puppet 3.0.0.rc5 → 3.0.0.rc7

data/spec/unit/indirector/certificate_revocation_list/disabled_ca_spec.rb

@@ -0,0 +1,33 @@
+#! /usr/bin/env ruby -S rspec
+require 'spec_helper'
+require 'puppet/indirector/certificate_revocation_list/disabled_ca'
+
+describe Puppet::SSL::CertificateRevocationList::DisabledCa do
+  def request(type, remote)
+    r = Puppet::Indirector::Request.new(:certificate_revocation_list, type, "foo.com", nil)
+    if remote
+      r.ip   = '10.0.0.1'
+      r.node = 'agent.example.com'
+    end
+    r
+  end
+
+  context "when not a CA" do
+    before :each do
+      Puppet[:ca] = false
+      Puppet::SSL::Host.ca_location = :none
+    end
+
+    [:find, :head, :search, :save, :destroy].each do |name|
+      it "should fail remote #{name} requests" do
+        expect { subject.send(name, request(name, true)) }.
+          to raise_error Puppet::Error, /is not a CA/
+      end
+
+      it "should forward local #{name} requests" do
+        Puppet::SSL::CertificateRevocationList.indirection.terminus(:file).expects(name)
+        subject.send(name, request(name, false))
+      end
+    end
+  end
+end

data/spec/unit/indirector/facts/active_record_spec.rb

@@ -9,7 +9,15 @@ describe "Puppet::Node::Facts::ActiveRecord", :if => Puppet.features.rails? do
     require 'puppet/indirector/facts/active_record'
     Puppet.features.stubs(:rails?).returns true
     Puppet::Rails.stubs(:init)
-    @terminus = Puppet::Node::Facts::ActiveRecord.new
+  end
+
+  let :terminus do
+    Puppet::Node::Facts::ActiveRecord.new
+  end
+
+  it "should issue a deprecation warning" do
+    Puppet.expects(:deprecation_warning).with() { |msg| msg =~ /ActiveRecord-based storeconfigs and inventory are deprecated/ }
+    terminus
   end
 
   it "should be a subclass of the ActiveRecord terminus class" do
@@ -21,24 +29,23 @@ describe "Puppet::Node::Facts::ActiveRecord", :if => Puppet.features.rails? do
   end
 
   describe "when finding an instance" do
-    before do
-      @request = stub 'request', :key => "foo"
+    let :request do
+      stub 'request', :key => "foo"
     end
 
     it "should use the Hosts ActiveRecord class to find the host" do
       Puppet::Rails::Host.expects(:find_by_name).with { |key, args| key == "foo" }
-      @terminus.find(@request)
+      terminus.find(request)
     end
 
     it "should include the fact names and values when finding the host" do
       Puppet::Rails::Host.expects(:find_by_name).with { |key, args| args[:include] == {:fact_values => :fact_name} }
-      @terminus.find(@request)
+      terminus.find(request)
     end
 
     it "should return nil if no host instance can be found" do
       Puppet::Rails::Host.expects(:find_by_name).returns nil
-
-      @terminus.find(@request).should be_nil
+      terminus.find(request).should be_nil
     end
 
     it "should convert the node's parameters into a Facts instance if a host instance is found" do
@@ -47,7 +54,7 @@ describe "Puppet::Node::Facts::ActiveRecord", :if => Puppet.features.rails? do
 
       Puppet::Rails::Host.expects(:find_by_name).returns host
 
-      result = @terminus.find(@request)
+      result = terminus.find(request)
 
       result.should be_instance_of(Puppet::Node::Facts)
       result.name.should == "foo"
@@ -60,43 +67,47 @@ describe "Puppet::Node::Facts::ActiveRecord", :if => Puppet.features.rails? do
 
       Puppet::Rails::Host.expects(:find_by_name).returns host
 
-      @terminus.find(@request).values["one"].should == "two"
+      terminus.find(request).values["one"].should == "two"
     end
   end
 
   describe "when saving an instance" do
+    let :facts do
+      Puppet::Node::Facts.new("foo", "one" => "two", "three" => "four")
+    end
+
+    let :request do
+      stub 'request', :key => "foo", :instance => facts
+    end
+
+    let :host do
+      stub 'host', :name => "foo", :save => nil, :merge_facts => nil
+    end
+
     before do
-      @host = stub 'host', :name => "foo", :save => nil, :merge_facts => nil
-      Puppet::Rails::Host.stubs(:find_by_name).returns @host
-      @facts = Puppet::Node::Facts.new("foo", "one" => "two", "three" => "four")
-      @request = stub 'request', :key => "foo", :instance => @facts
+      Puppet::Rails::Host.stubs(:find_by_name).returns host
     end
 
