def _create_ca_conf_helper(mocker,
tmpdir,
current_time,
iam=True,
ap=True,
client_info=True):
tls_dict = mount_efs.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
mount_efs.create_required_directory({}, tls_dict['mount_dir'])
tls_dict['certificate_path'] = os.path.join(tls_dict['mount_dir'],
'config.conf')
tls_dict['private_key'] = os.path.join(tls_dict['mount_dir'],
'privateKey.pem')
tls_dict['public_key'] = os.path.join(tls_dict['mount_dir'],
'publicKey.pem')
if iam:
with open(tls_dict['public_key'], 'w') as f:
f.write(PUBLIC_KEY_BODY)
mocker.patch('watchdog.get_aws_security_credentials',
return_value=CREDENTIALS)
credentials = 'dummy:lookup' if iam else None
ap_id = AP_ID if ap else None
client_info = CLIENT_INFO if client_info else None
full_config_body = watchdog.create_ca_conf(tls_dict['certificate_path'],
COMMON_NAME,
tls_dict['mount_dir'],
tls_dict['private_key'],
current_time, REGION, FS_ID,
credentials, ap_id, client_info)
assert os.path.exists(tls_dict['certificate_path'])
return tls_dict, full_config_body
def test_create_ca_supporting_dirs(tmpdir):
config = _get_config()
tls_dict = mount_efs.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
mount_efs.ca_dirs_check(config, tls_dict['database_dir'],
tls_dict['certs_dir'])
assert os.path.exists(tls_dict['database_dir'])
assert os.path.exists(tls_dict['certs_dir'])
def _test_certificate_with_iam_with_ap_with_invalid_client_source_config(
mocker, tmpdir, client_source):
mocker.patch('mount_efs.check_if_platform_is_mac', return_value=False)
config = _get_mock_config(client_info={'source': client_source}
) if client_source else _get_config()
client_info = mount_efs.get_client_info(config)
pk_path = _get_mock_private_key_path(mocker, tmpdir)
tls_dict = mount_efs.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
tmp_config_path = os.path.join(str(tmpdir), MOUNT_NAME, 'tmpConfig')
mount_efs.create_certificate(config,
MOUNT_NAME,
COMMON_NAME,
REGION,
FS_ID,
CREDENTIALS,
AP_ID,
client_info,
base_path=str(tmpdir))
# Any invalid or not given client source should be marked as unknown
expected_client_info = {
'source': 'unknown',
'efs_utils_version': mount_efs.VERSION
}
with open(os.path.join(tls_dict['mount_dir'], 'config.conf')) as f:
conf_body = f.read()
assert conf_body == mount_efs.create_ca_conf(
tmp_config_path, COMMON_NAME, tls_dict['mount_dir'], pk_path,
FIXED_DT, REGION, FS_ID, CREDENTIALS, AP_ID, expected_client_info)
assert os.path.exists(pk_path)
assert os.path.exists(os.path.join(tls_dict['mount_dir'], 'publicKey.pem'))
assert os.path.exists(os.path.join(tls_dict['mount_dir'], 'request.csr'))
assert os.path.exists(
os.path.join(tls_dict['mount_dir'], 'certificate.pem'))
def test_certificate_without_iam_without_ap_id_with_client_source(
mocker, tmpdir):
config = _get_mock_config()
pk_path = _get_mock_private_key_path(mocker, tmpdir)
tls_dict = mount_efs.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
tmp_config_path = os.path.join(str(tmpdir), MOUNT_NAME, 'tmpConfig')
mount_efs.create_certificate(config,
MOUNT_NAME,
COMMON_NAME,
REGION,
FS_ID,
None,
None,
CLIENT_INFO,
base_path=str(tmpdir))
with open(os.path.join(tls_dict['mount_dir'], 'config.conf')) as f:
conf_body = f.read()
assert conf_body == mount_efs.create_ca_conf(
tmp_config_path, COMMON_NAME, tls_dict['mount_dir'], pk_path,
FIXED_DT, REGION, FS_ID, None, None, CLIENT_INFO)
assert os.path.exists(pk_path)
assert not os.path.exists(
os.path.join(tls_dict['mount_dir'], 'publicKey.pem'))
assert os.path.exists(os.path.join(tls_dict['mount_dir'], 'request.csr'))
assert os.path.exists(
os.path.join(tls_dict['mount_dir'], 'certificate.pem'))
def _test_recreate_certificate_with_valid_client_source_config(
mocker, tmpdir, client_source):
config = _get_mock_config(client_info={'source': client_source}
) if client_source else _get_config()
client_info = mount_efs.get_client_info(config)
pk_path = _get_mock_private_key_path(mocker, tmpdir)
