clc-cheffish 0.8.clc

data/spec/integration/chef_organization_spec.rb

@@ -0,0 +1,244 @@
+require 'support/spec_support'
+require 'chef/resource/chef_organization'
+require 'chef/provider/chef_organization'
+
+describe Chef::Resource::ChefOrganization do
+  extend SpecSupport
+
+  when_the_chef_server 'is in multi-org mode', :osc_compat => false, :single_org => false do
+    context 'and chef_server_url is pointed at the top level' do
+      user 'u', {}
+      user 'u2', {}
+
+      it 'chef_organization "x" creates the organization' do
+        run_recipe do
+          chef_organization 'x'
+        end
+        expect(chef_run).to have_updated('chef_organization[x]', :create)
+        expect(get('/organizations/x')['full_name']).to eq('x')
+      end
+    end
+
+    context 'and chef_server_url is pointed at /organizations/foo' do
+      organization 'foo'
+
+      before :each do
+        Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url, '/organizations/foo').to_s
+      end
+
+      context 'and is empty' do
+        user 'u', {}
+        user 'u2', {}
+
+        it 'chef_organization "x" creates the organization' do
+          run_recipe do
+            chef_organization 'x'
+          end
+          expect(chef_run).to have_updated('chef_organization[x]', :create)
+          expect(get('/organizations/x')['full_name']).to eq('x')
+        end
+
+        it 'chef_organization "x" with full_name creates the organization' do
+          run_recipe do
+            chef_organization 'x' do
+              full_name 'Hi'
+            end
+          end
+          expect(chef_run).to have_updated('chef_organization[x]', :create)
+          expect(get('/organizations/x')['full_name']).to eq('Hi')
+        end
+
+        it 'chef_organization "x" and inviting users creates the invites' do
+          run_recipe do
+            chef_organization 'x' do
+              invites 'u', 'u2'
+            end
+          end
+          expect(chef_run).to have_updated('chef_organization[x]', :create)
+          expect(get('/organizations/x/association_requests').map { |u| u['username'] }).to eq(%w(u u2))
+        end
+
+        it 'chef_organization "x" adds members' do
+          run_recipe do
+            chef_organization 'x' do
+              members 'u', 'u2'
+            end
+          end
+          expect(chef_run).to have_updated('chef_organization[x]', :create)
+          expect(get('/organizations/x/users').map { |u| u['user']['username'] }).to eq(%w(u u2))
+        end
+      end
+
+      context 'and already has an organization named x' do
+        user 'u', {}
+        user 'u2', {}
+        user 'u3', {}
+        user 'member', {}
+        user 'member2', {}
+        user 'invited', {}
+        user 'invited2', {}
+        organization 'x', { 'full_name' => 'Lo' } do
+          org_member 'member', 'member2'
+          org_invite 'invited', 'invited2'
+        end
+
+        it 'chef_organization "x" changes nothing' do
+          run_recipe do
+            chef_organization 'x'
+          end
+          expect(chef_run).not_to have_updated('chef_organization[x]', :create)
+          expect(get('/organizations/x')['full_name']).to eq('Lo')
+        end
+
+        it 'chef_organization "x" with "complete true" reverts the full_name' do
+          run_recipe do
+            chef_organization 'x' do
+              complete true
+            end
+          end
+          expect(chef_run).to have_updated('chef_organization[x]', :create)
+          expect(get('/organizations/x')['full_name']).to eq('x')
+        end
+
+        it 'chef_organization "x" with new full_name updates the organization' do
+          run_recipe do
+            chef_organization 'x' do
+              full_name 'Hi'
+            end
+          end
+          expect(chef_run).to have_updated('chef_organization[x]', :create)
+          expect(get('/organizations/x')['full_name']).to eq('Hi')
+        end
+
+        context 'invites and membership tests' do
+          it 'chef_organization "x" and inviting users creates the invites' do
+            run_recipe do
+              chef_organization 'x' do
+                invites 'u', 'u2'
+              end
+            end
