improve tests

test/burp/config/CA/CA.cnf

+# simple config for burp_ca
+
+RANDFILE                = /dev/urandom
+CA_DIR                  = @WORKING_DIR@/CA
+
+
+[ ca ]
+dir                     = $ENV::CA_DIR
+database                = $dir/index.txt
+serial                  = $dir/serial.txt
+certs                   = $dir/certs
+new_certs_dir           = $dir/newcerts
+crlnumber               = $dir/crlnumber.txt
+
+unique_subject          = no
+
+default_md              = sha256
+default_days            = 7300
+default_crl_days        = 7300
+
+#????
+name_opt                = ca_default
+cert_opt                = ca_default
+
+x509_extensions         = usr_cert
+copy_extensions         = copy
+policy                  = policy_anything
+
+[ usr_cert ]
+basicConstraints        = CA:FALSE
+
+[ policy_anything ]
+commonName              = supplied

test/burp/config/CA/burp_ca

+#!/usr/bin/env bash
+#
+# Copyright: Patrick Koppen
+# License:   GPLv3
+# Version:   1.2
+# Date:      29.12.2012
+
+set -e
+
+etc=/etc/burp
+dir=${etc}/CA
+conf=${etc}/CA.cnf
+
+name=$(hostname -f)
+ca_days=7300
+size=2048
+
+def_umask=022
+sec_umask=077
+
+function help() {
+  cat <<EOF
+$0: Help:
+    -h|--help               show help
+    -i|--init               inititalize CA
+    -k|--key                generate new key
+    -K|--keypath <path>     path to new key
+    -r|--request            generate certificate sign request
+    -R|--requestpath <path> path to certificate sign request
+    -s|--sign               sign csr (use --ca <ca> and --name <name>)
+       --batch              do not prompt for anything
+       --revoke <number>    revoke certificate with serial number
+       --crl                generate certificate revoke list
+    -d|--dir <dir>          ca output dir (default: $dir)
+    -c|--config             config file (default: $conf)
+    -n|--name               name (default: $name)
+    -D|--days               valid days for certificate (default in config file)
+       --ca_days            valid days for CA certificate (default: $ca_days)
+    -S|--size               key size (default: $size)
+    -a|--ca                 ca name if different from name
+    -f|--dhfile <path>      generate Diffie-Hellman file
+    -A|--altname            subjectAltName
+EOF
+}
+
+check_second_arg()
+{
+	if [ "$1" -eq 0 ] ; then
+		help
+		exit 1
+	fi
+}
+
+while [ $# -gt 0 ]
+do
+    case $1 in
+    -h|--help) help; exit 0 ;;
+    -i|--init) init=yes ;;
+    -k|--key) key=yes ;;
+    -K|--keypath) check_second_arg $#; keypath=$2; shift ;;
+    -r|--request) request=yes ;;
+    -R|--requestpath) check_second_arg $#; requestpath=$2; shift ;;
+    -s|--sign) sign=yes ;;
+       --batch) batch="-batch" ;;
+       --revoke) check_second_arg $#; revoke=$2; shift ;;
+       --crl) crl=yes ;;
+    -d|--dir) check_second_arg $#; dir=$2; shift ;;
+    -c|--config) check_second_arg $#; conf=$2; shift ;;
+    -n|--name) check_second_arg $#; name=$2; shift ;;
+    -D|--days) check_second_arg $#; days="-days $2"; shift ;;
+       --ca_days) check_second_arg $#; ca_days=$2; shift ;;
+    -S|--size) check_second_arg $#; size=$2; shift ;;
+    -a|--ca) check_second_arg $#; ca=$2; shift ;;
+    -f|--dhfile) check_second_arg $#; dhfile=$2; shift ;;
+    -A|--altname) check_second_arg $#; altname=$2; shift ;;
