def setup_module(module): global request_handler global runtime1 global runtime2 global constrained_id global constrained_process request_handler = RequestHandler() runtime1 = RT("http://127.0.0.1:5001") runtime1.id = request_handler.get_node_id(runtime1.control_uri) runtime2 = RT("http://127.0.0.1:5003") runtime2.id = request_handler.get_node_id(runtime2.control_uri) # start constrained constrained_process = subprocess.Popen( calvin_command + " -a '{\"indexed_public\": {\"node_name\": {\"organization\": \"com.ericsson\", \"purpose\": \"distributed-test\", \"group\": \"rest\", \"name\": \"constrained\"}}}' -u '[\"calvinip://127.0.0.1:5000\", \"ssdp\"]'", shell=True) for x in range(0, 10): peers = request_handler.get_nodes(runtime1) for peer in peers: peer_info = request_handler.get_node(runtime1, peer) if "constrained" in peer_info["attributes"]["indexed_public"][0]: constrained_id = peer return time.sleep(1) pytest.exit("Failed to get constrained runtimes")
def setup(self, request): from calvin.Tools.csruntime import csruntime from conftest import _config_pytest import fileinput global runtimes global rt_attributes global request_handler try: shutil.rmtree(credentials_testdir) except Exception as err: print "Failed to remove old tesdir, err={}".format(err) pass helpers.sign_files_for_security_tests(credentials_testdir) runtimes = helpers.create_CA_and_generate_runtime_certs(domain_name, credentials_testdir, NBR_OF_RUNTIMES) #Initiate Requesthandler with trusted CA cert truststore_dir = certificate.get_truststore_path(type=certificate.TRUSTSTORE_TRANSPORT, security_dir=credentials_testdir) request_handler = RequestHandler(verify=truststore_dir) rt_conf = copy.deepcopy(_conf) rt_conf.set('security', 'domain_name', domain_name) rt_conf.set('security', 'security_dir', credentials_testdir) rt_conf.set('global', 'actor_paths', [actor_store_path]) rt_conf.set('global', 'storage_type', "securedht") for i in range(NBR_OF_RUNTIMES): rt_conf.set('security','certificate_authority',{ 'domain_name':domain_name }) rt_conf.save("/tmp/calvin{}.conf".format(5000+i)) helpers.start_all_runtimes(runtimes, hostname, request_handler) request.addfinalizer(self.teardown)
def setup_module(module): global request_handler global runtime1 request_handler = RequestHandler() runtime1 = RT("http://127.0.0.1:5001") runtime1.id = request_handler.get_node_id(runtime1.control_uri)
def setup(self, request): from calvin.Tools.csruntime import csruntime from conftest import _config_pytest global runtimes global rt_attributes global request_handler try: shutil.rmtree(credentials_testdir) except Exception as err: print "Failed to remove old testdir, err={}".format(err) pass try: shutil.copytree(orig_identity_provider_path, identity_provider_path) except Exception as err: _log.error("Failed to create test folder structure, err={}".format(err)) print "Failed to create test folder structure, err={}".format(err) raise helpers.sign_files_for_security_tests(credentials_testdir) runtimes = helpers.create_CA_and_generate_runtime_certs(domain_name, credentials_testdir, NBR_OF_RUNTIMES) #Initiate Requesthandler with trusted CA cert truststore_dir = certificate.get_truststore_path(type=certificate.TRUSTSTORE_TRANSPORT, security_dir=credentials_testdir) request_handler = RequestHandler(verify=truststore_dir) #Let's use the admin user0 for request_handler request_handler.set_credentials({"user": "******", "password": "******"}) rt_conf = copy.deepcopy(_conf) rt_conf.set('security', 'security_dir', credentials_testdir) rt_conf.set('global', 'actor_paths', [actor_store_path]) # Runtime 0: Certificate authority, authentication server, authorization server, proxy storage server. rt0_conf = copy.deepcopy(rt_conf) rt0_conf.set('global','storage_type','local') rt0_conf.set("security", "security_conf", { "comment": "Authentication server accepting external requests", "authentication": { "procedure": "local", "identity_provider_path": identity_provider_path, "accept_external_requests": True } }) rt0_conf.save("/tmp/calvin5000.conf") # Other runtimes rt_conf.set('global','storage_type','proxy') rt_conf.set('global','storage_proxy',"calvinip://%s:5000" % ip_addr ) rt_conf.set("security", "security_conf", { "comment": "External authentication", "authentication": { "procedure": "external" } }) for i in range(1, NBR_OF_RUNTIMES): rt_conf.save("/tmp/calvin500{}.conf".format(i)) helpers.start_all_runtimes(runtimes, hostname, request_handler) request.addfinalizer(self.teardown)
def setUp(self): global request_handler request_handler = RequestHandler() self.rt1, _ = dispatch_node(["calvinip://%s:5000" % (ip_addr,)], "http://%s:5003" % ip_addr) self.rt2, _ = dispatch_node(["calvinip://%s:5001" % (ip_addr,)], "http://%s:5004" % ip_addr) self.rt3, _ = dispatch_node(["calvinip://%s:5002" % (ip_addr,)], "http://%s:5005" % ip_addr) request_handler.peer_setup(self.rt1, ["calvinip://%s:5001" % (ip_addr,), "calvinip://%s:5002" % (ip_addr, )]) request_handler.peer_setup(self.rt2, ["calvinip://%s:5000" % (ip_addr,), "calvinip://%s:5002" % (ip_addr, )]) request_handler.peer_setup(self.rt3, ["calvinip://%s:5000" % (ip_addr,), "calvinip://%s:5001" % (ip_addr, )])
def get_node_id(rt): request_handler = RequestHandler() for x in range(0, 10): try: rt.id = request_handler.get_node_id(rt.control_uri) return True except: pass time.sleep(1) print "Failed to get node id from '%s'" % rt.control_uri return False
