def custodia_server(self, simple_configuration, request, dev_null):
    """Start a Custodia server subprocess and return a client for it.

    The server is launched with ``python -m custodia.server`` using
    ``self.custodia_conf``; the returned client talks to the Unix socket
    ``<test_dir>/custodia.sock`` through an ``http+unix://`` URL.  A
    finalizer registered on *request* stops the process again.

    The signature (``request``, ``addfinalizer``) suggests a pytest fixture;
    the decorator is not part of this listing.
    """
    # Server output is only shown when the run asked for debug or verbose
    # output; otherwise both streams go to the dev_null handle.
    show_output = (request.config.getoption('debug') or
                   request.config.getoption('verbose'))
    sink = None if show_output else dev_null

    command = [sys.executable, '-m', 'custodia.server', self.custodia_conf]
    self.process = subprocess.Popen(command, stdout=sink, stderr=sink)

    # Start-up synchronisation; the numeric arguments are presumably
    # timeouts in seconds -- confirm against _wait_pid / _wait_socket.
    # NOTE(review): the finalizer below is registered only after these
    # waits.  If either of them raises, nothing in this function stops the
    # child process; registering the finalizer right after Popen would
    # close that gap.
    self._wait_pid(self.process, 2)
    self._wait_socket(self.process, 5)

    socket_path = '{}/custodia.sock'.format(CustodiaServerRunner.test_dir)
    # The whole socket path is escaped (empty second argument) so that it
    # fits into the host part of the http+unix URL.
    self.custodia_client = CustodiaHTTPClient(
        'http+unix://{}'.format(url_escape(socket_path, '')))

    def fin():
        # Graceful terminate first, hard kill second, fail loudly last.
        proc = self.process
        proc.terminate()
        if self._wait_pid(proc, 2):
            return
        proc.kill()
        if self._wait_pid(proc, 2):
            return
        raise AssertionError("Hard kill failed")

    request.addfinalizer(fin)
    return self.custodia_client
def parse_args(arglist=None):
    """Parse CLI arguments and attach a configured client as ``client_conn``.

    Steps, in order: ``--debug`` implies verbose; a missing ``--server``
    falls back to the per-instance Unix socket under ``/var/run/custodia``;
    an ``http+unix://`` URL without a trailing slash gets ``uds_urlpath``
    appended; finally a ``CustodiaSimpleClient`` is created and given the
    extra headers, CA file and client certificate that were requested.

    Returns the argparse namespace.
    """
    args = main_parser.parse_args(arglist)

    if args.debug:
        args.verbose = True

    server_url = args.server
    if not server_url:
        # Default: socket named after the instance.  The path is escaped
        # with an empty second argument so it fits the URL host part.
        default_sock = '/var/run/custodia/{}.sock'.format(args.instance)
        server_url = 'http+unix://{}'.format(url_escape(default_sock, ''))

    if server_url.startswith('http+unix://') and not server_url.endswith('/'):
        # Append the URL path served on the Unix socket, with exactly one
        # leading slash.
        suffix = args.uds_urlpath
        if not suffix.startswith('/'):
            suffix = '/' + suffix
        server_url += suffix
    args.server = server_url

    client = CustodiaSimpleClient(server_url)
    args.client_conn = client

    if args.header is not None:
        client.headers.update(args.header)
    if args.cafile:
        client.set_ca_cert(args.cafile)
    if args.certfile:
        client.set_client_cert(args.certfile, args.keyfile)
        # NOTE(review): this header is asserted by the client itself.  It
        # is presumably only a hint, with the server relying on the
        # verified TLS client certificate -- confirm on the server side.
        client.headers['CUSTODIA_CERT_AUTH'] = 'true'

    return args
def server_check(arg):
    """Validate the ``--server`` argument and normalise it to a URL.

    A value that already starts with ``http://``, ``https://`` or
    ``http+unix://`` is returned unchanged; no further validation of the
    URL happens here.  Anything else is treated as a Unix socket path: it
    must start with ``/`` or ``./`` (the latter is made absolute) and is
    returned as an ``http+unix://`` URL with the path escaped.

    Raises:
        argparse.ArgumentTypeError: the value is neither a supported URL
            nor a path starting with ``/`` or ``./``.
    """
    url_schemes = ('http://', 'https://', 'http+unix://')
    if arg.startswith(url_schemes):
        return arg

    if not arg.startswith(('./', '/')):
        raise argparse.ArgumentTypeError(
            'Unix socket path must start with / or ./')

    # Only the explicit './' form is resolved against the working directory.
    socket_path = os.path.abspath(arg) if arg.startswith('./') else arg
    return 'http+unix://{}'.format(url_escape(socket_path, ''))
def _parse_config(args, config):
    """Read the config file and copy the [global] settings into *config*.

    Args:
        args: parsed command-line arguments; ``configfile`` is used as a
            context manager and handed to ``read_file`` (presumably an open
            file object), and ``debug`` can force debug mode on.
        config: dict-like object that is filled in place.

    Returns:
        The ``ConfigParser`` instance, for further parsing by the caller.

