def start_other_runtimes(runtimes, rt, hostname, request_handler, tls=False):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
#Start the other runtimes
for i in range(1, len(runtimes)):
_log.info("Starting runtime {}".format(i))
try:
logfile = _config_pytest.getoption("logfile") + "500{}".format(i)
outfile = os.path.join(
os.path.dirname(logfile),
os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(hostname,
port=5000 + i,
controlport=5020 + i,
attr=runtimes[i]["attributes"],
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin500{}.conf".format(i))
uri = "https://{}:502{}".format(
hostname, i) if tls == True else "http://{}:502{}".format(
hostname, i)
rt.append(RT(uri))
rt[i].attributes = runtimes[i]["attributes"]
time.sleep(0.1)
def start_runtime0(runtimes,
rt,
hostname,
request_handler,
tls=False,
enroll_passwords=False):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
#Start runtime 0 as it takes alot of time to start, and needs to be up before the others start
_log.info("Starting runtime 0")
try:
logfile = _config_pytest.getoption("logfile") + "5000"
outfile = os.path.join(os.path.dirname(logfile),
os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(hostname,
port=5000,
controlport=5020,
attr=runtimes[0]["attributes"],
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin5000.conf")
uri = "https://{}:5020".format(
hostname) if tls == True else "http://{}:5020".format(hostname)
rt.append(RT(uri))
rt[0].attributes = runtimes[0]["attributes"]
#Wait for runtime 0 to be up and running
wait_for_runtime(request_handler, rt[0])
def start_runtime0(runtimes, hostname, request_handler, tls=False, enroll_passwords=False):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
#Start runtime 0 as it takes alot of time to start, and needs to be up before the others start
_log.info("Starting runtime 0")
try:
logfile = _config_pytest.getoption("logfile")+"5000"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
try:
# Dump attribute file to allow manual check of starting runtimes later
json.dump(runtimes[0]["attributes"], open("/tmp/calvin5000.attr", "w"))
except:
pass
csruntime(hostname, port=5000, controlport=5020, attr=runtimes[0]["attributes"],
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin5000.conf")
uri = "calvinip://{}:5000".format(hostname)
curi = "https://{}:5020".format(hostname) if tls==True else "http://{}:5020".format(hostname)
runtimes[0]['RT'] = RT(curi)
runtimes[0]['RT'].uris=[uri]
runtimes[0]['RT'].attributes=runtimes[0]["attributes"]
#Wait for runtime 0 to be up and running
wait_for_runtime(request_handler, runtimes[0]["RT"])
def start_other_runtimes(runtimes, hostname, request_handler, tls=False):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
#Start the other runtimes
for i in range(1, len(runtimes)):
_log.info("Starting runtime {}".format(i))
try:
logfile = _config_pytest.getoption("logfile") + "500{}".format(i)
outfile = os.path.join(
os.path.dirname(logfile),
os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
try:
# Dump attribute file to allow manual check of starting runtimes later
json.dump(runtimes[0]["attributes"],
open("/tmp/calvin500{}.attr".format(i), "w"))
except:
pass
csruntime(hostname,
port=5000 + i,
controlport=5020 + i,
attr=runtimes[i]["attributes"],
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin500{}.conf".format(i))
uri = "calvinip://{}:500{}".format(hostname, i)
curi = "https://{}:502{}".format(
hostname, i) if tls == True else "http://{}:502{}".format(
hostname, i)
requests_rt = RT(curi)
runtimes[i]['RT'] = RT(curi)
runtimes[i]['RT'].uris = [uri]
runtimes[i]['RT'].attributes = runtimes[i]["attributes"]
time.sleep(0.1)
time.sleep(1)
try:
security_verify_storage(runtimes, request_handler)
except Exception as err:
_log.error("Failed storage verification, err={}".format(err))
raise
def setup(self, request):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
global rt1
global rt2
global test_script_dir
_conf.save("/tmp/calvin5000.conf")
try:
logfile = _config_pytest.getoption("logfile")+"5000"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5000, controlport=5003, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'organization': 'org.testexample', 'name': 'testNode1'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin5000.conf")
rt1 = utils.RT("http://%s:5003" % ip_addr)
_conf.set('global', 'actor_paths', [absolute_filename('test_store')])
_conf.set('global', 'capabilities_blacklist', ['calvinsys.events.timer'])
_conf.save("/tmp/calvin5001.conf")
try:
logfile = _config_pytest.getoption("logfile")+"5001"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5001, controlport=5004, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'organization': 'org.testexample', 'name': 'testNode2'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin5001.conf")
rt2 = utils.RT("http://%s:5004" % ip_addr)
test_script_dir = absolute_filename('scripts/')
request.addfinalizer(self.teardown)
def start_other_runtimes(runtimes, hostname, request_handler, tls=False):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
#Start the other runtimes
for i in range(1, len(runtimes)):
_log.info("Starting runtime {}".format(i))
try:
logfile = _config_pytest.getoption("logfile")+"500{}".format(i)
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
try:
# Dump attribute file to allow manual check of starting runtimes later
json.dump(runtimes[0]["attributes"], open("/tmp/calvin500{}.attr".format(i), "w"))
except:
pass
csruntime(hostname,
port=5000+i,
controlport=5020+i,
attr=runtimes[i]["attributes"],
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin500{}.conf".format(i))
uri = "calvinip://{}:500{}".format(hostname, i)
curi = "https://{}:502{}".format(hostname, i) if tls==True else "http://{}:502{}".format(hostname, i)
requests_rt = RT(curi)
runtimes[i]['RT'] = RT(curi)
runtimes[i]['RT'].uris = [uri]
runtimes[i]['RT'].attributes=runtimes[i]["attributes"]
time.sleep(0.1)
time.sleep(1)
try:
security_verify_storage(runtimes, request_handler)
except Exception as err:
_log.error("Failed storage verification, err={}".format(err))
raise
def start_runtime0(runtimes,
hostname,
request_handler,
tls=False,
enroll_passwords=False):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
#Start runtime 0 as it takes alot of time to start, and needs to be up before the others start
_log.info("Starting runtime 0")
try:
logfile = _config_pytest.getoption("logfile") + "5000"
outfile = os.path.join(os.path.dirname(logfile),
os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
try:
# Dump attribute file to allow manual check of starting runtimes later
json.dump(runtimes[0]["attributes"], open("/tmp/calvin5000.attr", "w"))
except:
pass
csruntime(hostname,
port=5000,
controlport=5020,
attr=runtimes[0]["attributes"],
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin5000.conf")
uri = "calvinip://{}:5000".format(hostname)
curi = "https://{}:5020".format(
hostname) if tls == True else "http://{}:5020".format(hostname)
runtimes[0]['RT'] = RT(curi)
runtimes[0]['RT'].uris = [uri]
runtimes[0]['RT'].attributes = runtimes[0]["attributes"]
#Wait for runtime 0 to be up and running
wait_for_runtime(request_handler, runtimes[0]["RT"])
def setup(self, request):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
homefolder = get_home()
domain = "rttest"
testdir = os.path.join(homefolder, ".calvin","sec_dht_test")
configdir = os.path.join(testdir, domain)
runtimesdir = os.path.join(testdir,"runtimes")
runtimes_truststore = os.path.join(runtimesdir,"truststore_for_transport")
try:
shutil.rmtree(testdir)
except:
print "Failed to remove old tesdir"
pass
try:
os.mkdir(testdir)
os.mkdir(configdir)
os.mkdir(runtimesdir)
os.mkdir(runtimes_truststore)
except:
print "Failed to create test folder structure"
pass
print "Trying to create a new test domain configuration."