+            expect(chef_run).to have_updated('chef_organization[x]', :create)
+            expect(get('/organizations/x/association_requests').map { |u| u['username'] }).to eq(%w(invited invited2 u u2))
+          end
+
+          it 'chef_organization "x" adds members' do
+            run_recipe do
+              chef_organization 'x' do
+                members 'u', 'u2'
+              end
+            end
+            expect(chef_run).to have_updated('chef_organization[x]', :create)
+            expect(get('/organizations/x/users').map { |u| u['user']['username'] }).to eq(%w(member member2 u u2))
+          end
+
+          it 'chef_organization "x" does nothing when inviting already-invited users and members' do
+            run_recipe do
+              chef_organization 'x' do
+                invites 'invited', 'member'
+              end
+            end
+            expect(chef_run).not_to have_updated('chef_organization[x]', :create)
+            expect(get('/organizations/x/association_requests').map { |u| u['username'] }).to eq(%w(invited invited2))
+            expect(get('/organizations/x/users').map { |u| u['user']['username'] }).to eq(%w(member member2))
+          end
+
+          it 'chef_organization "x" does nothing when adding members who are already members' do
+            run_recipe do
+              chef_organization 'x' do
+                members 'member'
+              end
+            end
+            expect(chef_run).not_to have_updated('chef_organization[x]', :create)
+            expect(get('/organizations/x/association_requests').map { |u| u['username'] }).to eq(%w(invited invited2))
+            expect(get('/organizations/x/users').map { |u| u['user']['username'] }).to eq(%w(member member2))
+          end
+
+          it 'chef_organization "x" upgrades invites to members when asked' do
+            run_recipe do
+              chef_organization 'x' do
+                members 'invited'
+              end
+            end
+            expect(chef_run).to have_updated('chef_organization[x]', :create)
+            expect(get('/organizations/x/users').map { |u| u['user']['username'] }).to eq(%w(invited member member2))
+            expect(get('/organizations/x/association_requests').map { |u| u['username'] }).to eq(%w(invited2))
+          end
+
+          it 'chef_organization "x" removes members and invites when asked' do
+            run_recipe do
+              chef_organization 'x' do
+                remove_members 'invited', 'member'
+              end
+            end
+            expect(chef_run).to have_updated('chef_organization[x]', :create)
+            expect(get('/organizations/x/association_requests').map { |u| u['username'] }).to eq(%w(invited2))
+            expect(get('/organizations/x/users').map { |u| u['user']['username'] }).to eq(%w(member2))
+          end
+
+          it 'chef_organization "x" does nothing when asked to remove non-members' do
+            run_recipe do
+              chef_organization 'x' do
+                remove_members 'u', 'u2'
+              end
+            end
+            expect(chef_run).not_to have_updated('chef_organization[x]', :create)
+            expect(get('/organizations/x/association_requests').map { |u| u['username'] }).to eq(%w(invited invited2))
+            expect(get('/organizations/x/users').map { |u| u['user']['username'] }).to eq(%w(member member2))
+          end
+
+          it 'chef_organization "x" with "complete true" reverts the full_name but does not remove invites or members' do
+            run_recipe do
+              chef_organization 'x' do
+                complete true
+              end
+            end
+            expect(chef_run).to have_updated('chef_organization[x]', :create)
+            expect(get('/organizations/x')['full_name']).to eq('x')
+            expect(get('/organizations/x/association_requests').map { |u| u['username'] }).to eq(%w(invited invited2))
+            expect(get('/organizations/x/users').map { |u| u['user']['username'] }).to eq(%w(member member2))
+          end
+
+          it 'chef_organization "x" with members [] and "complete true" removes invites and members' do
+            run_recipe do
+              chef_organization 'x' do
+                members []