     it "should find the Rails host with the same name" do
-      Puppet::Rails::Host.expects(:find_by_name).with("foo").returns @host
-
-      @terminus.save(@request)
+      Puppet::Rails::Host.expects(:find_by_name).with("foo").returns host
+      terminus.save(request)
     end
 
     it "should create a new Rails host if none can be found" do
       Puppet::Rails::Host.expects(:find_by_name).with("foo").returns nil
-
-      Puppet::Rails::Host.expects(:create).with(:name => "foo").returns @host
-
-      @terminus.save(@request)
+      Puppet::Rails::Host.expects(:create).with(:name => "foo").returns host
+      terminus.save(request)
     end
 
     it "should set the facts as facts on the Rails host instance" do
       # There is other stuff added to the hash.
-      @host.expects(:merge_facts).with { |args| args["one"] == "two" and args["three"] == "four" }
-
-      @terminus.save(@request)
+      host.expects(:merge_facts).with { |args| args["one"] == "two" and args["three"] == "four" }
+      terminus.save(request)
     end
 
     it "should save the Rails host instance" do
-      @host.expects(:save)
-
-      @terminus.save(@request)
+      host.expects(:save)
+      terminus.save(request)
     end
   end
 end

data/spec/unit/indirector/facts/inventory_active_record_spec.rb

@@ -23,6 +23,11 @@ describe "Puppet::Node::Facts::InventoryActiveRecord", :if => can_use_scratch_da
     setup_scratch_database
   end
 
+  it "should issue a deprecation warning" do
+    Puppet.expects(:deprecation_warning).with() { |msg| msg =~ /ActiveRecord-based storeconfigs and inventory are deprecated/ }
+    terminus
+  end
+
   describe "#save" do
     let(:node) {
       Puppet::Rails::InventoryNode.new(:name => "foo", :timestamp => Time.now)

data/spec/unit/indirector/hiera_spec.rb

@@ -1,5 +1,6 @@
 require 'spec_helper'
 require 'puppet/indirector/hiera'
+require 'hiera/backend'
 
 describe Puppet::Indirector::Hiera do
   include PuppetSpec::Files
@@ -65,7 +66,7 @@ describe Puppet::Indirector::Hiera do
   let(:datadir) { my_fixture_dir }
 
   it "should be the default data_binding terminus" do
-    Puppet.settings[:data_binding_terminus].should == 'hiera'
+    Puppet.settings[:data_binding_terminus].should == :hiera
   end
 
   it "should raise an error if we don't have the hiera feature" do

data/spec/unit/indirector/key/disabled_ca_spec.rb

@@ -0,0 +1,33 @@
+#! /usr/bin/env ruby -S rspec
+require 'spec_helper'
+require 'puppet/indirector/key/disabled_ca'
+
+describe Puppet::SSL::Key::DisabledCa do
+  def request(type, remote)
+    r = Puppet::Indirector::Request.new(:key, type, "foo.com", nil)
+    if remote
+      r.ip   = '10.0.0.1'
+      r.node = 'agent.example.com'
+    end
+    r
+  end
+
+  context "when not a CA" do
+    before :each do
+      Puppet[:ca] = false
+      Puppet::SSL::Host.ca_location = :none
+    end
+
+    [:find, :head, :search, :save, :destroy].each do |name|
+      it "should fail remote #{name} requests" do
+        expect { subject.send(name, request(name, true)) }.
+          to raise_error Puppet::Error, /is not a CA/
+      end
+
+      it "should forward local #{name} requests" do
+        Puppet::SSL::Key.indirection.terminus(:file).expects(name)
+        subject.send(name, request(name, false))
+      end
+    end
+  end
+end

data/spec/unit/indirector/node/active_record_spec.rb

@@ -17,6 +17,13 @@ describe "Puppet::Node::ActiveRecord", :if => Puppet.features.rails? && Puppet.f
     require 'puppet/indirector/node/active_record'
   end
 
