def test_ssl_vs(self): papi = ApiSession(api.avi_credentials.controller, api.avi_credentials.username, api.avi_credentials.password, api_version=api.avi_credentials.api_version, verify=False, data_log=True) ssl_vs_cfg = gSAMPLE_CONFIG["SSL-VS"] vs_obj = ssl_vs_cfg["vs_obj"] pool_name = gSAMPLE_CONFIG["SSL-VS"]["pool_obj"]["name"] resp = papi.post('pool', data=gSAMPLE_CONFIG["SSL-VS"]["pool_obj"]) assert resp.status_code == 201 pool_ref = papi.get_obj_ref(resp.json()) cert, key, _, _ = get_sample_ssl_params \ (folder_path=os.path.abspath( os.path.join(os.path.dirname(__file__), '..', 'samples')) + os.sep) api_utils = ApiUtils(papi) try: resp = api_utils.import_ssl_certificate("ssl-vs-kc", key, cert) ssl_kc = resp.json() except: ssl_kc = api.get_object_by_name('sslkeyandcertificate', 'ssl-vs-kc') ssl_key_and_cert_ref = [papi.get_obj_ref(ssl_kc)] vs_obj["pool_ref"] = pool_ref vs_obj["ssl_key_and_certificate_refs"] = ssl_key_and_cert_ref resp = papi.post('virtualservice', data=json.dumps(vs_obj)) assert resp.status_code < 300 resp = papi.delete_by_name('virtualservice', vs_obj['name']) assert resp.status_code in (200, 204) resp = papi.delete_by_name("pool", pool_name) assert resp.status_code in (200, 204) resp = api.delete_by_name('sslkeyandcertificate', 'ssl-vs-kc') assert resp.status_code in (200, 204)
def test_ssl_vs(self): papi = ApiSession('10.10.25.42', 'admin', 'avi123', verify=False, api_version="17.2.1") ssl_vs_cfg = gSAMPLE_CONFIG["SSL-VS"] vs_obj = ssl_vs_cfg["vs_obj"] pool_name = gSAMPLE_CONFIG["SSL-VS"]["pool_obj"]["name"] resp = papi.post('pool', data=gSAMPLE_CONFIG["SSL-VS"]["pool_obj"]) assert resp.status_code == 201 pool_ref = papi.get_obj_ref(resp.json()) cert, key, _, _ = get_sample_ssl_params(folder_path='../samples/') api_utils = ApiUtils(papi) try: resp = api_utils.import_ssl_certificate("ssl-vs-kc", key, cert) print resp.text ssl_kc = resp.json() except: ssl_kc = api.get_object_by_name('sslkeyandcertificate', 'ssl-vs-kc') ssl_key_and_cert_ref = [papi.get_obj_ref(ssl_kc)] vs_obj["pool_ref"] = pool_ref vs_obj["ssl_key_and_certificate_refs"] = ssl_key_and_cert_ref resp = papi.post('virtualservice', data=json.dumps(vs_obj)) print resp, resp.text assert resp.status_code < 300 resp = papi.delete_by_name('virtualservice', vs_obj['name']) assert resp.status_code in (200, 204) resp = papi.delete_by_name("pool", pool_name) assert resp.status_code in (200, 204) resp = api.delete_by_name('sslkeyandcertificate', 'ssl-vs-kc') assert resp.status_code in (200, 204)
def test_ssl_vs(self): papi = ApiSession(api.controller_ip, api.username, api.password, verify=False) ssl_vs_cfg = gSAMPLE_CONFIG["SSL-VS"] vs_obj = ssl_vs_cfg["vs_obj"] pool_name = gSAMPLE_CONFIG["SSL-VS"]["pool_obj"]["name"] resp = papi.post('pool', data=json.dumps(ssl_vs_cfg["pool_obj"])) pool_ref = papi.get_obj_ref(resp.json()) cert, key, _, _ = get_sample_ssl_params(folder_path='../samples/') api_utils = ApiUtils(papi) try: resp = api_utils.import_ssl_certificate("ssl-vs-kc", key, cert) ssl_kc = resp.json() except: ssl_kc = api.get_object_by_name('sslkeyandcertificate', 'ssl-vs-kc') ssl_key_and_cert_ref = [papi.get_obj_ref(ssl_kc)] vs_obj["pool_ref"] = pool_ref vs_obj["ssl_key_and_certificate_refs"] = ssl_key_and_cert_ref resp = papi.post('virtualservice', data=json.dumps(vs_obj)) assert resp.status_code < 300 resp = papi.delete_by_name('virtualservice', vs_obj['name']) assert resp.status_code in (200, 204) resp = papi.delete_by_name("pool", pool_name) assert resp.status_code in (200, 204) resp = api.delete_by_name('sslkeyandcertificate', 'ssl-vs-kc') assert resp.status_code in (200, 204)
