slapos_cloud: use cryptography library to extract certificate information

The string (certificate) dont contains metadata text anymore only the certificate itself.

slapos_cloud: use cryptography library to extract certificate information
The string (certificate) dont contains metadata text anymore only the certificate itself.
ce467e26 · Rafael Monnerat · e79d358e · ce467e26 · ce467e26 · ce467e26
Commit ce467e26 authored Sep 21, 2023 by Rafael Monnerat
3 changed files
--- a/master/bt5/slapos_cloud/TestTemplateItem/portal_components/test.erp5.testSlapOSCloudComputeNodeSlapInterfaceWorkflow.py
+++ b/master/bt5/slapos_cloud/TestTemplateItem/portal_components/test.erp5.testSlapOSCloudComputeNodeSlapInterfaceWorkflow.py
@@ -24,7 +24,8 @@ from time import sleep
 from zExceptions import Unauthorized
 from unittest import expectedFailure
 from Products.ERP5Type.Errors import UnsupportedWorkflowMethod
-
+from cryptography import x509
+from cryptography.x509.oid import NameOID

 class TestSlapOSCoreComputeNodeSlapInterfaceWorkflow(SlapOSTestCaseMixin):
  
@@ -60,10 +61,15 @@ class TestSlapOSCoreComputeNodeSlapInterfaceWorkflow(SlapOSTestCaseMixin):
    certificate_login = certificate_login_list[0]
    self.assertEqual(certificate_login.getValidationState(), 'validated')
    self.assertNotEqual(certificate_login.getReference(), None)
-    self.assertNotEqual(certificate_login.getDestinationReference(), None)
-    serial = '0x%x' % int(certificate_login.getDestinationReference(), 16)
-    self.assertIn(serial, compute_node_certificate)
-    self.assertIn(certificate_login.getReference(), compute_node_certificate.decode('string_escape'))
+    self.assertNotEqual(certificate_login.getSourceReference(), None)
+
+    ssl_certificate = x509.load_pem_x509_certificate(compute_node_certificate)
+    self.assertEqual(len(ssl_certificate.subject), 2)
+    cn = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME][0]
+    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn)
+ 
+    # TODO: Should we check for csr_id
+    #self.assertTrue(certificate_login.getSourceReference() in compute_node_certificate)

  def test_generateCertificate_twice(self):
    self.login(self.compute_node.getUserId())
@@ -72,18 +78,23 @@ class TestSlapOSCoreComputeNodeSlapInterfaceWorkflow(SlapOSTestCaseMixin):
    compute_node_certificate = self.portal.REQUEST.get('compute_node_certificate')
    self.assertNotEqual(None, compute_node_key)
    self.assertNotEqual(None, compute_node_certificate)
-    self.assertEqual(None, self.compute_node.getDestinationReference())
+    self.assertEqual(None, self.compute_node.getSourceReference())

