Merge pull request #434 from OpenKMIP/feat/add-auth-integration-tests

Add functional tests for server auth and access control

.travis.yml

@@ -18,6 +18,14 @@ matrix:
           os: linux
           dist: trusty
           env: TOXENV=py27 RUN_INTEGRATION_TESTS=1
+        - python: 2.7
+          os: linux
+          dist: precise
+          env: TOXENV=py27 RUN_INTEGRATION_TESTS=2
+        - python: 2.7
+          os: linux
+          dist: trusty
+          env: TOXENV=py27 RUN_INTEGRATION_TESTS=2
         - python: 3.4
           os: linux
           dist: precise
@@ -34,6 +42,14 @@ matrix:
           os: linux
           dist: trusty
           env: TOXENV=py34 RUN_INTEGRATION_TESTS=1
+        - python: 3.4
+          os: linux
+          dist: precise
+          env: TOXENV=py34 RUN_INTEGRATION_TESTS=2
+        - python: 3.4
+          os: linux
+          dist: trusty
+          env: TOXENV=py34 RUN_INTEGRATION_TESTS=2
         - python: 3.5
           os: linux
           dist: precise
@@ -50,6 +66,14 @@ matrix:
           os: linux
           dist: trusty
           env: TOXENV=py35 RUN_INTEGRATION_TESTS=1
+        - python: 3.5
+          os: linux
+          dist: precise
+          env: TOXENV=py35 RUN_INTEGRATION_TESTS=2
+        - python: 3.5
+          os: linux
+          dist: trusty
+          env: TOXENV=py35 RUN_INTEGRATION_TESTS=2
         - python: 3.6
           os: linux
           dist: precise
@@ -66,6 +90,14 @@ matrix:
           os: linux
           dist: trusty
           env: TOXENV=py36 RUN_INTEGRATION_TESTS=1
+        - python: 3.6
+          os: linux
+          dist: precise
+          env: TOXENV=py36 RUN_INTEGRATION_TESTS=2
+        - python: 3.6
+          os: linux
+          dist: trusty
+          env: TOXENV=py36 RUN_INTEGRATION_TESTS=2
         - python: 2.7
           os: linux
           dist: precise
@@ -91,9 +123,14 @@ matrix:
           dist: trusty
           env: TOXENV=docs RUN_INTEGRATION_TESTS=0
 install:
+  # Pin six to >= 1.11.0 to avoid setuptools/pip race condition
+  # For more info, see: https://github.com/OpenKMIP/PyKMIP/issues/435
+  - pip uninstall -y six
+  - pip install six>=1.11.0
   - pip install tox
   - pip install bandit
   - pip install codecov
+  - pip install slugs
   - python setup.py install
 script:
   - ./.travis/run.sh

.travis/functional/pykmip/certs/dummy.txt

@@ -0,0 +1 @@
+Dummy file to ensure ./certs gets copied with the ./pykmip directory.

.travis/functional/pykmip/client.conf

@@ -0,0 +1,51 @@
+[john_doe]
+host=127.0.0.1
+port=5696
+certfile=/tmp/pykmip/certs/client_certificate_john_doe.pem
+keyfile=/tmp/pykmip/certs/client_key_john_doe.pem
+ca_certs=/tmp/pykmip/certs/root_certificate.pem
+cert_reqs=CERT_REQUIRED
+ssl_version=PROTOCOL_SSLv23
+do_handshake_on_connect=True
+suppress_ragged_eofs=True
+username=John Doe
+password=secret1
+
+[jane_doe]
+host=127.0.0.1
+port=5696
+certfile=/tmp/pykmip/certs/client_certificate_jane_doe.pem
+keyfile=/tmp/pykmip/certs/client_key_jane_doe.pem
+ca_certs=/tmp/pykmip/certs/root_certificate.pem
+cert_reqs=CERT_REQUIRED
+ssl_version=PROTOCOL_SSLv23
+do_handshake_on_connect=True
+suppress_ragged_eofs=True
+username=Jane Doe
+password=secret2
+
+[john_smith]
+host=127.0.0.1
+port=5696
+certfile=/tmp/pykmip/certs/client_certificate_john_smith.pem
+keyfile=/tmp/pykmip/certs/client_key_john_smith.pem
+ca_certs=/tmp/pykmip/certs/root_certificate.pem
+cert_reqs=CERT_REQUIRED
+ssl_version=PROTOCOL_SSLv23
+do_handshake_on_connect=True
+suppress_ragged_eofs=True
+username=John Smith
+password=secret3
+
+[jane_smith]
+host=127.0.0.1
+port=5696
+certfile=/tmp/pykmip/certs/client_certificate_jane_smith.pem
+keyfile=/tmp/pykmip/certs/client_key_jane_smith.pem
+ca_certs=/tmp/pykmip/certs/root_certificate.pem
+cert_reqs=CERT_REQUIRED
+ssl_version=PROTOCOL_SSLv23
+do_handshake_on_connect=True
+suppress_ragged_eofs=True
+username=Jane Smith
+password=secret4

