sts-sponsors team mailing list archive
Message #02924
[Bug 1820083] Re: TLS params not set for session
For the record, this is the proposed unit test to be added, since the
pastebin is set to expire after one year.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import shutil
import tempfile
from socket import gethostname

from OpenSSL import crypto

from etcd3gw.client import Etcd3Client
from etcd3gw.tests import base


def create_self_signed_cert(directory):
    """Write a self-signed certificate and its private key into ``directory``.

    Returns the (cert, key, ca) paths. The certificate is its own issuer, so
    the same PEM file doubles as the CA file the client verifies against.
    """
    # create a key pair (pyOpenSSL keeps both halves in one PKey object)
    key_pair = crypto.PKey()
    key_pair.generate_key(crypto.TYPE_RSA, 2048)

    # create a self-signed cert; the subject is also the issuer
    cert = crypto.X509()
    subject = cert.get_subject()
    subject.C = "US"
    subject.ST = "Boston"
    subject.L = "Boston"
    subject.O = "Test Company Ltd"
    subject.OU = "Test Company Ltd"
    subject.CN = gethostname()
    cert.set_serial_number(1000)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
    cert.set_issuer(subject)
    cert.set_pubkey(key_pair)
    cert.sign(key_pair, "sha256")

    cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8")
    key_pem = crypto.dump_privatekey(crypto.FILETYPE_PEM, key_pair).decode("utf-8")

    crt_path = os.path.join(directory, "cert.crt")
    key_path = os.path.join(directory, "test.key")
    ca_path = os.path.join(directory, "test.ca")
    with open(crt_path, "w") as crt:
        crt.write(cert_pem)
    with open(key_path, "w") as key:
        key.write(key_pem)
    # the CA file must hold a certificate, not a signing request: for a
    # self-signed cert the trust anchor is the cert itself
    with open(ca_path, "w") as ca:
        ca.write(cert_pem)
    return crt_path, key_path, ca_path


class TestEtcd3Gateway(base.TestCase):

    def test_client_default(self):
        client = Etcd3Client()
        self.assertEqual("http://localhost:2379/v3alpha/lease/grant",
                         client.get_url("/lease/grant"))

    def test_client_ipv4(self):
        client = Etcd3Client(host="127.0.0.1")
        self.assertEqual("http://127.0.0.1:2379/v3alpha/lease/grant",
                         client.get_url("/lease/grant"))

    def test_client_ipv6(self):
        client = Etcd3Client(host="::1")
        self.assertEqual("http://[::1]:2379/v3alpha/lease/grant",
                         client.get_url("/lease/grant"))

    def test_client_tls(self):
        tmpdir = tempfile.mkdtemp()
        self.addCleanup(shutil.rmtree, tmpdir)
        crt_path, key_path, ca_path = create_self_signed_cert(tmpdir)
        # requests expects file paths for cert/verify, so pass paths rather
        # than open file objects
        client = Etcd3Client(host="127.0.0.1", protocol="https",
                             ca_cert=ca_path, cert_key=key_path,
                             cert_cert=crt_path, timeout=10)
        # without the fix, session.cert stays None and session.verify
        # stays True (system trust store), regardless of the arguments
        self.assertEqual((crt_path, key_path), client.session.cert)
        self.assertEqual(ca_path, client.session.verify)
--
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1820083
Title:
TLS params not set for session
Status in python-etcd3gw package in Ubuntu:
Fix Released
Status in python-etcd3gw source package in Bionic:
In Progress
Status in python-etcd3gw source package in Cosmic:
Won't Fix
Status in python-etcd3gw source package in Disco:
Won't Fix
Status in python-etcd3gw source package in Eoan:
Won't Fix
Status in python-etcd3gw source package in Focal:
In Progress
Status in python-etcd3gw source package in Groovy:
Won't Fix
Status in python-etcd3gw source package in Hirsute:
Fix Released
Bug description:
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca,
cert and key) are not actually set for the session. This prevents use
of TLS for the etcd3gw package.
[Test Plan]
# Create self-signed certs, using the default for all prompts
$ openssl req -addext "subjectAltName = DNS:localhost" -x509 -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.crt
# install the 'etcd' package, stop the default server, and spin up an etcd server
$ sudo apt install etcd
$ sudo systemctl stop etcd
$ etcd --name test --data-dir test --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://localhost:2379 --listen-client-urls=https://localhost:2379
# run test script
$ cat test.py
#!/usr/bin/python3
from etcd3gw import Etcd3Client
c = Etcd3Client(host="localhost", protocol="https", cert_key="localhost.key", cert_cert="localhost.crt", ca_cert="localhost.crt", timeout=10)
c.put('test', 'success!')
resp = c.get('test')
print(b''.join(resp).decode())
$ ./test.py
success!
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions
would involve failed connections, possibly those without TLS that had
TLS params incorrectly provided before.
[Other]
The upstream bug is https://github.com/dims/etcd3-gateway/issues/20,
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0.
That commit is contained in version 0.2.2, which is already in h, so
this is needed in b/f/g. This package was not included in Xenial.
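The defect and the fix side by side, as an added example that is not etcd3gw's own code. The two client classes model what the [Impact] section describes: the TLS keyword arguments are accepted but never copied onto the session (BuggyClient), versus applied to it (FixedClient, the shape of the fix assumed here; the upstream commit may differ in detail). The `_Session` class is a stand-in for `requests.Session` constructed for this example, and `audit_tls()` is a hypothetical check that also covers the regression risk named under [Where Problems Could Occur], a plain-http client that carries TLS parameters. The attribute names `.protocol`, `.ca_cert`, `.cert_cert`, `.cert_key` and `.session` are assumed to match the real client; `timeout` is not modelled because requests takes it per request, not on the session.

```python
"""Added example, not etcd3gw code: the bug next to the fix, plus a check."""
import os
import tempfile


class _Session:
    """Stand-in for requests.Session (constructed for this example). Only the
    two attributes the fix has to set are modelled: `cert` (client certificate
    as a path or a (cert_path, key_path) tuple) and `verify` (CA bundle path,
    or True for the system trust store)."""

    def __init__(self):
        self.cert = None
        self.verify = True


class BuggyClient:
    """Before the fix: TLS arguments are stored but never reach the session,
    so HTTPS requests verify against the system store and send no client
    certificate, which fails against a private CA."""

    def __init__(self, host="localhost", port=2379, protocol="http",
                 ca_cert=None, cert_key=None, cert_cert=None, timeout=None):
        self.host, self.port, self.protocol = host, port, protocol
        self.ca_cert, self.cert_key, self.cert_cert = ca_cert, cert_key, cert_cert
        self.timeout = timeout
        self.session = _Session()


class FixedClient(BuggyClient):
    """After the fix (assumed shape): parameters that were given are applied."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        if self.ca_cert is not None:
            self.session.verify = self.ca_cert
        if self.cert_cert is not None and self.cert_key is not None:
            self.session.cert = (self.cert_cert, self.cert_key)


def audit_tls(client):
    """Return a list of findings; an empty list means the session is
    consistent with the arguments. Hypothetical helper, duck-typed on
    .protocol/.ca_cert/.cert_cert/.cert_key/.session."""
    findings = []
    s = client.session
    if client.protocol == "https":
        if client.ca_cert is not None and s.verify != client.ca_cert:
            findings.append("ca_cert given but session.verify not set")
        if (client.cert_cert is not None and client.cert_key is not None
                and s.cert != (client.cert_cert, client.cert_key)):
            findings.append("client cert/key given but session.cert not set")
        if s.verify is False:
            findings.append("certificate verification disabled")
    else:
        # the regression case from the bug report: TLS material on an http client
        if s.cert is not None or s.verify is not True:
            findings.append("TLS parameters applied to a plain-http session")
    # a path that does not exist would make requests fail on the first call
    for label, value in (("ca_cert", s.verify), ("cert", s.cert)):
        paths = value if isinstance(value, tuple) else (value,)
        for p in paths:
            if isinstance(p, str) and not os.path.exists(p):
                findings.append(f"{label} path does not exist: {p}")
    return findings


def demo():
    """Audit both clients with throwaway placeholder files (constructed input;
    only their existence is checked). Returns (buggy_findings, fixed_findings)."""
    with tempfile.TemporaryDirectory() as d:
        ca, crt, key = (os.path.join(d, n) for n in ("ca.pem", "client.crt", "client.key"))
        for p in (ca, crt, key):
            open(p, "w").close()
        kw = dict(host="127.0.0.1", protocol="https", ca_cert=ca,
                  cert_cert=crt, cert_key=key, timeout=10)
        return audit_tls(BuggyClient(**kw)), audit_tls(FixedClient(**kw))


if __name__ == "__main__":
    buggy, fixed = demo()
    print("before fix:", buggy)
    print("after fix: ", fixed)
```

Run against the real `Etcd3Client` from the test plan (`audit_tls(Etcd3Client(host="localhost", protocol="https", ...))`), the check returns two findings on the unfixed package and none once the fix is applied, which is the same condition the proposed unit test asserts.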
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+subscriptions