    certificate_login_list = self.compute_node.objectValues(portal_type="Certificate Login")
    self.assertEqual(len(certificate_login_list), 1)
    certificate_login = certificate_login_list[0]
    self.assertEqual(certificate_login.getValidationState(), 'validated')
    self.assertNotEqual(certificate_login.getReference(), None)
-    self.assertNotEqual(certificate_login.getDestinationReference(), None)
-    serial = '0x%x' % int(certificate_login.getDestinationReference(), 16)
-    self.assertIn(serial, compute_node_certificate)
-    self.assertIn(certificate_login.getReference(), compute_node_certificate.decode('string_escape'))
-
+    self.assertNotEqual(certificate_login.getSourceReference(), None)
+
+    ssl_certificate = x509.load_pem_x509_certificate(compute_node_certificate)
+    self.assertEqual(len(ssl_certificate.subject), 2)
+    cn = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME][0]
+    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn)
+ 
+    # TODO: Should we check for csr_id
+    #self.assertTrue(certificate_login.getSourceReference() in compute_node_certificate)
+    
    self.assertRaises(ValueError, self.compute_node.generateCertificate)
    self.assertEqual(None, self.portal.REQUEST.get('compute_node_key'))
    self.assertEqual(None, self.portal.REQUEST.get('compute_node_certificate'))
@@ -272,10 +283,16 @@ class TestSlapOSCoreComputeNodeSlapInterfaceWorkflow(SlapOSTestCaseMixin):
    certificate_login = certificate_login_list[0]
    self.assertEqual(certificate_login.getValidationState(), 'validated')
    self.assertNotEqual(certificate_login.getReference(), None)
-    self.assertNotEqual(certificate_login.getDestinationReference(), None)
-    serial = '0x%x' % int(certificate_login.getDestinationReference(), 16)
-    self.assertIn(serial, compute_node_certificate)
-    self.assertIn(certificate_login.getReference(), compute_node_certificate.decode('string_escape'))
+    self.assertNotEqual(certificate_login.getSourceReference(), None)
+
+    ssl_certificate = x509.load_pem_x509_certificate(compute_node_certificate)
+    self.assertEqual(len(ssl_certificate.subject), 2)
+    cn = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME][0]
+    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn)
+ 
+    # TODO: Should we check for csr_id
+    #self.assertTrue(certificate_login.getSourceReference() in compute_node_certificate)
+    
    self.assertNotEqual(certificate_login.getReference(),
                        self.compute_node.getReference())

@@ -290,7 +307,7 @@ class TestSlapOSCoreComputeNodeSlapInterfaceWorkflow(SlapOSTestCaseMixin):
    self.assertRaises(ValueError, self.compute_node.revokeCertificate)
    self.assertEqual(None, self.portal.REQUEST.get('compute_node_key'))
    self.assertEqual(None, self.portal.REQUEST.get('compute_node_certificate'))
-    self.assertEqual(None, self.compute_node.getDestinationReference())
+    self.assertEqual(None, self.compute_node.getSourceReference())
    certificate_login_list = self.compute_node.objectValues(portal_type="Certificate Login")
    self.assertEqual(len(certificate_login_list), 0)

@@ -306,13 +323,18 @@ class TestSlapOSCoreComputeNodeSlapInterfaceWorkflow(SlapOSTestCaseMixin):
    certificate_login = certificate_login_list[0]
    self.assertEqual(certificate_login.getValidationState(), 'validated')
    self.assertNotEqual(certificate_login.getReference(), None)
-    self.assertNotEqual(certificate_login.getDestinationReference(), None)
-    serial = '0x%x' % int(certificate_login.getDestinationReference(), 16)
-    self.assertIn(serial, compute_node_certificate)
-    self.assertIn(certificate_login.getReference(), compute_node_certificate.decode('string_escape'))
+    self.assertNotEqual(certificate_login.getSourceReference(), None)
    self.assertNotEqual(certificate_login.getReference(),
                        self.compute_node.getReference())

+    ssl_certificate = x509.load_pem_x509_certificate(compute_node_certificate)
+    self.assertEqual(len(ssl_certificate.subject), 2)
+    cn = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME][0]
+    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn)
+ 
+    # TODO: Should we check for csr_id
+    #self.assertTrue(certificate_login.getSourceReference() in compute_node_certificate)
+
    self.compute_node.revokeCertificate()
    self.assertEqual(None, self.portal.REQUEST.get('compute_node_key'))
    self.assertEqual(None, self.portal.REQUEST.get('compute_node_certificate'))
@@ -337,17 +359,22 @@ class TestSlapOSCoreComputeNodeSlapInterfaceWorkflow(SlapOSTestCaseMixin):
    certificate_login_list = self.compute_node.objectValues(portal_type="Certificate Login")
    self.assertEqual(len(certificate_login_list), 1)
    certificate_login = certificate_login_list[0]
-    destination_reference = certificate_login.getDestinationReference()
+    source_reference = certificate_login.getSourceReference()

