SCAutolib 2.0.0__tar.gz → 3.0.0__tar.gz

{SCAutolib-2.0.0/SCAutolib.egg-info → SCAutolib-3.0.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: SCAutolib
-Version: 2.0.0
+Version: 3.0.0
 Summary: Python library for automation tests of smart cards using virtualization.
 Home-page: https://github.com/redhat-qe-security/SCAutolib
 Author: Pavel Yadlouski

{SCAutolib-2.0.0 → SCAutolib-3.0.0}/SCAutolib/__init__.py

@@ -1,5 +1,3 @@
-from enum import Enum, auto
-
 import coloredlogs
 import logging
 import subprocess
@@ -7,6 +5,8 @@ from pathlib import Path
 import time
 from schema import Schema, Use, Or, And, Optional
 
+from SCAutolib.enums import CardType, UserType
+
 fmt = "%(name)s:%(module)s.%(funcName)s.%(lineno)d [%(levelname)s] %(message)s"
 date_fmt = "%H:%M:%S"
 coloredlogs.install(level="DEBUG", fmt=fmt, datefmt=date_fmt,
@@ -49,24 +49,23 @@ schema_cas = Schema(And(
 # Specify validation schema for all users
 schema_user = Schema({'name': Use(str),
                       'passwd': Use(str),
-                      'pin': Use(str),
-                      Optional('card_dir', default=None): Use(Path),
-                      'card_type': Or("virtual", "real", "removinator"),
-                      Optional('cert', default=None): Use(Path),
-                      Optional('key', default=None): Use(Path),
-                      'local': Use(bool)})
-
+                      'user_type': Or(UserType.local, UserType.ipa)})
 
-class ReturnCode(Enum):
-    """
-    Enum for return codes
-    """
-    SUCCESS = 0
-    MISSING_CA = auto()
-    FAILURE = auto()
-    ERROR = auto()
-    EXCEPTION = auto()
-    UNKNOWN = auto()
+# Specify validation schema for all cards
+schema_card = Schema({'name': Use(str),
+                      'pin': Use(str),
+                      Optional('card_details', default=None): Use(str),
+                      'cardholder': Use(str),
+                      'CN': Use(str),
+                      Optional('UID', default=None): Use(str),
+                      Optional('expires', default=None): Use(str),
+                      'card_type': Or(CardType.virtual, CardType.physical),
+                      'ca_name': Use(str),
+                      Optional('ca_cert', default=None): Use(str),
+                      Optional('slot', default=None): Use(str),
+                      Optional('uri', default=None): Use(str),
+                      Optional('cert', default=None): Use(str),
+                      Optional('key', default=None): Use(str)})
 
 
 def run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=True,
@@ -85,7 +84,7 @@ def run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=True,
     :type sleep: int
     :param return_code: acceptable return codes from given commands.
         If check=True, and the return code of the cmd is not in the return_code
-        list an subprocess.CalledProcessError exception would be raised.
+        list a subprocess.CalledProcessError exception would be raised.
     :type return_code: list
     :param cmd: Command to be executed
     :type cmd: list or str

{SCAutolib-2.0.0 → SCAutolib-3.0.0}/SCAutolib/cli_commands.py

@@ -6,8 +6,9 @@ import click
 from pathlib import Path
 from sys import exit
 
-from SCAutolib import logger, exceptions, schema_user, ReturnCode
+from SCAutolib import logger, exceptions, schema_user
 from SCAutolib.controller import Controller
+from SCAutolib.enums import ReturnCode
 
 
 @click.group()

{SCAutolib-2.0.0 → SCAutolib-3.0.0}/SCAutolib/controller.py

@@ -4,15 +4,16 @@ from schema import Schema, Use
 from shutil import rmtree
 from typing import Union
 
