
     1  #!/bin/bash
     2  # Copyright 2016 The LUCI Authors. All rights reserved.
     3  # Use of this source code is governed under the Apache License, Version 2.0
     4  # that can be found in the LICENSE file.
     5  
# include.sh is sourced by all the other scripts.
#
# It contains the global variables and helper functions they share.
     9  
    10  
    11  # Change to your Cloud Project ID. See README.md.
    12  CLOUD_PROJECT_ID=my-cloud-project
    13  
    14  
    15  WORKING_DIR=/tmp/token_server_test
    16  CA_DIR=$WORKING_DIR/ca
    17  CA_NAME="Fake CA: fake.ca"
    18  
    19  mkdir -p "$WORKING_DIR"
    20  
    21  DEVSERVER_PORT=8080
    22  DEVSERVER_ADMIN_PORT=8100
    23  CRLSERVER_PORT=8200
    24  
    25  DEVCFG_PATH=`dirname $PWD`/appengine/devcfg/services/$CLOUD_PROJECT_ID
    26  
    27  
    28  # initialize_ca builds a new simple self-signed CA.
    29  #
    30  # See https://jamielinux.com/docs/openssl-certificate-authority/
    31  function initialize_ca {
    32    rm -rf "$CA_DIR"
    33  
    34    mkdir "$CA_DIR"
    35    mkdir "$CA_DIR/certs"
    36    mkdir "$CA_DIR/crl"
    37    mkdir "$CA_DIR/csr"
    38    mkdir "$CA_DIR/newcerts"
    39    mkdir "$CA_DIR/private"
    40  
    41    touch "$CA_DIR/index.txt"
    42    echo 1000 > "$CA_DIR/serial"
    43    echo 1000 > "$CA_DIR/crlnumber"
    44  
    45    cat > "$CA_DIR/openssl.cnf" <<EOL
    46  [ca]
    47  default_ca = CA_default
    48  
    49  [CA_default]
    50  dir               = $CA_DIR
    51  certs             = $CA_DIR/certs
    52  crl_dir           = $CA_DIR/crl
    53  new_certs_dir     = $CA_DIR/newcerts
    54  database          = $CA_DIR/index.txt
    55  serial            = $CA_DIR/serial
    56  RANDFILE          = $CA_DIR/private/.rand
    57  
    58  # The root key and root certificate.
    59  private_key       = $CA_DIR/private/ca.pem
    60  certificate       = $CA_DIR/certs/ca.pem
    61  
    62  # For certificate revocation lists.
    63  crlnumber         = $CA_DIR/crlnumber
    64  crl               = $CA_DIR/crl/crl.pem
    65  crl_extensions    = crl_ext
    66  default_crl_days  = 30
    67  
    68  default_md        = sha256
    69  name_opt          = ca_default
    70  cert_opt          = ca_default
    71  default_days      = 375
    72  preserve          = no
    73  policy            = policy_loose
    74  
    75  [policy_loose]
    76  countryName             = optional
    77  stateOrProvinceName     = optional
    78  localityName            = optional
    79  organizationName        = optional
    80  organizationalUnitName  = optional
    81  commonName              = supplied
    82  emailAddress            = optional
    83  
    84  [req]
    85  default_bits        = 2048
    86  distinguished_name  = req_distinguished_name
    87  string_mask         = utf8only
    88  default_md          = sha256
    89  x509_extensions     = v3_ca
    90  
    91  [req_distinguished_name]
    92  countryName                     = Country Name (2 letter code)
    93  stateOrProvinceName             = State or Province Name
    94  localityName                    = Locality Name
    95  0.organizationName              = Organization Name
    96  organizationalUnitName          = Organizational Unit Name
    97  commonName                      = Common Name
    98  emailAddress                    = Email Address
    99  
   100  [v3_ca]
   101  subjectKeyIdentifier = hash
   102  authorityKeyIdentifier = keyid:always,issuer
   103  basicConstraints = critical, CA:true
   104  keyUsage = critical, digitalSignature, cRLSign, keyCertSign
   105  
   106  [client_cert]
   107  basicConstraints = CA:FALSE
   108  nsCertType = client, email
   109  nsComment = "OpenSSL Generated Client Certificate"
   110  subjectKeyIdentifier = hash
   111  authorityKeyIdentifier = keyid,issuer
   112  keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
   113  extendedKeyUsage = clientAuth, emailProtection
   114  
   115  [crl_ext]
   116  authorityKeyIdentifier=keyid:always
   117  EOL
   118  
   119    # Create the root key pair.
