tests: provision fb identity in to testing certificates

Summary:
In order to do more complete tests around authentication we need to provide
fb identity in to our test certificates.

Reviewed By: StanislavGlebik

Differential Revision: D15046017

fbshipit-source-id: 3f3cd450425944a2970c6f02e7eb92a878076a05

tests/integration/library.sh

@@ -28,16 +28,16 @@ function random_int() {
 }
 
 function sslcurl {
-  curl --cert "$TESTDIR/testcert.crt" --cacert "$TESTDIR/testcert.crt" --key "$TESTDIR/testcert.key" "$@"
+  curl --cert "$TESTDIR/certs/localhost.crt" --cacert "$TESTDIR/certs/root-ca.crt" --key "$TESTDIR/certs/localhost.key" "$@"
 }
 
 function mononoke {
   export MONONOKE_SOCKET
   MONONOKE_SOCKET=$(get_free_socket)
-  "$MONONOKE_SERVER" "$@" --ca-pem "$TESTDIR/testcert.crt" \
-  --private-key "$TESTDIR/testcert.key" \
-  --cert "$TESTDIR/testcert.crt" \
-  --ssl-ticket-seeds "$TESTDIR/server.pem.seeds" \
+  "$MONONOKE_SERVER" "$@" --ca-pem "$TESTDIR/certs/root-ca.crt" \
+  --private-key "$TESTDIR/certs/localhost.key" \
+  --cert "$TESTDIR/certs/localhost.crt" \
+  --ssl-ticket-seeds "$TESTDIR/certs/server.pem.seeds" \
   --debug \
   --listening-host-port "[::1]:$MONONOKE_SOCKET" \
   -P "$TESTTMP/mononoke-config" \
@@ -349,10 +349,10 @@ function setup_no_ssl_apiserver {
 
 function apiserver {
   $MONONOKE_APISERVER "$@" --mononoke-config-path "$TESTTMP/mononoke-config" \
-    --ssl-ca "$TESTDIR/testcert.crt" \
-    --ssl-private-key "$TESTDIR/testcert.key" \
-    --ssl-certificate "$TESTDIR/testcert.crt" \
-    --ssl-ticket-seeds "$TESTDIR/server.pem.seeds" \
+    --ssl-ca "$TESTDIR/certs/root-ca.crt" \
+    --ssl-private-key "$TESTDIR/certs/localhost.key" \
+    --ssl-certificate "$TESTDIR/certs/localhost.crt" \
+    --ssl-ticket-seeds "$TESTDIR/certs/server.pem.seeds" \
     --do-not-init-cachelib >> "$TESTTMP/apiserver.out" 2>&1 &
   export APISERVER_PID=$!
   echo "$APISERVER_PID" >> "$DAEMON_PIDS"
@@ -577,9 +577,9 @@ function mkcommit() {
 function pushrebase_replay() {
   DB_INDICES=$1
 
-  REPLAY_CA_PEM="$TESTDIR/testcert.crt" \
-  THRIFT_TLS_CL_CERT_PATH="$TESTDIR/testcert.crt" \
-  THRIFT_TLS_CL_KEY_PATH="$TESTDIR/testcert.key" $PUSHREBASE_REPLAY \
+  REPLAY_CA_PEM="$TESTDIR/certs/root-ca.crt" \
+  THRIFT_TLS_CL_CERT_PATH="$TESTDIR/certs/localhost.crt" \
+  THRIFT_TLS_CL_KEY_PATH="$TESTDIR/certs/localhost.key" $PUSHREBASE_REPLAY \
     --mononoke-config-path "$TESTTMP/mononoke-config" \
     --reponame repo \
     --hgcli "$MONONOKE_HGCLI" \

tests/integration/server.pem.seeds

@@ -1 +0,0 @@
-{"old": ["0cdb7746c57e4069f84192f5b73905e040e46439b6afe886ba048fc40700416bb1986ab97729d35cf8b9a3dee0d717a6"], "new": ["cfb5cca1d5715dae1ddecb97e1302dc816238f23c7cb89b6e514961b0bc9e9297c04dac377004000dc31450da1af0f8f"], "current": ["7fe165ba823b01abb8c1b4768a1846070ce9b0dbd3efa52bde4a20d45a89c6d1c8b21fda6d2b33f8ea005f616abf028a"]}

