From 3acb57a71cf6ce59eae11883277e1915759b7606 Mon Sep 17 00:00:00 2001 From: econwar Date: Fri, 25 Jan 2019 12:05:45 +0000 Subject: [PATCH] Add DR suite that verifies security certs Change-Id: I75e28171bc5999e8e19f5ca9a236e0a1d17a5a38 Issue-ID: DMAAP-1004 Signed-off-by: econwar --- plans/dmaap-datarouter/ssl-dr-suite/setup.sh | 68 +++++++++++++++++++ plans/dmaap-datarouter/ssl-dr-suite/teardown.sh | 26 ++++++++ plans/dmaap-datarouter/ssl-dr-suite/testplan.txt | 2 + scripts/dmaap-datarouter/datarouterCA.crt | 39 +++++++++++ scripts/dmaap-datarouter/remove_cert_from_ca.py | 51 +++++++++++++++ scripts/dmaap-datarouter/update_ca.py | 33 ++++++++++ .../ssl-dr-suite/ssl-dr-suite.robot | 76 ++++++++++++++++++++++ 7 files changed, 295 insertions(+) create mode 100755 plans/dmaap-datarouter/ssl-dr-suite/setup.sh create mode 100755 plans/dmaap-datarouter/ssl-dr-suite/teardown.sh create mode 100755 plans/dmaap-datarouter/ssl-dr-suite/testplan.txt create mode 100644 scripts/dmaap-datarouter/datarouterCA.crt create mode 100644 scripts/dmaap-datarouter/remove_cert_from_ca.py create mode 100644 scripts/dmaap-datarouter/update_ca.py create mode 100755 tests/dmaap-datarouter/ssl-dr-suite/ssl-dr-suite.robot diff --git a/plans/dmaap-datarouter/ssl-dr-suite/setup.sh b/plans/dmaap-datarouter/ssl-dr-suite/setup.sh new file mode 100755 index 00000000..39217991 --- /dev/null +++ b/plans/dmaap-datarouter/ssl-dr-suite/setup.sh @@ -0,0 +1,68 @@ +#!/bin/bash +# +# ============LICENSE_START======================================================= +# Copyright (C) 2019 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +# +source ${SCRIPTS}/common_functions.sh + +# Clone DMaaP Data Router repo +mkdir -p $WORKSPACE/archives/dmaapdr +cd $WORKSPACE/archives/dmaapdr + +git clone --depth 1 https://gerrit.onap.org/r/dmaap/datarouter -b master +cd datarouter +git pull +cd $WORKSPACE/archives/dmaapdr/datarouter/datarouter-docker-compose/src/main/resources + +# start DMaaP DR containers with docker compose and configuration from docker-compose.yml +docker login -u docker -p docker nexus3.onap.org:10001 +docker-compose up -d + +# Wait for initialization of Docker container for datarouter-node, datarouter-prov and mariadb +for i in {1..10}; do + if [ $(docker inspect --format '{{ .State.Running }}' datarouter-node) ] && \ + [ $(docker inspect --format '{{ .State.Running }}' datarouter-prov) ] && \ + [ $(docker inspect --format '{{ .State.Running }}' subscriber-node) ] && \ + [ $(docker inspect --format '{{ .State.Running }}' mariadb) ] + then + echo "DR Service Running" + break + else + echo sleep $i + sleep $i + fi +done + +DR_PROV_IP=`get-instance-ip.sh datarouter-prov` +DR_NODE_IP=`get-instance-ip.sh datarouter-node` +DR_SUB_IP=`get-instance-ip.sh subscriber-node` +DR_GATEWAY_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.Gateway}}{{end}}' datarouter-prov) + +echo DR_PROV_IP=${DR_PROV_IP} +echo DR_NODE_IP=${DR_NODE_IP} +echo DR_SUB_IP=${DR_SUB_IP} +echo DR_GATEWAY_IP=${DR_GATEWAY_IP} + +sudo sed -i "$ a $DR_PROV_IP dmaap-dr-prov" /etc/hosts +sudo sed -i "$ a $DR_NODE_IP dmaap-dr-node" /etc/hosts + +python $WORKSPACE/scripts/dmaap-datarouter/update_ca.py + +docker exec -i datarouter-prov sh -c "curl -k -X PUT https://dmaap-dr-prov:8443/internal/api/PROV_AUTH_ADDRESSES?val=dmaap-dr-prov\|$DR_GATEWAY_IP" + +ROBOT_VARIABLES="-v DR_SUB_IP:${DR_SUB_IP}" \ No newline at end of file diff --git a/plans/dmaap-datarouter/ssl-dr-suite/teardown.sh b/plans/dmaap-datarouter/ssl-dr-suite/teardown.sh new file mode 100755 index 00000000..3cf35373 --- /dev/null +++ b/plans/dmaap-datarouter/ssl-dr-suite/teardown.sh @@ -0,0 +1,26 @@ +#!