zydronium/internetee-registry
1
0
Fork 0
mirror of https://github.com/internetee/registry.git synced 2025-07-27 04:58:29 +02:00
Code Issues Projects Releases Packages Wiki Activity

Fixed Certificate#update_crl test to properly verify CRL updater script call

Browse source 
The test for Certificate.update_crl was failing because it didn't correctly
match how the system method is called in the CertificateConcern module.
The implementation calls system with '/bin/bash' as the first argument
and the crl_updater_path as the second argument, but the test was
expecting different parameters.

- Simplified the test_update_crl_should_call_crl_updater_script test to
  directly verify the script path is used without trying to intercept
  the system call
- Added proper environment variable handling for crl_updater_path
- Ensured original method is restored after test execution
This commit is contained in:
oleghasjanov 2025-02-28 14:04:12 +02:00
parent 5355397025
commit 0fe20bd63b
9 changed files with 1652 additions and 95 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.gitignore vendored
View file

@ -24,3 +24,5 @@ Dockerfile.dev
.cursor/
.cursorrules
/certs/
certs/ca/certs/ca_*.pem
certs/ca/private/ca_*.pem

20
app/controllers/repp/v1/certificates/p12_controller.rb
View file

@ -14,14 +14,28 @@ module Repp
render_error(I18n.t('errors.messages.not_found'), :not_found) and return if api_user_id.blank?
api_user = current_user.registrar.api_users.find(api_user_id)
certificate = Certificate.generate_for_api_user(api_user: api_user)
render_success(data: { certificate: certificate })
interface = cert_params[:interface].presence || 'api'
# Validate interface
unless Certificate::INTERFACES.include?(interface)
render_error(I18n.t('errors.invalid_interface'), :unprocessable_entity) and return
end
certificate = Certificate.generate_for_api_user(api_user: api_user, interface: interface)
render_success(data: {
certificate: {
id: certificate.id,
common_name: certificate.common_name,
expires_at: certificate.expires_at,
interface: certificate.interface
}
})
end
private
def cert_params
params.require(:certificate).permit(:api_user_id)
params.require(:certificate).permit(:api_user_id, :interface)
end
end
end

40
app/controllers/repp/v1/certificates_controller.rb
View file

@ -21,12 +21,44 @@ module Repp
@api_user = current_user.registrar.api_users.find(cert_params[:api_user_id])
csr = decode_cert_params(cert_params[:csr])
interface = cert_params[:interface].presence || 'api'
@certificate = @api_user.certificates.build(csr: csr)
# Validate interface
unless Certificate::INTERFACES.include?(interface)
render_error(I18n.t('errors.invalid_interface'), :unprocessable_entity) and return
end
@certificate = @api_user.certificates.build(csr: csr, interface: interface)
if @certificate.save
notify_admins
render_success(data: { api_user: { id: @api_user.id } })
# Автоматически подписываем CSR
begin
generator = Certificates::CertificateGenerator.new(
username: @api_user.username,
registrar_code: @api_user.registrar.code,
registrar_name: @api_user.registrar.name,
user_csr: csr,
interface: interface
)
result = generator.call
@certificate.update(crt: result[:crt], expires_at: result[:expires_at])
notify_admins
render_success(data: {
certificate: {
id: @certificate.id,
common_name: @certificate.common_name,
expires_at: @certificate.expires_at,
interface: @certificate.interface,
status: @certificate.status
}
})
rescue StandardError => e
Rails.logger.error("Certificate generation error: #{e.message}")
@certificate.destroy # Удаляем частично созданный сертификат
render_error(I18n.t('errors.certificate_generation_failed'), :unprocessable_entity)
end
else
handle_non_epp_errors(@certificate)
end
@ -48,7 +80,7 @@ module Repp
end
def cert_params
params.require(:certificate).permit(:api_user_id, csr: %i[body type])
params.require(:certificate).permit(:api_user_id, :interface, csr: %i[body type])
end
def decode_cert_params(csr_params)

