From c68c5d2a0706717bdeec38e01e15d234722117ca Mon Sep 17 00:00:00 2001
From: Priit Laes
Date: Tue, 29 Sep 2015 14:44:31 +0300
Subject: [PATCH] Remove 'certidude' group requirement for creating CA configuration

We shouldn't require user to have 'certidude' user/group in system in order to just create initial CA setup.
---
 certidude/cli.py | 9 +--------
 tests/test_cli.py | 8 +++-----
 2 files changed, 4 insertions(+), 13 deletions(-)
diff --git a/certidude/cli.py b/certidude/cli.py
index f969260..07d5899 100755
--- a/certidude/cli.py
+++ b/certidude/cli.py
@@ -444,7 +444,6 @@ def certidude_setup_production(username, hostname, push_server, nginx_config, uw
 @click.command("authority", help="Set up Certificate Authority in a directory")
-@click.option("--group", "-g", default="certidude", help="Group for file permissions, certidude by default")
 @click.option("--parent", "-p", help="Parent CA, none by default")
 @click.option("--common-name", "-cn", default=HOSTNAME, help="Common name, hostname by default")
 @click.option("--country", "-c", default="ee", help="Country, Estonia by default")
@@ -462,11 +461,7 @@ def certidude_setup_production(username, hostname, push_server, nginx_config, uw @click.option("--inbox", default="imap://user:pass@host:port/INBOX", help="Inbound e-mail server") @click.option("--outbox", default="smtp://localhost", help="Outbound e-mail server") @click.argument("directory") -def certidude_setup_authority(parent, country, state, locality, organization, organizational_unit, common_name, directory, certificate_lifetime, authority_lifetime, revocation_list_lifetime, pkcs11, group, crl_distribution_url, ocsp_responder_url, email_address, inbox, outbox): - logging.info("Creating certificate authority in %s", directory) - _, _, uid, gid, gecos, root, shell = pwd.getpwnam(group) - os.setgid(gid) - +def certidude_setup_authority(parent, country, state, locality, organization, organizational_unit, common_name, directory, certificate_lifetime, authority_lifetime, revocation_list_lifetime, pkcs11, crl_distribution_url, ocsp_responder_url, email_address, inbox, outbox): slug = os.path.basename(directory[:-1] if directory.endswith('/') else directory) if not slug: raise click.ClickException("Please supply proper target path") @@ -575,7 +570,6 @@ def certidude_setup_authority(parent, country, state, locality, organization, or with open(ca_crt, "wb") as fh: fh.write(crypto.dump_certificate(crypto.FILETYPE_PEM, ca)) - os.umask(0o077) with open(ca_key, "wb") as fh: fh.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key)) @@ -586,7 +580,6 @@ def certidude_setup_authority(parent, country, state, locality, organization, or click.echo("You need to copy the contents of the 'openssl.cnf.example'") click.echo("to system-wide OpenSSL configuration file, usually located") click.echo("at /etc/ssl/openssl.cnf") - click.echo() click.echo() click.echo("Use following commands to inspect the newly created files:") diff --git a/tests/test_cli.py b/tests/test_cli.py index f6550cf..bc74ea1 100644 --- a/tests/test_cli.py +++ b/tests/test_cli.py 
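Review bot: The `logging.info("Creating certificate authority in %s", directory)` call is removed in the `-462,11 +461,7` hunk together with the group lookup, although it does not depend on `group`. Creating a CA is an event worth keeping in the log, so I would retain that line as the first statement of `certidude_setup_authority`. With `os.setgid(gid)` gone, the files are created with the invoking process's group; whether later code still expects the `certidude` group on them cannot be seen here, since the function body continues outside the hunk.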
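Review bot: Dropping `os.umask(0o077)` in the `-575,7 +570,6` hunk, directly before `with open(ca_key, "wb") as fh:`, means the CA private key is now created under whatever umask the caller happens to have; with the common 022 the key file ends up readable by other local users. The umask call never depended on the `certidude` group, so the commit's stated goal does not require removing it. Either keep the call, or set the mode explicitly at creation: `with os.fdopen(os.open(ca_key, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600), "wb") as fh:` (note that `O_EXCL` also refuses to overwrite an existing key file, which may or may not be wanted here). An assertion on the key file's mode in the authority-setup test would pin the behaviour. The enclosing function starts and ends outside the hunk.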
@@ -14,11 +14,9 @@ def user_check(name='certidude'): pass return True -@pytest.mark.skipif(user_check(), reason="Missing certidude user") -def test_cli(): - +def test_cli_setup_authority(): # Authority setup - # TODO: group, parent, common-name, country, state, locality + # TODO: parent, common-name, country, state, locality # {authority,certificate,revocation-list}-lifetime # organization, organizational-unit # pkcs11 @@ -36,7 +34,7 @@ def test_cli(): for d in ('requests', 'revoked', 'signed'): assert os.path.isdir(os.path.join('ca', d)) -def test_cli_setup_authority_slug_name(): +def test_cli_setup_authority_invalid_name(): with runner.isolated_filesystem(): result = runner.invoke(cli, ['setup', 'authority']) assert result.exception
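Review bot: `user_check()` appears to be left without a caller once the `@pytest.mark.skipif(user_check(), reason="Missing certidude user")` decorator is removed in the `-14,11 +14,9` hunk. If nothing else in tests/test_cli.py uses it (the rest of the file is outside the hunk), remove the helper together with any import only it needs, so the test module no longer suggests a dependency on a system `certidude` account. Since `test_cli_setup_authority` now runs unconditionally, it is also a natural place to check that the generated CA key is not group- or world-readable.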