lauri/certidude
1
0
Fork 0
mirror of https://github.com/laurivosandi/certidude synced 2025-09-06 13:51:12 +00:00
Code Issues Activity

Major refactor

Browse Source 
* Migrate to Python 3
* Update token generator mechanism
* Switch to Bootstrap 4
* Switch from Iconmonstr to Font Awesome icons
* Rename default CA common name to "Certidude at ca.example.lan"
* Add self-enroll for the TLS server certificates
* TLS client auth for lease updating
* Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets
This commit is contained in:
Lauri Võsandi
2017-12-30 13:57:48 +00:00
parent d32ec224d7
commit 59bedc1f16
69 changed files with 1617 additions and 1549 deletions
Download Patch File Download Diff File Expand all files Collapse all files

401
tests/test_cli.py
View File

@@ -1,7 +1,12 @@
import pwd
from oscrypto import asymmetric
from csrbuilder import CSRBuilder, pem_armor_csr
from subprocess import check_output
from importlib import reload
from click.testing import CliRunner
from datetime import datetime, timedelta
from time import sleep
import json
import pytest
import shutil
import sys
@@ -43,29 +48,28 @@ def client():
return testing.TestClient(app)
def generate_csr(cn=None):
from cryptography import x509
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.backends import default_backend
from cryptography.x509.oid import NameOID
key = rsa.generate_private_key(
public_exponent=65537,
key_size=1024,
backend=default_backend())
csr = x509.CertificateSigningRequestBuilder()
if cn is not None:
csr = csr.subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
buf = csr.sign(key, hashes.SHA256(), default_backend()
).public_bytes(serialization.Encoding.PEM)
return buf
public_key, private_key = asymmetric.generate_pair('rsa', bit_size=2048)
builder = CSRBuilder({ 'common_name': cn }, public_key)
request = builder.build(private_key)
return pem_armor_csr(request)
def clean_client():
assert os.getuid() == 0 and os.getgid() == 0
if os.path.exists("/etc/certidude/client.conf"):
os.unlink("/etc/certidude/client.conf")
if os.path.exists("/etc/certidude/services.conf"):
os.unlink("/etc/certidude/services.conf")
files = [
"/etc/certidude/client.conf",
"/etc/certidude/services.conf",
"/var/lib/certidude/ca.example.lan/client_key.pem",
"/var/lib/certidude/ca.example.lan/server_key.pem",
"/var/lib/certidude/ca.example.lan/client_req.pem",
"/var/lib/certidude/ca.example.lan/server_req.pem",
"/var/lib/certidude/ca.example.lan/client_cert.pem",
"/var/lib/certidude/ca.example.lan/server_cert.pem",
]
for path in files:
if os.path.exists(path):
os.unlink(path)
# Remove client storage area
if os.path.exists("/tmp/ca.example.lan"):
@@ -140,9 +144,9 @@ def clean_server():
def test_cli_setup_authority():
assert os.getuid() == 0, "Run tests as root in a clean VM or container"
assert check_output(["/bin/hostname", "-f"]) == b"ca.example.lan\n", "As a safety precaution, unittests only run in a machine whose hostanme -f is ca.example.lan"
os.system("apt-get install -y git build-essential python-dev libkrb5-dev")
os.system("pip install cryptography")
os.system("apt-get install -q -y git build-essential python-dev libkrb5-dev")
assert not os.environ.get("KRB5CCNAME"), "Environment contaminated"
assert not os.environ.get("KRB5_KTNAME"), "Environment contaminated"
@@ -152,7 +156,7 @@ def test_cli_setup_authority():
with open(util, "w") as fh:
fh.write("#!/bin/bash\n")
fh.write("exit 0\n")
os.chmod(util, 0755)
os.chmod(util, 0o755)
if not os.path.exists("/etc/pki/ca-trust/source/anchors/"):
os.makedirs("/etc/pki/ca-trust/source/anchors/")
@@ -198,7 +202,7 @@ def test_cli_setup_authority():
if os.path.exists("/etc/krb5.keytab"):
os.unlink("/etc/krb5.keytab")
os.symlink("/var/lib/samba/private/secrets.keytab", "/etc/krb5.keytab")
os.chmod("/var/lib/samba/private/secrets.keytab", 0644) # To allow access to certidude server
os.chmod("/var/lib/samba/private/secrets.keytab", 0o644) # To allow access to certidude server
if os.path.exists("/etc/krb5.conf"): # Remove the one from krb5-user package
os.unlink("/etc/krb5.conf")
os.symlink("/var/lib/samba/private/krb5.conf", "/etc/krb5.conf")
@@ -225,21 +229,25 @@ def test_cli_setup_authority():
assert const.HOSTNAME == "ca"
assert const.DOMAIN == "example.lan"
result = runner.invoke(cli, ['setup', 'authority', '-s'])
os.setgid(0) # Restore GID
os.umask(0022)
# Bootstrap authority
bootstrap_pid = os.fork() # TODO: this shouldn't be necessary
if not bootstrap_pid:
assert os.getuid() == 0 and os.getgid() == 0
result = runner.invoke(cli, ["setup", "authority"])
assert not result.exception, result.output
return
else:
os.waitpid(bootstrap_pid, 0)
assert os.getuid() == 0 and os.getgid() == 0, "Environment contaminated"
result = runner.invoke(cli, ['setup', 'authority']) # For if-else branches
os.setgid(0) # Restore GID
os.umask(0022)
# Make sure nginx is running
assert not result.exception, result.output
assert os.getuid() == 0 and os.getgid() == 0, "Serve dropped permissions incorrectly!"