-from SCAutolib import exceptions, schema_cas, schema_user
+from SCAutolib import exceptions, schema_cas, schema_user, schema_card
 from SCAutolib import (logger, run, LIB_DIR, LIB_BACKUP, LIB_DUMP,
                        LIB_DUMP_USERS, LIB_DUMP_CAS, LIB_DUMP_CARDS,
                        TEMPLATES_DIR)
 from SCAutolib.models import CA, file, user, card, authselect as auth
-from SCAutolib.models.file import File
-from SCAutolib.utils import (OSVersion, _check_selinux, _gen_private_key,
+from SCAutolib.models.file import File, OpensslCnf
+from SCAutolib.enums import (OSVersion, CardType, UserType)
+from SCAutolib.utils import (_check_selinux, _gen_private_key,
                              _get_os_version, _install_packages,
-                             _check_packages, dump_to_json, local_ca_factory)
+                             _check_packages, dump_to_json, ca_factory)
 
 
 class Controller:
@@ -68,12 +69,31 @@ class Controller:
     def prepare(self, force: bool, gdm: bool, install_missing: bool,
                 graphical: bool):
         """
-        Method for setting up whole system based on configuration file and
-        CLI commands
+        Prepare system for testing. This method provides complex configuration
+        of system under test for testing including creation of CAs, users and
+        smart cards in the system and objects that represents them in SCAutolib.
+        Configuration is based on config file and CLI options.
+
+        :param force: Defines if existing objects, files, users, services etc.
+            should be erased or overwritten if they already exist. True stands
+            for erase/overwrite. This parameter is forwarded to several methods
+            and it can have slightly different meaning in each of them.
+            For details see docstrings of the methods.
+        :type force: bool
+
+        :param gdm: If True, GDM package would be installed
+        :type gdm: bool
+        :param install_missing: If True, all missing packages would be
+            installed
+        :type install_missing: bool
+        :param graphical: If True, GUI tests dependencies are installed
+        :type graphical: bool
         """
         self.setup_system(install_missing, gdm, graphical)
 
-        # In this method not having section for local CA and/or for IPA CA is OK
+        # Prepare CAs: Virtual cards are populated by certificates that are: a)
+        # created locally and signed by local CA configured on the system under
+        # test, or b) created and signed using FreeIPA.
         try:
             self.setup_local_ca(force=force)
         except exceptions.SCAutolibWrongConfig as e:
@@ -82,9 +102,20 @@ class Controller:
             self.setup_ipa_client(force=force)
         except exceptions.SCAutolibWrongConfig as e:
             logger.info(e)
+
         for usr in self.lib_conf["users"]:
-            u = self.setup_user(usr, force=force)
-            self.enroll_card(u)
+            self.setup_user(usr, force=force)
+
+        # Create cards defined in config. For physical cards only objects will
+        # be created while for virtual cards tokens will be created and enrolled
+        for token in self.lib_conf["cards"]:
+            # prepare CA objects for physical cards
+            if token["card_type"] == CardType.physical:
+                self.setup_custom_ca(token)
+                self.setup_card(token)
+            elif token["card_type"] == CardType.virtual:
+                c = self.setup_card(token)
+                self.enroll_card(c)
 
     def setup_system(self, install_missing: bool, gdm: bool, graphical: bool):
         """
@@ -97,6 +128,8 @@ class Controller:
         :type install_missing: bool
         :param gdm: If True, GDM package would be installed
         :type gdm: bool
+        :param graphical: If True, GUI tests dependencies are installed
+        :type graphical: bool
         :return:
         """
         for d in (LIB_DIR, LIB_BACKUP, LIB_DUMP, LIB_DUMP_USERS, LIB_DUMP_CAS,
@@ -112,13 +145,15 @@ class Controller:
             packages += ["tesseract", "ffmpeg-free"]
 
         # Prepare for virtual cards
-        if "virtual" in [u["card_type"] for u in self.lib_conf["users"]]:
+        if any(c["card_type"] == CardType.virtual
+                for c in self.lib_conf["cards"]):
             packages += ["pcsc-lite-ccid", "pcsc-lite", "virt_cacard",
                          "vpcd", "softhsm"]
             run("dnf -y copr enable jjelen/vsmartcard")
 
         # Add IPA packages if needed
-        if not all([u["local"] for u in self.lib_conf["users"]]):
+        if any([u["user_type"] != UserType.local
+                for u in self.lib_conf["users"]]):
             packages += self._general_steps_for_ipa()
 
         # Check for installed packages
@@ -148,16 +183,16 @@ class Controller:
         self.sssd_conf.save()
         self._general_steps_for_virtual_sc()
 
-        base_user = user.BaseUser("base-user", "redhat")
+        base_user = user.User("base-user", "redhat")
         base_user.add_user()
         dump_to_json(base_user)
-        dump_to_json(user.BaseUser(username="root",
-                                   password=self.lib_conf["root_passwd"]))
+        dump_to_json(user.User(username="root",
+                               password=self.lib_conf["root_passwd"]))
 
     def setup_local_ca(self, force: bool = False):
         """
         Setup local CA based on configuration from the configuration file. All
-        necessary file for this operation (e.g. CNF file for self-signed root
+        necessary files for this operation (e.g. CNF file for self-signed root
         certificate) would be created along the way.
 