ca = certificate_authority.CA(domain=domain, commonName="sec-dht-test-CA", security_dir=testdir)
print "Reading configuration successfull."
print "Copy CA cert into truststore of runtimes folder"
ca.export_ca_cert(runtimes_truststore)
ca_original_backup = os.path.join(homefolder, ".calvin",
"sec_dht_test_backup", domain)
try:
shutil.rmtree(ca_original_backup)
except:
pass
# copy other setup and remove private directory and openssl.conf file
# shutil.copytree(configdir, ca_original_backup)
# shutil.rmtree(os.path.join(configdir, "private"))
# configfile=os.path.join(configdir, "openssl.conf")
# os.remove(configfile)
# print "Trying to create a second test domain configuration."
# testconfig = certificate_authority.CA(domain=domain, security_dir=testdir)
global rt1
global rt2
global rt3
global test_script_dir
rt_conf = copy.deepcopy(_conf)
rt_conf.set('global', 'storage_type', 'securedht')
rt_conf.add_section('security')
rt_conf.set('security', "runtimes_path", runtimesdir)
rt_conf.set('security', "security_domain_name", domain)
rt_conf.set('security', "security_path",testdir)
rt_conf.save("/tmp/calvin1.conf")
rt_conf2 = copy.deepcopy(rt_conf)
rt_conf2.set('global', 'actor_paths', [absolute_filename('test_store')])
rt_conf2.set('global', 'capabilities_blacklist', ['calvinsys.events.timer'])
rt_conf2.save("/tmp/calvin2.conf")
rt_ca_conf = copy.deepcopy(rt_conf)
rt_ca_conf.set('security', "certificate_authority", "True")
rt_ca_conf.save("/tmp/calvin_ca.conf")
try:
logfile = _config_pytest.getoption("logfile")+"5000"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5000, controlport=5003, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'name': 'node0'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin_ca.conf")
rt1 = RT("http://%s:5003" % ip_addr)
try:
logfile = _config_pytest.getoption("logfile")+"5001"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5001, controlport=5004, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'name': 'node1'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin1.conf")
rt2 = RT("http://%s:5004" % ip_addr)
try:
logfile = _config_pytest.getoption("logfile")+"5002"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5002, controlport=5005, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'name': 'node2'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin2.conf")
rt3 = RT("http://%s:5005" % ip_addr)
test_script_dir = absolute_filename('scripts/')
request.addfinalizer(self.teardown)
def setup(self, request):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
homefolder = get_home()
domain = "rttest"
testdir = os.path.join(homefolder, ".calvin", "sec_dht_test")
configdir = os.path.join(testdir, domain)
runtimesdir = os.path.join(testdir, "runtimes")
runtimes_truststore = os.path.join(runtimesdir,
"truststore_for_transport")
try:
shutil.rmtree(testdir)
except:
print "Failed to remove old tesdir"
pass
try:
os.mkdir(testdir)
os.mkdir(configdir)
os.mkdir(runtimesdir)
os.mkdir(runtimes_truststore)
except:
print "Failed to create test folder structure"
pass
print "Trying to create a new test domain configuration."
ca = certificate_authority.CA(domain=domain,
commonName="sec-dht-test-CA",
security_dir=testdir)
print "Reading configuration successfull."
print "Copy CA cert into truststore of runtimes folder"
ca.export_ca_cert(runtimes_truststore)
ca_original_backup = os.path.join(homefolder, ".calvin",
"sec_dht_test_backup", domain)
try:
shutil.rmtree(ca_original_backup)
except:
pass
# copy other setup and remove private directory and openssl.conf file
# shutil.copytree(configdir, ca_original_backup)
# shutil.rmtree(os.path.join(configdir, "private"))
# configfile=os.path.join(configdir, "openssl.conf")
# os.remove(configfile)
# print "Trying to create a second test domain configuration."
# testconfig = certificate_authority.CA(domain=domain, security_dir=testdir)
global rt1
global rt2
global rt3
global test_script_dir
rt_conf = copy.deepcopy(_conf)
rt_conf.set('global', 'storage_type', 'securedht')
rt_conf.add_section('security')
rt_conf.set('security', "runtimes_path", runtimesdir)
rt_conf.set('security', "security_domain_name", domain)
rt_conf.set('security', "security_path", testdir)
rt_conf.save("/tmp/calvin1.conf")
rt_conf2 = copy.deepcopy(rt_conf)
rt_conf2.set('global', 'actor_paths',
[absolute_filename('test_store')])
rt_conf2.set('global', 'capabilities_blacklist',
['calvinsys.events.timer'])
rt_conf2.save("/tmp/calvin2.conf")
rt_ca_conf = copy.deepcopy(rt_conf)
rt_ca_conf.set('security', "certificate_authority", "True")
rt_ca_conf.save("/tmp/calvin_ca.conf")
try:
logfile = _config_pytest.getoption("logfile") + "5000"
outfile = os.path.join(
os.path.dirname(logfile),
os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr,
port=5000,
controlport=5003,
attr={
'indexed_public': {
'owner': {
'organization': 'org.testexample',
'personOrGroup': 'testOwner1'
},
'node_name': {
'name': 'node0'
},
'address': {
'country': 'SE',
'locality': 'testCity',
'street': 'testStreet',
'streetNumber': 1
}
}
},
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin_ca.conf")
rt1 = RT("http://%s:5003" % ip_addr)
try:
logfile = _config_pytest.getoption("logfile") + "5001"
outfile = os.path.join(
os.path.dirname(logfile),
os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr,
port=5001,
controlport=5004,
attr={
'indexed_public': {
'owner': {
'organization': 'org.testexample',
'personOrGroup': 'testOwner1'
},
'node_name': {
'name': 'node1'
},
'address': {
'country': 'SE',
'locality': 'testCity',
'street': 'testStreet',
'streetNumber': 1
}
}
},
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin1.conf")
rt2 = RT("http://%s:5004" % ip_addr)
try:
logfile = _config_pytest.getoption("logfile") + "5002"
outfile = os.path.join(
os.path.dirname(logfile),
os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr,
port=5002,
controlport=5005,
attr={
'indexed_public': {
'owner': {
'organization': 'org.testexample',
'personOrGroup': 'testOwner1'
},
'node_name': {
'name': 'node2'
},
'address': {
'country': 'SE',
'locality': 'testCity',
'street': 'testStreet',
'streetNumber': 1
}
}
},
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin2.conf")
rt3 = RT("http://%s:5005" % ip_addr)
test_script_dir = absolute_filename('scripts/')
request.addfinalizer(self.teardown)
def setup(self, request):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
homefolder = get_home()
domain = "rttest"
configdir = os.path.join(homefolder, ".calvin",
"security", domain)
try:
shutil.rmtree(configdir)
except:
pass
print "Trying to create a new test domain configuration."
testconfig = certificate.Config(domain=domain)
print "Reading configuration successfull."
print "Creating new domain."
certificate.new_domain(testconfig)
print "Created new domain."
