Yasuke/moto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
e3244a9678
moto/tests/test_acmpca/test_acmpca.py
Bert Blommers 672c95384a
Feature: ACM-PCA (#5712)
2022-11-28 12:22:48 -01:00

361 lines
13 KiB
Python
Raw Blame History

"""Unit tests for acmpca-supported APIs."""
import boto3
import pytest
import sure # noqa # pylint: disable=unused-import
from botocore.exceptions import ClientError
from moto import mock_acmpca
from moto.core import DEFAULT_ACCOUNT_ID
import datetime
import cryptography.x509
from cryptography.x509 import NameOID
import cryptography.hazmat.primitives.asymmetric.rsa
from cryptography.hazmat.primitives import serialization, hashes
from cryptography.hazmat.backends import default_backend
# See our Development Tips on writing tests for hints on how to write good tests:
# http://docs.getmoto.org/en/latest/docs/contributing/development_tips/tests.html
@mock_acmpca
def test_create_certificate_authority():
client = boto3.client("acm-pca", region_name="eu-west-1")
resp = client.create_certificate_authority(
CertificateAuthorityConfiguration={
"KeyAlgorithm": "RSA_4096",
"SigningAlgorithm": "SHA512WITHRSA",
"Subject": {"CommonName": "yscb41lw.test"},
},
CertificateAuthorityType="SUBORDINATE",
IdempotencyToken="terraform-20221125230308947400000001",
)
resp.should.have.key("CertificateAuthorityArn").match(
f"^arn:aws:acm-pca:eu-west-1:{DEFAULT_ACCOUNT_ID}:certificate-authority/"
)
@mock_acmpca
def test_describe_certificate_authority():
client = boto3.client("acm-pca", region_name="ap-southeast-1")
ca_arn = client.create_certificate_authority(
CertificateAuthorityConfiguration={
"KeyAlgorithm": "RSA_4096",
"SigningAlgorithm": "SHA512WITHRSA",
"Subject": {"CommonName": "yscb41lw.test"},
},
CertificateAuthorityType="SUBORDINATE",
IdempotencyToken="terraform-20221125230308947400000001",
)["CertificateAuthorityArn"]
ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[
"CertificateAuthority"
]
ca.should.have.key("Arn").equals(ca_arn)
ca.should.have.key("OwnerAccount").equals(DEFAULT_ACCOUNT_ID)
ca.should.have.key("CreatedAt")
ca.should.have.key("Type").equals("SUBORDINATE")
ca.should.have.key("Status").equals("PENDING_CERTIFICATE")
ca.should.have.key("CertificateAuthorityConfiguration").equals(
{
"KeyAlgorithm": "RSA_4096",
"SigningAlgorithm": "SHA512WITHRSA",
"Subject": {"CommonName": "yscb41lw.test"},
}
)
@mock_acmpca
def test_describe_unknown_certificate_authority():
client = boto3.client("acm-pca", region_name="ap-southeast-1")
with pytest.raises(ClientError) as exc:
client.describe_certificate_authority(CertificateAuthorityArn="unknown")
err = exc.value.response["Error"]
err["Code"].should.equal("ResourceNotFoundException")
@mock_acmpca
def test_get_certificate_authority_certificate():
client = boto3.client("acm-pca", region_name="ap-southeast-1")
ca_arn = client.create_certificate_authority(
CertificateAuthorityConfiguration={
"KeyAlgorithm": "RSA_4096",
"SigningAlgorithm": "SHA512WITHRSA",
"Subject": {"CommonName": "yscb41lw.test"},
},
CertificateAuthorityType="SUBORDINATE",
IdempotencyToken="terraform-20221125230308947400000001",
)["CertificateAuthorityArn"]
resp = client.get_certificate_authority_certificate(CertificateAuthorityArn=ca_arn)
# Certificate is empty for now, until we call import_certificate_authority_certificate
resp.should.have.key("Certificate").equals("")
@mock_acmpca
def test_get_certificate_authority_csr():
client = boto3.client("acm-pca", region_name="us-east-2")
ca_arn = client.create_certificate_authority(
CertificateAuthorityConfiguration={
"KeyAlgorithm": "RSA_4096",
"SigningAlgorithm": "SHA512WITHRSA",
"Subject": {"CommonName": "yscb41lw.test"},
},
CertificateAuthorityType="SUBORDINATE",
IdempotencyToken="terraform-20221125230308947400000001",
)["CertificateAuthorityArn"]