    Raises:
        ValueError: a [global] option uses a name from CONFIG_SPECIALS, or
            not exactly one of 'server_url' / 'server_socket' is set.
    """
    defaults = {
        # Do not use getfqdn(). Internally it calls gethostbyaddr which might
        # perform a DNS query.
        'hostname': socket.gethostname(),
    }
    parser = configparser.ConfigParser(
        interpolation=configparser.ExtendedInterpolation(),
        defaults=defaults)
    # Keep option names case-sensitive; ConfigParser lower-cases them by
    # default.
    parser.optionxform = str
    with args.configfile as f:
        parser.read_file(f)
    # Every special key starts out as an empty dict.
    for s in CONFIG_SPECIALS:
        config[s] = dict()
    # add env
    # The whole process environment becomes the [ENV] section, so config
    # values can reference it as ${ENV:NAME}.  '$' is doubled so a value is
    # never itself interpreted as an interpolation, and values containing
    # CR, LF or NUL are left out.  Because this is assigned after the file
    # was read, it replaces any [ENV] section the file defined.
    # NOTE(review): this makes every environment variable, including any
    # secret kept there, reachable from the configuration file.
    parser['ENV'] = {
        k: v.replace('$', '$$')
        for k, v in os.environ.items()
        if not set(v).intersection('\r\n\x00')
    }
    # parse globals first
    # NOTE(review): this listing had lost its indentation; keeping all the
    # statements below inside the [global] check is a reconstruction --
    # confirm against the project source.
    if parser.has_section('global'):
        for opt, val in parser.items('global'):
            # A [global] option must not shadow one of the special keys.
            if opt in CONFIG_SPECIALS:
                raise ValueError('"%s" is an invalid '
                                 '[global] option' % opt)
            config[opt] = val
        # Both booleans are off unless the file turns them on.  What the
        # server does with 'tls_verify_client' is outside this function.
        config['tls_verify_client'] = parser.getboolean('global',
                                                        'tls_verify_client',
                                                        fallback=False)
        config['debug'] = parser.getboolean('global', 'debug',
                                            fallback=False)
        # The command line can switch debug on but never off.
        if args.debug:
            config['debug'] = True
        # A relative audit log path is resolved against the current working
        # directory at parse time.
        config['auditlog'] = os.path.abspath(
            config.get('auditlog', 'custodia.audit.log'))
        # The umask is written in octal; the default is 027.
        config['umask'] = int(config.get('umask', '027'), 8)
        url = config.get('server_url')
        sock = config.get('server_socket')
        # Equal truthiness means both or neither were given.
        if bool(url) == bool(sock):
            raise ValueError("Exactly one of 'server_url' or "
                             "'server_socket' is required.")
        if sock:
            # Derive the URL from the absolute socket path, escaped so it
            # fits into the host part of an http+unix URL.
            server_socket = os.path.abspath(sock)
            config['server_url'] = 'http+unix://{}/'.format(
                url_escape(server_socket, ''))
    return parser
def parse_args(arglist=None):
    """Parse CLI arguments, validate them and attach a configured client.

    Option combinations are checked first (key file needs a certificate,
    GSSAPI and certificate authentication exclude each other, GSSAPI needs
    the optional ``requests_gssapi`` package).  Then the server URL is
    resolved as follows: a missing ``--server`` falls back to the
    per-instance Unix socket under ``/var/run/custodia``, and an
    ``http+unix://`` URL without a trailing slash gets ``uds_urlpath``
    appended.  The resulting ``CustodiaSimpleClient`` is stored on the
    namespace as ``client_conn`` with timeout, headers, CA file and the
    chosen authentication applied.

    Returns the argparse namespace.
    """
    args = main_parser.parse_args(arglist)

    if args.keyfile and not args.certfile:
        main_parser.error("keyfile without certfile is not supported\n")
    # argparse's mutually exclusive groups cannot nest, so the
    # gssapi/certfile conflict is checked by hand.
    if args.gssapi and args.certfile:
        main_parser.error("gssapi and certfile are mutually exclusive.\n")
    if args.gssapi and requests_gssapi is None:
        main_parser.error(
            "'requests_gssapi' package is not available! You can install "
            "it with: 'pip install custodia[gssapi]'.\n")

    if args.debug:
        args.verbose = True

    server_url = args.server
    if not server_url:
        # Default: socket named after the instance.  The path is escaped
        # with an empty second argument so it fits the URL host part.
        default_sock = '/var/run/custodia/{}.sock'.format(args.instance)
        server_url = 'http+unix://{}'.format(url_escape(default_sock, ''))

    if server_url.startswith('http+unix://') and not server_url.endswith('/'):
        # Append the URL path served on the Unix socket, with exactly one
        # leading slash.
        suffix = args.uds_urlpath
        if not suffix.startswith('/'):
            suffix = '/' + suffix
        server_url += suffix
    args.server = server_url

    client = CustodiaSimpleClient(server_url)
    args.client_conn = client
    client.timeout = args.timeout

    if args.header is not None:
        client.headers.update(args.header)
    if args.cafile:
        client.set_ca_cert(args.cafile)

    # Authentication: client certificate takes precedence, then GSSAPI.
    if args.certfile:
        client.set_client_cert(args.certfile, args.keyfile)
        # NOTE(review): this header is asserted by the client itself.  It
        # is presumably only a hint, with the server relying on the
        # verified TLS client certificate -- confirm on the server side.
        client.headers['CUSTODIA_CERT_AUTH'] = 'true'
    elif args.gssapi:
        client.set_gssapi_auth()

    return args