mcollective-client 2.5.2 → 2.5.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
data/lib/mcollective.rb
CHANGED
|
@@ -0,0 +1,165 @@
|
|
|
1
|
+
#!/usr/bin/env rspec
|
|
2
|
+
|
|
3
|
+
require 'spec_helper'
|
|
4
|
+
require File.dirname(__FILE__) + '/../../../../../plugins/mcollective/security/aes_security.rb'
|
|
5
|
+
|
|
6
|
+
module MCollective
|
|
7
|
+
module Security
|
|
8
|
+
# Clear the PluginManager so that security plugin tests do not conflict
|
|
9
|
+
PluginManager.clear
|
|
10
|
+
describe Aes_security do
|
|
11
|
+
let(:pluginconf) do
|
|
12
|
+
{"aes.client_cert_dir" => "testing"}
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
let(:config) do
|
|
16
|
+
conf = mock
|
|
17
|
+
conf.stubs(:identity).returns("test")
|
|
18
|
+
conf.stubs(:configured).returns(true)
|
|
19
|
+
conf.stubs(:pluginconf).returns(pluginconf)
|
|
20
|
+
conf
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
let(:plugin) do
|
|
24
|
+
Aes_security.new
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
let(:msg) do
|
|
28
|
+
m = mock
|
|
29
|
+
m.stubs(:payload)
|
|
30
|
+
m
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
before :each do
|
|
34
|
+
stats = mock("stats")
|
|
35
|
+
MCollective::PluginManager << {:type => "global_stats", :class => stats}
|
|
36
|
+
MCollective::Config.stubs("instance").returns(config)
|
|
37
|
+
MCollective::Log.stubs(:debug)
|
|
38
|
+
MCollective::Log.stubs(:warn)
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
describe "#decodemsg" do
|
|
42
|
+
let(:body) do
|
|
43
|
+
{:sslpubkey => "ssl_public_key",
|
|
44
|
+
:callerid => "cert=testing",
|
|
45
|
+
:requestid => 1}
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
before :each do
|
|
49
|
+
pluginconf["aes.learn_pubkeys"] = "1"
|
|
50
|
+
plugin.stubs(:should_process_msg?)
|
|
51
|
+
plugin.stubs(:deserialize).returns(body)
|
|
52
|
+
plugin.stubs(:decrypt)
|
|
53
|
+
plugin.stubs(:deserialize).returns(body)
|
|
54
|
+
plugin.stubs(:update_secure_property)
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
it "should not learn the public key if the key has not been passed" do
|
|
58
|
+
body.delete(:sslpubkey)
|
|
59
|
+
plugin.decodemsg(msg)
|
|
60
|
+
File.expects(:exist?).never
|
|
61
|
+
File.expects(:open).never
|
|
62
|
+
end
|
|
63
|
+
|
|
64
|
+
it "should not learn the public key if keyfile is present on disk" do
|
|
65
|
+
File.expects(:exist?).with("testing/testing.pem").returns(true)
|
|
66
|
+
File.expects(:open).never
|
|
67
|
+
plugin.decodemsg(msg)
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
it "should not learn the key if there is no ca_cert and insecure_learning is false" do
|
|
71
|
+
File.expects(:exist?).returns(false)
|
|
72
|
+
Log.expects(:warn).with() do |msg|
|
|
73
|
+
msg =~ /No CA certificate specified/
|
|
74
|
+
end
|
|
75
|
+
expect {
|
|
76
|
+
plugin.decodemsg(msg)
|
|
77
|
+
}.to raise_error SecurityValidationFailed
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
it "should not learn the key if the cert cannot be verified against the CA" do
|
|
81
|
+
File.expects(:exist?).returns(false)
|
|
82
|
+
pluginconf["aes.ca_cert"] = "ca_cert"
|
|
83
|
+
plugin.expects(:validate_certificate).with("ssl_public_key", "testing").returns(false)
|
|
84
|
+
Log.expects(:warn).with() do |msg|
|
|
85
|
+
msg.should match(/Unable to validate certificate/)
|
|
86
|
+
end
|
|
87
|
+
expect {
|
|
88
|
+
plugin.decodemsg(msg)
|
|
89
|
+
}.to raise_error SecurityValidationFailed
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
