def test_refresh_self_signed_certificate_send_sighup(mocker, tmpdir, caplog):
    """A stale self-signed certificate check must log a SIGHUP to stunnel.

    ``is_pid_running`` is patched to report a live tunnel process and
    ``os.getpgid`` / ``os.killpg`` are stubbed so no real signal is sent.
    The state records a certificate created four hours ago; after
    ``check_certificate`` runs, the log must name the PID and process
    group that were signalled.
    """
    caplog.set_level(logging.INFO)
    process_group = 'fake_pg'
    mount_root = str(tmpdir)

    # Process inspection and signalling are stubbed: only the log line is
    # observed, never a real kill.
    mocker.patch('watchdog.is_pid_running', return_value=True)
    mocker.patch('os.getpgid', return_value=process_group)
    mocker.patch('os.killpg')

    config = _get_config()
    pk_path = _get_mock_private_key_path(mocker, tmpdir)
    stale_creation = datetime.utcnow() - timedelta(hours=4)
    created_at = stale_creation.strftime(DT_PATTERN)
    tls_dict = watchdog.tls_paths_dictionary(MOUNT_NAME, mount_root)
    state = _create_certificate_and_state(tls_dict, mount_root, pk_path,
                                          created_at, ap_id=AP_ID)

    watchdog.check_certificate(config, state, mount_root, STATE_FILE,
                               base_path=mount_root)

    expected_line = 'SIGHUP signal to stunnel. PID: %d, group ID: %s' % (
        PID, process_group)
    assert expected_line in caplog.text
def test_refresh_self_signed_certificate_pid_not_running(
        mocker, tmpdir, caplog):
    """When no tunnel process is alive, the check must warn rather than signal.

    ``is_pid_running`` is patched to return ``False``; the state holds a
    certificate created four hours ago. After ``check_certificate`` runs,
    a warning about the TLS tunnel not running must be in the log.
    """
    caplog.set_level(logging.WARN)
    mount_root = str(tmpdir)

    mocker.patch('watchdog.is_pid_running', return_value=False)

    config = _get_config()
    pk_path = _get_mock_private_key_path(mocker, tmpdir)
    stale_creation = datetime.utcnow() - timedelta(hours=4)
    created_at = stale_creation.strftime(DT_PATTERN)
    tls_dict = watchdog.tls_paths_dictionary(MOUNT_NAME, mount_root)
    # The fifth positional argument is passed as False here, unlike the
    # sibling tests; its meaning is defined by the helper, not this block.
    state = _create_certificate_and_state(tls_dict, mount_root, pk_path,
                                          created_at, False, ap_id=AP_ID)

    watchdog.check_certificate(config, state, mount_root, STATE_FILE,
                               base_path=mount_root)

    assert 'TLS tunnel is not running for' in caplog.text
def test_recreate_missing_self_signed_certificate(mocker, tmpdir):
    """A missing certificate file must be recreated with a fresh timestamp.

    ``get_utc_now`` is pinned to ``FIXED_DT``; the state claims a
    certificate created four hours earlier but the certificate itself is
    removed (``remove_cert=True``). After ``check_certificate`` the
    in-memory state must carry a newer creation time, keep the access
    point ID, record no credentials method, and the private key, CSR and
    certificate must exist on disk while no public key is written.
    """
    mocker.patch('watchdog.get_utc_now', return_value=FIXED_DT)
    mount_root = str(tmpdir)
    config = _get_config()
    pk_path = _get_mock_private_key_path(mocker, tmpdir)
    created_at = (FIXED_DT - timedelta(hours=4)).strftime(DT_PATTERN)
    tls_dict = watchdog.tls_paths_dictionary(MOUNT_NAME, mount_root)
    state = _create_certificate_and_state(tls_dict, mount_root, pk_path,
                                          created_at, ap_id=AP_ID,
                                          remove_cert=True)

    watchdog.check_certificate(config, state, mount_root, STATE_FILE,
                               base_path=mount_root)

    recorded = datetime.strptime(state['certificateCreationTime'], DT_PATTERN)
    original = datetime.strptime(created_at, DT_PATTERN)
    assert recorded > original

    assert state['accessPoint'] == AP_ID
    assert not state.get('awsCredentialsMethod')

    mount_dir = tls_dict['mount_dir']
    assert os.path.exists(pk_path)
    assert not os.path.exists(os.path.join(mount_dir, 'publicKey.pem'))
    assert os.path.exists(os.path.join(mount_dir, 'request.csr'))
    assert os.path.exists(os.path.join(mount_dir, 'certificate.pem'))
def test_do_not_refresh_self_signed_certificate_bad_ap_id_bad_char(
        mocker, tmpdir, caplog):
    """A malformed access point ID in the state file must block renewal.

