def remove_key_in_conf(value_list,
conf_type="libvirtd",
remote_params=None,
restart_libvirt=False):
"""
Remove settings in configuration file on local or remote
and restart libvirtd if needed
:param value_list: A list of settings to delete, like ["log_level", "log_outputs"]
:param conf_type: The configuration type to update on localhost,
eg, "libvirt", "virtqemud"
:param remote_params: The params for remote access
:param restart_libvirt: True to restart libvirtd
:return: remote.RemoteFile object for remote file or
utils_config.LibvirtConfigCommon object for local configuration file
"""
if remote_params:
remote_ip = remote_params.get("server_ip",
remote_params.get("remote_ip"))
remote_pwd = remote_params.get("server_pwd",
remote_params.get("remote_pwd"))
remote_user = remote_params.get("server_user",
remote_params.get("remote_user"))
file_path = remote_params.get("file_path")
if not all([remote_ip, remote_pwd, remote_user, file_path]):
raise exceptions.TestError("remote_[ip|user|pwd] and file_path "
"are necessary!")
remote_file_obj = remote.RemoteFile(address=remote_ip,
client='scp',
username=remote_user,
password=remote_pwd,
port='22',
remote_path=file_path)
remote_file_obj.remove(value_list)
if restart_libvirt:
libvirt.remotely_control_libvirtd(remote_ip,
remote_user,
remote_pwd,
action='restart',
status_error='no')
return remote_file_obj
else:
target_conf = utils_config.get_conf_obj(conf_type)
for item in value_list:
try:
del target_conf[item]
except utils_config.ConfigNoOptionError as err:
LOG.error(err)
if restart_libvirt:
libvirtd = utils_libvirtd.Libvirtd()
libvirtd.restart()
return target_conf
def update_remote_file(params,
value,
file_path='/etc/libvirt/libvirtd.conf',
restart_libvirt=True):
"""
Update file on remote and restart libvirtd if needed
:param param: Test run params
:param value: The value to update
:param file_path: The path of the file
:param restart_libvirt: True to restart libvirtd
:return: remote.RemoteFile object
"""
try:
tmp_value = eval(value)
logging.debug("Update file {} with: {}".format(file_path, value))
remote_ip = params.get("server_ip", params.get("remote_ip"))
remote_pwd = params.get("server_pwd", params.get("remote_pwd"))
remote_user = params.get("server_user", params.get("remote_user"))
remote_file_obj = remote.RemoteFile(address=remote_ip,
client='scp',
username=remote_user,
password=remote_pwd,
port='22',
remote_path=file_path)
remote_file_obj.sub_else_add(tmp_value)
if restart_libvirt:
libvirt.remotely_control_libvirtd(remote_ip,
remote_user,
remote_pwd,
action='restart',
status_error='no')
return remote_file_obj
except Exception as err:
raise exceptions.TestFail("Unable to update {}: {}".format(
file_path, err))
def run(test, params, env):
"""
Test remote access with TCP, TLS connection
"""
test_dict = dict(params)
vm_name = test_dict.get("main_vm")
status_error = test_dict.get("status_error", "no")
allowed_dn_str = params.get("tls_allowed_dn_list")
if allowed_dn_str:
allowed_dn_list = []
if not libvirt_version.version_compare(1, 0, 0):
# Reverse the order in the dn list to workaround the
# feature changes between RHEL 6 and RHEL 7
dn_list = allowed_dn_str.split(",")
dn_list.reverse()
allowed_dn_str = ','.join(dn_list)
allowed_dn_list.append(allowed_dn_str)
test_dict['tls_allowed_dn_list'] = allowed_dn_list
transport = test_dict.get("transport")
plus = test_dict.get("conn_plus", "+")
config_ipv6 = test_dict.get("config_ipv6", "no")
tls_port = test_dict.get("tls_port", "")
listen_addr = test_dict.get("listen_addr", "0.0.0.0")
ssh_port = test_dict.get("ssh_port", "")
tcp_port = test_dict.get("tcp_port", "")
server_ip = test_dict.get("server_ip")
server_user = test_dict.get("server_user")
server_pwd = test_dict.get("server_pwd")
no_any_config = params.get("no_any_config", "no")
sasl_user_pwd = test_dict.get("sasl_user_pwd")
sasl_allowed_users = test_dict.get("sasl_allowed_users")
server_cn = test_dict.get("server_cn")
custom_pki_path = test_dict.get("custom_pki_path")
rm_client_key_cmd = test_dict.get("remove_client_key_cmd")
rm_client_cert_cmd = test_dict.get("remove_client_cert_cmd")
ca_cn_new = test_dict.get("ca_cn_new")
no_verify = test_dict.get("no_verify", "no")
ipv6_addr_des = test_dict.get("ipv6_addr_des")
tls_sanity_cert = test_dict.get("tls_sanity_cert")
restart_libvirtd = test_dict.get("restart_libvirtd", "yes")
diff_virt_ver = test_dict.get("diff_virt_ver", "no")
driver = test_dict.get("test_driver", "qemu")
uri_path = test_dict.get("uri_path", "/system")
virsh_cmd = params.get("virsh_cmd", "list")
action = test_dict.get("libvirtd_action", "restart")
uri_user = test_dict.get("uri_user", "")
unix_sock_dir = test_dict.get("unix_sock_dir")
mkdir_cmd = test_dict.get("mkdir_cmd")
rmdir_cmd = test_dict.get("rmdir_cmd")
adduser_cmd = test_dict.get("adduser_cmd")
deluser_cmd = test_dict.get("deluser_cmd")
auth_conf = test_dict.get("auth_conf")
auth_conf_cxt = test_dict.get("auth_conf_cxt")
polkit_pkla = test_dict.get("polkit_pkla")
polkit_pkla_cxt = test_dict.get("polkit_pkla_cxt")
ssh_setup = test_dict.get("ssh_setup", "no")