    self.assertEqual(certificate_login.getValidationState(), 'validated')
    self.assertNotEqual(certificate_login.getReference(), None)
-    self.assertNotEqual(certificate_login.getDestinationReference(), None)
-    serial = '0x%x' % int(certificate_login.getDestinationReference(), 16)
-    self.assertIn(serial, compute_node_certificate)
-    self.assertIn(certificate_login.getReference(), compute_node_certificate.decode('string_escape'))
+    self.assertNotEqual(certificate_login.getSourceReference(), None)
    self.assertNotEqual(certificate_login.getReference(),
                        self.compute_node.getReference())
-    self.assertNotEqual(None, destination_reference)
+
+    ssl_certificate = x509.load_pem_x509_certificate(compute_node_certificate)
+    self.assertEqual(len(ssl_certificate.subject), 2)
+    cn = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME][0]
+    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn)
+ 
+    # TODO: Should we check for csr_id
+    #self.assertTrue(certificate_login.getSourceReference() in compute_node_certificate)
+    self.assertNotEqual(None, source_reference)

    self.compute_node.revokeCertificate()
    self.compute_node.generateCertificate()
@@ -358,7 +385,7 @@ class TestSlapOSCoreComputeNodeSlapInterfaceWorkflow(SlapOSTestCaseMixin):
    self.assertNotEqual(compute_node_certificate, self.portal.REQUEST.get('compute_node_certificate'))

    self.assertEqual(certificate_login.getValidationState(), 'invalidated')
-    self.assertEqual(certificate_login.getDestinationReference(), destination_reference)
+    self.assertEqual(certificate_login.getSourceReference(), source_reference)
    self.assertNotEqual(certificate_login.getReference(), None)

    certificate_login_list = self.compute_node.objectValues(portal_type="Certificate Login")
@@ -366,21 +393,25 @@ class TestSlapOSCoreComputeNodeSlapInterfaceWorkflow(SlapOSTestCaseMixin):
    new_certificate_login = [i for i in certificate_login_list \
      if i.getId() != certificate_login.getId()][0]
    
-    destination_reference = certificate_login.getDestinationReference()
+    source_reference = certificate_login.getSourceReference()
    self.assertEqual(new_certificate_login.getValidationState(), 'validated')
    self.assertNotEqual(new_certificate_login.getReference(), None)
    self.assertNotEqual(new_certificate_login.getReference(),
      certificate_login.getReference())
  
-    self.assertNotEqual(new_certificate_login.getDestinationReference(), None)
-    self.assertNotEqual(new_certificate_login.getDestinationReference(),
-      certificate_login.getDestinationReference())
-    serial = '0x%x' % int(new_certificate_login.getDestinationReference(), 16)
-
+    self.assertNotEqual(new_certificate_login.getSourceReference(), None)
+    self.assertNotEqual(new_certificate_login.getSourceReference(),
+      certificate_login.getSourceReference())
    compute_node_certificate = self.portal.REQUEST.get('compute_node_certificate')
-    self.assertIn(serial, compute_node_certificate)
-    self.assertIn(new_certificate_login.getReference(), compute_node_certificate.decode('string_escape'))
-    self.assertNotIn(certificate_login.getReference(), compute_node_certificate.decode('string_escape'))
+    
+    ssl_certificate = x509.load_pem_x509_certificate(compute_node_certificate)
+    self.assertEqual(len(ssl_certificate.subject), 2)
+    cn = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME][0]
+    self.assertEqual(new_certificate_login.getReference().decode("UTF-8"), cn)
+    self.assertNotEqual(certificate_login.getReference().decode("UTF-8"), cn)
+
+    # TODO: Should we check for csr_id
+    #self.assertIn(certificate_login.getSourceReference(), compute_node_certificate)
    
    self.assertNotEqual(certificate_login.getReference(),
                        self.compute_node.getReference())
@@ -396,17 +427,19 @@ class TestSlapOSCoreComputeNodeSlapInterfaceWorkflow(SlapOSTestCaseMixin):
    certificate_login_list = self.compute_node.objectValues(portal_type="Certificate Login")
    self.assertEqual(len(certificate_login_list), 1)
    certificate_login = certificate_login_list[0]
-    destination_reference = certificate_login.getDestinationReference()
+    source_reference = certificate_login.getSourceReference()

