certmeister 1.0.1 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d5a9e171d0871cb9253d14dca465d5a9803fa07c
-  data.tar.gz: 163ae3a914300d3893107bd791d5a9a8f707a24e
+  metadata.gz: d3a26696f474a3c8396726f7b84840b062172f86
+  data.tar.gz: 1e1e66376dda66c3a1a805b2f9335e516c8503a4
 SHA512:
-  metadata.gz: e2da9a19b6c041e1567cc4e83258d44b8c40084904d53e03b5d0ce8ff1c39c3097aa639f7547ca123615a9d7dda352868a00062690da32624bffdcaf631b468e
-  data.tar.gz: 63887e6513a50bc4418d6aab14ef10c07dae4c614d881a27f7b30bef38526c87f1ac34440e293f4cb90f99e34faa9ee7ca1020849293517761a80c1b0549afc5
+  metadata.gz: 929dbfe79056c3e6150c69571f50a1ef4d46e4a2205790c9b1a0b248a7b6f371b64cab6312eb3853180ccdb99ad740057be4fb2cb1db5ba41f70ae5754ec1f0b
+  data.tar.gz: e3e1e03909bce76551b33b588cc4081e08d5274d7e5966b83545888f8f509b340d4c82fb2d082210a70fce6cdb7baae8c4d6295ca9f20c6b9153953eb09dce8b

data/Gemfile.lock

@@ -1,9 +1,9 @@
 PATH
   remote: .
   specs:
-    certmeister (1.0.1)
-    certmeister-rack (1.0.1)
-      certmeister (= 1.0.1)
+    certmeister (1.1.0)
+    certmeister-rack (1.1.0)
+      certmeister (= 1.1.0)
       rack (~> 1.5)
 
 GEM

data/lib/certmeister/self_test.rb

@@ -0,0 +1,70 @@
+module Certmeister
+
+  class SelfTest
+
+    # Pass in PEM-encoded key for fast tests that don't need lots of entropy.
+    def initialize(ca, key = nil)
+      @ca = ca
+      @key = key
+    end
+
+    def test(req = {cn: 'test', ip: '127.0.0.1'})
+      begin
+        res = @ca.remove(req)
+        res.hit? or res.miss? or raise "Test certificate remove failed: #{res.error}"
+
+        csr = get_csr("C=ZA, ST=Western Cape, L=Cape Town, O=Hetzner PTY Ltd, CN=#{req[:cn]}")
+        res = @ca.sign(cn: 'test', csr: csr.to_pem, ip: '127.0.0.1')
+        res.hit? or raise "Test certificate signing failed: #{res.error}"
+
+        res = @ca.fetch(cn: 'test', ip: '127.0.0.1')
+        res.hit? or raise "Test certificate fetch failed: #{res.error}"
+
+        cert = OpenSSL::X509::Certificate.new(res.pem)
+        cert.subject.to_s =~ /CN=#{req[:cn]}/ or raise "Test certificate common name mismatch"
+
+        Result.new(true, {message: "OK"})
+      rescue Exception => e
+        Result.new(false, {message: e.message})
+      end
+    end
+
+    private
+
+    def get_csr(subject)
+      key = get_key
+      csr = OpenSSL::X509::Request.new
+      csr.version = 0
+      csr.subject = OpenSSL::X509::Name.parse(subject)
+      csr.public_key = key.public_key
+      csr.sign key, OpenSSL::Digest::SHA1.new
+      csr
+    end
+
+    def get_key
+      OpenSSL::PKey::RSA.new(@key || 4096).tap do |key|
+        @key ||= key.to_pem
+      end
+    end
+
+    class Result
+      attr_reader :data
+
+      def initialize(ok, data)
+        @ok = !!ok
+        @data = data
+      end
+
+      def ok?
+        @ok
+      end
+
+      def message
+        @data.fetch(:message, nil) if @data.respond_to?(:fetch)
+      end
+
+    end
+
+  end
+
+end

data/lib/certmeister/version.rb

@@ -1,5 +1,5 @@
 module Certmeister
 
-  VERSION = '1.0.1' unless defined?(VERSION)
+  VERSION = '1.1.0' unless defined?(VERSION)
 
