def test_client_no_ca_trust(self):
    """A client that has not been given the test CA must fail verification.

    The expected failure is reported as a CERTIFICATE_VERIFY_FAILED error.
    """
    url = self.socket_url + '/forwarder'
    client = CustodiaSimpleClient(url)
    client.headers['REMOTE_USER'] = '******'
    # XXX workaround for requests bug with urllib3 v1.22
    with self.assertRaises(RequestsConnSSLErrors) as raised:
        client.list_container('test')
    self.assert_ssl_error_msg("CERTIFICATE_VERIFY_FAILED", raised.exception)
def setUpClass(cls):
    """Launch a Custodia server subprocess and build the shared test clients.

    Stale artifacts from a previous run are removed, KEM keys and a server
    config are generated, the server is started with its output appended to
    ``test_log.txt``, and one client per endpoint under test is stored on
    the class.

    Raises:
        AssertionError: if the server process has exited after the initial
            one-second grace period.
    """
    env = os.environ.copy()
    env['PYTHONPATH'] = './'
    interpreter = env.get('CUSTODIAPYTHON', 'python')
    for stale in ('test_socket', 'test_secrets.db', 'test_mkey.conf',
                  'test_custodia.conf', 'test_log.txt', 'test_audit.log'):
        unlink_if_exists(stale)
    cls.socket_url = TEST_SOCKET_URL
    cls.test_auth_id = "test_user"
    # test-only credential; it is substituted into the generated server config
    cls.test_auth_key = "cd54b735-e756-4f12-aa18-d85509baef36"
    srvkeys, clikeys = generate_all_keys('test_mkey.conf')
    substitutions = {
        'SOCKET_URL': cls.socket_url,
        'TEST_AUTH_ID': cls.test_auth_id,
        'TEST_AUTH_KEY': cls.test_auth_key,
    }
    with open('test_custodia.conf', 'w+') as conffile:
        conffile.write(Template(TEST_CUSTODIA_CONF).substitute(substitutions))
    with open('test_log.txt', 'a') as logfile:
        server = subprocess.Popen(
            [interpreter, 'custodia/custodia', 'test_custodia.conf'],
            env=env, stdout=logfile, stderr=logfile)
    # give the server a moment to start, then make sure it is still running
    time.sleep(1)
    if server.poll() is not None:
        raise AssertionError(
            "Premature termination of Custodia server, see test_log.txt")
    cls.custodia_process = server
    # one plain client per endpoint, all presenting the same REMOTE_USER header
    for attr, path in (('client', '/secrets/uns'), ('admin', '/secrets'),
                       ('fwd', '/forwarder'), ('loop', '/forwarder_loop'),
                       ('enc', '/enc')):
        simple = CustodiaSimpleClient(cls.socket_url + path)
        simple.headers['REMOTE_USER'] = '******'
        setattr(cls, attr, simple)
    # the KEM client additionally needs both key sets generated above
    kem = CustodiaKEMClient(cls.socket_url + '/enc')
    kem.headers['REMOTE_USER'] = '******'
    kem.set_server_public_keys(*srvkeys)
    kem.set_client_keys(*clikeys)
    cls.kem = kem
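def parse_args(arglist=None):
    """Parse CLI arguments and attach a configured CustodiaSimpleClient.

    Args:
        arglist: argument list to parse; ``None`` lets argparse read
            ``sys.argv[1:]``.

    Returns:
        The argparse namespace, with ``client_conn`` set to a client built
        from the server URL, extra headers, CA file and client certificate
        options.
    """
    args = main_parser.parse_args(arglist)
    # A private key is only ever used together with a certificate; reject a
    # lone --keyfile instead of silently ignoring it.
    if args.keyfile and not args.certfile:
        main_parser.error("keyfile without certfile is not supported\n")
    if args.debug:
        args.verbose = True
    if not args.server:
        # default to the per-instance Unix socket when no server URL is given
        instance_socket = '/var/run/custodia/{}.sock'.format(args.instance)
        args.server = 'http+unix://{}'.format(url_escape(instance_socket, ''))
    if args.server.startswith('http+unix://') and not args.server.endswith('/'):
        # http+unix URLs carry the request path after the escaped socket path
        udspath = args.uds_urlpath
        if not udspath.startswith('/'):
            udspath = '/' + udspath
        args.server += udspath
    args.client_conn = CustodiaSimpleClient(args.server)
    if args.header is not None:
        args.client_conn.headers.update(args.header)
    if args.cafile:
        args.client_conn.set_ca_cert(args.cafile)
    if args.certfile:
        args.client_conn.set_client_cert(args.certfile, args.keyfile)
        # marks the connection as certificate-authenticated for the server
        # side (header name is the only evidence here; confirm against the
        # server's auth handling)
        args.client_conn.headers['CUSTODIA_CERT_AUTH'] = 'true'
    return args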
def test_client_no_client_cert(self):
    """Trusting the CA but presenting no client certificate must not succeed.

    The server is expected to abort the handshake with
    SSLV3_ALERT_HANDSHAKE_FAILURE.
    """
    url = self.socket_url + '/forwarder'
    client = CustodiaSimpleClient(url)
    client.headers['REMOTE_USER'] = '******'
    client.set_ca_cert(self.ca_cert)
    with self.assertRaises(SSLError) as raised:
        client.list_container('test')
    self.assert_ssl_error_msg("SSLV3_ALERT_HANDSHAKE_FAILURE", raised.exception)
class CustodiaSimpleConstructor(object):
    """PyYAML constructor that resolves ``!custodia/simple`` scalars to secrets.

    The tagged scalar is used verbatim as the secret name fetched from the
    Custodia server at *url*, so the document author decides which secret
    is requested; register it only with loaders that parse trusted documents.
    """

    yaml_tag = u'!custodia/simple'

    def __init__(self, url):
        """Bind a CustodiaSimpleClient for *url* as ``self.client``."""
        self.client = CustodiaSimpleClient(url)

    def __call__(self, loader, node):
        """Return the secret named by the scalar *node*."""
        secret_name = loader.construct_scalar(node)
        return self.client.get_secret(secret_name)
def test_client_no_client_cert(self):
    """Trusting the CA but presenting no client certificate must not succeed.

    The server is expected to abort the handshake with
    SSLV3_ALERT_HANDSHAKE_FAILURE.
    """
    url = self.socket_url + '/forwarder'
    client = CustodiaSimpleClient(url)
    client.headers['REMOTE_USER'] = '******'
    client.set_ca_cert(self.ca_cert)
    # XXX workaround for requests bug with urllib3 v1.22
    with self.assertRaises(RequestsConnSSLErrors) as raised:
        client.list_container('test')
    self.assert_ssl_error_msg("SSLV3_ALERT_HANDSHAKE_FAILURE", raised.exception)
def custodia_client(self):
    """Return the lazily built CustodiaSimpleClient described by this config.

    On first access the client is created from the section named by
    ``self.custodia_client_section``: ``url`` is required, while ``headers``
    (a JSON object merged into the request headers), ``tls_cafile``,
    ``tls_certfile`` and ``tls_keyfile`` are optional. The instance is
    cached in ``self._custodia_client`` for later calls.
    """
    if self._custodia_client is not None:
        return self._custodia_client
    section = self.custodia_client_section
    client = CustodiaSimpleClient(self.get(section, 'url'))
    raw_headers = self.get(section, 'headers', fallback=None)
    if raw_headers:
        client.headers.update(json.loads(raw_headers))
    cafile = self.get(section, 'tls_cafile', fallback=None)
    if cafile:
        client.set_ca_cert(cafile)
    certfile = self.get(section, 'tls_certfile', fallback=None)
    keyfile = self.get(section, 'tls_keyfile', fallback=None)
    # a key file on its own is never applied; it is only paired with a cert
    if certfile:
        client.set_client_cert(certfile, keyfile)
    self._custodia_client = client
    return client
def test_client_no_client_cert(self):
    """Trusting the CA but presenting no client certificate must not succeed.

    The server is expected to abort the handshake with
    SSLV3_ALERT_HANDSHAKE_FAILURE.
    """
    url = self.socket_url + '/forwarder'
    client = CustodiaSimpleClient(url)
    client.headers['REMOTE_USER'] = '******'
    client.set_ca_cert(self.ca_cert)
    with self.assertRaises(SSLError) as raised:
        client.list_container('test')
    message = str(raised.exception)
    self.assertIn("SSLV3_ALERT_HANDSHAKE_FAILURE", message)
def test_set_gssapi_auth(self):
    """set_gssapi_auth installs HTTPSPNEGOAuth and passes opportunistic_auth through.

    A fresh client has no session auth; each call replaces it with an
    HTTPSPNEGOAuth whose ``opportunistic_auth`` mirrors the argument
    (default False).
    """
    client = CustodiaSimpleClient('http://local.example')
    self.assertEqual(client.session.auth, None)
    for opportunistic in (False, True):
        if opportunistic:
            client.set_gssapi_auth(opportunistic_auth=True)
        else:
            client.set_gssapi_auth()
        auth = client.session.auth
        self.assertIsInstance(auth, requests_gssapi.HTTPSPNEGOAuth)
        self.assertEqual(auth.opportunistic_auth, opportunistic)
def parse_args(arglist=None):
    """Parse CLI arguments and attach a configured CustodiaSimpleClient.

    Validates option combinations (a key file requires a certificate; GSSAPI
    and certificate authentication are exclusive; GSSAPI needs the optional
    ``requests_gssapi`` package), derives the default per-instance socket URL
    when no server is given, and builds ``args.client_conn`` with timeout,
    headers, CA file and the selected authentication method applied.

    Args:
        arglist: argument list to parse; ``None`` lets argparse read
            ``sys.argv[1:]``.

    Returns:
        The argparse namespace with ``client_conn`` populated.
    """
    args = main_parser.parse_args(arglist)
    if args.keyfile and not args.certfile:
        main_parser.error("keyfile without certfile is not supported\n")
    # argparse mutually-exclusive groups cannot be nested, so check by hand
    if args.gssapi and args.certfile:
        main_parser.error("gssapi and certfile are mutually exclusive.\n")
    if args.gssapi and requests_gssapi is None:
        main_parser.error(
            "'requests_gssapi' package is not available! You can install "
            "it with: 'pip install custodia[gssapi]'.\n")
    if args.debug:
        args.verbose = True
    if not args.server:
        # default to the per-instance Unix socket when no server URL is given
        instance_socket = '/var/run/custodia/{}.sock'.format(args.instance)
        args.server = 'http+unix://{}'.format(url_escape(instance_socket, ''))
    if args.server.startswith('http+unix://') and not args.server.endswith('/'):
        # http+unix URLs carry the request path after the escaped socket path
        udspath = args.uds_urlpath
        if not udspath.startswith('/'):
            udspath = '/' + udspath
        args.server += udspath
    conn = CustodiaSimpleClient(args.server)
    conn.timeout = args.timeout
    if args.header is not None:
        conn.headers.update(args.header)
    if args.cafile:
        conn.set_ca_cert(args.cafile)
    # authentication: client certificate wins, GSSAPI otherwise, else none
    if args.certfile:
        conn.set_client_cert(args.certfile, args.keyfile)
        conn.headers['CUSTODIA_CERT_AUTH'] = 'true'
    elif args.gssapi:
        conn.set_gssapi_auth()
    args.client_conn = conn
    return args
def main():
    """CLI entry point: build the client from the parsed options and run the subcommand.

    ``--debug`` implies ``--verbose`` and raises every registered logger to
    DEBUG. The subcommand's result is printed (lists one item per line).
    HTTP errors exit with status 1; any other exception exits with status
    100, with a traceback on stderr when verbose.
    """
    args = main_parser.parse_args()
    if args.debug:
        args.verbose = True
        for logger in logging.Logger.manager.loggerDict.values():
            # loggerDict also holds PlaceHolder entries, which have no level
            if isinstance(logger, logging.Logger):
                logger.setLevel(logging.DEBUG)
    if args.server.startswith('http+unix://') and not args.server.endswith('/'):
        # http+unix URLs carry the request path after the escaped socket path
        udspath = args.uds_urlpath
        if not udspath.startswith('/'):
            udspath = '/' + udspath
        args.server += udspath
    conn = CustodiaSimpleClient(args.server)
    if args.header is not None:
        conn.headers.update(args.header)
    if args.cafile:
        conn.set_ca_cert(args.cafile)
    if args.certfile:
        conn.set_client_cert(args.certfile, args.keyfile)
        conn.headers['CUSTODIA_CERT_AUTH'] = 'true'
    args.client_conn = conn
    try:
        result = args.func(args)
    except RequestsHTTPError as e:
        return main_parser.exit(1, str(e))
    except Exception as e:  # pylint: disable=broad-except
        if args.verbose:
            traceback.print_exc(file=sys.stderr)
        return main_parser.exit(100, str(e))
    if result is None:
        return
    if isinstance(result, list):
        print('\n'.join(result))
    else:
        print(result)
def main():
    """CLI entry point: build the client from the parsed options and run the subcommand.

    ``--debug`` implies ``--verbose`` and raises every registered logger to
    DEBUG. Any exception (including BaseException subclasses) is turned into
    an exit code and message by ``error_message``; on success the result is
    printed, lists one item per line.
    """
    args = main_parser.parse_args()
    if args.debug:
        args.verbose = True
        for logger in logging.Logger.manager.loggerDict.values():
            # loggerDict also holds PlaceHolder entries, which have no level
            if isinstance(logger, logging.Logger):
                logger.setLevel(logging.DEBUG)
    if args.server.startswith('http+unix://') and not args.server.endswith('/'):
        # http+unix URLs carry the request path after the escaped socket path
        udspath = args.uds_urlpath
        if not udspath.startswith('/'):
            udspath = '/' + udspath
        args.server += udspath
    conn = CustodiaSimpleClient(args.server)
    if args.header is not None:
        conn.headers.update(args.header)
    if args.cafile:
        conn.set_ca_cert(args.cafile)
    if args.certfile:
        conn.set_client_cert(args.certfile, args.keyfile)
        conn.headers['CUSTODIA_CERT_AUTH'] = 'true'
    args.client_conn = conn
    try:
        result = args.func(args)
    except BaseException as exc:
        errcode, msg = error_message(args, exc)
        main_parser.exit(errcode, msg)
    else:
        if result is None:
            return
        if isinstance(result, list):
            print('\n'.join(result))
        else:
            print(result)
def __init__(self, url):
    """Bind a CustodiaSimpleClient for *url* as ``self.client``."""
    client = CustodiaSimpleClient(url)
    self.client = client
def test_client_no_ca_trust(self):
    """A client that has not been given the test CA must fail verification.

    The expected failure is reported as a CERTIFICATE_VERIFY_FAILED error.
    """
    url = self.socket_url + '/forwarder'
    client = CustodiaSimpleClient(url)
    client.headers['REMOTE_USER'] = '******'
    with self.assertRaises(SSLError) as raised:
        client.list_container('test')
    self.assert_ssl_error_msg("CERTIFICATE_VERIFY_FAILED", raised.exception)
def test_client_no_ca_trust(self):
    """A client that has not been given the test CA must fail verification.

    The expected failure is reported as a CERTIFICATE_VERIFY_FAILED error.
    """
    url = self.socket_url + '/forwarder'
    client = CustodiaSimpleClient(url)
    client.headers['REMOTE_USER'] = '******'
    with self.assertRaises(SSLError) as raised:
        client.list_container('test')
    message = str(raised.exception)
    self.assertIn("CERTIFICATE_VERIFY_FAILED", message)