+    --) shift; break;;
+    -*) echo "$0: error - unrecognized option $1" 1>&2; exit 1;;
+    *) break;;
+    esac
+    shift
+done
+
+if [ -n "$dhfile" ] ; then
+	openssl dhparam -out "$dhfile" 1024
+	r=$?
+	chmod 600 "$dhfile"
+	exit $r
+fi
+
+if [ -z "$ca" ]; then
+  ca=${name}
+fi
+
+if [ -n "$altname" ]; then
+  altname="subjectAltName=$altname"
+fi
+
+# init CA
+if [ "$init" = "yes" ]; then
+  echo "Init... ${ca}"
+  if [ ! -f ${conf} ]; then
+     echo "$0: error - config ${conf} missing" 1>&2; exit 1
+  fi
+  if [ -d ${dir} ]; then
+     echo "$0: error - ${dir} exists, ca initialized" 1>&2; exit 1
+  fi
+  
+  mkdir ${dir}
+  mkdir ${dir}/certs
+  mkdir ${dir}/newcerts
+
+  umask ${sec_umask}
+  openssl genrsa -out ${dir}/CA_${ca}.key ${size}
+  umask ${def_umask}
+  TEMP=$(mktemp /tmp/burp_ca.tmp.XXXXXXXX || echo /tmp/burp_ca.tmp.$$)
+  cat <<-EOF > ${TEMP}
+	RANDFILE                = /dev/urandom
+
+	[ req ]
+	distinguished_name      = req_distinguished_name
+	prompt                  = no
+
+	[ v3_ca ]
+	basicConstraints=CA:true
+	subjectKeyIdentifier=hash
+	authorityKeyIdentifier=keyid,issuer:always
+
+	[ req_distinguished_name ]
+	commonName                      = ${ca}
+EOF
+  CA_DIR=${dir} openssl req -config ${TEMP} -new -x509 -days $ca_days \
+    -key ${dir}/CA_${ca}.key -out ${dir}/CA_${ca}.crt -extensions v3_ca
+  rm -f $TEMP
+
+  : > ${dir}/index.txt
+  echo "00" > ${dir}/serial.txt
+  echo "00" > ${dir}/crlnumber.txt
+
+fi
+
+[ -z "$keypath" ] && keypath=${dir}/${name}.key
+
+# generate key
+if [ "$key" = "yes" ]; then
+  echo "generating key ${name}: ${keypath}"
+  umask ${sec_umask}
+  openssl genrsa -out "${keypath}" ${size}
+  umask ${def_umask}
+fi
+
+# generate signing request 
+[ -z "$requestpath" ] && requestpath=${dir}/${name}.csr
+if [ "$request" = "yes" ]; then
+  echo "generating request ${name}"
+  TEMP=$(mktemp /tmp/burp_ca.tmp.XXXXXXXX || echo /tmp/burp_ca.tmp.$$)
+  cat <<-EOF > ${TEMP}
+	RANDFILE                = /dev/urandom
+        req_extensions          = v3_req
+
+	[ req ]
+	distinguished_name      = req_distinguished_name
+	prompt                  = no
+
+	[ v3_req ]
+	basicConstraints=CA:false
+	$altname
+
+	[ req_distinguished_name ]
+	commonName                      = ${name}
+
+EOF
+  openssl req -config ${TEMP} -new -key "${keypath}" \
+    -out "${requestpath}" -extensions v3_req
+  rm -f $TEMP
+fi
+
+
+# sign 
+if [ "$sign" = "yes" ]; then
+  serial=$(cat ${dir}/serial.txt)
+  CA_DIR=${dir} openssl ca -config ${conf} -name ca \
+    -in ${dir}/${name}.csr -out $dir/${name}.crt ${days} \
+    -keyfile ${dir}/CA_${ca}.key -cert ${dir}/CA_${ca}.crt \
+    ${batch}
+  if [ ! -f ${dir}/newcerts/${serial}.pem ]; then
+    exit 0
+  fi
+  mv ${dir}/newcerts/${serial}.pem ${dir}/certs/${serial}.pem
+  #rehash the certificates
+  for file in ${dir}/certs/*.pem; do ln -s -f $file ${dir}/certs/`openssl x509 -hash -noout -in $file`.0; done
+fi
+
+#revoke
+if [ -n "$revoke" ]; then
+  CA_DIR=${dir} openssl ca -config ${conf} -name ca \
+    -revoke ${dir}/certs/${revoke}.pem \
+    -keyfile ${dir}/CA_${ca}.key -cert ${dir}/CA_${ca}.crt \
+    ${batch}
+fi
+
+#crl
+if [ -n "$crl" ]; then
+  CA_DIR=${dir} openssl ca -config ${conf} -name ca \
+   -gencrl -out ${dir}/CA_${ca}.crl \
+   -keyfile ${dir}/CA_${ca}.key -cert ${dir}/CA_${ca}.crt 
+fi
+
+exit 0

