mirror of
https://github.com/apache/cloudstack.git
synced 2025-10-26 08:42:29 +01:00
7ce54bf7a8
This introduces a new certificate authority framework that allows pluggable CA provider implementations to handle certificate operations around issuance, revocation and propagation. The framework injects itself to `NioServer` to handle agent connections securely. The framework adds assumptions in `NioClient` that a keystore if available with known name `cloud.jks` will be used for SSL negotiations and handshake. This includes a default 'root' CA provider plugin which creates its own self-signed root certificate authority on first run and uses it for issuance and provisioning of certificate to CloudStack agents such as the KVM, CPVM and SSVM agents and also for the management server for peer clustering. Additional changes and notes: - Comma separate list of management server IPs can be set to the 'host' global setting. Newly provisioned agents (KVM/CPVM/SSVM etc) will get radomized comma separated list to which they will attempt connection or reconnection in provided order. This removes need of a TCP LB on port 8250 (default) of the management server(s). - All fresh deployment will enforce two-way SSL authentication where connecting agents will be required to present certificates issued by the 'root' CA plugin. - Existing environment on upgrade will continue to use one-way SSL authentication and connecting agents will not be required to present certificates. - A script `keystore-setup` is responsible for initial keystore setup and CSR generation on the agent/hosts. - A script `keystore-cert-import` is responsible for import provided certificate payload to the java keystore file. - Agent security (keystore, certificates etc) are setup initially using SSH, and later provisioning is handled via an existing agent connection using command-answers. The supported clients and agents are limited to CPVM, SSVM, and KVM agents, and clustered management server (peering). - Certificate revocation does not revoke an existing agent-mgmt server connection, however rejects a revoked certificate used during SSL handshake. - Older `cloudstackmanagement.keystore` is deprecated and will no longer be used by mgmt server(s) for SSL negotiations and handshake. New keystores will be named `cloud.jks`, any additional SSL certificates should not be imported in it for use with tomcat etc. The `cloud.jks` keystore is stricly used for agent-server communications. - Management server keystore are validated and renewed on start up only, the validity of them are same as the CA certificates. New APIs: - listCaProviders: lists all available CA provider plugins - listCaCertificate: lists the CA certificate(s) - issueCertificate: issues X509 client certificate with/without a CSR - provisionCertificate: provisions certificate to a host - revokeCertificate: revokes a client certificate using its serial Global settings for the CA framework: - ca.framework.provider.plugin: The configured CA provider plugin - ca.framework.cert.keysize: The key size for certificate generation - ca.framework.cert.signature.algorithm: The certificate signature algorithm - ca.framework.cert.validity.period: Certificate validity in days - ca.framework.cert.automatic.renewal: Certificate auto-renewal setting - ca.framework.background.task.delay: CA background task delay/interval - ca.framework.cert.expiry.alert.period: Days to check and alert expiring certificates Global settings for the default 'root' CA provider: - ca.plugin.root.private.key: (hidden/encrypted) CA private key - ca.plugin.root.public.key: (hidden/encrypted) CA public key - ca.plugin.root.ca.certificate: (hidden/encrypted) CA certificate - ca.plugin.root.issuer.dn: The CA issue distinguished name - ca.plugin.root.auth.strictness: Are clients required to present certificates - ca.plugin.root.allow.expired.cert: Are clients with expired certificates allowed UI changes: - Button to download/save the CA certificates. Misc changes: - Upgrades bountycastle version and uses newer classes - Refactors SAMLUtil to use new CertUtils Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