+                complete true
+              end
+            end
+            expect(chef_run).to have_updated('chef_organization[x]', :create)
+            expect(get('/organizations/x')['full_name']).to eq('x')
+            expect(get('/organizations/x/association_requests').map { |u| u['username'] }).to eq([])
+            expect(get('/organizations/x/users').map { |u| u['user']['username'] }).to eq([])
+          end
+
+          it 'chef_organization "x" with members [] and "complete true" removes invites but not members' do
+            run_recipe do
+              chef_organization 'x' do
+                invites []
+                complete true
+              end
+            end
+            expect(chef_run).to have_updated('chef_organization[x]', :create)
+            expect(get('/organizations/x')['full_name']).to eq('x')
+            expect(get('/organizations/x/association_requests').map { |u| u['username'] }).to eq([])
+            expect(get('/organizations/x/users').map { |u| u['user']['username'] }).to eq(%w(member member2))
+          end
+
+          it 'chef_organization "x" with invites, members and "complete true" removes all non-specified invites and members' do
+            run_recipe do
+              chef_organization 'x' do
+                invites 'invited', 'u'
+                members 'member', 'u2'
+                complete true
+              end
+            end
+            expect(chef_run).to have_updated('chef_organization[x]', :create)
+            expect(get('/organizations/x')['full_name']).to eq('x')
+            expect(get('/organizations/x/association_requests').map { |u| u['username'] }).to eq(%w(invited u))
+            expect(get('/organizations/x/users').map { |u| u['user']['username'] }).to eq(%w(member u2))
+          end
+        end
+      end
+    end
+  end
+end

data/spec/integration/chef_user_spec.rb

@@ -0,0 +1,90 @@
+require 'support/spec_support'
+require 'support/key_support'
+require 'chef/resource/chef_user'
+require 'chef/provider/chef_user'
+
+repo_path = Dir.mktmpdir('chef_repo')
+
+describe Chef::Resource::ChefUser do
+  extend SpecSupport
+
+  with_recipe do
+    private_key "#{repo_path}/blah.pem"
+  end
+
+  when_the_chef_server 'is empty' do
+    context 'and we run a recipe that creates user "blah"'do
+      with_converge do
+        chef_user 'blah' do
+          source_key_path "#{repo_path}/blah.pem"
+        end
+      end
+
+      it 'the user gets created' do
+        expect(chef_run).to have_updated 'chef_user[blah]', :create
+        user = get('/users/blah')
+        expect(user['name']).to eq('blah')
+        key, format = Cheffish::KeyFormatter.decode(user['public_key'])
+        expect(key).to be_public_key_for("#{repo_path}/blah.pem")
+      end
+    end
+
+    context 'and we run a recipe that creates user "blah" with output_key_path' do
+      with_converge do
+        chef_user 'blah' do
+          source_key_path "#{repo_path}/blah.pem"
+          output_key_path "#{repo_path}/blah.pub"
+        end
+      end
+
+      it 'the output public key gets created' do
+        expect(IO.read("#{repo_path}/blah.pub")).to start_with('ssh-rsa ')
+        expect("#{repo_path}/blah.pub").to be_public_key_for("#{repo_path}/blah.pem")
+      end
+    end
+  end
+
+  when_the_chef_server 'is multitenant', :osc_compat => false, :single_org => false do
+    context 'and chef_server_url is pointed at the top level' do
+      context 'and we run a recipe that creates user "blah"'do
+        with_converge do
+          chef_user 'blah' do
+            source_key_path "#{repo_path}/blah.pem"
+          end
+        end
+
+        it 'the user gets created' do
+          expect(chef_run).to have_updated 'chef_user[blah]', :create
+          user = get('/users/blah')
+          expect(user['name']).to eq('blah')
+          key, format = Cheffish::KeyFormatter.decode(user['public_key'])
+          expect(key).to be_public_key_for("#{repo_path}/blah.pem")
+        end
+      end
+    end
+
+    context 'and chef_server_url is pointed at /organizations/foo' do
+      organization 'foo'
+
+      before :each do
+        Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url, '/organizations/foo').to_s
