def setUp(self):
    """Build the certificate fixtures shared by the tests in this class.

    Creates a root and a subset ScopeDefinition for the ``facilitydata``
    profile, a root certificate, a saved subset certificate signed by the
    root (holding a private key), an unsaved subset certificate signed by
    the root (holding only a public key), a network connection to the live
    test server, and the shared key.
    """
    self.profile = "facilitydata"
    scope_def_common = {"profile": self.profile, "version": 1}
    self.root_scope_def = ScopeDefinition.objects.create(
        id="rootcert",
        primary_scope_param_key="mainpartition",
        description="Root cert for ${mainpartition}.",
        read_filter_template="",
        write_filter_template="",
        read_write_filter_template="${mainpartition}",
        **scope_def_common,
    )
    self.subset_scope_def = ScopeDefinition.objects.create(
        id="subcert",
        primary_scope_param_key="",
        description="Subset cert under ${mainpartition} for ${subpartition}.",
        read_filter_template="${mainpartition}",
        write_filter_template="${mainpartition}:${subpartition}",
        read_write_filter_template="",
        **scope_def_common,
    )
    self.root_cert = Certificate.generate_root_certificate(self.root_scope_def.id)

    def signed_subset_cert(subpartition, **key_kwargs):
        # Subset certs are scoped under the root's id and signed by the root;
        # the caller decides which half of the key pair the cert carries.
        cert = Certificate(
            parent=self.root_cert,
            profile=self.profile,
            scope_definition=self.subset_scope_def,
            scope_version=self.subset_scope_def.version,
            scope_params=json.dumps(
                {"mainpartition": self.root_cert.id, "subpartition": subpartition}
            ),
            **key_kwargs,
        )
        self.root_cert.sign_certificate(cert)
        return cert

    self.subset_cert = signed_subset_cert("abracadabra", private_key=Key())
    self.subset_cert.save()
    # Deliberately never saved: carries only a public key.
    self.unsaved_cert = signed_subset_cert("other", public_key=Key())

    self.controller = MorangoProfileController("facilitydata")
    self.network_connection = self.controller.create_network_connection(
        self.live_server_url
    )
    self.key = SharedKey.get_or_create_shared_key()
def certificate_signing_request(
    self,
    parent_cert,
    scope_definition_id,
    scope_params,
    userargs=None,
    password=None,
):
    """Ask the server to sign a new certificate issued under ``parent_cert``.

    A fresh key pair is generated locally; only its public half is sent in
    the CSR. The certificate the server returns is verified with
    ``check_certificate`` before it is saved, so a certificate that fails
    verification is never persisted.

    Args:
        parent_cert: certificate the new one is issued under. If it is not in
            the local database, its chain is fetched from the server first.
        scope_definition_id: id of the ScopeDefinition for the new cert.
        scope_params: dict of scope parameters, JSON-encoded into the CSR.
        userargs: passed through to ``_certificate_signing``.
        password: passed through to ``_certificate_signing``.

    Returns:
        The signed Certificate, saved locally with the new private key set.

    Raises:
        Whatever ``check_certificate`` raises for a certificate that does
        not verify.
    """
    parent_known_locally = Certificate.objects.filter(id=parent_cert.id).exists()
    if not parent_known_locally:
        # Fetch the issuing chain from the server and store it locally.
        chain_response = self._get_certificate_chain(
            params={"ancestors_of": parent_cert.id}
        )
        Certificate.save_certificate_chain(
            chain_response.json(), expected_last_id=parent_cert.id
        )

    # The private key stays on this machine; the CSR carries the public key only.
    new_key = Key()
    csr_payload = {
        "parent": parent_cert.id,
        "profile": parent_cert.profile,
        "scope_definition": scope_definition_id,
        "scope_version": parent_cert.scope_version,
        "scope_params": json.dumps(scope_params),
        "public_key": new_key.get_public_key_string(),
    }
    signed = self._certificate_signing(csr_payload, userargs, password).json()

    signed_cert = Certificate.deserialize(signed["serialized"], signed["signature"])
    # NOTE(review): assigning private_key presumably also sets public_key (the
    # model test for the private-key setter suggests so), so a returned cert
    # carrying a different key should fail check_certificate below if the
    # signature covers the public key — confirm against the model.
    signed_cert.private_key = new_key
    # Verify before persisting: nothing is saved if verification raises.
    signed_cert.check_certificate()
    signed_cert.save()
    return signed_cert
def test_bad_scope_subset_does_not_validate(self):
    """A cert whose scope is not within its parent's scope fails to verify.

    The root signs a subset cert whose ``mainpartition`` is not the root's
    own id; ``check_certificate`` must reject it with
    ``CertificateScopeNotSubset`` even though the root's signature is present.
    """
    foreign_partition = "a" * 32
    escaping_cert = Certificate(
        parent=self.root_cert,
        profile=self.profile,
        scope_definition=self.subset_scope_def,
        scope_version=self.subset_scope_def.version,
        scope_params=json.dumps(
            {"mainpartition": foreign_partition, "subpartition": "abracadabra"}
        ),
        private_key=Key(),
    )
    self.root_cert.sign_certificate(escaping_cert)
    escaping_cert.save()
    with self.assertRaises(CertificateScopeNotSubset):
        escaping_cert.check_certificate()
def test_push_signed_client_certificate_chain_publickey_error(self):
    """The server rejects a pushed chain whose cert uses an unexpected public key.