230 lines
9.1 KiB
Python
230 lines
9.1 KiB
Python
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from nose.plugins.attrib import attr
|
|
from marvin.cloudstackTestCase import *
|
|
from marvin.cloudstackAPI import *
|
|
from marvin.lib.utils import *
|
|
from marvin.lib.base import *
|
|
from marvin.lib.common import *
|
|
|
|
from cryptography import x509
|
|
from cryptography.hazmat.backends import default_backend
|
|
from cryptography.hazmat.primitives import serialization
|
|
from OpenSSL.crypto import FILETYPE_PEM, verify, X509
|
|
|
|
PUBKEY_VERIFY=True
|
|
try:
|
|
from OpenSSL.crypto import load_publickey
|
|
except ImportError:
|
|
PUBKEY_VERIFY=False
|
|
|
|
|
|
class TestCARootProvider(cloudstackTestCase):
|
|
|
|
@classmethod
|
|
def setUpClass(cls):
|
|
testClient = super(TestCARootProvider, cls).getClsTestClient()
|
|
cls.apiclient = testClient.getApiClient()
|
|
cls.services = testClient.getParsedTestDataConfig()
|
|
cls.hypervisor = cls.testClient.getHypervisorInfo()
|
|
cls.cleanup = []
|
|
|
|
|
|
@classmethod
|
|
def tearDownClass(cls):
|
|
try:
|
|
cleanup_resources(cls.apiclient, cls.cleanup)
|
|
except Exception as e:
|
|
raise Exception("Warning: Exception during cleanup : %s" % e)
|
|
|
|
|
|
def setUp(self):
|
|
self.apiclient = self.testClient.getApiClient()
|
|
self.dbclient = self.testClient.getDbConnection()
|
|
self.cleanup = []
|
|
|
|
|
|
def tearDown(self):
|
|
try:
|
|
cleanup_resources(self.apiclient, self.cleanup)
|
|
except Exception as e:
|
|
raise Exception("Warning: Exception during cleanup : %s" % e)
|
|
|
|
|
|
def getUpSystemVMHosts(self, hostId=None):
|
|
hosts = list_hosts(
|
|
self.apiclient,
|
|
type='SecondaryStorageVM',
|
|
state='Up',
|
|
resourcestate='Enabled',
|
|
id=hostId
|
|
)
|
|
return hosts
|
|
|
|
|
|
@attr(tags=['advanced', 'simulator', 'basic', 'sg'], required_hardware=False)
|
|
def test_list_ca_providers(self):
|
|
"""
|
|
Tests default ca providers list
|
|
"""
|
|
cmd = listCAProviders.listCAProvidersCmd()
|
|
response = self.apiclient.listCAProviders(cmd)
|
|
self.assertEqual(len(response), 1)
|
|
self.assertEqual(response[0].name, 'root')
|
|
|
|
|
|
def getCaCertificate(self):
|
|
cmd = listCaCertificate.listCaCertificateCmd()
|
|
cmd.provider = 'root'
|
|
response = self.apiclient.listCaCertificate(cmd)
|
|
return response.cacertificates.certificate
|
|
|
|
|
|
@attr(tags=['advanced', 'simulator', 'basic', 'sg'], required_hardware=False)
|
|
def test_list_ca_certificate(self):
|
|
"""
|
|
Tests the ca certificate
|
|
"""
|
|
certificate = self.getCaCertificate()
|
|
self.assertTrue(len(certificate) > 0)
|
|
|
|
cert = x509.load_pem_x509_certificate(str(certificate), default_backend())
|
|
self.assertEqual(cert.signature_hash_algorithm.name, 'sha256')
|
|
self.assertEqual(cert.issuer.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value, 'ca.cloudstack.apache.org')
|
|
|
|
|
|
@attr(tags=['advanced', 'simulator', 'basic', 'sg'], required_hardware=False)
|
|
def test_issue_certificate_without_csr(self):
|
|
"""
|
|
Tests issuance of a certificate
|
|
"""
|
|
cmd = issueCertificate.issueCertificateCmd()
|
|
cmd.domain = 'apache.org,cloudstack.apache.org'
|
|
cmd.ipaddress = '10.1.1.1,10.2.2.2'
|
|
cmd.provider = 'root'
|
|
|
|
response = self.apiclient.issueCertificate(cmd)
|
|
self.assertTrue(len(response.privatekey) > 0)
|
|
self.assertTrue(len(response.cacertificates) > 0)
|
|
self.assertTrue(len(response.certificate) > 0)
|
|
|
|
cert = x509.load_pem_x509_certificate(str(response.certificate), default_backend())
|
|
|
|
# Validate basic certificate attributes
|
|
self.assertEqual(cert.signature_hash_algorithm.name, 'sha256')
|
|
self.assertEqual(cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value, 'apache.org')
|
|
|
|
# Validate alternative names
|
|
altNames = cert.extensions.get_extension_for_oid(x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
|
|
for domain in cmd.domain.split(','):
|
|
self.assertTrue(domain in altNames.value.get_values_for_type(x509.DNSName))
