conjur-api 5.3.8.pre.319 → 5.4.0

data/spec/api_spec.rb

@@ -0,0 +1,254 @@
+require 'spec_helper'
+require 'fakefs/spec_helpers'
+
+describe Conjur::API do
+
+  let(:account) { 'api-spec-acount' }
+  let(:remote_ip) { nil }
+  before { allow(Conjur.configuration).to receive_messages account: account }
+
+  shared_context "logged in", logged_in: true do
+    let(:login) { "bob" }
+    let(:token) { { 'data' => login, 'timestamp' => Time.now.to_s } }
+    subject(:api) { Conjur::API.new_from_token(token, remote_ip: remote_ip) }
+  end
+
+  shared_context "logged in with an API key", logged_in: :api_key do
+    include_context "logged in"
+    let(:api_key) { "theapikey" }
+    subject(:api) { Conjur::API.new_from_key(login, api_key, account: account ,remote_ip: remote_ip) }
+  end
+
+  shared_context "logged in with a token file", logged_in: :token_file do
+    include FakeFS::SpecHelpers
+    include_context "logged in"
+    let(:token_file) { "token_file" }
+    subject(:api) { Conjur::API.new_from_token_file(token_file, remote_ip: remote_ip) }
+  end
+
+  def time_travel delta
+    allow(api.authenticator).to receive(:gettime).and_wrap_original do |m|
+      m[] + delta
+    end
+    allow(api.authenticator).to receive(:monotonic_time).and_wrap_original do |m|
+      m[] + delta
+    end
+    allow(Time).to receive(:now).and_wrap_original do |m|
+      m[] + delta
+    end
+  end
+
+  describe '#token' do
+    context 'with token file available', logged_in: :token_file do
+      def write_token token
+        File.write token_file, JSON.generate(token)
+      end
+
+      before do
+        write_token token
+      end
+
+      it "reads the file to get a token" do
+        expect(api.instance_variable_get("@token")).to eq(nil)
+        expect(api.token).to eq(token)
+        expect(api.credentials).to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login })
+      end
+
+      context "after expiration" do
+        it 'it reads a new token' do
+          expect(Time.parse(api.token['timestamp'])).to be_within(5.seconds).of(Time.now)
+
+          time_travel 6.minutes
+          new_token = token.merge "timestamp" => Time.now.to_s
+          write_token new_token
+
+          expect(api.token).to eq(new_token)
+        end
+      end
+    end
+
+    context 'with API key available', logged_in: :api_key do
+      it "authenticates to get a token" do
+        expect(Conjur::API).to receive(:authenticate).with(login, api_key, account: account).and_return token
+
+        expect(api.instance_variable_get("@token")).to eq(nil)
+        expect(api.token).to eq(token)
+        expect(api.credentials).to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login })
+      end
+
+      context "after expiration" do
+
+        shared_examples "it gets a new token" do
+          it 'by refreshing' do
+            allow(Conjur::API).to receive(:authenticate).with(login, api_key, account: account).and_return token
+            expect(Time.parse(api.token['timestamp'])).to be_within(5.seconds).of(Time.now)
+
