def test_revoked_cert_should_return_False_from_validate(self): revoked_crl_filename = os.path.join(self.tempdir, "revoked.crl") tls.create_ca(self.ca_name) tls.create_csr( ca_name=self.ca_name, CN="testing.bad.localhost", ) tls.create_ca_signed_cert( ca_name=self.ca_name, CN="testing.bad.localhost", ) tls.create_empty_crl( ca_name=self.ca_name, crl_file=revoked_crl_filename, ) tls.revoke_cert( ca_name=self.ca_name, CN="testing.bad.localhost", crl_file=revoked_crl_filename, ) self.assertFalse( tls.validate( cert=os.path.join( self.tempdir, self.ca_name, "certs", "testing.bad.localhost.crt", ), ca_name=self.ca_name, crl_file=revoked_crl_filename, )["valid"])
def test_recreate_ca(self): ''' Test creating CA cert when one already exists ''' ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR) try: ca_name = 'test_ca' certp = '{0}/{1}/{2}_ca_cert.crt'.format(ca_path, ca_name, ca_name) certk = '{0}/{1}/{2}_ca_cert.key'.format(ca_path, ca_name, ca_name) ret = 'Created Private Key: "{0}." Created CA "{1}": "{2}."'.format( certk, ca_name, certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) with patch.dict(tls.__salt__, { 'config.option': mock_opt, 'cmd.retcode': mock_ret }): with patch.dict(tls.__opts__, { 'hash_type': 'sha256', 'cachedir': ca_path }): with patch.dict(_TLS_TEST_DATA['create_ca'], {'replace': True}): tls.create_ca(ca_name) self.assertEqual( tls.create_ca(ca_name, days=365, fixmode=False, **_TLS_TEST_DATA['create_ca']), ret) finally: if os.path.isdir(ca_path): shutil.rmtree(ca_path)
def test_recreate_pkcs12(self, ca_path): ''' Test creating pkcs12 when it already exists ''' ca_name = 'test_ca' certp = '{0}/{1}/certs/{2}.p12'.format( ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN']) ret = 'Created PKCS#12 Certificate for "{0}": "{1}"'.format( _TLS_TEST_DATA['create_ca']['CN'], certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) mock_pgt = MagicMock(return_value=False) with patch.dict(tls.__salt__, {'config.option': mock_opt, 'cmd.retcode': mock_ret, 'pillar.get': mock_pgt}), \ patch.dict(tls.__opts__, {'hash_type': 'sha256', 'cachedir': ca_path}), \ patch.dict(_TLS_TEST_DATA['create_ca'], {'replace': True}), \ patch('salt.modules.tls.maybe_fix_ssl_version', MagicMock(return_value=True)): tls.create_ca(ca_name) tls.create_csr(ca_name) tls.create_ca_signed_cert(ca_name, _TLS_TEST_DATA['create_ca']['CN']) tls.create_pkcs12(ca_name, _TLS_TEST_DATA['create_ca']['CN'], 'password') self.assertEqual( tls.create_pkcs12(ca_name, _TLS_TEST_DATA['create_ca']['CN'], 'password', replace=True), ret)
def test_validating_revoked_cert_with_no_crl_file_should_return_False( self): revoked_crl_filename = None tls.create_ca(self.ca_name) tls.create_csr( ca_name=self.ca_name, CN='testing.bad.localhost', ) tls.create_ca_signed_cert( ca_name=self.ca_name, CN='testing.bad.localhost', ) tls.create_empty_crl( ca_name=self.ca_name, crl_file=revoked_crl_filename, ) tls.revoke_cert( ca_name=self.ca_name, CN='testing.bad.localhost', crl_file=revoked_crl_filename, ) self.assertFalse( tls.validate( cert=os.path.join( self.tempdir, self.ca_name, 'certs', 'testing.bad.localhost.crt', ), ca_name=self.ca_name, crl_file=revoked_crl_filename, )['valid'])
def test_with_existing_ca_signing_csr_should_produce_valid_cert(self): print('Revoked should not be here') empty_crl_filename = os.path.join(self.tempdir, 'empty.crl') tls.create_ca(self.ca_name) tls.create_csr( ca_name=self.ca_name, CN='testing.localhost', ) tls.create_ca_signed_cert( ca_name=self.ca_name, CN='testing.localhost', ) tls.create_empty_crl( ca_name=self.ca_name, crl_file=empty_crl_filename, ) ret = tls.validate( cert=os.path.join( self.tempdir, self.ca_name, 'certs', 'testing.localhost.crt', ), ca_name=self.ca_name, crl_file=empty_crl_filename, ) print('not there') self.assertTrue(ret['valid'], ret.get('error'))
def test_create_pkcs12(self, ca_path): """ Test creating pkcs12 """ ca_name = "test_ca" certp = "{0}/{1}/certs/{2}.p12".format( ca_path, ca_name, _TLS_TEST_DATA["create_ca"]["CN"]) ret = 'Created PKCS#12 Certificate for "{0}": "{1}"'.format( _TLS_TEST_DATA["create_ca"]["CN"], certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) mock_pgt = MagicMock(return_value=False) with patch.dict( tls.__salt__, { "config.option": mock_opt, "cmd.retcode": mock_ret, "pillar.get": mock_pgt, }, ), patch.dict(tls.__opts__, { "hash_type": "sha256", "cachedir": ca_path }), patch("salt.modules.tls.maybe_fix_ssl_version", MagicMock(return_value=True)): tls.create_ca(ca_name) tls.create_csr(ca_name, **_TLS_TEST_DATA["create_ca"]) tls.create_ca_signed_cert(ca_name, _TLS_TEST_DATA["create_ca"]["CN"]) self.assertEqual( tls.create_pkcs12(ca_name, _TLS_TEST_DATA["create_ca"]["CN"], "password"), ret, )