def test_basic_auth(self): basic_vs_cfg = gSAMPLE_CONFIG["BasicVS"] vs_obj = basic_vs_cfg["vs_obj"] headers = { 'X-Avi-Version': login_info.get("api_version", gapi_version), 'Authorization': 'Basic YWRtaW46YXZpMTIzJCU=' } aviapi = ApiSession(controller_ip=login_info.get('controller_ip'), username=login_info.get('username'), api_version=login_info.get("api_version", gapi_version), user_hdrs=headers) resp = aviapi.post('pool', data=json.dumps(basic_vs_cfg["pool_obj"]), api_version=login_info.get("api_version")) assert resp.status_code in (200, 201) resp = aviapi.post('vsvip', data=json.dumps(basic_vs_cfg["vsvip_obj"]), api_version=login_info.get("api_version")) assert resp.status_code in (200, 201) vs_obj["vsvip_ref"] = api.get_obj_ref(resp.json()) resp = aviapi.post('virtualservice', data=json.dumps(vs_obj), api_version=login_info.get("api_version")) print(resp.json) assert resp.status_code in (200, 201) pool_name = gSAMPLE_CONFIG["BasicVS"]["pool_obj"]["name"] vsvip_name = gSAMPLE_CONFIG["BasicVS"]["vsvip_obj"]["name"] resp = aviapi.get('virtualservice', tenant='admin', api_version=login_info.get("api_version")) assert resp.json()['count'] >= 1 assert resp.status_code in (200, 204) resp = aviapi.delete_by_name('virtualservice', vs_obj['name'], api_version=login_info.get("api_version")) assert resp.status_code in (200, 204) resp = aviapi.delete_by_name("pool", pool_name, api_version=login_info.get("api_version")) assert resp.status_code in (200, 204) resp = aviapi.delete_by_name("vsvip", vsvip_name, api_version=login_info.get("api_version")) assert resp.status_code in (200, 204)
def test_multiple_tenants(self): """ Tests api with multiple tenants to make sure object is only returned for the right tenant. """ tobj = {'name': 'test-tenant'} resp = api.post('tenant', data=tobj) assert resp.status_code in (200, 201) tapi = ApiSession(api.controller_ip, api.username, api.password, tenant=tobj['name'], verify=False) t_obj = tapi.get_object_by_name('tenant', tobj['name']) # created pool. log.info('tenant %s', t_obj) basic_vs_cfg = gSAMPLE_CONFIG["BasicVS"] pool_cfg = copy.deepcopy(basic_vs_cfg["pool_obj"]) pool_cfg['name'] = pool_cfg['name'] + '-test-tenant' resp = tapi.post('pool', data=pool_cfg) assert resp.status_code in (200, 201) # check pool was not created in tenant admin pname = pool_cfg['name'] resp = api.get_object_by_name('pool', pname) assert resp is None resp = tapi.get_object_by_name('pool', pname) assert resp resp = api.get_object_by_name('pool', pname, tenant_uuid=t_obj['uuid']) assert resp resp = api.get_object_by_name('pool', pname, tenant='test-tenant') assert resp resp = tapi.delete_by_name("pool", pname) assert resp.status_code in (200, 204) resp = api.get_object_by_name('pool', pname, tenant='test-tenant') assert resp is None resp = tapi.delete_by_name('tenant', 'test-tenant', tenant='admin') assert resp.status_code in (200, 204)
def test_retry_unauth_api(self): papi = ApiSession(controller_ip=api.avi_credentials.controller, username=api.avi_credentials.username, password=api.avi_credentials.password, verify=False, api_version=api.avi_credentials.api_version, data_log=api.data_log) papi.keystone_token = 'invalid' resp = papi.post('tenant', data={'name': 'tenant1', 'local': 'true'}) assert resp.status_code == 201 papi.delete_by_name('tenant', 'tenant1')
def test_session_reset(self): papi = ApiSession(api.controller_ip, api.username, api.password, verify=False, api_version=api.api_version) res = papi.get('pool', params={'fields': 'name'}) assert res.status_code == 200 papi.reset_session() res = papi.get('pool', params={'fields': 'name'}) assert res.status_code == 200 data = {'name': 'test-reset'} res = papi.post('pool', data=data) assert res.status_code == 201 papi.reset_session() res = papi.delete_by_name('pool', 'test-reset') assert res.status_code == 204
def test_session_reset(self): papi = ApiSession(controller_ip=api.avi_credentials.controller, username=api.avi_credentials.username, password=api.avi_credentials.password, verify=False, api_version=api.avi_credentials.api_version, data_log=api.data_log) res = papi.get('pool', params={'fields': 'name'}) assert res.status_code == 200 papi.reset_session() res = papi.get('pool', params={'fields': 'name'}) assert res.status_code == 200 data = {'name': 'test-reset'} res = papi.post('pool', data=data) assert res.status_code == 201 papi.reset_session() res = papi.delete_by_name('pool', 'test-reset') assert res.status_code == 204
