// TestGenerateStateServerCertAndKey checks that a state-server certificate
// can only be generated when the environment configuration carries both a
// CA certificate and its private key, and that a generated certificate
// parses together with its key and chains to the test CA within the
// expected validity window.
func (*ConfigSuite) TestGenerateStateServerCertAndKey(c *gc.C) {
	// The missing-cert paths consult JUJU_HOME, so run under a fake home.
	defer testing.MakeFakeHomeWithFiles(c, []testing.TestFile{
		{".ssh/id_rsa.pub", "rsa\n"},
	}).Restore()

	type generateCase struct {
		configValues map[string]interface{}
		errMatch     string // empty means generation must succeed
	}
	cases := []generateCase{{
		configValues: map[string]interface{}{
			"name": "test-no-certs",
			"type": "dummy",
		},
		errMatch: "environment configuration has no ca-cert",
	}, {
		configValues: map[string]interface{}{
			"name":    "test-no-certs",
			"type":    "dummy",
			"ca-cert": testing.CACert,
		},
		errMatch: "environment configuration has no ca-private-key",
	}, {
		configValues: map[string]interface{}{
			"name":           "test-no-certs",
			"type":           "dummy",
			"ca-cert":        testing.CACert,
			"ca-private-key": testing.CAKey,
		},
	}}

	// checkGenerated asserts that the PEM pair parses, verifies under the
	// test CA now and nine years out, and no longer verifies at ten years
	// and a day (the certificate is expected to have expired by then).
	checkGenerated := func(certPEM, keyPEM string) {
		_, _, err := cert.ParseCertAndKey(certPEM, keyPEM)
		c.Check(err, gc.IsNil)
		err = cert.Verify(certPEM, testing.CACert, time.Now())
		c.Assert(err, gc.IsNil)
		err = cert.Verify(certPEM, testing.CACert, time.Now().AddDate(9, 0, 0))
		c.Assert(err, gc.IsNil)
		err = cert.Verify(certPEM, testing.CACert, time.Now().AddDate(10, 0, 1))
		c.Assert(err, gc.NotNil)
	}

	for _, tc := range cases {
		cfg, err := config.New(config.UseDefaults, tc.configValues)
		c.Assert(err, gc.IsNil)
		certPEM, keyPEM, err := cfg.GenerateStateServerCertAndKey()
		if tc.errMatch != "" {
			// Failure must not leak partial output: both PEMs stay empty.
			c.Assert(err, gc.ErrorMatches, tc.errMatch)
			c.Assert(certPEM, gc.Equals, "")
			c.Assert(keyPEM, gc.Equals, "")
			continue
		}
		c.Assert(err, gc.IsNil)
		checkGenerated(certPEM, keyPEM)
	}
}
// TestModeAccumulate runs the rsyslog config worker in accumulate mode for a
// manage-environ machine and checks that it writes the CA certificate, an
// rsyslog certificate/key pair that parses and verifies under that CA, and
// an rsyslog configuration identical to the rendered accumulate template.
func (s *RsyslogSuite) TestModeAccumulate(c *gc.C) {
	st, m := s.OpenAPIAsNewMachine(c, state.JobManageEnviron)
	worker, err := rsyslog.NewRsyslogConfigWorker(st.Rsyslog(), rsyslog.RsyslogModeAccumulate, m.Tag(), "", nil)
	c.Assert(err, gc.IsNil)
	// Deferred calls run last-in first-out: Kill stops the worker, then
	// Wait asserts it exited cleanly.
	defer func() { c.Assert(worker.Wait(), gc.IsNil) }()
	defer worker.Kill()

