 def test_client_no_ca_trust(self):
     """A client that does not trust the server CA must fail at the TLS layer.

     No CA certificate is installed on this client, so server certificate
     verification is expected to fail before ``list_container`` can get a
     response.  The ``REMOTE_USER`` header mirrors the other client
     fixtures; the request is expected to die in the handshake regardless.
     """
     untrusted = CustodiaSimpleClient(self.socket_url + '/forwarder')
     untrusted.headers['REMOTE_USER'] = '******'
     # XXX workaround for requests bug with urllib3 v1.22: the SSL failure
     # may be surfaced as a requests connection error, so accept either
     # (RequestsConnSSLErrors is presumably a tuple of both types).
     with self.assertRaises(RequestsConnSSLErrors) as ctx:
         untrusted.list_container('test')
     self.assert_ssl_error_msg("CERTIFICATE_VERIFY_FAILED", ctx.exception)
    def setUpClass(cls):
        """Launch a throw-away Custodia server and build the client fixtures.

        Writes a fresh ``test_custodia.conf`` from ``TEST_CUSTODIA_CONF``,
        starts ``custodia/custodia`` as a subprocess (stdout/stderr appended
        to ``test_log.txt``) and creates one ``CustodiaSimpleClient`` per
        endpoint under test plus a ``CustodiaKEMClient`` with freshly
        generated keys.  The process handle is kept on
        ``cls.custodia_process`` (stopping it is expected to happen in a
        tearDownClass not shown here).

        Raises:
            AssertionError: if the server process exits within the first
                second after launch.
        """
        env = os.environ.copy()
        # Run the checked-out package rather than an installed copy.
        env['PYTHONPATH'] = './'
        pexec = env.get('CUSTODIAPYTHON', 'python')
        # Remove leftovers of a previous run so the server starts clean.
        unlink_if_exists('test_socket')
        unlink_if_exists('test_secrets.db')
        unlink_if_exists('test_mkey.conf')
        unlink_if_exists('test_custodia.conf')
        unlink_if_exists('test_log.txt')
        unlink_if_exists('test_audit.log')
        cls.socket_url = TEST_SOCKET_URL
        cls.test_auth_id = "test_user"
        # Fixed credential for this disposable test instance only; it is
        # substituted into the generated config below.  Never reuse it.
        cls.test_auth_key = "cd54b735-e756-4f12-aa18-d85509baef36"
        (srvkeys, clikeys) = generate_all_keys('test_mkey.conf')
        with (open('test_custodia.conf', 'w+')) as conffile:
            t = Template(TEST_CUSTODIA_CONF)
            conf = t.substitute({
                'SOCKET_URL': cls.socket_url,
                'TEST_AUTH_ID': cls.test_auth_id,
                'TEST_AUTH_KEY': cls.test_auth_key
            })
            conffile.write(conf)
        # The child inherits the log file descriptor; closing the parent's
        # handle right after spawn does not affect the server's logging.
        with (open('test_log.txt', 'a')) as logfile:
            p = subprocess.Popen(
                [pexec, 'custodia/custodia', 'test_custodia.conf'],
                env=env,
                stdout=logfile,
                stderr=logfile)
        # NOTE(review): a fixed one-second wait is only a readiness
        # heuristic; on a slow host the socket may not be listening yet
        # even though the process is still alive.
        time.sleep(1)
        if p.poll() is not None:
            raise AssertionError(
                "Premature termination of Custodia server, see test_log.txt")
        cls.custodia_process = p
        # Every client asserts its identity via the REMOTE_USER header.
        # That is only acceptable because the test server (configured by
        # TEST_CUSTODIA_CONF, not shown here) presumably trusts that header
        # on its local socket; a real deployment must never let remote
        # clients supply it.
        cls.client = CustodiaSimpleClient(cls.socket_url + '/secrets/uns')
        cls.client.headers['REMOTE_USER'] = '******'
        cls.admin = CustodiaSimpleClient(cls.socket_url + '/secrets')
        cls.admin.headers['REMOTE_USER'] = '******'
        cls.fwd = CustodiaSimpleClient(cls.socket_url + '/forwarder')
        cls.fwd.headers['REMOTE_USER'] = '******'
        cls.loop = CustodiaSimpleClient(cls.socket_url + '/forwarder_loop')
        cls.loop.headers['REMOTE_USER'] = '******'
        cls.enc = CustodiaSimpleClient(cls.socket_url + '/enc')
        cls.enc.headers['REMOTE_USER'] = '******'

        # KEM client: server public keys and client key pair generated above
        # into test_mkey.conf.
        cls.kem = CustodiaKEMClient(cls.socket_url + '/enc')
        cls.kem.headers['REMOTE_USER'] = '******'
        cls.kem.set_server_public_keys(*srvkeys)
        cls.kem.set_client_keys(*clikeys)
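def parse_args(arglist=None):
    """Parse CLI arguments and attach a configured ``CustodiaSimpleClient``.

    Args:
        arglist: Optional list of argument strings; ``None`` lets argparse
            read ``sys.argv[1:]``.

    Returns:
        The parsed namespace with ``args.client_conn`` set to a client for
        ``args.server``, carrying any extra ``--header`` values, the CA
        file and the client certificate/key when given.

    Raises:
        SystemExit: through ``main_parser.error`` when ``--keyfile`` is
            supplied without ``--certfile``.  Previously such a key was
            silently ignored; rejecting it keeps the behaviour in line
            with the other ``parse_args`` variant in this project.
    """
    args = main_parser.parse_args(arglist)

    # A private key without a certificate cannot be used for client-cert
    # authentication, so fail loudly instead of dropping it on the floor.
    if args.keyfile and not args.certfile:
        main_parser.error("keyfile without certfile is not supported\n")

    if args.debug:
        args.verbose = True

    if not args.server:
        # Default to the per-instance UNIX socket; the path is URL-escaped
        # so its '/' characters survive inside the http+unix host part.
        instance_socket = '/var/run/custodia/{}.sock'.format(args.instance)
        args.server = 'http+unix://{}'.format(url_escape(instance_socket, ''))

    if args.server.startswith('http+unix://'):
        # append uds-path: the HTTP path requested over the socket
        if not args.server.endswith('/'):
            udspath = args.uds_urlpath
            if not udspath.startswith('/'):
                udspath = '/' + udspath
            args.server += udspath

    args.client_conn = CustodiaSimpleClient(args.server)
    if args.header is not None:
        args.client_conn.headers.update(args.header)
    if args.cafile:
        # CA file handed to the client (presumably for server verification).
        args.client_conn.set_ca_cert(args.cafile)
    if args.certfile:
        args.client_conn.set_client_cert(args.certfile, args.keyfile)
        # Marker header asking the server to authenticate by client cert.
        args.client_conn.headers['CUSTODIA_CERT_AUTH'] = 'true'

    return args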
 def test_client_no_client_cert(self):
     """A client that trusts the CA but presents no certificate must be rejected.

     The CA is installed so server verification succeeds; the failure must
     therefore come from the server side (handshake alert), which is what
     the expected error text checks.
     """
     anonymous = CustodiaSimpleClient(self.socket_url + '/forwarder')
     anonymous.headers['REMOTE_USER'] = '******'
     anonymous.set_ca_cert(self.ca_cert)
     with self.assertRaises(SSLError) as ctx:
         anonymous.list_container('test')
     self.assert_ssl_error_msg("SSLV3_ALERT_HANDSHAKE_FAILURE", ctx.exception)
class CustodiaSimpleConstructor(object):
    """YAML constructor resolving ``!custodia/simple`` scalars to secrets.

    Meant to be registered with a YAML loader (registration happens
    elsewhere).  Each node carrying ``yaml_tag`` is replaced by the secret
    whose name is the node's scalar value, fetched through a
    ``CustodiaSimpleClient`` for ``url``.

    Security note: the secret name comes from the YAML document itself, so
    whoever authors a document loaded with this constructor registered can
    request any secret the configured client is permitted to read.  Only
    feed trusted YAML to such a loader.
    """

    yaml_tag = u'!custodia/simple'

    def __init__(self, url):
        """Create the client used for every lookup, pointed at ``url``."""
        self.client = CustodiaSimpleClient(url)

    def __call__(self, loader, node):
        """Return the secret named by the scalar ``node``."""
        secret_name = loader.construct_scalar(node)
        return self.client.get_secret(secret_name)
 def test_client_no_client_cert(self):
     """A client that trusts the CA but presents no certificate must be rejected.

     Server verification is made to succeed by installing the CA, so the
     only acceptable outcome is a server-side handshake alert.
     """
     anonymous = CustodiaSimpleClient(self.socket_url + '/forwarder')
     anonymous.headers['REMOTE_USER'] = '******'
     anonymous.set_ca_cert(self.ca_cert)
     # XXX workaround for requests bug with urllib3 v1.22: the SSL failure
     # may be surfaced as a requests connection error, so accept either.
     with self.assertRaises(RequestsConnSSLErrors) as ctx:
         anonymous.list_container('test')
     self.assert_ssl_error_msg("SSLV3_ALERT_HANDSHAKE_FAILURE", ctx.exception)
    def custodia_client(self):
        """Lazily build and cache the ``CustodiaSimpleClient`` for this config.

        Reads, from the section named by ``self.custodia_client_section``,
        the options ``url``, ``headers`` (a JSON object merged into the
        client's headers), ``tls_cafile``, ``tls_certfile`` and
        ``tls_keyfile``.  The client is created on first access and the
        same instance is returned afterwards.

        NOTE(review): ``tls_keyfile`` only takes effect together with
        ``tls_certfile``; a key configured without a certificate is
        silently ignored.
        """
        if self._custodia_client is not None:
            return self._custodia_client

        section = self.custodia_client_section
        client = CustodiaSimpleClient(self.get(section, 'url'))

        raw_headers = self.get(section, 'headers', fallback=None)
        if raw_headers:
            client.headers.update(json.loads(raw_headers))

        cafile = self.get(section, 'tls_cafile', fallback=None)
        if cafile:
            client.set_ca_cert(cafile)

        certfile = self.get(section, 'tls_certfile', fallback=None)
        keyfile = self.get(section, 'tls_keyfile', fallback=None)
        if certfile:
            client.set_client_cert(certfile, keyfile)

        self._custodia_client = client
        return client
 def test_client_no_client_cert(self):
     """A client that trusts the CA but presents no certificate must be rejected.

     With the CA installed, server verification passes; the expected
     failure is the server's handshake alert, checked via the error text.
     """
     anonymous = CustodiaSimpleClient(self.socket_url + '/forwarder')
     anonymous.headers['REMOTE_USER'] = '******'
     anonymous.set_ca_cert(self.ca_cert)
     with self.assertRaises(SSLError) as ctx:
         anonymous.list_container('test')
     message = str(ctx.exception)
     self.assertIn("SSLV3_ALERT_HANDSHAKE_FAILURE", message)
    def test_set_gssapi_auth(self):
        """``set_gssapi_auth`` installs SPNEGO auth on the session and honours ``opportunistic_auth``."""
        client = CustodiaSimpleClient('http://local.example')
        # A fresh client carries no session-level auth handler.
        self.assertEqual(client.session.auth, None)

        # Default call: opportunistic_auth stays off.
        client.set_gssapi_auth()
        auth = client.session.auth
        self.assertIsInstance(auth, requests_gssapi.HTTPSPNEGOAuth)
        self.assertEqual(auth.opportunistic_auth, False)

        # Explicit opt-in is passed through to the handler (presumably:
        # send the negotiate token without waiting for a challenge).
        client.set_gssapi_auth(opportunistic_auth=True)
        auth = client.session.auth
        self.assertIsInstance(auth, requests_gssapi.HTTPSPNEGOAuth)
        self.assertEqual(auth.opportunistic_auth, True)
def parse_args(arglist=None):
    """Parse CLI arguments and attach a configured ``CustodiaSimpleClient``.

    Args:
        arglist: Optional list of argument strings; ``None`` lets argparse
            read ``sys.argv[1:]``.

    Returns:
        The parsed namespace with ``args.client_conn`` set to a client for
        ``args.server`` (timeout, extra headers and CA file applied) and
        exactly one authentication mechanism configured: client
        certificate (``--certfile``) or GSSAPI (``--gssapi``).

    Raises:
        SystemExit: through ``main_parser.error`` for ``--keyfile`` without
            ``--certfile``, for ``--gssapi`` combined with ``--certfile``,
            and for ``--gssapi`` when ``requests_gssapi`` is not importable.
    """
    args = main_parser.parse_args(arglist)

    # Combinations argparse cannot express itself: mutually exclusive
    # groups don't support nested subgroups, so validate by hand.
    if args.keyfile and not args.certfile:
        main_parser.error("keyfile without certfile is not supported\n")
    if args.gssapi and args.certfile:
        main_parser.error("gssapi and certfile are mutually exclusive.\n")
    if args.gssapi and requests_gssapi is None:
        main_parser.error(
            "'requests_gssapi' package is not available! You can install "
            "it with: 'pip install custodia[gssapi]'.\n")

    if args.debug:
        args.verbose = True

    if not args.server:
        # Default to the per-instance UNIX socket; the path is URL-escaped
        # so its '/' characters survive inside the http+unix host part.
        socket_path = '/var/run/custodia/{}.sock'.format(args.instance)
        args.server = 'http+unix://{}'.format(url_escape(socket_path, ''))

    if args.server.startswith('http+unix://') and not args.server.endswith('/'):
        # append uds-path: the HTTP path requested over the socket
        urlpath = args.uds_urlpath
        if not urlpath.startswith('/'):
            urlpath = '/' + urlpath
        args.server += urlpath

    conn = CustodiaSimpleClient(args.server)
    args.client_conn = conn
    conn.timeout = args.timeout
    if args.header is not None:
        conn.headers.update(args.header)
    if args.cafile:
        conn.set_ca_cert(args.cafile)

    # authentication: certificate wins; the checks above guarantee the two
    # mechanisms are never both requested.
    if args.certfile:
        conn.set_client_cert(args.certfile, args.keyfile)
        # Marker header asking the server to authenticate by client cert.
        conn.headers['CUSTODIA_CERT_AUTH'] = 'true'
    elif args.gssapi:
        conn.set_gssapi_auth()

    return args
def main():
    """CLI entry point: build the client from the arguments and run the subcommand.

    ``args.func`` (installed by the subparser) does the actual work with
    ``args.client_conn``.  A list result is printed one item per line,
    any other non-``None`` result as-is.  An HTTP error from the server
    exits with status 1; any other exception exits with status 100, with
    the traceback on stderr when ``--verbose``/``--debug`` is set.
    """
    args = main_parser.parse_args()

    if args.debug:
        args.verbose = True
        # Raise every logger that already exists to DEBUG.
        for logger in logging.Logger.manager.loggerDict.values():
            if isinstance(logger, logging.Logger):
                logger.setLevel(logging.DEBUG)

    if args.server.startswith('http+unix://') and not args.server.endswith('/'):
        # append uds-path: the HTTP path requested over the socket
        urlpath = args.uds_urlpath
        if not urlpath.startswith('/'):
            urlpath = '/' + urlpath
        args.server += urlpath

    conn = CustodiaSimpleClient(args.server)
    args.client_conn = conn
    if args.header is not None:
        conn.headers.update(args.header)
    if args.cafile:
        conn.set_ca_cert(args.cafile)
    if args.certfile:
        conn.set_client_cert(args.certfile, args.keyfile)
        # Marker header asking the server to authenticate by client cert.
        conn.headers['CUSTODIA_CERT_AUTH'] = 'true'

    try:
        result = args.func(args)
    except RequestsHTTPError as e:
        return main_parser.exit(1, str(e))
    except Exception as e:  # pylint: disable=broad-except
        # Top-level CLI boundary: report instead of crashing with a trace,
        # unless the user asked for verbosity.
        if args.verbose:
            traceback.print_exc(file=sys.stderr)
        return main_parser.exit(100, str(e))

    if result is not None:
        output = '\n'.join(result) if isinstance(result, list) else result
        print(output)
def main():
    """CLI entry point: build the client from the arguments and run the subcommand.

    ``args.func`` (installed by the subparser) does the actual work with
    ``args.client_conn``.  A list result is printed one item per line,
    any other non-``None`` result as-is.  Every exception - including
    ``BaseException`` subclasses such as ``KeyboardInterrupt`` - is turned
    into an exit code and message by ``error_message`` (defined elsewhere)
    and handed to ``main_parser.exit``.
    """
    args = main_parser.parse_args()

    if args.debug:
        args.verbose = True
        # Raise every logger that already exists to DEBUG.
        for logger in logging.Logger.manager.loggerDict.values():
            if isinstance(logger, logging.Logger):
                logger.setLevel(logging.DEBUG)

    if args.server.startswith('http+unix://') and not args.server.endswith('/'):
        # append uds-path: the HTTP path requested over the socket
        urlpath = args.uds_urlpath
        if not urlpath.startswith('/'):
            urlpath = '/' + urlpath
        args.server += urlpath

    conn = CustodiaSimpleClient(args.server)
    args.client_conn = conn
    if args.header is not None:
        conn.headers.update(args.header)
    if args.cafile:
        conn.set_ca_cert(args.cafile)
    if args.certfile:
        conn.set_client_cert(args.certfile, args.keyfile)
        # Marker header asking the server to authenticate by client cert.
        conn.headers['CUSTODIA_CERT_AUTH'] = 'true'

    try:
        result = args.func(args)
    except BaseException as e:
        # Deliberately broad: this is the process boundary and
        # error_message decides the exit status for each exception type.
        errcode, msg = error_message(args, e)
        main_parser.exit(errcode, msg)
    else:
        if result is not None:
            output = '\n'.join(result) if isinstance(result, list) else result
            print(output)
    def custodia_client(self):
        """Lazily build and cache the ``CustodiaSimpleClient`` for this config.

        Reads, from the section named by ``self.custodia_client_section``,
        the options ``url``, ``headers`` (a JSON object merged into the
        client's headers), ``tls_cafile``, ``tls_certfile`` and
        ``tls_keyfile``.  The client is created on first access and the
        same instance is returned afterwards.

        NOTE(review): ``tls_keyfile`` only takes effect together with
        ``tls_certfile``; a key configured without a certificate is
        silently ignored.
        """
        if self._custodia_client is not None:
            return self._custodia_client

        section = self.custodia_client_section
        client = CustodiaSimpleClient(self.get(section, 'url'))

        raw_headers = self.get(section, 'headers', fallback=None)
        if raw_headers:
            client.headers.update(json.loads(raw_headers))

        cafile = self.get(section, 'tls_cafile', fallback=None)
        if cafile:
            client.set_ca_cert(cafile)

        certfile = self.get(section, 'tls_certfile', fallback=None)
        keyfile = self.get(section, 'tls_keyfile', fallback=None)
        if certfile:
            client.set_client_cert(certfile, keyfile)

        self._custodia_client = client
        return client
 def __init__(self, url):
     """Bind a ``CustodiaSimpleClient`` for ``url`` to ``self.client``."""
     self.client = CustodiaSimpleClient(url)
 def test_client_no_ca_trust(self):
     """A client that does not trust the server CA must fail at the TLS layer.

     No CA certificate is installed on this client, so server certificate
     verification is expected to fail and surface as ``SSLError``.
     """
     untrusted = CustodiaSimpleClient(self.socket_url + '/forwarder')
     untrusted.headers['REMOTE_USER'] = '******'
     with self.assertRaises(SSLError) as ctx:
         untrusted.list_container('test')
     self.assert_ssl_error_msg("CERTIFICATE_VERIFY_FAILED", ctx.exception)
 def test_client_no_ca_trust(self):
     """A client that does not trust the server CA must fail at the TLS layer.

     No CA certificate is installed on this client, so server certificate
     verification is expected to fail; the error text is checked for the
     OpenSSL verification failure reason.
     """
     untrusted = CustodiaSimpleClient(self.socket_url + '/forwarder')
     untrusted.headers['REMOTE_USER'] = '******'
     with self.assertRaises(SSLError) as ctx:
         untrusted.list_container('test')
     message = str(ctx.exception)
     self.assertIn("CERTIFICATE_VERIFY_FAILED", message)