Files @ 5a918cd2502e
Branch filter:

Location: gimmecert/functional_tests/test_server.py - annotation

branko
Noticket: Switching to development version.
e17474c5ef5d
e17474c5ef5d
5c9e817249b5
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
3c69231d7781
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
e17474c5ef5d
3c69231d7781
3c69231d7781
3c69231d7781
3c69231d7781
3c69231d7781
3c69231d7781
988ac40d5cec
988ac40d5cec
988ac40d5cec
988ac40d5cec
988ac40d5cec
988ac40d5cec
988ac40d5cec
988ac40d5cec
988ac40d5cec
988ac40d5cec
988ac40d5cec
988ac40d5cec
988ac40d5cec
988ac40d5cec
988ac40d5cec
988ac40d5cec
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a8c83185a93
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
7a2919409da2
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
1d67951da5af
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
407076b32362
# -*- coding: utf-8 -*-
#
# Copyright (C) 2018, 2020, 2024 Branko Majic
#
# This file is part of Gimmecert.
#
# Gimmecert is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the Free
# Software Foundation, either version 3 of the License, or (at your option) any
# later version.
#
# Gimmecert is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
# details.
#
# You should have received a copy of the GNU General Public License along with
# Gimmecert.  If not, see <http://www.gnu.org/licenses/>.
#

import sys

from .base import run_command


def test_server_command_available_with_help():
    # John has finally finished initialising his CA hierarchy. What he
    # wants to do now is to issue a server certificate. He starts off
    # by having a look at the list of available commands.
    stdout, stderr, exit_code = run_command("gimmecert")

    # Looking at output, John notices the server command.
    assert exit_code == 0
    assert stderr == ""
    assert "server" in stdout

    # He goes ahead and has a look at the server command invocation to
    # check what kind of parameters he might need to provide.
    stdout, stderr, exit_code = run_command("gimmecert", "server", "-h")

    # John can see that the command accepts an entity name, and an
    # optional list of DNS subject alternative names.
    assert exit_code == 0
    assert stderr == ""
    assert stdout.startswith("usage: gimmecert server")
    # Help output for nargs="*" got changed in Python 3.9. See
    # https://bugs.python.org/issue38438 for details.
    if sys.version_info.major == 3 and sys.version_info.minor < 9:
        assert " entity_name [dns_name [dns_name ...]]" in stdout
    else:
        assert " entity_name [dns_name ...]" in stdout


def test_server_command_requires_initialised_hierarchy(tmpdir):
    # John is about to issue a server certificate. He switches to his
    # project directory.
    tmpdir.chdir()

    # John tries to issue a server certificate.
    stdout, stderr, exit_code = run_command("gimmecert", "server", "myserver")

    # Unfortunately, John has forgotten to initialise the CA hierarchy
    # from within this directory, and is instead presented with an
    # error.
    assert stdout == ""
    assert stderr == "CA hierarchy must be initialised prior to issuing server certificates. Run the gimmecert init command first.\n"
    assert exit_code != 0


def test_server_command_issues_server_certificate(tmpdir):
    # John is about to issue a server certificate. He switches to his
    # project directory, and initialises the CA hierarchy there.
    tmpdir.chdir()
    run_command("gimmecert", "init")

    # He then runs command for issuing a server certificate.
    stdout, stderr, exit_code = run_command('gimmecert', 'server', 'myserver')

    # John notices that the command has run without an error, and that
    # it has printed out path to the private key and certificate.
    assert stderr == ""
    assert exit_code == 0
    assert "Server certificate issued." in stdout
    assert ".gimmecert/server/myserver.key.pem" in stdout
    assert ".gimmecert/server/myserver.cert.pem" in stdout

    # John has a look at the generated private key using the OpenSSL
    # CLI.
    stdout, stderr, exit_code = run_command('openssl', 'rsa', '-noout', '-text', '-in', '.gimmecert/server/myserver.key.pem')

    # No errors are reported, and John is able to see some details
    # about the generated key.
    assert exit_code == 0
    assert stderr == ""
    assert "Private-Key: (2048 bit, 2 primes)" in stdout

    # John then has a look at the generated certificate file.
    stdout, stderr, exit_code = run_command('openssl', 'x509', '-noout', '-text', '-in', '.gimmecert/server/myserver.cert.pem')

    # Once again, there are no errors, and he can see some details
    # about the certificate.
    assert exit_code == 0
    assert stderr == ""
    assert 'Certificate:' in stdout

    # He notices that the certificate includes the provided entity
    # name as DNS subject alternative name.
    assert "DNS:myserver\n" in stdout