tcp_setup = test_dict.get("tcp_setup", "no")
tls_setup = test_dict.get("tls_setup", "no")
unix_setup = test_dict.get("unix_setup", "no")
ssh_recovery = test_dict.get("ssh_auto_recovery", "yes")
tcp_recovery = test_dict.get("tcp_auto_recovery", "yes")
tls_recovery = test_dict.get("tls_auto_recovery", "yes")
unix_recovery = test_dict.get("unix_auto_recovery", "yes")
port = ""
# extra URI arguments
extra_params = ""
# it's used to clean up SSH, TLS, TCP, UNIX and SASL objs later
objs_list = []
# redirect LIBVIRT_DEBUG log into test log later
test_dict["logfile"] = test.logfile
# Make sure all of parameters are assigned a valid value
check_parameters(test_dict, test)
# only simply connect libvirt daemon then return
if no_any_config == "yes":
test_dict["uri"] = "%s%s%s://%s" % (driver, plus, transport, uri_path)
remote_access(test_dict, test)
return
# append extra 'pkipath' argument to URI if exists
if custom_pki_path:
extra_params = "?pkipath=%s" % custom_pki_path
# append extra 'no_verify' argument to URI if exists
if no_verify == "yes":
extra_params = "?no_verify=1"
# append extra 'socket' argument to URI if exists
if unix_sock_dir:
extra_params = "?socket=%s/libvirt-sock" % unix_sock_dir
# generate auth.conf and default under the '/etc/libvirt'
if auth_conf_cxt and auth_conf:
cmd = "echo -e '%s' > %s" % (auth_conf_cxt, auth_conf)
process.system(cmd, ignore_status=True, shell=True)
# generate polkit_pkla and default under the
# '/etc/polkit-1/localauthority/50-local.d/'
if polkit_pkla_cxt and polkit_pkla:
cmd = "echo -e '%s' > %s" % (polkit_pkla_cxt, polkit_pkla)
process.system(cmd, ignore_status=True, shell=True)
# generate remote IP
if config_ipv6 == "yes" and ipv6_addr_des:
remote_ip = "[%s]" % ipv6_addr_des
elif config_ipv6 != "yes" and server_cn:
remote_ip = server_cn
elif config_ipv6 != "yes" and ipv6_addr_des:
remote_ip = "[%s]" % ipv6_addr_des
elif server_ip and transport != "unix":
remote_ip = server_ip
else:
remote_ip = ""
# get URI port
if tcp_port != "":
port = ":" + tcp_port
if tls_port != "":
port = ":" + tls_port
if ssh_port != "" and not ipv6_addr_des:
port = ":" + ssh_port
# generate URI
uri = "%s%s%s://%s%s%s%s%s" % (driver, plus, transport, uri_user,
remote_ip, port, uri_path, extra_params)
test_dict["uri"] = uri
logging.debug("The final test dict:\n<%s>", test_dict)
if virsh_cmd == "start" and transport != "unix":
session = remote.wait_for_login("ssh", server_ip, "22", "root",
server_pwd, "#")
cmd = "virsh domstate %s" % vm_name
status, output = session.cmd_status_output(cmd)
if status:
session.close()
test.cancel(output)
session.close()
try:
# setup IPv6
if config_ipv6 == "yes":
ipv6_obj = IPv6Manager(test_dict)
objs_list.append(ipv6_obj)
ipv6_obj.setup()
# compare libvirt version if needs
if diff_virt_ver == "yes":
compare_virt_version(server_ip, server_user, server_pwd, test)
# setup SSH
if transport == "ssh" or ssh_setup == "yes":
if not test_dict.get("auth_pwd"):
ssh_obj = SSHConnection(test_dict)
if ssh_recovery == "yes":
objs_list.append(ssh_obj)
# setup test environment
ssh_obj.conn_setup()
# setup TLS
if transport == "tls" or tls_setup == "yes":
tls_obj = TLSConnection(test_dict)
if tls_recovery == "yes":
objs_list.append(tls_obj)
# reserve cert path
tmp_dir = tls_obj.tmp_dir
# setup test environment
if tls_sanity_cert == "no":
# only setup CA and client
tls_obj.conn_setup(False, True)
else:
# setup CA, server and client
tls_obj.conn_setup()
# setup TCP
if transport == "tcp" or tcp_setup == "yes":
tcp_obj = TCPConnection(test_dict)
if tcp_recovery == "yes":
objs_list.append(tcp_obj)
# setup test environment
tcp_obj.conn_setup()
# create a directory if needs
if mkdir_cmd:
process.system(mkdir_cmd, ignore_status=True, shell=True)
# setup UNIX
if transport == "unix" or unix_setup == "yes":
unix_obj = UNIXConnection(test_dict)
if unix_recovery == "yes":
objs_list.append(unix_obj)
# setup test environment
unix_obj.conn_setup()
# need to restart libvirt service for negative testing
if restart_libvirtd == "no":
remotely_control_libvirtd(server_ip, server_user, server_pwd,
action, status_error)
# check TCP/IP listening by service
if restart_libvirtd != "no" and transport != "unix":
service = 'libvirtd'
if transport == "ssh":
service = 'ssh'
check_listening_port_remote_by_service(server_ip, server_user,
server_pwd, service, port,
listen_addr)
# remove client certifications if exist, only for TLS negative testing
if rm_client_key_cmd:
process.system(rm_client_key_cmd, ignore_status=True, shell=True)
if rm_client_cert_cmd:
process.system(rm_client_cert_cmd, ignore_status=True, shell=True)
# add user to specific group
if adduser_cmd:
process.system(adduser_cmd, ignore_status=True, shell=True)
# change /etc/pki/libvirt/servercert.pem then
# restart libvirt service on the remote host
if tls_sanity_cert == "no" and ca_cn_new:
test_dict['ca_cn'] = ca_cn_new
test_dict['ca_cakey_path'] = tmp_dir
test_dict['scp_new_cacert'] = 'no'
tls_obj_new = TLSConnection(test_dict)
test_dict['tls_obj_new'] = tls_obj_new
# only setup new CA and server
tls_obj_new.conn_setup(True, False)
