certmeister 0.0.1

data/spec/certmeister/base_spec.rb

@@ -0,0 +1,205 @@
+require 'spec_helper'
+require 'helpers/certmeister_config_helper'
+require 'helpers/certmeister_signing_request_helper'
+
+require 'certmeister'
+require 'openssl'
+
+describe Certmeister do
+
+  it "is configured at instantiation" do
+    expect { Certmeister.new(CertmeisterConfigHelper::valid_config) }.to_not raise_error
+  end
+
+  it "cannot be instantiated with an invalid config" do
+    expect { Certmeister.new(Certmeister::Config.new({})) }.to raise_error(RuntimeError, /invalid config/)
+  end
+
+  describe "#sign(request)" do
+
+    let(:valid_request) { CertmeisterSigningRequestHelper::valid_request }
+
+    describe "refuses" do
+
+      it "refuses the request if it has no cn" do
+        ca = Certmeister.new(CertmeisterConfigHelper::valid_config)
+        response = ca.sign({})
+        invalid_request = valid_request.tap { |o| o.delete(:cn) }
+        response = ca.sign(invalid_request)
+        expect(response.error).to match /CN/
+      end
+
+      it "refuses the request if the sign policy declines it" do
+        options = CertmeisterConfigHelper::valid_config_options
+        options[:sign_policy] = Certmeister::Policy::Blackhole.new
+        ca = Certmeister.new(Certmeister::Config.new(options))
+        response = ca.sign(valid_request)
+        expect(response.error).to eql "request refused (blackholed)"
+      end
+
+      it "refuses to sign an invalid CSR" do
+        ca = Certmeister.new(CertmeisterConfigHelper::valid_config)
+        invalid_request = valid_request.tap { |o| o[:csr] = "a terrible misunderstanding" }
+        response = ca.sign(invalid_request)
+        expect(response.error).to eql "invalid CSR (not enough data)"
+      end
+
+      it "refuses to sign a CSR if the subject does not agree with the request CN" do
+        request = valid_request.tap { |r| r[:cn] = "monkeyface.example.com" }
+        ca = Certmeister.new(CertmeisterConfigHelper::valid_config)
+        response = ca.sign(request)
+        expect(response.error).to eql "CSR subject (axl.hetzner.africa) disagrees with request CN (monkeyface.example.com)"
+      end
+
+    end
+
+    describe "signing" do
+
+      def sign_valid_request
+        ca = Certmeister.new(CertmeisterConfigHelper::valid_config)
+        ca.sign(valid_request)
+      end
+
+      it "signs a CSR if the sign policy passes the request" do
+        response = sign_valid_request
+        expect(response).to be_hit
+      end
+
+      it "sets the issuer to the subject of the CA certificate" do
+        response = sign_valid_request
+        cert = OpenSSL::X509::Certificate.new(response.pem)
+        expect(cert.issuer.to_s).to match /CN=Certmeister Test CA/
+      end
+
+      it "sets the subject to the subject of the CSR" do
+        response = sign_valid_request
+        cert = OpenSSL::X509::Certificate.new(response.pem)
+        expect(cert.subject.to_s).to match /CN=axl.hetzner.africa/
+      end
+
+      it "sets validity to 5 years from now" do
+        now = (DateTime.now.to_time - 1)
+        response = sign_valid_request
+        cert = OpenSSL::X509::Certificate.new(response.pem)
+        expect(cert.not_before).to be >= now
+        expect(cert.not_after - cert.not_before).to be < (5 * 365 * 24 * 60 * 60 + 2)
+        expect(cert.not_after - cert.not_before).to be >= (5 * 365 * 24 * 60 * 60)
+      end
+
+      it "stores the signed certificate, indexed on request CN" do
+        config = CertmeisterConfigHelper::valid_config
+        ca = Certmeister.new(config)
+        response = ca.sign(valid_request)
+        stored = config.store.fetch('axl.hetzner.africa')
+        expect(stored).to eql response.pem
+      end
+