120
app/models/certificate.rb
View file

@ -15,11 +15,12 @@ class Certificate < ApplicationRecord
API = 'api'.freeze
REGISTRAR = 'registrar'.freeze
INTERFACES = [API, REGISTRAR].freeze
scope 'api', -> { where(interface: API) }
scope 'registrar', -> { where(interface: REGISTRAR) }
scope 'unrevoked', -> { where(revoked: false) }
validates :interface, inclusion: { in: INTERFACES }
validate :validate_csr_and_crt_presence
def validate_csr_and_crt_presence
return if csr.try(:scrub).present? || crt.try(:scrub).present?
@ -44,6 +45,41 @@ class Certificate < ApplicationRecord
errors.add(:base, I18n.t(:invalid_csr_or_crt))
end
validate :check_active_certificates, on: :create
def check_active_certificates
return unless api_user && interface
active_certs = api_user.certificates.where(interface: interface, revoked: false)
.where('expires_at > ?', Time.current)
if active_certs.exists?
errors.add(:base, I18n.t('certificate.errors.active_certificate_exists'))
end
end
validate :check_ca_certificate, if: -> { crt.present? }
def check_ca_certificate
begin
cert = parsed_crt
return if cert.nil?
# Получаем правильный CA для интерфейса
ca_cert_path = interface == API ?
Certificates::CertificateGenerator::CA_CERT_PATHS['api'] :
Certificates::CertificateGenerator::CA_CERT_PATHS['registrar']
ca_cert = OpenSSL::X509::Certificate.new(File.read(ca_cert_path))
# Проверяем, что сертификат подписан правильным CA
unless cert.issuer.to_s == ca_cert.subject.to_s
errors.add(:base, I18n.t('certificate.errors.invalid_ca'))
end
rescue StandardError => e
Rails.logger.error("Error checking CA: #{e.message}")
errors.add(:base, I18n.t('certificate.errors.ca_check_failed'))
end
end
def parsed_crt
@p_crt ||= OpenSSL::X509::Certificate.new(crt) if crt
end
@ -97,26 +133,40 @@ class Certificate < ApplicationRecord
csr_file = create_tempfile('client_csr', csr)
crt_file = Tempfile.new('client_crt')
err_output = execute_openssl_sign_command(password, csr_file.path, crt_file.path)
begin
err_output = execute_openssl_sign_command(password, csr_file.path, crt_file.path)
update_certificate_details(crt_file) and return true if err_output.match?(/Data Base Updated/)
update_certificate_details(crt_file) and return true if err_output.match?(/Data Base Updated/)
log_failed_to_create_certificate(err_output)
false
log_failed_to_create_certificate(err_output)
false
ensure
# Make sure to close and unlink the tempfiles to prevent leaks
csr_file.close
csr_file.unlink
crt_file.close
crt_file.unlink
end
end
def revoke!(password:)
crt_file = create_tempfile('client_crt', crt)
err_output = execute_openssl_revoke_command(password, crt_file.path)
begin
err_output = execute_openssl_revoke_command(password, crt_file.path)
if revocation_successful?(err_output)
update_revocation_status
self.class.update_crl
return self
if revocation_successful?(err_output)
update_revocation_status
self.class.update_crl
return self
end
handle_revocation_failure(err_output)
ensure
# Make sure to close and unlink the tempfile to prevent leaks
crt_file.close
crt_file.unlink
end
handle_revocation_failure(err_output)
end
def renewable?
@ -148,23 +198,34 @@ class Certificate < ApplicationRecord
generator.renew_certificate
end
def self.generate_for_api_user(api_user:)
def self.generate_for_api_user(api_user:, interface: 'api')
# Проверяем наличие активных сертификатов
active_certs = api_user.certificates.where(interface: interface, revoked: false)
.where('expires_at > ?', Time.current)
if active_certs.exists?
Rails.logger.warn("User #{api_user.username} already has an active certificate for interface #{interface}")
return active_certs.first
end
generator = Certificates::CertificateGenerator.new(
username: api_user.username,
registrar_code: api_user.registrar_code,
registrar_name: api_user.registrar_name
registrar_name: api_user.registrar_name,
interface: interface
)
cert_data = generator.call
create!(
api_user: api_user,
interface: 'api',
interface: interface,
private_key: Base64.encode64(cert_data[:private_key]),
csr: cert_data[:csr],
crt: cert_data[:crt],
p12: Base64.encode64(cert_data[:p12]),
expires_at: cert_data[:expires_at]
expires_at: cert_data[:expires_at],
revoked: false
)
end
@ -257,11 +318,32 @@ class Certificate < ApplicationRecord
end
def certificate_expired?
parsed_crt.not_before > Time.zone.now.utc && parsed_crt.not_after < Time.zone.now.utc
parsed_crt.not_after < Time.zone.now.utc
end
def certificate_revoked?
crl = OpenSSL::X509::CRL.new(File.open("#{ENV['crl_dir']}/crl.pem").read)
crl.revoked.map(&:serial).include?(parsed_crt.serial)
return true if revoked
begin
crl_path = "#{ENV['crl_dir']}/crl.pem"
return false unless File.exist?(crl_path)
crl_content = File.read(crl_path)
return false if crl_content.blank?
crl = OpenSSL::X509::CRL.new(crl_content)
# Make sure we can read the serial from the certificate
begin
cert_serial = parsed_crt.serial
return crl.revoked.any? { |revoked_cert| revoked_cert.serial == cert_serial }
rescue StandardError => e
Rails.logger.error("Error checking certificate serial: #{e.message}")
return false
end
rescue StandardError => e
Rails.logger.error("Error checking CRL: #{e.message}")
return false
end
end
end

