Commit 62978dd3 authored by Łukasz Nowak's avatar Łukasz Nowak

check_certificate: Support certificate only configuration

parent de8c7232
......@@ -16,7 +16,7 @@ class RunPromise(GenericPromise):
"""
certificate_file = self.getConfig('certificate')
key_file = self.getConfig('key')
key_file = self.getConfig('key', None)
try:
certificate_expiration_days = int(
......@@ -36,22 +36,6 @@ class RunPromise(GenericPromise):
certificate_file, e))
return
try:
with open(key_file, 'r') as fh:
key = serialization.load_pem_private_key(
str2bytes(fh.read()), None, default_backend())
except Exception as e:
self.logger.error(
'ERROR Problem loading key %r, error: %s' % (key_file, e))
return
if certificate.public_key().public_numbers() != \
key.public_key().public_numbers():
self.logger.error(
'ERROR Certificate %r does not match key %r' % (
certificate_file, key_file))
return
if certificate.not_valid_after - datetime.timedelta(
days=certificate_expiration_days) < datetime.datetime.utcnow():
self.logger.error(
......@@ -59,5 +43,26 @@ class RunPromise(GenericPromise):
certificate_file, certificate_expiration_days))
return
self.logger.info(
'OK Certificate %r and key %r are ok' % (certificate_file, key_file))
if key_file is not None:
try:
with open(key_file, 'r') as fh:
key = serialization.load_pem_private_key(
str2bytes(fh.read()), None, default_backend())
except Exception as e:
self.logger.error(
'ERROR Problem loading key %r, error: %s' % (key_file, e))
return
if certificate.public_key().public_numbers() != \
key.public_key().public_numbers():
self.logger.error(
'ERROR Certificate %r does not match key %r' % (
certificate_file, key_file))
return
if key_file:
self.logger.info(
'OK Certificate %r and key %r are ok' % (certificate_file, key_file))
else:
self.logger.info(
'OK Certificate %r is ok, no key provided' % (certificate_file,))
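Review bot: The optional-key path tests the same value two different ways — `if key_file is not None:` guards the load-and-match block while `if key_file:` chooses the success message — so an explicitly empty `key` value takes the load path and is rejected with the 'ERROR Problem loading key' message before the second test is ever reached; the two conditions should agree, e.g. change the second to `if key_file is not None:`. Rejecting an empty key value is the safer (fail-closed) outcome, so this is a consistency issue rather than a bypass, but it should be deliberate and pinned by a test. Moving the key block below the expiry check also means a certificate that both expires soon and does not match its key now reports only the expiry, a change from the previous order that is worth a line in the commit message. The enclosing method starts before the hunk, and the docstring that closes at the top of the first hunk presumably lists the config keys — it should state that `key` is optional and what is checked without it.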
......@@ -146,6 +146,19 @@ class TestCheckCertificate(TestPromisePluginMixin):
self.certificate_path, self.key_path)
)
def test_no_key_provided(self):
self.createKeyCertificate()
self.writePromise({
'certificate': self.certificate_path,
})
self.configureLauncher()
self.launcher.run()
self.assertPassedMessage(
self.getPromiseResult(self.promise_name),
"OK Certificate '%s' is ok, no key provided" % (
self.certificate_path,)
)
def test_no_key(self):
self.createKeyCertificate()
nokey_path = os.path.join(self.tempdir, 'nokey.pem')
......@@ -206,6 +219,20 @@ class TestCheckCertificate(TestPromisePluginMixin):
self.certificate_path,)
)
def test_expires_no_key(self):
self.createKeyCertificate(days=5)
self.writePromise({
'certificate': self.certificate_path,
})
self.configureLauncher()
with self.assertRaises(PromiseError):
self.launcher.run()
self.assertFailedMessage(
self.getPromiseResult(self.promise_name),
"ERROR Certificate '%s' will expire in less than 15 days" % (
self.certificate_path,)
)
def test_expires_custom(self):
self.createKeyCertificate(days=19)
self.writePromise({
......@@ -222,6 +249,21 @@ class TestCheckCertificate(TestPromisePluginMixin):
self.certificate_path,)
)
def test_expires_custom_no_key(self):
self.createKeyCertificate(days=19)
self.writePromise({
'certificate': self.certificate_path,
'certificate-expiration-days': '20'
})
self.configureLauncher()
with self.assertRaises(PromiseError):
self.launcher.run()
self.assertFailedMessage(
self.getPromiseResult(self.promise_name),
"ERROR Certificate '%s' will expire in less than 20 days" % (
self.certificate_path,)
)
def test_expires_bad_value(self):
self.createKeyCertificate(days=14)
self.writePromise({
......@@ -237,6 +279,20 @@ class TestCheckCertificate(TestPromisePluginMixin):
"ERROR certificate-expiration-days is wrong: 'bad'"
)
def test_expires_bad_value_no_key(self):
self.createKeyCertificate(days=14)
self.writePromise({
'certificate': self.certificate_path,
'certificate-expiration-days': 'bad'
})
self.configureLauncher()
with self.assertRaises(PromiseError):
self.launcher.run()
self.assertFailedMessage(
self.getPromiseResult(self.promise_name),
"ERROR certificate-expiration-days is wrong: 'bad'"
)
class TestCheckCertificateSameFile(TestCheckCertificate):
same_file = True
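Review bot: The added tests cover an absent `key` entry but not a present-but-empty one, which the plugin now treats differently (the empty path is handed to `open` and the promise fails); a `test_empty_key` that writes `'key': ''` alongside `'certificate'`, runs the launcher inside `with self.assertRaises(PromiseError):` and checks the result message starts with 'ERROR Problem loading key' would pin that fail-closed behaviour. The four `*_no_key` tests repeat their keyed counterparts line for line apart from the dropped `'key'` entry, so a small helper that takes the promise config dict and the expected message would remove the duplication and keep future variants in step. TestCheckCertificate continues outside the hunks shown here.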