1 #!/bin/bash
2 # shunit2 tests for certmaster
3 # (sorry bats, but I couldn't figure out how to push a command into the background with ya)
4
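#######################################
# Reset the host to a clean certmaster state before each test.
# NOTE: this runs as root and deletes the host's real certmaster state
# (/var/lib/certmaster, /etc/pki/certmaster, /etc/pki/certmaster-test) and
# replaces /etc/certmaster/*.conf — only run it on a disposable machine.
# Reads certmaster.conf.tst / minion.conf.tst from the current directory.
#######################################
setUp()
{
  # Stopping may fail if the daemon is not running; that is fine here.
  /etc/init.d/certmaster stop >& /dev/null || true
  mkdir -p /etc/certmaster
  # A failed copy would leave whatever config is already there in place, so
  # at least say so rather than silently starting the daemon on stale config.
  cp certmaster.conf.tst /etc/certmaster/certmaster.conf \
    || printf '%s\n' "setUp: failed to install certmaster.conf" >&2
  cp minion.conf.tst /etc/certmaster/minion.conf \
    || printf '%s\n' "setUp: failed to install minion.conf" >&2
  # Wipe state left by a previous run; /var/lib/certmaster/test goes with its parent.
  rm -rf /var/lib/certmaster
  rm -rf /etc/pki/certmaster
  rm -rf /etc/pki/certmaster-test
  /etc/init.d/certmaster start >& /dev/null
}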
17
# Stop the daemon that setUp started; its output is of no interest here.
tearDown() {
  /etc/init.d/certmaster stop > /dev/null 2>&1
}
21
# The CA tool must be installed and executable at its packaged location.
test_CertmasterCaAvailable()
{
  local ca_tool=/usr/bin/certmaster-ca
  test -x "$ca_tool"
  assertTrue "certmaster-ca exists" $?
}
27
# The request tool must be installed and executable at its packaged location.
test_CertmasterRequestAvailable()
{
  local request_tool=/usr/bin/certmaster-request
  test -x "$request_tool"
  assertTrue "certmaster-request exists" $?
}
33
# The init script's status action must report the daemon started by setUp as up.
test_CertmasterDaemonRunning()
{
  local rc
  /etc/init.d/certmaster status
  rc=$?
  assertTrue "certmaster daemon running" "$rc"
}
39
# --help output of certmaster-request is compared verbatim against the usage text.
test_CertmasterRequestHelp()
{
  # Quoted delimiter: the usage text is taken literally, nothing is expanded.
  expected=$(cat <<'EOF'
Usage: certmaster-request [options]

Options:
-h, --help show this help message and exit
--hostname=NAME hostname to use as the CN for the certificate
--ca=CA certificate authority used to sign the certificate
EOF
)
  actual=$(certmaster-request --help)
  # shunit2's signature is (message, expected, actual); the swapped order only
  # affects the wording of a failure message, not the comparison.
  assertEquals "certmaster-request --help" "$actual" "$expected"
}
57
# -h must print exactly the same usage text as --help.
test_CertmasterRequestHFlag()
{
  expected=$(cat <<'EOF'
Usage: certmaster-request [options]

Options:
-h, --help show this help message and exit
--hostname=NAME hostname to use as the CN for the certificate
--ca=CA certificate authority used to sign the certificate
EOF
)
  actual=$(certmaster-request -h)
  assertEquals "certmaster-request -h" "$actual" "$expected"
}
74
# An unknown option must produce the usage banner plus a "no such option" error.
test_CertmasterRequestBadFlag()
{
  # The error goes to stderr, which command substitution alone would not
  # capture, so merge it into stdout.
  actual=$(certmaster-request --blah 2>&1)
  expected=$(cat <<'EOF'
Usage: certmaster-request [options]

certmaster-request: error: no such option: --blah
EOF
)
  assertEquals "certmaster-request --blah" "$actual" "$expected"
}
90
# Requesting from a CA that is not configured must be refused with a clear error.
test_CertmasterRequest_UnknownCA()
{
  expected=$(cat <<'EOF'
error: Unknown cert authority: unknown
EOF
)
  # stderr is merged so the error text is captured.
  actual=$(certmaster-request --hostname unknown.pwan.co --ca unknown 2>&1)
  assertEquals "certmaster-request --ca unknown" "$actual" "$expected"
}
101
# --help output of certmaster-ca is compared verbatim against the usage text.
test_CertmasterCAHelp()
{
  expected=$(cat <<'EOF'
Usage: certmaster-ca <option> [args]

Options:
--version show program's version number and exit
-h, --help show this help message and exit
--ca=CA certificate authority used to sign/list certs
-l, --list list signing requests remaining
-s, --sign sign requests of hosts specified
-c, --clean clean out all certs or csrs for the hosts specified
--list-signed list all signed certs
--list-cert-hash list the cert hash for signed certs
EOF
)
  actual=$(certmaster-ca --help)
  assertEquals "certmaster-ca --help" "$actual" "$expected"
}
121
# -h must print exactly the same usage text as --help.
test_CertmasterCAHFlag()
{
  expected=$(cat <<'EOF'
Usage: certmaster-ca <option> [args]

Options:
--version show program's version number and exit
-h, --help show this help message and exit
--ca=CA certificate authority used to sign/list certs
-l, --list list signing requests remaining
-s, --sign sign requests of hosts specified
-c, --clean clean out all certs or csrs for the hosts specified
--list-signed list all signed certs
--list-cert-hash list the cert hash for signed certs
EOF
)
  actual=$(certmaster-ca -h)
  assertEquals "certmaster-ca -h" "$actual" "$expected"
}
141
# --version output is only checked for the presence of its two fields,
# "version:" and "release:", not for any particular value.
test_CertmasterCAVersion()
{
  actual=$(certmaster-ca --version)

  [[ "$actual" == *version:* ]]
  assertTrue "version includes a version" $?

  [[ "$actual" == *release:* ]]
  assertTrue "version includes a release" $?
}
152
# Listing for a CA that is not configured must be refused with a clear error.
# The path named in the message is whatever certmaster-ca prints; it is not
# where setUp installs the config (/etc/certmaster/certmaster.conf).
test_CertmasterCA_UnknownCA()
{
  expected=$(cat <<'EOF'
Unknown ca unknown: check /etc/certmaster.cfg
EOF
)
  # stderr is merged so the error text is captured.
  actual=$(certmaster-ca --list --ca unknown 2>&1)
  assertEquals "certmaster-ca --ca unknown" "$actual" "$expected"
}
164
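#######################################
# The 'test' CA is expected to autosign (presumably via certmaster.conf.tst —
# verify against that file), so a single request should return with a signed
# cert, a key and a CSR on disk, and nothing left pending.
# Writes under /etc/pki/certmaster-test; the .pem left there is the private key
# (it is what `openssl rsa -check` parses below).
#######################################
test_TestCA_Autosigning()
{
  local host=testcert.pwan.co
  local dir=/etc/pki/certmaster-test
  local subject output

  certmaster-request --hostname "$host" --ca test
  assertTrue "certmaster-request --ca test succeeded" $?

  [[ -e "$dir" ]]
  assertTrue "$dir exists" $?
  [[ -e "$dir/$host.cert" ]]
  assertTrue "$host.cert exists" $?
  [[ -e "$dir/$host.pem" ]]
  assertTrue "$host.pem exists" $?
  [[ -e "$dir/$host.csr" ]]
  assertTrue "$host.csr exists" $?

  # The issued cert must carry the requested hostname as its CN; the match
  # result has to be asserted, otherwise a wrong CN would go unnoticed.
  subject=$(openssl x509 -in "$dir/$host.cert" -subject -noout)
  [[ $subject == *"CN=$host"* ]]
  assertTrue "cert subject CN is $host" $?

  # The key parses as an RSA private key and the CSR's self-signature verifies.
  openssl rsa -in "$dir/$host.pem" -check > /dev/null 2>&1
  assertTrue "$host.pem OK" $?
  openssl req -text -noout -verify -in "$dir/$host.csr" > /dev/null 2>&1
  assertTrue "$host.csr OK" $?

  # Nothing should be left to sign.
  output=$(certmaster-ca --list --ca test)
  assertEquals "nothing to sign" "$output" "No certificates to sign"

  # The cert shows up in both listings.
  output=$(certmaster-ca --list-signed --ca test)
  [[ $output == *"$host"* ]]
  assertTrue "--list-signed includes testcert" $?
  output=$(certmaster-ca --list-cert-hash --ca test)
  [[ $output == *"$host"* ]]
  assertTrue "--list-cert-hash includes testcert" $?
}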
201
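#######################################
# The default CA does not autosign, so certmaster-request blocks until its CSR
# is signed: run it in the background, sign from here, then reap it and check
# the resulting files under /etc/pki/certmaster.
# Blocks indefinitely (as the original fg did) if the request never completes.
#######################################
test_DefaultCA_NonAutosigning() {
  local host=defaultcert.pwan.co
  local dir=/etc/pki/certmaster
  local req_pid output subject

  certmaster-request --hostname "$host" &
  req_pid=$!
  # Give the requester a moment to deliver its CSR to the daemon.
  sleep 1
  echo "...patience grasshopper..."

  # The CSR should now be pending.
  output=$(certmaster-ca --list)
  [[ $output == *"$host"* ]]
  assertTrue "$output includes defaultcert" $?

  # Sign it; the blocked request should then pick up its cert and exit.
  output=$(certmaster-ca --sign "$host")

  # wait needs no job control (fg under set -m does) and returns the
  # background request's exit status, so a failed request is caught here.
  wait "$req_pid"
  assertTrue "certmaster-request finished after signing" $?

  # Nothing should be left to sign.
  output=$(certmaster-ca --list)
  assertEquals "nothing to sign" "$output" "No certificates to sign"

  # The cert shows up in both listings.
  output=$(certmaster-ca --list-signed)
  [[ $output == *"$host"* ]]
  assertTrue "--list-signed includes defaultcert" $?
  output=$(certmaster-ca --list-cert-hash)
  [[ $output == *"$host"* ]]
  assertTrue "--list-cert-hash includes defaultcert" $?

  # All the expected files exist.
  [[ -e "$dir" ]]
  assertTrue "$dir exists" $?
  [[ -e "$dir/$host.cert" ]]
  assertTrue "$host.cert exists" $?
  [[ -e "$dir/$host.pem" ]]
  assertTrue "$host.pem exists" $?
  [[ -e "$dir/$host.csr" ]]
  assertTrue "$host.csr exists" $?

  # The cert's CN must be the requested hostname; the match result has to be
  # asserted, otherwise a wrong CN would go unnoticed.
  subject=$(openssl x509 -in "$dir/$host.cert" -subject -noout)
  [[ $subject == *"CN=$host"* ]]
  assertTrue "cert subject CN is $host" $?

  # The key parses as an RSA private key and the CSR's self-signature verifies.
  # Both redirect to /dev/null (a mistyped /dev/nulla would create a stray file).
  openssl rsa -in "$dir/$host.pem" -check > /dev/null 2>&1
  assertTrue "$host.pem OK" $?
  openssl req -text -noout -verify -in "$dir/$host.csr" > /dev/null 2>&1
  assertTrue "$host.csr OK" $?
}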
260
261
# Hand control to shunit2, which runs the test_* functions defined above
# (with setUp/tearDown around each).
source /usr/share/shunit2/shunit2