Commit d1c04760 authored by Jérome Perrin's avatar Jérome Perrin

wip caucase test

parent eed36779
......@@ -55,8 +55,8 @@ class EchoHTTPServer(ManagedHTTPServer):
class CaucaseService(ManagedService):
url = None # type: str
caucase_dir = None # type: str
caucase_process = None # type: subprocess.Popen
directory = None # type: str
_caucased_process = None # type: subprocess.Popen
def start(self):
# type: () -> None
......@@ -67,13 +67,15 @@ class CaucaseService(ManagedService):
)
caucased_path = os.path.join(software_release_root_path, 'bin', 'caucased')
self.caucase_dir = tempfile.mkdtemp()
caucased_dir = os.path.join(self.caucase_dir, 'caucased')
self.directory = tempfile.mkdtemp()
caucased_dir = os.path.join(self.directory, 'caucased')
os.mkdir(caucased_dir)
os.mkdir(os.path.join(caucased_dir, 'user'))
os.mkdir(os.path.join(caucased_dir, 'service'))
backend_caucased_netloc = '%s:%s' % (self._cls._ipv4_address, findFreeTCPPort(self._cls._ipv4_address))
self.url = 'http://' + backend_caucased_netloc
self.caucased_process = subprocess.Popen(
self._caucased_process = subprocess.Popen(
[
caucased_path,
'--db', os.path.join(caucased_dir, 'caucase.sqlite'),
......@@ -96,9 +98,13 @@ class CaucaseService(ManagedService):
def stop(self):
# type: () -> None
self.caucased_process.terminate()
self.caucased_process.wait()
shutil.rmtree(self.caucase_dir)
self._caucased_process.terminate()
self._caucased_process.wait()
shutil.rmtree(self.directory)
def sign_csr(self, csr_path):
# type: () -> None
pass
class BalancerTestCase(ERP5InstanceTestCase):
......@@ -189,15 +195,109 @@ class TestAccessLog(BalancerTestCase, CrontabMixin):
import pdb; pdb.set_trace()
class CaucaseClientCertificate(ManagedService):
ca_crt_file = None # type: str
crl_file = None # type: str
csr_file = None # type: str
cert_file = None # type: str
key_file = None # type: str
def start(self):
# type: () -> None
self.ca_crt_file = tempfile.NamedTemporaryFile(delete=False, suffix='ca-crt.pem').name
self.crl_file = tempfile.NamedTemporaryFile(delete=False, suffix='ca-crl.pem').name
self.csr_file = tempfile.NamedTemporaryFile(delete=False, suffix='csr.pem').name
# self.cert_file = tempfile.NamedTemporaryFile(delete=False, suffix='crt.pem').name
self.cert_file = self.key_file = tempfile.NamedTemporaryFile(delete=False, suffix='key.pem').name
def stop(self):
# type: () -> None
os.unlink(self.ca_crt_file)
os.unlink(self.crl_file)
os.unlink(self.csr_file)
# os.unlink(self.cert_file)
os.unlink(self.key_file)
def request(self, common_name, caucase):
# type: (str, CaucaseCertificate) -> None
software_release_root_path = os.path.join(
self._cls.slap._software_root,
hashlib.md5(self._cls.getSoftwareURL().encode()).hexdigest(),
)
caucase_path = os.path.join(software_release_root_path, 'bin', 'caucase')
cas_args = [
caucase_path,
'--ca-url', caucase.url,
'--ca-crt', self.ca_crt_file, # must not exist
'--crl', self.crl_file,
# XXX 'service
# '--ca-crt', os.path.join(caucase.directory, 'service', 'service-ca-crt.pem'),
# '--crl', os.path.join(caucase.directory, 'service', 'service.crl'),
# '--user-ca-crt', os.path.join(caucase.directory, 'service', 'user-ca-crt.pem'),
# '--user-crl', os.path.join(caucase.directory, 'service', 'user.crl'),
]
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
with open(self.key_file, 'wb') as f:
f.write(key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
))
csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, common_name),
])).sign(key, hashes.SHA256(), default_backend())
with open(self.csr_file, 'wb') as f:
f.write(csr.public_bytes(serialization.Encoding.PEM))
caucase_process = subprocess.Popen(
cas_args + [
'--send-csr', self.csr_file,
],
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
)
result = caucase_process.communicate()
csr_id = result[0].split()[0]
for _ in range(10):
if not subprocess.call(
cas_args + [
'--get-crt', csr_id, self.cert_file,
],
) == 0:
break
else:
time.sleep(1)
else:
raise RuntimeError('getting service certificate failed.')
class TestFrontendXForwardedFor(BalancerTestCase):
__partition_reference__ = 'xff'
frontend_caucase_dir = None
frontend_caucased_process = None
# TODO: ManagedService
@classmethod
def setUpClass(cls):
# type: () -> None
frontend_caucase = cls.getManagedService('frontend_caucase', CaucaseService)
certificate = cls.getManagedService('client_certificate', CaucaseClientCertificate)
certificate.request(u'shared frontend', frontend_caucase)
cls.client_certificate = certificate.key_file
super(TestFrontendXForwardedFor, cls).setUpClass()
# TODO: ManagedService
@classmethod
def setUpClassOld(cls):
# type: () -> None
# start a caucased and generate a valid client certificate.
cls.computer_partition_root_path = os.path.abspath(os.curdir)
......@@ -211,6 +311,7 @@ class TestFrontendXForwardedFor(BalancerTestCase):
frontend_caucased_netloc = '%s:%s' % (cls._ipv4_address, findFreeTCPPort(cls._ipv4_address))
cls.frontend_caucased_url = 'http://' + frontend_caucased_netloc
if 0:
cls.user_certificate = frontend_user_key = os.path.join(frontend_user_dir, 'client.key.pem')
frontend_user_csr = os.path.join(frontend_user_dir, 'client.csr.pem')
......@@ -277,6 +378,7 @@ class TestFrontendXForwardedFor(BalancerTestCase):
'--user-crl', os.path.join(frontend_service_dir, 'user.crl'),
]
if 0:
caucase_process = subprocess.Popen(
cau_args + [
'--mode', 'user',
......@@ -351,7 +453,7 @@ class TestFrontendXForwardedFor(BalancerTestCase):
'default': False,
'default-auth': True,
}
parameter_dict['ssl']['frontend-caucase-url-list'] = [cls.frontend_caucased_url]
parameter_dict['ssl']['frontend-caucase-url-list'] = [cls.getManagedService('frontend_caucase', CaucaseService).url]
return parameter_dict
@classmethod
......@@ -391,3 +493,5 @@ class TestFrontendXForwardedFor(BalancerTestCase):
headers={'X-Forwarded-For': '1.2.3.4'},
verify=False,
)
del TestAccessLog
\ No newline at end of file
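Review bot: The retry loop in CaucaseClientCertificate.request (the `for _ in range(10)` at the end of the 189/195 hunk) is inverted: `not subprocess.call(...) == 0` parses as `not (... == 0)`, so the loop breaks on the first non-zero exit of `--get-crt` and keeps sleeping while it succeeds, ending in `RuntimeError('getting service certificate failed.')` after ten successful fetches. The condition should read `if subprocess.call(cas_args + ['--get-crt', csr_id, self.cert_file]) == 0: break`. The `--send-csr` step just above never checks `caucase_process.returncode`, so on an error `result[0].split()[0]` yields the first token of the error text (or raises IndexError on empty output) instead of a CSR id; a `if caucase_process.returncode != 0: raise RuntimeError(result[0])` before the split keeps that failure readable. Separately, `start()` assigns `cert_file` and `key_file` the same path, so `--get-crt` writes the certificate to the file that holds the unencrypted private key — whether caucase appends to or replaces an existing key file is not visible here, so this is worth confirming as intended and noting in a comment if so. The hunk also leaves `import pdb; pdb.set_trace()` in TestAccessLog, which will hang a non-interactive test run even though the class is deleted at the end of the file.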