sha1 supprt checkpoint
#!/bin/bash
# shunit2 tests for certmaster
# (sorry bats, but I couldn't figure out how to push a command into the background with ya)
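# shunit2 fixture, run before every test: stop any running daemon, install
# the test configuration, wipe all CA state so each test starts from an
# empty CA, then start the daemon again.
# Returns 1 if a test config file could not be installed (the daemon would
# otherwise start with whatever config was left behind).
setUp()
{
  # 'stop' fails when nothing is running; that is expected here.
  /etc/init.d/certmaster stop >/dev/null 2>&1 || true

  mkdir -p /etc/certmaster
  cp -- certmaster.conf.tst /etc/certmaster/certmaster.conf || {
    printf 'setUp: cannot install /etc/certmaster/certmaster.conf\n' >&2
    return 1
  }
  cp -- minion.conf.tst /etc/certmaster/minion.conf || {
    printf 'setUp: cannot install /etc/certmaster/minion.conf\n' >&2
    return 1
  }

  # Daemon state: /var/lib/certmaster/test lives under /var/lib/certmaster,
  # so removing the parent covers it.
  rm -rf -- /var/lib/certmaster

  # PKI directories of every CA the tests below write to, so a stale cert
  # from an earlier run cannot make a test pass.
  rm -rf -- /etc/pki/certmaster
  rm -rf -- /etc/pki/certmaster-test
  rm -rf -- /etc/pki/certmaster-sha1
  rm -rf -- /etc/pki/certmaster-sha224

  /etc/init.d/certmaster start >/dev/null 2>&1
}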
# shunit2 fixture, run after every test: stop the daemon, discarding its
# output.
tearDown() {
  /etc/init.d/certmaster stop >/dev/null 2>&1
}
# The certmaster-ca command must be installed and executable.
test_CertmasterCaAvailable()
{
  local rc
  [[ -x "/usr/bin/certmaster-ca" ]]
  rc=$?
  assertTrue "certmaster-ca exists" "$rc"
}
# The certmaster-request command must be installed and executable.
test_CertmasterRequestAvailable()
{
  local rc
  [[ -x "/usr/bin/certmaster-request" ]]
  rc=$?
  assertTrue "certmaster-request exists" "$rc"
}
# The daemon started by setUp must report itself as running.
test_CertmasterDaemonRunning()
{
  local rc
  /etc/init.d/certmaster status
  rc=$?
  assertTrue "certmaster daemon running" "$rc"
}
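# 'certmaster-request --help' prints the expected usage text.
# shunit2's assertEquals takes (message, expected, actual); passing them in
# that order keeps the "expected:<...> but was:<...>" failure report right.
test_CertmasterRequestHelp()
{
  local actual expected
  actual=$(certmaster-request --help)

  # Quoted delimiter: the usage text is taken literally.
  expected=$(cat <<'EOF'
Usage: certmaster-request [options]

Options:
-h, --help show this help message and exit
--hostname=NAME hostname to use as the CN for the certificate
--ca=CA certificate authority used to sign the certificate
EOF
)

  assertEquals "certmaster-request --help" "$expected" "$actual"
}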
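# 'certmaster-request -h' prints the same usage text as --help.
# Arguments to assertEquals are (message, expected, actual) so that a
# failure report names the right side as expected.
test_CertmasterRequestHFlag()
{
  local actual expected
  actual=$(certmaster-request -h)

  # Quoted delimiter: the usage text is taken literally.
  expected=$(cat <<'EOF'
Usage: certmaster-request [options]

Options:
-h, --help show this help message and exit
--hostname=NAME hostname to use as the CN for the certificate
--ca=CA certificate authority used to sign the certificate
EOF
)

  assertEquals "certmaster-request -h" "$expected" "$actual"
}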
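# An unknown option makes certmaster-request print a usage line and an
# "error: no such option" message.
# Arguments to assertEquals are (message, expected, actual).
test_CertmasterRequestBadFlag()
{
  local actual expected

  # The error goes to stderr, which command substitution alone does not
  # capture, so merge stderr into stdout.
  actual=$(certmaster-request --blah 2>&1)

  expected=$(cat <<'EOF'
Usage: certmaster-request [options]

certmaster-request: error: no such option: --blah
EOF
)

  assertEquals "certmaster-request --blah" "$expected" "$actual"
}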
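# Requesting a cert from a CA that is not configured is rejected with a
# clear error rather than silently falling back to another CA.
# Arguments to assertEquals are (message, expected, actual).
test_CertmasterRequest_UnknownCA()
{
  local actual expected

  # The error goes to stderr; merge it into the captured output.
  actual=$(certmaster-request --hostname unknown.pwan.co --ca unknown 2>&1)

  expected=$(cat <<'EOF'
error: Unknown cert authority: unknown
EOF
)

  assertEquals "certmaster-request --ca unknown" "$expected" "$actual"
}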
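# 'certmaster-ca --help' prints the expected usage text.
# Arguments to assertEquals are (message, expected, actual).
test_CertmasterCAHelp()
{
  local actual expected
  actual=$(certmaster-ca --help)

  # Quoted delimiter: the usage text is taken literally.
  expected=$(cat <<'EOF'
Usage: certmaster-ca <option> [args]

Options:
--version show program's version number and exit
-h, --help show this help message and exit
--ca=CA certificate authority used to sign/list certs
-l, --list list signing requests remaining
-s, --sign sign requests of hosts specified
-c, --clean clean out all certs or csrs for the hosts specified
--list-signed list all signed certs
--list-cert-hash list the cert hash for signed certs
EOF
)

  assertEquals "certmaster-ca --help" "$expected" "$actual"
}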
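# 'certmaster-ca -h' prints the same usage text as --help.
# Arguments to assertEquals are (message, expected, actual).
test_CertmasterCAHFlag()
{
  local actual expected
  actual=$(certmaster-ca -h)

  # Quoted delimiter: the usage text is taken literally.
  expected=$(cat <<'EOF'
Usage: certmaster-ca <option> [args]

Options:
--version show program's version number and exit
-h, --help show this help message and exit
--ca=CA certificate authority used to sign/list certs
-l, --list list signing requests remaining
-s, --sign sign requests of hosts specified
-c, --clean clean out all certs or csrs for the hosts specified
--list-signed list all signed certs
--list-cert-hash list the cert hash for signed certs
EOF
)

  assertEquals "certmaster-ca -h" "$expected" "$actual"
}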
# 'certmaster-ca --version' must mention both a version and a release.
test_CertmasterCAVersion()
{
  local actual
  actual=$(certmaster-ca --version)

  # 0 = found, 1 = missing, mirroring the status of the pattern test.
  local has_version=1 has_release=1
  [[ "$actual" == *"version:"* ]] && has_version=0
  [[ "$actual" == *"release:"* ]] && has_release=0

  assertTrue "version includes a version" "$has_version"
  assertTrue "version includes a release" "$has_release"
}
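# certmaster-ca refuses to operate on a CA that is not configured.
# Arguments to assertEquals are (message, expected, actual).
# NOTE(review): the message names /etc/certmaster.cfg while setUp installs
# the config as /etc/certmaster/certmaster.conf; that is certmaster's own
# wording, which this test only pins down.
test_CertmasterCA_UnknownCA()
{
  local actual expected

  # The error goes to stderr; merge it into the captured output.
  actual=$(certmaster-ca --list --ca unknown 2>&1)

  expected=$(cat <<'EOF'
Unknown ca unknown: check /etc/certmaster.cfg
EOF
)

  assertEquals "certmaster-ca --ca unknown" "$expected" "$actual"
}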
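# With the autosigning 'test' CA a request is signed straight away: the
# cert, key and CSR land in /etc/pki/certmaster-test, the cert carries the
# requested CN and a SHA-256 signature, and the CA's lists reflect it.
test_TestCA_Autosigning()
{
  local pki=/etc/pki/certmaster-test
  local host=testcert.pwan.co
  local subject output

  certmaster-request --hostname "$host" --ca test

  [[ -e "$pki" ]]
  assertTrue "$pki exists" $?
  [[ -e "$pki/$host.cert" ]]
  assertTrue "$host.cert exists" $?
  [[ -e "$pki/$host.pem" ]]
  assertTrue "$host.pem exists" $?
  [[ -e "$pki/$host.csr" ]]
  assertTrue "$host.csr exists" $?

  # The CN check previously had no assertion behind it, so a wrong subject
  # could never fail the test; assert it.
  subject=$(openssl x509 -in "$pki/$host.cert" -subject -noout)
  [[ $subject == *"CN=$host"* ]]
  assertTrue "$host.cert subject has CN=$host" $?

  # 'openssl x509 -text' prints the signature algorithm on a line
  # containing 'Signature'; the test CA must sign with SHA-256.
  openssl x509 -in "$pki/$host.cert" -text | grep Signature | grep -q sha256
  assertTrue "$host.cert has a sha256 hash" $?

  openssl rsa -in "$pki/$host.pem" -check >/dev/null 2>&1
  assertTrue "$host.pem OK" $?
  openssl req -text -noout -verify -in "$pki/$host.csr" >/dev/null 2>&1
  assertTrue "$host.csr OK" $?

  # Verify there are no certs left to sign (assertEquals: expected, actual)
  output=$(certmaster-ca --list --ca test)
  assertEquals "nothing to sign" "No certificates to sign" "$output"

  # Verify the cert shows up in the signed list
  output=$(certmaster-ca --list-signed --ca test)
  [[ $output == *"$host"* ]]
  assertTrue "--list-signed includes testcert" $?

  # Verify the cert shows up in the list-cert-hash command
  output=$(certmaster-ca --list-cert-hash --ca test)
  [[ $output == *"$host"* ]]
  assertTrue "--list-cert-hash includes testcert" $?
}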
# Placeholder: always fails until the MD5 rejection check is written.
test_MD5CA_Attempy() {
  # TODO: Verify attempts to create MD5 certs fail
  fail "TODO"
}
# The 'sha1' CA (legacy digest) autosigns and the resulting cert is
# signed with SHA-1.
test_Sha1CA_Autosigning() {
  # TODO: Verify a deprecation warning was issued ?
  local cert=/etc/pki/certmaster-sha1/testcert.pwan.co.cert

  certmaster-request --hostname testcert.pwan.co --ca sha1

  # The signature-algorithm line of 'openssl x509 -text' must name sha1.
  openssl x509 -in "$cert" -text | grep Signature | grep sha1
  assertTrue "testcert.pwan.co.cert has a sha1 hash" $?
}
# The 'sha224' CA autosigns and the resulting cert in
# /etc/pki/certmaster-sha224 is signed with SHA-224.
test_Sha224CA_Autosigning() {
  local cert=/etc/pki/certmaster-sha224/testcert.pwan.co.cert

  certmaster-request --hostname testcert.pwan.co --ca sha224

  # The signature-algorithm line of 'openssl x509 -text' must name sha224.
  openssl x509 -in "$cert" -text | grep Signature | grep sha224
  assertTrue "testcert.pwan.co.cert has a sha224 hash" $?
}
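# With the default CA (no autosigning) a request waits until the CA signs
# it: run the request in the background, check it is pending, sign it,
# wait for the request to finish, then check the CA's lists and the files.
test_DefaultCA_NonAutosigning() {
  local pki=/etc/pki/certmaster
  local host=defaultcert.pwan.co
  local pid output subject i

  # Request a cert. It blocks until signed, so background it and collect
  # it with 'wait' later; no job control ('set -m' / 'fg') is needed.
  certmaster-request --hostname "$host" &
  pid=$!

  # Verify the cert is waiting to be signed. Poll (bounded) instead of
  # trusting a fixed one-second sleep.
  for i in {1..10}; do
    output=$(certmaster-ca --list)
    [[ $output == *"$host"* ]] && break
    sleep 1
  done
  [[ $output == *"$host"* ]]
  assertTrue "--list includes defaultcert" $?

  # Sign the cert
  output=$(certmaster-ca --sign "$host")

  # Let the background request pick up the signed cert and exit.
  wait "$pid"

  # Verify there are no certs left to sign (assertEquals: expected, actual)
  output=$(certmaster-ca --list)
  assertEquals "nothing to sign" "No certificates to sign" "$output"

  # Verify the cert shows up in the signed list
  output=$(certmaster-ca --list-signed)
  [[ $output == *"$host"* ]]
  assertTrue "--list-signed includes defaultcert" $?

  # Verify the cert shows up in the list-cert-hash command
  output=$(certmaster-ca --list-cert-hash)
  [[ $output == *"$host"* ]]
  assertTrue "--list-cert-hash includes defaultcert" $?

  # Verify all the expected files exist
  [[ -e "$pki" ]]
  assertTrue "$pki exists" $?
  [[ -e "$pki/$host.cert" ]]
  assertTrue "$host.cert exists" $?
  [[ -e "$pki/$host.pem" ]]
  assertTrue "$host.pem exists" $?
  [[ -e "$pki/$host.csr" ]]
  assertTrue "$host.csr exists" $?

  # Verify the cert's CN. This check previously had no assertion behind
  # it, so a wrong subject could never fail the test.
  subject=$(openssl x509 -in "$pki/$host.cert" -subject -noout)
  [[ $subject == *"CN=$host"* ]]
  assertTrue "$host.cert subject has CN=$host" $?

  # Verify the key and signing request are valid. (The CSR check used to
  # redirect to '/dev/nulla', a typo that left a stray file in /dev.)
  openssl rsa -in "$pki/$host.pem" -check >/dev/null 2>&1
  assertTrue "$host.pem OK" $?
  openssl req -text -noout -verify -in "$pki/$host.csr" >/dev/null 2>&1
  assertTrue "$host.csr OK" $?
}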
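# load shunit2 (sourcing it runs the test_* functions above). Check the
# file is there first so a missing framework gives a clear message instead
# of a cryptic 'file not found' from the dot command.
if [[ ! -r /usr/share/shunit2/shunit2 ]]; then
  printf 'shunit2 not found at /usr/share/shunit2/shunit2\n' >&2
  exit 1
fi
. /usr/share/shunit2/shunit2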