assert os.system("nginx -t") == 0, "invalid nginx configuration"
os.system("service nginx restart")
assert os.path.exists("/run/nginx.pid"), "nginx wasn't started up properly"
# Make sure we generated legit CA certificate
from certidude import config, authority, auth, user
assert authority.certificate.serial_number >= 0x100000000000000000000000000000000000000
assert authority.certificate.serial_number <= 0xfffffffffffffffffffffffffffffffffffffff
@@ -277,7 +285,7 @@ def test_cli_setup_authority():
import requests
# Test CA certificate fetch
buf = open("/var/lib/certidude/ca.example.lan/ca_crt.pem").read()
buf = open("/var/lib/certidude/ca.example.lan/ca_cert.pem").read()
r = requests.get("http://ca.example.lan/api/certificate")
assert r.status_code == 200
assert r.headers.get('content-type') == "application/x-x509-ca-cert"
@@ -332,7 +340,7 @@ def test_cli_setup_authority():
assert r.status_code == 400, r.text
# Test request submission
buf = generate_csr(cn=u"test")
buf = generate_csr(cn="test")
r = client().simulate_post("/api/request/", body=buf)
assert r.status_code == 415 # wrong content type
@@ -382,7 +390,7 @@ def test_cli_setup_authority():
assert not inbox
r = client().simulate_post("/api/request/",
body=generate_csr(cn=u"test"),
body=generate_csr(cn="test"),
headers={"content-type":"application/pkcs10"})
assert r.status_code == 409 # duplicate cn, different keypair
assert not inbox
@@ -419,7 +427,7 @@ def test_cli_setup_authority():
assert "Signed " in inbox.pop(), inbox
# Test autosign
buf = generate_csr(cn=u"test2")
buf = generate_csr(cn="test2")
r = client().simulate_post("/api/request/",
query_string="autosign=1",
body=buf,
@@ -436,7 +444,7 @@ def test_cli_setup_authority():
assert r.status_code == 303 # already signed, redirect to signed certificate
assert not inbox
buf = generate_csr(cn=u"test2")
buf = generate_csr(cn="test2")
r = client().simulate_post("/api/request/",
query_string="autosign=1",
body=buf,
@@ -445,7 +453,7 @@ def test_cli_setup_authority():
assert "Stored request " in inbox.pop(), inbox
assert not inbox
buf = generate_csr(cn=u"test2.example.lan")
buf = generate_csr(cn="test2.example.lan")
r = client().simulate_post("/api/request/",
query_string="autosign=1",
body=buf,
@@ -537,8 +545,7 @@ def test_cli_setup_authority():
assert r.status_code == 200, r.text
r = client().simulate_get("/api/signed/test/tag/", headers={"Authorization":admintoken})
assert r.status_code == 200, r.text
assert r.text == '[{"value": "Tartu", "key": "location", "id": "location=Tartu"}, {"value": "else", "key": "other", "id": "else"}]', r.text
# TODO: assert set(json.loads(r.text)) == set([{"key": "location", "id": "location=Tartu", "value": "Tartu"}, {"key": "other", "id": "else", "value": "else"}]), r.text
# Test scripting
@@ -550,21 +557,25 @@ def test_cli_setup_authority():
# Insert lease
r = client().simulate_get("/api/signed/test/lease/", headers={"Authorization":admintoken})
assert r.status_code == 404, r.text
r = client().simulate_post("/api/lease/",
query_string = "client=test&inner_address=127.0.0.1&outer_address=8.8.8.8")
assert r.status_code == 403, r.text # lease update forbidden without cert
r = client().simulate_post("/api/lease/",
query_string = "client=test&inner_address=127.0.0.1&outer_address=8.8.8.8",
headers={"Authorization":admintoken})
headers={"X-SSL-CERT":open("/var/lib/certidude/ca.example.lan/signed/ca.example.lan.pem").read() })
assert r.status_code == 200, r.text # lease update ok
# Attempt to fetch and execute default.sh script
from xattr import listxattr, getxattr
assert not [j for j in listxattr("/var/lib/certidude/ca.example.lan/signed/test.pem") if j.startswith("user.machine.")]
