예제 #1
0
def test_tls_ciphers(kafka_service):
    task_name = "kafka-0-broker"
    task_id = sdk_tasks.get_task_ids(config.SERVICE_NAME, task_name)[0]
    endpoint = sdk_cmd.svc_cli(
        config.PACKAGE_NAME,
        config.SERVICE_NAME,
        "endpoints {}".format(BROKER_TLS_ENDPOINT),
        parse_json=True,
    )[1]["dns"][0]
    ciphers_config_path = [
        "service", "security", "transport_encryption", "ciphers"
    ]
    expected_ciphers = set(
        test_utils.get_in(
            ciphers_config_path,
            sdk_cmd.svc_cli(config.PACKAGE_NAME,
                            config.SERVICE_NAME,
                            "describe",
                            parse_json=True)[1],
            "",
        ).rstrip().split(","))
    print("The expected cyphers are\n", expected_ciphers)
    openssl_ciphers = sdk_security.openssl_ciphers()
    missing_openssl_ciphers = cipher_suites.missing_openssl_ciphers(
        openssl_ciphers)
    possible_openssl_ciphers = openssl_ciphers - missing_openssl_ciphers
    enabled_ciphers = set()

    assert openssl_ciphers, "OpenSSL ciphers should be non-empty"
    assert expected_ciphers, "Expected ciphers should be non-empty"
    assert possible_openssl_ciphers, "Possible OpenSSL ciphers should be non-empty"

    sdk_cmd.marathon_task_exec(task_id,
                               "openssl version")  # Output OpenSSL version.
    print("\n{} OpenSSL ciphers missing from the cipher_suites module:".format(
        len(missing_openssl_ciphers)))
    print("\n".join(test_utils.sort(list(missing_openssl_ciphers))))
    print("\n{} expected ciphers:".format(len(expected_ciphers)))
    print("\n".join(test_utils.sort(list(expected_ciphers))))
    print("\n{} ciphers will be checked:".format(
        len(possible_openssl_ciphers)))
    for openssl_cipher in test_utils.sort(list(possible_openssl_ciphers)):
        print("{} ({})".format(cipher_suites.rfc_name(openssl_cipher),
                               openssl_cipher))

    for openssl_cipher in possible_openssl_ciphers:
        if sdk_security.is_cipher_enabled(config.SERVICE_NAME, task_name,
                                          openssl_cipher, endpoint):
            enabled_ciphers.add(cipher_suites.rfc_name(openssl_cipher))

    print("{} ciphers enabled out of {}:".format(
        len(enabled_ciphers), len(possible_openssl_ciphers)))
    print("\n".join(test_utils.sort(list(enabled_ciphers))))

    assert expected_ciphers == enabled_ciphers, "Enabled ciphers should match expected ciphers"
예제 #2
0
def test_tls_ciphers(kafka_service):
    task_name = "kafka-0-broker"
    endpoint = sdk_networks.get_endpoint(config.PACKAGE_NAME,
                                         config.SERVICE_NAME,
                                         BROKER_TLS_ENDPOINT)["dns"][0]
    ciphers_config_path = [
        "service", "security", "transport_encryption", "ciphers"
    ]
    rc, stdout, _ = sdk_cmd.svc_cli(config.PACKAGE_NAME, config.SERVICE_NAME,
                                    "describe")
    assert rc == 0, "Describe command failed"
    expected_ciphers = set(
        sdk_utils.get_in(
            ciphers_config_path,
            json.loads(stdout),
            "",
        ).rstrip().split(","))

    openssl_ciphers = sdk_security.openssl_ciphers()
    missing_openssl_ciphers = cipher_suites.missing_openssl_ciphers(
        openssl_ciphers)
    possible_openssl_ciphers = openssl_ciphers - missing_openssl_ciphers
    enabled_ciphers = set()

    assert openssl_ciphers, "OpenSSL ciphers should be non-empty"
    assert expected_ciphers, "Expected ciphers should be non-empty"
    assert possible_openssl_ciphers, "Possible OpenSSL ciphers should be non-empty"

