<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:arial,sans-serif"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jun 27, 2023 at 12:19 PM Aaron Conole <<a href="mailto:aconole@redhat.com">aconole@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="mailto:jspewock@iol.unh.edu" target="_blank">jspewock@iol.unh.edu</a> writes:<br>
<br>
> From: Jeremy Spewock <<a href="mailto:jspewock@iol.unh.edu" target="_blank">jspewock@iol.unh.edu</a>><br>
><br>
> Adds a method that follows the process for renewing your jwt according<br>
> to NIST API documentation. This way, if there are load issues and it<br>
> takes too long to get vectors back with multi-algorithm testing, the<br>
> script will always handle the jwt expiring.<br>
><br>
> Also added a maximum number of renewals so that the script cannot run<br>
> infinitely.<br>
><br>
> Signed-off-by: Jeremy Spewock <<a href="mailto:jspewock@iol.unh.edu" target="_blank">jspewock@iol.unh.edu</a>><br>
> ---<br>
<br>
Hi Jeremy,<br>
<br>
Thanks for the changes, it is much easier to follow now.<br>
<br>
I ran this through 'black' and it did flag a few of your changes, but<br>
I don't think it is an issue here because they are single quote<br>
vs. double quote usage, and the usage you have is consistent with the<br>
rest of the file.<br>
<br>
> tools/acvp/acvp_tool.py | 71 ++++++++++++++++++++++++++++++++++++-----<br>
> 1 file changed, 63 insertions(+), 8 deletions(-)<br>
> mode change 100755 => 100644 tools/acvp/acvp_tool.py<br>
<br>
Was this mode change intentional? I guess it must not be since the<br>
README advocates usage as:<br>
<br>
acvp_tool.py --request $DOWNLOAD_PATH<br>
<br>
I can fix on apply if you confirm.<br></blockquote><div><br></div><div><div style="font-family:arial,sans-serif" class="gmail_default">Great catch, you're right, this was not something I meant to change. I noticed there was a conflict with file modes when I was creating and testing the patch and I thought I fixed it to be the right one before submitting but I suppose I did it in reverse. <br></div><br></div><div style="font-family:arial,sans-serif" class="gmail_default">if you could fix it what would be appreciated, thank you.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
> diff --git a/tools/acvp/acvp_tool.py b/tools/acvp/acvp_tool.py<br>
> old mode 100755<br>
> new mode 100644<br>
> index 40d2f2f..a28760d<br>
> --- a/tools/acvp/acvp_tool.py<br>
> +++ b/tools/acvp/acvp_tool.py<br>
> @@ -1,7 +1,7 @@<br>
> #!/usr/bin/env python3<br>
> <br>
> # SPDX-License-Identifier: BSD-3-Clause<br>
> -# Copyright 2022 The University of New Hampshire<br>
> +# Copyright 2023 The University of New Hampshire<br>
> <br>
> import hashlib<br>
> import sys<br>
> @@ -36,6 +36,8 @@ class ACVPProxy:<br>
> self.totp_path: str = totp_path<br>
> self.login_data: Optional[Dict[str, Any]] = None<br>
> self.session_data: Optional[Dict[str, Any]] = None<br>
> + self.retries: int = 0<br>
> + self.max_retries: int = 2<br>
> <br>
> with open(config_path, 'r') as f:<br>
> self.config: Any = json.load(f)<br>
> @@ -70,7 +72,13 @@ class ACVPProxy:<br>
> cert=self.cert,<br>
> headers={'Authorization': f'Bearer {token}'}<br>
> )<br>
> - if not response.ok:<br>
> + if response.status_code == 401:<br>
> + if self.__renew_jwt():<br>
> + token = self.session_data['jwt']<br>
> + continue<br>
> + logging.error("Failed to renew expired jwt")<br>
> + return None<br>
> + elif not response.ok:<br>
> logging.error(f'Failed to fetch vector set {url}')<br>
> logging.error(json.dumps(response.json(), indent=4))<br>
