[Unix] Create a framework for certbot integration tests: PART 3c (#6948)

Following #6821, this PR continues to convert certbot integration tests into certbot-ci. This PR add tests covering about renew, on L283-396 in tests/certbot-boulder-integration.sh (by including existing test_renew_files_permissions and test_renew_with_hook_scripts). Previous lines are covered with existing tests, or by #6946 and #6947. * Add tests * Correct assertion about world permission
2026-06-09 00:32:12 -04:00 · 2019-04-16 00:09:57 +02:00 · 2019-04-16 00:09:57 +02:00 · b73c551f14
commit b73c551f14
parent 471f8aecc0
1 changed files with 154 additions and 0 deletions
--- a/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
+++ b/certbot-ci/certbot_integration_tests/certbot_tests/test_main.py
@ -160,6 +160,10 @@ def test_auth_and_install_with_csr(context):
        '--key-path', key_path
    ])

+    context.certbot(['renew', '--cert-name', certname, '--authenticator', 'manual'])
+
+    assert_cert_count_for_lineage(context.config_dir, certname, 2)
+

 def test_renew_files_permissions(context):
    """Test proper certificate file permissions upon renewal"""
@ -195,3 +199,153 @@ def test_renew_with_hook_scripts(context):

    assert_cert_count_for_lineage(context.config_dir, certname, 2)
    assert_hook_execution(context.hook_probe, 'deploy')
+
+
+def test_renew_files_propagate_permissions(context):
+    """Test proper certificate renewal with custom permissions propagated on private key."""
+    certname = context.get_domain('renew')
+    context.certbot(['-d', certname])
+
+    assert_cert_count_for_lineage(context.config_dir, certname, 1)
+
+    os.chmod(join(context.config_dir, 'archive', certname, 'privkey1.pem'), 0o444)
+    context.certbot(['renew'])
+
+    assert_cert_count_for_lineage(context.config_dir, certname, 2)
+    assert_world_permissions(
+        join(context.config_dir, 'archive', certname, 'privkey2.pem'), 4)
+    assert_equals_permissions(
+        join(context.config_dir, 'archive', certname, 'privkey1.pem'),
+        join(context.config_dir, 'archive', certname, 'privkey2.pem'), 0o074)
+
+
+def test_graceful_renew_it_is_not_time(context):
+    """Test graceful renew is not done when it is not due time."""
+    certname = context.get_domain('renew')
+    context.certbot(['-d', certname])
+
+    assert_cert_count_for_lineage(context.config_dir, certname, 1)
+
+    context.certbot_no_force_renew([
+        'renew', '--deploy-hook', 'echo deploy >> "{0}"'.format(context.hook_probe)])
+
+    assert_cert_count_for_lineage(context.config_dir, certname, 1)
+    with pytest.raises(AssertionError):
+        assert_hook_execution(context.hook_probe, 'deploy')
+
+
+def test_graceful_renew_it_is_time(context):
+    """Test graceful renew is done when it is due time."""
+    certname = context.get_domain('renew')
+    context.certbot(['-d', certname])
+
+    assert_cert_count_for_lineage(context.config_dir, certname, 1)
+
+    with open(join(context.config_dir, 'renewal', '{0}.conf'.format(certname)), 'r') as file:
+        lines = file.readlines()
+    lines.insert(4, 'renew_before_expiry = 100 years{0}'.format(os.linesep))
+    with open(join(context.config_dir, 'renewal', '{0}.conf'.format(certname)), 'w') as file:
+        file.writelines(lines)
+
+    context.certbot_no_force_renew([
+        'renew', '--deploy-hook', 'echo deploy >> "{0}"'.format(context.hook_probe)])
+
+    assert_cert_count_for_lineage(context.config_dir, certname, 2)
+    assert_hook_execution(context.hook_probe, 'deploy')
+
+
+def test_renew_with_changed_private_key_complexity(context):
+    """Test proper renew with updated private key complexity."""
+    certname = context.get_domain('renew')
+    context.certbot(['-d', certname, '--rsa-key-size', '4096'])
+
+    key1 = join(context.config_dir, 'archive', certname, 'privkey1.pem')
