grid-proxy 0.1.0

data/spec/grid-proxy/proxy_spec.rb

@@ -0,0 +1,194 @@
+require 'spec_helper'
+
+describe GP::Proxy do
+  include CrtHelpers
+
+  subject { GP::Proxy.new proxy_payload }
+
+  let(:simple_ca) { load_cert 'simple_ca.crt' }
+  let(:simple_ca_crl) { load_cert 'simple_ca.crl' }
+
+
+  it 'loads proxy' do
+    expect(subject.proxycert).to be_an_instance_of OpenSSL::X509::Certificate
+  end
+
+  it 'loads user cert' do
+    expect(subject.usercert).to be_an_instance_of OpenSSL::X509::Certificate
+  end
+
+  describe '#verify!' do
+    context 'when time is ok' do
+      before do
+        Time.stub(:now).and_return(Time.new(2013, 12, 4, 12, 0, 0, "+01:00"))
+      end
+
+      context 'and user cert is signed by ca' do
+        it 'does not throw any exception - proxy is verify' do
+          subject.verify! simple_ca
+        end
+      end
+
+      context 'and user cert is not signed by ca' do
+        let(:polish_grid_ca) { load_cert('other_ca.crt') }
+
+        it 'throws usercert not signed with trusted certificate' do
+          expect_validation_error('Usercert not signed with trusted certificate', polish_grid_ca)
+        end
+      end
+
+      context 'and proxy is signed by other user cert' do
+        subject { GP::Proxy.new(load_cert 'proxy_and_differnt_user_cert') }
+
+        it 'throws proxy not signed with user certificate' do
+          expect_validation_error('Proxy not signed with user certificate', simple_ca)
+        end
+      end
+
+      context 'and proxy subject does not begin with the issuer' do
+        subject { GP::Proxy.new load_cert('wrong_subject') }
+
+        it 'throws proxy subject must begin with the issuer' do
+          expect_validation_error('Proxy subject must begin with the issuer', simple_ca)
+        end
+      end
+
+      context 'and proxy is not actual proxy ("/CN=" not in subject difference")' do
+        subject { GP::Proxy.new load_cert('no_proxy') }
+        it "throws couldn't find '/CN=' in DN, not a proxy" do
+          expect_validation_error("Couldn't find '/CN=' in DN, not a proxy", simple_ca)
+        end
+      end
+
+      context 'and proxy is signed by other user cert' do
+        subject { GP::Proxy.new load_cert('wrong_issuer') }
+
+        it 'throws proxy and user cert mismatch' do
+          expect_validation_error('Proxy and user cert mismatch', simple_ca)
+        end
+      end
+    end
+
+    context 'when it is to early' do
+      before do
+        Time.stub(:now).and_return(Time.new(2013, 12, 3, 12, 0, 0, "+01:00"))
+      end
+
+      it 'throws proxy is not valid yet' do
+        expect_validation_error('Proxy is not valid yet', simple_ca)
+      end
+    end
+
+    context 'when it is to late' do
+      before do
+        Time.stub(:now).and_return(Time.new(2013, 12, 5, 12, 0, 0, "+01:00"))
+      end
+
+      it 'throws proxy expired' do
+        expect_validation_error('Proxy expired', simple_ca)
+      end
+    end
+
+    context 'with invalid proxy key' do
+      before do
+        Time.stub(:now).and_return(Time.new(2013, 12, 4, 12, 0, 0, "+01:00"))
+      end
+
+      context 'when private key does not exist' do
+        subject { GP::Proxy.new(load_cert('without_private_key')) }
+
+        it 'throws missing proxy private key' do
+          expect_validation_error('Private proxy key missing', simple_ca)
+        end
+      end
+
+      context 'when cert and private key does not match' do
+        subject { GP::Proxy.new(load_cert('cert_and_key_mismatch')) }
+        it 'throws private key and cert mismatch' do
+          expect_validation_error('Private proxy key and cert mismatch', simple_ca)
+        end
+      end
+    end
+
+    context 'check for revokation of cert' do
+      before do
+        Time.stub(:now).and_return(Time.new(2014, 4, 14, 20, 0, 0, "+01:00"))
+      end
+
+      context 'usercert was revoked' do
+        subject { GP::Proxy.new load_cert('proxy_revoked.pem') }
+
+        it 'throws proper exception' do
+          expect_validation_error("User cert was revoked", simple_ca, simple_ca_crl)
+        end
+      end
+
+      context 'usercert was not revoked' do
+        subject { GP::Proxy.new load_cert('proxy_notrevoked.pem') }
+
+        it 'does not throw exception' do
+          subject.verify! simple_ca, simple_ca_crl
+        end
+      end
+    end
+
+    context 'when user cert is outdated' do
+      subject { GP::Proxy.new load_cert('proxy_signed_by_outdated_cert.pem') }
+      before do
+        Time.stub(:now).and_return(Time.new(2015, 9, 1, 20, 0, 0, "+01:00"))
+      end
+
+      it 'throws exception' do
+        expect_validation_error('Proxy signed by outdated certificate',
+                                simple_ca)
+      end
+    end
+  end
+
+  describe '#valid?' do
+    context 'when proxy is valid' do
+      before do
+        Time.stub(:now).and_return(Time.new(2013, 12, 4, 12, 0, 0, "+01:00"))
+      end
+
+      it 'returns true' do
+        expect(subject.valid? simple_ca).to eq true
+      end
+    end
+
+    context 'when proxy is not valid' do
+      it 'returns false' do
+        expect(subject.valid? simple_ca).to eq false
+      end
+    end
+  end
+
+  describe '#username' do
+    it 'returns username from proxy subject' do
+      expect(subject.username).to eq 'plgkasztelnik'
+    end
+  end
+
+  describe '#proxy_payload' do
+    it 'returns proxy payload' do
+      expect(subject.proxy_payload).to eq proxy_payload
+    end
+  end
+
+  describe '#revoked?' do
+
+    context 'when proxy is not revoked' do
+      subject { GP::Proxy.new(load_cert('proxy_notrevoked.pem')) }
+      it 'returns false' do
+        expect(subject.revoked? simple_ca_crl).to be_false
+      end
+    end
+
+    context 'when proxy is revoked' do
+      subject { GP::Proxy.new(load_cert('proxy_revoked.pem')) }
+      it 'returns true' do
+        expect(subject.revoked? simple_ca_crl).to be_true
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,17 @@
+require 'grid-proxy'
+
+Dir["#{File.dirname(__FILE__)}/support/*.rb"].each do |file|
+  require file
+end
+
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+end