+      it "does not capture errors from the store" do
+        config = CertmeisterConfigHelper::valid_config
+        config.store.send(:break!)
+        ca = Certmeister.new(config)
+        expect { ca.sign(valid_request) }.to raise_error(Certmeister::StoreError)
+      end
+
+    end
+
+  end
+
+  describe "#fetch(request)" do
+
+    describe "refuses" do
+
+      it "refuses the request if it has no cn" do
+        ca = Certmeister.new(CertmeisterConfigHelper::valid_config)
+        response = ca.fetch({})
+        expect(response.error).to match /CN/
+      end
+
+      it "refuses the request if the fetch policy declines it" do
+        options = CertmeisterConfigHelper::valid_config_options
+        options[:fetch_policy] = Certmeister::Policy::Blackhole.new
+        ca = Certmeister.new(Certmeister::Config.new(options))
+        response = ca.fetch(cn: 'axl.starjuice.net')
+        expect(response.error).to eql "request refused (blackholed)"
+      end
+
+    end
+    
+    it "returns a miss if the store has no certificate for the cn" do
+      ca = Certmeister.new(CertmeisterConfigHelper::valid_config)
+      expect(ca.fetch(cn: 'axl.starjuice.net')).to be_miss
+    end
+
+    it "returns the certificate as a PEM-encoded string when the store has a certificate for the cn" do
+      config = CertmeisterConfigHelper::valid_config
+      config.store.store('axl.starjuice.net', '...')
+      ca = Certmeister.new(config)
+      expect(ca.fetch(cn: 'axl.starjuice.net').pem).to eql '...'
+    end
+
+    class StoreWithBrokenFetch
+      def store(cn, cert); end
+      def fetch(cn); raise Certmeister::StoreError.new("simulated error"); end
+      def health_check; end
+    end
+
+    it "does not capture errors from the store" do
+      config = CertmeisterConfigHelper::valid_config
+      config.store.send(:break!)
+      ca = Certmeister.new(config)
+      expect { ca.fetch(cn: 'axl.starjuice.net') }.to raise_error(Certmeister::StoreError)
+    end
+
+  end
+
+  describe "#remove(cn)" do
+
+    describe "refuses" do
+
+      it "refuses the request if it has no cn" do
+        ca = Certmeister.new(CertmeisterConfigHelper::valid_config)
+        response = ca.remove({})
+        expect(response.error).to match /CN/
+      end
+
+      it "refuses the request if the fetch policy declines it" do
+        options = CertmeisterConfigHelper::valid_config_options
+        options[:remove_policy] = Certmeister::Policy::Blackhole.new
+        ca = Certmeister.new(Certmeister::Config.new(options))
+        response = ca.remove(cn: 'axl.starjuice.net')
+        expect(response.error).to eql "request refused (blackholed)"
+      end
+
+    end
+    
+    it "returns a hit if the certificate existed in the store" do
+      config = CertmeisterConfigHelper::valid_config
+      config.store.store('axl.starjuice.net', '...')
+      ca = Certmeister.new(config)
+      expect(ca.remove(cn: 'axl.starjuice.net')).to be_hit
+    end
+
+    it "returns a miss if the certificate did not exist in the store" do
+      ca = Certmeister.new(CertmeisterConfigHelper::valid_config)
+      expect(ca.remove(cn: 'axl.starjuice.net')).to be_miss
+    end
+
+    it "removes the certificate from the store" do
+      config = CertmeisterConfigHelper::valid_config
+      config.store.store('axl.starjuice.net', '...')
+      ca = Certmeister.new(config)
+      ca.remove(cn: 'axl.starjuice.net')
+      expect(config.store.fetch('axl.starjuice.net')).to be_nil
+    end
+
+    it "does not capture errors from the store" do
+      config = CertmeisterConfigHelper::valid_config
+      config.store.send(:break!)
+      ca = Certmeister.new(config)
+      expect { ca.remove(cn: 'axl.starjuice.net') }.to raise_error(Certmeister::StoreError)
+    end
+
+  end
+
+end
+