test/burp/config/burp.conf

+# This is an example config file for the burp server.
+
+mode = server
+port = 4971
+status_port = 4972
+directory = @WORKING_DIR@/spool
+clientconfdir = @WORKING_DIR@/config/clientconfdir
+pidfile = @WORKING_DIR@/config/burp.server.pid
+hardlinked_archive = 0
+working_dir_recovery_method = delete
+max_children = 5
+max_status_children = 5
+umask = 0022
+syslog = 0
+stdout = 1
+# The following options can restrict what the client can do.
+# Note that restore_clients will still be able to do all of these operations,
+# except for force_backup.
+client_can_delete = 1
+# Set client_can_force_backup to 0 to only allow timed backups.
+client_can_force_backup = 1
+client_can_list = 1
+# Set client_can_restore to 0 if you want restores to only be initialised by
+# the server.
+client_can_restore = 1
+client_can_verify = 1
+# Ratelimit throttles the send speed. Specified in Megabits per second (Mb/s).
+# ratelimit = 1.5
+# Network timeout defaults to 7200 seconds (2 hours).
+# network_timeout = 7200
+
+# When the client version does not match the server version, log a warning.
+# Set to 0 to turn it off.
+version_warn = 1
+
+# More configuration files can be read, using syntax like the following
+# (without the leading '# ').
+# . path/to/more/conf
+
+# Location of autoupgrade files to serve to clients. Leave it commented out
+# to not autoupgrade clients.
+# autoupgrade_dir = /etc/burp/autoupgrade/server
+
+# You can have as many 'keep' lines as you like.
+# For example, if running backups daily, setting 7, 4, 6 will keep
+# 7 daily backups, 4 weekly, and 6 four-weekly backups.
+keep = 7
+# keep = 4
+# keep = 6
+
+# Run as different user/group.
+# user=graham
+# group=nogroup
+
+# CA options.
+# If you want your server to be a certificate authority and generate its own
+# certificates, uncomment the following lines. If the directory specified in
+# ca_conf does not exist, the server will create, populate it, and the paths
+# indicated by ssl_cert_ca, ssl_cert, ssl_key and ssl_dhfile below will be
+# overwritten. See docs/burp_ca.txt for more information.
+ca_conf = @WORKING_DIR@/config/CA/CA.cnf
+ca_name = burpCA
+ca_server_name = burpserver
+ca_burp_ca = @WORKING_DIR@/config/CA/burp_ca
+
+# SSL certificate authority - same file on both server and client
+ssl_cert_ca = @WORKING_DIR@/config/ssl_cert_ca.pem
+
+# Server SSL certificate
+ssl_cert = @WORKING_DIR@/config/ssl_cert-server.pem
+
+# Server SSL key
+ssl_key = @WORKING_DIR@/config/ssl_cert-server.key
+
+# Server SSL ciphers
+#ssl_ciphers = 
+
+# SSL key password
+ssl_key_password = password
+
+# Server DH file.
+ssl_dhfile = @WORKING_DIR@/config/dhfile.pem
+
+timer_script = @WORKING_DIR@/config/timer_script
+# Ensure that 20 hours elapse between backups
+# Available units:
+# s (seconds), m (minutes), h (hours), d (days), w (weeks), n (months)
+timer_arg = 20h
+# Allow backups to start in the evenings and nights during weekdays
+timer_arg = Mon,Tue,Wed,Thu,Fri,00,01,02,03,04,05,19,20,21,22,23
+# Allow more hours at the weekend.
+timer_arg = Sat,Sun,00,01,02,03,04,05,06,07,08,17,18,19,20,21,22,23
+# Note that, if you specify no timebands, the default timer script will never
+# allow backups.
+
+# Uncomment the notify_success_* lines for email notifications of backups that
+# succeeded.
+# In the subject line, the following are substituted:
+# %b - "backup"/"restore"/"verify"
+# %c - client name
+# %w - number of warnings, if any
+#notify_success_script = /etc/burp/notify_script
+#notify_success_arg = sendmail -t
+#notify_success_arg = To: youremail@example.com
+#notify_success_arg = From: burp
+#notify_success_arg = Subject: %b succeeded: %c %w
+# Uncomment the following to have success notifications only if there were
+# warnings.
+#notify_success_warnings_only = 1
+# Uncomment the following to have success notifications only if there were
+# new or changed files.
+#notify_success_changes_only = 1
+
+# Uncomment the following for email notifications of backups that failed.
+#notify_failure_script = /etc/burp/notify_script
+#notify_failure_arg = sendmail -t
+#notify_failure_arg = To: youremail@example.com
+#notify_failure_arg = From: burp
+#notify_failure_arg = Subject: %b failed: %c %w
+
+# The server can run scripts on each connection after authentication and before
+# disconnecting.
+#server_script_pre = /etc/burp/ssl_extra_checks_script
+#server_script_pre_arg = /etc/burp/crl
+#server_script_pre_arg = /etc/burp/burp-server.conf
+#server_script_pre_arg = /etc/burp/server-pre-script.local
+# Set server_script_pre_notify to 1 to have notifications on server_script_pre
+# returning non-zero. Most people will want to leave this off - it could
+# result in a lot of emails because clients normally connect once every 20
+# minutes. Requires notify_failure_script to be set above.
+#server_script_pre_notify = 0
+#server_script_post = 
+#server_script_post_arg = 
+#server_script_post_arg = 
+#server_script_post_run_on_fail=0
+# As for server_script_pre_notify, but for post.
+#server_script_post_notify = 0
+
+# Clients that are able to list and restore files belonging to any other
+# client. If this is too permissive, you may set a restore_client for
+# individual original clients in the individual clientconfdir files.
+# restore_client = someclient
+# restore_client = someotherclient

