From a48331a9cbd444cda3ba3c9625247c524dc2bfed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Fri, 7 Jul 2017 21:07:25 +0000 Subject: [PATCH] tests: Add test for machine attribute updates --- certidude/api/__init__.py | 7 +++++-- certidude/api/ocsp.py | 1 + certidude/api/revoked.py | 2 ++ certidude/config.py | 2 ++ certidude/templates/server/server.conf | 3 +++ tests/test_cli.py | 25 +++++++++++++++++++++++-- 6 files changed, 36 insertions(+), 4 deletions(-) diff --git a/certidude/api/__init__.py b/certidude/api/__init__.py index aa033ab..0a054f9 100644 --- a/certidude/api/__init__.py +++ b/certidude/api/__init__.py @@ -175,7 +175,6 @@ class NormalizeMiddleware(object): def certidude_app(log_handlers=[]): from certidude import config - from .revoked import RevocationListResource from .signed import SignedCertificateDetailResource from .request import RequestListResource, RequestDetailResource from .lease import LeaseResource, LeaseDetailResource @@ -191,7 +190,6 @@ def certidude_app(log_handlers=[]): # Certificate authority API calls app.add_route("/api/certificate/", CertificateAuthorityResource()) - app.add_route("/api/revoked/", RevocationListResource()) app.add_route("/api/signed/{cn}/", SignedCertificateDetailResource()) app.add_route("/api/request/{cn}/", RequestDetailResource()) app.add_route("/api/request/", RequestListResource()) @@ -217,6 +215,11 @@ def certidude_app(log_handlers=[]): # Bootstrap resource app.add_route("/api/bootstrap/", BootstrapResource()) + # Add CRL handler if we have any whitelisted subnets + if config.CRL_SUBNETS: + from .revoked import RevocationListResource + app.add_route("/api/revoked/", RevocationListResource()) + # Add SCEP handler if we have any whitelisted subnets if config.SCEP_SUBNETS: from .scep import SCEPResource diff --git a/certidude/api/ocsp.py b/certidude/api/ocsp.py index 1b6a3d9..4196911 100644 --- a/certidude/api/ocsp.py +++ b/certidude/api/ocsp.py @@ -12,6 +12,7 @@ from oscrypto import keys, asymmetric, symmetric from oscrypto.errors import SignatureError class OCSPResource(object): + @whitelist_subnets(config.OCSP_SUBNETS) def __call__(self, req, resp): if req.method == "GET": _, _, _, tail = req.path.split("/", 3) diff --git a/certidude/api/revoked.py b/certidude/api/revoked.py index 1522c65..0389af0 100644 --- a/certidude/api/revoked.py +++ b/certidude/api/revoked.py @@ -5,6 +5,7 @@ import json import logging from certidude import const, config from certidude.authority import export_crl, list_revoked +from certidude.firewall import whitelist_subnets from cryptography import x509 from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.serialization import Encoding @@ -12,6 +13,7 @@ from cryptography.hazmat.primitives.serialization import Encoding logger = logging.getLogger(__name__) class RevocationListResource(object): + @whitelist_subnets(config.CRL_SUBNETS) def on_get(self, req, resp): # Primarily offer DER encoded CRL as per RFC5280 # This is also what StrongSwan expects diff --git a/certidude/config.py b/certidude/config.py index 9768faf..7cd005c 100644 --- a/certidude/config.py +++ b/certidude/config.py @@ -36,6 +36,8 @@ SCEP_SUBNETS = set([ipaddress.ip_network(j) for j in cp.get("authorization", "scep subnets").split(" ") if j]) OCSP_SUBNETS = set([ipaddress.ip_network(j) for j in cp.get("authorization", "ocsp subnets").split(" ") if j]) +CRL_SUBNETS = set([ipaddress.ip_network(j) for j in + cp.get("authorization", "crl subnets").split(" ") if j]) AUTHORITY_DIR = "/var/lib/certidude" AUTHORITY_PRIVATE_KEY_PATH = cp.get("authority", "private key path") diff --git a/certidude/templates/server/server.conf b/certidude/templates/server/server.conf index 33b74d9..02051c8 100644 --- a/certidude/templates/server/server.conf +++ b/certidude/templates/server/server.conf @@ -62,6 +62,9 @@ scep subnets = # Online Certificate Status Protocol enabled subnets ocsp subnets = +# Certificate Revocation lists can be accessed from anywhere by default +crl subnets = 0.0.0.0/0 + [logging] # Disable logging ;backend = diff --git a/tests/test_cli.py b/tests/test_cli.py index 73f82b7..a7e3d5b 100644 --- a/tests/test_cli.py +++ b/tests/test_cli.py @@ -1,4 +1,5 @@ import pwd +from xattr import listxattr, getxattr from click.testing import CliRunner from datetime import datetime, timedelta from time import sleep @@ -154,7 +155,7 @@ def test_cli_setup_authority(): assert not os.environ.get("KRB5_KTNAME"), "Environment contaminated" # Mock Fedora - for util in "/usr/bin/chcon", "/usr/bin/dnf", "/usr/bin/update-ca-trust": + for util in "/usr/bin/chcon", "/usr/bin/dnf", "/usr/bin/update-ca-trust", "/usr/sbin/dmidecode": with open(util, "w") as fh: fh.write("#!/bin/bash\n") fh.write("exit 0\n") @@ -193,7 +194,7 @@ def test_cli_setup_authority(): # Bootstrap domain controller here, # Samba startup takes some time - os.system("apt-get install -y samba krb5-user winbind") + os.system("apt-get install -y samba krb5-user winbind bc") if os.path.exists("/etc/samba/smb.conf"): os.unlink("/etc/samba/smb.conf") os.system("samba-tool domain provision --server-role=dc --domain=EXAMPLE --realm=EXAMPLE.LAN --host-name=ca") @@ -308,6 +309,11 @@ def test_cli_setup_authority(): r = requests.get("http://ca.example.lan/api/revoked/") assert r.status_code == 200, r.text + # Check that SCEP and OCSP are disabled by default + r = requests.get("http://ca.example.lan/api/ocsp/") + assert r.status_code == 404, r.text + r = requests.get("http://ca.example.lan/api/scep/") + assert r.status_code == 404, r.text # Test command line interface result = runner.invoke(cli, ['list', '-srv']) @@ -554,6 +560,16 @@ def test_cli_setup_authority(): headers={"Authorization":admintoken}) assert r.status_code == 200, r.text # lease update ok + # Attempt to fetch and execute default.sh script + assert not [j for j in listxattr("/var/lib/certidude/ca.example.lan/signed/test.pem") if j.startswith("user.machine.")] + #os.system("curl http://ca.example.lan/api/signed/test/script | bash") + r = client().simulate_post("/api/signed/test/attr", body="cpu=i5&mem=512M&dist=Ubuntu", + headers={"content-type": "application/x-www-form-urlencoded"}) + assert r.status_code == 200, r.text + assert getxattr("/var/lib/certidude/ca.example.lan/signed/test.pem", "user.machine.cpu") == "i5" + assert getxattr("/var/lib/certidude/ca.example.lan/signed/test.pem", "user.machine.mem") == "512M" + assert getxattr("/var/lib/certidude/ca.example.lan/signed/test.pem", "user.machine.dist") == "Ubuntu" + # Test tagging integration in scripting framework r = client().simulate_get("/api/signed/test/script/") assert r.status_code == 200, r.text # script render ok @@ -1006,10 +1022,15 @@ def test_cli_setup_authority(): os.system("sed -e 's/machine enrollment =.*/machine enrollment = allowed/g' -i /etc/certidude/server.conf") os.system("sed -e 's/scep subnets =.*/scep subnets = 0.0.0.0\\/0/g' -i /etc/certidude/server.conf") os.system("sed -e 's/ocsp subnets =.*/ocsp subnets = 0.0.0.0\\/0/g' -i /etc/certidude/server.conf") + os.system("sed -e 's/crl subnets =.*/crl subnets =/g' -i /etc/certidude/server.conf") os.system("sed -e 's/address = certificates@example.lan/address =/g' -i /etc/certidude/server.conf") from certidude.common import pip pip("asn1crypto certbuilder") + # CRL-s disabled now + r = requests.get("http://ca.example.lan/api/revoked/") + assert r.status_code == 404, r.text + # Update server credential cache with open("/etc/cron.hourly/certidude") as fh: cronjob = fh.read()