+      end
+
+      context 'and we run a recipe that creates user "blah"'do
+        with_converge do
+          chef_user 'blah' do
+            source_key_path "#{repo_path}/blah.pem"
+          end
+        end
+
+        it 'the user gets created' do
+          expect(chef_run).to have_updated 'chef_user[blah]', :create
+          user = get('/users/blah')
+          expect(user['name']).to eq('blah')
+          key, format = Cheffish::KeyFormatter.decode(user['public_key'])
+          expect(key).to be_public_key_for("#{repo_path}/blah.pem")
+        end
+      end
+    end
+  end
+end

data/spec/integration/private_key_spec.rb

@@ -0,0 +1,446 @@
+require 'support/spec_support'
+require 'chef/resource/private_key'
+require 'chef/provider/private_key'
+require 'chef/resource/public_key'
+require 'chef/provider/public_key'
+require 'support/key_support'
+
+repo_path = Dir.mktmpdir('chef_repo')
+
+describe Chef::Resource::PrivateKey do
+  extend SpecSupport
+
+  before :each do
+    FileUtils.remove_entry_secure(repo_path)
+    Dir.mkdir(repo_path)
+  end
+
+  context 'with a recipe with a private_key' do
+    with_recipe do
+      private_key "#{repo_path}/blah"
+    end
+
+    it 'the private_key is created in pem format' do
+      expect(chef_run).to have_updated "private_key[#{repo_path}/blah]", :create
+      expect(IO.read("#{repo_path}/blah")).to start_with('-----BEGIN')
+      expect(OpenSSL::PKey.read(IO.read("#{repo_path}/blah"))).to be_kind_of(OpenSSL::PKey::RSA)
+    end
+  end
+
+  context 'with a private_key "blah" resource' do
+    before :each do
+      Dir.mkdir("#{repo_path}/other_keys")
+      Chef::Config.private_key_paths = [ repo_path, "#{repo_path}/other_keys" ]
+    end
+
+    with_recipe do
+      private_key 'blah'
+    end
+
+    it 'the private key is created in the private_key_write_path' do
+      expect(chef_run).to have_updated "private_key[blah]", :create
+      expect(Chef::Config.private_key_write_path).to eq(repo_path)
+      expect(File.exist?("#{repo_path}/blah")).to be true
+      expect(File.exist?("#{repo_path}/other_keys/blah")).to be false
+      expect(OpenSSL::PKey.read(IO.read("#{repo_path}/blah"))).to be_kind_of(OpenSSL::PKey::RSA)
+      expect(OpenSSL::PKey.read(Cheffish.get_private_key('blah'))).to be_kind_of(OpenSSL::PKey::RSA)
+    end
+
+    context 'and the private key already exists somewhere not in the write path' do
+      before :each do
+        Cheffish::BasicChefClient.converge_block do
+          private_key "#{repo_path}/other_keys/blah"
+        end
+      end
+
+      it 'the private expect(key).to not update' do
+        expect(chef_run).not_to have_updated "private_key[blah]", :create
+
+        expect(File.exist?("#{repo_path}/blah")).to be false
+        expect(File.exist?("#{repo_path}/other_keys/blah")).to be true
+      end
+    end
+  end
+
+  context 'with a private key' do
+    before :each do
+      Cheffish::BasicChefClient.converge_block do
+        private_key "#{repo_path}/blah"
+      end
+    end
+
+    context 'and a private_key that copies it in der format' do
+      with_converge do
+        private_key "#{repo_path}/blah.der" do
+          source_key_path "#{repo_path}/blah"
+          format :der
+        end
+      end
+
+      it 'the private_key is copied in der format and is identical' do
+        expect(chef_run).to have_updated "private_key[#{repo_path}/blah.der]", :create
+        key_str = IO.read("#{repo_path}/blah.der")
+        expect(key_str).not_to start_with('-----BEGIN')
+        expect(key_str).not_to start_with('ssh-')
+        expect("#{repo_path}/blah.der").to match_private_key("#{repo_path}/blah")
+      end
+    end
+
+    it 'a private_key that copies it from in-memory as a string succeeds' do
+      run_recipe do
+        private_key "#{repo_path}/blah.der" do
+          source_key IO.read("#{repo_path}/blah")
+          format :der
+        end
+      end
+
+      expect(chef_run).to have_updated "private_key[#{repo_path}/blah.der]", :create
+      key_str = IO.read("#{repo_path}/blah.der")
+      expect(key_str).not_to start_with('-----BEGIN')
+      expect(key_str).not_to start_with('ssh-')
+      expect("#{repo_path}/blah.der").to match_private_key("#{repo_path}/blah")