         :param force: If local CA already exists in given directory, specifies
@@ -171,11 +206,31 @@ class Controller:
             raise exceptions.SCAutolibWrongConfig(msg)
 
         ca_dir: Path = self.lib_conf["ca"]["local_ca"]["dir"]
-        self.local_ca = local_ca_factory(ca_dir, force)
+        ca_dir.mkdir(exist_ok=True, parents=True)
+
+        cnf = OpensslCnf(ca_dir.joinpath("ca.cnf"), "CA", str(ca_dir))
+        self.local_ca = ca_factory(path=ca_dir, cnf=cnf, create=True)
+        if force:
+            logger.warning(f"Removing previous local CA from {ca_dir}")
+            self.local_ca.cleanup()
+        cnf.create()
+        cnf.save()
+        self.local_ca.setup()
+        self.local_ca.update_ca_db()
+        run(["systemctl", "restart", "sssd"], sleep=5)
+
         logger.info(f"Local CA is configured in {ca_dir}")
 
         dump_to_json(self.local_ca)
 
+    def setup_custom_ca(self, card_data: dict):
+        if card_data["card_type"] == CardType.physical:
+            ca = ca_factory(create=True, card_data=card_data)
+            ca.setup()
+            if not ca._ca_cert.is_file():
+                raise FileNotFoundError(f"File not found: {ca._ca_cert}")
+            dump_to_json(ca)
+
     def setup_ipa_client(self, force: bool = False):
         """
         Configure IPA client for given IPA server on current host. IPA server
@@ -210,8 +265,7 @@ class Controller:
 
     def setup_user(self, user_dict: dict, force: bool = False):
         """
-        Configure the user on the specified system (local machine/CA). The user
-        would be configured along with the card based on configurations.
+        Configure the user on the specified system (local machine/CA).
 
         :param force: specify if the user should be re-created with its
             card directory
@@ -221,41 +275,14 @@ class Controller:
         :return: the user object
         """
         new_user = None
-        card_dir: Path = user_dict["card_dir"]
-        # Card dir is home dir of the user home directory
-        if force and card_dir.exists():
-            rmtree(card_dir)
 
-        if user_dict["local"]:
+        if user_dict["user_type"] == UserType.local:
             new_user = user.User(username=user_dict["name"],
-                                 pin=user_dict["pin"],
-                                 password=user_dict["passwd"],
-                                 card_dir=card_dir,
-                                 cert=user_dict["cert"], key=user_dict["key"],
-                                 local=True)
+                                 password=user_dict["passwd"])
             if force:
-                if new_user.cert and new_user.cert.exists():
-                    self.local_ca.revoke_cert(new_user.cert)
                 new_user.delete_user()
-            user_dict["card_dir"].mkdir(exist_ok=True)
             new_user.add_user()
 