# setup SASL certification
# From libvirt-3.2.0, the default sasl change from
# DIGEST-MD5 to GSSAPI. "sasl_user" is discarded.
# More details: https://libvirt.org/auth.html#ACL_server_kerberos
if sasl_user_pwd and not libvirt_version.version_compare(3, 2, 0):
# covert string tuple and list to python data type
sasl_user_pwd = eval(sasl_user_pwd)
if sasl_allowed_users:
sasl_allowed_users = eval(sasl_allowed_users)
# create a sasl user
sasl_obj = SASL(test_dict)
objs_list.append(sasl_obj)
sasl_obj.setup()
for sasl_user, sasl_pwd in sasl_user_pwd:
# need't authentication if the auth.conf is configured by user
if not auth_conf:
test_dict["auth_user"] = sasl_user
test_dict["auth_pwd"] = sasl_pwd
logging.debug("sasl_user, sasl_pwd = "
"(%s, %s)", sasl_user, sasl_pwd)
if sasl_allowed_users and sasl_user not in sasl_allowed_users:
test_dict["status_error"] = "yes"
patterns_extra_dict = {"authentication name": sasl_user}
test_dict["patterns_extra_dict"] = patterns_extra_dict
remote_access(test_dict, test)
else:
remote_access(test_dict, test)
finally:
# recovery test environment
# Destroy the VM after all test are done
if vm_name:
vm = env.get_vm(vm_name)
if vm and vm.is_alive():
vm.destroy(gracefully=False)
if rmdir_cmd:
process.system(rmdir_cmd, ignore_status=True, shell=True)
if deluser_cmd:
process.system(deluser_cmd, ignore_status=True, shell=True)
if auth_conf and os.path.isfile(auth_conf):
os.unlink(auth_conf)
if polkit_pkla and os.path.isfile(polkit_pkla):
os.unlink(polkit_pkla)
cleanup(objs_list)
def run(test, params, env):
"""
Test remote access with TCP, TLS connection
"""
test_dict = dict(params)
pattern = test_dict.get("filter_pattern", "")
if ('@LIBVIRT' in pattern and
distro.detect().name == 'rhel' and
int(distro.detect().version) < 8):
test.cancel("The test {} is not supported on current OS({}{}<8.0) as "
"the keyword @LIBVIRT is not supported by gnutls on this "
"OS.".format(test.name, distro.detect().name,
distro.detect().version))
vm_name = test_dict.get("main_vm")
status_error = test_dict.get("status_error", "no")
allowed_dn_str = params.get("tls_allowed_dn_list")
if allowed_dn_str:
allowed_dn_list = []
if not libvirt_version.version_compare(1, 0, 0):
# Reverse the order in the dn list to workaround the
# feature changes between RHEL 6 and RHEL 7
dn_list = allowed_dn_str.split(",")
dn_list.reverse()
allowed_dn_str = ','.join(dn_list)
allowed_dn_list.append(allowed_dn_str)
test_dict['tls_allowed_dn_list'] = allowed_dn_list
transport = test_dict.get("transport")
plus = test_dict.get("conn_plus", "+")
config_ipv6 = test_dict.get("config_ipv6", "no")
tls_port = test_dict.get("tls_port", "")
listen_addr = test_dict.get("listen_addr", "0.0.0.0")
ssh_port = test_dict.get("ssh_port", "")
tcp_port = test_dict.get("tcp_port", "")
server_ip = test_dict.get("server_ip")
server_user = test_dict.get("server_user")
server_pwd = test_dict.get("server_pwd")
no_any_config = params.get("no_any_config", "no")
sasl_type = test_dict.get("sasl_type", "gssapi")
sasl_user_pwd = test_dict.get("sasl_user_pwd")
sasl_allowed_users = test_dict.get("sasl_allowed_users")
server_cn = test_dict.get("server_cn")
custom_pki_path = test_dict.get("custom_pki_path")
rm_client_key_cmd = test_dict.get("remove_client_key_cmd")
rm_client_cert_cmd = test_dict.get("remove_client_cert_cmd")
ca_cn_new = test_dict.get("ca_cn_new")
no_verify = test_dict.get("no_verify", "no")
ipv6_addr_des = test_dict.get("ipv6_addr_des")
tls_sanity_cert = test_dict.get("tls_sanity_cert")
restart_libvirtd = test_dict.get("restart_libvirtd", "yes")
diff_virt_ver = test_dict.get("diff_virt_ver", "no")
driver = test_dict.get("test_driver", "qemu")
uri_path = test_dict.get("uri_path", "/system")
virsh_cmd = params.get("virsh_cmd", "list")
action = test_dict.get("libvirtd_action", "restart")
uri_user = test_dict.get("uri_user", "")
uri_aliases = test_dict.get("uri_aliases", "")
uri_default = test_dict.get("uri_default", "")
unix_sock_dir = test_dict.get("unix_sock_dir")
mkdir_cmd = test_dict.get("mkdir_cmd")
rmdir_cmd = test_dict.get("rmdir_cmd")
adduser_cmd = test_dict.get("adduser_cmd")
deluser_cmd = test_dict.get("deluser_cmd")
auth_conf = test_dict.get("auth_conf")
auth_conf_cxt = test_dict.get("auth_conf_cxt")
polkit_pkla = test_dict.get("polkit_pkla")
polkit_pkla_cxt = test_dict.get("polkit_pkla_cxt")
ssh_setup = test_dict.get("ssh_setup", "no")
tcp_setup = test_dict.get("tcp_setup", "no")
tls_setup = test_dict.get("tls_setup", "no")
unix_setup = test_dict.get("unix_setup", "no")
ssh_recovery = test_dict.get("ssh_auto_recovery", "yes")
tcp_recovery = test_dict.get("tcp_auto_recovery", "yes")
tls_recovery = test_dict.get("tls_auto_recovery", "yes")
unix_recovery = test_dict.get("unix_auto_recovery", "yes")
sasl_allowed_username_list = test_dict.get("sasl_allowed_username_list")