.travis/functional/pykmip/policies/policy.json

@@ -0,0 +1,24 @@
+{
+  "policy_1": {
+    "groups": {
+      "Group A": {
+        "SYMMETRIC_KEY": {
+          "GET": "ALLOW_ALL",
+          "DESTROY": "ALLOW_ALL"
+        }
+      },
+      "Group B": {
+        "SYMMETRIC_KEY": {
+          "GET": "ALLOW_ALL",
+          "DESTROY": "DISALLOW_ALL"
+        }
+      }
+    },
+    "default": {
+      "SYMMETRIC_KEY": {
+        "GET": "DISALLOW_ALL",
+        "DESTROY": "DISALLOW_ALL"
+      }
+    }
+  }
+}

.travis/functional/pykmip/server.conf

@@ -0,0 +1,19 @@
+[server]
+hostname=127.0.0.1
+port=5696
+certificate_path=/tmp/pykmip/certs/server_certificate.pem
+key_path=/tmp/pykmip/certs/server_key.pem
+ca_path=/tmp/pykmip/certs/root_certificate.pem
+auth_suite=Basic
+policy_path=/tmp/pykmip/policies
+enable_tls_client_auth=True
+tls_cipher_suites=
+    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+    AES128-SHA256
+    TLS_RSA_WITH_AES_256_CBC_SHA256
+    AES256-SHA256
+logging_level=DEBUG
+
+[auth:slugs]
+enabled=True
+url=http://127.0.0.1:8080/slugs/

.travis/functional/slugs/slugs.conf

@@ -0,0 +1,12 @@
+[global]
+environment = 'production'
+server.socket_host = '127.0.0.1'
+server.socket_port = 8080
+log.access_file = '/tmp/slugs/access.log'
+log.error_file = '/tmp/slugs/error.log'
+
+[data]
+user_group_mapping = '/tmp/slugs/user_group_mapping.csv'
+
+[/slugs]
+tools.trailing_slash.on = True

.travis/functional/slugs/user_group_mapping.csv

@@ -0,0 +1,4 @@
+John Doe,Group A
+Jane Doe,Group A
+Jane Doe,Group B
+John Smith,Group B

.travis/run.sh

@@ -16,6 +16,21 @@ if [[ "${RUN_INTEGRATION_TESTS}" == "1" ]]; then
     sudo chmod 777 /var/log/pykmip
     python ./bin/run_server.py &
     tox -e integration -- --config client
+elif [[ "${RUN_INTEGRATION_TESTS}" == "2" ]]; then
+    # Set up the SLUGS instance
+    cp -r ./.travis/functional/slugs /tmp/
+    slugs -c /tmp/slugs/slugs.conf &
+
+    # Set up the PyKMIP server
+    cp -r ./.travis/functional/pykmip /tmp/
+    python ./bin/create_certificates.py
+    mv *.pem /tmp/pykmip/certs/
+    sudo mkdir /var/log/pykmip
+    sudo chmod 777 /var/log/pykmip
+    pykmip-server -f /tmp/pykmip/server.conf -l /tmp/pykmip/server.log &
+
+    # Run the functional tests
+    tox -e functional -- --config-file /tmp/pykmip/client.conf
 else
     tox
 fi

kmip/tests/functional/conftest.py

@@ -0,0 +1,29 @@
+# Copyright (c) 2018 The Johns Hopkins University/Applied Physics Laboratory
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import pytest
+
+
+def pytest_addoption(parser):
+    parser.addoption(
+        "--config-file",
+        action="store",
+        help="Config file path for client configuration settings"
+    )
+
+
+@pytest.fixture(scope="class")
+def config_file(request):
+    request.cls.config_file = request.config.getoption("--config-file")