diff options
-rw-r--r-- | tests/test_acme_dns_tiny.py | 189 |
1 files changed, 115 insertions, 74 deletions
diff --git a/tests/test_acme_dns_tiny.py b/tests/test_acme_dns_tiny.py index 9a2562d..bb96765 100644 --- a/tests/test_acme_dns_tiny.py +++ b/tests/test_acme_dns_tiny.py @@ -2,9 +2,13 @@ import collections +import inspect +import logging import os +import subprocess import sys import tempfile + import pytest @@ -14,20 +18,45 @@ sys.path.append(os.path.realpath(".")) import acme_dns_tiny -DOMAIN = os.getenv('TEST_DOMAIN') ACME_STAGING_DIRECTORY = \ 'https://acme-staging-v02.api.letsencrypt.org/directory' +DOMAIN = os.getenv('TEST_DOMAIN') CONTACT = os.getenv('TEST_CONTACT') # form: mailto:name@domain +SCRIPT = os.getenv('TEST_SCRIPT') -def test_sanity_env(): - assert DOMAIN - assert CONTACT +def funcname(): + return inspect.currentframe().f_back.f_code.co_name -@pytest.fixture(scope='module') -def casemap(tmpdir_factory): +def parent_funcname(): + return inspect.currentframe().f_back.f_back.f_code.co_name + +def assert_success(capsys, args): + name = parent_funcname() + logging.info(f'assert_success({name}, {args})') + acme_dns_tiny.main(args) + captured = capsys.readouterr() + #assert not captured.err + certlist = captured.out.split('-----BEGIN CERTIFICATE-----') + assert len(certlist) == 3 + assert certlist[0] == '' + assert '-----END CERTIFICATE-----\n' in certlist[1] + assert '-----END CERTIFICATE-----\n' in certlist[2] + textchain = acme_dns_tiny.openssl(['x509', '-text', '-noout'], + stdin=captured.out) + assert 'Issuer' in textchain + + +def assert_assertion(args): + name = parent_funcname() + logging.info(f'assert_assertion({name}, {args})') + with pytest.raises(ValueError): + acme_dns_tiny.main(args) + +@pytest.fixture(scope='module') +def keys(tmpdir_factory): tmpdir = tmpdir_factory.mktemp("data") def _gen_key(name, size): @@ -35,98 +64,110 @@ def casemap(tmpdir_factory): acme_dns_tiny.openssl(['genrsa', '-out', path, str(size)]) return path - account_key = _gen_key('account_key', 4096) - domain_key = _gen_key('domain_key', 4096) - weak_account_key = _gen_key('weak_account_key', 1024) - weak_domain_key = _gen_key('weak_domain_key', 1024) + return { + 'account_key': _gen_key('account_key', 4096), + 'domain_key': _gen_key('domain_key', 4096), + 'weak_account_key': _gen_key('weak_account_key', 1024), + 'weak_domain_key': _gen_key('weak_domain_key', 1024), + } + + +@pytest.fixture(scope='module') +def csr_args(tmpdir_factory, keys): + tmpdir = tmpdir_factory.mktemp("data") default_args = { '--acme-directory': ACME_STAGING_DIRECTORY, - '--script': 'tests/test_script.sh', - '--account-key': account_key, + '--script': SCRIPT, + '--account-key': keys['account_key'], #'--ttl': 60, # already the default '--ttl': None, '--contact': None, - #'--contact': [CONTACT], # not supported by staging directory '--verbose': None, '--quiet': None, } - def _csr(name, domain_key, subj=f'/CN={DOMAIN}'): + def _csr(subj, key_name='domain_key', san=None, args={}): + name = parent_funcname() + domain_key = keys[key_name] path = str(tmpdir.join(name)) - acme_dns_tiny.openssl([ - 'req', '-new', '-key', domain_key, '-subj', subj, '-out', path - ]) - return {**default_args, '--csr': path} - - def _san_csr(name, subj='/', san=None): - path = str(tmpdir.join(name)) - with tempfile.NamedTemporaryFile('w', encoding='utf8') as conf, \ - open('/etc/ssl/openssl.cnf', 'r', encoding='utf8') as orig: - conf.write(orig.read()) - conf.write(f'\n[SAN]\nsubjectAltName={san}\n') - conf.flush() + if san is None: acme_dns_tiny.openssl([ - 'req', '-new', '-key', domain_key, '-subj', subj, - '-reqexts', 'SAN', '-config', conf.name, '-out', path + 'req', '-new', '-key', domain_key, '-subj', subj, '-out', path ]) - return {**default_args, '--csr': path} + else: + with