def setup(self, request): from calvin.Tools.csruntime import csruntime from conftest import _config_pytest import fileinput global rt global rt_attributes global request_handler try: shutil.rmtree(credentials_testdir) except Exception as err: print "Failed to remove old tesdir, err={}".format(err) pass #This test does not really need signed actors/applications, but do it anyway to be #be able to deploy application similarly as the other security tests helpers.sign_files_for_security_tests(credentials_testdir) runtimes = helpers.create_CA_and_get_enrollment_passwords( domain_name, credentials_testdir, NBR_OF_RUNTIMES) #Initiate Requesthandler with trusted CA cert truststore_dir = certificate.get_truststore_path( type=certificate.TRUSTSTORE_TRANSPORT, security_dir=credentials_testdir) request_handler = RequestHandler(verify=truststore_dir) rt_conf = copy.deepcopy(_conf) rt_conf.set('security', 'security_dir', credentials_testdir) rt_conf.set('global', 'actor_paths', [actor_store_path]) rt_conf.set('security', 'control_interface_security', "tls") rt_conf.set('global', 'storage_type', "securedht") # Runtime 0: Certificate authority. rt0_conf = copy.deepcopy(rt_conf) rt0_conf.set('security', 'certificate_authority', { 'domain_name': domain_name, 'is_ca': 'True' }) rt0_conf.save("/tmp/calvin5000.conf") for i in range(1, NBR_OF_RUNTIMES): rt_conf.set( 'security', 'certificate_authority', { 'domain_name': domain_name, 'is_ca': 'False', 'enrollment_password': runtimes[i]["enrollment_password"] }) rt_conf.save("/tmp/calvin{}.conf".format(5000 + i)) rt = helpers.start_all_runtimes(runtimes, hostname, request_handler, tls=True) request.addfinalizer(self.teardown)
def __init__(self, runtime, deployable, credentials=None, verify=True): super(Deployer, self).__init__() self.runtime = runtime self.deployable = deployable self.credentials = credentials self.actor_map = {} self.app_id = None self.verify = verify self.request_handler = RequestHandler() if "name" in self.deployable: self.name = self.deployable["name"] else: self.name = None
def dispatch_and_deploy(app_info, wait, uris, control_uri, attr, credentials): from calvin.requests.request_handler import RequestHandler rt, process = runtime(uris, control_uri, attr, dispatch=True) app_id = None app_id = deploy(rt, app_info, credentials) print "Deployed application", app_id timeout = wait if wait else None if timeout: process.join(timeout) RequestHandler().quit(rt) time.sleep(0.1) else: process.join()
def dispatch_and_deploy(app_info, wait, uris, control_uri, attr, credentials): from calvin.requests.request_handler import RequestHandler rt, process = runtime(uris, control_uri, attr, dispatch=True) app_id = None app_id = deploy(rt, app_info, credentials) print "Deployed application", app_id timeout = wait if wait else None if timeout: process.join(timeout) RequestHandler().quit(rt) # This time has to be long enough for the mainloop to wrap things up, otherwise the program will hang indefinitely time.sleep(1.0) else: process.join()
def __init__(self, control_uri, barrier): super(NodeControl, self).__init__() self._id = None self._uri = None self.control_uri = control_uri self.request_handler = RequestHandler() # When barrier ordered make sure we can contact the runtime if barrier: failed = True # Try 20 times waiting for control API to be up and running for i in range(20): try: self._id = self.request_handler.get_node_id(self) failed = False break except: time.sleep(0.1) assert not failed
def setUp(self): global request_handler request_handler = RequestHandler() self.rt1, _ = dispatch_node(["calvinip://%s:5000" % (ip_addr,)], "http://%s:5003" % ip_addr, attributes={'indexed_public': {'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'}, 'node_name': {'organization': 'org.testexample', 'name': 'testNode1'}, 'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}}) self.rt2, _ = dispatch_node(["calvinip://%s:5001" % (ip_addr,)], "http://%s:5004" % ip_addr, attributes={'indexed_public': {'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner1'}, 'node_name': {'organization': 'org.testexample', 'name': 'testNode2'}, 'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1}}}) self.rt3, _ = dispatch_node(["calvinip://%s:5002" % (ip_addr,)], "http://%s:5005" % ip_addr, attributes={'indexed_public': {'owner':{'organization': 'org.testexample', 'personOrGroup': 'testOwner2'}, 'node_name': {'organization': 'org.testexample', 'name': 'testNode3'}, 'address': {'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 2}}})
def __init__(self, control_uri, barrier): super(NodeControl, self).__init__() self._id = None self._uris = None self.control_uri = control_uri self.request_handler = request_handler or RequestHandler() delay = 0.1 # When barrier ordered make sure we can contact the runtime if barrier: success = False # Try 20 times waiting for control API to be up and running for i in range(20): try: self._id = self.request_handler.get_node_id(self) success = True break except Exception: time.sleep(delay) delay = 2 * delay if delay < 1.0 else 1.0 assert success
def setup(self, request): from calvin.Tools.csruntime import csruntime from conftest import _config_pytest import fileinput global runtimes global request_handler try: shutil.rmtree(credentials_testdir) except Exception as err: print "Failed to remove old tesdir, err={}".format(err) pass try: shutil.copytree(orig_identity_provider_path, identity_provider_path) except Exception as err: _log.error("Failed to copy the identity provider files, err={}".format(err)) raise actor_store_path, application_store_path = helpers.sign_files_for_security_tests(credentials_testdir) runtimes = helpers.create_CA_and_generate_runtime_certs(domain_name, credentials_testdir, NBR_OF_RUNTIMES) #Initiate Requesthandler with trusted CA cert truststore_dir = certificate.get_truststore_path(type=certificate.TRUSTSTORE_TRANSPORT, security_dir=credentials_testdir) request_handler = RequestHandler(verify=truststore_dir) #Let's use the admin user0 for request_handler request_handler.set_credentials({"user": "******", "password": "******"}) rt_conf = copy.deepcopy(_conf) rt_conf.set('security', 'security_dir', credentials_testdir) rt_conf.set('global', 'actor_paths', [actor_store_path]) # Runtime 0: Certificate authority, authentication