Venafi
diff --git a/‎tests/test_pm.py‎
Lines changed: 349 additions & 15 deletions b/‎tests/test_pm.py‎
Lines changed: 349 additions & 15 deletions
@@ -14,19 +14,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-import os
 import unittest
 from pprint import pformat
 
-from test_env import (TPP_TOKEN_URL, CLOUD_APIKEY, CLOUD_URL, TPP_PM_ROOT, CLOUD_ENTRUST_CA_NAME,CLOUD_DIGICERT_CA_NAME,
-                      TPP_CA_NAME, TPP_USER, TPP_PASSWORD)
+from test_env import (TPP_TOKEN_URL, CLOUD_APIKEY, CLOUD_URL, TPP_PM_ROOT, CLOUD_ENTRUST_CA_NAME,
+                      CLOUD_DIGICERT_CA_NAME, TPP_CA_NAME, TPP_USER, TPP_PASSWORD)
 from test_utils import timestamp
-from vcert import TPPTokenConnection, CloudConnection, Authentication, SCOPE_PM, logger
+from vcert import TPPTokenConnection, CloudConnection, Authentication, SCOPE_PM, logger, VenafiError
 from vcert.parser import json_parser, yaml_parser
 from vcert.parser.utils import parse_policy_spec
 from vcert.policy import (Policy, Subject, KeyPair, SubjectAltNames, Defaults, DefaultSubject, DefaultKeyPair,
                           PolicySpecification)
-from vcert.policy.pm_cloud import CA_TYPE_DIGICERT, CA_TYPE_ENTRUST
+from vcert.policy.pm_cloud import (CA_TYPE_DIGICERT, CA_TYPE_ENTRUST, validate_policy_spec as validate_ps_vaas,
+                                   get_ca_info, default_error_msg)
+from vcert.policy.pm_tpp import (is_service_generated_csr, validate_policy_spec as validate_ps_tpp, no_match_error_msg,
+                                 too_many_error_msg, unsupported_error_msg, supported_key_types,
+                                 supported_rsa_key_sizes, supported_elliptic_curves)
 
 # This values are loaded from the project root which is vcert-python, not tests folder
 POLICY_SPEC_JSON = './tests/resources/policy_specification.json'
@@ -171,6 +174,347 @@ def _get_random_zone():
         return _get_zone()
 
 
+class TestLocalMethods(unittest.TestCase):
+    def test_exceptions_tpp(self):
+        try:
+            is_service_generated_csr("")
+        except VenafiError as err:
+            self.assertEqual(err.args[0], "csr generation value cannot be empty")
+
+        ps = PolicySpecification(policy=Policy(), defaults=Defaults())
+        ps.policy.auto_installed = True
+        ps.defaults.auto_installed = False
+
+        # Testing Subject structure
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            self.assertEqual(err.args[0], "Subject structure is empty")
+
+        s = Subject(orgs=["foo", "bar"],
+                    org_units=["QA Venafi"],
+                    localities=["foo", "bar"],
+                    states=["foo", "bar"],
+                    countries=["foo", "bar"])
+        ps.policy.subject = s
+
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            self.assertEqual(err.args[0], too_many_error_msg.format('organizations'))
+        ps.policy.subject.orgs = ["Venafi"]
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            self.assertEqual(err.args[0], too_many_error_msg.format('localities'))
+        ps.policy.subject.localities = ["Salt Lake City"]
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            self.assertEqual(err.args[0], too_many_error_msg.format('states'))
+        ps.policy.subject.states = ["Utah"]
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            self.assertEqual(err.args[0], too_many_error_msg.format('countries'))
+        ps.policy.subject.countries = ["USA"]
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            self.assertEqual(err.args[0], "country code [USA] does not match ISO Alpha-2 specification")
+        ps.policy.subject.countries = ["US"]
+
+        # Testing KeyPair object
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            self.assertEqual(err.args[0], "Key Pair structure is empty")
+
+        kp = KeyPair(key_types=["foo", "bar"],
+                     rsa_key_sizes=[123, 456],
+                     elliptic_curves=["foo", "bar"],
+                     service_generated=False)
+        ps.policy.key_pair = kp
+
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            self.assertEqual(err.args[0], too_many_error_msg.format('key types'))
+        ps.policy.key_pair.key_types = ["foo"]
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            msg = unsupported_error_msg.format('key types', supported_key_types, kp.key_types)
+            self.assertEqual(err.args[0], msg)
+        ps.policy.key_pair.key_types = ["RSA"]
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            self.assertEqual(err.args[0], too_many_error_msg.format('key bit strength'))
+        ps.policy.key_pair.rsa_key_sizes = [256]
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            msg = unsupported_error_msg.format('key bit strength', supported_rsa_key_sizes, kp.rsa_key_sizes)
+            self.assertEqual(err.args[0], msg)
+        ps.policy.key_pair.rsa_key_sizes = [4096]
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            self.assertEqual(err.args[0], too_many_error_msg.format('elliptic curve'))
+        ps.policy.key_pair.elliptic_curves = ["foo"]
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            msg = unsupported_error_msg.format('elliptic curve', supported_elliptic_curves, kp.elliptic_curves)
