tempesta-tech · krizhanovsky · Jul 31, 2019 · Jun 12, 2019 · Jun 19, 2019 · Jun 20, 2019
diff --git a/README.md b/README.md
@@ -71,7 +71,8 @@ deproxy server, and workload tests should use wrk client and nginx server.
 ## Requirements
 
 - Host for testing framework: `Python2`, `python2-paramiko`,
-`python-configparser`, `python-subprocess32`, `wrk`, `ab`, `python-scapy`
+`python-configparser`, `python-subprocess32`, `wrk`, `ab`, `python-scapy`,
+`python-cryptography`
 - All hosts except previous one: `sftp-server`
 - Host for running TempestaFW: Linux kernel with Tempesta, TempestaFW sources,
 `systemtap`, `tcpdump`, `bc`
@@ -123,6 +124,9 @@ is `10` seconds.
 
 `log_file` option specifies a file to tee (duplicate) tests' stderr to.
 
+`workdir` - path to temporary files, e.g. TLS certificates generated by
+the framework.
+
 This group of options can be overridden by command line options, for more
 information run tests with `-h` key.
 ```sh
@@ -157,6 +161,7 @@ SSH. If hostname is `localhost`, TempestaFW will be ran locally.
 `config` — workdir-relative or absolute path to the temporary TempestaFW config
 that will be created during testing.
 
+
 #### Server Section
 
 `ip` — IPv4/IPv6 address of the backend server host in test network, as
@@ -371,4 +376,12 @@ this, but it simpler to check free ports before start server.
 #### Classes for servers and clients
 
 deproxyclient, deproxyserver, nginx, wrk - this classes used for creating
-and handling corresponding types of items.
+and handling corresponding types of items.
+
+
+## Resources
+
+There are not so much good references about best practices in development of
+testing framework.
+
+* [Why Good Developers Write Bad Tests](https://www.youtube.com/watch?v=oO-FMAdjY68)
diff --git a/framework/deproxy_client.py b/framework/deproxy_client.py
@@ -63,7 +63,7 @@ def handle_read(self):
                                     method=method)
                 self.response_buffer = \
                             self.response_buffer[response.original_length:]
-            except deproxy.IncompliteMessage:
+            except deproxy.IncompleteMessage:
                 return
             except deproxy.ParseError:
                 tf_cfg.dbg(4, ('Deproxy: Client: Can\'t parse message\n'
@@ -113,6 +113,7 @@ def make_request(self, request):
     def receive_response(self, response):
         raise NotImplementedError("Not implemented 'receive_response()'")
 
+
 class DeproxyClient(BaseDeproxyClient):
     last_response = None
     responses = []

diff --git a/framework/deproxy_server.py b/framework/deproxy_server.py
@@ -25,6 +25,14 @@ def __init__(self, server, sock=None, keep_alive=None):
         self.request_buffer = ''
         tf_cfg.dbg(6, '\tDeproxy: SrvConnection: New server connection.')
 
+    def initiate_send(self):
+        """ Override dispatcher_with_send.initiate_send() which transfers
+        data with too small chunks of 512 bytes.
+        """
+        num_sent = 0
+        num_sent = asyncore.dispatcher.send(self, self.out_buffer[:4096])
+        self.out_buffer = self.out_buffer[num_sent:]
+
     def send_pending_and_close(self):
         while len(self.out_buffer):
             self.initiate_send()
@@ -59,7 +67,7 @@ def handle_read(self):
         self.request_buffer += self.recv(deproxy.MAX_MESSAGE_SIZE)
         try:
             request = deproxy.Request(self.request_buffer)
-        except deproxy.IncompliteMessage:
+        except deproxy.IncompleteMessage:
             return
         except deproxy.ParseError:
             tf_cfg.dbg(4, ('Deproxy: SrvConnection: Can\'t parse message\n'

diff --git a/framework/tester.py b/framework/tester.py
@@ -10,7 +10,7 @@
 from framework.templates import fill_template, populate_properties
 
 __author__ = 'Tempesta Technologies, Inc.'
-__copyright__ = 'Copyright (C) 2018 Tempesta Technologies, Inc.'
+__copyright__ = 'Copyright (C) 2018-2019 Tempesta Technologies, Inc.'
