feat(testing): add integration test against gpg-wks-client

This commit is contained in:
s3lph 2022-12-20 23:13:37 +01:00
parent f4ea60c057
commit b396a2c01c
3 changed files with 87 additions and 21 deletions

View file

@ -3,6 +3,7 @@ image: python:3.9-bullseye
stages:
- test
- integration
- build
- deploy
- upload
@ -20,8 +21,9 @@ test:
script:
- pip3 install -e .
- python3 -m coverage run --rcfile=setup.cfg -m unittest discover easywks
- python3 -m coverage combine
- python3 -m coverage report --rcfile=setup.cfg
artifacts:
paths:
- ".coverage*"
codestyle:
stage: test
@ -29,24 +31,61 @@ codestyle:
- pip3 install -e .
- pycodestyle easywks
easywksserver_gpgwksclient:
stage: integration
script:
- echo "openpgpkey" > /etc/hostname
- echo "127.0.0.1 openpgpkey.example.org openpgpkey example.org" > /etc/hosts
- pip3 install -e .
- apt update; apt install --yes gnupg2 socat ca-certificates
- openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/key.pem -out /etc/ssl/cert.pem -sha256 -days 365 -nodes -subj '/CN=openpgpkey.example.org'
- cp /etc/ssl/cert.pem /usr/local/share/ca-certificates/local.crt
- update-ca-certificates
- mkdir -p /tmp/easywks
- |
cat > /tmp/easywks.yml <<EOF
directory: /tmp/easywks
permit_unsigned_response: true # required for gpg-wks-client compat
httpd:
host: 127.0.0.1
port: 8080
mailing_method: stdout
domains:
example.org:
submission_address: gpgwks@example.org
EOF
- easywks --config /tmp/easywks.yml init
- easywks --config /tmp/easywks.yml webserver &
- socat OPENSSL-LISTEN:443,fork,reuseaddr,verify=0,cert=/etc/ssl/cert.pem,key=/etc/ssl/key.pem TCP:127.0.0.1:8080 &
- sleep 3
- install -m 0700 -d /tmp/gpg /tmp/cleangpg
- export GNUPGHOME=/tmp/gpg
- test/genkey.sh alice@example.org
- >-
export FINGERPRINT="$(gpg --with-colons --fingerprint alice@example.org | grep -A1 ^pub | grep ^fpr | cut -d: -f10)"
- /usr/lib/gnupg/gpg-wks-client --supported alice@example.org
- /usr/lib/gnupg/gpg-wks-client --check gpgwks@example.org
- PUBREQ="$(/usr/lib/gnupg/gpg-wks-client --create "${FINGERPRINT}" alice@example.org)"
- CONFREQ="$(echo "${PUBREQ}" | easywks --config /tmp/easywks.yml process)"
- CONFRESP="$(echo "${CONFREQ}" | /usr/lib/gnupg/gpg-wks-client --receive --verbose)"
- PUBRESP="$(echo "${CONFRESP}" | easywks --config /tmp/easywks.yml process)"
- echo "${PUBRESP}" | gpg --batch --decrypt
- /usr/lib/gnupg/gpg-wks-client --check alice@example.org
- export GNUPGHOME=/tmp/gpg
- gpg --auto-key-locate=clear,wkd,nodefault --locate-keys alice@example.org
- kill %2
- kill %1
# currently not working for some reason
#build_docker:
# stage: build
# script:
# - apt update && apt install --yes docker.io
# - docker build -t "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_SHA" -f package/docker/Dockerfile .
# - docker tag "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_SHA" "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_REF_NAME"
# - if [[ -n "$CI_COMMIT_TAG" ]]; then docker tag "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_SHA" "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_TAG"; fi
# - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD registry.gitlab.com
# - docker push "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_SHA"
# - docker push "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_REF_NAME"
# - if [[ -n "$CI_COMMIT_TAG" ]]; then docker push "registry.gitlab.com/s3lph/easywks:$CI_COMMIT_TAG"; fi
# only:
# - staging
# - tags
coverage:
stage: integration
coverage: >-
/(?i)total.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/
script:
- python3 -m coverage combine
- python3 -m coverage report --rcfile=setup.cfg
build_wheel:
stage: build
script:

View file

@ -89,11 +89,14 @@ class ConfirmationRequest:
encrypted = self._key.encrypt(to_encrypt)
mpenc = MIMEApplication(str(encrypted), _subtype='vnd.gnupg.wks')
mixed = MIMEMultipart(_subtype='mixed', _subparts=[mpplain, mpenc])
to_sign = PGPMessage.new(mixed.as_string(policy=default))
to_sign = PGPMessage.new(mixed.as_string(policy=default).replace('\n', '\r\n'))
sig = pgp_sign(self.domain, to_sign)
mpsig = MIMEApplication(str(sig), _subtype='pgp-signature')
email = MIMEMultipart(_subtype='signed', _subparts=[mixed, mpsig], policy=default,
mpsig = MIMEApplication(str(sig), _subtype='pgp-signature', name='signature.asc', _encoder=encode_noop)
mpsig['Content-Description'] = 'OpenPGP digital signature'
mpsig['Content-Disposition'] = 'attachment; filename="signature"'
email = MIMEMultipart(_subtype=f'signed', _subparts=[mixed, mpsig], policy=default,
protocol='application/pgp-signature')
email.set_param('micalg', f'pgp-{str(sig.hash_algorithm).split(".",1)[1].lower()}', requote=False)
email['Subject'] = 'Confirm your key publication'
email['To'] = self._submitter_addr
email['From'] = self._submission_addr
@ -184,8 +187,8 @@ class PublishResponse:
submission=self.submission_address)
mpplain = MIMEText(mail_text, _subtype='plain')
to_encrypt = PGPMessage.new(mpplain.as_string(policy=default))
to_encrypt |= pgp_sign(self.domain, to_encrypt)
encrypted: PGPMessage = self.key.encrypt(to_encrypt)
encrypted |= pgp_sign(self.domain, encrypted)
payload = MIMEApplication(str(encrypted), _subtype='octet-stream', _encoder=encode_noop)
mpenc = MIMEApplication('Version: 1\r\n', _subtype='pgp-encrypted', _encoder=encode_noop)
email = MIMEMultipart(_subtype='encrypted', _subparts=[mpenc, payload], policy=default,

24
test/genkey.sh Executable file
View file

@ -0,0 +1,24 @@
#!/bin/bash
cat >/tmp/keygen <<EOF
%no-protection
%no-ask-passphrase
%transient-key
Key-Type: EDDSA
Key-Curve: ed25519
Subkey-Type: ECDH
Subkey-Curve: cv25519
Expire-Date: 0
Name-Real: EasyWKS Test User
Name-Comment: TEST KEY DO NOT USE
Name-Email: ${1}
EOF
gpg --batch --full-gen-key /tmp/keygen
for uid in $@; do
gpg --batch --quick-add-uid "${1}" "EasyWKS Test User (TEST KEY DO NOT USE) <${uid}>"
done
gpg --export --armor "${1}" > "/tmp/${1}.asc"
for uid in $@; do
gpg --export --armor "${uid}" > "/tmp/${uid}.asc"
done