it "it should learn the public key if insecure_learning is enabled" do
|
|
93
|
+
pluginconf["aes.insecure_learning"] = "1"
|
|
94
|
+
File.expects(:exist?).returns(false)
|
|
95
|
+
Log.expects(:warn).with() do |msg|
|
|
96
|
+
msg.should match(/Do NOT use this mode in sensitive environments/)
|
|
97
|
+
end
|
|
98
|
+
File.expects(:open)
|
|
99
|
+
plugin.decodemsg(msg)
|
|
100
|
+
end
|
|
101
|
+
|
|
102
|
+
it "should learn the public key if the CA can verify the cert" do
|
|
103
|
+
File.expects(:exist?).returns(false)
|
|
104
|
+
pluginconf["aes.ca_cert"] = "ca_cert"
|
|
105
|
+
File.expects(:read).with("testing/testing.pem").returns("ssl_public_key")
|
|
106
|
+
plugin.expects(:validate_certificate).with("ssl_public_key", "testing").twice.returns(true)
|
|
107
|
+
File.expects(:open)
|
|
108
|
+
plugin.decodemsg(msg)
|
|
109
|
+
end
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
describe "#validate_certificate" do
|
|
113
|
+
let(:cert) do
|
|
114
|
+
mock
|
|
115
|
+
end
|
|
116
|
+
|
|
117
|
+
let(:ca_cert) do
|
|
118
|
+
ca = mock
|
|
119
|
+
ca.stubs(:add_file).returns(true)
|
|
120
|
+
ca
|
|
121
|
+
end
|
|
122
|
+
|
|
123
|
+
let(:callerid) do
|
|
124
|
+
"rspec_caller"
|
|
125
|
+
end
|
|
126
|
+
|
|
127
|
+
it "should fail if the cert is not a X509 certificate" do
|
|
128
|
+
OpenSSL::X509::Certificate.expects(:new).with("ssl_cert").raises(OpenSSL::X509::CertificateError)
|
|
129
|
+
Log.expects(:warn).with() do |msg|
|
|
130
|
+
msg.should match(/Received public key that is not a X509 certficate/)
|
|
131
|
+
end
|
|
132
|
+
plugin.validate_certificate("ssl_cert", callerid).should be_false
|
|
133
|
+
end
|
|
134
|
+
|
|
135
|
+
it "should fail if the name in the cert doesn't match the callerid" do
|
|
136
|
+
OpenSSL::X509::Certificate.expects(:new).with("ssl_cert").returns(cert)
|
|
137
|
+
plugin.stubs(:certname_from_certificate).with(cert).returns("not_rspec_caller")
|
|
138
|
+
Log.expects(:warn).with() do |msg|
|
|
139
|
+
msg.should match(/certname 'rspec_caller' doesn't match certificate 'not_rspec_caller'/)
|
|
140
|
+
end
|
|
141
|
+
plugin.validate_certificate("ssl_cert", callerid).should be_false
|
|
142
|
+
end
|
|
143
|
+
|
|
144
|
+
it "should fail if the cert wasn't signed by the CA" do
|
|
145
|
+
OpenSSL::X509::Certificate.expects(:new).with("ssl_cert").returns(cert)
|
|
146
|
+
plugin.stubs(:certname_from_certificate).with(cert).returns("rspec_caller")
|
|
147
|
+
OpenSSL::X509::Store.stubs(:new).returns(ca_cert)
|
|
148
|
+
ca_cert.stubs(:verify).with(cert).returns(false)
|
|
149
|
+
Log.expects(:warn).with() do |msg|
|
|
150
|
+
msg.should match(/Unable to validate certificate/)
|
|
151
|
+
end
|
|
152
|
+
plugin.validate_certificate("ssl_cert", callerid).should be_false
|
|
153
|
+
end
|
|
154
|
+
|
|
155
|
+
it "should validate the cert" do
|
|
156
|
+
OpenSSL::X509::Certificate.expects(:new).with("ssl_cert").returns(cert)
|
|
157
|
+
plugin.stubs(:certname_from_certificate).with(cert).returns("rspec_caller")
|
|
158
|
+
OpenSSL::X509::Store.stubs(:new).returns(ca_cert)
|
|
159
|
+
ca_cert.stubs(:verify).with(cert).returns(true)
|
|
160
|
+
plugin.validate_certificate("ssl_cert", callerid).should be_true
|
|
161
|
+
end
|
|
162
|
+
end
|
|
163
|
+
end
|
|
164
|
+
end
|
|
165
|
+
end
|
data/spec/unit/runner_spec.rb
CHANGED
|
@@ -205,7 +205,7 @@ module MCollective
|
|
|
205
205
|
|
|
206
206
|
before :each do
|
|
207
207
|
PluginManager.stubs(:[]).with("registration_plugin").returns(registration_agent)
|
|
208
|
-
Data.
