def test_create_ca_signed_cert(self, ca_path):
'''
Test signing certificate from request
'''
ca_name = 'test_ca'
certp = '{0}/{1}/certs/{2}.crt'.format(
ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN'])
ret = 'Created Certificate for "{0}": "{1}"'.format(
_TLS_TEST_DATA['create_ca']['CN'], certp)
mock_opt = MagicMock(return_value=ca_path)
mock_ret = MagicMock(return_value=0)
mock_pgt = MagicMock(return_value=False)
with patch.dict(tls.__salt__, {'config.option': mock_opt,
'cmd.retcode': mock_ret,
'pillar.get': mock_pgt}), \
patch.dict(tls.__opts__, {'hash_type': 'sha256',
'cachedir': ca_path}), \
patch('salt.modules.tls.maybe_fix_ssl_version',
MagicMock(return_value=True)):
tls.create_ca(ca_name)
tls.create_csr(ca_name, **_TLS_TEST_DATA['create_ca'])
self.assertEqual(
tls.create_ca_signed_cert(ca_name,
_TLS_TEST_DATA['create_ca']['CN']),
ret)
def test_recreate_csr(self, ca_path):
"""
Test creating certificate signing request when one already exists
"""
ca_name = "test_ca"
certp = "{0}/{1}/certs/{2}.csr".format(
ca_path, ca_name, _TLS_TEST_DATA["create_ca"]["CN"])
certk = "{0}/{1}/certs/{2}.key".format(
ca_path, ca_name, _TLS_TEST_DATA["create_ca"]["CN"])
ret = ('Created Private Key: "{0}." '
'Created CSR for "{1}": "{2}."').format(
certk, _TLS_TEST_DATA["create_ca"]["CN"], certp)
mock_opt = MagicMock(return_value=ca_path)
mock_ret = MagicMock(return_value=0)
mock_pgt = MagicMock(return_value=False)
with patch.dict(
tls.__salt__,
{
"config.option": mock_opt,
"cmd.retcode": mock_ret,
"pillar.get": mock_pgt,
},
), patch.dict(tls.__opts__, {
"hash_type": "sha256",
"cachedir": ca_path
}), patch.dict(_TLS_TEST_DATA["create_ca"], {"replace": True}), patch(
"salt.modules.tls.maybe_fix_ssl_version",
MagicMock(return_value=True)):
tls.create_ca(ca_name)
tls.create_csr(ca_name)
self.assertEqual(
tls.create_csr(ca_name, **_TLS_TEST_DATA["create_ca"]), ret)
def test_create_pkcs12(self, ca_path):
"""
Test creating pkcs12
"""
ca_name = "test_ca"
certp = "{0}/{1}/certs/{2}.p12".format(
ca_path, ca_name, _TLS_TEST_DATA["create_ca"]["CN"])
ret = 'Created PKCS#12 Certificate for "{0}": "{1}"'.format(
_TLS_TEST_DATA["create_ca"]["CN"], certp)
mock_opt = MagicMock(return_value=ca_path)
mock_ret = MagicMock(return_value=0)
mock_pgt = MagicMock(return_value=False)
with patch.dict(
tls.__salt__,
{
"config.option": mock_opt,
"cmd.retcode": mock_ret,
"pillar.get": mock_pgt,
},
), patch.dict(tls.__opts__, {
"hash_type": "sha256",
"cachedir": ca_path
}), patch("salt.modules.tls.maybe_fix_ssl_version",
MagicMock(return_value=True)):
tls.create_ca(ca_name)
tls.create_csr(ca_name, **_TLS_TEST_DATA["create_ca"])
tls.create_ca_signed_cert(ca_name,
_TLS_TEST_DATA["create_ca"]["CN"])
self.assertEqual(
tls.create_pkcs12(ca_name, _TLS_TEST_DATA["create_ca"]["CN"],
"password"),
ret,
)
def test_with_existing_ca_signing_csr_should_produce_valid_cert(self):
print("Revoked should not be here")
empty_crl_filename = os.path.join(self.tempdir, "empty.crl")
