def testSecurity_NEGATIVE_IncorrectPassword(self): _log.analyze("TESTRUN", "+", {}) global rt1 global security_test_dir self.verify_storage() result = {} try: content = Security.verify_signature_get_files( os.path.join(security_test_dir, "scripts", "test_security1_correctly_signed.calvin") ) if not content: raise Exception("Failed finding script, signature and cert, stopping here") result = request_handler.deploy_application( rt1, "test_security1_correctly_signed", content["file"], credentials={"testdomain": {"user": "******", "password": "******"}}, content=content, check=True, ) except Exception as e: if e.message.startswith("401"): # We were blocked, as we should return _log.exception("Test deploy failed for non security reasons") raise Exception("Deployment of app test_security1_correctly_signed, did not fail for security reasons")
def deploy_signed_application_that_should_fail(request_handler, runtimes, name, application_path, retries=20): """ Deploys app associated w/ deployer and then tries to verify its presence in registry (for all runtimes). """ from calvin.utilities.security import Security delay = 0.1 retry = 0 result = None while retry < retries: try: content = Security.verify_signature_get_files(application_path) if not content: raise Exception("Failed finding script, signature and cert, stopping here") result = request_handler.deploy_application(runtimes, name, script=content['file'], content=content, check=True) except Exception as e: try: if e.message.startswith("401"): return except Exception as e: _log.error("Failed for other reasons, continue, e={}".format(e)) continue delay = min(2, delay * 1.5); retry += 1 time.sleep(delay) _log.info("Deployment failed, but not due to security reasons, %d retries" % (retry)) raise Exception("Deployment of app correctly_signed, did not fail for security reasons")
def control_deploy(args): response = None reqs = requirements_file(args.reqs) if args.reqs else None if args.signer: conf = certificate.Config(configfile=None, domain=args.signer, readonly=True) certificate.sign_file(conf, args.script.name) source_text = args.script.read() credentials_ = None content = None if args.credentials: try: credentials_ = json.loads(args.credentials) except Exception as e: print "Credentials not JSON:\n", e return -1 if credentials_: content = Security.verify_signature_get_files(args.script.name, skip_file=True) if content: content['file'] = source_text try: response = get_request_handler().deploy_application( args.node, args.script.name, source_text, reqs, credentials=credentials_, content=content, check=args.check) except Exception as e: print e return response
def control_deploy(args): response = None reqs = requirements_file(args.reqs) if args.reqs else None if args.signer: conf = certificate.Config(configfile=None, domain=args.signer, readonly=True) certificate.sign_file(conf, args.script.name) source_text = args.script.read() credentials_ = None content = None if args.credentials: try: credentials_ = json.loads(args.credentials) except Exception as e: print "Credentials not JSON:\n", e return -1 if credentials_: content = Security.verify_signature_get_files(args.script.name, skip_file=True) if content: content['file'] = source_text try: response = get_request_handler().deploy_application(args.node, args.script.name, source_text, reqs, credentials=credentials_, content=content, check=args.check) except Exception as e: print e return response
def testSecurity_NEGATIVE_CorrectlySignedApp_IncorrectlySignedActor(self): _log.analyze("TESTRUN", "+", {}) global rt1 global security_test_dir self.verify_storage() result = {} try: content = Security.verify_signature_get_files(security_test_dir + "/scripts/test_security1_correctlySignedApp_incorrectlySignedActor.calvin") if not content: raise Exception("Failed finding script, signature and cert, stopping here") result = request_handler.deploy_application(rt1, "test_security1_correctlySignedApp_incorrectlySignedActor", content['file'], credentials={"user": ["user1"], "password": ["pass1"]}, content=content, check=True) except Exception as e: _log.debug(str(e)) if e.message.startswith("401"): raise Exception("Failed security verification of app testSecurity_NEGATIVE_CorrectlySignedApp_IncorrectlySignedActor") _log.exception("Test deploy failed") raise Exception("Failed deployment of app testSecurity_NEGATIVE_CorrectlySignedApp_IncorrectlySignedActor, no use to verify if requirements fulfilled") #print "RESULT:", result time.sleep(2) # Verify that actors exist like this actors = request_handler.get_actors(rt1) assert result['actor_map']['test_security1_correctlySignedApp_incorrectlySignedActor:src'] in actors assert result['actor_map']['test_security1_correctlySignedApp_incorrectlySignedActor:sum'] in actors assert result['actor_map']['test_security1_correctlySignedApp_incorrectlySignedActor:snk'] in actors actual = request_handler.report(rt1, result['actor_map']['test_security1_correctlySignedApp_incorrectlySignedActor:snk']) assert len(actual) == 0 request_handler.delete_application(rt1, result['application_id'])
def testSecurity_POSITIVE_RADIUS_Authentication(self): _log.analyze("TESTRUN", "+", {}) global rt3 global security_test_dir self.verify_storage() result = {} try: content = Security.verify_signature_get_files(os.path.join(security_test_dir, "scripts", "test_security1_correctly_signed.calvin")) if not content: raise Exception("Failed finding script, signature and cert, stopping here") result = request_handler.deploy_application(rt3, "test_security1_correctly_signed", content['file'], credentials={"testdomain":{"user":"******", "password":"******"}}, content=content, check=True) except Exception as e: if isinstance(e, Timeout): raise Exception("Can't connect to RADIUS server. Have you started a RADIUS server?") elif e.message.startswith("401"): raise Exception("Failed security verification of app test_security1_correctly_signed") _log.exception("Test deploy failed") raise Exception("Failed deployment of app test_security1_correctly_signed, no use to verify if requirements fulfilled") time.sleep(2) # Verify that actors exist like this actors = request_handler.get_actors(rt3) assert result['actor_map']['test_security1_correctly_signed:src'] in actors assert result['actor_map']['test_security1_correctly_signed:sum'] in actors assert result['actor_map']['test_security1_correctly_signed:snk'] in actors actual = request_handler.report(rt3, result['actor_map']['test_security1_correctly_signed:snk']) assert len(actual) > 5 request_handler.delete_application(rt3, result['application_id'])
def testSecurity_NEGATIVE_Deny_SignedApp_SignedActor_UnallowedRequirement(self): _log.analyze("TESTRUN", "+", {}) global rt2 global security_test_dir self.verify_storage() result = {} try: content = Security.verify_signature_get_files(os.path.join(security_test_dir, "scripts", "test_security1_correctly_signed.calvin")) if not content: raise Exception("Failed finding script, signature and cert, stopping here") result = request_handler.deploy_application(rt2, "test_security1_correctly_signed", content['file'], credentials={"testdomain":{"user":"******", "password":"******"}}, content=content, check=True) except Exception as e: _log.debug(str(e)) if e.message.startswith("401"): raise Exception("Failed security verification of app test_security1_correctly_signed") _log.exception("Test deploy failed") raise Exception("Failed deployment of app test_security1_correctly_signed, no use to verify if requirements fulfilled") time.sleep(2) # Verify that actors exist like this actors = request_handler.get_actors(rt2) assert result['actor_map']['test_security1_correctly_signed:src'] in actors assert result['actor_map']['test_security1_correctly_signed:sum'] in actors assert result['actor_map']['test_security1_correctly_signed:snk'] in actors actual = request_handler.report(rt2, result['actor_map']['test_security1_correctly_signed:snk']) assert len(actual) == 0 # Means that the actor with unallowed requirements was not accepted request_handler.delete_application(rt2, result['application_id'])
