autosign 0.1.1 → 1.0.1

data/features/autosign.feature

@@ -1,93 +0,0 @@
-Feature: Generate autosign key
-  In order to sign puppet certificates automatically
-  I want to generate autosign keys programatically
-  So I don't have to use static strings as keys
-
-  Scenario: Generate new token
-    Given a pre-shared key of "secret"
-      And a hostname of "foo.example.com"
-      And a file named "autosign.conf" with:
-      """
-      ---
-      jwt_token:
-        validity: '7200'
-        secret: 'secret'
-      """
-    When I run `chmod 600 autosign.conf`
-     And I run `autosign --config autosign.conf generate foo.example.com`
-    Then the output should contain "Autosign token for: foo.example.com"
-     And the output should contain "valid until"
-     And the exit status should be 0
-
-  Scenario: Generate new token using the --bare flag
-    Given a pre-shared key of "secret"
-      And a hostname of "foo.example.com"
-      And a file named "autosign.conf" with:
-      """
-      ---
-      jwt_token:
-        validity: '7200'
-        secret: 'secret'
-      """
-    When I run `chmod 600 autosign.conf`
-     And I run `autosign --config autosign.conf generate --bare foo.example.com`
-    Then the output should be a JSON web token
-     And the output should not contain "Autosign token for: foo.example.com"
-     And the output should not contain "valid until"
-     And the exit status should be 0
-
-  Scenario: Generate new reusable token
-    Given a pre-shared key of "secret"
-      And a hostname of "foo.example.com"
-      And a file named "autosign.conf" with:
-      """
-      ---
-      jwt_token:
-        validity: '7200'
-        secret: 'secret'
-      """
-    When I run `chmod 600 autosign.conf`
-    When I run `autosign --config autosign.conf generate foo.example.com --reusable`
-    Then the output should contain "Autosign token for: foo.example.com"
-     And the output should contain "valid until"
-     And the exit status should be 0
-
-  Scenario: Validate a token
-    Given a pre-shared key of "secret"
-      And a hostname of "foo.example.com"
-      And a file named "autosign.conf" with:
-      """
-      ---
-      jwt_token:
-        secret: 'secret'
-      """
-    When I run `chmod 600 autosign.conf`
-    When I run `autosign --config autosign.conf validate --certname "foo.example.com" "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcImZvby5leGFtcGxlLmNvbVwiLFwicmVxdWVzdGVyXCI6XCJEYW5pZWxzLU1hY0Jvb2stUHJvLTIubG9jYWxcIixcInJldXNhYmxlXCI6ZmFsc2UsXCJ2YWxpZGZvclwiOjI5OTk5OTk5OSxcInV1aWRcIjpcIjlkYTA0Yzc4LWQ5NjUtNDk2OC04MWNjLWVhM2RjZDllZjVjMFwifSIsImV4cCI6IjE3MzY0NjYxMzAifQ.PJwY8rIunVyWi_lw0ypFclME0jx3Vd9xJIQSyhN3VUmul3V8u4Tp9XwDgoAu9DVV0-WEG2Tfxs6F8R6Fn71Ndg"`
-    Then the output should contain "token validated successfully"
-     And the exit status should be 0
-
-  Scenario: Not validate a bad token
-    Given a pre-shared key of "secret"
-      And a hostname of "foo.example.com"
-      And a file named "autosign.conf" with:
-      """
-      ---
-      jwt_token:
-        secret: 'secret'
-      """
-    When I run `chmod 600 autosign.conf`
-    When I run `autosign --config autosign.conf validate --certname "foo.example.com" "invalid_token"`
-    Then the exit status should be 1
-
-  Scenario: Not validate an expired token
-    Given a pre-shared key of "secret"
-      And a hostname of "foo.example.com"
-      And a file named "autosign.conf" with:
-      """
-      ---
-      jwt_token:
-        secret: 'secret'
-      """
-    When I run `chmod 600 autosign.conf`
-    When I run `autosign --config autosign.conf validate --certname "foo.example.com" "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcImZvby5leGFtcGxlLmNvbVwiLFwicmVxdWVzdGVyXCI6XCJEYW5pZWxzLU1hY0Jvb2stUHJvLTIubG9jYWxcIixcInJldXNhYmxlXCI6ZmFsc2UsXCJ2YWxpZGZvclwiOjEsXCJ1dWlkXCI6XCJlNjI1Y2I1Ny02NzY5LTQwMzQtODNiZS0zNzkxNmQ5YmMxMDRcIn0iLCJleHAiOiIxNDM2NDY2MzAyIn0.UXEDEbRqEWx5SdSpQjfowU56JubY5Yz2QN6cckby2es-g2P_n2lyAS6AwFeliBXyCDyVUelIT3g1QP4TdB9EEA"`
-    Then the exit status should be 1

