Commit 9ed78bde authored by Adrien Dorsaz's avatar Adrien Dorsaz

staging acme_dns_tiny: use same account key for all tests, remove tests which...

staging acme_dns_tiny: use same account key for all tests, remove tests which were testing server exceptions
parent a86c633e
Pipeline #277 passed with stages
in 17 minutes and 23 seconds
...@@ -19,11 +19,13 @@ TSIGALGORITHM = os.getenv("GITLABCI_TSIGALGORITHM") ...@@ -19,11 +19,13 @@ TSIGALGORITHM = os.getenv("GITLABCI_TSIGALGORITHM")
CONTACT = os.getenv("GITLABCI_CONTACT") CONTACT = os.getenv("GITLABCI_CONTACT")
def generate_config(): def generate_config(account_key_path=None):
"""Generate basic acme-dns-tiny configuration""" """Generate basic acme-dns-tiny configuration"""
# Account key # Account key should be created if not given
account_key = NamedTemporaryFile(delete=False) if account_key_path is None:
Popen(["openssl", "genrsa", "-out", account_key.name, "2048"]).wait() account_key = NamedTemporaryFile(delete=False)
Popen(["openssl", "genrsa", "-out", account_key.name, "2048"]).wait()
account_key_path = account_key.name
# Domain key and CSR # Domain key and CSR
domain_key = NamedTemporaryFile(delete=False) domain_key = NamedTemporaryFile(delete=False)
...@@ -34,7 +36,7 @@ def generate_config(): ...@@ -34,7 +36,7 @@ def generate_config():
# acme-dns-tiny configuration # acme-dns-tiny configuration
parser = configparser.ConfigParser() parser = configparser.ConfigParser()
parser.read("./example.ini") parser.read("./example.ini")
parser["acmednstiny"]["AccountKeyFile"] = account_key.name parser["acmednstiny"]["AccountKeyFile"] = account_key_path
parser["acmednstiny"]["CSRFile"] = domain_csr.name parser["acmednstiny"]["CSRFile"] = domain_csr.name
parser["acmednstiny"]["ACMEDirectory"] = ACMEDIRECTORY parser["acmednstiny"]["ACMEDirectory"] = ACMEDIRECTORY
if CONTACT: if CONTACT:
...@@ -49,7 +51,7 @@ def generate_config(): ...@@ -49,7 +51,7 @@ def generate_config():
parser["DNS"]["Zone"] = DNSZONE parser["DNS"]["Zone"] = DNSZONE
parser["DNS"]["TTL"] = DNSTTL parser["DNS"]["TTL"] = DNSTTL
return account_key.name, domain_key.name, domain_csr.name, parser return account_key_path, domain_key.name, domain_csr.name, parser
def generate_acme_dns_tiny_unit_test_config(): def generate_acme_dns_tiny_unit_test_config():
...@@ -77,7 +79,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many ...@@ -77,7 +79,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
config.write(configfile) config.write(configfile)
# Simple configuration with good options, without contacts field # Simple configuration with good options, without contacts field
account_key, domain_key, _, config = generate_config() _, domain_key, _, config = generate_config(account_key)
os.remove(domain_key) os.remove(domain_key)
config.remove_option("acmednstiny", "Contacts") config.remove_option("acmednstiny", "Contacts")
...@@ -87,7 +89,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many ...@@ -87,7 +89,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
config.write(configfile) config.write(configfile)
# Simple configuration without CSR in configuration (will be passed as argument) # Simple configuration without CSR in configuration (will be passed as argument)
account_key, domain_key, cname_csr, config = generate_config() _, domain_key, cname_csr, config = generate_config(account_key)
os.remove(domain_key) os.remove(domain_key)
config.remove_option("acmednstiny", "CSRFile") config.remove_option("acmednstiny", "CSRFile")
...@@ -97,7 +99,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many ...@@ -97,7 +99,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
config.write(configfile) config.write(configfile)
# Configuration with CSR containing a wildcard domain # Configuration with CSR containing a wildcard domain
account_key, domain_key, domain_csr, config = generate_config() _, domain_key, domain_csr, config = generate_config(account_key)
Popen(["openssl", "req", "-newkey", "rsa:2048", "-nodes", "-keyout", domain_key, Popen(["openssl", "req", "-newkey", "rsa:2048", "-nodes", "-keyout", domain_key,
"-subj", "/CN=*.{0}".format(DOMAIN), "-out", domain_csr]).wait() "-subj", "/CN=*.{0}".format(DOMAIN), "-out", domain_csr]).wait()
...@@ -108,7 +110,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many ...@@ -108,7 +110,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
config.write(configfile) config.write(configfile)
# Configuration with IP as DNS Host # Configuration with IP as DNS Host
account_key, domain_key, _, config = generate_config() _, domain_key, _, config = generate_config(account_key)
os.remove(domain_key) os.remove(domain_key)
config["DNS"]["Host"] = DNSHOSTIP config["DNS"]["Host"] = DNSHOSTIP
...@@ -118,7 +120,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many ...@@ -118,7 +120,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
config.write(configfile) config.write(configfile)
# Configuration with CSR using subject alt-name domain instead of CN (common name) # Configuration with CSR using subject alt-name domain instead of CN (common name)
account_key, domain_key, domain_csr, config = generate_config() _, domain_key, domain_csr, config = generate_config(account_key)
san_conf = NamedTemporaryFile(delete=False) san_conf = NamedTemporaryFile(delete=False)
with open("/etc/ssl/openssl.cnf", 'r') as opensslcnf: with open("/etc/ssl/openssl.cnf", 'r') as opensslcnf:
...@@ -136,7 +138,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many ...@@ -136,7 +138,7 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
config.write(configfile) config.write(configfile)
# Configuration with CSR containing a wildcard domain inside subjetcAltName # Configuration with CSR containing a wildcard domain inside subjetcAltName
account_key, domain_key, domain_csr, config = generate_config() _, domain_key, domain_csr, config = generate_config(account_key)
wild_san_conf = NamedTemporaryFile(delete=False) wild_san_conf = NamedTemporaryFile(delete=False)
with open("/etc/ssl/openssl.cnf", 'r') as opensslcnf: with open("/etc/ssl/openssl.cnf", 'r') as opensslcnf:
...@@ -154,34 +156,13 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many ...@@ -154,34 +156,13 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
with open(wild_san.name, 'w') as configfile: with open(wild_san.name, 'w') as configfile:
config.write(configfile) config.write(configfile)
# Bad configuration with weak 1024 bit account key # Invalid TSIG key name
account_key, domain_key, _, config = generate_config() _, domain_key, _, config = generate_config(account_key)
os.remove(domain_key)
Popen(["openssl", "genrsa", "-out", account_key, "1024"]).wait()
weak_key = NamedTemporaryFile(delete=False)
with open(weak_key.name, 'w') as configfile:
config.write(configfile)
# Bad configuration with account key as domain key
account_key, domain_key, domain_csr, config = generate_config()
os.remove(domain_key) os.remove(domain_key)
# Create a new CSR signed with the account key instead of domain key config["TSIGKeyring"]["KeyName"] = "{0}.invalid".format(TSIGKEYNAME)
Popen(["openssl", "req", "-new", "-sha256", "-key", account_key,
"-subj", "/CN={0}".format(DOMAIN), "-out", domain_csr]).wait()
account_as_domain = NamedTemporaryFile(delete=False)
with open(account_as_domain.name, 'w') as configfile:
config.write(configfile)
# Create config parser from the good default config to generate custom configs
account_key, domain_key, _, config = generate_config()
os.remove(domain_key)
invalid_tsig_name = NamedTemporaryFile(delete=False) invalid_tsig_name = NamedTemporaryFile(delete=False)
config["TSIGKeyring"]["KeyName"] = "{0}.invalid".format(TSIGKEYNAME)
with open(invalid_tsig_name.name, 'w') as configfile: with open(invalid_tsig_name.name, 'w') as configfile:
config.write(configfile) config.write(configfile)
...@@ -194,8 +175,6 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many ...@@ -194,8 +175,6 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
"dns_host_ip": dns_host_ip.name, "dns_host_ip": dns_host_ip.name,
"good_san": good_san.name, "good_san": good_san.name,
"wild_san": wild_san.name, "wild_san": wild_san.name,
"weak_key": weak_key.name,
"account_as_domain": account_as_domain.name,
"invalid_tsig_name": invalid_tsig_name.name, "invalid_tsig_name": invalid_tsig_name.name,
# cname CSR file to use with good_cname_without_csr as argument # cname CSR file to use with good_cname_without_csr as argument
"cname_csr": cname_csr, "cname_csr": cname_csr,
......
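Review bot: The exit status of `openssl genrsa` in `generate_config` is discarded by `Popen(...).wait()`, and after this change that single key file is passed to every later `generate_config(account_key)` call, so a failed or partial key generation would surface as unrelated errors across all staging tests rather than where it happened. Check the result where the key is created, e.g. `if Popen(["openssl", "genrsa", "-out", account_key.name, "2048"]).wait() != 0: raise RuntimeError("account key generation failed")`, and reject a caller-supplied `account_key_path` that does not exist. Because the key is created with `delete=False` and is now shared, whatever cleanup removes `AccountKeyFile` per config (not visible in these hunks) should delete it exactly once, after the last test, so the private key neither disappears mid-run nor lingers in the temp directory. The new parameter also deserves a docstring line such as `account_key_path: existing account key file to reuse; a new 2048-bit RSA key is generated when None`.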
...@@ -196,23 +196,10 @@ class TestACMEDNSTiny(unittest.TestCase): ...@@ -196,23 +196,10 @@ class TestACMEDNSTiny(unittest.TestCase):
self._assert_certificate_chain(certchain) self._assert_certificate_chain(certchain)
def test_weak_key(self):
"""Let's Encrypt rejects weak keys."""
self.assertRaisesRegex(ValueError,
"key too small",
acme_dns_tiny.main, [self.configs['weak_key'], "--verbose"])
def test_account_key_domain(self):
"""Can't use the account key for the CSR."""
self.assertRaisesRegex(ValueError,
"certificate public key must be different than account key",
acme_dns_tiny.main, [self.configs['account_as_domain'],
"--verbose"])
def test_failure_dns_update_tsigkeyname(self): def test_failure_dns_update_tsigkeyname(self):
"""Fail to update DNS records by invalid TSIG Key name.""" """Fail to update DNS records by invalid TSIG Key name."""
self.assertRaisesRegex(ValueError, self.assertRaisesRegex(ValueError,
"Error updating DNS", "Error updating DNS records",
acme_dns_tiny.main, [self.configs['invalid_tsig_name'], acme_dns_tiny.main, [self.configs['invalid_tsig_name'],
"--verbose"]) "--verbose"])
......
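Review bot: `test_failure_dns_update_tsigkeyname` now matches only the text `"Error updating DNS records"`, which presumably is raised for any failed update, so the test would still pass if the update failed for a reason unrelated to the invalid TSIG key name (resolver unreachable, wrong zone). If the `ValueError` message carries the underlying DNS error detail, extend the pattern to include it; otherwise add a comment saying the message is generic and the cause is not asserted. With `test_weak_key` and `test_account_key_domain` removed, nothing visible in this suite exercises how the client reports a rejected weak account key or an account key reused as the certificate key. If that is deliberately left to the ACME server, state it in the class docstring, or cover the client's error-handling path with a mocked server response in the unit tests. The class body continues outside this hunk.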