assert not [j for j in listxattr("/var/lib/certidude/ca.example.lan/signed/test.pem") if j.startswith(b"user.machine.")]
#os.system("curl http://ca.example.lan/api/signed/test/script | bash")
r = client().simulate_post("/api/signed/test/attr", body="cpu=i5&mem=512M&dist=Ubuntu",
r = client().simulate_post("/api/signed/test/attr", body="cpu=i5&mem=512M&dist=Ubunt",
headers={"content-type": "application/x-www-form-urlencoded"})
assert r.status_code == 200, r.text
assert getxattr("/var/lib/certidude/ca.example.lan/signed/test.pem", "user.machine.cpu") == "i5"
assert getxattr("/var/lib/certidude/ca.example.lan/signed/test.pem", "user.machine.mem") == "512M"
assert getxattr("/var/lib/certidude/ca.example.lan/signed/test.pem", "user.machine.dist") == "Ubuntu"
assert getxattr("/var/lib/certidude/ca.example.lan/signed/test.pem", "user.machine.cpu") == b"i5"
assert getxattr("/var/lib/certidude/ca.example.lan/signed/test.pem", "user.machine.mem") == b"512M"
assert getxattr("/var/lib/certidude/ca.example.lan/signed/test.pem", "user.machine.dist") == b"Ubunt"
# Test tagging integration in scripting framework
r = client().simulate_get("/api/signed/test/script/")
@@ -617,13 +628,14 @@ def test_cli_setup_authority():
# Test lease update
r = client().simulate_post("/api/lease/",
query_string = "client=test&inner_address=127.0.0.1&outer_address=8.8.8.8&serial=0",
headers={"Authorization":admintoken})
headers={"X-SSL-CERT":open("/var/lib/certidude/ca.example.lan/signed/ca.example.lan.pem").read() })
assert r.status_code == 403, r.text # invalid serial number supplied
r = client().simulate_post("/api/lease/",
query_string = "client=test&inner_address=1.2.3.4&outer_address=8.8.8.8",
headers={"Authorization":admintoken})
headers={"X-SSL-CERT":open("/var/lib/certidude/ca.example.lan/signed/ca.example.lan.pem").read() })
assert r.status_code == 200, r.text # lease update ok
# Test revocation
r = client().simulate_delete("/api/signed/test/")
assert r.status_code == 401, r.text
@@ -679,44 +691,7 @@ def test_cli_setup_authority():
### Token mechanism ###
#######################
r = client().simulate_post("/api/token/")
assert r.status_code == 404, r.text
"""
config.BUNDLE_FORMAT = "ovpn"
config.USER_ENROLLMENT_ALLOWED = True
r = client().simulate_post("/api/token/")
assert r.status_code == 401 # needs auth
r = client().simulate_post("/api/token/",
headers={"Authorization":usertoken})
assert r.status_code == 403 # regular user forbidden
r = client().simulate_post("/api/token/",
body="user=userbot", # TODO: test nonexistant user
headers={"content-type": "application/x-www-form-urlencoded", "Authorization":admintoken})
assert r.status_code == 200 # token generated by admin
assert "Token for " in inbox.pop(), inbox
r2 = client().simulate_get("/api/token/",
query_string="u=userbot&t=1493184342&c=ac9b71421d5741800c5a4905b20c1072594a2df863e60ba836464888786bf2a6",
headers={"content-type": "application/x-www-form-urlencoded", "Authorization":admintoken})
assert r2.status_code == 403 # invalid checksum
r2 = client().simulate_get("/api/token/",
query_string=r.content,
headers={"User-Agent":UA_FEDORA_FIREFOX})
assert r2.status_code == 200 # token consumed by anyone on Fedora
assert r2.headers.get('content-type') == "application/x-openvpn"
assert "Signed " in inbox.pop(), inbox
config.BUNDLE_FORMAT = "p12" # Switch to PKCS#12
r2 = client().simulate_get("/api/token/", query_string=r.content)
assert r2.status_code == 200 # token consumed by anyone on unknown device
assert r2.headers.get('content-type') == "application/x-pkcs12"
assert "Signed " in inbox.pop(), inbox
"""
# Beyond this point don't use client()
const.STORAGE_PATH = "/tmp/"
# TODO
#############
@@ -740,7 +715,7 @@ def test_cli_setup_authority():
with open("/etc/certidude/client.conf", "a") as fh:
fh.write("insecure = true\n")
result = runner.invoke(cli, ["request", "--no-wait"])
result = runner.invoke(cli, ["enroll", "--skip-self", "--no-wait"])
assert not result.exception, result.output
assert not os.path.exists("/run/certidude/ca.example.lan.pid"), result.output
assert "(Autosign failed, only client certificates allowed to be signed automatically)" in result.output, result.output
@@ -754,12 +729,12 @@ def test_cli_setup_authority():
else:
os.waitpid(child_pid, 0)
result = runner.invoke(cli, ["request", "--no-wait"])
result = runner.invoke(cli, ["enroll", "--skip-self", "--no-wait"])
assert not result.exception, result.output
assert not os.path.exists("/run/certidude/ca.example.lan.pid"), result.output
assert "Writing certificate to:" in result.output, result.output
