puppet 2.7.5 → 2.7.6

data/spec/unit/face/certificate_spec.rb

@@ -5,13 +5,32 @@ require 'puppet/face'
 require 'puppet/ssl/host'
 
 describe Puppet::Face[:certificate, '0.0.1'] do
+  include PuppetSpec::Files
+
+  let(:ca) { Puppet::SSL::CertificateAuthority.instance }
+
+  before :each do
+    Puppet[:confdir] = tmpdir('conf')
+    Puppet::SSL::CertificateAuthority.stubs(:ca?).returns true
+
+    Puppet::SSL::Host.ca_location = :local
+
+    # We can't cache the CA between tests, because each one has its own SSL dir.
+    ca = Puppet::SSL::CertificateAuthority.new
+    Puppet::SSL::CertificateAuthority.stubs(:new).returns ca
+    Puppet::SSL::CertificateAuthority.stubs(:instance).returns ca
+  end
+
   it "should have a ca-location option" do
     subject.should be_option :ca_location
   end
 
   it "should set the ca location when invoked" do
     Puppet::SSL::Host.expects(:ca_location=).with(:local)
-    Puppet::SSL::Host.indirection.expects(:save)
+    ca.expects(:sign).with do |name,options|
+      name == "hello, friend"
+    end
+
     subject.sign "hello, friend", :ca_location => :local
   end
 