	// mustRead reads a file that the worker is expected to have written.
	mustRead := func(dir, name string) string {
		data, readErr := ioutil.ReadFile(filepath.Join(dir, name))
		c.Assert(readErr, gc.IsNil)
		return string(data)
	}

	logDir := *rsyslog.LogDir
	waitForFile(c, filepath.Join(logDir, "ca-cert.pem"))
	// Once ca-cert.pem is present, the worker should also have written
	// rsyslog-cert.pem and rsyslog-key.pem alongside it.
	caCertPEM := mustRead(logDir, "ca-cert.pem")
	rsyslogCertPEM := mustRead(logDir, "rsyslog-cert.pem")
	rsyslogKeyPEM := mustRead(logDir, "rsyslog-key.pem")

	// The key must belong to the cert, and the cert must chain to the CA
	// written next to it.
	_, _, err = cert.ParseCertAndKey(rsyslogCertPEM, rsyslogKeyPEM)
	c.Assert(err, gc.IsNil)
	err = cert.Verify(rsyslogCertPEM, caCertPEM, time.Now().UTC())
	c.Assert(err, gc.IsNil)

	// The rsyslog configuration must match the rendered accumulate template
	// byte for byte.
	confDir := *rsyslog.RsyslogConfDir
	waitForFile(c, filepath.Join(confDir, "25-juju.conf"))
	rsyslogConf := mustRead(confDir, "25-juju.conf")

	syslogPort := s.Conn.Environ.Config().SyslogPort()
	syslogConfig := syslog.NewAccumulateConfig(m.Tag(), logDir, syslogPort, "")
	syslogConfig.ConfigDir = confDir
	rendered, err := syslogConfig.Render()
	c.Assert(err, gc.IsNil)
	c.Assert(rsyslogConf, gc.DeepEquals, string(rendered))
}
// TestFinishBootstrapConfig checks that FinishMachineConfig populates a
// bootstrap MachineConfig from the environment config: authorized keys,
// hashed admin password in the API and state connection info, ports,
// constraints, a config copy with the secrets blanked, and a freshly
// generated state-serving certificate that chains to the test CA.
func (s *CloudInitSuite) TestFinishBootstrapConfig(c *gc.C) {
	attrs := dummySampleConfig().Merge(testing.Attrs{
		"authorized-keys": "we-are-the-keys",
		"admin-secret":    "lisboan-pork",
		"agent-version":   "1.2.3",
		"state-server":    false,
	})
	cfg, err := config.New(config.NoDefaults, attrs)
	c.Assert(err, gc.IsNil)
	// Snapshot the attributes before FinishMachineConfig runs so the
	// comparison below is against the input config.
	expectedAttrs := cfg.AllAttrs()

	mcfg := &cloudinit.MachineConfig{Bootstrap: true}
	cons := constraints.MustParse("mem=1T cpu-power=999999999")
	err = environs.FinishMachineConfig(mcfg, cfg, cons)
	c.Assert(err, gc.IsNil)

	c.Check(mcfg.AuthorizedKeys, gc.Equals, "we-are-the-keys")
	c.Check(mcfg.DisableSSLHostnameVerification, jc.IsFalse)

	// The admin secret is never stored in clear: both connection infos
	// carry the salted hash.
	password := utils.UserPasswordHash("lisboan-pork", utils.CompatSalt)
	c.Check(mcfg.APIInfo, gc.DeepEquals, &api.Info{
		Password: password,
		CACert:   testing.CACert,
	})
	c.Check(mcfg.StateInfo, gc.DeepEquals, &state.Info{
		Password: password,
		CACert:   testing.CACert,
	})
	c.Check(mcfg.StateServingInfo.StatePort, gc.Equals, cfg.StatePort())
	c.Check(mcfg.StateServingInfo.APIPort, gc.Equals, cfg.APIPort())
	c.Check(mcfg.Constraints, gc.DeepEquals, cons)

	// The config handed to the machine must have the CA private key and the
	// admin secret stripped; everything else is passed through unchanged.
	expectedAttrs["ca-private-key"] = ""
	expectedAttrs["admin-secret"] = ""
	c.Check(mcfg.Config.AllAttrs(), gc.DeepEquals, expectedAttrs)