+    end
+
+    it 'a private_key that copies it from in-memory as a key succeeds' do
+      key = OpenSSL::PKey.read(IO.read("#{repo_path}/blah"))
+      run_recipe do
+        private_key "#{repo_path}/blah.der" do
+          source_key key
+          format :der
+        end
+      end
+
+      expect(chef_run).to have_updated "private_key[#{repo_path}/blah.der]", :create
+      key_str = IO.read("#{repo_path}/blah.der")
+      expect(key_str).not_to start_with('-----BEGIN')
+      expect(key_str).not_to start_with('ssh-')
+      expect("#{repo_path}/blah.der").to match_private_key("#{repo_path}/blah")
+    end
+
+    context 'and a public_key recipe' do
+      with_converge do
+        public_key "#{repo_path}/blah.pub" do
+          source_key_path "#{repo_path}/blah"
+        end
+      end
+
+      it 'the public_key is created' do
+        expect(chef_run).to have_updated "public_key[#{repo_path}/blah.pub]", :create
+        expect(IO.read("#{repo_path}/blah.pub")).to start_with('ssh-rsa ')
+        expect("#{repo_path}/blah.pub").to be_public_key_for "#{repo_path}/blah"
+      end
+    end
+
+    context 'and a public key' do
+      before :each do
+        Cheffish::BasicChefClient.converge_block do
+          public_key "#{repo_path}/blah.pub" do
+            source_key_path "#{repo_path}/blah"
+          end
+        end
+      end
+
+      context 'and public_key resource based off the public key file' do
+        with_converge do
+          public_key "#{repo_path}/blah.pub2" do
+            source_key_path "#{repo_path}/blah.pub"
+          end
+        end
+
+        it 'the second public_key is created' do
+          expect(chef_run).to have_updated "public_key[#{repo_path}/blah.pub2]", :create
+          expect(IO.read("#{repo_path}/blah.pub")).to start_with('ssh-rsa ')
+          expect("#{repo_path}/blah.pub").to be_public_key_for "#{repo_path}/blah"
+        end
+      end
+
+      context 'and another public_key based off the first public_key in-memory in a string' do
+        with_converge do
+          public_key "#{repo_path}/blah.pub2" do
+            source_key IO.read("#{repo_path}/blah.pub")
+          end
+        end
+
+        it 'the second public_key is created' do
+          expect(chef_run).to have_updated "public_key[#{repo_path}/blah.pub2]", :create
+          expect(IO.read("#{repo_path}/blah.pub")).to start_with('ssh-rsa ')
+          expect("#{repo_path}/blah.pub").to be_public_key_for "#{repo_path}/blah"
+        end
+      end
+
+      it 'and another public_key based off the first public_key in-memory in a key, the second public_key is created' do
+        key, format = Cheffish::KeyFormatter.decode(IO.read("#{repo_path}/blah.pub"))
+
+        run_recipe do
+          public_key "#{repo_path}/blah.pub2" do
+            source_key key
+          end
+        end
+
+        expect(chef_run).to have_updated "public_key[#{repo_path}/blah.pub2]", :create
+        expect(IO.read("#{repo_path}/blah.pub")).to start_with('ssh-rsa ')
+        expect("#{repo_path}/blah.pub").to be_public_key_for "#{repo_path}/blah"
+      end
+
+      context 'and another public_key in :pem format based off the first public_key' do
+        with_converge do
+          public_key "#{repo_path}/blah.pub2" do
+            source_key_path "#{repo_path}/blah.pub"
+            format :pem
+          end
+        end
+
+        it 'the second public_key is created' do
+          expect(chef_run).to have_updated "public_key[#{repo_path}/blah.pub2]", :create
+          expect(IO.read("#{repo_path}/blah.pub")).to start_with('ssh-rsa ')
+          expect("#{repo_path}/blah.pub").to be_public_key_for "#{repo_path}/blah"
+        end
+      end
+
+      context 'and another public_key in :der format based off the first public_key' do
+        with_converge do
+          public_key "#{repo_path}/blah.pub2" do
+            source_key_path "#{repo_path}/blah.pub"
+            format :pem
+          end
+        end
+
+        it 'the second public_key is created' do
+          expect(chef_run).to have_updated "public_key[#{repo_path}/blah.pub2]", :create
+          expect(IO.read("#{repo_path}/blah.pub")).to start_with('ssh-rsa ')