tls.create_ca(self.ca_name)
tls.create_csr(
ca_name=self.ca_name,
CN="testing.localhost",
)
tls.create_ca_signed_cert(
ca_name=self.ca_name,
CN="testing.localhost",
)
tls.create_empty_crl(
ca_name=self.ca_name,
crl_file=empty_crl_filename,
)
ret = tls.validate(
cert=os.path.join(
self.tempdir,
self.ca_name,
"certs",
"testing.localhost.crt",
),
ca_name=self.ca_name,
crl_file=empty_crl_filename,
)
print("not there")
self.assertTrue(ret["valid"], ret.get("error"))
def test_with_existing_ca_signing_csr_should_produce_valid_cert(self):
print('Revoked should not be here')
empty_crl_filename = os.path.join(self.tempdir, 'empty.crl')
tls.create_ca(self.ca_name)
tls.create_csr(
ca_name=self.ca_name,
CN='testing.localhost',
)
tls.create_ca_signed_cert(
ca_name=self.ca_name,
CN='testing.localhost',
)
tls.create_empty_crl(
ca_name=self.ca_name,
crl_file=empty_crl_filename,
)
ret = tls.validate(
cert=os.path.join(
self.tempdir,
self.ca_name,
'certs',
'testing.localhost.crt',
),
ca_name=self.ca_name,
crl_file=empty_crl_filename,
)
print('not there')
self.assertTrue(ret['valid'], ret.get('error'))
def test_recreate_pkcs12(self, ca_path):
'''
Test creating pkcs12 when it already exists
'''
ca_name = 'test_ca'
certp = '{0}/{1}/certs/{2}.p12'.format(
ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN'])
ret = 'Created PKCS#12 Certificate for "{0}": "{1}"'.format(
_TLS_TEST_DATA['create_ca']['CN'], certp)
mock_opt = MagicMock(return_value=ca_path)
mock_ret = MagicMock(return_value=0)
mock_pgt = MagicMock(return_value=False)
with patch.dict(tls.__salt__, {'config.option': mock_opt,
'cmd.retcode': mock_ret,
'pillar.get': mock_pgt}), \
patch.dict(tls.__opts__, {'hash_type': 'sha256',
'cachedir': ca_path}), \
patch.dict(_TLS_TEST_DATA['create_ca'], {'replace': True}), \
patch('salt.modules.tls.maybe_fix_ssl_version',
MagicMock(return_value=True)):
tls.create_ca(ca_name)
tls.create_csr(ca_name)
tls.create_ca_signed_cert(ca_name,
_TLS_TEST_DATA['create_ca']['CN'])
tls.create_pkcs12(ca_name, _TLS_TEST_DATA['create_ca']['CN'],
'password')
self.assertEqual(
tls.create_pkcs12(ca_name,
_TLS_TEST_DATA['create_ca']['CN'],
'password',
replace=True), ret)
def test_create_csr_permissions_on_csr_and_key(tmpdir, tls_test_data):
ca_name = "test_ca"
csrp = (tmpdir.join(ca_name).join("certs").join("{}.csr".format(
tls_test_data["create_ca"]["CN"])).strpath)
keyp = (tmpdir.join(ca_name).join("certs").join("{}.key".format(
tls_test_data["create_ca"]["CN"])).strpath)
mock_opt = MagicMock(return_value=tmpdir)
mock_ret = MagicMock(return_value=0)
mock_pgt = MagicMock(return_value=False)
with patch.dict(
tls.__salt__,
{
"config.option": mock_opt,
"cmd.retcode": mock_ret,
"pillar.get": mock_pgt
},
), patch.dict(tls.__opts__, {
"hash_type": "sha256",
"cachedir": tmpdir
}):
tls.create_ca(ca_name, days=365, **tls_test_data["create_ca"])
tls.create_csr(ca_name, **tls_test_data["create_ca"])
csrp_mode = os.stat(csrp).st_mode & 0o7777
keyp_mode = os.stat(keyp).st_mode & 0o7777
