# shunit2 tests for certmaster
# (sorry bats, but I couldn't figure out how to push a command into the background with ya)
# Suite setup: put certmaster into a known state and start the daemon.
# NOTE(review): the listing does not show a function header around these
# statements; presumably they are the body of the shunit2 setup hook -- confirm.
#
# These steps are destructive. They overwrite the configuration under
# /etc/certmaster and delete every CA directory under /etc/pki and
# /var/lib/certmaster, including the certificates and private keys stored
# there. Run the suite only on a disposable host or container.

# Stop any daemon that is already running; output is discarded and a failure
# to stop (for example, nothing was running) is tolerated.
/etc/init.d/certmaster stop > /dev/null 2>&1 || true

# Install the test configuration for the certmaster and the minion.
mkdir -p /etc/certmaster
cp certmaster.conf.tst /etc/certmaster/certmaster.conf
cp minion.conf.tst /etc/certmaster/minion.conf

# Remove state left behind by earlier runs: one rm per path, in the same
# order as the original statements.
for stale_dir in \
  /var/lib/certmaster \
  /var/lib/certmaster/test \
  /var/lib/certmaster/md5 \
  /var/lib/certmaster/sha1 \
  /var/lib/certmaster/sha224 \
  /etc/pki/certmaster \
  /etc/pki/certmaster-test \
  /etc/pki/certmaster-md5 \
  /etc/pki/certmaster-sha1 \
  /etc/pki/certmaster-sha224
do
  rm -rf "$stale_dir"
done

# Start the daemon against the fresh configuration; output is discarded.
/etc/init.d/certmaster start > /dev/null 2>&1
# Suite teardown: stop the daemon that was started for the tests.
# NOTE(review): the enclosing function header is not shown in the listing;
# presumably this is the body of the shunit2 teardown hook -- confirm.
/etc/init.d/certmaster stop > /dev/null 2>&1
# The certmaster-ca command must be installed and executable.
test_CertmasterCaAvailable() {
  local rc=0
  [[ -x "/usr/bin/certmaster-ca" ]] || rc=$?
  assertTrue "certmaster-ca exists" "$rc"
}
# The certmaster-request command must be installed and executable.
test_CertmasterRequestAvailable() {
  local rc=0
  [[ -x "/usr/bin/certmaster-request" ]] || rc=$?
  assertTrue "certmaster-request exists" "$rc"
}
# The init script must report the certmaster daemon as running.
# The status command's own output is not redirected, so it appears in the
# test log.
test_CertmasterDaemonRunning() {
  local rc=0
  /etc/init.d/certmaster status || rc=$?
  assertTrue "certmaster daemon running" "$rc"
}
# Compares the output of `certmaster-request --help` with the expected usage
# text.
# NOTE(review): the statement that builds $expected is not visible in this
# listing, and the usage text below is shown with its whitespace collapsed.
# NOTE(review): shunit2 documents assertEquals as (message, expected, actual);
# the call below passes $actual before $expected, so a failure report would
# label the two values the wrong way round.
46 test_CertmasterRequestHelp
()
48 actual
=`certmaster-request --help`
51 Usage: certmaster-request [options]
54 -h, --help show this help message and exit
55 --hostname=NAME hostname to use as the CN for the certificate
56 --ca=CA certificate authority used to sign the certificate
60 assertEquals
"certmaster-request --help" "$actual" "$expected"
# Compares the output of `certmaster-request -h` with the same usage text that
# the --help test expects.
# NOTE(review): the statement that builds $expected is not visible in this
# listing, and the usage text below is shown with its whitespace collapsed.
# NOTE(review): assertEquals receives $actual before $expected here; shunit2
# documents the order as (message, expected, actual).
64 test_CertmasterRequestHFlag
()
66 actual
=`certmaster-request -h`
69 Usage: certmaster-request [options]
72 -h, --help show this help message and exit
73 --hostname=NAME hostname to use as the CN for the certificate
74 --ca=CA certificate authority used to sign the certificate
77 assertEquals
"certmaster-request -h" "$actual" "$expected"
# An unknown option must produce the usage line plus a "no such option" error.
# stderr is merged into stdout (2>&1) so the error text lands in $actual.
# NOTE(review): the statement that builds $expected is not visible in this
# listing.
# NOTE(review): assertEquals receives $actual before $expected here; shunit2
# documents the order as (message, expected, actual).
81 test_CertmasterRequestBadFlag
()
84 # backticks don't capture stderr...
85 actual
=$
(certmaster-request
--blah 2>&1)
88 Usage: certmaster-request [options]
90 certmaster-request: error: no such option: --blah
93 assertEquals
"certmaster-request --blah" "$actual" "$expected"
# A request that names a CA which is not configured must be refused with an
# "Unknown cert authority" error; stderr is merged into stdout for comparison.
# NOTE(review): the statement that builds $expected is not visible in this
# listing.
# NOTE(review): only the message text is compared. The test does not check the
# command's exit status or that no key or CSR was written for
# unknown.pwan.co -- worth asserting if the tool is meant to fail closed.
# NOTE(review): assertEquals receives $actual before $expected here; shunit2
# documents the order as (message, expected, actual).
97 test_CertmasterRequest_UnknownCA
()
99 actual
=$
(certmaster-request
--hostname unknown.pwan.co
--ca unknown
2>&1)
101 error: Unknown cert authority: unknown
105 assertEquals
"certmaster-request --ca unknown" "$actual" "$expected"
# Compares the output of `certmaster-ca --help` with the expected usage text.
# NOTE(review): the statement that builds $expected is not visible in this
# listing, and the usage text below is shown with its whitespace collapsed.
# NOTE(review): assertEquals receives $actual before $expected here; shunit2
# documents the order as (message, expected, actual).
108 test_CertmasterCAHelp
()
110 actual
=`certmaster-ca --help`
112 Usage: certmaster-ca <option> [args]
115 --version show program's version number and exit
116 -h, --help show this help message and exit
117 --ca=CA certificate authority used to sign/list certs
118 -l, --list list signing requests remaining
119 -s, --sign sign requests of hosts specified
120 -c, --clean clean out all certs or csrs for the hosts specified
121 --list-signed list all signed certs
122 --list-cert-hash list the cert hash for signed certs
125 assertEquals
"certmaster-ca --help" "$actual" "$expected"
# Compares the output of `certmaster-ca -h` with the same usage text that the
# --help test expects.
# NOTE(review): the statement that builds $expected is not visible in this
# listing, and the usage text below is shown with its whitespace collapsed.
# NOTE(review): assertEquals receives $actual before $expected here; shunit2
# documents the order as (message, expected, actual).
128 test_CertmasterCAHFlag
()
130 actual
=`certmaster-ca -h`
132 Usage: certmaster-ca <option> [args]
135 --version show program's version number and exit
136 -h, --help show this help message and exit
137 --ca=CA certificate authority used to sign/list certs
138 -l, --list list signing requests remaining
139 -s, --sign sign requests of hosts specified
140 -c, --clean clean out all certs or csrs for the hosts specified
141 --list-signed list all signed certs
142 --list-cert-hash list the cert hash for signed certs
145 assertEquals
"certmaster-ca -h" "$actual" "$expected"
# `certmaster-ca --version` must report both a "version:" and a "release:"
# field. Only stdout is captured, and the field values are not checked.
test_CertmasterCAVersion() {
  local rc
  actual=$(certmaster-ca --version)

  rc=0
  [[ "$actual" == *"version:"* ]] || rc=$?
  assertTrue "version includes a version" "$rc"

  rc=0
  [[ "$actual" == *"release:"* ]] || rc=$?
  assertTrue "version includes a release" "$rc"
}
# Listing requests for a CA that is not configured must be refused with an
# "Unknown ca" message; stderr is merged into stdout for comparison.
# NOTE(review): the statement that builds $expected is not visible in this
# listing.
# NOTE(review): assertEquals receives $actual before $expected here; shunit2
# documents the order as (message, expected, actual).
159 test_CertmasterCA_UnknownCA
()
161 actual
=$
(certmaster-ca
--list --ca unknown
2>&1)
164 Unknown ca unknown: check /etc/certmaster.cfg
168 assertEquals
"certmaster-ca --ca unknown" "$actual" "$expected"
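# Requests a certificate from the autosigning "test" CA and verifies the
# result: the files written under /etc/pki/certmaster-test, the certificate's
# CN and signature hash, the validity of the key and CSR, and the CA's
# bookkeeping (nothing left to sign, host present in both signed listings).
#
# Changes from the listed version:
#   - the CN pattern test is now asserted; in the listing its result was
#     never passed to assertTrue, so a wrong CN could not fail the test
#   - assertEquals is called as (message, expected, actual), the order
#     shunit2 documents
#   - the key and CSR assertion messages name testcert.pwan.co, the host
#     actually checked
#
# NOTE(review): the listing has gaps in its line numbering inside this
# function; they are assumed to be blank lines and braces -- confirm.
# NOTE(review): not covered here: that the certificate verifies against the
# test CA's own certificate, and that the private key file is not readable
# by other users.
test_TestCA_Autosigning() {
  local pki_dir=/etc/pki/certmaster-test
  local host=testcert.pwan.co
  local suffix subject output

  certmaster-request --hostname "$host" --ca test

  [[ -e "$pki_dir" ]]
  assertTrue "$pki_dir exists" $?
  for suffix in cert pem csr; do
    [[ -e "$pki_dir/$host.$suffix" ]]
    assertTrue "$host.$suffix exists" $?
  done

  # The certificate must have been issued for the requested hostname.
  # OpenSSL 1.1.0 and later print the subject as "CN = name"; older releases
  # print "CN=name", so both spellings are accepted.
  subject=$(openssl x509 -in "$pki_dir/$host.cert" -subject -noout)
  [[ "$subject" == *"CN=$host"* || "$subject" == *"CN = $host"* ]]
  assertTrue "$host.cert subject has CN=$host" $?

  # The signature algorithm line must name sha256.
  openssl x509 -in "$pki_dir/$host.cert" -text \
    | grep Signature \
    | grep sha256 > /dev/null 2>&1
  assertTrue "$host.cert has a sha256 hash" $?

  # The private key must be consistent and the CSR must self-verify.
  openssl rsa -in "$pki_dir/$host.pem" -check > /dev/null 2>&1
  assertTrue "$host.pem OK" $?
  openssl req -text -noout -verify -in "$pki_dir/$host.csr" > /dev/null 2>&1
  assertTrue "$host.csr OK" $?

  # Verify there are no certs left to sign
  output=$(certmaster-ca --list --ca test)
  assertEquals "nothing to sign" "No certificates to sign" "$output"

  # Verify the cert shows up in the signed list
  output=$(certmaster-ca --list-signed --ca test)
  [[ "$output" == *"$host"* ]]
  assertTrue "--list-signed includes testcert" $?

  # Verify the cert shows up in the list-cert-hash command
  output=$(certmaster-ca --list-cert-hash --ca test)
  [[ "$output" == *"$host"* ]]
  assertTrue "--list-cert-hash includes testcert" $?
}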
# A request against the CA named "md5" must be refused with an "md5 hash
# function is unsupported" error; stderr is merged into stdout for comparison.
# NOTE(review): the statement that builds $expected is not visible in this
# listing.
# NOTE(review): only the error text is compared. The test does not check that
# nothing was issued under /etc/pki/certmaster-md5, which is the property that
# matters if MD5 signing is meant to be impossible rather than just warned
# about.
# NOTE(review): assertEquals receives $actual before $expected here; shunit2
# documents the order as (message, expected, actual).
211 test_MD5CA_Attempt
() {
213 # TODO: Verify attempts to create MD5 certs fail
214 actual
=$
(certmaster-request
--hostname badmd5req.pwan.co
--ca md5
2>&1)
216 error: md5 hash function is unsupported: md5
219 assertEquals
"MD5CA Attempt" "$actual" "$expected"
# A request against the CA named "sha1" must print the "Deprecated hash
# function" warning, and the issued certificate's signature algorithm line
# must mention sha1. This pins the current behaviour: SHA-1 is warned about
# but a certificate is still issued.
# NOTE(review): the statement that builds $expected is not visible in this
# listing.
# NOTE(review): assertEquals receives $actual before $expected here; shunit2
# documents the order as (message, expected, actual).
222 test_Sha1CA_Autosigning
() {
224 actual
=$
(certmaster-request
--hostname testcert.pwan.co
--ca sha1
2>&1)
226 Deprecated hash function of sha1: sha1
229 assertEquals
"deprecated sha1 warning" "$actual" "$expected"
230 openssl x509
-in /etc
/pki
/certmaster-sha
1/testcert.pwan.co.cert
-text |
grep Signature |
grep sha1
> /dev
/null
2>&1
231 assertTrue
"testcert.pwan.co.cert has a sha1 hash" $?
# Requests a certificate from the CA named "sha224" and checks that the
# signature algorithm line of the issued certificate mentions sha224.
# The certificate examined is the one under /etc/pki/certmaster-sha224.
# The request's own output and exit status are not checked.
test_Sha224CA_Autosigning() {
  local rc=0
  certmaster-request --hostname testcert.pwan.co --ca sha224
  openssl x509 -in /etc/pki/certmaster-sha224/testcert.pwan.co.cert -text \
    | grep Signature \
    | grep sha224 > /dev/null 2>&1 || rc=$?
  assertTrue "testcert.pwan.co.cert has a sha224 hash" "$rc"
}
# Exercises the default CA, which does not autosign: a request is started in
# the background, the pending CSR is expected in `certmaster-ca --list`, it is
# signed by hand, and the CA listings and the files under /etc/pki/certmaster
# are then checked.
# NOTE(review): this listing has gaps in its numbering after the job-control
# comment, around the "patience" message and after the foreground comment; the
# statements that enable job control, wait for the request and bring it back
# to the foreground are not visible here.
# NOTE(review): both assertEquals/assertTrue messages for the key and one for
# the CSR say "default.pwan.co", while the host under test is
# defaultcert.pwan.co.
244 test_DefaultCA_NonAutosigning
() {
246 # Turn on job control, so 'fg' is available
250 certmaster-request
--hostname defaultcert.pwan.co
&
252 echo "...patience grasshopper..."
254 # Verify the cert is waiting to be signed
255 output
=`certmaster-ca --list`
256 [[ $output == *"defaultcert.pwan.co"* ]]
257 assertTrue
"$output includes defaultcert" $?
260 output
=`certmaster-ca --sign defaultcert.pwan.co`
263 # Bring the request back to the foreground so it can finish
266 # Verify there are no certs left to sign
# NOTE(review): assertEquals below passes the observed output before the
# expected literal; shunit2 documents the order as (message, expected, actual).
267 output
=`certmaster-ca --list`
268 assertEquals
"nothing to sign" "$output" "No certificates to sign"
270 # Verify the cert shows up in the signed list
271 output
=`certmaster-ca --list-signed`
272 [[ $output == *"defaultcert.pwan.co"* ]]
273 assertTrue
"--list-signed includes defaultcert" $?
275 # Verify the cert shows up in the list-cert-hash command
276 output
=`certmaster-ca --list-cert-hash`
277 [[ $output == *"defaultcert.pwan.co"* ]]
278 assertTrue
"--list-cert-hash includes defaultcert" $?
280 # Verify all the expected files exist
281 [[ -e /etc
/pki
/certmaster
]]
282 assertTrue
"/etc/pki/certmaster exists" $?
283 [[ -e /etc
/pki
/certmaster
/defaultcert.pwan.co.cert
]]
284 assertTrue
"defaultcert.pwan.co.cert.exists" $?
285 [[ -e /etc
/pki
/certmaster
/defaultcert.pwan.co.pem
]]
286 assertTrue
"defaultcert.pwan.co.pem exists" $?
287 [[ -e /etc
/pki
/certmaster
/defaultcert.pwan.co.csr
]]
288 assertTrue
"default.pwan.co.csr exists" $?
290 # Verify the cert's CN
# NOTE(review): in this listing the pattern test on $subject is not followed
# by an assertTrue, so a certificate with the wrong CN would not fail the
# test -- confirm against the full file.
291 subject
=`openssl x509 -in /etc/pki/certmaster/defaultcert.pwan.co.cert -subject -noout`
292 [[ $subject == *"CN=defaultcert.pwan.co"* ]]
294 # Verify the key and signing request are valid
295 openssl rsa
-in /etc
/pki
/certmaster
/defaultcert.pwan.co.pem
-check > /dev
/null
2>&1
296 assertTrue
"default.pwan.co.pem OK" $?
# NOTE(review): the redirect target below reads /dev/nulla, not /dev/null; as
# written the output goes to a file of that name instead of being discarded.
297 openssl req
-text -noout -verify -in /etc
/pki
/certmaster
/defaultcert.pwan.co.csr
> /dev
/nulla
2>&1
298 assertTrue
"defaultcert.pwan.co.csr OK" $?
# Load shunit2 from its system location; sourcing it runs the test_*
# functions defined in this file.
source /usr/share/shunit2/shunit2