+          expect("#{repo_path}/blah.pub").to be_public_key_for "#{repo_path}/blah"
+        end
+      end
+    end
+
+    context 'and a public_key resource in pem format' do
+      with_converge do
+        public_key "#{repo_path}/blah.pub" do
+          source_key_path "#{repo_path}/blah"
+          format :pem
+        end
+      end
+
+      it 'the public_key is created' do
+        expect(chef_run).to have_updated "public_key[#{repo_path}/blah.pub]", :create
+        expect(IO.read("#{repo_path}/blah.pub")).to start_with('-----BEGIN')
+        expect("#{repo_path}/blah.pub").to be_public_key_for "#{repo_path}/blah"
+      end
+    end
+
+    context 'and a public_key resource in der format' do
+      with_converge do
+        public_key "#{repo_path}/blah.pub" do
+          source_key_path "#{repo_path}/blah"
+          format :der
+        end
+      end
+
+      it 'the public_key is created in openssh format' do
+        expect(chef_run).to have_updated "public_key[#{repo_path}/blah.pub]", :create
+        expect(IO.read("#{repo_path}/blah.pub")).not_to start_with('-----BEGIN')
+        expect(IO.read("#{repo_path}/blah.pub")).not_to start_with('ssh-rsa')
+        expect("#{repo_path}/blah.pub").to be_public_key_for "#{repo_path}/blah"
+      end
+    end
+  end
+
+  context 'with a recipe with a private_key in der format' do
+    with_recipe do
+      private_key "#{repo_path}/blah" do
+        format :der
+      end
+    end
+
+    it 'the private_key is created' do
+      expect(chef_run).to have_updated "private_key[#{repo_path}/blah]", :create
+      expect(IO.read("#{repo_path}/blah")).not_to start_with('-----BEGIN')
+      expect(OpenSSL::PKey.read(IO.read("#{repo_path}/blah"))).to be_kind_of(OpenSSL::PKey::RSA)
+    end
+  end
+
+  context 'with a private key in der format' do
+    before :each do
+      Cheffish::BasicChefClient.converge_block do
+        private_key "#{repo_path}/blah" do
+          format :der
+        end
+      end
+    end
+
+    context 'and a public_key' do
+      with_converge do
+        public_key "#{repo_path}/blah.pub" do
+          source_key_path "#{repo_path}/blah"
+        end
+      end
+
+      it 'the public_key is created in openssh format' do
+        expect(chef_run).to have_updated "public_key[#{repo_path}/blah.pub]", :create
+        expect(IO.read("#{repo_path}/blah.pub")).to start_with('ssh-rsa ')
+        expect("#{repo_path}/blah.pub").to be_public_key_for "#{repo_path}/blah"
+      end
+    end
+  end
+
+  context 'with a recipe with a private_key with a pass_phrase' do
+    with_converge do
+      private_key "#{repo_path}/blah" do
+        pass_phrase 'hello'
+      end
+    end
+
+    it 'the private_key is created' do
+      expect(chef_run).to have_updated "private_key[#{repo_path}/blah]", :create
+      expect(IO.read("#{repo_path}/blah")).to start_with('-----BEGIN')
+      expect(OpenSSL::PKey.read(IO.read("#{repo_path}/blah"), 'hello')).to be_kind_of(OpenSSL::PKey::RSA)
+    end
+  end
+
+  context 'with a private key with a pass phrase' do
+    before :each do
+      Cheffish::BasicChefClient.converge_block do
+        private_key "#{repo_path}/blah" do
+          pass_phrase 'hello'
+        end
+      end
+    end
+
+    context 'and a private_key that copies it in der format' do
+      with_converge do
+        private_key "#{repo_path}/blah.der" do
+          source_key_path "#{repo_path}/blah"
+          source_key_pass_phrase 'hello'
+          format :der
+        end
+      end
+
+      it 'the private_key is copied in der format and is identical' do
+        expect(chef_run).to have_updated "private_key[#{repo_path}/blah.der]", :create
+        key_str = IO.read("#{repo_path}/blah.der")
+        expect(key_str).not_to start_with('-----BEGIN')
+        expect(key_str).not_to start_with('ssh-')
+        expect("#{repo_path}/blah.der").to match_private_key("#{repo_path}/blah", 'hello')
+      end
+    end
+
+    context 'and a private_key resource pointing at it without a pass_phrase' do
+      with_recipe do
+        private_key "#{repo_path}/blah"
+      end
+
+      it 'the run fails with an exception' do
+        expect { chef_run }.to raise_error
+      end
+    end
+
