Merge branch 'py3' into develop

* py3:
  make echo actually show information
  fix linting for hubble_status object
  various bad escape fixes
  pylint changes to make signing pass
  pylint changes
  let's make pylint non-optional
  not really py3 related test bugfixes
  logging is a built-in. It should not be in reqs
  still no good
  update jenkins test image
  avoid checking signatures on None type "files"
  minor fix for s3fs. Sometimes _init() gives None
  important bugfix for s3fs (binary pickles)
  fix minor clean-install bug with configfile permissions
  additional changes needed for py3 branch
  more python 3 changes needed — why in this merge though??
  Basic signing for roots, s3fs and azurefs (untested)
  fix error in sqlite returner
  add a few more options
  add args, byte dumps, pretty-print dumps, and colorized dumps
  This seems handy.
  clean up test for correctness
  some short names should just be short names
  add the tests for the current problem and fixes for it
  clean up test for correctness
  clean up test for pylint
  fix bug in hubblestack_nova/openssl.py caused by strptime
  fix py3 audit bug
  do the 3.6.10 thing
  test the hec obj a little more
  make some minor repairs to the hec.dq
  py3 is pickier about comparisons in sorted
  platform.linux_distribution & platform.dist replaced with distro
  Update nova_loader.py
  fix error when running hubble without -v
  remove unnecessary conversion to list
  change syntax to make it compatible with python 3
  do the 3.6.10 thing
  test the hec obj a little more
  make some minor repairs to the hec.dq
  py3 is pickier about comparisons in sorted
  fix audit file
  fix changes
  platform.linux_distribution & platform.dist replaced with distro
  Update nova_loader.py
  fix error when running hubble without -v
  remove unnecessary conversion to list
  change syntax to make it compatible with python 3

Author: jettero

.gitignore

@@ -123,3 +123,12 @@ relevant-files.txt
 # sometimes when I stop docker with a sigquit, hubble drops core (??)
 core
 core.*
+
+# contrib/gen-pretend-certs.sh data dumptory
+.pretend-certs
+MANIFEST
+SIGNATURE
+test-*.file
+
+# certificate bundles for binary distributions
+pre_packaged_certificates.py

.pipeline

@@ -1,5 +1,5 @@
 
-def imgname = 'hubblestack/jenkins:centos-v1.0.8'
+def imgname = 'hubblestack/jenkins:centos-v1.0.14'
 
 pipeline {
     agent { docker { image "${imgname}" } }
@@ -13,15 +13,21 @@ pipeline {
     environment {
         PY_COLORS = 1
         HS_PROFILE = 1
+        TEST_PY_V = '3.6.10'
     }
 
     stages {
         stage('setup') {
             steps {
+                sh '''#!/bin/bash
+                    git clean -dfx
+                    '''
                 sh '''#!/bin/bash
                     source /etc/profile.d/kersplat.sh
-                    pyenv local $PY_V
-                    pyenv shell $PY_V
+                    export PY_V="$TEST_PY_V"
+                    pyenv local $TEST_PY_V
+                    pyenv shell $TEST_PY_V
+                    echo "pyenv version-name: $(pyenv version-name)"
                     set -x -e
                     rm -rf vlib venv .pytest_cache
                     pip install --cache-dir ./pip.cache -t ./vlib virtualenv
@@ -37,9 +43,9 @@ pipeline {
                     /usr/bin/git fetch --no-tags --progress https://github.com/hubblestack/hubble.git +refs/heads/develop:refs/remotes/origin/develop
                     echo git branch -vva
                     git branch -vva
-                    echo "LHS=$LHS RHS=$RHS"
                     LHS="origin/${CHANGE_TARGET:-develop}"
                     RHS="${BRANCH_NAME:+origin/}${BRANCH_NAME:-HEAD}"
+                    echo "LHS=$LHS RHS=$RHS"
                     if [[ $(git show -s --format='%s%n%b' "${LHS}..${RHS}") =~ LINT-FULL ]]
                     then find hubblestack -name "*.py"
                     else find hubblestack -name "*.py" -print0 | xargs -r0 git diff --name-only "$LHS" "$RHS"
@@ -63,16 +69,14 @@ pipeline {
                 }
                 stage('pylint') {
                     steps {
-                        catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
-                            sh '''#!/bin/bash
-                                source ./venv/bin/activate
-                                < relevant-files.txt  xargs -r pylint --output-format=json \
-                                    > tests/unittests/output/pylint.json
-                                x=$?
-                                python ./tests/automation/pylint-json-to-html tests/unittests/output/pylint.json
-                                exit $x
-                                '''
-                        }
+                        sh '''#!/bin/bash
+                            source ./venv/bin/activate
+                            < relevant-files.txt  xargs -r pylint --output-format=json \
+                                > tests/unittests/output/pylint.json
+                            x=$?
+                            python ./tests/automation/pylint-json-to-html tests/unittests/output/pylint.json
+                            exit $x
+                            '''
                     }
                 }
                 stage('bandit') {

