adds tpp retire by thumbprint and tests for tpp and vaas

Pmaraveyias · Pmaraveyias · commit 24e1abd5890b · 2023-12-12T13:19:18.000-05:00
diff --git a/tests/test_tpp_token.py b/tests/test_tpp_token.py
@@ -26,7 +26,7 @@
 from assets import TEST_KEY_ECDSA, TEST_KEY_RSA_4096, TEST_KEY_RSA_2048_ENCRYPTED
 from test_env import TPP_ZONE, TPP_ZONE_ECDSA, TPP_USER, TPP_PASSWORD, TPP_TOKEN_URL
 from test_utils import (random_word, enroll, renew, renew_by_thumbprint, renew_without_key_reuse,
-                        enroll_with_zone_update, simple_enroll)
+                        enroll_with_zone_update, simple_enroll, retire_by_id, retire_by_thumbprint)
 from vcert import (CustomField, KeyType, RevocationRequest, CertificateRequest, IssuerHint, logger, TPPTokenConnection)
 from vcert.errors import ClientBadData, ServerUnexptedBehavior
 
@@ -267,3 +267,22 @@ def test_revoke_access_token(self):
         cn = f"{random_word(10)}.venafi.example.com"
         with self.assertRaises(Exception):
             enroll(self.tpp_conn, self.tpp_zone, cn)
+
+    def test_tpp_token_retire_cert_id(self):
+        cn = f"{random_word(10)}.venafi.example.com"
+        try:
+            req, cert = simple_enroll(self.tpp_conn, self.tpp_zone)
+            ret_data = retire_by_id(id=req.id)
+            assert ret_data['Success'] is True
+        except Exception as err:
+            self.fail(f"Error in tpp retire by id test: {err.message}")
+
+    def test_tpp_token_retire_cert_thumbprint(self):
+        cn = f"{random_word(10)}.venafi.example.com"
+        try:
+            req, cert = simple_enroll(self.tpp_conn, self.tpp_zone)
+            cert = x509.load_pem_x509_certificate(cert.cert.encode(), default_backend())
+            ret_data = retire_by_thumbprint(prev_cert=cert)
+            assert ret_data['Success'] is True
+        except Exception as err:
+            self.fail(f"Error in tpp retire by thumbprint test: {err.message}")
diff --git a/tests/test_utils.py b/tests/test_utils.py
@@ -28,6 +28,7 @@
 
 from test_env import RANDOM_DOMAIN
 from vcert import CertificateRequest, FakeConnection, TPPConnection, TPPTokenConnection, CSR_ORIGIN_SERVICE
+from vcert.common import RetireRequest
 
 
 def random_word(length):
@@ -209,3 +210,18 @@ def renew_by_thumbprint(conn, prev_cert):
     print(prev_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME))
     assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == prev_cert.subject.get_attributes_for_oid(
         NameOID.COMMON_NAME)
+
+
+def retire_by_id(conn, prev_cert_id):
+    print("trying to retire by id")
+    ret_request = RetireRequest(req_id=prev_cert_id)
+    retire_data = conn.retire_cert(ret_request)
+    return retire_data
+
+
+def retire_by_thumbprint(conn, prev_cert):
+    print("Trying to retire by thumbprint")
+    thumbprint = binascii.hexlify(prev_cert.fingerprint(hashes.SHA1())).decode()
+    ret_request = RetireRequest(thumbprint=thumbprint)
+    retire_data = conn.retire_cert(ret_request)
+    return retire_data
diff --git a/tests/test_vaas.py b/tests/test_vaas.py
@@ -31,6 +31,7 @@
     get_vaas_zone
 from vcert import CloudConnection, KeyType, CertificateRequest, CustomField, logger, CSR_ORIGIN_SERVICE
 from vcert.policy import KeyPair, DefaultKeyPair, PolicySpecification
+from vcert.common import RetireRequest
 
 log = logger.get_child("test-vaas")
 
@@ -214,3 +215,15 @@ def test_enroll_ec_key_certificate(self):
         if p_key:
             self.assertIsInstance(p_key, EllipticCurvePrivateKey, "returned private key is not of type Elliptic Curve")
             self.assertEqual(p_key.curve.key_size, 384, f"Private Key expected curve: 384. Got: {p_key.curve.key_size}")
+
+    def test_cloud_retire_by_thumbprint(self):
+        try:
+            req, cert = simple_enroll(self.cloud_conn, self.cloud_zone)
+            cert = x509.load_pem_x509_certificate(cert.cert.encode(), default_backend())
+            fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())).decode()
+            time.sleep(1)
+            ret_request = RetireRequest(thumbprint=fingerprint)
+            ret_data = self.cloud_conn.retire_cert(fingerprint)
+            assert ret_data is True
+        except Exception as e:
+            log.error(msg=f"Error retiring certificate by thumbprint: {e.message}")
diff --git a/vcert/connection_tpp_abstract.py b/vcert/connection_tpp_abstract.py
@@ -362,10 +362,14 @@ def retire_cert(self, request):
                 }
             ]
         }
-        if request.id:
-            cert_guid = self.get_certificate_guid_from_dn(request.id)
-        elif request.guid:
+
+        if request.guid:
             cert_guid = request.guid
+        elif request.id:
+            cert_guid = self.get_certificate_guid_from_dn(request.id)
+        elif request.thumbprint:
+            req_id = self.search_by_thumbprint(request.thumbprint)
+            cert_guid = self.get_certificate_guid_from_dn(req_id)
         else:
             raise ClientBadData
 

Original file line number	Diff line number	Diff line change
`@@ -362,10 +362,14 @@ def retire_cert(self, request):`
`362`	`362`	`}`
`363`	`363`	`]`
`364`	`364`	`}`
`365`		`- if request.id:`
`366`		`- cert_guid = self.get_certificate_guid_from_dn(request.id)`
`367`		`- elif request.guid:`
	`365`	`+`
	`366`	`+ if request.guid:`
`368`	`367`	`cert_guid = request.guid`
	`368`	`+ elif request.id:`
	`369`	`+ cert_guid = self.get_certificate_guid_from_dn(request.id)`
	`370`	`+ elif request.thumbprint:`
	`371`	`+ req_id = self.search_by_thumbprint(request.thumbprint)`
	`372`	`+ cert_guid = self.get_certificate_guid_from_dn(req_id)`
`369`	`373`	`else:`
`370`	`374`	`raise ClientBadData`
`371`	`375`