diff --git a/tests/test_commands.py b/tests/test_commands.py
index d3f4e51565bc3d3ebfe1c34a50527fa310c18680..52f3aa29fecd19c62d308a4b7a9289944e65fbf2 100644
--- a/tests/test_commands.py
+++ b/tests/test_commands.py
@@ -433,7 +433,7 @@ def test_client_errors_out_if_certificate_already_issued(gctmpdir):
 def test_renew_returns_status_code(tmpdir):
 tmpdir.chdir()
- status_code = gimmecert.commands.renew(io.StringIO(), io.StringIO(), tmpdir.strpath, 'server', 'myserver', False, None, None)
+ status_code = gimmecert.commands.renew(io.StringIO(), io.StringIO(), tmpdir.strpath, 'server', 'myserver', False, None, None, None)
 assert isinstance(status_code, int)
@@ -443,7 +443,7 @@ def test_renew_reports_error_if_directory_is_not_initialised(tmpdir):
 stdout_stream = io.StringIO()
 stderr_stream = io.StringIO()
- status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, tmpdir.strpath, 'server', 'myserver', False, None, None)
+ status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, tmpdir.strpath, 'server', 'myserver', False, None, None, None)
 stdout = stdout_stream.getvalue()
 stderr = stderr_stream.getvalue()
@@ -457,7 +457,7 @@ def test_renew_reports_error_if_no_existing_server_certificate_is_present(gctmpd
 stdout_stream = io.StringIO()
 stderr_stream = io.StringIO()
- status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'server', 'myserver', False, None, None)
+ status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'server', 'myserver', False, None, None, None)
 stdout = stdout_stream.getvalue()
 stderr = stderr_stream.getvalue()
@@ -472,7 +472,7 @@ def test_renew_reports_error_if_no_existing_client_certificate_is_present(gctmpd
 stdout_stream = io.StringIO()
 stderr_stream = io.StringIO()
- status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'client', 'myclient', False, None, None)
+ status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'client', 'myclient', False, None, None, None)
 stdout = stdout_stream.getvalue()
 stderr = stderr_stream.getvalue()
@@ -489,7 +489,7 @@ def test_renew_reports_success_and_paths_to_server_artifacts(gctmpdir):
 gimmecert.commands.server(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myserver', None, None, None)
- status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'server', 'myserver', False, None, None)
+ status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'server', 'myserver', False, None, None, None)
 stdout = stdout_stream.getvalue()
 stderr = stderr_stream.getvalue()
@@ -508,7 +508,7 @@ def test_renew_reports_success_and_paths_to_client_artifacts(gctmpdir):
 gimmecert.commands.client(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myclient', None, None)
- status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'client', 'myclient', False, None, None)
+ status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'client', 'myclient', False, None, None, None)
 stdout = stdout_stream.getvalue()
 stderr = stderr_stream.getvalue()
@@ -527,7 +527,7 @@ def test_renew_keeps_server_private_key(gctmpdir):
 gimmecert.commands.server(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myserver', None, None, None)
 private_key_after_issuance = private_key_file.read()
- gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', False, None, None)
+ gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', False, None, None, None)
 private_key_after_renewal = private_key_file.read()
 assert private_key_after_issuance == private_key_after_renewal
@@ -539,7 +539,7 @@ def test_renew_keeps_client_private_key(gctmpdir):
 gimmecert.commands.client(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myclient', None, None)
 private_key_after_issuance = private_key_file.read()
- gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'client', 'myclient', False, None, None)
+ gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'client', 'myclient', False, None, None, None)
 private_key_after_renewal = private_key_file.read()
 assert private_key_after_issuance == private_key_after_renewal
@@ -551,7 +551,7 @@ def test_renew_replaces_server_certificate(gctmpdir):
 gimmecert.commands.server(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myserver', None, None, None)
 certificate_after_issuance = certificate_file.read()
- gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', False, None, None)
+ gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', False, None, None, None)
 certificate_after_renewal = certificate_file.read()
 assert certificate_after_issuance != certificate_after_renewal
@@ -565,7 +565,7 @@ def test_renew_replaces_client_certificate(gctmpdir):
 gimmecert.commands.client(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myclient', None, None)
 certificate_after_issuance = certificate_file.read()
- gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'client', 'myclient', False, None, None)
+ gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'client', 'myclient', False, None, None, None)
 certificate_after_renewal = certificate_file.read()
 assert certificate_after_issuance != certificate_after_renewal
@@ -579,7 +579,7 @@ def test_renew_reports_success_and_paths_to_server_artifacts_with_new_key(gctmpd
 gimmecert.commands.server(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myserver', None, None, None)
- status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'server', 'myserver', True, None, None)
+ status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'server', 'myserver', True, None, None, None)
 stdout = stdout_stream.getvalue()
 stderr = stderr_stream.getvalue()
@@ -596,11 +596,14 @@ def test_renew_generates_new_private_key_if_requested(gctmpdir):
 gimmecert.commands.server(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myserver', None, None, None)
 private_key_after_issuance = private_key_file.read()
+ private_key_size_after_issuance = gimmecert.storage.read_private_key(private_key_file.strpath).key_size
- gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', True, None, None)
+ gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', True, None, None, None)
 private_key_after_renewal = private_key_file.read()
+ private_key_size_after_renewal = gimmecert.storage.read_private_key(private_key_file.strpath).key_size
 assert private_key_after_issuance != private_key_after_renewal
+ assert private_key_size_after_issuance == private_key_size_after_renewal
 def test_status_returns_status_code(tmpdir):
@@ -1070,7 +1073,7 @@ def test_renew_reports_success_and_paths_to_server_artifacts_with_csr(gctmpdir):
 gimmecert.commands.server(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myserver', None, csr_file.strpath, None)
- status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'server', 'myserver', False, None, None)
+ status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'server', 'myserver', False, None, None, None)
 stdout = stdout_stream.getvalue()
 stderr = stderr_stream.getvalue()
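Review bot: The new size assertions in test_renew_generates_new_private_key_if_requested check only `key_size`, which does not establish that the regenerated key is of the same algorithm as the one it replaces; the `('rsa', 1024)` specification used elsewhere in this diff suggests the key algorithm is a separate parameter from the size, so a renewal that kept the size but switched algorithm would still pass here. If that inference is right, keep the parsed key objects and add `assert type(private_key_after_renewal_obj) is type(private_key_after_issuance_obj)` next to the size comparison, where the two objects are the `gimmecert.storage.read_private_key(...)` results already being read for their `key_size`. The enclosing test function starts outside the hunk.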
@@ -1095,7 +1098,7 @@ def test_renew_reports_success_and_paths_to_client_artifacts_with_csr(gctmpdir):
 gimmecert.commands.client(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myclient', csr_file.strpath, None)
- status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'client', 'myclient', False, None, None)
+ status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'client', 'myclient', False, None, None, None)
 stdout = stdout_stream.getvalue()
 stderr = stderr_stream.getvalue()
@@ -1120,7 +1123,7 @@ def test_renew_reports_success_and_paths_to_server_artifacts_with_csr_when_repla
 gimmecert.commands.server(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myserver', None, None, None)
- status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'server', 'myserver', False, csr_file.strpath, None)
+ status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'server', 'myserver', False, csr_file.strpath, None, None)
 stdout = stdout_stream.getvalue()
 stderr = stderr_stream.getvalue()
@@ -1150,7 +1153,7 @@ def test_renew_replaces_server_private_key_with_csr(gctmpdir):
 assert private_key_file.check(file=1)
- gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', False, custom_csr_file.strpath, None)
+ gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', False, custom_csr_file.strpath, None, None)
 assert csr_file.check(file=1)
@@ -1174,7 +1177,7 @@ def test_renew_raises_exception_if_both_new_private_key_generation_and_csr_are_p
 gimmecert.storage.write_csr(custom_csr, custom_csr_file.strpath)
 with pytest.raises(gimmecert.commands.InvalidCommandInvocation) as e_info:
- gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', True, custom_csr_file.strpath, None)
+ gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', True, custom_csr_file.strpath, None, None)
 assert str(e_info.value) == "Only one of the following two parameters should be specified: generate_new_private_key, custom_csr_path."
@@ -1184,7 +1187,7 @@ def test_renew_raises_exception_if_update_dns_names_is_used_for_client_certifica
 with pytest.raises(gimmecert.commands.InvalidCommandInvocation) as e_info:
 gimmecert.commands.renew(io.StringIO(), io.StringIO(), sample_project_directory.strpath, 'client', 'client-with-privkey-1',
- False, None, ["myservice.example.com"])
+ False, None, ["myservice.example.com"], None)
 assert str(e_info.value) == "Updating DNS subject alternative names can be done only for server certificates."
@@ -1201,7 +1204,7 @@ def test_renew_reports_success_and_paths_to_server_artifacts_with_private_key_wh
 gimmecert.commands.server(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myserver', None, custom_csr_file.strpath, None)
- status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'server', 'myserver', True, None, None)
+ status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, gctmpdir.strpath, 'server', 'myserver', True, None, None, None)
 stdout = stdout_stream.getvalue()
 stderr = stderr_stream.getvalue()
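Review bot: The first hunk updates test_renew_raises_exception_if_both_new_private_key_generation_and_csr_are_p... for the new trailing parameter but adds no invalid-combination test for that parameter itself, even though the existing exception message shows that renew() already validates mutually exclusive inputs. A key specification makes no sense together with `custom_csr_path` (the key is not generated locally) and, if `generate_new_private_key` is False, it cannot be honoured because the existing key is kept — unless renew() rejects these, a caller passing something like `("rsa", 4096)` expecting a stronger key would silently retain the old one, which is a bad failure mode for a key-strength request. I cannot see renew() here, so if it already raises InvalidCommandInvocation for both cases, add two tests in the shape of this one, e.g. `gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', False, custom_csr_file.strpath, None, ("rsa", 2048))` inside a `with pytest.raises(gimmecert.commands.InvalidCommandInvocation)` block, and a second with `False, None, None, ("rsa", 2048)`; if it does not, that validation is the thing to add first. The enclosing test function starts outside the hunk.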
@@ -1226,7 +1229,7 @@ def test_renew_reports_success_and_paths_to_artifacts_when_renewing_server_certi
 status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, sample_project_directory.strpath, 'server', entity_name,
- False, None, ["myservice.example.com"])
+ False, None, ["myservice.example.com"], None)
 stdout = stdout_stream.getvalue()
 stderr = stderr_stream.getvalue()
@@ -1249,7 +1252,7 @@ def test_renew_replaces_dns_names(gctmpdir):
 gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver',
- False, None, ["myservice1.example.com", "myservice2.example.com"])
+ False, None, ["myservice1.example.com", "myservice2.example.com"], None)
 new_certificate_pem = certificate_file.read()
 new_certificate = gimmecert.storage.read_certificate(certificate_file.strpath)
@@ -1272,7 +1275,7 @@ def test_renew_removes_dns_names(gctmpdir):
 old_certificate = gimmecert.storage.read_certificate(certificate_file.strpath)
 old_subject_alt_name = old_certificate.extensions.get_extension_for_class(cryptography.x509.SubjectAlternativeName).value
- gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', False, None, [])
+ gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', False, None, [], None)
 new_certificate_pem = certificate_file.read()
 new_certificate = gimmecert.storage.read_certificate(certificate_file.strpath)
@@ -1300,7 +1303,7 @@ def test_renew_replaces_server_csr_with_private_key(gctmpdir):
 assert csr_file.check(file=1)
- gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', True, None, None)
+ gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', True, None, None, None)
 assert private_key_file.check(file=1)
@@ -1386,7 +1389,7 @@ def test_renew_server_reads_csr_from_stdin(mock_read_input, sample_project_direc
 stdout_stream = io.StringIO()
 stderr_stream = io.StringIO()
- status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, sample_project_directory.strpath, "server", entity_name, False, '-', None)
+ status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, sample_project_directory.strpath, "server", entity_name, False, '-', None, None)
 assert status_code == 0
 # Read stored/generated artefacts.
@@ -1418,7 +1421,7 @@ def test_renew_client_reads_csr_from_stdin(mock_read_input, sample_project_direc
 stdout_stream = io.StringIO()
 stderr_stream = io.StringIO()
- status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, sample_project_directory.strpath, "client", entity_name, False, '-', None)
+ status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, sample_project_directory.strpath, "client", entity_name, False, '-', None, None)
 assert status_code == 0
 # Read stored/generated artefacts.
@@ -1479,3 +1482,29 @@ def test_client_uses_passed_in_private_key_algorithm_and_parameters_when_generat
 private_key = gimmecert.storage.read_private_key(private_key_file.strpath)
 assert private_key.key_size == 1024
+
+
+def test_renew_generates_new_private_key_with_same_size_as_old_one(gctmpdir):
+ private_key_file = gctmpdir.join('.gimmecert', 'server', 'myserver.key.pem')
+
+ gimmecert.commands.server(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myserver', None, None, ('rsa', 1024))
+ private_key_after_issuance = private_key_file.read()
+
+ gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', True, None, None, None)
+ private_key_after_renewal = private_key_file.read()
+ private_key_size_after_renewal = gimmecert.storage.read_private_key(private_key_file.strpath).key_size
+
+ assert private_key_after_issuance != private_key_after_renewal
+ assert private_key_size_after_renewal == 1024
+
+
+def test_renew_generates_new_private_key_with_different_size_if_requested(gctmpdir):
+ private_key_file = gctmpdir.join('.gimmecert', 'server', 'myserver.key.pem')
+
+ # Should produce 2048-bit RSA key (default from hierarchy).
+ gimmecert.commands.server(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'myserver', None, None, None)
+
+ gimmecert.commands.renew(io.StringIO(), io.StringIO(), gctmpdir.strpath, 'server', 'myserver', True, None, None, ("rsa", 1024))
+ private_key_size_after_renewal = gimmecert.storage.read_private_key(private_key_file.strpath).key_size
+
+ assert private_key_size_after_renewal == 1024
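Review bot: In test_renew_generates_new_private_key_with_different_size_if_requested the precondition stated by the comment `# Should produce 2048-bit RSA key (default from hierarchy).` is never asserted, so the final `== 1024` check cannot distinguish "renew honoured the explicit specification" from "the hierarchy default was already 1024"; the test would keep passing if the default were ever lowered. Capture the size before renewal with `private_key_size_after_issuance = gimmecert.storage.read_private_key(private_key_file.strpath).key_size` right after the `server(...)` call and add `assert private_key_size_after_issuance != private_key_size_after_renewal` beside the existing assertion (or pin it to 2048 if the default is fixed). The same test also does not check that the key material itself changed, which the sibling test above does via `private_key_after_issuance != private_key_after_renewal`; mirroring that line keeps the two tests consistent. The 1024-bit RSA sizes are fine as a fixture for speed but should stay confined to tests.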