def test_tls_ciphers_used(self): """ Checks cipher-suites used is a subset of preconfigured list of cipher-suites. Checks for TLS 1.2 and TLS 1.3 """ for node in self.servers: self.log.info("Testing node {0}".format(node.ip)) ports_to_scan = self.get_service_ports(node) ports_to_scan.extend(self.ports_to_scan) for node_port in ports_to_scan: self.log.info("Port being tested: {0}".format(node_port)) cmd = self.testssl.TEST_SSL_FILENAME + " --warnings off --color 0 {0}:{1}" \ .format(node.ip, node_port) self.log.info("The command is {0}".format(cmd)) shell = RemoteMachineShellConnection(self.slave_host) output, error = shell.execute_command(cmd) shell.disconnect() output = output.decode().split("\n") check_next = 0 stmt = "" tls_1_dot_2_obtained_list = [] tls_1_dot_3_obtained_list = [] for line in output: if check_next == 1: if line == "": check_next = 0 stmt = "" elif "TLSv1.3 (" in line: stmt = "TLSv1.3 (" elif stmt == "TLSv1.2 (": tls_1_dot_2_obtained_list.append(line.split()[-1]) elif stmt == "TLSv1.3 (": tls_1_dot_3_obtained_list.append(line.split()[-1]) elif "TLSv1.2 (" in line: check_next = 1 stmt = "TLSv1.2 (" # Get the preconfigured list of cipher-suites shell = RemoteMachineShellConnection(self.master) output, error = shell.execute_couchbase_cli(cli_command="setting-security", options="--get", cluster_host="localhost", user="******", password="******") shell.disconnect() content = json.loads(output[0]) services_ports_map = {11207: "data", 18094: "fullTextSearch", 19102: "index", 18096: "eventing", 18093: "query", 18095: "analytics", 18097: "backup", 18091: "clusterManager", 18092: "clusterManager"} cipher_order_list = content[services_ports_map[node_port]]["supportedCipherSuites"] # Verifies TLS 1.2 cipher-suites is a subset of preconfigured list of # cipher-suites is_present = False if all(ciphers in cipher_order_list for ciphers in tls_1_dot_2_obtained_list): is_present = True self.assertTrue(is_present, msg="Obtained list of TLS 1.2 cipher-suites is not a " "subset of pre-configured list of cipher-suites on " "port: {0} :: service: {1}" .format(node_port, services_ports_map[node_port])) # Verifies TLS 1.3 cipher-suites is a subset of preconfigured list of # cipher-suites is_present = False if all(ciphers in cipher_order_list for ciphers in tls_1_dot_3_obtained_list): is_present = True self.assertTrue(is_present, msg="Obtained list of TLS 1.3 cipher-suites is not a " "subset of pre-configured list of cipher-suites on " "port: {0} :: service: {1}" .format(node_port, services_ports_map[node_port]))