server, authorization server. rt0_conf = copy.deepcopy(rt_conf) rt0_conf.set('global','storage_type','local') rt0_conf.set('security','certificate_authority',{ 'domain_name':domain_name, 'is_ca':True }) rt0_conf.set("security", "security_conf", { "comment": "Certificate Authority", "authentication": { "procedure": "local", "identity_provider_path": identity_provider_path, "accept_external_requests": True }, "authorization": { "procedure": "local", "policy_storage_path": policy_storage_path, "accept_external_requests": True } }) rt0_conf.save("/tmp/calvin5000.conf") _log.info("Starting runtime 0") # Other runtimes rt_conf.set('global','storage_type','proxy') rt_conf.set('global','storage_proxy',"calvinip://%s:5000" % ip_addr ) rt_conf.set('security','certificate_authority',{ 'domain_name':domain_name, 'is_ca':False }) rt_conf.set("security", "security_conf", { "comment": "External authentication, external authorization", "authentication": { "procedure": "external", "server_uuid": runtimes[0]["id"] }, "authorization": { "procedure": "external", "server_uuid": runtimes[0]["id"] } }) for i in range(1, NBR_OF_RUNTIMES): rt_conf.save("/tmp/calvin500{}.conf".format(i)) # # Runtime 3: external authentication (RADIUS). # rt3_conf = copy.deepcopy(rt1_conf) # rt3_conf.set('security','enrollment_password',enrollment_passwords[3]) # rt3_conf.save("/tmp/calvin5002.conf") # rt3_conf.set("security", "security_conf", { # "authentication": { # "procedure": "radius", # "server_ip": "localhost", # "secret": "elxghyc5lz1_passwd" # }, # "authorization": { # "procedure": "external", # "server_uuid": runtimes[0].node_id # } # }) # rt3_conf.save("/tmp/calvin5003.conf") helpers.start_all_runtimes(runtimes, hostname, request_handler) request.addfinalizer(self.teardown)
def setUp(self): self.request_handler = RequestHandler() self.test_type, [self.rt1, self.rt2, self.rt3 ] = helpers.setup_test_type(self.request_handler)
def setup_module(module): global runtime global runtimes global peerlist global kill_peers global request_handler ip_addr = None bt_master_controluri = None request_handler = RequestHandler() try: ip_addr = os.environ["CALVIN_TEST_IP"] purpose = os.environ["CALVIN_TEST_UUID"] except KeyError: pass if ip_addr is None: # Bluetooth tests assumes one master runtime with two connected peers # CALVIN_TEST_BT_MASTERCONTROLURI is the control uri of the master runtime try: bt_master_controluri = os.environ[ "CALVIN_TEST_BT_MASTERCONTROLURI"] _log.debug("Running Bluetooth tests") except KeyError: pass if ip_addr: remote_node_count = 2 kill_peers = False test_peers = None import socket ports = [] for a in range(2): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(('', 0)) addr = s.getsockname() ports.append(addr[1]) s.close() runtime, _ = dispatch_node(["calvinip://%s:%s" % (ip_addr, ports[0])], "http://%s:%s" % (ip_addr, ports[1])) _log.debug( "First runtime started, control http://%s:%s, calvinip://%s:%s" % (ip_addr, ports[1], ip_addr, ports[0])) interval = 0.5 for retries in range(1, 20): time.sleep(interval) _log.debug("Trying to get test nodes for 'purpose' %s" % purpose) test_peers = request_handler.get_index( runtime, format_index_string({ 'node_name': { 'organization': 'com.ericsson', 'purpose': purpose } })) if not test_peers is None and not test_peers["result"] is None and \ len(test_peers["result"]) == remote_node_count: test_peers = test_peers["result"] break if test_peers is None or len(test_peers) != remote_node_count: _log.debug( "Failed to find all remote nodes within time, peers = %s" % test_peers) raise Exception("Not all nodes found dont run tests, peers = %s" % test_peers) test_peer2_id = test_peers[0] test_peer2 = request_handler.get_node(runtime, test_peer2_id) if test_peer2: runtime2 = RT(test_peer2["control_uri"]) runtime2.id = test_peer2_id runtime2.uri = test_peer2["uri"] runtimes.append(runtime2) test_peer3_id = test_peers[1] if test_peer3_id: test_peer3 = request_handler.get_node(runtime, test_peer3_id) if test_peer3: runtime3 = RT(test_peer3["control_uri"]) runtime3.id = test_peer3_id runtime3.uri = test_peer3["uri"] runtimes.append(runtime3) elif bt_master_controluri: runtime = RT(bt_master_controluri) bt_master_id = request_handler.get_node_id(bt_master_controluri) data = request_handler.get_node(runtime, bt_master_id) if data: runtime.id = bt_master_id runtime.uri = data["uri"] test_peers = request_handler.get_nodes(runtime) test_peer2_id = test_peers[0] test_peer2 = request_handler.get_node(runtime, test_peer2_id) if test_peer2: rt2 = RT(test_peer2["control_uri"]) rt2.id = test_peer2_id rt2.uri = test_peer2["uri"] runtimes.append(rt2) test_peer3_id = test_peers[1] if test_peer3_id: test_peer3 = request_handler.get_node(runtime, test_peer3_id) if test_peer3: rt3 = request_handler.RT(test_peer3["control_uri"]) rt3.id = test_peer3_id rt3.uri = test_peer3["uri"] runtimes.append(rt3) else: try: ip_addr = os.environ["CALVIN_TEST_LOCALHOST"] except: import socket ip_addr = socket.gethostbyname(socket.gethostname()) localhost = "calvinip://%s:5000" % (ip_addr, ), "http://localhost:5001" remotehosts = [("calvinip://%s:%d" % (ip_addr, d), "http://localhost:%d" % (d + 1)) for d in range(5002, 5005, 2)] # remotehosts = [("calvinip://127.0.0.1:5002", "http://localhost:5003")] for host in remotehosts: runtimes += [dispatch_node([host[0]], host[1])[0]] runtime, _ = dispatch_node([localhost[0]], localhost[1]) time.sleep(1) # FIXME When storage up and running peersetup not needed, but still useful during testing request_handler.peer_setup(runtime, [i[0] for i in remotehosts]) time.sleep(0.5) """ # FIXME Does not yet support peerlist try: self.peerlist = peerlist( self.runtime, self.runtime.id, len(remotehosts)) # Make sure all peers agree on network [peerlist(self.runtime, p, len(self.runtimes)) for p in self.peerlist] except: self.peerlist = [] """ peerlist = [rt.control_uri for rt in runtimes] print "SETUP DONE ***", peerlist
