add + fix location ssh tests including a sample yaml for quickly trying lots of weird combos
Project: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/commit/f4346ef8 Tree: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/tree/f4346ef8 Diff: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/diff/f4346ef8 Branch: refs/heads/master Commit: f4346ef8009a13f03c6a6ee4f03777bfeb0bbb21 Parents: aafddb5 Author: Alex Heneveld <[email protected]> Authored: Thu Jan 22 21:38:52 2015 +0000 Committer: Alex Heneveld <[email protected]> Committed: Thu Jan 22 23:21:36 2015 +0000 ---------------------------------------------------------------------- .../internal/BrooklynFeatureEnablement.java | 5 +- .../location/basic/LocationConfigUtils.java | 3 +- .../brooklyn/util/crypto/FluentKeySigner.java | 6 ++- .../location/basic/LocationConfigUtilsTest.java | 4 +- .../jclouds/various-login-credentials.yaml | 52 ++++++++++++++++++++ pom.xml | 2 + 6 files changed, 67 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/f4346ef8/core/src/main/java/brooklyn/internal/BrooklynFeatureEnablement.java ----------------------------------------------------------------------
diff --git a/core/src/main/java/brooklyn/internal/BrooklynFeatureEnablement.java b/core/src/main/java/brooklyn/internal/BrooklynFeatureEnablement.java
index 7ecd7cd..6839a75 100644
--- a/core/src/main/java/brooklyn/internal/BrooklynFeatureEnablement.java
+++ b/core/src/main/java/brooklyn/internal/BrooklynFeatureEnablement.java
@@ -96,10 +96,12 @@ public class BrooklynFeatureEnablement {
      */
     public static final String FEATURE_SSH_ASYNC_EXEC = FEATURE_PROPERTY_PREFIX+".ssh.asyncExec";
+    public static final String FEATURE_VALIDATE_LOCATION_SSH_KEYS = "brooklyn.validate.locationSshKeys";
+
     private static final Map<String, Boolean> FEATURE_ENABLEMENTS = Maps.newLinkedHashMap();
     private static final Object MUTEX = new Object();
-    
+
     static void setDefaults() {
         // Idea is here one can put experimental features that are *enabled* by default, but
         // that can be turned off via system properties, or vice versa.
@@ -115,6 +117,7 @@ public class BrooklynFeatureEnablement {
         setDefault(FEATURE_RENAME_THREADS, false);
         setDefault(FEATURE_INFER_CATALOG_ITEM_ON_REBIND, true);
         setDefault(FEATURE_SSH_ASYNC_EXEC, false);
+        setDefault(FEATURE_VALIDATE_LOCATION_SSH_KEYS, true);
     }
 
     static {
http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/f4346ef8/core/src/main/java/brooklyn/location/basic/LocationConfigUtils.java ----------------------------------------------------------------------
diff --git a/core/src/main/java/brooklyn/location/basic/LocationConfigUtils.java b/core/src/main/java/brooklyn/location/basic/LocationConfigUtils.java
index 3518a0a..5e5b6e8 100644
--- a/core/src/main/java/brooklyn/location/basic/LocationConfigUtils.java
+++ b/core/src/main/java/brooklyn/location/basic/LocationConfigUtils.java
@@ -35,6 +35,7 @@ import org.slf4j.LoggerFactory;
 
 import brooklyn.config.ConfigKey;
 import brooklyn.entity.basic.ConfigKeys;
+import brooklyn.internal.BrooklynFeatureEnablement;
 import brooklyn.location.cloud.CloudLocationConfig;
 import brooklyn.management.ManagementContext;
 import brooklyn.util.ResourceUtils;
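Review bot: The new constant `FEATURE_VALIDATE_LOCATION_SSH_KEYS` is the only feature key in this hunk not built from `FEATURE_PROPERTY_PREFIX`, and unlike `FEATURE_SSH_ASYNC_EXEC` directly above it (which closes a Javadoc block) it carries no Javadoc, so a reader cannot tell what is skipped when an operator turns it off. Because it defaults to `true` in `setDefaults()`, disabling it via system property is an opt-out of the SSH key checks that `LocationConfigUtils` now keys off it; say so at the declaration, e.g. `/** When enabled (the default), SSH private key material in location config is validated when the credential is built (see LocationConfigUtils#doKeyValidation); disabling it defers any key problems to connect time. Deliberately not under FEATURE_PROPERTY_PREFIX: this is a validation switch, not an experimental feature. */`. If the separate namespace is not deliberate, build the key from the prefix like its siblings so it is discoverable with the other flags.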
@@ -75,7 +76,7 @@ public class LocationConfigUtils {
         private boolean preferPassword = false;
         private boolean tryDefaultKeys = true;
         private boolean requirePublicKey = true;
-        private boolean doKeyValidation = true;
+        private boolean doKeyValidation = BrooklynFeatureEnablement.isEnabled(BrooklynFeatureEnablement.FEATURE_VALIDATE_LOCATION_SSH_KEYS);
         private boolean warnOnErrors = true;
         private boolean throwOnErrors = false;
http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/f4346ef8/core/src/main/java/brooklyn/util/crypto/FluentKeySigner.java ----------------------------------------------------------------------
diff --git a/core/src/main/java/brooklyn/util/crypto/FluentKeySigner.java b/core/src/main/java/brooklyn/util/crypto/FluentKeySigner.java
index 0566b47..2dfbe98 100644
--- a/core/src/main/java/brooklyn/util/crypto/FluentKeySigner.java
+++ b/core/src/main/java/brooklyn/util/crypto/FluentKeySigner.java
@@ -22,6 +22,7 @@ import java.math.BigInteger;
 import java.security.KeyPair;
 import java.security.PublicKey;
 import java.security.SecureRandom;
+import java.security.Security;
 import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
 import java.util.Date;
@@ -31,6 +32,7 @@ import javax.security.auth.x500.X500Principal;
 import org.bouncycastle.asn1.x509.X509Extension;
 import org.bouncycastle.asn1.x509.X509Name;
 import org.bouncycastle.jce.X509Principal;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.x509.X509V3CertificateGenerator;
 import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
 import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
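Review bot: The changed field initializer makes the default for `doKeyValidation` depend on global static state read at the moment each credential object is constructed, rather than on a declared value, and nothing on the line says so; the two test call sites in this commit that now pass `doKeyValidation(false)` explicitly are the only hint. Put it on the line: `// default taken from the FEATURE_VALIDATE_LOCATION_SSH_KEYS flag at construction time; callers override per credential via doKeyValidation(boolean)`. Given the visible neighbours `warnOnErrors = true` and `throwOnErrors = false`, a key that fails validation is presumably only logged unless a caller opts into throwing, which is worth stating in the same comment if that is the intended contract. The enclosing class body starts and ends outside the hunk.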
@@ -42,7 +44,9 @@ import brooklyn.util.exceptions.Exceptions;
  * X509v3CertificateBuilder drags in an add'l dependency (bcmail) and is harder to use.
  */
 @SuppressWarnings("deprecation")
 public class FluentKeySigner {
-    
+
+    static { Security.addProvider(new BouncyCastleProvider()); }
+
     protected X500Principal issuerPrincipal;
     protected KeyPair issuerKey;
http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/f4346ef8/core/src/test/java/brooklyn/location/basic/LocationConfigUtilsTest.java ----------------------------------------------------------------------
diff --git a/core/src/test/java/brooklyn/location/basic/LocationConfigUtilsTest.java b/core/src/test/java/brooklyn/location/basic/LocationConfigUtilsTest.java
index e515aab..4c2cc37 100644
--- a/core/src/test/java/brooklyn/location/basic/LocationConfigUtilsTest.java
+++ b/core/src/test/java/brooklyn/location/basic/LocationConfigUtilsTest.java
@@ -43,7 +43,7 @@ public class LocationConfigUtilsTest {
         config.put(LocationConfigKeys.PRIVATE_KEY_DATA, "mydata");
         config.put(LocationConfigKeys.PRIVATE_KEY_FILE, SSH_PRIVATE_KEY_FILE);
-        OsCredential creds = LocationConfigUtils.getOsCredential(config);
+        OsCredential creds = LocationConfigUtils.getOsCredential(config).doKeyValidation(false);
         Assert.assertTrue(creds.hasKey());
         // warnings, as it is malformed
         Assert.assertFalse(creds.getWarningMessages().isEmpty());
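Review bot: The new static initializer registers the BouncyCastle JCA provider process-wide as a side effect of merely loading `FluentKeySigner`, with no comment on why this class needs it or that the registration is global and is never removed. `Security.addProvider` appends to the end of the provider list, so it does not shadow the JDK's own providers, and it returns -1 instead of double-registering a provider with the same name, but registering a security provider is still a global setting that deserves a why-comment and an explicit idempotence guard: `static { if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) Security.addProvider(new BouncyCastleProvider()); }`. The guard also avoids constructing a throwaway provider instance when the class is loaded in more than one classloader.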
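Review bot: Both changed tests (this hunk and the one at `@@ -57,7 +57,7 @@`) now switch key validation off, so after this commit nothing in `LocationConfigUtilsTest` exercises the validation path that the commit makes the default, and the deliberately malformed `"mydata"` key is no longer covered with validation enabled. Add a companion test that keeps the default and asserts whatever the intended outcome is for malformed `PRIVATE_KEY_DATA` with validation on, and say at each `doKeyValidation(false)` why it is there, e.g. `// validation off: "mydata" is intentionally not a parseable key; the validation path is covered separately`. The enclosing test methods start outside the hunk.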
@@ -57,7 +57,7 @@ public class LocationConfigUtilsTest {
         ConfigBag config = ConfigBag.newInstance();
         config.put(LocationConfigKeys.PRIVATE_KEY_DATA, "mydata");
-        OsCredential creds = LocationConfigUtils.getOsCredential(config);
+        OsCredential creds = LocationConfigUtils.getOsCredential(config).doKeyValidation(false);
         Assert.assertTrue(creds.hasKey());
         Assert.assertFalse(creds.getWarningMessages().isEmpty());
http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/f4346ef8/locations/jclouds/src/test/resources/brooklyn/location/jclouds/various-login-credentials.yaml ----------------------------------------------------------------------
diff --git a/locations/jclouds/src/test/resources/brooklyn/location/jclouds/various-login-credentials.yaml b/locations/jclouds/src/test/resources/brooklyn/location/jclouds/various-login-credentials.yaml
new file mode 100644
index 0000000..1cfe09e
--- /dev/null
+++ b/locations/jclouds/src/test/resources/brooklyn/location/jclouds/various-login-credentials.yaml
@@ -0,0 +1,52 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+name: various-login-credentials-test
+
+# not live tested, but useful for manual tests
+# assumes the keys listed here exist;
+# some children should pass, some should fail...
+
+services:
+- type: brooklyn.entity.basic.EmptySoftwareProcess
+  name: FAIL-missing-passphrase
+  location:
+    jclouds:aws-ec2:
+      privateKeyFile: ~/.ssh/passphrase-id_rsa
+- type: brooklyn.entity.basic.EmptySoftwareProcess
+  name: GOOD-key-w-passphrase-supplied
+  location:
+    jclouds:aws-ec2:
+      privateKeyFile: ~/.ssh/passphrase-id_rsa
+      privateKeyPassphrase: passphrase
+- type: brooklyn.entity.basic.EmptySoftwareProcess
+  name: GOOD-no-key-create-key
+  location:
+    jclouds:aws-ec2:
+      privateKeyFile: ""
+- type: brooklyn.entity.basic.EmptySoftwareProcess
+  # depends if image allows password access
+  name: MAYBE-explicit-password
+  location:
+    jclouds:aws-ec2:
+      password: foo
+- type: brooklyn.entity.basic.EmptySoftwareProcess
+  name: GOOD-default-should-use-id-rsa-or-create
+  location:
+    jclouds:aws-ec2
http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/f4346ef8/pom.xml ----------------------------------------------------------------------
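Review bot: The `GOOD-no-key-create-key` entry relies on `privateKeyFile: ""` being read as "no key, generate one", which is a different case from the last entry that omits credentials entirely, and neither entry says what it is exercising; the expected outcome of every case is carried only by the `FAIL-`/`GOOD-`/`MAYBE-` name prefix. Add a one-line comment per entry naming the condition under test, e.g. `# empty string explicitly suppresses the default key; a fresh key should be created` and `# no credentials at all: default ~/.ssh/id_rsa if present, else create`. The `MAYBE-explicit-password` entry already does this and is the pattern to follow.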
diff --git a/pom.xml b/pom.xml
index 2cad93a..286ad96 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1200,6 +1200,8 @@
                         <exclude>**/MANIFEST.MF</exclude>
                         <exclude>**/test-output/**</exclude>
                         <exclude>**/*.pem.pub</exclude>
+                        <exclude>**/*_rsa.pub</exclude>
+                        <exclude>**/*_rsa</exclude>
                         <exclude>**/*.svg</exclude>
                         <exclude>**/*.crt</exclude>
                         <exclude>**/*.csr</exclude>
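Review bot: The new `**/*_rsa` and `**/*_rsa.pub` excludes match anywhere in the tree, not only where test keys live, so a private key committed by accident under that common name would also be skipped by this check instead of failing the build for its missing header. Presumably these are for test fixture keys (none are added in this commit); narrow the globs to that location, e.g. `<exclude>**/src/test/resources/**/*_rsa</exclude>` and `<exclude>**/src/test/resources/**/*_rsa.pub</exclude>`, and add `<!-- test-only SSH key pairs -->` above them so the intent survives. The enclosing plugin configuration starts and ends outside the hunk.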