contrib/gen-pretend-certs.py

@@ -0,0 +1,227 @@
+#!/usr/bin/env python
+# coding: UTF-8
+
+import six
+import os
+import shutil
+import argparse
+import datetime
+
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import rsa, ed448, ed25519
+from cryptography.x509.oid import NameOID
+
+DEFAULT_PDIR = '.pretend-certs'
+
+def genkey(key_type='rsa', rsa_key_size=1024, rsa_public_exponent=65537, **args):
+    if key_type == 'rsa':
+        return rsa.generate_private_key(
+            public_exponent=rsa_public_exponent,
+            key_size=rsa_key_size, backend=default_backend())
+    elif key_type == 'ed448':
+        return ed448.Ed448PrivateKey.generate()
+    elif key_type == 'ed25519':
+        return ed25519.Ed25519PrivateKey.generate()
+    raise ValueError('Unknown key_type={}'.format(key_type))
+
+def as_pem(key):
+    if isinstance(key, (rsa.RSAPrivateKey, ed448.Ed448PrivateKey, ed25519.Ed25519PrivateKey)):
+        return key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.PKCS8,
+            encryption_algorithm=serialization.NoEncryption())
+    elif isinstance(key, (rsa.RSAPublicKey, ed448.Ed448PublicKey, ed25519.Ed25519PublicKey)):
+        return key.public_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo)
+    elif isinstance(key, x509.Certificate):
+        return key.public_bytes(encoding=serialization.Encoding.PEM)
+    raise ValueError('Unhandled key class {}'.format(type(key)))
+
+class Authority:
+    def __init__(self, key, crt):
+        self.key = key
+        self.crt = crt
+
+def gen_CA(fname='ca-root', cn='ca-root', path_length=0, authority=None, pdir=DEFAULT_PDIR, **args):
+    private_key = genkey(**args)
+    public_key  = private_key.public_key()
+
+    with open(os.path.join(pdir, fname + '.key'), 'w') as fh:
+        fh.write( as_pem(private_key) )
+
+    with open(os.path.join(pdir, fname + '.unsigned'), 'w') as fh:
+        fh.write( as_pem(public_key) )
+
+    ksec_100 = datetime.timedelta(0, 100e3, 0)
+    Msec_300 = datetime.timedelta(0, 300e6, 0)
+
+    builder = x509.CertificateBuilder()
+
+    subject = issuer = x509.Name([
+        x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'State'),
+        x509.NameAttribute(NameOID.LOCALITY_NAME, u'City'),
+        x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
+        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Group'),
+        x509.NameAttribute(NameOID.COMMON_NAME, six.text_type(cn)),
+    ])
+
+    if authority:
+        issuer = authority.crt.subject
+
+    builder = builder.subject_name(subject)
+    builder = builder.issuer_name(issuer)
+    builder = builder.not_valid_before(datetime.datetime.today() - ksec_100)
+    builder = builder.not_valid_after(datetime.datetime.today() + Msec_300)
+    builder = builder.serial_number(x509.random_serial_number())
+    builder = builder.public_key(public_key)
+
+    authority_public_key = authority.crt.public_key() if authority else public_key
+    builder = builder.add_extension(
+        x509.AuthorityKeyIdentifier.from_issuer_public_key(authority_public_key), critical=False
+    )
+    builder = builder.add_extension(
+        x509.SubjectKeyIdentifier.from_public_key(public_key), critical=False
+    )
+    builder = builder.add_extension(
+        x509.BasicConstraints(ca=True, path_length=path_length), critical=True,
+    )
+    builder = builder.add_extension(
+        x509.KeyUsage(
+            digital_signature=True,
+            key_cert_sign=True,
+            crl_sign=False,
+            key_agreement=False,
+            key_encipherment=False,
+            content_commitment=False,
+            data_encipherment=False,
+            encipher_only=False,
+            decipher_only=False,
+        ), critical=True
+    )
+
+    signing_args = {
+        'private_key': authority.key if authority else private_key,
+        'backend': default_backend(),
+        'algorithm': None,
+    }
+
+    if isinstance(signing_args['private_key'], rsa.RSAPrivateKey):
+        signing_args['algorithm'] = hashes.SHA256()
+
+    certificate = builder.sign(**signing_args)
+
+    with open(os.path.join(pdir, fname + '.crt'), 'w') as fh:
+        fh.write( as_pem(certificate) )
+
+    return Authority(private_key, certificate)
+
+def gen_leaf(authority, fname_template='{}', cn='Certy Cert McCertFace', pdir=DEFAULT_PDIR, **args):
+    private_key = genkey(**args)