resp = client.get_certificate_authority_csr(CertificateAuthorityArn=ca_arn)
resp.should.have.key("Csr")
@mock_acmpca
def test_list_tags_when_ca_has_no_tags():
client = boto3.client("acm-pca", region_name="us-east-2")
ca_arn = client.create_certificate_authority(
CertificateAuthorityConfiguration={
"KeyAlgorithm": "RSA_4096",
"SigningAlgorithm": "SHA512WITHRSA",
"Subject": {"CommonName": "yscb41lw.test"},
},
CertificateAuthorityType="SUBORDINATE",
IdempotencyToken="terraform-20221125230308947400000001",
)["CertificateAuthorityArn"]
resp = client.list_tags(CertificateAuthorityArn=ca_arn)
resp.should.have.key("Tags").equals([])
@mock_acmpca
def test_list_tags():
client = boto3.client("acm-pca", region_name="us-east-2")
ca_arn = client.create_certificate_authority(
CertificateAuthorityConfiguration={
"KeyAlgorithm": "RSA_4096",
"SigningAlgorithm": "SHA512WITHRSA",
"Subject": {"CommonName": "yscb41lw.test"},
},
CertificateAuthorityType="SUBORDINATE",
IdempotencyToken="terraform-20221125230308947400000001",
Tags=[{"Key": "t1", "Value": "v1"}, {"Key": "t2", "Value": "v2"}],
)["CertificateAuthorityArn"]
resp = client.list_tags(CertificateAuthorityArn=ca_arn)
resp.should.have.key("Tags").equals(
[{"Key": "t1", "Value": "v1"}, {"Key": "t2", "Value": "v2"}]
)
@mock_acmpca
def test_update_certificate_authority():
client = boto3.client("acm-pca", region_name="eu-west-1")
ca_arn = client.create_certificate_authority(
CertificateAuthorityConfiguration={
"KeyAlgorithm": "RSA_4096",
"SigningAlgorithm": "SHA512WITHRSA",
"Subject": {"CommonName": "yscb41lw.test"},
},
CertificateAuthorityType="SUBORDINATE",
)["CertificateAuthorityArn"]
client.update_certificate_authority(
CertificateAuthorityArn=ca_arn,
Status="DISABLED",
)
ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[
"CertificateAuthority"
]
ca.should.have.key("Status").equals("DISABLED")
ca.should.have.key("LastStateChangeAt")
@mock_acmpca
def test_delete_certificate_authority():
client = boto3.client("acm-pca", region_name="ap-southeast-1")
ca_arn = client.create_certificate_authority(
CertificateAuthorityConfiguration={
"KeyAlgorithm": "RSA_4096",
"SigningAlgorithm": "SHA512WITHRSA",
"Subject": {"CommonName": "yscb41lw.test"},
},
CertificateAuthorityType="SUBORDINATE",
)["CertificateAuthorityArn"]
client.delete_certificate_authority(CertificateAuthorityArn=ca_arn)
ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[
"CertificateAuthority"
]
ca.should.have.key("Status").equals("DELETED")
@mock_acmpca
def test_issue_certificate():
client = boto3.client("acm-pca", region_name="ap-southeast-1")
ca_arn = client.create_certificate_authority(
CertificateAuthorityConfiguration={
"KeyAlgorithm": "RSA_4096",
"SigningAlgorithm": "SHA512WITHRSA",
"Subject": {"CommonName": "t8fzth32.test"},
},
CertificateAuthorityType="ROOT",
)["CertificateAuthorityArn"]
csr = client.get_certificate_authority_csr(CertificateAuthorityArn=ca_arn)["Csr"]
resp = client.issue_certificate(
CertificateAuthorityArn=ca_arn,
Csr=csr,
SigningAlgorithm="SHA512WITHRSA",
Validity={"Type": "YEARS", "Value": 10},
)
resp.should.have.key("CertificateArn")
@mock_acmpca
def test_get_certificate():
client = boto3.client("acm-pca", region_name="us-east-2")
ca_arn = client.create_certificate_authority(
CertificateAuthorityConfiguration={
"KeyAlgorithm": "RSA_4096",
"SigningAlgorithm": "SHA512WITHRSA",
"Subject": {"CommonName": "t8fzth32.test"},
},
CertificateAuthorityType="ROOT",
)["CertificateAuthorityArn"]
csr = client.get_certificate_authority_csr(CertificateAuthorityArn=ca_arn)["Csr"]
certificate_arn = client.issue_certificate(
CertificateAuthorityArn=ca_arn,
Csr=csr,
SigningAlgorithm="SHA512WITHRSA",
Validity={"Type": "YEARS", "Value": 10},
)["CertificateArn"]
resp = client.get_certificate(