# Now handled within runtime
#for i in range(3):
# name = "++++node{}".format(i)
# nodeid = calvinuuid.uuid("NODE")
# certreq = certificate.new_runtime(testconfig, name, nodeid=nodeid)
# certificate.sign_req(testconfig, os.path.basename(certreq), name)
global rt1
global rt2
global rt3
global test_script_dir
rt_conf = copy.deepcopy(_conf)
rt_conf.set('global', 'storage_type', 'securedht')
rt_conf.add_section('security')
rt_conf.set('security', "certificate_conf", None)
rt_conf.set('security', "certificate_domain", domain)
rt_conf.save("/tmp/calvin500x.conf")
try:
logfile = _config_pytest.getoption("logfile")+"5000"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5000, controlport=5003, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'name': 'node0'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin500x.conf")
rt1 = RT("http://%s:5003" % ip_addr)
try:
logfile = _config_pytest.getoption("logfile")+"5001"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5001, controlport=5004, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'name': 'node1'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin500x.conf")
rt2 = RT("http://%s:5004" % ip_addr)
try:
logfile = _config_pytest.getoption("logfile")+"5002"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5002, controlport=5005, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'name': 'node2'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin500x.conf")
rt3 = RT("http://%s:5005" % ip_addr)
test_script_dir = absolute_filename('scripts/')
request.addfinalizer(self.teardown)
def setup(self, request):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
global rt1
global rt2
global rt3
global rt4
global security_test_dir
security_test_dir = os.path.join(os.path.dirname(__file__), "security_test")
# Runtime 1: local authentication, signature verification, local authorization.
rt_conf = copy.deepcopy(_conf)
rt_conf.set("security", "security_domain_name", "testdomain")
rt_conf.set("security", "security_path", security_test_dir)
rt_conf.set("global", "actor_paths", [os.path.join(security_test_dir, "store")])
rt1_conf = copy.deepcopy(rt_conf)
rt1_conf.set(
"security",
"security_conf",
{
"comment": "Local authentication, local authorization",
"signature_trust_store": os.path.join(security_test_dir, "trustStore"),
"authentication": {
"procedure": "local",
"identity_provider_path": os.path.join(security_test_dir, "identity_provider"),
},
"authorization": {
"procedure": "local",
"policy_storage_path": os.path.join(security_test_dir, "policies"),
},
},
)
rt1_conf.set("global", "actor_paths", [os.path.join(security_test_dir, "store")])
rt1_conf.save("/tmp/calvin5001.conf")
try:
logfile = _config_pytest.getoption("logfile") + "5001"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(
ip_addr,
port=5001,
controlport=5021,
attr={
"indexed_public": {
"owner": {"organization": "org.testexample", "personOrGroup": "testOwner1"},
"node_name": {"organization": "org.testexample", "name": "testNode1"},
"address": {"country": "SE", "locality": "testCity", "street": "testStreet", "streetNumber": 1},
}
},
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin5001.conf",
)
rt1 = RT("http://%s:5021" % ip_addr)
# Runtime 2: local authentication, signature verification, local authorization.
# Can also act as authorization server for other runtimes.
# Other street compared to the other runtimes
rt2_conf = copy.deepcopy(rt_conf)
rt2_conf.set(
"security",
"security_conf",
{
"comment": "Local authentication, local authorization",
"signature_trust_store": os.path.join(security_test_dir, "trustStore"),
"authentication": {
"procedure": "local",
"identity_provider_path": os.path.join(security_test_dir, "identity_provider"),
},
"authorization": {
"procedure": "local",
"policy_storage_path": os.path.join(security_test_dir, "policies"),
"accept_external_requests": True,
},
},
)
rt2_conf.set("global", "actor_paths", [os.path.join(security_test_dir, "store")])
rt2_conf.save("/tmp/calvin5002.conf")
try:
logfile = _config_pytest.getoption("logfile") + "5002"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(
ip_addr,
port=5002,
controlport=5022,
attr={
"indexed_public": {
"owner": {"organization": "org.testexample", "personOrGroup": "testOwner1"},
"node_name": {"organization": "org.testexample", "name": "testNode2"},
"address": {"country": "SE", "locality": "testCity", "street": "otherStreet", "streetNumber": 1},
}
},
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin5002.conf",
)
rt2 = RT("http://%s:5022" % ip_addr)
# Runtime 3: external authentication (RADIUS), signature verification, local authorization.
rt3_conf = copy.deepcopy(rt_conf)
rt3_conf.set(
"security",
"security_conf",
{
"comment": "RADIUS authentication, local authorization",
"signature_trust_store": os.path.join(security_test_dir, "trustStore"),
"authentication": {"procedure": "radius", "server_ip": "localhost", "secret": "elxghyc5lz1_passwd"},
"authorization": {
"procedure": "local",
"policy_storage_path": os.path.join(security_test_dir, "policies"),
},
},
)
rt3_conf.set("global", "actor_paths", [os.path.join(security_test_dir, "store")])
rt3_conf.save("/tmp/calvin5003.conf")
try:
logfile = _config_pytest.getoption("logfile") + "5003"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(
ip_addr,
port=5003,
controlport=5023,
attr={
"indexed_public": {
"owner": {"organization": "org.testexample", "personOrGroup": "testOwner1"},
"node_name": {"organization": "org.testexample", "name": "testNode3"},
"address": {"country": "SE", "locality": "testCity", "street": "testStreet", "streetNumber": 1},
}
},
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin5003.conf",
)
rt3 = RT("http://%s:5023" % ip_addr)
# Runtime 4: local authentication, signature verification, external authorization (runtime 2).
rt4_conf = copy.deepcopy(rt_conf)
rt4_conf.set(
"security",
"security_conf",
{
"comment": "Local authentication, external authorization",
"signature_trust_store": os.path.join(security_test_dir, "trustStore"),
"authentication": {
"procedure": "local",
"identity_provider_path": os.path.join(security_test_dir, "identity_provider"),
},
"authorization": {"procedure": "external", "server_uuid": "17e9ad66-bcba-4068-bc17-7fcc86aa870e"},
},
)
rt4_conf.set("global", "actor_paths", [os.path.join(security_test_dir, "store")])
rt4_conf.save("/tmp/calvin5004.conf")
try:
logfile = _config_pytest.getoption("logfile") + "5004"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
time.sleep(1) # Wait to be sure that runtime 2 has started
csruntime(
ip_addr,
port=5004,
controlport=5024,
attr={
"indexed_public": {
"owner": {"organization": "org.testexample", "personOrGroup": "testOwner1"},
"node_name": {"organization": "org.testexample", "name": "testNode4"},
"address": {"country": "SE", "locality": "testCity", "street": "testStreet", "streetNumber": 1},
}
},
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin5004.conf",
)
rt4 = RT("http://%s:5024" % ip_addr)
request.addfinalizer(self.teardown)
def setup(self, request):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
global rt1
global rt2
global rt3
global rt4
global security_test_dir
security_test_dir = os.path.join(os.path.dirname(__file__), "security_test")
# Runtime 1: local authentication, signature verification, local authorization.
rt_conf = copy.deepcopy(_conf)
rt_conf.set('security', 'security_domain_name', "testdomain")
rt_conf.set('security', 'security_path',security_test_dir)
rt_conf.set('global', 'actor_paths', [os.path.join(security_test_dir, "store")])
rt1_conf = copy.deepcopy(rt_conf)
rt1_conf.set("security", "security_conf", {
"comment": "Local authentication, local authorization",
"signature_trust_store": os.path.join(security_test_dir, "trustStore"),
"authentication": {
"procedure": "local",
"identity_provider_path": os.path.join(security_test_dir, "identity_provider")
},
"authorization": {
"procedure": "local",
"policy_storage_path": os.path.join(security_test_dir, "policies")
}
})
rt1_conf.set('global', 'actor_paths', [os.path.join(security_test_dir, "store")])
rt1_conf.save("/tmp/calvin5001.conf")
try:
logfile = _config_pytest.getoption("logfile")+"5001"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5001, controlport=5021, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'organization': 'org.testexample', 'name': 'testNode1'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin5001.conf")
rt1 = RT("http://%s:5021" % ip_addr)