+    public_key  = private_key.public_key()
+
+    private_name = fname_template.format('private')
+    public_name = fname_template.format('public')
+
+    with open(os.path.join(pdir, private_name + '.key'), 'w') as fh:
+        fh.write( as_pem(private_key) )
+
+    with open(os.path.join(pdir, public_name + '.unsigned'), 'w') as fh:
+        fh.write( as_pem(public_key) )
+
+    ksec_100 = datetime.timedelta(0, 100e3, 0)
+    Msec_300 = datetime.timedelta(0, 300e6, 0)
+
+    builder = x509.CertificateBuilder()
+    subject = x509.Name([
+        x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'State'),
+        x509.NameAttribute(NameOID.LOCALITY_NAME, u'City'),
+        x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
+        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Group'),
+        x509.NameAttribute(NameOID.COMMON_NAME, six.text_type(cn)),
+    ])
+
+    builder = builder.subject_name(subject)
+    builder = builder.issuer_name(authority.crt.subject)
+    builder = builder.not_valid_before(datetime.datetime.today() - ksec_100)
+    builder = builder.not_valid_after(datetime.datetime.today() + Msec_300)
+    builder = builder.serial_number(x509.random_serial_number())
+    builder = builder.public_key(public_key)
+
+    authority_public_key = authority.crt.public_key()
+    # this would pin us to exactly one issuer; without it, any matching issuer
+    # CN should do the trick
+    # builder = builder.add_extension(
+    #     x509.AuthorityKeyIdentifier.from_issuer_public_key(authority_public_key), critical=False
+    # )
+    builder = builder.add_extension(
+        x509.SubjectKeyIdentifier.from_public_key(public_key), critical=False
+    )
+    builder = builder.add_extension(
+        x509.KeyUsage(
+            digital_signature=True,
+            data_encipherment=True,
+            content_commitment=True,
+            key_cert_sign=False,
+            crl_sign=False,
+            key_agreement=False,
+            key_encipherment=False,
+            encipher_only=False,
+            decipher_only=False,
+        ), critical=True
+    )
+
+    signing_args = {
+        'private_key': authority.key,
+        'backend': default_backend(),
+        'algorithm': None,
+    }
+
+    if isinstance(signing_args['private_key'], rsa.RSAPrivateKey):
+        signing_args['algorithm'] = hashes.SHA256()
+
+    certificate = builder.sign(**signing_args)
+
+    with open(os.path.join(pdir, public_name + '.crt'), 'w') as fh:
+        fh.write( as_pem(certificate) )
+
+    return Authority(private_key, certificate)
+
+def main(root_cn, int1_cn, int2_cn, **args):
+    if os.path.isdir(args['pdir']):
+        shutil.rmtree(args['pdir'])
+    os.mkdir(args['pdir'])
+
+    ca  = gen_CA(cn=root_cn, fname='ca-root', path_length=1, **args)
+    ia1 = gen_CA(cn=int1_cn, fname='intermediate-1', authority=ca, path_length=0, **args)
+    ia2 = gen_CA(cn=int2_cn, fname='intermediate-2', authority=ca, path_length=0, **args)
+
+    lf1 = gen_leaf(cn='Certy Cert #1', fname_template='{}-1', authority=ia1, **args)
+    lf2 = gen_leaf(cn='Certy Cert #2', fname_template='{}-2', authority=ia2, **args)
+
+    with open(os.path.join(args['pdir'], 'bundle.pem'), 'w') as ofh:
+        for i in range(1,3):
+            with open(os.path.join(args['pdir'], 'intermediate-{}.crt'.format(i)), 'r') as ifh:
+                ofh.write(ifh.read())
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser( # description='this program',
+        formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+    parser.add_argument('-v', '--verbose', action='store_true')
+    parser.add_argument('-o', '--output-dir', dest='pdir', type=str, default=DEFAULT_PDIR)
+    parser.add_argument('-R', '--root-cn', type=six.text_type, default='car.hubblestack.io')
+    parser.add_argument('-I', '--int1-cn', type=six.text_type, default='ia1.hubblestack.io')
+    parser.add_argument('-J', '--int2-cn', type=six.text_type, default='ia2.hubblestack.io')
+    parser.add_argument('-t', '--key-type', type=six.text_type,
+        choices=['rsa', 'ed448', 'ed25519'], default='rsa')
+    parser.add_argument('-z', '--rsa-key-size', type=int, default=1024)
+    parser.add_argument('-p', '--rsa-public-exponent', type=int, default=65537)
+
+    args = parser.parse_args()
+
+    try: main(**args.__dict__)
+    except KeyboardInterrupt: pass

