[andy/dehydrated.git] / test.sh

#!/usr/bin/env bash

# Fail early
set -eu -o pipefail

# Check if running in CI environment
if [[ ! "${CI:-false}" == "true" ]]; then
  echo "ERROR: Not running in CI environment!"
  exit 1
fi

_TEST() {
  echo
  echo "${1} "
}
_SUBTEST() {
  echo -n " + ${1} "
}
_PASS() {
  echo -e "[\u001B[32mPASS\u001B[0m]"
}
_FAIL() {
  echo -e "[\u001B[31mFAIL\u001B[0m]"
  echo
  echo "Problem: ${@}"
  echo
  echo "STDOUT:"
  cat tmplog
  echo
  echo "STDERR:"
  cat errorlog
  exit 1
}
_CHECK_FILE() {
  _SUBTEST "Checking if file '${1}' exists..."
  if [[ -e "${1}" ]]; then
    _PASS
  else
    _FAIL "Missing file: ${1}"
  fi
}
_CHECK_LOG() {
  _SUBTEST "Checking if log contains '${1}'..."
  if grep -- "${1}" tmplog > /dev/null; then
    _PASS
  else
    _FAIL "Missing in log: ${1}"
  fi
}
_CHECK_NOT_LOG() {
  _SUBTEST "Checking if log doesn't contain '${1}'..."
  if grep -- "${1}" tmplog > /dev/null; then
    _FAIL "Found in log: ${1}"
  else
    _PASS
  fi
}
_CHECK_ERRORLOG() {
  _SUBTEST "Checking if errorlog is empty..."
  if [[ -z "$(cat errorlog)" ]]; then
    _PASS
  else
    _FAIL "Non-empty errorlog"
  fi
}

# If not found (should be cached in travis) download ngrok
if [[ ! -e "ngrok/ngrok" ]]; then
  (
    mkdir -p ngrok
    cd ngrok
    wget https://dl.ngrok.com/ngrok_2.0.19_linux_amd64.zip -O ngrok.zip
    unzip ngrok.zip ngrok
    chmod +x ngrok
  )
fi

# Run ngrok and grab temporary url from logfile
ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp.log &
ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp2.log &
ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp3.log &
sleep 2
TMP_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp.log | head -1 | cut -d':' -f2)"
TMP2_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp2.log | head -1 | cut -d':' -f2)"
TMP3_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp3.log | head -1 | cut -d':' -f2)"
if [[ -z "${TMP_URL}" ]] || [[ -z "${TMP2_URL}" ]] || [[ -z "${TMP3_URL}" ]]; then
  echo "Couldn't get an url from ngrok, not a letsencrypt.sh bug, tests can't continue."
  exit 1
fi

# Run python webserver in .acme-challenges directory to serve challenge responses
mkdir -p .acme-challenges/.well-known/acme-challenge
(
  cd .acme-challenges
  python -m SimpleHTTPServer 8080 > /dev/null 2> /dev/null
) &

# Generate config and create empty domains.txt
echo 'CA="https://testca.kurz.pw/directory"' > config.sh
echo 'LICENSE="https://testca.kurz.pw/terms/v1"' >> config.sh
echo 'WELLKNOWN=".acme-challenges/.well-known/acme-challenge"' >> config.sh
echo 'RENEW_DAYS="14"' >> config.sh
touch domains.txt

# Check if help command is working
_TEST "Checking if help command is working..."
./letsencrypt.sh --help > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Default command: help"
_CHECK_LOG "--help (-h)"
_CHECK_LOG "--domain (-d) domain.tld"
_CHECK_ERRORLOG

# Run in cron mode with empty domains.txt (should only generate private key and exit)
_TEST "First run in cron mode, checking if private key is generated and registered"
./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Registering account key"
_CHECK_FILE "private_key.pem"
_CHECK_ERRORLOG

# Temporarily move config out of the way and try signing certificate by using temporary config location
_TEST "Try signing using temporary config location and with domain as command line parameter"
mv config.sh tmp_config.sh
./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" -f tmp_config.sh > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_NOT_LOG "Checking domain name(s) of existing cert"
_CHECK_LOG "Generating private key"
_CHECK_LOG "Requesting challenge for ${TMP_URL}"
_CHECK_LOG "Requesting challenge for ${TMP2_URL}"
_CHECK_LOG "Challenge is valid!"
_CHECK_LOG "Creating fullchain.pem"
_CHECK_LOG "Done!"
_CHECK_ERRORLOG
mv tmp_config.sh config.sh