auth_unix_rw = test_dict.get("auth_unix_rw")
kinit_pwd = test_dict.get("kinit_pwd")
test_alias = test_dict.get("test_alias")
config_list = []
port = ""
# extra URI arguments
extra_params = ""
# it's used to clean up SSH, TLS, TCP, UNIX and SASL objs later
objs_list = []
# redirect LIBVIRT_DEBUG log into test log later
test_dict["logfile"] = test.logfile
# Make sure all of parameters are assigned a valid value
check_parameters(test_dict, test)
# Make sure libvirtd on remote is running
server_session = remote.wait_for_login('ssh', server_ip, '22',
server_user, server_pwd,
r"[\#\$]\s*$")
remote_libvirtd = Libvirtd(session=server_session)
if not remote_libvirtd.is_running():
logging.debug("start libvirt on remote")
res = remote_libvirtd.start()
if not res:
status, output = server_session.cmd_status_output("journalctl -xe")
test.error("Failed to start libvirtd on remote. [status]: %s "
"[output]: %s." % (status, output))
server_session.close()
if distro.detect().name == 'rhel' and int(distro.detect().version) >= 9:
# Update crypto policies to legacy for RHEL>=9 per Bug 1931723 or
# https://libguestfs.org/virt-v2v-input-xen.1.html#ssh-authentication
crypto_policies = process.run("update-crypto-policies --set LEGACY",
ignore_status=False)
# only simply connect libvirt daemon then return
if no_any_config == "yes":
test_dict["uri"] = "%s%s%s://%s" % (driver, plus, transport, uri_path)
remote_access(test_dict, test)
return
# append extra 'pkipath' argument to URI if exists
if custom_pki_path:
extra_params = "?pkipath=%s" % custom_pki_path
# append extra 'no_verify' argument to URI if exists
if no_verify == "yes":
extra_params = "?no_verify=1"
# append extra 'socket' argument to URI if exists
if unix_sock_dir:
extra_params = "?socket=%s/libvirt-sock" % unix_sock_dir
# generate auth.conf and default under the '/etc/libvirt'
if auth_conf_cxt and auth_conf:
cmd = "echo -e '%s' > %s" % (auth_conf_cxt, auth_conf)
process.system(cmd, ignore_status=True, shell=True)
# generate polkit_pkla and default under the
# '/etc/polkit-1/localauthority/50-local.d/'
if polkit_pkla_cxt and polkit_pkla:
cmd = "echo -e '%s' > %s" % (polkit_pkla_cxt, polkit_pkla)
process.system(cmd, ignore_status=True, shell=True)
# generate remote IP
if config_ipv6 == "yes" and ipv6_addr_des:
remote_ip = "[%s]" % ipv6_addr_des
elif config_ipv6 != "yes" and server_cn:
remote_ip = server_cn
elif config_ipv6 != "yes" and ipv6_addr_des:
remote_ip = "[%s]" % ipv6_addr_des
elif server_ip and transport != "unix":
remote_ip = server_ip
else:
remote_ip = ""
# get URI port
if tcp_port != "":
port = ":" + tcp_port
if tls_port != "":
port = ":" + tls_port
if ssh_port != "" and not ipv6_addr_des:
port = ":" + ssh_port
# generate URI
uri = "%s%s%s://%s%s%s%s%s" % (driver, plus, transport, uri_user,
remote_ip, port, uri_path, extra_params)
test_dict["uri"] = uri
logging.debug("The final test dict:\n<%s>", test_dict)
if virsh_cmd == "start" and transport != "unix":
session = remote.wait_for_login("ssh", server_ip, "22", "root",
server_pwd, "#")
cmd = "virsh domstate %s" % vm_name
status, output = session.cmd_status_output(cmd)
if status:
session.close()
test.cancel(output)
session.close()
try:
# setup IPv6
if config_ipv6 == "yes":
ipv6_obj = IPv6Manager(test_dict)
objs_list.append(ipv6_obj)
ipv6_obj.setup()
# compare libvirt version if needs
if diff_virt_ver == "yes":
compare_virt_version(server_ip, server_user, server_pwd, test)
# setup SSH
if (transport == "ssh" or ssh_setup == "yes") and sasl_type != "plain":
if not test_dict.get("auth_pwd"):
ssh_obj = SSHConnection(test_dict)
if ssh_recovery == "yes":
objs_list.append(ssh_obj)
# setup test environment
ssh_obj.conn_setup()
else:
# To access to server with password,
# cleanup authorized_keys on remote
ssh_pubkey_file = "/root/.ssh/id_rsa.pub"
if (os.path.exists("/root/.ssh/id_rsa") and
os.path.exists(ssh_pubkey_file)):
remote_file_obj = remote.RemoteFile(address=server_ip,
client='scp',
username=server_user,
password=server_pwd,
port='22',
remote_path="/root/.ssh/authorized_keys")
with open(ssh_pubkey_file, 'r') as fd:
line = fd.read().split()[-1].rstrip('\n')
line = ".*" + line
remote_file_obj.remove([line])
objs_list.append(remote_file_obj)
# setup TLS
if transport == "tls" or tls_setup == "yes":
tls_obj = TLSConnection(test_dict)
if tls_recovery == "yes":
objs_list.append(tls_obj)
# reserve cert path
tmp_dir = tls_obj.tmp_dir
# setup test environment
tls_obj.conn_setup()
# setup TCP
if transport == "tcp" or tcp_setup == "yes":
tcp_obj = TCPConnection(test_dict)
if tcp_recovery == "yes":
objs_list.append(tcp_obj)
# setup test environment
tcp_obj.conn_setup()
# create a directory if needs
if mkdir_cmd:
process.system(mkdir_cmd, ignore_status=True, shell=True)
# setup UNIX
if transport == "unix" or unix_setup == "yes" or sasl_type == "plain":
unix_obj = UNIXConnection(test_dict)
