def test_check_expiry(temp_deployment_files):
""" Validates check_expiry """
repo_path = str(
git.git_handler(TEST_PARAMS["repo_url"], ref=TEST_PARAMS["repo_rev"]))
with mock.patch.dict(config.GLOBAL_CONTEXT, {"site_repo": repo_path}):
pki_generator = PKIGenerator(duration=365,
sitename=TEST_PARAMS["site_name"])
generated_files = pki_generator.generate()
pki_util = pki_utility.PKIUtility(duration=0)
assert len(generated_files), 'No secrets were generated'
for generated_file in generated_files:
if "certificate" not in generated_file:
continue
with open(generated_file, 'r') as f:
results = yaml.safe_load_all(f) # Validate valid YAML.
results = PeglegSecretManagement(
docs=results).get_decrypted_secrets()
for result in results:
if result['schema'] == \
"deckhand/Certificate/v1":
cert = result['data']
cert_info = pki_util.check_expiry(cert)
assert cert_info['expired'] is False, \
"%s is expired/expiring on %s" % \
(result['metadata']['name'],
cert_info['expiry_date'])
def __init__(self,
sitename,
block_strings=True,
author=None,
duration=365,
regenerate_all=False,
save_location=None):
"""Constructor for ``PKIGenerator``.
:param int duration: Duration in days that generated certificates
are valid.
:param str sitename: Site name for which to retrieve documents used for
certificate and keypair generation.
:param bool block_strings: Whether to dump out certificate data as
block-style YAML string. Defaults to true.
:param str author: Identifying name of the author generating new
certificates.
:param bool regenerate_all: If Pegleg should regenerate all certs.
"""
self._regenerate_all = regenerate_all
self._sitename = sitename
self._documents = site.get_rendered_docs(sitename)
self._author = author
self._save_location = save_location or config.get_site_repo()
self.keys = pki_utility.PKIUtility(block_strings=block_strings,
duration=duration)
self.outputs = collections.defaultdict(dict)
# Maps certificates to CAs in order to derive certificate paths.
self._cert_to_ca_map = {}
def test_generate_certificate(self):
pki_obj = pki_utility.PKIUtility(duration=365)
ca_cert_wrapper, ca_key_wrapper = pki_obj.generate_ca(
self.__class__.__name__)
ca_cert = ca_cert_wrapper['data']['managedDocument']
ca_key = ca_key_wrapper['data']['managedDocument']
cert_wrapper, cert_key_wrapper = pki_obj.generate_certificate(
name=self.__class__.__name__,
ca_cert=ca_cert['data'],
ca_key=ca_key['data'],
cn='admin')
assert 'pegleg/PeglegManagedDocument/v1' == cert_wrapper['schema']
assert 'pegleg/PeglegManagedDocument/v1' == cert_key_wrapper['schema']
cert = cert_wrapper['data']['managedDocument']
assert isinstance(cert, dict), cert
cert_key = cert_key_wrapper['data']['managedDocument']
assert isinstance(cert_key, dict), cert_key
assert isinstance(cert, dict), cert
assert CERT_SCHEMA in cert['schema']
assert CERT_HEADER in cert['data']
assert isinstance(cert_key, dict), cert_key
assert CERT_KEY_SCHEMA in cert_key['schema']
assert CERT_KEY_HEADER in cert_key['data']
def test_check_expiry_is_expired_true(self):
"""Check that ``check_expiry`` returns True is cert is expired.
Second values are used to demonstrate precision down to the second.
"""
pki_obj = pki_utility.PKIUtility(duration=0)
ca_config = json.loads(pki_obj.ca_config)
ca_config['signing']['default']['expiry'] = '1s'
m_callable = mock.PropertyMock(return_value=json.dumps(ca_config))
with mock.patch.object(pki_utility.PKIUtility,
'ca_config',
new_callable=m_callable):
ca_cert_wrapper, ca_key_wrapper = pki_obj.generate_ca(
self.__class__.__name__)
ca_cert = ca_cert_wrapper['data']['managedDocument']
ca_key = ca_key_wrapper['data']['managedDocument']
cert_wrapper, _ = pki_obj.generate_certificate(
name=self.__class__.__name__,
ca_cert=ca_cert['data'],
ca_key=ca_key['data'],
cn='admin')
cert = cert_wrapper['data']['managedDocument']
time.sleep(2)
# Validate that the cert has expired.
is_expired = pki_obj.check_expiry(cert=cert['data'])['expired']
assert is_expired
def test_check_expiry_is_expired_false(self):
"""Check that ``check_expiry`` returns False if cert isn't expired."""
pki_obj = pki_utility.PKIUtility(duration=0)
ca_config = json.loads(pki_obj.ca_config)
ca_config['signing']['default']['expiry'] = '1h'
m_callable = mock.PropertyMock(return_value=json.dumps(ca_config))
with mock.patch.object(pki_utility.PKIUtility,
'ca_config',
new_callable=m_callable):
ca_cert_wrapper, ca_key_wrapper = pki_obj.generate_ca(
self.__class__.__name__)
ca_cert = ca_cert_wrapper['data']['managedDocument']
ca_key = ca_key_wrapper['data']['managedDocument']
cert_wrapper, _ = pki_obj.generate_certificate(
name=self.__class__.__name__,
ca_cert=ca_cert['data'],
ca_key=ca_key['data'],
cn='admin')
cert = cert_wrapper['data']['managedDocument']
# Validate that the cert hasn't expired.
is_expired = pki_obj.check_expiry(cert=cert['data'])['expired']
assert not is_expired
def test_generate_keypair(self):
pki_obj = pki_utility.PKIUtility()
pub_key_wrapper, priv_key_wrapper = pki_obj.generate_keypair(
self.__class__.__name__)
assert 'pegleg/PeglegManagedDocument/v1' == pub_key_wrapper['schema']
assert 'pegleg/PeglegManagedDocument/v1' == priv_key_wrapper['schema']
pub_key = pub_key_wrapper['data']['managedDocument']
assert isinstance(pub_key, dict), pub_key
priv_key = priv_key_wrapper['data']['managedDocument']
assert isinstance(pub_key, dict), priv_key
assert isinstance(pub_key, dict), pub_key
assert PUBLIC_KEY_SCHEMA in pub_key['schema']
assert PUBLIC_KEY_HEADER in pub_key['data']
assert isinstance(priv_key, dict), priv_key
assert PRIVATE_KEY_SCHEMA in priv_key['schema']
assert PRIVATE_KEY_HEADER in priv_key['data']
def test_generate_ca(self):
pki_obj = pki_utility.PKIUtility()
ca_cert_wrapper, ca_key_wrapper = pki_obj.generate_ca(
self.__class__.__name__)
assert 'pegleg/PeglegManagedDocument/v1' == ca_cert_wrapper['schema']
assert 'pegleg/PeglegManagedDocument/v1' == ca_key_wrapper['schema']
ca_cert = ca_cert_wrapper['data']['managedDocument']
assert isinstance(ca_cert, dict), ca_cert
ca_key = ca_key_wrapper['data']['managedDocument']
assert isinstance(ca_key, dict), ca_key
assert isinstance(ca_cert, dict), ca_cert
assert CA_SCHEMA in ca_cert['schema']
assert CERT_HEADER in ca_cert['data']
assert isinstance(ca_key, dict), ca_key
assert CA_KEY_SCHEMA in ca_key['schema']
assert CERT_KEY_HEADER in ca_key['data']