def setUp(self): global request_handler request_handler = RequestHandler() self.hosts = [] self.rt = []
def get_request_handler(): from calvin.requests.request_handler import RequestHandler return _request_handler if _request_handler else RequestHandler()
def runtime_certificate(rt_attributes): import copy import requests import sys from calvin.requests.request_handler import RequestHandler from calvin.utilities.attribute_resolver import AttributeResolver from calvin.utilities import calvinconfig from calvin.utilities import calvinuuid from calvin.utilities import runtime_credentials from calvin.utilities import certificate from calvin.utilities import certificate_authority from calvin.runtime.south.plugins.storage.twistedimpl.dht.service_discovery_ssdp import parse_http_response global _conf global _log _conf = calvinconfig.get() if not _conf.get_section("security"): #If the security section is empty, no securty features are enabled and certificates aren't needed _log.debug("No runtime security enabled") else: _log.debug( "Some security features are enabled, let's make sure certificates are in place" ) _ca_conf = _conf.get("security", "certificate_authority") security_dir = _conf.get("security", "security_dir") storage_type = _conf.get("global", "storage_type") if _ca_conf: try: ca_ctrl_uri = _ca_conf[ "ca_control_uri"] if "ca_control_uri" in _ca_conf else None domain_name = _ca_conf[ "domain_name"] if "domain_name" in _ca_conf else None is_ca = _ca_conf["is_ca"] if "is_ca" in _ca_conf else None enrollment_password = _ca_conf[ "enrollment_password"] if "enrollment_password" in _ca_conf else None except Exception as err: _log.error( "runtime_certificate: Failed to parse security configuration in calvin.conf, err={}" .format(err)) raise #AttributeResolver tranforms the attributes, so make a deepcopy instead rt_attributes_cpy = copy.deepcopy(rt_attributes) attributes = AttributeResolver(rt_attributes_cpy) node_name = attributes.get_node_name_as_str() nodeid = calvinuuid.uuid("") runtime = runtime_credentials.RuntimeCredentials( node_name, domain_name, security_dir=security_dir, nodeid=nodeid, enrollment_password=enrollment_password) certpath, cert, certstr = runtime.get_own_cert() if not cert: csr_path = os.path.join(runtime.runtime_dir, node_name + ".csr") if is_ca == "True": _log.debug( "No runtime certificate, but node is a CA, just sign csr, domain={}" .format(domain_name)) ca = certificate_authority.CA(domain=domain_name, security_dir=security_dir) cert_path = ca.sign_csr(csr_path, is_ca=True) runtime.store_own_cert(certpath=cert_path, security_dir=security_dir) else: _log.debug( "No runtime certicificate can be found, send CSR to CA" ) truststore_dir = certificate.get_truststore_path( type=certificate.TRUSTSTORE_TRANSPORT, security_dir=security_dir) request_handler = RequestHandler(verify=truststore_dir) ca_control_uris = [] #TODO: add support for multiple CA control uris if ca_ctrl_uri: _log.debug( "CA control_uri in config={}".format(ca_ctrl_uri)) ca_control_uris.append(ca_ctrl_uri) elif storage_type in ["dht", "securedht"]: _log.debug("Find CA via SSDP") responses = discover() if not responses: _log.error("No responses received") for response in responses: cmd, headers = parse_http_response(response) if 'location' in headers: ca_control_uri, ca_node_id = headers[ 'location'].split('/node/') ca_control_uri = ca_control_uri.replace( "http", "https") ca_control_uris.append(ca_control_uri) _log.debug( "CA control_uri={}, node_id={}".format( ca_control_uri, ca_node_id)) else: _log.error( "There is no runtime certificate. For automatic certificate enrollment using proxy storage," "the CA control uri must be configured in the calvin configuration " ) raise Exception( "There is no runtime certificate. For automatic certificate enrollment using proxy storage," "the CA control uri must be configured in the calvin configuration " ) cert_available = False # Loop through all CA:s that responded until hopefully one signs our CSR # Potential improvement would be to have domain name in response and only try # appropriate CAs i = 0 while not cert_available and i < len(ca_control_uris): certstr = None #Repeatedly (maximum 10 attempts) send CSR to CA until a certificate is returned (this to remove the requirement of the CA #node to be be the first node to start) rsa_encrypted_csr = runtime.get_encrypted_csr() j = 0 while not certstr and j < 10: try: certstr = request_handler.sign_csr_request( ca_control_uris[i], rsa_encrypted_csr)['certificate'] except requests.exceptions.RequestException as err: time_to_sleep = 1 + j * j * j _log.debug( "RequestException, CSR not accepted or CA not up and running yet, sleep {} seconds and try again, err={}" .format(time_to_sleep, err)) time.sleep(time_to_sleep) j = j + 1 pass else: cert_available = True i = i + 1 #TODO: check that everything is ok with signed cert, e.g., check that the CA domain # matches the expected and that the CA cert is trusted runtime.store_own_cert(certstring=certstr, security_dir=security_dir) else: _log.debug("Runtime certificate available")