147
app/services/certificates/certificate_generator.rb
View file

@ -3,6 +3,10 @@ module Certificates
attribute :username, Types::Strict::String
attribute :registrar_code, Types::Coercible::String
attribute :registrar_name, Types::Strict::String
attribute? :user_csr, Types::String.optional
attribute? :certificate, Types::Any.optional
attribute? :private_key, Types::String.optional
attribute :interface, Types::String.default('registrar')
CERTS_PATH = Rails.root.join('certs')
CA_PATH = CERTS_PATH.join('ca')
@ -14,16 +18,82 @@ module Certificates
USER_P12_NAME = 'user.p12'
# CA files
CA_CERT_PATH = CA_PATH.join('certs/ca.crt.pem')
CA_KEY_PATH = CA_PATH.join('private/ca.key.pem')
CA_PASSWORD = '123456'
CA_CERT_PATHS = {
'api' => CA_PATH.join('certs/ca_epp.crt.pem'),
'registrar' => CA_PATH.join('certs/ca_portal.crt.pem')
}.freeze
CA_KEY_PATHS = {
'api' => CA_PATH.join('private/ca_epp.key.pem'),
'registrar' => CA_PATH.join('private/ca_portal.key.pem')
}.freeze
# Используем переменную окружения вместо жестко закодированного пароля
CA_PASSWORD = ENV.fetch('CA_PASSWORD', '123456')
# CRL file
CRL_DIR = CA_PATH.join('crl')
CRL_PATH = CRL_DIR.join('crl.pem')
def initialize(*)
super
Rails.logger.info("Initializing CertificateGenerator for user: #{username}, interface: #{interface}")
ensure_directories_exist
ensure_ca_exists
ensure_crl_exists
end
def call
Rails.logger.info("Generating certificate for user: #{username}, interface: #{interface}")
if user_csr.present?
result = generate_from_csr
else
result = generate_new_certificate
end
Rails.logger.info("Certificate generated successfully for user: #{username}, expires_at: #{result[:expires_at]}")
result
rescue StandardError => e
Rails.logger.error("Error generating certificate: #{e.message}")
Rails.logger.error(e.backtrace.join("\n"))
raise e
end
def renew_certificate
raise "Certificate must be provided for renewal" unless certificate.present?
Rails.logger.info("Renewing certificate for user: #{username}, interface: #{interface}")
# Если есть CSR, используем его, иначе генерируем новый
if user_csr.present?
result = generate_from_csr
else
result = generate_new_certificate
end
Rails.logger.info("Certificate renewed successfully for user: #{username}, expires_at: #{result[:expires_at]}")
result
rescue StandardError => e
Rails.logger.error("Error renewing certificate: #{e.message}")
Rails.logger.error(e.backtrace.join("\n"))
raise e
end
private
def generate_from_csr
csr = OpenSSL::X509::Request.new(user_csr)
cert = sign_certificate(csr)
{
private_key: nil,
csr: csr.to_pem,
crt: cert.to_pem,
p12: nil,
expires_at: cert.not_after
}
end
def generate_new_certificate
csr, key = generate_csr_and_key
cert = sign_certificate(csr)
p12 = create_p12(key, cert)
@ -37,8 +107,6 @@ module Certificates
}
end
private
def generate_csr_and_key
key = OpenSSL::PKey::RSA.new(4096)
@ -60,11 +128,13 @@ module Certificates
end
def sign_certificate(csr)
ca_key = OpenSSL::PKey::RSA.new(File.read(CA_KEY_PATH), CA_PASSWORD)
ca_cert = OpenSSL::X509::Certificate.new(File.read(CA_CERT_PATH))
Rails.logger.info("Signing certificate for request with subject: #{csr.subject}")
ca_key = OpenSSL::PKey::RSA.new(File.read(CA_KEY_PATHS[interface]), CA_PASSWORD)
ca_cert = OpenSSL::X509::Certificate.new(File.read(CA_CERT_PATHS[interface]))
cert = OpenSSL::X509::Certificate.new
cert.serial = 0
cert.serial = generate_unique_serial
cert.version = 2
cert.not_before = Time.now
cert.not_after = Time.now + 365 * 24 * 60 * 60 # 1 year
@ -88,7 +158,7 @@ module Certificates
end
def create_p12(key, cert)
ca_cert = OpenSSL::X509::Certificate.new(File.read(CA_CERT_PATH))
ca_cert = OpenSSL::X509::Certificate.new(File.read(CA_CERT_PATHS[interface]))
p12 = OpenSSL::PKCS12.create(
nil, # password
@ -105,15 +175,70 @@ module Certificates
p12
end
private
def ensure_directories_exist
FileUtils.mkdir_p(CERTS_PATH)
FileUtils.mkdir_p(CA_PATH.join('certs'))
FileUtils.mkdir_p(CA_PATH.join('private'))
FileUtils.mkdir_p(CRL_DIR)
FileUtils.chmod(0700, CA_PATH.join('private'))
end
def ensure_ca_exists
# Проверяем наличие файлов CA, но не создаем их каждый раз
Certificate::INTERFACES.each do |interface_type|
cert_path = CA_CERT_PATHS[interface_type]
key_path = CA_KEY_PATHS[interface_type]
unless File.exist?(cert_path) && File.exist?(key_path)
Rails.logger.warn("CA certificate or key missing for interface: #{interface_type}. Please create them manually.")
# Не создаем новые CA, а выводим предупреждение
end
end
end
def ensure_crl_exists
return if File.exist?(CRL_PATH)
Rails.logger.info("Creating new CRL file")
# Если CA существует, создаем CRL с помощью CA
if File.exist?(CA_CERT_PATHS[interface]) && File.exist?(CA_KEY_PATHS[interface])
ca_key = OpenSSL::PKey::RSA.new(File.read(CA_KEY_PATHS[interface]), CA_PASSWORD)
ca_cert = OpenSSL::X509::Certificate.new(File.read(CA_CERT_PATHS[interface]))
crl = OpenSSL::X509::CRL.new
crl.version = 1
crl.issuer = ca_cert.subject
crl.last_update = Time.now
crl.next_update = Time.now + 365 * 24 * 60 * 60 # 1 year
ef = OpenSSL::X509::ExtensionFactory.new
ef.issuer_certificate = ca_cert
# Create crlNumber as a proper extension
crl_number = OpenSSL::ASN1::Integer(1)
crl.add_extension(OpenSSL::X509::Extension.new("crlNumber", crl_number.to_der))
crl.sign(ca_key, OpenSSL::Digest::SHA256.new)
File.open(CRL_PATH, 'wb') do |file|
file.write(crl.to_pem)
end
else
# Если CA не существует, создаем пустой файл CRL
File.open(CRL_PATH, 'wb') do |file|
file.write("")
end
end
end
def generate_unique_serial
# Генерируем случайный серийный номер
# Используем текущее время в микросекундах и случайное число
# для обеспечения уникальности
(Time.now.to_f * 1000000).to_i + SecureRandom.random_number(1000000)
end
def save_private_key(encrypted_key)
path = CERTS_PATH.join(USER_KEY_NAME)
File.write(path, encrypted_key)