def test_multiple_tenants(self): """ Tests api with multiple tenants to make sure object is only returned for the right tenant. """ tobj = {'name': 'test-tenant'} resp = api.post('tenant', data=tobj) assert resp.status_code in (200, 201) tapi = ApiSession(controller_ip=api.avi_credentials.controller, username=api.avi_credentials.username, password=api.avi_credentials.password, tenant=tobj['name'], verify=False, data_log=api.data_log) t_obj = tapi.get_object_by_name('tenant', tobj['name']) # created pool. log.info('tenant %s', t_obj) basic_vs_cfg = gSAMPLE_CONFIG["BasicVS"] pool_cfg = copy.deepcopy(basic_vs_cfg["pool_obj"]) pool_cfg['name'] = pool_cfg['name'] + '-test-tenant' resp = tapi.post('pool', data=pool_cfg) assert resp.status_code in (200, 201) # check pool was not created in tenant admin pname = pool_cfg['name'] resp = api.get_object_by_name('pool', pname) assert resp is None resp = tapi.get_object_by_name('pool', pname) assert resp resp = api.get_object_by_name('pool', pname, tenant_uuid=t_obj['uuid']) assert resp resp = api.get_object_by_name('pool', pname, tenant='test-tenant') assert resp resp = tapi.delete_by_name("pool", pname) assert resp.status_code in (200, 204) resp = api.get_object_by_name('pool', pname, tenant='test-tenant') assert resp is None resp = tapi.delete_by_name('tenant', 'test-tenant', tenant='admin') assert resp.status_code in (200, 204)
def get_crt(user, password, tenant, api_version, account_key, csr, CA=DEFAULT_CA, disable_check=False, directory_url=DEFAULT_DIRECTORY_URL, contact=None): directory, acct_headers, alg, jwk = None, None, None, None # global variables # helper functions - base64 encode for jose spec def _b64(b): return base64.urlsafe_b64encode(b).decode('utf8').replace("=", "") # helper function - run external commands def _cmd(cmd_list, stdin=None, cmd_input=None, err_msg="Command Line Error"): proc = subprocess.Popen(cmd_list, stdin=stdin, stdout=subprocess.PIPE, stderr=subprocess.PIPE) out, err = proc.communicate(cmd_input) if proc.returncode != 0: raise IOError("{0}\n{1}".format(err_msg, err)) return out # helper function - make request and automatically parse json response def _do_request(url, data=None, err_msg="Error", depth=0): try: resp = urlopen( Request(url, data=data, headers={ "Content-Type": "application/jose+json", "User-Agent": "acme-tiny" })) resp_data, code, headers = resp.read().decode( "utf8"), resp.getcode(), resp.headers except IOError as e: resp_data = e.read().decode("utf8") if hasattr(e, "read") else str(e) code, headers = getattr(e, "code", None), {} try: resp_data = json.loads(resp_data) # try to parse json results except ValueError: pass # ignore json parsing errors if depth < 100 and code == 400 and resp_data[ 'type'] == "urn:ietf:params:acme:error:badNonce": raise IndexError(resp_data) # allow 100 retrys for bad nonces if code not in [200, 201, 204]: raise ValueError( "{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}". format(err_msg, url, data, code, resp_data)) return resp_data, code, headers # helper function - make signed requests def _send_signed_request(url, payload, err_msg, depth=0): payload64 = "" if payload is None else _b64( json.dumps(payload).encode('utf8')) new_nonce = _do_request(directory['newNonce'])[2]['Replay-Nonce'] protected = {"url": url, "alg": alg, "nonce": new_nonce} protected.update({"jwk": jwk} if acct_headers is None else {"kid": acct_headers['Location']}) protected64 = _b64(json.dumps(protected).encode('utf8')) protected_input = "{0}.