result = runner.invoke(cli, ["request", "--renew", "--no-wait"])
result = runner.invoke(cli, ["enroll", "--skip-self", "--renew", "--no-wait"])
assert not result.exception, result.output
assert not os.path.exists("/run/certidude/ca.example.lan.pid"), result.output
#assert "Writing certificate to:" in result.output, result.output
@@ -776,6 +751,7 @@ def test_cli_setup_authority():
# First OpenVPN server is set up
clean_client()
assert not os.path.exists("/var/lib/certidude/ca.example.lan/server_cert.pem")
if not os.path.exists("/etc/openvpn/keys"):
os.makedirs("/etc/openvpn/keys")
@@ -792,7 +768,9 @@ def test_cli_setup_authority():
with open("/etc/certidude/client.conf", "a") as fh:
fh.write("insecure = true\n")
result = runner.invoke(cli, ["request", "--no-wait"])
assert not os.path.exists("/var/lib/certidude/ca.example.lan/server_cert.pem")
result = runner.invoke(cli, ["enroll", "--skip-self", "--no-wait"])
assert not result.exception, result.output
assert "(Autosign failed, only client certificates allowed to be signed automatically)" in result.output, result.output
assert not os.path.exists("/run/certidude/ca.example.lan.pid"), result.output
@@ -809,11 +787,11 @@ def test_cli_setup_authority():
else:
os.waitpid(child_pid, 0)
result = runner.invoke(cli, ["request", "--no-wait"])
result = runner.invoke(cli, ["enroll", "--skip-self", "--no-wait"])
assert not result.exception, result.output
assert not os.path.exists("/run/certidude/ca.example.lan.pid"), result.output
assert "Writing certificate to:" in result.output, result.output
assert os.path.exists("/tmp/ca.example.lan/server_cert.pem")
assert os.path.exists("/var/lib/certidude/ca.example.lan/server_cert.pem")
assert os.path.exists("/etc/openvpn/site-to-client.conf")
# Secondly OpenVPN client is set up
@@ -830,7 +808,7 @@ def test_cli_setup_authority():
with open("/etc/certidude/client.conf", "a") as fh:
fh.write("insecure = true\n")
result = runner.invoke(cli, ["request", "--no-wait"])
result = runner.invoke(cli, ["enroll", "--skip-self", "--no-wait"])
assert not result.exception, result.output
assert not os.path.exists("/run/certidude/ca.example.lan.pid"), result.output
assert "Writing certificate to:" in result.output, result.output
@@ -847,7 +825,7 @@ def test_cli_setup_authority():
with open("/etc/certidude/client.conf", "a") as fh:
fh.write("insecure = true\n")
result = runner.invoke(cli, ["request", "--no-wait"])
result = runner.invoke(cli, ["enroll", "--skip-self", "--no-wait"])
assert not result.exception, result.output
assert not os.path.exists("/run/certidude/ca.example.lan.pid"), result.output
assert "Writing certificate to:" in result.output, result.output
@@ -861,134 +839,132 @@ def test_cli_setup_authority():
if not ev_pid:
r = requests.get(ev_url, headers={"Accept": "text/event-stream"}, stream=True)
assert r.status_code == 200, r.text
i = r.iter_lines()
assert i.next() == ": hi"
assert not i.next()
i = r.iter_lines(decode_unicode=True)
assert i.__next__() == ": hi"
assert not i.__next__()
# IPSec gateway below
assert i.next() == "event: log-entry", i.next()
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Served CA certificate ')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__()
assert i.__next__().startswith("id:")
"""
assert i.__next__().startswith('data: {"message": "Served CA certificate ')
assert not i.__next__()
assert i.next() == "event: log-entry", i.next()
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__()
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.__next__()
assert i.next() == "event: log-entry", i.next() # FIXME
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__() # FIXME
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.__next__()
assert i.next() == "event: request-submitted", "%s; %s" % (i.next(), i.next())
assert i.next().startswith("id:")
assert i.next() == "data: ipsec.example.lan"
assert not i.next()
assert i.__next__() == "event: request-submitted", "%s; %s" % (i.__next__(), i.__next__())
assert i.__next__().startswith("id:")
assert i.__next__() == "data: ipsec.example.lan"
assert not i.__next__()
assert i.next() == "event: log-entry", i.next()
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Stored signing request ipsec.example.lan ')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__()
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Stored signing request ipsec.example.lan ')
assert not i.__next__()
assert i.next() == "event: log-entry", i.next() # FIXME
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Stored signing request ipsec.example.lan ')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__() # FIXME
