BATS fell down pushing a process into the background, so I switched to shunit2 /...
1 #!/bin/bash
2 # shunit2 tests for certmaster
3 # (sorry bats, but I couldn't figure out how to push a command into the background with ya)
4
# Per-test fixture: stop any running certmaster, install the test configs,
# wipe state left by earlier runs and start the daemon again.
#
# NOTE: this overwrites /etc/certmaster/*.conf and removes
# /etc/pki/certmaster, /etc/pki/certmaster-test and /var/lib/certmaster
# wholesale, so the suite is only safe on a disposable test host.
# The *.tst files are copied by relative path, so the suite has to be run
# from the directory that holds them.
# Returns: exit status of the final "certmaster start".
setUp() {
  local stale_dir

  # A failing stop (e.g. nothing was running) must not fail the fixture.
  /etc/init.d/certmaster stop > /dev/null 2>&1 || true

  mkdir -p /etc/certmaster
  cp certmaster.conf.tst /etc/certmaster/certmaster.conf
  cp minion.conf.tst /etc/certmaster/minion.conf

  # Same paths, same order as before; each test starts from empty stores.
  for stale_dir in \
    /var/lib/certmaster \
    /var/lib/certmaster/test \
    /etc/pki/certmaster \
    /etc/pki/certmaster-test; do
    rm -rf "$stale_dir"
  done

  /etc/init.d/certmaster start > /dev/null 2>&1
}
17
# Per-test cleanup: stop the daemon and discard whatever the init script
# prints.
# Returns: exit status of "certmaster stop".
tearDown() {
  /etc/init.d/certmaster stop > /dev/null 2>&1
}
21
# The certmaster-ca tool must be installed at its expected path.
# The check is -x, so the file has to be executable, not merely present.
test_CertmasterCaAvailable() {
  local rc=0

  [[ -x "/usr/bin/certmaster-ca" ]] || rc=$?
  assertTrue "certmaster-ca exists" "$rc"
}
27
# The certmaster-request tool must be installed at its expected path.
# The check is -x, so the file has to be executable, not merely present.
test_CertmasterRequestAvailable() {
  local rc=0

  [[ -x "/usr/bin/certmaster-request" ]] || rc=$?
  assertTrue "certmaster-request exists" "$rc"
}
33
# After setUp the init script must report the daemon as running.
# The init script's own output is not suppressed here.
test_CertmasterDaemonRunning() {
  local rc=0

  /etc/init.d/certmaster status || rc=$?
  assertTrue "certmaster daemon running" "$rc"
}
39
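# "certmaster-request --help" must print exactly the usage text below.
# Only stdout is captured; the exit status is not checked.
test_CertmasterRequestHelp() {
  local actual expected

  actual=$(certmaster-request --help)

  # The here-doc body and its EOF marker must stay at column 0: with a plain
  # <<EOF every leading character is part of the expected text.
  expected=$(cat <<EOF
Usage: certmaster-request [options]

Options:
-h, --help show this help message and exit
--hostname=NAME hostname to use as the CN for the certificate
--ca=CA certificate authority used to sign the certificate
EOF
)

  # shunit2 takes the expected value before the actual one, so a failure
  # report labels the two sides correctly.
  assertEquals "certmaster-request --help" "$expected" "$actual"
}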
57
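# The short flag "certmaster-request -h" must print the same usage text as
# --help. Only stdout is captured; the exit status is not checked.
test_CertmasterRequestHFlag() {
  local actual expected

  actual=$(certmaster-request -h)

  # The here-doc body and its EOF marker must stay at column 0: with a plain
  # <<EOF every leading character is part of the expected text.
  expected=$(cat <<EOF
Usage: certmaster-request [options]

Options:
-h, --help show this help message and exit
--hostname=NAME hostname to use as the CN for the certificate
--ca=CA certificate authority used to sign the certificate
EOF
)

  # shunit2 takes the expected value before the actual one, so a failure
  # report labels the two sides correctly.
  assertEquals "certmaster-request -h" "$expected" "$actual"
}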
74
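# An unknown option must be rejected with the usage line followed by a
# "no such option" error. The exit status is not checked.
test_CertmasterRequestBadFlag() {
  local actual expected

  # 2>&1 folds stderr into the capture; a plain command substitution
  # (backticks or $(...)) only collects stdout, and the error text is
  # expected on stderr.
  actual=$(certmaster-request --blah 2>&1)

  # The here-doc body and its EOF marker must stay at column 0: with a plain
  # <<EOF every leading character is part of the expected text.
  expected=$(cat <<EOF
Usage: certmaster-request [options]

certmaster-request: error: no such option: --blah
EOF
)

  # shunit2 takes the expected value before the actual one, so a failure
  # report labels the two sides correctly.
  assertEquals "certmaster-request --blah" "$expected" "$actual"
}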
90
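# "certmaster-ca --help" must print exactly the usage text below.
# Only stdout is captured; the exit status is not checked.
test_CertmasterCAHelp() {
  local actual expected

  actual=$(certmaster-ca --help)

  # The here-doc body and its EOF marker must stay at column 0: with a plain
  # <<EOF every leading character is part of the expected text.
  expected=$(cat <<EOF
Usage: certmaster-ca <option> [args]

Options:
--version show program's version number and exit
-h, --help show this help message and exit
--ca=CA certificate authority used to sign/list certs
-l, --list list signing requests remaining
-s, --sign sign requests of hosts specified
-c, --clean clean out all certs or csrs for the hosts specified
--list-signed list all signed certs
--list-cert-hash list the cert hash for signed certs
EOF
)

  # shunit2 takes the expected value before the actual one, so a failure
  # report labels the two sides correctly.
  assertEquals "certmaster-ca --help" "$expected" "$actual"
}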
110
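# The short flag "certmaster-ca -h" must print the same usage text as
# --help. Only stdout is captured; the exit status is not checked.
test_CertmasterCAHFlag() {
  local actual expected

  actual=$(certmaster-ca -h)

  # The here-doc body and its EOF marker must stay at column 0: with a plain
  # <<EOF every leading character is part of the expected text.
  expected=$(cat <<EOF
Usage: certmaster-ca <option> [args]

Options:
--version show program's version number and exit
-h, --help show this help message and exit
--ca=CA certificate authority used to sign/list certs
-l, --list list signing requests remaining
-s, --sign sign requests of hosts specified
-c, --clean clean out all certs or csrs for the hosts specified
--list-signed list all signed certs
--list-cert-hash list the cert hash for signed certs
EOF
)

  # shunit2 takes the expected value before the actual one, so a failure
  # report labels the two sides correctly.
  assertEquals "certmaster-ca -h" "$expected" "$actual"
}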
130
# "certmaster-ca --version" must mention both a "version:" and a "release:"
# field. Only the presence of the two labels is checked, not their values.
test_CertmasterCAVersion() {
  local rc

  actual=$(certmaster-ca --version)

  rc=0
  [[ "$actual" == *"version:"* ]] || rc=$?
  assertTrue "version includes a version" "$rc"

  rc=0
  [[ "$actual" == *"release:"* ]] || rc=$?
  assertTrue "version includes a release" "$rc"
}
141
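# End-to-end check of the CA named "test": a request made with --ca test
# must come back signed without any operator action (presumably autosign is
# enabled for that CA in certmaster.conf.tst, which is not visible here).
# Verifies the files written under /etc/pki/certmaster-test, the
# certificate's CN, the key and CSR integrity, and the CA's pending/signed
# listings. The exit status of certmaster-request itself is not checked.
test_TestCA_Autosigning() {
  local host=testcert.pwan.co
  local pki_dir=/etc/pki/certmaster-test
  local ext subject output

  certmaster-request --hostname "$host" --ca test

  [[ -e "$pki_dir" ]]
  assertTrue "$pki_dir exists" $?
  for ext in cert pem csr; do
    [[ -e "$pki_dir/$host.$ext" ]]
    assertTrue "$host.$ext exists" $?
  done

  # The CN is what ties the issued certificate to the requested hostname, so
  # the comparison has to feed an assertion rather than be discarded.
  # -nameopt RFC2253 pins the "CN=value" spelling; the default subject
  # format differs between OpenSSL releases ("/CN=x" vs "CN = x").
  # This is a substring match, as the pattern was originally written.
  subject=$(openssl x509 -in "$pki_dir/$host.cert" -subject -noout -nameopt RFC2253)
  [[ "$subject" == *"CN=$host"* ]]
  assertTrue "cert subject CN is $host" $?

  # Key consistency check and CSR self-signature check.
  openssl rsa -in "$pki_dir/$host.pem" -check > /dev/null 2>&1
  assertTrue "$host.pem OK" $?
  openssl req -text -noout -verify -in "$pki_dir/$host.csr" > /dev/null 2>&1
  assertTrue "$host.csr OK" $?

  # Verify there are no certs left to sign
  # (shunit2 argument order: message, expected, actual)
  output=$(certmaster-ca --list --ca test)
  assertEquals "nothing to sign" "No certificates to sign" "$output"

  # Verify the cert shows up in the signed list
  output=$(certmaster-ca --list-signed --ca test)
  [[ "$output" == *"$host"* ]]
  assertTrue "--list-signed includes testcert" $?

  # Verify the cert shows up in the list-cert-hash command
  output=$(certmaster-ca --list-cert-hash --ca test)
  [[ "$output" == *"$host"* ]]
  assertTrue "--list-cert-hash includes testcert" $?
}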
178
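# End-to-end check of the default CA, which must NOT sign on its own: the
# request has to show up in "certmaster-ca --list" until it is signed
# explicitly, and only then may the certificate appear.
# Verifies the pending listing, the explicit sign step, the signed listings,
# the files written under /etc/pki/certmaster, the certificate's CN and the
# key and CSR integrity.
test_DefaultCA_NonAutosigning() {
  local host=defaultcert.pwan.co
  local pki_dir=/etc/pki/certmaster
  local ext subject output

  # Turn on job control, so 'fg' is available
  set -m

  # Request a cert. It runs in the background because the request
  # presumably does not return until the CA has signed it.
  certmaster-request --hostname "$host" &
  sleep 1
  echo "...patience grasshopper..."

  # Verify the cert is waiting to be signed
  output=$(certmaster-ca --list)
  [[ "$output" == *"$host"* ]]
  assertTrue "$output includes defaultcert" $?

  # Sign the cert (stdout is captured only to keep it off the console)
  output=$(certmaster-ca --sign "$host")
  sleep 1

  # Bring the request back to the foreground so it can finish
  fg

  # Verify there are no certs left to sign
  # (shunit2 argument order: message, expected, actual)
  output=$(certmaster-ca --list)
  assertEquals "nothing to sign" "No certificates to sign" "$output"

  # Verify the cert shows up in the signed list
  output=$(certmaster-ca --list-signed)
  [[ "$output" == *"$host"* ]]
  assertTrue "--list-signed includes defaultcert" $?

  # Verify the cert shows up in the list-cert-hash command
  output=$(certmaster-ca --list-cert-hash)
  [[ "$output" == *"$host"* ]]
  assertTrue "--list-cert-hash includes defaultcert" $?

  # Verify all the expected files exist
  [[ -e "$pki_dir" ]]
  assertTrue "$pki_dir exists" $?
  for ext in cert pem csr; do
    [[ -e "$pki_dir/$host.$ext" ]]
    assertTrue "$host.$ext exists" $?
  done

  # Verify the cert's CN. The CN is what ties the issued certificate to the
  # requested hostname, so the comparison has to feed an assertion rather
  # than be discarded. -nameopt RFC2253 pins the "CN=value" spelling; the
  # default subject format differs between OpenSSL releases.
  # This is a substring match, as the pattern was originally written.
  subject=$(openssl x509 -in "$pki_dir/$host.cert" -subject -noout -nameopt RFC2253)
  [[ "$subject" == *"CN=$host"* ]]
  assertTrue "cert subject CN is $host" $?

  # Verify the key and signing request are valid.
  # Output goes to /dev/null; a misspelt target here would, when run as
  # root, leave a stray regular file under /dev.
  openssl rsa -in "$pki_dir/$host.pem" -check > /dev/null 2>&1
  assertTrue "$host.pem OK" $?
  openssl req -text -noout -verify -in "$pki_dir/$host.csr" > /dev/null 2>&1
  assertTrue "$host.csr OK" $?

  set +m
}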
237
238
# Hand control to shunit2. This has to stay at the end of the file, after
# every test_* function and the setUp/tearDown fixtures are defined.
source /usr/share/shunit2/shunit2