system-config/testinfra/test_letsencrypt.py
Ian Wienand 139dd374ec letsencrypt test: fix email match
It seems acme.sh might have been rewriting this with quotes, and has
now stopped doing that.  Fix the match.

Change-Id: I3c363c498580b79a1a9ed07da6ed3ac72807383b
2020-08-25 14:42:54 +10:00

164 lines
5.9 KiB
Python

# Copyright 2019 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import pytest
testinfra_hosts = ['adns-letsencrypt.opendev.org',
'bridge.openstack.org',
'letsencrypt01.opendev.org',
'letsencrypt02.opendev.org']
def test_acme_zone(host):
if host.backend.get_hostname() != 'adns-letsencrypt.opendev.org':
pytest.skip()
acme_opendev_zone = host.file('/var/lib/bind/zones/acme.opendev.org/zone.db')
assert acme_opendev_zone.exists
# On our test nodes, unbound is listening on 127.0.0.1:53; this
# ensures the query hits bind
query_addr = host.ansible("setup")["ansible_facts"]["ansible_default_ipv4"]["address"]
cmd = host.run("dig -t txt acme.opendev.org @" + query_addr)
count = 0
for line in cmd.stdout.split('\n'):
if line.startswith('acme.opendev.org. 60 IN TXT'):
count = count + 1
if count != 6:
# NOTE(ianw): I'm sure there's more pytest-y ways to save this
# for debugging ...
print(cmd.stdout)
assert count == 6, "Did not see required number of TXT records!"
def test_certs_created(host):
if host.backend.get_hostname() == 'letsencrypt01.opendev.org':
domain_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt01.opendev.org/letsencrypt01.opendev.org.key')
assert domain_one.exists
assert domain_one.user == "root"
assert domain_one.group == "letsencrypt"
assert domain_one.mode == 0o640
cert_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt01.opendev.org/letsencrypt01.opendev.org.cer')
assert cert_one.exists
assert cert_one.user == "root"
assert cert_one.group == "letsencrypt"
assert cert_one.mode == 0o640
ca_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt01.opendev.org/ca.cer')
assert ca_one.exists
assert ca_one.user == "root"
assert ca_one.group == "letsencrypt"
assert ca_one.mode == 0o640
domain_two = host.file(
'/etc/letsencrypt-certs/'
'someotherservice.opendev.org/someotherservice.opendev.org.key')
assert domain_two.exists
assert domain_two.user == "root"
assert domain_two.group == "letsencrypt"
assert domain_two.mode == 0o640
cert_two = host.file(
'/etc/letsencrypt-certs/'
'someotherservice.opendev.org/someotherservice.opendev.org.cer')
assert cert_two.exists
assert cert_two.user == "root"
assert cert_two.group == "letsencrypt"
assert cert_two.mode == 0o640
ca_two = host.file(
'/etc/letsencrypt-certs/'
'someotherservice.opendev.org/ca.cer')
assert ca_one.exists
assert ca_one.user == "root"
assert ca_one.group == "letsencrypt"
assert ca_one.mode == 0o640
elif host.backend.get_hostname() == 'letsencrypt02.opendev.org':
domain_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt02.opendev.org/letsencrypt02.opendev.org.key')
assert domain_one.exists
assert domain_one.user == "root"
assert domain_one.group == "letsencrypt"
assert domain_one.mode == 0o640
cert_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt02.opendev.org/letsencrypt02.opendev.org.cer')
assert cert_one.exists
assert cert_one.user == "root"
assert cert_one.group == "letsencrypt"
assert cert_one.mode == 0o640
ca_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt02.opendev.org/ca.cer')
assert ca_one.exists
assert ca_one.user == "root"
assert ca_one.group == "letsencrypt"
assert ca_one.mode == 0o640
else:
pytest.skip()
def test_updated_handler(host):
if host.backend.get_hostname() == 'letsencrypt01.opendev.org':
stamp_file = host.file('/tmp/letsencrypt01-main-service.stamp')
assert stamp_file.exists
stamp_file = host.file('/tmp/letsencrypt01-other-service.stamp')
assert stamp_file.exists
elif host.backend.get_hostname() == 'letsencrypt02.opendev.org':
stamp_file = host.file('/tmp/letsencrypt02-main-service.stamp')
assert stamp_file.exists
else:
pytest.skip()
def test_acme_sh_config(host):
if not host.backend.get_hostname().startswith('letsencrypt0'):
pytest.skip()
config = host.file('/root/.acme.sh/account.conf')
assert config.exists
assert config.contains("^ACCOUNT_EMAIL=le-test@opendev.org")
def test_certcheck_config(host, zuul_data):
if host.backend.get_hostname() != 'bridge.openstack.org':
pytest.skip()
if zuul_data['extra']['zuul']['job'] != 'system-config-run-letsencrypt':
pytest.skip()
domainlist = host.file('/var/lib/certcheck/ssldomains')
# TODO(ianw): figure out a flag or something from the
# system-config-run-letsencrypt test so that we can assert this
# file exists only in that case.
if not domainlist.exists:
pytest.skip()
assert domainlist.exists
assert domainlist.user == 'certcheck'
# from variables
assert domainlist.contains('^letsencrypt01.opendev.org 5000')
# from extra list; may need to change if list is modified
assert domainlist.contains('^wiki.openstack.org 443')