def test_recreate_csr(self, ca_path): ''' Test creating certificate signing request when one already exists ''' ca_name = 'test_ca' certp = '{0}/{1}/certs/{2}.csr'.format( ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN']) certk = '{0}/{1}/certs/{2}.key'.format( ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN']) ret = ('Created Private Key: "{0}." ' 'Created CSR for "{1}": "{2}."').format( certk, _TLS_TEST_DATA['create_ca']['CN'], certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) mock_pgt = MagicMock(return_value=False) with patch.dict(tls.__salt__, {'config.option': mock_opt, 'cmd.retcode': mock_ret, 'pillar.get': mock_pgt}), \ patch.dict(tls.__opts__, {'hash_type': 'sha256', 'cachedir': ca_path}), \ patch.dict(_TLS_TEST_DATA['create_ca'], {'replace': True}), \ patch('salt.modules.tls.maybe_fix_ssl_version', MagicMock(return_value=True)): tls.create_ca(ca_name) tls.create_csr(ca_name) self.assertEqual( tls.create_csr(ca_name, **_TLS_TEST_DATA['create_ca']), ret)
def test_recreate_ca_signed_cert(self, ca_path): """ Test signing certificate from request when certificate exists """ ca_name = "test_ca" certp = "{}/{}/certs/{}.crt".format( ca_path, ca_name, _TLS_TEST_DATA["create_ca"]["CN"] ) ret = 'Created Certificate for "{}": "{}"'.format( _TLS_TEST_DATA["create_ca"]["CN"], certp ) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) mock_pgt = MagicMock(return_value=False) with patch.dict( tls.__salt__, { "config.option": mock_opt, "cmd.retcode": mock_ret, "pillar.get": mock_pgt, }, ), patch.dict( tls.__opts__, {"hash_type": "sha256", "cachedir": ca_path} ), patch( "salt.modules.tls.maybe_fix_ssl_version", MagicMock(return_value=True) ): tls.create_ca(ca_name) tls.create_csr(ca_name) tls.create_ca_signed_cert(ca_name, _TLS_TEST_DATA["create_ca"]["CN"]) self.assertEqual( tls.create_ca_signed_cert( ca_name, _TLS_TEST_DATA["create_ca"]["CN"], replace=True ), ret, )
def test_recreate_ca(self, ca_path): ''' Test creating CA cert when one already exists ''' ca_name = 'test_ca' certp = '{0}/{1}/{2}_ca_cert.crt'.format( ca_path, ca_name, ca_name) certk = '{0}/{1}/{2}_ca_cert.key'.format( ca_path, ca_name, ca_name) ret = 'Created Private Key: "{0}." Created CA "{1}": "{2}."'.format( certk, ca_name, certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) with patch('salt.modules.tls.maybe_fix_ssl_version', MagicMock(return_value=True)), \ patch.dict(tls.__salt__, {'config.option': mock_opt, 'cmd.retcode': mock_ret}), \ patch.dict(tls.__opts__, {'hash_type': 'sha256', 'cachedir': ca_path}), \ patch.dict(_TLS_TEST_DATA['create_ca'], {'replace': True}): tls.create_ca(ca_name) self.assertEqual( tls.create_ca( ca_name, days=365, fixmode=False, **_TLS_TEST_DATA['create_ca']), ret)
def test_create_pkcs12(self): ''' Test creating pkcs12 ''' ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR) try: ca_name = 'test_ca' certp = '{0}/{1}/certs/{2}.p12'.format( ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN']) ret = 'Created PKCS#12 Certificate for "{0}": "{1}"'.format( _TLS_TEST_DATA['create_ca']['CN'], certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) mock_pgt = MagicMock(return_value=False) with patch.dict(tls.__salt__, {'config.option': mock_opt, 'cmd.retcode': mock_ret, 'pillar.get': mock_pgt}): with patch.dict(tls.__opts__, {'hash_type': 'sha256', 'cachedir': ca_path}): tls.create_ca(ca_name) tls.create_csr(ca_name, **_TLS_TEST_DATA['create_ca']) tls.create_ca_signed_cert(ca_name, _TLS_TEST_DATA['create_ca']['CN']) self.assertEqual( tls.create_pkcs12(ca_name, _TLS_TEST_DATA['create_ca']['CN'], 'password'), ret) finally: if os.path.isdir(ca_path): shutil.rmtree(ca_path)
def test_create_csr(self): ''' Test creating certificate signing request ''' ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR) try: ca_name = 'test_ca' certp = '{0}/{1}/certs/{2}.csr'.format( ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN']) certk = '{0}/{1}/certs/{2}.key'.format( ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN']) ret = ('Created Private Key: "{0}." ' 'Created CSR for "{1}": "{2}."').format( certk, _TLS_TEST_DATA['create_ca']['CN'], certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) mock_pgt = MagicMock(return_value=False) with patch.dict( tls.__salt__, { 'config.option': mock_opt, 'cmd.retcode': mock_ret, 'pillar.get': mock_pgt }): with patch.dict(tls.__opts__, { 'hash_type': 'sha256', 'cachedir': ca_path }): tls.create_ca(ca_name) self.assertEqual( tls.create_csr(ca_name, **_TLS_TEST_DATA['create_ca']), ret) finally: if os.path.isdir(ca_path): shutil.rmtree(ca_path)
