Merge pull request #710 from srvrco/tests-for-pr706-and-fix276

Tests for pr706 and fix276

Author: timkimber

getssl

@@ -270,6 +270,7 @@
 # 2021-07-30 Run tests with -d to catch intermittent failures, Use fork's repo for upgrade tests. (tlhackque) (#692) (2.41)
 # 2021-08-26 Improve upgrade check & make upgrade do a full install when possible (tlhackque) (#694) (2.42)
 # 2021-09-02 Fix version compare - cURL v8 may have single digit minor numbers. (tlhackque) (2.43)
+# 2021-09-26 Delete key file when key algorithm has changed (makuhama)
 # ----------------------------------------------------------------------------------------
 
 case :$SHELLOPTS: in
@@ -819,11 +820,13 @@ check_getssl_upgrade() { # check if a more recent release is available
   if [ "$TEMP_UPGRADE_FILE" == "" ]; then
     error_exit "mktemp failed"
   fi
-  CODE_LOCATION=$(sed -e"s/master/${release_tag}/" <<<"$CODE_LOCATION")
+  CODE_LOCATION=$(sed -e"s/getssl\/master/${release_tag}/" <<<"$CODE_LOCATION")
+  # shellcheck disable=SC2086
+  debug curl ${_NOMETER:---silent} --user-agent "$CURL_USERAGENT" "$CODE_LOCATION" --output "$TEMP_UPGRADE_FILE"
   # shellcheck disable=SC2086
   curl ${_NOMETER:---silent} --user-agent "$CURL_USERAGENT" "$CODE_LOCATION" --output "$TEMP_UPGRADE_FILE"
-
   errcode=$?
+
   if [[ $errcode -eq 60 ]]; then
     error_exit "curl needs updating, your version does not support SNI (multiple SSL domains on a single IP)"
   elif [[ $errcode -gt 0 ]]; then
@@ -838,11 +841,11 @@ check_getssl_upgrade() { # check if a more recent release is available
   fi
 
   if [[ ${_MUTE} -eq 0 ]]; then
-    echo "Updated getssl from v${VERSION} to v${release_tag}"
+    echo "Updated getssl from v${VERSION} to ${release_tag}"
     echo "The old version remains as ${0}.v${VERSION} and should be removed"
     echo "These update notifications can be turned off using the -Q option"
     echo ""
-    echo "Updates are;"
+    echo "Updates are:"
     awk "/\(${VERSION}\)$/ {s=1} s; /\(${release_tag}\)$/ || /^# ----/ {s=0}" "$TEMP_UPGRADE_FILE" | awk '{if(NR>1)print}'
     echo ""
   fi
@@ -2117,11 +2120,22 @@ json_get() { # get values from json
 
 obtain_ca_resource_locations()
 {
+  CURL_RESPONSE_FILE="$(mktemp 2>/dev/null || mktemp -t getssl.XXXXXX)"
+
   for suffix in "" "/directory" "/dir";
   do
     # Obtain CA resource locations
     # shellcheck disable=SC2086
-    ca_all_loc=$(curl ${_NOMETER} --user-agent "$CURL_USERAGENT" "${CA}${suffix}" 2>/dev/null)
+    ca_all_loc=$(curl ${_NOMETER} --user-agent "$CURL_USERAGENT" "${CA}${suffix}" 2> $CURL_RESPONSE_FILE)
+    errcode=$?
+    if [[ $errcode -ne 0 ]]; then
+      response=$(cat "$CURL_RESPONSE_FILE")
+      rm "$CURL_RESPONSE_FILE"
+      error_exit "ERROR curl \"$CA$suffix\" failed with $errcode and returned:\n$response"
+    else
+      rm "$CURL_RESPONSE_FILE"
+    fi
+
     debug "ca_all_loc from ${CA}${suffix} gives $ca_all_loc"
     # APIv1
     URL_new_reg=$(echo "$ca_all_loc" | grep "new-reg" | awk -F'"' '{print $4}')
@@ -3146,6 +3160,22 @@ else
 fi
 debug "created SAN list = $SANLIST"
 