def testSecurity_NEGATIVE_UnallowedUser(self): _log.analyze("TESTRUN", "+", {}) global storage_verified if not storage_verified: try: storage_verified = helpers.security_verify_storage(rt, request_handler) except Exception as err: _log.error("Failed storage verification, err={}".format(err)) raise result = {} try: content = Security.verify_signature_get_files(os.path.join(application_store_path, "correctly_signed.calvin")) if not content: raise Exception("Failed finding script, signature and cert, stopping here") request_handler.set_credentials({"user": "******", "password": "******"}) result = request_handler.deploy_application(rt[1], "correctly_signed", content['file'], content=content, check=True) except Exception as e: if e.message.startswith("401"): # We were blocked, as we should return _log.exception("Test deploy failed for non security reasons") raise Exception("Deployment of app correctly_signed did not fail for security reasons")
def testSecurity_NEGATIVE_Deny_SignedApp_SignedActor_UnallowedRequirement(self): _log.analyze("TESTRUN", "+", {}) global rt2 global security_test_dir self.verify_storage() result = {} try: content = Security.verify_signature_get_files(os.path.join(security_test_dir, "scripts", "test_security1_correctly_signed.calvin")) if not content: raise Exception("Failed finding script, signature and cert, stopping here") result = request_handler.deploy_application(rt2, "test_security1_correctly_signed", content['file'], credentials={"user": ["user1"], "password": ["pass1"]}, content=content, check=True) except Exception as e: _log.debug(str(e)) if e.message.startswith("401"): raise Exception("Failed security verification of app test_security1_correctly_signed") _log.exception("Test deploy failed") raise Exception("Failed deployment of app test_security1_correctly_signed, no use to verify if requirements fulfilled") time.sleep(2) # Verify that actors exist like this actors = request_handler.get_actors(rt2) assert result['actor_map']['test_security1_correctly_signed:src'] in actors assert result['actor_map']['test_security1_correctly_signed:sum'] in actors assert result['actor_map']['test_security1_correctly_signed:snk'] in actors actual = request_handler.report(rt2, result['actor_map']['test_security1_correctly_signed:snk']) assert len(actual) == 0 # Means that the actor with unallowed requirements was not accepted request_handler.delete_application(rt2, result['application_id'])
def testSecurity_POSITIVE_External_Authorization(self): _log.analyze("TESTRUN", "+", {}) global rt4 global security_test_dir self.verify_storage() result = {} try: content = Security.verify_signature_get_files(os.path.join(security_test_dir, "scripts", "test_security1_unsignedApp_signedActors.calvin")) if not content: raise Exception("Failed finding script, signature and cert, stopping here") result = request_handler.deploy_application(rt4, "test_security1_unsignedApp_signedActors", content['file'], credentials={"user": ["user2"], "password": ["pass2"]}, content=content, check=True) except Exception as e: if e.message.startswith("401"): raise Exception("Failed security verification of app test_security1_unsignedApp_signedActors") _log.exception("Test deploy failed") raise Exception("Failed deployment of app test_security1_unsignedApp_signedActors, no use to verify if requirements fulfilled") time.sleep(2) # Verify that actors exist like this actors = request_handler.get_actors(rt4) assert result['actor_map']['test_security1_unsignedApp_signedActors:src'] in actors assert result['actor_map']['test_security1_unsignedApp_signedActors:sum'] in actors assert result['actor_map']['test_security1_unsignedApp_signedActors:snk'] in actors actual = request_handler.report(rt4, result['actor_map']['test_security1_unsignedApp_signedActors:snk']) assert len(actual) > 5 request_handler.delete_application(rt4, result['application_id'])
def testPositive_Permit_UnsignedApp_Unsigned_Actor(self): _log.analyze("TESTRUN", "+", {}) result = {} try: content = Security.verify_signature_get_files(os.path.join(application_store_path, "unsignedApp_unsignedActors.calvin")) if not content: raise Exception("Failed finding script, signature and cert, stopping here") request_handler.set_credentials({"user": "******", "password": "******"}) result = request_handler.deploy_application(runtimes[1]["RT"], "unsignedApp_unsignedActors", content['file'], content=content, check=True) except Exception as e: if e.message.startswith("401"): raise Exception("Failed security verification of app unsignedApp_unsignedActors") _log.exception("Test deploy failed") raise Exception("Failed deployment of app unsignedApp_unsignedActors, no use to verify if requirements fulfilled") # Verify that actors exist like this try: actors = helpers.fetch_and_log_runtime_actors(runtimes, request_handler) except Exception as err: _log.error("Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map']['unsignedApp_unsignedActors:src'] in actors[1] assert result['actor_map']['unsignedApp_unsignedActors:sum'] in actors[1] assert result['actor_map']['unsignedApp_unsignedActors:snk'] in actors[1] actual = request_handler.report(runtimes[1]["RT"], result['actor_map']['unsignedApp_unsignedActors:snk']) assert len(actual) > 2 request_handler.delete_application(runtimes[1]["RT"], result['application_id'])
def testNegative_Deny_SignedApp_SignedActor_UnallowedRequirement(self): _log.analyze("TESTRUN", "+", {}) result = {} try: content = Security.verify_signature_get_files(os.path.join(application_store_path, "correctly_signed.calvin")) if not content: raise Exception("Failed finding script, signature and cert, stopping here") request_handler.set_credentials({"user": "******", "password": "******"}) result = request_handler.deploy_application(runtimes[2]["RT"], "correctly_signed", content['file'], content=content, check=True) except Exception as e: _log.debug(str(e)) if e.message.startswith("401"): raise Exception("Failed security verification of app correctly_signed") _log.exception("Test deploy failed") raise Exception("Failed deployment of app correctly_signed, no use to verify if requirements fulfilled") # Verify that actors exist like this try: actors = helpers.fetch_and_log_runtime_actors(runtimes, request_handler) except Exception as err: _log.error("Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map']['correctly_signed:src'] in actors[2] assert result['actor_map']['correctly_signed:sum'] in actors[2] assert result['actor_map']['correctly_signed:snk'] in actors[2] actual = request_handler.report(runtimes[2]["RT"], result['actor_map']['correctly_signed:snk']) _log.debug("actual={}".format(actual)) assert len(actual) == 0 # Means that the actor with unallowed requirements was not accepted request_handler.delete_application(runtimes[2]["RT"], result['application_id'])
