Commit 6f118c15 authored by Benjamin "Ziirish" SANS's avatar Benjamin "Ziirish" SANS

improve tests

parent ef241a80
# simple config for burp_ca
RANDFILE = /dev/urandom
CA_DIR = @WORKING_DIR@/CA
[ ca ]
dir = $ENV::CA_DIR
database = $dir/index.txt
serial = $dir/serial.txt
certs = $dir/certs
new_certs_dir = $dir/newcerts
crlnumber = $dir/crlnumber.txt
unique_subject = no
default_md = sha256
default_days = 7300
default_crl_days = 7300
#????
name_opt = ca_default
cert_opt = ca_default
x509_extensions = usr_cert
copy_extensions = copy
policy = policy_anything
[ usr_cert ]
basicConstraints = CA:FALSE
[ policy_anything ]
commonName = supplied
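Review bot: The `#????` comment above `name_opt`/`cert_opt` leaves the reader guessing what those two settings do; replace it with `# display options used by 'openssl ca' when printing certificate details`. It would also help to state why `copy_extensions = copy` is set next to a policy that only requires commonName: extensions carried in the CSR (for example a subjectAltName) are copied into the signed certificate, which appears to be what burp_ca's `-A|--altname` option depends on, so a one-line comment such as `# copy CSR extensions (subjectAltName from burp_ca -A)` records that intent.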
#!/usr/bin/env bash
#
# Copyright: Patrick Koppen
# License: GPLv3
# Version: 1.2
# Date: 29.12.2012
set -e
etc=/etc/burp
dir=${etc}/CA
conf=${etc}/CA.cnf
name=$(hostname -f)
ca_days=7300
size=2048
def_umask=022
sec_umask=077
function help() {
cat <<EOF
$0: Help:
-h|--help show help
-i|--init inititalize CA
-k|--key generate new key
-K|--keypath <path> path to new key
-r|--request generate certificate sign request
-R|--requestpath <path> path to certificate sign request
-s|--sign sign csr (use --ca <ca> and --name <name>)
--batch do not prompt for anything
--revoke <number> revoke certificate with serial number
--crl generate certificate revoke list
-d|--dir <dir> ca output dir (default: $dir)
-c|--config config file (default: $conf)
-n|--name name (default: $name)
-D|--days valid days for certificate (default in config file)
--ca_days valid days for CA certificate (default: $ca_days)
-S|--size key size (default: $size)
-a|--ca ca name if different from name
-f|--dhfile <path> generate Diffie-Hellman file
-A|--altname subjectAltName
EOF
}
check_second_arg()
{
if [ "$1" -eq 0 ] ; then
help
exit 1
fi
}
while [ $# -gt 0 ]
do
case $1 in
-h|--help) help; exit 0 ;;
-i|--init) init=yes ;;
-k|--key) key=yes ;;
-K|--keypath) check_second_arg $#; keypath=$2; shift ;;
-r|--request) request=yes ;;
-R|--requestpath) check_second_arg $#; requestpath=$2; shift ;;
-s|--sign) sign=yes ;;
--batch) batch="-batch" ;;
--revoke) check_second_arg $#; revoke=$2; shift ;;
--crl) crl=yes ;;
-d|--dir) check_second_arg $#; dir=$2; shift ;;
-c|--config) check_second_arg $#; conf=$2; shift ;;
-n|--name) check_second_arg $#; name=$2; shift ;;
-D|--days) check_second_arg $#; days="-days $2"; shift ;;
--ca_days) check_second_arg $#; ca_days=$2; shift ;;
-S|--size) check_second_arg $#; size=$2; shift ;;
-a|--ca) check_second_arg $#; ca=$2; shift ;;
-f|--dhfile) check_second_arg $#; dhfile=$2; shift ;;
-A|--altname) check_second_arg $#; altname=$2; shift ;;
--) shift; break;;
-*) echo "$0: error - unrecognized option $1" 1>&2; exit 1;;
*) break;;
esac
shift
done
if [ -n "$dhfile" ] ; then
openssl dhparam -out "$dhfile" 1024
r=$?
chmod 600 "$dhfile"
exit $r
fi
if [ -z "$ca" ]; then
ca=${name}
fi
if [ -n "$altname" ]; then
altname="subjectAltName=$altname"
fi
# init CA
if [ "$init" = "yes" ]; then
echo "Init... ${ca}"
if [ ! -f ${conf} ]; then
echo "$0: error - config ${conf} missing" 1>&2; exit 1
fi
if [ -d ${dir} ]; then
echo "$0: error - ${dir} exists, ca initialized" 1>&2; exit 1
fi
mkdir ${dir}
mkdir ${dir}/certs
mkdir ${dir}/newcerts
umask ${sec_umask}
openssl genrsa -out ${dir}/CA_${ca}.key ${size}
umask ${def_umask}
TEMP=$(mktemp /tmp/burp_ca.tmp.XXXXXXXX || echo /tmp/burp_ca.tmp.$$)
cat <<-EOF > ${TEMP}
RANDFILE = /dev/urandom
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ v3_ca ]
basicConstraints=CA:true
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ req_distinguished_name ]
commonName = ${ca}
EOF
CA_DIR=${dir} openssl req -config ${TEMP} -new -x509 -days $ca_days \
-key ${dir}/CA_${ca}.key -out ${dir}/CA_${ca}.crt -extensions v3_ca
rm -f $TEMP
: > ${dir}/index.txt
echo "00" > ${dir}/serial.txt
echo "00" > ${dir}/crlnumber.txt
fi
[ -z "$keypath" ] && keypath=${dir}/${name}.key
# generate key
if [ "$key" = "yes" ]; then
echo "generating key ${name}: ${keypath}"
umask ${sec_umask}
openssl genrsa -out "${keypath}" ${size}
umask ${def_umask}
fi
# generate signing request
[ -z "$requestpath" ] && requestpath=${dir}/${name}.csr
if [ "$request" = "yes" ]; then
echo "generating request ${name}"
TEMP=$(mktemp /tmp/burp_ca.tmp.XXXXXXXX || echo /tmp/burp_ca.tmp.$$)
cat <<-EOF > ${TEMP}
RANDFILE = /dev/urandom
req_extensions = v3_req
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ v3_req ]
basicConstraints=CA:false
$altname
[ req_distinguished_name ]
commonName = ${name}
EOF
openssl req -config ${TEMP} -new -key "${keypath}" \
-out "${requestpath}" -extensions v3_req
rm -f $TEMP
fi
# sign
if [ "$sign" = "yes" ]; then
serial=$(cat ${dir}/serial.txt)
CA_DIR=${dir} openssl ca -config ${conf} -name ca \
-in ${dir}/${name}.csr -out $dir/${name}.crt ${days} \
-keyfile ${dir}/CA_${ca}.key -cert ${dir}/CA_${ca}.crt \
${batch}
if [ ! -f ${dir}/newcerts/${serial}.pem ]; then
exit 0
fi
mv ${dir}/newcerts/${serial}.pem ${dir}/certs/${serial}.pem
#rehash the certificates
for file in ${dir}/certs/*.pem; do ln -s -f $file ${dir}/certs/`openssl x509 -hash -noout -in $file`.0; done
fi
#revoke
if [ -n "$revoke" ]; then
CA_DIR=${dir} openssl ca -config ${conf} -name ca \
-revoke ${dir}/certs/${revoke}.pem \
-keyfile ${dir}/CA_${ca}.key -cert ${dir}/CA_${ca}.crt \
${batch}
fi
#crl
if [ -n "$crl" ]; then
CA_DIR=${dir} openssl ca -config ${conf} -name ca \
-gencrl -out ${dir}/CA_${ca}.crl \
-keyfile ${dir}/CA_${ca}.key -cert ${dir}/CA_${ca}.crt
fi
exit 0
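Review bot: `openssl dhparam -out "$dhfile" 1024` in the dhfile branch produces 1024-bit DH parameters, which are below the commonly accepted 2048-bit minimum and are what the test server will load through `ssl_dhfile`; change it to `openssl dhparam -out "$dhfile" 2048`. The `r=$?` on the following line is always 0 under `set -e`, because a failing openssl has already terminated the script, so the exit code it tries to propagate is never the real one. The `mktemp ... || echo /tmp/burp_ca.tmp.$$` fallback in both the init and request branches degrades to a predictable filename in a shared directory; failing instead, `TEMP=$(mktemp /tmp/burp_ca.tmp.XXXXXXXX) || exit 1`, avoids writing the generated config to a name another user could pre-create. The rehash loop in the sign branch mixes backticks and unquoted `$file`/`${dir}` expansions and would break on paths containing spaces. The header says this file is copied from burp, so these fixes may belong upstream as well as in this fixture.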
# This is an example config file for the burp server.
mode = server
port = 4971
status_port = 4972
directory = @WORKING_DIR@/spool
clientconfdir = @WORKING_DIR@/config/clientconfdir
pidfile = @WORKING_DIR@/config/burp.server.pid
hardlinked_archive = 0
working_dir_recovery_method = delete
max_children = 5
max_status_children = 5
umask = 0022
syslog = 0
stdout = 1
# The following options can restrict what the client can do.
# Note that restore_clients will still be able to do all of these operations,
# except for force_backup.
client_can_delete = 1
# Set client_can_force_backup to 0 to only allow timed backups.
client_can_force_backup = 1
client_can_list = 1
# Set client_can_restore to 0 if you want restores to only be initialised by
# the server.
client_can_restore = 1
client_can_verify = 1
# Ratelimit throttles the send speed. Specified in Megabits per second (Mb/s).
# ratelimit = 1.5
# Network timeout defaults to 7200 seconds (2 hours).
# network_timeout = 7200
# When the client version does not match the server version, log a warning.
# Set to 0 to turn it off.
version_warn = 1
# More configuration files can be read, using syntax like the following
# (without the leading '# ').
# . path/to/more/conf
# Location of autoupgrade files to serve to clients. Leave it commented out
# to not autoupgrade clients.
# autoupgrade_dir = /etc/burp/autoupgrade/server
# You can have as many 'keep' lines as you like.
# For example, if running backups daily, setting 7, 4, 6 will keep
# 7 daily backups, 4 weekly, and 6 four-weekly backups.
keep = 7
# keep = 4
# keep = 6
# Run as different user/group.
# user=graham
# group=nogroup
# CA options.
# If you want your server to be a certificate authority and generate its own
# certificates, uncomment the following lines. If the directory specified in
# ca_conf does not exist, the server will create, populate it, and the paths
# indicated by ssl_cert_ca, ssl_cert, ssl_key and ssl_dhfile below will be
# overwritten. See docs/burp_ca.txt for more information.
ca_conf = @WORKING_DIR@/config/CA/CA.cnf
ca_name = burpCA
ca_server_name = burpserver
ca_burp_ca = @WORKING_DIR@/config/CA/burp_ca
# SSL certificate authority - same file on both server and client
ssl_cert_ca = @WORKING_DIR@/config/ssl_cert_ca.pem
# Server SSL certificate
ssl_cert = @WORKING_DIR@/config/ssl_cert-server.pem
# Server SSL key
ssl_key = @WORKING_DIR@/config/ssl_cert-server.key
# Server SSL ciphers
#ssl_ciphers =
# SSL key password
ssl_key_password = password
# Server DH file.
ssl_dhfile = @WORKING_DIR@/config/dhfile.pem
timer_script = @WORKING_DIR@/config/timer_script
# Ensure that 20 hours elapse between backups
# Available units:
# s (seconds), m (minutes), h (hours), d (days), w (weeks), n (months)
timer_arg = 20h
# Allow backups to start in the evenings and nights during weekdays
timer_arg = Mon,Tue,Wed,Thu,Fri,00,01,02,03,04,05,19,20,21,22,23
# Allow more hours at the weekend.
timer_arg = Sat,Sun,00,01,02,03,04,05,06,07,08,17,18,19,20,21,22,23
# Note that, if you specify no timebands, the default timer script will never
# allow backups.
# Uncomment the notify_success_* lines for email notifications of backups that
# succeeded.
# In the subject line, the following are substituted:
# %b - "backup"/"restore"/"verify"
# %c - client name
# %w - number of warnings, if any
#notify_success_script = /etc/burp/notify_script
#notify_success_arg = sendmail -t
#notify_success_arg = To: youremail@example.com
#notify_success_arg = From: burp
#notify_success_arg = Subject: %b succeeded: %c %w
# Uncomment the following to have success notifications only if there were
# warnings.
#notify_success_warnings_only = 1
# Uncomment the following to have success notifications only if there were
# new or changed files.
#notify_success_changes_only = 1
# Uncomment the following for email notifications of backups that failed.
#notify_failure_script = /etc/burp/notify_script
#notify_failure_arg = sendmail -t
#notify_failure_arg = To: youremail@example.com
#notify_failure_arg = From: burp
#notify_failure_arg = Subject: %b failed: %c %w
# The server can run scripts on each connection after authentication and before
# disconnecting.
#server_script_pre = /etc/burp/ssl_extra_checks_script
#server_script_pre_arg = /etc/burp/crl
#server_script_pre_arg = /etc/burp/burp-server.conf
#server_script_pre_arg = /etc/burp/server-pre-script.local
# Set server_script_pre_notify to 1 to have notifications on server_script_pre
# returning non-zero. Most people will want to leave this off - it could
# result in a lot of emails because clients normally connect once every 20
# minutes. Requires notify_failure_script to be set above.
#server_script_pre_notify = 0
#server_script_post =
#server_script_post_arg =
#server_script_post_arg =
#server_script_post_run_on_fail=0
# As for server_script_pre_notify, but for post.
#server_script_post_notify = 0
# Clients that are able to list and restore files belonging to any other
# client. If this is too permissive, you may set a restore_client for
# individual original clients in the individual clientconfdir files.
# restore_client = someclient
# restore_client = someotherclient
# If you add at least one 'include=' line, the server will override the
# rest of the client options below, which define exactly what to backup.
# Setting any of the other options here will then also take effect on the
# client.
# (This file needs to be included in the clientconfdir file for the client,
# using the '. path/to/this/file' syntax. Alternatively, these options can
# be added to the clientconfdir file directly).
# include=/home
# exclude=/home/dontwant
# exclude_ext=vdi
# exclude_regex=/\.cache/
# exclude_fs=tmpfs
# exclude_comp=gz
# min_file_size=0
# max_file_size=0
# cross_filesystem=/some/path
# cross_all_filesystems=0
# nobackup=.nobackup
# read_fifo=/some/path/to/a/fifo
# read_all_fifos=0
# split_vss=1
# strip_vss=0
password = abcdefgh
# More configuration files can be read, using syntax like the following
# (without the leading '# ').
. incexc/example
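Review bot: `ssl_key_password = password` and `password = abcdefgh` are hard-coded credentials in a configuration the test server actually loads; a comment such as `# test fixture only - throwaway values, never reuse in a real deployment` next to them makes clear they are not meant to be copied. The trailing `. incexc/example` include is a relative path, so confirm that test/burp/config contains incexc/example after the `cp -a` in the test script, since a missing include is likely to make the server fail at startup. `timer_script = @WORKING_DIR@/config/timer_script` depends on the execute bit surviving the copy, which `cp -a` preserves but a plain `cp -r` would not.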
#!/usr/bin/env bash
#
# Script that determines whether it is time to run a backup.
echo "Running timer script: $@"
client="$1" ; shift
current="$1" ; shift
storage_dir="$1" ; shift
reserved1="$1" ; shift
reserved2="$1" ; shift
interval="$1" ; shift
timestamp="$current/timestamp"
# A 'backup' file placed in the storage directory tells this script that
# a backup needs to be done right now.
# This gives the 'server initiates a manual backup' feature.
manual_file="$storage_dir/$client/backup"
if [ -f "$manual_file" ] ; then
echo "Found $manual_file"
echo "Do a backup of $client now"
rm -f "$manual_file"
exit 0
fi
# The rest of the arguments, if any, should be timebands.
# Set LANG=C and LC_TIME=C so that 'date' returns English day names.
curdayhour=$(LANG=C LC_TIME=C date +"*%a*%H*")
intimeband=0 # If no timebands given, default to not OK.
while [ "$#" -gt 0 ] ; do
intimeband=0
timeband="$1"
case "$timeband" in
$curdayhour)
echo "In timeband: $timeband"
intimeband=1
break
;;
*)
echo "Out of timeband: $timeband"
;;
esac
shift
done
get_intervals()
{
if [ ! -e "$current" ] ; then
echo "No prior backup of $client"
return 0
fi
if [ ! -f "$timestamp" ] ; then
echo "$0: Timestamp file missing for $client."
return 0
fi
if [ -z "$interval" ] ; then
echo "$0: No time interval given for $client."
return 0
fi
case "$interval" in
[0-9]*s) i=${interval%s*} ; intervalsecs=$i ;;
[0-9]*m) i=${interval%m*} ; intervalsecs=$((i*60)) ;;
[0-9]*h) i=${interval%h*} ; intervalsecs=$((i*60*60)) ;;
[0-9]*d) i=${interval%d*} ; intervalsecs=$((i*60*60*24)) ;;
[0-9]*w) i=${interval%w*} ; intervalsecs=$((i*60*60*24*7)) ;;
[0-9]*n) i=${interval%n*} ; intervalsecs=$((i*60*60*24*7*30)) ;;
*) echo "$0: interval $interval not understood for $client."
return 0 ;;
esac
if [ -z "$intervalsecs" ] ; then
echo "$0: interval $interval not understood for $client."
return 0
fi
read junk ts < "$timestamp"
if ! secs=$(LANG=C LC_TIME=C date +%s -d "$ts") \
|| ! now=$(LANG=C LC_TIME=C date +"%Y-%m-%d %H:%M:%S") \
|| ! nowsecs=$(LANG=C LC_TIME=C date +%s -d "$now")
then
echo "$0: Date command returned error for $client."
return 0
fi
min_timesecs=$((secs+intervalsecs))
# GNU coreutils 'date' command should accept the following (even
# slightly old versions).
if ! min_time=$(LANG=C LC_TIME=C date -d "Jan 1, 1970 00:00:00 +0000 + $min_timesecs seconds" +"%Y-%m-%d %H:%M:%S")
then
# FreeBSD 'date' will return an error with the above, so try
# a version that FreeBSD 'date' should be happy with.
if ! min_time=$(LANG=C LC_TIME=C date -r $min_timesecs +"%Y-%m-%d %H:%M:%S")
then
echo "$0: Date command returned error for $client."
return 0
fi
fi
echo "Last backup: $ts"
echo "Next after : $min_time (interval $interval)"
return 1
}
if [ "$intimeband" = "0" ] ; then
get_intervals
exit 1
fi
if get_intervals ; then
echo "Do a backup of $client now."
exit 0
fi
if [ "$min_timesecs" -lt "$nowsecs" ] ; then
echo "$min_time < $now."
echo "Do a backup of $client now."
exit 0
fi
echo "Not yet time for a backup of $client"
exit 1
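Review bot: The `n` case in get_intervals computes `intervalsecs=$((i*60*60*24*7*30))`, i.e. 30 weeks, while burp.conf in this same commit documents the unit as `n (months)`; if a month is intended the line should read `intervalsecs=$((i*60*60*24*30))`. `read junk ts < "$timestamp"` should be `read -r junk ts < "$timestamp"` so a backslash in the timestamp file is not interpreted. `$min_timesecs` in the FreeBSD `date -r` fallback is the one unquoted expansion in the function; quoting it keeps the script consistent. This script looks like it is taken from upstream burp, in which case the interval fix belongs there too.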
......@@ -39,9 +39,9 @@ update
[ $ISROOT -eq 1 ] && apt-get install -y uthash-dev g++ make libssl-dev librsync-dev
echo "downloading and compiling burp v${BURP_VERSION}"
OLD_PWD=`pwd`
TEMP=$(mktemp -d)
cd $TEMP
ROOT_PWD=`pwd`
BURP_DIR=$(mktemp -d)
cd $BURP_DIR
git clone $BURP
cd burp
......@@ -49,8 +49,19 @@ git checkout tags/${BURP_VERSION}
./configure --disable-ipv6
make
cd $OLD_PWD
rm -rf $TEMP
cd $ROOT_PWD
WORKING_DIR=$(mktemp -d)
echo "copying configuration files"
cp -a test/burp/config $WORKING_DIR/
sed -i "s|@WORKING_DIR@|${WORKING_DIR}|" $WORKING_DIR/config/burp.conf
sed -i "s|@WORKING_DIR@|${WORKING_DIR}|" $WORKING_DIR/config/CA/CA.cnf
echo "launching background burp-server"
$BURP_DIR/burp/src/burp -F -c $WORKING_DIR/config/burp.conf -g
$BURP_DIR/burp/src/burp -F -c $WORKING_DIR/config/burp.conf &
BURP_PID=$?
##echo "install lib devel..."
##apt-get update
......@@ -78,7 +89,11 @@ pip install -r test-requirements.txt
nosetests --with-coverage --cover-package=burpui test/test_burpui.py
ret=$?
echo "cleanup"
deactivate
kill $BURP_PID
rm -rf $BURP_DIR
rm -rf $WORKING_DIR
echo "That's it!"
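Review bot: `BURP_PID=$?` right after the backgrounded `burp -F -c ... &` stores the exit status of launching the job (0), not its process id; the cleanup hunk then runs `kill $BURP_PID`, and `kill 0` signals the script's own process group rather than the server. Use `BURP_PID=$!` on that line. In the cleanup hunk, `rm -rf $BURP_DIR` and `rm -rf $WORKING_DIR` would be safer as `rm -rf -- "${BURP_DIR:?}"` and `rm -rf -- "${WORKING_DIR:?}"`, so an unset variable aborts instead of expanding to an empty argument. The two `sed -i` lines patch only burp.conf and CA.cnf; confirm no other file under test/burp/config carries the `@WORKING_DIR@` placeholder. The surrounding script starts and ends outside these hunks.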
[Global]
# On which port is the application listening
port: 5001
# On which address is the application listening
# '::' is the default for all IPv6
bind: ::
# enable SSL
ssl: false
# ssl cert
sslcert: /etc/burp/ssl_cert-server.pem
# ssl key
sslkey: /etc/burp/ssl_cert-server.key
# burp server version (currently only burp 1.x is implemented)
version: 1
# Handle multiple bui-servers or not
# If set to 'false', you will need to declare at least one 'Agent' section (see
# bellow)
standalone: true
# authentication plugin (mandatory)
# list the misc/auth directory to see the available backends
# to disable authentication you can set "auth: none"
auth: basic
[UI]
# refresh interval of the pages in seconds
refresh: 15
# burp1 backend specific options
[Burp1]
# burp status address (can only be '127.0.0.1' or '::1'
bhost: ::1
# burp status port