From b4ce615ca09e694b24f3bcdf5be68a29da831576 Mon Sep 17 00:00:00 2001
From: Andreas Granig
Date: Tue, 21 Mar 2017 15:27:30 +0100
Subject: [PATCH] TT#13249 Fix api client ssl cert test
Change-Id: Ie0d4541cb2f1fa15c0211a7f761150cddf732ea1
---
 t/api-rest/api-cert-auth.t | 116 +++++++++----------------------------
 1 file changed, 27 insertions(+), 89 deletions(-)
diff --git a/t/api-rest/api-cert-auth.t b/t/api-rest/api-cert-auth.t
index 10659ded6a..1049390b08 100644
--- a/t/api-rest/api-cert-auth.t
+++ b/t/api-rest/api-cert-auth.t
@@ -5,125 +5,63 @@ use Net::Domain qw(hostfqdn); use LWP::UserAgent; use Test::More; use File::Temp qw/tempfile/; +use Test::Collection; -#use IO::Socket::SSL; -#$IO::Socket::SSL::DEBUG = 1; - +my $certpath = '/tmp/apicert.pem'; my $uri = $ENV{CATALYST_SERVER} || ('https://'.hostfqdn.':4443'); #docker: CATALYST_SERVER=https://10.15.20.104:1443 perl t/api-rest/api-cert-auth.t -my $valid_ssl_client_cert = $ENV{API_SSL_CLIENT_CERT}; -my $valid_ssl_client_key = $ENV{API_SSL_CLIENT_KEY} || - $valid_ssl_client_cert; - -my $invalid_ssl_client_cert = $ENV{API_SSL_INVALID_CLIENT_CERT}; -my $invalid_ssl_client_key = $ENV{API_SSL_INVALID_CLIENT_KEY} || - $invalid_ssl_client_cert; - -my $unauth_ssl_client_cert = $ENV{API_SSL_UNAUTH_CLIENT_CERT}; -my $unauth_ssl_client_key = $ENV{API_SSL_UNAUTH_CLIENT_KEY} || - $unauth_ssl_client_cert; - -my $ssl_ca_cert = $ENV{API_SSL_CA_CERT}; +-f $certpath && unlink $certpath; -unless ($valid_ssl_client_cert && $ssl_ca_cert) { - ($valid_ssl_client_cert, $ssl_ca_cert) = _download_certs($uri); - $valid_ssl_client_key = $valid_ssl_client_cert; -} -my $ca_verify_error = _verify_ca($uri); +my ($invalid_ssl_client_cert, $valid_ssl_client_cert) = _download_certs($uri); my ($ua, $res); $ua = LWP::UserAgent->new; SKIP: { - unless ( $invalid_ssl_client_cert && (-e $invalid_ssl_client_cert) ) { - skip ("Skip Invalid client certificate, we have none", 1); - } # invalid cert $ua->ssl_opts( SSL_cert_file => $invalid_ssl_client_cert, - SSL_key_file => $invalid_ssl_client_key, - SSL_ca_file => $ssl_ca_cert, + SSL_key_file => $invalid_ssl_client_cert, + SSL_verify_mode => 0, + verify_hostname => 0, ); - $res = $ua->get($uri.'/api/'); - is($res->code, 400, "check invalid client certificate") + $res = $ua->head($uri.'/api/'); + is($res->code, 403, "check invalid client certificate") || note ($res->message); } SKIP: { - unless ( $unauth_ssl_client_cert && (-e $unauth_ssl_client_cert) ) { - skip ("Skip unauthorized client certificate, we have none", 1); - } - # 
unauth cert $ua->ssl_opts( - SSL_cert_file => $unauth_ssl_client_cert, - SSL_key_file => $unauth_ssl_client_key, - SSL_ca_file => $ssl_ca_cert, + SSL_cert_file => $valid_ssl_client_cert, + SSL_key_file => $valid_ssl_client_cert, + SSL_verify_mode => 0, + verify_hostname => 0, ); - $res = $ua->get($uri.'/api/'); - is($res->code, 403, "check unauthorized client certificate") + $res = $ua->head($uri.'/api/'); + is($res->code, 200, "check valid client certificate") || note ($res->message); } -# successful auth -SKIP: { - if($ca_verify_error){ - skip ("Skip valid certificate test: CA has errors: $ca_verify_error", 1); - }else{ - $ua->ssl_opts( - SSL_cert_file => $valid_ssl_client_cert, - SSL_key_file => $valid_ssl_client_key, - SSL_verify_mode => 0, - verify_hostname => 0, - ); - $res = $ua->get($uri.'/api/'); - is($res->code, 200, "check valid client certificate") - || note ($res->message); - } -} - -#my @links = $res->header('Link'); -#ok(grep /^<\/api\/contacts\/>; rel="collection /, @links); -#ok(grep /^<\/api\/contracts\/>; rel="collection /, @links); +# just to generate a new cert on file system cache: +$ua = Test::Collection->new()->ua(); done_testing; -sub _prepare_ua { - my ($uri) = @_; - my ($ua, $req, $res); - $ua = LWP::UserAgent->new(cookie_jar => {}, ssl_opts => {verify_hostname => 0, SSL_verify_mode => 0}); - $res = $ua->post($uri.'/login/admin', {username => 'administrator', password => 'administrator'}, 'Referer' => $uri.'/login/admin'); - $res = $ua->get($uri.'/dashboard/'); - return $ua; -} - sub _download_certs { my ($uri) = @_; my ($ua, $req, $res); - $ua = _prepare_ua($uri); - $res = $ua->get($uri.'/administrator/1/api_key'); - if ($res->decoded_content =~ m/gen\.generate/) { # key need to be generated first - $res = $ua->post($uri.'/administrator/1/api_key', {'gen.generate' => 'foo'}, 'Referer' => $uri.'/dashboard'); - } - my (undef, $tmp_apiclient_filename) = tempfile; - my (undef, $tmp_apica_filename) = tempfile; - $res = 
$ua->post($uri.'/administrator/1/api_key', {'pem.download' => 'foo'}, 'Referer' => $uri.'/dashboard', ':content_file' => $tmp_apiclient_filename); - $res = $ua->post($uri.'/administrator/1/api_key', {'ca.download' => 'foo'}, 'Referer' => $uri.'/dashboard', ':content_file' => $tmp_apica_filename); - diag ("Client cert: $tmp_apiclient_filename - CA cert: $tmp_apica_filename\n"); - return ($tmp_apiclient_filename, $tmp_apica_filename); -} -sub _verify_ca { - my ($uri) = @_; - my ($ua, $req, $res); - $ua = _prepare_ua($uri); - $res = $ua->get($uri.'/administrator/1/api_key?ca.verify=1', 'Referer' => $uri.'/dashboard'); - my $content = $res->decoded_content; - if($content !~ /CA certificate is OK/i){ - (my ($error)) = $res->decoded_content =~/
(.*?)<\/div>/ism; - return $error; - } - return; + my $invalid_cert = '/tmp/invalidcert.pem'; + my $valid_cert = '/tmp/validcert.pem'; + + -f $invalid_cert && unlink $invalid_cert; + -f $valid_cert && unlink $valid_cert; + $ua = Test::Collection->new()->ua(); + rename $certpath, $invalid_cert; + $ua = Test::Collection->new()->ua(); + rename $certpath, $valid_cert; + return ($invalid_cert, $valid_cert); } # vim: set tabstop=4 expandtab:
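Review bot: The new `_download_certs` keeps the client certificate at fixed names in `/tmp` (`/tmp/invalidcert.pem`, `/tmp/validcert.pem`), where the removed code used `tempfile`; the same file is passed as `SSL_key_file`, so it presumably holds the private key as well. A predictable name in a world-writable directory can be pre-created or symlinked by another local user on a shared host, and nothing removes the copies after the run. A private directory at file scope, `my $dir = File::Temp::tempdir(DIR => '/tmp', CLEANUP => 1);` with `my $valid_cert = "$dir/validcert.pem";`, would avoid both; `$certpath` itself appears to be dictated by `Test::Collection`, which is not visible here. Both `rename` calls are also unchecked, so if `$certpath` was never written the tests fail later with an unrelated TLS error; `rename $certpath, $invalid_cert or die "rename $certpath: $!";` would report the real cause. The test appears to rely on the second `Test::Collection->new()->ua()` call invalidating the first certificate, and a one-line comment saying so above the first `rename` would help the next reader.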