{1}".format(protected64, payload64).encode('utf8') out = _cmd(["openssl", "dgst", "-sha256", "-sign", account_key], stdin=subprocess.PIPE, cmd_input=protected_input, err_msg="OpenSSL Error") data = json.dumps({ "protected": protected64, "payload": payload64, "signature": _b64(out) }) try: return _do_request(url, data=data.encode('utf8'), err_msg=err_msg, depth=depth) except IndexError: # retry bad nonces (they raise IndexError) return _send_signed_request(url, payload, err_msg, depth=(depth + 1)) # helper function - poll until complete def _poll_until_not(url, pending_statuses, err_msg): result, t0 = None, time.time() while result is None or result['status'] in pending_statuses: assert (time.time() - t0 < 3600), "Polling timeout" # 1 hour timeout time.sleep(0 if result is None else 2) result, _, _ = _send_signed_request(url, None, err_msg) return result session = ApiSession('localhost', user, password, tenant=tenant, api_version=api_version) log.info("Generating account key...") out = _cmd(["openssl", "genrsa", "4096"], err_msg="OpenSSL Error") with open(account_key, 'w') as f: f.write(out.decode("utf-8")) # parse account key to get public key log.info("Parsing account key...") out = _cmd(["openssl", "rsa", "-in", account_key, "-noout", "-text"], err_msg="OpenSSL Error") pub_pattern = r"modulus:[\s]+?00:([a-f0-9\:\s]+?)\npublicExponent: ([0-9]+)" pub_hex, pub_exp = re.search(pub_pattern, out.decode('utf8'), re.MULTILINE | re.DOTALL).groups() pub_exp = "{0:x}".format(int(pub_exp)) pub_exp = "0{0}".format(pub_exp) if len(pub_exp) % 2 else pub_exp alg = "RS256" jwk = { "e": _b64(binascii.unhexlify(pub_exp.encode("utf-8"))), "kty": "RSA", "n": _b64(binascii.unhexlify( re.sub(r"(\s|:)", "", pub_hex).encode("utf-8"))), } accountkey_json = json.dumps(jwk, sort_keys=True, separators=(',', ':')) thumbprint = _b64(hashlib.sha256(accountkey_json.encode('utf8')).digest()) # find domains log.info("Parsing CSR...") out = _cmd(["openssl", "req", "-in", csr, "-noout", "-text"], err_msg="Error loading {0}".format(csr)) domains = set([]) common_name = re.search(r"Subject:.*? CN\s?=\s?([^\s,;/]+)", out.decode('utf8')) if common_name is not None: domains.add(common_name.group(1)) subject_alt_names = re.search( r"X509v3 Subject Alternative Name: (?:critical)?\n +([^\n]+)\n", out.decode('utf8'), re.MULTILINE | re.DOTALL) if subject_alt_names is not None: for san in subject_alt_names.group(1).split(", "): if san.startswith("DNS:"): domains.add(san[4:]) log.info("Found domains: {0}".format(", ".join(domains))) # get the ACME directory of urls log.info("Getting directory...") directory_url = CA + "/directory" if CA != DEFAULT_CA else directory_url # backwards compatibility with deprecated CA kwarg directory, _, _ = _do_request(directory_url, err_msg="Error getting directory") log.info("Directory found!") # create account, update contact details (if any), and set the global key identifier log.info("Registering account...") reg_payload = {"termsOfServiceAgreed": True} account, code, acct_headers = _send_signed_request(directory['newAccount'], reg_payload, "Error registering") log.info("Registered!" if code == 201 else "Already registered!") if contact is not None: account, _, _ = _send_signed_request(acct_headers['Location'], {"contact": contact}, "Error updating contact details") log.info("Updated contact details:\n{0}".format("\n".join( account['contact']))) # create a new order log.info("Creating new order...") order_payload = { "identifiers": [{ "type": "dns", "value": d } for d in domains] } order, _, order_headers = _send_signed_request(directory['newOrder'], order_payload, "Error creating new order") log.info("Order created!") # get the authorizations that need to be completed for auth_url in order['authorizations']: authorization, _, _ = _send_signed_request(auth_url, None, "Error getting challenges") domain = authorization['identifier']['value'] log.info("Verifying {0}...".format(domain)) # find the http-01 challenge and write the challenge file challenge = [ c for c in authorization['challenges'] if c['type'] == "http-01" ][0] token = re.sub(r"[^A-Za-z0-9_\-]", "_", challenge['token']) keyauthorization = "{0}.