@@ -32,4 +51,152 @@ describe Puppet::Face[:certificate, '0.0.1'] do
       subject.find 'hello, friend', :ca_location => :foo
     end.to raise_exception ArgumentError, /valid values/i
   end
+
+  describe "#generate" do
+    let(:options) { {:ca_location => 'local'} }
+    let(:host) { Puppet::SSL::Host.new(hostname) }
+    let(:csr) { host.certificate_request }
+
+    describe "for the current host" do
+      let(:hostname) { Puppet[:certname] }
+
+      it "should generate a CSR for this host" do
+        subject.generate(hostname, options)
+
+        csr.content.subject.to_s.should == "/CN=#{Puppet[:certname]}"
+        csr.name.should == Puppet[:certname]
+      end
+
+      it "should add dns_alt_names from the global config if not otherwise specified" do
+        Puppet[:dns_alt_names] = 'from,the,config'
+
+        subject.generate(hostname, options)
+
+        expected = %W[DNS:from DNS:the DNS:config DNS:#{hostname}]
+
+        csr.subject_alt_names.should =~ expected
+      end
+
+      it "should add the provided dns_alt_names if they are specified" do
+        Puppet[:dns_alt_names] = 'from,the,config'
+
+        subject.generate(hostname, options.merge(:dns_alt_names => 'explicit,alt,names'))
+
+        expected = %W[DNS:explicit DNS:alt DNS:names DNS:#{hostname}]
+
+        csr.subject_alt_names.should =~ expected
+      end
+    end
+
+    describe "for another host" do
+      let(:hostname) { Puppet[:certname] + 'different' }
+
+      it "should generate a CSR for the specified host" do
+        subject.generate(hostname, options)
+
+        csr.content.subject.to_s.should == "/CN=#{hostname}"
+        csr.name.should == hostname
+      end
+
+      it "should fail if a CSR already exists for the host" do
+        subject.generate(hostname, options)
+
+        expect do
+          subject.generate(hostname, options)
+        end.to raise_error(RuntimeError, /#{hostname} already has a requested certificate; ignoring certificate request/)
+      end
+
+      it "should add not dns_alt_names from the config file" do
+        Puppet[:dns_alt_names] = 'from,the,config'
+
+        subject.generate(hostname, options)
+
+        csr.subject_alt_names.should be_empty
+      end
+
+      it "should add the provided dns_alt_names if they are specified" do
+        Puppet[:dns_alt_names] = 'from,the,config'
+
+        subject.generate(hostname, options.merge(:dns_alt_names => 'explicit,alt,names'))
+
+        expected = %W[DNS:explicit DNS:alt DNS:names DNS:#{hostname}]
+
+        csr.subject_alt_names.should =~ expected
+      end
+    end
+  end
+
+  describe "#sign" do
+    let(:options) { {:ca_location => 'local'} }
+    let(:host) { Puppet::SSL::Host.new(hostname) }
+    let(:hostname) { "foobar" }
+
+    it "should sign the certificate request if one is waiting" do
+      subject.generate(hostname, options)
+
+      subject.sign(hostname, options)
+
+      host.certificate_request.should be_nil
+      host.certificate.should be_a(Puppet::SSL::Certificate)
+      host.state.should == 'signed'
+    end
+
+    it "should fail if there is no waiting certificate request" do
+      expect do
+        subject.sign(hostname, options)
+      end.to raise_error(ArgumentError, /Could not find certificate request for #{hostname}/)
+    end
+
+    describe "when ca_location is local" do
+      describe "when the request has dns alt names" do
+        before :each do
+          subject.generate(hostname, options.merge(:dns_alt_names => 'some,alt,names'))
+        end
+
+        it "should refuse to sign the request if allow_dns_alt_names is not set" do
+          expect do
+            subject.sign(hostname, options)
+          end.to raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError,
+                             /CSR '#{hostname}' contains subject alternative names \(.*?\), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{hostname}` to sign this request./i)
+
+          host.state.should == 'requested'
+        end
+
+        it "should sign the request if allow_dns_alt_names is set" do
+          expect do
+            subject.sign(hostname, options.merge(:allow_dns_alt_names => true))
+          end.not_to raise_error
+
+          host.state.should == 'signed'
+        end
+      end
+
+      describe "when the request has no dns alt names" do
+        before :each do
+          subject.generate(hostname, options)
+        end
+
+        it "should sign the request if allow_dns_alt_names is set" do
+          expect { subject.sign(hostname, options.merge(:allow_dns_alt_names => true)) }.not_to raise_error
+
+          host.state.should == 'signed'
+        end
+
+        it "should sign the request if allow_dns_alt_names is not set" do
+          expect { subject.sign(hostname, options) }.not_to raise_error
+
+          host.state.should == 'signed'
+        end
+      end
+    end
+
+    describe "when ca_location is remote" do
+      let(:options) { {:ca_location => :remote} }
+      it "should fail if allow-dns-alt-names is specified" do
+        expect do
+          subject.sign(hostname, options.merge(:allow_dns_alt_names => true))
+        end
+      end
+    end
+  end
 end

data/spec/unit/file_serving/fileset_spec.rb

@@ -26,7 +26,7 @@ describe Puppet::FileServing::Fileset, " when initializing" do
   end
 
   it "should not fail if the path is just the file separator" do
-    path = make_absolute(File::SEPARATOR)
+    path = File.expand_path(File::SEPARATOR)
     File.stubs(:lstat).with(path).returns stub('stat')
     fileset = Puppet::FileServing::Fileset.new(path)
     fileset.path.should == path

data/spec/unit/file_serving/indirection_hooks_spec.rb

@@ -13,7 +13,7 @@ describe Puppet::FileServing::IndirectionHooks do
 
   describe "when being used to select termini" do
     it "should return :file if the request key is fully qualified" do
-      @request.expects(:key).returns "#{File::SEPARATOR}foo"
+      @request.expects(:key).returns File.expand_path('/foo')
       @object.select_terminus(@request).should == :file
     end
 

