Merge branch 'feature/integration-test' into develop

2016-08-18 10:10:58 +02:00 · 2016-08-18 10:10:58 +02:00 · b8096684a0
parent a23fe0a338 d96ac748f8
commit b8096684a0
9 changed files with 280 additions and 0 deletions
--- a/examples/.gitignore
+++ b/examples/.gitignore
@ -0,0 +1,3 @@
+# generate-csr.sh:
+/key.pem
+/csr.der
--- a/examples/cli.ini
+++ b/examples/cli.ini
@ -0,0 +1,25 @@
+# This is an example of the kind of things you can do in a configuration file.
+# All flags used by the client can be configured here. Run Certbot with
+# "--help" to learn more about the available options.
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Uncomment and update to register with the specified e-mail address
+# email = foo@example.com
+
+# Uncomment and update to generate certificates for the specified
+# domains.
+# domains = example.com, www.example.com
+
+# Uncomment to use a text interface instead of ncurses
+# text = True
+
+# Uncomment to use the standalone authenticator on port 443
+# authenticator = standalone
+# standalone-supported-challenges = tls-sni-01
+
+# Uncomment to use the webroot authenticator. Replace webroot-path with the
+# path to the public_html / webroot folder being served by your web server.
+# authenticator = webroot
+# webroot-path = /usr/share/nginx/html
--- a/examples/dev-cli.ini
+++ b/examples/dev-cli.ini
@ -0,0 +1,20 @@
+# Always use the staging/testing server - avoids rate limiting
+server = https://acme-staging.api.letsencrypt.org/directory
+
+# This is an example configuration file for developers
+config-dir = /tmp/le/conf
+work-dir = /tmp/le/conf
+logs-dir = /tmp/le/logs
+
+# make sure to use a valid email and domains!
+email = foo@example.com
+domains = example.com
+
+text = True
+agree-tos = True
+debug = True
+# Unfortunately, it's not possible to specify "verbose" multiple times
+# (correspondingly to -vvvvvv)
+verbose = True
+
+authenticator = standalone
--- a/examples/generate-csr.sh
+++ b/examples/generate-csr.sh
@ -0,0 +1,28 @@
+#!/bin/sh
+# This script generates a simple SAN CSR to be used with Let's Encrypt
+# CA. Mostly intended for "auth --csr" testing, but, since it's easily
+# auditable, feel free to adjust it and use it on your production web
+# server.
+
+if [ "$#" -lt 1 ]
+then
+  echo "Usage: $0 domain [domain...]" >&2
+  exit 1
+fi
+
+domains="DNS:$1"
+shift
+for x in "$@"
+do
+  domains="$domains,DNS:$x"
+done
+
+SAN="$domains" openssl req -config "${OPENSSL_CNF:-openssl.cnf}" \
+  -new -nodes -subj '/' -reqexts san \
+  -out "${CSR_PATH:-csr.der}" \
+  -keyout "${KEY_PATH:-key.pem}" \
+  -newkey rsa:2048 \
+  -outform DER
+# 512 or 1024 too low for Boulder, 2048 is smallest for tests
+
+echo "You can now run: certbot auth --csr ${CSR_PATH:-csr.der}"
--- a/examples/openssl.cnf
+++ b/examples/openssl.cnf
@ -0,0 +1,5 @@
+[ req ]
+distinguished_name = req_distinguished_name
+[ req_distinguished_name ]
+[ san ]
+subjectAltName=${ENV::SAN}
--- a/examples/plugins/certbot_example_plugins.py
+++ b/examples/plugins/certbot_example_plugins.py
@ -0,0 +1,31 @@
+"""Example Certbot plugins.
+
+For full examples, see `certbot.plugins`.
+
+"""
+import zope.interface
+
+from certbot import interfaces
+from certbot.plugins import common
+
+
+@zope.interface.implementer(interfaces.IAuthenticator)
+@zope.interface.provider(interfaces.IPluginFactory)
+class Authenticator(common.Plugin):
+    """Example Authenticator."""
+
+    description = "Example Authenticator plugin"
+
+    # Implement all methods from IAuthenticator, remembering to add
+    # "self" as first argument, e.g. def prepare(self)...
+
+
+@zope.interface.implementer(interfaces.IInstaller)
+@zope.interface.provider(interfaces.IPluginFactory)
+class Installer(common.Plugin):
+    """Example Installer."""
+
+    description = "Example Installer plugin"
+
+    # Implement all methods from IInstaller, remembering to add
+    # "self" as first argument, e.g. def get_all_names(self)...
--- a/examples/plugins/setup.py
+++ b/examples/plugins/setup.py
@ -0,0 +1,17 @@
+from setuptools import setup
+
+
+setup(
+    name='certbot-example-plugins',
+    package='certbot_example_plugins.py',
+    install_requires=[
+        'certbot',
+        'zope.interface',
+    ],
+    entry_points={
+        'certbot.plugins': [
+            'example_authenticator = certbot_example_plugins:Authenticator',
+            'example_installer = certbot_example_plugins:Installer',
+        ],
+    },
+)
--- a/tests/boulder-integration.sh
+++ b/tests/boulder-integration.sh
@ -0,0 +1,116 @@
+#!/bin/sh -xe
+# Simple integration test. Make sure to activate virtualenv beforehand
+# (source venv/bin/activate) and that you are running Boulder test
+# instance (see ./boulder-start.sh).
+#
+# Environment variables:
+#   SERVER: Passed as "certbot --server" argument.
+#
+# Note: this script is called by Boulder integration test suite!