data/spec/support/crt_helpers.rb

@@ -0,0 +1,15 @@
+module CrtHelpers
+  def proxy_payload
+    @proxy_payload ||= load_cert('valid_proxy')
+  end
+
+  def load_cert(cert_name)
+    File.read File.join(File.dirname(__FILE__), '..', 'certs', cert_name)
+  end
+
+  def expect_validation_error(error_msg, ca, crl = nil)
+    expect {
+      subject.verify! ca, crl
+    }.to raise_error(GP::ProxyValidationError, error_msg)
+  end
+end

metadata

@@ -0,0 +1,118 @@
+--- !ruby/object:Gem::Specification
+name: grid-proxy
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Marek Kasztelnik
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-09-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Grid proxy utils
+email:
+- mkasztelnik@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- Guardfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- grid-proxy.gemspec
+- lib/grid-proxy.rb
+- lib/grid-proxy/exceptions.rb
+- lib/grid-proxy/proxy.rb
+- lib/grid-proxy/version.rb
+- spec/certs/cert_and_key_mismatch
+- spec/certs/invalid_proxy
+- spec/certs/no_proxy
+- spec/certs/other_ca.crt
+- spec/certs/proxy_and_differnt_user_cert
+- spec/certs/proxy_notrevoked.pem
+- spec/certs/proxy_revoked.pem
+- spec/certs/proxy_signed_by_outdated_cert.pem
+- spec/certs/simple_ca.crl
+- spec/certs/simple_ca.crt
+- spec/certs/valid_proxy
+- spec/certs/without_private_key
+- spec/certs/wrong_issuer
+- spec/certs/wrong_subject
+- spec/grid-proxy/proxy_spec.rb
+- spec/spec_helper.rb
+- spec/support/crt_helpers.rb
+homepage: https://github.com/dice-cyfronet/grid-proxy
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: Grid proxy utils
+test_files:
+- spec/certs/cert_and_key_mismatch
+- spec/certs/invalid_proxy
+- spec/certs/no_proxy
+- spec/certs/other_ca.crt
+- spec/certs/proxy_and_differnt_user_cert
+- spec/certs/proxy_notrevoked.pem
+- spec/certs/proxy_revoked.pem
+- spec/certs/proxy_signed_by_outdated_cert.pem
+- spec/certs/simple_ca.crl
+- spec/certs/simple_ca.crt
+- spec/certs/valid_proxy
+- spec/certs/without_private_key
+- spec/certs/wrong_issuer
+- spec/certs/wrong_subject
+- spec/grid-proxy/proxy_spec.rb
+- spec/spec_helper.rb
+- spec/support/crt_helpers.rb