# Runtime 2: local authentication, signature verification, local authorization.
# Can also act as authorization server for other runtimes.
# Other street compared to the other runtimes
rt2_conf = copy.deepcopy(rt_conf)
rt2_conf.set("security", "security_conf", {
"comment": "Local authentication, local authorization",
"signature_trust_store": os.path.join(security_test_dir, "trustStore"),
"authentication": {
"procedure": "local",
"identity_provider_path": os.path.join(security_test_dir, "identity_provider")
},
"authorization": {
"procedure": "local",
"policy_storage_path": os.path.join(security_test_dir, "policies"),
"accept_external_requests": True
}
})
rt2_conf.set('global', 'actor_paths', [os.path.join(security_test_dir, "store")])
rt2_conf.save("/tmp/calvin5002.conf")
try:
logfile = _config_pytest.getoption("logfile")+"5002"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5002, controlport=5022, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'organization': 'org.testexample', 'name': 'testNode2'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'otherStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin5002.conf")
rt2 = RT("http://%s:5022" % ip_addr)
# Runtime 3: external authentication (RADIUS), signature verification, local authorization.
rt3_conf = copy.deepcopy(rt_conf)
rt3_conf.set("security", "security_conf", {
"comment": "RADIUS authentication, local authorization",
"signature_trust_store": os.path.join(security_test_dir, "trustStore"),
"authentication": {
"procedure": "radius",
"server_ip": "localhost",
"secret": "elxghyc5lz1_passwd"
},
"authorization": {
"procedure": "local",
"policy_storage_path": os.path.join(security_test_dir, "policies")
}
})
rt3_conf.set('global', 'actor_paths', [os.path.join(security_test_dir, "store")])
rt3_conf.save("/tmp/calvin5003.conf")
try:
logfile = _config_pytest.getoption("logfile")+"5003"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5003, controlport=5023, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'organization': 'org.testexample', 'name': 'testNode3'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin5003.conf")
rt3 = RT("http://%s:5023" % ip_addr)
# Runtime 4: local authentication, signature verification, external authorization (runtime 2).
rt4_conf = copy.deepcopy(rt_conf)
rt4_conf.set("security", "security_conf", {
"comment": "Local authentication, external authorization",
"signature_trust_store": os.path.join(security_test_dir, "trustStore"),
"authentication": {
"procedure": "local",
"identity_provider_path": os.path.join(security_test_dir, "identity_provider")
},
"authorization": {
"procedure": "external",
"server_uuid": "17e9ad66-bcba-4068-bc17-7fcc86aa870e"
}
})
rt4_conf.set('global', 'actor_paths', [os.path.join(security_test_dir, "store")])
rt4_conf.save("/tmp/calvin5004.conf")
try:
logfile = _config_pytest.getoption("logfile")+"5004"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
time.sleep(1) # Wait to be sure that runtime 2 has started
csruntime(ip_addr, port=5004, controlport=5024, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'organization': 'org.testexample', 'name': 'testNode4'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin5004.conf")
rt4 = RT("http://%s:5024" % ip_addr)
request.addfinalizer(self.teardown)
def setup(self, request):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
global rt1
global rt2
global rt3
global rt4
global security_test_dir
security_test_dir = os.path.join(os.path.dirname(__file__), "security_test")
# Runtime 1: local authentication, signature verification, no authorization (no policy check).
rt1_conf = copy.deepcopy(_conf)
rt1_conf.set("security", "security_conf", {
"comment": "Local authentication, no authorization",
"signature_trust_store": os.path.join(security_test_dir, "trustStore"),
"authentication": {
"procedure": "local",
"local_users": {"user1": "pass1", "user2": "pass2", "user3": "pass3"}
}
})
rt1_conf.set('global', 'actor_paths', [os.path.join(security_test_dir, "store")])
rt1_conf.set('security', 'certificate_domain', "testdomain")
rt1_conf.set('security', 'certificate_conf', os.path.join(security_test_dir, "testdomain", "openssl.conf"))
rt1_conf.save("/tmp/calvin5001.conf")
try:
logfile = _config_pytest.getoption("logfile")+"5001"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5001, controlport=5021, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'organization': 'org.testexample', 'name': 'testNode1'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin5001.conf")
rt1 = RT("http://%s:5021" % ip_addr)
# Runtime 2: local authentication, signature verification, local authorization.
# Can also act as authorization server for other runtimes.
rt2_conf = copy.deepcopy(_conf)
rt2_conf.set("security", "security_conf", {
"comment": "Local authentication, local authorization",
"signature_trust_store": os.path.join(security_test_dir, "trustStore"),
"authentication": {
"procedure": "local",
"local_users": {"user1": "pass1", "user2": "pass2", "user3": "pass3"}
},
"authorization": {
"procedure": "local",
"policy_storage_path": os.path.join(security_test_dir, "policies")
}
})
rt2_conf.set('global', 'actor_paths', [os.path.join(security_test_dir, "store")])
rt2_conf.set('security', 'certificate_domain', "testdomain")
rt2_conf.set('security', 'certificate_conf', os.path.join(security_test_dir, "testdomain", "openssl.conf"))
rt2_conf.save("/tmp/calvin5002.conf")
try:
logfile = _config_pytest.getoption("logfile")+"5002"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5002, controlport=5022, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'organization': 'org.testexample', 'name': 'testNode2'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin5002.conf", authz_server=True)
rt2 = RT("http://%s:5022" % ip_addr)
# Runtime 3: external authentication (RADIUS), signature verification, local authorization.
rt3_conf = copy.deepcopy(_conf)
rt3_conf.set("security", "security_conf", {
"comment": "RADIUS authentication, local authorization",
"signature_trust_store": os.path.join(security_test_dir, "trustStore"),
"authentication": {
"procedure": "radius",
"server_ip": "localhost",
"secret": "elxghyc5lz1_passwd"
},
"authorization": {
"procedure": "local",
"policy_storage_path": os.path.join(security_test_dir, "policies")
}
})
rt3_conf.set('global', 'actor_paths', [os.path.join(security_test_dir, "store")])
rt3_conf.set('security', 'certificate_domain', "testdomain")
rt3_conf.set('security', 'certificate_conf', os.path.join(security_test_dir, "testdomain", "openssl.conf"))
rt3_conf.save("/tmp/calvin5003.conf")
try:
logfile = _config_pytest.getoption("logfile")+"5003"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5003, controlport=5023, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'organization': 'org.testexample', 'name': 'testNode3'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin5003.conf")
rt3 = RT("http://%s:5023" % ip_addr)
