RuhNetConsulting
/
getssl
mirror of https://github.com/srvrco/getssl
1
0
Fork 0
Code Issues 0 Projects 0 Releases 51 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1138 Commits
14 Branches
16 MiB
 
 
 
 
 
 
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
getssl/test/19-test-add-to-sans.bats

177 lines
6.0 KiB
Raw Permalink Blame History

#! /usr/bin/env bats
load '/bats-support/load.bash'
load '/bats-assert/load.bash'
load '/getssl/test/test_helper.bash'
# This is run for every test
setup() {
[ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
}
teardown() {
[ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
}
setup_file() {
if [ -z "$STAGING" ]; then
export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
fi
}
teardown_file() {
if [ -z "$STAGING" ]; then
curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
fi
}
@test "Create certificate to check can add to SANS" {
if [ -n "$STAGING" ]; then
skip "Not trying on staging server yet"
fi
CONFIG_FILE="getssl-dns01.cfg"
setup_environment
init_getssl
create_certificate
assert_success
check_output_for_errors
}
@test "Check that if the SANS doesn't change, we don't re-create the certificate (single domain)" {
if [ -n "$STAGING" ]; then
skip "Not trying on staging server yet"
fi
CONFIG_FILE="getssl-dns01.cfg"
. "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
create_certificate
assert_success
check_output_for_errors
# As the SANS list didn't change, a new certificate isn't needed
refute_line --partial "does not match domains requested"
refute_line --partial "does not have the same domains as the config - re-create-csr"
refute_line --partial "certificate installed OK on server"
assert_line --partial 'certificate is valid for more than'
# Check that the SAN list in the certificate matches the expected value
SAN_IN_CERT=$(openssl x509 -in "$CERT" -noout -text | grep "DNS:" | sed 's/^ *//g')
SAN_EXPECTED="DNS:${GETSSL_HOST}"
if [[ "$SAN_IN_CERT" != "$SAN_EXPECTED" ]]; then
echo "# SAN_IN_CERT=$SAN_IN_CERT"
echo "# SAN_EXPECTED=$SAN_EXPECTED"
fi
[ "${SAN_IN_CERT}" = "$SAN_EXPECTED" ]
}
@test "Check certificate is recreated if we add a new domain to SANS" {
if [ -n "$STAGING" ]; then
skip "Not trying on staging server yet"
fi
CONFIG_FILE="getssl-dns01.cfg"
cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
SANS="a.${GETSSL_HOST}"
EOF
. "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
create_certificate
assert_success
check_output_for_errors
# As the SANS list changed, a new certificate is needed
assert_line --partial "does not match domains requested"
assert_line --partial "does not have the same domains as the config - re-create-csr"
assert_line --partial "certificate installed OK on server"
refute_line --partial 'certificate is valid for more than'
# Check that the SAN list in the certificate matches the expected value
SAN_IN_CERT=$(openssl x509 -in "$CERT" -noout -text | grep "DNS:" | sed 's/^ *//g')
SAN_EXPECTED="DNS:${GETSSL_HOST}, DNS:a.${GETSSL_HOST}"
if [[ "$SAN_IN_CERT" != "$SAN_EXPECTED" ]]; then
echo "# SAN_IN_CERT=$SAN_IN_CERT"
echo "# SAN_EXPECTED=$SAN_EXPECTED"
fi
[ "${SAN_IN_CERT}" = "$SAN_EXPECTED" ]
}
@test "Check that if the SANS doesn't change, we don't re-create the certificate (multiple domains)" {
if [ -n "$STAGING" ]; then
skip "Not trying on staging server yet"
fi
CONFIG_FILE="getssl-dns01.cfg"
cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
SANS="a.${GETSSL_HOST}"
EOF
. "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
create_certificate
assert_success
check_output_for_errors
# As the SANS list didn't change, a new certificate isn't needed
refute_line --partial "does not match domains requested"
refute_line --partial "does not have the same domains as the config - re-create-csr"
refute_line --partial "certificate installed OK on server"
assert_line --partial 'certificate is valid for more than'
# Check that the SAN list in the certificate matches the expected value
SAN_IN_CERT=$(openssl x509 -in "$CERT" -noout -text | grep "DNS:" | sed 's/^ *//g')
SAN_EXPECTED="DNS:${GETSSL_HOST}, DNS:a.${GETSSL_HOST}"
if [[ "$SAN_IN_CERT" != "$SAN_EXPECTED" ]]; then
echo "# SAN_IN_CERT=$SAN_IN_CERT"
echo "# SAN_EXPECTED=$SAN_EXPECTED"
fi
[ "${SAN_IN_CERT}" = "$SAN_EXPECTED" ]
}
@test "Check that if the SANS doesn't change, we don't re-create the certificate (reordered domains)" {
if [ -n "$STAGING" ]; then
skip "Not trying on staging server yet"
fi
CONFIG_FILE="getssl-dns01.cfg"
cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
IGNORE_DIRECTORY_DOMAIN="true"
SANS="a.${GETSSL_HOST}, ${GETSSL_HOST}"
EOF
. "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
create_certificate
assert_success
check_output_for_errors
# As the SANS list didn't change, a new certificate isn't needed
refute_line --partial "does not match domains requested"
refute_line --partial "does not have the same domains as the config - re-create-csr"
refute_line --partial "certificate installed OK on server"
assert_line --partial 'certificate is valid for more than'
# Check that the SAN list in the certificate matches the expected value
SAN_IN_CERT=$(openssl x509 -in "$CERT" -noout -text | grep "DNS:" | sed 's/^ *//g')
SAN_EXPECTED="DNS:${GETSSL_HOST}, DNS:a.${GETSSL_HOST}"
if [[ "$SAN_IN_CERT" != "$SAN_EXPECTED" ]]; then
echo "# SAN_IN_CERT=$SAN_IN_CERT"
echo "# SAN_EXPECTED=$SAN_EXPECTED"
fi
[ "${SAN_IN_CERT}" = "$SAN_EXPECTED" ]
}