def post(self): ra_name = self.ra_name logger.debug("processing signing request in registration authority %s", ra_name) try: auth_result = auth.validate(ra_name, pecan.request.POST.get('user'), pecan.request.POST.get('secret')) audit.emit_auth_event(ra_name, pecan.request.POST.get('user'), auth_result) except http_status.HTTPUnauthorized: audit.emit_auth_event(ra_name, pecan.request.POST.get('user'), None) raise try: csr = certificate_ops.parse_csr(pecan.request.POST.get('csr'), pecan.request.POST.get('encoding')) certificate_ops.validate_csr(ra_name, auth_result, csr, pecan.request) csr = certificate_ops.fixup_csr(ra_name, csr, pecan.request) cert, fingerprint = certificate_ops.dispatch_sign(ra_name, csr) audit.emit_signing_event(ra_name, pecan.request.POST.get('user'), auth_result, fingerprint=fingerprint) except Exception: audit.emit_signing_event(ra_name, pecan.request.POST.get('user'), auth_result) raise return cert
def test_parse_csr_success1(self): """Test basic success path for parse_csr.""" result = certificate_ops.parse_csr(self.csr_sample, 'pem') subject = result.get_subject() actual_cn = subject.get_entries_by_oid( x509_name.OID_commonName)[0].get_value() self.assertEqual(actual_cn, self.csr_sample_cn)
def test_parse_csr_success2(self): """Test basic success path for parse_csr.""" result = certificate_ops.parse_csr(self.csr, 'PEM') subject = result.get_subject() actual_cn = subject.get_entries_by_nid( x509_name.NID_commonName)[0].get_value() self.assertEqual(actual_cn, self.expected_cn)
def test_parse_csr_success1(self): """Test basic success path for parse_csr.""" result = certificate_ops.parse_csr(self.csr, 'pem') subject = result.get_subject() actual_cn = subject.get_entries_by_nid( x509_name.NID_commonName)[0].get_value() self.assertEqual(actual_cn, self.expected_cn)
def test_parse_csr_success2(self): """Test basic success path for parse_csr.""" result = certificate_ops.parse_csr(self.csr_sample, 'PEM') subject = result.get_subject() actual_cn = subject.get_entries_by_oid( x509_name.OID_commonName)[0].get_value() self.assertEqual(actual_cn, self.csr_sample_cn)
def test_validate_csr_bypass(self): """Test empty validator set for validate_csr.""" csr_obj = certificate_ops.parse_csr(self.csr, 'pem') config = "anchor.jsonloader.conf._config" data = {'validators': {}} with mock.patch.dict(config, data): # this should work, it allows people to bypass validation certificate_ops.validate_csr(None, csr_obj, None)
def test_validate_csr_success(self): """Test basic success path for validate_csr.""" csr_obj = certificate_ops.parse_csr(self.csr, 'pem') config = "anchor.jsonloader.conf._config" validators = {'steps': {'extensions': {'allowed_extensions': []}}} data = {'validators': validators} with mock.patch.dict(config, data): certificate_ops.validate_csr(None, csr_obj, None)
def test_validate_csr_success(self): """Test basic success path for validate_csr.""" csr_obj = certificate_ops.parse_csr(self.csr_sample, 'pem') config = "anchor.jsonloader.conf._config" self.sample_conf_ra['default_ra']['validators'] = {'extensions': { 'allowed_extensions': ['basicConstraints', 'keyUsage']}} data = self.sample_conf with mock.patch.dict(config, data): certificate_ops.validate_csr('default_ra', None, csr_obj, None)
def test_validate_csr_bypass(self): """Test empty validator set for validate_csr.""" csr_obj = certificate_ops.parse_csr(self.csr_sample, 'pem') config = "anchor.jsonloader.conf._config" self.sample_conf_ra['default_ra']['validators'] = {} data = self.sample_conf with mock.patch.dict(config, data): # this should work, it allows people to bypass validation certificate_ops.validate_csr('default_ra', None, csr_obj, None)
def post(self): auth_result = auth.validate(pecan.request.POST.get('user'), pecan.request.POST.get('secret')) csr = certificate_ops.parse_csr(pecan.request.POST.get('csr'), pecan.request.POST.get('encoding')) certificate_ops.validate_csr(auth_result, csr, pecan.request) return certificate_ops.sign(csr)
def test_ca_key_read_failure(self): """Test CA key read failure.""" csr_obj = certificate_ops.parse_csr(self.csr, 'pem') config = "anchor.jsonloader.conf._config" data = {'ca': {'cert_path': 'tests/CA/root-ca.crt', 'key_path': '/xxx/not/a/valid/path'}} with mock.patch.dict(config, data): with self.assertRaises(http_status.HTTPServerError): certificate_ops.sign(csr_obj)