+  it "should issue a deprecation warning" do
+    Puppet.expects(:deprecation_warning).with() { |msg| msg =~ /ActiveRecord-based storeconfigs and inventory are deprecated/ }
+    Puppet[:statedir] = tmpdir('active_record_tmp')
+    Puppet[:railslog] = '$statedir/rails.log'
+    node_indirection
+  end
+
   it "should be a subclass of the ActiveRecord terminus class" do
     Puppet::Node::ActiveRecord.ancestors.should be_include(Puppet::Indirector::ActiveRecord)
   end

data/spec/unit/indirector/request_spec.rb

@@ -510,4 +510,26 @@ describe Puppet::Indirector::Request do
       end
     end
   end
+
+  describe "#remote?" do
+    def request(options = {})
+      Puppet::Indirector::Request.new('node', 'find', 'localhost', nil, options)
+    end
+
+    it "should not be unless node or ip is set" do
+      request.should_not be_remote
+    end
+
+    it "should be remote if node is set" do
+      request(:node => 'example.com').should be_remote
+    end
+
+    it "should be remote if ip is set" do
+      request(:ip => '127.0.0.1').should be_remote
+    end
+
+    it "should be remote if node and ip are set" do
+      request(:node => 'example.com', :ip => '127.0.0.1').should be_remote
+    end
+  end
 end

data/spec/unit/indirector/resource/active_record_spec.rb

@@ -27,6 +27,11 @@ describe "Puppet::Resource::ActiveRecord", :if => can_use_scratch_database? do
     ActiveRecord::Base.should be_connected
   end
 
+  it "should issue a deprecation warning" do
+    Puppet.expects(:deprecation_warning).with() { |msg| msg =~ /ActiveRecord-based storeconfigs and inventory are deprecated/ }
+    Puppet::Resource::ActiveRecord.new
+  end
+
   describe "#search" do
     before :each do Puppet::Rails.init end
 

data/spec/unit/module_tool/application_spec.rb

@@ -20,7 +20,7 @@ describe Puppet::ModuleTool::Applications::Application do
 
     bad_versions.each do |ver|
       it "should not accept version string #{ver}" do
-        expect { app.parse_filename("puppetlabs-ntp-#{ver}") }.should raise_error
+        expect { app.parse_filename("puppetlabs-ntp-#{ver}") }.to raise_error
       end
     end
   end

data/spec/unit/network/authentication_spec.rb

@@ -0,0 +1,86 @@
+#! /usr/bin/env ruby -S rspec
+require 'spec_helper'
+load 'puppet/network/authentication.rb'
+
+class AuthenticationTest
+  include Puppet::Network::Authentication
+end
+
+describe Puppet::Network::Authentication do
+  subject     { AuthenticationTest.new }
+  let(:now)   { Time.now }
+  let(:cert)  { Puppet::SSL::Certificate.new('cert') }
+  let(:host)  { stub 'host', :certificate => cert }
+
+  # this is necessary since the logger is a class variable, and it needs to be stubbed
+  def reload_module
+    load 'puppet/network/authentication.rb'
+  end
+
+  describe "when warning about upcoming expirations" do
+    before do
+      Puppet::SSL::CertificateAuthority.stubs(:ca?).returns(false)
+      FileTest.stubs(:exist?).returns(false)
+    end
+
+    it "should check the expiration of the CA certificate" do
+      ca = stub 'ca', :host => host
+      Puppet::SSL::CertificateAuthority.stubs(:ca?).returns(true)
+      Puppet::SSL::CertificateAuthority.stubs(:instance).returns(ca)
+      cert.expects(:near_expiration?).returns(false)
+      subject.warn_if_near_expiration
+    end
+
+    it "should check the expiration of the localhost certificate" do
+      Puppet::SSL::Host.stubs(:localhost).returns(host)
+      cert.expects(:near_expiration?).returns(false)
+      FileTest.stubs(:exist?).with(Puppet[:hostcert]).returns(true)
+      subject.warn_if_near_expiration
+    end
+
+    it "should check the expiration of any certificates passed in as arguments" do
+      cert.expects(:near_expiration?).twice.returns(false)
+      subject.warn_if_near_expiration(cert, cert)
+    end
+
+    it "should accept instances of OpenSSL::X509::Certificate" do
+      raw_cert = stub 'cert'
+      raw_cert.stubs(:is_a?).with(OpenSSL::X509::Certificate).returns(true)
+      Puppet::SSL::Certificate.stubs(:from_instance).with(raw_cert).returns(cert)
+      cert.expects(:near_expiration?).returns(false)
+      subject.warn_if_near_expiration(raw_cert)
+    end
+
+    it "should use a rate-limited logger for expiration warnings that uses `runinterval` as its interval" do
+      Puppet::Util::Log::RateLimitedLogger.expects(:new).with(Puppet[:runinterval])
+      reload_module
+    end
+
+    context "in the logs" do
+      let(:logger) { stub 'logger' }
+
+      before do
+        Puppet::Util::Log::RateLimitedLogger.stubs(:new).returns(logger)
+        reload_module
+        cert.stubs(:near_expiration?).returns(true)
+        cert.stubs(:expiration).returns(now)
+        cert.stubs(:unmunged_name).returns('foo')
+      end
+
+      it "should log a warning if a certificate's expiration is near" do
+        logger.expects(:warning)
+        subject.warn_if_near_expiration(cert)
+      end
+
+      it "should use the certificate's unmunged name in the message" do
+        logger.expects(:warning).with { |message| message.include? 'foo' }
+        subject.warn_if_near_expiration(cert)
+      end
+
+      it "should show certificate's expiration date in the message using ISO 8601 format" do
+        logger.expects(:warning).with { |message| message.include? now.strftime('%Y-%m-%dT%H:%M:%S%Z') }
+        subject.warn_if_near_expiration(cert)
+      end
+    end
+  end
+end