{1}".format(token, thumbprint) # Update vs rsp = session.get("vsvip/?search=(fqdn,{})".format(domain)).json() if rsp["count"] == 0: raise Exception( "Could not find a VSVIP with fqdn = {}".format(domain)) vsvip_uuid = rsp["results"][0]["uuid"] rsp = session.get( "virtualservice?search=(vsvip_ref,{})".format(vsvip_uuid)).json() if rsp['count'] == 0: raise Exception( "Could not find a VS with common name = {}".format(domain)) vs_uuid = rsp["results"][0]["uuid"] log.info("Found vs {} with fqdn {}".format(vs_uuid, domain)) # Check if the vs is servering on port 80 serving_on_port_80 = False service_on_port_80_data = None for service in rsp["results"][0]["services"]: if service["port"] == "80": serving_on_port_80 = True break # create HTTP policy httppolicy_data = { "name": (domain + "LetsEncryptHTTPpolicy"), "http_security_policy": { "rules": [{ "name": "Rule 1", "index": 1, "enable": True, "match": { "vs_port": { "match_criteria": "IS_IN", "ports": [80] }, "path": { "match_criteria": "CONTAINS", "match_case": "SENSITIVE", "match_str": [".well-known/acme-challenge/{}".format(token)] } }, "action": { "action": "HTTP_SECURITY_ACTION_SEND_RESPONSE", "status_code": "HTTP_LOCAL_RESPONSE_STATUS_CODE_200", "file": { "content_type": "text/plain", "file_content": keyauthorization } } }] }, "is_internal_policy": False } rsp = session.post("httppolicyset", data=httppolicy_data).json() httppolicy_uuid = rsp["uuid"] log.info("Created HTTP policy with uuid {}".format(httppolicy_uuid)) patch_data = { "add": { "http_policies": [{ "http_policy_set_ref": "/api/httppolicyset/{}".format(httppolicy_uuid), "index": 1000001 }] } } if not serving_on_port_80: # Add to port to virtualservice service_on_port_80_data = { "enable_http2": False, "enable_ssl": False, "port": 80, "port_range_end": 80 } patch_data["add"]["services"] = [service_on_port_80_data] rsp = session.patch("virtualservice/{}".format(vs_uuid), patch_data) exception_occured = None try: # check that the file is in place try: wellknown_url = "http://{0}/.well-known/acme-challenge/{1}".format( domain, token) assert (disable_check or _do_request(wellknown_url)[0] == keyauthorization) except (AssertionError, ValueError) as e: raise ValueError( "Wrote file to {0}, but couldn't download {1}: {2}".format( 'wellknown_path', 'wellknown_url', e)) # say the challenge is done _send_signed_request( challenge['url'], {}, "Error submitting challenges: {0}".format(domain)) authorization = _poll_until_not( auth_url, ["pending"], "Error checking challenge status for {0}".format(domain)) if authorization['status'] != "valid": raise ValueError("Challenge did not pass for {0}: {1}".format( domain, authorization)) except Exception as e: exception_occured = str(e) finally: # Update the vs patch_data = { "delete": { "http_policies": [{ "http_policy_set_ref": "/api/httppolicyset/{}".format(httppolicy_uuid), "index": 1000001 }] } } if not serving_on_port_80: patch_data["delete"]["services"] = [service_on_port_80_data] rsp = session.patch("virtualservice/{}".format(vs_uuid), patch_data) rsp = session.delete("httppolicyset/{}".format(httppolicy_uuid)) if exception_occured: log.error(exception_occured) raise Exception(exception_occured) log.info("{0} verified!".format(domain)) # finalize the order with the csr log.info("Signing certificate...") csr_der = _cmd(["openssl", "req", "-in", csr, "-outform", "DER"], err_msg="DER Export Error") _send_signed_request(order['finalize'], {"csr": _b64(csr_der)}, "Error finalizing order") # poll the order to monitor when it's done order = _poll_until_not(order_headers['Location'], ["pending", "processing"], "Error checking order status") if order['status'] != "valid": raise ValueError("Order failed: {0}".format(order)) # download the certificate certificate_pem, _, _ = _send_signed_request( order['certificate'], None, "Certificate download failed") log.info("Certificate signed!") return certificate_pem