From 5d493ca53cbbc078af6937ec993fc8fcddc002c4 Mon Sep 17 00:00:00 2001
From: alexzorin
Date: Thu, 3 Mar 2022 08:55:20 +1100
Subject: storage: always save key_type to renewal .conf (#9217)

* storage: always save key_type to renewal .conf

* fix typo in comment

Co-authored-by: DasSkelett
---
 .../certbot_tests/assertions.py | 17 +++++++++++++++--
 .../certbot_tests/test_main.py | 3 +++
 certbot/certbot/_internal/storage.py | 5 +++++
 certbot/tests/storage_test.py | 2 +-
 4 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/certbot-ci/certbot_integration_tests/certbot_tests/assertions.py b/certbot-ci/certbot_integration_tests/certbot_tests/assertions.py
index 92ce8fac8..272084217 100644
--- a/certbot-ci/certbot_integration_tests/certbot_tests/assertions.py
+++ b/certbot-ci/certbot_integration_tests/certbot_tests/assertions.py
@@ -1,6 +1,7 @@
 """This module contains advanced assertions for the certbot integration tests."""
 import io
 import os
+from typing import Optional
 from typing import Type
 
 from cryptography.hazmat.backends import default_backend
@@ -62,14 +63,26 @@ def assert_hook_execution(probe_path: str, probe_content: str) -> None:
     assert probe_content in lines
 
 
+def assert_saved_lineage_option(config_dir: str, lineage: str,
+                                option: str, value: Optional[str] = None) -> None:
+    """
+    Assert that the option of a lineage has been saved.
+    :param str config_dir: location of the certbot configuration
+    :param str lineage: lineage domain name
+    :param str option: the option key
+    :param value: if desired, the expected option value
+    """
+    with open(os.path.join(config_dir, 'renewal', '{0}.conf'.format(lineage))) as file_h:
+        assert f"{option} = {value if value else ''}" in file_h.read()
+
+
 def assert_saved_renew_hook(config_dir: str, lineage: str) -> None:
     """
     Assert that the renew hook configuration of a lineage has been saved.
     :param str config_dir: location of the certbot configuration
     :param str lineage: lineage domain name
     """
-    with open(os.path.join(config_dir, 'renewal', '{0}.conf'.format(lineage))) as file_h:
-        assert 'renew_hook' in file_h.read()
+    assert_saved_lineage_option(config_dir, lineage, 'renew_hook')
 
 
 def assert_cert_count_for_lineage(config_dir: str, lineage: str, count: int) -> None:
diff --git a/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py b/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
index 21f400d37..4a3395217 100644
--- a/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
+++ b/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
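Review bot: The assertion in assert_saved_lineage_option is a substring search over the whole renewal file, so `key_type = rsa` is also satisfied by a longer value or by a different option whose name ends in the requested one, and with `value` omitted it only proves that the text `option = ` occurs somewhere in the file. Matching whole stripped lines keeps the call sites and the prefix-only behaviour for the no-value case: `needle = f"{option} = {value}" if value is not None else f"{option} = "` followed by `assert any(line.strip() == needle if value is not None else line.strip().startswith(needle) for line in file_h)`. The `value if value else ''` ternary also treats an explicit empty string like None; testing `is not None` makes the intent explicit.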
@@ -25,6 +25,7 @@ from certbot_integration_tests.certbot_tests.assertions import assert_equals_gro
 from certbot_integration_tests.certbot_tests.assertions import assert_equals_world_read_permissions
 from certbot_integration_tests.certbot_tests.assertions import assert_hook_execution
 from certbot_integration_tests.certbot_tests.assertions import assert_rsa_key
+from certbot_integration_tests.certbot_tests.assertions import assert_saved_lineage_option
 from certbot_integration_tests.certbot_tests.assertions import assert_saved_renew_hook
 from certbot_integration_tests.certbot_tests.assertions import assert_world_no_permissions
 from certbot_integration_tests.certbot_tests.assertions import assert_world_read_permissions
@@ -102,6 +103,7 @@ def test_http_01(context: IntegrationTestsContext) -> None:
 
     assert_hook_execution(context.hook_probe, 'deploy')
     assert_saved_renew_hook(context.config_dir, certname)
+    assert_saved_lineage_option(context.config_dir, certname, 'key_type', 'rsa')
 
 
 def test_manual_http_auth(context: IntegrationTestsContext) -> None:
@@ -544,6 +546,7 @@ def test_renew_with_ec_keys(context: IntegrationTestsContext) -> None:
     assert 200 < os.stat(key1).st_size < 250  # ec keys of 256 bits are ~225 bytes
     assert_elliptic_key(key1, SECP256R1)
     assert_cert_count_for_lineage(context.config_dir, certname, 1)
+    assert_saved_lineage_option(context.config_dir, certname, 'key_type', 'ecdsa')
 
     context.certbot(['renew', '--elliptic-curve', 'secp384r1'])
     assert_cert_count_for_lineage(context.config_dir, certname, 2)
diff --git a/certbot/certbot/_internal/storage.py b/certbot/certbot/_internal/storage.py
index 5dd3e565b..9bdbe2731 100644
--- a/certbot/certbot/_internal/storage.py
+++ b/certbot/certbot/_internal/storage.py
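Review bot: The new `key_type` assertion in test_renew_with_ec_keys is placed before the `renew` call, so the test still does not show that the saved value survives a renewal, which is presumably the path that rewrites the lineage's .conf and the scenario the commit message is about. Adding `assert_saved_lineage_option(context.config_dir, certname, 'key_type', 'ecdsa')` after `assert_cert_count_for_lineage(context.config_dir, certname, 2)` would cover it; whether `renew` re-saves the conf is not visible in this hunk, so confirm against the renewal code before relying on it. test_renew_with_ec_keys continues past the end of the hunk.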
@@ -298,6 +298,11 @@ def relevant_values(all_values: Mapping[str, Any]) -> Dict[str, Any]:
     # and behavioral consistency when versions of Certbot with different
     # server defaults are used.
     rv["server"] = all_values["server"]
+
+    # Save key type to help with forward compatibility on Certbot's transition
+    # from RSA to ECDSA certificates by default.
+    rv["key_type"] = all_values["key_type"]
+
     return rv
 
 
diff --git a/certbot/tests/storage_test.py b/certbot/tests/storage_test.py
index aa5910f1e..5be3c3037 100644
--- a/certbot/tests/storage_test.py
+++ b/certbot/tests/storage_test.py
@@ -39,7 +39,7 @@ class RelevantValuesTest(unittest.TestCase):
     """Tests for certbot._internal.storage.relevant_values."""
 
     def setUp(self):
-        self.values = {"server": "example.org"}
+        self.values = {"server": "example.org", "key_type": "rsa"}
 
     def _call(self, *args, **kwargs):
         from certbot._internal.storage import relevant_values
-- 
cgit v1.2.3
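Review bot: `rv["key_type"] = all_values["key_type"]` makes `key_type` a mandatory key of `all_values`, and a caller passing a mapping without it now gets a bare KeyError out of relevant_values — the storage_test.py fixture in this same commit had to gain `"key_type": "rsa"` for exactly that reason. The `server` lookup just above has the same shape, so the behaviour is at least consistent, but the function's docstring (the def is above the hunk) should state that both `server` and `key_type` are required, or the lookup should fail with a message naming the missing option. The comment could also say why the value is pinned rather than only that it is, e.g. `# Persist key_type so an existing lineage keeps the key algorithm it was created with once the default changes from RSA to ECDSA`; that reading is inferred from the commit message, so confirm it matches the intent.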