data/features/step_definitions/autosign_steps.rb

@@ -1,44 +0,0 @@
-When(/^I get help for "([^"]*)"$/) do |app_name|
-  @app_name = app_name
-  step %(I run `#{app_name} help`)
-end
-
-Given(/^a pre\-shared key of "([^"]*)"$/) do |presharedkey|
-  @psk = presharedkey
-end
-
-Given(/^a hostname of "([^"]*)"$/) do |host|
-  @hostname = host
-end
-
-Given(/^the current time is (\d+)$/) do |time|
-  @current_time = time
-end
-
-Given(/^a static token file containing:$/) do |multiline|
-    @static_token_file = multiline
-end
-
-Given(/^a mocked "\/(\S*)" directory$/)do |directory|
-  dir_name = File.join(File.expand_path(current_dir), "etc")
-  FileUtils.mkdir_p dir_name
-  set_env 'ETCROOT', dir_name
-#  create_dir("etc")
-end
-
-Then(/^a "\/(\S*)" (?:file|directory) should exist$/) do |file|
-  #expect(File.exist?(File.join(File.expand_path(current_dir), file))).to be true
-  fullpath = File.join(File.expand_path(current_dir), file)
-  FileUtils.mkdir_p fullpath
-  $world.puts "path: " + fullpath
-  expect(File.exist?(file)).to be true
-end
-
-#When(/^I pipe in the file "(.*?)"$/) do |file|
-#  in_current_dir do
-#    File.open(file, 'r').each_line do |line|
-#      _write_interactive(line)
-#    end
-#  end
-#  @interactive.stdin.close()
-#end

data/features/support/env.rb

@@ -1,17 +0,0 @@
-require 'aruba/cucumber'
-
-
-ENV['PATH'] = "#{File.expand_path(File.dirname(__FILE__) + '/../../bin')}#{File::PATH_SEPARATOR}#{ENV['PATH']}"
-LIB_DIR = File.join(File.expand_path(File.dirname(__FILE__)),'..','..','lib')
-
-Before do
-  # Using "announce" causes massive warnings on 1.9.2
-  @puts = true
-  @original_rubylib = ENV['RUBYLIB']
-  ENV['RUBYLIB'] = LIB_DIR + File::PATH_SEPARATOR + ENV['RUBYLIB'].to_s
-  $world = self
-end
-
-After do
-  ENV['RUBYLIB'] = @original_rubylib
-end

data/features/validate.feature

@@ -1,22 +0,0 @@
-Feature: Validate autosign key
-  In order to sign puppet certificates automatically
-  I want to validate autosign keys programatically
-  So that I only grant access to allowed systems without needing manual authorization
-
-  Scenario: Validate a certificate signing request
-    Given I set the environment variables to:
-      | variable               | value  |
-      | AUTOSIGN_TESTMODE      | true   |
-      | AUTOSIGN_TEST_SECRET   | secret |
-      | AUTOSIGN_TEST_LOGLEVEL | info   |
-      | AUTOSIGN_TEST_JOURNALFILE | /tmp/autosign_journal |
-    When I run `rm -f /tmp/autosign_journal`
-     And I run `autosign-validator i-7672fe81` interactively
-     And I pipe in the file "../../fixtures/i-7672fe81.pem"
-    Then the output should contain "token validated successfully"
-    Then the exit status should be 0
-
-  Scenario: Do not validate a certificate signing request whose certname does not match the certificate
-    When I run `autosign-validator wrong-certname.example.com` interactively
-     And I pipe in the file "../../fixtures/i-7672fe81.pem"
-    Then the exit status should be 1