test/burp/config/clientconfdir/incexc/example

+# If you add at least one 'include=' line, the server will override the
+# rest of the client options below, which define exactly what to backup.
+# Setting any of the other options here will then also take effect on the
+# client.
+# (This file needs to be included in the clientconfdir file for the client,
+# using the '. path/to/this/file' syntax. Alternatively, these options can
+# be added to the clientconfdir file directly).
+
+# include=/home
+# exclude=/home/dontwant
+# exclude_ext=vdi
+# exclude_regex=/\.cache/
+# exclude_fs=tmpfs
+# exclude_comp=gz
+# min_file_size=0
+# max_file_size=0
+# cross_filesystem=/some/path
+# cross_all_filesystems=0
+# nobackup=.nobackup
+# read_fifo=/some/path/to/a/fifo
+# read_all_fifos=0
+# split_vss=1
+# strip_vss=0

test/burp/config/clientconfdir/testclient

+password = abcdefgh
+
+# More configuration files can be read, using syntax like the following
+# (without the leading '# ').
+. incexc/example

test/burp/config/timer_script

+#!/usr/bin/env bash
+#
+# Script that determines whether it is time to run a backup.
+
+echo "Running timer script: $@"
+
+client="$1" ; shift
+current="$1" ; shift
+storage_dir="$1" ; shift
+reserved1="$1" ; shift
+reserved2="$1" ; shift
+interval="$1" ; shift
+timestamp="$current/timestamp"
+
+# A 'backup' file placed in the storage directory tells this script that
+# a backup needs to be done right now.
+# This gives the 'server initiates a manual backup' feature.
+
+manual_file="$storage_dir/$client/backup"
+if [ -f "$manual_file" ] ; then
+	echo "Found $manual_file"
+	echo "Do a backup of $client now"
+	rm -f "$manual_file"
+	exit 0
+fi
+
+# The rest of the arguments, if any, should be timebands.
+# Set LANG=C and LC_TIME=C so that 'date' returns English day names.
+curdayhour=$(LANG=C LC_TIME=C date +"*%a*%H*")
+intimeband=0 # If no timebands given, default to not OK.
+while [ "$#" -gt 0 ] ; do
+	intimeband=0
+	timeband="$1"
+	case "$timeband" in
+		$curdayhour)
+			echo "In timeband: $timeband"
+			intimeband=1
+			break
+			;;
+		*)
+			echo "Out of timeband: $timeband"
+			;;
+	esac
+	shift
+done
+
+get_intervals()
+{
+	if [ ! -e "$current" ] ; then
+		echo "No prior backup of $client"
+		return 0
+	fi
+	if [ ! -f "$timestamp" ] ; then
+		echo "$0: Timestamp file missing for $client."
+		return 0
+	fi
+	if [ -z "$interval" ] ; then
+		echo "$0: No time interval given for $client."
+		return 0
+	fi
+
+	case "$interval" in
+	  [0-9]*s) i=${interval%s*} ; intervalsecs=$i ;;
+	  [0-9]*m) i=${interval%m*} ; intervalsecs=$((i*60)) ;;
+	  [0-9]*h) i=${interval%h*} ; intervalsecs=$((i*60*60)) ;;
+	  [0-9]*d) i=${interval%d*} ; intervalsecs=$((i*60*60*24)) ;;
+	  [0-9]*w) i=${interval%w*} ; intervalsecs=$((i*60*60*24*7)) ;;
+	  [0-9]*n) i=${interval%n*} ; intervalsecs=$((i*60*60*24*7*30)) ;;
+	  *) echo "$0: interval $interval not understood for $client."
+		return 0 ;;
+	esac
+
+	if [ -z "$intervalsecs" ] ; then
+		echo "$0: interval $interval not understood for $client."
+		return 0
+	fi
+
+	read junk ts < "$timestamp"
+
+	if   ! secs=$(LANG=C LC_TIME=C date +%s -d "$ts") \
+	  || ! now=$(LANG=C LC_TIME=C date +"%Y-%m-%d %H:%M:%S") \
+	  || ! nowsecs=$(LANG=C LC_TIME=C date +%s -d "$now")
+	then
+		echo "$0: Date command returned error for $client."
+		return 0
+	fi
+
+	min_timesecs=$((secs+intervalsecs))
+
+	# GNU coreutils 'date' command should accept the following (even
+	# slightly old versions).
+	if ! min_time=$(LANG=C LC_TIME=C date -d "Jan 1, 1970 00:00:00 +0000 + $min_timesecs seconds" +"%Y-%m-%d %H:%M:%S")
+	then
+		# FreeBSD 'date' will return an error with the above, so try
+		# a version that FreeBSD 'date' should be happy with.
+		if ! min_time=$(LANG=C LC_TIME=C date -r $min_timesecs +"%Y-%m-%d %H:%M:%S")
+		then
+			echo "$0: Date command returned error for $client."
+			return 0
+		fi
+	fi
+
+	echo "Last backup: $ts"
+	echo "Next after : $min_time (interval $interval)"
+
+	return 1
+}
+
+if [ "$intimeband" = "0" ] ; then
+	get_intervals
+	exit 1
+fi
+
+if get_intervals ; then
+	echo "Do a backup of $client now."
+	exit 0
+fi
+
+if [ "$min_timesecs" -lt "$nowsecs" ] ; then
+	echo "$min_time < $now."
+	echo "Do a backup of $client now."
+	exit 0
+fi
+
+echo "Not yet time for a backup of $client"
+
+exit 1