    The state file is on-disk input to the watchdog; here it carries
    ``BAD_AP_ID_BAD_CHAR`` and the certificate is removed. The check must
    leave the recorded creation time untouched, must not replace the ID
    with the valid ``AP_ID``, and must log that the ID was changed to a
    malformed format.
    """
    caplog.set_level(logging.ERROR)
    mocker.patch('watchdog.get_utc_now', return_value=FIXED_DT)
    mount_root = str(tmpdir)
    config = _get_config()
    pk_path = _get_mock_private_key_path(mocker, tmpdir)
    created_at = (FIXED_DT - timedelta(hours=4)).strftime(DT_PATTERN)
    tls_dict = watchdog.tls_paths_dictionary(MOUNT_NAME, mount_root)
    state = _create_certificate_and_state(tls_dict, mount_root, pk_path,
                                          created_at,
                                          ap_id=BAD_AP_ID_BAD_CHAR,
                                          remove_cert=True)

    watchdog.check_certificate(config, state, mount_root, STATE_FILE,
                               base_path=mount_root)

    recorded = datetime.strptime(state['certificateCreationTime'], DT_PATTERN)
    original = datetime.strptime(created_at, DT_PATTERN)
    assert recorded == original
    assert state['accessPoint'] != AP_ID

    expected_line = ('Access Point ID "%s" has been changed in the state '
                     'file to a malformed format' % BAD_AP_ID_BAD_CHAR)
    assert expected_line in caplog.text
def test_do_not_refresh_self_signed_certificate(mocker, tmpdir):
    """A certificate created "now" must be left alone by the check.

    ``get_utc_now`` is pinned to ``FIXED_DT`` and the state records that
    same instant as the creation time. After ``check_certificate`` the
    state file is re-read from disk and must still carry the original
    creation time, the access point ID and no credentials method; the key,
    CSR and certificate files must exist and no public key may be present.
    """
    mocker.patch('watchdog.get_utc_now', return_value=FIXED_DT)
    mount_root = str(tmpdir)
    config = _get_config()
    pk_path = _get_mock_private_key_path(mocker, tmpdir)
    created_at = FIXED_DT.strftime(DT_PATTERN)
    tls_dict = watchdog.tls_paths_dictionary(MOUNT_NAME, mount_root)
    state = _create_certificate_and_state(tls_dict, mount_root, pk_path,
                                          created_at, ap_id=AP_ID)

    watchdog.check_certificate(config, state, mount_root, STATE_FILE,
                               base_path=mount_root)

    # Read back what was persisted rather than trusting the in-memory dict.
    state_path = os.path.join(mount_root, STATE_FILE)
    with open(state_path, 'r') as state_json:
        state = json.load(state_json)

    recorded = datetime.strptime(state['certificateCreationTime'], DT_PATTERN)
    assert recorded == datetime.strptime(created_at, DT_PATTERN)
    assert state['accessPoint'] == AP_ID
    assert not state.get('awsCredentialsMethod')

    mount_dir = tls_dict['mount_dir']
    assert os.path.exists(pk_path)
    assert not os.path.exists(os.path.join(mount_dir, 'publicKey.pem'))
    assert os.path.exists(os.path.join(mount_dir, 'request.csr'))
    assert os.path.exists(os.path.join(mount_dir, 'certificate.pem'))
def test_refresh_self_signed_certificate_with_iam_with_ap_id(mocker, tmpdir):
    """A stale certificate backed by IAM credentials and an AP ID is renewed.

    ``get_utc_now`` is pinned to ``FIXED_DT``; the state records a
    certificate created four hours earlier together with ``CREDENTIALS``
    from ``CREDENTIALS_SOURCE`` and ``AP_ID``. After ``check_certificate``
    the persisted state must show a newer creation time, the same access
    point ID and credentials source, and the key, public key, CSR and
    certificate files must all exist.
    """
    mocker.patch('watchdog.get_utc_now', return_value=FIXED_DT)
    mount_root = str(tmpdir)
    config = _get_config()
    pk_path = _get_mock_private_key_path(mocker, tmpdir)
    created_at = (FIXED_DT - timedelta(hours=4)).strftime(DT_PATTERN)
    tls_dict = watchdog.tls_paths_dictionary(MOUNT_NAME, mount_root)
    state = _create_certificate_and_state(
        tls_dict, mount_root, pk_path, created_at,
        security_credentials=CREDENTIALS,
        credentials_source=CREDENTIALS_SOURCE,
        ap_id=AP_ID)

    watchdog.check_certificate(config, state, mount_root, STATE_FILE,
                               base_path=mount_root)