data/fixtures/i-7672fe81.pem

@@ -1,34 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIF9jCCA94CAQAwFTETMBEGA1UEAwwKaS03NjcyZmU4MTCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBAKKhHBbqjeZUoeOoeeM2x3OT0CgbwN/GQfpKkuYc
-8WowPKyRqqYnyMuQmEq4g7E5VwCkNWJYhbz+dwqmg+xCetKMD6LXd2y2ro2XmqIp
-QTlEj833Voi3ULiesbqaY3tRZbJ/VyeycjgcClyqXA6JCwgvI3o92imXQSJanNRe
-XN4MWPRkunAKqPahJyQ+++Oov+vBlS6RJdQGa1+2+qi18f323UJlwYeCDvV6psKi
-FRMIBgJVKbuRMC1E381/MXr/J8WQK4IGbJP6oDeOGQujDwRYw6+byrx9Xbi2fvpA
-T0ff4+9aAfBatkBG9O8ZGPxUMk//nPKo78qwEZWo1cCsWXdPZyEafu4uNi7B5nQf
-EAwYofM3Igh6F5tHXmi/IyqNHIubfLJwrR/RFZW41zEyAqTTRcQxZsXR0bqTuFIm
-ki0q7+6E9hPfG9bo2ux4rC5ttmmlEYELdRmpicfybB0S0w4JxVu+qNY4wVnQc2KS
-6Sdif4EA3F+pvi21q0Nil8Xwp2xzdp7HDnTevZm/lKYyDv5XIhhAbCb3MVHuSRg1
-WBEp0YScn4wju1XUwrczgT2FZx9PQ6Pqb8kWvED988tLE8yULqMpMHeDF/goNNJb
-X9I521XSOLTPsKOALGeVt13CafO/Kuji+uQDXvj4hNUjIc49wvm30Gdng0IWnXsx
-srXbAgMBAAGgggGaMIIBlgYJKoZIhvcNAQkHMYIBhxOCAYNleUowZVhBaU9pSktW
-MVFpTENKaGJHY2lPaUpJVXpVeE1pSjkuZXlKa1lYUmhJam9pZTF3aVkyVnlkRzVo
-YldWY0lqcGNJbWt0TnpZM01tWmxPREZjSWl4Y0luSmxjWFZsYzNSbGNsd2lPbHdp
-UkdGdWFXVnNjeTFOWVdOQ2IyOXJMVkJ5YnkweUxteHZZMkZzWENJc1hDSnlaWFZ6
-WVdKc1pWd2lPbVpoYkhObExGd2lkbUZzYVdSbWIzSmNJam94TlRjMk9EQXdNREFz
-WENKMWRXbGtYQ0k2WENKbE16WmtNemt5T1MwNU5XVmxMVFF5TkRRdE9USXdaUzAw
-Tm1aaU4yWTRNVFUzWkRWY0luMGlMQ0psZUhBaU9pSXhOVGsxTVRjM05UYzBJbjAu
-Z2ZUcFVQTEdueHd0dmZNSDVDMHVjV3NYQnFyaEJEX0h2Q2lOSF85enZoRmFmSE1p
-al9uZzE0SzhGLU1NTGdRb0RCbG9PSnVralg4cWNraTVjRm1LS2cwDQYJKoZIhvcN
-AQELBQADggIBABneBgIDyCee43GXJGduaZKVVepGtfYsgmI3Uvq9AU+UNNrF56d/
-PhwsttTDC1V+vHBNuVq3hPgAb5TJ+f3DDT2v/3KenzAsOFRi0WEJ+iXjFRb4pJ8F
-cDsyyPgqTkAnIMTk1dnMvzP3yrROVqnE0XU/EvFv9aiWcFd8e/HSkWXQoo1SnTxp
-Ax6Dz673j9DBJwlg6yiFVvzO/styBAuVZBxA9r1VBUZUXqjmqQ36V8CJ+nATwoWt
-rKQDpz+jR3WoKtFm3IIctHOYzv2G0bUCOhALKPVqqaaXCLnlWS1T+a9IwkwsH5eN
-iOAb/NlSMO8vbXHyNV3zyNHEHGFzBgTYhQKJQvfPWPEpAG10jwvG5lY69wVev9+l
-4rg841j7FNc4A6URyZ4rgKdr45LDZODNyCKgPEc+cU5dPjORbRISo5SAfIAol+yo
-vIrhs1Bgs3sltnhGu9MJn9ffIhLyNkzstPaxP1xg+6yRiMXFTYxeAICtljgCAIPf
-ZKngEMO5ZQUoVEW1TfyFYjkxbXDy76JbmgsLHPaFfDvXBJzquzKjDObAvBHx260Y
-SGV4B8i9/ckcNSApkamuayZNSpelbLkrnkVqJy9XE8cQUgjwv7n8FJQMi/lmbwk6
-NbdRflL16fC52CXimwJD+jmlmjK3nE7B3z96L41dV/vW/pzjXIKuKepH
------END CERTIFICATE REQUEST-----

