Add image signing scenario
This change adds the first scenario test to the Barbican Tempest plugin. This scenatio tests Nova and Glance's image signature verification functionality. Depends-On: Ifdf8b426c21e4b3a51f97cbc3d95eb842eb04515 Change-Id: Id9629ecbbc75e19eec81f60daec7b0a085bcdc12
This commit is contained in:
parent
35c2c57f45
commit
5af45595bb
|
@ -12,14 +12,22 @@
|
|||
# License for the specific language governing permissions and limitations under
|
||||
# the License.
|
||||
|
||||
from tempest import clients
|
||||
from tempest.common import credentials_factory as common_creds
|
||||
from tempest import config
|
||||
from tempest.lib.services import clients
|
||||
|
||||
from tempest.lib.services import clients as cli
|
||||
|
||||
CONF = config.CONF
|
||||
|
||||
ADMIN_CREDS = common_creds.get_configured_admin_credentials()
|
||||
|
||||
class Clients(clients.ServiceClients):
|
||||
|
||||
class Manager(clients.Manager):
|
||||
def __init__(self, credentials=ADMIN_CREDS):
|
||||
super(Manager, self).__init__(credentials)
|
||||
|
||||
|
||||
class Clients(cli.ServiceClients):
|
||||
"""Tempest stable service clients and loaded plugins service clients"""
|
||||
|
||||
def __init__(self, credentials, service=None):
|
||||
|
|
|
@ -0,0 +1,158 @@
|
|||
# Copyright 2017 Johns Hopkins Applied Physics Lab
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import base64
|
||||
from datetime import datetime
|
||||
from datetime import timedelta
|
||||
import os
|
||||
|
||||
from cryptography.hazmat.backends import default_backend
|
||||
from cryptography.hazmat.primitives.asymmetric import padding
|
||||
from cryptography.hazmat.primitives.asymmetric import rsa
|
||||
from cryptography.hazmat.primitives import hashes
|
||||
from cryptography.hazmat.primitives import serialization
|
||||
from cryptography import x509
|
||||
from cryptography.x509.oid import NameOID
|
||||
|
||||
from oslo_log import log as logging
|
||||
from tempest import config
|
||||
from tempest.scenario import manager as mgr
|
||||
|
||||
from barbican_tempest_plugin import clients
|
||||
|
||||
CONF = config.CONF
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class BarbicanScenarioTest(mgr.ScenarioTest):
|
||||
|
||||
credentials = ('primary', )
|
||||
manager = clients.Manager()
|
||||
|
||||
def setUp(self):
|
||||
super(BarbicanScenarioTest, self).setUp()
|
||||
self.img_file = os.path.join(CONF.scenario.img_dir,
|
||||
CONF.scenario.img_file)
|
||||
self.private_key = rsa.generate_private_key(public_exponent=3,
|
||||
key_size=1024,
|
||||
backend=default_backend())
|
||||
self.signing_certificate = self._create_self_signed_certificate(
|
||||
self.private_key
|
||||
)
|
||||
self.signing_cert_uuid = self._store_cert(
|
||||
self.signing_certificate
|
||||
)
|
||||
|
||||
@classmethod
|
||||
def skip_checks(cls):
|
||||
super(BarbicanScenarioTest, cls).skip_checks()
|
||||
if not CONF.service_available.barbican:
|
||||
raise cls.skipException('Barbican is not enabled.')