# Runtime 4: local authentication, signature verification, external authorization (runtime 2).
rt4_conf = copy.deepcopy(_conf)
rt4_conf.set("security", "security_conf", {
"comment": "Local authentication, external authorization",
"signature_trust_store": os.path.join(security_test_dir, "trustStore"),
"authentication": {
"procedure": "local",
"local_users": {"user1": "pass1", "user2": "pass2", "user3": "pass3"}
},
"authorization": {
"procedure": "external",
"server_ip": ip_addr,
"server_port": 5022
}
})
rt4_conf.set('global', 'actor_paths', [os.path.join(security_test_dir, "store")])
rt4_conf.set('security', 'certificate_domain', "testdomain")
rt4_conf.set('security', 'certificate_conf', os.path.join(security_test_dir, "testdomain", "openssl.conf"))
rt4_conf.save("/tmp/calvin5004.conf")
try:
logfile = _config_pytest.getoption("logfile")+"5004"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5004, controlport=5024, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'organization': 'org.testexample', 'name': 'testNode4'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin5004.conf")
rt4 = RT("http://%s:5024" % ip_addr)
request.addfinalizer(self.teardown)
def setup(self, request):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
import fileinput
global rt
global request_handler
try:
shutil.rmtree(credentials_testdir)
except Exception as err:
print "Failed to remove old tesdir, err={}".format(err)
pass
try:
os.makedirs(credentials_testdir)
os.makedirs(runtimesdir)
os.makedirs(runtimes_truststore)
os.makedirs(runtimes_truststore_signing_path)
os.makedirs(actor_store_path)
os.makedirs(os.path.join(actor_store_path, "test"))
shutil.copy(
os.path.join(orig_actor_store_path, "test", "__init__.py"),
os.path.join(actor_store_path, "test", "__init__.py"))
os.makedirs(os.path.join(actor_store_path, "std"))
shutil.copy(
os.path.join(orig_actor_store_path, "std", "__init__.py"),
os.path.join(actor_store_path, "std", "__init__.py"))
shutil.copytree(orig_application_store_path,
application_store_path)
filelist = [
f for f in os.listdir(application_store_path)
if f.endswith(".sign.93d58fef")
]
for f in filelist:
os.remove(os.path.join(application_store_path, f))
shutil.copytree(
os.path.join(security_testdir, "identity_provider"),
identity_provider_path)
except Exception as err:
_log.error(
"Failed to create test folder structure, err={}".format(err))
print "Failed to create test folder structure, err={}".format(err)
raise
print "Trying to create a new test application/actor signer."
cs = code_signer.CS(organization="testsigner",
commonName="signer",
security_dir=credentials_testdir)
#Create signed version of CountTimer actor
orig_actor_CountTimer_path = os.path.join(orig_actor_store_path, "std",
"CountTimer.py")
actor_CountTimer_path = os.path.join(actor_store_path, "std",
"CountTimer.py")
shutil.copy(orig_actor_CountTimer_path, actor_CountTimer_path)
# cs.sign_file(actor_CountTimer_path)
#Create unsigned version of CountTimer actor
actor_CountTimerUnsigned_path = actor_CountTimer_path.replace(
".py", "Unsigned.py")
shutil.copy(actor_CountTimer_path, actor_CountTimerUnsigned_path)
replace_text_in_file(actor_CountTimerUnsigned_path, "CountTimer",
"CountTimerUnsigned")
#Create signed version of Sum actor
orig_actor_Sum_path = os.path.join(orig_actor_store_path, "std",
"Sum.py")
actor_Sum_path = os.path.join(actor_store_path, "std", "Sum.py")
shutil.copy(orig_actor_Sum_path, actor_Sum_path)
# cs.sign_file(actor_Sum_path)
#Create unsigned version of Sum actor
actor_SumUnsigned_path = actor_Sum_path.replace(".py", "Unsigned.py")
shutil.copy(actor_Sum_path, actor_SumUnsigned_path)
replace_text_in_file(actor_SumUnsigned_path, "Sum", "SumUnsigned")
#Create incorrectly signed version of Sum actor
# actor_SumFake_path = actor_Sum_path.replace(".py", "Fake.py")
# shutil.copy(actor_Sum_path, actor_SumFake_path)
# #Change the class name to SumFake
# replace_text_in_file(actor_SumFake_path, "Sum", "SumFake")
# cs.sign_file(actor_SumFake_path)
# #Now append to the signed file so the signature verification fails
# with open(actor_SumFake_path, "a") as fd:
# fd.write(" ")
#Create signed version of Sink actor
orig_actor_Sink_path = os.path.join(orig_actor_store_path, "test",
"Sink.py")
actor_Sink_path = os.path.join(actor_store_path, "test", "Sink.py")
shutil.copy(orig_actor_Sink_path, actor_Sink_path)
# cs.sign_file(actor_Sink_path)
#Create unsigned version of Sink actor
actor_SinkUnsigned_path = actor_Sink_path.replace(".py", "Unsigned.py")
shutil.copy(actor_Sink_path, actor_SinkUnsigned_path)
replace_text_in_file(actor_SinkUnsigned_path, "Sink", "SinkUnsigned")
#Sign applications
# cs.sign_file(os.path.join(application_store_path, "test_security1_correctly_signed.calvin"))
# cs.sign_file(os.path.join(application_store_path, "test_security1_correctlySignedApp_incorrectlySignedActor.calvin"))
# cs.sign_file(os.path.join(application_store_path, "test_security1_incorrectly_signed.calvin"))
# #Now append to the signed file so the signature verification fails
# with open(os.path.join(application_store_path, "test_security1_incorrectly_signed.calvin"), "a") as fd:
# fd.write(" ")
# print "Export Code Signers certificate to the truststore for code signing"
# out_file = cs.export_cs_cert(runtimes_truststore_signing_path)
print "Trying to create a new test domain configuration."