tls_dict = mount_efs.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
tmp_config_path = os.path.join(str(tmpdir), MOUNT_NAME, 'tmpConfig')
mount_efs.create_certificate(config,
MOUNT_NAME,
COMMON_NAME,
REGION,
FS_ID,
CREDENTIALS,
AP_ID,
client_info,
base_path=str(tmpdir))
expected_client_info = {
'source': client_source,
'efs_utils_version': mount_efs.VERSION
}
with open(os.path.join(tls_dict['mount_dir'], 'config.conf')) as f:
conf_body = f.read()
assert conf_body == mount_efs.create_ca_conf(
tmp_config_path, COMMON_NAME, tls_dict['mount_dir'], pk_path,
FIXED_DT, REGION, FS_ID, CREDENTIALS, AP_ID, expected_client_info)
assert os.path.exists(pk_path)
assert os.path.exists(os.path.join(tls_dict['mount_dir'], 'publicKey.pem'))
assert os.path.exists(os.path.join(tls_dict['mount_dir'], 'request.csr'))
assert os.path.exists(
os.path.join(tls_dict['mount_dir'], 'certificate.pem'))
def test_bootstrap_tls_no_cert_creation(mocker, tmpdir):
setup_mocks_without_popen(mocker)
mocker.patch('mount_efs.get_mount_specific_filename',
return_value=DNS_NAME)
state_file_dir = str(tmpdir)
tls_dict = mount_efs.tls_paths_dictionary(DNS_NAME, state_file_dir)
pk_path = os.path.join(str(tmpdir), 'privateKey.pem')
mocker.patch('mount_efs.get_private_key_path', return_value=pk_path)
def config_get_side_effect(section, field):
if section == mount_efs.CONFIG_SECTION and field == 'state_file_dir_mode':
return '0755'
elif section == mount_efs.CONFIG_SECTION and field == 'dns_name_format':
return '{fs_id}.efs.{region}.amazonaws.com'
else:
raise ValueError('Unexpected arguments')
MOCK_CONFIG.get.side_effect = config_get_side_effect
try:
with mount_efs.bootstrap_tls(MOCK_CONFIG, INIT_SYSTEM, DNS_NAME, FS_ID,
None, MOUNT_POINT, {}, state_file_dir):
pass
except OSError as e:
assert '[Errno 2] No such file or directory' in str(e)
assert not os.path.exists(
os.path.join(tls_dict['mount_dir'], 'certificate.pem'))
assert not os.path.exists(
os.path.join(tls_dict['mount_dir'], 'request.csr'))
assert not os.path.exists(
os.path.join(tls_dict['mount_dir'], 'config.conf'))
assert not os.path.exists(pk_path)
def _create_ca_conf_helper(tmpdir, current_time, iam=True, ap=True):
tls_dict = mount_efs.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
mount_efs.create_required_directory({}, tls_dict['mount_dir'])
tls_dict['certificate_path'] = os.path.join(tls_dict['mount_dir'],
'config.conf')
tls_dict['private_key'] = os.path.join(tls_dict['mount_dir'],
'privateKey.pem')
tls_dict['public_key'] = os.path.join(tls_dict['mount_dir'],
'publicKey.pem')
if iam:
with open(tls_dict['public_key'], 'w') as f:
f.write(PUBLIC_KEY_BODY)
credentials = CREDENTIALS if iam else None
ap_id = AP_ID if ap else None
full_config_body = mount_efs.create_ca_conf(tls_dict['certificate_path'],
COMMON_NAME,
tls_dict['mount_dir'],
tls_dict['private_key'],
current_time, REGION, FS_ID,
credentials, ap_id)
assert os.path.exists(tls_dict['certificate_path'])
return tls_dict, full_config_body
def test_certificate_with_iam_without_ap_id(mocker, tmpdir):
config = _get_mock_config()
pk_path = _get_mock_private_key_path(mocker, tmpdir)
tls_dict = mount_efs.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
tmp_config_path = os.path.join(str(tmpdir), MOUNT_NAME, "tmpConfig")
mount_efs.create_certificate(
config,
MOUNT_NAME,
COMMON_NAME,
REGION,
FS_ID,
CREDENTIALS,
None,
CLIENT_INFO,
base_path=str(tmpdir),
)
with open(os.path.join(tls_dict["mount_dir"], "config.conf")) as f:
conf_body = f.read()
assert conf_body == mount_efs.create_ca_conf(
tmp_config_path,
COMMON_NAME,
tls_dict["mount_dir"],
pk_path,
FIXED_DT,
REGION,
FS_ID,
CREDENTIALS,
None,
CLIENT_INFO,
)
assert os.path.exists(pk_path)
assert os.path.exists(os.path.join(tls_dict["mount_dir"], "publicKey.pem"))
assert os.path.exists(os.path.join(tls_dict["mount_dir"], "request.csr"))
assert os.path.exists(
os.path.join(tls_dict["mount_dir"], "certificate.pem"))
