Exemple #1
 def test_create_pkcs12(self):
     '''
     Build a CA, a CSR and a CA-signed certificate in a scratch directory,
     then check that the PKCS#12 export reports the expected output path.
     '''
     # Scratch CA root; the finally block removes it even when an assertion
     # fails, so nothing the test writes there lingers on disk.
     ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR)
     try:
         ca_name = 'test_ca'
         common_name = _TLS_TEST_DATA['create_ca']['CN']
         p12_path = '{0}/{1}/certs/{2}.p12'.format(
             ca_path, ca_name, common_name)
         expected = 'Created PKCS#12 Certificate for "{0}": "{1}"'.format(
             common_name, p12_path)
         # Stand-ins for the Salt loader functions looked up via __salt__,
         # so the test never consults real config, commands or pillar.
         salt_stubs = {
             'config.option': MagicMock(return_value=ca_path),
             'cmd.retcode': MagicMock(return_value=0),
             'pillar.get': MagicMock(return_value=False),
         }
         opts_stubs = {'hash_type': 'sha256', 'cachedir': ca_path}
         with patch.dict(tls.__salt__, salt_stubs), \
                 patch.dict(tls.__opts__, opts_stubs):
             tls.create_ca(ca_name)
             tls.create_csr(ca_name, **_TLS_TEST_DATA['create_ca'])
             tls.create_ca_signed_cert(ca_name, common_name)
             # 'password' is a fixture passphrase for a bundle that only
             # exists inside the scratch directory.
             actual = tls.create_pkcs12(ca_name, common_name, 'password')
             self.assertEqual(actual, expected)
     finally:
         if os.path.isdir(ca_path):
             shutil.rmtree(ca_path)
Exemple #2
 def test_recreate_ca_signed_cert(self):
     '''
     Sign the same CSR twice and check that the second call, made with
     replace=True, reports the certificate as created at the expected path.
     '''
     # Scratch CA root, deleted in the finally block whatever the outcome.
     ca_path = tempfile.mkdtemp(dir=TMP)
     try:
         ca_name = 'test_ca'
         common_name = _TLS_TEST_DATA['create_ca']['CN']
         crt_path = '{0}/{1}/certs/{2}.crt'.format(
             ca_path, ca_name, common_name)
         expected = 'Created Certificate for "{0}": "{1}"'.format(
             common_name, crt_path)
         # Stand-ins for the Salt loader functions looked up via __salt__.
         salt_stubs = {
             'config.option': MagicMock(return_value=ca_path),
             'cmd.retcode': MagicMock(return_value=0),
             'pillar.get': MagicMock(return_value=False),
         }
         opts_stubs = {'hash_type': 'sha256', 'cachedir': ca_path}
         with patch.dict(tls.__salt__, salt_stubs):
             with patch.dict(tls.__opts__, opts_stubs):
                 with patch('salt.modules.tls.maybe_fix_ssl_version',
                            MagicMock(return_value=True)):
                     tls.create_ca(ca_name)
                     tls.create_csr(ca_name)
                     # First signing puts a certificate in place ...
                     tls.create_ca_signed_cert(ca_name, common_name)
                     # ... so the second one exercises the replace=True path.
                     actual = tls.create_ca_signed_cert(
                         ca_name, common_name, replace=True)
                     self.assertEqual(actual, expected)
     finally:
         if os.path.isdir(ca_path):
             shutil.rmtree(ca_path)
Exemple #3
 def test_recreate_pkcs12(self, ca_path):
     '''
     Export the same certificate to PKCS#12 twice and check that the second
     call, made with replace=True, reports the expected output path.

     ca_path is the CA root directory handed in by the caller; how it is
     created and cleaned up is not visible in this method.
     '''
     ca_name = 'test_ca'
     common_name = _TLS_TEST_DATA['create_ca']['CN']
     p12_path = '{0}/{1}/certs/{2}.p12'.format(
         ca_path, ca_name, common_name)
     expected = 'Created PKCS#12 Certificate for "{0}": "{1}"'.format(
         common_name, p12_path)
     # Stand-ins for the Salt loader functions looked up via __salt__.
     salt_stubs = {
         'config.option': MagicMock(return_value=ca_path),
         'cmd.retcode': MagicMock(return_value=0),
         'pillar.get': MagicMock(return_value=False),
     }
     opts_stubs = {'hash_type': 'sha256', 'cachedir': ca_path}
     with patch.dict(tls.__salt__, salt_stubs):
         with patch.dict(tls.__opts__, opts_stubs):
             # Temporarily adds 'replace': True to the shared fixture dict;
             # patch.dict restores the dict when the block exits.
             with patch.dict(_TLS_TEST_DATA['create_ca'], {'replace': True}):
                 with patch('salt.modules.tls.maybe_fix_ssl_version',
                            MagicMock(return_value=True)):
                     tls.create_ca(ca_name)
                     tls.create_csr(ca_name)
                     tls.create_ca_signed_cert(ca_name, common_name)
                     # First export leaves a .p12 in place; 'password' is a
                     # fixture passphrase only.
                     tls.create_pkcs12(ca_name, common_name, 'password')
                     actual = tls.create_pkcs12(
                         ca_name, common_name, 'password', replace=True)
                     self.assertEqual(actual, expected)
Exemple #4
 def test_revoked_cert_should_return_False_from_validate(self):
     # Revoke a freshly signed certificate into a dedicated CRL file, then
     # expect validate() to report it as not valid when given that CRL.
     crl_path = os.path.join(self.tempdir, "revoked.crl")
     cert_path = os.path.join(
         self.tempdir, self.ca_name, "certs", "testing.bad.localhost.crt")

     tls.create_ca(self.ca_name)
     tls.create_csr(ca_name=self.ca_name, CN="testing.bad.localhost")
     tls.create_ca_signed_cert(
         ca_name=self.ca_name, CN="testing.bad.localhost")
     # The CRL is created empty first, then the certificate is revoked
     # against the same file.
     tls.create_empty_crl(ca_name=self.ca_name, crl_file=crl_path)
     tls.revoke_cert(
         ca_name=self.ca_name,
         CN="testing.bad.localhost",
         crl_file=crl_path,
     )

     outcome = tls.validate(
         cert=cert_path, ca_name=self.ca_name, crl_file=crl_path)
     self.assertFalse(outcome["valid"])
Exemple #5
 def test_create_pkcs12(self, ca_path):
     """
     Build a CA, a CSR and a CA-signed certificate under ca_path, then check
     that the PKCS#12 export reports the expected output path.

     ca_path is the CA root directory handed in by the caller; how it is
     created and cleaned up is not visible in this method.
     """
     ca_name = "test_ca"
     common_name = _TLS_TEST_DATA["create_ca"]["CN"]
     p12_path = "{0}/{1}/certs/{2}.p12".format(ca_path, ca_name, common_name)
     expected = 'Created PKCS#12 Certificate for "{0}": "{1}"'.format(
         common_name, p12_path)
     # Stand-ins for the Salt loader functions looked up via __salt__.
     salt_stubs = {
         "config.option": MagicMock(return_value=ca_path),
         "cmd.retcode": MagicMock(return_value=0),
         "pillar.get": MagicMock(return_value=False),
     }
     opts_stubs = {"hash_type": "sha256", "cachedir": ca_path}
     with patch.dict(tls.__salt__, salt_stubs):
         with patch.dict(tls.__opts__, opts_stubs):
             with patch("salt.modules.tls.maybe_fix_ssl_version",
                        MagicMock(return_value=True)):
                 tls.create_ca(ca_name)
                 tls.create_csr(ca_name, **_TLS_TEST_DATA["create_ca"])
                 tls.create_ca_signed_cert(ca_name, common_name)
                 # "password" is a fixture passphrase only.
                 actual = tls.create_pkcs12(ca_name, common_name, "password")
                 self.assertEqual(actual, expected)
Exemple #6
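 def test_with_existing_ca_signing_csr_should_produce_valid_cert(self):
     """
     A certificate signed by the test CA validates against an empty CRL.
     """
     # Leftover debug print() calls were dropped: they only added noise to
     # the test output and their text did not describe this scenario.
     empty_crl_filename = os.path.join(self.tempdir, "empty.crl")
     tls.create_ca(self.ca_name)
     tls.create_csr(
         ca_name=self.ca_name,
         CN="testing.localhost",
     )
     tls.create_ca_signed_cert(
         ca_name=self.ca_name,
         CN="testing.localhost",
     )
     # Nothing is revoked here, so the CRL stays empty and must not cause
     # the freshly signed certificate to be rejected.
     tls.create_empty_crl(
         ca_name=self.ca_name,
         crl_file=empty_crl_filename,
     )
     ret = tls.validate(
         cert=os.path.join(
             self.tempdir,
             self.ca_name,
             "certs",
             "testing.localhost.crt",
         ),
         ca_name=self.ca_name,
         crl_file=empty_crl_filename,
     )
     # Pass the module's error text as the failure message so an unexpected
     # rejection is explained in the test report.
     self.assertTrue(ret["valid"], ret.get("error"))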
Exemple #7
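 def test_with_existing_ca_signing_csr_should_produce_valid_cert(self):
     '''
     A certificate signed by the test CA validates against an empty CRL.
     '''
     # Leftover debug print() calls were dropped: they only added noise to
     # the test output and their text did not describe this scenario.
     empty_crl_filename = os.path.join(self.tempdir, 'empty.crl')
     tls.create_ca(self.ca_name)
     tls.create_csr(
         ca_name=self.ca_name,
         CN='testing.localhost',
     )
     tls.create_ca_signed_cert(
         ca_name=self.ca_name,
         CN='testing.localhost',
     )
     # Nothing is revoked here, so the CRL stays empty and must not cause
     # the freshly signed certificate to be rejected.
     tls.create_empty_crl(
         ca_name=self.ca_name,
         crl_file=empty_crl_filename,
     )
     ret = tls.validate(
         cert=os.path.join(
             self.tempdir,
             self.ca_name,
             'certs',
             'testing.localhost.crt',
         ),
         ca_name=self.ca_name,
         crl_file=empty_crl_filename,
     )
     # Pass the module's error text as the failure message so an unexpected
     # rejection is explained in the test report.
     self.assertTrue(ret['valid'], ret.get('error'))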
Exemple #8
 def test_validating_revoked_cert_with_no_crl_file_should_return_False(
         self):
     # Revoke a freshly signed certificate while passing crl_file=None to
     # every CRL-aware call, and expect validate() to report it as not valid.
     # NOTE(review): presumably the tls module falls back to a default CRL
     # location when crl_file is None -- confirm against the module.
     crl_path = None
     cert_path = os.path.join(
         self.tempdir, self.ca_name, 'certs', 'testing.bad.localhost.crt')

     tls.create_ca(self.ca_name)
     tls.create_csr(ca_name=self.ca_name, CN='testing.bad.localhost')
     tls.create_ca_signed_cert(
         ca_name=self.ca_name, CN='testing.bad.localhost')
     tls.create_empty_crl(ca_name=self.ca_name, crl_file=crl_path)
     tls.revoke_cert(
         ca_name=self.ca_name,
         CN='testing.bad.localhost',
         crl_file=crl_path,
     )

     outcome = tls.validate(
         cert=cert_path, ca_name=self.ca_name, crl_file=crl_path)
     self.assertFalse(outcome['valid'])
Exemple #9
 def test_recreate_ca_signed_cert(self, ca_path):
     """
     Sign the same CSR twice and check that the second call, made with
     replace=True, reports the certificate as created at the expected path.

     ca_path is the CA root directory handed in by the caller; how it is
     created and cleaned up is not visible in this method.
     """
     ca_name = "test_ca"
     common_name = _TLS_TEST_DATA["create_ca"]["CN"]
     crt_path = "{}/{}/certs/{}.crt".format(ca_path, ca_name, common_name)
     expected = 'Created Certificate for "{}": "{}"'.format(
         common_name, crt_path)
     # Stand-ins for the Salt loader functions looked up via __salt__.
     salt_stubs = {
         "config.option": MagicMock(return_value=ca_path),
         "cmd.retcode": MagicMock(return_value=0),
         "pillar.get": MagicMock(return_value=False),
     }
     opts_stubs = {"hash_type": "sha256", "cachedir": ca_path}
     with patch.dict(tls.__salt__, salt_stubs):
         with patch.dict(tls.__opts__, opts_stubs):
             with patch("salt.modules.tls.maybe_fix_ssl_version",
                        MagicMock(return_value=True)):
                 tls.create_ca(ca_name)
                 tls.create_csr(ca_name)
                 # First signing puts a certificate in place ...
                 tls.create_ca_signed_cert(ca_name, common_name)
                 # ... so the second one exercises the replace=True path.
                 actual = tls.create_ca_signed_cert(
                     ca_name, common_name, replace=True)
                 self.assertEqual(actual, expected)
Exemple #10
 def test_create_pkcs12(self):
     '''
     Build a CA, a CSR and a CA-signed certificate in a scratch directory,
     then check that the PKCS#12 export reports the expected output path.
     '''
     # Scratch CA root; the finally block removes it even when an assertion
     # fails, so nothing the test writes there lingers on disk.
     ca_path = tempfile.mkdtemp(dir=integration.SYS_TMP_DIR)
     try:
         ca_name = 'test_ca'
         common_name = _TLS_TEST_DATA['create_ca']['CN']
         p12_path = '{0}/{1}/certs/{2}.p12'.format(
             ca_path, ca_name, common_name)
         expected = 'Created PKCS#12 Certificate for "{0}": "{1}"'.format(
             common_name, p12_path)
         # Stand-ins for the Salt loader functions looked up via __salt__,
         # so the test never consults real config, commands or pillar.
         salt_stubs = {
             'config.option': MagicMock(return_value=ca_path),
             'cmd.retcode': MagicMock(return_value=0),
             'pillar.get': MagicMock(return_value=False),
         }
         opts_stubs = {'hash_type': 'sha256', 'cachedir': ca_path}
         with patch.dict(tls.__salt__, salt_stubs), \
                 patch.dict(tls.__opts__, opts_stubs):
             tls.create_ca(ca_name)
             tls.create_csr(ca_name, **_TLS_TEST_DATA['create_ca'])
             tls.create_ca_signed_cert(ca_name, common_name)
             # 'password' is a fixture passphrase for a bundle that only
             # exists inside the scratch directory.
             actual = tls.create_pkcs12(ca_name, common_name, 'password')
             self.assertEqual(actual, expected)
     finally:
         if os.path.isdir(ca_path):
             shutil.rmtree(ca_path)