Fix KMIP gate

Switches KMIP server configuration and KMIP plugin to use TLSv1.2
by default. This is the most secure option. In case the system is
older and does not have TLSv1.2, an error message is printed out.

Removes the behavior, added with I7018262cb74a95dfa24d6b94d49f1ebd62bdeebd,
of switching to TLSv1.2 regardless of the user's configuration. That
behavior was confusing -- it is much clearer to have the
user-configurable options default to TLSv1.2.

Sets KMIP_PLUGIN_ENABLED before running the tests, so that the
tests that won't work for KMIP will be skipped.
See Id908bf57233af84bff56d90c75d175b04ccd4373 for more details.

Cleans up the quotes around the paths to the log files and server
conf files when they are passed to the pykmip server.

Depends-On: I9fe7b156c4a825c8bfe94a3c48ce686ce0dee01e
Change-Id: I64e27a26dfe02d794b725763c55d0197bc2c46bd
Kaitlin Farr 2017-02-23 18:15:57 -05:00
parent 6752fa23b5
commit 10e7a5491a
5 changed files with 27 additions and 16 deletions


@ -61,7 +61,7 @@ kmip_opts = [
help=u._('Port for the KMIP server'),
),
cfg.StrOpt('ssl_version',
default='PROTOCOL_TLSv1',
default='PROTOCOL_TLSv1_2',
help=u._('SSL version, maps to the module ssl\'s constants'),
),
cfg.StrOpt('ca_certs',
@ -239,13 +239,9 @@ class KMIPSecretStore(ss.SecretStoreBase):
config = conf.kmip_plugin
# Use TLSv1_2, if present
tlsv12 = getattr(ssl, "PROTOCOL_TLSv1_2", None)
if tlsv12:
config.ssl_version = 'PROTOCOL_TLSv1_2'
LOG.info(u._LI('Going to use TLS1.2...'))
else:
LOG.warning(u._LW('TLSv1_2 is not present on the System'))
if not getattr(ssl, config.ssl_version, None):
LOG.error(u._LE("The configured SSL version (%s) is not available"
" on the system."), config.ssl_version)
self.client = client.ProxyKmipClient(
hostname=config.host,
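Review bot: The new check `if not getattr(ssl, config.ssl_version, None):` only logs and then falls through to `client.ProxyKmipClient(...)`, so an unavailable or misspelled protocol still builds the client and fails later with a less specific error, or runs with whatever the client falls back to. Failing fast would be safer: after the `LOG.error` call add `raise ValueError('unsupported ssl_version: %s' % config.ssl_version)` (or the plugin's own configuration exception, if one exists). The truthiness test also conflates "attribute missing" with "attribute present but zero" and accepts any `ssl` module attribute, not only protocol constants; `if not config.ssl_version.startswith('PROTOCOL_') or not hasattr(ssl, config.ssl_version):` states the intent explicitly. The constructor body continues past the end of the hunk.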


@ -13,7 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
import base64
import ssl
import stat
import mock
@ -146,11 +145,18 @@ class WhenTestingKMIPSecretStore(utils.BaseTestCase):
self.assertTrue(secret_store.pkcs1_only)
def test_enable_tlsv12_config_option(self):
ssl.PROTOCOL_TLSv1_2 = 5
ssl_version = "PROTOCOL_TLSv1_2"
CONF = kss.CONF
secret_store = kss.KMIPSecretStore(CONF)
self.assertTrue(secret_store)
self.assertEqual(CONF.kmip_plugin.ssl_version, 'PROTOCOL_TLSv1_2')
CONF.kmip_plugin.ssl_version = ssl_version
kss.KMIPSecretStore(CONF)
self.assertEqual(ssl_version, CONF.kmip_plugin.ssl_version)
def test_enable_tlsv1_config_option(self):
ssl_version = "PROTOCOL_TLSv1"
CONF = kss.CONF
CONF.kmip_plugin.ssl_version = ssl_version
kss.KMIPSecretStore(CONF)
self.assertEqual(ssl_version, CONF.kmip_plugin.ssl_version)
# --------------- TEST GENERATE_SUPPORTS ---------------------------------
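Review bot: Both new tests assign `CONF.kmip_plugin.ssl_version = ssl_version` on the shared module-level `kss.CONF` and never restore it, so the value leaks into whichever test runs next (`test_enable_tlsv1_config_option` leaves it at `PROTOCOL_TLSv1` while the option now defaults to `PROTOCOL_TLSv1_2`). If `utils.BaseTestCase` is a unittest/testtools test case, `self.addCleanup(setattr, CONF.kmip_plugin, 'ssl_version', CONF.kmip_plugin.ssl_version)` placed before the assignment would isolate them. The assertions also only check that the value round-trips through CONF; they do not verify that `KMIPSecretStore` passes the configured protocol to the client or logs when it is unavailable, and since `mock` is already imported here, patching the client constructor and asserting on its `ssl_version` argument (presumably what the constructor forwards — confirm) would exercise the behaviour this commit changes. The test class continues outside the hunk.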


@ -376,6 +376,7 @@ function install_pykmip {
if is_service_enabled pykmip-server; then
[ ! -d ${PYKMIP_CONF_DIR} ] && sudo mkdir -p ${PYKMIP_CONF_DIR}
sudo chown ${USER} ${PYKMIP_CONF_DIR}
[ ! -d ${PYKMIP_LOG_DIR} ] && sudo mkdir -p ${PYKMIP_LOG_DIR}
sudo chown ${USER} ${PYKMIP_LOG_DIR}
@ -397,7 +398,7 @@ port=5696
certificate_path=${PYKMIP_SERVER_CERT}
key_path=${PYKMIP_SERVER_KEY}
ca_path=${PYKMIP_CA_PATH}
auth_suite=Basic
auth_suite=TLS1.2
EOF
fi
fi
@ -415,7 +416,7 @@ function configure_pykmip {
# start_pykmip - start the PyKMIP server
function start_pykmip {
run_process pykmip-server "pykmip-server -f \'${PYKMIP_CONF}\' -l \'${PYKMIP_LOG_DIR}/pykmip-devstack.log\'"
run_process pykmip-server "pykmip-server -f ${PYKMIP_CONF} -l ${PYKMIP_LOG_DIR}/pykmip-devstack.log"
}
# Dogtag functions
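Review bot: The rewritten `run_process` line in `start_pykmip` now passes `${PYKMIP_CONF}` and `${PYKMIP_LOG_DIR}/pykmip-devstack.log` with no quoting at all. Dropping the escaped `\'` is correct if `run_process` executes the string without a shell, because the quote characters would otherwise become part of the path; if it does go through a shell, a path containing whitespace will now be word-split, which is worth confirming against the `run_process` implementation. A one-line comment above the call, `# paths are passed unquoted: run_process does not interpret shell quoting`, would record whichever is true. The whole function is inside the hunk.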


@ -18,8 +18,10 @@
set -ex
plugin=$1
sudo pip install -r /opt/stack/new/barbican/test-requirements.txt
cd /opt/stack/new/barbican/functionaltests
echo 'Running Functional Tests'
sudo ./run_tests.sh
sudo ./run_tests.sh $plugin
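Review bot: `plugin=$1` at the top of the gate hook is undocumented; a comment such as `# optional: name of the secret-store plugin under test (e.g. kmip), forwarded to run_tests.sh` would tell the next maintainer what values are expected. The unquoted `$plugin` in `sudo ./run_tests.sh $plugin` relies on word splitting to omit the argument when it is unset; since run_tests.sh only compares `"$plugin" == "kmip"`, quoting it as `"$plugin"` is behaviourally safe and avoids splitting a value containing spaces. An unset `$1` is harmless under `set -ex` because `set -u` is not enabled.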


@ -22,6 +22,12 @@ fi
echo "Successfully contacted the Barbican API"
plugin=$1
if [[ "$plugin" == "kmip" ]]; then
export KMIP_PLUGIN_ENABLED=1
fi
# run the tests sequentially
testr init
testr run --subunit | subunit-trace --no-failure-debug -f
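Review bot: The `export KMIP_PLUGIN_ENABLED=1` block should say what the variable does, since its consumer is not in this file: `# KMIP_PLUGIN_ENABLED makes the functional tests skip cases the KMIP backend does not support (see Id908bf57233af84bff56d90c75d175b04ccd4373)`. Because the variable is only ever set and never cleared, a value already present in the gate environment would also enable the skips for a non-kmip run; an `else` branch with `unset KMIP_PLUGIN_ENABLED` would make the plugin argument the single source of truth.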