data/spec/spec_helper.rb

@@ -1,102 +0,0 @@
-require 'coveralls'
-Coveralls.wear!
-# This file was generated by the `rspec --init` command. Conventionally, all
-# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
-# The generated `.rspec` file contains `--require spec_helper` which will cause
-# this file to always be loaded, without a need to explicitly require it in any
-# files.
-#
-# Given that it is always loaded, you are encouraged to keep this file as
-# light-weight as possible. Requiring heavyweight dependencies from this file
-# will add to the boot time of your test suite on EVERY test run, even for an
-# individual file that may not need all of that loaded. Instead, consider making
-# a separate helper file that requires the additional dependencies and performs
-# the additional setup, and require it from the spec files that actually need
-# it.
-#
-# The `.rspec` file also contains a few flags that are not defaults but that
-# users commonly want.
-#
-# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
-#
-require_relative "../lib/autosign"
-@fixture_path = File.expand_path(File.join(__FILE__, '..', 'fixtures'))
-
-RSpec.configure do |config|
-  # rspec-expectations config goes here. You can use an alternate
-  # assertion/expectation library such as wrong or the stdlib/minitest
-  # assertions if you prefer.
-  config.expect_with :rspec do |expectations|
-    # This option will default to `true` in RSpec 4. It makes the `description`
-    # and `failure_message` of custom matchers include text for helper methods
-    # defined using `chain`, e.g.:
-    #     be_bigger_than(2).and_smaller_than(4).description
-    #     # => "be bigger than 2 and smaller than 4"
-    # ...rather than:
-    #     # => "be bigger than 2"
-    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
-  end
-
-  # rspec-mocks config goes here. You can use an alternate test double
-  # library (such as bogus or mocha) by changing the `mock_with` option here.
-  config.mock_with :rspec do |mocks|
-    # Prevents you from mocking or stubbing a method that does not exist on
-    # a real object. This is generally recommended, and will default to
-    # `true` in RSpec 4.
-    mocks.verify_partial_doubles = true
-  end
-
-# The settings below are suggested to provide a good initial experience
-# with RSpec, but feel free to customize to your heart's content.
-=begin
-  # These two settings work together to allow you to limit a spec run
-  # to individual examples or groups you care about by tagging them with
-  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
-  # get run.
-  config.filter_run :focus
-  config.run_all_when_everything_filtered = true
-
-  # Allows RSpec to persist some state between runs in order to support
-  # the `--only-failures` and `--next-failure` CLI options. We recommend
-  # you configure your source control system to ignore this file.
-  config.example_status_persistence_file_path = "spec/examples.txt"
-
-  # Limits the available syntax to the non-monkey patched syntax that is
-  # recommended. For more details, see:
-  #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
-  #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
-  #   - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
-  config.disable_monkey_patching!
-
-  # This setting enables warnings. It's recommended, but in some cases may
-  # be too noisy due to issues in dependencies.
-  config.warnings = true
-
-  # Many RSpec users commonly either run the entire suite or an individual
-  # file, and it's useful to allow more verbose output when running an
-  # individual spec file.
-  if config.files_to_run.one?
-    # Use the documentation formatter for detailed output,
-    # unless a formatter has already been configured
-    # (e.g. via a command-line flag).
-    config.default_formatter = 'doc'
-  end
-
-  # Print the 10 slowest examples and example groups at the
-  # end of the spec run, to help surface which specs are running
-  # particularly slow.
-  config.profile_examples = 10
-
-  # Run specs in random order to surface order dependencies. If you find an
-  # order dependency and want to debug it, you can fix the order by providing
-  # the seed, which is printed after each run.
-  #     --seed 1234
-  config.order = :random
-
-  # Seed global randomization in this process using the `--seed` CLI option.
-  # Setting this allows you to use `--seed` to deterministically reproduce
-  # test failures related to randomization by passing the same `--seed` value
-  # as the one that triggered the failure.
-  Kernel.srand config.seed
-=end
-end