if unix_recovery == "yes":
objs_list.append(unix_obj)
# setup test environment
unix_obj.conn_setup()
# need to restart libvirt service for negative testing
if restart_libvirtd == "no":
remotely_control_libvirtd(server_ip, server_user,
server_pwd, action, status_error)
# check TCP/IP listening by service
if restart_libvirtd != "no" and transport != "unix":
service = 'libvirtd'
if transport == "ssh":
service = 'ssh'
check_listening_port_remote_by_service(server_ip, server_user,
server_pwd, service,
port, listen_addr)
# open the tls/tcp listening port on server
if transport in ["tls", "tcp"]:
firewalld_port = port[1:]
server_session = remote.wait_for_login('ssh', server_ip, '22',
server_user, server_pwd,
r"[\#\$]\s*$")
firewall_cmd = utils_iptables.Firewall_cmd(server_session)
firewall_cmd.add_port(firewalld_port, 'tcp', permanent=True)
server_session.close()
if 'inv_transport' in test_dict:
transport = test_dict['inv_transport']
uri = "%s%s%s://%s%s%s%s%s" % (driver, plus, transport, uri_user,
remote_ip, port, uri_path,
extra_params)
test_dict["uri"] = uri
config_list = []
if uri_aliases:
uri_config = change_libvirtconf_on_client(
{'uri_aliases': uri_aliases})
config_list.append(uri_config)
test_dict["uri"] = test_alias
if uri_default:
test_dict["uri"] = ""
# Delete the default URI environment variable to prevent overriding
del os.environ['LIBVIRT_DEFAULT_URI']
uri_config = change_libvirtconf_on_client(
{'uri_default': uri_default})
config_list.append(uri_config)
ret = virsh.command('uri', debug=True)
if uri_default.strip('"') in ret.stdout_text:
logging.debug("Virsh output as expected.")
else:
test.fail("Expected virsh output: {} not found in:{}".format(
uri_default.strip('"'), ret.stdout_text))
# remove client certifications if exist, only for TLS negative testing
if rm_client_key_cmd:
process.system(rm_client_key_cmd, ignore_status=True, shell=True)
if rm_client_cert_cmd:
process.system(rm_client_cert_cmd, ignore_status=True, shell=True)
# add user to specific group
if adduser_cmd:
process.system(adduser_cmd, ignore_status=True, shell=True)
# change /etc/pki/libvirt/servercert.pem then
# restart libvirt service on the remote host
if tls_sanity_cert == "no" and ca_cn_new:
test_dict['ca_cn'] = ca_cn_new
test_dict['scp_new_cacert'] = 'no'
tls_obj_new = TLSConnection(test_dict)
test_dict['tls_obj_new'] = tls_obj_new
# only setup new CA and server
tls_obj_new.conn_setup(True, False)
# obtain and cache a ticket
if kinit_pwd and sasl_type == 'gssapi' and auth_unix_rw == 'sasl':
username_list = json.loads(sasl_allowed_username_list)
for username in username_list:
kinit_cmd = "echo '%s' | kinit %s" % (kinit_pwd, username)
process.system(kinit_cmd, ignore_status=True, shell=True)
# setup SASL certification
# From libvirt-3.2.0, the default sasl change from
# DIGEST-MD5 to GSSAPI. "sasl_user" is discarded.
# More details: https://libvirt.org/auth.html#ACL_server_kerberos
if sasl_user_pwd and sasl_type in ['digest-md5', 'plain']:
# covert string tuple and list to python data type
sasl_user_pwd = eval(sasl_user_pwd)
if sasl_allowed_users:
sasl_allowed_users = eval(sasl_allowed_users)
# create a sasl user
sasl_obj = SASL(test_dict)
objs_list.append(sasl_obj)
sasl_obj.setup()
for sasl_user, sasl_pwd in sasl_user_pwd:
# need't authentication if the auth.conf is configured by user
if not auth_conf:
if sasl_type == 'plain':
test_dict["auth_pwd"] = server_pwd
pass
else:
test_dict["auth_user"] = sasl_user
test_dict["auth_pwd"] = sasl_pwd
logging.debug("sasl_user, sasl_pwd = "
"(%s, %s)", sasl_user, sasl_pwd)
if sasl_allowed_users and sasl_user not in sasl_allowed_users:
test_dict["status_error"] = "yes"
patterns_extra_dict = {"authentication name": sasl_user,
"enter your password": sasl_pwd}
test_dict["patterns_extra_dict"] = patterns_extra_dict
remote_access(test_dict, test)
else:
if not uri_default:
remote_access(test_dict, test)
finally:
# recovery test environment
# Destroy the VM after all test are done
for config in config_list:
restore_libvirtconf_on_client(config)
cleanup(objs_list)
if vm_name:
vm = env.get_vm(vm_name)
if vm and vm.is_alive():
vm.destroy(gracefully=False)
if transport in ["tcp", "tls"] and 'firewalld_port' in locals():
server_session = remote.wait_for_login('ssh', server_ip, '22',
server_user, server_pwd,
r"[\#\$]\s*$")
firewall_cmd = utils_iptables.Firewall_cmd(server_session)
firewall_cmd.remove_port(firewalld_port, 'tcp', permanent=True)
server_session.close()
if rmdir_cmd:
process.system(rmdir_cmd, ignore_status=True, shell=True)
if deluser_cmd:
process.system(deluser_cmd, ignore_status=True, shell=True)
if auth_conf and os.path.isfile(auth_conf):
os.unlink(auth_conf)
if polkit_pkla and os.path.isfile(polkit_pkla):
os.unlink(polkit_pkla)
def run(test, params, env):
"""
Test TLS connection priorities with remote machine.
