// TestGenerateStateServerCertAndKey checks that a state-server certificate is
// only generated when the environment config carries both ca-cert and
// ca-private-key, and that the generated certificate parses with its key,
// verifies against the CA now and at nine years, and is rejected at ten
// years and a day.
func (s *ConfigSuite) TestGenerateStateServerCertAndKey(c *gc.C) {
	// Add a cert.
	s.FakeHomeSuite.Home.AddFiles(c, gitjujutesting.TestFile{".ssh/id_rsa.pub", "rsa\n"})

	type testCase struct {
		configValues map[string]interface{}
		errMatch     string
	}
	cases := []testCase{{
		configValues: map[string]interface{}{
			"name": "test-no-certs",
			"type": "dummy",
		},
		errMatch: "environment configuration has no ca-cert",
	}, {
		configValues: map[string]interface{}{
			"name":    "test-no-certs",
			"type":    "dummy",
			"ca-cert": testing.CACert,
		},
		errMatch: "environment configuration has no ca-private-key",
	}, {
		configValues: map[string]interface{}{
			"name":           "test-no-certs",
			"type":           "dummy",
			"ca-cert":        testing.CACert,
			"ca-private-key": testing.CAKey,
		},
	}}

	for _, tc := range cases {
		cfg, err := config.New(config.UseDefaults, tc.configValues)
		c.Assert(err, gc.IsNil)
		certPEM, keyPEM, err := cfg.GenerateStateServerCertAndKey()
		if tc.errMatch != "" {
			// Missing CA material must fail and must not leak any PEM.
			c.Assert(err, gc.ErrorMatches, tc.errMatch)
			c.Assert(certPEM, gc.Equals, "")
			c.Assert(keyPEM, gc.Equals, "")
			continue
		}
		c.Assert(err, gc.IsNil)
		_, _, err = cert.ParseCertAndKey(certPEM, keyPEM)
		c.Check(err, gc.IsNil)
		// Chain to the CA now and at nine years; reject at ten years and a day.
		err = cert.Verify(certPEM, testing.CACert, time.Now())
		c.Assert(err, gc.IsNil)
		err = cert.Verify(certPEM, testing.CACert, time.Now().AddDate(9, 0, 0))
		c.Assert(err, gc.IsNil)
		err = cert.Verify(certPEM, testing.CACert, time.Now().AddDate(10, 0, 1))
		c.Assert(err, gc.NotNil)
	}
}
// TestModeAccumulate runs the rsyslog config worker in accumulate mode and
// checks that it writes ca-cert.pem plus an rsyslog certificate/key pair
// into LogDir (the pair parses and the certificate verifies against that
// CA), and that the 25-juju.conf it writes equals the rendered accumulate
// configuration.
func (s *RsyslogSuite) TestModeAccumulate(c *gc.C) {
	st, m := s.st, s.machine
	worker, err := rsyslog.NewRsyslogConfigWorker(st.Rsyslog(), rsyslog.RsyslogModeAccumulate, m.Tag().String(), "", nil)
	c.Assert(err, gc.IsNil)
	// Deferred calls run in reverse order: Kill first, then Wait for a clean exit.
	defer func() { c.Assert(worker.Wait(), gc.IsNil) }()
	defer worker.Kill()

	logDir := *rsyslog.LogDir
	readPEM := func(name string) string {
		data, err := ioutil.ReadFile(filepath.Join(logDir, name))
		c.Assert(err, gc.IsNil)
		return string(data)
	}

	waitForFile(c, filepath.Join(logDir, "ca-cert.pem"))
	// We should have ca-cert.pem, rsyslog-cert.pem, and rsyslog-key.pem.
	caCertPEM := readPEM("ca-cert.pem")
	rsyslogCertPEM := readPEM("rsyslog-cert.pem")
	rsyslogKeyPEM := readPEM("rsyslog-key.pem")
	_, _, err = cert.ParseCertAndKey(rsyslogCertPEM, rsyslogKeyPEM)
	c.Assert(err, gc.IsNil)
	// The rsyslog certificate must verify against the CA written alongside it.
	err = cert.Verify(rsyslogCertPEM, caCertPEM, time.Now().UTC())
	c.Assert(err, gc.IsNil)

	// Verify rsyslog configuration.
	confPath := filepath.Join(*rsyslog.RsyslogConfDir, "25-juju.conf")
	waitForFile(c, confPath)
	rsyslogConf, err := ioutil.ReadFile(confPath)
	c.Assert(err, gc.IsNil)
	syslogPort := s.Conn.Environ.Config().SyslogPort()
	syslogConfig := syslog.NewAccumulateConfig(m.Tag().String(), logDir, syslogPort, "", []string{})
	syslogConfig.ConfigDir = *rsyslog.RsyslogConfDir
	rendered, err := syslogConfig.Render()
	c.Assert(err, gc.IsNil)
	c.Assert(string(rsyslogConf), gc.DeepEquals, string(rendered))
}
// TestFinishBootstrapConfig checks that FinishMachineConfig fills in a
// bootstrap MachineConfig from the environment config: authorized keys,
// API/state connection info carrying the hashed admin secret, the serving
// ports, constraints, a config copy with ca-private-key and admin-secret
// blanked, and a state server certificate that verifies against the test CA.
func (s *CloudInitSuite) TestFinishBootstrapConfig(c *gc.C) {
	cfgAttrs := dummySampleConfig().Merge(testing.Attrs{
		"authorized-keys": "we-are-the-keys",
		"admin-secret":    "lisboan-pork",
		"agent-version":   "1.2.3",
		"state-server":    false,
	})
	cfg, err := config.New(config.NoDefaults, cfgAttrs)
	c.Assert(err, gc.IsNil)
	oldAttrs := cfg.AllAttrs()

	mcfg := &cloudinit.MachineConfig{Bootstrap: true}
	cons := constraints.MustParse("mem=1T cpu-power=999999999")
	err = environs.FinishMachineConfig(mcfg, cfg, cons)
	c.Assert(err, gc.IsNil)

	c.Check(mcfg.AuthorizedKeys, gc.Equals, "we-are-the-keys")
	c.Check(mcfg.DisableSSLHostnameVerification, jc.IsFalse)
	// The connection info carries the admin secret hashed with the
	// compatibility salt, not the plaintext.
	password := utils.UserPasswordHash("lisboan-pork", utils.CompatSalt)
	c.Check(mcfg.APIInfo, gc.DeepEquals, &api.Info{
		Password: password,
		CACert:   testing.CACert,
	})
	c.Check(mcfg.StateInfo, gc.DeepEquals, &state.Info{
		Password: password,
		Info:     mongo.Info{CACert: testing.CACert},
	})
	c.Check(mcfg.StateServingInfo.StatePort, gc.Equals, cfg.StatePort())
	c.Check(mcfg.StateServingInfo.APIPort, gc.Equals, cfg.APIPort())
	c.Check(mcfg.Constraints, gc.DeepEquals, cons)

	// The machine's copy of the config has both secrets blanked.
	oldAttrs["ca-private-key"] = ""
	oldAttrs["admin-secret"] = ""
	c.Check(mcfg.Config.AllAttrs(), gc.DeepEquals, oldAttrs)

	srvCertPEM, srvKeyPEM := mcfg.StateServingInfo.Cert, mcfg.StateServingInfo.PrivateKey
	_, _, err = cert.ParseCertAndKey(srvCertPEM, srvKeyPEM)
	c.Check(err, gc.IsNil)
	// Chain to the CA now and at nine years; reject at ten years and a day.
	for _, at := range []time.Time{time.Now(), time.Now().AddDate(9, 0, 0)} {
		c.Assert(cert.Verify(srvCertPEM, testing.CACert, at), gc.IsNil)
	}
	c.Assert(cert.Verify(srvCertPEM, testing.CACert, time.Now().AddDate(10, 0, 1)), gc.NotNil)
}
// TestFinishBootstrapConfig checks that FinishInstanceConfig fills in a
// bootstrap InstanceConfig from the model config: authorized keys, API and
// Mongo connection info, the serving ports, the CA private key held in
// StateServingInfo, a config copy with ca-private-key and admin-secret
// blanked, and a server certificate that verifies against the test CA.
func (s *CloudInitSuite) TestFinishBootstrapConfig(c *gc.C) {
	cfgAttrs := dummySampleConfig().Merge(testing.Attrs{
		"authorized-keys": "we-are-the-keys",
		"admin-secret":    "lisboan-pork",
		"agent-version":   "1.2.3",
		"controller":      false,
	})
	cfg, err := config.New(config.NoDefaults, cfgAttrs)
	c.Assert(err, jc.ErrorIsNil)
	oldAttrs := cfg.AllAttrs()

	icfg := &instancecfg.InstanceConfig{Bootstrap: true}
	err = instancecfg.FinishInstanceConfig(icfg, cfg)
	c.Assert(err, jc.ErrorIsNil)

	c.Check(icfg.AuthorizedKeys, gc.Equals, "we-are-the-keys")
	c.Check(icfg.DisableSSLHostnameVerification, jc.IsFalse)
	password := "******"
	c.Check(icfg.APIInfo, gc.DeepEquals, &api.Info{
		Password: password,
		CACert:   testing.CACert,
		ModelTag: testing.ModelTag,
	})
	c.Check(icfg.MongoInfo, gc.DeepEquals, &mongo.MongoInfo{
		Password: password,
		Info:     mongo.Info{CACert: testing.CACert},
	})
	c.Check(icfg.StateServingInfo.StatePort, gc.Equals, cfg.StatePort())
	c.Check(icfg.StateServingInfo.APIPort, gc.Equals, cfg.APIPort())
	// The CA private key is compared before the attrs copy is scrubbed below.
	c.Check(icfg.StateServingInfo.CAPrivateKey, gc.Equals, oldAttrs["ca-private-key"])

	// The instance's copy of the config has both secrets blanked.
	oldAttrs["ca-private-key"] = ""
	oldAttrs["admin-secret"] = ""
	c.Check(icfg.Config.AllAttrs(), gc.DeepEquals, oldAttrs)

	srvCertPEM, srvKeyPEM := icfg.StateServingInfo.Cert, icfg.StateServingInfo.PrivateKey
	_, _, err = cert.ParseCertAndKey(srvCertPEM, srvKeyPEM)
	c.Check(err, jc.ErrorIsNil)
	// Chain to the CA now and at nine years; reject at ten years and a day.
	for _, at := range []time.Time{time.Now(), time.Now().AddDate(9, 0, 0)} {
		c.Assert(cert.Verify(srvCertPEM, testing.CACert, at), jc.ErrorIsNil)
	}
	c.Assert(cert.Verify(srvCertPEM, testing.CACert, time.Now().AddDate(10, 0, 1)), gc.NotNil)
}
// verifyCertificates sanity-checks the package's certificate fixtures: the CA
// and server PEM pairs must each load as a matching certificate/private-key
// pair, and the server certificate must verify against the CA at the current
// time. It returns the first failure, or nil when all checks pass.
func verifyCertificates() error {
	// X509KeyPair only proves that each private key belongs to its
	// certificate; it says nothing about the chain between them.
	if _, err := tls.X509KeyPair([]byte(CACert), []byte(CAKey)); err != nil {
		return fmt.Errorf("bad CA cert key pair: %v", err)
	}
	if _, err := tls.X509KeyPair([]byte(ServerCert), []byte(ServerKey)); err != nil {
		return fmt.Errorf("bad server cert key pair: %v", err)
	}
	// The chain check is delegated to cert.Verify, evaluated as of now.
	return cert.Verify(ServerCert, CACert, time.Now())
}
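// TestVerify exercises cert.Verify against freshly generated CA and server
// certificates: acceptance inside the validity window, rejection outside it
// (including once the shorter-lived CA has expired while the leaf is still
// valid), and rejection when the server certificate was not issued by the
// given CA.
func (certSuite) TestVerify(c *gc.C) {
	now := time.Now()
	caCert, caKey, err := cert.NewCA("foo", now.Add(1*time.Minute))
	c.Assert(err, jc.ErrorIsNil)

	var noHostnames []string
	srvCert, _, err := cert.NewServer(caCert, caKey, now.Add(3*time.Minute), noHostnames)
	c.Assert(err, jc.ErrorIsNil)

	// gc.ErrorMatches anchors the pattern to the whole message, and newer Go
	// toolchains append detail to these x509 errors (for the expiry case, the
	// current time and the violated validity bound), so allow any suffix.
	const (
		expiredMatch          = "x509: certificate has expired or is not yet valid.*"
		unknownAuthorityMatch = "x509: certificate signed by unknown authority.*"
	)

	err = cert.Verify(srvCert, caCert, now)
	c.Assert(err, jc.ErrorIsNil)
	err = cert.Verify(srvCert, caCert, now.Add(55*time.Second))
	c.Assert(err, jc.ErrorIsNil)
	// Eight days earlier is expected to fall outside the validity window.
	err = cert.Verify(srvCert, caCert, now.AddDate(0, 0, -8))
	c.Check(err, gc.ErrorMatches, expiredMatch)
	// The CA was given a 1-minute expiry and the server cert 3 minutes, so
	// verification at two minutes is expected to fail even though the leaf
	// itself is still within its own window.
	err = cert.Verify(srvCert, caCert, now.Add(2*time.Minute))
	c.Check(err, gc.ErrorMatches, expiredMatch)

	caCert2, caKey2, err := cert.NewCA("bar", now.Add(1*time.Minute))
	c.Assert(err, jc.ErrorIsNil)
	// Check original server certificate against wrong CA.
	err = cert.Verify(srvCert, caCert2, now)
	c.Check(err, gc.ErrorMatches, unknownAuthorityMatch)

	srvCert2, _, err := cert.NewServer(caCert2, caKey2, now.Add(1*time.Minute), noHostnames)
	c.Assert(err, jc.ErrorIsNil)
	// Check new server certificate against original CA.
	err = cert.Verify(srvCert2, caCert, now)
	c.Check(err, gc.ErrorMatches, unknownAuthorityMatch)
}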
// TestModeAccumulate runs the rsyslog config worker in accumulate mode and
// checks what it writes under <ConfDir>/rsyslog: ca-cert.pem, an rsyslog
// certificate/key pair that parses and verifies against that CA, the
// logrotate files, and a 25-juju.conf in RsyslogConfDir equal to the
// rendered accumulate configuration.
func (s *RsyslogSuite) TestModeAccumulate(c *gc.C) {
	st, m := s.st, s.machine
	worker, err := rsyslog.NewRsyslogConfigWorker(st.Rsyslog(), rsyslog.RsyslogModeAccumulate, m.Tag(), "", nil, s.ConfDir())
	c.Assert(err, jc.ErrorIsNil)
	// Deferred calls run in reverse order: Kill first, then Wait for a clean exit.
	defer func() { c.Assert(worker.Wait(), gc.IsNil) }()
	defer worker.Kill()

	dirname := filepath.Join(s.ConfDir(), "rsyslog")
	readFile := func(dir, name string) []byte {
		data, err := ioutil.ReadFile(filepath.Join(dir, name))
		c.Assert(err, jc.ErrorIsNil)
		return data
	}

	waitForFile(c, filepath.Join(dirname, "ca-cert.pem"))
	// We should have ca-cert.pem, rsyslog-cert.pem, and rsyslog-key.pem.
	caCertPEM := string(readFile(dirname, "ca-cert.pem"))
	rsyslogCertPEM := string(readFile(dirname, "rsyslog-cert.pem"))
	rsyslogKeyPEM := string(readFile(dirname, "rsyslog-key.pem"))
	_, _, err = cert.ParseCertAndKey(rsyslogCertPEM, rsyslogKeyPEM)
	c.Assert(err, jc.ErrorIsNil)
	// The rsyslog certificate must verify against the CA written alongside it.
	err = cert.Verify(rsyslogCertPEM, caCertPEM, time.Now().UTC())
	c.Assert(err, jc.ErrorIsNil)

	// Verify rsyslog configuration.
	waitForFile(c, filepath.Join(*rsyslog.RsyslogConfDir, "25-juju.conf"))
	rsyslogConf := readFile(*rsyslog.RsyslogConfDir, "25-juju.conf")
	syslogConfig := &syslog.SyslogConfig{
		LogFileName:          m.Tag().String(),
		LogDir:               *rsyslog.LogDir,
		Port:                 s.Environ.Config().SyslogPort(),
		Namespace:            "",
		StateServerAddresses: []string{},
	}
	syslog.NewAccumulateConfig(syslogConfig)
	syslogConfig.ConfigDir = *rsyslog.RsyslogConfDir
	syslogConfig.JujuConfigDir = dirname
	rendered, err := syslogConfig.Render()
	c.Assert(err, jc.ErrorIsNil)
	c.Assert(string(rsyslogConf), gc.DeepEquals, string(rendered))

	// Verify logrotate files
	for _, name := range []string{"logrotate.conf", "logrotate.run"} {
		assertPathExists(c, filepath.Join(dirname, name))
	}
}
// TestGenerateControllerCertAndKey checks that GenerateControllerCertAndKey
// yields a certificate/key pair that parses, verifies against the test CA
// now and at nine years, is rejected at ten years and a day, and carries
// exactly the requested IP SANs (none, or the two given).
func (s *ConfigSuite) TestGenerateControllerCertAndKey(c *gc.C) {
	// Add a cert.
	s.FakeHomeSuite.Home.AddFiles(c, gitjujutesting.TestFile{".ssh/id_rsa.pub", "rsa\n"})

	type testCase struct {
		caCert    string
		caKey     string
		sanValues []string
	}
	cases := []testCase{
		{caCert: testing.CACert, caKey: testing.CAKey},
		{caCert: testing.CACert, caKey: testing.CAKey, sanValues: []string{"10.0.0.1", "192.168.1.1"}},
	}

	for _, tc := range cases {
		certPEM, keyPEM, err := controller.GenerateControllerCertAndKey(tc.caCert, tc.caKey, tc.sanValues)
		c.Assert(err, jc.ErrorIsNil)
		_, _, err = cert.ParseCertAndKey(certPEM, keyPEM)
		c.Check(err, jc.ErrorIsNil)

		// Chain to the CA now and at nine years; reject at ten years and a day.
		err = cert.Verify(certPEM, testing.CACert, time.Now())
		c.Assert(err, jc.ErrorIsNil)
		err = cert.Verify(certPEM, testing.CACert, time.Now().AddDate(9, 0, 0))
		c.Assert(err, jc.ErrorIsNil)
		err = cert.Verify(certPEM, testing.CACert, time.Now().AddDate(10, 0, 1))
		c.Assert(err, gc.NotNil)

		// The IP SANs on the certificate must be exactly the requested set.
		srvCert, err := cert.ParseCert(certPEM)
		c.Assert(err, jc.ErrorIsNil)
		sanIPs := make([]string, len(srvCert.IPAddresses))
		for i := range srvCert.IPAddresses {
			sanIPs[i] = srvCert.IPAddresses[i].String()
		}
		c.Assert(sanIPs, jc.SameContents, tc.sanValues)
	}
}
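// TestFinishBootstrapConfig bootstraps a dummy environ and checks the instance
// config it records: API and Mongo connection info, the inherited controller
// and region config, the absence of ca-private-key from the controller
// config, the state serving ports and CA key, and a controller certificate
// that parses with its key and verifies against the test CA.
func (s *bootstrapSuite) TestFinishBootstrapConfig(c *gc.C) {
	path := filepath.Join(c.MkDir(), "key")
	// Check the fixture write: an unwritten key file would otherwise show up
	// later as an unrelated bootstrap failure.
	err := ioutil.WriteFile(path, []byte("publickey"), 0644)
	c.Assert(err, jc.ErrorIsNil)
	s.PatchEnvironment("JUJU_STREAMS_PUBLICKEY_FILE", path)

	password := "******"
	cloudName := "dummy"
	dummyCloud := cloud.Cloud{
		RegionConfig: cloud.RegionConfig{
			"a-region": cloud.Attrs{
				"a-key": "a-value",
			},
			"b-region": cloud.Attrs{
				"b-key": "b-value",
			},
		},
	}
	env := newEnviron("foo", useDefaultKeys, nil)
	err = bootstrap.Bootstrap(envtesting.BootstrapContext(c), env, bootstrap.BootstrapParams{
		ControllerConfig:          coretesting.FakeControllerConfig(),
		ControllerInheritedConfig: map[string]interface{}{"ftp-proxy": "http://proxy"},
		CloudName:                 cloudName,
		Cloud:                     dummyCloud,
		AdminSecret:               password,
		CAPrivateKey:              coretesting.CAKey,
	})
	c.Assert(err, jc.ErrorIsNil)

	icfg := env.instanceConfig
	c.Check(icfg.APIInfo, jc.DeepEquals, &api.Info{
		Password: password,
		CACert:   coretesting.CACert,
		ModelTag: coretesting.ModelTag,
	})
	c.Check(icfg.Controller.MongoInfo, jc.DeepEquals, &mongo.MongoInfo{
		Password: password,
		Info:     mongo.Info{CACert: coretesting.CACert},
	})
	c.Check(icfg.Bootstrap.ControllerInheritedConfig, gc.DeepEquals, map[string]interface{}{"ftp-proxy": "http://proxy"})
	c.Check(icfg.Bootstrap.RegionInheritedConfig, jc.DeepEquals, cloud.RegionConfig{
		"a-region": cloud.Attrs{
			"a-key": "a-value",
		},
		"b-region": cloud.Attrs{
			"b-key": "b-value",
		},
	})

	controllerCfg := icfg.Controller.Config
	// The CA private key must not appear in the controller config; it is
	// expected in StateServingInfo instead (checked below).
	c.Check(controllerCfg["ca-private-key"], gc.IsNil)
	c.Check(icfg.Bootstrap.StateServingInfo.StatePort, gc.Equals, controllerCfg.StatePort())
	c.Check(icfg.Bootstrap.StateServingInfo.APIPort, gc.Equals, controllerCfg.APIPort())
	c.Check(icfg.Bootstrap.StateServingInfo.CAPrivateKey, gc.Equals, coretesting.CAKey)

	srvCertPEM := icfg.Bootstrap.StateServingInfo.Cert
	srvKeyPEM := icfg.Bootstrap.StateServingInfo.PrivateKey
	_, _, err = cert.ParseCertAndKey(srvCertPEM, srvKeyPEM)
	c.Check(err, jc.ErrorIsNil)
	// TODO(perrito666) 2016-05-02 lp:1558657
	// Chain to the CA now and at nine years; reject at ten years and a day.
	err = cert.Verify(srvCertPEM, coretesting.CACert, time.Now())
	c.Assert(err, jc.ErrorIsNil)
	err = cert.Verify(srvCertPEM, coretesting.CACert, time.Now().AddDate(9, 0, 0))
	c.Assert(err, jc.ErrorIsNil)
	err = cert.Verify(srvCertPEM, coretesting.CACert, time.Now().AddDate(10, 0, 1))
	c.Assert(err, gc.NotNil)
}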