-            csr_path = new_user.card_dir.joinpath(f"csr-{new_user.username}.csr")
-            cnf = file.OpensslCnf(filepath=csr_path, conf_type="user",
-                                  replace=new_user.username)
-            cnf.create()
-            cnf.save()
-
-            new_user.cnf = cnf.path
-            self.sssd_conf.set(
-                section=f"certmap/shadowutils/{new_user.username}",
-                key="matchrule",
-                value=f"<SUBJECT>.*CN={new_user.username}.*")
-            self.sssd_conf.save()
-            self.sssd_conf.update_default_content()
-            run(["systemctl", "restart", "sssd"])
-            logger.debug(f"Match rule for user {new_user.username} is added "
-                         f"to /etc/sssd/sssd.conf")
         else:
             if self.ipa_ca is None:
                 msg = "Can't proceed in configuration of IPA user because no " \
@@ -263,75 +290,109 @@ class Controller:
                 raise exceptions.SCAutolibException(msg)
             new_user = user.IPAUser(ipa_server=self.ipa_ca,
                                     username=user_dict["name"],
-                                    pin=user_dict["pin"],
-                                    password=user_dict["passwd"],
-                                    card_dir=card_dir,
-                                    cert=user_dict["cert"],
-                                    key=user_dict["key"],
-                                    local=False)
+                                    password=user_dict["passwd"])
             if force:
-                if new_user.cert and new_user.cert.exists():
-                    self.ipa_ca.revoke_cert(new_user.cert)
                 new_user.delete_user()
-            user_dict["card_dir"].mkdir(exist_ok=True)
-
             new_user.add_user()
-
-        if user_dict["card_type"] == "virtual":
-            hsm_conf = file.SoftHSM2Conf(
-                new_user.card_dir.joinpath("sofhtsm2.conf"),
-                new_user.card_dir)
-            hsm_conf.create()
-            hsm_conf.save()
-
-            new_user.card = card.VirtualCard(new_user,
-                                             softhsm2_conf=hsm_conf.path)
-        else:
-            raise NotImplementedError("Other card type than 'virtual' does"
-                                      "not supported yet")
-
-        new_user.card.create()
         self.users.append(new_user)
-
         dump_to_json(new_user)
-
         return new_user
 
-    def enroll_card(self, user_: user.User, force: bool = False):
+    def setup_card(self, card_dict: dict, force: bool = False):
         """
-        Enroll the card of a given user with configured CA. If private key
-        and/or the certificate do not exists, new one's would be requested
-        from corresponding CA.
+        Create card object. Card object should contain its root CA cert as it
+        represents general card (i.e. including physical read-only cards).
 
-        :param force:
-        :param user_: User with a card to be enrolled.
+        :param card_dict: Dictionary containing card attributes
+        :type card_dict: dict
+        :param force: If its true and card directory exists it will be removed
+        :type force: bool
         """
-        logger.debug(f"Starting enrollment of the card for user "
-                     f"{user_.username}")
-        if not user_.card:
-            raise exceptions.SCAutolibException(
-                f"Card for the user {user_.username} is not initialized")
+        card_dir: Path = Path("/root/cards", card_dict["name"])
+        card_dir.mkdir(parents=True, exist_ok=True)
 
-        if not user_.key.exists():
-            _gen_private_key(user_.key)
+        if force and card_dir.exists():
+            rmtree(card_dir)
 
-        if not user_.cert.exists():
-            # Creating a new private key makes sense only if the certificate
-            # doesn't exist yet
+        if card_dict["card_type"] == CardType.physical:
+            new_card = card.PhysicalCard(card_dict, card_dir=card_dir)
+        elif card_dict["card_type"] == CardType.virtual:
+            hsm_conf = self.prepare_softhsm_config(card_dir)
+            new_card = card.VirtualCard(card_dict, softhsm2_conf=hsm_conf.path,
+                                        card_dir=card_dir)
+            # card needs to know some details of its user
+            new_card.user = self.link_user_to_card(new_card)
+            if new_card.user.user_type == UserType.local:
+                new_card.cnf = self.prepare_user_cnf(new_card)
+            if force:
+                self.revoke_certs(new_card)
+            new_card.create()
+        else:
+            raise NotImplementedError("Other card types than 'physical' and "
+                                      "'virtual' are not supported")
+
+        dump_to_json(new_card)
+        return new_card
+
+    def link_user_to_card(self, card: card.VirtualCard):
+        for card_user in self.users:
+            if card_user.username == card.cardholder:
+                return card_user
+
+    def prepare_softhsm_config(self, card_dir: Path = None):
+        """Prepare SoftHSM2 config for virtual card"""
+        filepath = card_dir.joinpath("sofhtsm2.conf")
+        hsm_conf = file.SoftHSM2Conf(filepath, card_dir=card_dir)
+        hsm_conf.create()
+        hsm_conf.save()
+        return hsm_conf
+
+    def prepare_user_cnf(self, card: card.VirtualCard):
+        """Prepare user openssl cnf"""
+        cnf_path = card.card_dir.joinpath(f"{card.cardholder}.cnf")
+        cnf = file.OpensslCnf(filepath=cnf_path, conf_type="user",
+                              replace=[card.cardholder, card.CN])
+        cnf.create()
+        cnf.save()
+        return cnf.path
+
+    def revoke_certs(self, card: card.VirtualCard):
+        if card.cert and card.cert.exists():
+            if card.user.user_type == UserType.local:
+                self.local_ca.revoke_cert(card.cert)
+            else:
+                self.ipa_ca.revoke_cert(card.cert)
+
+    def enroll_card(self, card: card.VirtualCard):
+        """
+        Enroll the card - i.e. upload keys and certs to card. If private key
+        and/or the certificate do not exist, new one's would be requested
+        from corresponding CA.
+
+        :param card: card object
+        :type card: card.VirtualCard
+        """
+        logger.debug(f"Starting enrollment of the card {card.name}")
+        if not card:
+            raise exceptions.SCAutolibException(
+                f"Card {card.name} is not initialized")
 
