puppet 2.6.11 → 2.6.12

data/spec/unit/ssl/certificate_authority_spec.rb

@@ -200,8 +200,9 @@ describe Puppet::SSL::CertificateAuthority do
       request = mock 'request'
       Puppet::SSL::CertificateRequest.expects(:new).with(@ca.host.name).returns request
       request.expects(:generate).with(@ca.host.key)
+      request.stubs(:request_extensions => [])
 
-      @ca.expects(:sign).with(@host.name, :ca, request)
+      @ca.expects(:sign).with(@host.name, false, request)
 
       @ca.stubs :generate_password
 
@@ -243,10 +244,10 @@ describe Puppet::SSL::CertificateAuthority do
       @cert.stubs(:save)
 
       # Stub out the factory
-      @factory = stub 'factory', :result => "my real cert"
-      Puppet::SSL::CertificateFactory.stubs(:new).returns @factory
+      Puppet::SSL::CertificateFactory.stubs(:build).returns "my real cert"
 
-      @request = stub 'request', :content => "myrequest", :name => @name
+      @request_content = stub "request content stub", :subject => @name
+      @request = stub 'request', :name => @name, :request_extensions => [], :subject_alt_names => [], :content => @request_content
 
       # And the inventory
       @inventory = stub 'inventory', :add => nil
@@ -297,37 +298,45 @@ describe Puppet::SSL::CertificateAuthority do
       it "should not look up a certificate request for the host" do
         Puppet::SSL::CertificateRequest.expects(:find).never
 
-        @ca.sign(@name, :ca, @request)
+        @ca.sign(@name, true, @request)
       end
 
       it "should use a certificate type of :ca" do
-        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
+        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[0] == :ca
-        end.returns @factory
+        end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
 
       it "should pass the provided CSR as the CSR" do
-        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
-          args[1] == "myrequest"
-        end.returns @factory
+        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
+          args[1] == @request
+        end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
 
       it "should use the provided CSR's content as the issuer" do
-        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
-          args[2] == "myrequest"
-        end.returns @factory
+        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
+          args[2].subject == "myhost"
+        end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
 
       it "should pass the next serial as the serial number" do
-        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
+        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[3] == @serial
-        end.returns @factory
+        end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
 
+      it "should sign the certificate request even if it contains alt names" do
+        @request.stubs(:subject_alt_names).returns %w[DNS:foo DNS:bar DNS:baz]
+
+        expect do
+          @ca.sign(@name, false, @request)
+        end.should_not raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError)
+      end
+
       it "should save the resulting certificate" do
         @cert.expects(:save)
 
@@ -345,9 +354,9 @@ describe Puppet::SSL::CertificateAuthority do
       end
 
       it "should use a certificate type of :server" do
-        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
+        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[0] == :server
-        end.returns @factory
+        end.returns "my real cert"
 
         @ca.sign(@name)
       end
@@ -364,17 +373,45 @@ describe Puppet::SSL::CertificateAuthority do
         lambda { @ca.sign(@name) }.should raise_error(ArgumentError)
       end
 
+      it "should fail if an unknown request extension is present" do
+        @request.stubs :request_extensions => [{ "oid"   => "bananas",
+                                                 "value" => "delicious" }]
+        expect { @ca.sign(@name) }.
+          should raise_error(/CSR has request extensions that are not permitted/)
+      end
+
+      it "should fail if the CSR contains alt names and they are not expected" do
+        @request.stubs(:subject_alt_names).returns %w[DNS:foo DNS:bar DNS:baz]
+
+        expect do
+          @ca.sign(@name, false)
+        end.to raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError, /CSR '#{@name}' contains subject alternative names \(.*?\), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{@name}` to sign this request./)
+      end
+
+      it "should not fail if the CSR does not contain alt names and they are expected" do
+        @request.stubs(:subject_alt_names).returns []
+        expect { @ca.sign(@name, true) }.should_not raise_error
+      end
+
+      it "should reject alt names by default" do
+        @request.stubs(:subject_alt_names).returns %w[DNS:foo DNS:bar DNS:baz]
+
+        expect do
+          @ca.sign(@name)
+        end.to raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError, /CSR '#{@name}' contains subject alternative names \(.*?\), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{@name}` to sign this request./)
+      end
+
       it "should use the CA certificate as the issuer" do
-        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
+        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[2] == @cacert.content
-        end.returns @factory
+        end.returns "my real cert"
         @ca.sign(@name)
       end
 
       it "should pass the next serial as the serial number" do
-        Puppet::SSL::CertificateFactory.expects(:new).with do |*args|
+        Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
           args[3] == @serial
-        end.returns @factory
+        end.returns "my real cert"
         @ca.sign(@name)
       end
 