data/spec/unit/file_serving/metadata_spec.rb

@@ -99,148 +99,192 @@ describe Puppet::FileServing::Metadata do
   end
 end
 
-describe Puppet::FileServing::Metadata, " when finding the file to use for setting attributes" do
-  before do
-    @path = "/my/path"
-    @metadata = Puppet::FileServing::Metadata.new(@path)
+describe Puppet::FileServing::Metadata do
+  include PuppetSpec::Files
+
+  shared_examples_for "metadata collector" do
+    let(:metadata) do
+      data = described_class.new(path)
+      data.collect
+      data
+    end
+
+    describe "when collecting attributes" do
+      describe "when managing files" do
+        let(:path) { tmpfile('file_serving_metadata') }
+
+        before :each do
+          FileUtils.touch(path)
+        end
+
+        it "should be able to produce xmlrpc-style attribute information" do
+          metadata.should respond_to(:attributes_with_tabs)
+        end
+
+        it "should set the owner to the file's current owner" do
+          metadata.owner.should == owner
+        end
+
+        it "should set the group to the file's current group" do
+          metadata.group.should == group
+        end
+
+        it "should set the mode to the file's masked mode" do
+          set_mode(33261, path)
+
+          metadata.mode.should == 0755
+        end
 
-    # Use a link because it's easier to test -- no checksumming
-    @stat = stub "stat", :uid => 10, :gid => 20, :mode => 0755, :ftype => "link"
+        describe "#checksum" do
+          let(:checksum) { Digest::MD5.hexdigest("some content\n") }
 
-    # Not quite.  We don't want to checksum links, but we must because they might be being followed.
-    @checksum = Digest::MD5.hexdigest("some content\n") # Remove these when :managed links are no longer checksumed.
-    @metadata.stubs(:md5_file).returns(@checksum)           #
-  end
+          before :each do
+            File.open(path, "w") {|f| f.print("some content\n")}
+          end
 
-  it "should accept a base path path to which the file should be relative" do
-    File.expects(:lstat).with(@path).returns @stat
-    File.expects(:readlink).with(@path).returns "/what/ever"
-    @metadata.collect
-  end
+          it "should default to a checksum of type MD5 with the file's current checksum" do
+            metadata.checksum.should == "{md5}#{checksum}"
+          end
 
-  it "should use the set base path if one is not provided" do
-    File.expects(:lstat).with(@path).returns @stat
-    File.expects(:readlink).with(@path).returns "/what/ever"
-    @metadata.collect
-  end
+          it "should give a mtime checksum when checksum_type is set" do
+            time = Time.now
+            metadata.checksum_type = "mtime"
+            metadata.expects(:mtime_file).returns(@time)
+            metadata.collect
+            metadata.checksum.should == "{mtime}#{@time}"
+          end
 
-  it "should raise an exception if the file does not exist" do
-    File.expects(:lstat).with(@path).raises(Errno::ENOENT)
-    proc { @metadata.collect}.should raise_error(Errno::ENOENT)
-  end
-end
+          it "should produce tab-separated mode, type, owner, group, and checksum for xmlrpc" do
+            set_mode(0755, path)
 
-describe Puppet::FileServing::Metadata, " when collecting attributes" do
-  before do
-    @path = "/my/file"
-    # Use a real file mode, so we can validate the masking is done.
-    @stat = stub 'stat', :uid => 10, :gid => 20, :mode => 33261, :ftype => "file"
-    File.stubs(:lstat).returns(@stat)
-    @checksum = Digest::MD5.hexdigest("some content\n")
-    @metadata = Puppet::FileServing::Metadata.new("/my/file")
-    @metadata.stubs(:md5_file).returns(@checksum)
-    @metadata.collect
-  end
+            metadata.attributes_with_tabs.should == "#{0755.to_s}\tfile\t#{owner}\t#{group}\t{md5}#{checksum}"
+          end
+        end
+      end
 
-  it "should be able to produce xmlrpc-style attribute information" do
-    @metadata.should respond_to(:attributes_with_tabs)
-  end
+      describe "when managing directories" do
+        let(:path) { tmpdir('file_serving_metadata_dir') }
+        let(:time) { Time.now }
 