def test_create_csr(self): ''' Test creating certificate signing request ''' ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR) try: ca_name = 'test_ca' certp = '{0}/{1}/certs/{2}.csr'.format( ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN']) certk = '{0}/{1}/certs/{2}.key'.format( ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN']) ret = ('Created Private Key: "{0}." ' 'Created CSR for "{1}": "{2}."').format( certk, _TLS_TEST_DATA['create_ca']['CN'], certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) mock_pgt = MagicMock(return_value=False) with patch.dict(tls.__salt__, {'config.option': mock_opt, 'cmd.retcode': mock_ret, 'pillar.get': mock_pgt}): with patch.dict(tls.__opts__, {'hash_type': 'sha256', 'cachedir': ca_path}): tls.create_ca(ca_name) self.assertEqual( tls.create_csr( ca_name, **_TLS_TEST_DATA['create_ca']), ret) finally: if os.path.isdir(ca_path): shutil.rmtree(ca_path)
def test_recreate_ca(self): ''' Test creating CA cert when one already exists ''' ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR) try: ca_name = 'test_ca' certp = '{0}/{1}/{2}_ca_cert.crt'.format( ca_path, ca_name, ca_name) certk = '{0}/{1}/{2}_ca_cert.key'.format( ca_path, ca_name, ca_name) ret = 'Created Private Key: "{0}." Created CA "{1}": "{2}."'.format( certk, ca_name, certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) with patch.dict(tls.__salt__, {'config.option': mock_opt, 'cmd.retcode': mock_ret}): with patch.dict(tls.__opts__, {'hash_type': 'sha256', 'cachedir': ca_path}): with patch.dict(_TLS_TEST_DATA['create_ca'], {'replace': True}): tls.create_ca(ca_name) self.assertEqual( tls.create_ca( ca_name, days=365, fixmode=False, **_TLS_TEST_DATA['create_ca']), ret) finally: if os.path.isdir(ca_path): shutil.rmtree(ca_path)
def test_create_pkcs12(self): ''' Test creating pkcs12 ''' ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR) try: ca_name = 'test_ca' certp = '{0}/{1}/certs/{2}.p12'.format( ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN']) ret = 'Created PKCS#12 Certificate for "{0}": "{1}"'.format( _TLS_TEST_DATA['create_ca']['CN'], certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) mock_pgt = MagicMock(return_value=False) with patch.dict( tls.__salt__, { 'config.option': mock_opt, 'cmd.retcode': mock_ret, 'pillar.get': mock_pgt }): with patch.dict(tls.__opts__, { 'hash_type': 'sha256', 'cachedir': ca_path }): tls.create_ca(ca_name) tls.create_csr(ca_name, **_TLS_TEST_DATA['create_ca']) tls.create_ca_signed_cert( ca_name, _TLS_TEST_DATA['create_ca']['CN']) self.assertEqual( tls.create_pkcs12(ca_name, _TLS_TEST_DATA['create_ca']['CN'], 'password'), ret) finally: if os.path.isdir(ca_path): shutil.rmtree(ca_path)
def test_recreate_ca(self, ca_path): """ Test creating CA cert when one already exists """ ca_name = "test_ca" certp = "{0}/{1}/{1}_ca_cert.crt".format(ca_path, ca_name) certk = "{0}/{1}/{1}_ca_cert.key".format(ca_path, ca_name) ret = 'Created Private Key: "{0}." Created CA "{1}": "{2}."'.format( certk, ca_name, certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) with patch("salt.modules.tls.maybe_fix_ssl_version", MagicMock(return_value=True)), patch.dict( tls.__salt__, { "config.option": mock_opt, "cmd.retcode": mock_ret }), patch.dict(tls.__opts__, { "hash_type": "sha256", "cachedir": ca_path }), patch.dict(_TLS_TEST_DATA["create_ca"], {"replace": True}): tls.create_ca(ca_name) self.assertEqual( tls.create_ca(ca_name, days=365, fixmode=False, **_TLS_TEST_DATA["create_ca"]), ret, )
def test_create_ca_permissions_on_cert_and_key(tmpdir, tls_test_data): ca_name = "test_ca" certp = tmpdir.join(ca_name).join("{}_ca_cert.crt".format(ca_name)).strpath certk = tmpdir.join(ca_name).join("{}_ca_cert.key".format(ca_name)).strpath mock_opt = MagicMock(return_value=tmpdir) mock_ret = MagicMock(return_value=0) print(tls_test_data) with patch.dict(tls.__salt__, { "config.option": mock_opt, "cmd.retcode": mock_ret }), patch.dict(tls.__opts__, { "hash_type": "sha256", "cachedir": tmpdir }): tls.create_ca(ca_name, days=365, fixmode=False, **tls_test_data["create_ca"]) certp_mode = os.stat(certp).st_mode & 0o7777 certk_mode = os.stat(certk).st_mode & 0o7777 assert 0o644 == certp_mode assert 0o600 == certk_mode