ca = certificate_authority.CA(domain=domain_name,
commonName="testdomain CA",
security_dir=credentials_testdir)
#
print "Copy CA cert into truststore of runtimes folder"
ca.export_ca_cert(runtimes_truststore)
#Define the runtime attributes
rt0_attributes = {
'indexed_public': {
'owner': {
'organization': domain_name,
'personOrGroup': 'testOwner1'
},
'node_name': {
'organization': 'org.testexample',
'name': 'CA'
},
'address': {
'country': 'SE',
'locality': 'testCity',
'street': 'testStreet',
'streetNumber': 1
}
}
}
rt1_attributes = {
'indexed_public': {
'owner': {
'organization': domain_name,
'personOrGroup': 'testOwner1'
},
'node_name': {
'organization': 'org.testexample',
'name': 'testNode1'
},
'address': {
'country': 'SE',
'locality': 'testCity',
'street': 'testStreet',
'streetNumber': 1
}
}
}
rt2_attributes = {
'indexed_public': {
'owner': {
'organization': domain_name,
'personOrGroup': 'testOwner1'
},
'node_name': {
'organization': 'org.testexample',
'name': 'testNode2'
},
'address': {
'country': 'SE',
'locality': 'testCity',
'street': 'otherStreet',
'streetNumber': 1
}
}
}
rt3_attributes = {
'indexed_public': {
'owner': {
'organization': domain_name,
'personOrGroup': 'testOwner1'
},
'node_name': {
'organization': 'org.testexample',
'name': 'testNode3'
},
'address': {
'country': 'SE',
'locality': 'testCity',
'street': 'testStreet',
'streetNumber': 1
}
}
}
rt4_attributes = {
'indexed_public': {
'owner': {
'organization': domain_name,
'personOrGroup': 'testOwner1'
},
'node_name': {
'organization': 'org.testexample',
'name': 'testNode4'
},
'address': {
'country': 'SE',
'locality': 'testCity',
'street': 'testStreet',
'streetNumber': 1
}
}
}
rt5_attributes = {
'indexed_public': {
'owner': {
'organization': domain_name,
'personOrGroup': 'testOwner1'
},
'node_name': {
'organization': 'org.testexample',
'name': 'testNode5'
},
'address': {
'country': 'SE',
'locality': 'testCity',
'street': 'testStreet',
'streetNumber': 1
}
}
}
rt_attributes = []
rt_attributes.append(deepcopy(rt0_attributes))
rt_attributes.append(deepcopy(rt1_attributes))
rt_attributes.append(deepcopy(rt2_attributes))
rt_attributes.append(deepcopy(rt3_attributes))
rt_attributes.append(deepcopy(rt4_attributes))
rt_attributes.append(deepcopy(rt5_attributes))
rt_attributes_cpy = deepcopy(rt_attributes)
runtimes = []
#Initiate Requesthandler with trusted CA cert
truststore_dir = certificate.get_truststore_path(
type=certificate.TRUSTSTORE_TRANSPORT,
security_dir=credentials_testdir)
# The following is less than optimal if multiple CA certs exist
ca_cert_path = os.path.join(truststore_dir,
os.listdir(truststore_dir)[0])
request_handler = RequestHandler(verify=ca_cert_path)
#Generate credentials, create CSR, sign with CA and import cert for all runtimes
enrollment_passwords = []
for rt_attribute in rt_attributes:
attributes = AttributeResolver(rt_attribute)
node_name = attributes.get_node_name_as_str()
nodeid = calvinuuid.uuid("")
enrollment_password = ca.cert_enrollment_add_new_runtime(node_name)
enrollment_passwords.append(enrollment_password)
runtime = runtime_credentials.RuntimeCredentials(
node_name,
domain=domain_name,
security_dir=credentials_testdir,
nodeid=nodeid,
enrollment_password=enrollment_password)
runtimes.append(runtime)
ca_cert = runtime.get_truststore(
type=certificate.TRUSTSTORE_TRANSPORT)[0][0]
csr_path = os.path.join(runtime.runtime_dir, node_name + ".csr")
#Encrypt CSR with CAs public key (to protect enrollment password)
rsa_encrypted_csr = runtime.cert_enrollment_encrypt_csr(
csr_path, ca_cert)
#Decrypt encrypted CSR with CAs private key
csr = ca.decrypt_encrypted_csr(
encrypted_enrollment_request=rsa_encrypted_csr)
csr_path = ca.store_csr_with_enrollment_password(csr)
cert_path = ca.sign_csr(csr_path)
runtime.store_own_cert(certpath=cert_path,
security_dir=credentials_testdir)
#Let's hash passwords in users.json file (the runtimes will try to do this
# but they will all try to do it at the same time, so it will be overwritten
# multiple times and the first test will always fail)
# self.arp = FileAuthenticationRetrievalPoint(identity_provider_path)
# self.arp.check_stored_users_db_for_unhashed_passwords()
#The policy allows access to control interface for everyone, for more advanced rules
# it might be appropriate to run set_credentials for request_handler, e.g.,
# request_handler.set_credentials({domain_name:{"user": "******", "password": "******"}})
rt_conf = copy.deepcopy(_conf)
# rt_conf.set('security', 'runtime_to_runtime_security', "tls")
# rt_conf.set('security', 'control_interface_security', "tls")
rt_conf.set('security', 'domain_name', domain_name)
# rt_conf.set('security', 'certificate_authority_control_uri',"https://%s:5020" % hostname )
rt_conf.set('security', 'security_dir', credentials_testdir)
rt_conf.set('global', 'actor_paths', [actor_store_path])
rt_conf.set('global', 'storage_type', "securedht")
# Runtime 0: local authentication, signature verification, local authorization.
# Primarily acts as Certificate Authority for the domain
rt0_conf = copy.deepcopy(rt_conf)
# rt0_conf.set('security','enrollment_password',enrollment_passwords[0])
#The csruntime certificate requests assumes TLS for the control interface
# rt0_conf.set('security', 'control_interface_security', "tls")
# rt0_conf.set('security','certificate_authority','True')
# rt0_conf.set("security", "security_conf", {
# "comment": "Certificate Authority",
# "authentication": {
# "procedure": "local",
# "identity_provider_path": identity_provider_path
# },
# "authorization": {
# "procedure": "local",
# "policy_storage_path": policy_storage_path
# }
# })
rt0_conf.save("/tmp/calvin5000.conf")
# Runtime 1: local authentication, signature verification, local authorization.
rt1_conf = copy.deepcopy(rt_conf)
# rt1_conf.set('security','enrollment_password',enrollment_passwords[1])
# rt1_conf.set("security", "security_conf", {
# "comment": "Local authentication, local authorization",
# "authentication": {
# "procedure": "local",
# "identity_provider_path": identity_provider_path
# },
# "authorization": {
# "procedure": "local",
# "policy_storage_path": policy_storage_path
# }
# })
rt1_conf.save("/tmp/calvin5001.conf")
# Runtime 2: local authentication, signature verification, local authorization.
# Can also act as authorization server for other runtimes.
# Other street compared to the other runtimes
rt2_conf = copy.deepcopy(rt_conf)
# rt2_conf.set('security','enrollment_password',enrollment_passwords[2])
# rt2_conf.set("security", "security_conf", {
# "comment": "Local authentication, local authorization",
# "authentication": {
# "procedure": "local",
# "identity_provider_path": identity_provider_path
# },
# "authorization": {
# "procedure": "local",
# "policy_storage_path": policy_storage_path,
# "accept_external_requests": True
# }
# })
rt2_conf.save("/tmp/calvin5002.conf")
# Runtime 3: external authentication (RADIUS), signature verification, local authorization.
rt3_conf = copy.deepcopy(rt_conf)
# rt3_conf.set('security','enrollment_password',enrollment_passwords[3])
# rt3_conf.set("security", "security_conf", {
# "comment": "RADIUS authentication, local authorization",
# "authentication": {
# "procedure": "radius",
# "server_ip": "localhost",
# "secret": "elxghyc5lz1_passwd"
# },
# "authorization": {
# "procedure": "local",
# "policy_storage_path": policy_storage_path
# }
# })
rt3_conf.save("/tmp/calvin5003.conf")
# Runtime 4: local authentication, signature verification, external authorization (runtime 2).
rt4_conf = copy.deepcopy(rt_conf)
# rt4_conf.set('security','enrollment_password',enrollment_passwords[4])
# rt4_conf.set("security", "security_conf", {
# "comment": "Local authentication, external authorization",
# "authentication": {
# "procedure": "local",
# "identity_provider_path": identity_provider_path
# },
# "authorization": {
# "procedure": "external"
# }
# })
rt4_conf.save("/tmp/calvin5004.conf")