+# check if private key alg has changed from RSA to EC (or vice versa)
+if [[ "$DUAL_RSA_ECDSA" == "false" ]] && [[ -s "$DOMAIN_DIR/${DOMAIN}.key" ]]; then
+  case "${PRIVATE_KEY_ALG}" in
+    rsa)
+      if grep -q -- "-----BEGIN EC PRIVATE KEY-----" "$DOMAIN_DIR/${DOMAIN}.key"; then
+        rm -f "$DOMAIN_DIR/${DOMAIN}.key"
+        _FORCE_RENEW=1
+      fi ;;
+    prime256v1|secp384r1|secp521r1)
+      if grep -q -- "-----BEGIN RSA PRIVATE KEY-----" "$DOMAIN_DIR/${DOMAIN}.key"; then
+        rm -f "$DOMAIN_DIR/${DOMAIN}.key"
+        _FORCE_RENEW=1
+      fi ;;
+  esac
+fi
+
 # if there is an existing certificate file, check details.
 if [[ -s "$CERT_FILE" ]]; then
   debug "certificate $CERT_FILE exists"
@@ -3199,20 +3229,6 @@ if [[ "$REUSE_PRIVATE_KEY" != "true" ]]; then
   fi
 fi
 
-# check if private key alg has changed from RSA to EC (or vice versa)
-if [[ "$DUAL_RSA_ECDSA" == "false" ]] && [[ -s "$DOMAIN_DIR/${DOMAIN}.key" ]]; then
-  case "${PRIVATE_KEY_ALG}" in
-    rsa)
-      if grep --silent -- "-----BEGIN EC PRIVATE KEY-----" "$DOMAIN_DIR/${DOMAIN}.key"; then
-        rm -f "$DOMAIN_DIR/${DOMAIN}.key"
-      fi ;;
-    prime256v1|secp384r1|secp521r1)
-      if grep --silent -- "-----BEGIN RSA PRIVATE KEY-----" "$DOMAIN_DIR/${DOMAIN}.key"; then
-        rm -f "$DOMAIN_DIR/${DOMAIN}.key"
-      fi ;;
-  esac
-fi
-
 # create new domain keys if they don't already exist
 if [[ "$DUAL_RSA_ECDSA" == "false" ]]; then
   create_key "${PRIVATE_KEY_ALG}" "$DOMAIN_DIR/${DOMAIN}.key" "$DOMAIN_KEY_LENGTH"

test/0-test-curl-error.bats

@@ -0,0 +1,29 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    #export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+
+@test "Run getssl without pebble certificates to check the error message" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+    create_certificate
+    refute_line "getssl: unknown API version"
+    assert_failure
+}

test/32-test-upgrade.bats

@@ -161,7 +161,7 @@ teardown() {
 
     # Check for current tag or file version otherwise push to master fails on a new version (or if the tag hasn't been updated)
     assert_line --regexp "Installed v(${CURRENT_TAG}|${FILE_VERSION}), restarting"
-    assert_line "Configuration check successful"
+    assert_line --partial "Configuration check successful"
 }
 
 

test/39-private-key-alg-changed.bats

@@ -0,0 +1,88 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+teardown_file() {
+    cleanup_environment
+}
+
+@test "Create new certificate to create a private key" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+    # save a coy of the private key
+    cp "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key" "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key.orig"
+}
+
+@test "Renew certificate (not force) and check nothing happens and key doesn't change" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    ORIG_KEY_HASH="$(cat ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key | sha256sum)"
+
+    run ${CODE_DIR}/getssl -U -d $GETSSL_HOST
+    assert_success
+    assert_line --partial "certificate is valid for more than 30 days"
+    check_output_for_errors
+
+    NEW_KEY_HASH="$(cat ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key  | sha256sum)"
+
+    assert [ "$NEW_KEY_HASH" == "$ORIG_KEY_HASH" ]
+}
+
+@test "Force renewal and check key hasn't changed" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    ORIG_KEY_HASH="$(cat ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key | sha256sum)"
+
+    run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
+    assert_success
+    check_output_for_errors
+
+    NEW_KEY_HASH="$(cat ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key  | sha256sum)"
+
+    assert [ "$NEW_KEY_HASH" == "$ORIG_KEY_HASH" ]
+}
+
+@test "Change key algorithm, force renewal, and check key has changed" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    ORIG_KEY_HASH="$(cat ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key | sha256sum)"
+
+    cat <<- 'EOF' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+PRIVATE_KEY_ALG="prime256v1"
+EOF
+
+    run ${CODE_DIR}/getssl -U -d $GETSSL_HOST
+    assert_success
+    refute_line --partial "certificate is valid for more than 30 days"
+
+    check_output_for_errors
+
+    NEW_KEY_HASH="$(cat ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key  | sha256sum)"
+
+    assert [ "$NEW_KEY_HASH" != "$ORIG_KEY_HASH" ]
+}