    self.assertEqual(certificate_login.getValidationState(), 'validated')
    self.assertNotEqual(certificate_login.getReference(), None)
-    self.assertNotEqual(certificate_login.getDestinationReference(), None)
-    serial = '0x%x' % int(certificate_login.getDestinationReference(), 16)
-    self.assertIn(serial, compute_node_certificate)
-    self.assertIn(certificate_login.getReference(), compute_node_certificate.decode('string_escape'))
+    self.assertNotEqual(certificate_login.getSourceReference(), None)
+
+    ssl_certificate = x509.load_pem_x509_certificate(compute_node_certificate)
+    self.assertEqual(len(ssl_certificate.subject), 2)
+    cn = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME][0]
+    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn)
    self.assertNotEqual(certificate_login.getReference(),
                        self.compute_node.getReference())
-    self.assertNotEqual(None, destination_reference)
+    self.assertNotEqual(None, source_reference)

    self.compute_node.revokeCertificate()
    self.compute_node.generateCertificate()
@@ -417,7 +450,7 @@ class TestSlapOSCoreComputeNodeSlapInterfaceWorkflow(SlapOSTestCaseMixin):
    self.assertNotEqual(compute_node_certificate, self.portal.REQUEST.get('compute_node_certificate'))

    self.assertEqual(certificate_login.getValidationState(), 'invalidated')
-    self.assertEqual(certificate_login.getDestinationReference(), destination_reference)
+    self.assertEqual(certificate_login.getSourceReference(), source_reference)
    self.assertNotEqual(certificate_login.getReference(), None)

    certificate_login_list = self.compute_node.objectValues(portal_type="Certificate Login")
@@ -425,22 +458,22 @@ class TestSlapOSCoreComputeNodeSlapInterfaceWorkflow(SlapOSTestCaseMixin):
    new_certificate_login = [i for i in certificate_login_list \
      if i.getId() != certificate_login.getId()][0]
    
-    destination_reference = certificate_login.getDestinationReference()
+    source_reference = certificate_login.getSourceReference()
    self.assertEqual(new_certificate_login.getValidationState(), 'validated')
    self.assertNotEqual(new_certificate_login.getReference(), None)
    self.assertNotEqual(new_certificate_login.getReference(),
      certificate_login.getReference())
  
-    self.assertNotEqual(new_certificate_login.getDestinationReference(), None)
-    self.assertNotEqual(new_certificate_login.getDestinationReference(),
-      certificate_login.getDestinationReference())
-    serial = '0x%x' % int(new_certificate_login.getDestinationReference(), 16)
-
+    self.assertNotEqual(new_certificate_login.getSourceReference(), None)
+    self.assertNotEqual(new_certificate_login.getSourceReference(),
+      certificate_login.getSourceReference())
    compute_node_certificate = self.portal.REQUEST.get('compute_node_certificate')
-    self.assertIn(serial, compute_node_certificate)
-    self.assertIn(new_certificate_login.getReference(), compute_node_certificate.decode('string_escape'))
-    self.assertNotIn(certificate_login.getReference(), compute_node_certificate.decode('string_escape'))
-    
+
+    ssl_certificate = x509.load_pem_x509_certificate(compute_node_certificate)
+    self.assertEqual(len(ssl_certificate.subject), 2)
+    cn = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME][0]
+    self.assertEqual(new_certificate_login.getReference().decode("UTF-8"), cn)
+    self.assertNotEqual(certificate_login.getReference().decode("UTF-8"), cn)
    self.assertNotEqual(certificate_login.getReference(),
                        self.compute_node.getReference())