data/spec/unit/network/http/connection_spec.rb

@@ -1,6 +1,7 @@
 #! /usr/bin/env ruby -S rspec
 require 'spec_helper'
 require 'puppet/network/http/connection'
+require 'puppet/network/authentication'
 
 describe Puppet::Network::HTTP::Connection do
 
@@ -189,6 +190,7 @@ describe Puppet::Network::HTTP::Connection do
 
     def a_connection_that_verifies(args)
       connection = Net::HTTP.new(host, port)
+      connection.stubs(:warn_if_near_expiration)
       connection.stubs(:get).with do
         connection.verify_callback.call(args[:has_passed_pre_checks], args[:in_context])
         true
@@ -240,5 +242,24 @@ describe Puppet::Network::HTTP::Connection do
         subject.request(:get, stub('request'))
       end.to raise_error(/some other message/)
     end
+
+    it "should check all peer certificates for upcoming expiration", :unless => Puppet.features.microsoft_windows? do
+      connection = Net::HTTP.new('my_server', 8140)
+      subject.stubs(:create_connection).returns(connection)
+
+      cert = stubs 'cert'
+      Puppet::SSL::Certificate.expects(:from_instance).twice.returns(cert)
+
+      connection.stubs(:get).with do
+        context = a_store_context(:for_server => 'a_server', :with_error_string => false)
+        connection.verify_callback.call(true, context)
+        connection.verify_callback.call(true, context)
+        true
+      end
+
+      subject.expects(:warn_if_near_expiration).with(cert, cert)
+
+      subject.request(:get, stubs('request'))
+    end
   end
 end

data/spec/unit/network/http/handler_spec.rb

@@ -2,6 +2,7 @@
 require 'spec_helper'
 require 'puppet/network/http/handler'
 require 'puppet/network/authorization'
+require 'puppet/network/authentication'
 
 class HttpHandled
   include Puppet::Network::HTTP::Handler
@@ -51,6 +52,7 @@ describe Puppet::Network::HTTP::Handler do
       @result = stub 'result', :render => "mytext"
 
       @handler.stubs(:check_authorization)
+      @handler.stubs(:warn_if_near_expiration)
 
       stub_server_interface
     end
@@ -66,6 +68,16 @@ describe Puppet::Network::HTTP::Handler do
       @handler.stubs(:http_method        ).returns("GET")
       @handler.stubs(:params             ).returns({})
       @handler.stubs(:content_type       ).returns("text/plain")
+      @handler.stubs(:client_cert        ).returns(nil)
+    end
+
+    it "should check the client certificate for upcoming expiration" do
+      cert = mock 'cert'
+      @handler.stubs(:uri2indirection).returns(["facts", :mymethod, "key", {:node => "name"}])
+      @handler.expects(:client_cert).returns(cert).with(@request)
+      @handler.expects(:warn_if_near_expiration).with(cert)
+
+      @handler.process(@request, @response)
     end
 
     it "should create an indirection request from the path, parameters, and http method" do

data/spec/unit/network/http/rack/rest_spec.rb

@@ -57,6 +57,13 @@ describe "Puppet::Network::HTTP::RackREST", :if => Puppet.features.rack? do
         @handler.body(req).should == "mybody"
       end
 
+      it "should return the an OpenSSL::X509::Certificate instance as the client_cert" do
+        cert = stub 'cert'
+        req = mk_req('/foo/bar', 'SSL_CLIENT_CERT' => 'certificate in pem format')
+        OpenSSL::X509::Certificate.expects(:new).with('certificate in pem format').returns(cert)
+        @handler.client_cert(req).should == cert
+      end
+
       it "should set the response's content-type header when setting the content type" do
         @header = mock 'header'
         @response.expects(:header).returns @header