def setup(self, request): from calvin.Tools.csruntime import csruntime from conftest import _config_pytest import fileinput global hostname global rt global rt_attributes global request_handler try: ipv6_hostname = socket.gethostbyaddr('::1') except Exception as err: print( "Failed to resolve the IPv6 localhost hostname, please update the corresponding entry in the /etc/hosts file, e.g.,:\n" "\t::1 <hostname>.localdomain <hostname>.local <hostname> localhost" ) raise try: ipv6_hostname = socket.gethostbyaddr('::ffff:127.0.0.1') except Exception as err: print( "Failed to resolve ::ffff:127.0.0.1, please add the following line (with your hostname) to /etc/hosts :\n" "::ffff:127.0.0.1: <hostname>.localdomain <hostname>.local <hostname>" ) raise try: hostname = socket.gethostname() ip_addr = socket.gethostbyname(hostname) fqdn = socket.getfqdn(hostname) print("\n\tip_addr={}" "\n\thostname={}" "\n\tfqdn={}".format(ip_addr, hostname, fqdn)) except Exception as err: print( "Failed to resolve the hostname, ip_addr or the FQDN of the runtime, err={}" .format(err)) raise try: shutil.rmtree(credentials_testdir) except Exception as err: print "Failed to remove old tesdir, err={}".format(err) pass try: os.makedirs(credentials_testdir) os.makedirs(runtimesdir) os.makedirs(runtimes_truststore) except Exception as err: _log.error( "Failed to create test folder structure, err={}".format(err)) print "Failed to create test folder structure, err={}".format(err) raise _log.info( "Trying to create a new test domain configuration. Create many CAs to ensure runtime can handle several CA certificates" ) try: ca1 = certificate_authority.CA(domain=domain_name + " 1", commonName="testdomainCA1", security_dir=credentials_testdir) ca2 = certificate_authority.CA(domain=domain_name + " 2", commonName="testdomainCA2", security_dir=credentials_testdir) ca3 = certificate_authority.CA(domain=domain_name + " 3", commonName="testdomainCA3", security_dir=credentials_testdir) except Exception as err: _log.error("Failed to create CA, err={}".format(err)) _log.info("Copy CA cert into truststore of runtimes folder") ca1.export_ca_cert(runtimes_truststore) ca2.export_ca_cert(runtimes_truststore) ca3.export_ca_cert(runtimes_truststore) actor_store_path, application_store_path = helpers.sign_files_for_security_tests( credentials_testdir) runtimes = helpers.create_CA_and_generate_runtime_certs( domain_name, credentials_testdir, NBR_OF_RUNTIMES) #Initiate Requesthandler with trusted CA cert truststore_dir = certificate.get_truststore_path( type=certificate.TRUSTSTORE_TRANSPORT, security_dir=credentials_testdir) request_handler = RequestHandler(verify=truststore_dir) rt_conf = copy.deepcopy(_conf) rt_conf.set('security', 'runtime_to_runtime_security', "tls") rt_conf.set('security', 'control_interface_security', "tls") rt_conf.set('security', 'security_dir', credentials_testdir) rt0_conf = copy.deepcopy(rt_conf) # Runtime 0: local authentication, signature verification, local authorization. # Primarily acts as Certificate Authority for the domain rt0_conf.set('global', 'storage_type', 'local') rt0_conf.set('security', 'certificate_authority', { 'domain_name': domain_name, 'is_ca': 'True' }) rt0_conf.save("/tmp/calvin5000.conf") # Runtime 1: local authentication, signature verification, local authorization. rt_conf.set('global', 'storage_type', 'proxy') rt_conf.set('global', 'storage_proxy', "calvinip://%s:5000" % hostname) rt_conf.set('security', 'certificate_authority', { 'domain_name': domain_name, 'is_ca': 'False' }) for i in range(1, NBR_OF_RUNTIMES): rt_conf.save("/tmp/calvin500{}.conf".format(i)) rt = helpers.start_all_runtimes(runtimes, hostname, request_handler, tls=True) request.addfinalizer(self.teardown)
def setup(self, request): from calvin.Tools.csruntime import csruntime from conftest import _config_pytest import fileinput global rt global request_handler try: shutil.rmtree(credentials_testdir) except Exception as err: print "Failed to remove old tesdir, err={}".format(err) pass try: os.makedirs(credentials_testdir) os.makedirs(runtimesdir) os.makedirs(runtimes_truststore) os.makedirs(runtimes_truststore_signing_path) os.makedirs(actor_store_path) os.makedirs(os.path.join(actor_store_path, "test")) shutil.copy( os.path.join(orig_actor_store_path, "test", "__init__.py"), os.path.join(actor_store_path, "test", "__init__.py")) os.makedirs(os.path.join(actor_store_path, "std")) shutil.copy( os.path.join(orig_actor_store_path, "std", "__init__.py"), os.path.join(actor_store_path, "std", "__init__.py")) shutil.copytree(orig_application_store_path, application_store_path) filelist = [ f for f in os.listdir(application_store_path) if f.endswith(".sign.93d58fef") ] for f in filelist: os.remove(os.path.join(application_store_path, f)) shutil.copytree( os.path.join(security_testdir, "identity_provider"), identity_provider_path) except Exception as err: _log.error( "Failed to create test folder structure, err={}".format(err)) print "Failed to create test folder structure, err={}".format(err) raise print "Trying to create a new test application/actor signer." cs = code_signer.CS(organization="testsigner", commonName="signer", security_dir=credentials_testdir) #Create signed version of CountTimer actor orig_actor_CountTimer_path = os.path.join(orig_actor_store_path, "std", "CountTimer.py") actor_CountTimer_path = os.path.join(actor_store_path, "std", "CountTimer.py") shutil.copy(orig_actor_CountTimer_path, actor_CountTimer_path) # cs.sign_file(actor_CountTimer_path) #Create unsigned version of CountTimer actor actor_CountTimerUnsigned_path = actor_CountTimer_path.replace( ".py", "Unsigned.py") shutil.copy(actor_CountTimer_path, actor_CountTimerUnsigned_path) replace_text_in_file(actor_CountTimerUnsigned_path, "CountTimer", "CountTimerUnsigned") #Create signed version of Sum actor orig_actor_Sum_path = os.path.join(orig_actor_store_path, "std", "Sum.py") actor_Sum_path = os.path.join(actor_store_path, "std", "Sum.py") shutil.copy(orig_actor_Sum_path, actor_Sum_path) # cs.sign_file(actor_Sum_path) #Create unsigned version of Sum actor actor_SumUnsigned_path = actor_Sum_path.replace(".py", "Unsigned.py") shutil.copy(actor_Sum_path, actor_SumUnsigned_path) replace_text_in_file(actor_SumUnsigned_path, "Sum", "SumUnsigned") #Create incorrectly signed version of Sum actor # actor_SumFake_path = actor_Sum_path.replace(".py", "Fake.py") # shutil.copy(actor_Sum_path, actor_SumFake_path) # #Change the class name to SumFake # replace_text_in_file(actor_SumFake_path, "Sum", "SumFake") # cs.sign_file(actor_SumFake_path) # #Now