tests/integration/test-apiserver.t

@@ -53,8 +53,8 @@ starts api server
   $ APISERVER_PORT=$(get_free_socket)
   $ apiserver -H "[::1]" -p $APISERVER_PORT
   $ wait_for_apiserver
-  $ function sslcurl() { curl --silent --cert "$TESTDIR/testcert.crt" --cacert "$TESTDIR/testcert.crt" --key "$TESTDIR/testcert.key" "$@"; }
-  $ function s_client() { openssl s_client -connect $APIHOST -cert "$TESTDIR/testcert.crt" -key "$TESTDIR/testcert.key" -ign_eof "$@"; }
+  $ function sslcurl() { curl --silent --cert "$TESTDIR/certs/localhost.crt" --cacert "$TESTDIR/certs/root-ca.crt" --key "$TESTDIR/certs/localhost.key" "$@"; }
+  $ function s_client() { openssl s_client -connect $APIHOST -CAfile "$TESTDIR/certs/root-ca.crt" -cert "$TESTDIR/certs/localhost.crt" -key "$TESTDIR/certs/localhost.key" -ign_eof "$@"; }
 
 ping test
   $ sslcurl -i $APISERVER/health_check | grep -iv "date"
@@ -263,10 +263,9 @@ test get changeset
 test TLS Session/Ticket resumption when using client certs
   $ TMPFILE=$(mktemp)
   $ RUN1=$(echo -e "GET /health_check HTTP/1.1\r\n" | s_client -sess_out $TMPFILE | grep -E "^(HTTP|\s+Session-ID:)")
-  depth=0 C = uk, L = Default City, O = Default Company Ltd, CN = localhost
-  verify error:num=18:self signed certificate
+  depth=1 C = US, ST = CA, O = FakeRootCanal, CN = fbmononoke.com
   verify return:1
-  depth=0 C = uk, L = Default City, O = Default Company Ltd, CN = localhost
+  depth=0 CN = localhost, O = Mononoke, C = US, ST = CA
   verify return:1
   $ RUN2=$(echo -e "GET /health_check HTTP/1.1\r\n" | s_client -sess_in $TMPFILE | grep -E "^(HTTP|\s+Session-ID:)")
   $ echo "$RUN1"

tests/integration/test-server.t

@@ -19,15 +19,14 @@ setup data
 start mononoke
   $ mononoke
   $ wait_for_mononoke $TESTTMP/repo
-  $ function s_client () { openssl s_client -connect localhost:$MONONOKE_SOCKET -cert "$TESTDIR/testcert.crt" -key "$TESTDIR/testcert.key" -ign_eof "$@"; }
+  $ function s_client () { openssl s_client -connect localhost:$MONONOKE_SOCKET -CAfile "$TESTDIR/certs/root-ca.crt" -cert "$TESTDIR/certs/localhost.crt" -key "$TESTDIR/certs/localhost.key" -ign_eof "$@"; }
 
 test TLS Session/Ticket resumption when using client certs
   $ TMPFILE=$(mktemp)
   $ RUN1=$(echo -e "hello\n" | s_client -sess_out $TMPFILE | grep -E "^(HTTP|\s+Session-ID:)")
-  depth=0 C = uk, L = Default City, O = Default Company Ltd, CN = localhost
-  verify error:num=18:self signed certificate
+  depth=1 C = US, ST = CA, O = FakeRootCanal, CN = fbmononoke.com
   verify return:1
-  depth=0 C = uk, L = Default City, O = Default Company Ltd, CN = localhost
+  depth=0 CN = localhost, O = Mononoke, C = US, ST = CA
   verify return:1
   read:errno=0
   $ RUN2=$(echo -e "hello\n" | s_client -sess_in $TMPFILE | grep -E "^(HTTP|\s+Session-ID:)")
@@ -43,7 +42,7 @@ test TLS Tickets use encryption keys from seeds - sessions should persist across
   [137]
   $ mononoke
   $ wait_for_mononoke $TESTTMP/repo
-  $ alias s_client="openssl s_client -connect localhost:$MONONOKE_SOCKET -cert \"$TESTDIR/testcert.crt\" -key \"$TESTDIR/testcert.key\" -ign_eof"
+  $ alias s_client="openssl s_client -connect localhost:$MONONOKE_SOCKET -CAfile \"$TESTDIR/certs/root-ca.crt\" -cert \"$TESTDIR/certs/localhost.crt\" -key \"$TESTDIR/certs/localhost.key\" -ign_eof"
   $ echo -e "hello\n" | s_client -sess_in $TMPFILE -state | grep -E "^SSL_connect"
   SSL_connect:before/connect initialization
   SSL_connect:SSLv3 write client hello A