assert 0o644 == csrp_mode
assert 0o600 == keyp_mode
def test_validating_revoked_cert_with_no_crl_file_should_return_False(
self):
revoked_crl_filename = None
tls.create_ca(self.ca_name)
tls.create_csr(
ca_name=self.ca_name,
CN='testing.bad.localhost',
)
tls.create_ca_signed_cert(
ca_name=self.ca_name,
CN='testing.bad.localhost',
)
tls.create_empty_crl(
ca_name=self.ca_name,
crl_file=revoked_crl_filename,
)
tls.revoke_cert(
ca_name=self.ca_name,
CN='testing.bad.localhost',
crl_file=revoked_crl_filename,
)
self.assertFalse(
tls.validate(
cert=os.path.join(
self.tempdir,
self.ca_name,
'certs',
'testing.bad.localhost.crt',
),
ca_name=self.ca_name,
crl_file=revoked_crl_filename,
)['valid'])
def test_recreate_ca_signed_cert(self, ca_path):
"""
Test signing certificate from request when certificate exists
"""
ca_name = "test_ca"
certp = "{}/{}/certs/{}.crt".format(
ca_path, ca_name, _TLS_TEST_DATA["create_ca"]["CN"]
)
ret = 'Created Certificate for "{}": "{}"'.format(
_TLS_TEST_DATA["create_ca"]["CN"], certp
)
mock_opt = MagicMock(return_value=ca_path)
mock_ret = MagicMock(return_value=0)
mock_pgt = MagicMock(return_value=False)
with patch.dict(
tls.__salt__,
{
"config.option": mock_opt,
"cmd.retcode": mock_ret,
"pillar.get": mock_pgt,
},
), patch.dict(
tls.__opts__, {"hash_type": "sha256", "cachedir": ca_path}
), patch(
"salt.modules.tls.maybe_fix_ssl_version", MagicMock(return_value=True)
):
tls.create_ca(ca_name)
tls.create_csr(ca_name)
tls.create_ca_signed_cert(ca_name, _TLS_TEST_DATA["create_ca"]["CN"])
self.assertEqual(
tls.create_ca_signed_cert(
ca_name, _TLS_TEST_DATA["create_ca"]["CN"], replace=True
),
ret,
)
def test_create_pkcs12(self):
'''
Test creating pkcs12
'''
ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR)
try:
ca_name = 'test_ca'
certp = '{0}/{1}/certs/{2}.p12'.format(
ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN'])
ret = 'Created PKCS#12 Certificate for "{0}": "{1}"'.format(
_TLS_TEST_DATA['create_ca']['CN'], certp)
mock_opt = MagicMock(return_value=ca_path)
mock_ret = MagicMock(return_value=0)
mock_pgt = MagicMock(return_value=False)
with patch.dict(
tls.__salt__, {
'config.option': mock_opt,
'cmd.retcode': mock_ret,
'pillar.get': mock_pgt
}):
with patch.dict(tls.__opts__, {
'hash_type': 'sha256',
'cachedir': ca_path
}):
tls.create_ca(ca_name)
tls.create_csr(ca_name, **_TLS_TEST_DATA['create_ca'])
tls.create_ca_signed_cert(
ca_name, _TLS_TEST_DATA['create_ca']['CN'])
self.assertEqual(
tls.create_pkcs12(ca_name,
_TLS_TEST_DATA['create_ca']['CN'],
'password'), ret)
finally:
if os.path.isdir(ca_path):
shutil.rmtree(ca_path)
def test_create_pkcs12(self):
'''
Test creating pkcs12
'''
ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR)
try:
ca_name = 'test_ca'
certp = '{0}/{1}/certs/{2}.p12'.format(
ca_path,
ca_name,
_TLS_TEST_DATA['create_ca']['CN'])
ret = 'Created PKCS#12 Certificate for "{0}": "{1}"'.format(
_TLS_TEST_DATA['create_ca']['CN'], certp)
mock_opt = MagicMock(return_value=ca_path)