+            time_travel 6.minutes
+            new_token = token.merge "timestamp" => Time.now.to_s
+
+            expect(Conjur::API).to receive(:authenticate).with(login, api_key, account: account).and_return new_token
+            expect(api.token).to eq(new_token)
+          end
+        end
+
+        it_should_behave_like "it gets a new token"
+      end
+    end
+
+    context 'with no API key available', logged_in: true do
+      it "returns the token used to create it" do
+        expect(api.token).to eq token
+      end
+
+      it "doesn't try to refresh an old token" do
+        expect(Conjur::API).not_to receive :authenticate
+        api.token # vivify
+        time_travel 6.minutes
+        expect { api.token }.not_to raise_error
+      end
+    end
+  end
+
+  context "credential handling", logged_in: true do
+    context "from token" do
+      describe '#credentials' do
+        subject { super().credentials }
+        it { is_expected.to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login }) }
+      end
+
+      context "with remote_ip" do
+        let(:remote_ip) { "66.0.0.1" }
+        describe '#credentials' do
+          subject { super().credentials }
+          it { is_expected.to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"", :x_forwarded_for=>"66.0.0.1" }, username: login }) }
+        end
+      end
+    end
+
+    context "from logged-in RestClient::Resource" do
+      let (:authz_header) { %Q{Token token="#{token_encoded}"} }
+      let (:priv_header) { nil }
+      let (:forwarded_for_header) { nil }
+      let (:audit_roles_header) { nil }
+      let (:audit_resources_header) { nil }
+      let (:username) { 'bob' }
+      subject { resource.conjur_api }
+
+      shared_examples "it can clone itself" do
+        it "has the authz header" do
+          expect(subject.credentials[:headers][:authorization]).to eq(authz_header)
+        end
+        it "has the username" do
+          expect(subject.credentials[:username]).to eq(username)
+        end
+      end
+
+      let(:token_encoded) { Base64.strict_encode64(token.to_json) }
+      let(:base_headers) { { authorization: authz_header } }
+      let(:headers) { base_headers }
+      let(:resource) { RestClient::Resource.new("http://example.com", { headers: headers })}
+      context 'basic functioning' do
+        it_behaves_like 'it can clone itself'
+      end
+
+      context "forwarded for" do
+        let(:forwarded_for_header) { "66.0.0.1" }
+        let(:headers) { base_headers.merge(x_forwarded_for: forwarded_for_header) }
+        it_behaves_like 'it can clone itself'
+      end
+    end
+  end
+
+  describe "#role_from_username", logged_in: true do
+    it "returns a user role when username is plain" do
+      expect(Conjur::API.role_from_username(api, "plain-username", account).id).to eq("#{account}:user:plain-username")
+    end
+
+    it "returns an appropriate role kind when username is qualified" do
+      expect(Conjur::API.role_from_username(api, "host/foo/bar", account).id).to eq("#{account}:host:foo/bar")
+    end