-  # LAK:FIXME This should actually change at some point
-  it "should set the owner by id" do
-    @metadata.owner.should be_instance_of(Fixnum)
-  end
+        before :each do
+          metadata.expects(:ctime_file).returns(time)
+        end
 
-  # LAK:FIXME This should actually change at some point
-  it "should set the group by id" do
-    @metadata.group.should be_instance_of(Fixnum)
-  end
+        it "should only use checksums of type 'ctime' for directories" do
+          metadata.collect
+          metadata.checksum.should == "{ctime}#{time}"
+        end
 
-  it "should set the owner to the file's current owner" do
-    @metadata.owner.should == 10
-  end
+        it "should only use checksums of type 'ctime' for directories even if checksum_type set" do
+          metadata.checksum_type = "mtime"
+          metadata.expects(:mtime_file).never
+          metadata.collect
+          metadata.checksum.should == "{ctime}#{time}"
+        end
 
-  it "should set the group to the file's current group" do
-    @metadata.group.should == 20
-  end
+        it "should produce tab-separated mode, type, owner, group, and checksum for xmlrpc" do
+          set_mode(0755, path)
+          metadata.collect
 
-  it "should set the mode to the file's masked mode" do
-    @metadata.mode.should == 0755
-  end
+          metadata.attributes_with_tabs.should == "#{0755.to_s}\tdirectory\t#{owner}\t#{group}\t{ctime}#{time.to_s}"
+        end
+      end
 
-  it "should set the checksum to the file's current checksum" do
-    @metadata.checksum.should == "{md5}#{@checksum}"
-  end
+      describe "when managing links", :unless => Puppet.features.microsoft_windows? do
+        # 'path' is a link that points to 'target'
+        let(:path) { tmpfile('file_serving_metadata_link') }
+        let(:target) { tmpfile('file_serving_metadata_target') }
+        let(:checksum) { Digest::MD5.hexdigest("some content\n") }
+        let(:fmode) { File.lstat(path).mode & 0777 }
 
-  describe "when managing files" do
-    it "should default to a checksum of type MD5" do
-      @metadata.checksum.should == "{md5}#{@checksum}"
-    end
+        before :each do
+          File.open(target, "w") {|f| f.print("some content\n")}
+          set_mode(0644, target)
 
-    it "should give a mtime checksum when checksum_type is set" do
-      time = Time.now
-      @metadata.checksum_type = "mtime"
-      @metadata.expects(:mtime_file).returns(@time)
-      @metadata.collect
-      @metadata.checksum.should == "{mtime}#{@time}"
-    end
+          FileUtils.symlink(target, path)
+        end
 
-    it "should produce tab-separated mode, type, owner, group, and checksum for xmlrpc" do
-      @metadata.attributes_with_tabs.should == "#{0755.to_s}\tfile\t10\t20\t{md5}#{@checksum}"
-    end
-  end
+        it "should read links instead of returning their checksums" do
+          metadata.destination.should == target
+        end
 
-  describe "when managing directories" do
-    before do
-      @stat.stubs(:ftype).returns("directory")
-      @time = Time.now
-      @metadata.expects(:ctime_file).returns(@time)
-    end
+        pending "should produce tab-separated mode, type, owner, group, and destination for xmlrpc" do
+          # "We'd like this to be true, but we need to always collect the checksum because in the server/client/server round trip we lose the distintion between manage and follow."
+          metadata.attributes_with_tabs.should == "#{0755}\tlink\t#{owner}\t#{group}\t#{target}"
+        end
 
-    it "should only use checksums of type 'ctime' for directories" do
-      @metadata.collect
-      @metadata.checksum.should == "{ctime}#{@time}"
+        it "should produce tab-separated mode, type, owner, group, checksum, and destination for xmlrpc" do
+          metadata.attributes_with_tabs.should == "#{fmode}\tlink\t#{owner}\t#{group}\t{md5}eb9c2bf0eb63f3a7bc0ea37ef18aeba5\t#{target}"
+        end
+      end
     end
 
