From 992f435b77980e0e10b1dd8daa19713a47074c60 Mon Sep 17 00:00:00 2001 From: dosas Date: Mon, 9 Oct 2023 11:21:19 +0200 Subject: [PATCH] Nailgun ssl cert verification (#12813) * Add config option to verify nailgun requests against ssl cert * Use ssl verification for all instances of ServerConfig * Use dynaconf validator --------- Co-authored-by: dosas --- conf/server.yaml.template | 4 +++ robottelo/config/__init__.py | 6 ++-- robottelo/config/validators.py | 1 + robottelo/hosts.py | 2 +- tests/foreman/api/test_role.py | 45 ++++++++++++++++++-------- tests/foreman/api/test_subscription.py | 5 +-- tests/foreman/api/test_user.py | 12 ++++--- 7 files changed, 52 insertions(+), 23 deletions(-) diff --git a/conf/server.yaml.template b/conf/server.yaml.template index 5c08431532b..7f876bccaba 100644 --- a/conf/server.yaml.template +++ b/conf/server.yaml.template @@ -48,6 +48,10 @@ SERVER: ADMIN_USERNAME: admin # Admin password when accessing API and UI ADMIN_PASSWORD: changeme + # Set to true to verify against the certificate given in REQUESTS_CA_BUNDLE + # Or specify path to certificate path or directory + # see: https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification + VERIFY_CA: false SSH_CLIENT: # Specify port number for ssh client, Default: 22 diff --git a/robottelo/config/__init__.py b/robottelo/config/__init__.py index 5bd85ab5737..e078d2fcc63 100644 --- a/robottelo/config/__init__.py +++ b/robottelo/config/__init__.py @@ -110,7 +110,7 @@ def user_nailgun_config(username=None, password=None): """ creds = (username, password) - return ServerConfig(get_url(), creds, verify=False) + return ServerConfig(get_url(), creds, verify=settings.server.verify_ca) def setting_is_set(option): 
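Review bot: The new `VERIFY_CA: false` default in `conf/server.yaml.template` leaves certificate verification off for every nailgun session unless the operator opts in, and the comment above it never says what `false` means. Those sessions authenticate with the admin credentials configured just above, so it is worth spelling out, e.g. `# false disables TLS certificate verification; API credentials are then sent to a server whose identity is not checked`. The second comment line also reads awkwardly ("path to certificate path"); `# Or set to the path of a CA bundle file or directory` would be clearer. Consider whether the template should default to `true` now that the option exists.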
@@ -153,7 +153,9 @@ def configure_nailgun(): from nailgun.config import ServerConfig entity_mixins.CREATE_MISSING = True - entity_mixins.DEFAULT_SERVER_CONFIG = ServerConfig(get_url(), get_credentials(), verify=False) + entity_mixins.DEFAULT_SERVER_CONFIG = ServerConfig( + get_url(), get_credentials(), verify=settings.server.verify_ca + ) gpgkey_init = entities.GPGKey.__init__ def patched_gpgkey_init(self, server_config=None, **kwargs): diff --git a/robottelo/config/validators.py b/robottelo/config/validators.py index b605a1cd229..383abfb7aed 100644 --- a/robottelo/config/validators.py +++ b/robottelo/config/validators.py @@ -29,6 +29,7 @@ Validator('server.port', default=443), Validator('server.ssh_username', default='root'), Validator('server.ssh_password', default=None), + Validator('server.verify_ca', default=False), ], content_host=[ Validator('content_host.default_rhel_version', must_exist=True), diff --git a/robottelo/hosts.py b/robottelo/hosts.py index 9b6923d7449..6ee09915587 100644 --- a/robottelo/hosts.py +++ b/robottelo/hosts.py @@ -1776,7 +1776,7 @@ class DecClass(cls): self.nailgun_cfg = ServerConfig( auth=(settings.server.admin_username, settings.server.admin_password), url=f'{self.url}', - verify=False, + verify=settings.server.verify_ca, ) # add each nailgun entity to self.api, injecting our server config for name, obj in entities.__dict__.items(): diff --git a/tests/foreman/api/test_role.py b/tests/foreman/api/test_role.py index d75ff03e84b..4b42408114d 100644 --- a/tests/foreman/api/test_role.py +++ b/tests/foreman/api/test_role.py @@ -26,6 +26,7 @@ from requests.exceptions import HTTPError from robottelo.cli.ldapauthsource import LDAPAuthSource +from robottelo.config import settings from robottelo.constants import LDAP_ATTR, LDAP_SERVER_TYPE from robottelo.utils.datafactory import gen_string, generate_strings_list, parametrized from robottelo.utils.issue_handlers import is_open 
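Review bot: `Validator('server.verify_ca', default=False)` puts no constraint on the value, yet the setting is passed unchanged as `verify=` in `user_nailgun_config`, `configure_nailgun` and the `ServerConfig` built in `robottelo/hosts.py`. Assuming nailgun forwards it to requests as-is, any falsy value (an empty string, `0`) would turn verification off just like `false`, without the config reading that way. Restricting the type catches this at load time: `Validator('server.verify_ca', default=False, is_type_of=(bool, str))`, ideally with a check that a string value is non-empty. The default here also has to stay in step with the one in `conf/server.yaml.template`.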
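Review bot: `verify=settings.server.verify_ca` in the `ServerConfig` built in `robottelo/hosts.py` applies the single global setting to whatever `self.url` the host object has, so when `VERIFY_CA` is a path to one CA file, every Satellite the suite talks to must chain to that CA. That constraint is not visible at this call site; a comment such as `# server.verify_ca is global: the bundle must cover every Satellite under test` would save a confusing SSLError later. The enclosing method starts and ends outside the hunk, so whether a per-host override already exists cannot be seen here.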
@@ -154,7 +155,9 @@ def user_config(self, user, satellite): :param user: The nailgun.entities.User object of an user with passwd parameter """ - return ServerConfig(auth=(user.login, user.passwd), url=satellite.url, verify=False) + return ServerConfig( + auth=(user.login, user.passwd), url=satellite.url, verify=settings.server.verify_ca + ) @pytest.fixture def role_taxonomies(self): @@ -991,7 +994,9 @@ def test_positive_user_group_users_access_as_org_admin(self, role_taxonomies, ta location=[role_taxonomies['loc'].id], ).create() for login, password in ((userone_login, userone_pass), (usertwo_login, usertwo_pass)): - sc = ServerConfig(auth=(login, password), url=target_sat.url, verify=False) + sc = ServerConfig( + auth=(login, password), url=target_sat.url, verify=settings.server.verify_ca + ) try: entities.Domain(sc).search( query={ @@ -1120,7 +1125,9 @@ def test_negative_assign_taxonomies_by_org_admin( location=[role_taxonomies['loc']], ).create() assert user_login == user.login - sc = ServerConfig(auth=(user_login, user_pass), url=target_sat.url, verify=False) + sc = ServerConfig( + auth=(user_login, user_pass), url=target_sat.url, verify=settings.server.verify_ca + ) # Getting the domain from user1 dom = entities.Domain(sc, id=dom.id).read() dom.organization = [filter_taxonomies['org']] @@ -1279,7 +1286,9 @@ def test_negative_create_roles_by_org_admin(self, role_taxonomies, target_sat): location=[role_taxonomies['loc']], ).create() assert user_login == user.login - sc = ServerConfig(auth=(user_login, user_pass), url=target_sat.url, verify=False) + sc = ServerConfig( + auth=(user_login, user_pass), url=target_sat.url, verify=settings.server.verify_ca + ) role_name = gen_string('alpha') with pytest.raises(HTTPError): entities.Role( 
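Review bot: The `user_config` fixture changed in this hunk and the roughly twenty other `ServerConfig(auth=..., url=..., verify=settings.server.verify_ca)` calls in the later hunks of `test_role.py`, `test_subscription.py` and `test_user.py` each restate the TLS policy by hand. Building the config in one place keeps a future call site from drifting back to a hard-coded value, for example a shared helper `def user_server_config(login, password, url): return ServerConfig(auth=(login, password), url=url, verify=settings.server.verify_ca)` (the name is only a suggestion). `user_nailgun_config` in `robottelo/config/__init__.py` already does this for the default URL and could take an optional `url` instead.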
@@ -1344,7 +1353,9 @@ def test_negative_admin_permissions_to_org_admin(self, role_taxonomies, target_s location=[role_taxonomies['loc']], ).create() assert user_login == user.login - sc = ServerConfig(auth=(user_login, user_pass), url=target_sat.url, verify=False) + sc = ServerConfig( + auth=(user_login, user_pass), url=target_sat.url, verify=settings.server.verify_ca + ) with pytest.raises(HTTPError): entities.User(sc, id=1).read() @@ -1389,7 +1400,9 @@ def test_positive_create_user_by_org_admin(self, role_taxonomies, target_sat): location=[role_taxonomies['loc']], ).create() assert user_login == user.login - sc_user = ServerConfig(auth=(user_login, user_pass), url=target_sat.url, verify=False) + sc_user = ServerConfig( + auth=(user_login, user_pass), url=target_sat.url, verify=settings.server.verify_ca + ) user_login = gen_string('alpha') user_pass = gen_string('alphanumeric') user = entities.User( @@ -1470,7 +1483,9 @@ def test_positive_create_nested_location(self, role_taxonomies, target_sat): ) user.role = [org_admin] user = user.update(['role']) - sc = ServerConfig(auth=(user_login, user_pass), url=target_sat.url, verify=False) + sc = ServerConfig( + auth=(user_login, user_pass), url=target_sat.url, verify=settings.server.verify_ca + ) name = gen_string('alphanumeric') location = entities.Location(sc, name=name, parent=role_taxonomies['loc'].id).create() assert location.name == name @@ -1534,7 +1549,9 @@ def test_negative_create_taxonomies_by_org_admin(self, role_taxonomies, target_s location=[role_taxonomies['loc']], ).create() assert user_login == user.login - sc = ServerConfig(auth=(user_login, user_pass), url=target_sat.url, verify=False) + sc = ServerConfig( + auth=(user_login, user_pass), url=target_sat.url, verify=settings.server.verify_ca + ) with pytest.raises(HTTPError): entities.Organization(sc, name=gen_string('alpha')).create() if not is_open("BZ:1825698"): 
@@ -1578,7 +1595,9 @@ def test_positive_access_all_global_entities_by_org_admin( location=[role_taxonomies['loc'], filter_taxonomies['loc']], ).create() assert user_login == user.login - sc = ServerConfig(auth=(user_login, user_pass), url=target_sat.url, verify=False) + sc = ServerConfig( + auth=(user_login, user_pass), url=target_sat.url, verify=settings.server.verify_ca + ) try: for entity in [ entities.Architecture, @@ -1627,7 +1646,7 @@ def test_negative_access_entities_from_ldap_org_admin(self, role_taxonomies, cre sc = ServerConfig( auth=(create_ldap['ldap_user_name'], create_ldap['ldap_user_passwd']), url=create_ldap['sat_url'], - verify=False, + verify=settings.server.verify_ca, ) with pytest.raises(HTTPError): entities.Architecture(sc).search() @@ -1670,7 +1689,7 @@ def test_negative_access_entities_from_ldap_user( sc = ServerConfig( auth=(create_ldap['ldap_user_name'], create_ldap['ldap_user_passwd']), url=create_ldap['sat_url'], - verify=False, + verify=settings.server.verify_ca, ) with pytest.raises(HTTPError): entities.Architecture(sc).search() @@ -1734,7 +1753,7 @@ def test_positive_assign_org_admin_to_ldap_user_group(self, role_taxonomies, cre sc = ServerConfig( auth=(user.login, password), url=create_ldap['sat_url'], - verify=False, + verify=settings.server.verify_ca, ) # Accessing the Domain resource entities.Domain(sc, id=domain.id).read() @@ -1790,7 +1809,7 @@ def test_negative_assign_org_admin_to_ldap_user_group(self, create_ldap, role_ta sc = ServerConfig( auth=(user.login, password), url=create_ldap['sat_url'], - verify=False, + verify=settings.server.verify_ca, ) # Trying to access the Domain resource with pytest.raises(HTTPError): diff --git a/tests/foreman/api/test_subscription.py b/tests/foreman/api/test_subscription.py index 8b1da648d81..377d43555dd 100644 --- a/tests/foreman/api/test_subscription.py +++ b/tests/foreman/api/test_subscription.py 
@@ -28,6 +28,7 @@ from requests.exceptions import HTTPError from robottelo.cli.subscription import Subscription +from robottelo.config import settings from robottelo.constants import DEFAULT_SUBSCRIPTION_NAME, PRDS, REPOS, REPOSET pytestmark = [pytest.mark.run_in_one_thread] @@ -191,7 +192,7 @@ def test_positive_delete_manifest_as_another_user( sc1 = ServerConfig( auth=(user1.login, user1_password), url=target_sat.url, - verify=False, + verify=settings.server.verify_ca, ) user2_password = gen_string('alphanumeric') user2 = target_sat.api.User( @@ -203,7 +204,7 @@ def test_positive_delete_manifest_as_another_user( sc2 = ServerConfig( auth=(user2.login, user2_password), url=target_sat.url, - verify=False, + verify=settings.server.verify_ca, ) # use the first admin to upload a manifest with function_entitlement_manifest as manifest: diff --git a/tests/foreman/api/test_user.py b/tests/foreman/api/test_user.py index cab7b49d653..eff47fbba0f 100644 --- a/tests/foreman/api/test_user.py +++ b/tests/foreman/api/test_user.py @@ -418,7 +418,9 @@ def test_positive_table_preferences(self, module_target_sat): user = entities.User(role=existing_roles, password=password).create() name = "hosts" columns = ["power_status", "name", "comment"] - sc = ServerConfig(auth=(user.login, password), url=module_target_sat.url, verify=False) + sc = ServerConfig( + auth=(user.login, password), url=module_target_sat.url, verify=settings.server.verify_ca + ) entities.TablePreferences(sc, user=user, name=name, columns=columns).create() table_preferences = entities.TablePreferences(sc, user=user).search() assert len(table_preferences) == 1 @@ -726,7 +728,7 @@ def test_positive_ad_basic_no_roles(self, create_ldap): sc = ServerConfig( auth=(create_ldap['ldap_user_name'], create_ldap['ldap_user_passwd']), url=create_ldap['sat_url'], - verify=False, + verify=settings.server.verify_ca, ) with pytest.raises(HTTPError): entities.Architecture(sc).search() 
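Review bot: The `test_user.py` hunks start using `settings.server.verify_ca` (first at the `ServerConfig` in `test_positive_table_preferences`), but unlike `test_role.py` and `test_subscription.py` this file's section adds no `from robottelo.config import settings`. If the module does not already import `settings` outside the lines shown, these tests fail with a NameError before any request is made. Worth confirming, and adding the import next to the other `robottelo` imports if it is missing.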
@@ -775,7 +777,7 @@ def test_positive_access_entities_from_ldap_org_admin(self, create_ldap, module_ sc = ServerConfig( auth=(create_ldap['ldap_user_name'], create_ldap['ldap_user_passwd']), url=create_ldap['sat_url'], - verify=False, + verify=settings.server.verify_ca, ) with pytest.raises(HTTPError): entities.Architecture(sc).search() @@ -857,7 +859,7 @@ def test_positive_ipa_basic_no_roles(self, create_ldap): sc = ServerConfig( auth=(create_ldap['username'], create_ldap['ldap_user_passwd']), url=create_ldap['sat_url'], - verify=False, + verify=settings.server.verify_ca, ) with pytest.raises(HTTPError): entities.Architecture(sc).search() @@ -896,7 +898,7 @@ def test_positive_access_entities_from_ipa_org_admin(self, create_ldap): sc = ServerConfig( auth=(create_ldap['username'], create_ldap['ldap_user_passwd']), url=create_ldap['sat_url'], - verify=False, + verify=settings.server.verify_ca, ) with pytest.raises(HTTPError): entities.Architecture(sc).search()