+
+set -v
+
+. ./tests/integration/_common.sh
+export PATH="/usr/sbin:$PATH"  # /usr/sbin/nginx
+
+export GOPATH="${GOPATH:-/tmp/go}"
+export PATH="$GOPATH/bin:$PATH"
+
+if [ `uname` = "Darwin" ];then
+  readlink="greadlink"
+else
+  readlink="readlink"
+fi
+
+common_no_force_renew() {
+    certbot_test_no_force_renew \
+        --authenticator certbot-haproxy:haproxy-authenticator\
+        --installer certbot-haproxy:haproxy-installer\
+        "$@"
+}
+
+common() {
+    common_no_force_renew \
+        --authenticator certbot-haproxy:haproxy-authenticator\
+        --installer certbot-haproxy:haproxy-installer\
+        --renew-by-default \
+        "$@"
+}
+
+# common --domains le1.wtf --standalone-supported-challenges tls-sni-01 auth
+common --domains le2.wtf --standalone-supported-challenges http-01 run
+common -a manual -d le.wtf auth --rsa-key-size 4096
+
+export CSR_PATH="${root}/csr.der" KEY_PATH="${root}/key.pem" \
+       OPENSSL_CNF=examples/openssl.cnf
+./examples/generate-csr.sh le3.wtf
+common auth --csr "$CSR_PATH" \
+       --cert-path "${root}/csr/cert.pem" \
+       --chain-path "${root}/csr/chain.pem"
+openssl x509 -in "${root}/csr/cert.pem" -text
+openssl x509 -in "${root}/csr/chain.pem" -text
+
+# TODO: key-path was "${root}/csr/key.pem", so maybe make that work as well?
+common --domains le3.wtf install \
+       --cert-path "${root}/csr/cert.pem" \
+       --key-path "${root}/key.pem"
+
+CheckCertCount() {
+    CERTCOUNT=`ls "${root}/conf/archive/le.wtf/cert"* | wc -l`
+    if [ "$CERTCOUNT" -ne "$1" ] ; then
+        echo Wrong cert count, not "$1" `ls "${root}/conf/archive/le.wtf/"*`
+        exit 1
+    fi
+}
+
+CheckCertCount 1
+# This won't renew (because it's not time yet)
+common_no_force_renew renew
+CheckCertCount 1
+
+# --renew-by-default is used, so renewal should occur
+common renew
+CheckCertCount 2
+
+# This will renew because the expiry is less than 10 years from now
+sed -i "4arenew_before_expiry = 4 years" "$root/conf/renewal/le.wtf.conf"
+common_no_force_renew renew --rsa-key-size 2048
+CheckCertCount 3
+
+# The 4096 bit setting should persist to the first renewal, but be overriden in the second
+
+size1=`wc -c ${root}/conf/archive/le.wtf/privkey1.pem | cut -d" " -f1`
+size2=`wc -c ${root}/conf/archive/le.wtf/privkey2.pem | cut -d" " -f1`
+size3=`wc -c ${root}/conf/archive/le.wtf/privkey3.pem | cut -d" " -f1`
+# 4096 bit PEM keys are about ~3270 bytes, 2048 ones are about 1700 bytes
+if [ "$size1" -lt 3000 ] || [ "$size2" -lt 3000 ] || [ "$size3" -gt 1800 ] ; then
+    echo key sizes violate assumptions:
+    ls -l "${root}/conf/archive/le.wtf/privkey"*
+    exit 1
+fi
+
+# ECDSA
+openssl ecparam -genkey -name secp384r1 -out "${root}/privkey-p384.pem"
+SAN="DNS:ecdsa.le.wtf" openssl req -new -sha256 \
+    -config "${OPENSSL_CNF:-openssl.cnf}" \
+    -key "${root}/privkey-p384.pem" \
+    -subj "/" \
+    -reqexts san \
+    -outform der \
+    -out "${root}/csr-p384.der"
+common auth --csr "${root}/csr-p384.der" \
+    --cert-path "${root}/csr/cert-p384.pem" \
+    --chain-path "${root}/csr/chain-p384.pem"
+openssl x509 -in "${root}/csr/cert-p384.pem" -text | grep 'ASN1 OID: secp384r1'
+
+# OCSP Must Staple
+common auth --must-staple --domains "must-staple.le.wtf"
+openssl x509 -in "${root}/conf/live/must-staple.le.wtf/cert.pem" -text | grep '1.3.6.1.5.5.7.1.24'
+
+# revoke by account key
+common revoke --cert-path "$root/conf/live/le.wtf/cert.pem"
+# revoke renewed
+# common revoke --cert-path "$root/conf/live/le1.wtf/cert.pem"
+# revoke by cert key
+common revoke --cert-path "$root/conf/live/le2.wtf/cert.pem" \
+       --key-path "$root/conf/live/le2.wtf/privkey.pem"
--- a/tests/integration/_common.sh
+++ b/tests/integration/_common.sh
@ -0,0 +1,35 @@
+#!/bin/sh
+
+if [ "xxx$root" = "xxx" ];
+then
+    # The -t is required on OS X. It provides a template file path for
+    # the kernel to use.
+    root="$(mktemp -d -t leitXXXX)"
+    echo "Root integration tests directory: $root"
+fi
+store_flags="--config-dir $root/conf --work-dir $root/work"
+store_flags="$store_flags --logs-dir $root/logs"
+export root store_flags
+
+certbot_test () {
+    certbot_test_no_force_renew \
+        --renew-by-default \
+        "$@"
+}
+
+certbot_test_no_force_renew () {
+    certbot \
+        --server "${SERVER:-http://localhost:4000/directory}" \
+        --no-verify-ssl \
+        --tls-sni-01-port 5001 \
+        --http-01-port 8000 \
+        --manual-test-mode \
+        $store_flags \
+        --non-interactive \
+        --no-redirect \
+        --agree-tos \
+        --register-unsafely-without-email \
+        --debug \
+        -vvvvvvv \
+        "$@"
+}