|
|
208
|
+
Data.stubs(:load_data_sources)
|
|
209
209
|
Util.expects(:subscribe).twice
|
|
210
210
|
Util.expects(:make_subscriptions).twice
|
|
211
211
|
end
|
|
@@ -217,6 +217,16 @@ module MCollective
|
|
|
217
217
|
runner.send(:receiver_thread)
|
|
218
218
|
end
|
|
219
219
|
|
|
220
|
+
it 'should load agents before data plugins' do
|
|
221
|
+
load_order = sequence('load_order')
|
|
222
|
+
Agents.expects(:new).in_sequence(load_order)
|
|
223
|
+
Data.expects(:load_data_sources).in_sequence(load_order)
|
|
224
|
+
runner.expects(:receive).returns(request)
|
|
225
|
+
runner.expects(:agentmsg).with(request)
|
|
226
|
+
runner.instance_variable_set(:@exit_receiver_thread, true)
|
|
227
|
+
runner.send(:receiver_thread)
|
|
228
|
+
end
|
|
229
|
+
|
|
220
230
|
it 'should discard controller messages with an error message' do
|
|
221
231
|
runner.expects(:receive).returns(request)
|
|
222
232
|
request.stubs(:agent).returns("mcollective")
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mcollective-client
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.5.
|
|
4
|
+
version: 2.5.3
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2014-
|
|
12
|
+
date: 2014-07-14 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: systemu
|
|
@@ -219,6 +219,7 @@ files:
|
|
|
219
219
|
- spec/unit/plugins/mcollective/packagers/modulepackage_packager_spec.rb
|
|
220
220
|
- spec/unit/plugins/mcollective/packagers/ospackage_spec.rb
|
|
221
221
|
- spec/unit/plugins/mcollective/packagers/rpmpackage_packager_spec.rb
|
|
222
|
+
- spec/unit/plugins/mcollective/security/aes_security_spec.rb
|
|
222
223
|
- spec/unit/plugins/mcollective/security/psk_spec.rb
|
|
223
224
|
- spec/unit/plugins/mcollective/validator/array_validator_spec.rb
|
|
224
225
|
- spec/unit/plugins/mcollective/validator/ipv4address_validator_spec.rb
|
|
@@ -363,6 +364,7 @@ test_files:
|
|
|
363
364
|
- spec/unit/plugins/mcollective/packagers/modulepackage_packager_spec.rb
|
|
364
365
|
- spec/unit/plugins/mcollective/packagers/ospackage_spec.rb
|
|
365
366
|
- spec/unit/plugins/mcollective/packagers/rpmpackage_packager_spec.rb
|
|
367
|
+
- spec/unit/plugins/mcollective/security/aes_security_spec.rb
|
|
366
368
|
- spec/unit/plugins/mcollective/security/psk_spec.rb
|
|
367
369
|
- spec/unit/plugins/mcollective/validator/array_validator_spec.rb
|
|
368
370
|
- spec/unit/plugins/mcollective/validator/ipv4address_validator_spec.rb
|