/bin/bash +# +# ============LICENSE_START======================================================= +# Copyright (C) 2019 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +# + +cd $WORKSPACE/archives/dmaapdr/datarouter/datarouter-docker-compose/src/main/resources +sudo sed -i".bak" '/dmaap-dr-prov/d' /etc/hosts +sudo sed -i".bak" '/dmaap-dr-node/d' /etc/hosts +docker-compose down -v +python $WORKSPACE/scripts/dmaap-datarouter/remove_cert_from_ca.py diff --git a/plans/dmaap-datarouter/ssl-dr-suite/testplan.txt b/plans/dmaap-datarouter/ssl-dr-suite/testplan.txt new file mode 100755 index 00000000..5d32c668 --- /dev/null +++ b/plans/dmaap-datarouter/ssl-dr-suite/testplan.txt @@ -0,0 +1,2 @@ +# Place the suites in run order. +dmaap-datarouter/ssl-dr-suite diff --git a/scripts/dmaap-datarouter/datarouterCA.crt b/scripts/dmaap-datarouter/datarouterCA.crt new file mode 100644 index 00000000..a8a0ed84 --- /dev/null +++ b/scripts/dmaap-datarouter/datarouterCA.crt @@ -0,0 +1,39 @@ + +# Issuer: C=US,O=ONAP,OU=OSAAF +# Subject: C=US,O=ONAP,OU=OSAAF +# Label: "" +# Serial: 0x9EAEEDC0A7CEB59D +# MD5 Fingerprint: 77:EB:5E:94:2E:B7:A3:45:97:6C:87:FE:A7:F7:64:0F +# SHA1 Fingerprint: 90:25:D1:D3:8B:3C:BE:2C:73:E9:6C:1A:48:5B:06:A8:39:0D:54:3B +# SHA256 Fingerprint: 1F:C2:BB:F6:7E:11:6F:F0:4C:C3:D9:6C:73:E5:99:B7:CA:7D:4D:EF:AA:6C:69:46:0D:2C:7B:A9:E4:23:5F:EA +-----BEGIN CERTIFICATE----- +MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV +BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx +NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK +DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7 +XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn +H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM +pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7 +NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg +2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY +wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd +ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM +P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6 +aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY +PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G +A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ +UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN +BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz +L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9 +7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx +c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf +jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2 +RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h +PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF +CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+ +Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A +cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR +ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX +dYY= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/scripts/dmaap-datarouter/remove_cert_from_ca.py b/scripts/dmaap-datarouter/remove_cert_from_ca.py new file mode 100644 index 00000000..192e274f --- /dev/null +++ b/scripts/dmaap-datarouter/remove_cert_from_ca.py @@ -0,0 +1,51 @@ +# +# ============LICENSE_START======================================================= +# Copyright (C) 2019 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +# + +import certifi +import os + +cafile = certifi.where() +number_of_lines_to_delete = 39 +count = 0 +dr_cert_exists = False + +with open(cafile, 'r+b', buffering=0) as outfile: + for line in outfile.readlines()[-35:-34]: + if "# Serial: 0x9EAEEDC0A7CEB59D" in line: + dr_cert_exists = True + if dr_cert_exists: + outfile.seek(0, os.SEEK_END) + end = outfile.tell() + while outfile.tell() > 0: + outfile.seek(-1, os.SEEK_CUR) + char = outfile.read(1) + if char == b'\n': + count += 1 + if count == number_of_lines_to_delete: + outfile.truncate() + print("Removed " + str(number_of_lines_to_delete) + " lines from end of CA File") + exit(0) + outfile.seek(-1, os.SEEK_CUR) + else: + print("No DR cert in CA File to remove") + +if count < number_of_lines_to_delete + 1: + print("Number of lines in file less than number of lines to delete. Exiting...") + exit(1) diff --git a/scripts/dmaap-datarouter/update_ca.py b/scripts/dmaap-datarouter/update_ca.py new file mode 100644 index 00000000..0d76e224 --- /dev/null +++ b/scripts/dmaap-datarouter/update_ca.py @@ -0,0 +1,33 @@ +# +# ============LICENSE_START======================================================= +# Copyright (C) 2019 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +# + +import