data/spec/specs/config_spec.rb

@@ -1,20 +0,0 @@
-require 'spec_helper'
-
-context Autosign::Config do
-  describe 'basic use case' do
-    let(:settings) { {} }
-    let(:config) { Autosign::Config.new }
-    it 'accepts a hash as the parameter' do
-      expect { Autosign::Config.new(settings) }.to_not raise_error
-    end
-    it 'Returns hash' do
-      expect(config.settings).to be_a(Hash)
-    end
-    it 'Settings contains general section' do
-      expect(config.settings).to include(
-        'general' => be_a(Hash)
-      )
-    end
-
-  end
-end

data/spec/specs/decoder_spec.rb

@@ -1,16 +0,0 @@
-require 'spec_helper'
-
-context Autosign::Decoder do
-  describe '.decode_csr' do
-    let(:csr) { File.read(File.join('fixtures', 'i-7672fe81.pem')) }
-    it 'Accepts a CSR as the parameter' do
-      expect { Autosign::Decoder.decode_csr(csr) }.to_not raise_error
-    end
-    it 'Extracts the challenge_password and common_name from a CSR' do
-      expect(Autosign::Decoder.decode_csr(csr)).to eq({:challenge_password=>"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcImktNzY3MmZlODFcIixcInJlcXVlc3RlclwiOlwiRGFuaWVscy1NYWNCb29rLVByby0yLmxvY2FsXCIsXCJyZXVzYWJsZVwiOmZhbHNlLFwidmFsaWRmb3JcIjoxNTc2ODAwMDAsXCJ1dWlkXCI6XCJlMzZkMzkyOS05NWVlLTQyNDQtOTIwZS00NmZiN2Y4MTU3ZDVcIn0iLCJleHAiOiIxNTk1MTc3NTc0In0.gfTpUPLGnxwtvfMH5C0ucWsXBqrhBD_HvCiNH_9zvhFafHMij_ng14K8F-MMLgQoDBloOJukjX8qcki5cFmKKg", :common_name=>"i-7672fe81"})
-    end
-    it 'Returns nil given an invalid CSR' do
-      expect(Autosign::Decoder.decode_csr("not_a_csr")).to be_nil
-    end
-  end
-end

data/spec/specs/journal_spec.rb

@@ -1,41 +0,0 @@
-require 'spec_helper'
-require 'securerandom'
-
-context Autosign::Journal do
-  let(:settings) { {'journalfile' => '/tmp/test.journal'} }
-  let(:journal) { Autosign::Journal.new(settings) }
-  let(:uuid) { SecureRandom.uuid }
-  let(:validto) { Time.now.to_i + 900 }
-  let(:data) { {'arbitrary_hey' => 'value'} }
-
-
-  context 'class methods' do
-    describe '.new' do
-      it 'accepts a hash as the parameter' do
-        expect { Autosign::Journal.new(settings) }.to_not raise_error
-      end
-    end
-  end
-
-  context 'instance methods' do
-    describe '.add' do
-      it 'Returns hash' do
-        expect(journal.settings).to be_a(Hash)
-      end
-      it 'adds an entry to the journal with a data hash' do
-        expect(journal.add(uuid, validto, data)).to be true
-      end
-      it 'adds an entry to the journal without a data hash' do
-        expect(journal.add(uuid, validto)).to be true
-      end
-      it 'fail when adding two duplicate entries to the journal' do
-        expect(journal.add(uuid, validto, data)).to be true
-        expect(journal.add(uuid, validto, data)).to be false
-      end
-      it 'fail when adding an invalid UUID to the journal' do
-        expect(journal.add('invalid' + uuid, validto, data)).to be false
-      end
-    end
-
-  end
-end

