From 39363a57c72a88cb29c245eb5bb59b9fd3923840 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Thu, 6 Jul 2017 09:29:02 +0000 Subject: [PATCH] tests: More coverage --- certidude/cli.py | 10 +++++++ certidude/common.py | 7 +++-- certidude/templates/script/default.sh | 4 +++ tests/test_cli.py | 38 ++++++++++++++++----------- 4 files changed, 40 insertions(+), 19 deletions(-) diff --git a/certidude/cli.py b/certidude/cli.py index a30ddcd..53bab37 100755 --- a/certidude/cli.py +++ b/certidude/cli.py @@ -122,6 +122,7 @@ def certidude_request(fork, renew, no_wait, kerberos): context = globals() context.update(locals()) + # TODO: Create per-authority timers if not os.path.exists("/etc/systemd/system/certidude.timer"): click.echo("Creating systemd timer...") with open("/etc/systemd/system/certidude.timer", "w") as fh: @@ -233,6 +234,15 @@ def certidude_request(fork, renew, no_wait, kerberos): # curl on Fedora ? # pip + # Firefox (?) on Debian, Ubuntu + if os.path.exists("/usr/bin/update-ca-certificates"): + link_path = "/usr/local/share/ca-certificates/%s" % authority_name + if not os.path.lexists(link_path): + os.symlink(authority_path, link_path) + os.system("update-ca-certificates") + + # TODO: test for curl, wget + ############### ### Get CRL ### diff --git a/certidude/common.py b/certidude/common.py index 473f47d..1db73b9 100644 --- a/certidude/common.py +++ b/certidude/common.py @@ -7,10 +7,9 @@ def selinux_fixup(path): """ Fix OpenVPN credential store security context on Fedora """ - if not os.path.exists("/usr/bin/chcon"): - return - cmd = "chcon", "--type=home_cert_t", path - subprocess.call(cmd) + if os.path.exists("/usr/bin/chcon"): + cmd = "chcon", "--type=home_cert_t", path + subprocess.call(cmd) def drop_privileges(): from certidude import config diff --git a/certidude/templates/script/default.sh b/certidude/templates/script/default.sh index 06af6f7..17bb870 100644 --- a/certidude/templates/script/default.sh 
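Review bot: The symlink created under `# Firefox (?) on Debian, Ubuntu` is named from `authority_name` alone, and update-ca-certificates only picks up files ending in `.crt` below /usr/local/share/ca-certificates, so unless the authority name already carries that suffix the CA never reaches the system bundle; `link_path = "/usr/local/share/ca-certificates/%s.crt" % authority_name` would fix that. The guard tests `/usr/bin/update-ca-certificates`, but `os.system("update-ca-certificates")` resolves the name through the shell's PATH and discards the exit status; if `subprocess` is available in cli.py, `subprocess.check_call(["/usr/bin/update-ca-certificates"])` runs exactly the binary that was checked and surfaces a failure. The same pattern of checking an absolute path and then calling a bare name is in `selinux_fixup` in the certidude/common.py hunk (`cmd = "chcon", "--type=home_cert_t", path`). A comment such as `# Makes this authority a trust anchor for every TLS client on the host` would tell the reader what the block actually changes. The body of certidude_request starts and ends outside the hunk.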
+++ b/certidude/templates/script/default.sh @@ -1,5 +1,6 @@ #!/bin/sh +{% if named_tags or other_tags %} # Tags: {% for key, value in named_tags.items() %} # {{ key }} -> {{ value }} @@ -7,6 +8,9 @@ {% for tag in other_tags %} # {{ tag }} {% endfor %} +{% else %} +# No tags +{% endif %} # Submit some stats to CA curl http://{{ authority_name }}/api/signed/{{ common_name }}/attr -X POST -d "\ diff --git a/tests/test_cli.py b/tests/test_cli.py index 6f1eaf9..73f82b7 100644 --- a/tests/test_cli.py +++ b/tests/test_cli.py @@ -153,12 +153,16 @@ def test_cli_setup_authority(): assert not os.environ.get("KRB5CCNAME"), "Environment contaminated" assert not os.environ.get("KRB5_KTNAME"), "Environment contaminated" - # Mock SELinux - with open("/usr/bin/chcon", "w") as fh: - fh.write("#!/bin/bash\n") - fh.write("exit 0\n") - os.chmod("/usr/bin/chcon", 0755) + # Mock Fedora + for util in "/usr/bin/chcon", "/usr/bin/dnf", "/usr/bin/update-ca-trust": + with open(util, "w") as fh: + fh.write("#!/bin/bash\n") + fh.write("exit 0\n") + os.chmod(util, 0755) + if not os.path.exists("/etc/pki/ca-trust/source/anchors/"): + os.makedirs("/etc/pki/ca-trust/source/anchors/") + # Back up original DNS server if not os.path.exists("/etc/resolv.conf.orig"): shutil.copyfile("/etc/resolv.conf", "/etc/resolv.conf.orig") 
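Review bot: The tag block that both hunks of this template wrap in `{% if named_tags or other_tags %}` … `{% endif %}` still renders `{{ key }}`, `{{ value }}` and `{{ tag }}` verbatim after `# `, so a tag containing a line break would end the comment and the rest would be read as a script line by whatever runs the rendered output. Whether tags are restricted before they reach the template is not visible here; if they are not, the render should strip control characters, for example `# {{ key }} -> {{ value | replace("\n", " ") | replace("\r", " ") }}` and likewise for `{{ tag }}`. A comment above the loop stating the assumption (`# tag keys/values must be single-line; validated at <place>`) would make the dependency explicit.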
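Review bot: The `# Mock Fedora` loop opens `/usr/bin/chcon`, `/usr/bin/dnf` and `/usr/bin/update-ca-trust` with mode `"w"` unconditionally, so running this test on a real Fedora host replaces the genuine binaries with `exit 0` stubs and nothing restores them, whereas `/etc/resolv.conf` just below is backed up first. Guarding the write with `if not os.path.exists(util):` would limit the stubs to machines that lack the tools; failing that, a comment should say the suite must only run in a disposable container. The stubs also cover only the Fedora tools, so the Debian/Ubuntu `update-ca-certificates` branch added to certidude/cli.py in this commit appears to be exercised only when the test host happens to ship that tool. test_cli_setup_authority continues outside the hunk.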
@@ -565,16 +569,6 @@ def test_cli_setup_authority(): assert r.status_code == 200, r.text # script render ok assert "uci set " in r.text, r.text - # Test lease update - r = client().simulate_post("/api/lease/", - query_string = "client=test&inner_address=127.0.0.1&outer_address=8.8.8.8&serial=0", - headers={"Authorization":admintoken}) - assert r.status_code == 403, r.text # invalid serial number supplied - r = client().simulate_post("/api/lease/", - query_string = "client=test&inner_address=1.2.3.4&outer_address=8.8.8.8", - headers={"Authorization":admintoken}) - assert r.status_code == 200, r.text # lease update ok - # Test lease retrieval r = client().simulate_get("/api/signed/test/lease/") assert r.status_code == 401, r.text @@ -603,6 +597,20 @@ def test_cli_setup_authority(): assert r.status_code == 200, r.text assert r.text == "[]", r.text + # Test script without tags + r = client().simulate_get("/api/signed/test/script/") + assert r.status_code == 200, r.text # script render ok + assert "# No tags" in r.text, r.text + + # Test lease update + r = client().simulate_post("/api/lease/", + query_string = "client=test&inner_address=127.0.0.1&outer_address=8.8.8.8&serial=0", + headers={"Authorization":admintoken}) + assert r.status_code == 403, r.text # invalid serial number supplied + r = client().simulate_post("/api/lease/", + query_string = "client=test&inner_address=1.2.3.4&outer_address=8.8.8.8", + headers={"Authorization":admintoken}) + assert r.status_code == 200, r.text # lease update ok # Test revocation r = client().simulate_delete("/api/signed/test/")