Fix KMIP gate
Switches the KMIP server configuration and the KMIP plugin to use TLSv1.2 by default, which is the most secure option. If the system is older and its ssl module does not provide TLSv1.2, an error is logged. Removes the behavior of switching to TLSv1.2 despite the user's configuration that was added with I7018262cb74a95dfa24d6b94d49f1ebd62bdeebd. This behavior was confusing -- it is much clearer to have the user-configurable option default to TLSv1.2. Sets KMIP_PLUGIN_ENABLED before running the tests, so that the tests that won't work for KMIP are skipped. See Id908bf57233af84bff56d90c75d175b04ccd4373 for more details. Cleans up the quotes around the paths to the log files and server conf files when they are passed to the pykmip server. Depends-On: I9fe7b156c4a825c8bfe94a3c48ce686ce0dee01e Change-Id: I64e27a26dfe02d794b725763c55d0197bc2c46bd
This commit is contained in:
parent
6752fa23b5
commit
10e7a5491a
@ -61,7 +61,7 @@ kmip_opts = [
|
||||
help=u._('Port for the KMIP server'),
|
||||
),
|
||||
cfg.StrOpt('ssl_version',
|
||||
default='PROTOCOL_TLSv1',
|
||||
default='PROTOCOL_TLSv1_2',
|
||||
help=u._('SSL version, maps to the module ssl\'s constants'),
|
||||
),
|
||||
cfg.StrOpt('ca_certs',
|
||||
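Review bot: The `ssl_version` option still accepts any attribute name of the `ssl` module, so a deployer can set `PROTOCOL_SSLv3` or `PROTOCOL_SSLv23` and nothing at config-load time rejects it; the only check is the runtime lookup in `KMIPSecretStore.__init__`. Since this hunk is where the default is being hardened, constrain the value at the option itself if the pinned oslo.config supports it, e.g. `choices=['PROTOCOL_TLSv1', 'PROTOCOL_TLSv1_1', 'PROTOCOL_TLSv1_2']`, and extend the help text to state that the default is TLSv1.2 and that an older interpreter whose `ssl` module lacks a constant must be configured with one it has. The `kmip_opts` list this hunk edits starts before the hunk.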
@ -239,13 +239,9 @@ class KMIPSecretStore(ss.SecretStoreBase):
|
||||
|
||||
config = conf.kmip_plugin
|
||||
|
||||
# Use TLSv1_2, if present
|
||||
tlsv12 = getattr(ssl, "PROTOCOL_TLSv1_2", None)
|
||||
if tlsv12:
|
||||
config.ssl_version = 'PROTOCOL_TLSv1_2'
|
||||
LOG.info(u._LI('Going to use TLS1.2...'))
|
||||
else:
|
||||
LOG.warning(u._LW('TLSv1_2 is not present on the System'))
|
||||
if not getattr(ssl, config.ssl_version, None):
|
||||
LOG.error(u._LE("The configured SSL version (%s) is not available"
|
||||
" on the system."), config.ssl_version)
|
||||
|
||||
self.client = client.ProxyKmipClient(
|
||||
hostname=config.host,
|
||||
|
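Review bot: When the configured `ssl_version` is not present in the `ssl` module, the new code only logs an error and then falls through to `client.ProxyKmipClient(...)` with the unusable value, so the misconfiguration surfaces later (or not at all) instead of at plugin load. Raise instead of logging, e.g. `raise ValueError(u._("The configured SSL version (%s) is not available on the system.") % config.ssl_version)` — or the plugin's own configuration exception if one exists — so the secret store refuses to start. Separately, `if not getattr(ssl, config.ssl_version, None)` tests the constant's truthiness rather than its presence; the `PROTOCOL_*` constants are small ints and `PROTOCOL_SSLv2` is 0 on interpreters that still define it, so `if getattr(ssl, config.ssl_version, None) is None` is the intended check, and if SSLv2/SSLv3 are meant to be rejected that should be explicit rather than a side effect. `__init__` begins before this hunk and the client construction continues past it.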
@ -13,7 +13,6 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
import base64
|
||||
import ssl
|
||||
import stat
|
||||
|
||||
import mock
|
||||
@ -146,11 +145,18 @@ class WhenTestingKMIPSecretStore(utils.BaseTestCase):
|
||||
self.assertTrue(secret_store.pkcs1_only)
|
||||
|
||||
def test_enable_tlsv12_config_option(self):
|
||||
ssl.PROTOCOL_TLSv1_2 = 5
|
||||
ssl_version = "PROTOCOL_TLSv1_2"
|
||||
CONF = kss.CONF
|
||||
secret_store = kss.KMIPSecretStore(CONF)
|
||||
self.assertTrue(secret_store)
|
||||
self.assertEqual(CONF.kmip_plugin.ssl_version, 'PROTOCOL_TLSv1_2')
|
||||
CONF.kmip_plugin.ssl_version = ssl_version
|
||||
kss.KMIPSecretStore(CONF)
|
||||
self.assertEqual(ssl_version, CONF.kmip_plugin.ssl_version)
|
||||
|
||||
def test_enable_tlsv1_config_option(self):
|
||||
ssl_version = "PROTOCOL_TLSv1"
|
||||
CONF = kss.CONF
|
||||
CONF.kmip_plugin.ssl_version = ssl_version
|
||||
kss.KMIPSecretStore(CONF)
|
||||
self.assertEqual(ssl_version, CONF.kmip_plugin.ssl_version)
|
||||
|
||||
# --------------- TEST GENERATE_SUPPORTS ---------------------------------
|
||||
|
||||
|
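Review bot: Both new tests assign `CONF.kmip_plugin.ssl_version` on the shared module-level `kss.CONF` and never restore it, so whichever test runs last leaves the global default mutated for every later test in the process; register a cleanup, e.g. `self.addCleanup(setattr, CONF.kmip_plugin, 'ssl_version', 'PROTOCOL_TLSv1_2')`, or use an oslo.config fixture. The closing `self.assertEqual(ssl_version, CONF.kmip_plugin.ssl_version)` only re-reads the value the test just wrote and cannot fail; what the commit actually changed is that the store no longer overrides the configured value, which is better pinned by asserting on the keyword arguments passed to the mocked `client.ProxyKmipClient` (the call site is outside this hunk, so the exact kwarg to check needs confirming). The rendered hunk has lost its `+`/`-` markers, so which of the `ssl.PROTOCOL_TLSv1_2 = 5` and `self.assertTrue(secret_store)` lines survive is inferred from the removal of `import ssl`.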
@ -376,6 +376,7 @@ function install_pykmip {
|
||||
if is_service_enabled pykmip-server; then
|
||||
[ ! -d ${PYKMIP_CONF_DIR} ] && sudo mkdir -p ${PYKMIP_CONF_DIR}
|
||||
sudo chown ${USER} ${PYKMIP_CONF_DIR}
|
||||
|
||||
[ ! -d ${PYKMIP_LOG_DIR} ] && sudo mkdir -p ${PYKMIP_LOG_DIR}
|
||||
sudo chown ${USER} ${PYKMIP_LOG_DIR}
|
||||
|
||||
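Review bot: `sudo mkdir -p` followed by `sudo chown ${USER}` creates the conf and log directories with root's umask and then only transfers ownership, so their mode is never set explicitly and is typically world-readable; the server config written under `${PYKMIP_CONF_DIR}` names the TLS key path and the log directory will hold the server's log. Collapse each pair into one call that sets mode and owner together, `sudo install -d -m 0750 -o "${USER}" "${PYKMIP_CONF_DIR}"` (and the same for `${PYKMIP_LOG_DIR}`), which also quotes the variables. Whether devstack locks these paths down elsewhere is not visible here, so treat this as a hardening suggestion.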
@ -397,7 +398,7 @@ port=5696
|
||||
certificate_path=${PYKMIP_SERVER_CERT}
|
||||
key_path=${PYKMIP_SERVER_KEY}
|
||||
ca_path=${PYKMIP_CA_PATH}
|
||||
auth_suite=Basic
|
||||
auth_suite=TLS1.2
|
||||
EOF
|
||||
fi
|
||||
fi
|
||||
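Review bot: `auth_suite=TLS1.2` pins the PyKMIP server to TLS 1.2 while the Barbican client side is pinned separately through `[kmip_plugin] ssl_version`, and nothing in either file records that the two must agree; a deployer who lowers `ssl_version` to `PROTOCOL_TLSv1` will get a handshake failure with no hint why. Add a shell comment above the heredoc (the `cat <<EOF` line is outside this hunk), e.g. `# auth_suite must stay in step with the barbican [kmip_plugin] ssl_version default (PROTOCOL_TLSv1_2)`, keeping it out of the heredoc so it is not emitted into server.conf.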
@ -415,7 +416,7 @@ function configure_pykmip {
|
||||
|
||||
# start_pykmip - start the PyKMIP server
|
||||
function start_pykmip {
|
||||
run_process pykmip-server "pykmip-server -f \'${PYKMIP_CONF}\' -l \'${PYKMIP_LOG_DIR}/pykmip-devstack.log\'"
|
||||
run_process pykmip-server "pykmip-server -f ${PYKMIP_CONF} -l ${PYKMIP_LOG_DIR}/pykmip-devstack.log"
|
||||
}
|
||||
|
||||
# Dogtag functions
|
||||
|
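Review bot: Dropping the escaped single quotes fixes the literal `'` characters that were being handed to pykmip-server, but the replacement leaves `${PYKMIP_CONF}` and `${PYKMIP_LOG_DIR}` unquoted inside the command string, so whitespace or glob characters in those paths split or expand the arguments when `run_process` evaluates the string. If `run_process` passes the string through a shell (devstack's does, as far as I recall — confirm), escaped double quotes survive correctly: `run_process pykmip-server "pykmip-server -f \"${PYKMIP_CONF}\" -l \"${PYKMIP_LOG_DIR}/pykmip-devstack.log\""`. Both variables are defined outside this hunk.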
@ -18,8 +18,10 @@
|
||||
|
||||
set -ex
|
||||
|
||||
plugin=$1
|
||||
|
||||
sudo pip install -r /opt/stack/new/barbican/test-requirements.txt
|
||||
|
||||
cd /opt/stack/new/barbican/functionaltests
|
||||
echo 'Running Functional Tests'
|
||||
sudo ./run_tests.sh
|
||||
sudo ./run_tests.sh $plugin
|
||||
|
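Review bot: `$plugin` is expanded unquoted on the `sudo ./run_tests.sh $plugin` line, so an argument containing whitespace splits into several positional parameters for the privileged script and an empty argument disappears entirely; write `sudo ./run_tests.sh "$plugin"`. With `set -ex` already at the top of the file, also consider `plugin=${1:-}` so the script keeps working if `set -u` is ever added. The `run_tests.sh` that consumes the argument is shown in a later hunk.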
@ -22,6 +22,12 @@ fi
|
||||
|
||||
echo "Successfully contacted the Barbican API"
|
||||
|
||||
plugin=$1
|
||||
|
||||
if [[ "$plugin" == "kmip" ]]; then
|
||||
export KMIP_PLUGIN_ENABLED=1
|
||||
fi
|
||||
|
||||
# run the tests sequentially
|
||||
testr init
|
||||
testr run --subunit | subunit-trace --no-failure-debug -f
|
||||
|
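Review bot: Only the exact string `kmip` enables the KMIP-specific skipping; any other value (a typo such as `KMIP`, or a stale job argument) silently runs the full suite with `KMIP_PLUGIN_ENABLED` unset, which in a gate job reads as a pass rather than a misconfiguration. Echo the selected plugin and fail on unrecognised names, treating an empty argument as the default backend. Whether this script runs under `set -u` is not visible; if it does, `plugin=${1:-}` is needed for the no-argument case.
```shell
plugin=${1:-}

case "$plugin" in
    "") ;;                                  # default backend, nothing to export
    kmip) export KMIP_PLUGIN_ENABLED=1 ;;
    *) echo "Unknown plugin: $plugin" >&2; exit 1 ;;
esac
echo "Running functional tests for plugin: ${plugin:-default}"

# … unchanged: testr init / testr run …
```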