data/spec/specs/token_spec.rb

@@ -1,102 +0,0 @@
-require 'spec_helper'
-require 'securerandom'
-
-context Autosign::Token do
-  let(:certname)  { 'host.example.com' }
-  let(:reusable)  { false }
-  let(:validfor)  { rand(60..604800) }
-  let(:requester) { 'Autosign::Token rspec_test' }
-  let(:secret)    { 'very_secret' }
-  let(:token)     { Autosign::Token.new(certname, reusable, validfor, requester, secret) }
-  let(:reusable_token)     { Autosign::Token.new(certname, true, validfor, requester, secret) }
-  let(:signed_token)     { token.sign }
-  let(:wildcard_signed_token)     { Autosign::Token.new('/.*\.example\.com/', reusable, validfor, requester, secret).sign }
-  let(:expired_token)     { Autosign::Token.new(certname, reusable, -1, requester, secret).sign }
-  let(:reconstituted_token) { Autosign::Token.from_token(signed_token, secret) }
-
-
-  context 'class methods' do
-    describe '.new' do
-      it 'accepts expected parameters' do
-        expect { Autosign::Token.new(certname, reusable, validfor, requester, secret) }.to_not raise_error
-      end
-    end
-    describe '.validate' do
-      it 'validates a previously-generated token' do
-        expect(Autosign::Token.validate(certname, signed_token, secret)).to be true
-      end
-      it 'validates a previously-generated wildcard token' do
-        expect(Autosign::Token.validate(certname, wildcard_signed_token, secret)).to be true
-      end
-      it 'does not validate a previously-generated wildcard token when it does not match the hostname' do
-        expect(Autosign::Token.validate('not_the_regex', wildcard_signed_token, secret)).to be false
-      end
-      it 'does not validate a token when the secret does not match' do
-        expect(Autosign::Token.validate(certname, signed_token, 'wrong_secret')).to be false
-      end
-      it 'does not validate a token when the certname does not match' do
-        expect(Autosign::Token.validate('wrong' + certname, signed_token, secret)).to be false
-      end
-      it 'does not validate an expired token' do
-        expect(Autosign::Token.validate(certname, expired_token, secret)).to be false
-      end
-    end
-    describe '.from_token' do
-      it 'returns an Autosign::Token instance' do
-        expect(Autosign::Token.from_token(signed_token, secret)).to be_a(Autosign::Token)
-      end
-      it 'has the same hash values as the original token' do
-        expect(reconstituted_token.to_hash).to eq(token.to_hash)
-      end
-    end
-    describe '.token_validto' do
-      it 'returns an integer' do
-        expect(Autosign::Token.token_validto(signed_token, secret)).to be_an(Integer)
-      end
-      it 'returns valid POSIX time' do
-        expect(Time.at(Autosign::Token.token_validto(signed_token, secret))).to be_a(Time)
-      end
-      it 'returns time reasonable close to the current time' do
-        expect(Time.at(Autosign::Token.token_validto(signed_token, secret)).between?(Time.now, Time.now + 604801)).to be true
-      end
-    end
-  end
-
-  context 'instance methods' do
-    describe '.validto' do
-      it 'returns an integer' do
-        expect(token.validfor).to be_a(Integer)
-      end
-      it 'Returns validto time' do
-        expect(token.validfor).to eq(validfor)
-      end
-    end
-    describe '.reusable' do
-      it 'returns the expected value' do
-        expect(token.reusable).to be(reusable)
-        expect(reusable_token.reusable).to be true
-      end
-    end
-    describe '.to_hash' do
-      it 'returns a hash' do
-        expect(token.to_hash).to be_a(Hash)
-      end
-      it 'includes the expected certname, requester, reusable, validfor, and a uuid' do
-        expect(token.to_hash).to include(
-          "certname"  => eq(certname),
-          "requester" => eq(requester),
-          "reusable"  => eq(reusable),
-          "validfor"  => eq(validfor),
-          "uuid"      => be_a(String)
-        )
-      end
-    end
-    describe '.sign' do
-      it 'returns a string' do
-        expect(token.sign).to be_a(String)
-      end
-    end
-
-
-  end
-end