   120    openssl genrsa -out "$CA_DIR/private/ca.pem" 2048
   121  
   122    # Create the root (self-signed) certificate.
   123    openssl req -config "$CA_DIR/openssl.cnf" \
   124      -key "$CA_DIR/private/ca.pem" \
   125      -new -x509 -days 7300 -sha256 -extensions v3_ca \
   126      -out "$CA_DIR/certs/ca.pem" \
   127      -subj "/C=US/ST=California/L=Blah/O=Stuff Inc/CN=$CA_NAME"
   128  
   129    # Generate first CRL.
   130    regen_crl
   131  }
   132  
   133  
   134  # create_client_certificate creates a new client key pair and signs the cert.
   135  #
   136  # Uses CA initialized with initialize_ca.
   137  function create_client_certificate {
   138    local name=$1
   139  
   140    # Generate a key pair.
   141    openssl genrsa -out "$CA_DIR/private/$name.pem" 2048
   142  
   143    # Generate a certificate signing request.
   144    openssl req -config "$CA_DIR/openssl.cnf" \
   145      -key "$CA_DIR/private/$name.pem" \
   146      -new -sha256 -out "$CA_DIR/csr/$name.pem" \
   147      -subj "/C=US/ST=California/L=Blah/O=Stuff Inc/CN=$name"
   148  
   149    # Ask CA to sign the certificate.
   150    openssl ca -batch -config "$CA_DIR/openssl.cnf" \
   151      -extensions client_cert -days 375 -notext -md sha256 \
   152      -in "$CA_DIR/csr/$name.pem" \
   153      -out "$CA_DIR/certs/$name.pem"
   154  
   155    regen_crl
   156  }
   157  
   158  # revoke_client_certificate revokes previously issued certificate.
   159  #
   160  # Uses CA initialized with initialize_ca.
   161  function revoke_client_certificate {
   162    local name=$1
   163  
   164    openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/certs/$name.pem"
   165    regen_crl
   166  }
   167  
   168  
   169  # regen_crl regenerates certificate revocation list file.
   170  function regen_crl {
   171    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/crl.pem"
   172    openssl crl -outform der -in "$CA_DIR/crl/crl.pem" -out "$CA_DIR/crl/crl.der"
   173  }
   174  
   175  
   176  # call_rpc invokes pRPC method on devserver instance.
   177  #
   178  # It reads method body as JSON from stdin.
   179  function call_rpc {
   180    echo "Calling $1..."
   181    rpc call -format json "localhost:$DEVSERVER_PORT" $1
   182    if [ $? -ne 0 ]
   183    then
   184      echo "RPC call $1 failed!"
   185      exit 1
   186    fi
   187  }
   188  
   189  
   190  # import_config imports CA config into the token server.
   191  function import_config {
   192    mkdir -p $DEVCFG_PATH/certs
   193    cp $CA_DIR/certs/ca.pem $DEVCFG_PATH/certs/ca.pem
   194  
   195    cat >$DEVCFG_PATH/tokenserver.cfg <<EOL
   196  certificate_authority {
   197    cn: "$CA_NAME"
   198    cert_path: "certs/ca.pem"
   199    crl_url: "http://localhost:$CRLSERVER_PORT/ca/crl/crl.der"
   200    use_oauth: false
   201  
   202    known_domains: {
   203      domain: "fake.domain"
   204      machine_token_lifetime: 3600
   205    }
   206  }
   207  EOL
   208  
   209    # Ask the server to reread the config.
   210    echo "{}" | call_rpc "tokenserver.admin.Admin.ImportCAConfigs"
   211  
   212    # Wait a bit for cached config to expire.
   213    sleep 0.5
   214  }
   215  
   216  
   217  # fetch_crl imports current CRL into the token server.
   218  function fetch_crl {
   219    call_rpc "tokenserver.admin.CertificateAuthorities.FetchCRL" <<EOL
   220    {
   221      "cn": "$CA_NAME",
   222      "force": true
   223    }
   224  EOL
   225  }