def testSecurity_POSITIVE_RADIUS_Authentication(self): _log.analyze("TESTRUN", "+", {}) global rt3 global security_test_dir self.verify_storage() result = {} try: content = Security.verify_signature_get_files(security_test_dir + "/scripts/test_security1_correctly_signed.calvin") if not content: raise Exception("Failed finding script, signature and cert, stopping here") result = request_handler.deploy_application(rt3, "test_security1_correctly_signed", content['file'], credentials={"user": ["radius_user1"], "password": ["radius_passwd1"]}, content=content, check=True) except Exception as e: if e.message.startswith("401"): raise Exception("Failed security verification of app test_security1_correctly_signed") _log.exception("Test deploy failed") raise Exception("Failed deployment of app test_security1_correctly_signed, no use to verify if requirements fulfilled") #print "RESULT:", result time.sleep(2) # For example verify that actors exist like this actors = request_handler.get_actors(rt3) assert result['actor_map']['test_security1_correctly_signed:src'] in actors assert result['actor_map']['test_security1_correctly_signed:sum'] in actors assert result['actor_map']['test_security1_correctly_signed:snk'] in actors actual = request_handler.report(rt3, result['actor_map']['test_security1_correctly_signed:snk']) assert len(actual) > 5 request_handler.delete_application(rt3, result['application_id'])
def control_deploy(args): response = None reqs = requirements_file(args.reqs) if args.reqs else None if args.signer: conf = certificate.Config(configfile=None, domain=args.signer, readonly=True) certificate.sign_file(conf, args.script.name) source_text = args.script.read() credentials_ = None content = None if args.credentials: content = Security.verify_signature_get_files(args.script.name, skip_file=True) if content: content['file'] = source_text req_handler = handle_security_arguments(args) try: response = req_handler.deploy_application(args.node, args.script.name, source_text, reqs, content=content, check=args.check) except Exception as e: print e return response
def testSecurity_POSITIVE_External_Authorization(self): _log.analyze("TESTRUN", "+", {}) global rt4 global security_test_dir self.verify_storage() result = {} try: content = Security.verify_signature_get_files(os.path.join(security_test_dir, "scripts", "test_security1_unsignedApp_signedActors.calvin")) if not content: raise Exception("Failed finding script, signature and cert, stopping here") result = request_handler.deploy_application(rt4, "test_security1_unsignedApp_signedActors", content['file'], credentials={"testdomain":{"user":"******","password":"******"}}, content=content, check=True) except Exception as e: if e.message.startswith("401"): raise Exception("Failed security verification of app test_security1_unsignedApp_signedActors") _log.exception("Test deploy failed") raise Exception("Failed deployment of app test_security1_unsignedApp_signedActors, no use to verify if requirements fulfilled") time.sleep(2) # Verify that actors exist like this actors = request_handler.get_actors(rt4) assert result['actor_map']['test_security1_unsignedApp_signedActors:src'] in actors assert result['actor_map']['test_security1_unsignedApp_signedActors:sum'] in actors assert result['actor_map']['test_security1_unsignedApp_signedActors:snk'] in actors actual = request_handler.report(rt4, result['actor_map']['test_security1_unsignedApp_signedActors:snk']) assert len(actual) > 5 request_handler.delete_application(rt4, result['application_id'])
def testSecurity_NEGATIVE_IncorrectPassword(self): _log.analyze("TESTRUN", "+", {}) global storage_verified if not storage_verified: try: storage_verified = helpers.security_verify_storage( rt, request_handler) except Exception as err: _log.error("Failed storage verification, err={}".format(err)) raise result = {} try: content = Security.verify_signature_get_files( os.path.join(application_store_path, "correctly_signed.calvin")) if not content: raise Exception( "Failed finding script, signature and cert, stopping here") request_handler.set_credentials({ "user": "******", "password": "******" }) result = helpers.deploy_signed_application_that_should_fail( request_handler, rt[1], "incorrectly_signed", content) except Exception as e: _log.error( "Test deploy failed for non security reasons, e={}".format(e)) raise Exception( "Deployment of app correctly_signed, did not fail for security reasons" ) return
def testPositive_External_Authentication(self): _log.analyze("TESTRUN", "+", {}) result = {} try: content = Security.verify_signature_get_files(os.path.join(application_store_path, "correctly_signed.calvin")) if not content: raise Exception("Failed finding script, signature and cert, stopping here") request_handler.set_credentials({"user": "******", "password": "******"}) result = request_handler.deploy_application(runtimes[1]["RT"], "correctly_signed", content['file'], content=content, check=True) except Exception as e: if isinstance(e, Timeout): raise Exception("Can't connect to runtime 5.\n\te={}".format(e)) elif e.message.startswith("401"): raise Exception("Failed security verification of app correctly_signed") _log.exception("Test deploy failed") raise Exception("Failed deployment of app correctly_signed, no use to verify if requirements fulfilled") # Verify that actors exist like this try: actors = helpers.fetch_and_log_runtime_actors(runtimes, request_handler) except Exception as err: _log.error("Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map']['correctly_signed:src'] in actors[1] assert result['actor_map']['correctly_signed:sum'] in actors[1] assert result['actor_map']['correctly_signed:snk'] in actors[1] time.sleep(0.1) actual = request_handler.report(runtimes[1]["RT"], result['actor_map']['correctly_signed:snk']) assert len(actual) > 2 request_handler.delete_application(runtimes[1]["RT"], result['application_id'])
def testSecurity_NEGATIVE_CorrectlySignedApp_IncorrectlySignedActor(self): _log.analyze("TESTRUN", "+", {}) global storage_verified if not storage_verified: try: storage_verified = helpers.security_verify_storage( rt, request_handler) except Exception as err: _log.error("Failed storage verification, err={}".format(err)) raise result = {} try: content = Security.verify_signature_get_files( os.path.join( application_store_path, "correctlySignedApp_incorrectlySignedActor.calvin")) if not content: raise Exception( "Failed finding script, signature and cert, stopping here") request_handler.set_credentials({ "user": "******", "password": "******" }) result = helpers.deploy_signed_application( request_handler, rt[1], "correctlySignedApp_incorrectlySignedActor", content) except Exception as e: _log.debug(str(e)) if e.message.startswith("401"): raise Exception( "Failed security verification of app correctlySignedApp_incorrectlySignedActor" ) _log.error( "Test deploy failed for non security reasons, e={}".format(e)) raise Exception( "Failed deployment of app correctlySignedApp_incorrectlySignedActor, no use to verify if requirements fulfilled" ) snk = result['actor_map'][ 'correctlySignedApp_incorrectlySignedActor:snk'] request_handler.set_credentials({"user": "******", "password": "******"}) request_handler.report(rt[1], snk, kwargs={'active': True}) try: helpers.actual_tokens(request_handler, rt[1], snk, size=5, retries=2) except Exception as e: if e.message.startswith("Not enough tokens"): # We were blocked, as we should helpers.delete_app(request_handler, rt[1], result['application_id']) return _log.error( "Test deploy failed for non security reasons, e={}".format(e)) raise Exception( "Incorrectly signed actor was not stopped as it should have been")
