For the record, this is the proposed unit test to be added; it is reproduced here because the pastebin it was posted to expires after one year.
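# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import os
from socket import gethostname
import tempfile

from OpenSSL import crypto

from etcd3gw.client import Etcd3Client
from etcd3gw.tests import base

# Lifetime of the throw-away fixture certificate.  It only has to outlive the
# test run, so there is no reason to mint a ten-year credential.
_CERT_LIFETIME_SECONDS = 24 * 60 * 60


def _write_private(path, data):
    """Write *data* to *path* with mode 0600.

    A private key must never be created world-readable, not even for a
    moment; ``open(path, "w")`` would honour the umask (typically 0644).
    The mode only applies when the file is created, so an existing file
    keeps whatever permissions it already had.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def create_self_signed_cert(directory=None):
    """Write a self-signed RSA certificate fixture for the TLS tests.

    Three PEM files are produced in *directory* (the current working
    directory when ``None``, which is where the fixture has always been
    written):

    * ``cert.crt`` -- the self-signed certificate,
    * ``test.key`` -- its private key, created with mode 0600,
    * ``test.ca``  -- the trust anchor to verify the server with.  A
      self-signed certificate is its own trust anchor, so this is the same
      certificate again.  (The earlier fixture wrote a certificate *request*
      here, which no TLS client can load as a CA bundle.)

    :param directory: target directory for the three files, or ``None``
        for the current working directory.
    :returns: ``(cert_path, key_path, ca_path)``.
    """
    if directory is None:
        directory = os.getcwd()

    # ``PKey`` holds the whole key pair, not just the public half.
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)

    cert = crypto.X509()
    # The extensions below need an X.509 v3 certificate (the version field
    # is zero-based, so 2 means v3).
    cert.set_version(2)
    subject = cert.get_subject()
    subject.C = "US"
    subject.ST = "Boston"
    subject.L = "Boston"
    subject.O = "Test Company Ltd"
    subject.OU = "Test Company Ltd"
    subject.CN = gethostname()
    cert.set_serial_number(1000)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(_CERT_LIFETIME_SECONDS)
    # Self-signed: the issuer is the subject, and the certificate is signed
    # with its own key.
    cert.set_issuer(subject)
    cert.set_pubkey(key)
    # Current TLS stacks match the host name against subjectAltName and ignore
    # the CN, so name the endpoints the tests use (the manual test plan does
    # the same with ``-addext "subjectAltName = DNS:localhost"``).  The
    # basicConstraints extension mirrors what ``openssl req -x509`` emits.
    cert.add_extensions([
        crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE"),
        crypto.X509Extension(b"subjectAltName", False,
                             b"DNS:localhost,IP:127.0.0.1"),
    ])
    cert.sign(key, "sha256")

    cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8")
    key_pem = crypto.dump_privatekey(crypto.FILETYPE_PEM, key).decode("utf-8")

    cert_path = os.path.join(directory, "cert.crt")
    key_path = os.path.join(directory, "test.key")
    ca_path = os.path.join(directory, "test.ca")
    with open(cert_path, "w") as crt:
        crt.write(cert_pem)
    _write_private(key_path, key_pem)
    with open(ca_path, "w") as ca:
        ca.write(cert_pem)
    return cert_path, key_path, ca_path


class TestEtcd3Gateway(base.TestCase):
    """URL construction and TLS session wiring of ``Etcd3Client``."""

    def test_client_default(self):
        client = Etcd3Client()
        self.assertEqual("http://localhost:2379/v3alpha/lease/grant",
                         client.get_url("/lease/grant"))

    def test_client_ipv4(self):
        client = Etcd3Client(host="127.0.0.1")
        self.assertEqual("http://127.0.0.1:2379/v3alpha/lease/grant",
                         client.get_url("/lease/grant"))

    def test_client_ipv6(self):
        # An IPv6 literal has to be bracketed in the authority part.
        client = Etcd3Client(host="::1")
        self.assertEqual("http://[::1]:2379/v3alpha/lease/grant",
                         client.get_url("/lease/grant"))

    def test_client_tls(self):
        # Regression test for LP#1820083: the TLS arguments were accepted but
        # never applied to the requests session.
        #
        # The fixture lives in a temporary directory so the private key is
        # never left behind in the source tree (the old fixture wrote into the
        # CWD and only removed the files if every assertion passed).  requests
        # takes *paths*, not open file objects, for ``cert`` and ``verify``,
        # so paths are what is passed in and asserted on.
        with tempfile.TemporaryDirectory() as tmpdir:
            crt_path, key_path, ca_path = create_self_signed_cert(tmpdir)
            client = Etcd3Client(host="127.0.0.1",
                                 protocol="https",
                                 ca_cert=ca_path,
                                 cert_key=key_path,
                                 cert_cert=crt_path,
                                 timeout=10)
            self.assertEqual((crt_path, key_path), client.session.cert)
            self.assertEqual(ca_path, client.session.verify)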
[Test Plan]

# Create a self-signed certificate, accepting the defaults at all prompts.
# The SAN matters: current TLS stacks match the host name against
# subjectAltName and ignore the CN. -nodes leaves the key unencrypted, which
# is fine for a throw-away test key.
$ openssl req -addext "subjectAltName = DNS:localhost" -x509 -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.crt

# Install the 'etcd' package, stop the default server, and start an etcd
# server that only listens over TLS.
$ sudo apt install etcd
$ sudo systemctl stop etcd
$ etcd --name test --data-dir test --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://localhost:2379 --listen-client-urls=https://localhost:2379

# Run the test script. The self-signed certificate is passed as ca_cert so
# that it is the only trust anchor; with the fix applied, verification and
# the client certificate are wired into the session and the put/get succeed.
$ cat test.py
#!/usr/bin/python3
from etcd3gw import Etcd3Client
c = Etcd3Client(host="localhost", protocol="https", cert_key="localhost.key", cert_cert="localhost.crt", ca_cert="localhost.crt", timeout=10)
c.put('test', 'success!')
resp = c.get('test')
print(b''.join(resp).decode())

$ ./test.py
success!

[Where Problems Could Occur]

The fix applies the TLS parameters (if provided) to the session, so a regression would show up as failed connections - in particular from callers that previously passed TLS parameters to a plain-HTTP endpoint: those parameters used to be silently ignored and are now applied.

[Other]

The upstream bug is https://github.com/dims/etcd3-gateway/issues/20, fixed upstream by pull request https://github.com/dims/etcd3-gateway/pull/21 (commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0). That commit is contained in version 0.2.2, which is already in Hirsute, so the fix is needed in Bionic, Focal and Groovy. This package was not included in Xenial.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+subscriptions

--
Mailing list: https://launchpad.net/~sts-sponsors
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~sts-sponsors
More help   : https://help.launchpad.net/ListHelp

