#! /usr/bin/env bats
load '/bats-support/load.bash'
load '/bats-assert/load.bash'
load '/getssl/test/test_helper.bash'
# This is run for every test
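# Runs before every test. teardown() leaves a marker file behind once a test
# has failed; from then on the remaining tests in this file are skipped so a
# single failure does not cascade into a chain of follow-on failures.
setup() {
  # Quoted: BATS_RUN_TMPDIR is a path and must not be word-split.
  if [[ -f "${BATS_RUN_TMPDIR}/failed.skip" ]]; then
    skip "skipping tests after first failure"
  fi
}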
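# Runs after every test. bats sets BATS_TEST_COMPLETED once the test body has
# run to the end, so when it is empty the test did not complete; drop the
# marker that setup() checks so the rest of the file is skipped.
teardown() {
  if [[ -z "$BATS_TEST_COMPLETED" ]]; then
    # Quoted: BATS_RUN_TMPDIR is a path and must not be word-split.
    touch "${BATS_RUN_TMPDIR}/failed.skip"
  fi
}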
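# Runs once before the tests in this file. Against the local (non-staging)
# setup, register an A record for a.${GETSSL_HOST} with the test DNS server
# (looks like a pebble-challtestsrv /add-a endpoint — verify) so the extra
# SAN that the tests below add can be validated.
setup_file() {
  if [[ -z "$STAGING" ]]; then
    local payload
    # CA bundle of the local pebble ACME server; this POST itself is plain
    # http, so the bundle is presumably for later HTTPS calls — confirm.
    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
    # Build the JSON body with printf instead of splicing unquoted variables
    # into the argument, so a value containing whitespace cannot split the
    # body into several curl arguments.
    printf -v payload '{"host":"a.%s", "addresses":["%s"]}' "$GETSSL_HOST" "$GETSSL_IP"
    curl --silent -X POST -d "$payload" http://10.30.50.3:8055/add-a
  fi
}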
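# Runs once after the tests in this file. Against the local (non-staging)
# setup, remove the A record for a.${GETSSL_HOST} that setup_file() added
# (the /clear-a counterpart of /add-a) so later test files start clean.
teardown_file() {
  if [[ -z "$STAGING" ]]; then
    local payload
    # Same quoting rationale as setup_file(): keep the JSON body one argument.
    printf -v payload '{"host":"a.%s", "addresses":["%s"]}' "$GETSSL_HOST" "$GETSSL_IP"
    curl --silent -X POST -d "$payload" http://10.30.50.3:8055/clear-a
  fi
}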
# Baseline: issue a certificate for the single configured domain. The later
# tests in this file reuse this certificate to check when getssl does (and
# does not) re-issue after the SANS list changes.
@test "Create certificate to check can add to SANS" {
  [[ -z "$STAGING" ]] || skip "Not trying on staging server yet"
  # CONFIG_FILE is a global read by the helpers from test_helper.bash.
  CONFIG_FILE="getssl-dns01.cfg"
  setup_environment
  init_getssl
  create_certificate
  assert_success
  check_output_for_errors
}
# Re-run with the same single domain: getssl must treat the existing
# certificate as still valid and must not create a new one.
@test "Check that if the SANS doesn't change, we don't re-create the certificate (single domain)" {
  [[ -z "$STAGING" ]] || skip "Not trying on staging server yet"
  CONFIG_FILE="getssl-dns01.cfg"
  . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
  # CERT stays a global; it may be read by the helper functions.
  CERT="${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
  create_certificate
  assert_success
  check_output_for_errors
  # Unchanged SANS list: none of the "re-issue" messages may appear, and
  # getssl must report the current certificate as still valid.
  refute_line --partial "does not match domains requested"
  refute_line --partial "does not have the same domains as the config - re-create-csr"
  refute_line --partial "certificate installed OK on server"
  assert_line --partial 'certificate is valid for more than'
  # The DNS SAN entries of the issued certificate must match exactly.
  local san_in_cert san_expected
  san_expected="DNS:${GETSSL_HOST}"
  san_in_cert=$(openssl x509 -in "$CERT" -noout -text | grep "DNS:" | sed 's/^ *//g')
  if [[ "$san_in_cert" != "$san_expected" ]]; then
    # Lines starting with '#' show up as diagnostics in the bats output.
    printf '# SAN_IN_CERT=%s\n# SAN_EXPECTED=%s\n' "$san_in_cert" "$san_expected"
  fi
  [[ "$san_in_cert" == "$san_expected" ]]
}
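# Add a second domain to SANS: getssl must notice the mismatch with the
# existing certificate, re-create the CSR and install a new certificate.
@test "Check certificate is recreated if we add a new domain to SANS" {
  [[ -z "$STAGING" ]] || skip "Not trying on staging server yet"
  CONFIG_FILE="getssl-dns01.cfg"
  # Per-test override file that adds a.${GETSSL_HOST} to SANS. The target path
  # is quoted so whitespace in INSTALL_DIR cannot produce an "ambiguous
  # redirect". INSTALL_DIR and GETSSL_CMD_HOST are expected to already be in
  # the environment at this point, since the test config is only sourced
  # below — TODO confirm against test_helper.bash.
  local override_cfg="${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg"
  printf 'SANS="a.%s"\n' "$GETSSL_HOST" > "$override_cfg"
  . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
  # CERT stays a global; it may be read by the helper functions.
  CERT="${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
  create_certificate
  assert_success
  check_output_for_errors
  # Changed SANS list: the full re-issue path must be taken, and the
  # "still valid" short-cut must not.
  assert_line --partial "does not match domains requested"
  assert_line --partial "does not have the same domains as the config - re-create-csr"
  assert_line --partial "certificate installed OK on server"
  refute_line --partial 'certificate is valid for more than'
  # The DNS SAN entries of the new certificate must list both domains.
  local san_in_cert san_expected
  san_expected="DNS:${GETSSL_HOST}, DNS:a.${GETSSL_HOST}"
  san_in_cert=$(openssl x509 -in "$CERT" -noout -text | grep "DNS:" | sed 's/^ *//g')
  if [[ "$san_in_cert" != "$san_expected" ]]; then
    # Lines starting with '#' show up as diagnostics in the bats output.
    printf '# SAN_IN_CERT=%s\n# SAN_EXPECTED=%s\n' "$san_in_cert" "$san_expected"
  fi
  [[ "$san_in_cert" == "$san_expected" ]]
}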
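# Re-run with the same two-domain SANS list as the previous test: getssl
# must keep the existing certificate and not re-issue.
@test "Check that if the SANS doesn't change, we don't re-create the certificate (multiple domains)" {
  [[ -z "$STAGING" ]] || skip "Not trying on staging server yet"
  CONFIG_FILE="getssl-dns01.cfg"
  # Per-test override file with the same SANS as before. The target path is
  # quoted so whitespace in INSTALL_DIR cannot produce an "ambiguous
  # redirect". INSTALL_DIR and GETSSL_CMD_HOST are expected to already be in
  # the environment at this point, since the test config is only sourced
  # below — TODO confirm against test_helper.bash.
  local override_cfg="${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg"
  printf 'SANS="a.%s"\n' "$GETSSL_HOST" > "$override_cfg"
  . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
  # CERT stays a global; it may be read by the helper functions.
  CERT="${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
  create_certificate
  assert_success
  check_output_for_errors
  # Unchanged SANS list: none of the "re-issue" messages may appear, and
  # getssl must report the current certificate as still valid.
  refute_line --partial "does not match domains requested"
  refute_line --partial "does not have the same domains as the config - re-create-csr"
  refute_line --partial "certificate installed OK on server"
  assert_line --partial 'certificate is valid for more than'
  # The DNS SAN entries of the certificate must still list both domains.
  local san_in_cert san_expected
  san_expected="DNS:${GETSSL_HOST}, DNS:a.${GETSSL_HOST}"
  san_in_cert=$(openssl x509 -in "$CERT" -noout -text | grep "DNS:" | sed 's/^ *//g')
  if [[ "$san_in_cert" != "$san_expected" ]]; then
    # Lines starting with '#' show up as diagnostics in the bats output.
    printf '# SAN_IN_CERT=%s\n# SAN_EXPECTED=%s\n' "$san_in_cert" "$san_expected"
  fi
  [[ "$san_in_cert" == "$san_expected" ]]
}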
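# Same set of domains as the previous test but listed in a different order:
# getssl must compare the domains as a set and keep the existing certificate.
@test "Check that if the SANS doesn't change, we don't re-create the certificate (reordered domains)" {
  [[ -z "$STAGING" ]] || skip "Not trying on staging server yet"
  CONFIG_FILE="getssl-dns01.cfg"
  # Per-test override file listing both domains with a.${GETSSL_HOST} first.
  # IGNORE_DIRECTORY_DOMAIN is presumably set so the domain taken from the
  # directory name is not prepended and SANS alone defines the order —
  # verify against getssl. The target path is quoted so whitespace in
  # INSTALL_DIR cannot produce an "ambiguous redirect". INSTALL_DIR and
  # GETSSL_CMD_HOST are expected to already be in the environment here, since
  # the test config is only sourced below — TODO confirm against
  # test_helper.bash.
  local override_cfg="${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg"
  printf 'IGNORE_DIRECTORY_DOMAIN="true"\nSANS="a.%s, %s"\n' "$GETSSL_HOST" "$GETSSL_HOST" > "$override_cfg"
  . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
  # CERT stays a global; it may be read by the helper functions.
  CERT="${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
  create_certificate
  assert_success
  check_output_for_errors
  # Unchanged domain set: none of the "re-issue" messages may appear, and
  # getssl must report the current certificate as still valid.
  refute_line --partial "does not match domains requested"
  refute_line --partial "does not have the same domains as the config - re-create-csr"
  refute_line --partial "certificate installed OK on server"
  assert_line --partial 'certificate is valid for more than'
  # The certificate was not re-issued, so its SAN order is unchanged.
  local san_in_cert san_expected
  san_expected="DNS:${GETSSL_HOST}, DNS:a.${GETSSL_HOST}"
  san_in_cert=$(openssl x509 -in "$CERT" -noout -text | grep "DNS:" | sed 's/^ *//g')
  if [[ "$san_in_cert" != "$san_expected" ]]; then
    # Lines starting with '#' show up as diagnostics in the bats output.
    printf '# SAN_IN_CERT=%s\n# SAN_EXPECTED=%s\n' "$san_in_cert" "$san_expected"
  fi
  [[ "$san_in_cert" == "$san_expected" ]]
}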