"""
server_ip = params.get("server_ip")
server_user = params.get("server_user")
server_pwd = params.get("server_pwd")
tls_port = params.get("tls_port", "16514")
ssl_v3 = params.get("priority_ssl_v3_only")
ssl_inv = params.get("priority_ssl_invalid")
tls_inv = params.get("priority_tls_invalid")
no_ssl_v3 = params.get("priority_no_ssl_v3")
wrong_message = params.get("wrong_priorities_message").split(',')
invalid_message = params.get("invalid_priorities_message").split(',')
welcome_message = params.get("successful_message").split(',')
uri = "qemu+tls://{}"
remote_update_session = None
# Initial Setup - this part is the longest and always required part of the
# test and therefore it is not effective to divide this test into smaller
# parts that would take much longer in sum.
# Create connection with the server
server_session = create_session_on_remote(params)
# Make sure the Libvirtd is running on remote
remote_libvirtd = utils_libvirtd.Libvirtd(session=server_session)
if not remote_libvirtd.is_running():
res = remote_libvirtd.start()
if not res:
status, output = server_session.cmd_status_output("journalctl -xe")
test.error("Failed to start libvirtd on remote. [status]: %s "
"[output]: %s." % (status, output))
# setup TLS
tls_obj = TLSConnection(params)
# setup test environment
tls_obj.conn_setup()
# Open the tls/tcp listening port on server
firewall_cmd = utils_iptables.Firewall_cmd(server_session)
firewall_cmd.add_port(tls_port, 'tcp', permanent=True)
server_session.close()
# Check which version to use for TLS v1.X
ssl_check = process.run(
'openssl s_client -connect {}:16514 -tls1_1'.format(server_ip),
ignore_status=True)
if ssl_check.exit_status:
logging.debug('TLSv1.1 not supported, use TLS v1.2 instead')
tls_v1 = params.get("priority_tls_v1_2_only")
else:
# Use TLS v1.0
tls_v1 = params.get("priority_tls_v1_only")
# Update TLS priority on remote
replacements = {
r'#tls_priority=".*?"':
'tls_priority="{}"'.format(params['remote_tls_priority'])
}
# DO NOT DELETE remote_update_session as it destroys changes applied by the
# method remote_libvirtdconf.sub_else_add - cleanup called when the instance
# is destroyed
remote_update_session = change_parameter_on_remote(params, replacements)
# Restart Remote Libvirtd "
remotely_control_libvirtd(server_ip, server_user, server_pwd, 'restart')
config = None
try:
# Phase I - test via libvirt.conf on client
# TLS priority set to SSLv3 only for client via libvirt.conf
new_tls_priority = {'tls_priority': '"{}"'.format(ssl_v3)}
config = change_libvirtconf_on_client(new_tls_priority)
# Connect to hypervisor
uri_path = server_ip + '/system'
connect_dict = {
'uri': uri.format(uri_path),
'cmd': "",
'pass_message_list': wrong_message,
'expect_error': True,
}
test_pass = connect_to_server_hypervisor(connect_dict)
# Restore if pass
if test_pass:
config.restore()
config = None
else:
test.fail(
'TLS priorities test failed for case when client supports'
' SSLv3 only and server does not support SSLv3 only.')
# TLS priority set to TLS1.0 only for client via libvirt.conf
new_tls_priority = {'tls_priority': '"{}"'.format(tls_v1)}
config = change_libvirtconf_on_client(new_tls_priority)
# Remove SSLv3.0 support via URI
uri_path = server_ip + '/system' + '?tls_priority={}'.format(no_ssl_v3)
connect_dict['uri'] = uri.format(uri_path)
connect_dict['pass_message_list'] = welcome_message
connect_dict['expect_error'] = False
test_pass = connect_to_server_hypervisor(connect_dict)
if test_pass:
config.restore()
config = None
else:
test.fail(
'TLS priorities test failed for case when client supports'
' TLSv1.X only and server does not support SSLv3 only.')
# Pass invalid SSL priority
new_tls_priority = {'tls_priority': '"{}"'.format(ssl_inv)}
config = change_libvirtconf_on_client(new_tls_priority)
uri_path = server_ip + '/system'
connect_dict['uri'] = uri.format(uri_path)
connect_dict['pass_message_list'] = invalid_message
connect_dict['expect_error'] = True
test_pass = connect_to_server_hypervisor(connect_dict)
if test_pass:
config.restore()
config = None
else:
test.fail(
'TLS priorities test failed for case when client supports'
' SSLv4.0 which is invalid.')
# Phase II - test via URI on client
uri_path = server_ip + '/system' + '?tls_priority={}'.format(ssl_v3)
connect_dict['uri'] = uri.format(uri_path)
connect_dict['pass_message_list'] = wrong_message
connect_dict['expect_error'] = True
test_pass = connect_to_server_hypervisor(connect_dict)
if not test_pass:
test.fail('TLS priorities test failed for case when the client '
'supports SSLv3 only by URI and the server does not '
'support SSLv3 only.')
uri_path = server_ip + '/system' + '?tls_priority={}'.format(tls_v1)
connect_dict['uri'] = uri.format(uri_path)
connect_dict['pass_message_list'] = welcome_message
connect_dict['expect_error'] = False
test_pass = connect_to_server_hypervisor(connect_dict)
if not test_pass:
test.fail('TLS priorities test failed for case when the client '
'supports TLSv1.X only by URI and the server does not '
'support SSLv3 only.')