	// The generated state-serving cert/key pair must parse and verify under
	// the test CA now and at nine years, but not at ten years and a day.
	srvCertPEM, srvKeyPEM := mcfg.StateServingInfo.Cert, mcfg.StateServingInfo.PrivateKey
	_, _, err = cert.ParseCertAndKey(srvCertPEM, srvKeyPEM)
	c.Check(err, gc.IsNil)
	for _, probe := range []struct {
		at      time.Time
		checker gc.Checker
	}{
		{time.Now(), gc.IsNil},
		{time.Now().AddDate(9, 0, 0), gc.IsNil},
		{time.Now().AddDate(10, 0, 1), gc.NotNil},
	} {
		err = cert.Verify(srvCertPEM, testing.CACert, probe.at)
		c.Assert(err, probe.checker)
	}
}
// verifyCertificates sanity-checks the package's fixture certificates: the
// CA and server PEM pairs must each load as a matching cert/key pair, and
// the server certificate must currently verify under the CA. It returns the
// first problem found, or nil when the fixtures are usable.
func verifyCertificates() error {
	if _, err := tls.X509KeyPair([]byte(CACert), []byte(CAKey)); err != nil {
		return fmt.Errorf("bad CA cert key pair: %v", err)
	}
	if _, err := tls.X509KeyPair([]byte(ServerCert), []byte(ServerKey)); err != nil {
		return fmt.Errorf("bad server cert key pair: %v", err)
	}
	// Chain validation against the fixture CA at the current time; an
	// expired fixture would surface here rather than deep inside a test.
	return cert.Verify(ServerCert, CACert, time.Now())
}
// TestVerify exercises cert.Verify with freshly minted CA and server
// certificates: a server cert must verify while both it and its issuer are
// valid, must fail once the issuer has expired even though the leaf itself
// has not, and must fail when checked against a CA that did not sign it.
func (certSuite) TestVerify(c *gc.C) {
	const (
		expiredMsg   = "x509: certificate has expired or is not yet valid"
		unknownCAMsg = "x509: certificate signed by unknown authority"
	)

	start := time.Now()
	// CA "foo" lives one minute; its server cert lives three.
	caCert, caKey, err := cert.NewCA("foo", start.Add(1*time.Minute))
	c.Assert(err, gc.IsNil)
	var noHostnames []string
	srvCert, _, err := cert.NewServer(caCert, caKey, start.Add(3*time.Minute), noHostnames)
	c.Assert(err, gc.IsNil)

	// Within the CA's lifetime the chain verifies.
	for _, at := range []time.Time{start, start.Add(55 * time.Second)} {
		err = cert.Verify(srvCert, caCert, at)
		c.Assert(err, gc.IsNil)
	}

	// TODO(rog) why does this succeed?
	// err = cert.Verify(srvCert, caCert, start.Add(-1 * time.Minute))
	//c.Check(err, gc.ErrorMatches, expiredMsg)
	// NOTE(review): presumably NewCA/NewServer backdate NotBefore to absorb
	// clock skew, which would explain the check above passing — confirm in
	// the cert package before re-enabling it.

	// At two minutes the server cert (3m) is still in date but the CA (1m)
	// is not: verification must reject the chain on the issuer's expiry.
	err = cert.Verify(srvCert, caCert, start.Add(2*time.Minute))
	c.Check(err, gc.ErrorMatches, expiredMsg)

	// A second, unrelated CA "bar".
	caCert2, caKey2, err := cert.NewCA("bar", start.Add(1*time.Minute))
	c.Assert(err, gc.IsNil)

	// Original server certificate against the wrong CA.
	err = cert.Verify(srvCert, caCert2, start)
	c.Check(err, gc.ErrorMatches, unknownCAMsg)

	// Server certificate issued by the second CA, checked against the first.
	srvCert2, _, err := cert.NewServer(caCert2, caKey2, start.Add(1*time.Minute), noHostnames)
	c.Assert(err, gc.IsNil)
	err = cert.Verify(srvCert2, caCert, start)
	c.Check(err, gc.ErrorMatches, unknownCAMsg)
}