append to the signed file so the signature verification fails # with open(actor_SumFake_path, "a") as fd: # fd.write(" ") #Create signed version of Sink actor orig_actor_Sink_path = os.path.join(orig_actor_store_path, "test", "Sink.py") actor_Sink_path = os.path.join(actor_store_path, "test", "Sink.py") shutil.copy(orig_actor_Sink_path, actor_Sink_path) # cs.sign_file(actor_Sink_path) #Create unsigned version of Sink actor actor_SinkUnsigned_path = actor_Sink_path.replace(".py", "Unsigned.py") shutil.copy(actor_Sink_path, actor_SinkUnsigned_path) replace_text_in_file(actor_SinkUnsigned_path, "Sink", "SinkUnsigned") #Sign applications # cs.sign_file(os.path.join(application_store_path, "test_security1_correctly_signed.calvin")) # cs.sign_file(os.path.join(application_store_path, "test_security1_correctlySignedApp_incorrectlySignedActor.calvin")) # cs.sign_file(os.path.join(application_store_path, "test_security1_incorrectly_signed.calvin")) # #Now append to the signed file so the signature verification fails # with open(os.path.join(application_store_path, "test_security1_incorrectly_signed.calvin"), "a") as fd: # fd.write(" ") # print "Export Code Signers certificate to the truststore for code signing" # out_file = cs.export_cs_cert(runtimes_truststore_signing_path) print "Trying to create a new test domain configuration." ca = certificate_authority.CA(domain=domain_name, commonName="testdomain CA", security_dir=credentials_testdir) # print "Copy CA cert into truststore of runtimes folder" ca.export_ca_cert(runtimes_truststore) #Define the runtime attributes rt0_attributes = { 'indexed_public': { 'owner': { 'organization': domain_name, 'personOrGroup': 'testOwner1' }, 'node_name': { 'organization': 'org.testexample', 'name': 'CA' }, 'address': { 'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1 } } } rt1_attributes = { 'indexed_public': { 'owner': { 'organization': domain_name, 'personOrGroup': 'testOwner1' }, 'node_name': { 'organization': 'org.testexample', 'name': 'testNode1' }, 'address': { 'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1 } } } rt2_attributes = { 'indexed_public': { 'owner': { 'organization': domain_name, 'personOrGroup': 'testOwner1' }, 'node_name': { 'organization': 'org.testexample', 'name': 'testNode2' }, 'address': { 'country': 'SE', 'locality': 'testCity', 'street': 'otherStreet', 'streetNumber': 1 } } } rt3_attributes = { 'indexed_public': { 'owner': { 'organization': domain_name, 'personOrGroup': 'testOwner1' }, 'node_name': { 'organization': 'org.testexample', 'name': 'testNode3' }, 'address': { 'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1 } } } rt4_attributes = { 'indexed_public': { 'owner': { 'organization': domain_name, 'personOrGroup': 'testOwner1' }, 'node_name': { 'organization': 'org.testexample', 'name': 'testNode4' }, 'address': { 'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1 } } } rt5_attributes = { 'indexed_public': { 'owner': { 'organization': domain_name, 'personOrGroup': 'testOwner1' }, 'node_name': { 'organization': 'org.testexample', 'name': 'testNode5' }, 'address': { 'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1 } } } rt_attributes = [] rt_attributes.append(deepcopy(rt0_attributes)) rt_attributes.append(deepcopy(rt1_attributes)) rt_attributes.append(deepcopy(rt2_attributes)) rt_attributes.append(deepcopy(rt3_attributes)) rt_attributes.append(deepcopy(rt4_attributes)) rt_attributes.append(deepcopy(rt5_attributes)) rt_attributes_cpy = deepcopy(rt_attributes) runtimes = [] #Initiate Requesthandler with trusted CA cert truststore_dir = certificate.get_truststore_path( type=certificate.TRUSTSTORE_TRANSPORT, security_dir=credentials_testdir) # The following is less than optimal if multiple CA certs exist ca_cert_path = os.path.join(truststore_dir, os.listdir(truststore_dir)[0]) request_handler = RequestHandler(verify=ca_cert_path) #Generate credentials, create CSR, sign with CA and import cert for all runtimes enrollment_passwords = [] for rt_attribute in rt_attributes: attributes = AttributeResolver(rt_attribute) node_name = attributes.get_node_name_as_str() nodeid = calvinuuid.uuid("") enrollment_password = ca.cert_enrollment_add_new_runtime(node_name) enrollment_passwords.append(enrollment_password) runtime = runtime_credentials.RuntimeCredentials( node_name, domain=domain_name, security_dir=credentials_testdir, nodeid=nodeid, enrollment_password=enrollment_password) runtimes.append(runtime) ca_cert = runtime.get_truststore( type=certificate.TRUSTSTORE_TRANSPORT)[0][0] csr_path = os.path.join(runtime.runtime_dir, node_name + ".csr") #Encrypt CSR with CAs public key (to protect enrollment password) rsa_encrypted_csr = runtime.cert_enrollment_encrypt_csr( csr_path, ca_cert) #Decrypt encrypted CSR with CAs private key csr = ca.decrypt_encrypted_csr( encrypted_enrollment_request=rsa_encrypted_csr) csr_path = ca.store_csr_with_enrollment_password(csr) cert_path = ca.sign_csr(csr_path) runtime.store_own_cert(certpath=cert_path, security_dir=credentials_testdir) #Let's hash passwords in users.json file (the runtimes will try to do this # but they will all try to do it at the same time, so it will be overwritten # multiple times and the first test will always fail) # self.arp = FileAuthenticationRetrievalPoint(identity_provider_path) # self.arp.check_stored_users_db_for_unhashed_passwords() #The policy allows access to control interface for everyone, for more advanced rules # it might be appropriate to run set_credentials for request_handler, e.g., # request_handler.set_credentials({domain_name:{"user": "******", "password": "******"}}) rt_conf = copy.deepcopy(_conf) # rt_conf.set('security', 'runtime_to_runtime_security', "tls") # rt_conf.set('security', 'control_interface_security', "tls") rt_conf.set('security', 