@@ -453,7 +486,7 @@ class TestSlapOSCoreComputeNodeSlapInterfaceWorkflow(SlapOSTestCaseMixin):
    self.assertNotEqual(compute_node_certificate, self.portal.REQUEST.get('compute_node_certificate'))

    self.assertEqual(new_certificate_login.getValidationState(), 'invalidated')
-    self.assertNotEqual(new_certificate_login.getDestinationReference(), destination_reference)
+    self.assertNotEqual(new_certificate_login.getSourceReference(), source_reference)
    self.assertNotEqual(new_certificate_login.getReference(), None)

    certificate_login_list = self.compute_node.objectValues(portal_type="Certificate Login")
@@ -462,22 +495,23 @@ class TestSlapOSCoreComputeNodeSlapInterfaceWorkflow(SlapOSTestCaseMixin):
    third_certificate_login = [i for i in certificate_login_list \
      if i.getId() not in [certificate_login.getId(), new_certificate_login.getId()]][0]
    
-    destination_reference = new_certificate_login.getDestinationReference()
+    source_reference = new_certificate_login.getSourceReference()
    self.assertEqual(third_certificate_login.getValidationState(), 'validated')
    self.assertNotEqual(third_certificate_login.getReference(), None)
    self.assertNotEqual(third_certificate_login.getReference(),
      certificate_login.getReference())
  
-    self.assertNotEqual(third_certificate_login.getDestinationReference(), None)
-    self.assertNotEqual(third_certificate_login.getDestinationReference(),
-      new_certificate_login.getDestinationReference())
-    serial = '0x%x' % int(third_certificate_login.getDestinationReference(), 16)
+    self.assertNotEqual(third_certificate_login.getSourceReference(), None)
+    self.assertNotEqual(third_certificate_login.getSourceReference(),
+      new_certificate_login.getSourceReference())

    compute_node_certificate = self.portal.REQUEST.get('compute_node_certificate')
-    self.assertIn(serial, compute_node_certificate)
-    self.assertIn(third_certificate_login.getReference(), compute_node_certificate.decode('string_escape'))
-    self.assertNotIn(new_certificate_login.getReference(), compute_node_certificate.decode('string_escape'))
-    
+
+    ssl_certificate = x509.load_pem_x509_certificate(compute_node_certificate)
+    self.assertEqual(len(ssl_certificate.subject), 2)
+    cn = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME][0]
+    self.assertEqual(third_certificate_login.getReference().decode("UTF-8"), cn)
+    self.assertNotEqual(new_certificate_login.getReference().decode("UTF-8"), cn)
    self.assertNotEqual(third_certificate_login.getReference(),
                        self.compute_node.getReference())


--- a/master/bt5/slapos_cloud/TestTemplateItem/portal_components/test.erp5.testSlapOSCloudInstanceSlapInterfaceWorkflow.py
+++ b/master/bt5/slapos_cloud/TestTemplateItem/portal_components/test.erp5.testSlapOSCloudInstanceSlapInterfaceWorkflow.py
@@ -24,10 +24,12 @@ from erp5.component.document.SoftwareInstance import SoftwareInstance, \
 import transaction
 from time import sleep
 from zExceptions import Unauthorized
+from cryptography import x509
+from cryptography.x509.oid import NameOID

 class TestSlapOSCoreInstanceSlapInterfaceWorkflow(SlapOSTestCaseMixin):
  """Tests instance.requestInstance"""
-
+  
  launch_caucase = 1

  def afterSetUp(self):
@@ -1330,7 +1332,6 @@ class TestSlapOSCoreInstanceSlapInterfaceWorkflowTransfer(SlapOSTestCaseMixin):
    self.software_instance.generateCertificate()
    self.assertNotEqual(self.software_instance.getSslKey(), None)
    self.assertNotEqual(self.software_instance.getSslCertificate(), None)
-    self.assertEqual(self.software_instance.getDestinationReference(), None)

    certificate_login_list = self.software_instance.objectValues(portal_type="Certificate Login")
    self.assertEqual(len(certificate_login_list), 1)
@@ -1338,11 +1339,12 @@ class TestSlapOSCoreInstanceSlapInterfaceWorkflowTransfer(SlapOSTestCaseMixin):