def testSecurity_POSITIVE_Migration_When_Denied(self): _log.analyze("TESTRUN", "+", {}) global storage_verified if not storage_verified: try: storage_verified = helpers.security_verify_storage( rt, request_handler) except Exception as err: _log.error("Failed storage verification, err={}".format(err)) raise result = {} try: content = Security.verify_signature_get_files( os.path.join(application_store_path, "correctly_signed.calvin")) if not content: raise Exception( "Failed finding script, signature and cert, stopping here") request_handler.set_credentials({ "user": "******", "password": "******" }) result = helpers.deploy_signed_application(request_handler, rt[1], "correctly_signed", content) except Exception as e: if e.message.startswith("401"): raise Exception( "Failed security verification of app correctly_signed") _log.exception("Test deploy failed") raise Exception( "Failed deployment of app correctly_signed, no use to verify if requirements fulfilled" ) # Verify that actors exist like this (all of them should have migrated to rt[2]) try: actors = helpers.fetch_and_log_runtime_actors(rt, request_handler) except Exception as err: _log.error( "Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map']['correctly_signed:src'] in actors[2] assert result['actor_map']['correctly_signed:sum'] in actors[2] assert result['actor_map']['correctly_signed:snk'] in actors[2] snk = result['actor_map']['correctly_signed:snk'] request_handler.set_credentials({"user": "******", "password": "******"}) request_handler.report(rt[2], snk, kwargs={'active': True}) actual = helpers.actual_tokens(request_handler, rt[2], snk, size=5, retries=20) assert len(actual) > 4 helpers.delete_app(request_handler, rt[1], result['application_id'])
def compile_file(file, credentials=None): with open(file, 'r') as source: sourceText = source.read() content = None if credentials: content = Security.verify_signature_get_files(file, skip_file=True) if content: content['file'] = sourceText return compile(sourceText, file, content=content, credentials=credentials)
def testSecurity_POSITIVE_CorrectlySignedApp_CorrectlySignedActors(self): _log.analyze("TESTRUN", "+", {}) global rt global request_handler global security_testdir try: helpers.security_verify_storage(rt, request_handler) except Exception as err: _log.error("Failed storage verification, err={}".format(err)) raise result = {} try: content = Security.verify_signature_get_files( os.path.join(application_store_path, "correctly_signed.calvin")) if not content: raise Exception( "Failed finding script, signature and cert, stopping here") request_handler.set_credentials({ "user": "******", "password": "******" }) result = request_handler.deploy_application(rt[1], "correctly_signed", content['file'], content=content, check=True) except Exception as e: if e.message.startswith("401"): raise Exception( "Failed security verification of app correctly_signed") _log.exception("Test deploy failed") raise Exception( "Failed deployment of app correctly_signed, no use to verify if requirements fulfilled" ) # Verify that actors exist like this try: actors = helpers.fetch_and_log_runtime_actors(rt, request_handler) except Exception as err: _log.error( "Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map']['correctly_signed:src'] in actors[1] assert result['actor_map']['correctly_signed:sum'] in actors[1] assert result['actor_map']['correctly_signed:snk'] in actors[1] request_handler.set_credentials({"user": "******", "password": "******"}) actual = request_handler.report( rt[1], result['actor_map']['correctly_signed:snk']) print "actual=", actual assert len(actual) > 2 request_handler.delete_application(rt[1], result['application_id'])
def deploy_signed_application(request_handler, runtimes, name, application_path, retries=10): """ Deploys app associated w/ deployer and then tries to verify its presence in registry (for all runtimes). """ from functools import partial from calvin.utilities.security import Security content = Security.verify_signature_get_files(application_path) if not content: raise Exception("Failed finding script, signature and cert, stopping here") return retry(retries, partial(request_handler.deploy_application, runtimes, name, script=content['file'], content=content, check=True), lambda _: True, "Failed to deploy application")
def testSecurity_POSITIVE_External_Authentication(self): _log.analyze("TESTRUN", "+", {}) global storage_verified if not storage_verified: try: storage_verified = helpers.security_verify_storage( rt, request_handler) except Exception as err: _log.error("Failed storage verification, err={}".format(err)) raise result = {} try: content = Security.verify_signature_get_files( os.path.join(application_store_path, "correctly_signed.calvin")) if not content: raise Exception( "Failed finding script, signature and cert, stopping here") request_handler.set_credentials({ "user": "******", "password": "******" }) result = helpers.deploy_signed_application(request_handler, rt[1], "correctly_signed", content) except Exception as e: if isinstance(e, Timeout): raise Exception( "Can't connect to runtime 5.\n\te={}".format(e)) elif e.message.startswith("401"): raise Exception( "Failed security verification of app correctly_signed") _log.exception("Test deploy failed") raise Exception( "Failed deployment of app correctly_signed, no use to verify if requirements fulfilled" ) snk = result['actor_map']['correctly_signed:snk'] request_handler.set_credentials({"user": "******", "password": "******"}) request_handler.report(rt[1], snk, kwargs={'active': True}) actual = helpers.actual_tokens(request_handler, rt[1], snk, size=5, retries=20) assert len(actual) > 4 helpers.delete_app(request_handler, rt[1], result['application_id'])
def testSecurity_NEGATIVE_CorrectlySignedApp_IncorrectlySignedActor(self): _log.analyze("TESTRUN", "+", {}) global rt1 global security_test_dir self.verify_storage() result = {} try: content = Security.verify_signature_get_files( os.path.join( security_test_dir, "scripts", "test_security1_correctlySignedApp_incorrectlySignedActor.calvin" ) ) if not content: raise Exception("Failed finding script, signature and cert, stopping here") result = request_handler.deploy_application( rt1, "test_security1_correctlySignedApp_incorrectlySignedActor", content["file"], credentials={"testdomain": {"user": "******", "password": "******"}}, content=content, check=True, ) except Exception as e: _log.debug(str(e)) if e.message.startswith("401"): raise Exception( "Failed security verification of app test_security1_correctlySignedApp_incorrectlySignedActor" ) _log.exception("Test deploy failed") raise Exception( "Failed deployment of app test_security1_correctlySignedApp_incorrectlySignedActor, no use to verify if requirements fulfilled" ) time.sleep(2) # Verify that actors exist like this actors = request_handler.get_actors(rt1) assert result["actor_map"]["test_security1_correctlySignedApp_incorrectlySignedActor:src"] in actors assert result["actor_map"]["test_security1_correctlySignedApp_incorrectlySignedActor:sum"] in actors assert result["actor_map"]["test_security1_correctlySignedApp_incorrectlySignedActor:snk"] in actors actual = request_handler.report( rt1, result["actor_map"]["test_security1_correctlySignedApp_incorrectlySignedActor:snk"] ) assert len(actual) == 0 # Means that the incorrectly signed actor was not accepted request_handler.delete_application(rt1, result["application_id"])
def testNegative_IncorrectPassword(self): _log.analyze("TESTRUN", "+", {}) result = {} try: content = Security.verify_signature_get_files(os.path.join(application_store_path, "correctly_signed.calvin")) if not content: raise Exception("Failed finding script, signature and cert, stopping here") request_handler.set_credentials({"user": "******", "password": "******"}) result = request_handler.deploy_application(runtimes[1]["RT"], "correctly_signed", content['file'], content=content, check=True) except Exception as e: if e.message.startswith("401"): # We were blocked, as we should return _log.exception("Test deploy failed for non security reasons") raise Exception("Deployment of app correctly_signed, did not fail for security reasons")