mock_ret = MagicMock(return_value=0)
mock_pgt = MagicMock(return_value=False)
with patch.dict(tls.__salt__, {'config.option': mock_opt, 'cmd.retcode': mock_ret, 'pillar.get': mock_pgt}):
with patch.dict(tls.__opts__, {'hash_type': 'sha256',
'cachedir': ca_path}):
tls.create_ca(ca_name)
tls.create_csr(ca_name, **_TLS_TEST_DATA['create_ca'])
tls.create_ca_signed_cert(ca_name,
_TLS_TEST_DATA['create_ca']['CN'])
self.assertEqual(
tls.create_pkcs12(ca_name,
_TLS_TEST_DATA['create_ca']['CN'],
'password'),
ret)
finally:
if os.path.isdir(ca_path):
shutil.rmtree(ca_path)
def test_recreate_csr(self, ca_path):
'''
Test creating certificate signing request when one already exists
'''
ca_name = 'test_ca'
certp = '{0}/{1}/certs/{2}.csr'.format(
ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN'])
certk = '{0}/{1}/certs/{2}.key'.format(
ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN'])
ret = ('Created Private Key: "{0}." '
'Created CSR for "{1}": "{2}."').format(
certk, _TLS_TEST_DATA['create_ca']['CN'], certp)
mock_opt = MagicMock(return_value=ca_path)
mock_ret = MagicMock(return_value=0)
mock_pgt = MagicMock(return_value=False)
with patch.dict(tls.__salt__, {'config.option': mock_opt,
'cmd.retcode': mock_ret,
'pillar.get': mock_pgt}), \
patch.dict(tls.__opts__, {'hash_type': 'sha256',
'cachedir': ca_path}), \
patch.dict(_TLS_TEST_DATA['create_ca'], {'replace': True}), \
patch('salt.modules.tls.maybe_fix_ssl_version',
MagicMock(return_value=True)):
tls.create_ca(ca_name)
tls.create_csr(ca_name)
self.assertEqual(
tls.create_csr(ca_name, **_TLS_TEST_DATA['create_ca']), ret)
def test_revoked_cert_should_return_False_from_validate(self):
revoked_crl_filename = os.path.join(self.tempdir, "revoked.crl")
tls.create_ca(self.ca_name)
tls.create_csr(
ca_name=self.ca_name,
CN="testing.bad.localhost",
)
tls.create_ca_signed_cert(
ca_name=self.ca_name,
CN="testing.bad.localhost",
)
tls.create_empty_crl(
ca_name=self.ca_name,
crl_file=revoked_crl_filename,
)
tls.revoke_cert(
ca_name=self.ca_name,
CN="testing.bad.localhost",
crl_file=revoked_crl_filename,
)
self.assertFalse(
tls.validate(
cert=os.path.join(
self.tempdir,
self.ca_name,
"certs",
"testing.bad.localhost.crt",
),
ca_name=self.ca_name,
crl_file=revoked_crl_filename,
)["valid"])
def test_create_csr(self):
'''
Test creating certificate signing request
'''
ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR)
try:
ca_name = 'test_ca'
certp = '{0}/{1}/certs/{2}.csr'.format(
ca_path,
ca_name,
_TLS_TEST_DATA['create_ca']['CN'])
certk = '{0}/{1}/certs/{2}.key'.format(
ca_path,
ca_name,
_TLS_TEST_DATA['create_ca']['CN'])
ret = ('Created Private Key: "{0}." '
'Created CSR for "{1}": "{2}."').format(
certk, _TLS_TEST_DATA['create_ca']['CN'], certp)
mock_opt = MagicMock(return_value=ca_path)
mock_ret = MagicMock(return_value=0)
mock_pgt = MagicMock(return_value=False)
with patch.dict(tls.__salt__, {'config.option': mock_opt, 'cmd.retcode': mock_ret, 'pillar.get': mock_pgt}):