'domain_name', domain_name) # rt_conf.set('security', 'certificate_authority_control_uri',"https://%s:5020" % hostname ) rt_conf.set('security', 'security_dir', credentials_testdir) rt_conf.set('global', 'actor_paths', [actor_store_path]) rt_conf.set('global', 'storage_type', "securedht") # Runtime 0: local authentication, signature verification, local authorization. # Primarily acts as Certificate Authority for the domain rt0_conf = copy.deepcopy(rt_conf) # rt0_conf.set('security','enrollment_password',enrollment_passwords[0]) #The csruntime certificate requests assumes TLS for the control interface # rt0_conf.set('security', 'control_interface_security', "tls") # rt0_conf.set('security','certificate_authority','True') # rt0_conf.set("security", "security_conf", { # "comment": "Certificate Authority", # "authentication": { # "procedure": "local", # "identity_provider_path": identity_provider_path # }, # "authorization": { # "procedure": "local", # "policy_storage_path": policy_storage_path # } # }) rt0_conf.save("/tmp/calvin5000.conf") # Runtime 1: local authentication, signature verification, local authorization. rt1_conf = copy.deepcopy(rt_conf) # rt1_conf.set('security','enrollment_password',enrollment_passwords[1]) # rt1_conf.set("security", "security_conf", { # "comment": "Local authentication, local authorization", # "authentication": { # "procedure": "local", # "identity_provider_path": identity_provider_path # }, # "authorization": { # "procedure": "local", # "policy_storage_path": policy_storage_path # } # }) rt1_conf.save("/tmp/calvin5001.conf") # Runtime 2: local authentication, signature verification, local authorization. # Can also act as authorization server for other runtimes. # Other street compared to the other runtimes rt2_conf = copy.deepcopy(rt_conf) # rt2_conf.set('security','enrollment_password',enrollment_passwords[2]) # rt2_conf.set("security", "security_conf", { # "comment": "Local authentication, local authorization", # "authentication": { # "procedure": "local", # "identity_provider_path": identity_provider_path # }, # "authorization": { # "procedure": "local", # "policy_storage_path": policy_storage_path, # "accept_external_requests": True # } # }) rt2_conf.save("/tmp/calvin5002.conf") # Runtime 3: external authentication (RADIUS), signature verification, local authorization. rt3_conf = copy.deepcopy(rt_conf) # rt3_conf.set('security','enrollment_password',enrollment_passwords[3]) # rt3_conf.set("security", "security_conf", { # "comment": "RADIUS authentication, local authorization", # "authentication": { # "procedure": "radius", # "server_ip": "localhost", # "secret": "elxghyc5lz1_passwd" # }, # "authorization": { # "procedure": "local", # "policy_storage_path": policy_storage_path # } # }) rt3_conf.save("/tmp/calvin5003.conf") # Runtime 4: local authentication, signature verification, external authorization (runtime 2). rt4_conf = copy.deepcopy(rt_conf) # rt4_conf.set('security','enrollment_password',enrollment_passwords[4]) # rt4_conf.set("security", "security_conf", { # "comment": "Local authentication, external authorization", # "authentication": { # "procedure": "local", # "identity_provider_path": identity_provider_path # }, # "authorization": { # "procedure": "external" # } # }) rt4_conf.save("/tmp/calvin5004.conf") # Runtime 5: external authentication (runtime 1), signature verification, local authorization. rt5_conf = copy.deepcopy(rt_conf) # rt5_conf.set('global','storage_type','proxy') # rt5_conf.set('global','storage_proxy',"calvinip://%s:5000" % ip_addr ) # rt5_conf.set('security','enrollment_password',enrollment_passwords[5]) # rt5_conf.set("security", "security_conf", { # "comment": "Local authentication, external authorization", # "authentication": { # "procedure": "external", # "server_uuid": runtimes[1].node_id # }, # "authorization": { # "procedure": "local", # "policy_storage_path": policy_storage_path # } # }) rt5_conf.save("/tmp/calvin5005.conf") #Start all runtimes for i in range(len(rt_attributes_cpy)): _log.info("Starting runtime {}".format(i)) try: logfile = _config_pytest.getoption("logfile") + "500{}".format( i) outfile = os.path.join( os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out")) if outfile == logfile: outfile = None except: logfile = None outfile = None csruntime(hostname, port=5000 + i, controlport=5020 + i, attr=rt_attributes_cpy[i], loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile, configfile="/tmp/calvin500{}.conf".format(i)) # rt.append(RT("https://{}:502{}".format(hostname, i))) rt.append(RT("http://{}:502{}".format(hostname, i))) # Wait to be sure that all runtimes has started time.sleep(1) time.sleep(10) request.addfinalizer(self.teardown)
import shutil import json from collections import namedtuple from calvin.requests.request_handler import RequestHandler, RT from calvin.utilities.nodecontrol import dispatch_node, dispatch_storage_node from calvin.utilities.attribute_resolver import format_index_string from calvin.utilities import certificate from calvin.utilities import certificate_authority from calvin.utilities import calvinlogger from calvin.utilities import calvinconfig from calvin.utilities import calvinuuid from calvin.utilities.utils import get_home _log = calvinlogger.get_logger(__name__) _conf = calvinconfig.get() request_handler = RequestHandler() try: ip_addr = os.environ["CALVIN_TEST_LOCALHOST"] except: ip_addr = socket.gethostbyname(socket.gethostname()) rt1 = None rt2 = None rt3 = None rt1_id = None rt2_id = None rt3_id = None test_script_dir = None deploy_attr = [