tests/integration/testcert.crt

@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDfzCCAmegAwIBAgIJAI/dL7poNg7oMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV
-BAYTAnVrMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
-Q29tcGFueSBMdGQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xODExMTUxMTUwNTRa
-Fw0yODExMTIxMTUwNTRaMFYxCzAJBgNVBAYTAnVrMRUwEwYDVQQHDAxEZWZhdWx0
-IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxEjAQBgNVBAMMCWxv
-Y2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNYjRvGEpNo
-FzAK8mm2cNHG3tcyvx25IxZup4hpfzet0DKgOFK0cRCMOFPQqYUdwioI7vYtIOOR
-yYV2UON6hdMFSOD1YzTF0jaOxDV0t4cTGlrY/oxCwzK0uLaWkBwAXnSc//UWCGMe
-z6WGSCvlVBAN3T5rgK3vnHTg+DexTy9ilRLo7VHP29ncA76v0LHqS3l/1UBZZ5sO
-9p8PkfurSSeFVtesriKvfhG8k1uvlWXqLsVM7o1Kwu4LcysHDtxz4JtV5A8KEjvS
-BpG/7r5GZkEYZNu2iJ/JPyJuektWTLUnatCsZlCyHVSKcfNpkSxegQWQKRk1HmNo
-TamTLQKm3+sCAwEAAaNQME4wHQYDVR0OBBYEFL31PGbhXmI7ygw9YnWcpxulCzFC
-MB8GA1UdIwQYMBaAFL31PGbhXmI7ygw9YnWcpxulCzFCMAwGA1UdEwQFMAMBAf8w
-DQYJKoZIhvcNAQELBQADggEBAFIX9G62bb+EGPCBTp3seQZ+PStHwNtR6F2IdhbY
-L28vc4CsS51PxKv44cuLyhgLLjwJPh/eh9F8OhF56gFs2BOD1oVo5JT+7OVzvnLG
-VucfOIJxroA9kiAyXpWuMU6mFbjwi/hIqzlydq0bwNq8yD5baWjelXtdYk5J/ODe
-jP5jwjzVhlBTCtfJO3VxR1Jlul2eAH5V29G+BUBANbjAVtXj/q39StLbX3YhtUye
-C3f6yyClnQMcNZiwgTT/SFej4HmGBLlC67h161mvLtHny+/4k8ki3HXhIoSaFYR1
-QIe8/5fpa9g6q644UN1aH/CnpaSjW7ojJTnL8WITsDFCLqs=
------END CERTIFICATE-----

