coryHawkvelt/gatehouse-api
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
015c622016b69cf8fc6d22a9e485ba3ba3d20b31
gatehouse-api/tests/integration/certificate_signing_tests.py
T
nexgen_mirrors 015c622016 test: add comprehensive integration test suite for IAM platform 
Add 162 integration tests covering authentication flows, TOTP MFA,
SSH key/certificate management, organization workflows, multi-org
access, self-service features, admin operations, authorization,
security edge cases, department/principal management, CA management,
policy compliance, WebAuthn passkeys, and ZeroTier network access.

Includes:
- Reusable API client library with session management
- Test fixtures for users, organizations, memberships, and CAs
- Helper functions for SSH key generation and verification
- Documentation for running and writing tests

Also update test configuration to disable conflicting maas plugins
and configure WebAuthn/session settings for localhost testing.
2026-04-23 15:41:37 +09:30

1 line
7.7 KiB
Python
Raw Blame History

[{}, {"response.get('message')}": 'if message_contains:\n assert message_contains.lower() in response.get(', 'f': "xpected message to contain '{message_contains"}, {"response.get('message')}": 'return data\n\n\ndef assert_error(exc: ApiError', 'expected_status': 'int', 'expected_error_type': 'str | None = None):', 'Inspect an ApiError raised by the client."': 'assert exc.status_code == expected_status', 'f': 'xpected status {expected_status'}, {'f': 'RL: {exc.method'}, {'f': 'esponse: {exc.response_data'}, {'{exc.error_type}': 'Tier 1 — C. SSH Certificate Signing\n# =============================================================================\n\nclass TestCertificateSigning:', 'Test SSH certificate signing at POST /ssh/sign."': 'def _setup_cert_env(self', 'create_test_membership)': '', 'CA."': 'import tempfile\n import subprocess\n import os\n import base64\n\n # Create a user and login\n user = create_test_user(password=', 'password="MyPassword123!': 'Generate a fresh Ed25519 key pair to avoid fingerprint collisions\n with tempfile.TemporaryDirectory() as tmpdir:\n key_path = os.path.join(tmpdir', 'test_key")\n gen_proc = subprocess.run(\n ["ssh-keygen", "-t", "ed25519", "-f", key_path, "-N", "': '-C', 'test@example.com': 'capture_output=True', 'pytest.skip(f': 'sh-keygen not available: {gen_proc.stderr.decode()'}, ['data'], ['id'], ['data'], ['challenge_text'], ['ssh-keygen', '-Y', 'sign', '-f', 'key_path, "-n', 'file', 'sig_path],\n input=challenge_text.encode(),\n capture_output=True,\n )\n if sign_proc.returncode != 0:\n pytest.skip(f"ssh-keygen sign failed: {sign_proc.stderr.decode()}', 'with open(sig_path, "rb', 'as sf:\n signature_b64 = base64.b64encode(sf.read()).decode()\n\n # Verify the key\n integration_client.ssh.verify_key(key_id, signature_b64)\n\n # Create an org and add user as member\n org = create_test_org(name="Test Org for Cert Signing")\n create_test_membership(user["id'], ['id'], ['id'], ['data'], ['id'], ['id'], ['email'], ['id'], ['serial'], ['email'], ['principals'], {'principals': 'ef test_sign_certificate_custom_principals_positive(self', 'create_test_membership)': '', 'TEST': 'SSH-CERT-04 — Reject signing with unverified key.\n\n WHAT: User with UNVERIFIED key', 'WHY': 'Only verified keys should be able to sign certificates.\n EXPECTED: 400 Bad Request with error_type=', '\n user, org, key_id = self._setup_cert_env(\n integration_app, integration_client, create_test_user, create_test_org, create_test_membership\n )\n\n # Sign certificate with custom principals\n result = integration_client.ssh.sign_certificate(key_id=key_id, principals=["deploy"])\n data = assert_success(result, "certificate")\n\n # Verify response contains expected fields\n assert "certificate" in data, "Response missing certificate"\n assert "serial" in data, "Response missing serial"\n assert data["serial"] is not None, "Serial should not be None"\n assert "principals" in data, "Response missing principals"\n # Should contain the requested principal\n assert "deploy" in data["principals"], "Requested principal \'deploy\' not in principals': 'ef test_sign_certificate_unverified_key_negative(self', '\n user = create_test_user(password="MyPassword123!")