| author | vg <vgm+dev@devys.org> | 2025-07-06 09:08:04 +0200 | 
|---|---|---|
| committer | vg <vgm+dev@devys.org> | 2025-07-06 09:08:04 +0200 | 
| commit | f201868b9089da733ae268a5a72f8359be10e51d (patch) | |
| tree | 95e1136e6bc4c34602fa903f06169b54623726cc | |
| parent | ac6cbfb81f5683e5af2fdb8810c5bb536643f47d (diff) | |
| -rw-r--r-- | tests/test_acme_dns_tiny.py | 75 | 
1 files changed, 42 insertions, 33 deletions
|
diff --git a/tests/test_acme_dns_tiny.py b/tests/test_acme_dns_tiny.py
index ffbe0b6..5a4a479 100644
--- a/tests/test_acme_dns_tiny.py
+++ b/tests/test_acme_dns_tiny.py
@@ -1,9 +1,7 @@
 #!python3
-import collections
 import contextlib
-import inspect
 import logging
 import os
 import subprocess
@@ -139,16 +137,16 @@ def keys_generator():
 @pytest.fixture(scope='module', params=keys_generator())
-def account_domain_key(request):
+def keysdef(request):
     return request.param
 @pytest.fixture(scope='module', params=[
     {'subj': f'/CN={DOMAIN}',   'san': None},
     {'subj': f'/CN=*.{DOMAIN}', 'san': None},
-    {'subj': f'/',              'san': f'DNS:{DOMAIN},DNS:www.{DOMAIN}'},
+    {'subj':  '/',              'san': f'DNS:{DOMAIN},DNS:www.{DOMAIN}'},
     {'subj': f'/CN={DOMAIN}',   'san': f'DNS:www.{DOMAIN}'},
-    {'subj': f'/',              'san': f'DNS:{DOMAIN},DNS:*.{DOMAIN}'},
+    {'subj':  '/',              'san': f'DNS:{DOMAIN},DNS:*.{DOMAIN}'},
 ])
 def subj_fixture(request):
     return request.param
@@ -157,36 +155,32 @@ def subj_fixture(request):
 CSR_ARGS_COUNTER = 0
 @pytest.fixture(scope='module', params=[
-    pytest.param(None, id='no_separator'),
+    pytest.param({}, id='no_separator'),
     pytest.param({'args': {'--separator': '\\0'}}, id='separator'),
 ])
-def main_args(tmpdir_factory, account_domain_key, request, subj_fixture):
+def main_args(tmpdir_factory, keysdef, request, subj_fixture):
     global CSR_ARGS_COUNTER
     CSR_ARGS_COUNTER += 1
     tmpdir = tmpdir_factory.mktemp("data")
-    #keysdef = account_domain_key.values[0]
-    keysdef = account_domain_key
-    #print('debug', keysdef)
-    default_args = {
+    account_key = keysdef['account_key_path'](tmpdir)
+    args = {
             '--acme-directory': ACME_STAGING_DIRECTORY,
             '--script': SCRIPT,
-            '--account-key': keysdef['account_key_path'](tmpdir),
+            '--account-key': account_key,
             #'--ttl': 60, # already the default
             '--ttl': None,
             '--separator': None,
             '--verbose': None,
             '--quiet': None,
+            **request.param.get('args', {})
     }
-    if request.param:
-        default_args.update(request.param.get('args', {}))
-
-    if default_args['--separator'] is not None:
-        assert default_args['--separator'] == '\\0'
-        assert default_args['--separator'].encode(
+    if args['--separator'] is not None:
+        assert args['--separator'] == '\\0'
+        assert args['--separator'].encode(
                 'utf8').decode('unicode_escape') == '\0'
     name = f'{CSR_ARGS_COUNTER:02X}'
@@ -206,7 +200,11 @@ def main_args(tmpdir_factory, account_domain_key, request, subj_fixture):
             '-out', path
         ])
-    return {**default_args, '--csr': path}, keysdef['raise_expected']
+    return {**args, '--csr': path}, {
+            **keysdef,
+            'account_key_path': account_key, # expanded version
+            'domain_key_path': domain_key, # expanded version
+    }
 def test_sanity_env():
@@ -220,7 +218,7 @@ def test_sanity_command():
     subprocess.run([SCRIPT, 'add', f'_acme-challenge.{DOMAIN}.', 'dummy'])
-def assert_cert(capsys, args):
+def assert_cert(capsys, args, keysdef):
     captured = capsys.readouterr()
     #assert not captured.err
     #certlist = captured.out.split()
@@ -228,7 +226,18 @@ def assert_cert(capsys, args):
     logging.debug('captured stdout %s', captured.out)
     logging.debug('captured stderr %s', captured.err)
-    if args['--separator'] is None:
+    # Subscriber certificates with RSA public keys are issued from our RSA
+    # intermediates, which are issued only from our RSA root ISRG Root X1
+    # (i.e. they are not cross-signed). Therefore, all RSA subscriber certificates
+    # have only a single chain available. (since 2025-06-11, see here for more
+    # information https://letsencrypt.org/certificates/).
+    if (
+            args['--separator'] is None
+        or (
+            args['--separator'] is not None
+            and '/domain_rsa_' in keysdef['domain_key_path']
+        )
+    ):
         assert '\0' not in captured.out
     else:
         assert '\0' in captured.out
@@ -248,7 +257,7 @@ def assert_cert(capsys, args):
         assert certtool_out.count('Subject:') >= 3
-def module_main_caller(*, capsys, args, expectation, do_expire_nonce):
+def module_main_caller(*, capsys, args, expectation, do_expire_nonce, keysdef):
     logging.info(f'module_main_caller({args}, {expectation})')
     logging.debug('before call to acme_dns_tiny.main()')
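Review bot: The dict returned at the end of main_args reuses the key `account_key_path` for a resolved path string, while in the incoming `keysdef` the same key holds a callable (it is invoked as `keysdef['account_key_path'](tmpdir)` earlier in the function). Consumers that receive the second tuple element now have to know which variant they were handed, and the `# expanded version` comments explain this only at the construction site. A fixture docstring would make the contract explicit, for example `"""Return (cli_args, keysdef); keysdef's *_key_path entries are resolved paths, not factories."""`. `domain_key` is assigned outside this hunk, so its type is assumed here from the trailing comment.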
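Review bot: The new condition in assert_cert decides that the domain key is RSA by looking for the substring `'/domain_rsa_'` in `keysdef['domain_key_path']`, which ties the certificate-chain assertion to a file-naming convention defined outside this hunk; if those file names change, RSA runs fall into the `else` branch and fail for an unrelated reason, and any path that happens to contain the substring skips the alternate-chain check. An explicit key-type entry in `keysdef` would be sturdier, assuming the key generator can supply one. The inner `args['--separator'] is not None` is redundant after the `or`, so the test reduces to `if args['--separator'] is None or '/domain_rsa_' in keysdef['domain_key_path']:`. The comment block also quotes Let's Encrypt in the first person ("our RSA intermediates"); marking it as a quotation would keep it from reading as this project's own statement.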
@@ -256,19 +265,19 @@ def module_main_caller(*, capsys, args, expectation, do_expire_nonce):
         acme_dns_tiny.ACME.sreq = original_sreq_method
         if do_expire_nonce:
             logging.info('doing expire nonce test')
-            first_success_case_nonce_timeout_done = True
             acme_dns_tiny.ACME.sreq = nonce_expiration_sreq_wrapper
         acme_dns_tiny.main(args)
         # check_cert is under the expectation context manager since if
         # acme_dns_tiny.main() raises, following statement must not be run.
-        assert_cert(capsys, args)
+        assert_cert(capsys, args, keysdef)
     logging.debug('after call to acme_dns_tiny.main()')
 def test_main(main_args, capsys):
-    t_start = time.time()
+    #t_start = time.time()
     args = main_args[0]
-    raise_expected = main_args[1]
+    keysdef = main_args[1]
+    raise_expected = keysdef['raise_expected']
     do_expire_nonce = False
     #print('subj', subj, 'args', args)
     expectation = does_not_raise()
@@ -277,10 +286,10 @@ def test_main(main_args, capsys):
     elif not first_success_case_nonce_timeout_done:
         do_expire_nonce = True
     module_main_caller(capsys=capsys, args=args, expectation=expectation,
-                       do_expire_nonce=do_expire_nonce)
-    t_stop = time.time()
-
-    # calculate for letsencrypt rate limit (50account per hour)
-    t_diff = 216 - (t_stop - t_start)
-    if t_diff > 0:
-        time.sleep(t_diff)
+                       do_expire_nonce=do_expire_nonce,
+                       keysdef=keysdef)
+    #t_stop = time.time()
+    ## calculate for letsencrypt rate limit (50account per hour)
+    #t_diff = 216 - (t_stop - t_start)
+    #if t_diff > 0 and os.environ.get('ACCOUNT_SLEEP_SKIP') != '1':
+    #    time.sleep(t_diff)
|
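Review bot: Nothing visible after this hunk ever sets `first_success_case_nonce_timeout_done` to True, yet test_main still branches on `elif not first_success_case_nonce_timeout_done:` (context of the following hunk). The removed assignment sat inside module_main_caller with no `global` statement in the visible lines, so it probably only bound a local and the flag never flipped before this commit either. If the expired-nonce wrapper is meant to run once rather than on every non-raising case, test_main needs `global first_success_case_nonce_timeout_done` and an assignment after the call; if running it every time is intended, the flag and the `elif` can go. Both function bodies start outside the hunk, so the flag's definition is not visible here.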
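Review bot: The rate-limit pause at the end of test_main is commented out rather than removed, and the commented version mentions an `ACCOUNT_SLEEP_SKIP` switch that no live code reads. The old comment ties the 216-second pause to the Let's Encrypt account rate limit, so dropping it without explanation may make full runs against the ACME directory fail on throttling rather than on a real defect. Either delete the block (together with the `#t_start` line in the previous hunk) and say in the commit message why the limit no longer applies, or keep it active behind the switch, `if t_diff > 0 and os.environ.get('ACCOUNT_SLEEP_SKIP') != '1':` followed by `time.sleep(t_diff)`.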