+  end
+
+  describe "#username" do
+    let(:jwt_payload) do
+      'eyJzdWIiOiJ1c2VyLTlhYjBiYmZiOWJlNjA5Yzk2ZjUyN2Y1YiIsImlhdCI6MTYwMzQ5MDA4MH0='
+    end
+
+    let(:jwt_header) do
+      'eyJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiI2MWZjOGRiZDM4MjA4NDll' \
+      'ZDI4YTZhYTAwMzFjNjM5MjkxZjJmMDQzNDVjYTU0MWI5NzUxMGQ5NjkyM2I3NDlmIn0='
+    end
+
+    let(:conjur_token) do
+      {
+        'data' => 'conjur-user-1234',
+        'timestamp' => Time.now.to_s
+      }
+    end
+
+    let(:jwt_token) do
+      {
+        'protected' => jwt_header,
+        'payload' => jwt_payload,
+      }
+    end
+
+    it "can correctly extract the username from old Conjur token" do
+      expect(Conjur::API.new_from_token(conjur_token).username).to(
+        eq('conjur-user-1234')
+      )
+    end
+
+    context 'when using JWT token' do
+      it "can correctly extract username" do
+        expect(Conjur::API.new_from_token(jwt_token).username).to(
+          eq('user-9ab0bbfb9be609c96f527f5b')
+        )
+      end
+
+      it "returns nil when JWT token has no payload field" do
+        no_payload_jwt_token = { 'protected' => jwt_header }
+        expect(Conjur::API.new_from_token(no_payload_jwt_token).username).to be_nil
+      end
+
+      it "returns nil when JWT token has no 'sub' field in payload" do
+        no_sub_token = { 'payload' => 'eyJpYXQiOjE2MDM0OTAwODB9' }
+        expect(Conjur::API.new_from_token(no_sub_token).username).to be_nil
+      end
+    end
+  end
+
+  describe "#current_role", logged_in: true do
+    context "when logged in as user" do
+      let(:login) { 'joerandom' }
+      it "returns a user role" do
+        expect(api.current_role(account).id).to eq("#{account}:user:joerandom")
+      end
+    end
+
+    context "when logged in as host" do
+      let(:host) { "somehost" }
+      let(:login) { "host/#{host}" }
+      it "returns a host role" do
+        expect(api.current_role(account).id).to eq("#{account}:host:somehost")
+      end
+    end
+  end
+
+  describe 'url escapes' do
+    let(:urls){[
+        'foo/bar@baz',
+        '/test/some group with spaces'
+    ]}
+
+    describe '#fully_escape' do
+      let(:expected){[
+        'foo%2Fbar%40baz',
+        '%2Ftest%2Fsome%20group%20with%20spaces'
+      ]}
+      it 'escapes the urls correctly' do
+        expect(urls.map{|u| Conjur::API.fully_escape u}).to eq(expected)
+      end
+    end
+  end
+end

data/spec/base_object_spec.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Conjur::BaseObject do
+
+  it "returns custom string for #inspect" do
+    id_str = 'foo:bar:baz'
+    base_obj = Conjur::BaseObject.new(Conjur::Id.new(id_str), { username: 'foo' })
+    expect(base_obj.inspect).to include("id='#{id_str}'")
+    expect(base_obj.inspect).to include(Conjur::BaseObject.name)
+  end
+end

data/spec/cert_utils_spec.rb

@@ -0,0 +1,173 @@
+require 'spec_helper'
+
+describe Conjur::CertUtils do
+  describe '.parse_certs' do
+    let(:cert1_raw) do
+      """-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIVAKW1gdmOFrXt6xB0iQmYQ4z8Pf+kMA0GCSqGSIb3DQEB