with patch.dict(tls.__opts__, {'hash_type': 'sha256',
'cachedir': ca_path}):
tls.create_ca(ca_name)
self.assertEqual(
tls.create_csr(
ca_name,
**_TLS_TEST_DATA['create_ca']),
ret)
finally:
if os.path.isdir(ca_path):
shutil.rmtree(ca_path)
def test_create_csr_permissions_on_csr_and_key(tmp_path, tls_test_data):
ca_name = "test_ca"
csrp = (tmp_path / ca_name / "certs" /
"{}.csr".format(tls_test_data["create_ca"]["CN"]))
keyp = (tmp_path / ca_name / "certs" /
"{}.key".format(tls_test_data["create_ca"]["CN"]))
mock_opt = MagicMock(return_value=str(tmp_path))
mock_ret = MagicMock(return_value=0)
mock_pgt = MagicMock(return_value=False)
with patch.dict(
tls.__salt__,
{
"config.option": mock_opt,
"cmd.retcode": mock_ret,
"pillar.get": mock_pgt
},
), patch.dict(tls.__opts__, {
"hash_type": "sha256",
"cachedir": str(tmp_path)
}):
ca_ret = tls.create_ca(ca_name, days=365, **tls_test_data["create_ca"])
assert ca_ret
csr_ret = tls.create_csr(ca_name, **tls_test_data["create_ca"])
assert csr_ret
assert csrp.exists()
assert keyp.exists()
assert csrp.stat().st_mode & 0o7777 == 0o644
assert keyp.stat().st_mode & 0o7777 == 0o600
def test_create_csr(self):
'''
Test creating certificate signing request
'''
ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR)
try:
ca_name = 'test_ca'
certp = '{0}/{1}/certs/{2}.csr'.format(
ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN'])
certk = '{0}/{1}/certs/{2}.key'.format(
ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN'])
ret = ('Created Private Key: "{0}." '
'Created CSR for "{1}": "{2}."').format(
certk, _TLS_TEST_DATA['create_ca']['CN'], certp)
mock_opt = MagicMock(return_value=ca_path)
mock_ret = MagicMock(return_value=0)
mock_pgt = MagicMock(return_value=False)
with patch.dict(
tls.__salt__, {
'config.option': mock_opt,
'cmd.retcode': mock_ret,
'pillar.get': mock_pgt
}):
with patch.dict(tls.__opts__, {
'hash_type': 'sha256',
'cachedir': ca_path
}):
tls.create_ca(ca_name)
self.assertEqual(
tls.create_csr(ca_name, **_TLS_TEST_DATA['create_ca']),
ret)
finally:
if os.path.isdir(ca_path):
shutil.rmtree(ca_path)
def test_recreate_ca_signed_cert(self):
'''
Test signing certificate from request when certificate exists
'''
ca_path = tempfile.mkdtemp(dir=TMP)
try:
ca_name = 'test_ca'
certp = '{0}/{1}/certs/{2}.crt'.format(
ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN'])
ret = 'Created Certificate for "{0}": "{1}"'.format(
_TLS_TEST_DATA['create_ca']['CN'], certp)
mock_opt = MagicMock(return_value=ca_path)
mock_ret = MagicMock(return_value=0)
mock_pgt = MagicMock(return_value=False)
with patch.dict(
tls.__salt__, {
'config.option': mock_opt,
'cmd.retcode': mock_ret,
'pillar.get': mock_pgt
}):
with patch.dict(tls.__opts__, {
'hash_type': 'sha256',
'cachedir': ca_path
}):
tls.create_ca(ca_name)
tls.create_csr(ca_name)
tls.create_ca_signed_cert(
ca_name, _TLS_TEST_DATA['create_ca']['CN'])
self.assertEqual(
tls.create_ca_signed_cert(
ca_name,
_TLS_TEST_DATA['create_ca']['CN'],
replace=True), ret)
finally:
