X-Git-Url: https://pwan.org/git/?p=certmaster.git;a=blobdiff_plain;f=tests%2Ftest-certmaster.sh;fp=tests%2Ftest-certmaster.sh;h=eab2d9a9000005d32b9d7af489807521829a837e;hp=0000000000000000000000000000000000000000;hb=240ba9b7e2ee00a8f6014c7d597a5afd1f96249c;hpb=af9d4112024b33b207ad562f3cadb199155b9575
diff --git a/tests/test-certmaster.sh b/tests/test-certmaster.sh
new file mode 100755
index 0000000..eab2d9a
--- /dev/null
+++ b/tests/test-certmaster.sh
@@ -0,0 +1,240 @@
+#!/bin/bash
+# shunit2 tests for certmaster
+# (sorry bats, but I couldn't figure out how to push a command into the background with ya)
+
+setUp()
+{
+ /etc/init.d/certmaster stop >& /dev/null || true
+ mkdir -p /etc/certmaster
+ cp certmaster.conf.tst /etc/certmaster/certmaster.conf
+ cp minion.conf.tst /etc/certmaster/minion.conf
+ rm -rf /var/lib/certmaster
+ rm -rf /var/lib/certmaster/test
+ rm -rf /etc/pki/certmaster
+ rm -rf /etc/pki/certmaster-test
+ /etc/init.d/certmaster start >& /dev/null
+}
+
+tearDown() {
+ /etc/init.d/certmaster stop >& /dev/null
+}
+
+test_CertmasterCaAvailable()
+{
+ [[ -x "/usr/bin/certmaster-ca" ]]
+ assertTrue "certmaster-ca exists" $?
+}
+
+test_CertmasterRequestAvailable()
+{
+ [[ -x "/usr/bin/certmaster-request" ]]
+ assertTrue "certmaster-request exists" $?
+}
+
+test_CertmasterDaemonRunning()
+{
+ /etc/init.d/certmaster status
+ assertTrue "certmaster daemon running" $?
+}
+
+test_CertmasterRequestHelp()
+{
+ actual=`certmaster-request --help`
+
+ expected=$(cat <&1)
+
+ expected=$(cat < [args]
+
+Options:
+ --version show program's version number and exit
+ -h, --help show this help message and exit
+ --ca=CA certificate authority used to sign/list certs
+ -l, --list list signing requests remaining
+ -s, --sign sign requests of hosts specified
+ -c, --clean clean out all certs or csrs for the hosts specified
+ --list-signed list all signed certs
+ --list-cert-hash list the cert hash for signed certs
+EOF
+)
+ assertEquals "certmaster-ca --help" "$actual" "$expected"
+}
+
+test_CertmasterCAHFlag()
+{
+ actual=`certmaster-ca -h`
+ expected=$(cat < [args]
+
+Options:
+ --version show program's version number and exit
+ -h, --help show this help message and exit
+ --ca=CA certificate authority used to sign/list certs
+ -l, --list list signing requests remaining
+ -s, --sign sign requests of hosts specified
+ -c, --clean clean out all certs or csrs for the hosts specified
+ --list-signed list all signed certs
+ --list-cert-hash list the cert hash for signed certs
+EOF
+)
+ assertEquals "certmaster-ca -h" "$actual" "$expected"
+}
+
+test_CertmasterCAVersion()
+{
+ actual=`certmaster-ca --version`
+
+ [[ "$actual" == *"version:"* ]]
+ assertTrue "version includes a version" $?
+
+ [[ "$actual" == *"release:"* ]]
+ assertTrue "version includes a release" $?
+}
+
+test_TestCA_Autosigning()
+{
+ certmaster-request --hostname testcert.pwan.co --ca test
+
+ [[ -e /etc/pki/certmaster-test ]]
+ assertTrue "/etc/pki/certmaster-test exists" $?
+ [[ -e /etc/pki/certmaster-test/testcert.pwan.co.cert ]]
+ assertTrue "testcert.pwan.co.cert exists" $?
+ [[ -e /etc/pki/certmaster-test/testcert.pwan.co.pem ]]
+ assertTrue "testcert.pwan.co.pem exists" $?
+ [[ -e /etc/pki/certmaster-test/testcert.pwan.co.csr ]]
+ assertTrue "testcert.pwan.co.csr exists" $?
+
+ subject=`openssl x509 -in /etc/pki/certmaster-test/testcert.pwan.co.cert -subject -noout`
+ [[ $subject == *"CN=testcert.pwan.co"* ]]
+
+ openssl rsa -in /etc/pki/certmaster-test/testcert.pwan.co.pem -check > /dev/null 2>&1
+ assertTrue "test.pwan.co.pem OK" $?
+ openssl req -text -noout -verify -in /etc/pki/certmaster-test/testcert.pwan.co.csr > /dev/null 2>&1
+ assertTrue "test.pwan.co.csr OK" $?
+
+ # Verify there are no certs left to sign
+ output=`certmaster-ca --list --ca test`
+ assertEquals "nothing to sign" "$output" "No certificates to sign"
+
+ # Verify the cert shows up in the signed list
+ output=`certmaster-ca --list-signed --ca test`
+ [[ $output == *"testcert.pwan.co"* ]]
+ assertTrue "--list-signed includes testcert" $?
+
+ # Verify the cert shows up in the list-cert-hash command
+ output=`certmaster-ca --list-cert-hash --ca test`
+ [[ $output == *"testcert.pwan.co"* ]]
+ assertTrue "--list-cert-hash includes testcert" $?
+
+}
+
+test_DefaultCA_NonAutosigning() {
+
+ # Turn on job control, so 'fg' is available
+ set -m
+
+ # Request a cert
+ certmaster-request --hostname defaultcert.pwan.co &
+ sleep 1
+ echo "...patience grasshopper..."
+
+ # Verify the cert is waiting to be signed
+ output=`certmaster-ca --list`
+ [[ $output == *"defaultcert.pwan.co"* ]]
+ assertTrue "$output includes defaultcert" $?
+
+ # Sign the cert
+ output=`certmaster-ca --sign defaultcert.pwan.co`
+ sleep 1
+
+ # Bring the request back to the foreground so it can finish
+ fg
+
+ # Verify there are no certs left to sign
+ output=`certmaster-ca --list`
+ assertEquals "nothing to sign" "$output" "No certificates to sign"
+
+ # Verify the cert shows up in the signed list
+ output=`certmaster-ca --list-signed`
+ [[ $output == *"defaultcert.pwan.co"* ]]
+ assertTrue "--list-signed includes defaultcert" $?
+
+ # Verify the cert shows up in the list-cert-hash command
+ output=`certmaster-ca --list-cert-hash`
+ [[ $output == *"defaultcert.pwan.co"* ]]
+ assertTrue "--list-cert-hash includes defaultcert" $?
+
+ # Verify all the expected files exist
+ [[ -e /etc/pki/certmaster ]]
+ assertTrue "/etc/pki/certmaster exists" $?
+ [[ -e /etc/pki/certmaster/defaultcert.pwan.co.cert ]]
+ assertTrue "defaultcert.pwan.co.cert.exists" $?
+ [[ -e /etc/pki/certmaster/defaultcert.pwan.co.pem ]]
+ assertTrue "defaultcert.pwan.co.pem exists" $?
+ [[ -e /etc/pki/certmaster/defaultcert.pwan.co.csr ]]
+ assertTrue "default.pwan.co.csr exists" $?
+
+ # Verify the cert's CN
+ subject=`openssl x509 -in /etc/pki/certmaster/defaultcert.pwan.co.cert -subject -noout`
+ [[ $subject == *"CN=defaultcert.pwan.co"* ]]
+
+ # Verify the key and signing request are valid
+ openssl rsa -in /etc/pki/certmaster/defaultcert.pwan.co.pem -check > /dev/null 2>&1
+ assertTrue "default.pwan.co.pem OK" $?
+ openssl req -text -noout -verify -in /etc/pki/certmaster/defaultcert.pwan.co.csr > /dev/nulla 2>&1
+ assertTrue "defaultcert.pwan.co.csr OK" $?
+
+ set +m
+}
+
+
+# load shunit2
+. /usr/share/shunit2/shunit2
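Review bot: The subject check `[[ $subject == *"CN=testcert.pwan.co"* ]]` in test_TestCA_Autosigning, and its twin for defaultcert.pwan.co in test_DefaultCA_NonAutosigning, is never followed by an assert, so a certificate issued with the wrong CN would still pass; add `assertTrue "cert CN matches requested hostname" $?` directly after each. In test_DefaultCA_NonAutosigning the CSR verification redirects to `/dev/nulla`, which when run as root creates a stray regular file under /dev instead of discarding output; it should read `> /dev/null 2>&1`. Once the CN assert is live, the literal `CN=` pattern may need loosening, since newer OpenSSL releases print the subject as `CN = name`. Neither test checks that the issued certificate chains to the intended CA, which would be worth an `openssl verify` step against that CA's certificate.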