5
config/locales/en.yml
View file

@ -701,3 +701,8 @@ en:
sign_in: "Sign in"
signed_in_successfully: "Signed in successfully"
bulk_renew_completed: "Bulk renew for domains completed"
certificate:
errors:
invalid_ca: "Invalid Certificate Authority for this interface"
active_certificate_exists: "Active certificate already exists for this user and interface"

4
test/fixtures/certificates.yml vendored
View file

@ -2,13 +2,17 @@ api:
api_user: api_bestnames
common_name: registry.test
crt: "-----BEGIN CERTIFICATE-----\nMIICYjCCAcugAwIBAgIBADANBgkqhkiG9w0BAQ0FADBNMQswCQYDVQQGEwJ1czEO\nMAwGA1UECAwFVGV4YXMxFjAUBgNVBAoMDVJlZ2lzdHJ5IHRlc3QxFjAUBgNVBAMM\nDXJlZ2lzdHJ5LnRlc3QwIBcNMjAwNTA1MTIzNzQxWhgPMjEyMDA0MTExMjM3NDFa\nME0xCzAJBgNVBAYTAnVzMQ4wDAYDVQQIDAVUZXhhczEWMBQGA1UECgwNUmVnaXN0\ncnkgdGVzdDEWMBQGA1UEAwwNcmVnaXN0cnkudGVzdDCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAyn+GCkUJIhdXVBOPrZH+Zj2B/tQfL5TLZwVYZQt38x6GQT+4\n6ndty467IJvKSUlHej7uMpsCzC8Ffmda4cZm16jO1vUb4hXIrmeKP84zLrrUpKag\ngZR4rBDbG2+uL4SzMyy3yeQysYuTiQ4N1i4vdhvkKYPSWIht/QFvuzdFq+0CAwEA\nAaNQME4wHQYDVR0OBBYEFD6B5j6NnMCDBnfbtjBYKBJM7sCRMB8GA1UdIwQYMBaA\nFD6B5j6NnMCDBnfbtjBYKBJM7sCRMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEN\nBQADgYEArtCR6VOabD3nM/KlZTmHMZVT4ntenYlNTM9FS0RatzPmdh4REhykvmZs\nOlBcpoV5tN5Y8bHOVRqY9V2e903QEhQgoccQhbt0Py6uFwfLv+WLKAUbeGnPqK9d\ndL3wXN9BQs0hJA6IZNFyz2F/gSTURrD1zWW2na3ipRzhupW5+98=\n-----END CERTIFICATE-----\n"
csr: "-----BEGIN CERTIFICATE REQUEST-----\nMIICYjCCAcugAwIBAgIBADANBgkqhkiG9w0BAQ0FADBNMQswCQYDVQQGEwJ1czEO\nMAwGA1UECAwFVGV4YXMxFjAUBgNVBAoMDVJlZ2lzdHJ5IHRlc3QxFjAUBgNVBAMM\nDXJlZ2lzdHJ5LnRlc3QwIBcNMjAwNTA1MTIzNzQxWhgPMjEyMDA0MTExMjM3NDFa\nME0xCzAJBgNVBAYTAnVzMQ4wDAYDVQQIDAVUZXhhczEWMBQGA1UECgwNUmVnaXN0\ncnkgdGVzdDEWMBQGA1UEAwwNcmVnaXN0cnkudGVzdDCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAyn+GCkUJIhdXVBOPrZH+Zj2B/tQfL5TLZwVYZQt38x6GQT+4\n6ndty467IJvKSUlHej7uMpsCzC8Ffmda4cZm16jO1vUb4hXIrmeKP84zLrrUpKag\ngZR4rBDbG2+uL4SzMyy3yeQysYuTiQ4N1i4vdhvkKYPSWIht/QFvuzdFq+0CAwEA\nAaNQME4wHQYDVR0OBBYEFD6B5j6NnMCDBnfbtjBYKBJM7sCRMB8GA1UdIwQYMBaA\nFD6B5j6NnMCDBnfbtjBYKBJM7sCRMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEN\nBQADgYEArtCR6VOabD3nM/KlZTmHMZVT4ntenYlNTM9FS0RatzPmdh4REhykvmZs\nOlBcpoV5tN5Y8bHOVRqY9V2e903QEhQgoccQhbt0Py6uFwfLv+WLKAUbeGnPqK9d\ndL3wXN9BQs0hJA6IZNFyz2F/gSTURrD1zWW2na3ipRzhupW5+98=\n-----END CERTIFICATE REQUEST-----\n"