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Stored signing request ipsec.example.lan ')
assert not i.__next__()
assert i.next() == "event: request-signed"
assert i.next().startswith("id:")
assert i.next().startswith('data: ipsec.example.lan')
assert not i.next()
assert i.__next__() == "event: request-signed"
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: ipsec.example.lan')
assert not i.__next__()
assert i.next() == "event: log-entry", i.next()
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__()
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.__next__()
assert i.next() == "event: log-entry", i.next() # FIXME
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__() # FIXME
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.__next__()
assert i.next() == "event: log-entry", i.next()
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Served certificate ipsec.example.lan')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__()
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Served certificate ipsec.example.lan')
assert not i.__next__()
assert i.next() == "event: log-entry", i.next() # FIXME
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Served certificate ipsec.example.lan')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__() # FIXME
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Served certificate ipsec.example.lan')
assert not i.__next__()
# IPsec client as service enroll
assert i.next() == "event: log-entry", i.next()
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__()
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.__next__()
assert i.next() == "event: log-entry", i.next() # FIXME
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__() # FIXME
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.__next__()
assert i.next() == "event: request-signed", i.next()
assert i.next().startswith("id:")
assert i.next().startswith('data: roadwarrior2')
assert not i.next()
assert i.__next__() == "event: request-signed", i.__next__()
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: roadwarrior2')
assert not i.__next__()
assert i.next() == "event: log-entry", i.next()
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Autosigned roadwarrior2')
assert not i.next()
assert i.next() == "event: log-entry", i.next() # FIXME
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Autosigned roadwarrior2')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__()
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Autosigned roadwarrior2')
assert not i.__next__()
assert i.__next__() == "event: log-entry", i.__next__() # FIXME
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Autosigned roadwarrior2')
assert not i.__next__()
# IPSec client using Networkmanger enroll
assert i.next() == "event: log-entry", i.next()
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Served CA certificate ')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__()
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Served CA certificate ')
assert not i.__next__()
assert i.next() == "event: log-entry", i.next()
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__()
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.__next__()
assert i.next() == "event: log-entry", i.next() # FIXME
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__() # FIXME
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Serving revocation list (PEM)')
assert not i.__next__()
assert i.next() == "event: request-signed", i.next()
assert i.next().startswith("id:")
assert i.next().startswith('data: roadwarrior4')
assert not i.next()
assert i.__next__() == "event: request-signed", i.__next__()
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: roadwarrior4')
assert not i.__next__()
assert i.next() == "event: log-entry", i.next()
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Autosigned roadwarrior4')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__()
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Autosigned roadwarrior4')
assert not i.__next__()
assert i.next() == "event: log-entry", i.next() # FIXME
assert i.next().startswith("id:")
assert i.next().startswith('data: {"message": "Autosigned roadwarrior4')
assert not i.next()
assert i.__next__() == "event: log-entry", i.__next__() # FIXME
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: {"message": "Autosigned roadwarrior4')
assert not i.__next__()
# Revoke
assert i.next() == "event: certificate-revoked", i.next() # why?!