def test_recreate_csr(self, ca_path): """ Test creating certificate signing request when one already exists """ ca_name = "test_ca" certp = "{0}/{1}/certs/{2}.csr".format( ca_path, ca_name, _TLS_TEST_DATA["create_ca"]["CN"]) certk = "{0}/{1}/certs/{2}.key".format( ca_path, ca_name, _TLS_TEST_DATA["create_ca"]["CN"]) ret = ('Created Private Key: "{0}." ' 'Created CSR for "{1}": "{2}."').format( certk, _TLS_TEST_DATA["create_ca"]["CN"], certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) mock_pgt = MagicMock(return_value=False) with patch.dict( tls.__salt__, { "config.option": mock_opt, "cmd.retcode": mock_ret, "pillar.get": mock_pgt, }, ), patch.dict(tls.__opts__, { "hash_type": "sha256", "cachedir": ca_path }), patch.dict(_TLS_TEST_DATA["create_ca"], {"replace": True}), patch( "salt.modules.tls.maybe_fix_ssl_version", MagicMock(return_value=True)): tls.create_ca(ca_name) tls.create_csr(ca_name) self.assertEqual( tls.create_csr(ca_name, **_TLS_TEST_DATA["create_ca"]), ret)
def test_create_csr_permissions_on_csr_and_key(tmpdir, tls_test_data): ca_name = "test_ca" csrp = (tmpdir.join(ca_name).join("certs").join("{}.csr".format( tls_test_data["create_ca"]["CN"])).strpath) keyp = (tmpdir.join(ca_name).join("certs").join("{}.key".format( tls_test_data["create_ca"]["CN"])).strpath) mock_opt = MagicMock(return_value=tmpdir) mock_ret = MagicMock(return_value=0) mock_pgt = MagicMock(return_value=False) with patch.dict( tls.__salt__, { "config.option": mock_opt, "cmd.retcode": mock_ret, "pillar.get": mock_pgt }, ), patch.dict(tls.__opts__, { "hash_type": "sha256", "cachedir": tmpdir }): tls.create_ca(ca_name, days=365, **tls_test_data["create_ca"]) tls.create_csr(ca_name, **tls_test_data["create_ca"]) csrp_mode = os.stat(csrp).st_mode & 0o7777 keyp_mode = os.stat(keyp).st_mode & 0o7777 assert 0o644 == csrp_mode assert 0o600 == keyp_mode
def test_create_ca_signed_cert(self, ca_path): ''' Test signing certificate from request ''' ca_name = 'test_ca' certp = '{0}/{1}/certs/{2}.crt'.format( ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN']) ret = 'Created Certificate for "{0}": "{1}"'.format( _TLS_TEST_DATA['create_ca']['CN'], certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) mock_pgt = MagicMock(return_value=False) with patch.dict(tls.__salt__, {'config.option': mock_opt, 'cmd.retcode': mock_ret, 'pillar.get': mock_pgt}), \ patch.dict(tls.__opts__, {'hash_type': 'sha256', 'cachedir': ca_path}), \ patch('salt.modules.tls.maybe_fix_ssl_version', MagicMock(return_value=True)): tls.create_ca(ca_name) tls.create_csr(ca_name, **_TLS_TEST_DATA['create_ca']) self.assertEqual( tls.create_ca_signed_cert(ca_name, _TLS_TEST_DATA['create_ca']['CN']), ret)
def test_with_existing_ca_signing_csr_should_produce_valid_cert(self): print("Revoked should not be here") empty_crl_filename = os.path.join(self.tempdir, "empty.crl") tls.create_ca(self.ca_name) tls.create_csr( ca_name=self.ca_name, CN="testing.localhost", ) tls.create_ca_signed_cert( ca_name=self.ca_name, CN="testing.localhost", ) tls.create_empty_crl( ca_name=self.ca_name, crl_file=empty_crl_filename, ) ret = tls.validate( cert=os.path.join( self.tempdir, self.ca_name, "certs", "testing.localhost.crt", ), ca_name=self.ca_name, crl_file=empty_crl_filename, ) print("not there") self.assertTrue(ret["valid"], ret.get("error"))
def test_create_ca_permissions_on_cert_and_key(tmp_path, tls_test_data): ca_name = "test_ca" certp = tmp_path / ca_name / "{}_ca_cert.crt".format(ca_name) certk = tmp_path / ca_name / "{}_ca_cert.key".format(ca_name) mock_opt = MagicMock(return_value=str(tmp_path)) mock_ret = MagicMock(return_value=0) with patch.dict( tls.__salt__, {"config.option": mock_opt, "cmd.retcode": mock_ret} ), patch.dict(tls.__opts__, {"hash_type": "sha256", "cachedir": str(tmp_path)}): tls.create_ca(ca_name, days=365, fixmode=False, **tls_test_data["create_ca"]) assert certp.stat().st_mode & 0o7777 == 0o644 assert certk.stat().st_mode & 0o7777 == 0o600