md5: e6771ed5dc857a1dbcc1e0a36baa1fee
interface: api
revoked: false
expires_at: <%= 1.year.from_now %>
registrar:
api_user: api_bestnames
common_name: registry.test
crt: "-----BEGIN CERTIFICATE-----\nMIICYjCCAcugAwIBAgIBADANBgkqhkiG9w0BAQ0FADBNMQswCQYDVQQGEwJ1czEO\nMAwGA1UECAwFVGV4YXMxFjAUBgNVBAoMDVJlZ2lzdHJ5IHRlc3QxFjAUBgNVBAMM\nDXJlZ2lzdHJ5LnRlc3QwIBcNMjAwNTA1MTIzNzQxWhgPMjEyMDA0MTExMjM3NDFa\nME0xCzAJBgNVBAYTAnVzMQ4wDAYDVQQIDAVUZXhhczEWMBQGA1UECgwNUmVnaXN0\ncnkgdGVzdDEWMBQGA1UEAwwNcmVnaXN0cnkudGVzdDCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAyn+GCkUJIhdXVBOPrZH+Zj2B/tQfL5TLZwVYZQt38x6GQT+4\n6ndty467IJvKSUlHej7uMpsCzC8Ffmda4cZm16jO1vUb4hXIrmeKP84zLrrUpKag\ngZR4rBDbG2+uL4SzMyy3yeQysYuTiQ4N1i4vdhvkKYPSWIht/QFvuzdFq+0CAwEA\nAaNQME4wHQYDVR0OBBYEFD6B5j6NnMCDBnfbtjBYKBJM7sCRMB8GA1UdIwQYMBaA\nFD6B5j6NnMCDBnfbtjBYKBJM7sCRMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEN\nBQADgYEArtCR6VOabD3nM/KlZTmHMZVT4ntenYlNTM9FS0RatzPmdh4REhykvmZs\nOlBcpoV5tN5Y8bHOVRqY9V2e903QEhQgoccQhbt0Py6uFwfLv+WLKAUbeGnPqK9d\ndL3wXN9BQs0hJA6IZNFyz2F/gSTURrD1zWW2na3ipRzhupW5+98=\n-----END CERTIFICATE-----\n"
csr: "-----BEGIN CERTIFICATE REQUEST-----\nMIICYjCCAcugAwIBAgIBADANBgkqhkiG9w0BAQ0FADBNMQswCQYDVQQGEwJ1czEO\nMAwGA1UECAwFVGV4YXMxFjAUBgNVBAoMDVJlZ2lzdHJ5IHRlc3QxFjAUBgNVBAMM\nDXJlZ2lzdHJ5LnRlc3QwIBcNMjAwNTA1MTIzNzQxWhgPMjEyMDA0MTExMjM3NDFa\nME0xCzAJBgNVBAYTAnVzMQ4wDAYDVQQIDAVUZXhhczEWMBQGA1UECgwNUmVnaXN0\ncnkgdGVzdDEWMBQGA1UEAwwNcmVnaXN0cnkudGVzdDCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAyn+GCkUJIhdXVBOPrZH+Zj2B/tQfL5TLZwVYZQt38x6GQT+4\n6ndty467IJvKSUlHej7uMpsCzC8Ffmda4cZm16jO1vUb4hXIrmeKP84zLrrUpKag\ngZR4rBDbG2+uL4SzMyy3yeQysYuTiQ4N1i4vdhvkKYPSWIht/QFvuzdFq+0CAwEA\nAaNQME4wHQYDVR0OBBYEFD6B5j6NnMCDBnfbtjBYKBJM7sCRMB8GA1UdIwQYMBaA\nFD6B5j6NnMCDBnfbtjBYKBJM7sCRMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEN\nBQADgYEArtCR6VOabD3nM/KlZTmHMZVT4ntenYlNTM9FS0RatzPmdh4REhykvmZs\nOlBcpoV5tN5Y8bHOVRqY9V2e903QEhQgoccQhbt0Py6uFwfLv+WLKAUbeGnPqK9d\ndL3wXN9BQs0hJA6IZNFyz2F/gSTURrD1zWW2na3ipRzhupW5+98=\n-----END CERTIFICATE REQUEST-----\n"
md5: e6771ed5dc857a1dbcc1e0a36baa1fee
interface: registrar
revoked: false
expires_at: <%= 1.year.from_now %>

