def test_tls_ciphers(kafka_service_tls):
task_name = 'kafka-0-broker'
endpoint = sdk_cmd.svc_cli(
config.PACKAGE_NAME,
config.SERVICE_NAME,
'endpoints {}'.format(BROKER_TLS_ENDPOINT),
json=True)['dns'][0]
ciphers_config_path = ['service', 'security', 'transport_encryption', 'ciphers']
expected_ciphers = set(sdk_utils.get_in(ciphers_config_path, sdk_cmd.svc_cli(
config.PACKAGE_NAME,
config.SERVICE_NAME,
'describe',
json=True), '').rstrip().split(','))
possible_ciphers = set(map(cipher_suites.rfc_name, sdk_security.openssl_ciphers()))
enabled_ciphers = set()
assert expected_ciphers, 'Expected ciphers should be non-empty'
assert possible_ciphers, 'Possible ciphers should be non-empty'
sdk_cmd.service_task_exec(config.SERVICE_NAME, task_name, 'openssl version') # Output OpenSSL version.
print("\nExpected ciphers:")
print("\n".join(sdk_utils.sort(list(expected_ciphers))))
print("\n{} ciphers will be checked:".format(len(possible_ciphers)))
print("\n".join(sdk_utils.sort(list(possible_ciphers))))
for cipher in possible_ciphers:
openssl_cipher = cipher_suites.openssl_name(cipher)
if sdk_security.is_cipher_enabled(config.SERVICE_NAME, task_name, openssl_cipher, endpoint):
enabled_ciphers.add(cipher)
print('{} ciphers enabled out of {}:'.format(len(enabled_ciphers), len(possible_ciphers)))
print("\n".join(sdk_utils.sort(list(enabled_ciphers))))
assert expected_ciphers == enabled_ciphers, "Enabled ciphers should match expected ciphers"
def test_tls_ciphers(kafka_service):
task_name = "kafka-0-broker"
task_id = sdk_tasks.get_task_ids(config.SERVICE_NAME, task_name)[0]
endpoint = sdk_cmd.svc_cli(
config.PACKAGE_NAME,
config.SERVICE_NAME,
"endpoints {}".format(BROKER_TLS_ENDPOINT),
parse_json=True,
)[1]["dns"][0]
ciphers_config_path = [
"service", "security", "transport_encryption", "ciphers"
]
expected_ciphers = set(
test_utils.get_in(
ciphers_config_path,
sdk_cmd.svc_cli(config.PACKAGE_NAME,
config.SERVICE_NAME,
"describe",
parse_json=True)[1],
"",
).rstrip().split(","))
print("The expected cyphers are\n", expected_ciphers)
openssl_ciphers = sdk_security.openssl_ciphers()
missing_openssl_ciphers = cipher_suites.missing_openssl_ciphers(
openssl_ciphers)
possible_openssl_ciphers = openssl_ciphers - missing_openssl_ciphers
enabled_ciphers = set()
assert openssl_ciphers, "OpenSSL ciphers should be non-empty"
assert expected_ciphers, "Expected ciphers should be non-empty"
assert possible_openssl_ciphers, "Possible OpenSSL ciphers should be non-empty"
sdk_cmd.marathon_task_exec(task_id,
"openssl version") # Output OpenSSL version.
print("\n{} OpenSSL ciphers missing from the cipher_suites module:".format(
len(missing_openssl_ciphers)))
print("\n".join(test_utils.sort(list(missing_openssl_ciphers))))
print("\n{} expected ciphers:".format(len(expected_ciphers)))
print("\n".join(test_utils.sort(list(expected_ciphers))))
print("\n{} ciphers will be checked:".format(
len(possible_openssl_ciphers)))
for openssl_cipher in test_utils.sort(list(possible_openssl_ciphers)):
print("{} ({})".format(cipher_suites.rfc_name(openssl_cipher),
openssl_cipher))
for openssl_cipher in possible_openssl_ciphers:
if sdk_security.is_cipher_enabled(config.SERVICE_NAME, task_name,
openssl_cipher, endpoint):
enabled_ciphers.add(cipher_suites.rfc_name(openssl_cipher))
print("{} ciphers enabled out of {}:".format(
len(enabled_ciphers), len(possible_openssl_ciphers)))
print("\n".join(test_utils.sort(list(enabled_ciphers))))
assert expected_ciphers == enabled_ciphers, "Enabled ciphers should match expected ciphers"
def test_tls_ciphers(kafka_service):
task_name = "kafka-0-broker"
endpoint = sdk_networks.get_endpoint(config.PACKAGE_NAME,
config.SERVICE_NAME,
BROKER_TLS_ENDPOINT)["dns"][0]
ciphers_config_path = [
"service", "security", "transport_encryption", "ciphers"
]
rc, stdout, _ = sdk_cmd.svc_cli(config.PACKAGE_NAME, config.SERVICE_NAME,
"describe")
assert rc == 0, "Describe command failed"
expected_ciphers = set(
sdk_utils.get_in(
ciphers_config_path,
json.loads(stdout),
"",
).rstrip().split(","))
openssl_ciphers = sdk_security.openssl_ciphers()
missing_openssl_ciphers = cipher_suites.missing_openssl_ciphers(
openssl_ciphers)
possible_openssl_ciphers = openssl_ciphers - missing_openssl_ciphers
enabled_ciphers = set()
assert openssl_ciphers, "OpenSSL ciphers should be non-empty"
assert expected_ciphers, "Expected ciphers should be non-empty"
assert possible_openssl_ciphers, "Possible OpenSSL ciphers should be non-empty"