def testSecurity_POSITIVE_RADIUS_Authentication(self): _log.analyze("TESTRUN", "+", {}) global rt3 global security_test_dir self.verify_storage() result = {} try: content = Security.verify_signature_get_files( os.path.join(security_test_dir, "scripts", "test_security1_correctly_signed.calvin") ) if not content: raise Exception("Failed finding script, signature and cert, stopping here") result = request_handler.deploy_application( rt3, "test_security1_correctly_signed", content["file"], credentials={"testdomain": {"user": "******", "password": "******"}}, content=content, check=True, ) except Exception as e: if isinstance(e, Timeout): raise Exception("Can't connect to RADIUS server. Have you started a RADIUS server?") elif e.message.startswith("401"): raise Exception("Failed security verification of app test_security1_correctly_signed") _log.exception("Test deploy failed") raise Exception( "Failed deployment of app test_security1_correctly_signed, no use to verify if requirements fulfilled" ) time.sleep(2) # Verify that actors exist like this actors = request_handler.get_actors(rt3) assert result["actor_map"]["test_security1_correctly_signed:src"] in actors assert result["actor_map"]["test_security1_correctly_signed:sum"] in actors assert result["actor_map"]["test_security1_correctly_signed:snk"] in actors actual = request_handler.report(rt3, result["actor_map"]["test_security1_correctly_signed:snk"]) assert len(actual) > 5 request_handler.delete_application(rt3, result["application_id"])
def test_deploy_and_migrate_with_automatice_ca_discovery(self): _log.analyze("TESTRUN", "+", {}) result = {} try: content = Security.verify_signature_get_files(os.path.join(application_store_path, "unsignedApp_unsignedActors.calvin")) if not content: raise Exception("Failed finding script, signature and cert, stopping here") request_handler.set_credentials({"user": "******", "password": "******"}) result = request_handler.deploy_application(runtimes[0]["RT"], "unsignedApp_unsignedActors", content['file'], content=content, check=True) except Exception as e: if e.message.startswith("401"): raise Exception("Failed to deploy unsignedApp_unsignedActors") _log.exception("Test deploy failed") raise Exception("Failed deployment of app unsignedApp_unsignedActors, no use to verify if requirements fulfilled") #Log actor ids: _log.info("Actors id:s:\n\tsrc id={}\n\tsum={}\n\tsnk={}".format(result['actor_map']['unsignedApp_unsignedActors:src'], result['actor_map']['unsignedApp_unsignedActors:sum'], result['actor_map']['unsignedApp_unsignedActors:snk'])) # Verify that actors exist like this try: actors = helpers.fetch_and_log_runtime_actors(runtimes, request_handler) except Exception as err: _log.error("Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map']['unsignedApp_unsignedActors:src'] in actors[0] assert result['actor_map']['unsignedApp_unsignedActors:sum'] in actors[0] assert result['actor_map']['unsignedApp_unsignedActors:snk'] in actors[0] time.sleep(1) try: actual = request_handler.report(runtimes[0]["RT"], result['actor_map']['unsignedApp_unsignedActors:snk']) except Exception as err: _log.error("Failed to report from runtime 0, err={}".format(err)) raise _log.info("actual={}".format(actual)) assert len(actual) > 5 time.sleep(1) request_handler.delete_application(runtimes[0]["RT"], result['application_id'])
def control_deploy(args): response = None reqs = requirements_file(args.reqs) if args.reqs else None if args.signer: conf = certificate.Config(configfile=None, domain=args.signer, readonly=True) certificate.sign_file(conf, args.script.name) source_text = args.script.read() credentials_ = None content = None if args.credentials: content = Security.verify_signature_get_files(args.script.name, skip_file=True) if content: content['file'] = source_text req_handler= handle_security_arguments(args) try: response = req_handler.deploy_application(args.node, args.script.name, source_text, reqs, content=content, check=args.check) except Exception as e: print e return response
def testSecurity_POSITIVE_Permit_UnsignedApp_Unsigned_Actor(self): _log.analyze("TESTRUN", "+", {}) global rt2 global security_test_dir self.verify_storage() result = {} try: content = Security.verify_signature_get_files( os.path.join(security_test_dir, "scripts", "test_security1_unsignedApp_unsignedActors.calvin") ) if not content: raise Exception("Failed finding script, signature and cert, stopping here") result = request_handler.deploy_application( rt2, "test_security1_unsignedApp_unsignedActors", content["file"], credentials={"testdomain": {"user": "******", "password": "******"}}, content=content, check=True, ) except Exception as e: if e.message.startswith("401"): raise Exception("Failed security verification of app test_security1_unsignedApp_unsignedActors") _log.exception("Test deploy failed") raise Exception( "Failed deployment of app test_security1_unsignedApp_unsignedActors, no use to verify if requirements fulfilled" ) time.sleep(2) # Verify that actors exist like this actors = request_handler.get_actors(rt2) assert result["actor_map"]["test_security1_unsignedApp_unsignedActors:src"] in actors assert result["actor_map"]["test_security1_unsignedApp_unsignedActors:sum"] in actors assert result["actor_map"]["test_security1_unsignedApp_unsignedActors:snk"] in actors actual = request_handler.report(rt2, result["actor_map"]["test_security1_unsignedApp_unsignedActors:snk"]) assert len(actual) > 5 request_handler.delete_application(rt2, result["application_id"])
def deploy_signed_application_that_should_fail(request_handler, runtimes, name, application_path, retries=20): """ Deploys app associated w/ deployer and then tries to verify its presence in registry (for all runtimes). """ from calvin.utilities.security import Security delay = 0.1 retry = 0 result = None while retry < retries: try: content = Security.verify_signature_get_files(application_path) if not content: raise Exception( "Failed finding script, signature and cert, stopping here") result = request_handler.deploy_application(runtimes, name, script=content['file'], content=content, check=True) except Exception as e: try: if e.message.startswith("401"): return except Exception as e: _log.error( "Failed for other reasons, continue, e={}".format(e)) continue delay = min(2, delay * 1.5) retry += 1 time.sleep(delay) _log.info( "Deployment failed, but not due to security reasons, %d retries" % (retry)) raise Exception( "Deployment of app correctly_signed, did not fail for security reasons" )