certifi +import os + +cafile = certifi.where() +dir_path = os.path.dirname(os.path.realpath(__file__)) +datarouter_ca = dir_path + '/datarouterCA.crt' +with open(datarouter_ca, 'rb') as infile: + customca = infile.read() + +with open(cafile, 'ab') as outfile: + outfile.write(customca) + +print("Added DR Cert to CA") diff --git a/tests/dmaap-datarouter/ssl-dr-suite/ssl-dr-suite.robot b/tests/dmaap-datarouter/ssl-dr-suite/ssl-dr-suite.robot new file mode 100755 index 00000000..d2e466d9 --- /dev/null +++ b/tests/dmaap-datarouter/ssl-dr-suite/ssl-dr-suite.robot @@ -0,0 +1,76 @@ +*** Settings *** +Library OperatingSystem +Library RequestsLibrary +Library requests +Library Collections +Library String +Library Process + +*** Variables *** +${TARGET_URL} https://dmaap-dr-prov:8443/ +${CREATE_FEED_DATA} {"name": "CSIT_Test", "version": "v1.0.0", "description": "CSIT_Test", "business_description": "CSIT_Test", "suspend": false, "deleted": false, "changeowner": true, "authorization": {"classification": "unclassified", "endpoint_addrs": [], "endpoint_ids": [{"password": "dradmin", "id": "dradmin"}]}} +${SUBSCRIBE_DATA} {"delivery":{ "url":"http://${DR_SUB_IP}:7070/", "user":"LOGIN", "password":"PASSWORD", "use100":true}, "metadataOnly":false, "suspend":false, "groupid":29, "subscriber":"dmaap-subscriber"} +${FEED_CONTENT_TYPE} application/vnd.att-dr.feed +${SUBSCRIBE_CONTENT_TYPE} application/vnd.att-dr.subscription +${PUBLISH_FEED_CONTENT_TYPE} application/octet-stream +${CLI_VERIFY_SUB_RECEIVED_FILE} docker exec subscriber-node /bin/sh -c "ls /opt/app/subscriber/delivery | grep csit_test" + +*** Test Cases *** +Run Feed Creation + [Documentation] Feed Creation + [Timeout] 1 minute + ${resp}= PostCall ${TARGET_URL} ${CREATE_FEED_DATA} ${FEED_CONTENT_TYPE} dradmin + log ${TARGET_URL} + log ${resp.text} + Should Be Equal As Strings ${resp.status_code} 201 + log 'JSON Response Code:'${resp} + +Run Subscribe to Feed + [Documentation] Subscribe to Feed + [Timeout] 1 minute + ${resp}= PostCall ${TARGET_URL}subscribe/1 ${SUBSCRIBE_DATA} ${SUBSCRIBE_CONTENT_TYPE} dradmin + log ${TARGET_URL}subscribe/1 + log ${resp.text} + Should Be Equal As Strings ${resp.status_code} 201 + log 'JSON Response Code:'${resp} + +Run Publish to Feed + [Documentation] Publish to Feed + [Timeout] 1 minute + Sleep 10s Behaviour was noticed where feed was not created in time for publish to be sent + ${resp}= PutCall ${TARGET_URL}publish/1/csit_test ${CREATE_FEED_DATA} ${PUBLISH_FEED_CONTENT_TYPE} dradmin + log ${TARGET_URL}publish/1/csit_test + ${redirect_location}= Set Variable ${resp.headers['Location']} + log ${redirect_location} + ${resp}= PutCall ${redirect_location} ${CREATE_FEED_DATA} ${PUBLISH_FEED_CONTENT_TYPE} dradmin + log ${resp.text} + Should Be Equal As Strings ${resp.status_code} 204 + log 'JSON Response Code:'${resp} + +Verify Subscriber Received Published File + [Documentation] Verify file is delivered on datarouter-subscriber + [Timeout] 1 minute + Sleep 5s Time to allow subscriber to receive the file + ${cli_cmd_output}= Run Process ${CLI_VERIFY_SUB_RECEIVED_FILE} shell=yes + Log ${cli_cmd_output.stdout} + Should Be Equal As Strings ${cli_cmd_output.rc} 0 + Should Contain ${cli_cmd_output.stdout} csit_test + +*** Keywords *** +PostCall + [Arguments] ${url} ${data} ${content_type} ${user} + ${headers}= Create Dictionary X-ATT-DR-ON-BEHALF-OF=${user} Content-Type=${content_type} + ${resp}= Evaluate requests.post('${url}', data='${data}', headers=${headers}, verify=True) requests + [Return] ${resp} + +PutCall + [Arguments] ${url} ${data} ${content_type} ${user} + ${headers}= Create Dictionary X-ATT-DR-ON-BEHALF-OF=${user} Content-Type=${content_type} Authorization=Basic ZHJhZG1pbjpkcmFkbWlu + ${resp}= Evaluate requests.put('${url}', data='${data}', headers=${headers}, verify=True, allow_redirects=False) requests + [Return] ${resp} + +DeleteCall + [Arguments] ${url} ${user} + ${headers}= Create Dictionary X-ATT-DR-ON-BEHALF-OF=${user} + ${resp}= Evaluate requests.delete('${url}', headers=${headers}, verify=True) requests + [Return] ${resp} -- 2.16.6