# Runtime 5: external authentication (runtime 1), signature verification, local authorization.
rt5_conf = copy.deepcopy(rt_conf)
# rt5_conf.set('global','storage_type','proxy')
# rt5_conf.set('global','storage_proxy',"calvinip://%s:5000" % ip_addr )
# rt5_conf.set('security','enrollment_password',enrollment_passwords[5])
# rt5_conf.set("security", "security_conf", {
# "comment": "Local authentication, external authorization",
# "authentication": {
# "procedure": "external",
# "server_uuid": runtimes[1].node_id
# },
# "authorization": {
# "procedure": "local",
# "policy_storage_path": policy_storage_path
# }
# })
rt5_conf.save("/tmp/calvin5005.conf")
#Start all runtimes
for i in range(len(rt_attributes_cpy)):
_log.info("Starting runtime {}".format(i))
try:
logfile = _config_pytest.getoption("logfile") + "500{}".format(
i)
outfile = os.path.join(
os.path.dirname(logfile),
os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(hostname,
port=5000 + i,
controlport=5020 + i,
attr=rt_attributes_cpy[i],
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin500{}.conf".format(i))
# rt.append(RT("https://{}:502{}".format(hostname, i)))
rt.append(RT("http://{}:502{}".format(hostname, i)))
# Wait to be sure that all runtimes has started
time.sleep(1)
time.sleep(10)
request.addfinalizer(self.teardown)
def setup(self, request):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
global rt1
global rt2
global test_script_dir
_conf.save("/tmp/calvin5000.conf")
try:
logfile = _config_pytest.getoption("logfile") + "5000"
outfile = os.path.join(
os.path.dirname(logfile),
os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr,
port=5000,
controlport=5003,
attr={
'indexed_public': {
'owner': {
'organization': 'org.testexample',
'personOrGroup': 'testOwner1'
},
'node_name': {
'organization': 'org.testexample',
'name': 'testNode1'
},
'address': {
'country': 'SE',
'locality': 'testCity',
'street': 'testStreet',
'streetNumber': 1
}
}
},
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin5000.conf")
rt1 = utils.RT("http://%s:5003" % ip_addr)
_conf.set('global', 'actor_paths', [absolute_filename('test_store')])
_conf.set('global', 'capabilities_blacklist',
['calvinsys.events.timer'])
_conf.save("/tmp/calvin5001.conf")
try:
logfile = _config_pytest.getoption("logfile") + "5001"
outfile = os.path.join(
os.path.dirname(logfile),
os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr,
port=5001,
controlport=5004,
attr={
'indexed_public': {
'owner': {
'organization': 'org.testexample',
'personOrGroup': 'testOwner1'
},
'node_name': {
'organization': 'org.testexample',
'name': 'testNode2'
},
'address': {
'country': 'SE',
'locality': 'testCity',
'street': 'testStreet',
'streetNumber': 1
}
}
},
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin5001.conf")
rt2 = utils.RT("http://%s:5004" % ip_addr)
test_script_dir = absolute_filename('scripts/')
request.addfinalizer(self.teardown)
def setup(self, request):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
global rt1
global rt2
global rt3
global security_test_dir
security_test_dir = absolute_filename('security_test/')
rt1_conf = copy.deepcopy(_conf)
rt1_conf.add_section("security")
rt1_conf.set("security", "security_conf", {
"comment": "Experimental security settings",
"signature_trust_store": security_test_dir + "keys/app_signer/truststore/",
"access_control_enabled": "False",
"authentication": {
"procedure": "local_file",
"local_users": {"user1": "pass1", "user2": "pass2", "user3": "pass3"}
}
})
rt1_conf.set("security", "security_policy", {
"policy1": {
"principal": {
"user": ["user1"]
},
"application_signature": ["signer"],
"actor_signature": ["signer"],
"resource": ["calvinsys"]
},
"policy2":{
"principal": {
"user": ["user2"],
},
"application_signature": ["__unsigned__"],
"actor_signature": ["signer"],
"resource": ["calvinsys", "runtime"]
},
"policy3": {
"principal": {
"user": ["user3"],
},
"application_signature": ["__unsigned__"],
"actor_signature": ["__unsigned__"],
"resource": ["calvinsys", "runtime"]
},
"policy4": {
"principal": {
"user": ["user4"],
},
"application_signature": ["signer"],
"actor_signature": ["unsigner"],
"resource": ["runtime"]
}
})
rt1_conf.set('global', 'actor_paths', [security_test_dir + "/store"])
rt1_conf.save("/tmp/calvin5001.conf")
try:
logfile = _config_pytest.getoption("logfile")+"5001"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5001, controlport=5021, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'organization': 'org.testexample', 'name': 'testNode1'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin5001.conf")
rt1 = RT("http://%s:5021" % ip_addr)
rt2_conf = copy.deepcopy(_conf)
rt2_conf.add_section("security")
rt2_conf.set("security", "security_conf", {
"comment": "Experimental security settings",
"signature_trust_store": security_test_dir + "keys/app_signer/truststore/",
"access_control_enabled": "False",
"authentication": {
"procedure": "local_file",
"local_users": {"user1": "pass1", "user2": "pass2", "user3": "pass3"}
}
})
rt2_conf.set("security", "security_policy", {
"policy1": {
"principal": {
"user": ["user1"]
},
"application_signature": ["signer"],
"actor_signature": ["signer"],
"resource": ["calvinsys"]
},
"policy2":{
"principal": {
"user": ["user2"],
},
"application_signature": ["__unsigned__"],
"actor_signature": ["signer"],
"resource": ["calvinsys", "runtime"]
},
"policy3": {
"principal": {
"user": ["user3"],
},
"application_signature": ["__unsigned__"],
"actor_signature": ["__unsigned__"],
"resource": ["calvinsys", "runtime"]
},
"policy4": {
"principal": {
"user": ["user4"],
},
"application_signature": ["signer"],
"actor_signature": ["unsigner"],
"resource": ["runtime"]
}
})
rt2_conf.set('global', 'actor_paths', [security_test_dir + "/store"])
rt2_conf.save("/tmp/calvin5002.conf")
try:
logfile = _config_pytest.getoption("logfile")+"5002"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5002, controlport=5022, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'organization': 'org.testexample', 'name': 'testNode2'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin5002.conf")
rt2 = RT("http://%s:5022" % ip_addr)
rt3_conf = copy.deepcopy(_conf)
rt3_conf.add_section("security")
rt3_conf.set("security", "security_conf", {
"comment": "Experimental security settings",
"signature_trust_store": security_test_dir + "keys/app_signer/truststore/",
"access_control_enabled": "True",
"authentication_method": "radius",
"authentication": {
"procedure": "radius",
"server_ip": "136.225.129.50",
"secret": "elxghyc5lz1_passwd"
}
})
rt3_conf.set("security", "security_policy", {
"policy1": {
"principal": {
"user": ["radius_user1"],
},
"application_signature": ["signer"],
"actor_signature": ["signer"],
"resource": ["calvinsys", "runtime"]
}
})
rt3_conf.set('global', 'actor_paths', [security_test_dir + "/store"])
rt3_conf.save("/tmp/calvin5003.conf")
try:
logfile = _config_pytest.getoption("logfile")+"5003"
outfile = os.path.join(os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(ip_addr, port=5003, controlport=5023, attr={'indexed_public':
{'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'},
'node_name': {'organization': 'org.testexample', 'name': 'testNode3'},
'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}},
loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile,
configfile="/tmp/calvin5003.conf")
rt3 = RT("http://%s:5023" % ip_addr)
request.addfinalizer(self.teardown)
def setup(self, request):
from calvin.Tools.csruntime import csruntime
from conftest import _config_pytest
import fileinput
global hostname
global rt
global rt_attributes
global request_handler
try:
ipv6_hostname = socket.gethostbyaddr('::1')
except Exception as err:
print(
"Failed to resolve the IPv6 localhost hostname, please update the corresponding entry in the /etc/hosts file, e.g.,:\n"
"\t::1 <hostname>.localdomain <hostname>.local <hostname> localhost"
)
raise
try:
ipv6_hostname = socket.gethostbyaddr('::ffff:127.0.0.1')
except Exception as err:
print(
"Failed to resolve ::ffff:127.0.0.1, please add the following line (with your hostname) to /etc/hosts :\n"
"::ffff:127.0.0.1: <hostname>.localdomain <hostname>.local <hostname>"
)
raise
try:
hostname = socket.gethostname()
ip_addr = socket.gethostbyname(hostname)
fqdn = socket.getfqdn(hostname)
print("\n\tip_addr={}"
"\n\thostname={}"
"\n\tfqdn={}".format(ip_addr, hostname, fqdn))
except Exception as err:
print(
"Failed to resolve the hostname, ip_addr or the FQDN of the runtime, err={}"
.format(err))
raise
try:
shutil.rmtree(credentials_testdir)
except Exception as err:
print "Failed to remove old tesdir, err={}".format(err)
pass
try:
os.mkdir(credentials_testdir)
os.mkdir(runtimesdir)
os.mkdir(runtimes_truststore)
except Exception as err:
_log.error(
"Failed to create test folder structure, err={}".format(err))
print "Failed to create test folder structure, err={}".format(err)
raise
_log.info("Trying to create a new test domain configuration.")