-    it "should only use checksums of type 'ctime' for directories even if checksum_type set" do
-      @metadata.checksum_type = "mtime"
-      @metadata.expects(:mtime_file).never
-      @metadata.collect
-      @metadata.checksum.should == "{ctime}#{@time}"
-    end
+    describe Puppet::FileServing::Metadata, " when finding the file to use for setting attributes" do
+      let(:path) { tmpfile('file_serving_metadata_find_file') }
+
+      before :each do
+        File.open(path, "w") {|f| f.print("some content\n")}
+        set_mode(0755, path)
+      end
+
+      it "should accept a base path to which the file should be relative" do
+        dir = tmpdir('metadata_dir')
+        metadata = described_class.new(dir)
+        metadata.relative_path = 'relative_path'
+
+        FileUtils.touch(metadata.full_path)
+
+        metadata.collect
+      end
+
+      it "should use the set base path if one is not provided" do
+        metadata.collect
+      end
 
-    it "should produce tab-separated mode, type, owner, group, and checksum for xmlrpc" do
-      @metadata.collect
-      @metadata.attributes_with_tabs.should == "#{0755.to_s}\tdirectory\t10\t20\t{ctime}#{@time.to_s}"
+      it "should raise an exception if the file does not exist" do
+        File.delete(path)
+
+        proc { metadata.collect}.should raise_error(Errno::ENOENT)
+      end
     end
   end
 
-  describe "when managing links" do
-    before do
-      @stat.stubs(:ftype).returns("link")
-      File.expects(:readlink).with("/my/file").returns("/path/to/link")
-      @metadata.collect
+  describe "on POSIX systems", :if => Puppet.features.posix? do
+    let(:owner) {10}
+    let(:group) {20}
 
-      @checksum = Digest::MD5.hexdigest("some content\n") # Remove these when :managed links are no longer checksumed.
-      @file.stubs(:md5_file).returns(@checksum)           #
+    before :each do
+      File::Stat.any_instance.stubs(:uid).returns owner
+      File::Stat.any_instance.stubs(:gid).returns group
     end
 
-    it "should read links instead of returning their checksums" do
-      @metadata.destination.should == "/path/to/link"
+    it_should_behave_like "metadata collector"
+
+    def set_mode(mode, path)
+      File.chmod(mode, path)
     end
+  end
+
+  describe "on Windows systems", :if => Puppet.features.microsoft_windows? do
+    let(:owner) {'S-1-1-50'}
+    let(:group) {'S-1-1-51'}
 
-    pending "should produce tab-separated mode, type, owner, group, and destination for xmlrpc" do
-      # "We'd like this to be true, but we need to always collect the checksum because in the server/client/server round trip we lose the distintion between manage and follow."
-      @metadata.attributes_with_tabs.should == "#{0755}\tlink\t10\t20\t/path/to/link"
+    before :each do
+      require 'puppet/util/windows/security'
+      Puppet::Util::Windows::Security.stubs(:get_owner).returns owner
+      Puppet::Util::Windows::Security.stubs(:get_group).returns group
     end
 
-    it "should produce tab-separated mode, type, owner, group, checksum, and destination for xmlrpc" do
-      @metadata.attributes_with_tabs.should == "#{0755}\tlink\t10\t20\t{md5}eb9c2bf0eb63f3a7bc0ea37ef18aeba5\t/path/to/link"
+    it_should_behave_like "metadata collector"
+
+    def set_mode(mode, path)
+      Puppet::Util::Windows::Security.set_mode(mode, path)
     end
   end
 end
 
-describe Puppet::FileServing::Metadata, " when pointing to a link" do
+
+describe Puppet::FileServing::Metadata, " when pointing to a link", :unless => Puppet.features.microsoft_windows? do
   describe "when links are managed" do
     before do
       @file = Puppet::FileServing::Metadata.new("/base/path/my/file", :links => :manage)