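def test_refresh_self_signed_certificate_send_sighup(mocker, tmpdir, caplog):
    """A stale self-signed certificate is refreshed and stunnel is told to reload.

    ``is_pid_running`` is patched to report a live stunnel and ``os.killpg`` is
    patched out so no real signal is sent; the test only checks the log line the
    watchdog writes when it signals the process group.
    """
    caplog.set_level(logging.INFO)
    process_group = 'fake_pg'
    mocker.patch('watchdog.is_pid_running', return_value=True)
    mocker.patch('os.getpgid', return_value=process_group)
    mocker.patch('os.killpg')
    # Pin the watchdog's clock the way the sibling tests do instead of reading
    # the real (naive, deprecated since 3.12) datetime.utcnow(); the certificate
    # is then unambiguously four hours older than "now".
    mocker.patch('watchdog.get_utc_now', return_value=FIXED_DT)
    config = _get_config()
    pk_path = _get_mock_private_key_path(mocker, tmpdir)
    four_hours_back = (FIXED_DT - timedelta(hours=4)).strftime(DT_PATTERN)
    tls_dict = watchdog.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
    state = _create_certificate_and_state(tls_dict, str(tmpdir), pk_path, four_hours_back, ap_id=AP_ID)

    watchdog.check_certificate(config, state, str(tmpdir), STATE_FILE, base_path=str(tmpdir))

    expected_line = 'SIGHUP signal to stunnel. PID: %d, group ID: %s' % (PID, process_group)
    assert expected_line in caplog.text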
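def test_refresh_self_signed_certificate_pid_not_running(mocker, tmpdir, caplog):
    """Checking a stale certificate warns when there is no stunnel process to signal.

    ``is_pid_running`` is patched to report no live stunnel, so the watchdog has
    nothing to send SIGHUP to and must say so at WARN level.
    """
    caplog.set_level(logging.WARN)
    mocker.patch('watchdog.is_pid_running', return_value=False)
    # Pin the watchdog's clock the way the sibling tests do instead of reading
    # the real (naive, deprecated since 3.12) datetime.utcnow(); the certificate
    # is then unambiguously four hours older than "now".
    mocker.patch('watchdog.get_utc_now', return_value=FIXED_DT)
    config = _get_config()
    pk_path = _get_mock_private_key_path(mocker, tmpdir)
    four_hours_back = (FIXED_DT - timedelta(hours=4)).strftime(DT_PATTERN)
    tls_dict = watchdog.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
    # The positional False after the creation time is passed through as in the
    # original test; its meaning is defined by _create_certificate_and_state.
    state = _create_certificate_and_state(tls_dict, str(tmpdir), pk_path, four_hours_back, False, ap_id=AP_ID)

    watchdog.check_certificate(config, state, str(tmpdir), STATE_FILE, base_path=str(tmpdir))

    assert 'TLS tunnel is not running for' in caplog.text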
def test_recreate_missing_self_signed_certificate(mocker, tmpdir):
    """A missing certificate file is regenerated while the private key is kept.

    The state records a certificate four hours old but the file itself was
    removed (``remove_cert=True``); after ``check_certificate`` runs, the
    creation time in the in-memory state moves forward and ``certificate.pem``
    exists again alongside the CSR.
    """
    mocker.patch('watchdog.get_utc_now', return_value=FIXED_DT)
    config = _get_config()
    pk_path = _get_mock_private_key_path(mocker, tmpdir)
    stale_creation_time = (FIXED_DT - timedelta(hours=4)).strftime(DT_PATTERN)
    tls_dict = watchdog.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
    state = _create_certificate_and_state(
        tls_dict, str(tmpdir), pk_path, stale_creation_time, ap_id=AP_ID, remove_cert=True)

    watchdog.check_certificate(config, state, str(tmpdir), STATE_FILE, base_path=str(tmpdir))

    def mount_file(name):
        return os.path.join(tls_dict['mount_dir'], name)

    refreshed_at = datetime.strptime(state['certificateCreationTime'], DT_PATTERN)
    assert refreshed_at > datetime.strptime(stale_creation_time, DT_PATTERN)
    assert state['accessPoint'] == AP_ID
    # No IAM credentials were supplied, so no credentials method is recorded
    # and no public key file is written.
    assert not state.get('awsCredentialsMethod')
    assert os.path.exists(pk_path)
    assert not os.path.exists(mount_file('publicKey.pem'))
    assert os.path.exists(mount_file('request.csr'))
    assert os.path.exists(mount_file('certificate.pem'))
def test_do_not_refresh_self_signed_certificate_bad_ap_id_bad_char(mocker, tmpdir, caplog):
    """A malformed access point ID in the state file blocks certificate refresh.

    The certificate is four hours old and its file has been removed, which would
    otherwise force a refresh, but the state carries ``BAD_AP_ID_BAD_CHAR``. The
    watchdog must leave the creation time untouched and log an error about the
    malformed ID instead of acting on it.
    """
    caplog.set_level(logging.ERROR)
    mocker.patch('watchdog.get_utc_now', return_value=FIXED_DT)
    config = _get_config()
    pk_path = _get_mock_private_key_path(mocker, tmpdir)
    stale_creation_time = (FIXED_DT - timedelta(hours=4)).strftime(DT_PATTERN)
    tls_dict = watchdog.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
    state = _create_certificate_and_state(
        tls_dict, str(tmpdir), pk_path, stale_creation_time, ap_id=BAD_AP_ID_BAD_CHAR, remove_cert=True)

    watchdog.check_certificate(config, state, str(tmpdir), STATE_FILE, base_path=str(tmpdir))

    recorded_at = datetime.strptime(state['certificateCreationTime'], DT_PATTERN)
    assert recorded_at == datetime.strptime(stale_creation_time, DT_PATTERN)
    assert state['accessPoint'] != AP_ID
    expected_error = (
        'Access Point ID "%s" has been changed in the state file to a malformed format'
        % BAD_AP_ID_BAD_CHAR
    )
    assert expected_error in caplog.text
def test_do_not_refresh_self_signed_certificate(mocker, tmpdir):
    """A certificate created "now" is left alone by ``check_certificate``.

    The state records the certificate as created at the pinned clock
    ``FIXED_DT``, so no renewal is due; the state file persisted on disk must
    still carry that creation time and the expected TLS files must be present.
    """
    mocker.patch('watchdog.get_utc_now', return_value=FIXED_DT)
    config = _get_config()
    pk_path = _get_mock_private_key_path(mocker, tmpdir)
    created_now = FIXED_DT.strftime(DT_PATTERN)
    tls_dict = watchdog.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
    state = _create_certificate_and_state(tls_dict, str(tmpdir), pk_path, created_now, ap_id=AP_ID)

    watchdog.check_certificate(config, state, str(tmpdir), STATE_FILE, base_path=str(tmpdir))

    # Re-read the persisted state rather than trusting the in-memory dict.
    state_path = os.path.join(str(tmpdir), STATE_FILE)
    with open(state_path, 'r') as state_json:
        persisted = json.load(state_json)

    mount_dir = tls_dict['mount_dir']
    recorded_at = datetime.strptime(persisted['certificateCreationTime'], DT_PATTERN)
    assert recorded_at == datetime.strptime(created_now, DT_PATTERN)
    assert persisted['accessPoint'] == AP_ID
    # No IAM credentials were supplied, so no credentials method is recorded
    # and no public key file is written.
    assert not persisted.get('awsCredentialsMethod')
    assert os.path.exists(pk_path)
    assert not os.path.exists(os.path.join(mount_dir, 'publicKey.pem'))
    assert os.path.exists(os.path.join(mount_dir, 'request.csr'))
    assert os.path.exists(os.path.join(mount_dir, 'certificate.pem'))
def test_refresh_self_signed_certificate_with_iam_with_ap_id(mocker, tmpdir):
    """A stale certificate backed by IAM credentials and an access point is refreshed.

    The state is created with ``CREDENTIALS`` / ``CREDENTIALS_SOURCE`` and
    ``AP_ID``; after ``check_certificate`` the persisted state must show a newer
    creation time, keep both identifiers, and a ``publicKey.pem`` must exist
    next to the CSR and certificate.
    """
    mocker.patch('watchdog.get_utc_now', return_value=FIXED_DT)
    config = _get_config()
    pk_path = _get_mock_private_key_path(mocker, tmpdir)
    stale_creation_time = (FIXED_DT - timedelta(hours=4)).strftime(DT_PATTERN)
    tls_dict = watchdog.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))
    state = _create_certificate_and_state(
        tls_dict,
        str(tmpdir),
        pk_path,
        stale_creation_time,
        security_credentials=CREDENTIALS,
        credentials_source=CREDENTIALS_SOURCE,
        ap_id=AP_ID,
    )

    watchdog.check_certificate(config, state, str(tmpdir), STATE_FILE, base_path=str(tmpdir))

    # Re-read the persisted state rather than trusting the in-memory dict.
    state_path = os.path.join(str(tmpdir), STATE_FILE)
    with open(state_path, 'r') as state_json:
        persisted = json.load(state_json)

    mount_dir = tls_dict['mount_dir']
    refreshed_at = datetime.strptime(persisted['certificateCreationTime'], DT_PATTERN)
    assert refreshed_at > datetime.strptime(stale_creation_time, DT_PATTERN)
    assert persisted['accessPoint'] == AP_ID
    assert persisted['awsCredentialsMethod'] == CREDENTIALS_SOURCE
    assert os.path.exists(pk_path)
    for artifact in ('publicKey.pem', 'request.csr', 'certificate.pem'):
        assert os.path.exists(os.path.join(mount_dir, artifact))
def _test_refresh_certificate_helper(mocker, tmpdir, caplog, minutes_back, renewal_interval=60, with_iam=True, with_ap=True):
    """Drive one certificate-refresh scenario and return ``caplog`` for further checks.

    ``minutes_back`` is how old the existing certificate is relative to the
    pinned clock ``FIXED_DT``; ``renewal_interval`` is handed to ``_get_config``
    as ``certificate_renewal_interval``. ``with_iam`` / ``with_ap`` select
    whether the state is created with IAM credentials and/or an access point ID,
    and the same flags decide which state keys and files are expected afterwards.

    NOTE(review): only "AP without IAM" and "IAM without AP" get their own
    branch; every other combination, including ``with_iam=False, with_ap=False``,
    is treated as "both". Kept as-is because the callers are not visible here.
    """
    mocker.patch('watchdog.get_utc_now', return_value=FIXED_DT)
    config = _get_config(certificate_renewal_interval=renewal_interval)
    pk_path = _get_mock_private_key_path(mocker, tmpdir)
    creation_time = (FIXED_DT - timedelta(minutes=minutes_back)).strftime(DT_PATTERN)
    tls_dict = watchdog.tls_paths_dictionary(MOUNT_NAME, str(tmpdir))

    ap_only = with_ap and not with_iam
    iam_only = with_iam and not with_ap
    expect_iam = not ap_only
    expect_ap = not iam_only

    create_kwargs = {}
    if expect_iam:
        create_kwargs['security_credentials'] = CREDENTIALS
        create_kwargs['credentials_source'] = CREDENTIALS_SOURCE
    if expect_ap:
        create_kwargs['ap_id'] = AP_ID
    state = _create_certificate_and_state(tls_dict, str(tmpdir), pk_path, creation_time, **create_kwargs)

    watchdog.check_certificate(config, state, str(tmpdir), STATE_FILE, base_path=str(tmpdir))

    # Check the persisted state, not the in-memory dict.
    with open(os.path.join(str(tmpdir), STATE_FILE), 'r') as state_json:
        persisted = json.load(state_json)

    mount_dir = tls_dict['mount_dir']
    if expect_ap:
        assert persisted['accessPoint'] == AP_ID
    else:
        assert 'accessPoint' not in persisted
    if expect_iam:
        assert persisted['awsCredentialsMethod'] == CREDENTIALS_SOURCE
    else:
        assert not persisted.get('awsCredentialsMethod')
    # A public key file is written exactly when IAM credentials are in play.
    assert os.path.exists(os.path.join(mount_dir, 'publicKey.pem')) == expect_iam

    refreshed_at = datetime.strptime(persisted['certificateCreationTime'], DT_PATTERN)
    assert refreshed_at > datetime.strptime(creation_time, DT_PATTERN)
    assert os.path.exists(pk_path)
    assert os.path.exists(os.path.join(mount_dir, 'request.csr'))
    assert os.path.exists(os.path.join(mount_dir, 'certificate.pem'))
    return caplog