tests: More explicit errors for OCSP and SCEP
This commit is contained in:
parent
67dcf4a156
commit
098aa5657d
@ -1,4 +1,5 @@
|
|||||||
import click
|
import click
|
||||||
|
import falcon
|
||||||
import hashlib
|
import hashlib
|
||||||
import os
|
import os
|
||||||
from asn1crypto.util import timezone
|
from asn1crypto.util import timezone
|
||||||
@ -14,19 +15,22 @@ from oscrypto.errors import SignatureError
|
|||||||
class OCSPResource(object):
|
class OCSPResource(object):
|
||||||
@whitelist_subnets(config.OCSP_SUBNETS)
|
@whitelist_subnets(config.OCSP_SUBNETS)
|
||||||
def __call__(self, req, resp):
|
def __call__(self, req, resp):
|
||||||
if req.method == "GET":
|
try:
|
||||||
_, _, _, tail = req.path.split("/", 3)
|
if req.method == "GET":
|
||||||
body = b64decode(tail)
|
_, _, _, tail = req.path.split("/", 3)
|
||||||
elif req.method == "POST":
|
body = b64decode(tail)
|
||||||
body = req.stream.read(req.content_length or 0)
|
elif req.method == "POST":
|
||||||
else:
|
body = req.stream.read(req.content_length or 0)
|
||||||
raise falcon.HTTPMethodNotAllowed()
|
else:
|
||||||
|
raise falcon.HTTPMethodNotAllowed()
|
||||||
|
ocsp_req = ocsp.OCSPRequest.load(body)
|
||||||
|
except ValueError:
|
||||||
|
raise falcon.HTTPBadRequest()
|
||||||
|
|
||||||
fh = open(config.AUTHORITY_CERTIFICATE_PATH, "rb") # TODO: import from authority
|
fh = open(config.AUTHORITY_CERTIFICATE_PATH, "rb") # TODO: import from authority
|
||||||
server_certificate = asymmetric.load_certificate(fh.read())
|
server_certificate = asymmetric.load_certificate(fh.read())
|
||||||
fh.close()
|
fh.close()
|
||||||
|
|
||||||
ocsp_req = ocsp.OCSPRequest.load(body)
|
|
||||||
now = datetime.now(timezone.utc)
|
now = datetime.now(timezone.utc)
|
||||||
response_extensions = []
|
response_extensions = []
|
||||||
|
|
||||||
|
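Review bot: The new `else:` branch raises `falcon.HTTPMethodNotAllowed()` with no arguments, but falcon's constructor takes `allowed_methods` as a required positional parameter (true for the 1.x series at least; confirm against the pinned version), so a request with any method other than GET or POST would raise TypeError inside the `try`, which catches only ValueError, and the client would get a 500 instead of the intended 405: `raise falcon.HTTPMethodNotAllowed(["GET", "POST"])`. The POST path still reads `req.content_length or 0` bytes with no upper bound; an OCSP request is a few hundred bytes, so rejecting an oversized declared length before the read (e.g. a module-level `MAX_OCSP_REQUEST_BYTES` and `if (req.content_length or 0) > MAX_OCSP_REQUEST_BYTES: raise falcon.HTTPBadRequest()`) keeps a large declared body from being buffered in memory. The `except ValueError` also discards the parse error; `raise falcon.HTTPBadRequest() from None` makes the suppression explicit. The `__call__` body continues past the hunk.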
@ -39,7 +39,7 @@ class SCEPBadCertId(SCEPError): code = 4
|
|||||||
class SCEPResource(object):
|
class SCEPResource(object):
|
||||||
@whitelist_subnets(config.SCEP_SUBNETS)
|
@whitelist_subnets(config.SCEP_SUBNETS)
|
||||||
def on_get(self, req, resp):
|
def on_get(self, req, resp):
|
||||||
operation = req.get_param("operation")
|
operation = req.get_param("operation", required=True)
|
||||||
if operation.lower() == "getcacert":
|
if operation.lower() == "getcacert":
|
||||||
resp.body = keys.parse_certificate(authority.certificate_buf).dump()
|
resp.body = keys.parse_certificate(authority.certificate_buf).dump()
|
||||||
resp.append_header("Content-Type", "application/x-x509-ca-cert")
|
resp.append_header("Content-Type", "application/x-x509-ca-cert")
|
||||||
|
@ -312,12 +312,6 @@ def test_cli_setup_authority():
|
|||||||
r = requests.get("http://ca.example.lan/api/revoked/")
|
r = requests.get("http://ca.example.lan/api/revoked/")
|
||||||
assert r.status_code == 200, r.text
|
assert r.status_code == 200, r.text
|
||||||
|
|
||||||
# Check that SCEP and OCSP are disabled by default
|
|
||||||
r = requests.get("http://ca.example.lan/api/ocsp/")
|
|
||||||
assert r.status_code == 404, r.text
|
|
||||||
r = requests.get("http://ca.example.lan/api/scep/")
|
|
||||||
assert r.status_code == 404, r.text
|
|
||||||
|
|
||||||
# Test command line interface
|
# Test command line interface
|
||||||
result = runner.invoke(cli, ['list', '-srv'])
|
result = runner.invoke(cli, ['list', '-srv'])
|
||||||
assert not result.exception, result.output
|
assert not result.exception, result.output
|
||||||
@ -1077,13 +1071,13 @@ def test_cli_setup_authority():
|
|||||||
### Test that legacy features are disabled by default ###
|
### Test that legacy features are disabled by default ###
|
||||||
#########################################################
|
#########################################################
|
||||||
|
|
||||||
r = client().simulate_get("/api/scep/")
|
r = requests.get("http://ca.example.lan/api/scep/")
|
||||||
assert r.status_code == 404
|
assert r.status_code == 404
|
||||||
r = client().simulate_get("/api/ocsp/")
|
r = requests.get("http://ca.example.lan/api/ocsp/")
|
||||||
assert r.status_code == 404
|
assert r.status_code == 404
|
||||||
r = client().simulate_post("/api/scep/")
|
r = requests.post("http://ca.example.lan/api/scep/")
|
||||||
assert r.status_code == 404
|
assert r.status_code == 404
|
||||||
r = client().simulate_post("/api/ocsp/")
|
r = requests.post("http://ca.example.lan/api/ocsp/")
|
||||||
assert r.status_code == 404
|
assert r.status_code == 404
|
||||||
|
|
||||||
|
|
||||||
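Review bot: The four rewritten assertions `assert r.status_code == 404` drop the response body from the failure message, while the rest of the file (e.g. `assert r.status_code == 200, r.text` in the hunk at line 312) includes it, so a failure here shows only the status code. Use `assert r.status_code == 404, r.text` on each of the four lines. Since these now go over the network through the ca.example.lan front end rather than falcon's test client, a 404 no longer distinguishes "route not registered" from "front end does not proxy the path", which the body would show. The enclosing test_cli_setup_authority starts and ends outside the hunk.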
@ -1115,6 +1109,9 @@ def test_cli_setup_authority():
|
|||||||
else:
|
else:
|
||||||
os.waitpid(spn_pid, 0)
|
os.waitpid(spn_pid, 0)
|
||||||
|
|
||||||
|
r = requests.get("http://ca.example.lan/api/")
|
||||||
|
assert r.status_code == 502, r.text
|
||||||
|
|
||||||
# Make modifications to /etc/certidude/server.conf so
|
# Make modifications to /etc/certidude/server.conf so
|
||||||
# Certidude would auth against domain controller
|
# Certidude would auth against domain controller
|
||||||
os.system("sed -e 's/ldap uri = ldaps:.*/ldap uri = ldaps:\\/\\/ca.example.lan/g' -i /etc/certidude/server.conf")
|
os.system("sed -e 's/ldap uri = ldaps:.*/ldap uri = ldaps:\\/\\/ca.example.lan/g' -i /etc/certidude/server.conf")
|
||||||
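Review bot: `assert r.status_code == 502, r.text` after the `os.waitpid` assumes the front end is still up and answers with a bad-gateway status as soon as the backend is gone; if the backend port is simply refused, `requests.get` raises ConnectionError instead of returning a response, and the check surfaces as an unrelated traceback rather than an assertion. Presumably the intent is only to confirm the API is unreachable before the config edits that follow — a comment such as `# serve is stopped: the front end should report the backend as down` would record that, and accepting a connection error as well would make the check less brittle. The enclosing test function starts and ends outside the hunk.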
@ -1154,12 +1151,29 @@ def test_cli_setup_authority():
|
|||||||
assert not result.exception, result.output
|
assert not result.exception, result.output
|
||||||
return
|
return
|
||||||
|
|
||||||
sleep(5) # Wait for serve to start up
|
# Wait for serve to start up
|
||||||
|
for j in range(0,10):
|
||||||
|
r = requests.get("http://ca.example.lan/api/")
|
||||||
|
if r.status_code != 502:
|
||||||
|
break
|
||||||
|
sleep(1)
|
||||||
|
assert r.status_code == 401
|
||||||
|
|
||||||
# CRL-s disabled now
|
# CRL-s disabled now
|
||||||
r = requests.get("http://ca.example.lan/api/revoked/")
|
r = requests.get("http://ca.example.lan/api/revoked/")
|
||||||
assert r.status_code == 404, r.text
|
assert r.status_code == 404, r.text
|
||||||
|
|
||||||
|
# OCSP and SCEP should be enabled now
|
||||||
|
r = requests.get("http://ca.example.lan/api/scep/")
|
||||||
|
assert r.status_code == 400
|
||||||
|
r = requests.get("http://ca.example.lan/api/ocsp/")
|
||||||
|
assert r.status_code == 400
|
||||||
|
r = requests.post("http://ca.example.lan/api/scep/")
|
||||||
|
assert r.status_code == 405
|
||||||
|
r = requests.post("http://ca.example.lan/api/ocsp/")
|
||||||
|
assert r.status_code == 400
|
||||||
|
|
||||||
|
|
||||||
assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_cert.pem -cert /var/lib/certidude/ca.example.lan/signed/roadwarrior2.pem -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp1.log") == 0
|
assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_cert.pem -cert /var/lib/certidude/ca.example.lan/signed/roadwarrior2.pem -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp1.log") == 0
|
||||||
assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_cert.pem -cert /var/lib/certidude/ca.example.lan/ca_cert.pem -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp2.log") == 0
|
assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_cert.pem -cert /var/lib/certidude/ca.example.lan/ca_cert.pem -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp2.log") == 0
|
||||||
|
|
||||||
|
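Review bot: The readiness loop `for j in range(0,10)` ends in `assert r.status_code == 401` with no message, so "came up with an unexpected status" and "never came up within ~10 s" fail identically and without the body. `for _ in range(10):` (the index is unused) and `assert r.status_code == 401, r.text` tighten it, and a `for … else` branch would let the timeout fail with its own message instead of the status assertion. The new OCSP/SCEP expectations look consistent with the responders in this commit: a body-less POST to /api/ocsp/ reaches the new ValueError handler and gets 400, and a POST to /api/scep/ presumably gets 405 because only `on_get` is visible on SCEPResource here. The enclosing test function starts outside the hunk.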