@@ -399,6 +436,80 @@ describe Puppet::SSL::CertificateAuthority do
 
         @ca.sign(@name)
       end
+
+      it "should check the internal signing policies" do
+        @ca.expects(:check_internal_signing_policies).returns true
+        @ca.sign(@name)
+      end
+    end
+
+    context "#check_internal_signing_policies" do
+      before do
+        @serial = 10
+        @ca.stubs(:next_serial).returns @serial
+
+        Puppet::SSL::CertificateRequest.stubs(:find).with(@name).returns @request
+        @cert.stubs :save
+      end
+
+      it "should reject a critical extension that isn't on the whitelist" do
+        @request.stubs(:request_extensions).returns [{ "oid" => "banana",
+                                                       "value" => "yumm",
+                                                       "critical" => true }]
+        expect { @ca.sign(@name) }.to raise_error(
+          Puppet::SSL::CertificateAuthority::CertificateSigningError,
+          /request extensions that are not permitted/
+        )
+      end
+
+      it "should reject a non-critical extension that isn't on the whitelist" do
+        @request.stubs(:request_extensions).returns [{ "oid" => "peach",
+                                                       "value" => "meh",
+                                                       "critical" => false }]
+        expect { @ca.sign(@name) }.to raise_error(
+          Puppet::SSL::CertificateAuthority::CertificateSigningError,
+          /request extensions that are not permitted/
+        )
+      end
+
+      it "should reject non-whitelist extensions even if a valid extension is present" do
+        @request.stubs(:request_extensions).returns [{ "oid" => "peach",
+                                                       "value" => "meh",
+                                                       "critical" => false },
+                                                     { "oid" => "subjectAltName",
+                                                       "value" => "DNS:foo",
+                                                       "critical" => true }]
+        expect { @ca.sign(@name) }.to raise_error(
+          Puppet::SSL::CertificateAuthority::CertificateSigningError,
+          /request extensions that are not permitted/
+        )
+      end
+
+      it "should reject a subjectAltName for a non-DNS value" do
+        @request.stubs(:subject_alt_names).returns ['DNS:foo', 'email:bar@example.com']
+        expect { @ca.sign(@name, true) }.to raise_error(
+          Puppet::SSL::CertificateAuthority::CertificateSigningError,
+          /subjectAltName outside the DNS label space/
+        )
+      end
+
+      it "should reject a wildcard subject" do
+        @request.content.stubs(:subject).
+          returns(OpenSSL::X509::Name.new([["CN", "*.local"]]))
+
+        expect { @ca.sign(@name) }.to raise_error(
+          Puppet::SSL::CertificateAuthority::CertificateSigningError,
+          /subject contains a wildcard/
+        )
+      end
+
+      it "should reject a wildcard subjectAltName" do
+        @request.stubs(:subject_alt_names).returns ['DNS:foo', 'DNS:*.bar']
+        expect { @ca.sign(@name, true) }.to raise_error(
+          Puppet::SSL::CertificateAuthority::CertificateSigningError,
+          /subjectAltName contains a wildcard/
+        )
+      end
     end
 
     it "should create a certificate instance with the content set to the newly signed x509 certificate" do
@@ -763,8 +874,7 @@ describe Puppet::SSL::CertificateAuthority do
       end
 
       it "should sign the generated request" do
-        @ca.expects(:sign).with("him")
-
+        @ca.expects(:sign).with("him", false)
         @ca.generate("him")
       end
     end

data/spec/unit/ssl/certificate_factory_spec.rb

@@ -5,103 +5,123 @@ require File.dirname(__FILE__) + '/../../spec_helper'
 require 'puppet/ssl/certificate_factory'
 