# Move private key and add new location to config
mv private_key.pem account_key.pem
echo 'PRIVATE_KEY="./account_key.pem"' >> config.sh

# Add third domain to command-lime, should force renewal.
_TEST "Run in cron mode again, this time adding third domain, should force renewal."
./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Domain name(s) are not matching!"
_CHECK_LOG "Forcing renew."
_CHECK_LOG "Generating private key"
_CHECK_LOG "Requesting challenge for ${TMP_URL}"
_CHECK_LOG "Requesting challenge for ${TMP2_URL}"
_CHECK_LOG "Requesting challenge for ${TMP3_URL}"
_CHECK_LOG "Challenge is valid!"
_CHECK_LOG "Creating fullchain.pem"
_CHECK_LOG "Done!"
_CHECK_ERRORLOG

# Prepare domains.txt
# Modify TMP3_URL to be uppercase to check for upper-lower-case mismatch bugs
echo "${TMP_URL} ${TMP2_URL} $(tr 'a-z' 'A-Z' <<<"${TMP3_URL}")" >> domains.txt

# Run in cron mode again (should find a non-expiring certificate and do nothing)
_TEST "Run in cron mode again, this time with domain in domains.txt, should find non-expiring certificate"
./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
_CHECK_LOG "Skipping renew"
_CHECK_ERRORLOG

# Disable private key renew
echo 'PRIVATE_KEY_RENEW="no"' >> config.sh

# Run in cron mode one last time, with domain in domains.txt and force-resign (should find certificate, resign anyway, and not generate private key)
_TEST "Run in cron mode one last time, with domain in domains.txt and force-resign"
./letsencrypt.sh --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
_CHECK_LOG "Ignoring because renew was forced!"
_CHECK_NOT_LOG "Generating private key"
_CHECK_LOG "Requesting challenge for ${TMP_URL}"
_CHECK_LOG "Requesting challenge for ${TMP2_URL}"
_CHECK_LOG "Requesting challenge for ${TMP3_URL}"
_CHECK_LOG "Challenge is valid!"
_CHECK_LOG "Creating fullchain.pem"
_CHECK_LOG "Done!"
_CHECK_ERRORLOG

# Check if signcsr command is working
_TEST "Running signcsr command"
./letsencrypt.sh --signcsr certs/${TMP_URL}/cert.csr > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "BEGIN CERTIFICATE"
_CHECK_LOG "END CERTIFICATE"
_CHECK_NOT_LOG "ERROR"

# Delete account key (not needed anymore)
rm account_key.pem

# Check if renewal works
_TEST "Run in cron mode again, to check if renewal works"
echo 'RENEW_DAYS="300"' >> config.sh
./letsencrypt.sh --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
_CHECK_LOG "Renewing!"
_CHECK_ERRORLOG

# Check if certificate is valid in various ways
_TEST "Verifying certificate..."
_SUBTEST "Verifying certificate on its own..."
openssl x509 -in "certs/${TMP_URL}/cert.pem" -noout -text > tmplog 2> errorlog && _PASS || _FAIL
_CHECK_LOG "CN=${TMP_URL}"
_CHECK_LOG "${TMP2_URL}"
_SUBTEST "Verifying file with full chain..."
openssl x509 -in "certs/${TMP_URL}/fullchain.pem" -noout -text > /dev/null 2>> errorlog && _PASS || _FAIL
_SUBTEST "Verifying certificate against CA certificate..."
(openssl verify -verbose -CAfile "certs/${TMP_URL}/fullchain.pem" -purpose sslserver "certs/${TMP_URL}/fullchain.pem" 2>&1 || true) | (grep -v ': OK$' || true) >> errorlog 2>> errorlog && _PASS || _FAIL
_CHECK_ERRORLOG

# Revoke certificate using certificate key
_TEST "Revoking certificate..."
./letsencrypt.sh --revoke "certs/${TMP_URL}/cert.pem" --privkey "certs/${TMP_URL}/privkey.pem" > tmplog 2> errorlog || _FAIL "Script execution failed"
REAL_CERT="$(readlink -n "certs/${TMP_URL}/cert.pem")"
_CHECK_LOG "Revoking certs/${TMP_URL}/${REAL_CERT}"
_CHECK_LOG "Done."
_CHECK_FILE "certs/${TMP_URL}/${REAL_CERT}-revoked"
_CHECK_ERRORLOG

# Test cleanup command
_TEST "Cleaning up certificates"
./letsencrypt.sh --cleanup > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/cert-"
_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/chain-"
_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/fullchain-"
_CHECK_ERRORLOG