+    context 'and a private_key resource with no pass phrase and regenerate_if_different' do
+      with_recipe do
+        private_key "#{repo_path}/blah" do
+          regenerate_if_different true
+        end
+      end
+
+      it 'the private_key is regenerated' do
+        expect(chef_run).to have_updated "private_key[#{repo_path}/blah]", :create
+        expect(IO.read("#{repo_path}/blah")).to start_with('-----BEGIN')
+        expect(OpenSSL::PKey.read(IO.read("#{repo_path}/blah"))).to be_kind_of(OpenSSL::PKey::RSA)
+      end
+    end
+
+    it 'a private_key resource that copies it from in-memory as a string succeeds' do
+      run_recipe do
+        private_key "#{repo_path}/blah.der" do
+          source_key IO.read("#{repo_path}/blah")
+          source_key_pass_phrase 'hello'
+          format :der
+        end
+      end
+
+      expect(chef_run).to have_updated "private_key[#{repo_path}/blah.der]", :create
+      key_str = IO.read("#{repo_path}/blah.der")
+      expect(key_str).not_to start_with('-----BEGIN')
+      expect(key_str).not_to start_with('ssh-')
+      expect("#{repo_path}/blah.der").to match_private_key("#{repo_path}/blah", 'hello')
+    end
+
+    context 'and a public_key' do
+      with_converge do
+        public_key "#{repo_path}/blah.pub" do
+          source_key_path "#{repo_path}/blah"
+          source_key_pass_phrase 'hello'
+        end
+      end
+
+      it 'the public_key is created in openssh format' do
+        expect(chef_run).to have_updated "public_key[#{repo_path}/blah.pub]", :create
+        expect(IO.read("#{repo_path}/blah.pub")).to start_with('ssh-rsa ')
+        expect("#{repo_path}/blah.pub").to be_public_key_for "#{repo_path}/blah", 'hello'
+      end
+    end
+
+    context 'and a public_key derived from the private key in an in-memory string' do
+      with_converge do
+        public_key "#{repo_path}/blah.pub" do
+          source_key IO.read("#{repo_path}/blah")
+          source_key_pass_phrase 'hello'
+        end
+      end
+
+      it 'the public_key is created in openssh format' do
+        expect(chef_run).to have_updated "public_key[#{repo_path}/blah.pub]", :create
+        expect(IO.read("#{repo_path}/blah.pub")).to start_with('ssh-rsa ')
+        expect("#{repo_path}/blah.pub").to be_public_key_for "#{repo_path}/blah", 'hello'
+      end
+    end
+  end
+
+  context 'with a recipe with a private_key and public_key_path' do
+    with_converge do
+      private_key "#{repo_path}/blah" do
+        public_key_path "#{repo_path}/blah.pub"
+      end
+    end
+
+    it 'the private_key and public_key are created' do
+      expect(chef_run).to have_updated "private_key[#{repo_path}/blah]", :create
+      expect(IO.read("#{repo_path}/blah")).to start_with('-----BEGIN')
+      expect(OpenSSL::PKey.read(IO.read("#{repo_path}/blah"))).to be_kind_of(OpenSSL::PKey::RSA)
+      expect(IO.read("#{repo_path}/blah.pub")).to start_with('ssh-rsa ')
+      expect("#{repo_path}/blah.pub").to be_public_key_for("#{repo_path}/blah")
+    end
+  end
+
+  context 'with a recipe with a private_key and public_key_path and public_key_format' do
+    with_converge do
+      private_key "#{repo_path}/blah" do
+        public_key_path "#{repo_path}/blah.pub.der"
+        public_key_format :der
+      end
+    end
+
+    it 'the private_key and public_key are created' do
+      expect(chef_run).to have_updated "private_key[#{repo_path}/blah]", :create
+      expect(IO.read("#{repo_path}/blah")).to start_with('-----BEGIN')
+      expect(OpenSSL::PKey.read(IO.read("#{repo_path}/blah"))).to be_kind_of(OpenSSL::PKey::RSA)
+      expect(IO.read("#{repo_path}/blah.pub.der")).not_to start_with('ssh-rsa ')
+      expect("#{repo_path}/blah.pub.der").to be_public_key_for("#{repo_path}/blah")
+    end
+  end
+
+  context 'with a recipe with a private_key with path :none' do
+    it 'the private_key is created' do
+      got_private_key = nil
+      run_recipe do
+        private_key 'in_memory' do
+          path :none
+          after { |resource, private_key| got_private_key = private_key }
+        end
+      end
+
+      expect(chef_run).to have_updated "private_key[in_memory]", :create
+      expect(got_private_key).to be_kind_of(OpenSSL::PKey::RSA)
+    end
+  end
+
+end