def test_create_csr_permissions_on_csr_and_key(tmp_path, tls_test_data): ca_name = "test_ca" csrp = (tmp_path / ca_name / "certs" / "{}.csr".format(tls_test_data["create_ca"]["CN"])) keyp = (tmp_path / ca_name / "certs" / "{}.key".format(tls_test_data["create_ca"]["CN"])) mock_opt = MagicMock(return_value=str(tmp_path)) mock_ret = MagicMock(return_value=0) mock_pgt = MagicMock(return_value=False) with patch.dict( tls.__salt__, { "config.option": mock_opt, "cmd.retcode": mock_ret, "pillar.get": mock_pgt }, ), patch.dict(tls.__opts__, { "hash_type": "sha256", "cachedir": str(tmp_path) }): ca_ret = tls.create_ca(ca_name, days=365, **tls_test_data["create_ca"]) assert ca_ret csr_ret = tls.create_csr(ca_name, **tls_test_data["create_ca"]) assert csr_ret assert csrp.exists() assert keyp.exists() assert csrp.stat().st_mode & 0o7777 == 0o644 assert keyp.stat().st_mode & 0o7777 == 0o600
def test_create_ca(self): ''' Test creating CA cert ''' ca_path = tempfile.mkdtemp(dir=TMP) try: ca_name = 'test_ca' certp = '{0}/{1}/{2}_ca_cert.crt'.format(ca_path, ca_name, ca_name) certk = '{0}/{1}/{2}_ca_cert.key'.format(ca_path, ca_name, ca_name) ret = 'Created Private Key: "{0}." Created CA "{1}": "{2}."'.format( certk, ca_name, certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) with patch.dict(tls.__salt__, {'config.option': mock_opt, 'cmd.retcode': mock_ret}), \ patch.dict(tls.__opts__, {'hash_type': 'sha256', 'cachedir': ca_path}), \ patch('salt.modules.tls.maybe_fix_ssl_version', MagicMock(return_value=True)): self.assertEqual( tls.create_ca(ca_name, days=365, fixmode=False, **_TLS_TEST_DATA['create_ca']), ret) finally: if os.path.isdir(ca_path): shutil.rmtree(ca_path)
def test_recreate_ca_signed_cert(self): ''' Test signing certificate from request when certificate exists ''' ca_path = tempfile.mkdtemp(dir=TMP) try: ca_name = 'test_ca' certp = '{0}/{1}/certs/{2}.crt'.format( ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN']) ret = 'Created Certificate for "{0}": "{1}"'.format( _TLS_TEST_DATA['create_ca']['CN'], certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) mock_pgt = MagicMock(return_value=False) with patch.dict( tls.__salt__, { 'config.option': mock_opt, 'cmd.retcode': mock_ret, 'pillar.get': mock_pgt }): with patch.dict(tls.__opts__, { 'hash_type': 'sha256', 'cachedir': ca_path }): tls.create_ca(ca_name) tls.create_csr(ca_name) tls.create_ca_signed_cert( ca_name, _TLS_TEST_DATA['create_ca']['CN']) self.assertEqual( tls.create_ca_signed_cert( ca_name, _TLS_TEST_DATA['create_ca']['CN'], replace=True), ret) finally: if os.path.isdir(ca_path): shutil.rmtree(ca_path)
def test_pyOpenSSL_version_destructive(self): ''' Test extension logic with different pyOpenSSL versions ''' pillarval = {'csr': {'extendedKeyUsage': 'serverAuth'}} mock_pgt = MagicMock(return_value=pillarval) ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR) ca_name = 'test_ca' certp = '{0}/{1}/{2}_ca_cert.crt'.format(ca_path, ca_name, ca_name) certk = '{0}/{1}/{2}_ca_cert.key'.format(ca_path, ca_name, ca_name) ret = 'Created Private Key: "{0}." Created CA "{1}": "{2}."'.format( certk, ca_name, certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) try: with patch.dict(tls.__salt__, { 'config.option': mock_opt, 'cmd.retcode': mock_ret }): with patch.dict(tls.__opts__, { 'hash_type': 'sha256', 'cachedir': ca_path }): with patch.dict(_TLS_TEST_DATA['create_ca'], {'replace': True}): with patch.dict( tls.__dict__, { 'OpenSSL_version': LooseVersion('0.1.1'), 'X509_EXT_ENABLED': False }): self.assertEqual( tls.create_ca(ca_name, days=365, fixmode=False, **_TLS_TEST_DATA['create_ca']), ret) with patch.dict( tls.__dict__, { 'OpenSSL_version': LooseVersion('0.14.1'), 'X509_EXT_ENABLED': True }): self.assertEqual( tls.create_ca(ca_name, days=365, fixmode=False, **_TLS_TEST_DATA['create_ca']), ret) with patch.dict( tls.__dict__, { 'OpenSSL_version': LooseVersion('0.15.1'), 'X509_EXT_ENABLED': True }): self.assertEqual( tls.create_ca(ca_name, days=365, fixmode=False, **_TLS_TEST_DATA['create_ca']), ret) finally: if os.path.isdir(ca_path): shutil.rmtree(ca_path) try: certp = '{0}/{1}/certs/{2}.csr'.format( ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN']) certk = '{0}/{1}/certs/{2}.key'.format( ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN']) ret = ('Created Private Key: "{0}." ' 'Created CSR for "{1}": "{2}."').format( certk, _TLS_TEST_DATA['create_ca']['CN'], certp) with patch.dict( tls.__salt__, { 'config.option': mock_opt, 'cmd.retcode': mock_ret, 'pillar.get': mock_pgt }): with patch.dict(tls.__opts__, { 'hash_type': 'sha256', 'cachedir': ca_path }): with patch.dict(_TLS_TEST_DATA['create_ca'], { 'subjectAltName': 'DNS:foo.bar', 'replace': True }): with patch.dict( tls.__dict__, { 'OpenSSL_version': LooseVersion('0.1.1'), 'X509_EXT_ENABLED': False }): tls.create_ca(ca_name) tls.create_csr(ca_name) self.assertRaises(ValueError, tls.create_csr, ca_name, **_TLS_TEST_DATA['create_ca']) with patch.dict( tls.__dict__, { 'OpenSSL_version': LooseVersion('0.14.1'), 'X509_EXT_ENABLED': True }): tls.create_ca(ca_name) tls.create_csr(ca_name) self.assertEqual( tls.create_csr(ca_name, **_TLS_TEST_DATA['create_ca']), ret) with patch.dict( tls.__dict__, { 'OpenSSL_version': LooseVersion('0.15.1'), 'X509_EXT_ENABLED': True }): tls.create_ca(ca_name) tls.create_csr(ca_name) self.assertEqual( tls.create_csr(ca_name, **_TLS_TEST_DATA['create_ca']), ret) finally: if os.path.isdir(ca_path): shutil.rmtree(ca_path)