def test_validate_csr_fail(self): """Test failure path for validate_csr.""" csr_obj = certificate_ops.parse_csr(self.csr, 'pem') config = "anchor.jsonloader.conf._config" validators = {'steps': {'common_name': {'allowed_domains': ['.testing.com']}}} data = {'validators': validators} with mock.patch.dict(config, data): with self.assertRaises(http_status.HTTPClientError): certificate_ops.validate_csr(None, csr_obj, None)
def test_ca_key_read_failure(self): """Test CA key read failure.""" csr_obj = certificate_ops.parse_csr(self.csr_sample, 'pem') config = "anchor.jsonloader.conf._config" self.sample_conf_ca['default_ca']['cert_path'] = 'tests/CA/root-ca.crt' self.sample_conf_ca['default_ca']['key_path'] = '/xxx/not/a/valid/path' data = self.sample_conf with mock.patch.dict(config, data): with self.assertRaises(http_status.HTTPException) as cm: certificate_ops.dispatch_sign('default_ra', csr_obj) self.assertEqual(cm.exception.code, 500)
def post(self): ra_name = self.ra_name logger.debug("processing signing request in registration authority %s", ra_name) auth_result = auth.validate(ra_name, pecan.request.POST.get('user'), pecan.request.POST.get('secret')) csr = certificate_ops.parse_csr(pecan.request.POST.get('csr'), pecan.request.POST.get('encoding')) certificate_ops.validate_csr(ra_name, auth_result, csr, pecan.request) return certificate_ops.dispatch_sign(ra_name, csr)
def test_validate_csr_success(self): """Test basic success path for validate_csr.""" csr_obj = certificate_ops.parse_csr(self.csr_sample, 'pem') config = "anchor.jsonloader.conf._config" self.sample_conf_ra['default_ra']['validators'] = { 'extensions': { 'allowed_extensions': ['basicConstraints', 'keyUsage'] } } data = self.sample_conf with mock.patch.dict(config, data): certificate_ops.validate_csr('default_ra', None, csr_obj, None)
def test_ca_key_read_failure(self): """Test CA key read failure.""" csr_obj = certificate_ops.parse_csr(self.csr, 'pem') config = "anchor.jsonloader.conf._config" data = { 'ca': { 'cert_path': 'tests/CA/root-ca.crt', 'key_path': '/xxx/not/a/valid/path' } } with mock.patch.dict(config, data): with self.assertRaises(http_status.HTTPServerError): certificate_ops.sign(csr_obj)
def test_validate_csr_fail(self): """Test failure path for validate_csr.""" csr_obj = certificate_ops.parse_csr(self.csr_sample, 'pem') config = "anchor.jsonloader.conf._config" self.sample_conf_ra['default_ra']['validators'] = { 'common_name': { 'allowed_domains': ['.testing.example.com'] } } data = self.sample_conf with mock.patch.dict(config, data): with self.assertRaises(http_status.HTTPException) as cm: certificate_ops.validate_csr('default_ra', None, csr_obj, None) self.assertEqual(cm.exception.code, 400)
def test_validate_csr_fail(self): """Test failure path for validate_csr.""" csr_obj = certificate_ops.parse_csr(self.csr, 'pem') config = "anchor.jsonloader.conf._config" validators = { 'steps': { 'common_name': { 'allowed_domains': ['.testing.com'] } } } data = {'validators': validators} with mock.patch.dict(config, data): with self.assertRaises(http_status.HTTPClientError): certificate_ops.validate_csr(None, csr_obj, None)
def test_parse_csr_fail4(self): """Test invalid CSR (wrong value) format for parse_csr.""" with self.assertRaises(http_status.HTTPClientError): certificate_ops.parse_csr('invalid csr input', 'pem')
def test_parse_csr_fail3(self): """Test invalid CSR (None) format for parse_csr.""" with self.assertRaises(http_status.HTTPClientError): certificate_ops.parse_csr(None, 'pem')
def test_parse_csr_fail2(self): """Test invalid CSR format (wrong type) for parse_csr.""" with self.assertRaises(http_status.HTTPClientError): certificate_ops.parse_csr(self.csr, True)
def test_parse_csr_fail1(self): """Test invalid CSR format (wrong value) for parse_csr.""" with self.assertRaises(http_status.HTTPClientError): certificate_ops.parse_csr(self.csr_sample, 'blah')
def test_parse_csr_success1(self): """Test basic success path for parse_csr.""" result = certificate_ops.parse_csr(self.csr, 'pem') subject = result.get_subject() actual_cn = subject.get_entries_by_nid_name('CN')[0].get_value() self.assertEqual(actual_cn, self.expected_cn)
def test_parse_csr_fail1(self): """Test invalid CSR format (wrong value) for parse_csr.""" with self.assertRaises(http_status.HTTPClientError): certificate_ops.parse_csr(self.csr, 'blah')
def test_parse_csr_fail2(self): """Test invalid CSR format (wrong type) for parse_csr.""" with self.assertRaises(http_status.HTTPClientError): certificate_ops.parse_csr(self.csr_sample, True)