From aec94b681c69eb429fcfa5050602608d8cfcdb86 Mon Sep 17 00:00:00 2001
From: Jacek Kowalski <Jacek@jacekk.info>
Date: Mon, 16 Mar 2020 23:20:08 +0000
Subject: [PATCH] Create the CA as self-signed certs no longer work

---
docker.sh | 22 +++++++++++
install.sh | 25 +++++++-----
install_root.sh | 9 ++++
build.gradle | 2
src/test/groovy/StandardTests.groovy | 26 ++++++++----
script.sh | 2 +
6 files changed, 65 insertions(+), 21 deletions(-)

diff --git a/build.gradle b/build.gradle
index f43ce99..7fbace1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,7 +1,7 @@
 apply plugin: 'groovy'
 
 dependencies {
- compile 'org.codehaus.groovy:groovy-all:2.4.4'
+ compile 'org.codehaus.groovy:groovy-all:2.5.10'
 compile 'junit:junit:4.12'
 compile 'org.seleniumhq.selenium:selenium-htmlunit-driver:2.47.1'
 }
diff --git a/docker.sh b/docker.sh
new file mode 100755
index 0000000..ad3fcc9
--- /dev/null
+++ b/docker.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+DIR_NAME=`dirname $0`
+PARENT_NAME=`realpath "${DIR_NAME}/.."`
+
+docker pull debian
+docker run -i -t -d \
+ -v "${PARENT_NAME}:/data:ro" \
+ --name uphpcas-tests \
+ debian
+
+set -e
+
+docker exec -i -t uphpcas-tests /data/tests/install_root.sh
+docker exec -i -t uphpcas-tests apt-get -y install php php-xml
+docker exec -i -t uphpcas-tests chown www-data:www-data /var/www
+docker exec -i -t --user www-data --workdir /var/www uphpcas-tests cp -Rfv /data .
+docker exec -i -t --user www-data --workdir /var/www/data uphpcas-tests ./tests/install.sh
+docker exec -i -t --user www-data --workdir /var/www/data uphpcas-tests ./tests/script.sh
+
+docker stop uphpcas-tests
+docker rm -v uphpcas-tests
diff --git a/install.sh b/install.sh
index 8d3179a..2db81b0 100755
--- a/install.sh
+++ b/install.sh
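Review bot: `set -e` is switched on only after `docker pull debian` and `docker run`, so a failed pull or a `docker run` that never creates `uphpcas-tests` is not noticed until the first `docker exec`, and once `set -e` is active any failing exec exits the script before `docker stop`/`docker rm -v`, leaving the container behind for the next run's `docker run --name uphpcas-tests` to collide with. If the late `set -e` is meant to tolerate a stale container it would be clearer to remove that container explicitly first; either way the cleanup belongs in a trap so it runs on every exit path: `trap 'docker rm -fv uphpcas-tests' EXIT` placed before `docker run`, with the final stop/rm pair dropped. `docker pull debian` resolves a floating tag, so the PHP, OpenSSL and stunnel versions that the CA-chain expectations in StandardTests.groovy depend on change silently as the image moves; pinning a release tag or an image digest keeps the run reproducible. The `DIR_NAME` assignment should also quote `$0` (`DIR_NAME=$(dirname "$0")`) so a checkout path containing spaces does not split.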
@@ -1,16 +1,19 @@
 #!/bin/bash
 
-sudo add-apt-repository -y ppa:cwchien/gradle
-sudo apt-get update
-sudo apt-get -y install gradle-ppa openjdk-7-jdk openssl stunnel
+set -e
 
-sudo update-java-alternatives -s java-1.7.0-openjdk-amd64
-sudo rm /usr/lib/jvm/default-java
+function genAndSign() {
+ local cn=$1
+ local file=$2
+ openssl genrsa -out "/tmp/${file}.key" 2048
+ openssl req -new -key "/tmp/${file}.key" -out "/tmp/${file}.csr" -subj "/CN=${cn}/"
+ openssl x509 -req -in "/tmp/${file}.csr" -out "/tmp/${file}.crt" \
+ -CA /tmp/ca.crt -CAkey /tmp/ca.key -CAcreateserial
+ cat "/tmp/${file}.crt" "/tmp/${file}.key" > "/tmp/${file}.pem"
+}
 
-openssl genrsa -out /tmp/correct.key 1024
-openssl req -new -key /tmp/correct.key -out /tmp/correct.crt -subj '/CN=127.0.0.1/' -x509
-cat /tmp/correct.crt /tmp/correct.key > /tmp/correct.pem
+openssl genrsa -out /tmp/ca.key 2048
+openssl req -new -key /tmp/ca.key -out /tmp/ca.crt -subj '/CN=Test CA/' -x509
 
-openssl genrsa -out /tmp/wrongcn.key 1024
-openssl req -new -key /tmp/wrongcn.key -out /tmp/wrongcn.crt -subj '/CN=127.0.0.2/' -x509
-cat /tmp/wrongcn.crt /tmp/wrongcn.key > /tmp/wrongcn.pem
+genAndSign "127.0.0.1" "correct"
+genAndSign "127.0.0.2" "wrongcn"
diff --git a/install_root.sh b/install_root.sh
new file mode 100755
index 0000000..bd7d21f
--- /dev/null
+++ b/install_root.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+apt-get -y update
+apt-get -y install \
+ --no-install-recommends \
+ --no-install-suggests \
+ gradle openssl stunnel
diff --git a/script.sh b/script.sh
index 53f1667..3eda212 100755
--- a/script.sh
+++ b/script.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+set -e
+
 cd `dirname $0`
 
 stunnel4 etc/stunnel.conf
diff --git a/src/test/groovy/StandardTests.groovy b/src/test/groovy/StandardTests.groovy
index 74828c6..a470fc0 100644
--- a/src/test/groovy/StandardTests.groovy
+++ b/src/test/groovy/StandardTests.groovy
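Review bot: In genAndSign the line `cat "/tmp/${file}.crt" "/tmp/${file}.key" > "/tmp/${file}.pem"` copies the private key into a file created under the default umask, so the combined PEM ends up readable by every user of the shared /tmp even though `openssl genrsa -out` writes the `.key` itself owner-only on recent OpenSSL releases; the `ca.srl` that `-CAcreateserial` produces gets the same default mode. A single `umask 077` right after `set -e` closes that for every file the script creates without touching the individual commands. The fixed `/tmp/...` names are also predictable and reused across runs, which is fine inside the throwaway container docker.sh builds but worth stating, e.g. `# Fixed /tmp paths: only safe in the single-use test container`. Neither `openssl req -x509` nor `openssl x509 -req` is given `-days`, so the CA and both leaves carry OpenSSL's 30-day default; that is acceptable because install.sh runs per container, but an image cached with these fixtures would start failing the HTTPS positive cases after a month, so either pass `-days` explicitly or note the assumption in a comment.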
@@ -16,7 +16,7 @@
 @Parameters(name = "{0}")
 public static Iterable<Object[]> data() {
 return [
- // cas, cafile, method, login page expected text, main page expected text
+ // name, cas, cafile, method, login page expected text, main page expected text
 
 // HTTP should succeed
 [ "HTTP", "http://127.0.0.1:8081/cas.php", null, null, "Authenticated as user123", "Authenticated as user123" ] as Object[],
@@ -24,14 +24,18 @@
 [ "HTTP POST", "http://127.0.0.1:8081/cas.php", null, "POST", "Authenticated as user123", "Authenticated as user123" ] as Object[],
 
 // HTTPS should succeed
- [ "HTTPS", "https://127.0.0.1:8444/cas.php", "/tmp/correct.crt", null, "Authenticated as user123", "Authenticated as user123" ] as Object[],
- [ "HTTPS GET", "https://127.0.0.1:8444/cas.php", "/tmp/correct.crt", "GET", "Authenticated as user123", "Authenticated as user123" ] as Object[],
- [ "HTTPS POST", "https://127.0.0.1:8444/cas.php", "/tmp/correct.crt", "POST", "Authenticated as user123", "Authenticated as user123" ] as Object[],
-
- // system CAfile does not contain this self-signed certificate - should fail
+ [ "HTTPS", "https://127.0.0.1:8444/cas.php", "/tmp/ca.crt", null, "Authenticated as user123", "Authenticated as user123" ] as Object[],
+ [ "HTTPS GET", "https://127.0.0.1:8444/cas.php", "/tmp/ca.crt", "GET", "Authenticated as user123", "Authenticated as user123" ] as Object[],
+ [ "HTTPS POST", "https://127.0.0.1:8444/cas.php", "/tmp/ca.crt", "POST", "Authenticated as user123", "Authenticated as user123" ] as Object[],
+
+ // system CAfile does not contain CA certificate - should fail
 [ "HTTPS SysCA", "https://127.0.0.1:8444/cas.php", null, null, "CAS server is unavailable", "Not authenticated." ] as Object[],
 [ "HTTPS SysCA GET", "https://127.0.0.1:8444/cas.php", null, "GET", "CAS server is unavailable", "Not authenticated." ] as Object[],
 [ "HTTPS SysCA POST", "https://127.0.0.1:8444/cas.php", null, "POST", "CAS server is unavailable", "Not authenticated." ] as Object[],
+ // correct.crt is a leaf certificate - should fail
+ [ "HTTPS LeafCA", "https://127.0.0.1:8444/cas.php", "/tmp/correct.crt", null, "CAS server is unavailable", "Not authenticated." ] as Object[],
+ [ "HTTPS LeafCA GET", "https://127.0.0.1:8444/cas.php", "/tmp/correct.crt", "GET", "CAS server is unavailable", "Not authenticated." ] as Object[],
+ [ "HTTPS LeafCA POST", "https://127.0.0.1:8444/cas.php", "/tmp/correct.crt", "POST", "CAS server is unavailable", "Not authenticated." ] as Object[],
 // wrongcn.crt does not contain correct.crt - should fail
 [ "HTTPS WrongCA", "https://127.0.0.1:8444/cas.php", "/tmp/wrongcn.crt", null, "CAS server is unavailable", "Not authenticated." ] as Object[],
 [ "HTTPS WrongCA GET", "https://127.0.0.1:8444/cas.php", "/tmp/wrongcn.crt", "GET", "CAS server is unavailable", "Not authenticated." ] as Object[],
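Review bot: Every scenario in the new rows is written out three times, differing only in the `null`/`"GET"`/`"POST"` method column and the ` GET`/` POST` suffix on the name, and the added LeafCA triple extends that pattern; a small helper that expands one scenario into its three method variants would shrink the table to one line per case and make a copy-paste slip inside a triple (one row pointing at the wrong cafile or port, which would silently test a different property) much harder to miss. The same mechanical change applies to the HTTPS, SysCA and LeafCA triples here and to the WrongCN and CA+WrongCN triples in the later hunk of this file. The expected strings are test data and stay verbatim; only the layout changes. `data()` begins before this hunk and ends after it.
```groovy
// Expand one scenario into its default/GET/POST variants; the name suffix keeps @Parameters(name = "{0}") unique.
private static List<Object[]> withMethods(String name, String cas, String cafile, String login, String main) {
    [ [ name, cas, cafile, null, login, main ] as Object[],
      [ name + " GET", cas, cafile, "GET", login, main ] as Object[],
      [ name + " POST", cas, cafile, "POST", login, main ] as Object[] ]
}
// … unchanged: data() table, each triple replaced by one spread call such as
//   *withMethods("HTTPS LeafCA", "https://127.0.0.1:8444/cas.php", "/tmp/correct.crt", "CAS server is unavailable", "Not authenticated."),
```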
@@ -45,10 +49,14 @@
 [ "HTTPS2 WrongCA", "https://127.0.0.1:8445/cas.php", "/tmp/correct.crt", null, "CAS server is unavailable", "Not authenticated." ] as Object[],
 [ "HTTPS2 WrongCA GET", "https://127.0.0.1:8445/cas.php", "/tmp/correct.crt", "GET", "CAS server is unavailable", "Not authenticated." ] as Object[],
 [ "HTTPS2 WrongCA POST", "https://127.0.0.1:8445/cas.php", "/tmp/correct.crt", "POST", "CAS server is unavailable", "Not authenticated." ] as Object[],
+ // wrongcn.crt is a leaf certificate - should fail
+ [ "HTTPS2 WrongCN", "https://127.0.0.1:8445/cas.php", "/tmp/wrongcn.crt", null, "CAS server is unavailable", "Not authenticated." ] as Object[],
+ [ "HTTPS2 WrongCN GET", "https://127.0.0.1:8445/cas.php", "/tmp/wrongcn.crt", "GET", "CAS server is unavailable", "Not authenticated." ] as Object[],
+ [ "HTTPS2 WrongCN POST", "https://127.0.0.1:8445/cas.php", "/tmp/wrongcn.crt", "POST", "CAS server is unavailable", "Not authenticated." ] as Object[],
 // wrongcn.crt is issued to 127.0.0.2, not 127.0.0.1 - should fail
- [ "HTTPS2 CN", "https://127.0.0.1:8445/cas.php", "/tmp/wrongcn.crt", null, "CAS server is unavailable", "Not authenticated." ] as Object[],
- [ "HTTPS2 CN GET", "https://127.0.0.1:8445/cas.php", "/tmp/wrongcn.crt", "GET", "CAS server is unavailable", "Not authenticated." ] as Object[],
- [ "HTTPS2 CN POST", "https://127.0.0.1:8445/cas.php", "/tmp/wrongcn.crt", "POST", "CAS server is unavailable", "Not authenticated." ] as Object[],
+ [ "HTTPS2 CA+WrongCN", "https://127.0.0.1:8445/cas.php", "/tmp/ca.crt", null, "CAS server is unavailable", "Not authenticated." ] as Object[],
+ [ "HTTPS2 CA+WrongCN GET", "https://127.0.0.1:8445/cas.php", "/tmp/ca.crt", "GET", "CAS server is unavailable", "Not authenticated." ] as Object[],
+ [ "HTTPS2 CA+WrongCN POST", "https://127.0.0.1:8445/cas.php", "/tmp/ca.crt", "POST", "CAS server is unavailable", "Not authenticated." ] as Object[],
 ]
 }
-- 
Gitblit v1.9.1
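Review bot: The comment on the new `HTTPS2 WrongCN` rows, `// wrongcn.crt is a leaf certificate - should fail`, names only one of two reasons these rows fail: wrongcn.crt is a leaf rather than a CA, but it is also issued to 127.0.0.2 while the client connects to 127.0.0.1, so a client that wrongly accepted a leaf as a trust anchor would still be rejected by the name check and this triple would not catch it. Leaf-as-anchor rejection is already isolated by the `HTTPS LeafCA` rows against port 8444 in the earlier hunk, and the name check by the new `CA+WrongCN` rows here, so the comment should say what this triple actually pins: `// wrongcn.crt is a leaf certificate and is issued to 127.0.0.2 - should fail for either reason`. The unchanged `HTTPS2 WrongCA` context rows (correct.crt as cafile) now have the same double cause, since correct.crt is no longer self-signed, so a matching note there would help a reader who sees both triples fail identically. `data()` begins before this hunk and closes at the `}` inside it.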