puppet 2.7.17 → 2.7.18

data/spec/unit/file_serving/content_spec.rb

@@ -6,7 +6,7 @@ require 'puppet/file_serving/content'
 describe Puppet::FileServing::Content do
   let(:path) { File.expand_path('/path') }
 
-  it "should should be a subclass of Base" do
+  it "should be a subclass of Base" do
     Puppet::FileServing::Content.superclass.should equal(Puppet::FileServing::Base)
   end
 
@@ -14,10 +14,6 @@ describe Puppet::FileServing::Content do
     Puppet::FileServing::Content.indirection.name.should == :file_content
   end
 
-  it "should should include the IndirectionHooks module in its indirection" do
-    Puppet::FileServing::Content.indirection.singleton_class.included_modules.should include(Puppet::FileServing::IndirectionHooks)
-  end
-
   it "should only support the raw format" do
     Puppet::FileServing::Content.supported_formats.should == [:raw]
   end

data/spec/unit/file_serving/metadata_spec.rb

@@ -6,7 +6,7 @@ require 'puppet/file_serving/metadata'
 describe Puppet::FileServing::Metadata do
   let(:foobar) { File.expand_path('/foo/bar') }
 
-  it "should should be a subclass of Base" do
+  it "should be a subclass of Base" do
     Puppet::FileServing::Metadata.superclass.should equal(Puppet::FileServing::Base)
   end
 
@@ -14,10 +14,6 @@ describe Puppet::FileServing::Metadata do
     Puppet::FileServing::Metadata.indirection.name.should == :file_metadata
   end
 
-  it "should should include the IndirectionHooks module in its indirection" do
-    Puppet::FileServing::Metadata.indirection.singleton_class.included_modules.should include(Puppet::FileServing::IndirectionHooks)
-  end
-
   it "should have a method that triggers attribute collection" do
     Puppet::FileServing::Metadata.new(foobar).should respond_to(:collect)
   end

data/spec/unit/file_serving/mount/modules_spec.rb

@@ -11,6 +11,10 @@ describe Puppet::FileServing::Mount::Modules do
   end
 
   describe "when finding files" do
+    it "should fail if no module is specified" do
+      expect { @mount.find("", @request) }.to raise_error(/No module specified/)
+    end
+
     it "should use the provided environment to find the module" do
       @environment.expects(:module)
 
@@ -36,6 +40,10 @@ describe Puppet::FileServing::Mount::Modules do
   end
 
   describe "when searching for files" do
+    it "should fail if no module is specified" do
+      expect { @mount.find("", @request) }.to raise_error(/No module specified/)
+    end
+
     it "should use the node's environment to search the module" do
       @environment.expects(:module)
 

data/spec/unit/file_serving/{indirection_hooks_spec.rb → terminus_selector_spec.rb}

@@ -1,12 +1,12 @@
 #!/usr/bin/env rspec
 require 'spec_helper'
 
-require 'puppet/file_serving/indirection_hooks'
+require 'puppet/file_serving/terminus_selector'
 
-describe Puppet::FileServing::IndirectionHooks do
+describe Puppet::FileServing::TerminusSelector do
   before do
     @object = Object.new
-    @object.extend(Puppet::FileServing::IndirectionHooks)
+    @object.extend(Puppet::FileServing::TerminusSelector)
 
     @request = stub 'request', :key => "mymod/myfile", :options => {:node => "whatever"}, :server => nil, :protocol => nil
   end
@@ -14,17 +14,17 @@ describe Puppet::FileServing::IndirectionHooks do
   describe "when being used to select termini" do
     it "should return :file if the request key is fully qualified" do
       @request.expects(:key).returns File.expand_path('/foo')
-      @object.select_terminus(@request).should == :file
+      @object.select(@request).should == :file
     end
 
     it "should return :file if the URI protocol is set to 'file'" do
       @request.expects(:protocol).returns "file"
-      @object.select_terminus(@request).should == :file
+      @object.select(@request).should == :file
     end
 
     it "should fail when a protocol other than :puppet or :file is used" do
       @request.stubs(:protocol).returns "http"
-      proc { @object.select_terminus(@request) }.should raise_error(ArgumentError)
+      proc { @object.select(@request) }.should raise_error(ArgumentError)
     end
 
     describe "and the protocol is 'puppet'" do
@@ -35,15 +35,15 @@ describe Puppet::FileServing::IndirectionHooks do
       it "should choose :rest when a server is specified" do
         @request.stubs(:protocol).returns "puppet"
         @request.expects(:server).returns "foo"
-        @object.select_terminus(@request).should == :rest
+        @object.select(@request).should == :rest
       end
 