def testSecurity_NEGATIVE_CorrectlySignedApp_IncorrectlySignedActor(self): _log.analyze("TESTRUN", "+", {}) global storage_verified if not storage_verified: try: storage_verified = helpers.security_verify_storage(rt, request_handler) except Exception as err: _log.error("Failed storage verification, err={}".format(err)) raise result = {} try: content = Security.verify_signature_get_files(os.path.join(application_store_path, "correctlySignedApp_incorrectlySignedActor.calvin")) if not content: raise Exception("Failed finding script, signature and cert, stopping here") request_handler.set_credentials({"user": "******", "password": "******"}) result = request_handler.deploy_application(rt[1], "correctlySignedApp_incorrectlySignedActor", content['file'], credentials={domain_name:{"user": "******", "password": "******"}}, content=content, check=True) except Exception as e: _log.debug(str(e)) if e.message.startswith("401"): raise Exception("Failed security verification of app correctlySignedApp_incorrectlySignedActor") _log.exception("Test deploy failed") raise Exception("Failed deployment of app correctlySignedApp_incorrectlySignedActor, no use to verify if requirements fulfilled") # Verify that actors exist like this try: actors = helpers.fetch_and_log_runtime_actors(rt, request_handler) except Exception as err: _log.error("Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map']['correctlySignedApp_incorrectlySignedActor:src'] in actors[1] assert result['actor_map']['correctlySignedApp_incorrectlySignedActor:sum'] in actors[1] assert result['actor_map']['correctlySignedApp_incorrectlySignedActor:snk'] in actors[1] actual = request_handler.report(rt[1], result['actor_map']['correctlySignedApp_incorrectlySignedActor:snk']) _log.info("actual={}".format(actual)) assert len(actual) == 0 # Means that the incorrectly signed actor was not accepted request_handler.delete_application(rt[1], result['application_id'])
def testSecurity_NEGATIVE_UnallowedUser(self): _log.analyze("TESTRUN", "+", {}) global rt1 global security_test_dir self.verify_storage() result = {} try: content = Security.verify_signature_get_files(security_test_dir + "/scripts/test_security1_correctly_signed.calvin") if not content: raise Exception("Failed finding script, signature and cert, stopping here") result = request_handler.deploy_application(rt1, "test_security1_correctly_signed", content['file'], credentials={"user": ["user_not_allowed"], "password": ["pass1"]}, content=content, check=True) except Exception as e: if e.message.startswith("401"): # We were blocked, as we should return _log.exception("Test deploy failed for non security reasons") raise Exception("Deployment of app test_security1_correctly_signed, did not fail for security reasons")
def testSecurity_NEGATIVE_IncorrectPassword(self): _log.analyze("TESTRUN", "+", {}) global rt1 global security_test_dir self.verify_storage() result = {} try: content = Security.verify_signature_get_files(os.path.join(security_test_dir, "scripts", "test_security1_correctly_signed.calvin")) if not content: raise Exception("Failed finding script, signature and cert, stopping here") result = request_handler.deploy_application(rt1, "test_security1_correctly_signed", content['file'], credentials={"testdomain":{"user":"******", "password":"******"}}, content=content, check=True) except Exception as e: if e.message.startswith("401"): # We were blocked, as we should return _log.exception("Test deploy failed for non security reasons") raise Exception("Deployment of app test_security1_correctly_signed, did not fail for security reasons")
def deploy_signed_application(request_handler, runtimes, name, application_path, retries=10): """ Deploys app associated w/ deployer and then tries to verify its presence in registry (for all runtimes). """ from functools import partial from calvin.utilities.security import Security content = Security.verify_signature_get_files(application_path) if not content: raise Exception( "Failed finding script, signature and cert, stopping here") return retry( retries, partial(request_handler.deploy_application, runtimes, name, script=content['file'], content=content, check=True), lambda _: True, "Failed to deploy application")
def testSecurity_deploy_and_migrate(self): _log.analyze("TESTRUN", "+", {}) global rt global request_handler global security_testdir try: rt0_id = request_handler.get_node_id(rt[0]) rt1_id = request_handler.get_node_id(rt[1]) rt2_id = request_handler.get_node_id(rt[2]) rt3_id = request_handler.get_node_id(rt[3]) rt4_id = request_handler.get_node_id(rt[4]) rt5_id = request_handler.get_node_id(rt[5]) except Exception as err: _log.error("Failed to fetch runtime ids, err={}".format(err)) raise time.sleep(1) try: self.verify_storage() except Exception as err: _log.error("Failed storage verification, err={}".format(err)) raise result = {} try: content = Security.verify_signature_get_files( os.path.join(orig_application_store_path, "test_security1_correctly_signed.calvin")) if not content: raise Exception( "Failed finding script, signature and cert, stopping here") request_handler.set_credentials( {domain_name: { "user": "******", "password": "******" }}) result = request_handler.deploy_application(rt[2], "test_script", content['file'], content=content, check=True) except Exception as e: if e.message.startswith("401"): raise Exception("Failed to deploy script") _log.exception("Test deploy failed") raise Exception( "Failed deployment of script, no use to verify if requirements fulfilled" ) time.sleep(2) #Log actor ids: _log.info("Actors id:s:\n\tsrc id={}\n\tsum={}\n\tsnk={}".format( result['actor_map']['test_script:src'], result['actor_map']['test_script:sum'], result['actor_map']['test_script:snk'])) # Verify that actors exist like this try: actors = fetch_and_log_runtime_actors() except Exception as err: _log.error( "Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map']['test_script:src'] in actors[2] assert result['actor_map']['test_script:sum'] in actors[2] assert result['actor_map']['test_script:snk'] in actors[2] time.sleep(1) try: actual = request_handler.report( rt[2], result['actor_map']['test_script:snk']) except Exception as err: _log.error("Failed to report from runtime 2, err={}".format(err)) raise _log.info("actual={}".format(actual)) assert len(actual) > 5 #Migrate snk actor to rt1 time.sleep(2) _log.info( "Let's migrate actor {} from runtime {}(rt2) to runtime {}(rt1)". format(rt2_id, result['actor_map']['test_script:snk'], rt1_id)) try: request_handler.migrate(rt[2], result['actor_map']['test_script:snk'], rt1_id) except Exception as err: _log.error( "Failed to send first migration request to runtime 2, err={}". format(err)) raise time.sleep(3) try: actors = fetch_and_log_runtime_actors() except Exception as err: _log.error( "Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map']['test_script:src'] in actors[2] assert result['actor_map']['test_script:sum'] in actors[2] assert result['actor_map']['test_script:snk'] in actors[1] time.sleep(1) try: actual = request_handler.report( rt[1], result['actor_map']['test_script:snk']) except Exception as err: _log.error( "Failed to report snk values from runtime 1, err={}".format( err)) raise _log.info("actual={}".format(actual)) assert len(actual) > 3 #Migrate src actor to rt3 time.sleep(1) try: request_handler.migrate(rt[2], result['actor_map']['test_script:src'], rt3_id) except Exception as err: _log.error( "Failed to send second migration requestfrom runtime 2, err={}" .format(err)) raise time.sleep(3) try: actors = fetch_and_log_runtime_actors() except Exception as err: _log.error( "Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map']['test_script:src'] in actors[3] assert result['actor_map']['test_script:sum'] in actors[2] assert result['actor_map']['test_script:snk'] in actors[1] time.sleep(1) try: actual = request_handler.report( rt[1], result['actor_map']['test_script:snk']) except Exception as err: _log.error( "Failed to report snk values from runtime 1, err={}".format( err)) raise _log.info("actual={}".format(actual)) assert len(actual) > 3 time.sleep(1) request_handler.delete_application(rt[2], result['application_id'])