+CwUAMD0xETAPBgNVBAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDAS
+BgNVBAMTC2N1a2UtbWFzdGVyMB4XDTE1MTAwNzE2MzAwNloXDTI1MTAwNDE2MzAw
+NlowFjEUMBIGA1UEAwwLY3VrZS1tYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC9e8bGIHOLOypKA4lsLcAOcDLAq+ICuVxn9Vg0No0m32Ok/K7G
+uEGtlC8RidObntblUwqdX2uP7mqAQm19j78UTl1KT97vMmmFrpVZ7oQvEm1FUq3t
+FBmJglthJrSbpdZjLf7a7eL1NnunkfBdI1DK9QL9ndMjNwZNFbXhld4fC5zuSr/L
+PxawSzTEsoTaB0Nw0DdRowaZgrPxc0hQsrj9OF20gTIJIYO7ctZzE/JJchmBzgI4
+CdfAYg7zNS+0oc0ylV0CWMerQtLICI6BtiQ482bCuGYJ00NlDcdjd3w+A2cj7PrH
+wH5UhtORL5Q6i9EfGGUCDbmfpiVD9Bd3ukbXAgMBAAGjXDBaMA4GA1UdDwEB/wQE
+AwIFoDAdBgNVHQ4EFgQU2jmj7l5rSw0yVb/vlWAYkK/YBwkwKQYDVR0RBCIwIIIL
+Y3VrZS1tYXN0ZXKCCWxvY2FsaG9zdIIGY29uanVyMA0GCSqGSIb3DQEBCwUAA4IB
+AQBCepy6If67+sjuVnT9NGBmjnVaLa11kgGNEB1BZQnvCy0IN7gpLpshoZevxYDR
+3DnPAetQiZ70CSmCwjL4x6AVxQy59rRj0Awl9E1dgFTYI3JxxgLsI9ePdIRVEPnH
+dhXqPY5ZIZhvdHlLStjsXX7laaclEtMeWfSzxe4AmP/Sm/er4ks0gvLQU6/XJNIu
+RnRH59ZB1mZMsIv9Ii790nnioYFR54JmQu1JsIib77ZdSXIJmxAtraJSTLcZbU1E
++SM3XCE423Xols7onyluMYDy3MCUTFwoVMRBcRWCAk5gcv6XvZDfLi6Zwdne6x3Y
+bGenr4vsPuSFsycM03/EcQDT
+-----END CERTIFICATE-----
+"""
+    end
+    let(:cert2_raw) do
+      """-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIJAJnsrJ1+j9MhMA0GCSqGSIb3DQEBCwUAMD0xETAPBgNV
+BAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDASBgNVBAMTC2N1a2Ut
+bWFzdGVyMB4XDTE1MTAwNzE2MzAwM1oXDTI1MTAwNDE2MzAwM1owPTERMA8GA1UE
+ChMIY3VjdW1iZXIxEjAQBgNVBAsTCUNvbmp1ciBDQTEUMBIGA1UEAxMLY3VrZS1t
+YXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsuZ06Ld4JDhxZ
+FcxKVxu7MTjXVv6W8pI7qFKmgr39aNqmDpKYJ1H9aM+r9zaTAeithpM4wJpVswkJ
+d0RSuKdm1LOx11yHLyZ1OvlPHFhsVWdZIQZ6R9srhPYBUCMem4sHR5IAcBBX+HkR
+35gaPYUl1uFV/9zCniekt92Kdta+it1WL7XinXTBURlhDawiD/kv1C9x6dICEJVe
+IT/jRohmqHAoM/JSOQTthaDli3Qvu5K8XAx8UXvWVmv3eStZFVDbC4ZEueRd9KAe
+4IZ5FxdpFYkPBgt2lBYeydYKRShyYrDKye1uJBDkeplNaYW4cS4mOhYuRkdKn7MH
+uY/xb1lFAgMBAAGjgYkwgYYwKQYDVR0RBCIwIIILY3VrZS1tYXN0ZXKCCWxvY2Fs
+aG9zdIIGY29uanVyMB0GA1UdDgQWBBRHpGF7aQbHdORYgQKDC2hV6NzEKzAfBgNV
+HSMEGDAWgBRHpGF7aQbHdORYgQKDC2hV6NzEKzAMBgNVHRMEBTADAQH/MAsGA1Ud
+DwQEAwIB5jANBgkqhkiG9w0BAQsFAAOCAQEAGZT9Wek1hYluIVaxu03wSKCKIJ4p
+KxTHw+mLDapg1y9t3Fa/5IQQK0Bx0xGU2qWiQKjda3vdFPJWO6l6XJvsUY5Nwtm5
+Gcsk8l3L/zWCrjrFTH3TdVad5E+DTwVhThelmEjw68AyM+WuOL61j0MItd9mLW74
+Lv2zouj9nQBdnUBHWQ0EL/9d5cfaCVu/bFlDfYt7Yj0IzXCuaWZfJeHodU1hmqVX
+BvYRjnTB2LSxfmSnkrCeFPmhE11bWVtsLIdrGIgtEMX0/s9xg58QuNnva1U3pJsW
+RjvSxre4Xg2qlI9Laybb4oZ4g6DI8hRbL0VdFAsveg6SXg2RxgJcXeJUFw==
+-----END CERTIFICATE-----
+"""
+    end
+
+    let(:cert1) { OpenSSL::X509::Certificate.new cert1_raw }
+    let(:cert2) { OpenSSL::X509::Certificate.new cert2_raw }
+
+    it 'parses a certificate' do
+      expect(Conjur::CertUtils.parse_certs(cert1_raw).map(&:to_der))\
+          .to eq [cert1.to_der]
+    end
+
+    it 'parses two certificates' do
+      expect(Conjur::CertUtils.parse_certs(cert1_raw + cert2_raw).map(&:to_der))\
+          .to eq [cert1.to_der, cert2.to_der]
+    end
+
+    it 'parses the certificate correctly even if the whitespace is wrong' do