class TLSAddTestCase(TestCase, LoaderModuleMockMixin): """ Test cases for salt.modules.tls """ def setup_loader_modules(self): return {tls: {}} def test_cert_base_path(self): """ Test for retrieving cert base path """ ca_path = "/etc/tls" mock_opt = MagicMock(return_value=ca_path) with patch.dict(tls.__salt__, {"config.option": mock_opt}): self.assertEqual(tls.cert_base_path(), ca_path) def test_set_ca_cert_path(self): """ Test for setting the cert base path """ ca_path = "/tmp/ca_cert_test_path" mock_opt = MagicMock(return_value="/etc/tls") ret = {"ca.contextual_cert_base_path": "/tmp/ca_cert_test_path"} with patch.dict(tls.__salt__, {"config.option": mock_opt}): tls.set_ca_path(ca_path) self.assertEqual(tls.__context__, ret) def test_ca_exists(self): """ Test to see if ca does not exist """ ca_path = "/tmp/test_tls" ca_name = "test_ca" mock_opt = MagicMock(return_value=ca_path) with patch.dict(tls.__salt__, {"config.option": mock_opt}), patch( "os.path.exists", MagicMock(return_value=False) ), patch( "salt.modules.tls.maybe_fix_ssl_version", MagicMock(return_value=True) ): self.assertFalse(tls.ca_exists(ca_name)) def test_ca_exists_true(self): """ Test to see if ca exists """ ca_path = "/tmp/test_tls" ca_name = "test_ca" mock_opt = MagicMock(return_value=ca_path) with patch.dict(tls.__salt__, {"config.option": mock_opt}), patch( "os.path.exists", MagicMock(return_value=True) ), patch( "salt.modules.tls.maybe_fix_ssl_version", MagicMock(return_value=True) ): self.assertTrue(tls.ca_exists(ca_name)) def test_get_ca_fail(self): """ Test get_ca failure """ ca_path = "/tmp/test_tls" ca_name = "test_ca" mock_opt = MagicMock(return_value=ca_path) with patch.dict(tls.__salt__, {"config.option": mock_opt}), patch( "os.path.exists", MagicMock(return_value=False) ), patch( "salt.modules.tls.maybe_fix_ssl_version", MagicMock(return_value=True) ): self.assertRaises(ValueError, tls.get_ca, ca_name) def test_get_ca_text(self): """ Test get_ca text """ ca_path = "/tmp/test_tls" ca_name = "test_ca" mock_opt = MagicMock(return_value=ca_path) with patch( "salt.utils.files.fopen", mock_open(read_data=_TLS_TEST_DATA["ca_cert"]) ), patch.dict(tls.__salt__, {"config.option": mock_opt}), patch( "os.path.exists", MagicMock(return_value=True) ), patch( "salt.modules.tls.maybe_fix_ssl_version", MagicMock(return_value=True) ): self.assertEqual( tls.get_ca(ca_name, as_text=True), _TLS_TEST_DATA["ca_cert"] ) def test_get_ca(self): """ Test get_ca ''' ca_path = '/tmp/test_tls' ca_name = 'test_ca' certp = '{0}/{1}/{1}_ca_cert.crt'.format( ca_path, ca_name) mock_opt = MagicMock(return_value=ca_path) with patch.dict(tls.__salt__, {"config.option": mock_opt}), patch( "os.path.exists", MagicMock(return_value=True) ), patch( "salt.modules.tls.maybe_fix_ssl_version", MagicMock(return_value=True) ): self.assertEqual(tls.get_ca(ca_name), certp) def test_cert_info(self): """ Test cert info """ self.maxDiff = None with patch('os.path.exists', MagicMock(return_value=True)), \ patch('salt.modules.tls.maybe_fix_ssl_version', MagicMock(return_value=True)): ca_path = '/tmp/test_tls' ca_name = 'test_ca' certp = '{0}/{1}/{1}_ca_cert.crt'.format( ca_path, ca_name) ret = { "not_after": 1462379961, "signature_algorithm": "sha256WithRSAEncryption", "extensions": None, "fingerprint": ( "96:72:B3:0A:1D:34:37:05:75:57:44:7E:08:81:A7:09:" "0C:E1:8F:5F:4D:0C:49:CE:5B:D2:6B:45:D3:4D:FF:31" ), "serial_number": 284092004844685647925744086791559203700, "subject": { "C": "US", "CN": "localhost", "L": "Salt Lake City", "O": "SaltStack", "ST": "Utah", "emailAddress": "*****@*****.**", }, "not_before": 1430843961, "issuer": { "C": "US", "CN": "localhost", "L": "Salt Lake City", "O": "SaltStack", "ST": "Utah", "emailAddress": "*****@*****.