data/spec/certmeister/config_spec.rb

@@ -0,0 +1,170 @@
+require 'spec_helper'
+require 'helpers/certmeister_config_helper'
+require 'helpers/certmeister_policy_helper'
+
+require 'certmeister'
+
+describe Certmeister::Config do
+
+  let(:options) { CertmeisterConfigHelper::valid_config_options }
+
+  def config_option_is_required(option)
+    options.delete(option)
+    config = Certmeister::Config.new(options)
+    expect(config).to_not be_valid
+    expect(config.errors[option]).to eql "is required"
+  end
+
+  def config_option_provides_method_with_arity(option, method, arity)
+    arity_name = case arity
+                 when 0 then "nullary"
+                 when 1 then "unary"
+                 when 2 then "binary"
+                 when 3 then "ternary"
+                 else
+                   raise "broken test helper does not support arity #{4}"
+                 end
+    options[option].send(:define_singleton_method, method) { |wrong, number, of, arguments| }
+
+    config = Certmeister::Config.new(options)
+    expect(config).to_not be_valid
+    expect(config.errors[option]).to eql "must provide a #{arity_name} #{method} method"
+  end
+
+  it "does not allow unknown options" do
+    options[:unknown] = 1
+    config = Certmeister::Config.new(options)
+    expect(config).to_not be_valid
+    expect(config.errors[:unknown]).to eql "is not a supported option"
+  end
+
+  describe ":ca_cert" do
+
+    it "is required" do
+      config_option_is_required(:ca_cert)
+    end
+
+    it "must be a PEM-encoded x509 certificate" do
+      options[:ca_cert] = "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"
+      config = Certmeister::Config.new(options)
+      expect(config).to_not be_valid
+      expect(config.errors[:ca_cert]).to eql "must be a PEM-encoded x509 certificate (nested asn1 error)"
+    end
+
+    it "is accessible as an OpenSSL::X509::Certificate object" do
+      config = Certmeister::Config.new(options)
+      expect(config.ca_cert).to be_a(OpenSSL::X509::Certificate)
+    end
+
+  end
+
+  describe ":ca_key" do
+
+    it "is required" do
+      config_option_is_required(:ca_key)
+    end
+
+    it "must be a string containing an x509 certificate in PEM encoding" do
+      options[:ca_key] = "-----BEGIN RSA PRIVATE KEY-----\n-----END RSA PRIVATE KEY-----\n"
+      config = Certmeister::Config.new(options)
+      expect(config).to_not be_valid
+      expect(config.errors[:ca_key]).to eql "must be a PEM-encoded private key (Could not parse PKey)"
+    end
+
+    it "is accessible as an OpenSSL::PKey::PKey object" do
+      config = Certmeister::Config.new(options)
+      expect(config.ca_key).to be_a(OpenSSL::PKey::PKey)
+    end
+
+  end
+
+  describe ":store" do
+
+    it "is required" do
+      config_option_is_required(:store)
+    end
+
+    it "must provide a binary store method" do
+      config_option_provides_method_with_arity(:store, :store, 2)
+    end
+
+    it "must provide a unary fetch method" do
+      config_option_provides_method_with_arity(:store, :fetch, 1)
+    end
+
+    it "must provide a unary remove method" do
+      config_option_provides_method_with_arity(:store, :remove, 1)
+    end
+
+    it "must provide a nullary health_check method" do
+      config_option_provides_method_with_arity(:store, :health_check, 0)
+    end
+
+    it "is accessible" do
+      config = Certmeister::Config.new(options)
+      expect(config.store).to eql options[:store]
+    end
+
+  end
+
+  [:sign_policy, :fetch_policy, :remove_policy].each do |policy|
+    describe ":#{policy}" do
+
+      it "is required" do
+        config_option_is_required(policy)
+      end
+
+      it "must provide a unary authenticate method" do
+        config_option_provides_method_with_arity(policy, :authenticate, 1)
+      end
+
+      it "must return a Certmeister::Policy::Response from the authenticate method" do
+        options[policy] = CertmeisterPolicyHelper::BrokenPolicy.new
+        config = Certmeister::Config.new(options)
+        expect(config).to_not be_valid
+        expect(config.errors[policy]).to eql "must return a policy response"
+      end
+
+      it "is accessible" do
+        config = Certmeister::Config.new(options)
+        expect(config.send(policy)).to eql options[policy]
+      end
+
+    end
+  end
+
+  describe "error_list" do
+
+    it "is empty if the config has no errors" do
+      config = Certmeister::Config.new(options)
+      config.valid?
+      expect(config.error_list).to be_empty
+    end
+
+    it "includes one string (option and message) per error if the config has errors" do
+      options.delete(:ca_cert)
+      options.delete(:ca_key)
+      config = Certmeister::Config.new(options)
+      config.valid?
+      expect(config.error_list).to match_array ["ca_cert is required", "ca_key is required"]
+    end
+
+  end
+
+  describe "openssl_digest" do
+
+    it "causes a validation failure if the OpenSSL library doesn't provide one" do
+      expect(OpenSSL::Digest).to receive(:const_defined?).twice.and_return(nil)
+      config = Certmeister::Config.new(options)
+      expect(config).to_not be_valid
+      expect(config.errors[:openssl_digest]).to eql "can't find FIPS 140-2 compliant algorithm in OpenSSL::Digest"
+    end
+
+    it "is accessible without being supplied" do
+      config = Certmeister::Config.new(options)
+      expect([OpenSSL::Digest::SHA256, OpenSSL::Digest::SHA1]).to include(config.openssl_digest)
+    end
+
+  end
+
+end

