f1ed12e2cf
Signing requests are expected to arrive at /v1/sign/<registration_authority> now. Virtual registration authority is a new concept which right now includes everything the original configuration included. That means for example each registration authority available within Anchor deployment can configure its own CA, auth, and validators. Clients request a specific registration authority via the URL. This does not mean they can just choose who signs the CSR - they still need to pass all checks. Only the guesswork of "which validation set applies to them" is gone because of this change. The previous concept of validator sets is gone. Each registration authority configures its own validators and all of them need to pass. Previous endpoint /sign will not work anymore. It's incompatible with the new design. The configuration file changes in the following way: 1. Registration authorities need to be defined in the main config. 2. Validator sets are not available anymore. 3. CA and auth settings at the top level need to be named. They can be referred to in the registration authority block. 4. Old names are removed. Any use of "auth", "ca", or "validators" at the top level will result in an error and explanation regarding the upgrade path. Further documentation and a sample config with the new layout can be found in the docs/configuration.rst file. Closes-bug: 1463752 Change-Id: I5a949e0c79a2d56eadadf5ece62bb8b8eea89e78
99 lines
3.4 KiB
Python
99 lines
3.4 KiB
Python
# -*- coding:utf-8 -*-
|
|
#
|
|
# Copyright 2015 Hewlett-Packard Development Company, L.P.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from anchor import jsonloader
|
|
|
|
import json
|
|
import logging
|
|
import sys
|
|
import unittest
|
|
|
|
import mock
|
|
|
|
import tests
|
|
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
# find the class representing an open file; it depends on the python version
|
|
# it's used later for mocking
|
|
if sys.version_info[0] < 3:
|
|
file_class = file # noqa
|
|
else:
|
|
import _io
|
|
file_class = _io.TextIOWrapper
|
|
|
|
|
|
class TestConfig(tests.DefaultConfigMixin, unittest.TestCase):
|
|
def test_wrong_key(self):
|
|
"""Wrong config key should raise the right error."""
|
|
jsonloader.conf = jsonloader.AnchorConf(logger)
|
|
|
|
with self.assertRaises(AttributeError):
|
|
jsonloader.conf.abcdef
|
|
|
|
def test_load_file(self):
|
|
"""Test loading of a correct configuration."""
|
|
jsonloader.conf = jsonloader.AnchorConf(logger)
|
|
|
|
open_name = 'anchor.jsonloader.open'
|
|
with mock.patch(open_name, create=True) as mock_open:
|
|
mock_open.return_value = mock.MagicMock(spec=file_class)
|
|
m_file = mock_open.return_value.__enter__.return_value
|
|
m_file.read.return_value = json.dumps(self.sample_conf)
|
|
|
|
jsonloader.conf.load_file_data('/tmp/impossible_path')
|
|
|
|
self.assertEqual(
|
|
(jsonloader.conf.registration_authority['default_ra']
|
|
['authentication']),
|
|
'default_auth')
|
|
self.assertEqual(
|
|
jsonloader.conf.signing_ca['default_ca']['valid_hours'],
|
|
24)
|
|
|
|
def test_load_file_cant_open(self):
|
|
"""Test failures when opening files."""
|
|
jsonloader.conf = jsonloader.AnchorConf(logger)
|
|
|
|
open_name = 'anchor.jsonloader.open'
|
|
with mock.patch(open_name, create=True) as mock_open:
|
|
mock_open.return_value = mock.MagicMock(spec=file_class)
|
|
mock_open.side_effect = IOError("can't open file")
|
|
|
|
with self.assertRaises(IOError):
|
|
jsonloader.conf.load_file_data('/tmp/impossible_path')
|
|
|
|
def test_load_file_cant_parse(self):
|
|
"""Test failues when parsing json format."""
|
|
jsonloader.conf = jsonloader.AnchorConf(logger)
|
|
|
|
open_name = 'anchor.jsonloader.open'
|
|
with mock.patch(open_name, create=True) as mock_open:
|
|
mock_open.return_value = mock.MagicMock(spec=file_class)
|
|
m_file = mock_open.return_value.__enter__.return_value
|
|
m_file.read.return_value = "{{{{ bad json"
|
|
|
|
with self.assertRaises(ValueError):
|
|
jsonloader.conf.load_file_data('/tmp/impossible_path')
|
|
|
|
def test_registration_authority_names(self):
|
|
"""Instances should be listed once config is loaded."""
|
|
jsonloader.conf = jsonloader.AnchorConf(logger)
|
|
jsonloader.conf.load_str_data(json.dumps(self.sample_conf))
|
|
self.assertEqual(list(jsonloader.registration_authority_names()),
|
|
['default_ra'])
|