def _test_recreate_certificate_with_valid_client_source_config(
mocker, tmpdir, client_source):
mocker.patch(
"mount_efs.check_if_platform_is_mac",
return_value=False if client_source != "macos" else True,
)
config = (_get_mock_config(client_info={"source": client_source})
if client_source else _get_config())
client_info = mount_efs.get_client_info(config)
pk_path = _get_mock_private_key_path(mocker, tmpdir)
tls_dict = mount_efs.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
tmp_config_path = os.path.join(str(tmpdir), MOUNT_NAME, "tmpConfig")
mount_efs.create_certificate(
config,
MOUNT_NAME,
COMMON_NAME,
REGION,
FS_ID,
CREDENTIALS,
AP_ID,
client_info,
base_path=str(tmpdir),
)
expected_client_info = {
"source": client_source,
"efs_utils_version": mount_efs.VERSION,
}
with open(os.path.join(tls_dict["mount_dir"], "config.conf")) as f:
conf_body = f.read()
assert conf_body == mount_efs.create_ca_conf(
tmp_config_path,
COMMON_NAME,
tls_dict["mount_dir"],
pk_path,
FIXED_DT,
REGION,
FS_ID,
CREDENTIALS,
AP_ID,
expected_client_info,
)
assert os.path.exists(pk_path)
assert os.path.exists(os.path.join(tls_dict["mount_dir"], "publicKey.pem"))
assert os.path.exists(os.path.join(tls_dict["mount_dir"], "request.csr"))
assert os.path.exists(
os.path.join(tls_dict["mount_dir"], "certificate.pem"))
def _create_ca_conf_helper(mocker,
tmpdir,
current_time,
iam=True,
ap=True,
client_info=True):
config = _get_config()
tls_dict = mount_efs.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
mount_efs.create_required_directory({}, tls_dict["mount_dir"])
tls_dict["certificate_path"] = os.path.join(tls_dict["mount_dir"],
"config.conf")
tls_dict["private_key"] = os.path.join(tls_dict["mount_dir"],
"privateKey.pem")
tls_dict["public_key"] = os.path.join(tls_dict["mount_dir"],
"publicKey.pem")
if iam:
with open(tls_dict["public_key"], "w") as f:
f.write(PUBLIC_KEY_BODY)
mocker.patch("watchdog.get_aws_security_credentials",
return_value=CREDENTIALS)
credentials = "dummy:lookup" if iam else None
ap_id = AP_ID if ap else None
client_info = CLIENT_INFO if client_info else None
full_config_body = watchdog.create_ca_conf(
config,
tls_dict["certificate_path"],
COMMON_NAME,
tls_dict["mount_dir"],
tls_dict["private_key"],
current_time,
REGION,
FS_ID,
credentials,
ap_id,
client_info,
)
assert os.path.exists(tls_dict["certificate_path"])
return tls_dict, full_config_body
def test_create_ca_supporting_files(tmpdir):
config = _get_config()
tls_dict = mount_efs.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
index = tls_dict['index']
index_attr = tls_dict['index_attr']
serial = tls_dict['serial']
rand = tls_dict['rand']
mount_efs.ca_dirs_check(config, tls_dict['database_dir'], tls_dict['certs_dir'])
mount_efs.ca_supporting_files_check(index, index_attr, serial, rand)
with open(index_attr, 'r') as index_attr_file:
index_attr_content = index_attr_file.read()
with open(serial, 'r') as serial_file:
serial_content = serial_file.read()
assert os.path.exists(index)
assert os.path.exists(index_attr)
assert os.path.exists(serial)
assert os.path.exists(rand)
assert 'unique_subject = no' == index_attr_content
assert '00' == serial_content
def test_create_ca_supporting_files(tmpdir):
config = _get_config()
tls_dict = mount_efs.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
index = tls_dict["index"]
index_attr = tls_dict["index_attr"]
serial = tls_dict["serial"]
rand = tls_dict["rand"]
mount_efs.ca_dirs_check(config, tls_dict["database_dir"],
tls_dict["certs_dir"])
mount_efs.ca_supporting_files_check(index, index_attr, serial, rand)
with open(index_attr, "r") as index_attr_file:
index_attr_content = index_attr_file.read()
with open(serial, "r") as serial_file:
serial_content = serial_file.read()
assert os.path.exists(index)
assert os.path.exists(index_attr)
assert os.path.exists(serial)
assert os.path.exists(rand)
assert "unique_subject = no" == index_attr_content
assert "00" == serial_content