 end

data/spec/certmeister/policy/fcrdns_spec.rb

@@ -9,25 +9,25 @@ describe Certmeister::Policy::Fcrdns do
   end
 
   it "refuses to authenticate a request with a missing cn" do
-    response = subject.authenticate({ip: '127.0.0.1'})
+    response = subject.authenticate({ip: '8.8.8.8'})
     expect(response).to_not be_authenticated
     expect(response.error).to eql "missing cn"
   end
 
   it "refuses to authenticate a request with a missing ip" do
-    response = subject.authenticate({cn: 'localhost'})
+    response = subject.authenticate({cn: 'google-public-dns-a.google.com'})
     expect(response).to_not be_authenticated
     expect(response.error).to eql "missing ip"
   end
 
   it "refuses to authenticate a request with an ip that does not have fcrdns that matches the cn" do
-    response = subject.authenticate({cn: 'bad.example.com', ip: '127.0.0.1'})
+    response = subject.authenticate({cn: 'google-public-dns-a.google.com', ip: '127.0.0.1'})
     expect(response).to_not be_authenticated
     expect(response.error).to eql "cn does not match fcrdns"
   end
 
-  it "authenticates any request with an ip that does not have fcrdns that matches the cn" do
-    response = subject.authenticate({cn: 'localhost', ip: '127.0.0.1'})
+  it "authenticates any request with an ip that has fcrdns that matches the cn" do
+    response = subject.authenticate({cn: 'google-public-dns-a.google.com', ip: '8.8.8.8'})
     expect(response).to be_authenticated
   end
 

data/spec/certmeister/self_test_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+require 'helpers/certmeister_config_helper'
+
+require 'certmeister'
+
+describe Certmeister::SelfTest do
+
+  subject { Certmeister::SelfTest.new(ca, File.read('fixtures/client.key')) }
+
+  describe "#test(req = {cn: 'test', ip: '127.0.0.1'})" do
+
+    context "when the CA is functioning correctly" do
+
+      let(:ca) { Certmeister.new(CertmeisterConfigHelper::valid_config) }
+
+      it "returns success" do
+        res = subject.test(cn: 'test', ip: '127.0.0.1')
+        expect(res).to be_ok
+      end
+
+    end
+
+    context "when the CA is malfunctioning" do
+
+      let(:store) { Certmeister::InMemoryStore.new.tap { |o| o.send(:break!) } }
+      let(:ca) { Certmeister.new(CertmeisterConfigHelper::custom_config(store: store)) }
+
+      it "returns an error" do
+        res = subject.test(cn: 'test', ip: '127.0.0.1')
+        expect(res).to_not be_ok
+      end
+
+      it "provides an error message in the response data" do
+        res = subject.test(cn: 'test', ip: '127.0.0.1')
+        expect(res.data[:message]).to match /in-memory store is broken/
+      end
+
+    end
+
+  end
+
+end

data/spec/helpers/certmeister_config_helper.rb

@@ -18,4 +18,8 @@ module CertmeisterConfigHelper
     Certmeister::Config.new(valid_config_options)
   end
 
+  def self.custom_config(options)
+    Certmeister::Config.new(valid_config_options.merge(options))
+  end
+
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: certmeister
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.1.0
 platform: ruby
 authors:
 - Sheldon Hearn
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-29 00:00:00.000000000 Z
+date: 2015-02-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -102,6 +102,7 @@ files:
 - lib/certmeister/policy/psk.rb
 - lib/certmeister/policy/response.rb
 - lib/certmeister/response.rb
+- lib/certmeister/self_test.rb
 - lib/certmeister/store_error.rb
 - lib/certmeister/test/memory_store_interface.rb
 - lib/certmeister/version.rb
@@ -119,6 +120,7 @@ files:
 - spec/certmeister/policy/psk_spec.rb
 - spec/certmeister/policy/response_spec.rb
 - spec/certmeister/response_spec.rb
+- spec/certmeister/self_test_spec.rb
 - spec/helpers/certmeister_config_helper.rb
 - spec/helpers/certmeister_fetching_request_helper.rb
 - spec/helpers/certmeister_policy_helper.rb
@@ -164,6 +166,7 @@ test_files:
 - spec/certmeister/policy/psk_spec.rb
 - spec/certmeister/policy/response_spec.rb
 - spec/certmeister/response_spec.rb
+- spec/certmeister/self_test_spec.rb
 - spec/helpers/certmeister_config_helper.rb
 - spec/helpers/certmeister_fetching_request_helper.rb
 - spec/helpers/certmeister_policy_helper.rb