def test_tls_ciphers(kafka_service): task_name = "kafka-0-broker" task_id = sdk_tasks.get_task_ids(config.SERVICE_NAME, task_name)[0] endpoint = sdk_cmd.svc_cli( config.PACKAGE_NAME, config.SERVICE_NAME, "endpoints {}".format(BROKER_TLS_ENDPOINT), parse_json=True, )[1]["dns"][0] ciphers_config_path = [ "service", "security", "transport_encryption", "ciphers" ] expected_ciphers = set( test_utils.get_in( ciphers_config_path, sdk_cmd.svc_cli(config.PACKAGE_NAME, config.SERVICE_NAME, "describe", parse_json=True)[1], "", ).rstrip().split(",")) print("The expected cyphers are\n", expected_ciphers) openssl_ciphers = sdk_security.openssl_ciphers() missing_openssl_ciphers = cipher_suites.missing_openssl_ciphers( openssl_ciphers) possible_openssl_ciphers = openssl_ciphers - missing_openssl_ciphers enabled_ciphers = set() assert openssl_ciphers, "OpenSSL ciphers should be non-empty" assert expected_ciphers, "Expected ciphers should be non-empty" assert possible_openssl_ciphers, "Possible OpenSSL ciphers should be non-empty" sdk_cmd.marathon_task_exec(task_id, "openssl version") # Output OpenSSL version. print("\n{} OpenSSL ciphers missing from the cipher_suites module:".format( len(missing_openssl_ciphers))) print("\n".join(test_utils.sort(list(missing_openssl_ciphers)))) print("\n{} expected ciphers:".format(len(expected_ciphers))) print("\n".join(test_utils.sort(list(expected_ciphers)))) print("\n{} ciphers will be checked:".format( len(possible_openssl_ciphers))) for openssl_cipher in test_utils.sort(list(possible_openssl_ciphers)): print("{} ({})".format(cipher_suites.rfc_name(openssl_cipher), openssl_cipher)) for openssl_cipher in possible_openssl_ciphers: if sdk_security.is_cipher_enabled(config.SERVICE_NAME, task_name, openssl_cipher, endpoint): enabled_ciphers.add(cipher_suites.rfc_name(openssl_cipher)) print("{} ciphers enabled out of {}:".format( len(enabled_ciphers), len(possible_openssl_ciphers))) print("\n".join(test_utils.sort(list(enabled_ciphers)))) assert expected_ciphers == enabled_ciphers, "Enabled ciphers should match expected ciphers"
def test_tls_ciphers(kafka_service): task_name = "kafka-0-broker" endpoint = sdk_networks.get_endpoint(config.PACKAGE_NAME, config.SERVICE_NAME, BROKER_TLS_ENDPOINT)["dns"][0] ciphers_config_path = [ "service", "security", "transport_encryption", "ciphers" ] rc, stdout, _ = sdk_cmd.svc_cli(config.PACKAGE_NAME, config.SERVICE_NAME, "describe") assert rc == 0, "Describe command failed" expected_ciphers = set( sdk_utils.get_in( ciphers_config_path, json.loads(stdout), "", ).rstrip().split(",")) openssl_ciphers = sdk_security.openssl_ciphers() missing_openssl_ciphers = cipher_suites.missing_openssl_ciphers( openssl_ciphers) possible_openssl_ciphers = openssl_ciphers - missing_openssl_ciphers enabled_ciphers = set() assert openssl_ciphers, "OpenSSL ciphers should be non-empty" assert expected_ciphers, "Expected ciphers should be non-empty" assert possible_openssl_ciphers, "Possible OpenSSL ciphers should be non-empty" # Output OpenSSL version. sdk_cmd.service_task_exec(config.SERVICE_NAME, task_name, "openssl version") log.warning("\n%s OpenSSL ciphers missing from the cipher_suites module:", len(missing_openssl_ciphers)) log.warning("\n".join(to_sorted(list(missing_openssl_ciphers)))) log.info("\n%s expected ciphers:", len(expected_ciphers)) log.info("\n".join(to_sorted(list(expected_ciphers)))) log.info("\n%s ciphers will be checked:", len(possible_openssl_ciphers)) for openssl_cipher in to_sorted(list(possible_openssl_ciphers)): log.info("%s (%s)", cipher_suites.rfc_name(openssl_cipher), openssl_cipher) for openssl_cipher in possible_openssl_ciphers: if sdk_security.is_cipher_enabled(config.SERVICE_NAME, task_name, openssl_cipher, endpoint): enabled_ciphers.add(cipher_suites.rfc_name(openssl_cipher)) log.info("%s ciphers enabled out of %s:", len(enabled_ciphers), len(possible_openssl_ciphers)) log.info("\n".join(to_sorted(list(enabled_ciphers)))) assert expected_ciphers == enabled_ciphers, "Enabled ciphers should match expected ciphers"
def test_tls_ciphers(kafka_service_tls): task_name = 'kafka-0-broker' endpoint = sdk_cmd.svc_cli(config.PACKAGE_NAME, config.SERVICE_NAME, 'endpoints {}'.format(BROKER_TLS_ENDPOINT), json=True)['dns'][0] ciphers_config_path = [ 'service', 'security', 'transport_encryption', 'ciphers' ] expected_ciphers = set( sdk_utils.get_in( ciphers_config_path, sdk_cmd.svc_cli(config.PACKAGE_NAME, config.SERVICE_NAME, 'describe', json=True), '').rstrip().split(',')) openssl_ciphers = sdk_security.openssl_ciphers() missing_openssl_ciphers = cipher_suites.missing_openssl_ciphers( openssl_ciphers) possible_openssl_ciphers = openssl_ciphers - missing_openssl_ciphers enabled_ciphers = set() assert openssl_ciphers, 'OpenSSL ciphers should be non-empty' assert expected_ciphers, 'Expected ciphers should be non-empty' assert possible_openssl_ciphers, 'Possible OpenSSL ciphers should be non-empty' sdk_cmd.service_task_exec(config.SERVICE_NAME, task_name, 'openssl version') # Output OpenSSL version. log.warning("\n%s OpenSSL ciphers missing from the cipher_suites module:", len(missing_openssl_ciphers)) log.warning("\n".join(sdk_utils.sort(list(missing_openssl_ciphers)))) log.info("\n%s expected ciphers:", len(expected_ciphers)) log.info("\n".join(sdk_utils.sort(list(expected_ciphers)))) log.info("\n%s ciphers will be checked:", len(possible_openssl_ciphers)) for openssl_cipher in sdk_utils.sort(list(possible_openssl_ciphers)): log.info("%s (%s)", cipher_suites.rfc_name(openssl_cipher), openssl_cipher) for openssl_cipher in possible_openssl_ciphers: if sdk_security.is_cipher_enabled(config.SERVICE_NAME, task_name, openssl_cipher, endpoint): enabled_ciphers.add(cipher_suites.rfc_name(openssl_cipher)) log.info('%s ciphers enabled out of %s:', len(enabled_ciphers), len(possible_openssl_ciphers)) log.info("\n".join(sdk_utils.sort(list(enabled_ciphers)))) assert expected_ciphers == enabled_ciphers, "Enabled ciphers should match expected ciphers"