assert i.next().startswith("id:")
assert i.next().startswith('data: roadwarrior4')
assert not i.next()
assert i.__next__() == "event: certificate-revoked", i.__next__() # why?!
assert i.__next__().startswith("id:")
assert i.__next__().startswith('data: roadwarrior4')
assert not i.__next__()
"""
return
@@ -999,22 +975,27 @@ def test_cli_setup_authority():
# Setup gateway
clean_client()
assert not os.path.exists("/var/lib/certidude/ca.example.lan/signed/ipsec.example.lan.pem")
result = runner.invoke(cli, ['setup', 'strongswan', 'server', "-cn", "ipsec", "ca.example.lan"])
assert result.exception, result.output # FQDN required
assert not os.path.exists("/var/lib/certidude/ca.example.lan/signed/ipsec.example.lan.pem")
result = runner.invoke(cli, ['setup', 'strongswan', 'server', "-cn", "ipsec.example.lan", "ca.example.lan"])
assert not result.exception, result.output
assert open("/etc/ipsec.secrets").read() == ": RSA /tmp/ca.example.lan/server_key.pem\n"
assert open("/etc/ipsec.secrets").read() == ": RSA /var/lib/certidude/ca.example.lan/server_key.pem\n"
assert not os.path.exists("/var/lib/certidude/ca.example.lan/signed/ipsec.example.lan.pem")
result = runner.invoke(cli, ['setup', 'strongswan', 'server', "-cn", "ipsec.example.lan", "ca.example.lan"])
assert not result.exception, result.output # client conf already exists, remove to regenerate
assert not os.path.exists("/var/lib/certidude/ca.example.lan/signed/ipsec.example.lan.pem")
with open("/etc/certidude/client.conf", "a") as fh:
fh.write("insecure = true\n")
result = runner.invoke(cli, ["request", "--no-wait"])
result = runner.invoke(cli, ["enroll", "--skip-self", "--no-wait"])
assert not result.exception, result.output
assert "(Autosign failed, only client certificates allowed to be signed automatically" in result.output, result.output
assert not os.path.exists("/run/certidude/ca.example.lan.pid"), result.output
assert not os.path.exists("/var/lib/certidude/ca.example.lan/signed/ipsec.example.lan.pem")
@@ -1029,12 +1010,12 @@ def test_cli_setup_authority():
else:
os.waitpid(child_pid, 0)
result = runner.invoke(cli, ["request", "--no-wait"])
result = runner.invoke(cli, ["enroll", "--skip-self", "--no-wait"])
assert not result.exception, result.output
assert not os.path.exists("/run/certidude/ca.example.lan.pid"), result.output
assert "Writing certificate to:" in result.output, result.output
assert os.path.exists("/tmp/ca.example.lan/server_cert.pem")
assert os.path.exists("/var/lib/certidude/ca.example.lan/server_cert.pem")
# IPSec client as service
@@ -1050,7 +1031,7 @@ def test_cli_setup_authority():
with open("/etc/certidude/client.conf", "a") as fh:
fh.write("insecure = true\n")
result = runner.invoke(cli, ["request", "--no-wait"])
result = runner.invoke(cli, ["enroll", "--skip-self", "--no-wait"])
assert not result.exception, result.output
assert not os.path.exists("/run/certidude/ca.example.lan.pid"), result.output
@@ -1066,7 +1047,7 @@ def test_cli_setup_authority():
with open("/etc/certidude/client.conf", "a") as fh:
fh.write("insecure = true\n")
result = runner.invoke(cli, ["request", "--no-wait"])
result = runner.invoke(cli, ["enroll", "--skip-self", "--no-wait"])
assert not result.exception, result.output
assert not os.path.exists("/run/certidude/ca.example.lan.pid"), result.output
assert "Writing certificate to:" in result.output, result.output
@@ -1086,7 +1067,7 @@ def test_cli_setup_authority():
os.waitpid(child_pid, 0)
# Make sure check is ran on the client side
result = runner.invoke(cli, ["request", "--no-wait"])
result = runner.invoke(cli, ["enroll", "--skip-self", "--no-wait"])
assert not result.exception, result.output
assert not os.path.exists("/run/certidude/ca.example.lan.pid"), result.output
#assert "Certificate has been revoked, wiping keys and certificates" in result.output, result.output
@@ -1148,7 +1129,6 @@ def test_cli_setup_authority():