if os.path.isdir(ca_path):
shutil.rmtree(ca_path)
def test_pyOpenSSL_version_destructive(self):
'''
Test extension logic with different pyOpenSSL versions
'''
pillarval = {'csr': {'extendedKeyUsage': 'serverAuth'}}
mock_pgt = MagicMock(return_value=pillarval)
ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR)
ca_name = 'test_ca'
certp = '{0}/{1}/{2}_ca_cert.crt'.format(ca_path, ca_name, ca_name)
certk = '{0}/{1}/{2}_ca_cert.key'.format(ca_path, ca_name, ca_name)
ret = 'Created Private Key: "{0}." Created CA "{1}": "{2}."'.format(
certk, ca_name, certp)
mock_opt = MagicMock(return_value=ca_path)
mock_ret = MagicMock(return_value=0)
try:
with patch.dict(tls.__salt__, {
'config.option': mock_opt,
'cmd.retcode': mock_ret
}):
with patch.dict(tls.__opts__, {
'hash_type': 'sha256',
'cachedir': ca_path
}):
with patch.dict(_TLS_TEST_DATA['create_ca'],
{'replace': True}):
with patch.dict(
tls.__dict__, {
'OpenSSL_version': LooseVersion('0.1.1'),
'X509_EXT_ENABLED': False
}):
self.assertEqual(
tls.create_ca(ca_name,
days=365,
fixmode=False,
**_TLS_TEST_DATA['create_ca']),
ret)
with patch.dict(
tls.__dict__, {
'OpenSSL_version': LooseVersion('0.14.1'),
'X509_EXT_ENABLED': True
}):
self.assertEqual(
tls.create_ca(ca_name,
days=365,
fixmode=False,
**_TLS_TEST_DATA['create_ca']),
ret)
with patch.dict(
tls.__dict__, {
'OpenSSL_version': LooseVersion('0.15.1'),
'X509_EXT_ENABLED': True
}):
self.assertEqual(
tls.create_ca(ca_name,
days=365,
fixmode=False,
**_TLS_TEST_DATA['create_ca']),
ret)
finally:
if os.path.isdir(ca_path):
shutil.rmtree(ca_path)
try:
certp = '{0}/{1}/certs/{2}.csr'.format(
ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN'])
certk = '{0}/{1}/certs/{2}.key'.format(
ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN'])
ret = ('Created Private Key: "{0}." '
'Created CSR for "{1}": "{2}."').format(
certk, _TLS_TEST_DATA['create_ca']['CN'], certp)
with patch.dict(
tls.__salt__, {
'config.option': mock_opt,
'cmd.retcode': mock_ret,
'pillar.get': mock_pgt
}):
with patch.dict(tls.__opts__, {
'hash_type': 'sha256',
'cachedir': ca_path
}):
with patch.dict(_TLS_TEST_DATA['create_ca'], {
'subjectAltName': 'DNS:foo.bar',
'replace': True
}):
with patch.dict(
tls.__dict__, {
'OpenSSL_version': LooseVersion('0.1.1'),
'X509_EXT_ENABLED': False
}):
tls.create_ca(ca_name)
tls.create_csr(ca_name)
self.assertRaises(ValueError, tls.create_csr,
ca_name,
**_TLS_TEST_DATA['create_ca'])
with patch.dict(
tls.__dict__, {
'OpenSSL_version': LooseVersion('0.14.1'),
'X509_EXT_ENABLED': True
}):
tls.create_ca(ca_name)
tls.create_csr(ca_name)
self.assertEqual(
tls.create_csr(ca_name,
**_TLS_TEST_DATA['create_ca']),
ret)
with patch.dict(
tls.__dict__, {
'OpenSSL_version': LooseVersion('0.15.1'),
'X509_EXT_ENABLED': True
}):
tls.create_ca(ca_name)
tls.create_csr(ca_name)
self.assertEqual(
tls.create_csr(ca_name,
**_TLS_TEST_DATA['create_ca']),
ret)
finally:
if os.path.isdir(ca_path):
shutil.rmtree(ca_path)
def test_pyOpenSSL_version_destructive(self):