+    assert os.stat(key1).st_size > 3000  # 4096 bits keys takes more than 3000 bytes
+    assert_cert_count_for_lineage(context.config_dir, certname, 1)
+
+    context.certbot(['renew'])
+    
+    assert_cert_count_for_lineage(context.config_dir, certname, 2)
+    key2 = join(context.config_dir, 'archive', certname, 'privkey2.pem')
+    assert os.stat(key2).st_size > 3000
+
+    context.certbot(['renew', '--rsa-key-size', '2048'])
+
+    assert_cert_count_for_lineage(context.config_dir, certname, 3)
+    key3 = join(context.config_dir, 'archive', certname, 'privkey3.pem')
+    assert os.stat(key3).st_size < 1800  # 2048 bits keys takes less than 1800 bytes
+
+
+def test_renew_ignoring_directory_hooks(context):
+    """Test hooks are ignored during renewal with relevant CLI flag."""
+    certname = context.get_domain('renew')
+    context.certbot(['-d', certname])
+
+    assert_cert_count_for_lineage(context.config_dir, certname, 1)
+
+    misc.generate_test_file_hooks(context.config_dir, context.hook_probe)
+    context.certbot(['renew', '--no-directory-hooks'])
+
+    assert_cert_count_for_lineage(context.config_dir, certname, 2)
+    with pytest.raises(AssertionError):
+        assert_hook_execution(context.hook_probe, 'deploy')
+
+
+def test_renew_empty_hook_scripts(context):
+    """Test proper renew with empty hook scripts."""
+    certname = context.get_domain('renew')
+    context.certbot(['-d', certname])
+
+    assert_cert_count_for_lineage(context.config_dir, certname, 1)
+
+    misc.generate_test_file_hooks(context.config_dir, context.hook_probe)
+    for hook_dir in misc.list_renewal_hooks_dirs(context.config_dir):
+        shutil.rmtree(hook_dir)
+        os.makedirs(join(hook_dir, 'dir'))
+        open(join(hook_dir, 'file'), 'w').close()
+    context.certbot(['renew'])
+
+    assert_cert_count_for_lineage(context.config_dir, certname, 2)
+
+
+def test_renew_hook_override(context):
+    """Test correct hook override on renew."""
+    certname = context.get_domain('override')
+    context.certbot([
+        'certonly', '-d', certname,
+        '--preferred-challenges', 'http-01',
+        '--pre-hook', 'echo pre >> "{0}"'.format(context.hook_probe),
+        '--post-hook', 'echo post >> "{0}"'.format(context.hook_probe),
+        '--deploy-hook', 'echo deploy >> "{0}"'.format(context.hook_probe)
+    ])
+
+    assert_hook_execution(context.hook_probe, 'pre')
+    assert_hook_execution(context.hook_probe, 'post')
+    assert_hook_execution(context.hook_probe, 'deploy')
+
+    # Now we override all previous hooks during next renew.
+    open(context.hook_probe, 'w').close()
+    context.certbot([
+        'renew', '--cert-name', certname,
+        '--pre-hook', 'echo pre-override >> "{0}"'.format(context.hook_probe),
+        '--post-hook', 'echo post-override >> "{0}"'.format(context.hook_probe),
+        '--deploy-hook', 'echo deploy-override >> "{0}"'.format(context.hook_probe)
+    ])
+
+    assert_hook_execution(context.hook_probe, 'pre-override')
+    assert_hook_execution(context.hook_probe, 'post-override')
+    assert_hook_execution(context.hook_probe, 'deploy-override')
+    with pytest.raises(AssertionError):
+        assert_hook_execution(context.hook_probe, 'pre')
+    with pytest.raises(AssertionError):
+        assert_hook_execution(context.hook_probe, 'post')
+    with pytest.raises(AssertionError):
+        assert_hook_execution(context.hook_probe, 'deploy')
+
+    # Expect that this renew will reuse new hooks registered in the previous renew.
+    open(context.hook_probe, 'w').close()
+    context.certbot(['renew', '--cert-name', certname])
+
+    assert_hook_execution(context.hook_probe, 'pre-override')
+    assert_hook_execution(context.hook_probe, 'post-override')
+    assert_hook_execution(context.hook_probe, 'deploy-override')