170 | 170 | end |
171 | 171 | end |
172 | 172 |
| 173 | + describe 'gpg key generation' do |
| 174 | + let(:gpg_dir) { '/etc/passbolt/gpg' } |
| 175 | + let(:gpg_private_key) { "#{gpg_dir}/serverkey_private.asc" } |
| 176 | + let(:gpg_public_key) { "#{gpg_dir}/serverkey.asc" } |
| 177 | + let(:gnupghome) { '/var/lib/passbolt/.gnupg' } |
| 178 | + |
| 179 | + let(:list_keys_cmd) do |
| 180 | + if ENV['ROOTLESS'] == 'true' |
| 181 | + ['gpg', '--homedir', gnupghome, '--list-keys', '--with-colons'] |
| 182 | + else |
| 183 | + ['su', '-s', '/bin/bash', '-c', "gpg --homedir #{gnupghome} --list-keys --with-colons", 'www-data'] |
| 184 | + end |
| 185 | + end |
| 186 | + |
| 187 | + let(:healthcheck_cmd) do |
| 188 | + if ENV['ROOTLESS'] == 'true' |
| 189 | + ['bash', '-c', 'source /etc/environment && /usr/share/php/passbolt/bin/cake passbolt healthcheck --gpg'] |
| 190 | + else |
| 191 | + ['su', '-s', '/bin/bash', '-c', 'source /etc/environment && /usr/share/php/passbolt/bin/cake passbolt healthcheck --gpg', 'www-data'] |
| 192 | + end |
| 193 | + end |
| 194 | + |
| 195 | + describe 'generated keys' do |
| 196 | + it 'should have created private key file' do |
| 197 | + expect(file(gpg_private_key)).to exist |
| 198 | + expect(file(gpg_private_key)).to be_file |
| 199 | + expect(file(gpg_private_key)).to be_readable |
| 200 | + expect(file(gpg_private_key)).to be_owned_by('www-data') |
| 201 | + expect(file(gpg_private_key)).to be_grouped_into('www-data') |
| 202 | + end |
| 203 | + |
| 204 | + it 'should have created public key file' do |
| 205 | + expect(file(gpg_public_key)).to exist |
| 206 | + expect(file(gpg_public_key)).to be_file |
| 207 | + expect(file(gpg_public_key)).to be_readable |
| 208 | + expect(file(gpg_public_key)).to be_owned_by('www-data') |
| 209 | + expect(file(gpg_public_key)).to be_grouped_into('www-data') |
| 210 | + end |
| 211 | + |
| 212 | + it 'should have correct key usage for primary key' do |
| 213 | + output = @container.exec(list_keys_cmd)[0].join |
| 214 | + pub_line = output.lines.find { |line| line.start_with?('pub:') } |
| 215 | + expect(pub_line).not_to be_nil |
| 216 | + |
| 217 | + fields = pub_line.split(':') |
| 218 | + usage_flags = fields[11] |
| 219 | + |
| 220 | + expect(usage_flags).to include('s') |
| 221 | + expect(usage_flags).to include('c') |
| 222 | + expect(usage_flags).not_to include('e') |
| 223 | + |
| 224 | + end |
| 225 | + |
| 226 | + |
| 227 | + it 'should have correct key usage for subkey' do |
| 228 | + output = @container.exec(list_keys_cmd)[0].join |
| 229 | + sub_line = output.lines.find { |line| line.start_with?('sub:') } |
| 230 | + expect(sub_line).not_to be_nil |
| 231 | + |
| 232 | + fields = sub_line.split(':') |
| 233 | + usage_flags = fields[11] |
| 234 | + |
| 235 | + expect(usage_flags).to include('e') |
| 236 | + expect(usage_flags).not_to include('s') |
| 237 | + expect(usage_flags).not_to include('c') |
| 238 | + end |
| 239 | + end |
| 240 | + |
| 241 | + it 'should pass all GPG checks' do |
| 242 | + output = @container.exec(healthcheck_cmd)[0].join |
| 243 | + |
| 244 | + expect(output).to include('[PASS] PHP GPG Module is installed and loaded') |
| 245 | + expect(output).to include('[PASS] The environment variable GNUPGHOME is set') |
| 246 | + expect(output).to include('[PASS] The server OpenPGP key is not the default one') |
| 247 | + expect(output).to include('[PASS] The public key file is defined') |
| 248 | + expect(output).to include('[PASS] The private key file is defined') |
| 249 | + |
| 250 | + pass_count = output.scan(/\[PASS\]/).count |
| 251 | + fail_count = output.scan(/\[FAIL\]/).count |
| 252 | + |
| 253 | + expect(pass_count).to be >= 10 |
| 254 | + expect(fail_count).to eq(0) |
| 255 | + |
| 256 | + expect(output).to include('[PASS] No error found') |
| 257 | + end |
| 258 | + end |
| 259 | + |
| 260 | + |
173 | 261 | describe 'jwt configuration' do |
174 | 262 | it 'should have the correct permissions' do |
175 | 263 | expect(file(jwt_conf)).to be_a_directory |