# All done
exit 0
Commit	Line	Data
1561e9fc	1	#!/usr/bin/env bash
a4e7c43a LS	2
	3	# Fail early
	4	set -eu -o pipefail
	5
	6	# Check if running in CI environment
	7	if [[ ! "${CI:-false}" == "true" ]]; then
	8	echo "ERROR: Not running in CI environment!"
	9	exit 1
	10	fi
	11
	12	_TEST() {
d3bc67eb	13	echo
40556950 LS	14	echo "${1} "
	15	}
	16	_SUBTEST() {
	17	echo -n " + ${1} "
a4e7c43a LS	18	}
a4e7c43a LS	19	_PASS() {
40556950	20	echo -e "[\u001B[32mPASS\u001B[0m]"
a4e7c43a LS	21	}
	22	_FAIL() {
	23	echo -e "[\u001B[31mFAIL\u001B[0m]"
	24	echo
	25	echo "Problem: ${@}"
	26	echo
	27	echo "STDOUT:"
	28	cat tmplog
	29	echo
	30	echo "STDERR:"
	31	cat errorlog
	32	exit 1
	33	}
	34	_CHECK_FILE() {
d3bc67eb	35	_SUBTEST "Checking if file '${1}' exists..."
40556950 LS	36	if [[ -e "${1}" ]]; then
	37	_PASS
	38	else
	39	_FAIL "Missing file: ${1}"
	40	fi
a4e7c43a LS	41	}
a4e7c43a LS	42	_CHECK_LOG() {
d3bc67eb	43	_SUBTEST "Checking if log contains '${1}'..."
40556950 LS	44	if grep -- "${1}" tmplog > /dev/null; then
	45	_PASS
	46	else
	47	_FAIL "Missing in log: ${1}"
	48	fi
	49	}
341f5252	50	_CHECK_NOT_LOG() {
d3bc67eb	51	_SUBTEST "Checking if log doesn't contain '${1}'..."
341f5252 LS	52	if grep -- "${1}" tmplog > /dev/null; then
	53	_FAIL "Found in log: ${1}"
	54	else
	55	_PASS
	56	fi
	57	}
40556950 LS	58	_CHECK_ERRORLOG() {
	59	_SUBTEST "Checking if errorlog is empty..."
	60	if [[ -z "$(cat errorlog)" ]]; then
	61	_PASS
	62	else
	63	_FAIL "Non-empty errorlog"
	64	fi
a4e7c43a LS	65	}
	66
	67	# If not found (should be cached in travis) download ngrok
	68	if [[ ! -e "ngrok/ngrok" ]]; then
	69	(
	70	mkdir -p ngrok
ebe9ea3d	71	cd ngrok
a4e7c43a LS	72	wget https://dl.ngrok.com/ngrok_2.0.19_linux_amd64.zip -O ngrok.zip
	73	unzip ngrok.zip ngrok
	74	chmod +x ngrok
	75	)
	76	fi
	77
	78	# Run ngrok and grab temporary url from logfile
	79	ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp.log &
338ec308	80	ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp2.log &
c9823c25	81	ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp3.log &
a4e7c43a LS	82	sleep 2
a4e7c43a LS	83	TMP_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp.log \| head -1 \| cut -d':' -f2)"
338ec308	84	TMP2_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp2.log \| head -1 \| cut -d':' -f2)"
c9823c25 LS	85	TMP3_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp3.log \| head -1 \| cut -d':' -f2)"
c9823c25 LS	86	if [[ -z "${TMP_URL}" ]] \|\| [[ -z "${TMP2_URL}" ]] \|\| [[ -z "${TMP3_URL}" ]]; then
a4e7c43a LS	87	echo "Couldn't get an url from ngrok, not a letsencrypt.sh bug, tests can't continue."
	88	exit 1
	89	fi
	90
	91	# Run python webserver in .acme-challenges directory to serve challenge responses
	92	mkdir -p .acme-challenges/.well-known/acme-challenge
	93	(
	94	cd .acme-challenges
	95	python -m SimpleHTTPServer 8080 > /dev/null 2> /dev/null
	96	) &
	97
	98	# Generate config and create empty domains.txt
f6f77139 LS	99	echo 'CA="https://testca.kurz.pw/directory"' > config.sh
f6f77139 LS	100	echo 'LICENSE="https://testca.kurz.pw/terms/v1"' >> config.sh
a4e7c43a	101	echo 'WELLKNOWN=".acme-challenges/.well-known/acme-challenge"' >> config.sh
da2795d3	102	echo 'RENEW_DAYS="14"' >> config.sh
a4e7c43a LS	103	touch domains.txt
	104
	105	# Check if help command is working
	106	_TEST "Checking if help command is working..."
