diff --git a/tests/config_factory.py b/tests/config_factory.py
index 82a7ce46552c241f70541f12401988bdcf16f605..8531d44741b9695375f59985ce918aaca4a6f7c1 100644
--- a/tests/config_factory.py
+++ b/tests/config_factory.py
@@ -19,11 +19,13 @@ TSIGALGORITHM = os.getenv("GITLABCI_TSIGALGORITHM")
 CONTACT = os.getenv("GITLABCI_CONTACT")
-def generate_config():
+def generate_config(account_key_path=None):
 """Generate basic acme-dns-tiny configuration"""
- # Account key
- account_key = NamedTemporaryFile(delete=False)
- Popen(["openssl", "genrsa", "-out", account_key.name, "2048"]).wait()
+ # Account key should be created if not given
+ if account_key_path is None:
+ account_key = NamedTemporaryFile(delete=False)
+ Popen(["openssl", "genrsa", "-out", account_key.name, "2048"]).wait()
+ account_key_path = account_key.name
 # Domain key and CSR
 domain_key = NamedTemporaryFile(delete=False)
@@ -34,7 +36,7 @@ def generate_config():
 # acme-dns-tiny configuration
 parser = configparser.ConfigParser()
 parser.read("./example.ini")
- parser["acmednstiny"]["AccountKeyFile"] = account_key.name
+ parser["acmednstiny"]["AccountKeyFile"] = account_key_path
 parser["acmednstiny"]["CSRFile"] = domain_csr.name
 parser["acmednstiny"]["ACMEDirectory"] = ACMEDIRECTORY
 if CONTACT:
@@ -49,7 +51,7 @@ def generate_config():
 parser["DNS"]["Zone"] = DNSZONE
 parser["DNS"]["TTL"] = DNSTTL
- return account_key.name, domain_key.name, domain_csr.name, parser
+ return account_key_path, domain_key.name, domain_csr.name, parser
 def generate_acme_dns_tiny_unit_test_config():
@@ -77,7 +79,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
 config.write(configfile)
 # Simple configuration with good options, without contacts field
- account_key, domain_key, _, config = generate_config()
+ _, domain_key, _, config = generate_config(account_key)
 os.remove(domain_key)
 config.remove_option("acmednstiny", "Contacts")
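Review bot: In the `@@ -19,11 +19,13 @@` hunk the exit status of `Popen([...]).wait()` is discarded, so a failed `openssl genrsa` leaves `account_key_path` pointing at an empty temporary file and the failure only shows up later in whichever test loads the key. Check the result where the key is generated, for example `if Popen(["openssl", "genrsa", "-out", account_key.name, "2048"]).wait() != 0: raise RuntimeError("openssl genrsa failed")`. The docstring should also state that `account_key_path` names an existing account key to reuse and that a new 2048-bit key is generated when it is None. The body of generate_config continues outside this hunk.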
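Review bot: From the `@@ -77,7 +79,7 @@` hunk onward (and in the `-87`, `-97`, `-108`, `-118` and `-136` hunks) every configuration is built on one `account_key` that is bound outside the visible hunks, and nothing at the call sites says this sharing is intentional. A comment at the first reuse, such as `# Reuse the account key created above so all staging configs share one ACME account`, would make the coupling explicit. Any cleanup that deletes a configuration's account key file now affects all of them; the teardown is not shown in this diff, so confirm it removes the shared file only once.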
@@ -87,7 +89,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
 config.write(configfile)
 # Simple configuration without CSR in configuration (will be passed as argument)
- account_key, domain_key, cname_csr, config = generate_config()
+ _, domain_key, cname_csr, config = generate_config(account_key)
 os.remove(domain_key)
 config.remove_option("acmednstiny", "CSRFile")
@@ -97,7 +99,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
 config.write(configfile)
 # Configuration with CSR containing a wildcard domain
- account_key, domain_key, domain_csr, config = generate_config()
+ _, domain_key, domain_csr, config = generate_config(account_key)
 Popen(["openssl", "req", "-newkey", "rsa:2048", "-nodes", "-keyout", domain_key, "-subj", "/CN=*.{0}".format(DOMAIN), "-out", domain_csr]).wait()
@@ -108,7 +110,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
 config.write(configfile)
 # Configuration with IP as DNS Host
- account_key, domain_key, _, config = generate_config()
+ _, domain_key, _, config = generate_config(account_key)
 os.remove(domain_key)
 config["DNS"]["Host"] = DNSHOSTIP
@@ -118,7 +120,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
 config.write(configfile)
 # Configuration with CSR using subject alt-name domain instead of CN (common name)
- account_key, domain_key, domain_csr, config = generate_config()
+ _, domain_key, domain_csr, config = generate_config(account_key)
 san_conf = NamedTemporaryFile(delete=False)
 with open("/etc/ssl/openssl.cnf", 'r') as opensslcnf:
@@ -136,7 +138,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
 config.write(configfile)
 # Configuration with CSR containing a wildcard domain inside subjetcAltName
- account_key, domain_key, domain_csr, config = generate_config()
+ _, domain_key, domain_csr, config = generate_config(account_key)
 wild_san_conf = NamedTemporaryFile(delete=False)
 with open("/etc/ssl/openssl.cnf", 'r') as opensslcnf:
@@ -154,34 +156,13 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
 with open(wild_san.name, 'w') as configfile:
 config.write(configfile)
- # Bad configuration with weak 1024 bit account key
- account_key, domain_key, _, config = generate_config()
- os.remove(domain_key)
-
- Popen(["openssl", "genrsa", "-out", account_key, "1024"]).wait()
-
- weak_key = NamedTemporaryFile(delete=False)
- with open(weak_key.name, 'w') as configfile:
- config.write(configfile)
-
- # Bad configuration with account key as domain key
- account_key, domain_key, domain_csr, config = generate_config()
+ # Invalid TSIG key name
+ _, domain_key, _, config = generate_config(account_key)
 os.remove(domain_key)
- # Create a new CSR signed with the account key instead of domain key
- Popen(["openssl", "req", "-new", "-sha256", "-key", account_key,
- "-subj", "/CN={0}".format(DOMAIN), "-out", domain_csr]).wait()
-
- account_as_domain = NamedTemporaryFile(delete=False)
- with open(account_as_domain.name, 'w') as configfile:
- config.write(configfile)
-
- # Create config parser from the good default config to generate custom configs
- account_key, domain_key, _, config = generate_config()
- os.remove(domain_key)
+ config["TSIGKeyring"]["KeyName"] = "{0}.invalid".format(TSIGKEYNAME)
 invalid_tsig_name = NamedTemporaryFile(delete=False)
- config["TSIGKeyring"]["KeyName"] = "{0}.invalid".format(TSIGKEYNAME)
 with open(invalid_tsig_name.name, 'w') as configfile:
 config.write(configfile)
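Review bot: The `@@ -154,34 +156,13 @@` hunk drops the `weak_key` and `account_as_domain` configurations, and the hunk in tests/staging_test_acme_dns_tiny.py drops `test_weak_key` and `test_account_key_domain`, so nothing visible in this diff still exercises rejection of a 1024-bit account key or of a CSR signed with the account key. Only the weak-key case conflicts with the shared account key, because it overwrote the key file in place; the account-as-domain block only reads `account_key` to sign a CSR and could stay as it was. If these checks have not moved to another suite, the weak-key configuration can be kept by generating its own 1024-bit key and passing that path through the new `account_key_path` parameter, as sketched below; the `"weak_key"` dictionary entry and its test would then stay as well.

```python
    # Bad configuration with weak 1024 bit account key (dedicated key file,
    # so the shared account key is left untouched)
    weak_account_key = NamedTemporaryFile(delete=False)
    Popen(["openssl", "genrsa", "-out", weak_account_key.name, "1024"]).wait()
    _, domain_key, _, config = generate_config(weak_account_key.name)
    os.remove(domain_key)

    weak_key = NamedTemporaryFile(delete=False)
    with open(weak_key.name, 'w') as configfile:
        config.write(configfile)
    # … unchanged: invalid TSIG key name configuration …
```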
@@ -194,8 +175,6 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
 "dns_host_ip": dns_host_ip.name,
 "good_san": good_san.name,
 "wild_san": wild_san.name,
- "weak_key": weak_key.name,
- "account_as_domain": account_as_domain.name,
 "invalid_tsig_name": invalid_tsig_name.name,
 # cname CSR file to use with good_cname_without_csr as argument
 "cname_csr": cname_csr,
diff --git a/tests/staging_test_acme_dns_tiny.py b/tests/staging_test_acme_dns_tiny.py
index c2f1e006653a089c3e2c45f34d9e865f52a46ec4..f23129283122d781a4706a45af2c902901804df5 100644
--- a/tests/staging_test_acme_dns_tiny.py
+++ b/tests/staging_test_acme_dns_tiny.py
@@ -196,23 +196,10 @@ class TestACMEDNSTiny(unittest.TestCase):
 self._assert_certificate_chain(certchain)
- def test_weak_key(self):
- """Let's Encrypt rejects weak keys."""
- self.assertRaisesRegex(ValueError,
- "key too small",
- acme_dns_tiny.main, [self.configs['weak_key'], "--verbose"])
-
- def test_account_key_domain(self):
- """Can't use the account key for the CSR."""
- self.assertRaisesRegex(ValueError,
- "certificate public key must be different than account key",
- acme_dns_tiny.main, [self.configs['account_as_domain'],
- "--verbose"])
-
 def test_failure_dns_update_tsigkeyname(self):
 """Fail to update DNS records by invalid TSIG Key name."""
 self.assertRaisesRegex(ValueError,
- "Error updating DNS",
+ "Error updating DNS records",
 acme_dns_tiny.main, [self.configs['invalid_tsig_name'], "--verbose"])