 __license__ = 'GPL2'
 
 backend_defs = {}
@@ -61,25 +61,29 @@ def __init__(self, *args, **kwargs):
         self.__tempesta = None
         self.deproxy_manager = deproxy_manager.DeproxyManager()
 
-    def __create_client_deproxy(self, client):
+    def __create_client_deproxy(self, client, ssl):
         addr = fill_template(client['addr'], client)
         port = int(fill_template(client['port'], client))
-        clt = deproxy_client.DeproxyClient(addr=addr, port=port)
+        clt = deproxy_client.DeproxyClient(addr=addr, port=port, ssl=ssl)
+        if ssl:
+            server_hostname = fill_template(client['ssl_hostname'], client)
+            clt.set_server_hostname(server_hostname)
         return clt
 
-    def __create_client_wrk(self, client):
+    def __create_client_wrk(self, client, ssl):
         addr = fill_template(client['addr'], client)
-        wrk = wrk_client.Wrk(server_addr=addr)
+        wrk = wrk_client.Wrk(server_addr=addr, ssl=ssl)
         wrk.set_script(client['id']+"_script", content="")
         return wrk
 
     def __create_client(self, client):
         populate_properties(client)
+        ssl = client.setdefault('ssl', False)
         cid = client['id']
         if client['type'] == 'deproxy':
-            self.__clients[cid] = self.__create_client_deproxy(client)
+            self.__clients[cid] = self.__create_client_deproxy(client, ssl)
         elif client['type'] == 'wrk':
-            self.__clients[cid] = self.__create_client_wrk(client)
+            self.__clients[cid] = self.__create_client_wrk(client, ssl)
 
     def __create_backend(self, server):
         srv = None
@@ -143,6 +147,9 @@ def get_tempesta(self):
     def __create_tempesta(self):
         desc = self.tempesta.copy()
         populate_properties(desc)
+        custom_cert = False
+        if 'custom_cert' in desc:
+            custom_cert = self.tempesta['custom_cert']
         config = ""
         if 'config' in desc:
             config = desc['config']
@@ -151,7 +158,8 @@ def __create_tempesta(self):
             self.__tempesta = factory(desc)
         else:
             self.__tempesta = default_tempesta_factory(desc)
-        self.__tempesta.config.set_defconfig(fill_template(config, desc))
+        self.__tempesta.config.set_defconfig(fill_template(config, desc),
+                                             custom_cert)
 
     def start_all_servers(self):
         for sid in self.__servers:
@@ -161,9 +169,11 @@ def start_all_servers(self):
                 raise Exception("Can not start server %s" % sid)
 
     def start_tempesta(self):
-        self.__tempesta.start()
-        if not self.__tempesta.is_running():
-            raise Exception("Can not start Tempesta")
+        """ Start Tempesta and wait until the initialization process finish. """
+        with dmesg.wait_for_msg('[tempesta fw] modules are started', 1, True):
+            self.__tempesta.start()
+            if not self.__tempesta.is_running():
+                raise Exception("Can not start Tempesta")
 
     def start_all_clients(self):
         for cid in self.__clients:
@@ -197,7 +207,7 @@ def tearDown(self):
         try:
             deproxy_manager.finish_all_deproxy()
         except:
-            print ('Unknown exception in stopping deproxy')
+            print('Unknown exception in stopping deproxy')
 
         self.oops.update()
         if self.oops.warn_count("Oops") > 0:

diff --git a/framework/x509.py b/framework/x509.py
@@ -0,0 +1,139 @@
+"""
+X509 certificates generation required to test handling of different cipher
+suites anomalies on Tempesta TLS side. We didn't modify mbedTLS x509 related
+code, so now we're not interested with x509 parsing at all, so we do not play
+with different x509 formats, extensions and so on.
+
+Without loss of generality we use self-signed certificates to make things simple
+in tests.
+"""
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.backends.interfaces import (
+    DSABackend, EllipticCurveBackend, RSABackend, X509Backend
+)
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
+from cryptography.x509.oid import NameOID
+from datetime import datetime, timedelta
+
+from helpers import tf_cfg
+
+__author__ = 'Tempesta Technologies, Inc.'
+__copyright__ = 'Copyright (C) 2019 Tempesta Technologies, Inc.'
