def test_check_expiry(temp_deployment_files): """ Validates check_expiry """ repo_path = str( git.git_handler(TEST_PARAMS["repo_url"], ref=TEST_PARAMS["repo_rev"])) with mock.patch.dict(config.GLOBAL_CONTEXT, {"site_repo": repo_path}): pki_generator = PKIGenerator(duration=365, sitename=TEST_PARAMS["site_name"]) generated_files = pki_generator.generate() pki_util = pki_utility.PKIUtility(duration=0) assert len(generated_files), 'No secrets were generated' for generated_file in generated_files: if "certificate" not in generated_file: continue with open(generated_file, 'r') as f: results = yaml.safe_load_all(f) # Validate valid YAML. results = PeglegSecretManagement( docs=results).get_decrypted_secrets() for result in results: if result['schema'] == \ "deckhand/Certificate/v1": cert = result['data'] cert_info = pki_util.check_expiry(cert) assert cert_info['expired'] is False, \ "%s is expired/expiring on %s" % \ (result['metadata']['name'], cert_info['expiry_date'])
def __init__(self, sitename, block_strings=True, author=None, duration=365, regenerate_all=False, save_location=None): """Constructor for ``PKIGenerator``. :param int duration: Duration in days that generated certificates are valid. :param str sitename: Site name for which to retrieve documents used for certificate and keypair generation. :param bool block_strings: Whether to dump out certificate data as block-style YAML string. Defaults to true. :param str author: Identifying name of the author generating new certificates. :param bool regenerate_all: If Pegleg should regenerate all certs. """ self._regenerate_all = regenerate_all self._sitename = sitename self._documents = site.get_rendered_docs(sitename) self._author = author self._save_location = save_location or config.get_site_repo() self.keys = pki_utility.PKIUtility(block_strings=block_strings, duration=duration) self.outputs = collections.defaultdict(dict) # Maps certificates to CAs in order to derive certificate paths. self._cert_to_ca_map = {}
def test_generate_certificate(self): pki_obj = pki_utility.PKIUtility(duration=365) ca_cert_wrapper, ca_key_wrapper = pki_obj.generate_ca( self.__class__.__name__) ca_cert = ca_cert_wrapper['data']['managedDocument'] ca_key = ca_key_wrapper['data']['managedDocument'] cert_wrapper, cert_key_wrapper = pki_obj.generate_certificate( name=self.__class__.__name__, ca_cert=ca_cert['data'], ca_key=ca_key['data'], cn='admin') assert 'pegleg/PeglegManagedDocument/v1' == cert_wrapper['schema'] assert 'pegleg/PeglegManagedDocument/v1' == cert_key_wrapper['schema'] cert = cert_wrapper['data']['managedDocument'] assert isinstance(cert, dict), cert cert_key = cert_key_wrapper['data']['managedDocument'] assert isinstance(cert_key, dict), cert_key assert isinstance(cert, dict), cert assert CERT_SCHEMA in cert['schema'] assert CERT_HEADER in cert['data'] assert isinstance(cert_key, dict), cert_key assert CERT_KEY_SCHEMA in cert_key['schema'] assert CERT_KEY_HEADER in cert_key['data']
def test_check_expiry_is_expired_true(self): """Check that ``check_expiry`` returns True is cert is expired. Second values are used to demonstrate precision down to the second. """ pki_obj = pki_utility.PKIUtility(duration=0) ca_config = json.loads(pki_obj.ca_config) ca_config['signing']['default']['expiry'] = '1s' m_callable = mock.PropertyMock(return_value=json.dumps(ca_config)) with mock.patch.object(pki_utility.PKIUtility, 'ca_config', new_callable=m_callable): ca_cert_wrapper, ca_key_wrapper = pki_obj.generate_ca( self.__class__.__name__) ca_cert = ca_cert_wrapper['data']['managedDocument'] ca_key = ca_key_wrapper['data']['managedDocument'] cert_wrapper, _ = pki_obj.generate_certificate( name=self.__class__.__name__, ca_cert=ca_cert['data'], ca_key=ca_key['data'], cn='admin') cert = cert_wrapper['data']['managedDocument'] time.sleep(2) # Validate that the cert has expired. is_expired = pki_obj.check_expiry(cert=cert['data'])['expired'] assert is_expired
def test_check_expiry_is_expired_false(self): """Check that ``check_expiry`` returns False if cert isn't expired.""" pki_obj = pki_utility.PKIUtility(duration=0) ca_config = json.loads(pki_obj.ca_config) ca_config['signing']['default']['expiry'] = '1h' m_callable = mock.PropertyMock(return_value=json.dumps(ca_config)) with mock.patch.object(pki_utility.PKIUtility, 'ca_config', new_callable=m_callable): ca_cert_wrapper, ca_key_wrapper = pki_obj.generate_ca( self.__class__.__name__) ca_cert = ca_cert_wrapper['data']['managedDocument'] ca_key = ca_key_wrapper['data']['managedDocument'] cert_wrapper, _ = pki_obj.generate_certificate( name=self.__class__.__name__, ca_cert=ca_cert['data'], ca_key=ca_key['data'], cn='admin') cert = cert_wrapper['data']['managedDocument'] # Validate that the cert hasn't expired. is_expired = pki_obj.check_expiry(cert=cert['data'])['expired'] assert not is_expired
def test_generate_keypair(self): pki_obj = pki_utility.PKIUtility() pub_key_wrapper, priv_key_wrapper = pki_obj.generate_keypair( self.__class__.__name__) assert 'pegleg/PeglegManagedDocument/v1' == pub_key_wrapper['schema'] assert 'pegleg/PeglegManagedDocument/v1' == priv_key_wrapper['schema'] pub_key = pub_key_wrapper['data']['managedDocument'] assert isinstance(pub_key, dict), pub_key priv_key = priv_key_wrapper['data']['managedDocument'] assert isinstance(pub_key, dict), priv_key assert isinstance(pub_key, dict), pub_key assert PUBLIC_KEY_SCHEMA in pub_key['schema'] assert PUBLIC_KEY_HEADER in pub_key['data'] assert isinstance(priv_key, dict), priv_key assert PRIVATE_KEY_SCHEMA in priv_key['schema'] assert PRIVATE_KEY_HEADER in priv_key['data']
def test_generate_ca(self): pki_obj = pki_utility.PKIUtility() ca_cert_wrapper, ca_key_wrapper = pki_obj.generate_ca( self.__class__.__name__) assert 'pegleg/PeglegManagedDocument/v1' == ca_cert_wrapper['schema'] assert 'pegleg/PeglegManagedDocument/v1' == ca_key_wrapper['schema'] ca_cert = ca_cert_wrapper['data']['managedDocument'] assert isinstance(ca_cert, dict), ca_cert ca_key = ca_key_wrapper['data']['managedDocument'] assert isinstance(ca_key, dict), ca_key assert isinstance(ca_cert, dict), ca_cert assert CA_SCHEMA in ca_cert['schema'] assert CERT_HEADER in ca_cert['data'] assert isinstance(ca_key, dict), ca_key assert CA_KEY_SCHEMA in ca_key['schema'] assert CERT_KEY_HEADER in ca_key['data']