shell/caucase.sh: Extend embedded test suite.

Get an auto-issued user certificate and use it to exercise an authenticated action.

shell/caucase.sh: Extend embedded test suite.
Get an auto-issued user certificate and use it to exercise an authenticated action.
74540bdc · Vincent Pelletier · 2a556bd2 · 74540bdc
Commit 74540bdc authored Jun 25, 2020 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 60 additions and 5 deletions

shell/caucase.sh shell/caucase.sh +60 -5

No files found.
--- a/shell/caucase.sh
+++ b/shell/caucase.sh
@@ -1116,6 +1116,7 @@ EOF
  _test() {
    # shellcheck disable=SC2039
    local netloc="$1" \
+      csr_id \
      status \
      tmp_dir \
      caucased_dir \
@@ -1136,17 +1137,19 @@ EOF
      echo 'Could not setup caucased directory'
      return 1
    fi
-    caucased --netloc "$netloc" &
+    echo 'Starting caucased...'
+    caucased --netloc "$netloc" > /dev/null 2> /dev/null &
    caucased_pid="$!"
    # shellcheck disable=SC2064
    trap "kill \"$caucased_pid\"; wait; rm -rf \"$tmp_dir\"" EXIT
    # wait for up to about 10 seconds for caucased to start listening (initial
    # certificate generation.
+    echo 'Waiting for caucased to be ready...'
    for _ in $(seq 100); do
      _curlInsecure "http://$netloc" > /dev/null
      status=$?
      test $status -eq 0 && break
-      # curl status 7 means "cnould not connect"
+      # curl status 7 means "could not connect"
      if [ $status -ne 7 ]; then
        echo "curl failed while accessing test caucased with status $status"
        return 1
@@ -1163,17 +1166,69 @@ EOF
      echo 'Could not enter test temporary directory'
      return 1
    fi
-    _main --ca-url "http://$netloc" --update-user
+    cat > "openssl.cnf" << EOF
-    if [ ! -r cas.crt.pem ]; then
+[ req ]
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+req_extensions = v3_req
+[ req_distinguished_name ]
+CN = Common Name
+[ v3_req ]
+basicConstraints = CA:FALSE
+EOF
+    echo 'Generating a key and csr...'
+    openssl req \
+      -new \
+      -keyout user_crt.pem \
+      -subj "/CN=testuser" \
+      -config openssl.cnf \
+      -nodes \
+      -out user_csr.pem 2> /dev/null
+    echo 'Bootstraping trust and submitting csr for a user certificate...'
+    csr_id="$(_main \
+      --ca-url "http://$netloc" \
+      --update-user \
+      --mode user \
+      --send-csr user_csr.pem \
+      | sed 's/\s.*//' \
+    )"
+    if [ ! -f cas.crt.pem ]; then
      echo 'cas.crt.pem not created'
      find . -ls
      return 1
    fi
-    if [ ! -r cau.crt.pem ]; then
+    if [ ! -f cau.crt.pem ]; then
      echo 'cau.crt.pem not created'
      find . -ls
      return 1
    fi
+    echo 'Retrieving auto-issued user certificate...'
+    if _main \
+      --ca-url "http://$netloc" \
+      --mode user \
+      --get-crt "$csr_id" user_crt.pem
+    then
+      :
+    else
+      echo 'Failed to receive signed user certificate.'
+      find . -ls
+      return 1
+    fi
+    echo 'Using the user certificate...'
+    if _main \
+      --ca-url "http://$netloc" \
+      --user-key user_crt.pem \
+      --list-csr \
+      > /dev/null; then
+      :
+    else
+      echo 'Failed to list pending CSR, authentication failed ?'
+      find . -ls
+      return 1
+    fi
+    echo 'Success'
  }
  if [ "$#" -gt 0 ] && [ "x$1" = 'x--test' ]; then
    if [ "$#" -le 2 ]; then