test/run_tests.sh

@@ -39,9 +39,9 @@ update
 [ $ISROOT -eq 1 ] && apt-get install -y uthash-dev g++ make libssl-dev librsync-dev
 
 echo "downloading and compiling burp v${BURP_VERSION}"
-OLD_PWD=`pwd`
-TEMP=$(mktemp -d)
-cd $TEMP
+ROOT_PWD=`pwd`
+BURP_DIR=$(mktemp -d)
+cd $BURP_DIR
 
 git clone $BURP
 cd burp
@@ -49,8 +49,19 @@ git checkout tags/${BURP_VERSION}
 ./configure --disable-ipv6
 make
 
-cd $OLD_PWD
-rm -rf $TEMP
+cd $ROOT_PWD
+WORKING_DIR=$(mktemp -d)
+
+echo "copying configuration files"
+cp -a test/burp/config $WORKING_DIR/
+sed -i "s|@WORKING_DIR@|${WORKING_DIR}|" $WORKING_DIR/config/burp.conf
+sed -i "s|@WORKING_DIR@|${WORKING_DIR}|" $WORKING_DIR/config/CA/CA.cnf
+
+echo "launching background burp-server"
+$BURP_DIR/burp/src/burp -F -c $WORKING_DIR/config/burp.conf -g
+$BURP_DIR/burp/src/burp -F -c $WORKING_DIR/config/burp.conf &
+
+BURP_PID=$?
 
 ##echo "install lib devel..."
 ##apt-get update
@@ -78,7 +89,11 @@ pip install -r test-requirements.txt
 nosetests --with-coverage --cover-package=burpui test/test_burpui.py
 ret=$?
 
+echo "cleanup"
 deactivate
+kill $BURP_PID
+rm -rf $BURP_DIR
+rm -rf $WORKING_DIR
 
 echo "That's it!"
 

test/test3.cfg

+[Global]
+# On which port is the application listening
+port: 5001
+# On which address is the application listening
+# '::' is the default for all IPv6
+bind: ::
+# enable SSL
+ssl: false
+# ssl cert
+sslcert: /etc/burp/ssl_cert-server.pem
+# ssl key
+sslkey: /etc/burp/ssl_cert-server.key
+# burp server version (currently only burp 1.x is implemented)
+version: 1
+# Handle multiple bui-servers or not
+# If set to 'false', you will need to declare at least one 'Agent' section (see
+# bellow)
+standalone: true
+# authentication plugin (mandatory)
+# list the misc/auth directory to see the available backends
+# to disable authentication you can set "auth: none"
+auth: basic
+
+[UI]
+# refresh interval of the pages in seconds
+refresh: 15
+
+# burp1 backend specific options
+[Burp1]
+# burp status address (can only be '127.0.0.1' or '::1'
+bhost: ::1
+# burp status port