+            self.assertEqual(err.args[0], msg)
+        ps.policy.key_pair.elliptic_curves = ["P521"]
+
+        # Testing DefaultSubject structure
+        ds = DefaultSubject(org="Foo",
+                            org_units=["foo", "bar"],
+                            locality="foo",
+                            state="foo",
+                            country="foo")
+        ps.defaults.subject = ds
+
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            msg = no_match_error_msg.format('organizations', ds.org, s.orgs[0])
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.subject.org = s.orgs[0]
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            msg = no_match_error_msg.format('orgUnits', ds.org_units[0], s.org_units[0])
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.subject.org_units = s.org_units
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            msg = no_match_error_msg.format('localities', ds.locality, s.localities[0])
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.subject.locality = s.localities[0]
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            msg = no_match_error_msg.format('states', ds.state, s.states[0])
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.subject.state = s.states[0]
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            msg = no_match_error_msg.format('countries', ds.country, s.countries[0])
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.subject.country = s.countries[0]
+
+        # Testing DefaultKeyPair against Policy KeyPair
+        dkp = DefaultKeyPair(key_type="foo",
+                             rsa_key_size=256,
+                             elliptic_curve="foo",
+                             service_generated=True)
+        ps.defaults.key_pair = dkp
+
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            msg = no_match_error_msg.format('key types', dkp.key_type, kp.key_types[0])
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.key_pair.key_type = kp.key_types[0]
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            msg = no_match_error_msg.format('rsa key sizes', dkp.rsa_key_size, kp.rsa_key_sizes[0])
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.key_pair.rsa_key_size = kp.rsa_key_sizes[0]
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            msg = no_match_error_msg.format('elliptic curves', dkp.elliptic_curve, kp.elliptic_curves[0])
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.key_pair.elliptic_curve = kp.elliptic_curves[0]
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            msg = no_match_error_msg.format('generation type', dkp.service_generated, kp.service_generated)
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.key_pair.service_generated = kp.service_generated
+
+        # Testing DefaultKeyPair
+        dkp2 = DefaultKeyPair(key_type="foo",
+                              rsa_key_size=256,
+                              elliptic_curve="foo",
+                              service_generated=False)
+        ps.policy = None
+        ps.defaults.key_pair = dkp2
+
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            msg = unsupported_error_msg.format('key type', supported_key_types, dkp2.key_type)
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.key_pair.key_type = "RSA"
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            msg = unsupported_error_msg.format('rsa key size', supported_rsa_key_sizes, dkp2.rsa_key_size)
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.key_pair.rsa_key_size = 4096
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            msg = unsupported_error_msg.format('elliptic curve', supported_elliptic_curves, dkp2.elliptic_curve)
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.key_pair.elliptic_curve = "P521"
+
+        # Testing autoinstalled option
+        ps.policy = Policy(subject=s, key_pair=kp, auto_installed=True)
+        try:
+            validate_ps_tpp(ps)
+        except VenafiError as err:
+            self.assertEqual(err.args[0], no_match_error_msg.format('autoinstalled', False, True))
+        ps.defaults.auto_installed = True
+
+    def test_exceptions_vaas(self):
+        try:
+            get_ca_info("foo\\bar")
+        except VenafiError as err:
+            self.assertEqual(err.args[0], f"Certificate Authority name invalid [foo\\bar]")
+
+        ps = PolicySpecification(policy=Policy(), defaults=Defaults())
+        kp = KeyPair(key_types=["foo", "bar"],
+                     rsa_key_sizes=[256],
+                     elliptic_curves=["asd"],
+                     service_generated=True)
+        ps.policy.key_pair = kp
+        ps.policy.subject_alt_names = SubjectAltNames(dns_allowed=True,  email_allowed=True)
+        s = Subject(orgs=["Venafi"],
+                    org_units=["QA Venafi"],
+                    localities=["Salt Lake City"],
+                    states=["Utah"],
+                    countries=["US"])
+        ps.policy.subject = s
+        ds = DefaultSubject(org="Foo",
+                            org_units=["Bar"],
+                            locality="Kwan",
+                            state="Merida",
+                            country="MX")
+        ps.defaults.subject = ds
+        dkp = DefaultKeyPair(key_type="foo",