       # This is so a given file location works when bootstrapping with no server.
       it "should choose :rest when the Settings name isn't 'puppet'" do
         @request.stubs(:protocol).returns "puppet"
-        @request.stubs(:server).returns "foo"
+        # We have to stub this because we can't set name
         Puppet.settings.stubs(:value).with(:name).returns "foo"
-        @object.select_terminus(@request).should == :rest
+        @object.select(@request).should == :rest
       end
 
       it "should choose :file_server when the settings name is 'puppet' and no server is specified" do
@@ -51,8 +51,7 @@ describe Puppet::FileServing::IndirectionHooks do
 
         @request.expects(:protocol).returns "puppet"
         @request.expects(:server).returns nil
-        Puppet.settings.expects(:value).with(:name).returns "puppet"
-        @object.select_terminus(@request).should == :file_server
+        @object.select(@request).should == :file_server
       end
     end
   end

data/spec/unit/indirector/file_bucket_file/selector_spec.rb

@@ -0,0 +1,29 @@
+#!/usr/bin/env rspec
+require 'spec_helper'
+
+require 'puppet/indirector/file_bucket_file/selector'
+require 'puppet/indirector/file_bucket_file/file'
+require 'puppet/indirector/file_bucket_file/rest'
+
+describe Puppet::FileBucketFile::Selector do
+  %w[head find save search destroy].each do |method|
+    describe "##{method}" do
+      it "should proxy to rest terminus for https requests" do
+        request = stub 'request', :protocol => 'https'
+
+        Puppet::FileBucketFile::Rest.any_instance.expects(method).with(request)
+
+        subject.send(method, request)
+      end
+
+      it "should proxy to file terminus for other requests" do
+        request = stub 'request', :protocol => 'file'
+
+        Puppet::FileBucketFile::File.any_instance.expects(method).with(request)
+
+        subject.send(method, request)
+      end
+    end
+  end
+end
+

data/spec/unit/indirector/file_content/selector_spec.rb

@@ -0,0 +1,10 @@
+#!/usr/bin/env rspec
+require 'spec_helper'
+
+require 'puppet/indirector/file_content/selector'
+
+describe Puppet::Indirector::FileContent::Selector do
+  include PuppetSpec::Files
+
+  it_should_behave_like "Puppet::FileServing::Files", :file_content
+end

data/spec/unit/indirector/file_metadata/selector_spec.rb

@@ -0,0 +1,11 @@
+#!/usr/bin/env rspec
+require 'spec_helper'
+
+require 'puppet/indirector/file_metadata/selector'
+
+describe Puppet::Indirector::FileMetadata::Selector do
+  include PuppetSpec::Files
+
+  it_should_behave_like "Puppet::FileServing::Files", :file_metadata
+end
+

data/spec/unit/network/handler/ca_spec.rb

@@ -31,6 +31,7 @@ describe Puppet::Network::Handler::CA, :unless => Puppet.features.microsoft_wind
       Puppet::SSL::CertificateAuthority.stubs(:ca?).returns false
 
       csr = OpenSSL::X509::Request.new
+      csr.subject = OpenSSL::X509::Name.new([["CN", "anything"]])
       subject.getcert(csr.to_pem).should == ''
     end
 

data/spec/unit/reports/store_spec.rb

@@ -44,5 +44,33 @@ describe processor do
       FileUtils.expects(:mv).in_sequence(writeseq).with(File.join(Dir.tmpdir, "foo123"), File.join(Puppet[:reportdir], @report.host, "201101061200.yaml"))
       @report.process
     end
+
+    ['..', 'hello/', '/hello', 'he/llo', 'hello/..', '.'].each do |node|
+      it "rejects #{node.inspect}" do
+        @report.host = node
+        expect { @report.process }.to raise_error(ArgumentError, /Invalid node/)
+      end
+    end
+
+    ['.hello', 'hello.', '..hi', 'hi..'].each do |node|
+      it "accepts #{node.inspect}" do
+        @report.host = node
+        @report.process
+      end
+    end
+  end
+
+  describe "::destroy" do
+    ['..', 'hello/', '/hello', 'he/llo', 'hello/..', '.'].each do |node|
+      it "rejects #{node.inspect}" do
+        expect { processor.destroy(node) }.to raise_error(ArgumentError, /Invalid node/)
+      end
+    end
+
+    ['.hello', 'hello.', '..hi', 'hi..'].each do |node|
+      it "accepts #{node.inspect}" do
+        processor.destroy(node)
+      end
+    end
   end
 end