CertificateAuthorityArn=ca_arn, CertificateArn=certificate_arn
)
resp.should.have.key("Certificate")
@mock_acmpca
def test_import_certificate_authority_certificate():
client = boto3.client("acm-pca", region_name="eu-west-1")
ca_arn = client.create_certificate_authority(
CertificateAuthorityConfiguration={
"KeyAlgorithm": "RSA_4096",
"SigningAlgorithm": "SHA512WITHRSA",
"Subject": {"CommonName": "yscb41lw.test"},
},
CertificateAuthorityType="SUBORDINATE",
)["CertificateAuthorityArn"]
cert = create_cert()
client.import_certificate_authority_certificate(
CertificateAuthorityArn=ca_arn,
Certificate=cert,
)
ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[
"CertificateAuthority"
]
ca.should.have.key("Status").equals("ACTIVE")
ca.should.have.key("NotBefore")
ca.should.have.key("NotAfter")
resp = client.get_certificate_authority_certificate(CertificateAuthorityArn=ca_arn)
resp.should.have.key("Certificate").match("^-----BEGIN CERTIFICATE-----")
@mock_acmpca
def test_tag_certificate_authority():
client = boto3.client("acm-pca", region_name="eu-west-1")
ca_arn = client.create_certificate_authority(
CertificateAuthorityConfiguration={
"KeyAlgorithm": "RSA_4096",
"SigningAlgorithm": "SHA512WITHRSA",
"Subject": {"CommonName": "yscb41lw.test"},
},
CertificateAuthorityType="SUBORDINATE",
)["CertificateAuthorityArn"]
client.tag_certificate_authority(
CertificateAuthorityArn=ca_arn,
Tags=[{"Key": "t1", "Value": "v1"}, {"Key": "t2", "Value": "v2"}],
)
resp = client.list_tags(CertificateAuthorityArn=ca_arn)
resp.should.have.key("Tags").equals(
[{"Key": "t1", "Value": "v1"}, {"Key": "t2", "Value": "v2"}]
)
@mock_acmpca
def test_untag_certificate_authority():
client = boto3.client("acm-pca", region_name="eu-west-1")
ca_arn = client.create_certificate_authority(
CertificateAuthorityConfiguration={
"KeyAlgorithm": "RSA_4096",
"SigningAlgorithm": "SHA512WITHRSA",
"Subject": {"CommonName": "yscb41lw.test"},
},
CertificateAuthorityType="SUBORDINATE",
)["CertificateAuthorityArn"]
client.tag_certificate_authority(
CertificateAuthorityArn=ca_arn,
Tags=[{"Key": "t1", "Value": "v1"}, {"Key": "t2", "Value": "v2"}],
)
client.untag_certificate_authority(
CertificateAuthorityArn=ca_arn, Tags=[{"Key": "t1", "Value": "v1"}]
)
resp = client.list_tags(CertificateAuthorityArn=ca_arn)
resp.should.have.key("Tags").equals([{"Key": "t2", "Value": "v2"}])
def create_cert():
serial_number = cryptography.x509.random_serial_number()
subject = cryptography.x509.Name(
[
cryptography.x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
cryptography.x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "CA"),
cryptography.x509.NameAttribute(NameOID.LOCALITY_NAME, "Test Francisco"),
cryptography.x509.NameAttribute(NameOID.ORGANIZATION_NAME, "TestCompany"),
cryptography.x509.NameAttribute(NameOID.COMMON_NAME, "testcert.io"),
]
)
issuer = cryptography.x509.Name(
[ # C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
cryptography.x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
cryptography.x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Amazon"),
cryptography.x509.NameAttribute(
NameOID.ORGANIZATIONAL_UNIT_NAME, "Server CA 1B"
),
cryptography.x509.NameAttribute(NameOID.COMMON_NAME, "TestCert"),
]
)
key = cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key(
public_exponent=65537, key_size=2048
)
cert = (
cryptography.x509.CertificateBuilder()
.subject_name(subject)
.issuer_name(issuer)
.public_key(key.public_key())
.serial_number(serial_number)
.not_valid_before(datetime.datetime.utcnow() - datetime.timedelta(days=10))
.not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=10))
.sign(key, hashes.SHA512(), default_backend())
)
return cert.public_bytes(serialization.Encoding.PEM)
Reference in New Issue View Git Blame Copy Permalink