+      bad_whitespace = cert1_raw.gsub "\n", " "
+      expect(Conjur::CertUtils.parse_certs(bad_whitespace).map(&:to_der))\
+          .to eq [cert1.to_der]
+    end
+
+    it 'shows a bad cert in error message' do
+      bad_cert = "-----BEGIN CERTIFICATE-----\nfoo\n-----END CERTIFICATE-----\n"
+      expect do
+        Conjur::CertUtils.parse_certs(bad_cert)
+      end.to raise_error(OpenSSL::X509::CertificateError) do |exn|
+        expect(exn.message).to include bad_cert
+      end
+    end
+  end
+
+  describe '.add_chained_cert' do
+    let(:one_certificate_chain) do
+        """-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIVAKW1gdmOFrXt6xB0iQmYQ4z8Pf+kMA0GCSqGSIb3DQEB
+CwUAMD0xETAPBgNVBAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDAS
+BgNVBAMTC2N1a2UtbWFzdGVyMB4XDTE1MTAwNzE2MzAwNloXDTI1MTAwNDE2MzAw
+NlowFjEUMBIGA1UEAwwLY3VrZS1tYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC9e8bGIHOLOypKA4lsLcAOcDLAq+ICuVxn9Vg0No0m32Ok/K7G
+uEGtlC8RidObntblUwqdX2uP7mqAQm19j78UTl1KT97vMmmFrpVZ7oQvEm1FUq3t
+FBmJglthJrSbpdZjLf7a7eL1NnunkfBdI1DK9QL9ndMjNwZNFbXhld4fC5zuSr/L
+PxawSzTEsoTaB0Nw0DdRowaZgrPxc0hQsrj9OF20gTIJIYO7ctZzE/JJchmBzgI4
+CdfAYg7zNS+0oc0ylV0CWMerQtLICI6BtiQ482bCuGYJ00NlDcdjd3w+A2cj7PrH
+wH5UhtORL5Q6i9EfGGUCDbmfpiVD9Bd3ukbXAgMBAAGjXDBaMA4GA1UdDwEB/wQE
+AwIFoDAdBgNVHQ4EFgQU2jmj7l5rSw0yVb/vlWAYkK/YBwkwKQYDVR0RBCIwIIIL
+Y3VrZS1tYXN0ZXKCCWxvY2FsaG9zdIIGY29uanVyMA0GCSqGSIb3DQEBCwUAA4IB
+AQBCepy6If67+sjuVnT9NGBmjnVaLa11kgGNEB1BZQnvCy0IN7gpLpshoZevxYDR
+3DnPAetQiZ70CSmCwjL4x6AVxQy59rRj0Awl9E1dgFTYI3JxxgLsI9ePdIRVEPnH
+dhXqPY5ZIZhvdHlLStjsXX7laaclEtMeWfSzxe4AmP/Sm/er4ks0gvLQU6/XJNIu
+RnRH59ZB1mZMsIv9Ii790nnioYFR54JmQu1JsIib77ZdSXIJmxAtraJSTLcZbU1E
++SM3XCE423Xols7onyluMYDy3MCUTFwoVMRBcRWCAk5gcv6XvZDfLi6Zwdne6x3Y
+bGenr4vsPuSFsycM03/EcQDT
+-----END CERTIFICATE-----
+"""
+    end
+
+    let(:two_certificates_chain) do
+      """-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIVAKW1gdmOFrXt6xB0iQmYQ4z8Pf+kMA0GCSqGSIb3DQEB
+CwUAMD0xETAPBgNVBAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDAS
+BgNVBAMTC2N1a2UtbWFzdGVyMB4XDTE1MTAwNzE2MzAwNloXDTI1MTAwNDE2MzAw
+NlowFjEUMBIGA1UEAwwLY3VrZS1tYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC9e8bGIHOLOypKA4lsLcAOcDLAq+ICuVxn9Vg0No0m32Ok/K7G
+uEGtlC8RidObntblUwqdX2uP7mqAQm19j78UTl1KT97vMmmFrpVZ7oQvEm1FUq3t
+FBmJglthJrSbpdZjLf7a7eL1NnunkfBdI1DK9QL9ndMjNwZNFbXhld4fC5zuSr/L
+PxawSzTEsoTaB0Nw0DdRowaZgrPxc0hQsrj9OF20gTIJIYO7ctZzE/JJchmBzgI4
+CdfAYg7zNS+0oc0ylV0CWMerQtLICI6BtiQ482bCuGYJ00NlDcdjd3w+A2cj7PrH
+wH5UhtORL5Q6i9EfGGUCDbmfpiVD9Bd3ukbXAgMBAAGjXDBaMA4GA1UdDwEB/wQE
+AwIFoDAdBgNVHQ4EFgQU2jmj7l5rSw0yVb/vlWAYkK/YBwkwKQYDVR0RBCIwIIIL
+Y3VrZS1tYXN0ZXKCCWxvY2FsaG9zdIIGY29uanVyMA0GCSqGSIb3DQEBCwUAA4IB
+AQBCepy6If67+sjuVnT9NGBmjnVaLa11kgGNEB1BZQnvCy0IN7gpLpshoZevxYDR
+3DnPAetQiZ70CSmCwjL4x6AVxQy59rRj0Awl9E1dgFTYI3JxxgLsI9ePdIRVEPnH
+dhXqPY5ZIZhvdHlLStjsXX7laaclEtMeWfSzxe4AmP/Sm/er4ks0gvLQU6/XJNIu
+RnRH59ZB1mZMsIv9Ii790nnioYFR54JmQu1JsIib77ZdSXIJmxAtraJSTLcZbU1E
++SM3XCE423Xols7onyluMYDy3MCUTFwoVMRBcRWCAk5gcv6XvZDfLi6Zwdne6x3Y
+bGenr4vsPuSFsycM03/EcQDT