-            csr = user_.gen_csr()
+        if not card.key.exists():
+            _gen_private_key(card.key)
 
+        if not card.cert.exists():
+            csr = card.gen_csr()
             ca = self.ipa_ca \
-                if isinstance(user_, user.IPAUser) else self.local_ca
-            user_.cert = ca.request_cert(csr, user_.username, user_.cert)
+                if isinstance(card.user, user.IPAUser) else self.local_ca
+            card.cert = ca.request_cert(csr, card.cardholder, card.cert)
 
-        user_.card.enroll()
-
-        dump_to_json(user_.card)
-        # Update the dump for current user to link it with the card
-        dump_to_json(user_)
+        card.enroll()
+        dump_to_json(card)
 
     def cleanup(self):
+        # FIXME Card.delete is not yet implemented, sssd_conf.clean is broken,
+        #  authselect.cleanup is not implemented, local_ca.cleanup is not
+        #  sufficient
         """
         Clean the system after setup. This method restores the SSSD config file,
         deletes created users with cards, remove CA's (local and/or IPA Client)
@@ -339,18 +400,18 @@ class Controller:
         self.sssd_conf.clean()
 
         for user_file in LIB_DUMP_USERS.iterdir():
-            usr = user.BaseUser.load(user_file)
-            usr.delete()
-            card_file = LIB_DUMP_CARDS.joinpath(f"card-{usr.username}.json")
+            usr = user.User.load(user_file)
+            usr.delete_user()
+        for card_file in LIB_DUMP_CARDS.iterdir():
             if card_file.exists():
-                card.Card.load(card_file, user=user).delete()
+                card.Card.load(card_file).delete()  # TODO implement card.delete
 
         if self.local_ca:
-            self.local_ca.cleanup()
+            self.local_ca.cleanup()  # FIXME restore sssd_auth_ca_db.pem file
         if self.ipa_ca:
             self.ipa_ca.cleanup()
 
-        self.authselect.cleanup()
+        self.authselect.cleanup()  # TODO implement authselect.cleanup
 
     @staticmethod
     def _validate_configuration(conf: dict, params: {} = None) -> dict:
@@ -376,7 +437,8 @@ class Controller:
         # Specify general schema for whole config file
         schema = Schema({"root_passwd": Use(str),
                          "ca": schema_cas,
-                         "users": [schema_user]})
+                         "users": [schema_user],
+                         "cards": [schema_card]})
 
         return schema.validate(conf)
 

SCAutolib-3.0.0/SCAutolib/enums.py

@@ -0,0 +1,40 @@
+from enum import Enum, auto
+
+
+class OSVersion(Enum):
+    """
+    Enumeration for Linux versions. Used for more convenient checks.
+    """
+    Fedora = 1
+    RHEL_9 = 2
+    RHEL_8 = 3
+    CentOS_8 = 4
+    CentOS_9 = 5
+
+
+class CardType(str, Enum):
+    physical = "physical"
+    virtual = "virtual"
+
+
+class UserType(str, Enum):
+    local = "local"
+    ipa = "ipa"
+
+
+class CAType(str, Enum):
+    local = "local"
+    custom = "custom"
+    ipa = "IPA"
+
+
+class ReturnCode(Enum):
+    """
+    Enum for return codes
+    """
+    SUCCESS = 0
+    MISSING_CA = auto()
+    FAILURE = auto()
+    ERROR = auto()
+    EXCEPTION = auto()
+    UNKNOWN = auto()