> return None<br>
> @@ -85,6 +93,35 @@ class ACVPProxy:<br>
> <a href="http://logging.info" rel="noreferrer" target="_blank">logging.info</a>(f'Downloaded vector set {url}')<br>
> return vector_set_json<br>
> <br>
> + def __renew_jwt(self) -> bool:<br>
> + """Renews the jwt in session_data.<br>
> +<br>
> + JWTs provided by the NIST API last 30 minutes which can cause this<br>
> + script to fail even with good data. This method renews the jwt using<br>
> + the login endpoint.<br>
> +<br>
> + @return: True if successfully renewed token<br>
> + """<br>
> + if self.retries >= self.max_retries:<br>
> + logging.error("Maximum number of jwt renewals has been reached.")<br>
> + return False<br>
> + response = <a href="http://requests.post" rel="noreferrer" target="_blank">requests.post</a>(<br>
> + url=f'{self.config["url"]}/acvp/v1/login',<br>
> + json=[<br>
> + {'acvVersion': '1.0'},<br>
> + {<br>
> + 'password': self.__get_totp(),<br>
> + 'accessToken': self.session_data["jwt"]<br>
> + }<br>
> + ],<br>
> + cert=self.cert,<br>
> + )<br>
> + if response.ok:<br>
> + self.retries += 1<br>
> + self.session_data["jwt"] = response.json()[1].pop("accessToken")<br>
> + return True<br>
> + return False<br>
> +<br>
> def login(self) -> bool:<br>
> """Log into the API server.<br>
> <br>
> @@ -178,6 +215,12 @@ class ACVPProxy:<br>
> 'Authorization': f'Bearer {self.session_data["jwt"]}'<br>
> }<br>
> )<br>
> + if result.status_code == 401:<br>
> + if self.__renew_jwt():<br>
> + write_data[0]["jwt"] = self.session_data["jwt"]<br>
> + continue<br>
> + logging.error("Failed to renew jwt")<br>
> + return None<br>
> version, result_json = result.json()<br>
> if 'retry' in result_json:<br>
> duration = result_json['retry']<br>
> @@ -208,7 +251,19 @@ class ACVPProxy:<br>
> headers={'Authorization': f'Bearer {self.session_data["jwt"]}'}<br>
> )<br>
> <br>
> - if not response.ok:<br>
> + if response.status_code == 401:<br>
> + if self.__renew_jwt():<br>
> + response = <a href="http://requests.post" rel="noreferrer" target="_blank">requests.post</a>(<br>
> + f'{self.config["url"]}{session_url}/vectorSets/'<br>
> + f'{vector_set["vsId"]}/results',<br>
> + json=[version, vector_set],<br>
> + cert=self.cert,<br>
> + headers={'Authorization': f'Bearer {self.session_data["jwt"]}'}<br>
> + )<br>
> + else:<br>
> + logging.error("Failed to renew jwt")<br>
> + return False<br>
> + elif not response.ok:<br>
> has_error = True<br>
> logging.error(f'Could not upload vector set response for '<br>
> f'vector set ID {vector_set["vsId"]}.')<br>
> @@ -239,13 +294,13 @@ def main(request_path: Optional[str],<br>
> config_path=config_path,<br>
> )<br>
> <br>
> - <a href="http://logging.info" rel="noreferrer" target="_blank">logging.info</a>('Attempting to log in...')<br>
> - if not proxy.login():<br>
> - logging.error('Could not log in.')<br>
> - sys.exit(1)<br>
> - <a href="http://logging.info" rel="noreferrer" target="_blank">logging.info</a>('Successfully logged in.')<br>
> <br>
> if request_path:<br>
> + <a href="http://logging.info" rel="noreferrer" target="_blank">logging.info</a>('Attempting to log in...')<br>
> + if not proxy.login():<br>
> + logging.error('Could not log in.')<br>
> + sys.exit(1)<br>
> + <a href="http://logging.info" rel="noreferrer" target="_blank">logging.info</a>('Successfully logged in.')<br>
> <a href="http://logging.info" rel="noreferrer" target="_blank">logging.info</a>('Creating a new test session and downloading vectors...')<br>
> test_session = proxy.register()<br>
> if not test_session:<br>
<br>
</blockquote></div></div>