def test_create_certificates_ca_not_initialized(
    ca: certs.CertificateAuthority,
) -> None:
    """Check that no certificate can be issued before the CA is initialized.

    Both creation entry points are called on the ``ca`` fixture without a
    prior ``initialize()`` in this test, and each must raise ``RuntimeError``
    with the "not initialized" message instead of producing a certificate.
    """
    not_initialized = "Certificate authority is not initialized yet"

    # Site certificate path.
    with pytest.raises(RuntimeError, match=not_initialized):
        ca.create_site_certificate("xyz")

    # Agent receiver certificate path.
    with pytest.raises(RuntimeError, match=not_initialized):
        ca.create_agent_receiver_certificate()
def test_validate_certificate_expired(ca: CertificateAuthority) -> None:
    """Check that validation rejects a certificate whose validity has ended.

    The certificate is issued with a one-day lifetime while the clock is
    frozen at a fixed past timestamp, then validated at the real current
    time, where it must be reported as expired.
    """
    ca._days_valid = 1

    # 1638174087 is 2021-11-29 (UTC); with one day of validity the
    # certificate is long expired by the time it is validated below.
    issue_timestamp = 1638174087
    with on_time(issue_timestamp, "UTC"):
        expired_cert, _unused_key = ca._certificate_from_root("abc123")

    expectation = pytest.raises(
        CertificateValidationError,
        match="Client certificate expired",
    )
    with expectation:
        _validate_certificate(expired_cert)
def fixture_ca(
    mocker: MockerFixture,
    tmp_path: Path,
) -> CertificateAuthority:
    """Provide an initialized test CA and point the agent receiver at its root.

    The CA lives under pytest's temporary directory. The module attribute
    ``agent_receiver.certificates.ROOT_CERT`` is patched to this CA's root
    certificate path, so code reading that attribute sees the throwaway
    test root rather than whatever the module configured at import time.
    """
    authority = CertificateAuthority(tmp_path / "ca", "test-ca")
    authority.initialize()

    mocker.patch(
        "agent_receiver.certificates.ROOT_CERT",
        authority._root_cert_path,
    )
    return authority
def test_initialize(ca: certs.CertificateAuthority) -> None:
    """Check that ``initialize()`` creates a usable root certificate and key.

    The CA must report itself uninitialized first and initialized afterwards.
    The root certificate must carry ``CA_NAME`` as its common name and match
    the private key returned with it.
    """
    assert not ca.is_initialized
    ca.initialize()
    assert ca.is_initialized

    root_cert, root_key = ca._get_root_certificate()

    assert check_cn(root_cert, CA_NAME)
    # NOTE(review): the helper's return value is not asserted here, so it
    # presumably raises on a certificate/key mismatch. Confirm in the helper.
    check_certificate_against_private_key(root_cert, root_key)
def test_validate_certificate_not_yet_valid(ca: CertificateAuthority) -> None:
    """Check that validation rejects a certificate issued in the future.

    The certificate is issued with the clock frozen 24 hours ahead of now,
    then validated at the real current time, where it must be reported as
    not yet valid.
    """
    one_day_ahead = time() + 24 * 3600
    with on_time(one_day_ahead, "UTC"):
        future_cert, _unused_key = ca._certificate_from_root("abc123")

    expectation = pytest.raises(
        CertificateValidationError,
        match="Client certificate not yet valid",
    )
    with expectation:
        _validate_certificate(future_cert)
def test_write_agent_receiver_certificate(ca: CertificateAuthority) -> None:
    """Check the agent receiver certificate file after it is created.

    Covers four properties: the file only exists after creation, its
    permissions pass the 660 helper, the certificate's common name is
    ``localhost``, and the certificate matches both its own private key
    and the root CA's public key.
    """
    assert not ca.agent_receiver_certificate_exists
    ca.create_agent_receiver_certificate(days_valid=100)
    assert ca.agent_receiver_certificate_exists

    cert_file = ca._agent_receiver_cert_path
    # The same file is loaded below as certificate *and* private key, so its
    # mode is security-relevant.
    assert _file_permissions_is_660(cert_file)

    receiver_cert, receiver_key = load_cert_and_private_key(
        ca._agent_receiver_cert_path
    )
    assert check_cn(receiver_cert, "localhost")

    # NOTE(review): neither helper's result is asserted, so both presumably
    # raise on mismatch. Confirm in the helpers.
    check_certificate_against_private_key(receiver_cert, receiver_key)
    root_public_key = _rsa_public_key_from_cert_or_csr(ca.root_ca.cert)
    check_certificate_against_public_key(receiver_cert, root_public_key)
def test_write_agent_receiver_certificate(
    ca: certs.CertificateAuthority,
) -> None:
    """Check the agent receiver certificate file written by an initialized CA.