'''
Test extension logic with different pyOpenSSL versions
'''
pillarval = {'csr': {'extendedKeyUsage': 'serverAuth'}}
mock_pgt = MagicMock(return_value=pillarval)
ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR)
ca_name = 'test_ca'
certp = '{0}/{1}/{2}_ca_cert.crt'.format(
ca_path,
ca_name,
ca_name)
certk = '{0}/{1}/{2}_ca_cert.key'.format(
ca_path,
ca_name,
ca_name)
ret = 'Created Private Key: "{0}." Created CA "{1}": "{2}."'.format(
certk, ca_name, certp)
mock_opt = MagicMock(return_value=ca_path)
mock_ret = MagicMock(return_value=0)
try:
with patch.dict(tls.__salt__, {
'config.option': mock_opt,
'cmd.retcode': mock_ret}):
with patch.dict(tls.__opts__, {
'hash_type': 'sha256',
'cachedir': ca_path}):
with patch.dict(_TLS_TEST_DATA['create_ca'],
{'replace': True}):
with patch.dict(tls.__dict__, {
'OpenSSL_version':
LooseVersion('0.1.1'),
'X509_EXT_ENABLED': False}):
self.assertEqual(
tls.create_ca(
ca_name,
days=365,
fixmode=False,
**_TLS_TEST_DATA['create_ca']),
ret)
with patch.dict(tls.__dict__, {
'OpenSSL_version':
LooseVersion('0.14.1'),
'X509_EXT_ENABLED': True}):
self.assertEqual(
tls.create_ca(
ca_name,
days=365,
fixmode=False,
**_TLS_TEST_DATA['create_ca']),
ret)
with patch.dict(tls.__dict__, {
'OpenSSL_version':
LooseVersion('0.15.1'),
'X509_EXT_ENABLED': True}):
self.assertEqual(
tls.create_ca(
ca_name,
days=365,
fixmode=False,
**_TLS_TEST_DATA['create_ca']),
ret)
finally:
if os.path.isdir(ca_path):
shutil.rmtree(ca_path)
try:
certp = '{0}/{1}/certs/{2}.csr'.format(
ca_path,
ca_name,
_TLS_TEST_DATA['create_ca']['CN'])
certk = '{0}/{1}/certs/{2}.key'.format(
ca_path,
ca_name,
_TLS_TEST_DATA['create_ca']['CN'])
ret = ('Created Private Key: "{0}." '
'Created CSR for "{1}": "{2}."').format(
certk, _TLS_TEST_DATA['create_ca']['CN'], certp)
with patch.dict(tls.__salt__, {
'config.option': mock_opt,
'cmd.retcode': mock_ret,
'pillar.get': mock_pgt}):
with patch.dict(tls.__opts__, {'hash_type': 'sha256',
'cachedir': ca_path}):
with patch.dict(_TLS_TEST_DATA['create_ca'], {
'subjectAltName': 'DNS:foo.bar',
'replace': True}):
with patch.dict(tls.__dict__, {
'OpenSSL_version':
LooseVersion('0.1.1'),
'X509_EXT_ENABLED': False}):
tls.create_ca(ca_name)
tls.create_csr(ca_name)
self.assertRaises(ValueError,
tls.create_csr,
ca_name,
**_TLS_TEST_DATA['create_ca'])
with patch.dict(tls.__dict__, {
'OpenSSL_version':
LooseVersion('0.14.1'),
'X509_EXT_ENABLED': True}):
tls.create_ca(ca_name)
tls.create_csr(ca_name)
self.assertEqual(
tls.create_csr(
ca_name,
**_TLS_TEST_DATA['create_ca']),
ret)
with patch.dict(tls.__dict__, {
'OpenSSL_version':
LooseVersion('0.15.1'),
'X509_EXT_ENABLED': True}):
tls.create_ca(ca_name)
tls.create_csr(ca_name)
self.assertEqual(
tls.create_csr(
ca_name,
**_TLS_TEST_DATA['create_ca']),
ret)
finally:
if os.path.isdir(ca_path):
shutil.rmtree(ca_path)
def test_creating_csr_should_fail_with_no_ca(self):
expected_message = ('Certificate for CA named "bad_ca" does not exist,'
" please create it first.")