tempfile.NamedTemporaryFile('w', encoding='utf8') as conf, \ + open('/etc/ssl/openssl.cnf', 'r', encoding='utf8') as orig: + conf.write(orig.read()) + conf.write(f'\n[SAN]\nsubjectAltName={san}\n') + conf.flush() + acme_dns_tiny.openssl([ + 'req', '-new', '-key', domain_key, '-subj', subj, + '-reqexts', 'SAN', '-config', conf.name, '-out', path + ]) + return {**default_args, '--csr': path, **args} - return { - # single domain - 'single': _csr('csr_single', domain_key), + return _csr - # single, but weak account key used - 'weakaccountkey': { - **_csr('csr_simple', domain_key), - '--account-key': weak_account_key, - }, - # single, but weak domain key used to sign csr - 'weakdomainkey': _csr('csr_weakdomain', weak_domain_key), +def test_sanity_env(): + assert bool(DOMAIN) + assert bool(CONTACT) + assert bool(SCRIPT) - # single, csr wrongly signed by account key - 'csrbyaccount': _csr('csr_byaccount', account_key), - # wildcard domain in CN - 'wildcard': _csr('csr_wildcard', domain_key, f'/CN=*.{DOMAIN}'), +def test_sanity_command(): + subprocess.run([SCRIPT, 'add', f'_acme-challenge.{DOMAIN}.', 'dummy']) - # san only - 'sanonly': _san_csr('csr_sanonly', - san=f'DNS:{DOMAIN},DNS:www.{DOMAIN}'), - # san and cn - 'san': _san_csr('csr_san', subj=f'/CN={DOMAIN}', - san=f'DNS:www.{DOMAIN}'), +def test_success_single_domain_in_cn(csr_args, capsys): + subj = f'/CN={DOMAIN}' + assert_success(capsys, csr_args(subj)) - # san wildcard (domain + *.domain, contrary to wildcard in cn) - 'wildcardsan': _san_csr('csr_wildcardsan', - san=f'DNS:{DOMAIN},DNS:*.{DOMAIN}') - } +def test_success_wildcard_in_cn(csr_args, capsys): + subj = f'/CN=*.{DOMAIN}' + assert_success(capsys, csr_args(subj)) -def assert_certificate_chain(captured): - #assert not captured.err - certlist = captured.out.split('-----BEGIN CERTIFICATE-----') - assert len(certlist) == 3 - assert certlist[0] == '' - assert '-----END CERTIFICATE-----\n' in certlist[1] - assert '-----END CERTIFICATE-----\n' in certlist[2] - textchain = acme_dns_tiny.openssl(['x509', '-text', '-noout'], - stdin=captured.out) - assert 'Issuer' in textchain + +def test_success_san_only(csr_args, capsys): + subj = '/' + san = f'DNS:{DOMAIN},DNS:www.{DOMAIN}' + assert_success(capsys, csr_args(subj=subj, san=san)) + + +def test_success_san_only_contact(csr_args, capsys): + subj = '/' + san = f'DNS:{DOMAIN},DNS:www.{DOMAIN}' + args = {'--contact': [CONTACT]} + assert_success(capsys, csr_args(subj=subj, san=san, args=args)) + + +def test_success_san_contact(csr_args, capsys): + subj = f'/CN={DOMAIN}' + san = f'DNS:www.{DOMAIN}' + args = {'--contact': [CONTACT]} + assert_success(capsys, csr_args(subj=subj, san=san, args=args)) + + +def test_success_wildcard_san(csr_args, capsys): + subj = '/' + san = f'DNS:{DOMAIN},DNS:*.{DOMAIN}' + assert_success(capsys, csr_args(subj=subj, san=san)) + + +def test_fail_weak_account_key(csr_args, keys): + subj = f'/CN={DOMAIN}' + args = {'--account-key': keys['weak_account_key']} + assert_assertion(csr_args(subj, args=args)) -def test_success(capsys, casemap): - for name in ('single', 'wildcard', 'sanonly', 'san', 'wildcardsan'): - print(f'test_success case: {name}', file=sys.stderr) - acme_dns_tiny.main(casemap[name]) - captured = capsys.readouterr() - assert_certificate_chain(captured) +def test_fail_weak_domain_key(csr_args): + subj = f'/CN={DOMAIN}' + assert_assertion(csr_args(subj, key_name='weak_domain_key')) -def test_assert(casemap): - for name in ('weakaccountkey', 'weakdomainkey', 'csrbyaccount'): - print(f'test_assert case: {name}', file=sys.stderr) - with pytest.raises(ValueError): - acme_dns_tiny.main(casemap[name]) +def test_fail_csr_by_account(csr_args): + subj = f'/CN={DOMAIN}' + # single, csr wrongly signed by account key + assert_assertion(csr_args(subj, key_name='account_key')) |