doc/conf.py

@@ -50,9 +50,9 @@
 master_doc = 'index'
 
 # General information about the project.
-project = u'HubbleStack'
-copyright = u'2018, Colton Myers, Christer Edwards'
-author = u'Colton Myers, Christer Edwards'
+project = 'HubbleStack'
+copyright = '2018, Colton Myers, Christer Edwards'
+author = 'Colton Myers, Christer Edwards'
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
@@ -140,8 +140,8 @@
 # (source start file, target name, title,
 #  author, documentclass [howto, manual, or own class]).
 latex_documents = [
-    (master_doc, 'HubbleStack.tex', u'HubbleStack Documentation',
-     u'Colton Myers, Christer Edwards', 'manual'),
+    (master_doc, 'HubbleStack.tex', 'HubbleStack Documentation',
+     'Colton Myers, Christer Edwards', 'manual'),
 ]
 
 
@@ -150,7 +150,7 @@
 # One entry per manual page. List of tuples
 # (source start file, name, description, authors, manual section).
 man_pages = [
-    (master_doc, 'hubblestack', u'HubbleStack Documentation',
+    (master_doc, 'hubblestack', 'HubbleStack Documentation',
      [author], 1)
 ]
 
@@ -161,7 +161,7 @@
 # (source start file, target name, title, author,
 #  dir menu entry, description, category)
 texinfo_documents = [
-    (master_doc, 'HubbleStack', u'HubbleStack Documentation',
+    (master_doc, 'HubbleStack', 'HubbleStack Documentation',
      author, 'HubbleStack', 'One line description of project.',
      'Miscellaneous'),
 ]