system-config/testinfra/test_letsencrypt.py
Ian Wienand 1992a9c1ec letsencrypt: use a fake CA for self-signed testing certs
Production letsencrypt certificate generation creates an intermediate
chain file (ca.cer); to simulate this during the self-signed tests
generate a fake CA certificate, and use that to sign the generated
server certificate.

Tests updated to look for all these files

Change-Id: I3990529bca7ff3c6413ed0066f9c4feaf5464b1c
2019-05-14 10:24:28 +10:00


# Copyright 2019 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import pytest
# Hosts this module runs against: the host serving the acme.opendev.org
# zone, plus the two hosts whose certificate files are checked.
testinfra_hosts = [
    '{}.opendev.org'.format(name)
    for name in ('adns-letsencrypt', 'letsencrypt01', 'letsencrypt02')
]
def test_acme_zone(host):
if host.backend.get_hostname() != 'adns-letsencrypt.opendev.org':
pytest.skip()
acme_opendev_zone = host.file('/var/lib/bind/zones/acme.opendev.org/zone.db')
assert acme_opendev_zone.exists
# On our test nodes, unbound is listening on 127.0.0.1:53; this
# ensures the query hits bind
query_addr = host.ansible("setup")["ansible_facts"]["ansible_default_ipv4"]["address"]
cmd = host.run("dig -t txt acme.opendev.org @" + query_addr)
count = 0
for line in cmd.stdout.split('\n'):
if line.startswith('acme.opendev.org. 60 IN TXT'):
count = count + 1
if count != 6:
# NOTE(ianw): I'm sure there's more pytest-y ways to save this
# for debugging ...
print(cmd.stdout)
assert count == 6, "Did not see required number of TXT records!"
def test_certs_created(host):
if host.backend.get_hostname() == 'letsencrypt01.opendev.org':
domain_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt01.opendev.org/letsencrypt01.opendev.org.key')
assert domain_one.exists
assert domain_one.user == "root"
assert domain_one.group == "letsencrypt"
assert domain_one.mode == 0o640
cert_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt01.opendev.org/letsencrypt01.opendev.org.cer')
assert cert_one.exists
assert cert_one.user == "root"
assert cert_one.group == "letsencrypt"
assert cert_one.mode == 0o640
ca_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt01.opendev.org/ca.cer')
assert ca_one.exists
assert ca_one.user == "root"
assert ca_one.group == "letsencrypt"
assert ca_one.mode == 0o640
domain_two = host.file(
'/etc/letsencrypt-certs/'
'someotherservice.opendev.org/someotherservice.opendev.org.key')
assert domain_two.exists
assert domain_two.user == "root"
assert domain_two.group == "letsencrypt"
assert domain_two.mode == 0o640
cert_two = host.file(
'/etc/letsencrypt-certs/'
'someotherservice.opendev.org/someotherservice.opendev.org.cer')
assert cert_two.exists
assert cert_two.user == "root"
assert cert_two.group == "letsencrypt"
assert cert_two.mode == 0o640
ca_two = host.file(
'/etc/letsencrypt-certs/'
'someotherservice.opendev.org/ca.cer')
assert ca_one.exists
assert ca_one.user == "root"
assert ca_one.group == "letsencrypt"
assert ca_one.mode == 0o640
elif host.backend.get_hostname() == 'letsencrypt02.opendev.org':
domain_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt02.opendev.org/letsencrypt02.opendev.org.key')
assert domain_one.exists
assert domain_one.user == "root"
assert domain_one.group == "letsencrypt"
assert domain_one.mode == 0o640
cert_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt02.opendev.org/letsencrypt02.opendev.org.cer')
assert cert_one.exists
assert cert_one.user == "root"
assert cert_one.group == "letsencrypt"
assert cert_one.mode == 0o640
ca_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt02.opendev.org/ca.cer')
assert ca_one.exists
assert ca_one.user == "root"
assert ca_one.group == "letsencrypt"
assert ca_one.mode == 0o640
else:
pytest.skip()
def test_updated_handler(host):
if host.backend.get_hostname() == 'letsencrypt01.opendev.org':
stamp_file = host.file('/tmp/letsencrypt01-main-service.stamp')
assert stamp_file.exists
stamp_file = host.file('/tmp/letsencrypt01-other-service.stamp')
assert stamp_file.exists
elif host.backend.get_hostname() == 'letsencrypt02.opendev.org':
stamp_file = host.file('/tmp/letsencrypt02-main-service.stamp')
assert stamp_file.exists
else:
pytest.skip()