+                             rsa_key_size=256,
+                             elliptic_curve="bar",
+                             service_generated=False)
+        ps.defaults.key_pair = dkp
+
+        # validate key pair values
+        try:
+            validate_ps_vaas(ps)
+        except VenafiError as err:
+            msg = "Key Type values exceeded. Only one Key Type is allowed by VaaS"
+            self.assertEqual(err.args[0], msg)
+        ps.policy.key_pair.key_types = ["foo"]
+        try:
+            validate_ps_vaas(ps)
+        except VenafiError as err:
+            msg = f"Key Type [{ps.policy.key_pair.key_types[0]}] is not supported by VaaS"
+            self.assertEqual(err.args[0], msg)
+        ps.policy.key_pair.key_types = ["RSA"]
+        try:
+            validate_ps_vaas(ps)
+        except VenafiError as err:
+            msg = f"The Key Size [{256}] is not supported by VaaS"
+            self.assertEqual(err.args[0], msg)
+        ps.policy.key_pair.rsa_key_sizes = [4096]
+
+        # validate subject CN and SAN regexes
+        try:
+            validate_ps_vaas(ps)
+        except VenafiError as err:
+            msg = "Subject Alt name [SubjAltNameEmailAllowed] is not allowed by VaaS"
+            self.assertEqual(err.args[0], msg)
+        ps.policy.subject_alt_names.email_allowed = False
+
+        # validate default subject values against policy values
+        try:
+            validate_ps_vaas(ps)
+        except VenafiError as err:
+            msg = default_error_msg.format('Organization', ds.org, s.orgs)
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.subject.org = s.orgs[0]
+        try:
+            validate_ps_vaas(ps)
+        except VenafiError as err:
+            msg = default_error_msg.format('Org Units', ds.org_units, s.org_units)
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.subject.org_units = s.org_units
+        try:
+            validate_ps_vaas(ps)
+        except VenafiError as err:
+            msg = default_error_msg.format('Localities', ds.locality, s.localities)
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.subject.locality = s.localities[0]
+        try:
+            validate_ps_vaas(ps)
+        except VenafiError as err:
+            msg = default_error_msg.format('States', ds.state, s.states)
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.subject.state = s.states[0]
+        try:
+            validate_ps_vaas(ps)
+        except VenafiError as err:
+            msg = default_error_msg.format('Countries', ds.country, s.countries)
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.subject.country = s.countries[0]
+
+        # validate default key pair values against policy values
+        try:
+            validate_ps_vaas(ps)
+        except VenafiError as err:
+            msg = default_error_msg.format('Key Types', dkp.key_type, kp.key_types)
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.key_pair.key_type = kp.key_types[0]
+        try:
+            validate_ps_vaas(ps)
+        except VenafiError as err:
+            msg = default_error_msg.format('RSA Key Sizes', dkp.rsa_key_size, kp.rsa_key_sizes)
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.key_pair.rsa_key_size = kp.rsa_key_sizes[0]
+        try:
+            validate_ps_vaas(ps)
+        except VenafiError as err:
+            msg = default_error_msg.format('Elliptic Curves', dkp.elliptic_curve, kp.elliptic_curves)
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.key_pair.elliptic_curve = kp.elliptic_curves[0]
+        try:
+            validate_ps_vaas(ps)
+        except VenafiError as err:
+            msg = default_error_msg.format('Service Generated', dkp.service_generated, kp.service_generated)
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.key_pair.service_generated = kp.service_generated
+
+        # validate default values when policy is not defined
+        ps.policy = None
+        dkp2 = DefaultKeyPair(key_type="foo",
+                              rsa_key_size=256,
+                              elliptic_curve="bar",
+                              service_generated=False)
+        ps.defaults.key_pair = dkp2
+
+        try:
+            validate_ps_vaas(ps)
+        except VenafiError as err:
+            msg = f"Default Key Type [{dkp2.key_type}] is not supported by VaaS"
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.key_pair.key_type = "RSA"
+        try:
+            validate_ps_vaas(ps)
+        except VenafiError as err:
+            msg = f"Default Key Size [{256}] is not supported by VaaS"
+            self.assertEqual(err.args[0], msg)
+        ps.defaults.key_pair.rsa_key_size = 4096
+
+
 def create_policy(connector, zone, policy_spec=None, policy=None, defaults=None):
     if not policy_spec:
         policy_spec = PolicySpecification()
@@ -262,13 +606,3 @@ def _get_zone():
 def _get_tpp_policy_name():
     time = timestamp()
     return f"{_get_app_name().format(time)}"
-
-# def _resolve_resources_path(path):
-#     resources_dir = os.path.dirname(__file__)
-#     log.debug(f"Testing root folder: [{resources_dir}]")
-#     if resources_dir.endswith('tests'):
-#         resolved_path = f"./{path}"
-#     else:
-#         resolved_path = f"./tests/{path}"
-#     log.debug(f"resolved path: [{resolved_path}]")
-#     return resolved_path