    # John has a quick look at issuer and subject DN stored in
    # certificate.
    issuer_dn, _, _ = run_command('openssl', 'x509', '-noout', '-issuer', '-in', '.gimmecert/server/myserver.cert.pem')
    subject_dn, _, _ = run_command('openssl', 'x509', '-noout', '-subject', '-in', '.gimmecert/server/myserver.cert.pem')
    issuer_dn = issuer_dn.replace('issuer=', '', 1).rstrip().replace(' /CN=', 'CN = ', 1)  # OpenSSL 1.0 vs 1.1 formatting
    subject_dn = subject_dn.replace('subject=', '', 1).rstrip().replace(' /CN=', 'CN = ', 1)  # OpenSSL 1.0 vs 1.1 formatting

    # He notices the issuer DN is as expected based on the directory
    # name, and that server certificate subject DN simply has CN field
    # with the name he provided earlier.
    assert issuer_dn == "CN = %s Level 1 CA" % tmpdir.basename
    assert subject_dn == "CN = myserver"

    # John takes a look at certificate purpose, since he wants to
    # ensure it is a proper TLS server certificate.
    stdout, stderr, exit_code = run_command('openssl', 'x509', '-noout', '-purpose', '-in', '.gimmecert/server/myserver.cert.pem')

    # He verifies that the provided certificate has correct purpose.
    assert "SSL server : Yes" in stdout
    assert "SSL server CA : No" in stdout
    assert "SSL client : No" in stdout
    assert "SSL client CA : No" in stdout

    # Finally, he decides to check if the certificate can be verified
    # using the CA certificate chain.
    _, _, error_code = run_command(
        "openssl", "verify",
        "-CAfile",
        ".gimmecert/ca/chain-full.cert.pem",
        ".gimmecert/server/myserver.cert.pem"
    )

    # He is happy to see that verification succeeds.
    assert error_code == 0


def test_server_command_issues_server_certificate_with_additional_subject_alternative_names(tmpdir):
    # John wants to issue a server certificate that will include a
    # number of additional DNS subject alternative names. He switches
    # to his project directory, and initialises the CA hierarchy
    # there.
    tmpdir.chdir()
    run_command("gimmecert", "init")

    # He then runs command for issuing a server certificate, providing
    # additional DNS subject alternative names..
    stdout, stderr, exit_code = run_command('gimmecert', 'server', 'myserver', 'myserver.local', 'myserver.example.com')

    # The command finishes without any errors being reported.
    assert stderr == ""
    assert exit_code == 0

    # John then a look at generated certificate file.
    stdout, stderr, exit_code = run_command('openssl', 'x509', '-noout', '-text', '-in', '.gimmecert/server/myserver.cert.pem')

    # No errors are reported, and he notices that the provided subject
    # alternative names have been included in the certificate in
    # addition to default one based on the server entity name.
    assert exit_code == 0
    assert stderr == ""

    assert "DNS:myserver," in stdout
    assert "DNS:myserver.local," in stdout
    assert "DNS:myserver.example.com\n" in stdout


def test_server_command_does_not_overwrite_existing_artifacts(tmpdir):
    # John has become an avid user of Gimmecert. He uses it in a lot
    # of projects, including one specific project which he had set-up
    # a couple of months ago, where he has issued some server
    # certificate.
    tmpdir.chdir()
    run_command("gimmecert", "init")
    run_command("gimmecert", "server", "myserver")

    private_key = tmpdir.join(".gimmecert", "server", "myserver.key.pem").read()
    certificate = tmpdir.join(".gimmecert", "server", "myserver.cert.pem").read()

    # After a couple of months of inactivity on that particular
    # project, John is again asked to do something in relation to
    # it. He recalls that he needed to issue a server certificate for
    # it, so he goes ahead and tries to do it again.
    tmpdir.chdir()
    stdout, stderr, exit_code = run_command("gimmecert", "server", "myserver")

    # John realizes in last moment, just as he presses ENTER, that he
    # had issued certificate already. He wonders if he'd need to
    # redeploy it again now, though. To his (small) relief, he
    # realizes is it not necessary, since the tool has refused to
    # overwrite the old key and certificate. Instead he is presented
    # with an error notifying him that the certificate has already
    # been issued.
    assert exit_code != 0
    assert stderr == "Refusing to overwrite existing data. Certificate has already been issued for server myserver.\n"
    assert stdout == ""

    # John double-checks (just to be on the safe side), and can see
    # that both the private key and certificate have been left
    # unchanged.
    assert tmpdir.join(".gimmecert", "server", "myserver.key.pem").read() == private_key
    assert tmpdir.join(".gimmecert", "server", "myserver.cert.pem").read() == certificate