|
|
for address in cmd.ipaddress.split(','):
|
|
self.assertTrue(address in map(lambda x: str(x), altNames.value.get_values_for_type(x509.IPAddress)))
|
|
|
|
# Validate certificate against CA public key
|
|
global PUBKEY_VERIFY
|
|
if not PUBKEY_VERIFY:
|
|
return
|
|
caCert = x509.load_pem_x509_certificate(str(self.getCaCertificate()), default_backend())
|
|
x = X509()
|
|
x.set_pubkey(load_publickey(FILETYPE_PEM, str(caCert.public_key().public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo))))
|
|
verify(x, cert.signature, cert.tbs_certificate_bytes, cert.signature_hash_algorithm.name)
|
|
|
|
|
|
@attr(tags=['advanced', 'simulator', 'basic', 'sg'], required_hardware=False)
|
|
def test_issue_certificate_with_csr(self):
|
|
"""
|
|
Tests issuance of a certificate
|
|
"""
|
|
cmd = issueCertificate.issueCertificateCmd()
|
|
cmd.csr = "-----BEGIN CERTIFICATE REQUEST-----\nMIIBHjCByQIBADBkMQswCQYDVQQGEwJJTjELMAkGA1UECAwCSFIxETAPBgNVBAcM\nCEd1cnVncmFtMQ8wDQYDVQQKDAZBcGFjaGUxEzARBgNVBAsMCkNsb3VkU3RhY2sx\nDzANBgNVBAMMBnYtMS1WTTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQD46KFWKYrJ\nF43Y1oqWUfrl4mj4Qm05Bgsi6nuigZv7ufiAKK0nO4iJKdRa2hFMUvBi2/bU3IyY\nNvg7cdJsn4K9AgMBAAGgADANBgkqhkiG9w0BAQUFAANBAIta9glu/ZSjA/ncyXix\nyDOyAKmXXxsRIsdrEuIzakUuJS7C8IG0FjUbDyIaiwWQa5x+Lt4oMqCmpNqRzaGP\nfOo=\n-----END CERTIFICATE REQUEST-----"
|
|
cmd.provider = 'root'
|
|
|
|
response = self.apiclient.issueCertificate(cmd)
|
|
self.assertTrue(response.privatekey is None)
|
|
self.assertTrue(len(response.cacertificates) > 0)
|
|
self.assertTrue(len(response.certificate) > 0)
|
|
|
|
cert = x509.load_pem_x509_certificate(str(response.certificate), default_backend())
|
|
|
|
# Validate basic certificate attributes
|
|
self.assertEqual(cert.signature_hash_algorithm.name, 'sha256')
|
|
self.assertEqual(cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value, 'v-1-VM')
|
|
|
|
# Validate certificate against CA public key
|
|
global PUBKEY_VERIFY
|
|
if not PUBKEY_VERIFY:
|
|
return
|
|
caCert = x509.load_pem_x509_certificate(str(self.getCaCertificate()), default_backend())
|
|
x = X509()
|
|
x.set_pubkey(load_publickey(FILETYPE_PEM, str(caCert.public_key().public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo))))
|
|
verify(x, cert.signature, cert.tbs_certificate_bytes, cert.signature_hash_algorithm.name)
|
|
|
|
|
|
@attr(tags=['advanced', 'simulator', 'basic', 'sg'], required_hardware=False)
|
|
def test_revoke_certificate(self):
|
|
"""
|
|
Tests certificate revocation
|
|
"""
|
|
cmd = revokeCertificate.revokeCertificateCmd()
|
|
cmd.serial = 'abc123' # hex value
|
|
cmd.cn = 'example.com'
|
|
cmd.provider = 'root'
|
|
|
|
self.dbclient.execute("delete from crl where serial='%s'" % cmd.serial)
|
|
|
|
response = self.apiclient.revokeCertificate(cmd)
|
|
self.assertTrue(response.success)
|
|
|
|
crl = self.dbclient.execute("select serial, cn from crl where serial='%s'" % cmd.serial)[0]
|
|
self.assertEqual(crl[0], cmd.serial)
|
|
self.assertEqual(crl[1], cmd.cn)
|
|
|
|
|
|
@attr(tags=['advanced', 'simulator', 'basic', 'sg'], required_hardware=False)
|
|
def test_provision_certificate(self):
|
|
"""
|
|
Tests certificate provisioning
|
|
"""
|
|
hosts = self.getUpSystemVMHosts()
|
|
if not hosts or len(hosts) < 1:
|
|
raise self.skipTest("No Up systemvm hosts found, skipping test")
|
|
|
|
host = hosts[0]
|
|
|
|
cmd = provisionCertificate.provisionCertificateCmd()
|
|
cmd.hostid = host.id
|
|
cmd.reconnect = True
|
|
cmd.provider = 'root'
|
|
|
|
response = self.apiclient.provisionCertificate(cmd)
|
|
self.assertTrue(response.success)
|
|
|
|
if self.hypervisor.lower() == 'simulator':
|
|
hosts = self.getUpSystemVMHosts(host.id)
|
|
self.assertTrue(hosts is None or len(hosts) == 0)
|
|
else:
|
|
def checkHostIsUp(hostId):
|
|
hosts = self.getUpSystemVMHosts(host.id)
|
|
return (hosts is not None), hosts
|
|
result, hosts = wait_until(1, 30, checkHostIsUp, host.id)
|
|
if result:
|
|
self.assertTrue(len(hosts) == 1)
|
|
else:
|
|
self.fail("Failed to have systemvm host in Up state after cert provisioning")
|