    self.assertEqual(certificate_login.getValidationState(), 'validated')
    self.assertNotEqual(certificate_login.getReference(), None)
-    self.assertNotEqual(certificate_login.getDestinationReference(), None)
-    serial = '0x%x' % int(certificate_login.getDestinationReference(), 16)
-    self.assertIn(serial, self.software_instance.getSslCertificate())
-    self.assertIn(certificate_login.getReference(), \
-       self.software_instance.getSslCertificate().decode('string_escape'))
+
+    self.assertNotEqual(certificate_login.getSourceReference(), None)
+    ssl_certificate = x509.load_pem_x509_certificate(self.software_instance.getSslCertificate())
+    self.assertEqual(len(ssl_certificate.subject), 2)
+    cn = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME][0]
+    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn)
    self.assertRaises(ValueError, self.software_instance.generateCertificate)

  def test_revokeCertificate(self):
@@ -1371,7 +1373,7 @@ class TestSlapOSCoreInstanceSlapInterfaceWorkflowTransfer(SlapOSTestCaseMixin):
    certificate_login = certificate_login_list[0]
    self.assertEqual(certificate_login.getValidationState(), 'validated')
    self.assertNotEqual(certificate_login.getReference(), None)
-    self.assertNotEqual(certificate_login.getDestinationReference(), None)
+    self.assertNotEqual(certificate_login.getSourceReference(), None)

    self.assertNotEqual(self.software_instance.getSslKey(),
      ssl_key)
@@ -1398,11 +1400,11 @@ class TestSlapOSCoreInstanceSlapInterfaceWorkflowTransfer(SlapOSTestCaseMixin):

    self.assertEqual(another_certificate_login.getValidationState(), 'validated')
    self.assertNotEqual(another_certificate_login.getReference(), None)
-    self.assertNotEqual(another_certificate_login.getDestinationReference(), None)
+    self.assertNotEqual(another_certificate_login.getSourceReference(), None)

    self.assertEqual(certificate_login.getValidationState(), 'invalidated')
    self.assertNotEqual(certificate_login.getReference(),
      another_certificate_login.getReference())
-    self.assertNotEqual(certificate_login.getDestinationReference(),
-      another_certificate_login.getDestinationReference())
+    self.assertNotEqual(certificate_login.getSourceReference(),
+      another_certificate_login.getSourceReference())

--- a/master/bt5/slapos_jio/TestTemplateItem/portal_components/test.erp5.testSlapOSHalJsonStyleSkins.py
+++ b/master/bt5/slapos_jio/TestTemplateItem/portal_components/test.erp5.testSlapOSHalJsonStyleSkins.py
@@ -618,7 +618,7 @@ class TestPerson_get_Certificate(TestSlapOSHalJsonStyleMixin):

    self.assertSameSet(response_dict.keys(), ["common_name", "certificate", "id", "key"])

-    self.assertEqual(response_dict["id"], login.getDestinationReference())
+    self.assertEqual(response_dict["id"], login.getSourceReference())
    self.assertEqual(json.dumps(response_dict["common_name"]), json.dumps(login.getReference()))
    self.assertEqual(self.portal.REQUEST.RESPONSE.getStatus(), 200)

@@ -632,7 +632,7 @@ class TestPerson_get_Certificate(TestSlapOSHalJsonStyleMixin):
    self.assertEqual("validated" , login.getValidationState())
    self.assertEqual("validated" , new_login.getValidationState())
    self.assertNotEqual(login.getReference(), new_login.getReference())
-    self.assertNotEqual(login.getDestinationReference(), new_login.getDestinationReference())
+    self.assertNotEqual(login.getSourceReference(), new_login.getSourceReference())

    self.assertSameSet(new_response_dict.keys(), ["common_name", "certificate", "id", "key"])
    self.assertEqual(json.dumps(new_response_dict["common_name"]), json.dumps(new_login.getReference()))