From 481243e628a8632af0f0fc3647fc36eb8f5b38c1 Mon Sep 17 00:00:00 2001
From: Christian Kellner
Date: Wed, 16 Sep 2020 14:09:49 +0200
Subject: [PATCH] test: add make-certs script to generate SSL certs

This will create the a certificate authority (CA) and then create a cert for composer and another one for the worker. The worker one can also be used by the koji plugin. The configuration file is needed to get subjectAltName working.
---
 test/data/composer.ssl.conf | 17 ++++++++++++
 test/make-certs.sh | 54 +++++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 test/data/composer.ssl.conf
 create mode 100755 test/make-certs.sh

diff --git a/test/data/composer.ssl.conf b/test/data/composer.ssl.conf
new file mode 100644
index 0000000..90896a7
--- /dev/null
+++ b/test/data/composer.ssl.conf
@@ -0,0 +1,17 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+CN = localhost
+
+[v3_req]
+keyUsage = critical,keyEncipherment, dataEncipherment, digitalSignature
+extendedKeyUsage = critical,serverAuth,clientAuth,emailProtection
+basicConstraints = critical,CA:FALSE
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+DNS.2 = composer
diff --git a/test/make-certs.sh b/test/make-certs.sh
new file mode 100755
index 0000000..901fa45
--- /dev/null
+++ b/test/make-certs.sh
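Review bot: The `[alt_names]` section lists only `localhost` and `composer`, while the script in the same commit builds an `ALT_NAMES` string that also names `org.osbuild.koji.composer`; since the script signs with `-extfile test/data/composer.ssl.conf -extensions v3_req`, only the names in this file reach the certificate, so a client that verifies the composer endpoint as `org.osbuild.koji.composer` (presumably the koji plugin) would fail hostname verification. If that name is intended, add `DNS.3 = org.osbuild.koji.composer` here. Separately, `extendedKeyUsage` includes `emailProtection`, which nothing in this commit uses; for a TLS server/client pair `extendedKeyUsage = critical,serverAuth,clientAuth` is the tighter choice.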
@@ -0,0 +1,54 @@
+#!/bin/bash
+set -euo pipefail
+
+# this script must be run as root
+if [ $UID != 0 ]; then
+ echo This script must be run as root.
+ exit 1
+fi
+
+TEST_DATA=${TEST_DATA:-test/data}
+
+CA_DIR="/etc/osbuild-composer"
+echo "Generating certificates"
+mkdir -p ${CA_DIR}
+
+# The CA
+openssl req -new -nodes -x509 -days 365 \
+ -keyout "${CA_DIR}/ca-key.pem" \
+ -out "${CA_DIR}/ca-crt.pem" \
+ -subj "/CN=osbuild.org"
+openssl genrsa -out "${CA_DIR}/key.pem" 2048
+
+# composer
+ALT_NAMES="DNS:localhost,DNS:org.osbuild.koji.composer,DNS:composer"
+openssl genrsa -out ${CA_DIR}/composer-key.pem 2048
+openssl req -new -sha256 \
+ -key ${CA_DIR}/composer-key.pem \
+ -out ${CA_DIR}/composer-csr.pem \
+ -config ${TEST_DATA}/composer.ssl.conf
+openssl x509 -req \
+ -in ${CA_DIR}/composer-csr.pem \
+ -CA ${CA_DIR}/ca-crt.pem \
+ -CAkey ${CA_DIR}/ca-key.pem \
+ -CAcreateserial \
+ -out ${CA_DIR}/composer-crt.pem \
+ -extfile ${TEST_DATA}/composer.ssl.conf \
+ -extensions v3_req
+
+# worker
+openssl genrsa -out ${CA_DIR}/worker-key.pem 2048
+openssl req -new -sha256 \
+ -key ${CA_DIR}/worker-key.pem \
+ -out ${CA_DIR}/worker-csr.pem \
+ -subj "/CN=localhost"
+
+openssl x509 -req \
+ -in ${CA_DIR}/worker-csr.pem \
+ -CA ${CA_DIR}/ca-crt.pem \
+ -CAkey ${CA_DIR}/ca-key.pem \
+ -CAcreateserial \
+ -out ${CA_DIR}/worker-crt.pem
+
+# fix permissions for composer
+chown _osbuild-composer:_osbuild-composer ${CA_DIR}/composer-*
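Review bot: The worker certificate is signed without `-extfile`/`-extensions`, so it carries no subjectAltName and only `CN=localhost`; hostname verifiers that ignore the CN (Go's crypto/x509 since 1.15, for instance — worth confirming which client consumes this cert) will reject it, and the commit message says this cert is also meant for the koji plugin. Reuse the config on the worker `openssl x509 -req` call as the composer block does, `-extfile ${TEST_DATA}/composer.ssl.conf \` followed by `-extensions v3_req`, or give the worker its own `[alt_names]` section. Two leftovers in the same hunk: `ALT_NAMES` is assigned but never read (the SANs come from the config file, not from this string), and `openssl genrsa -out "${CA_DIR}/key.pem" 2048` produces a key that nothing references; both should go so the script does not advertise SANs or keys that do not exist. Also, `${TEST_DATA}` and `${CA_DIR}` are unquoted in the composer and worker blocks while the CA block quotes them; `TEST_DATA` comes from the environment, so quote it (`"${TEST_DATA}/composer.ssl.conf"`) and quote `${CA_DIR}` for consistency.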