# Copyright 2019 Red Hat, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. import pytest testinfra_hosts = ['adns-letsencrypt.opendev.org', 'letsencrypt01.opendev.org', 'letsencrypt02.opendev.org'] def test_acme_zone(host): if host.backend.get_hostname() != 'adns-letsencrypt.opendev.org': pytest.skip() acme_opendev_zone = host.file('/var/lib/bind/zones/acme.opendev.org/zone.db') assert acme_opendev_zone.exists # On our test nodes, unbound is listening on 127.0.0.1:53; this # ensures the query hits bind query_addr = host.ansible("setup")["ansible_facts"]["ansible_default_ipv4"]["address"] cmd = host.run("dig -t txt acme.opendev.org @" + query_addr) count = 0 for line in cmd.stdout.split('\n'): if line.startswith('acme.opendev.org. 60 IN TXT'): count = count + 1 if count != 6: # NOTE(ianw): I'm sure there's more pytest-y ways to save this # for debugging ... print(cmd.stdout) assert count == 6, "Did not see required number of TXT records!" def test_certs_created(host): if host.backend.get_hostname() == 'letsencrypt01.opendev.org': domain_one = host.file( '/etc/letsencrypt-certs/' 'letsencrypt01.opendev.org/letsencrypt01.opendev.org.key') assert domain_one.exists assert domain_one.user == "root" assert domain_one.group == "letsencrypt" assert domain_one.mode == 0o640 cert_one = host.file( '/etc/letsencrypt-certs/' 'letsencrypt01.opendev.org/letsencrypt01.opendev.org.cer') assert cert_one.exists assert cert_one.user == "root" assert cert_one.group == "letsencrypt" assert cert_one.mode == 0o640 ca_one = host.file( '/etc/letsencrypt-certs/' 'letsencrypt01.opendev.org/ca.cer') assert ca_one.exists assert ca_one.user == "root" assert ca_one.group == "letsencrypt" assert ca_one.mode == 0o640 domain_two = host.file( '/etc/letsencrypt-certs/' 'someotherservice.opendev.org/someotherservice.opendev.org.key') assert domain_two.exists assert domain_two.user == "root" assert domain_two.group == "letsencrypt" assert domain_two.mode == 0o640 cert_two = host.file( '/etc/letsencrypt-certs/' 'someotherservice.opendev.org/someotherservice.opendev.org.cer') assert cert_two.exists assert cert_two.user == "root" assert cert_two.group == "letsencrypt" assert cert_two.mode == 0o640 ca_two = host.file( '/etc/letsencrypt-certs/' 'someotherservice.opendev.org/ca.cer') assert ca_one.exists assert ca_one.user == "root" assert ca_one.group == "letsencrypt" assert ca_one.mode == 0o640 elif host.backend.get_hostname() == 'letsencrypt02.opendev.org': domain_one = host.file( '/etc/letsencrypt-certs/' 'letsencrypt02.opendev.org/letsencrypt02.opendev.org.key') assert domain_one.exists assert domain_one.user == "root" assert domain_one.group == "letsencrypt" assert domain_one.mode == 0o640 cert_one = host.file( '/etc/letsencrypt-certs/' 'letsencrypt02.opendev.org/letsencrypt02.opendev.org.cer') assert cert_one.exists assert cert_one.user == "root" assert cert_one.group == "letsencrypt" assert cert_one.mode == 0o640 ca_one = host.file( '/etc/letsencrypt-certs/' 'letsencrypt02.opendev.org/ca.cer') assert ca_one.exists assert ca_one.user == "root" assert ca_one.group == "letsencrypt" assert ca_one.mode == 0o640 else: pytest.skip() def test_updated_handler(host): if host.backend.get_hostname() == 'letsencrypt01.opendev.org': stamp_file = host.file('/tmp/letsencrypt01-main-service.stamp') assert stamp_file.exists stamp_file = host.file('/tmp/letsencrypt01-other-service.stamp') assert stamp_file.exists elif host.backend.get_hostname() == 'letsencrypt02.opendev.org': stamp_file = host.file('/tmp/letsencrypt02-main-service.stamp') assert stamp_file.exists else: pytest.skip() def test_acme_sh_config(host): if not host.backend.get_hostname().startswith('letsencrypt0'): pytest.skip() config = host.file('/root/.acme.sh/account.conf') assert config.exists assert config.contains("^ACCOUNT_EMAIL='le-test@opendev.org'")