def setup(self, request): from calvin.Tools.csruntime import csruntime from conftest import _config_pytest import fileinput global hostname global rt global rt_attributes global request_handler try: ipv6_hostname = socket.gethostbyaddr('::1') except Exception as err: print( "Failed to resolve the IPv6 localhost hostname, please update the corresponding entry in the /etc/hosts file, e.g.,:\n" "\t::1 <hostname>.localdomain <hostname>.local <hostname> localhost" ) raise try: ipv6_hostname = socket.gethostbyaddr('::ffff:127.0.0.1') except Exception as err: print( "Failed to resolve ::ffff:127.0.0.1, please add the following line (with your hostname) to /etc/hosts :\n" "::ffff:127.0.0.1: <hostname>.localdomain <hostname>.local <hostname>" ) raise try: hostname = socket.gethostname() ip_addr = socket.gethostbyname(hostname) fqdn = socket.getfqdn(hostname) print("\n\tip_addr={}" "\n\thostname={}" "\n\tfqdn={}".format(ip_addr, hostname, fqdn)) except Exception as err: print( "Failed to resolve the hostname, ip_addr or the FQDN of the runtime, err={}" .format(err)) raise try: shutil.rmtree(credentials_testdir) except Exception as err: print "Failed to remove old tesdir, err={}".format(err) pass try: os.mkdir(credentials_testdir) os.mkdir(runtimesdir) os.mkdir(runtimes_truststore) except Exception as err: _log.error( "Failed to create test folder structure, err={}".format(err)) print "Failed to create test folder structure, err={}".format(err) raise _log.info("Trying to create a new test domain configuration.") try: ca = certificate_authority.CA(domain=domain_name, commonName="testdomain CA", security_dir=credentials_testdir) except Exception as err: _log.error("Failed to create CA, err={}".format(err)) _log.info("Copy CA cert into truststore of runtimes folder") ca.export_ca_cert(runtimes_truststore) node_names = [] rt_attributes = [] for i in range(6): node_name = { 'organization': 'org.testexample', 'name': 'testNode{}'.format(i) } owner = {'organization': domain_name, 'personOrGroup': 'testOwner'} address = { 'country': 'SE', 'locality': 'testCity', 'street': 'testStreet', 'streetNumber': 1 } rt_attribute = { 'indexed_public': { 'owner': owner, 'node_name': node_name, 'address': address } } rt_attributes.append(rt_attribute) rt_attributes_cpy = deepcopy(rt_attributes) runtimes = [] #Initiate Requesthandler with trusted CA cert truststore_dir = certificate.get_truststore_path( type=certificate.TRUSTSTORE_TRANSPORT, security_dir=credentials_testdir) # The following is less than optimal if multiple CA certs exist ca_cert_path = os.path.join(truststore_dir, os.listdir(truststore_dir)[0]) request_handler = RequestHandler(verify=ca_cert_path) #Generate credentials, create CSR, sign with CA and import cert for all runtimes enrollment_passwords = [] for rt_attribute in rt_attributes_cpy: _log.info("rt_attribute={}".format(rt_attribute)) attributes = AttributeResolver(rt_attribute) node_name = attributes.get_node_name_as_str() nodeid = calvinuuid.uuid("") enrollment_password = ca.cert_enrollment_add_new_runtime(node_name) enrollment_passwords.append(enrollment_password) runtime = runtime_credentials.RuntimeCredentials( node_name, domain=domain_name, security_dir=credentials_testdir, nodeid=nodeid, enrollment_password=enrollment_password) runtimes.append(runtime) ca_cert = runtime.get_truststore( type=certificate.TRUSTSTORE_TRANSPORT)[0][0] csr_path = os.path.join(runtime.runtime_dir, node_name + ".csr") #Encrypt CSR with CAs public key (to protect enrollment password) rsa_encrypted_csr = runtime.cert_enrollment_encrypt_csr( csr_path, ca_cert) #Decrypt encrypted CSR with CAs private key csr = ca.decrypt_encrypted_csr( encrypted_enrollment_request=rsa_encrypted_csr) csr_path = ca.store_csr_with_enrollment_password(csr) cert_path = ca.sign_csr(csr_path) runtime.store_own_cert(certpath=cert_path, security_dir=credentials_testdir) rt_conf = copy.deepcopy(_conf) rt_conf.set('security', 'runtime_to_runtime_security', "tls") rt_conf.set('security', 'control_interface_security', "tls") rt_conf.set('security', 'domain_name', domain_name) rt_conf.set('security', 'security_dir', credentials_testdir) rt0_conf = copy.deepcopy(rt_conf) rt_conf.set('global', 'storage_type', 'proxy') rt_conf.set('global', 'storage_proxy', "calvinip://%s:5000" % hostname) # Runtime 0: local authentication, signature verification, local authorization. # Primarily acts as Certificate Authority for the domain rt0_conf.set('global', 'storage_type', 'local') rt0_conf.save("/tmp/calvin5000.conf") # Runtime 1: local authentication, signature verification, local authorization. rt1_conf = copy.deepcopy(rt_conf) rt1_conf.save("/tmp/calvin5001.conf") # Runtime 2: local authentication, signature verification, local authorization. # Can also act as authorization server for other runtimes. # Other street compared to the other runtimes rt2_conf = copy.deepcopy(rt_conf) rt2_conf.save("/tmp/calvin5002.conf") # Runtime 3: external authentication (RADIUS), signature verification, local authorization. rt3_conf = copy.deepcopy(rt_conf) rt3_conf.save("/tmp/calvin5003.conf") # Runtime 4: local authentication, signature verification, external authorization (runtime 2). rt4_conf = copy.deepcopy(rt_conf) rt4_conf.save("/tmp/calvin5004.conf") # Runtime 5: external authentication (runtime 1), signature verification, local authorization. rt5_conf = copy.deepcopy(rt_conf) rt5_conf.save("/tmp/calvin5005.conf") #Start all runtimes for i in range(len(rt_attributes)): _log.info("Starting runtime {}".format(i)) try: logfile = _config_pytest.getoption("logfile") + "500{}".format( i) outfile = os.path.join( os.path.dirname(logfile), os.path.basename(logfile).replace("log", "out")) if outfile == logfile: outfile = None except: logfile = None outfile = None csruntime(hostname, port=5000 + i, controlport=5020 + i, attr=rt_attributes[i], loglevel=_config_pytest.getoption("loglevel"), logfile=logfile, outfile=outfile, configfile="/tmp/calvin500{}.conf".format(i)) rt.append(RT("https://{}:502{}".format(hostname, i))) # Wait to be sure that all runtimes has started time.sleep(1) time.sleep(2) request.addfinalizer(self.teardown)