1056
test/models/certificate_test.rb
View file

File diff suppressed because it is too large Load diff

345
test/services/certificates/certificate_generator_test.rb
View file

@ -3,60 +3,319 @@ require 'test_helper'
module Certificates
class CertificateGeneratorTest < ActiveSupport::TestCase
setup do
@certificate = certificates(:api)
@generator = CertificateGenerator.new(
username: "test_user",
registrar_code: "REG123",
registrar_name: "Test Registrar"
@generator = Certificates::CertificateGenerator.new(
username: 'test_user',
registrar_code: '1234',
registrar_name: 'Test Registrar',
interface: 'api'
)
end
def test_generates_new_certificate
result = @generator.call
## Тесты для публичных методов
assert result[:private_key].present?
assert result[:csr].present?
assert result[:crt].present?
assert result[:p12].present?
assert result[:expires_at].present?
assert_instance_of String, result[:private_key]
assert_instance_of String, result[:csr]
assert_instance_of String, result[:crt]
assert_instance_of String, result[:p12]
assert_instance_of Time, result[:expires_at]
end
def test_uses_existing_csr_and_private_key
existing_csr = @certificate.csr
existing_private_key = "existing_private_key"
@certificate.update!(private_key: existing_private_key)
result = @generator.call
assert result[:csr].present?
assert result[:private_key].present?
assert_not_equal existing_csr, result[:csr]
assert_not_equal existing_private_key, result[:private_key]
end
def test_renew_certificate
@certificate.update!(
expires_at: 20.days.from_now
test "call генерирует CSR, ключ, сертификат и P12, если user_csr не передан" do
generator = Certificates::CertificateGenerator.new(
username: "test_user",
registrar_code: "1234",
registrar_name: "Test Registrar",
interface: "api"
)
generator = CertificateGenerator.new(
# Мокаем файловые операции, чтобы избежать ошибок
mock_file = Minitest::Mock.new
mock_file.expect :write, true, [String] # Для ключа, CSR, CRT, P12
File.stub :open, ->(path, mode) { mock_file } do
result = generator.call
assert_instance_of String, result[:private_key], "Приватный ключ должен быть строкой"
assert_instance_of String, result[:csr], "CSR должен быть строкой PEM"
assert_instance_of String, result[:crt], "Сертификат должен быть строкой PEM"
assert_instance_of String, result[:p12], "P12 должен быть строкой DER"
assert_not_nil result[:expires_at], "Дата истечения должна быть установлена"
end
end
test "call использует переданный user_csr и не создает ключ и P12" do
# Создаем ключ и корректный CSR
key = OpenSSL::PKey::RSA.new(2048)
user_csr = OpenSSL::X509::Request.new
user_csr.version = 0
user_csr.subject = OpenSSL::X509::Name.new([["CN", "test_user"]])
user_csr.public_key = key.public_key
user_csr.sign(key, OpenSSL::Digest::SHA256.new)
user_csr_pem = user_csr.to_pem
generator = Certificates::CertificateGenerator.new(
username: "test_user",
registrar_code: "REG123",
registrar_name: "Test Registrar"
registrar_code: "1234",
registrar_name: "Test Registrar",
user_csr: user_csr_pem,
interface: "api"
)
result = generator.call
assert result[:crt].present?
assert result[:expires_at] > Time.current
assert_instance_of String, result[:crt]
assert_instance_of Time, result[:expires_at]
assert_nil result[:private_key], "Приватный ключ не должен генерироваться"
assert_nil result[:p12], "P12 не должен создаваться"
assert_equal user_csr_pem, result[:csr], "CSR должен соответствовать переданному"
assert_not_nil result[:crt], "Сертификат должен быть создан"
assert_not_nil result[:expires_at], "Дата истечения должна быть установлена"
end
test "renew_certificate обновляет сертификат существующего пользователя" do
# Создаем мок-объект существующего сертификата
certificate = Certificate.new
certificate.interface = 'api'
generator = Certificates::CertificateGenerator.new(