 describe Puppet::SSL::CertificateFactory do
-  before do
-    @cert_type = mock 'cert_type'
-    @name = mock 'name'
-    @csr = stub 'csr', :subject => @name
-    @issuer = mock 'issuer'
-    @serial = mock 'serial'
-
-    @factory = Puppet::SSL::CertificateFactory.new(@cert_type, @csr, @issuer, @serial)
+  let :serial    do OpenSSL::BN.new('12') end
+  let :name      do "example.local" end
+  let :x509_name do OpenSSL::X509::Name.new([['CN', name]]) end
+  let :key       do Puppet::SSL::Key.new(name).generate end
+  let :csr       do
+    csr = Puppet::SSL::CertificateRequest.new(name)
+    csr.generate(key)
+    csr
   end
-
-  describe "when initializing" do
-    it "should set its :cert_type to its first argument" do
-      @factory.cert_type.should equal(@cert_type)
-    end
-
-    it "should set its :csr to its second argument" do
-      @factory.csr.should equal(@csr)
-    end
-
-    it "should set its :issuer to its third argument" do
-      @factory.issuer.should equal(@issuer)
-    end
-
-    it "should set its :serial to its fourth argument" do
-      @factory.serial.should equal(@serial)
-    end
-
-    it "should set its name to the subject of the csr" do
-      @factory.name.should equal(@name)
-    end
+  let :issuer do
+    cert = OpenSSL::X509::Certificate.new
+    cert.subject = OpenSSL::X509::Name.new([["CN", 'issuer.local']])
+    cert
   end
 
   describe "when generating the certificate" do
-    before do
-      @cert = mock 'cert'
-
-      @cert.stub_everything
-
-      @factory.stubs :build_extensions
-
-      @factory.stubs :set_ttl
-
-      @issuer_name = mock 'issuer_name'
-      @issuer.stubs(:subject).returns @issuer_name
-
-      @public_key = mock 'public_key'
-      @csr.stubs(:public_key).returns @public_key
-
-      OpenSSL::X509::Certificate.stubs(:new).returns @cert
-    end
-
     it "should return a new X509 certificate" do
-      OpenSSL::X509::Certificate.expects(:new).returns @cert
-      @factory.result.should equal(@cert)
+      subject.build(:server, csr, issuer, serial).should_not ==
+        subject.build(:server, csr, issuer, serial)
     end
 
     it "should set the certificate's version to 2" do
-      @cert.expects(:version=).with 2
-      @factory.result
+      subject.build(:server, csr, issuer, serial).version.should == 2
     end
 
     it "should set the certificate's subject to the CSR's subject" do
-      @cert.expects(:subject=).with @name
-      @factory.result
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.subject.should eql x509_name
     end
 
     it "should set the certificate's issuer to the Issuer's subject" do
-      @cert.expects(:issuer=).with @issuer_name
-      @factory.result
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.issuer.should eql issuer.subject
     end
 
     it "should set the certificate's public key to the CSR's public key" do
-      @cert.expects(:public_key=).with @public_key
-      @factory.result
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.public_key.should be_public
+      cert.public_key.to_s.should == csr.content.public_key.to_s
     end
 
     it "should set the certificate's serial number to the provided serial number" do
-      @cert.expects(:serial=).with @serial
-      @factory.result
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.serial.should == serial
+    end
+
+    it "should have 24 hours grace on the start of the cert" do
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.not_before.should be_within(1).of(Time.now - 24*60*60)
+    end
+
+    it "should set the default TTL of the certificate" do
+      ttl  = Puppet::SSL::CertificateFactory.ttl
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.not_after.should be_within(1).of(Time.now + ttl)
+    end
+
+    it "should respect a custom TTL for the CA" do
+      Puppet[:ca_ttl] = 12
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.not_after.should be_within(1).of(Time.now + 12)
     end
 
     it "should build extensions for the certificate" do
-      @factory.expects(:build_extensions)
-      @factory.result
+      cert = subject.build(:server, csr, issuer, serial)
+      cert.extensions.map {|x| x.to_h }.find {|x| x["oid"] == "nsComment" }.should ==
+        { "oid"      => "nsComment",
+          "value"    => "Puppet Ruby/OpenSSL Internal Certificate",
+          "critical" => false }
     end
 
-    it "should set the ttl of the certificate" do
-      @factory.expects(:set_ttl)
-      @factory.result
+    # See #2848 for why we are doing this: we need to make sure that
+    # subjectAltName is set if the CSR has it, but *not* if it is set when the
+    # certificate is built!
+    it "should not add subjectAltNames from dns_alt_names" do
+      Puppet[:dns_alt_names] = 'one, two'
+      # Verify the CSR still has no extReq, just in case...
+      csr.request_extensions.should == []
+      cert = subject.build(:server, csr, issuer, serial)
+
+      cert.extensions.find {|x| x.oid == 'subjectAltName' }.should be_nil
     end
-  end
 