\n integration_client.auth.login(email=user["email"], password="MyPassword123!': "Generate a fresh Ed25519 key pair but DON'T verify it\n with tempfile.TemporaryDirectory() as tmpdir:\n key_path = os.path.join(tmpdir", 'test_key")\n gen_proc = subprocess.run(\n ["ssh-keygen", "-t", "ed25519", "-f", key_path, "-N", "': '-C', 'test@example.com': 'capture_output=True', 'pytest.skip(f': 'sh-keygen not available: {gen_proc.stderr.decode()'}, ['data'], ['id'], ['id'], ['id'], ['id'], ['data'], ['id'], ['id'], ['email'], ['id'], ['email'], ['ssh-keygen', '-t', 'ed25519', '-f', 'key_path, "-N'], {'.pub", "r': 'as pub_f:\n public_key = pub_f.read().strip()\n\n # Add the public key\n add_result = integration_client.ssh.add_key(public_key', 'Cert Test Key")\n key_id = add_result["data"]["id"]\n\n # Get challenge\n challenge_result = integration_client.ssh.get_challenge(key_id)\n challenge_text = challenge_result["data"]["challenge_text"]\n\n # Sign challenge with ssh-keygen\n sig_path = key_path + ".sig"\n sign_proc = subprocess.run(\n ["ssh-keygen", "-Y", "sign", "-f", key_path, "-n", "file': 'sig_path]', 'pytest.skip(f': 'sh-keygen sign failed: {sign_proc.stderr.decode()'}, ['id'], ['id'], ['id'], ['unauthorized'], ['id'], ['email'], ['ssh-keygen', '-t', 'ed25519', '-f', 'key_path, "-N'], {'.pub", "r': 'as pub_f:\n public_key = pub_f.read().strip()\n\n # Add the public key\n add_result = integration_client.ssh.add_key(public_key', 'Cert Test Key")\n key_id = add_result["data"]["id"]\n\n # Get challenge\n challenge_result = integration_client.ssh.get_challenge(key_id)\n challenge_text = challenge_result["data"]["challenge_text"]\n\n # Sign challenge with ssh-keygen\n sig_path = key_path + ".sig"\n sign_proc = subprocess.run(\n ["ssh-keygen", "-Y", "sign", "-f", key_path, "-n", "file': 'sig_path]', 'pytest.skip(f': 'sh-keygen sign failed: {sign_proc.stderr.decode()'}, ['id'], ['id'], ['id'], ['data'], ['id'], ['id'], ['email'], [503, 400], {'exc_info.value.status_code}': 'ef test_sign_certificate_cross_user_key_negative(self', 'create_test_membership)': '', 'TEST': "SSH-CERT-09 — Reject signing with another user's key.\n\n WHAT: User A has a verified key. User B has principals and CA.\n User B tries to sign using User A's key_id.\n WHY: Cross-user certificate signing must be blocked.\n EXPECTED: 403 Forbidden.", '\n import tempfile\n import subprocess\n import os\n import base64\n\n # Create User A with a verified key\n user_a = create_test_user(password="PassA123!")\n user_b = create_test_user(password="PassB123!")\n\n # Login as User A and generate a key\n integration_client.auth.login(email=user_a["email"], password="PassA123!': 'Generate a fresh Ed25519 key pair for User A\n with tempfile.TemporaryDirectory() as tmpdir:\n key_path = os.path.join(tmpdir', 'test_key")\n gen_proc = subprocess.run(\n ["ssh-keygen", "-t", "ed25519", "-f", key_path, "-N", "': '-C', 'test@example.com': 'capture_output=True', 'pytest.skip(f': 'sh-keygen not available: {gen_proc.stderr.decode()'}, ['data'], ['id'], ['data'], ['challenge_text'], ['ssh-keygen', '-Y', 'sign', '-f', 'key_path, "-n', 'file', 'sig_path],\n input=challenge_text.encode(),\n capture_output=True,\n )\n if sign_proc.returncode != 0:\n pytest.skip(f"ssh-keygen sign failed: {sign_proc.stderr.decode()}', 'with open(sig_path, "rb', 'as sf:\n signature_b64 = base64.b64encode(sf.read()).decode()\n\n # Verify User A\'s key\n integration_client.ssh.verify_key(key_id_a, signature_b64)\n\n # Create an org\n org = create_test_org(name="Test Org for Cert Signing")\n\n # Add both users as members\n create_test_membership(user_a["id'], ['id'], ['id'], ['id'], ['id'], ['data'], ['id'], ['id'], ['email'], ['id'], ['email']]
Reference in New Issue View Git Blame Copy Permalink