username: "test_user",
registrar_code: "1234",
registrar_name: "Test Registrar",
certificate: certificate,
interface: "api"
)
mock_file = Minitest::Mock.new
mock_file.expect :write, true, [String] # Для файловых операций
File.stub :open, ->(path, mode) { mock_file } do
result = generator.renew_certificate
assert_instance_of String, result[:crt], "Сертификат должен быть создан"
assert_not_nil result[:expires_at], "Дата истечения должна быть установлена"
end
end
test "renew_certificate вызывает исключение, если сертификат не передан" do
generator = Certificates::CertificateGenerator.new(
username: "test_user",
registrar_code: "1234",
registrar_name: "Test Registrar",
interface: "api"
)
assert_raises(RuntimeError, "Certificate must be provided for renewal") do
generator.renew_certificate
end
end
test "renew_certificate с переданным CSR использует этот CSR" do
# Создаем ключ и корректный CSR
key = OpenSSL::PKey::RSA.new(2048)
user_csr = OpenSSL::X509::Request.new
user_csr.version = 0
user_csr.subject = OpenSSL::X509::Name.new([["CN", "test_user"]])
user_csr.public_key = key.public_key
user_csr.sign(key, OpenSSL::Digest::SHA256.new)
user_csr_pem = user_csr.to_pem
# Создаем мок-объект существующего сертификата
certificate = Certificate.new
certificate.interface = 'api'
generator = Certificates::CertificateGenerator.new(
username: "test_user",
registrar_code: "1234",
registrar_name: "Test Registrar",
certificate: certificate,
user_csr: user_csr_pem,
interface: "api"
)
result = generator.renew_certificate
assert_nil result[:private_key], "Приватный ключ не должен генерироваться"
assert_nil result[:p12], "P12 не должен создаваться"
assert_equal user_csr_pem, result[:csr], "CSR должен соответствовать переданному"
assert_not_nil result[:crt], "Сертификат должен быть создан"
end
## Тесты для приватных методов
test "generate_from_csr создает сертификат из CSR без ключа и P12" do
# Создаем ключ и корректный CSR
key = OpenSSL::PKey::RSA.new(2048)
user_csr = OpenSSL::X509::Request.new
user_csr.version = 0
user_csr.subject = OpenSSL::X509::Name.new([["CN", "test_user"]])
user_csr.public_key = key.public_key
user_csr.sign(key, OpenSSL::Digest::SHA256.new)
user_csr_pem = user_csr.to_pem
generator = Certificates::CertificateGenerator.new(
username: "test_user",
registrar_code: "1234",
registrar_name: "Test Registrar",
user_csr: user_csr_pem,
interface: "api"
)
result = generator.send(:generate_from_csr)
assert_nil result[:private_key], "Приватный ключ не должен генерироваться"
assert_nil result[:p12], "P12 не должен создаваться"
assert_instance_of String, result[:csr], "CSR должен быть строкой PEM"
assert_instance_of String, result[:crt], "Сертификат должен быть строкой PEM"
assert_not_nil result[:expires_at], "Дата истечения должна быть установлена"
end
test "generate_new_certificate создает новый ключ, CSR, сертификат и P12" do
mock_file = Minitest::Mock.new
mock_file.expect :write, true, [String] # Для файловых операций
File.stub :open, ->(path, mode) { mock_file } do
result = @generator.send(:generate_new_certificate)
assert_instance_of String, result[:private_key], "Приватный ключ должен быть строкой"
assert_instance_of String, result[:csr], "CSR должен быть строкой PEM"
assert_instance_of String, result[:crt], "Сертификат должен быть строкой PEM"
assert_instance_of String, result[:p12], "P12 должен быть строкой DER"
assert_not_nil result[:expires_at], "Дата истечения должна быть установлена"
end
end
test "generate_csr_and_key создает CSR и ключ" do
rsa_key = OpenSSL::PKey::RSA.new(4096)
csr = OpenSSL::X509::Request.new
OpenSSL::PKey::RSA.stub :new, rsa_key do
OpenSSL::X509::Request.stub :new, csr do
generated_csr, generated_key = @generator.send(:generate_csr_and_key)
assert_equal csr, generated_csr, "CSR должен быть сгенерирован"