    After ``initialize()``, creating the certificate must produce a file that
    passes the 660 permission helper, has ``localhost`` as common name, and
    matches both its own private key and the root certificate's public key.
    """
    ca.initialize()

    assert not ca.agent_receiver_certificate_exists
    ca.create_agent_receiver_certificate()
    assert ca.agent_receiver_certificate_exists

    cert_file = ca._agent_receiver_cert_path
    # The same file is loaded below as certificate *and* private key, so its
    # mode is security-relevant.
    assert _file_permissions_is_660(cert_file)

    receiver_cert, receiver_key = load_cert_and_private_key(
        ca._agent_receiver_cert_path
    )
    assert check_cn(receiver_cert, "localhost")

    # NOTE(review): neither helper's result is asserted, so both presumably
    # raise on mismatch. Confirm in the helpers.
    check_certificate_against_private_key(receiver_cert, receiver_key)
    root_cert = ca._get_root_certificate()[0]
    check_certificate_against_public_key(
        receiver_cert,
        rsa_public_key_from_cert_or_csr(root_cert),
    )
def test_create_site_certificate(ca: certs.CertificateAuthority) -> None:
    """Check the site certificate file written by an initialized CA.

    For site ``xyz`` the certificate must not exist before creation. Once
    created, the file must pass the 660 permission helper, carry the site id
    as common name, and match both its own private key and the root
    certificate's public key.
    """
    ca.initialize()
    site_id = "xyz"

    assert not ca.site_certificate_exists(site_id)
    ca.create_site_certificate(site_id)
    assert ca.site_certificate_exists(site_id)

    # The file at this path is loaded below as certificate *and* private key,
    # so its mode is security-relevant.
    assert _file_permissions_is_660(ca._site_certificate_path(site_id))

    site_cert, site_key = load_cert_and_private_key(
        ca._site_certificate_path(site_id)
    )
    assert check_cn(site_cert, site_id)

    # NOTE(review): neither helper's result is asserted, so both presumably
    # raise on mismatch. Confirm in the helpers.
    check_certificate_against_private_key(site_cert, site_key)
    root_cert = ca._get_root_certificate()[0]
    check_certificate_against_public_key(
        site_cert,
        rsa_public_key_from_cert_or_csr(root_cert),
    )
def test_create_site_certificate(ca: CertificateAuthority) -> None:
    """Check the site certificate file after it is created.

    For site ``xyz`` with a 100-day validity, the certificate must not exist
    before creation. Once created, the file must pass the 660 permission
    helper, carry the site id as common name, and match both its own private
    key and the root CA's public key.
    """
    site_id = "xyz"

    assert not ca.site_certificate_exists(site_id)
    ca.create_site_certificate(site_id, days_valid=100)
    assert ca.site_certificate_exists(site_id)

    # The file at this path is loaded below as certificate *and* private key,
    # so its mode is security-relevant.
    assert _file_permissions_is_660(ca._site_certificate_path(site_id))

    site_cert, site_key = load_cert_and_private_key(
        ca._site_certificate_path(site_id)
    )
    assert check_cn(site_cert, site_id)

    # NOTE(review): neither helper's result is asserted, so both presumably
    # raise on mismatch. Confirm in the helpers.
    check_certificate_against_private_key(site_cert, site_key)
    root_public_key = _rsa_public_key_from_cert_or_csr(ca.root_ca.cert)
    check_certificate_against_public_key(site_cert, root_public_key)
def fixture_untrusted_cert(tmp_path: Path) -> Certificate:
    """Provide a certificate issued by a second, unrelated CA.

    A separate ``CertificateAuthority`` is created under ``ca-2`` in the
    temporary directory, so the returned certificate is not signed by the
    CA that the other fixtures build under ``ca``.
    """
    foreign_ca = CertificateAuthority(tmp_path / "ca-2", "test-ca-2")
    foreign_ca.initialize()

    # Only the certificate is needed; the private key is discarded.
    foreign_cert, _unused_key = foreign_ca._certificate_from_root("abc123")
    return foreign_cert
def fixture_trusted_cert(ca: CertificateAuthority) -> Certificate:
    """Provide a certificate issued from the root of the ``ca`` fixture."""
    # Only the certificate is needed; the private key is discarded.
    issued_cert, _unused_key = ca._certificate_from_root("abc123")
    return issued_cert
def fixture_ca(tmp_path: Path) -> CertificateAuthority:
    """Provide a CA rooted under ``ca`` in pytest's temporary directory.

    The root CA named ``CA_NAME`` is loaded from, or created at, the root
    certificate path derived from that directory.
    """
    ca_dir = tmp_path / "ca"
    root = RootCA.load_or_create(root_cert_path(ca_dir), CA_NAME)
    return CertificateAuthority(root_ca=root, ca_path=ca_dir)
def ca(tmp_path):
    """Provide a CA rooted under ``etc/ssl`` in pytest's temporary directory.

    The root CA named ``ca-name`` is loaded from, or created at, the root
    certificate path derived from that directory.
    """
    ssl_dir = tmp_path / "etc" / "ssl"
    root = RootCA.load_or_create(root_cert_path(ssl_dir), "ca-name")
    return CertificateAuthority(root_ca=root, ca_path=ssl_dir)