data/spec/unit/ssl/certificate_authority/interface_spec.rb

@@ -216,9 +216,9 @@ describe Puppet::SSL::CertificateAuthority::Interface do
           applier = @class.new(:list, :to => [])
 
           applier.expects(:puts).with(<<-OUTPUT.chomp)
-  host1 (fingerprint)
-  host2 (fingerprint)
-  host3 (fingerprint)
+  "host1" (fingerprint)
+  "host2" (fingerprint)
+  "host3" (fingerprint)
           OUTPUT
 
           applier.apply(@ca)
@@ -232,12 +232,12 @@ describe Puppet::SSL::CertificateAuthority::Interface do
           applier = @class.new(:list, :to => :all)
 
           applier.expects(:puts).with(<<-OUTPUT.chomp)
-  host1 (fingerprint)
-  host2 (fingerprint)
-  host3 (fingerprint)
-+ host5 (fingerprint)
-+ host6 (fingerprint)
-- host4 (fingerprint) (certificate revoked)
+  "host1" (fingerprint)
+  "host2" (fingerprint)
+  "host3" (fingerprint)
++ "host5" (fingerprint)
++ "host6" (fingerprint)
+- "host4" (fingerprint) (certificate revoked)
           OUTPUT
 
           applier.apply(@ca)
@@ -249,9 +249,9 @@ describe Puppet::SSL::CertificateAuthority::Interface do
           applier = @class.new(:list, :to => :signed)
 
           applier.expects(:puts).with(<<-OUTPUT.chomp)
-+ host4 (fingerprint)
-+ host5 (fingerprint)
-+ host6 (fingerprint)
++ "host4" (fingerprint)
++ "host5" (fingerprint)
++ "host6" (fingerprint)
           OUTPUT
 
           applier.apply(@ca)
@@ -263,7 +263,7 @@ describe Puppet::SSL::CertificateAuthority::Interface do
           applier = @class.new(:list, :to => ['host1'])
 
           applier.expects(:puts).with(<<-OUTPUT.chomp)
-  host1 (fingerprint) (alt names: DNS:foo, DNS:bar)
+  "host1" (fingerprint) (alt names: "DNS:foo", "DNS:bar")
           OUTPUT
 
           applier.apply(@ca)
@@ -275,10 +275,10 @@ describe Puppet::SSL::CertificateAuthority::Interface do
           applier = @class.new(:list, :to => %w{host1 host2 host4 host5})
 
           applier.expects(:puts).with(<<-OUTPUT.chomp)
-  host1 (fingerprint)
-  host2 (fingerprint)
-+ host4 (fingerprint)
-+ host5 (fingerprint)
+  "host1" (fingerprint)
+  "host2" (fingerprint)
++ "host4" (fingerprint)
++ "host5" (fingerprint)
             OUTPUT
 
           applier.apply(@ca)

data/spec/unit/ssl/certificate_authority_spec.rb

@@ -246,7 +246,7 @@ describe Puppet::SSL::CertificateAuthority do
       # Stub out the factory
       Puppet::SSL::CertificateFactory.stubs(:build).returns "my real cert"
 
-      @request_content = stub "request content stub", :subject => @name
+      @request_content = stub "request content stub", :subject => OpenSSL::X509::Name.new([['CN', @name]])
       @request = stub 'request', :name => @name, :request_extensions => [], :subject_alt_names => [], :content => @request_content
 
       # And the inventory
@@ -303,28 +303,28 @@ describe Puppet::SSL::CertificateAuthority do
 
       it "should use a certificate type of :ca" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
-          args[0] == :ca
+          args[0].should == :ca
         end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
 
       it "should pass the provided CSR as the CSR" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
-          args[1] == @request
+          args[1].should == @request
         end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
 
       it "should use the provided CSR's content as the issuer" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
-          args[2].subject == "myhost"
+          args[2].subject.to_s.should == "/CN=myhost"
         end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
 
       it "should pass the next serial as the serial number" do
         Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
-          args[3] == @serial
+          args[3].should == @serial
         end.returns "my real cert"
         @ca.sign(@name, :ca, @request)
       end
@@ -452,11 +452,76 @@ describe Puppet::SSL::CertificateAuthority do
         @cert.stubs :save
       end
 