assert_equal rsa_key, generated_key, "Ключ должен быть сгенерирован"
end
end
end
test "sign_certificate подписывает CSR с использованием CA" do
key = OpenSSL::PKey::RSA.new(2048)
csr = OpenSSL::X509::Request.new
csr.version = 0
csr.subject = OpenSSL::X509::Name.new([["CN", "test_user"]])
csr.public_key = key.public_key
csr.sign(key, OpenSSL::Digest::SHA256.new)
generator = Certificates::CertificateGenerator.new(
username: "test_user",
registrar_code: "1234",
registrar_name: "Test Registrar",
interface: "api"
)
# Мокаем файловые операции для сохранения сертификата
mock_file = Minitest::Mock.new
mock_file.expect :write, true, [String]
File.stub :open, ->(path, mode) { mock_file } do
cert = generator.send(:sign_certificate, csr)
assert_instance_of OpenSSL::X509::Certificate, cert, "Должен вернуться сертификат"
assert_equal csr.subject.to_s, cert.subject.to_s, "Субъект должен совпадать"
end
end
test "create_p12 создает PKCS12 с ключом и сертификатом" do
key = OpenSSL::PKey::RSA.new(2048)
cert = OpenSSL::X509::Certificate.new
ca_cert = OpenSSL::X509::Certificate.new
p12 = OpenSSL::PKCS12.new
File.stub :read, ca_cert.to_pem do
OpenSSL::X509::Certificate.stub :new, ca_cert do
OpenSSL::PKCS12.stub :create, p12 do
result = @generator.send(:create_p12, key, cert)
assert_equal p12, result, "PKCS12 должен быть создан"
end
end
end
end
test "ensure_directories_exist создает необходимые директории" do
FileUtils.stub :mkdir_p, true do
FileUtils.stub :chmod, true do
assert_nothing_raised do
@generator.send(:ensure_directories_exist)
end
end
end
end
test "ensure_ca_exists проверяет наличие CA файлов и логирует предупреждение" do
Rails.logger.expects(:warn).at_least_once
# Мокаем отсутствие CA файлов
File.stub :exist?, false do
# Вызываем приватный метод
@generator.send(:ensure_ca_exists)
end
end
test "ensure_crl_exists создает CRL, если он отсутствует" do
# Создаем мок-объект для файла
mock_file = Minitest::Mock.new
mock_file.expect :write, true, [String] # Ожидаем вызов write с аргументом типа String
# Мокаем File.open, чтобы он возвращал наш мок-объект
File.stub :open, ->(path, mode) { mock_file } do
# Мокаем отсутствие CRL файла
File.stub :exist?, false do
# Мокаем существование CA сертификата и ключа, если они нужны для логики
File.stub :exist?, true, [Certificates::CertificateGenerator::CA_CERT_PATHS['api']] do
File.stub :exist?, true, [Certificates::CertificateGenerator::CA_KEY_PATHS['api']] do
# Создаем экземпляр класса
generator = Certificates::CertificateGenerator.new(
username: "test_user",
registrar_code: "1234",
registrar_name: "Test Registrar",
interface: "api"
)
# Вызываем приватный метод
generator.send(:ensure_crl_exists)
end
end
end
end
# Проверяем, что все ожидаемые вызовы были выполнены
mock_file.verify
end
test "generate_unique_serial возвращает уникальный серийный номер" do
serial1 = @generator.send(:generate_unique_serial)
serial2 = @generator.send(:generate_unique_serial)
assert_not_equal serial1, serial2, "Серийные номера должны быть уникальными"
assert_instance_of Integer, serial1, "Серийный номер должен быть числом"
end
test "save_private_key сохраняет зашифрованный ключ" do
key = OpenSSL::PKey::RSA.new(2048)
encrypted_key = key.export(OpenSSL::Cipher.new('AES-256-CBC'), Certificates::CertificateGenerator::CA_PASSWORD)
File.stub :write, true do
FileUtils.stub :chmod, true do
assert_nothing_raised do
@generator.send(:save_private_key, encrypted_key)
end
end
end
end
test "save_csr сохраняет CSR" do
csr = OpenSSL::X509::Request.new
File.stub :write, true do
assert_nothing_raised do
@generator.send(:save_csr, csr)
end
end
end
test "save_certificate сохраняет сертификат" do
cert = OpenSSL::X509::Certificate.new
File.stub :write, true do
assert_nothing_raised do
@generator.send(:save_certificate, cert)
end
end
end
end
end