os.system("sed -e 's/crl subnets =.*/crl subnets =/g' -i /etc/certidude/server.conf")
os.system("sed -e 's/address = certificates@example.lan/address =/g' -i /etc/certidude/server.conf")
from certidude.common import pip
pip("asn1crypto certbuilder")
# Update server credential cache
with open("/etc/cron.hourly/certidude") as fh:
@@ -1174,19 +1154,19 @@ def test_cli_setup_authority():
assert not result.exception, result.output
return
sleep(1) # Wait for serve to start up
sleep(5) # Wait for serve to start up
# CRL-s disabled now
r = requests.get("http://ca.example.lan/api/revoked/")
assert r.status_code == 404, r.text
assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_crt.pem -cert /var/lib/certidude/ca.example.lan/signed/roadwarrior2.pem -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp1.log") == 0
assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_crt.pem -cert /var/lib/certidude/ca.example.lan/ca_crt.pem -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp2.log") == 0
assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_cert.pem -cert /var/lib/certidude/ca.example.lan/signed/roadwarrior2.pem -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp1.log") == 0
assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_cert.pem -cert /var/lib/certidude/ca.example.lan/ca_cert.pem -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp2.log") == 0
for filename in os.listdir("/var/lib/certidude/ca.example.lan/revoked"):
if not filename.endswith(".pem"):
continue
assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_crt.pem -cert /var/lib/certidude/ca.example.lan/revoked/%s -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp3.log" % filename) == 0
assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_cert.pem -cert /var/lib/certidude/ca.example.lan/revoked/%s -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp3.log" % filename) == 0
break
with open("/tmp/ocsp1.log") as fh:
@@ -1256,7 +1236,7 @@ def test_cli_setup_authority():
with open("/etc/certidude/client.conf", "a") as fh:
fh.write("insecure = true\n")
result = runner.invoke(cli, ["request", "--no-wait", "--kerberos"])
result = runner.invoke(cli, ["enroll", "--skip-self", "--no-wait", "--kerberos"])
assert result.exception, result.output # Bad request 400
# With matching CN it should work
@@ -1268,7 +1248,7 @@ def test_cli_setup_authority():
with open("/etc/certidude/client.conf", "a") as fh:
fh.write("insecure = true\n")
result = runner.invoke(cli, ["request", "--no-wait", "--kerberos"])
result = runner.invoke(cli, ["enroll", "--skip-self", "--no-wait", "--kerberos"])
assert not result.exception, result.output
assert "Writing certificate to:" in result.output, result.output
return
@@ -1280,7 +1260,7 @@ def test_cli_setup_authority():
### SCEP tests ###
##################
os.umask(0022)
os.umask(0o022)
if not os.path.exists("/tmp/sscep"):
assert not os.system("git clone https://github.com/certnanny/sscep /tmp/sscep")
if not os.path.exists("/tmp/sscep/sscep_dyn"):
@@ -1301,7 +1281,7 @@ def test_cli_setup_authority():
result = runner.invoke(cli, ['list', '-srv'])
assert not result.exception, result.output
result = runner.invoke(cli, ['cron'])
result = runner.invoke(cli, ['expire'])
assert not result.exception, result.output
# Shut down server
@@ -1310,7 +1290,10 @@ def test_cli_setup_authority():
os.waitpid(server_pid, 0)
# Note: STORAGE_PATH was mangled above, hence it's /tmp not /var/lib/certidude
assert open("/etc/apparmor.d/local/usr.lib.ipsec.charon").read() == "/tmp/** r,\n"
assert open("/etc/apparmor.d/local/usr.lib.ipsec.charon").read() == \
"/var/lib/certidude/ca.example.lan/client_key.pem r,\n" + \
"/var/lib/certidude/ca.example.lan/ca_cert.pem r,\n" + \
"/var/lib/certidude/ca.example.lan/client_cert.pem r,\n"
assert len(inbox) == 0, inbox # Make sure all messages were checked
os.system("service nginx stop")