2 # shunit2 tests for certmaster
3 # (sorry bats, but I couldn't figure out how to push a command into the background with ya)
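# NOTE(review): the function header and closing brace that wrapped this run
# (original lines 4-6 and 16) are not on this page. It is the one-time fixture
# setup — presumably shunit2's oneTimeSetUp — confirm before relying on that.
#
# Stop any daemon left over from a previous run. It may not be running, so a
# non-zero status here is expected and deliberately ignored.
/etc/init.d/certmaster stop >/dev/null 2>&1 || true
# Install the test configs for the CA daemon and for the requesting minion.
# The .tst sources are resolved relative to the current directory.
mkdir -p -- /etc/certmaster
cp -- certmaster.conf.tst /etc/certmaster/certmaster.conf
cp -- minion.conf.tst /etc/certmaster/minion.conf
# Wipe daemon state. /var/lib/certmaster/test lives under /var/lib/certmaster,
# so a single rm covers both.
rm -rf -- /var/lib/certmaster
# Wipe every CA directory the tests inspect, including the sha1/sha224 CAs:
# a stale cert from an earlier run would otherwise let an autosigning test
# pass without the daemon having issued anything.
rm -rf -- /etc/pki/certmaster /etc/pki/certmaster-test \
          /etc/pki/certmaster-sha1 /etc/pki/certmaster-sha224
# Start the daemon under test; surface a failed start on stderr instead of
# letting every later test fail with less obvious symptoms.
/etc/init.d/certmaster start >/dev/null 2>&1 \
  || printf 'warning: /etc/init.d/certmaster start failed\n' >&2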
# NOTE(review): the function header wrapping this command (original lines
# 17-18) is not on this page; it reads as the one-time teardown — confirm.
# Stop the daemon started by the fixture setup, discarding its output.
/etc/init.d/certmaster stop >/dev/null 2>&1
# The CA administration tool must be installed and executable.
test_CertmasterCaAvailable() {
  local rc
  [[ -x /usr/bin/certmaster-ca ]]
  rc=$?
  assertTrue "certmaster-ca exists" "$rc"
}
# The minion-side request tool must be installed and executable.
test_CertmasterRequestAvailable() {
  local rc
  [[ -x /usr/bin/certmaster-request ]]
  rc=$?
  assertTrue "certmaster-request exists" "$rc"
}
# The daemon started by the fixture setup must report itself as running;
# the init script's exit status is handed to shunit2 as-is.
test_CertmasterDaemonRunning() {
  local status_rc
  /etc/init.d/certmaster status
  status_rc=$?
  assertTrue "certmaster daemon running" "$status_rc"
}
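# --help output of certmaster-request must match the expected usage text.
test_CertmasterRequestHelp() {
  local actual expected
  actual=$(certmaster-request --help)
  # NOTE(review): reconstructed from the page. The blank line and "Options:"
  # header follow optparse's standard layout but are not visible here, and the
  # column alignment of the option descriptions is not recoverable — confirm
  # against the tool's real output.
  expected=$(cat <<'EOF'
Usage: certmaster-request [options]

Options:
  -h, --help show this help message and exit
  --hostname=NAME hostname to use as the CN for the certificate
  --ca=CA certificate authority used to sign the certificate
EOF
)
  # shunit2's argument order is: message, expected, actual. They were swapped,
  # which makes failure output read backwards.
  assertEquals "certmaster-request --help" "$expected" "$actual"
}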
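# -h must print exactly the same usage text as --help.
test_CertmasterRequestHFlag() {
  local actual expected
  actual=$(certmaster-request -h)
  # NOTE(review): reconstructed from the page. The blank line and "Options:"
  # header follow optparse's standard layout but are not visible here, and the
  # column alignment of the option descriptions is not recoverable — confirm
  # against the tool's real output.
  expected=$(cat <<'EOF'
Usage: certmaster-request [options]

Options:
  -h, --help show this help message and exit
  --hostname=NAME hostname to use as the CN for the certificate
  --ca=CA certificate authority used to sign the certificate
EOF
)
  # shunit2's argument order is: message, expected, actual (was swapped).
  assertEquals "certmaster-request -h" "$expected" "$actual"
}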
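# An unknown option must produce the usage line plus an option-parser error.
test_CertmasterRequestBadFlag() {
  local actual expected
  # The error goes to stderr, so merge it into the captured output.
  actual=$(certmaster-request --blah 2>&1)
  # NOTE(review): reconstructed from the page; the blank line between the
  # usage line and the error is the option parser's standard layout — confirm.
  expected=$(cat <<'EOF'
Usage: certmaster-request [options]

certmaster-request: error: no such option: --blah
EOF
)
  # shunit2's argument order is: message, expected, actual (was swapped).
  assertEquals "certmaster-request --blah" "$expected" "$actual"
}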
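# Requesting against a CA that is not configured must fail with a clear error.
test_CertmasterRequest_UnknownCA() {
  local actual expected
  # The error goes to stderr, so merge it into the captured output.
  actual=$(certmaster-request --hostname unknown.pwan.co --ca unknown 2>&1)
  expected="error: Unknown cert authority: unknown"
  # shunit2's argument order is: message, expected, actual (was swapped).
  assertEquals "certmaster-request --ca unknown" "$expected" "$actual"
}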
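# --help output of certmaster-ca must match the expected usage text.
test_CertmasterCAHelp() {
  local actual expected
  actual=$(certmaster-ca --help)
  # NOTE(review): reconstructed from the page. The blank line and "Options:"
  # header follow optparse's standard layout but are not visible here, and the
  # column alignment of the option descriptions is not recoverable — confirm
  # against the tool's real output.
  expected=$(cat <<'EOF'
Usage: certmaster-ca <option> [args]

Options:
  --version show program's version number and exit
  -h, --help show this help message and exit
  --ca=CA certificate authority used to sign/list certs
  -l, --list list signing requests remaining
  -s, --sign sign requests of hosts specified
  -c, --clean clean out all certs or csrs for the hosts specified
  --list-signed list all signed certs
  --list-cert-hash list the cert hash for signed certs
EOF
)
  # shunit2's argument order is: message, expected, actual (was swapped).
  assertEquals "certmaster-ca --help" "$expected" "$actual"
}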
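# -h must print exactly the same usage text as --help.
test_CertmasterCAHFlag() {
  local actual expected
  actual=$(certmaster-ca -h)
  # NOTE(review): reconstructed from the page. The blank line and "Options:"
  # header follow optparse's standard layout but are not visible here, and the
  # column alignment of the option descriptions is not recoverable — confirm
  # against the tool's real output.
  expected=$(cat <<'EOF'
Usage: certmaster-ca <option> [args]

Options:
  --version show program's version number and exit
  -h, --help show this help message and exit
  --ca=CA certificate authority used to sign/list certs
  -l, --list list signing requests remaining
  -s, --sign sign requests of hosts specified
  -c, --clean clean out all certs or csrs for the hosts specified
  --list-signed list all signed certs
  --list-cert-hash list the cert hash for signed certs
EOF
)
  # shunit2's argument order is: message, expected, actual (was swapped).
  assertEquals "certmaster-ca -h" "$expected" "$actual"
}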
# --version must mention both a version and a release; only the presence of
# the two labels is checked, not their values.
test_CertmasterCAVersion() {
  local actual has_version=1 has_release=1
  actual=$(certmaster-ca --version)
  case $actual in
    *version:*) has_version=0 ;;
  esac
  case $actual in
    *release:*) has_release=0 ;;
  esac
  assertTrue "version includes a version" "$has_version"
  assertTrue "version includes a release" "$has_release"
}
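# Listing against a CA that is not configured must fail with a clear error.
test_CertmasterCA_UnknownCA() {
  local actual expected
  # The error goes to stderr, so merge it into the captured output.
  actual=$(certmaster-ca --list --ca unknown 2>&1)
  # NOTE(review): this message names /etc/certmaster.cfg while the fixture
  # installs /etc/certmaster/certmaster.conf — confirm it is what certmaster-ca
  # actually prints rather than a stale path.
  expected="Unknown ca unknown: check /etc/certmaster.cfg"
  # shunit2's argument order is: message, expected, actual (was swapped).
  assertEquals "certmaster-ca --ca unknown" "$expected" "$actual"
}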
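# End-to-end check of the autosigning "test" CA: a request returns on its own
# and the cert, key and CSR all exist, are valid, use SHA-256, and show up in
# the CA's signed/hash listings.
test_TestCA_Autosigning() {
  local -r host=testcert.pwan.co
  local -r cadir=/etc/pki/certmaster-test
  local subject output f
  certmaster-request --hostname "$host" --ca test
  [[ -e $cadir ]]
  assertTrue "$cadir exists" $?
  for f in cert pem csr; do
    [[ -e "$cadir/$host.$f" ]]
    assertTrue "$host.$f exists" $?
  done
  # The CN must be the requested hostname. The result of this comparison was
  # previously discarded, so a wrong CN could not fail the test.
  subject=$(openssl x509 -in "$cadir/$host.cert" -subject -noout)
  [[ $subject == *"CN=$host"* ]]
  assertTrue "$host.cert subject has CN=$host" $?
  # The test CA is expected to sign with SHA-256 (contrast the sha1/sha224 CAs).
  openssl x509 -in "$cadir/$host.cert" -text | grep Signature | grep -q sha256
  assertTrue "$host.cert has a sha256 hash" $?
  # Key and CSR must be well-formed and internally consistent.
  openssl rsa -in "$cadir/$host.pem" -check >/dev/null 2>&1
  assertTrue "$host.pem OK" $?
  openssl req -text -noout -verify -in "$cadir/$host.csr" >/dev/null 2>&1
  assertTrue "$host.csr OK" $?
  # Verify there are no certs left to sign.
  # shunit2's argument order is: message, expected, actual (was swapped).
  output=$(certmaster-ca --list --ca test)
  assertEquals "nothing to sign" "No certificates to sign" "$output"
  # Verify the cert shows up in the signed list
  output=$(certmaster-ca --list-signed --ca test)
  [[ $output == *"$host"* ]]
  assertTrue "--list-signed includes testcert" $?
  # Verify the cert shows up in the list-cert-hash command
  output=$(certmaster-ca --list-cert-hash --ca test)
  [[ $output == *"$host"* ]]
  assertTrue "--list-cert-hash includes testcert" $?
}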
# Placeholder that always fails so the missing coverage stays visible in the
# test report.
test_MD5CA_Attempy () {
  # TODO: Verify attempts to create MD5 certs fail
  assertTrue "TODO" false
}
# The "sha1" CA autosigns; the issued cert's text dump must name sha1 in its
# signature algorithm line.
test_Sha1CA_Autosigning () {
  # TODO: Verify a deprecation warning was issued ?
  local -r cert=/etc/pki/certmaster-sha1/testcert.pwan.co.cert
  certmaster-request --hostname testcert.pwan.co --ca sha1
  # NOTE(review): nothing here removes a cert left by an earlier run, so this
  # check can pass on stale state unless the fixture setup cleans this CA dir.
  openssl x509 -in "$cert" -text \
    | grep Signature \
    | grep sha1
  assertTrue "testcert.pwan.co.cert has a sha1 hash" $?
}
# The "sha224" CA autosigns; the issued cert's text dump must name sha224 in
# its signature algorithm line.
test_Sha224CA_Autosigning () {
  local -r cert=/etc/pki/certmaster-sha224/testcert.pwan.co.cert
  certmaster-request --hostname testcert.pwan.co --ca sha224
  # NOTE(review): nothing here removes a cert left by an earlier run, so this
  # check can pass on stale state unless the fixture setup cleans this CA dir.
  openssl x509 -in "$cert" -text \
    | grep Signature \
    | grep sha224
  assertTrue "testcert.pwan.co.cert has a sha224 hash" $?
}
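# End-to-end check of the default (non-autosigning) CA: the request blocks
# until an operator signs it, so it runs in the background while this test
# plays the operator with certmaster-ca --sign, then the artifacts are checked.
test_DefaultCA_NonAutosigning () {
  local -r host=defaultcert.pwan.co
  local -r cadir=/etc/pki/certmaster
  local -r max_tries=30   # constructed bound: seconds to wait for the request to register
  local output subject pid tries f
  # Reaping the job with wait needs no job control, unlike fg, which is only
  # available after set -m and is not enabled in scripts by default.
  certmaster-request --hostname "$host" &
  pid=$!
  printf '%s\n' "...patience grasshopper..."
  # Poll until the CA sees the pending request instead of sleeping a fixed time.
  tries=0
  until certmaster-ca --list 2>/dev/null | grep -qF -- "$host" || (( tries >= max_tries )); do
    sleep 1
    tries=$(( tries + 1 ))
  done
  # Verify the cert is waiting to be signed
  output=$(certmaster-ca --list)
  [[ $output == *"$host"* ]]
  assertTrue "$output includes defaultcert" $?
  output=$(certmaster-ca --sign "$host")
  # Now that the cert is signed the backgrounded request can finish.
  wait "$pid"
  # Verify there are no certs left to sign.
  # shunit2's argument order is: message, expected, actual (was swapped).
  output=$(certmaster-ca --list)
  assertEquals "nothing to sign" "No certificates to sign" "$output"
  # Verify the cert shows up in the signed list
  output=$(certmaster-ca --list-signed)
  [[ $output == *"$host"* ]]
  assertTrue "--list-signed includes defaultcert" $?
  # Verify the cert shows up in the list-cert-hash command
  output=$(certmaster-ca --list-cert-hash)
  [[ $output == *"$host"* ]]
  assertTrue "--list-cert-hash includes defaultcert" $?
  # Verify all the expected files exist
  [[ -e $cadir ]]
  assertTrue "$cadir exists" $?
  for f in cert pem csr; do
    [[ -e "$cadir/$host.$f" ]]
    assertTrue "$host.$f exists" $?
  done
  # Verify the cert's CN. The result of this comparison was previously
  # discarded, so a wrong CN could not fail the test.
  subject=$(openssl x509 -in "$cadir/$host.cert" -subject -noout)
  [[ $subject == *"CN=$host"* ]]
  assertTrue "$host.cert subject has CN=$host" $?
  # Verify the key and signing request are valid. The CSR check previously
  # redirected to /dev/nulla (typo), which either creates a stray file or
  # makes the redirection itself fail.
  openssl rsa -in "$cadir/$host.pem" -check >/dev/null 2>&1
  assertTrue "$host.pem OK" $?
  openssl req -text -noout -verify -in "$cadir/$host.csr" >/dev/null 2>&1
  assertTrue "$host.csr OK" $?
}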
# Hand control to shunit2, which discovers and runs every test_* function
# defined above.
source /usr/share/shunit2/shunit2