**", }, } def ignore_extensions(data): """ Ignore extensions pending a resolution of issue 24338 """ if "extensions" in data.keys(): data["extensions"] = None return data # older pyopenssl versions don't have extensions or # signature_algorithms def remove_not_in_result(source, reference): if "signature_algorithm" not in reference: del source["signature_algorithm"] if "extensions" not in reference: del source["extensions"] with patch( "salt.utils.files.fopen", mock_open(read_data=_TLS_TEST_DATA["ca_cert"]) ): try: result = ignore_extensions(tls.cert_info(certp)) except AttributeError as err: # PyOpenSSL version 16.0.0 has an upstream bug in it where a call is made # in OpenSSL/crypto.py in the get_signature_algorithm function referencing # the cert_info attribute, which doesn't exist. This was fixed in subsequent # releases of PyOpenSSL with https://github.com/pyca/pyopenssl/pull/476 if ( "'_cffi_backend.CDataGCP' object has no attribute 'cert_info'" == six.text_type(err) ): log.exception(err) self.skipTest( "Encountered an upstream error with PyOpenSSL: {0}".format( err ) ) if ( "'_cffi_backend.CDataGCP' object has no attribute 'object'" == str(err) ): log.exception(err) self.skipTest( "Encountered an upstream error with PyOpenSSL: {0}".format( err ) ) # python-openssl version 0.14, when installed with the "junos-eznc" pip # package, causes an error on this test. Newer versions of PyOpenSSL do not have # this issue. If 0.14 is installed and we hit this error, skip the test. if LooseVersion(OpenSSL.__version__) == LooseVersion("0.14"): log.exception(err) self.skipTest( "Encountered a package conflict. OpenSSL version 0.14 cannot be used with " 'the "junos-eznc" pip package on this test. Skipping.' ) result = {} remove_not_in_result(ret, result) self.assertEqual(result, ret) @with_tempdir() def test_create_ca(self, ca_path): """ Test creating CA cert ''' ca_name = 'test_ca' certp = '{0}/{1}/{1}_ca_cert.crt'.format( ca_path, ca_name) certk = '{0}/{1}/{1}_ca_cert.key'.format( ca_path, ca_name) ret = 'Created Private Key: "{0}." Created CA "{1}": "{2}."'.format( certk, ca_name, certp ) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) with patch.dict( tls.__salt__, {"config.option": mock_opt, "cmd.retcode": mock_ret} ), patch.dict( tls.__opts__, {"hash_type": "sha256", "cachedir": ca_path} ), patch( "salt.modules.tls.maybe_fix_ssl_version", MagicMock(return_value=True) ): self.assertEqual( tls.create_ca( ca_name, days=365, fixmode=False, **_TLS_TEST_DATA["create_ca"] ), ret, ) @with_tempdir() def test_recreate_ca(self, ca_path): """ Test creating CA cert when one already exists ''' ca_name = 'test_ca' certp = '{0}/{1}/{1}_ca_cert.crt'.format( ca_path, ca_name) certk = '{0}/{1}/{1}_ca_cert.key'.format( ca_path, ca_name) ret = 'Created Private Key: "{0}." Created CA "{1}": "{2}."'.format( certk, ca_name, certp ) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) with patch( "salt.modules.tls.maybe_fix_ssl_version", MagicMock(return_value=True) ), patch.dict( tls.__salt__, {"config.option": mock_opt, "cmd.retcode": mock_ret} ), patch.dict( tls.__opts__, {"hash_type": "sha256", "cachedir": ca_path} ), patch.dict( _TLS_TEST_DATA["create_ca"], {"replace": True} ): tls.create_ca(ca_name) self.assertEqual( tls.create_ca( ca_name, days=365, fixmode=False, **_TLS_TEST_DATA["create_ca"] ), ret, )
def test_pyOpenSSL_version_destructive(self): ''' Test extension logic with different pyOpenSSL versions ''' pillarval = {'csr': {'extendedKeyUsage': 'serverAuth'}} mock_pgt = MagicMock(return_value=pillarval) ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR) ca_name = 'test_ca' certp = '{0}/{1}/{2}_ca_cert.crt'.format( ca_path, ca_name, ca_name) certk = '{0}/{1}/{2}_ca_cert.key'.format( ca_path, ca_name, ca_name) ret = 'Created Private Key: "{0}." Created CA "{1}": "{2}."'.format( certk, ca_name, certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) try: with patch.dict(tls.__salt__, { 'config.option': mock_opt, 'cmd.retcode': mock_ret}): with patch.dict(tls.__opts__, { 'hash_type': 'sha256', 'cachedir': ca_path}): with patch.dict(_TLS_TEST_DATA['create_ca'], {'replace': True}): with patch.dict(tls.__dict__, { 'OpenSSL_version': LooseVersion('0.1.1'), 'X509_EXT_ENABLED': False}): self.assertEqual( tls.create_ca( ca_name, days=365, fixmode=False, **_TLS_TEST_DATA['create_ca']), ret) with patch.dict(tls.__dict__, { 'OpenSSL_version': LooseVersion('0.14.1'), 'X509_EXT_ENABLED': True}): self.assertEqual( tls.create_ca( ca_name, days=365, fixmode=False, **_TLS_TEST_DATA['create_ca']), ret) with patch.dict(tls.