    ``_get_public_key`` is patched to hand back a freshly generated key rather
    than the server's shared key; the push must then fail with an HTTP 400.
    """
    self.network_connection.capabilities = [ALLOW_CERTIFICATE_PUSHING]
    scope_params = {
        "mainpartition": self.root_cert.id,
        "subpartition": "abracadabra",
    }
    with mock.patch.object(NetworkSyncConnection, "_get_public_key") as get_public_key:
        get_public_key.return_value.json.return_value = [
            {"public_key": Key().get_public_key_string()}
        ]
        with self.assertRaises(HTTPError) as raised:
            self.network_connection.push_signed_client_certificate_chain(
                self.root_cert,
                self.subset_scope_def.id,
                scope_params,
            )
        self.assertEqual(raised.exception.response.status_code, 400)
def setUp(self):
    """Build the certificate fixtures shared by the tests in this class.

    Creates a root and a subset ScopeDefinition for the ``testprofile``
    profile, a root certificate, and a saved subset certificate that is
    signed by the root and holds a private key.
    """
    self.profile = "testprofile"
    scope_def_common = {"profile": self.profile, "version": 1}
    self.root_scope_def = ScopeDefinition.objects.create(
        id="rootcert",
        primary_scope_param_key="mainpartition",
        description="Root cert for ${mainpartition}.",
        read_filter_template="",
        write_filter_template="",
        read_write_filter_template="${mainpartition}",
        **scope_def_common,
    )
    self.subset_scope_def = ScopeDefinition.objects.create(
        id="subcert",
        primary_scope_param_key="",
        description="Subset cert under ${mainpartition} for ${subpartition}.",
        read_filter_template="${mainpartition}",
        write_filter_template="${mainpartition}:${subpartition}",
        read_write_filter_template="",
        **scope_def_common,
    )
    self.root_cert = Certificate.generate_root_certificate(self.root_scope_def.id)

    subset_scope_params = json.dumps(
        {"mainpartition": self.root_cert.id, "subpartition": "abracadabra"}
    )
    self.subset_cert = Certificate(
        parent=self.root_cert,
        profile=self.profile,
        scope_definition=self.subset_scope_def,
        scope_version=self.subset_scope_def.version,
        scope_params=subset_scope_params,
        private_key=Key(),
    )
    # Signed by the root so that the fixture verifies.
    self.root_cert.sign_certificate(self.subset_cert)
    self.subset_cert.save()
def push_signed_client_certificate_chain(self, local_parent_cert, scope_definition_id, scope_params):
    """Issue a certificate for the server, sign it locally, and push the chain.

    The new certificate is built around the server's shared public key and
    a one-time nonce (used as the salt), signed by the local parent, and
    sent to the server together with the parent's ancestor chain. It is
    saved locally only after the push returns without error.

    Args:
        local_parent_cert: locally held certificate under which the new
            certificate is issued and which signs it.
        scope_definition_id: id of the ScopeDefinition for the new cert.
        scope_params: dict of scope parameters, JSON-encoded into the cert.

    Returns:
        The pushed Certificate, saved locally.

    Raises:
        MorangoServerDoesNotAllowNewCertPush: the server's capabilities do
            not include ALLOW_CERTIFICATE_PUSHING.
    """
    if ALLOW_CERTIFICATE_PUSHING not in self.capabilities:
        raise MorangoServerDoesNotAllowNewCertPush(
            "Server does not allow certificate pushing"
        )

    # Both round-trips happen before either response is parsed.
    publickey_response = self._get_public_key()
    nonce_response = self._get_nonce()
    server_public_key = publickey_response.json()[0]["public_key"]
    nonce_id = nonce_response.json()["id"]

    # The cert carries the server's key; the nonce doubles as the salt so the
    # resulting id is bound to this one-time value.
    new_cert = Certificate(
        parent_id=local_parent_cert.id,
        profile=local_parent_cert.profile,
        scope_definition_id=scope_definition_id,
        scope_version=local_parent_cert.scope_version,
        scope_params=json.dumps(scope_params),
        public_key=Key(public_key_string=server_public_key),
        salt=nonce_id,
    )
    new_cert.id = new_cert.calculate_uuid()
    # Signing goes through the parent resolved from parent_id (presumably a
    # database lookup rather than the passed-in instance).
    new_cert.parent.sign_certificate(new_cert)

    ancestors = list(local_parent_cert.get_ancestors(include_self=True))
    chain = [*ancestors, new_cert]
    payload = json.dumps(CertificateSerializer(chain, many=True).data)

    self._push_certificate_chain(payload)
    # Only persisted once the server has accepted the chain.
    new_cert.save()
    return new_cert
def test_setting_public_key_does_not_set_private_key(self):
    """Assigning only a public key leaves the certificate's private key unset."""
    cert = Certificate()
    cert.public_key = Key()
    self.assertIsNone(cert.private_key)
def test_setting_private_key_sets_public_key(self):
    """Assigning a private key yields a public key that verifies its signatures."""
    cert = Certificate()
    cert.private_key = Key()
    message = "testval"
    signature = cert.private_key.sign(message)
    self.assertTrue(cert.public_key.verify(message, signature))