauthBAD" self.tester.create_lb_policy(lb_name=self.load_balancer.name, policy_name=backend_policy_name, policy_type="BackendServerAuthenticationPolicyType", policy_attributes=backend_policy_attributes) self.tester.set_lb_policy_for_back_end_server(lb_name=self.load_balancer.name, instance_port=443, policy_name=backend_policy_name) # perform https requests to LB self.tester.sleep(15) got_expected_error = False try: self.tester.generate_http_requests(url=lb_url, count=10) except HTTPError as e: self.debug("PASSED, received expected error: " + str(e.getcode()) + " " + e.msg) got_expected_error = True assert got_expected_error, "Did not get expected HTTP 503 ERROR response" def remove_all_listeners(self, lb_name): for listener in self.tester.describe_lb_listeners(lb_name): self.debug("Found existing listener: " + str(listener)) self.tester.remove_lb_listener(lb_name=lb_name, port=listener.load_balancer_port) def clean_method(self): try: self.tester.delete_all_server_certs() except: self.debug("Delete certificates went awry") finally: self.tester.cleanup_artifacts() if self.tester.test_resources["security-groups"]: for group in self.tester.test_resources["security-groups"]: self.tester.wait_for_result(self.tester.gracefully_delete_group, True, timeout=60, group=group)