def test_generate_root_ca_already_init(self, get_local_client,
                                       configure_pki_backend, is_ca_ready,
                                       get_access_address):
    """generate_root_ca() must raise VaultError when the CA is already ready.

    The mock passed in as is_ca_ready reports True, and the test asserts that
    calling generate_root_ca() with no arguments raises
    vault_pki.vault.VaultError instead of returning.
    """
    # Simulate a PKI backend whose CA has already been initialised.
    is_ca_ready.return_value = True
    self.assertRaises(vault_pki.vault.VaultError, vault_pki.generate_root_ca)
def test_generate_root_ca(self, get_local_client, configure_pki_backend,
                          is_ca_ready, get_access_address):
    """Check the Vault writes generate_root_ca() performs for a fresh CA.

    With is_ca_ready mocked to False, the call must return the certificate
    found in the mocked client's write() result, and the client must have
    been written to, in this order: the root at 'root/generate/internal',
    the issuing/CRL URLs built from the access address, and the two roles
    'local' and 'local-client'.
    """
    client = get_local_client.return_value
    client.write.return_value = {'data': {'certificate': 'cert'}}
    is_ca_ready.return_value = False
    get_access_address.return_value = 'addr'

    # Options that are expected to be forwarded unchanged to both roles.
    role_options = {
        'allow_any_name': True,
        'allowed_domains': 'domains',
        'allow_bare_domains': True,
        'allow_subdomains': True,
        'allow_glob_domains': False,
        'enforce_hostnames': True,
        'max_ttl': '0h',
    }

    result = vault_pki.generate_root_ca(ttl='0h', **role_options)
    self.assertEqual(result, 'cert')

    expected_writes = [
        mock.call('charm-pki-local/root/generate/internal',
                  common_name='Vault Root Certificate Authority '
                              '(charm-pki-local)',
                  ttl='0h'),
        mock.call('charm-pki-local/config/urls',
                  issuing_certificates='addr/v1/charm-pki-local/ca',
                  crl_distribution_points='addr/v1/charm-pki-local/crl'),
        # The two roles differ only in server_flag: 'local' is pinned to
        # server and client usage, 'local-client' to client usage only.
        mock.call('charm-pki-local/roles/local',
                  server_flag=True,
                  client_flag=True,
                  **role_options),
        mock.call('charm-pki-local/roles/local-client',
                  server_flag=False,
                  client_flag=True,
                  **role_options),
    ]
    client.write.assert_has_calls(expected_writes)
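def auto_generate_root_ca_cert():
    """Generate a root CA in Vault from the generate-root-ca action defaults.

    Reads ``actions.yaml`` (resolved against the current working directory),
    collects the ``default`` of every property declared for the
    ``generate-root-ca`` action and passes the ones named below to
    ``vault_pki.generate_root_ca``. On success the returned root CA is stored
    under ``root-ca`` with ``leader_set`` and the ``charm.vault.ca.ready``
    flag is set.

    A ``vault.VaultError`` is logged and swallowed, so generation is
    best-effort. Any other error (an unreadable file, a property without a
    ``default`` key) propagates to the caller.
    """
    # safe_load rather than yaml.load: PyYAML 6 requires an explicit Loader
    # and rejects this call without one, and older releases defaulted to
    # loaders that can construct Python objects. The lookups below only
    # index plain mappings, which safe_load provides.
    actions_yaml = yaml.safe_load(Path('actions.yaml').read_text())
    props = actions_yaml['generate-root-ca']['properties']
    action_config = {key: value['default'] for key, value in props.items()}
    # NOTE(review): the CA and its roles take whatever defaults actions.yaml
    # declares (allow-any-name, allow-glob-domains, max-ttl, ...), so a
    # permissive default there applies to every auto-generated CA - confirm
    # the shipped defaults are the intended issuance policy.
    try:
        root_ca = vault_pki.generate_root_ca(
            ttl=action_config['ttl'],
            allow_any_name=action_config['allow-any-name'],
            allowed_domains=action_config['allowed-domains'],
            allow_bare_domains=action_config['allow-bare-domains'],
            allow_subdomains=action_config['allow-subdomains'],
            allow_glob_domains=action_config['allow-glob-domains'],
            enforce_hostnames=action_config['enforce-hostnames'],
            max_ttl=action_config['max-ttl'])
        leader_set({'root-ca': root_ca})
        set_flag('charm.vault.ca.ready')
    except vault.VaultError as e:
        # Deliberately non-fatal: the failure is only logged and the flag
        # stays unset.
        log("Skipping auto-generate root CA cert: {}".format(e))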