Commit da5845ac authored by Adrien Dorsaz's avatar Adrien Dorsaz

config_factory: rewrite to create a different config with different keys for each test

parent 1d0d558b
...@@ -46,99 +46,120 @@ def generate_config(): ...@@ -46,99 +46,120 @@ def generate_config():
parser["DNS"]["Zone"] = DNSZONE parser["DNS"]["Zone"] = DNSZONE
parser["DNS"]["TTL"] = DNSTTL parser["DNS"]["TTL"] = DNSTTL
config = NamedTemporaryFile(delete=False) return account_key.name, domain_key.name, domain_csr.name, parser
with open(config.name, 'w') as configfile:
parser.write(configfile)
return account_key.name, domain_key.name, domain_csr.name, config.name
# generate account and domain keys # generate account and domain keys
def generate_acme_dns_tiny_config(): def generate_acme_dns_tiny_config():
# Simple good configuration # Simple configuration with good options
account_key, domain_key, domain_csr, goodCName = generate_config(); account_key, domain_key, domain_csr, config = generate_config();
os.remove(domain_key)
# CSR for good configuration with wildcard domain
wilddomain_csr = NamedTemporaryFile(delete=False)
Popen(["openssl", "req", "-newkey", "rsa:2048", "-nodes", "-keyout", domain_key,
"-subj", "/CN=*.{0}".format(DOMAIN), "-out", wilddomain_csr.name]).wait()
# weak 1024 bit account key
weak_key = NamedTemporaryFile(delete=False)
Popen(["openssl", "genrsa", "-out", weak_key.name, "1024"]).wait()
# CSR using subject alt-name domain instead of CN (common name) goodCName = NamedTemporaryFile(delete=False)
san_csr = NamedTemporaryFile(delete=False) with open(goodCName.name, 'w') as configfile:
san_conf = NamedTemporaryFile(delete=False) config.write(configfile)
san_conf.write(open("/etc/ssl/openssl.cnf").read().encode("utf8"))
san_conf.write("\n[SAN]\nsubjectAltName=DNS:{0},DNS:www.{0}\n".format(DOMAIN).encode("utf8"))
san_conf.seek(0)
Popen(["openssl", "req", "-new", "-sha256", "-key", domain_key,
"-subj", "/", "-reqexts", "SAN", "-config", san_conf.name,
"-out", san_csr.name]).wait()
# CSR using wildcard in subject alt-name domain
wildsan_csr = NamedTemporaryFile(delete=False)
wildsan_conf = NamedTemporaryFile(delete=False)
wildsan_conf.write(open("/etc/ssl/openssl.cnf").read().encode("utf8"))
wildsan_conf.write("\n[SAN]\nsubjectAltName=DNS:{0},DNS:*.{0}\n".format(DOMAIN).encode("utf8"))
wildsan_conf.seek(0)
Popen(["openssl", "req", "-new", "-sha256", "-key", domain_key,
"-subj", "/", "-reqexts", "SAN", "-config", wildsan_conf.name,
"-out", wildsan_csr.name]).wait()
# CSR signed with the account key # Simple configuration without CSR in configuration (will be passed as argument)
account_csr = NamedTemporaryFile(delete=False) account_key, domain_key, domain_csr, config = generate_config();
Popen(["openssl", "req", "-new", "-sha256", "-key", account_key, os.remove(domain_key)
"-subj", "/CN={0}".format(DOMAIN), "-out", account_csr.name]).wait()
# Create config parser from the good default config to generate custom configs cnameCSR = domain_csr
config = configparser.ConfigParser() config.remove_option("acmednstiny", "CSRFile")
config.read(goodCName)
goodCNameWithoutCSR = NamedTemporaryFile(delete=False) goodCNameWithoutCSR = NamedTemporaryFile(delete=False)
config.remove_option("acmednstiny", "CSRFile")
with open(goodCNameWithoutCSR.name, 'w') as configfile: with open(goodCNameWithoutCSR.name, 'w') as configfile:
config.write(configfile) config.write(configfile)
# Configuration with CSR containing a wildcard domain
account_key, domain_key, domain_csr, config = generate_config();
Popen(["openssl", "req", "-newkey", "rsa:2048", "-nodes", "-keyout", domain_key,
"-subj", "/CN=*.{0}".format(DOMAIN), "-out", domain_csr]).wait()
os.remove(domain_key)
wildCName = NamedTemporaryFile(delete=False) wildCName = NamedTemporaryFile(delete=False)
config["acmednstiny"]["CSRFile"] = wilddomain_csr.name
with open(wildCName.name, 'w') as configfile: with open(wildCName.name, 'w') as configfile:
config.write(configfile) config.write(configfile)
dnsHostIP = NamedTemporaryFile(delete=False) # Configuration with IP as DNS Host
account_key, domain_key, domain_csr, config = generate_config();
os.remove(domain_key)
config["DNS"]["Host"] = DNSHOSTIP config["DNS"]["Host"] = DNSHOSTIP
dnsHostIP = NamedTemporaryFile(delete=False)
with open(dnsHostIP.name, 'w') as configfile: with open(dnsHostIP.name, 'w') as configfile:
config.write(configfile) config.write(configfile)
config["DNS"]["Host"] = DNSHOST
# Configuration with CSR using subject alt-name domain instead of CN (common name)
account_key, domain_key, domain_csr, config = generate_config();
san_conf = NamedTemporaryFile(delete=False)
san_conf.write(open("/etc/ssl/openssl.cnf").read().encode("utf8"))
san_conf.write("\n[SAN]\nsubjectAltName=DNS:{0},DNS:www.{0}\n".format(DOMAIN).encode("utf8"))
san_conf.seek(0)
Popen(["openssl", "req", "-new", "-sha256", "-key", domain_key,
"-subj", "/", "-reqexts", "SAN", "-config", san_conf.name,
"-out", domain_csr]).wait()
os.remove(san_conf.name)
os.remove(domain_key)
goodSAN = NamedTemporaryFile(delete=False) goodSAN = NamedTemporaryFile(delete=False)
config["acmednstiny"]["CSRFile"] = san_csr.name
with open(goodSAN.name, 'w') as configfile: with open(goodSAN.name, 'w') as configfile:
config.write(configfile) config.write(configfile)
# Configuration with CSR containing a wildcard domain inside subjetcAltName
account_key, domain_key, domain_csr, config = generate_config();
wildsan_conf = NamedTemporaryFile(delete=False)
wildsan_conf.write(open("/etc/ssl/openssl.cnf").read().encode("utf8"))
wildsan_conf.write("\n[SAN]\nsubjectAltName=DNS:{0},DNS:*.{0}\n".format(DOMAIN).encode("utf8"))
wildsan_conf.seek(0)
Popen(["openssl", "req", "-new", "-sha256", "-key", domain_key,
"-subj", "/", "-reqexts", "SAN", "-config", wildsan_conf.name,
"-out", domain_csr]).wait()
os.remove(wildsan_conf.name)
os.remove(domain_key)
wildSAN = NamedTemporaryFile(delete=False) wildSAN = NamedTemporaryFile(delete=False)
config["acmednstiny"]["CSRFile"] = wildsan_csr.name
with open(wildSAN.name, 'w') as configfile: with open(wildSAN.name, 'w') as configfile:
config.write(configfile) config.write(configfile)
# Bad configuration with weak 1024 bit account key
account_key, domain_key, domain_csr, config = generate_config();
os.remove(domain_key)
Popen(["openssl", "genrsa", "-out", account_key, "1024"]).wait()
weakKey = NamedTemporaryFile(delete=False) weakKey = NamedTemporaryFile(delete=False)
config["acmednstiny"]["AccountKeyFile"] = weak_key.name
config["acmednstiny"]["CSRFile"] = domain_csr
with open(weakKey.name, 'w') as configfile: with open(weakKey.name, 'w') as configfile:
config.write(configfile) config.write(configfile)
# Bad configuration with account key as domain key
account_key, domain_key, domain_csr, config = generate_config();
os.remove(domain_key)
# Create a new CSR signed with the account key instead of domain key
Popen(["openssl", "req", "-new", "-sha256", "-key", account_key,
"-subj", "/CN={0}".format(DOMAIN), "-out", domain_csr]).wait()
accountAsDomain = NamedTemporaryFile(delete=False) accountAsDomain = NamedTemporaryFile(delete=False)
config["acmednstiny"]["AccountKeyFile"] = account_key
config["acmednstiny"]["CSRFile"] = account_csr.name
with open(accountAsDomain.name, 'w') as configfile: with open(accountAsDomain.name, 'w') as configfile:
config.write(configfile) config.write(configfile)
# Create config parser from the good default config to generate custom configs
account_key, domain_key, domain_csr, config = generate_config();
os.remove(domain_key)
invalidTSIGName = NamedTemporaryFile(delete=False) invalidTSIGName = NamedTemporaryFile(delete=False)
config["TSIGKeyring"]["KeyName"] = "{0}.invalid".format(TSIGKEYNAME) config["TSIGKeyring"]["KeyName"] = "{0}.invalid".format(TSIGKEYNAME)
config["acmednstiny"]["CSRFile"] = domain_csr
with open(invalidTSIGName.name, 'w') as configfile: with open(invalidTSIGName.name, 'w') as configfile:
config.write(configfile) config.write(configfile)
# Create config parser from the good default config to generate custom configs
account_key, domain_key, domain_csr, config = generate_config();
os.remove(domain_key)
missingDNS = NamedTemporaryFile(delete=False) missingDNS = NamedTemporaryFile(delete=False)
config["DNS"] = {} config["DNS"] = {}
with open(missingDNS.name, 'w') as configfile: with open(missingDNS.name, 'w') as configfile:
...@@ -146,7 +167,7 @@ def generate_acme_dns_tiny_config(): ...@@ -146,7 +167,7 @@ def generate_acme_dns_tiny_config():
return { return {
# configs # configs
"goodCName": goodCName, "goodCName": goodCName.name,
"goodCNameWithoutCSR": goodCNameWithoutCSR.name, "goodCNameWithoutCSR": goodCNameWithoutCSR.name,
"wildCName": wildCName.name, "wildCName": wildCName.name,
"dnsHostIP": dnsHostIP.name, "dnsHostIP": dnsHostIP.name,
...@@ -156,9 +177,7 @@ def generate_acme_dns_tiny_config(): ...@@ -156,9 +177,7 @@ def generate_acme_dns_tiny_config():
"accountAsDomain": accountAsDomain.name, "accountAsDomain": accountAsDomain.name,
"invalidTSIGName": invalidTSIGName.name, "invalidTSIGName": invalidTSIGName.name,
"missingDNS": missingDNS.name, "missingDNS": missingDNS.name,
# key (just to simply remove the account from staging server) # CName CSR file to use with goodCNameWithoutCSR as argument
"accountkey": account_key,
# CName CSR file to use with goodCNameWithoutCSR
"cnameCSR": domain_csr, "cnameCSR": domain_csr,
} }
...@@ -166,14 +185,19 @@ def generate_acme_dns_tiny_config(): ...@@ -166,14 +185,19 @@ def generate_acme_dns_tiny_config():
def generate_acme_account_rollover_config(): def generate_acme_account_rollover_config():
# Old account is directly created by the config generator # Old account is directly created by the config generator
old_account_key, domain_key, domain_csr, config = generate_config() old_account_key, domain_key, domain_csr, config = generate_config()
os.remove(domain_key)
# New account key # New account key
new_account_key = NamedTemporaryFile(delete=False) new_account_key = NamedTemporaryFile(delete=False)
Popen(["openssl", "genrsa", "-out", new_account_key.name, "2048"]).wait() Popen(["openssl", "genrsa", "-out", new_account_key.name, "2048"]).wait()
rolloverAccount = NamedTemporaryFile(delete=False)
with open(rolloverAccount.name, 'w') as configfile:
config.write(configfile)
return { return {
# config and keys (returned to keep files on system) # config and keys (returned to keep files on system)
"config": config, "config": rolloverAccount.name,
"oldaccountkey": old_account_key, "oldaccountkey": old_account_key,
"newaccountkey": new_account_key.name "newaccountkey": new_account_key.name
} }
...@@ -182,8 +206,13 @@ def generate_acme_account_rollover_config(): ...@@ -182,8 +206,13 @@ def generate_acme_account_rollover_config():
def generate_acme_account_deactivate_config(): def generate_acme_account_deactivate_config():
# Account key is created by the by the config generator # Account key is created by the by the config generator
account_key, domain_key, domain_csr, config = generate_config() account_key, domain_key, domain_csr, config = generate_config()
os.remove(domain_key)
deactivateAccount = NamedTemporaryFile(delete=False)
with open(deactivateAccount.name, 'w') as configfile:
config.write(configfile)
return { return {
"config": config, "config": deactivateAccount.name,
"key": account_key "key": account_key
} }
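Review bot: The `cnameCSR` entry returned at the end of generate_acme_dns_tiny_config (hunk `@@ -156,9 +177,7`) is still `domain_csr`, which by then has been rebound by the last `generate_config()` call in the missingDNS block, so the `cnameCSR = domain_csr` saved in the goodCNameWithoutCSR block is never read and the CSR handed back does not belong to that config; the entry should read `"cnameCSR": cnameCSR,`. Every `Popen([... "openssl" ...]).wait()` in the first hunk discards the exit status, so a failed key or CSR generation (openssl missing, `/etc/ssl/openssl.cnf` absent) leaves an empty CSR file and the fixture silently exercises the wrong thing; `subprocess.check_call(...)` or a check on the returned code would fail fast. The return dict also drops the `accountkey` entry the old code kept "to simply remove the account from staging server", so with one fresh account key per config the tests now appear to have no handle to deactivate the accounts they register, and each key file presumably stays behind in the temp directory given `delete=False`; returning the per-config account keys, or deactivating them in a teardown, looks necessary. generate_config's body starts before the first hunk, so whether it also registers the account is not visible here.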