dedd3a409f
Ensure the certificate material is not world-readable. Create a letsencrypt group, and have the certificate files owned by root and readable by that group. Change-Id: I49a6a8520aca27e70b3e48d0fcc874daf1c4ff24
# Copyright 2019 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import pytest
# Hosts the testinfra fixtures run against: the bind host that serves the
# acme zone, plus the two letsencrypt client nodes whose keys are checked.
testinfra_hosts = [
    'adns-letsencrypt.opendev.org',
    'letsencrypt01.opendev.org',
    'letsencrypt02.opendev.org',
]
def test_acme_zone(host):
|
|
if host.backend.get_hostname() != 'adns-letsencrypt.opendev.org':
|
|
pytest.skip()
|
|
acme_opendev_zone = host.file('/var/lib/bind/zones/acme.opendev.org/zone.db')
|
|
assert acme_opendev_zone.exists
|
|
|
|
# On our test nodes, unbound is listening on 127.0.0.1:53; this
|
|
# ensures the query hits bind
|
|
query_addr = host.ansible("setup")["ansible_facts"]["ansible_default_ipv4"]["address"]
|
|
cmd = host.run("dig -t txt acme.opendev.org @" + query_addr)
|
|
count = 0
|
|
for line in cmd.stdout.split('\n'):
|
|
if line.startswith('acme.opendev.org. 60 IN TXT'):
|
|
count = count + 1
|
|
if count != 6:
|
|
# NOTE(ianw): I'm sure there's more pytest-y ways to save this
|
|
# for debugging ...
|
|
print(cmd.stdout)
|
|
assert count == 6, "Did not see required number of TXT records!"
def test_certs_created(host):
|
|
if host.backend.get_hostname() == 'letsencrypt01.opendev.org':
|
|
domain_one = host.file(
|
|
'/etc/letsencrypt-certs/'
|
|
'letsencrypt01.opendev.org/letsencrypt01.opendev.org.key')
|
|
assert domain_one.exists
|
|
assert domain_one.user == "root"
|
|
assert domain_one.group == "letsencrypt"
|
|
assert domain_one.mode == 0o640
|
|
|
|
domain_two = host.file(
|
|
'/etc/letsencrypt-certs/'
|
|
'someotherservice.opendev.org/someotherservice.opendev.org.key')
|
|
assert domain_two.exists
|
|
assert domain_two.user == "root"
|
|
assert domain_two.group == "letsencrypt"
|
|
assert domain_two.mode == 0o640
|
|
|
|
elif host.backend.get_hostname() == 'letsencrypt02.opendev.org':
|
|
domain_one = host.file(
|
|
'/etc/letsencrypt-certs/'
|
|
'letsencrypt02.opendev.org/letsencrypt02.opendev.org.key')
|
|
assert domain_one.exists
|
|
assert domain_one.user == "root"
|
|
assert domain_one.group == "letsencrypt"
|
|
assert domain_one.mode == 0o640
|
|
|
|
else:
|
|
pytest.skip()