diff options
-rw-r--r-- | cloudinit/CloudConfig/cc_ca_certs.py | 9 | ||||
-rw-r--r-- | tests/unittests/test_handler_ca_certs.py | 93 |
2 files changed, 95 insertions, 7 deletions
diff --git a/cloudinit/CloudConfig/cc_ca_certs.py b/cloudinit/CloudConfig/cc_ca_certs.py index 07074e2f..a51dbe9f 100644 --- a/cloudinit/CloudConfig/cc_ca_certs.py +++ b/cloudinit/CloudConfig/cc_ca_certs.py @@ -56,6 +56,12 @@ def add_ca_certs(certs): cert_file_contents = "\n".join(certs) write_file(CERT_FILENAME, cert_file_contents, "root", "root", "644") +def remove_default_ca_certs(): + """ + Removes all default trusted CA certificates from the system. + """ + raise NotImplementedError() + def handle(name, cfg, cloud, log, args): """ Call to handle ca-cert sections in cloud-config file. @@ -71,6 +77,9 @@ def handle(name, cfg, cloud, log, args): return ca_cert_cfg = cfg['ca-certs'] + if ca_cert_cfg.get("remove-defaults", False): + remove_default_ca_certs() + # set the validation key based on the presence of either 'validation_key' # or 'validation_cert'. In the case where both exist, 'validation_key' # takes precedence diff --git a/tests/unittests/test_handler_ca_certs.py b/tests/unittests/test_handler_ca_certs.py index 7c0197ed..08126d19 100644 --- a/tests/unittests/test_handler_ca_certs.py +++ b/tests/unittests/test_handler_ca_certs.py @@ -1,7 +1,8 @@ from unittest import TestCase from mocker import MockerTestCase -from cloudinit.CloudConfig.cc_ca_certs import handle, write_file, update_ca_certs, add_ca_certs +from cloudinit.CloudConfig.cc_ca_certs import handle, write_file, update_ca_certs, add_ca_certs, remove_default_ca_certs + class TestNoConfig(MockerTestCase): def setUp(self): @@ -32,16 +33,82 @@ class TestConfig(MockerTestCase): self.log = None self.args = [] - # The config option is present for all these tests so - # update_ca_certs should always be called. - mock = self.mocker.replace(update_ca_certs, passthrough=False) - mock() + # Mock out the functions that actually modify the system + self.mock_add = self.mocker.replace(add_ca_certs, passthrough=False) + self.mock_update = self.mocker.replace(update_ca_certs, passthrough=False) + self.mock_remove = self.mocker.replace(remove_default_ca_certs, passthrough=False) + # Order must be correct + self.mocker.order() def test_no_trusted_list(self): - """Test that no certificate are written if not provided.""" + """ + Test that no certificates are written if the 'trusted' key is not + present. + """ config = {"ca-certs": {}} - mock = self.mocker.replace(write_file, passthrough=False) + # No functions should be called + self.mock_update() + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_empty_trusted_list(self): + """Test that no certificate are written if 'trusted' list is empty""" + config = {"ca-certs": {"trusted": []}} + + # No functions should be called + self.mock_update() + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_single_trusted(self): + """Test that a single cert gets passed to add_ca_certs""" + config = {"ca-certs": {"trusted": ["CERT1"]}} + + self.mock_add(["CERT1"]) + self.mock_update() + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_multiple_trusted(self): + """Test that multiple certs get passed to add_ca_certs""" + config = {"ca-certs": {"trusted": ["CERT1", "CERT2"]}} + + self.mock_add(["CERT1", "CERT2"]) + self.mock_update() + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_remove_default_ca_certs(self): + """Test remove_defaults works as expected""" + config = {"ca-certs": {"remove-defaults": True}} + + self.mock_remove() + self.mock_update() + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_no_remove_defaults_if_false(self): + """Test remove_defaults is not called when config value is False""" + config = {"ca-certs": {"remove-defaults": False}} + + self.mock_update() + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_correct_order_for_remove_then_add(self): + """Test remove_defaults is not called when config value is False""" + config = {"ca-certs": {"remove-defaults": True, "trusted": ["CERT1"]}} + + self.mock_remove() + self.mock_add(["CERT1"]) + self.mock_update() self.mocker.replay() handle(self.name, config, self.cloud_init, self.log, self.args) @@ -78,6 +145,7 @@ class TestAddCaCerts(MockerTestCase): add_ca_certs(certs) + class TestUpdateCaCerts(MockerTestCase): def test_commands(self): mock_check_call = self.mocker.replace("subprocess.check_call", @@ -87,3 +155,14 @@ class TestUpdateCaCerts(MockerTestCase): self.mocker.replay() update_ca_certs() + + +#class TestRemoveDefaultCaCerts(MockerTestCase): +# def test_commands(self): +# mock_check_call = self.mocker.replace("subprocess.check_call", +# passthrough=False) +# mock_check_call(["dpkg-reconfigure", "ca-certificates"]) +# mock_check_call(["update-ca-certificates"]) +# self.mocker.replay() +# +# update_ca_certs() |