    # Assert against the persisted state file, not the in-memory dict.
    state_path = os.path.join(mount_root, STATE_FILE)
    with open(state_path, 'r') as state_json:
        state = json.load(state_json)

    recorded = datetime.strptime(state['certificateCreationTime'], DT_PATTERN)
    assert recorded > datetime.strptime(created_at, DT_PATTERN)
    assert state['accessPoint'] == AP_ID
    assert state['awsCredentialsMethod'] == CREDENTIALS_SOURCE

    mount_dir = tls_dict['mount_dir']
    assert os.path.exists(pk_path)
    assert os.path.exists(os.path.join(mount_dir, 'publicKey.pem'))
    assert os.path.exists(os.path.join(mount_dir, 'request.csr'))
    assert os.path.exists(os.path.join(mount_dir, 'certificate.pem'))
def _test_refresh_certificate_helper(mocker,
                                     tmpdir,
                                     caplog,
                                     minutes_back,
                                     renewal_interval=60,
                                     with_iam=True,
                                     with_ap=True):
    """Drive one certificate-renewal scenario and assert the refreshed state.

    A certificate whose recorded creation time lies ``minutes_back``
    minutes before ``FIXED_DT`` is set up under ``tmpdir``,
    ``watchdog.check_certificate`` is run with the given
    ``renewal_interval``, and the state file is re-read from disk.

    ``with_iam`` / ``with_ap`` choose what identity material the state
    carries: only an access point ID, only IAM credentials, or both.
    NOTE: the "both" branch is also taken when neither flag is set, so
    ``with_iam=False, with_ap=False`` is not a distinct scenario.

    Returns:
        The ``caplog`` fixture, so callers can inspect logged output.
    """
    mocker.patch('watchdog.get_utc_now', return_value=FIXED_DT)
    mount_root = str(tmpdir)
    config = _get_config(certificate_renewal_interval=renewal_interval)
    pk_path = _get_mock_private_key_path(mocker, tmpdir)
    creation_time = (FIXED_DT -
                     timedelta(minutes=minutes_back)).strftime(DT_PATTERN)
    tls_dict = watchdog.tls_paths_dictionary(MOUNT_NAME, mount_root)

    ap_only = with_ap and not with_iam
    iam_only = with_iam and not with_ap
    iam_kwargs = {'security_credentials': CREDENTIALS,
                  'credentials_source': CREDENTIALS_SOURCE}

    if ap_only:
        identity = {'ap_id': AP_ID}
    elif iam_only:
        identity = dict(iam_kwargs)
    else:
        identity = dict(iam_kwargs, ap_id=AP_ID)

    state = _create_certificate_and_state(tls_dict, mount_root, pk_path,
                                          creation_time, **identity)

    watchdog.check_certificate(config, state, mount_root, STATE_FILE,
                               base_path=mount_root)

    # Re-read the persisted state so the assertions cover what was written.
    with open(os.path.join(mount_root, STATE_FILE), 'r') as state_json:
        state = json.load(state_json)

    mount_dir = tls_dict['mount_dir']
    public_key = os.path.join(mount_dir, 'publicKey.pem')

    if ap_only:
        assert state['accessPoint'] == AP_ID
        assert not state.get('awsCredentialsMethod')
        assert not os.path.exists(public_key)
    elif iam_only:
        assert 'accessPoint' not in state
        assert state['awsCredentialsMethod'] == CREDENTIALS_SOURCE
        assert os.path.exists(public_key)
    else:
        assert state['accessPoint'] == AP_ID
        assert state['awsCredentialsMethod'] == CREDENTIALS_SOURCE
        assert os.path.exists(public_key)

    recorded = datetime.strptime(state['certificateCreationTime'], DT_PATTERN)
    assert recorded > datetime.strptime(creation_time, DT_PATTERN)
    assert os.path.exists(pk_path)
    assert os.path.exists(os.path.join(mount_dir, 'request.csr'))
    assert os.path.exists(os.path.join(mount_dir, 'certificate.pem'))

    return caplog