self.assertEqual(tls.create_csr(ca_name="bad_ca"), expected_message)
def test_pyOpenSSL_version_destructive(self, ca_path):
"""
Test extension logic with different pyOpenSSL versions
"""
pillarval = {"csr": {"extendedKeyUsage": "serverAuth"}}
mock_pgt = MagicMock(return_value=pillarval)
ca_name = "test_ca"
certp = "{0}/{1}/{1}_ca_cert.crt".format(ca_path, ca_name)
certk = "{0}/{1}/{1}_ca_cert.key".format(ca_path, ca_name)
ret = 'Created Private Key: "{0}." Created CA "{1}": "{2}."'.format(
certk, ca_name, certp)
mock_opt = MagicMock(return_value=ca_path)
mock_ret = MagicMock(return_value=0)
with patch.dict(tls.__salt__, {
"config.option": mock_opt,
"cmd.retcode": mock_ret
}):
with patch.dict(tls.__opts__, {
"hash_type": "sha256",
"cachedir": ca_path
}):
with patch.dict(_TLS_TEST_DATA["create_ca"],
{"replace": True}):
with patch.dict(
tls.__dict__,
{
"OpenSSL_version": LooseVersion("0.1.1"),
"X509_EXT_ENABLED": False,
},
):
self.assertEqual(
tls.create_ca(ca_name,
days=365,
fixmode=False,
**_TLS_TEST_DATA["create_ca"]),
ret,
)
with patch.dict(
tls.__dict__,
{
"OpenSSL_version": LooseVersion("0.14.1"),
"X509_EXT_ENABLED": True,
},
):
self.assertEqual(
tls.create_ca(ca_name,
days=365,
fixmode=False,
**_TLS_TEST_DATA["create_ca"]),
ret,
)
with patch.dict(
tls.__dict__,
{
"OpenSSL_version": LooseVersion("0.15.1"),
"X509_EXT_ENABLED": True,
},
):
self.assertEqual(
tls.create_ca(ca_name,
days=365,
fixmode=False,
**_TLS_TEST_DATA["create_ca"]),
ret,
)
certp = "{0}/{1}/certs/{2}.csr".format(
ca_path, ca_name, _TLS_TEST_DATA["create_ca"]["CN"])
certk = "{0}/{1}/certs/{2}.key".format(
ca_path, ca_name, _TLS_TEST_DATA["create_ca"]["CN"])
ret = ('Created Private Key: "{0}." '
'Created CSR for "{1}": "{2}."').format(
certk, _TLS_TEST_DATA["create_ca"]["CN"], certp)
with patch.dict(
tls.__salt__,
{
"config.option": mock_opt,
"cmd.retcode": mock_ret,
"pillar.get": mock_pgt,
},
):
with patch.dict(tls.__opts__, {
"hash_type": "sha256",
"cachedir": ca_path
}):
with patch.dict(
_TLS_TEST_DATA["create_ca"],
{
"subjectAltName": "DNS:foo.bar",
"replace": True
},
):
with patch.dict(
tls.__dict__,
{
"OpenSSL_version": LooseVersion("0.1.1"),
"X509_EXT_ENABLED": False,
},
):
tls.create_ca(ca_name)
tls.create_csr(ca_name)
self.assertRaises(ValueError, tls.create_csr, ca_name,
**_TLS_TEST_DATA["create_ca"])
with patch.dict(
tls.__dict__,
{
"OpenSSL_version": LooseVersion("0.14.1"),
"X509_EXT_ENABLED": True,
},
):
tls.create_ca(ca_name)
tls.create_csr(ca_name)
self.assertEqual(
tls.create_csr(ca_name,
**_TLS_TEST_DATA["create_ca"]), ret)
with patch.dict(
tls.__dict__,
{
"OpenSSL_version": LooseVersion("0.15.1"),
"X509_EXT_ENABLED": True,
},
):
tls.create_ca(ca_name)
tls.create_csr(ca_name)
self.assertEqual(
tls.create_csr(ca_name,
**_TLS_TEST_DATA["create_ca"]), ret)