tls tests with bundle.pem (#1671)
This commit is contained in:
parent
865ff5c88d
commit
496dacb7ff
4 changed files with 13 additions and 13 deletions
|
@ -5,7 +5,6 @@ set -u
|
|||
|
||||
setup_file() {
|
||||
load "../lib/setup_file.sh"
|
||||
[[ "${PACKAGE_TESTING}" == "true" ]] && return
|
||||
./instance-data load
|
||||
|
||||
tmpdir="${BATS_FILE_TMPDIR}"
|
||||
|
@ -33,6 +32,8 @@ setup_file() {
|
|||
echo "ibase=16; ${serial}" | bc >"${tmpdir}/serials.txt"
|
||||
cfssl gencrl "${tmpdir}/serials.txt" "${tmpdir}/ca.pem" "${tmpdir}/ca-key.pem" | base64 -d | openssl crl -inform DER -out "${tmpdir}/crl.pem"
|
||||
|
||||
cat "${tmpdir}/ca.pem" "${tmpdir}/inter.pem" > "${tmpdir}/bundle.pem"
|
||||
|
||||
config_set '
|
||||
.api.server.tls.cert_file=strenv(tmpdir) + "/server.pem" |
|
||||
.api.server.tls.key_file=strenv(tmpdir) + "/server-key.pem" |
|
||||
|
@ -49,7 +50,6 @@ teardown_file() {
|
|||
}
|
||||
|
||||
setup() {
|
||||
[[ "${PACKAGE_TESTING}" == "true" ]] && skip
|
||||
load "../lib/setup.sh"
|
||||
./instance-crowdsec start
|
||||
}
|
||||
|
@ -66,7 +66,7 @@ teardown() {
|
|||
}
|
||||
|
||||
@test "simulate one bouncer request with a valid cert" {
|
||||
run -0 curl -s --cert "${tmpdir}/bouncer.pem" --key "${tmpdir}/bouncer-key.pem" --cacert "${tmpdir}/inter.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
|
||||
run -0 curl -s --cert "${tmpdir}/bouncer.pem" --key "${tmpdir}/bouncer-key.pem" --cacert "${tmpdir}/bundle.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
|
||||
assert_output "null"
|
||||
run -0 cscli bouncers list -o json
|
||||
run -0 jq '. | length' <(output)
|
||||
|
@ -84,13 +84,13 @@ teardown() {
|
|||
}
|
||||
|
||||
@test "simulate one bouncer request with an invalid OU" {
|
||||
run curl -s --cert "${tmpdir}/bouncer_bad_ou.pem" --key "${tmpdir}/bouncer_bad_ou-key.pem" --cacert "${tmpdir}/inter.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
|
||||
run curl -s --cert "${tmpdir}/bouncer_bad_ou.pem" --key "${tmpdir}/bouncer_bad_ou-key.pem" --cacert "${tmpdir}/bundle.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
|
||||
run -0 cscli bouncers list -o json
|
||||
assert_output "[]"
|
||||
}
|
||||
|
||||
@test "simulate one bouncer request with a revoked certificate" {
|
||||
run -0 curl -i -s --cert "${tmpdir}/bouncer_revoked.pem" --key "${tmpdir}/bouncer_revoked-key.pem" --cacert "${tmpdir}/inter.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
|
||||
run -0 curl -i -s --cert "${tmpdir}/bouncer_revoked.pem" --key "${tmpdir}/bouncer_revoked-key.pem" --cacert "${tmpdir}/bundle.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
|
||||
assert_output --partial "access forbidden"
|
||||
run -0 cscli bouncers list -o json
|
||||
assert_output "[]"
|
||||
|
|
|
@ -5,7 +5,6 @@ set -u
|
|||
|
||||
setup_file() {
|
||||
load "../lib/setup_file.sh"
|
||||
[[ "${PACKAGE_TESTING}" == "true" ]] && return
|
||||
./instance-data load
|
||||
|
||||
CONFIG_DIR=$(dirname "${CONFIG_YAML}")
|
||||
|
@ -36,6 +35,8 @@ setup_file() {
|
|||
echo "ibase=16; ${serial}" | bc >"${tmpdir}/serials.txt"
|
||||
cfssl gencrl "${tmpdir}/serials.txt" "${tmpdir}/ca.pem" "${tmpdir}/ca-key.pem" | base64 -d | openssl crl -inform DER -out "${tmpdir}/crl.pem"
|
||||
|
||||
cat "${tmpdir}/ca.pem" "${tmpdir}/inter.pem" > "${tmpdir}/bundle.pem"
|
||||
|
||||
config_set '
|
||||
.api.server.tls.cert_file=strenv(tmpdir) + "/server.pem" |
|
||||
.api.server.tls.key_file=strenv(tmpdir) + "/server-key.pem" |
|
||||
|
@ -53,7 +54,6 @@ teardown_file() {
|
|||
}
|
||||
|
||||
setup() {
|
||||
[[ "${PACKAGE_TESTING}" == "true" ]] && skip
|
||||
load "../lib/setup.sh"
|
||||
}
|
||||
|
||||
|
@ -65,7 +65,7 @@ teardown() {
|
|||
|
||||
@test "invalid OU for agent" {
|
||||
config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
|
||||
.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
|
||||
.ca_cert_path=strenv(tmpdir) + "/bundle.pem" |
|
||||
.key_path=strenv(tmpdir) + "/agent_bad_ou-key.pem" |
|
||||
.cert_path=strenv(tmpdir) + "/agent_bad_ou.pem" |
|
||||
.url="https://127.0.0.1:8080"
|
||||
|
@ -79,7 +79,7 @@ teardown() {
|
|||
|
||||
@test "we have exactly one machine registered with TLS" {
|
||||
config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
|
||||
.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
|
||||
.ca_cert_path=strenv(tmpdir) + "/bundle.pem" |
|
||||
.key_path=strenv(tmpdir) + "/agent-key.pem" |
|
||||
.cert_path=strenv(tmpdir) + "/agent.pem" |
|
||||
.url="https://127.0.0.1:8080"
|
||||
|
@ -97,7 +97,7 @@ teardown() {
|
|||
|
||||
@test "invalid cert for agent" {
|
||||
config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
|
||||
.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
|
||||
.ca_cert_path=strenv(tmpdir) + "/bundle.pem" |
|
||||
.key_path=strenv(tmpdir) + "/agent_invalid-key.pem" |
|
||||
.cert_path=strenv(tmpdir) + "/agent_invalid.pem" |
|
||||
.url="https://127.0.0.1:8080"
|
||||
|
@ -110,7 +110,7 @@ teardown() {
|
|||
|
||||
@test "revoked cert for agent" {
|
||||
config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
|
||||
.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
|
||||
.ca_cert_path=strenv(tmpdir) + "/bundle.pem" |
|
||||
.key_path=strenv(tmpdir) + "/agent_revoked-key.pem" |
|
||||
.cert_path=strenv(tmpdir) + "/agent_revoked.pem" |
|
||||
.url="https://127.0.0.1:8080"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/sh
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -eu
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/sh
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -eu
|
||||
|
||||
|
|
Loading…
Reference in a new issue