try:
ca = certificate_authority.CA(domain=domain_name,
commonName="testdomain CA",
security_dir=credentials_testdir)
except Exception as err:
_log.error("Failed to create CA, err={}".format(err))
_log.info("Copy CA cert into truststore of runtimes folder")
ca.export_ca_cert(runtimes_truststore)
node_names = []
rt_attributes = []
for i in range(6):
node_name = {
'organization': 'org.testexample',
'name': 'testNode{}'.format(i)
}
owner = {'organization': domain_name, 'personOrGroup': 'testOwner'}
address = {
'country': 'SE',
'locality': 'testCity',
'street': 'testStreet',
'streetNumber': 1
}
rt_attribute = {
'indexed_public': {
'owner': owner,
'node_name': node_name,
'address': address
}
}
rt_attributes.append(rt_attribute)
rt_attributes_cpy = deepcopy(rt_attributes)
runtimes = []
#Initiate Requesthandler with trusted CA cert
truststore_dir = certificate.get_truststore_path(
type=certificate.TRUSTSTORE_TRANSPORT,
security_dir=credentials_testdir)
# The following is less than optimal if multiple CA certs exist
ca_cert_path = os.path.join(truststore_dir,
os.listdir(truststore_dir)[0])
request_handler = RequestHandler(verify=ca_cert_path)
#Generate credentials, create CSR, sign with CA and import cert for all runtimes
enrollment_passwords = []
for rt_attribute in rt_attributes_cpy:
_log.info("rt_attribute={}".format(rt_attribute))
attributes = AttributeResolver(rt_attribute)
node_name = attributes.get_node_name_as_str()
nodeid = calvinuuid.uuid("")
enrollment_password = ca.cert_enrollment_add_new_runtime(node_name)
enrollment_passwords.append(enrollment_password)
runtime = runtime_credentials.RuntimeCredentials(
node_name,
domain=domain_name,
security_dir=credentials_testdir,
nodeid=nodeid,
enrollment_password=enrollment_password)
runtimes.append(runtime)
ca_cert = runtime.get_truststore(
type=certificate.TRUSTSTORE_TRANSPORT)[0][0]
csr_path = os.path.join(runtime.runtime_dir, node_name + ".csr")
#Encrypt CSR with CAs public key (to protect enrollment password)
rsa_encrypted_csr = runtime.cert_enrollment_encrypt_csr(
csr_path, ca_cert)
#Decrypt encrypted CSR with CAs private key
csr = ca.decrypt_encrypted_csr(
encrypted_enrollment_request=rsa_encrypted_csr)
csr_path = ca.store_csr_with_enrollment_password(csr)
cert_path = ca.sign_csr(csr_path)
runtime.store_own_cert(certpath=cert_path,
security_dir=credentials_testdir)
rt_conf = copy.deepcopy(_conf)
rt_conf.set('security', 'runtime_to_runtime_security', "tls")
rt_conf.set('security', 'control_interface_security', "tls")
rt_conf.set('security', 'domain_name', domain_name)
rt_conf.set('security', 'security_dir', credentials_testdir)
rt0_conf = copy.deepcopy(rt_conf)
rt_conf.set('global', 'storage_type', 'proxy')
rt_conf.set('global', 'storage_proxy', "calvinip://%s:5000" % hostname)
# Runtime 0: local authentication, signature verification, local authorization.
# Primarily acts as Certificate Authority for the domain
rt0_conf.set('global', 'storage_type', 'local')
rt0_conf.save("/tmp/calvin5000.conf")
# Runtime 1: local authentication, signature verification, local authorization.
rt1_conf = copy.deepcopy(rt_conf)
rt1_conf.save("/tmp/calvin5001.conf")
# Runtime 2: local authentication, signature verification, local authorization.
# Can also act as authorization server for other runtimes.
# Other street compared to the other runtimes
rt2_conf = copy.deepcopy(rt_conf)
rt2_conf.save("/tmp/calvin5002.conf")
# Runtime 3: external authentication (RADIUS), signature verification, local authorization.
rt3_conf = copy.deepcopy(rt_conf)
rt3_conf.save("/tmp/calvin5003.conf")
# Runtime 4: local authentication, signature verification, external authorization (runtime 2).
rt4_conf = copy.deepcopy(rt_conf)
rt4_conf.save("/tmp/calvin5004.conf")
# Runtime 5: external authentication (runtime 1), signature verification, local authorization.
rt5_conf = copy.deepcopy(rt_conf)
rt5_conf.save("/tmp/calvin5005.conf")
#Start all runtimes
for i in range(len(rt_attributes)):
_log.info("Starting runtime {}".format(i))
try:
logfile = _config_pytest.getoption("logfile") + "500{}".format(
i)
outfile = os.path.join(
os.path.dirname(logfile),
os.path.basename(logfile).replace("log", "out"))
if outfile == logfile:
outfile = None
except:
logfile = None
outfile = None
csruntime(hostname,
port=5000 + i,
controlport=5020 + i,
attr=rt_attributes[i],
loglevel=_config_pytest.getoption("loglevel"),
logfile=logfile,
outfile=outfile,
configfile="/tmp/calvin500{}.conf".format(i))
rt.append(RT("https://{}:502{}".format(hostname, i)))
# Wait to be sure that all runtimes has started
time.sleep(1)
time.sleep(2)
request.addfinalizer(self.teardown)