6a8f4482	107	./letsencrypt.sh --help > tmplog 2> errorlog \|\| _FAIL "Script execution failed"
a4e7c43a	108	_CHECK_LOG "Default command: help"
40556950 LS	109	_CHECK_LOG "--help (-h)"
	110	_CHECK_LOG "--domain (-d) domain.tld"
	111	_CHECK_ERRORLOG
a4e7c43a LS	112
	113	# Run in cron mode with empty domains.txt (should only generate private key and exit)
	114	_TEST "First run in cron mode, checking if private key is generated and registered"
6a8f4482	115	./letsencrypt.sh --cron > tmplog 2> errorlog \|\| _FAIL "Script execution failed"
a4e7c43a LS	116	_CHECK_LOG "Registering account key"
a4e7c43a LS	117	_CHECK_FILE "private_key.pem"
40556950	118	_CHECK_ERRORLOG
a4e7c43a LS	119
	120	# Temporarily move config out of the way and try signing certificate by using temporary config location
	121	_TEST "Try signing using temporary config location and with domain as command line parameter"
	122	mv config.sh tmp_config.sh
b57fd221	123	./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" -f tmp_config.sh > tmplog 2> errorlog \|\| _FAIL "Script execution failed"
6a8f4482	124	_CHECK_NOT_LOG "Checking domain name(s) of existing cert"
a4e7c43a LS	125	_CHECK_LOG "Generating private key"
a4e7c43a LS	126	_CHECK_LOG "Requesting challenge for ${TMP_URL}"
338ec308	127	_CHECK_LOG "Requesting challenge for ${TMP2_URL}"
a4e7c43a LS	128	_CHECK_LOG "Challenge is valid!"
	129	_CHECK_LOG "Creating fullchain.pem"
	130	_CHECK_LOG "Done!"
40556950	131	_CHECK_ERRORLOG
a4e7c43a LS	132	mv tmp_config.sh config.sh
	133
	134	# Move private key and add new location to config
	135	mv private_key.pem account_key.pem
	136	echo 'PRIVATE_KEY="./account_key.pem"' >> config.sh
	137
c9823c25 LS	138	# Add third domain to command-lime, should force renewal.
c9823c25 LS	139	_TEST "Run in cron mode again, this time adding third domain, should force renewal."
0d842e87	140	./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog \|\| _FAIL "Script execution failed"
c9823c25 LS	141	_CHECK_LOG "Domain name(s) are not matching!"
c9823c25 LS	142	_CHECK_LOG "Forcing renew."
a2867410	143	_CHECK_LOG "Generating private key"
c9823c25 LS	144	_CHECK_LOG "Requesting challenge for ${TMP_URL}"
	145	_CHECK_LOG "Requesting challenge for ${TMP2_URL}"
	146	_CHECK_LOG "Requesting challenge for ${TMP3_URL}"
	147	_CHECK_LOG "Challenge is valid!"
	148	_CHECK_LOG "Creating fullchain.pem"
	149	_CHECK_LOG "Done!"
	150	_CHECK_ERRORLOG
	151
33f07fcc LS	152	# Prepare domains.txt
	153	# Modify TMP3_URL to be uppercase to check for upper-lower-case mismatch bugs
	154	echo "${TMP_URL} ${TMP2_URL} $(tr 'a-z' 'A-Z' <<<"${TMP3_URL}")" >> domains.txt
	155
	156	# Run in cron mode again (should find a non-expiring certificate and do nothing)
a4e7c43a	157	_TEST "Run in cron mode again, this time with domain in domains.txt, should find non-expiring certificate"
6a8f4482 LS	158	./letsencrypt.sh --cron > tmplog 2> errorlog \|\| _FAIL "Script execution failed"
6a8f4482 LS	159	_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
64b23e7a	160	_CHECK_LOG "Skipping renew"
40556950	161	_CHECK_ERRORLOG
a4e7c43a	162
a2867410 LS	163	# Disable private key renew
	164	echo 'PRIVATE_KEY_RENEW="no"' >> config.sh
	165
341f5252 LS	166	# Run in cron mode one last time, with domain in domains.txt and force-resign (should find certificate, resign anyway, and not generate private key)
