Custom SSL certificates config panel

Adds a new panel to the superuser config tool, for managing custom SSL certificates in the config bundle [Delivers #135586525]
2017-01-11 18:45:46 -05:00 · 2017-01-11 18:45:46 -05:00 · 7e0fbeb625
commit 7e0fbeb625
parent 773f271daa
14 changed files with 434 additions and 41 deletions
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@ -66,12 +66,14 @@ from endpoints.api.permission import (RepositoryUserPermission, RepositoryTeamPe
                                      RepositoryTeamPermissionList, RepositoryUserPermissionList)
 from endpoints.api.superuser import (SuperUserLogs, SuperUserList, SuperUserManagement,
                                     SuperUserServiceKeyManagement, SuperUserServiceKey,
-                                     SuperUserServiceKeyApproval, SuperUserTakeOwnership,)
+                                     SuperUserServiceKeyApproval, SuperUserTakeOwnership,
+                                     SuperUserCustomCertificates, SuperUserCustomCertificate)
 from endpoints.api.globalmessages import (GlobalUserMessage, GlobalUserMessages,)
 from endpoints.api.secscan import RepositoryImageSecurity
 from endpoints.api.suconfig import (SuperUserRegistryStatus, SuperUserConfig, SuperUserConfigFile,
                                    SuperUserCreateInitialSuperUser)
 from endpoints.api.manifest import RepositoryManifestLabels, ManageRepositoryManifestLabel
+from test.test_ssl_util import generate_test_cert


 try:
@ -4240,6 +4242,81 @@ class TestRepositoryImageSecurity(ApiTestCase):
      self.assertEquals(1, response['data']['Layer']['IndexedByVersion'])


+class TestSuperUserCustomCertificates(ApiTestCase):
+  def test_custom_certificates(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    # Upload a certificate.
+    cert_contents, _ = generate_test_cert(hostname='somecoolhost', san_list=['DNS:bar', 'DNS:baz'])
+    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert'),
+                      file=(StringIO(cert_contents), 'testcert'), expected_code=204)
+
+    # Make sure it is present.
+    json = self.getJsonResponse(SuperUserCustomCertificates)
+    self.assertEquals(1, len(json['certs']))
+
+    cert_info = json['certs'][0]
+    self.assertEquals('testcert', cert_info['path'])
+
+    self.assertEquals(set(['somecoolhost', 'bar', 'baz']), set(cert_info['names']))
+    self.assertFalse(cert_info['expired'])
+
+    # Remove the certificate.
+    self.deleteResponse(SuperUserCustomCertificate, params=dict(certpath='testcert'))
+
+    # Make sure it is gone.
+    json = self.getJsonResponse(SuperUserCustomCertificates)
+    self.assertEquals(0, len(json['certs']))
+
+  def test_expired_custom_certificate(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    # Upload a certificate.
+    cert_contents, _ = generate_test_cert(hostname='somecoolhost', expires=-10)
+    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert'),
+                      file=(StringIO(cert_contents), 'testcert'), expected_code=204)
+
+    # Make sure it is present.
+    json = self.getJsonResponse(SuperUserCustomCertificates)
+    self.assertEquals(1, len(json['certs']))
+
+    cert_info = json['certs'][0]
+    self.assertEquals('testcert', cert_info['path'])
+
+    self.assertEquals(set(['somecoolhost']), set(cert_info['names']))
+    self.assertTrue(cert_info['expired'])
+
+  def test_invalid_custom_certificate(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    # Upload an invalid certificate.
+    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert'),
+                      file=(StringIO('some contents'), 'testcert'), expected_code=204)
+
+    # Make sure it is present but invalid.
+    json = self.getJsonResponse(SuperUserCustomCertificates)
+    self.assertEquals(1, len(json['certs']))
+
+    cert_info = json['certs'][0]
+    self.assertEquals('testcert', cert_info['path'])
+    self.assertEquals('no start line', cert_info['error'])
+
+  def test_path_sanitization(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    # Upload a certificate.
+    cert_contents, _ = generate_test_cert(hostname='somecoolhost', expires=-10)
+    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert/../foobar'),
+                      file=(StringIO(cert_contents), 'testcert/../foobar'), expected_code=204)
+
+    # Make sure it is present.
+    json = self.getJsonResponse(SuperUserCustomCertificates)
+    self.assertEquals(1, len(json['certs']))
+
+    cert_info = json['certs'][0]
+    self.assertEquals('foobar', cert_info['path'])
+
+
 class TestSuperUserTakeOwnership(ApiTestCase):
  def test_take_ownership_superuser(self):
    self.login(ADMIN_ACCESS_USER)