+__license__ = 'GPL2'
+
+
+class CertGenerator:
+
+    def __init__(self, cert_path=None, key_path=None, default=False):
+        workdir = tf_cfg.cfg.get('General', 'workdir')
+        self.f_cert = cert_path if cert_path else workdir + "/tempesta.crt"
+        self.f_key = key_path if key_path else workdir + "/tempesta.key"
+        # Define the certificate fields data supposed for mutation by a caller.
+        self.C = u'US'
+        self.ST = u'Washington'
+        self.L = u'Seattle'
+        self.O = u'Tempesta Technologies Inc.'
+        self.OU = u'Testing'
+        self.CN = u'tempesta-tech.com'
+        self.emailAddress = u'info@tempesta-tech.com'
+        self.not_valid_before = datetime.now() - timedelta(1)
+        self.not_valid_after = datetime.now() + timedelta(365)
+        # Use EC by defauls as the fastest and more widespread.
+        self.key = {
+            'alg': 'ecdsa',
+            'curve': ec.SECP256R1()
+        }
+        self.sign_alg = 'sha256'
+        self.format = 'pem'
+        self.cert = None
+        self.pkey = None
+        if default:
+            self.generate()
+
+    @staticmethod
+    def __write(path, data):
+        fdesc = open(path, "wt")
+        fdesc.write(data)
+        fdesc.close()
+
+    def __encoding(self):
+        if self.format == 'pem':
+            return serialization.Encoding.PEM
+        else:
+            raise NotImplementedError("Not implemented encoding: %s"
+                                      % self.format)
+
+    def __build_name(self):
+        return x509.Name([
+            x509.NameAttribute(NameOID.COUNTRY_NAME, self.C),
+            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, self.ST),
+            x509.NameAttribute(NameOID.LOCALITY_NAME, self.L),
+            x509.NameAttribute(NameOID.ORGANIZATION_NAME, self.O),
+            x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, self.OU),
+            x509.NameAttribute(NameOID.COMMON_NAME, self.CN),
+            x509.NameAttribute(NameOID.EMAIL_ADDRESS, self.emailAddress),
+        ])
+
+    def __gen_key_pair(self):
+        if self.key['alg'] == 'rsa':
+            assert self.key['len'], "No RSA key length specified"
+            self.pkey = rsa.generate_private_key(65537, self.key['len'],
+                                                 default_backend())
+        elif self.key['alg'] == 'ecdsa':
+            assert self.key['curve'], "No EC curve specified"
+            self.pkey = ec.generate_private_key(self.key['curve'],
+                                                default_backend())
+        else:
+            raise NotImplementedError("Not implemented key algorithm: %s"
+                                      % self.key_alg)
+
+    def __hash(self):
+        if self.sign_alg == 'sha1':
+            return hashes.SHA1()
+        elif self.sign_alg == 'sha256':
+            return hashes.SHA256()
+        elif self.sign_alg == 'sha384':
+            return hashes.SHA384()
+        elif self.sign_alg == 'sha512':
+            return hashes.SHA512()
+        else:
+            raise NotImplementedError("Not implemented hash algorithm: %s"
+                                      % self.sign_alg)
+
+    def serialize_cert(self):
+        return self.cert.public_bytes(self.__encoding())
+
+    def serialize_priv_key(self):
+        return self.pkey.private_bytes(self.__encoding(),
+                serialization.PrivateFormat.PKCS8,
+                serialization.NoEncryption())
+
+    def generate(self):
+        self.__gen_key_pair()
+        x509name = self.__build_name()
+        builder = x509.CertificateBuilder().serial_number(
+            x509.random_serial_number()
+        ).subject_name(
+            x509name
+        ).issuer_name(
+            x509name
+        ).not_valid_before(
+            self.not_valid_before
+        ).not_valid_after(
+            self.not_valid_after
+        ).public_key(
+            self.pkey.public_key()
+        )
+        self.cert = builder.sign(self.pkey, self.__hash(), default_backend())
+        # Write the certificate & private key.
+        self.__write(self.f_cert, self.serialize_cert())
+        self.__write(self.f_key, self.serialize_priv_key())
+
+    def __str__(self):
+        assert self.cert, "Stringify null x509 certificate object"
+        return str(self.cert)
+
+    def get_file_paths(self):
+        return (self.f_cert, self.f_key)