# Output OpenSSL version.
sdk_cmd.service_task_exec(config.SERVICE_NAME, task_name,
"openssl version")
log.warning("\n%s OpenSSL ciphers missing from the cipher_suites module:",
len(missing_openssl_ciphers))
log.warning("\n".join(to_sorted(list(missing_openssl_ciphers))))
log.info("\n%s expected ciphers:", len(expected_ciphers))
log.info("\n".join(to_sorted(list(expected_ciphers))))
log.info("\n%s ciphers will be checked:", len(possible_openssl_ciphers))
for openssl_cipher in to_sorted(list(possible_openssl_ciphers)):
log.info("%s (%s)", cipher_suites.rfc_name(openssl_cipher),
openssl_cipher)
for openssl_cipher in possible_openssl_ciphers:
if sdk_security.is_cipher_enabled(config.SERVICE_NAME, task_name,
openssl_cipher, endpoint):
enabled_ciphers.add(cipher_suites.rfc_name(openssl_cipher))
log.info("%s ciphers enabled out of %s:", len(enabled_ciphers),
len(possible_openssl_ciphers))
log.info("\n".join(to_sorted(list(enabled_ciphers))))
assert expected_ciphers == enabled_ciphers, "Enabled ciphers should match expected ciphers"
def test_tls_ciphers(kafka_service_tls):
task_name = 'kafka-0-broker'
endpoint = sdk_cmd.svc_cli(config.PACKAGE_NAME,
config.SERVICE_NAME,
'endpoints {}'.format(BROKER_TLS_ENDPOINT),
json=True)['dns'][0]
ciphers_config_path = [
'service', 'security', 'transport_encryption', 'ciphers'
]
expected_ciphers = set(
sdk_utils.get_in(
ciphers_config_path,
sdk_cmd.svc_cli(config.PACKAGE_NAME,
config.SERVICE_NAME,
'describe',
json=True), '').rstrip().split(','))
openssl_ciphers = sdk_security.openssl_ciphers()
missing_openssl_ciphers = cipher_suites.missing_openssl_ciphers(
openssl_ciphers)
possible_openssl_ciphers = openssl_ciphers - missing_openssl_ciphers
enabled_ciphers = set()
assert openssl_ciphers, 'OpenSSL ciphers should be non-empty'
assert expected_ciphers, 'Expected ciphers should be non-empty'
assert possible_openssl_ciphers, 'Possible OpenSSL ciphers should be non-empty'
sdk_cmd.service_task_exec(config.SERVICE_NAME, task_name,
'openssl version') # Output OpenSSL version.
log.warning("\n%s OpenSSL ciphers missing from the cipher_suites module:",
len(missing_openssl_ciphers))
log.warning("\n".join(sdk_utils.sort(list(missing_openssl_ciphers))))
log.info("\n%s expected ciphers:", len(expected_ciphers))
log.info("\n".join(sdk_utils.sort(list(expected_ciphers))))
log.info("\n%s ciphers will be checked:", len(possible_openssl_ciphers))
for openssl_cipher in sdk_utils.sort(list(possible_openssl_ciphers)):
log.info("%s (%s)", cipher_suites.rfc_name(openssl_cipher),
openssl_cipher)
for openssl_cipher in possible_openssl_ciphers:
if sdk_security.is_cipher_enabled(config.SERVICE_NAME, task_name,
openssl_cipher, endpoint):
enabled_ciphers.add(cipher_suites.rfc_name(openssl_cipher))
log.info('%s ciphers enabled out of %s:', len(enabled_ciphers),
len(possible_openssl_ciphers))
log.info("\n".join(sdk_utils.sort(list(enabled_ciphers))))
assert expected_ciphers == enabled_ciphers, "Enabled ciphers should match expected ciphers"