-  describe "when building extensions" do
-    it "should have tests"
-  end
+    it "should add subjectAltName when the CSR requests them" do
+      Puppet[:dns_alt_names] = ''
+
+      expect = %w{one two} + [name]
+
+      csr = Puppet::SSL::CertificateRequest.new(name)
+      csr.generate(key, :dns_alt_names => expect.join(', '))
 
-  describe "when setting the ttl" do
-    it "should have tests"
+      csr.request_extensions.should_not be_nil
+      csr.subject_alt_names.should =~ expect.map{|x| "DNS:#{x}"}
+
+      cert = subject.build(:server, csr, issuer, serial)
+      san = cert.extensions.find {|x| x.oid == 'subjectAltName' }
+      san.should_not be_nil
+      expect.each do |name|
+        san.value.should =~ /DNS:#{name}\b/i
+      end
+    end
+
+    # Can't check the CA here, since that requires way more infrastructure
+    # that I want to build up at this time.  We can verify the critical
+    # values, though, which are non-CA certs. --daniel 2011-10-11
+    { :ca            => 'CA:TRUE',
+      :terminalsubca => ['CA:TRUE', 'pathlen:0'],
+      :server        => 'CA:FALSE',
+      :ocsp          => 'CA:FALSE',
+      :client        => 'CA:FALSE',
+    }.each do |name, value|
+      it "should set basicConstraints for #{name} #{value.inspect}" do
+        cert = subject.build(name, csr, issuer, serial)
+        bc = cert.extensions.find {|x| x.oid == 'basicConstraints' }
+        bc.should be
+        bc.value.split(/\s*,\s*/).should =~ Array(value)
+      end
+    end
   end
 end

data/spec/unit/ssl/certificate_request_spec.rb

@@ -126,7 +126,7 @@ describe Puppet::SSL::CertificateRequest do
 
     it "should set the CN to the :ca_name setting when the CSR is for a CA" do
       subject = mock 'subject'
-      Puppet.settings.expects(:value).with(:ca_name).returns "mycertname"
+      Puppet[:ca_name] = "mycertname"
       OpenSSL::X509::Name.expects(:new).with { |subject| subject[0][1] == "mycertname" }.returns(subject)
       @request.expects(:subject=).with(subject)
       Puppet::SSL::CertificateRequest.new(Puppet::SSL::CA_NAME).generate(@key)
@@ -145,6 +145,67 @@ describe Puppet::SSL::CertificateRequest do
       @instance.generate(@key)
     end
 
+    context "without subjectAltName / dns_alt_names" do
+      before :each do
+        Puppet[:dns_alt_names] = ""
+      end
+
+      ["extreq", "msExtReq"].each do |name|
+        it "should not add any #{name} attribute" do
+          @request.expects(:add_attribute).never
+          @request.expects(:attributes=).never
+          @instance.generate(@key)
+        end
+
+        it "should return no subjectAltNames" do
+          @instance.generate(@key)
+          @instance.subject_alt_names.should be_empty
+        end
+      end
+    end
+
+    context "with dns_alt_names" do
+      before :each do
+        Puppet[:dns_alt_names] = "one, two, three"
+      end
+
+      ["extreq", "msExtReq"].each do |name|
+        it "should not add any #{name} attribute" do
+          @request.expects(:add_attribute).never
+          @request.expects(:attributes=).never
+          @instance.generate(@key)
+        end
+
+        it "should return no subjectAltNames" do
+          @instance.generate(@key)
+          @instance.subject_alt_names.should be_empty
+        end
+      end
+    end
+
+    context "with subjectAltName to generate request" do
+      before :each do
+        Puppet[:dns_alt_names] = ""
+      end
+
+      it "should add an extreq attribute" do
+        @request.expects(:add_attribute).with do |arg|
+          arg.value.value.all? do |x|
+            x.value.all? do |y|
+              y.value[0].value == "subjectAltName"
+            end
+          end
+        end
+
+        @instance.generate(@key, :dns_alt_names => 'one, two')
+      end
+
+      it "should return the subjectAltName values" do
+        @instance.generate(@key, :dns_alt_names => 'one,two')
+        @instance.subject_alt_names.should =~ ["DNS:myname", "DNS:one", "DNS:two"]
+      end
+    end
+
     it "should sign the csr with the provided key and a digest" do
       digest = mock 'digest'
       OpenSSL::Digest::MD5.expects(:new).returns(digest)