Exemplo n.º 1
    def test_create_root_ca(self):
        """Check the status line create_root_ca prints for three stubbed replies.

        Only ``status_code`` and ``_content`` of ``self.test_response`` are
        changed here; how that object reaches the client is set up outside
        this method.
        """
        root_ca = get_test_root_ca(self.baseurl)
        generated_msg = "[*] pkictl - Generated Root CA: test-root-ca"
        exists_msg = "[*] pkictl - Root CA 'test-root-ca' has already been generated"

        # 200 with a certificate in the body: reported as newly generated.
        self.test_response.status_code = 200
        self.test_response._content = serialize_json(
            {"data": {"certificate": "-----BEGIN CERTIFICATE-----"}}
        )
        with capture_stdout(self.vault_client.create_root_ca, root_ca) as printed:
            self.assertEqual(printed.strip(), generated_msg)

        # Status stays 200 but "data" is null: reported as already generated.
        # NOTE(review): only the printed line is pinned; whether the client
        # avoids re-issuing an existing root is not checked here.
        self.test_response._content = serialize_json({"data": None})
        with capture_stdout(self.vault_client.create_root_ca, root_ca) as printed:
            self.assertEqual(printed.strip(), exists_msg)

        # 204 with the body left as above: same "already generated" line.
        self.test_response.status_code = 204
        with capture_stdout(self.vault_client.create_root_ca, root_ca) as printed:
            self.assertEqual(printed.strip(), exists_msg)
Exemplo n.º 2
    def test_create_root_ca_fail(self):
        """A 400 reply must make create_root_ca exit with its error message."""
        root_ca = get_test_root_ca(self.baseurl)

        # The body still carries a certificate, so the expected exit shows the
        # client must not accept certificate material from a failed request.
        self.test_response.status_code = 400
        self.test_response._content = serialize_json(
            {"data": {"certificate": "-----BEGIN CERTIFICATE-----"}}
        )

        with self.assertRaises(SystemExit) as raised:
            self.vault_client.create_root_ca(root_ca)

        exit_message = raised.exception.args[0]
        self.assertEqual(
            exit_message,
            "[-] pkictl - Error: Failed to generate Root CA: test-root-ca",
        )
Exemplo n.º 3
    def test_sign_intermediate_ca_fail(self):
        """A 500 reply must make sign_intermediate_ca exit with its error message."""
        intermediate = get_test_intermediate_ca(self.baseurl)
        # Placeholder CSR (header line only); the test sets it directly on the fixture.
        intermediate.csr = "-----BEGIN CERTIFICATE REQUEST-----"

        # The body still carries a certificate; the expected exit shows a
        # failed signing request must not be treated as a signed CA.
        self.test_response.status_code = 500
        self.test_response._content = serialize_json(
            {"data": {"certificate": "-----BEGIN CERTIFICATE-----"}}
        )

        with self.assertRaises(SystemExit) as raised:
            self.vault_client.sign_intermediate_ca(intermediate)

        exit_message = raised.exception.args[0]
        self.assertEqual(
            exit_message,
            "[-] pkictl - Error: Failed to sign intermediate CA 'test-intermediate-ca' with issuing CA: test-root-ca",
        )
Exemplo n.º 4
    def test_sign_intermediate_ca(self):
        """A 200 reply makes sign_intermediate_ca print success and leave a str on ca.cert."""
        intermediate = get_test_intermediate_ca(self.baseurl)
        # Placeholder CSR (header line only); the test sets it directly on the fixture.
        intermediate.csr = "-----BEGIN CERTIFICATE REQUEST-----"

        signed_reply = {
            "data": {
                "certificate": "-----BEGIN CERTIFICATE-----",
                "issuing_ca": "-----BEGIN CERTIFICATE-----",
            }
        }
        self.test_response.status_code = 200
        self.test_response._content = serialize_json(signed_reply)

        with capture_stdout(self.vault_client.sign_intermediate_ca, intermediate) as printed:
            self.assertEqual(
                printed.strip(),
                "[*] pkictl - Signed intermediate CA 'test-intermediate-ca' with issuing CA: test-root-ca",
            )

        # Only the type is checked; the certificate content itself is not compared.
        self.assertIsInstance(intermediate.cert, str)
Exemplo n.º 5
    def test_create_intermediate_ca_fail(self):
        """A 400 reply must make create_intermediate_ca exit with its error message."""
        intermediate = get_test_intermediate_ca(self.baseurl)

        # Placeholder reply: header lines only, no real CSR or key material.
        reply = {
            "data": {
                "csr": "-----BEGIN CERTIFICATE REQUEST-----",
                "private_key": "-----BEGIN RSA PRIVATE KEY----",
            }
        }
        self.test_response._content = serialize_json(reply)
        self.test_response.status_code = 400

        with self.assertRaises(SystemExit) as raised:
            self.vault_client.create_intermediate_ca(intermediate)

        # The exit message is compared exactly, so it cannot carry the
        # private_key value from the reply.
        exit_message = raised.exception.args[0]
        self.assertEqual(
            exit_message,
            "[-] pkictl - Error: Failed to generate intermediate CA: test-intermediate-ca",
        )
Exemplo n.º 6
    def test_create_intermediate_ca(self):
        """A 200 reply makes create_intermediate_ca print success and leave a str on ca.csr."""
        intermediate = get_test_intermediate_ca(self.baseurl)

        # Placeholder reply: header lines only, no real CSR or key material.
        reply = {
            "data": {
                "csr": "-----BEGIN CERTIFICATE REQUEST-----",
                "private_key": "-----BEGIN RSA PRIVATE KEY----",
            }
        }
        self.test_response.status_code = 200
        self.test_response._content = serialize_json(reply)

        with capture_stdout(self.vault_client.create_intermediate_ca, intermediate) as printed:
            # Exact match: stdout holds the status line only, so the
            # private_key value in the reply is not echoed to the terminal.
            self.assertEqual(
                printed.strip(),
                "[*] pkictl - Created intermediate CA: test-intermediate-ca",
            )

        # NOTE(review): what the client does with the returned private_key is
        # not asserted here; only the CSR attribute's type is checked.
        self.assertIsInstance(intermediate.csr, str)
Exemplo n.º 7
    def test_unseal_server(self):
        """unseal_server prints success on 200 and exits with an error on 400."""
        # Five dummy key shares; the stubbed status body reports t=3, n=5.
        self.vault_client.master_keys = ["a", "b", "c", "d", "e"]
        seal_status = {"sealed": False, "t": 3, "n": 5, "version": "11.3.0"}
        self.test_response._content = serialize_json(seal_status)

        self.test_response.status_code = 200
        with capture_stdout(self.vault_client.unseal_server) as printed:
            # Exact match: the key shares are not part of the printed line.
            self.assertEqual(printed.strip(), "[*] pkictl - Unsealed the Vault server")

        # Same body, but a 400 status must abort the run.
        self.test_response.status_code = 400
        with self.assertRaises(SystemExit) as raised:
            self.vault_client.unseal_server()

        exit_message = raised.exception.args[0]
        self.assertEqual(exit_message, "[-] pkictl - Error: failed to unseal the Vault server")
Exemplo n.º 8
    def test_health_check(self):
        """healthcheck returns (initialized, sealed) and prints a line per status code."""
        self.test_response._content = serialize_json({"initialized": True, "sealed": True})

        # First call runs with whatever status_code the fixture was given
        # outside this method; only the returned pair is checked.
        initialized, sealed = self.vault_client.healthcheck()
        self.assertEqual(initialized, True)
        self.assertEqual(sealed, True)

        # The body above is never changed, so the expected lines follow the
        # status code: the 200 case expects "not sealed" although the body
        # says sealed=True.
        expected_by_status = (
            (200, "[*] pkictl - the Vault server has been initialized and is not sealed"),
            (501, "[*] pkictl - the Vault server has not been initialized"),
            (503, "[-] pkictl - Error: the Vault server is sealed"),
        )
        for status, expected_line in expected_by_status:
            self.test_response.status_code = status
            with capture_stdout(self.vault_client.healthcheck) as printed:
                self.assertEqual(printed.strip(), expected_line)
Exemplo n.º 9
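    def test_initialize_server(self):
        """Exercise initialize_server: success, a rejected request, unwritable output files.

        The stubbed reply carries a dummy root token and five dummy key
        shares. The unwritable-file cases are skipped when running as uid 0,
        and they pass explicit temporary paths for both output files.
        """
        self.test_response.status_code = 200
        self.test_response._content    = serialize_json({"root_token": "test", "keys_base64": ["a", "b", "c", "d", "e"]})

        with tempfile.NamedTemporaryFile() as lf, tempfile.NamedTemporaryFile() as tf:
            with capture_stdout(self.vault_client.initialize_server, log_file=lf.name, token_file=tf.name) as output:
                # Exact match: stdout holds the status line only, so neither
                # the root token nor the key shares are echoed.
                self.assertEqual(output.strip(), "[*] pkictl - Initialized the Vault server")
            self.assertEqual(len(self.vault_client.master_keys), 5)
            # NOTE(review): the contents and file mode of lf/tf are not
            # checked; confirm elsewhere that the token and key files are
            # created owner-only.

        # A 401 reply is reported on stdout rather than by exiting.
        self.test_response.status_code = 401
        with capture_stdout(self.vault_client.initialize_server) as output:
            self.assertEqual(output.strip(), "[-] pkictl - Error: failed to initialize the Vault server")

        # The remaining cases rely on mode 0o400 blocking a write. A process
        # running as uid 0 bypasses that check, so SystemExit would never be
        # raised and the test would fail for an unrelated reason.
        if hasattr(os, "geteuid") and os.geteuid() == 0:
            self.skipTest("read-only file cases cannot be exercised as root")

        # fails to write master keys to file
        # The other output path is an explicit writable temp file so the call
        # never falls back to the client's default path (not visible here).
        self.test_response.status_code = 200
        with tempfile.NamedTemporaryFile() as ro, tempfile.NamedTemporaryFile() as rw, self.assertRaises(SystemExit):
            os.chmod(ro.name, 0o400)
            self.vault_client.initialize_server(log_file=ro.name, token_file=rw.name)

        # fails to write root token to file
        self.test_response.status_code = 200
        with tempfile.NamedTemporaryFile() as ro, tempfile.NamedTemporaryFile() as rw, self.assertRaises(SystemExit):
            os.chmod(ro.name, 0o400)
            self.vault_client.initialize_server(log_file=rw.name, token_file=ro.name)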