diff --git a/Makefile b/Makefile index c564bbb1..596fac37 100644 --- a/Makefile +++ b/Makefile @@ -12,6 +12,8 @@ define cucumber_image_build docker build --tag vcert.auto aruba/ endef +export DUMMY_PASS=CyberArkT3stP4ZZC0de%jQX^J=4H + define cucumber_tests_run if [ -n "$(FEATURE)" ] && [ -n "$(PLATFORM)" ]; then \ echo "running cucumber tests for both feature $(FEATURE) and platform $(PLATFORM)"; \ diff --git a/aruba/features/credmgmt/credmgmt.feature b/aruba/features/credmgmt/credmgmt.feature index 09da2214..327a77a2 100644 --- a/aruba/features/credmgmt/credmgmt.feature +++ b/aruba/features/credmgmt/credmgmt.feature @@ -35,7 +35,7 @@ Feature: Managing credentials tokens from TPP Scenario: request with PKCS12 if possible with no password When I interactively get credentials from TPP with PKSC12 and no password - And I type "newPassw0rd!" + And I type dummy password And I remember the output And it should output access token And it should output refresh token diff --git a/aruba/features/enroll/basic.enroll.feature b/aruba/features/enroll/basic.enroll.feature index 8bee2f71..a2631f56 100644 --- a/aruba/features/enroll/basic.enroll.feature +++ b/aruba/features/enroll/basic.enroll.feature @@ -23,7 +23,7 @@ Feature: Enroll certificate @FAKE Scenario: Passphrases don't match When I run `vcert enroll -test-mode -test-mode-delay 0 -cn vfidev.example.com` interactively - And I type "newPassw0rd!" + And I type dummy password And I type "different password" Then it should fail with "Passphrases don't match" diff --git a/aruba/features/enroll/enroll-deprecated-options.feature b/aruba/features/enroll/enroll-deprecated-options.feature index 0d88009c..1ce1aa1d 100644 --- a/aruba/features/enroll/enroll-deprecated-options.feature +++ b/aruba/features/enroll/enroll-deprecated-options.feature 
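Review bot: The literal `CyberArkT3stP4ZZC0de%jQX^J=4H` exported here is hard-coded a second, third and fourth time in aruba/features/support/aruba.rb (DUMMY_PASSWORD), examples/simple-cli/vars.go (dummy_pass) and test-files/playbook/bad_sample.yaml, so four copies must be kept in step by hand and nothing fails loudly when one drifts. Make this export the single source — `export DUMMY_PASS ?= CyberArkT3stP4ZZC0de%jQX^J=4H` so CI can override it — and have aruba.rb read `ENV["DUMMY_PASS"]` like the AZURE_* constants next to it. Whether the exported variable reaches the cucumber container built by `cucumber_image_build` is not visible in this hunk; if it does not, the Ruby side needs its own fallback. The Go tests that read it through `os.Getenv` get an empty string when run with plain `go test` outside make, which is raised on those hunks.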
@@ -13,7 +13,7 @@ Feature: Tests with deprecated TPP options # if ERRORLEVEL 1 goto :DONE # timeout /t 10 Scenario: ~ Service Generated CSR with RSA key ~ - When I enroll a certificate in TPPdeprecated with -csr service -key-type rsa -key-size 4096 -cn service-gen-rsa.vcert.example -format json -key-password newPassw0rd! + When I enroll a certificate with dummy password in TPPdeprecated with -csr service -key-type rsa -key-size 4096 -cn service-gen-rsa.vcert.example -format json Then it should retrieve certificate Then I get JSON response And that certificate should contain "Public-Key: (4096 bit)" @@ -31,7 +31,7 @@ Feature: Tests with deprecated TPP options Scenario: ~ Service Generated CSR pickup later ID as param ~ When I enroll certificate using TPPdeprecated with -csr service -cn service-gen-pickup-id-as-param.vcert.example -no-pickup Then it should post certificate request - And I retrieve the certificate from TPPdeprecated using the same Pickup ID with -key-password newPassw0rd! -timeout 59 + And I retrieve the certificate from TPPdeprecated using the same Pickup ID and using a dummy password with -timeout 59 Then it should retrieve certificate Then it should output encrypted private key @@ -46,7 +46,7 @@ Feature: Tests with deprecated TPP options Scenario: ~ Service Generated CSR pickup later ID in file~ When I enroll certificate using TPPdeprecated with -csr service -cn service-gen-pickup-id-in-file.vcert.example -no-pickup -pickup-id-file pickup_id.txt Then it should post certificate request - And I retrieve the certificate from TPPdeprecated with -pickup-id-file pickup_id.txt -key-password newPassw0rd! -timeout 59 + And I retrieve the certificate using a dummy password from TPPdeprecated with -pickup-id-file pickup_id.txt -timeout 59 Then it should retrieve certificate Then it should output encrypted private key 
diff --git a/aruba/features/enroll/enroll-with-csr-PS-tests.feature b/aruba/features/enroll/enroll-with-csr-PS-tests.feature index f0b2adff..7217f9a7 100644 --- a/aruba/features/enroll/enroll-with-csr-PS-tests.feature +++ b/aruba/features/enroll/enroll-with-csr-PS-tests.feature @@ -13,7 +13,7 @@ Feature: few more tests from Ryan # if ERRORLEVEL 1 goto :DONE # timeout /t 10 Scenario: ~ Service Generated CSR with RSA key ~ - When I enroll a certificate in TPP with -csr service -key-type rsa -key-size 4096 -cn service-gen-rsa.vcert.example -format json -key-password newPassw0rd! + When I enroll a certificate with dummy password in TPP with -csr service -key-type rsa -key-size 4096 -cn service-gen-rsa.vcert.example -format json Then it should retrieve certificate Then I get JSON response And that certificate should contain "Public-Key: (4096 bit)" @@ -24,7 +24,7 @@ Feature: few more tests from Ryan # if ERRORLEVEL 1 goto :DONE # timeout /t 10 Scenario: ~ Service Generated CSR with ECC key ~ - When I enroll random certificate using TPPecdsa with -csr service -key-type ecdsa -key-curve p521 -format json -key-password newPassw0rd! + When I enroll random certificate with dummy password using TPPecdsa with -csr service -key-type ecdsa -key-curve p521 -format json Then it should post certificate request And it should retrieve certificate And the JSON response at "PrivateKey" should include "-----BEGIN EC PRIVATE KEY-----" 
@@ -42,7 +42,7 @@ Feature: few more tests from Ryan Scenario: ~ Service Generated CSR pickup later ID as param ~ When I enroll certificate using TPP with -csr service -cn service-gen-pickup-id-as-param.vcert.example -no-pickup Then it should post certificate request - And I retrieve the certificate from TPP using the same Pickup ID with -key-password newPassw0rd! -timeout 59 + And I retrieve the certificate from TPP using the same Pickup ID and using a dummy password with -timeout 59 Then it should retrieve certificate Then it should output encrypted private key @@ -57,7 +57,7 @@ Feature: few more tests from Ryan Scenario: ~ Service Generated CSR pickup later ID in file~ When I enroll certificate using TPP with -csr service -cn service-gen-pickup-id-in-file.vcert.example -no-pickup -pickup-id-file pickup_id.txt Then it should post certificate request - And I retrieve the certificate from TPP with -pickup-id-file pickup_id.txt -key-password newPassw0rd! -timeout 59 + And I retrieve the certificate using a dummy password from TPP with -pickup-id-file pickup_id.txt -timeout 59 Then it should retrieve certificate Then it should output encrypted private key @@ -96,7 +96,7 @@ Feature: few more tests from Ryan # if ERRORLEVEL 1 goto :DONE # timeout /t 10 Scenario: ~ Service Generated CSR with SANS and should be no log output ~ - When I enroll random certificate using TPP with -csr service -san-dns one.vcert.example -san-dns two.vcert.example -san-ip 10.20.30.40 -san-ip 198.168.144.120 -san-email zack.jackson@vcert.example -format json -key-password newPassw0rd! + When I enroll random certificate with dummy password using TPP with -csr service -san-dns one.vcert.example -san-dns two.vcert.example -san-ip 10.20.30.40 -san-ip 198.168.144.120 -san-email zack.jackson@vcert.example -format json And I get JSON response And that certificate should contain "DNS:one.vcert.example" And that certificate should contain "DNS:two.vcert.example" 
@@ -112,7 +112,7 @@ Feature: few more tests from Ryan # if ERRORLEVEL 1 goto :DONE # timeout /t 10 Scenario: ~ User Provided CSR with SANs ~ - Given I generate CSR with -cn user-provided-with-sans.vcert.example -san-dns one.vcert.example -san-dns two.vcert.example -san-ip 10.20.30.40 -san-ip 198.168.144.120 -san-email zack.jackson@vcert.example -key-file user-provided-with-sans.key -csr-file user-provided-with-sans.req -key-password newPassw0rd! + Given I generate CSR using dummy password with flags -cn user-provided-with-sans.vcert.example -san-dns one.vcert.example -san-dns two.vcert.example -san-ip 10.20.30.40 -san-ip 198.168.144.120 -san-email zack.jackson@vcert.example -key-file user-provided-with-sans.key -csr-file user-provided-with-sans.req And I enroll certificate using TPP with -csr file:user-provided-with-sans.req -cert-file c.pem And I decode certificate from file "c.pem" And that certificate should contain "DNS:one.vcert.example" @@ -130,7 +130,7 @@ Feature: few more tests from Ryan # if ERRORLEVEL 1 goto :DONE # timeout /t 10 Scenario: ~ User Provided CSR with full Subject DN ~ - Given I generate CSR with -cn user-provided-full-subject.vcert.example -ou "DevOps Integrations" -o "Swordfish Security" -l "St. Petersburg" -st Russia -c RU -key-file user-provided-full-subject.key -csr-file user-provided-full-subject.req -key-password newPassw0rd! + Given I generate CSR using dummy password with flags -cn user-provided-full-subject.vcert.example -ou "DevOps Integrations" -o "Swordfish Security" -l "St. Petersburg" -st Russia -c RU -key-file user-provided-full-subject.key -csr-file user-provided-full-subject.req And I enroll certificate using TPP with -csr file:user-provided-full-subject.req -format json And I get JSON response Then that certificate Subject should contain "C = RU" diff --git a/aruba/features/enroll/enroll-with-csr.feature b/aruba/features/enroll/enroll-with-csr.feature index 3f75270b..a2e3abd0 100644 
--- a/aruba/features/enroll/enroll-with-csr.feature +++ b/aruba/features/enroll/enroll-with-csr.feature @@ -75,7 +75,7 @@ Feature: enrolling certificates with -csr option (VEN-40652) | Cloud | Scenario Outline: where it enrolls certificates with -csr local -no-prompt -key-password ... - Given I enroll random certificate using with -csr local -no-prompt -key-password newPassw0rd! + Given I enroll random certificate with dummy password using with -csr local -no-prompt And it should post certificate request Then it should retrieve certificate And it should output encrypted private key @@ -98,7 +98,7 @@ Feature: enrolling certificates with -csr option (VEN-40652) Scenario Outline: where it should however enroll a certificate with -csr service, empty -key-password and -no-pickup - When I enroll random certificate using with -csr service -no-prompt -no-pickup + When I enroll random certificate with dummy password using with -csr service -no-prompt -no-pickup Then it should post certificate request @FAKE @@ -117,7 +117,7 @@ Feature: enrolling certificates with -csr option (VEN-40652) | Cloud | Scenario Outline: where it should enroll a certificate with -csr service -no-prompt -key-password ... - When I enroll random certificate using with -csr service -no-prompt -key-password newPassw0rd! + When I enroll random certificate with dummy password using with -csr service -no-prompt Then it should post certificate request And it should retrieve certificate And it should output encrypted private key 
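Review bot: In the @@ -98 hunk the scenario is titled "… with -csr service, empty -key-password and -no-pickup", yet the step now says "with dummy password", which per the new enroll step in actions.rb appends `-key-password` with the dummy value, so the empty-key-password case is no longer exercised. Keep the original step text here, `When I enroll random certificate using with -csr service -no-prompt -no-pickup`, or rename the scenario if the intent really changed. The other two hunks in this file add the password only to scenarios whose titles already mention -key-password, so those are consistent.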
@@ -138,7 +138,7 @@ Feature: enrolling certificates with -csr option (VEN-40652) Then I retrieve the certificate using using the same Pickup ID with -timeout 180 And it should retrieve certificate And it should not output private key - Then I retrieve the certificate using using the same Pickup ID with -key-password newPassw0rd! -timeout 180 + Then I retrieve the certificate using using the same Pickup ID and using a dummy password with -timeout 180 And it should retrieve certificate And it should output encrypted private key diff --git a/aruba/features/enroll/pickup.feature b/aruba/features/enroll/pickup.feature index 3955b313..6e309e16 100644 --- a/aruba/features/enroll/pickup.feature +++ b/aruba/features/enroll/pickup.feature @@ -9,6 +9,6 @@ Feature: pickup is an action for retrieving certificates Scenario: should write private key to -key-file if specified (makes sense only with -csr service) Given I enroll a certificate in test-mode with -no-prompt -cn vfidev.example.com -csr service -no-pickup -pickup-id-file p.txt - Then I retrieve the certificate in test-mode with -pickup-id-file p.txt -key-password newPassw0rd! + Then I retrieve the certificate using a dummy password in test-mode with -pickup-id-file p.txt And it should retrieve certificate And it should output encrypted private key diff --git a/aruba/features/format/jks.feature b/aruba/features/format/jks.feature index 76efd998..1c2cf9e1 100644 --- a/aruba/features/format/jks.feature +++ b/aruba/features/format/jks.feature 
@@ -204,8 +204,8 @@ Feature: JKS format output Scenario Outline: where it pickups up service-generated certificate and outputs it in JKS format When I enroll random certificate using with -no-prompt -no-pickup -csr service - And I retrieve the certificate using using the same Pickup ID with -timeout 180 -key-password newPassw0rd! -file all.jks -format jks -jks-alias abc - And "all.jks" should be JKS archive with password "newPassw0rd!" + And I retrieve the certificate using using the same Pickup ID and using a dummy password with -timeout 180 -file all.jks -format jks -jks-alias abc +# And "all.jks" should be JKS archive with password "dummy password" # currently, we don't have JKS steps @FAKE Examples: diff --git a/aruba/features/format/pkcs12.feature b/aruba/features/format/pkcs12.feature index ac15c43d..e182aa91 100644 --- a/aruba/features/format/pkcs12.feature +++ b/aruba/features/format/pkcs12.feature @@ -47,9 +47,9 @@ Feature: PKCS#12 format output And "all.p12" should be PKCS#12 archive with password "" Scenario Outline: where all objects are written to one PKCS#12 archive with key password - When I enroll random certificate in with -format pkcs12 -file all.p12 -key-password newPassw0rd! + When I enroll random certificate with dummy password in with -format pkcs12 -file all.p12 Then the exit status should be 0 - And "all.p12" should be PKCS#12 archive with password "newPassw0rd!" + And "all.p12" should be PKCS#12 archive with dummy password @FAKE Examples: 
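Review bot: Commenting out the JKS assertion leaves the jks.feature scenario checking only that the pickup command ran; nothing verifies that all.jks can be opened with the password it was written with. The removed line was active, so a step for "should be JKS archive with password" presumably exists; a "with dummy password" variant matching the PKCS#12 ones added in openssl.rb would keep the check, `And "all.jks" should be JKS archive with dummy password`. If no JKS step ever existed, the line was already dead and the trailing comment should say that rather than "currently". The pkcs12.feature hunks on this line keep their archive assertions and look fine.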
@@ -67,9 +67,9 @@ Feature: PKCS#12 format output | Cloud | Scenario Outline: where all objects are written to one PKCS#12 legacy archive with key password - When I enroll random certificate in with -format legacy-pkcs12 -file all.p12 -key-password newPassw0rd! + When I enroll random certificate with dummy password in with -format legacy-pkcs12 -file all.p12 Then the exit status should be 0 - And "all.p12" should be PKCS#12 archive in legacy mode with password "newPassw0rd!" + And "all.p12" should be PKCS#12 archive in legacy mode with dummy password @FAKE Examples: @@ -166,8 +166,8 @@ Feature: PKCS#12 format output Scenario Outline: where it pickups up service-generated certificate and outputs it in PKCS#12 format When I enroll random certificate using with -no-prompt -no-pickup -csr service - And I retrieve the certificate using using the same Pickup ID with -timeout 180 -key-password newPassw0rd! -file all.p12 -format pkcs12 - And "all.p12" should be PKCS#12 archive with password "newPassw0rd!" + And I retrieve the certificate using using the same Pickup ID and using a dummy password with -timeout 180 -file all.p12 -format pkcs12 + And "all.p12" should be PKCS#12 archive with dummy password @FAKE Examples: @@ -181,8 +181,8 @@ Feature: PKCS#12 format output Scenario Outline: where it pickups up service-generated certificate and outputs it in PKCS#12 legacy format When I enroll random certificate using with -no-prompt -no-pickup -csr service - And I retrieve the certificate using using the same Pickup ID with -timeout 180 -key-password newPassw0rd! -file all.p12 -format legacy-pkcs12 - And "all.p12" should be PKCS#12 archive in legacy mode with password "newPassw0rd!" + And I retrieve the certificate using using the same Pickup ID and using a dummy password with -timeout 180 -file all.p12 -format legacy-pkcs12 + And "all.p12" should be PKCS#12 archive in legacy mode with dummy password @FAKE Examples: 
@@ -199,24 +199,24 @@ Feature: PKCS#12 format output # Examples: # | endpoint | # | Cloud | # -csr service is not supported by Cloud - +# # Scenario Outline: Pickup PKCS12 with typing pass phrases # When I enroll random certificate using with -no-prompt -no-pickup -csr service # And I interactively retrieve the certificate using using the same Pickup ID with -timeout 99 -file all.p12 -format pkcs12 -# And I type "newPassw0rd!" -# And I type "newPassw0rd!" +# And I type dummy password +# And I type dummy password # Then the exit status should be 0 -# And "all.p12" should be PKCS#12 archive with password "newPassw0rd!" +# And "all.p12" should be PKCS#12 archive with dummy password # Examples: # | endpoint | # | test-mode | - # | TPP | - # | Cloud | # -csr service is not supported by Cloud +# | TPP | +# | Cloud | # -csr service is not supported by Cloud Scenario Outline: where it should enroll a PKCS12 certificate with -csr service and without file option (VEN-48622) When I enroll random certificate using with -csr service -no-prompt -no-pickup -format pkcs12 Then it should post certificate request - Then I retrieve the certificate using using the same Pickup ID with -key-password newPassw0rd! -timeout 59 + Then I retrieve the certificate using using the same Pickup ID and using a dummy password with -timeout 59 And it should retrieve certificate And it should output encrypted private key diff --git a/aruba/features/gencsr/output.feature b/aruba/features/gencsr/output.feature index fefb58a3..46c3ec70 100644 --- a/aruba/features/gencsr/output.feature +++ b/aruba/features/gencsr/output.feature 
@@ -16,8 +16,8 @@ Feature: Generating simple certificate request Scenario: where CSR is generated interactively with non-empty key-password When I run `vcert gencsr -cn vfidev.example.com` interactively - And I type "newPassw0rd!" - And I type "newPassw0rd!" + And I type dummy password + And I type dummy password Then the exit status should be 0 And it should output encrypted private key And it should output CSR @@ -29,7 +29,7 @@ Feature: Generating simple certificate request And it should output CSR Scenario: where CSR is generated and the private key is encrypted - When I run `vcert gencsr -cn vfidev.example.com -key-password newPassw0rd!` + When I generate CSR using dummy password with flags -cn vfidev.example.com Then the exit status should be 0 And it should output encrypted private key And it should output CSR diff --git a/aruba/features/gencsr/step_definitions/my_steps.rb b/aruba/features/gencsr/step_definitions/my_steps.rb new file mode 100644 index 00000000..6ac65580 --- /dev/null +++ b/aruba/features/gencsr/step_definitions/my_steps.rb @@ -0,0 +1,6 @@ +And(/^I type dummy password$/) do + steps %{ + And I type "#{DUMMY_PASSWORD}" + } +end# frozen_string_literal: true + diff --git a/aruba/features/renew/renew-with-csr-local.feature b/aruba/features/renew/renew-with-csr-local.feature index da5b3c32..7ff35177 100644 --- a/aruba/features/renew/renew-with-csr-local.feature +++ b/aruba/features/renew/renew-with-csr-local.feature 
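Review bot: In my_steps.rb the `# frozen_string_literal: true` magic comment is glued to the final `end`; Ruby only honours it on the first line of a file, so here it is an ordinary comment, and the file also ends without a trailing newline. Move it to line 1, `# frozen_string_literal: true`, followed by a blank line, and terminate the file after `end`. The step is used by the credmgmt, enroll, format and gencsr features; Cucumber loads every step_definitions directory under features/, so it works, but it would be easier to find in aruba/features/step_definitions/ next to actions.rb.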
@@ -65,14 +65,14 @@ Feature: renew action with -csr local (default) option | Cloud | Scenario Outline: renew certificate using -id using `-csr local` with PKCS12 flag - Given I enroll random certificate using with -key-password Passcode123! -key-file k.pem -cert-file c.pem -csr local + Given I enroll random certificate with dummy password using with -key-file k.pem -cert-file c.pem -csr local And it should write private key to the file "k.pem" And it should write certificate to the file "c.pem" And it should output Pickup ID And I decode certificate from file "c.pem" - Then I renew the certificate in using the same Pickup ID with flags -key-password Passcode123! -file all.p12 -format pkcs12 + Then I renew the certificate using a dummy password in using the same Pickup ID with flags -file all.p12 -format pkcs12 And it should retrieve certificate - And "all.p12" should be PKCS#12 archive with password "Passcode123!" + And "all.p12" should be PKCS#12 archive with dummy password @TPP Examples: 
@@ -85,14 +85,14 @@ Feature: renew action with -csr local (default) option | Cloud | Scenario Outline: renew certificate using -id using `-csr local` with PKCS12 legacy flag - Given I enroll random certificate using with -key-password Passcode123! -key-file k.pem -cert-file c.pem -csr local + Given I enroll random certificate with dummy password using with -key-file k.pem -cert-file c.pem -csr local And it should write private key to the file "k.pem" And it should write certificate to the file "c.pem" And it should output Pickup ID And I decode certificate from file "c.pem" - Then I renew the certificate in using the same Pickup ID with flags -key-password Passcode123! -file all.p12 -format legacy-pkcs12 + Then I renew the certificate using a dummy password in using the same Pickup ID with flags -file all.p12 -format legacy-pkcs12 And it should retrieve certificate - And "all.p12" should be PKCS#12 archive in legacy mode with password "Passcode123!" + And "all.p12" should be PKCS#12 archive in legacy mode with dummy password @TPP Examples: diff --git a/aruba/features/renew/renew-with-csr-service.feature b/aruba/features/renew/renew-with-csr-service.feature index d3af071f..9d59b983 100644 --- a/aruba/features/renew/renew-with-csr-service.feature +++ b/aruba/features/renew/renew-with-csr-service.feature 
@@ -76,19 +76,19 @@ Feature: renew action with `-csr service` option And certificate in "c.pem" and certificate in "c1.pem" should not have the same serial Scenario: renew service-generated-CSR certificate in TPP with `-csr service` option with PKCS12 flag - Given I enroll random certificate using TPP with -csr service -key-password Passcode123! -key-file k.pem -cert-file c.pem + Given I enroll random certificate with dummy password using TPP with -csr service -key-file k.pem -cert-file c.pem And it should write private key to the file "k.pem" And it should write certificate to the file "c.pem" And it should output Pickup ID - When I renew the certificate in TPP using the same Pickup ID with flags -csr service -key-password Passcode123! -file all.p12 -format pkcs12 + When I renew the certificate using a dummy password in TPP using the same Pickup ID with flags -csr service -file all.p12 -format pkcs12 Then it should retrieve certificate - And "all.p12" should be PKCS#12 archive with password "Passcode123!" + And "all.p12" should be PKCS#12 archive with dummy password Scenario: renew service-generated-CSR certificate in TPP with `-csr service` option with PKCS12 legacy flag - Given I enroll random certificate using TPP with -csr service -key-password Passcode123! -key-file k.pem -cert-file c.pem + Given I enroll random certificate with dummy password using TPP with -csr service -key-file k.pem -cert-file c.pem And it should write private key to the file "k.pem" And it should write certificate to the file "c.pem" And it should output Pickup ID - When I renew the certificate in TPP using the same Pickup ID with flags -csr service -key-password Passcode123! -file all.p12 -format legacy-pkcs12 + When I renew the certificate using a dummy password in TPP using the same Pickup ID with flags -csr service -file all.p12 -format legacy-pkcs12 Then it should retrieve certificate - And "all.p12" should be PKCS#12 archive in legacy mode with password "Passcode123!" 
+ And "all.p12" should be PKCS#12 archive in legacy mode with dummy password diff --git a/aruba/features/step_definitions/actions.rb b/aruba/features/step_definitions/actions.rb index 6677d0c0..f3c44e0f 100644 --- a/aruba/features/step_definitions/actions.rb +++ b/aruba/features/step_definitions/actions.rb @@ -9,7 +9,7 @@ end end -When(/^I enroll(?: a)?( random)? certificate (and_random_instance )?(?:in|from|using) (\S+) with (.+)?$/) do |random, random_instance, endpoint, flags| +When(/^I enroll(?: a)?( random)? certificate( with dummy password)? (and_random_instance )?(?:in|from|using) (\S+) with (.+)?$/) do |random, dummy_password, random_instance, endpoint, flags| if random cn = " -cn " + random_cn end @@ -17,7 +17,12 @@ if random_instance instance = "-instance devops-instance:" + random_string end - cmd = "vcert enroll #{ENDPOINTS[endpoint]} #{ZONE[endpoint]} #{cn} #{flags} #{instance}" + + if dummy_password + key_pass_flag = " -key-password #{DUMMY_PASSWORD}" + end + + cmd = "vcert enroll #{ENDPOINTS[endpoint]} #{ZONE[endpoint]} #{cn} #{flags} #{instance} #{key_pass_flag}" steps %{Then I try to run `#{cmd}`} m = last_command_started.output.match /^PickupID="(.+)"$/ 
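Review bot: `key_pass_flag = " -key-password #{DUMMY_PASSWORD}"` interpolates the password unquoted into a command line that aruba hands to a shell, while the same file single-quotes the pickup id (`-pickup-id '#{@pickup_id}'`). The current value contains `%`, `^` and `=`, which sh leaves alone, but `^` is the escape character under cmd.exe (the feature files carry Windows-batch remnants in their comments) and any future value with a space or `$` would split or expand. Quote it the same way, `key_pass_flag = " -key-password '#{DUMMY_PASSWORD}'"`, and since the identical lines are repeated in the interactive-retrieve, retrieve, renew and gencsr steps on the next two lines of this diff, a small helper returning the flag would remove the copies. The enroll step's body continues past the end of this hunk.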
@@ -27,19 +32,28 @@ end #I retreive the certificate from TPP using the same PickupID interactively -When(/^I interactively retrieve(?: the) certificate (?:in|from|using) (\S+) using (the same Pickup ID)(?: with)?(.+)?$/) do |endpoint, same_pickup_id, flags| - cmd = "vcert pickup #{ENDPOINTS[endpoint]} -pickup-id '#{@pickup_id}'#{flags}" +When(/^I interactively retrieve(?: the) certificate (?:in|from|using) (\S+) using the same Pickup ID( and using a dummy password)? (?: with)?(.+)?$/) do |endpoint, dummy_password, flags| + if dummy_password + key_pass_flag = " -key-password #{DUMMY_PASSWORD}" + end + cmd = "vcert pickup #{ENDPOINTS[endpoint]} -pickup-id '#{@pickup_id}'#{flags} #{key_pass_flag}" steps %{Then I try to run `#{cmd}` interactively} end #I retreive the certificate from TPP using the same PickupID -When(/^I retrieve(?: the) certificate (?:in|from|using) (\S+) using (the same Pickup ID)(?: with)?(.+)?$/) do |endpoint, same_pickup_id, flags| - cmd = "vcert pickup #{ENDPOINTS[endpoint]} -pickup-id '#{@pickup_id}'#{flags}" +When(/^I retrieve(?: the) certificate (?:in|from|using) (\S+) using the same Pickup ID( and using a dummy password)?(?: with)?(.+)?$/) do |endpoint, dummy_password, flags| + if dummy_password + key_pass_flag = " -key-password #{DUMMY_PASSWORD}" + end + cmd = "vcert pickup #{ENDPOINTS[endpoint]} -pickup-id '#{@pickup_id}'#{flags} #{key_pass_flag}" steps %{Then I try to run `#{cmd}`} end -When(/^I retrieve(?: the) certificate (?:from|in|using) (\S+) with (.+)$/) do |endpoint, flags| - cmd = "vcert pickup #{ENDPOINTS[endpoint]} #{flags}" +When(/^I retrieve(?: the) certificate( using a dummy password)? (?:from|in|using) (\S+) with (.+)$/) do |dummy_password, endpoint, flags| + if dummy_password + key_pass_flag = " -key-password #{DUMMY_PASSWORD}" + end + cmd = "vcert pickup #{ENDPOINTS[endpoint]} #{key_pass_flag} #{flags}" steps %{Then I try to run `#{cmd}`} end 
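Review bot: The interactive-retrieve regex has a stray space before `(?: with)?`: `using the same Pickup ID( and using a dummy password)? (?: with)?(.+)?`. For a step such as "… the same Pickup ID with -timeout 99" the literal space consumes the blank, ` with` can no longer match, and `(.+)?` captures `with -timeout 99`, which is then glued onto the quoted id as `'…'with -timeout 99`. The non-interactive sibling two lines below has no such space; drop it: `using the same Pickup ID( and using a dummy password)?(?: with)?(.+)?$`. The only use of this step visible in the diff is commented out in pkcs12.feature, which is probably why it has not surfaced.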
@@ -68,14 +82,19 @@ end # renewal via memorized PickupId or thumbprint -When(/^I renew(?: the)? certificate (?:from|in|using) (\S+) using the same (Pickup ID|Thumbprint)(?: with)?(?: flags)?(.+)?$/) do |endpoint, field, flags| +When(/^I renew(?: the)? certificate( using a dummy password)? (?:from|in|using) (\S+) using the same (Pickup ID|Thumbprint)(?: with)?(?: flags)?(.+)?$/) do |dummy_password, endpoint, field, flags| sleep 2 if field == "Pickup ID" - cmd = "vcert renew #{ENDPOINTS[endpoint]} -id '#{@pickup_id}' #{flags}" + pickup_id_flag = " -id '#{@pickup_id}'" end if field == "Thumbprint" - cmd = "vcert renew #{ENDPOINTS[endpoint]} -thumbprint '#{@certificate_fingerprint}' #{flags}" + thumbprint_flag = " -thumbprint '#{@certificate_fingerprint}'" + end + if dummy_password + key_pass_flag = " -key-password #{DUMMY_PASSWORD}" end + + cmd = "vcert renew #{ENDPOINTS[endpoint]} #{thumbprint_flag} #{pickup_id_flag} #{key_pass_flag} #{flags}" if flags != "" # we try to get key-password # This regex basically tries to get everything after and including "-key-password " (note the space in the string) @@ -104,12 +123,15 @@ steps %{Then I try to run `#{cmd}`} end -When(/^I generate( random)? CSR(?: with)?(.+)?$/) do |random, flags| - if random - cn = " -cn " + random_cn - end - cmd = "vcert gencsr#{cn}#{flags}" - steps %{Then I try to run `#{cmd}`} +When(/^I generate( random)? CSR( using dummy password)?(?: with flags (.+))?$/) do |random, dummy_password, flags| + if random + cn = " -cn " + random_cn + end + if dummy_password + key_pass_flag = " -key-password #{DUMMY_PASSWORD}" + end + cmd = "vcert gencsr#{cn} #{key_pass_flag} #{flags}" + steps %{Then I try to run `#{cmd}`} end # Getting credentials diff --git a/aruba/features/step_definitions/openssl.rb b/aruba/features/step_definitions/openssl.rb index a2fe5994..87e9c7ca 100644 --- a/aruba/features/step_definitions/openssl.rb +++ b/aruba/features/step_definitions/openssl.rb 
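Review bot: In the renew step the dummy password now travels in `key_pass_flag`, but the comment right after `cmd = …` says the code that follows (outside this hunk) extracts the key password from `flags` ("everything after and including -key-password "), so for "using a dummy password" scenarios that extraction will not find it — confirm, and either feed `key_pass_flag` into it or append the flag to `flags` before that block. In the gencsr step the grammar changed from `(?: with)?(.+)?` to `(?: with flags (.+))?`, so any feature still phrased "I generate CSR with -cn …" stops matching; this diff updates two uses in enroll-with-csr-PS-tests.feature and one in gencsr/output.feature, but other feature files are not in view. That block is also indented four spaces where the rest of the file uses two.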
@@ -75,7 +75,7 @@ steps %{ When I run `openssl req -modulus -noout -in #{csr_file}` And I remember the output - And I run `openssl rsa -modulus -passin pass:newPassw0rd! -noout -in #{key_file}` + And I run `openssl rsa -modulus -passin pass:#{DUMMY_PASSWORD} -noout -in #{key_file}` Then the outputs should#{negated} be the same } end @@ -84,7 +84,7 @@ steps %{ Then I run `openssl req -modulus -noout -in #{csr_file}` And I remember the output - Then I run `openssl rsa -modulus -passin pass:newPassw0rd! -noout -in #{key_file}` + Then I run `openssl rsa -modulus -passin pass:#{DUMMY_PASSWORD} -noout -in #{key_file}` And the outputs should be the same And I remember the output And I run `openssl x509 -modulus -noout -in #{cert_file}` @@ -134,6 +134,19 @@ # -nodes Don't encrypt private keys end +When(/^"([^"]*)" should be PKCS#12 archive with dummy password$/) do |filename| + steps %{ + Then I try to run `openssl pkcs12 -in "#(unknown)" -passin pass:#{DUMMY_PASSWORD} -noout` + And the exit status should be 0 + } + # -nokeys Don't output private keys + # -nocerts Don't output certificates + # -clcerts Only output client certificates + # -cacerts Only output CA certificates + # -noout Don't output anything, just verify + # -nodes Don't encrypt private keys +end + When(/^"([^"]*)" should be PKCS#12 archive in legacy mode with password "([^"]*)"$/) do |filename, password| steps %{ Then I try to run `openssl pkcs12 -in "#(unknown)" -legacy -passin pass:#{password} -noout` 
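Review bot: The new "PKCS#12 archive with dummy password" step duplicates the whole body and the six option comments of the "with password" step directly above it; it can delegate instead: `steps %{Then "#{filename}" should be PKCS#12 archive with password "#{DUMMY_PASSWORD}"}`. The same applies to the legacy-mode variant on the next line of this diff. Passing the value as `-passin pass:` puts it in openssl's argv; `-passin env:DUMMY_PASS` would keep it out, provided the Makefile's export is visible where the tests run, which this diff does not show.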
@@ -147,6 +160,19 @@ # -nodes Don't encrypt private keys end +When(/^"([^"]*)" should be PKCS#12 archive in legacy mode with dummy password/) do |filename| + steps %{ + Then I try to run `openssl pkcs12 -in "#(unknown)" -legacy -passin pass:#{DUMMY_PASSWORD} -noout` + And the exit status should be 0 + } + # -nokeys Don't output private keys + # -nocerts Don't output certificates + # -clcerts Only output client certificates + # -cacerts Only output CA certificates + # -noout Don't output anything, just verify + # -nodes Don't encrypt private keys +end + When(/^"([^"]*)" should be RSA private key with password "([^"]*)"$/) do |filename, password| steps %{ Then I try to run `openssl rsa -in "#(unknown)" -passin pass:#{password} -noout` diff --git a/aruba/features/support/aruba.rb b/aruba/features/support/aruba.rb index 9164381d..e5de683f 100644 --- a/aruba/features/support/aruba.rb +++ b/aruba/features/support/aruba.rb @@ -31,6 +31,8 @@ AZURE_KEYSTORE_NAME = ENV["AZURE_KEYSTORE_NAME"] AZURE_PROVIDER_NAME = ENV["AZURE_PROVIDER_NAME"] +DUMMY_PASSWORD = "CyberArkT3stP4ZZC0de%jQX^J=4H" + def last_json last_command_started.stdout.to_s end diff --git a/cmd/vcert/playbook_test.go b/cmd/vcert/playbook_test.go index 47884abe..1280e591 100644 --- a/cmd/vcert/playbook_test.go +++ b/cmd/vcert/playbook_test.go @@ -15,6 +15,7 @@ import ( "golang.org/x/crypto/pkcs12" "github.com/Venafi/vcert/v5/pkg/playbook/app/domain" + "github.com/Venafi/vcert/v5/pkg/util" "github.com/Venafi/vcert/v5/pkg/venafi" ) @@ -39,7 +40,7 @@ func TestPlaybook(t *testing.T) { func (s *PlaybookSuite) TestPlaybook_SetTLSConfig() { p12FileLocation := "../../test-files/playbook/cert.p12" - p12Password := "newPassword!" + p12Password := os.Getenv(util.ENV_DUMMY_PASS) playbook := domain.Playbook{ CertificateTasks: domain.CertificateTasks{ diff --git a/cmd/vcert/utils.go b/cmd/vcert/utils.go index 21781aea..209d3e0a 100644 --- a/cmd/vcert/utils.go +++ b/cmd/vcert/utils.go 
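Review bot: The legacy-mode dummy-password regex ends without the `$` anchor that every sibling step in this file carries (`…with dummy password/` versus `…with password "([^"]*)"$/`), so it also matches a step with trailing text and could become ambiguous with a future longer phrasing. Add it: `When(/^"([^"]*)" should be PKCS#12 archive in legacy mode with dummy password$/) do |filename|`.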
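Review bot: `p12Password := os.Getenv(util.ENV_DUMMY_PASS)` is empty when the suite is run with plain `go test` rather than through the Makefile, and whether test-files/playbook/cert.p12 was re-encrypted with the new value is not visible here. Fail fast instead of letting the p12 decode fail later: `if p12Password == "" { s.T().Fatal("DUMMY_PASS is not set") }` (assuming PlaybookSuite is a testify suite, which is what the `s *PlaybookSuite` receiver suggests — confirm). Note also that package main in cmd/vcert declares its own `ENV_DUMMY_PASS` in utils.go (next line of this diff) while this test in the same package reaches for `util.ENV_DUMMY_PASS`.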
@@ -53,6 +53,7 @@ const ( SshCertPubKeyLocal = "local" sshCertFileExt = "-cert.pub" sshPubKeyFileExt = ".pub" + ENV_DUMMY_PASS = "DUMMY_PASS" ) func parseCustomField(s string) (key, value string, err error) { diff --git a/examples/simple-cli/main.go b/examples/simple-cli/main.go index 0b75bcb3..668c7ef7 100644 --- a/examples/simple-cli/main.go +++ b/examples/simple-cli/main.go @@ -87,7 +87,7 @@ func main() { KeyType: certificate.KeyTypeRSA, KeyLength: 2048, ChainOption: certificate.ChainOptionRootLast, - KeyPassword: "newPassw0rd!", + KeyPassword: os.Getenv(util.ENV_DUMMY_PASS), //Before setting custom field in request you need to configure custom field on TPP CustomFields: []certificate.CustomField{ {Name: "custom", Value: "2019-12-10"}, @@ -108,7 +108,7 @@ func main() { KeyType: certificate.KeyTypeRSA, KeyLength: 2048, ChainOption: certificate.ChainOptionRootLast, - KeyPassword: "newPassw0rd!", + KeyPassword: os.Getenv(util.ENV_DUMMY_PASS), } } @@ -218,7 +218,7 @@ func main() { ObjectName: importObjectName, CertificateData: pcc.Certificate, PrivateKeyData: pcc.PrivateKey, - Password: "newPassw0rd!", + Password: os.Getenv(util.ENV_DUMMY_PASS), Reconcile: false, } case config.ConnectorType == endpoint.ConnectorTypeCloud: @@ -248,7 +248,7 @@ func main() { importedRetriveReq = &certificate.Request{ PickupID: importResp.CertificateDN, Timeout: 180 * time.Second, - KeyPassword: "newPassw0rd!", + KeyPassword: os.Getenv(util.ENV_DUMMY_PASS), FetchPrivateKey: true, } case config.ConnectorType == endpoint.ConnectorTypeCloud: diff --git a/examples/simple-cli/main_test.go b/examples/simple-cli/main_test.go index be0b0c15..2a1ed995 100644 --- a/examples/simple-cli/main_test.go +++ b/examples/simple-cli/main_test.go @@ -65,7 +65,7 @@ func TestRequestCertificate(t *testing.T) { KeyType: certificate.KeyTypeRSA, KeyLength: 2048, ChainOption: certificate.ChainOptionRootLast, - KeyPassword: "newPassw0rd!", + KeyPassword: dummy_pass, } // 
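Review bot: `ENV_DUMMY_PASS = "DUMMY_PASS"` in package main duplicates `util.ENV_DUMMY_PASS` added in pkg/util/constants.go, and playbook_test.go in this same package already uses the util one, so this copy is dead the moment it lands; keep a single definition. Go style also avoids underscores in exported identifiers: `EnvDummyPass`.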
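Review bot: The example program now reads its key passwords with `os.Getenv(util.ENV_DUMMY_PASS)` in four places of main; when the variable is unset every generated key and the import request silently use an empty password, which is the opposite of what an example should teach. Read it once near the top of main and refuse to continue when empty, `keyPassword := os.Getenv(util.ENV_DUMMY_PASS)` followed by `if keyPassword == "" { log.Fatal("set " + util.ENV_DUMMY_PASS) }`, then use `keyPassword` in the four request literals. The `os`, `util` and `log` imports are outside these hunks, and main's body continues outside each of them.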
@@ -225,7 +225,7 @@ func TestImportCertificate(t *testing.T) { KeyType: certificate.KeyTypeRSA, KeyLength: 2048, ChainOption: certificate.ChainOptionRootLast, - KeyPassword: "newPassw0rd!", + KeyPassword: dummy_pass, } err = c.GenerateRequest(nil, req) @@ -259,7 +259,7 @@ func TestImportCertificate(t *testing.T) { ObjectName: importCertDN, CertificateData: pcc.Certificate, PrivateKeyData: pcc.PrivateKey, - Password: "newPassw0rd!", + Password: dummy_pass, Reconcile: false, } importResp, err := c.ImportCertificate(importReq) @@ -275,7 +275,7 @@ func TestImportCertificate(t *testing.T) { req = &certificate.Request{ PickupID: importResp.CertificateDN, Timeout: 180 * time.Second, - KeyPassword: "newPassw0rd!", + KeyPassword: dummy_pass, FetchPrivateKey: true, } pcc2, err := c.RetrieveCertificate(req) diff --git a/examples/simple-cli/vars.go b/examples/simple-cli/vars.go index 37250736..dfb3967a 100644 --- a/examples/simple-cli/vars.go +++ b/examples/simple-cli/vars.go @@ -29,6 +29,8 @@ import ( var mockConfig, cloudConfig, tppConfig *vcert.Config +var dummy_pass = "CyberArkT3stP4ZZC0de%jQX^J=4H" + func init() { mockConfig = &vcert.Config{ ConnectorType: endpoint.ConnectorTypeFake, diff --git a/pkg/certificate/certificateCollection_test.go b/pkg/certificate/certificateCollection_test.go index 3e7c7924..e9837753 100644 --- a/pkg/certificate/certificateCollection_test.go +++ b/pkg/certificate/certificateCollection_test.go @@ -19,8 +19,11 @@ package certificate import ( "crypto/x509" "encoding/pem" + "os" "strings" "testing" + + "github.com/Venafi/vcert/v5/pkg/util" ) var pkPEM = `-----BEGIN RSA PRIVATE KEY----- 
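Review bot: `var dummy_pass = "CyberArkT3stP4ZZC0de%jQX^J=4H"` embeds the same value that `main.go` in this directory now reads via `os.Getenv(util.ENV_DUMMY_PASS)`, so the example binary and its tests can disagree the moment one copy changes; `var dummyPass = os.Getenv(util.ENV_DUMMY_PASS)` (with `os` and `pkg/util` imported in this file — the hunk does not show the import block) would make the tests follow the same source as the code under test. The underscored name is also non-idiomatic Go; `dummyPass` matches the surrounding `mockConfig, cloudConfig, tppConfig`. A comment such as `// dummyPass is a throwaway key password for the example's test fixtures; it protects nothing real.` would stop a reader mistaking it for a live credential.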
@@ -330,7 +333,7 @@ func TestAddPrivateKey(t *testing.T) { pk, _ := GenerateRSAPrivateKey(512) pcc, _ := NewPEMCollection(nil, nil, nil) - err := pcc.AddPrivateKey(pk, []byte("newPassw0rd!")) + err := pcc.AddPrivateKey(pk, []byte(os.Getenv(util.ENV_DUMMY_PASS))) if !strings.Contains(pcc.PrivateKey, "PRIVATE KEY") || err != nil { t.Fatalf("collection should have PEM encoded private key") } diff --git a/pkg/util/constants.go b/pkg/util/constants.go index c151fda9..50c6c4b2 100644 --- a/pkg/util/constants.go +++ b/pkg/util/constants.go @@ -6,4 +6,5 @@ const ( // DefaultUserAgent is the default value of the UserAgent header in HTTP // requests to Venafi API endpoints. DefaultUserAgent = "vcert/v5" + ENV_DUMMY_PASS = "DUMMY_PASS" ) diff --git a/pkg/venafi/tpp/connector_test.go b/pkg/venafi/tpp/connector_test.go index e55db5c6..4f2a4968 100644 --- a/pkg/venafi/tpp/connector_test.go +++ b/pkg/venafi/tpp/connector_test.go @@ -1273,7 +1273,7 @@ func TestRequestCertificateServiceGenerated(t *testing.T) { req.CsrOrigin = certificate.ServiceGeneratedCSR req.FetchPrivateKey = true - req.KeyPassword = "newPassw0rd!" + req.KeyPassword = os.Getenv(util.ENV_DUMMY_PASS) config.UpdateCertificateRequest(req) pickupId, err := tpp.RequestCertificate(req) diff --git a/test-files/playbook/bad_sample.yaml b/test-files/playbook/bad_sample.yaml index 9cd7dff9..f8061182 100644 --- a/test-files/playbook/bad_sample.yaml +++ b/test-files/playbook/bad_sample.yaml @@ -18,7 +18,7 @@ certificateTasks: - engineering - marketing csrOrigin: service - keyPassword: "newPassword!" + keyPassword: "CyberArkT3stP4ZZC0de%jQX^J=4H" installations - type: PEM location: "/Users/rvela/venafi/supertreat/pem" diff --git a/test-files/playbook/bad_tpl.yaml b/test-files/playbook/bad_tpl.yaml index 51cc1bf4..8f9c031a 100644 --- a/test-files/playbook/bad_tpl.yaml +++ b/test-files/playbook/bad_tpl.yaml 
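Review bot: After `err := pcc.AddPrivateKey(pk, []byte(os.Getenv(util.ENV_DUMMY_PASS)))` the assertion still only checks that `pcc.PrivateKey` contains `"PRIVATE KEY"`, which an unencrypted key also satisfies, so with the variable unset the test hands over an empty password and most likely goes green without exercising encryption at all. Either fail fast before the call, `if os.Getenv(util.ENV_DUMMY_PASS) == "" { t.Fatalf("%s must be set", util.ENV_DUMMY_PASS) }`, or additionally assert on the marker the encrypted PEM carries (`ENCRYPTED`, if that is what `AddPrivateKey` emits — confirm against the implementation). `TestAddPrivateKey` continues outside the hunk.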
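Review bot: `ENV_DUMMY_PASS = "DUMMY_PASS"` lands in the library's exported `util` package with no doc comment, although the neighbouring `DefaultUserAgent` carries one, and every reader of it visible in this commit is a test or an example; say so, e.g. `// ENV_DUMMY_PASS names the environment variable that tests and examples read a throwaway key password from.` (confirm no production code depends on it before stating more). The same constant is declared again in `cmd/vcert/utils.go` in this commit; keep only this one. Go's naming convention would prefer `EnvDummyPass` over the underscored form, and since this is now part of `pkg/util`'s public API the name gets harder to change later.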
@@ -17,7 +17,7 @@ certificateTasks: - engineering - marketing csrOrigin: service - keyPassword: "newPassword!" + keyPassword: "CyberArkT3stP4ZZC0de%jQX^J=4H" installations: - type: JKS location: "/Users/rvela/venafi/supertreat/jks/foo.jks" diff --git a/test-files/playbook/cert.p12 b/test-files/playbook/cert.p12 index 803ecf46..74277721 100644 Binary files a/test-files/playbook/cert.p12 and b/test-files/playbook/cert.p12 differ diff --git a/test-files/playbook/sample.yaml b/test-files/playbook/sample.yaml index 7b82e29b..1dbe861d 100644 --- a/test-files/playbook/sample.yaml +++ b/test-files/playbook/sample.yaml @@ -19,7 +19,7 @@ certificateTasks: - engineering - marketing csrOrigin: service - keyPassword: "newPassword!" + keyPassword: "Passcode123!" installations: - type: PKCS12 location: "/Users/rvela/venafi/supertreat/p12/foo.p12" diff --git a/test-files/playbook/sample_tpl.yaml b/test-files/playbook/sample_tpl.yaml index 0de01c42..d2354c6a 100644 --- a/test-files/playbook/sample_tpl.yaml +++ b/test-files/playbook/sample_tpl.yaml @@ -20,7 +20,7 @@ certificateTasks: - engineering - marketing csrOrigin: service - keyPassword: "newPassword!" + keyPassword: "Passcode123!" installations: - type: PEM location: "/Users/rvela/venafi/supertreat/pem"
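Review bot: `keyPassword: "Passcode123!"` in `sample.yaml` (and again in `sample_tpl.yaml` in the following hunk) diverges from the `CyberArkT3stP4ZZC0de%jQX^J=4H` value the rest of this commit standardises on for `bad_sample.yaml`, `bad_tpl.yaml`, the Ruby constant and the Go var, leaving three distinct dummy credentials in the tree after a change whose apparent purpose is to consolidate them. If the difference is deliberate — say, because these samples are user-facing documentation rather than fixtures consumed by tests — a short comment above the key saying so would prevent the next cleanup from "fixing" it; otherwise use the same value, or a placeholder that the playbook loader expands from `DUMMY_PASS` if it supports environment expansion (not visible here).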