mcollective-client 2.5.2 → 2.5.3

data/lib/mcollective.rb

@@ -59,7 +59,7 @@ module MCollective
 
   MCollective::Vendor.load_vendored
 
-  VERSION="2.5.2"
+  VERSION="2.5.3"
 
   def self.version
     VERSION

data/spec/unit/plugins/mcollective/security/aes_security_spec.rb

@@ -0,0 +1,165 @@
+#!/usr/bin/env rspec
+
+require 'spec_helper'
+require File.dirname(__FILE__) + '/../../../../../plugins/mcollective/security/aes_security.rb'
+
+module MCollective
+  module Security
+    # Clear the PluginManager so that security plugin tests do not conflict
+    PluginManager.clear
+    describe Aes_security do
+      let(:pluginconf) do
+        {"aes.client_cert_dir" => "testing"}
+      end
+
+      let(:config) do
+        conf = mock
+        conf.stubs(:identity).returns("test")
+        conf.stubs(:configured).returns(true)
+        conf.stubs(:pluginconf).returns(pluginconf)
+        conf
+      end
+
+      let(:plugin) do
+        Aes_security.new
+      end
+
+      let(:msg) do
+        m = mock
+        m.stubs(:payload)
+        m
+      end
+
+      before :each do
+        stats = mock("stats")
+        MCollective::PluginManager << {:type => "global_stats", :class => stats}
+        MCollective::Config.stubs("instance").returns(config)
+        MCollective::Log.stubs(:debug)
+        MCollective::Log.stubs(:warn)
+      end
+
+      describe "#decodemsg" do
+        let(:body) do
+        {:sslpubkey => "ssl_public_key",
+         :callerid  => "cert=testing",
+         :requestid => 1}
+        end
+
+        before :each do
+          pluginconf["aes.learn_pubkeys"] = "1"
+          plugin.stubs(:should_process_msg?)
+          plugin.stubs(:deserialize).returns(body)
+          plugin.stubs(:decrypt)
+          plugin.stubs(:deserialize).returns(body)
+          plugin.stubs(:update_secure_property)
+        end
+
+        it "should not learn the public key if the key has not been passed" do
+          body.delete(:sslpubkey)
+          plugin.decodemsg(msg)
+          File.expects(:exist?).never
+          File.expects(:open).never
+        end
+
+        it "should not learn the public key if keyfile is present on disk" do
+          File.expects(:exist?).with("testing/testing.pem").returns(true)
+          File.expects(:open).never
+          plugin.decodemsg(msg)
+        end
+
+        it "should not learn the key if there is no ca_cert and insecure_learning is false" do
+          File.expects(:exist?).returns(false)
+          Log.expects(:warn).with() do |msg|
+            msg =~ /No CA certificate specified/
+          end
+          expect {
+            plugin.decodemsg(msg)
+          }.to raise_error SecurityValidationFailed
+        end
+
+        it "should not learn the key if the cert cannot be verified against the CA" do
+          File.expects(:exist?).returns(false)
+          pluginconf["aes.ca_cert"] = "ca_cert"
+          plugin.expects(:validate_certificate).with("ssl_public_key", "testing").returns(false)
+          Log.expects(:warn).with() do |msg|
+            msg.should match(/Unable to validate certificate/)
+          end
+          expect {
+            plugin.decodemsg(msg)
+          }.to raise_error SecurityValidationFailed
+        end
+
+        it "it should learn the public key if insecure_learning is enabled" do
+          pluginconf["aes.insecure_learning"] = "1"
+          File.expects(:exist?).returns(false)
+          Log.expects(:warn).with() do |msg|
+            msg.should match(/Do NOT use this mode in sensitive environments/)
+          end
+          File.expects(:open)
+          plugin.decodemsg(msg)
+        end
+
+        it "should learn the public key if the CA can verify the cert" do
+          File.expects(:exist?).returns(false)
+          pluginconf["aes.ca_cert"] = "ca_cert"
+          File.expects(:read).with("testing/testing.pem").returns("ssl_public_key")
+          plugin.expects(:validate_certificate).with("ssl_public_key", "testing").twice.returns(true)
+          File.expects(:open)
+          plugin.decodemsg(msg)
+        end
+      end
+
+      describe "#validate_certificate" do
+        let(:cert) do
+          mock
+        end
+
+        let(:ca_cert) do
+          ca = mock
+          ca.stubs(:add_file).returns(true)
+          ca
+        end
+
+        let(:callerid) do
+          "rspec_caller"
+        end
+
+        it "should fail if the cert is not a X509 certificate" do
+          OpenSSL::X509::Certificate.expects(:new).with("ssl_cert").raises(OpenSSL::X509::CertificateError)
+          Log.expects(:warn).with() do |msg|
+            msg.should match(/Received public key that is not a X509 certficate/)
+          end
+          plugin.validate_certificate("ssl_cert", callerid).should be_false
+        end
+
+        it "should fail if the name in the cert doesn't match the callerid" do
+          OpenSSL::X509::Certificate.expects(:new).with("ssl_cert").returns(cert)
+          plugin.stubs(:certname_from_certificate).with(cert).returns("not_rspec_caller")
+          Log.expects(:warn).with() do |msg|
+            msg.should match(/certname 'rspec_caller' doesn't match certificate 'not_rspec_caller'/)
+          end
+          plugin.validate_certificate("ssl_cert", callerid).should be_false
+        end
+
+        it "should fail if the cert wasn't signed by the CA" do
+          OpenSSL::X509::Certificate.expects(:new).with("ssl_cert").returns(cert)
+          plugin.stubs(:certname_from_certificate).with(cert).returns("rspec_caller")
+          OpenSSL::X509::Store.stubs(:new).returns(ca_cert)
+          ca_cert.stubs(:verify).with(cert).returns(false)
+          Log.expects(:warn).with() do |msg|
+            msg.should match(/Unable to validate certificate/)
+          end
+          plugin.validate_certificate("ssl_cert", callerid).should be_false
+        end
+
+        it "should validate the cert" do
+          OpenSSL::X509::Certificate.expects(:new).with("ssl_cert").returns(cert)
+          plugin.stubs(:certname_from_certificate).with(cert).returns("rspec_caller")
+          OpenSSL::X509::Store.stubs(:new).returns(ca_cert)
+          ca_cert.stubs(:verify).with(cert).returns(true)
+          plugin.validate_certificate("ssl_cert", callerid).should be_true
+        end
+      end
+    end
+  end
+end