def testSecurity_deploy_and_migrate(self): _log.analyze("TESTRUN", "+", {}) global rt global request_handler global security_testdir try: self.verify_storage() except Exception as err: _log.error("Failed storage verification, err={}".format(err)) raise result = {} try: content = Security.verify_signature_get_files( os.path.join( application_store_path, "test_security1_unsignedApp_unsignedActors.calvin")) if not content: raise Exception( "Failed finding script, signature and cert, stopping here") request_handler.set_credentials( {domain_name: { "user": "******", "password": "******" }}) result = request_handler.deploy_application( rt[2], "test_security1_unsignedApp_unsignedActors", content['file'], content=content, check=True) except Exception as e: if e.message.startswith("401"): raise Exception( "Failed to deploy test_security1_unsignedApp_unsignedActors" ) _log.exception("Test deploy failed") raise Exception( "Failed deployment of app test_security1_unsignedApp_unsignedActors, no use to verify if requirements fulfilled" ) time.sleep(2) # Verify that actors exist like this try: actors = fetch_and_log_runtime_actors() except Exception as err: _log.error( "Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map'][ 'test_security1_unsignedApp_unsignedActors:src'] in actors[2] assert result['actor_map'][ 'test_security1_unsignedApp_unsignedActors:sum'] in actors[2] assert result['actor_map'][ 'test_security1_unsignedApp_unsignedActors:snk'] in actors[2] actual = request_handler.report( rt[2], result['actor_map'] ['test_security1_unsignedApp_unsignedActors:snk']) _log.info("actual={}".format(actual)) assert len(actual) > 5 #Migrate snk actor to rt1 time.sleep(1) request_handler.migrate( rt[2], result['actor_map'] ['test_security1_unsignedApp_unsignedActors:snk'], request_handler.get_node_id(rt[1])) time.sleep(1) try: actors = fetch_and_log_runtime_actors() except Exception as err: _log.error( "Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map'][ 'test_security1_unsignedApp_unsignedActors:src'] in actors[2] assert result['actor_map'][ 'test_security1_unsignedApp_unsignedActors:sum'] in actors[2] assert result['actor_map'][ 'test_security1_unsignedApp_unsignedActors:snk'] in actors[1] _log.info("kommer hit") actual = request_handler.report( rt[1], result['actor_map'] ['test_security1_unsignedApp_unsignedActors:snk']) _log.info("actual={}".format(actual)) assert len(actual) > 3 #Migrate src actor to rt3 time.sleep(1) request_handler.migrate( rt[2], result['actor_map'] ['test_security1_unsignedApp_unsignedActors:src'], request_handler.get_node_id(rt[3])) time.sleep(1) try: actors = fetch_and_log_runtime_actors() except Exception as err: _log.error( "Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map'][ 'test_security1_unsignedApp_unsignedActors:src'] in actors[3] assert result['actor_map'][ 'test_security1_unsignedApp_unsignedActors:sum'] in actors[2] assert result['actor_map'][ 'test_security1_unsignedApp_unsignedActors:snk'] in actors[1] actual = request_handler.report( rt[1], result['actor_map'] ['test_security1_unsignedApp_unsignedActors:snk']) _log.info("actual={}".format(actual)) assert len(actual) > 3 request_handler.delete_application(rt[2], result['application_id'])
def compile_script_check_security(source_text, filename, cb, credentials=None, verify=True, node=None): """ Compile a script and return a tuple (deployable, errors, warnings). 'credentials' are optional security credentials(?) 'verify' is deprecated and will be removed 'node' is the runtime performing security check(?) 'cb' is a CalvinCB callback N.B. If callback 'cb' is given, this method calls cb(deployable, errors, warnings) and returns None N.B. If callback 'cb' is given, and method runs to completion, cb is called with additional parameter 'security' (?) """ def _exit_with_error(callback): """Helper method to generate a proper error""" it = IssueTracker() it.add_error("UNAUTHORIZED", info={'status':401}) callback({}, it) def _handle_authentication_decision(source_text, appname, verify, authentication_decision, security, org_cb, content=None): if not authentication_decision: _log.error("Authentication failed") # This error reason is detected in calvin control and gives proper REST response _exit_with_error(org_cb) verified, signer = security.verify_signature_content(content, "application") if not verified: # Verification not OK if sign or cert not OK. _log.error("Failed application verification") # This error reason is detected in calvin control and gives proper REST response _exit_with_error(org_cb) security.check_security_policy( CalvinCB(_handle_policy_decision, source_text, appname, verify, security=security, org_cb=org_cb), "application", signer=signer ) def _handle_policy_decision(source_text, appname, verify, access_decision, org_cb, security=None): if not access_decision: _log.error("Access denied") # This error reason is detected in calvin control and gives proper REST response _exit_with_error(org_cb) deployable, issutracker = compile_script(source_text, appname) org_cb(deployable, issutracker, security=security) # # Actual code for compile_script # appname = appname_from_filename(filename) # FIXME: if node is None we bypass security even if enabled. Is that the intention? if node is not None and security_enabled(): if credentials: content = Security.verify_signature_get_files(filename, skip_file=True) # content is ALWAYS a dict if skip_file is True content['file'] = source_text else: content = None # FIXME: If cb is None, we will return from this method with None instead of a tuple, failing silently sec = Security(node) sec.authenticate_subject( credentials, callback=CalvinCB(_handle_authentication_decision, source_text, appname, verify, security=sec, org_cb=cb, content=content) ) return # # We get here if node is None, or security is disabled # # This used to be # _handle_policy_decision(source_text, filename, verify, access_decision=True, security=None, org_cb=cb) # but since _handle_policy_decision is called with access_decision=True, security=None only compile_script would be called deployable, issuetracker = compile_script(source_text, appname) cb(deployable, issuetracker, security=None)
def testSecurity_deploy_and_migrate(self): _log.analyze("TESTRUN", "+", {}) global rt global request_handler global security_testdir start = time.time() try: helpers.security_verify_storage(rt, request_handler) except Exception as err: _log.error("Failed storage verification, err={}".format(err)) raise time_to_verify_storaget = time.time() - start time.sleep(1) try: rt0_id = request_handler.get_node_id(rt[0]) rt1_id = request_handler.get_node_id(rt[1]) except Exception as err: _log.error("Failed to fetch runtime ids, err={}".format(err)) raise result = {} try: content = Security.verify_signature_get_files( os.path.join(application_store_path, "unsignedApp_unsignedActors.calvin")) if not content: raise Exception( "Failed finding script, signature and cert, stopping here") request_handler.set_credentials({ "user": "******", "password": "******" }) result = request_handler.deploy_application( rt[0], "unsignedApp_unsignedActors", content['file'], content=content, check=True) except Exception as e: if e.message.startswith("401"): raise Exception("Failed to deploy unsignedApp_unsignedActors") _log.exception("Test deploy failed") raise Exception( "Failed deployment of app unsignedApp_unsignedActors, no use to verify if requirements fulfilled" ) try: actors = helpers.fetch_and_log_runtime_actors(rt, request_handler) except Exception as err: _log.error( "Failed to get actors from runtimes, err={}".format(err)) raise #Log actor ids: _log.info("Actors id:s:\n\tsrc id={}\n\tsum={}\n\tsnk={}".format( result['actor_map']['unsignedApp_unsignedActors:src'], result['actor_map']['unsignedApp_unsignedActors:sum'], result['actor_map']['unsignedApp_unsignedActors:snk'])) # Verify that actors exist like this try: actors = helpers.fetch_and_log_runtime_actors(rt, request_handler) except Exception as err: _log.error( "Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map']['unsignedApp_unsignedActors:src'] in actors[ 0] assert result['actor_map']['unsignedApp_unsignedActors:sum'] in actors[ 0] assert result['actor_map']['unsignedApp_unsignedActors:snk'] in actors[ 0] time.sleep(1) try: actual = request_handler.report( rt[0], result['actor_map']['unsignedApp_unsignedActors:snk']) except Exception as err: _log.error("Failed to report from runtime 0, err={}".format(err)) raise _log.info("actual={}".format(actual)) assert len(actual) > 5 #Migrate snk actor to rt1 time.sleep(2) _log.info( "Let's migrate actor {} from runtime {}(rt0) to runtime {}(rt1)". format(rt0_id, result['actor_map']['unsignedApp_unsignedActors:snk'], rt1_id)) try: request_handler.migrate( rt[0], result['actor_map']['unsignedApp_unsignedActors:snk'], rt1_id) except Exception as err: _log.error( "Failed to send first migration request to runtime 0, err={}". format(err)) raise try: actors = helpers.fetch_and_log_runtime_actors(rt, request_handler) except Exception as err: _log.error( "Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map']['unsignedApp_unsignedActors:src'] in actors[ 0] assert result['actor_map']['unsignedApp_unsignedActors:sum'] in actors[ 0] assert result['actor_map']['unsignedApp_unsignedActors:snk'] in actors[ 1] time.sleep(1) try: actual = request_handler.report( rt[1], result['actor_map']['unsignedApp_unsignedActors:snk']) except Exception as err: _log.error( "Failed to report snk values from runtime 1, err={}".format( err)) raise _log.info("actual={}".format(actual)) assert len(actual) > 3 #Migrate src actor to rt3 time.sleep(1) try: request_handler.migrate( rt[0], result['actor_map']['unsignedApp_unsignedActors:src'], rt1_id) except Exception as err: _log.error( "Failed to send second migration requestfrom runtime 0, err={}" .format(err)) raise try: actors = helpers.fetch_and_log_runtime_actors(rt, request_handler) except Exception as err: _log.error( "Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map']['unsignedApp_unsignedActors:src'] in actors[ 1] assert result['actor_map']['unsignedApp_unsignedActors:sum'] in actors[ 0] assert result['actor_map']['unsignedApp_unsignedActors:snk'] in actors[ 1] time.sleep(1) try: actual = request_handler.report( rt[1], result['actor_map']['unsignedApp_unsignedActors:snk']) except Exception as err: _log.error( "Failed to report snk values from runtime 1, err={}".format( err)) raise _log.info("actual={}".format(actual)) assert len(actual) > 3 _log.info( "\n\t----------------------------" "\n\tTotal time to verify storage is {} seconds" "\n\tTotal time of entire (including storage verification) is {} seconds" "\n\t----------------------------".format(time_to_verify_storaget, time.time() - start)) time.sleep(1) request_handler.delete_application(rt[0], result['application_id'])
def testSecurity_deploy_and_migrate(self): _log.analyze("TESTRUN", "+", {}) global storage_verified if not storage_verified: try: storage_verified = helpers.security_verify_storage( rt, request_handler) except Exception as err: _log.error("Failed storage verification, err={}".format(err)) raise result = {} try: content = Security.verify_signature_get_files( os.path.join(orig_application_store_path, "correctly_signed.calvin")) if not content: raise Exception( "Failed finding script, signature and cert, stopping here") request_handler.set_credentials( {domain_name: { "user": "******", "password": "******" }}) result = request_handler.deploy_application(rt[2], "test_script", content['file'], content=content, check=True) except Exception as e: if e.message.startswith("401"): raise Exception("Failed to deploy script") _log.exception("Test deploy failed") raise Exception( "Failed deployment of script, no use to verify if requirements fulfilled" ) #Log actor ids: _log.info("Actors id:s:\n\tsrc id={}\n\tsum={}\n\tsnk={}".format( result['actor_map']['test_script:src'], result['actor_map']['test_script:sum'], result['actor_map']['test_script:snk'])) # Verify that actors exist like this try: actors = helpers.fetch_and_log_runtime_actors(rt, request_handler) except Exception as err: _log.error( "Failed to get actors from runtimes, err={}".format(err)) raise assert result['actor_map']['test_script:src'] in actors[2] assert result['actor_map']['test_script:sum'] in actors[2] assert result['actor_map']['test_script:snk'] in actors[2] time.sleep(1) try: actual = request_handler.report( rt[2], result['actor_map']['test_script:snk']) except Exception as err: _log.error("Failed to report from runtime 2, err={}".format(err)) raise _log.info("actual={}".format(actual)) assert len(actual) > 5 time.sleep(1) request_handler.delete_application(rt[2], result['application_id'])
def compile_script_check_security(source_text, filename, cb, credentials=None, verify=True, node=None): """ Compile a script and return a tuple (deployable, errors, warnings). 'credentials' are optional security credentials(?) 'verify' is deprecated and will be removed 'node' is the runtime performing security check(?) 'cb' is a CalvinCB callback N.B. If callback 'cb' is given, this method calls cb(deployable, errors, warnings) and returns None N.B. If callback 'cb' is given, and method runs to completion, cb is called with additional parameter 'security' (?) """ def _exit_with_error(callback): """Helper method to generate a proper error""" it = IssueTracker() it.add_error("UNAUTHORIZED", info={'status': 401}) callback({}, it) def _handle_authentication_decision(source_text, appname, verify, authentication_decision, security, org_cb, content=None): if not authentication_decision: _log.error("Authentication failed") # This error reason is detected in calvin control and gives proper REST response _exit_with_error(org_cb) verified, signer = security.verify_signature_content( content, "application") if not verified: # Verification not OK if sign or cert not OK. _log.error("Failed application verification") # This error reason is detected in calvin control and gives proper REST response _exit_with_error(org_cb) security.check_security_policy(CalvinCB(_handle_policy_decision, source_text, appname, verify, security=security, org_cb=org_cb), "application", signer=signer) def _handle_policy_decision(source_text, appname, verify, access_decision, org_cb, security=None): if not access_decision: _log.error("Access denied") # This error reason is detected in calvin control and gives proper REST response _exit_with_error(org_cb) deployable, issutracker = compile_script(source_text, appname) org_cb(deployable, issutracker, security=security) # # Actual code for compile_script # appname = appname_from_filename(filename) # FIXME: if node is None we bypass security even if enabled. Is that the intention? if node is not None and security_enabled(): if credentials: content = Security.verify_signature_get_files(filename, skip_file=True) # content is ALWAYS a dict if skip_file is True content['file'] = source_text else: content = None # FIXME: If cb is None, we will return from this method with None instead of a tuple, failing silently sec = Security(node) sec.authenticate_subject(credentials, callback=CalvinCB( _handle_authentication_decision, source_text, appname, verify, security=sec, org_cb=cb, content=content)) return # # We get here if node is None, or security is disabled # # This used to be # _handle_policy_decision(source_text, filename, verify, access_decision=True, security=None, org_cb=cb) # but since _handle_policy_decision is called with access_decision=True, security=None only compile_script would be called deployable, issuetracker = compile_script(source_text, appname) cb(deployable, issuetracker, security=None)