uri_path = server_ip + '/system' + '?tls_priority={}'.format(tls_inv)
connect_dict['uri'] = uri.format(uri_path)
connect_dict['pass_message_list'] = invalid_message
connect_dict['expect_error'] = True
test_pass = connect_to_server_hypervisor(connect_dict)
if not test_pass:
test.fail('TLS priorities test failed for case when the client '
'supports SSLv4.0 by URI which is invalid.')
finally:
# Reset Firewall
server_session = create_session_on_remote(params)
firewall_cmd = utils_iptables.Firewall_cmd(server_session)
firewall_cmd.remove_port(tls_port, 'tcp')
server_session.close()
if config:
config.restore()
# Restore config on remote
if remote_update_session:
del remote_update_session
def run(test, params, env):
"""
Test remote access with TCP, TLS connection
"""
test_dict = dict(params)
vm_name = test_dict.get("main_vm")
status_error = test_dict.get("status_error", "no")
allowed_dn_str = params.get("tls_allowed_dn_list")
if allowed_dn_str:
allowed_dn_list = []
if not libvirt_version.version_compare(1, 0, 0):
# Reverse the order in the dn list to workaround the
# feature changes between RHEL 6 and RHEL 7
dn_list = allowed_dn_str.split(",")
dn_list.reverse()
allowed_dn_str = ','.join(dn_list)
allowed_dn_list.append(allowed_dn_str)
test_dict['tls_allowed_dn_list'] = allowed_dn_list
transport = test_dict.get("transport")
plus = test_dict.get("conn_plus", "+")
config_ipv6 = test_dict.get("config_ipv6", "no")
tls_port = test_dict.get("tls_port", "")
listen_addr = test_dict.get("listen_addr", "0.0.0.0")
ssh_port = test_dict.get("ssh_port", "")
tcp_port = test_dict.get("tcp_port", "")
server_ip = test_dict.get("server_ip")
server_user = test_dict.get("server_user")
server_pwd = test_dict.get("server_pwd")
no_any_config = params.get("no_any_config", "no")
sasl_type = test_dict.get("sasl_type", "gssapi")
sasl_user_pwd = test_dict.get("sasl_user_pwd")
sasl_allowed_users = test_dict.get("sasl_allowed_users")
server_cn = test_dict.get("server_cn")
custom_pki_path = test_dict.get("custom_pki_path")
rm_client_key_cmd = test_dict.get("remove_client_key_cmd")
rm_client_cert_cmd = test_dict.get("remove_client_cert_cmd")
ca_cn_new = test_dict.get("ca_cn_new")
no_verify = test_dict.get("no_verify", "no")
ipv6_addr_des = test_dict.get("ipv6_addr_des")
tls_sanity_cert = test_dict.get("tls_sanity_cert")
restart_libvirtd = test_dict.get("restart_libvirtd", "yes")
diff_virt_ver = test_dict.get("diff_virt_ver", "no")
driver = test_dict.get("test_driver", "qemu")
uri_path = test_dict.get("uri_path", "/system")
virsh_cmd = params.get("virsh_cmd", "list")
action = test_dict.get("libvirtd_action", "restart")
uri_user = test_dict.get("uri_user", "")
unix_sock_dir = test_dict.get("unix_sock_dir")
mkdir_cmd = test_dict.get("mkdir_cmd")
rmdir_cmd = test_dict.get("rmdir_cmd")
adduser_cmd = test_dict.get("adduser_cmd")
deluser_cmd = test_dict.get("deluser_cmd")
auth_conf = test_dict.get("auth_conf")
auth_conf_cxt = test_dict.get("auth_conf_cxt")
polkit_pkla = test_dict.get("polkit_pkla")
polkit_pkla_cxt = test_dict.get("polkit_pkla_cxt")
ssh_setup = test_dict.get("ssh_setup", "no")
tcp_setup = test_dict.get("tcp_setup", "no")
tls_setup = test_dict.get("tls_setup", "no")
unix_setup = test_dict.get("unix_setup", "no")
ssh_recovery = test_dict.get("ssh_auto_recovery", "yes")
tcp_recovery = test_dict.get("tcp_auto_recovery", "yes")
tls_recovery = test_dict.get("tls_auto_recovery", "yes")
unix_recovery = test_dict.get("unix_auto_recovery", "yes")
port = ""
# extra URI arguments
extra_params = ""
# it's used to clean up SSH, TLS, TCP, UNIX and SASL objs later
objs_list = []
# redirect LIBVIRT_DEBUG log into test log later
test_dict["logfile"] = test.logfile
# Make sure all of parameters are assigned a valid value
check_parameters(test_dict, test)
# only simply connect libvirt daemon then return
if no_any_config == "yes":
test_dict["uri"] = "%s%s%s://%s" % (driver, plus, transport, uri_path)
remote_access(test_dict, test)
return
# append extra 'pkipath' argument to URI if exists
if custom_pki_path:
extra_params = "?pkipath=%s" % custom_pki_path
# append extra 'no_verify' argument to URI if exists
if no_verify == "yes":
extra_params = "?no_verify=1"
# append extra 'socket' argument to URI if exists
if unix_sock_dir:
extra_params = "?socket=%s/libvirt-sock" % unix_sock_dir
# generate auth.conf and default under the '/etc/libvirt'
if auth_conf_cxt and auth_conf:
cmd = "echo -e '%s' > %s" % (auth_conf_cxt, auth_conf)
process.system(cmd, ignore_status=True, shell=True)
# generate polkit_pkla and default under the
# '/etc/polkit-1/localauthority/50-local.d/'
if polkit_pkla_cxt and polkit_pkla:
cmd = "echo -e '%s' > %s" % (polkit_pkla_cxt, polkit_pkla)
process.system(cmd, ignore_status=True, shell=True)
# generate remote IP
if config_ipv6 == "yes" and ipv6_addr_des:
remote_ip = "[%s]" % ipv6_addr_des