__dict__, { 'OpenSSL_version': LooseVersion('0.15.1'), 'X509_EXT_ENABLED': True}): self.assertEqual( tls.create_ca( ca_name, days=365, fixmode=False, **_TLS_TEST_DATA['create_ca']), ret) finally: if os.path.isdir(ca_path): shutil.rmtree(ca_path) try: certp = '{0}/{1}/certs/{2}.csr'.format( ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN']) certk = '{0}/{1}/certs/{2}.key'.format( ca_path, ca_name, _TLS_TEST_DATA['create_ca']['CN']) ret = ('Created Private Key: "{0}." ' 'Created CSR for "{1}": "{2}."').format( certk, _TLS_TEST_DATA['create_ca']['CN'], certp) with patch.dict(tls.__salt__, { 'config.option': mock_opt, 'cmd.retcode': mock_ret, 'pillar.get': mock_pgt}): with patch.dict(tls.__opts__, {'hash_type': 'sha256', 'cachedir': ca_path}): with patch.dict(_TLS_TEST_DATA['create_ca'], { 'subjectAltName': 'DNS:foo.bar', 'replace': True}): with patch.dict(tls.__dict__, { 'OpenSSL_version': LooseVersion('0.1.1'), 'X509_EXT_ENABLED': False}): tls.create_ca(ca_name) tls.create_csr(ca_name) self.assertRaises(ValueError, tls.create_csr, ca_name, **_TLS_TEST_DATA['create_ca']) with patch.dict(tls.__dict__, { 'OpenSSL_version': LooseVersion('0.14.1'), 'X509_EXT_ENABLED': True}): tls.create_ca(ca_name) tls.create_csr(ca_name) self.assertEqual( tls.create_csr( ca_name, **_TLS_TEST_DATA['create_ca']), ret) with patch.dict(tls.__dict__, { 'OpenSSL_version': LooseVersion('0.15.1'), 'X509_EXT_ENABLED': True}): tls.create_ca(ca_name) tls.create_csr(ca_name) self.assertEqual( tls.create_csr( ca_name, **_TLS_TEST_DATA['create_ca']), ret) finally: if os.path.isdir(ca_path): shutil.rmtree(ca_path)
def test_ca_exists_should_be_True_after_ca_is_created(self): tls.create_ca(self.ca_name) self.assertTrue(tls.ca_exists(self.ca_name))
def test_pyOpenSSL_version_destructive(self, ca_path): """ Test extension logic with different pyOpenSSL versions """ pillarval = {"csr": {"extendedKeyUsage": "serverAuth"}} mock_pgt = MagicMock(return_value=pillarval) ca_name = "test_ca" certp = "{0}/{1}/{1}_ca_cert.crt".format(ca_path, ca_name) certk = "{0}/{1}/{1}_ca_cert.key".format(ca_path, ca_name) ret = 'Created Private Key: "{0}." Created CA "{1}": "{2}."'.format( certk, ca_name, certp) mock_opt = MagicMock(return_value=ca_path) mock_ret = MagicMock(return_value=0) with patch.dict(tls.__salt__, { "config.option": mock_opt, "cmd.retcode": mock_ret }): with patch.dict(tls.__opts__, { "hash_type": "sha256", "cachedir": ca_path }): with patch.dict(_TLS_TEST_DATA["create_ca"], {"replace": True}): with patch.dict( tls.__dict__, { "OpenSSL_version": LooseVersion("0.1.1"), "X509_EXT_ENABLED": False, }, ): self.assertEqual( tls.create_ca(ca_name, days=365, fixmode=False, **_TLS_TEST_DATA["create_ca"]), ret, ) with patch.dict( tls.__dict__, { "OpenSSL_version": LooseVersion("0.14.1"), "X509_EXT_ENABLED": True, }, ): self.assertEqual( tls.create_ca(ca_name, days=365, fixmode=False, **_TLS_TEST_DATA["create_ca"]), ret, ) with patch.dict( tls.__dict__, { "OpenSSL_version": LooseVersion("0.15.1"), "X509_EXT_ENABLED": True, }, ): self.assertEqual( tls.create_ca(ca_name, days=365, fixmode=False, **_TLS_TEST_DATA["create_ca"]), ret, ) certp = "{0}/{1}/certs/{2}.csr".format( ca_path, ca_name, _TLS_TEST_DATA["create_ca"]["CN"]) certk = "{0}/{1}/certs/{2}.key".format( ca_path, ca_name, _TLS_TEST_DATA["create_ca"]["CN"]) ret = ('Created Private Key: "{0}." ' 'Created CSR for "{1}": "{2}."').format( certk, _TLS_TEST_DATA["create_ca"]["CN"], certp) with patch.dict( tls.__salt__, { "config.option": mock_opt, "cmd.retcode": mock_ret, "pillar.get": mock_pgt, }, ): with patch.dict(tls.__opts__, { "hash_type": "sha256", "cachedir": ca_path }): with patch.dict( _TLS_TEST_DATA["create_ca"], { "subjectAltName": "DNS:foo.bar", "replace": True }, ): with patch.dict( tls.__dict__, { "OpenSSL_version": LooseVersion("0.1.1"), "X509_EXT_ENABLED": False, }, ): tls.create_ca(ca_name) tls.create_csr(ca_name) self.assertRaises(ValueError, tls.create_csr, ca_name, **_TLS_TEST_DATA["create_ca"]) with patch.dict( tls.__dict__, { "OpenSSL_version": LooseVersion("0.14.1"), "X509_EXT_ENABLED": True, }, ): tls.create_ca(ca_name) tls.create_csr(ca_name) self.assertEqual( tls.create_csr(ca_name, **_TLS_TEST_DATA["create_ca"]), ret) with patch.dict( tls.__dict__, { "OpenSSL_version": LooseVersion("0.15.1"), "X509_EXT_ENABLED": True, }, ): tls.create_ca(ca_name) tls.create_csr(ca_name) self.assertEqual( tls.create_csr(ca_name, **_TLS_TEST_DATA["create_ca"]), ret)