341f5252 LS	167	_TEST "Run in cron mode one last time, with domain in domains.txt and force-resign"
6a8f4482 LS	168	./letsencrypt.sh --cron --force > tmplog 2> errorlog \|\| _FAIL "Script execution failed"
6a8f4482 LS	169	_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
2d097c92	170	_CHECK_LOG "Ignoring because renew was forced!"
af2bc7a9	171	_CHECK_NOT_LOG "Generating private key"
341f5252	172	_CHECK_LOG "Requesting challenge for ${TMP_URL}"
338ec308	173	_CHECK_LOG "Requesting challenge for ${TMP2_URL}"
c9823c25	174	_CHECK_LOG "Requesting challenge for ${TMP3_URL}"
341f5252 LS	175	_CHECK_LOG "Challenge is valid!"
	176	_CHECK_LOG "Creating fullchain.pem"
	177	_CHECK_LOG "Done!"
	178	_CHECK_ERRORLOG
	179
c9823c25 LS	180	# Check if signcsr command is working
	181	_TEST "Running signcsr command"
	182	./letsencrypt.sh --signcsr certs/${TMP_URL}/cert.csr > tmplog 2> errorlog \|\| _FAIL "Script execution failed"
bfb45d8b LS	183	_CHECK_LOG "BEGIN CERTIFICATE"
	184	_CHECK_LOG "END CERTIFICATE"
	185	_CHECK_NOT_LOG "ERROR"
c9823c25	186
a4e7c43a LS	187	# Delete account key (not needed anymore)
	188	rm account_key.pem
	189
85b3f191 LS	190	# Check if renewal works
	191	_TEST "Run in cron mode again, to check if renewal works"
	192	echo 'RENEW_DAYS="300"' >> config.sh
	193	./letsencrypt.sh --cron > tmplog 2> errorlog \|\| _FAIL "Script execution failed"
	194	_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
	195	_CHECK_LOG "Renewing!"
	196	_CHECK_ERRORLOG
	197
a4e7c43a LS	198	# Check if certificate is valid in various ways
a4e7c43a LS	199	_TEST "Verifying certificate..."
d3bc67eb LS	200	_SUBTEST "Verifying certificate on its own..."
d3bc67eb LS	201	openssl x509 -in "certs/${TMP_URL}/cert.pem" -noout -text > tmplog 2> errorlog && _PASS \|\| _FAIL
a4e7c43a	202	_CHECK_LOG "CN=${TMP_URL}"
338ec308	203	_CHECK_LOG "${TMP2_URL}"
d3bc67eb LS	204	_SUBTEST "Verifying file with full chain..."
	205	openssl x509 -in "certs/${TMP_URL}/fullchain.pem" -noout -text > /dev/null 2>> errorlog && _PASS \|\| _FAIL
	206	_SUBTEST "Verifying certificate against CA certificate..."
	207	(openssl verify -verbose -CAfile "certs/${TMP_URL}/fullchain.pem" -purpose sslserver "certs/${TMP_URL}/fullchain.pem" 2>&1 \|\| true) \| (grep -v ': OK$' \|\| true) >> errorlog 2>> errorlog && _PASS \|\| _FAIL
40556950	208	_CHECK_ERRORLOG
a4e7c43a LS	209
	210	# Revoke certificate using certificate key
	211	_TEST "Revoking certificate..."
6a8f4482	212	./letsencrypt.sh --revoke "certs/${TMP_URL}/cert.pem" --privkey "certs/${TMP_URL}/privkey.pem" > tmplog 2> errorlog \|\| _FAIL "Script execution failed"
c7018036 MG	213	REAL_CERT="$(readlink -n "certs/${TMP_URL}/cert.pem")"
c7018036 MG	214	_CHECK_LOG "Revoking certs/${TMP_URL}/${REAL_CERT}"
3dcfa8b4	215	_CHECK_LOG "Done."
c7018036	216	_CHECK_FILE "certs/${TMP_URL}/${REAL_CERT}-revoked"
40556950	217	_CHECK_ERRORLOG
a4e7c43a	218
a35b89e9 LS	219	# Test cleanup command
	220	_TEST "Cleaning up certificates"
	221	./letsencrypt.sh --cleanup > tmplog 2> errorlog \|\| _FAIL "Script execution failed"
	222	_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/cert-"
	223	_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/chain-"
	224	_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/fullchain-"
	225	_CHECK_ERRORLOG
	226
a4e7c43a LS	227	# All done
a4e7c43a LS	228	exit 0