data/spec/unit/runner_spec.rb

@@ -205,7 +205,7 @@ module MCollective
 
         before :each do
           PluginManager.stubs(:[]).with("registration_plugin").returns(registration_agent)
-          Data.expects(:load_data_sources)
+          Data.stubs(:load_data_sources)
           Util.expects(:subscribe).twice
           Util.expects(:make_subscriptions).twice
         end
@@ -217,6 +217,16 @@ module MCollective
           runner.send(:receiver_thread)
         end
 
+        it 'should load agents before data plugins' do
+          load_order = sequence('load_order')
+          Agents.expects(:new).in_sequence(load_order)
+          Data.expects(:load_data_sources).in_sequence(load_order)
+          runner.expects(:receive).returns(request)
+          runner.expects(:agentmsg).with(request)
+          runner.instance_variable_set(:@exit_receiver_thread, true)
+          runner.send(:receiver_thread)
+        end
+
         it 'should discard controller messages with an error message' do
           runner.expects(:receive).returns(request)
           request.stubs(:agent).returns("mcollective")

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mcollective-client
 version: !ruby/object:Gem::Version
-  version: 2.5.2
+  version: 2.5.3
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-06-10 00:00:00.000000000 Z
+date: 2014-07-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: systemu
@@ -219,6 +219,7 @@ files:
 - spec/unit/plugins/mcollective/packagers/modulepackage_packager_spec.rb
 - spec/unit/plugins/mcollective/packagers/ospackage_spec.rb
 - spec/unit/plugins/mcollective/packagers/rpmpackage_packager_spec.rb
+- spec/unit/plugins/mcollective/security/aes_security_spec.rb
 - spec/unit/plugins/mcollective/security/psk_spec.rb
 - spec/unit/plugins/mcollective/validator/array_validator_spec.rb
 - spec/unit/plugins/mcollective/validator/ipv4address_validator_spec.rb
@@ -363,6 +364,7 @@ test_files:
 - spec/unit/plugins/mcollective/packagers/modulepackage_packager_spec.rb
 - spec/unit/plugins/mcollective/packagers/ospackage_spec.rb
 - spec/unit/plugins/mcollective/packagers/rpmpackage_packager_spec.rb
+- spec/unit/plugins/mcollective/security/aes_security_spec.rb
 - spec/unit/plugins/mcollective/security/psk_spec.rb
 - spec/unit/plugins/mcollective/validator/array_validator_spec.rb
 - spec/unit/plugins/mcollective/validator/ipv4address_validator_spec.rb