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIJAJnsrJ1+j9MhMA0GCSqGSIb3DQEBCwUAMD0xETAPBgNV
+BAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDASBgNVBAMTC2N1a2Ut
+bWFzdGVyMB4XDTE1MTAwNzE2MzAwM1oXDTI1MTAwNDE2MzAwM1owPTERMA8GA1UE
+ChMIY3VjdW1iZXIxEjAQBgNVBAsTCUNvbmp1ciBDQTEUMBIGA1UEAxMLY3VrZS1t
+YXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsuZ06Ld4JDhxZ
+FcxKVxu7MTjXVv6W8pI7qFKmgr39aNqmDpKYJ1H9aM+r9zaTAeithpM4wJpVswkJ
+d0RSuKdm1LOx11yHLyZ1OvlPHFhsVWdZIQZ6R9srhPYBUCMem4sHR5IAcBBX+HkR
+35gaPYUl1uFV/9zCniekt92Kdta+it1WL7XinXTBURlhDawiD/kv1C9x6dICEJVe
+IT/jRohmqHAoM/JSOQTthaDli3Qvu5K8XAx8UXvWVmv3eStZFVDbC4ZEueRd9KAe
+4IZ5FxdpFYkPBgt2lBYeydYKRShyYrDKye1uJBDkeplNaYW4cS4mOhYuRkdKn7MH
+uY/xb1lFAgMBAAGjgYkwgYYwKQYDVR0RBCIwIIILY3VrZS1tYXN0ZXKCCWxvY2Fs
+aG9zdIIGY29uanVyMB0GA1UdDgQWBBRHpGF7aQbHdORYgQKDC2hV6NzEKzAfBgNV
+HSMEGDAWgBRHpGF7aQbHdORYgQKDC2hV6NzEKzAMBgNVHRMEBTADAQH/MAsGA1Ud
+DwQEAwIB5jANBgkqhkiG9w0BAQsFAAOCAQEAGZT9Wek1hYluIVaxu03wSKCKIJ4p
+KxTHw+mLDapg1y9t3Fa/5IQQK0Bx0xGU2qWiQKjda3vdFPJWO6l6XJvsUY5Nwtm5
+Gcsk8l3L/zWCrjrFTH3TdVad5E+DTwVhThelmEjw68AyM+WuOL61j0MItd9mLW74
+Lv2zouj9nQBdnUBHWQ0EL/9d5cfaCVu/bFlDfYt7Yj0IzXCuaWZfJeHodU1hmqVX
+BvYRjnTB2LSxfmSnkrCeFPmhE11bWVtsLIdrGIgtEMX0/s9xg58QuNnva1U3pJsW
+RjvSxre4Xg2qlI9Laybb4oZ4g6DI8hRbL0VdFAsveg6SXg2RxgJcXeJUFw==
+-----END CERTIFICATE-----
+"""
+    end
+
+    let(:store){ double('default store') }
+
+    context 'with one certificate in the chain' do
+      subject{ Conjur::CertUtils.add_chained_cert(store, one_certificate_chain) }
+
+      it 'adds one certificate to the store' do
+        expect(store).to receive(:add_cert).once
+        expect(subject).to be_truthy
+      end
+    end
+
+    context 'with two certificate in the chain' do
+      subject{ Conjur::CertUtils.add_chained_cert(store, two_certificates_chain) }
+
+      it 'adds both certificate to the store' do
+        expect(store).to receive(:add_cert).twice
+        expect(subject).to be_truthy
+      end
+    end
+
+  end
+end

data/spec/cidr_spec.rb

@@ -0,0 +1,34 @@
+require 'conjur/cidr'
+
+describe Conjur::CIDR do
+  def cidr addr
+    Conjur::CIDR.validate addr
+  end
+
+  describe '.validate' do
+    it 'rejects malformed addresses' do
+      expect { Conjur::CIDR.validate '192.0.2.2/255.255.0.255' }.to raise_error ArgumentError
+      expect { Conjur::CIDR.validate '192.0.2.2/0.255.0.0' }.to raise_error ArgumentError
+      expect { Conjur::CIDR.validate '192.0.256.2' }.to raise_error ArgumentError
+      expect { Conjur::CIDR.validate '::/:ffff:' }.to raise_error ArgumentError
+    end
+  end
+
+  describe '#prefixlen' do
+    it 'calculates prefix mask length' do
+      expected = {
+        '0.0.0.0/0' => 0,
+        '192.0.2.0/24' => 24,
+        '192.0.2.1' => 32,
+        '192.0.2.0/255.255.255.0' => 24,
+        '10.0.0.0/255.0.0.0' => 8,
+        '1234::/42' => 42,
+        '1234::/ffff::' => 16,
+        '::/::' => 0,
+      }
+      expected.each do |addr, len|
+        expect(Conjur::CIDR.validate(addr).prefixlen).to eq len
+      end
+    end
+  end
+end