|
||||
|
||||
@classmethod
|
||||
def setup_clients(cls):
|
||||
super(BarbicanScenarioTest, cls).setup_clients()
|
||||
|
||||
os = getattr(cls, 'os_%s' % cls.credentials[0])
|
||||
cls.consumer_client = os.secret_v1.ConsumerClient(
|
||||
service='key-manager'
|
||||
)
|
||||
cls.container_client = os.secret_v1.ContainerClient(
|
||||
service='key-manager'
|
||||
)
|
||||
cls.order_client = os.secret_v1.OrderClient(service='key-manager')
|
||||
cls.secret_client = os.secret_v1.SecretClient(service='key-manager')
|
||||
cls.secret_metadata_client = os.secret_v1.SecretMetadataClient(
|
||||
service='key-manager'
|
||||
)
|
||||
|
||||
def _get_uuid(self, href):
|
||||
return href.split('/')[-1]
|
||||
|
||||
def _create_self_signed_certificate(self, private_key):
|
||||
issuer = x509.Name([
|
||||
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
|
||||
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
|
||||
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
|
||||
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
|
||||
x509.NameAttribute(NameOID.COMMON_NAME, u"Test Certificate"),
|
||||
])
|
||||
cert_builder = x509.CertificateBuilder(
|
||||
issuer_name=issuer, subject_name=issuer,
|
||||
public_key=private_key.public_key(),
|
||||
serial_number=x509.random_serial_number(),
|
||||
not_valid_before=datetime.utcnow(),
|
||||
not_valid_after=datetime.utcnow() + timedelta(days=10)
|
||||
)
|
||||
cert = cert_builder.sign(private_key,
|
||||
hashes.SHA256(),
|
||||
default_backend())
|
||||
return cert
|
||||
|
||||
def _store_cert(self, cert):
|
||||
pem_encoding = cert.public_bytes(encoding=serialization.Encoding.PEM)
|
||||
cert_b64 = base64.b64encode(pem_encoding)
|
||||
expire_time = (datetime.utcnow() + timedelta(days=5))
|
||||
LOG.debug("Uploading certificate to barbican")
|
||||
result = self.secret_client.create_secret(
|
||||
expiration=expire_time.isoformat(), algorithm="rsa",
|
||||
secret_type="certificate",
|
||||
payload_content_type="application/octet-stream",
|
||||
payload_content_encoding="base64",
|
||||
payload=cert_b64
|
||||
)
|
||||
LOG.debug("Certificate uploaded to barbican (%s)", result)
|
||||
return self._get_uuid(result['secret_ref'])
|
||||
|
||||
def _sign_image(self, image_file):
|
||||
LOG.debug("Creating signature for image data")
|
||||
signer = self.private_key.signer(
|
||||
padding.PSS(
|
||||
mgf=padding.MGF1(hashes.SHA256()),
|
||||
salt_length=padding.PSS.MAX_LENGTH
|
||||
),
|
||||
hashes.SHA256()
|
||||
)
|
||||
chunk_bytes = 8192
|
||||
with open(image_file, 'rb') as f:
|
||||
chunk = f.read(chunk_bytes)
|
||||
while len(chunk) > 0:
|
||||
signer.update(chunk)
|
||||
chunk = f.read(chunk_bytes)
|
||||
signature = signer.finalize()
|
||||
signature_b64 = base64.b64encode(signature)
|
||||
return signature_b64
|
||||
|
||||
def sign_and_upload_image(self):
|
||||
img_signature = self._sign_image(self.img_file)
|
||||
|
||||
img_properties = {
|
||||
'img_signature': img_signature,
|
||||
'img_signature_certificate_uuid': self.signing_cert_uuid,
|
||||
'img_signature_key_type': 'RSA-PSS',
|
||||
'img_signature_hash_method': 'SHA-256',
|
||||
}
|
||||
|
||||
LOG.debug("Uploading image with signature metadata properties")
|
||||
img_uuid = self._image_create(
|
||||
'signed_img',
|
||||
CONF.scenario.img_container_format,
|
||||
self.img_file,
|
||||
disk_format=CONF.scenario.img_disk_format,
|
||||
properties=img_properties
|
||||
)
|
||||
LOG.debug("Uploaded image %s", img_uuid)
|
||||
|
||||
return img_uuid
|
|
@ -0,0 +1,83 @@
|
|||
# Copyright (c) 2017 Johns Hopkins University Applied Physics Laboratory
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_log import log as logging
|
||||
from tempest import config
|
||||
from tempest import exceptions
|
||||
from tempest.lib import decorators
|
||||
from tempest import test
|
||||
|
||||
from barbican_tempest_plugin.tests.scenario import barbican_manager
|
||||
|
||||
CONF = config.CONF
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class ImageSigningTest(barbican_manager.BarbicanScenarioTest):
|
||||
|
||||
@decorators.idempotent_id('4343df3c-5553-40ea-8705-0cce73b297a9')
|
||||
@test.services('compute', 'image')
|
||||
def test_signed_image_upload_and_boot(self):
|
||||
"""Test that Nova boots a signed image.