    # Output OpenSSL version.
    sdk_cmd.service_task_exec(config.SERVICE_NAME, task_name,
                              "openssl version")
    log.warning("\n%s OpenSSL ciphers missing from the cipher_suites module:",
                len(missing_openssl_ciphers))
    log.warning("\n".join(to_sorted(list(missing_openssl_ciphers))))
    log.info("\n%s expected ciphers:", len(expected_ciphers))
    log.info("\n".join(to_sorted(list(expected_ciphers))))
    log.info("\n%s ciphers will be checked:", len(possible_openssl_ciphers))
    for openssl_cipher in to_sorted(list(possible_openssl_ciphers)):
        log.info("%s (%s)", cipher_suites.rfc_name(openssl_cipher),
                 openssl_cipher)

    for openssl_cipher in possible_openssl_ciphers:
        if sdk_security.is_cipher_enabled(config.SERVICE_NAME, task_name,
                                          openssl_cipher, endpoint):
            enabled_ciphers.add(cipher_suites.rfc_name(openssl_cipher))

    log.info("%s ciphers enabled out of %s:", len(enabled_ciphers),
             len(possible_openssl_ciphers))
    log.info("\n".join(to_sorted(list(enabled_ciphers))))

    assert expected_ciphers == enabled_ciphers, "Enabled ciphers should match expected ciphers"
예제 #3
0
def test_tls_ciphers(kafka_service_tls):
    task_name = 'kafka-0-broker'
    endpoint = sdk_cmd.svc_cli(config.PACKAGE_NAME,
                               config.SERVICE_NAME,
                               'endpoints {}'.format(BROKER_TLS_ENDPOINT),
                               json=True)['dns'][0]
    ciphers_config_path = [
        'service', 'security', 'transport_encryption', 'ciphers'
    ]
    expected_ciphers = set(
        sdk_utils.get_in(
            ciphers_config_path,
            sdk_cmd.svc_cli(config.PACKAGE_NAME,
                            config.SERVICE_NAME,
                            'describe',
                            json=True), '').rstrip().split(','))

    openssl_ciphers = sdk_security.openssl_ciphers()
    missing_openssl_ciphers = cipher_suites.missing_openssl_ciphers(
        openssl_ciphers)
    possible_openssl_ciphers = openssl_ciphers - missing_openssl_ciphers
    enabled_ciphers = set()

    assert openssl_ciphers, 'OpenSSL ciphers should be non-empty'
    assert expected_ciphers, 'Expected ciphers should be non-empty'
    assert possible_openssl_ciphers, 'Possible OpenSSL ciphers should be non-empty'

    sdk_cmd.service_task_exec(config.SERVICE_NAME, task_name,
                              'openssl version')  # Output OpenSSL version.
    log.warning("\n%s OpenSSL ciphers missing from the cipher_suites module:",
                len(missing_openssl_ciphers))
    log.warning("\n".join(sdk_utils.sort(list(missing_openssl_ciphers))))
    log.info("\n%s expected ciphers:", len(expected_ciphers))
    log.info("\n".join(sdk_utils.sort(list(expected_ciphers))))
    log.info("\n%s ciphers will be checked:", len(possible_openssl_ciphers))
    for openssl_cipher in sdk_utils.sort(list(possible_openssl_ciphers)):
        log.info("%s (%s)", cipher_suites.rfc_name(openssl_cipher),
                 openssl_cipher)

    for openssl_cipher in possible_openssl_ciphers:
        if sdk_security.is_cipher_enabled(config.SERVICE_NAME, task_name,
                                          openssl_cipher, endpoint):
            enabled_ciphers.add(cipher_suites.rfc_name(openssl_cipher))

    log.info('%s ciphers enabled out of %s:', len(enabled_ciphers),
             len(possible_openssl_ciphers))
    log.info("\n".join(sdk_utils.sort(list(enabled_ciphers))))

    assert expected_ciphers == enabled_ciphers, "Enabled ciphers should match expected ciphers"