+      it "should reject CSRs whose CN doesn't match the name for which we're signing them" do
+        # Shorten this so the test doesn't take too long
+        Puppet[:keylength] = 1024
+        key = Puppet::SSL::Key.new('the_certname')
+        key.generate
+
+        csr = Puppet::SSL::CertificateRequest.new('the_certname')
+        csr.generate(key)
+
+        expect do
+          @ca.check_internal_signing_policies('not_the_certname', csr, false)
+        end.to raise_error(
+          Puppet::SSL::CertificateAuthority::CertificateSigningError,
+          /common name "the_certname" does not match expected certname "not_the_certname"/
+        )
+      end
+
+      describe "when validating the CN" do
+        before :all do
+          Puppet[:keylength] = 1024
+          @signing_key = Puppet::SSL::Key.new('my_signing_key')
+          @signing_key.generate
+        end
+
+        [
+         'completely_okay',
+         'sure, why not? :)',
+         'so+many(things)-are=allowed.',
+         'this"is#just&madness%you[see]',
+         'and even a (an?) \\!',
+         'waltz, nymph, for quick jigs vex bud.',
+         '{552c04ca-bb1b-11e1-874b-60334b04494e}'
+        ].each do |name|
+          it "should accept #{name.inspect}" do
+            csr = Puppet::SSL::CertificateRequest.new(name)
+            csr.generate(@signing_key)
+
+            @ca.check_internal_signing_policies(name, csr, false)
+          end
+        end
+
+        [
+         'super/bad',
+         "not\neven\tkind\rof",
+         "ding\adong\a",
+         "hidden\b\b\b\b\b\bmessage",
+         "☃ :("
+        ].each do |name|
+          it "should reject #{name.inspect}" do
+            # We aren't even allowed to make objects with these names, so let's
+            # stub that to simulate an invalid one coming from outside Puppet
+            Puppet::SSL::CertificateRequest.stubs(:validate_certname)
+            csr = Puppet::SSL::CertificateRequest.new(name)
+            csr.generate(@signing_key)
+
+            expect do
+              @ca.check_internal_signing_policies(name, csr, false)
+            end.to raise_error(
+              Puppet::SSL::CertificateAuthority::CertificateSigningError,
+              /subject contains unprintable or non-ASCII characters/
+            )
+          end
+        end
+      end
+
       it "should reject a critical extension that isn't on the whitelist" do
         @request.stubs(:request_extensions).returns [{ "oid" => "banana",
                                                        "value" => "yumm",
                                                        "critical" => true }]
-        expect { @ca.sign(@name) }.to raise_error(
+        expect { @ca.check_internal_signing_policies(@name, @request, false) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /request extensions that are not permitted/
         )
@@ -466,7 +531,7 @@ describe Puppet::SSL::CertificateAuthority do
         @request.stubs(:request_extensions).returns [{ "oid" => "peach",
                                                        "value" => "meh",
                                                        "critical" => false }]
-        expect { @ca.sign(@name) }.to raise_error(
+        expect { @ca.check_internal_signing_policies(@name, @request, false) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /request extensions that are not permitted/
         )
@@ -479,7 +544,7 @@ describe Puppet::SSL::CertificateAuthority do
                                                      { "oid" => "subjectAltName",
                                                        "value" => "DNS:foo",
                                                        "critical" => true }]
-        expect { @ca.sign(@name) }.to raise_error(
+        expect { @ca.check_internal_signing_policies(@name, @request, false) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /request extensions that are not permitted/
         )
@@ -487,7 +552,7 @@ describe Puppet::SSL::CertificateAuthority do
 
       it "should reject a subjectAltName for a non-DNS value" do
         @request.stubs(:subject_alt_names).returns ['DNS:foo', 'email:bar@example.com']
-        expect { @ca.sign(@name, true) }.to raise_error(
+        expect { @ca.check_internal_signing_policies(@name, @request, true) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /subjectAltName outside the DNS label space/
         )
@@ -497,7 +562,7 @@ describe Puppet::SSL::CertificateAuthority do
         @request.content.stubs(:subject).
           returns(OpenSSL::X509::Name.new([["CN", "*.local"]]))
 
-        expect { @ca.sign(@name) }.to raise_error(
+        expect { @ca.check_internal_signing_policies('*.local', @request, false) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /subject contains a wildcard/
         )
@@ -505,7 +570,7 @@ describe Puppet::SSL::CertificateAuthority do
 
       it "should reject a wildcard subjectAltName" do
         @request.stubs(:subject_alt_names).returns ['DNS:foo', 'DNS:*.bar']
-        expect { @ca.sign(@name, true) }.to raise_error(
+        expect { @ca.check_internal_signing_policies(@name, @request, true) }.to raise_error(
           Puppet::SSL::CertificateAuthority::CertificateSigningError,
           /subjectAltName contains a wildcard/
         )