Commit d1c04760 authored by Jérome Perrin's avatar Jérome Perrin

wip caucase test

parent eed36779
...@@ -55,8 +55,8 @@ class EchoHTTPServer(ManagedHTTPServer): ...@@ -55,8 +55,8 @@ class EchoHTTPServer(ManagedHTTPServer):
class CaucaseService(ManagedService): class CaucaseService(ManagedService):
url = None # type: str url = None # type: str
caucase_dir = None # type: str directory = None # type: str
caucase_process = None # type: subprocess.Popen _caucased_process = None # type: subprocess.Popen
def start(self): def start(self):
# type: () -> None # type: () -> None
...@@ -67,13 +67,15 @@ class CaucaseService(ManagedService): ...@@ -67,13 +67,15 @@ class CaucaseService(ManagedService):
) )
caucased_path = os.path.join(software_release_root_path, 'bin', 'caucased') caucased_path = os.path.join(software_release_root_path, 'bin', 'caucased')
self.caucase_dir = tempfile.mkdtemp() self.directory = tempfile.mkdtemp()
caucased_dir = os.path.join(self.caucase_dir, 'caucased') caucased_dir = os.path.join(self.directory, 'caucased')
os.mkdir(caucased_dir) os.mkdir(caucased_dir)
os.mkdir(os.path.join(caucased_dir, 'user'))
os.mkdir(os.path.join(caucased_dir, 'service'))
backend_caucased_netloc = '%s:%s' % (self._cls._ipv4_address, findFreeTCPPort(self._cls._ipv4_address)) backend_caucased_netloc = '%s:%s' % (self._cls._ipv4_address, findFreeTCPPort(self._cls._ipv4_address))
self.url = 'http://' + backend_caucased_netloc self.url = 'http://' + backend_caucased_netloc
self.caucased_process = subprocess.Popen( self._caucased_process = subprocess.Popen(
[ [
caucased_path, caucased_path,
'--db', os.path.join(caucased_dir, 'caucase.sqlite'), '--db', os.path.join(caucased_dir, 'caucase.sqlite'),
...@@ -96,9 +98,13 @@ class CaucaseService(ManagedService): ...@@ -96,9 +98,13 @@ class CaucaseService(ManagedService):
def stop(self): def stop(self):
# type: () -> None # type: () -> None
self.caucased_process.terminate() self._caucased_process.terminate()
self.caucased_process.wait() self._caucased_process.wait()
shutil.rmtree(self.caucase_dir) shutil.rmtree(self.directory)
def sign_csr(self, csr_path):
# type: () -> None
pass
class BalancerTestCase(ERP5InstanceTestCase): class BalancerTestCase(ERP5InstanceTestCase):
...@@ -189,15 +195,109 @@ class TestAccessLog(BalancerTestCase, CrontabMixin): ...@@ -189,15 +195,109 @@ class TestAccessLog(BalancerTestCase, CrontabMixin):
import pdb; pdb.set_trace() import pdb; pdb.set_trace()
class CaucaseClientCertificate(ManagedService):
ca_crt_file = None # type: str
crl_file = None # type: str
csr_file = None # type: str
cert_file = None # type: str
key_file = None # type: str
def start(self):
# type: () -> None
self.ca_crt_file = tempfile.NamedTemporaryFile(delete=False, suffix='ca-crt.pem').name
self.crl_file = tempfile.NamedTemporaryFile(delete=False, suffix='ca-crl.pem').name
self.csr_file = tempfile.NamedTemporaryFile(delete=False, suffix='csr.pem').name
# self.cert_file = tempfile.NamedTemporaryFile(delete=False, suffix='crt.pem').name
self.cert_file = self.key_file = tempfile.NamedTemporaryFile(delete=False, suffix='key.pem').name
def stop(self):
# type: () -> None
os.unlink(self.ca_crt_file)
os.unlink(self.crl_file)
os.unlink(self.csr_file)
# os.unlink(self.cert_file)
os.unlink(self.key_file)
def request(self, common_name, caucase):
# type: (str, CaucaseCertificate) -> None
software_release_root_path = os.path.join(
self._cls.slap._software_root,
hashlib.md5(self._cls.getSoftwareURL().encode()).hexdigest(),
)
caucase_path = os.path.join(software_release_root_path, 'bin', 'caucase')
cas_args = [
caucase_path,
'--ca-url', caucase.url,
'--ca-crt', self.ca_crt_file, # must not exist
'--crl', self.crl_file,
# XXX 'service
# '--ca-crt', os.path.join(caucase.directory, 'service', 'service-ca-crt.pem'),
# '--crl', os.path.join(caucase.directory, 'service', 'service.crl'),
# '--user-ca-crt', os.path.join(caucase.directory, 'service', 'user-ca-crt.pem'),
# '--user-crl', os.path.join(caucase.directory, 'service', 'user.crl'),
]
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
with open(self.key_file, 'wb') as f:
f.write(key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
))
csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, common_name),
])).sign(key, hashes.SHA256(), default_backend())
with open(self.csr_file, 'wb') as f:
f.write(csr.public_bytes(serialization.Encoding.PEM))
caucase_process = subprocess.Popen(
cas_args + [
'--send-csr', self.csr_file,
],
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
)
result = caucase_process.communicate()
csr_id = result[0].split()[0]
for _ in range(10):
if not subprocess.call(
cas_args + [
'--get-crt', csr_id, self.cert_file,
],
) == 0:
break
else:
time.sleep(1)
else:
raise RuntimeError('getting service certificate failed.')
class TestFrontendXForwardedFor(BalancerTestCase): class TestFrontendXForwardedFor(BalancerTestCase):
__partition_reference__ = 'xff' __partition_reference__ = 'xff'
frontend_caucase_dir = None frontend_caucase_dir = None
frontend_caucased_process = None frontend_caucased_process = None
# TODO: ManagedService
@classmethod @classmethod
def setUpClass(cls): def setUpClass(cls):
# type: () -> None
frontend_caucase = cls.getManagedService('frontend_caucase', CaucaseService)
certificate = cls.getManagedService('client_certificate', CaucaseClientCertificate)
certificate.request(u'shared frontend', frontend_caucase)
cls.client_certificate = certificate.key_file
super(TestFrontendXForwardedFor, cls).setUpClass()
# TODO: ManagedService
@classmethod
def setUpClassOld(cls):
# type: () -> None # type: () -> None
# start a caucased and generate a valid client certificate. # start a caucased and generate a valid client certificate.
cls.computer_partition_root_path = os.path.abspath(os.curdir) cls.computer_partition_root_path = os.path.abspath(os.curdir)
...@@ -211,26 +311,27 @@ class TestFrontendXForwardedFor(BalancerTestCase): ...@@ -211,26 +311,27 @@ class TestFrontendXForwardedFor(BalancerTestCase):
frontend_caucased_netloc = '%s:%s' % (cls._ipv4_address, findFreeTCPPort(cls._ipv4_address)) frontend_caucased_netloc = '%s:%s' % (cls._ipv4_address, findFreeTCPPort(cls._ipv4_address))
cls.frontend_caucased_url = 'http://' + frontend_caucased_netloc cls.frontend_caucased_url = 'http://' + frontend_caucased_netloc
cls.user_certificate = frontend_user_key = os.path.join(frontend_user_dir, 'client.key.pem') if 0:
frontend_user_csr = os.path.join(frontend_user_dir, 'client.csr.pem') cls.user_certificate = frontend_user_key = os.path.join(frontend_user_dir, 'client.key.pem')
frontend_user_csr = os.path.join(frontend_user_dir, 'client.csr.pem')
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
with open(frontend_user_key, 'wb') as f:
f.write(key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
))
csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([ key = rsa.generate_private_key(
x509.NameAttribute(NameOID.COMMON_NAME, u'user'), public_exponent=65537,
])).sign(key, hashes.SHA256(), default_backend()) key_size=2048,
with open(frontend_user_csr, 'wb') as f: backend=default_backend()
f.write(csr.public_bytes(serialization.Encoding.PEM)) )
with open(frontend_user_key, 'wb') as f:
f.write(key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
))
csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'user'),
])).sign(key, hashes.SHA256(), default_backend())
with open(frontend_user_csr, 'wb') as f:
f.write(csr.public_bytes(serialization.Encoding.PEM))
cls.software_release_root_path = os.path.join( cls.software_release_root_path = os.path.join(
cls.slap._software_root, cls.slap._software_root,
...@@ -277,23 +378,24 @@ class TestFrontendXForwardedFor(BalancerTestCase): ...@@ -277,23 +378,24 @@ class TestFrontendXForwardedFor(BalancerTestCase):
'--user-crl', os.path.join(frontend_service_dir, 'user.crl'), '--user-crl', os.path.join(frontend_service_dir, 'user.crl'),
] ]
caucase_process = subprocess.Popen( if 0:
cau_args + [ caucase_process = subprocess.Popen(
'--mode', 'user', cau_args + [
'--send-csr', frontend_user_csr, '--mode', 'user',
], '--send-csr', frontend_user_csr,
stdout=subprocess.PIPE, ],
stderr=subprocess.STDOUT, stdout=subprocess.PIPE,
) stderr=subprocess.STDOUT,
result = caucase_process.communicate() )
csr_id = result[0].split()[0] result = caucase_process.communicate()
csr_id = result[0].split()[0]
subprocess.check_call( subprocess.check_call(
cau_args + [ cau_args + [
'--mode', 'user', '--mode', 'user',
'--get-crt', csr_id, frontend_user_key, '--get-crt', csr_id, frontend_user_key,
], ],
) )
cls.client_certificate = frontend_service_key = os.path.join(frontend_service_dir, 'crt.pem') cls.client_certificate = frontend_service_key = os.path.join(frontend_service_dir, 'crt.pem')
frontend_service_csr = os.path.join(frontend_service_dir, 'csr.pem') frontend_service_csr = os.path.join(frontend_service_dir, 'csr.pem')
...@@ -351,7 +453,7 @@ class TestFrontendXForwardedFor(BalancerTestCase): ...@@ -351,7 +453,7 @@ class TestFrontendXForwardedFor(BalancerTestCase):
'default': False, 'default': False,
'default-auth': True, 'default-auth': True,
} }
parameter_dict['ssl']['frontend-caucase-url-list'] = [cls.frontend_caucased_url] parameter_dict['ssl']['frontend-caucase-url-list'] = [cls.getManagedService('frontend_caucase', CaucaseService).url]
return parameter_dict return parameter_dict
@classmethod @classmethod
...@@ -391,3 +493,5 @@ class TestFrontendXForwardedFor(BalancerTestCase): ...@@ -391,3 +493,5 @@ class TestFrontendXForwardedFor(BalancerTestCase):
headers={'X-Forwarded-For': '1.2.3.4'}, headers={'X-Forwarded-For': '1.2.3.4'},
verify=False, verify=False,
) )
del TestAccessLog
\ No newline at end of file
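Review bot: The retry loop at the end of CaucaseClientCertificate.request has its success test inverted: `if not subprocess.call(...) == 0` breaks out when `caucase --get-crt` returns a non-zero status and sleeps when it returns 0, so a certificate fetched on the first attempt still polls ten times and then raises 'getting service certificate failed.', while a persistent failure leaves the loop silently with no certificate written next to the key. The condition should be `if subprocess.call(cas_args + ['--get-crt', csr_id, self.cert_file]) == 0:` with `break` as its body and `time.sleep(1)` as the fallthrough. The `--send-csr` output is also consumed without checking `caucase_process.returncode`, so a rejected CSR surfaces as an IndexError on `result[0].split()[0]` rather than a readable error. Two type comments disagree with their signatures: `sign_csr(self, csr_path)` should carry `# type: (str) -> None` and `request(self, common_name, caucase)` should carry `# type: (str, CaucaseService) -> None`, since no `CaucaseCertificate` class appears in this diff. The `--ca-crt` argument is annotated `# must not exist`, yet start() pre-creates that path with `NamedTemporaryFile(delete=False)` as an empty file; if the comment is accurate, the path should be allocated inside a temporary directory instead of being created up front.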