data/spec/certmeister/in_memory_store_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper'
+require 'certmeister/test/memory_store_interface'
+
+require 'certmeister/in_memory_store'
+
+describe Certmeister::InMemoryStore do
+
+  class << self
+    include Certmeister::Test::MemoryStoreInterface
+  end
+
+  it_behaves_like_a_certmeister_store
+
+  describe "for use in testing" do
+
+    it "can be initialized with an existing data set" do
+      existing = {'axl.hetzner.africa' => '...cert...'}
+      store = Certmeister::InMemoryStore.new(existing)
+      expect(store.fetch('axl.hetzner.africa')).to eql '...cert...'
+    end
+
+    it "store raises Certmeister::StoreError when broken" do
+      subject.send(:break!)
+      expect { subject.store('axl.hetzner.africa', "first") }.to raise_error(Certmeister::StoreError)
+    end
+
+    it "fetch raises Certmeister::StoreError when broken" do
+      subject.send(:break!)
+      expect { subject.fetch('axl.hetzner.africa') }.to raise_error(Certmeister::StoreError, "in-memory store is broken")
+    end
+
+    it "remove raises Certmeister::StoreError when broken" do
+      subject.send(:break!)
+      expect { subject.remove('axl.hetzner.africa') }.to raise_error(Certmeister::StoreError, "in-memory store is broken")
+    end
+
+  end
+
+end
+

data/spec/certmeister/policy/blackhole_spec.rb

@@ -0,0 +1,19 @@
+require 'spec_helper'
+require 'helpers/certmeister_signing_request_helper'
+
+require 'certmeister/policy/blackhole'
+
+describe Certmeister::Policy::Blackhole do
+
+  it "demands a request" do
+    expect { subject.authenticate }.to raise_error(ArgumentError)
+  end
+
+  it "refuses any request" do
+    response = subject.authenticate(CertmeisterSigningRequestHelper::valid_request)
+    expect(response).to_not be_authenticated
+    expect(response.error).to eql "blackholed"
+  end
+
+end
+

data/spec/certmeister/policy/chain_all_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper'
+require 'certmeister/policy/blackhole'
+require 'certmeister/policy/noop'
+
+require 'certmeister/policy/chain_all'
+
+describe Certmeister::Policy::ChainAll do
+
+  it "must be configured with a list of policys" do
+    expected_error = "enumerable collection of policys required"
+    expect { Certmeister::Policy::ChainAll.new }.to raise_error(ArgumentError)
+    expect { Certmeister::Policy::ChainAll.new(Certmeister::Policy::Noop.new) }.to raise_error(ArgumentError, expected_error)
+    expect { Certmeister::Policy::ChainAll.new([]) }.to raise_error(ArgumentError, expected_error)
+  end
+
+  it "demands a request" do
+    policy = Certmeister::Policy::ChainAll.new([Certmeister::Policy::Noop.new])
+    expect { policy.authenticate }.to raise_error(ArgumentError)
+  end
+
+  it "authenticates a request that all its chained policys authenticate" do
+    policy = Certmeister::Policy::ChainAll.new([Certmeister::Policy::Noop.new, Certmeister::Policy::Noop.new])
+    response = policy.authenticate({anything: 'something'})
+    expect(response).to be_authenticated
+  end
+
+  it "refuses a request that any one of its chained policys refuses" do
+    refuse_last = Certmeister::Policy::ChainAll.new([ Certmeister::Policy::Noop.new, Certmeister::Policy::Blackhole.new])
+    refuse_first = Certmeister::Policy::ChainAll.new([ Certmeister::Policy::Blackhole.new, Certmeister::Policy::Noop.new])
+    policys = [refuse_last, refuse_first]
+
+    policys.each do |policy|
+      response = policy.authenticate({anything: 'something'})
+      expect(response).to_not be_authenticated
+      expect(response.error).to eql "blackholed"
+    end
+  end
+
+end
+