|
||||
|
||||
The test follows these steps:
|
||||
* Create an asymmetric keypair
|
||||
* Sign an image file with the private key
|
||||
* Create a certificate with the public key
|
||||
* Store the certificate in Barbican
|
||||
* Store the signed image in Glance
|
||||
* Boot the signed image
|
||||
* Confirm the instance changes state to Active
|
||||
"""
|
||||
img_uuid = self.sign_and_upload_image()
|
||||
|
||||
LOG.debug("Booting server with signed image %s", img_uuid)
|
||||
instance = self.create_server(name='signed_img_server',
|
||||
image_id=img_uuid,
|
||||
wait_until='ACTIVE')
|
||||
self.servers_client.delete_server(instance['id'])
|
||||
|
||||
@decorators.idempotent_id('74f022d6-a6ef-4458-96b7-541deadacf99')
|
||||
@test.services('compute', 'image')
|
||||
def test_signed_image_upload_boot_failure(self):
|
||||
"""Test that Nova refuses to boot an incorrectly signed image.
|
||||
|
||||
If the create_server call succeeds instead of throwing an
|
||||
exception, it is likely that signature verification is not
|
||||
turned on. To turn on signature verification, set
|
||||
verify_glance_signatures=True in the nova configuration
|
||||
file under the [glance] section.
|
||||
|
||||
The test follows these steps:
|
||||
* Create an asymmetric keypair
|
||||
* Sign an image file with the private key
|
||||
* Create a certificate with the public key
|
||||
* Store the certificate in Barbican
|
||||
* Store the signed image in Glance
|
||||
* Modify the signature to be incorrect
|
||||
* Attempt to boot the incorrectly signed image
|
||||
* Confirm an exception is thrown
|
||||
"""
|
||||
img_uuid = self.sign_and_upload_image()
|
||||
|
||||
LOG.debug("Modifying image signature to be incorrect")
|
||||
metadata = {'img_signature': 'fake_signature'}
|
||||
self.compute_images_client.update_image_metadata(
|
||||
img_uuid, metadata
|
||||
)
|
||||
|
||||
self.assertRaisesRegex(exceptions.BuildErrorException,
|
||||
"Signature verification for the image failed",
|
||||
self.create_server,
|
||||
image_id=img_uuid)
|
|
@ -11,7 +11,16 @@ export LOCALCONF_PATH=$DEVSTACK_DIR/local.conf
|
|||
# Here we can set some configurations for local.conf
|
||||
# for example, to pass some config options directly to .conf files
|
||||
|
||||
# For image signature verification tests
|
||||
echo -e '[[post-config|$NOVA_CONF]]' >> $LOCALCONF_PATH
|
||||
echo -e '[glance]' >> $LOCALCONF_PATH
|
||||
echo -e 'verify_glance_signatures = True' >> $LOCALCONF_PATH
|
||||
|
||||
# Allow dynamically created tempest users to create secrets
|
||||
# in barbican
|
||||
echo -e '[[test-config|$TEMPEST_CONFIG]]' >> $LOCALCONF_PATH
|
||||
echo -e '[auth]' >> $LOCALCONF_PATH
|
||||
echo -e 'tempest_roles=creator' >> $LOCALCONF_PATH
|
||||
# Glance v1 doesn't do signature verification on image upload
|
||||
echo -e '[image-feature-enabled]' >> $LOCALCONF_PATH
|
||||
echo -e 'api_v1=False' >> $LOCALCONF_PATH
|
||||
|
|
Loading…
Reference in New Issue