tests/integration/testcert.key

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCjWI0bxhKTaBcw
-CvJptnDRxt7XMr8duSMWbqeIaX83rdAyoDhStHEQjDhT0KmFHcIqCO72LSDjkcmF
-dlDjeoXTBUjg9WM0xdI2jsQ1dLeHExpa2P6MQsMytLi2lpAcAF50nP/1FghjHs+l
-hkgr5VQQDd0+a4Ct75x04Pg3sU8vYpUS6O1Rz9vZ3AO+r9Cx6kt5f9VAWWebDvaf
-D5H7q0knhVbXrK4ir34RvJNbr5Vl6i7FTO6NSsLuC3MrBw7cc+CbVeQPChI70gaR
-v+6+RmZBGGTbtoifyT8ibnpLVky1J2rQrGZQsh1UinHzaZEsXoEFkCkZNR5jaE2p
-ky0Cpt/rAgMBAAECggEBAIcaDZQELocHF+6fj0KKKCQJpXQ+P75Yy0GZgi2cfCFU
-PJgy1oLpRX7XSxtfwWYdZ+OWgfbQ+pvej9w4MM0FILyZaV7O9x/F4olHadeA0u8A
-iNLNGTRvX72HpiM2wri2QWmYFUfj0koRSNNyDi1oPzAMF4qyJbs3LKOrEwIVQBZC
-05tfpaGMQTO1c7NYkwO7E8d2EAl5i85IrhPs+uD9ed6WORXAYeMA1TXPtzHmW/Fx
-fTCNFYZ9uCRtyBfi8/colXWiiRESFUuEfRwGjOLgliEilVht/GpsB0gi9HyfRuUX
-wcFnb5zoVZN4OgKfw7mXmzYBGD1patU5mZIJ3T5iikkCgYEA2BEdRW6L8cygVlla
-RuLtPV3lBj5urQRizkcaG6v7l8G/8A0xPX1VJIEnq4yetcRpJG+GGM+XzgpqMIjN
-vzhKA1HZWe20vl3COJ+Ujzi8SVxYO1TuVSzr+mLPDmHtILnR1JDGfJQkqrI/+8+j
-hjT9KJ0j+02tdBsZ3ASLoBEGyf0CgYEAwYkFyL5RvAEjvrJKgkPIf0wCcshZCcp5
-hwACp2VFyNnJWfHsxmkMddKyV777bFy1pRBJ5ut9gqEm6J5TzB17A3hO90Hh2TG8
-n5RnglTawnLEVbyWY+SzbQOyO/j1ncfoxigz7dgAc2BY4MIG0bvOHgpe/dxfg/CL
-iz1Ay1+e4gcCgYEAjQHOSou0hN74HKI/ild6YDwwxPxlmkBsgxZf8YMxtH5bVrwl
-UG3E7Qfk7c3dnd5Kh97IctS3y118o6QEMjD4DGaUJF4/QKVLpUxv1XA/YNkFM+Nf
-jvK8JjHp0wcRi/P4/nJlNtQvgb7Ghv2hSGq4dJLo8o5lDorJO48z2AiEl7kCgYBQ
-EQkEkMAtwGbyWL58f+Bt0Ztds0cqxspaMIXojPw+6OLlRDIJr6IJCJ7hsFBB92Tq
-of+A+kHVjigTqpTOaA/hUp+QqX/vJCV9+56LC+Ho+iQBuGCbeR1F53aQWyH6IZ9K
-g41gQ7GECgMbEQpTMJhIU1ATRF17r0N72l55BNktdwKBgFSAWAXKog9mcH5QB3hk
-zV0m5cxvpTXVp+ncUkPzlE7Y1FhYK7ZtAe03p1MGkF4D1Mjz9Jit0/rRikRGPKSD
-FhfNTzfyNSxpnGERFn7nNQoVoVgRbAvj8V8IpvEeY7MwW+rszKFeSUr8UqHoKZZw
-X3oSQUkEH4R2W83ZblEO71eh
------END PRIVATE KEY-----

tests/integration/third_party/dummyssh.py

@@ -25,9 +25,9 @@ if os.name == "nt":
 
 log = open("dummylog", "a+b")
 
-cert = os.path.join(os.getenv("TESTDIR"), "testcert.crt")
-capem = os.path.join(os.getenv("TESTDIR"), "testcert.crt")
-privatekey = os.path.join(os.getenv("TESTDIR"), "testcert.key")
+cert = os.path.join(os.getenv("TESTDIR"), "certs/localhost.crt")
+capem = os.path.join(os.getenv("TESTDIR"), "certs/root-ca.crt")
+privatekey = os.path.join(os.getenv("TESTDIR"), "certs/localhost.key")
 
 if "hgcli" in hgcmd:
     hgcmd += (