On 07. 11. 18 at 16:39 Christopher Hofmann wrote:
> Hi YaSTees!
> 
> I had a deeper look into Ladislav's REST API and I found it very
> flexible and easy to use - and furthermore very straightforward and easy
> to enhance.

The advantage of the REST API is that it's not bound to any specific language or
testing framework, you can easily write a small wrapper for rspec, cucumber, ... or
openQA ;-)

> It looks as the most promising approach for using it in openQA for
> testing YaST.

Great! Thank you for looking into it!

> Now the question arises how we can proceed with it and what we actually
> need to do to get it integrated in YaST's master branch.
> 
> The benefit we get when integrating it in mainline YaST is that we are
> able to test unmodified YaST as it is also shipped to the
> user. Testing a modified system is not really useful as it may behave
> differently from the unmodified system.

It should be part of the system, patching the installer for testing is not a nice
solution.

> Possible downsides of the permanent integration would be
> -> more dependencies bloat the instsys
> Additional dependencies are:
> libjsoncpp19    216.7 KiB
> libmicrohttpd12 145.1 KiB
> so overall ~360 KiB - not too much

Yes, the overhead is pretty small, just two small libs. Optionally we could place it
in a separate inst-sys image and load it on demand, like we already do for gdb. But
it's much bigger (~20MiB), these few kilobytes should be OK even in the default
image.

> -> Opening ports on a system is always a risk. We potentially open a
> security hole when this is part of every customer's system.
> Making sure it is only enabled when explicitly adding boot params should
> make it quite safe. Of course we also need a security review before.
> Maybe we should even make user authentication mandatory.

I think sooner or later we would need to add some kind of authentication anyway.
Without it anybody who can connect to the API from the network can become root (e.g.
by sniffing the values entered in the root password dialog). That means you could
safely use it only in an isolated trusted network.

It would be also nice to support HTTPS so you can send or receive e.g. the root
password value in the tests in encrypted form over the network. (There is a small
complication with the server certificate, but nothing unsolvable...)

The SSL and basic authentication features are already supported by the libmicrohttpd
library (see [1] and [2]) so adding these security features should not be
difficult.

> An alternative option would be to only listen on a UNIX socket or on
> localhost. Then it could be used from outside through an ssh connection.

Currently it by default listens only on the localhost (so the REST API is not
reachable from the other hosts). But as written above, for real usage it would be
nice to add some more security features.

> So I think these downsides are not bringing big trouble.
> 
> We could consider if it is possible to make it a kind of plug-in. Can it
> be e.g. be enabled only when both of the libraries above are available
> in the system?

Ideally I'd make it a plugin and distribute it as a completely separate package. This
package would not be installed by default into the target system, but would be
available in the inst-sys. And for enabling you would still need some extra boot
parameter to ensure it's user controlled (not enabled by default or by mistake).

(Of course, it would be nice to have some openQA test which would check that without
the boot option the API port is closed and the API is not active.)

If needed later the plugin could be optionally installed into the target system, e.g.
for the AutoYaST second stage tests or tests in the installed system.

In the past we had support for the libqdialogsolver plugin [3] in libyui-qt-pkg
(already dropped, see [4]). I think we could use a similar solution here.


BTW my plan is to continue with the project in the next HackWeek, if there is some
must-have feature for openQA (I guess that plugin separation) just let me know. :-)

        Ladislav


[1] https://www.gnu.org/software/libmicrohttpd/tutorial.html#Supporting-basic-authentication
[2] https://www.gnu.org/software/libmicrohttpd/tutorial.html#Adding-a-layer-of-security
[3] https://github.com/openSUSE/zypp-dialogsolver
[4] https://github.com/libyui/libyui-qt-pkg/pull/48



-- 
Ladislav Slezák
YaST Developer

SUSE LINUX, s.r.o.
Corso IIa
Křižíkova 148/34
18600 Praha 8
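The thread above makes two checkable claims: the API listens only on localhost by default, and without the boot option the port should be closed entirely. The script below is an added example (not code from the YaST/libyui project or from either poster) of the kind of check such an openQA test could run: it parses the kernel's `/proc/net/tcp` listing to classify the API port as closed, loopback-only, or exposed on a non-loopback address, and can additionally probe the port live. The port number `API_PORT = 9999` and the sample `/proc/net/tcp` contents are constructed placeholders; the real port comes from the API's configuration.

```python
import socket
import struct
from typing import List, NamedTuple

# Assumed placeholder for the REST API port; take the real value from the API config.
API_PORT = 9999


class Listener(NamedTuple):
    ip: str
    port: int


def _decode_addr(hexaddr: str) -> Listener:
    """Decode a '<hex ip>:<hex port>' field from /proc/net/tcp (IPv4 only)."""
    ip_hex, port_hex = hexaddr.split(":")
    # The kernel prints the IPv4 address as one little-endian 32-bit hex word.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return Listener(ip, int(port_hex, 16))


def parse_listeners(proc_net_tcp: str) -> List[Listener]:
    """Return every socket in LISTEN state (st == 0A) from /proc/net/tcp text."""
    listeners = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        if fields[3] == "0A":
            listeners.append(_decode_addr(fields[1]))
    return listeners


def api_exposure(proc_net_tcp: str, port: int = API_PORT) -> str:
    """Classify the API port: 'closed', 'loopback' (127.x only) or 'exposed'."""
    binds = [l for l in parse_listeners(proc_net_tcp) if l.port == port]
    if not binds:
        return "closed"
    if all(l.ip.startswith("127.") for l in binds):
        return "loopback"
    return "exposed"


def live_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Live probe: True if a TCP connect to host:port succeeds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


# Constructed /proc/net/tcp samples (only the columns the parser uses matter).
# 0100007F = 127.0.0.1, 00000000 = 0.0.0.0, 270F = 9999, 0016 = 22, st 0A = LISTEN.
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
SAMPLE_NO_API = HEADER + "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0\n"
SAMPLE_LOOPBACK = SAMPLE_NO_API + "   1: 0100007F:270F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0\n"
SAMPLE_EXPOSED = SAMPLE_NO_API + "   1: 00000000:270F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0\n"

if __name__ == "__main__":
    for name, sample in (("no api", SAMPLE_NO_API), ("loopback", SAMPLE_LOOPBACK), ("exposed", SAMPLE_EXPOSED)):
        print(f"{name:9s} -> {api_exposure(sample)}")
    try:
        with open("/proc/net/tcp") as f:
            print("this host ->", api_exposure(f.read()))
    except OSError:
        print("this host -> /proc/net/tcp not available")
```

In a test, `api_exposure` should return `"closed"` when the boot option is absent and at most `"loopback"` when it is present; `"exposed"` is the regression to fail on. The `/proc/net/tcp` parse is preferred over a connect probe alone because a connect from the same host cannot tell a loopback-only bind from a wildcard bind.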