elif config_ipv6 != "yes" and server_cn:
remote_ip = server_cn
elif config_ipv6 != "yes" and ipv6_addr_des:
remote_ip = "[%s]" % ipv6_addr_des
elif server_ip and transport != "unix":
remote_ip = server_ip
else:
remote_ip = ""
# get URI port
if tcp_port != "":
port = ":" + tcp_port
if tls_port != "":
port = ":" + tls_port
if ssh_port != "" and not ipv6_addr_des:
port = ":" + ssh_port
# generate URI
uri = "%s%s%s://%s%s%s%s%s" % (driver, plus, transport, uri_user,
remote_ip, port, uri_path, extra_params)
test_dict["uri"] = uri
logging.debug("The final test dict:\n<%s>", test_dict)
if virsh_cmd == "start" and transport != "unix":
session = remote.wait_for_login("ssh", server_ip, "22", "root",
server_pwd, "#")
cmd = "virsh domstate %s" % vm_name
status, output = session.cmd_status_output(cmd)
if status:
session.close()
test.cancel(output)
session.close()
try:
# setup IPv6
if config_ipv6 == "yes":
ipv6_obj = IPv6Manager(test_dict)
objs_list.append(ipv6_obj)
ipv6_obj.setup()
# compare libvirt version if needs
if diff_virt_ver == "yes":
compare_virt_version(server_ip, server_user, server_pwd, test)
# setup SSH
if transport == "ssh" or ssh_setup == "yes":
if not test_dict.get("auth_pwd"):
ssh_obj = SSHConnection(test_dict)
if ssh_recovery == "yes":
objs_list.append(ssh_obj)
# setup test environment
ssh_obj.conn_setup()
# setup TLS
if transport == "tls" or tls_setup == "yes":
tls_obj = TLSConnection(test_dict)
if tls_recovery == "yes":
objs_list.append(tls_obj)
# reserve cert path
tmp_dir = tls_obj.tmp_dir
# setup test environment
if tls_sanity_cert == "no":
# only setup CA and client
tls_obj.conn_setup(False, True)
else:
# setup CA, server and client
tls_obj.conn_setup()
# setup TCP
if transport == "tcp" or tcp_setup == "yes":
tcp_obj = TCPConnection(test_dict)
if tcp_recovery == "yes":
objs_list.append(tcp_obj)
# setup test environment
tcp_obj.conn_setup()
# create a directory if needs
if mkdir_cmd:
process.system(mkdir_cmd, ignore_status=True, shell=True)
# setup UNIX
if transport == "unix" or unix_setup == "yes":
unix_obj = UNIXConnection(test_dict)
if unix_recovery == "yes":
objs_list.append(unix_obj)
# setup test environment
unix_obj.conn_setup()
# need to restart libvirt service for negative testing
if restart_libvirtd == "no":
remotely_control_libvirtd(server_ip, server_user,
server_pwd, action, status_error)
# check TCP/IP listening by service
if restart_libvirtd != "no" and transport != "unix":
service = 'libvirtd'
if transport == "ssh":
service = 'ssh'
check_listening_port_remote_by_service(server_ip, server_user,
server_pwd, service,
port, listen_addr)
# remove client certifications if exist, only for TLS negative testing
if rm_client_key_cmd:
process.system(rm_client_key_cmd, ignore_status=True, shell=True)
if rm_client_cert_cmd:
process.system(rm_client_cert_cmd, ignore_status=True, shell=True)
# add user to specific group
if adduser_cmd:
process.system(adduser_cmd, ignore_status=True, shell=True)
# change /etc/pki/libvirt/servercert.pem then
# restart libvirt service on the remote host
if tls_sanity_cert == "no" and ca_cn_new:
test_dict['ca_cn'] = ca_cn_new
test_dict['ca_cakey_path'] = tmp_dir
test_dict['scp_new_cacert'] = 'no'
tls_obj_new = TLSConnection(test_dict)
test_dict['tls_obj_new'] = tls_obj_new
# only setup new CA and server
tls_obj_new.conn_setup(True, False)
# setup SASL certification
# From libvirt-3.2.0, the default sasl change from
# DIGEST-MD5 to GSSAPI. "sasl_user" is discarded.
# More details: https://libvirt.org/auth.html#ACL_server_kerberos
if sasl_user_pwd and sasl_type == 'digest-md5':
# covert string tuple and list to python data type
sasl_user_pwd = eval(sasl_user_pwd)
if sasl_allowed_users:
sasl_allowed_users = eval(sasl_allowed_users)
# create a sasl user
sasl_obj = SASL(test_dict)
objs_list.append(sasl_obj)
sasl_obj.setup()
for sasl_user, sasl_pwd in sasl_user_pwd:
# need't authentication if the auth.conf is configured by user
if not auth_conf:
test_dict["auth_user"] = sasl_user
test_dict["auth_pwd"] = sasl_pwd
logging.debug("sasl_user, sasl_pwd = "
"(%s, %s)", sasl_user, sasl_pwd)
if sasl_allowed_users and sasl_user not in sasl_allowed_users:
test_dict["status_error"] = "yes"
patterns_extra_dict = {"authentication name": sasl_user}
test_dict["patterns_extra_dict"] = patterns_extra_dict
remote_access(test_dict, test)
else:
remote_access(test_dict, test)
finally:
# recovery test environment
# Destroy the VM after all test are done
cleanup(objs_list)
if vm_name:
vm = env.get_vm(vm_name)
if vm and vm.is_alive():
vm.destroy(gracefully=False)
if rmdir_cmd:
process.system(rmdir_cmd, ignore_status=True, shell=True)
if deluser_cmd:
process.system(deluser_cmd, ignore_status=True, shell=True)
if auth_conf and os.path.isfile(auth_conf):
os.unlink(auth_conf)
if polkit_pkla and os.path.isfile(polkit_pkla):
os.unlink(polkit_pkla)
