puppet 3.0.0.rc5 → 3.0.0.rc7

data/spec/unit/ssl/certificate_request_spec.rb

@@ -5,143 +5,110 @@ require 'puppet/ssl/certificate_request'
 require 'puppet/ssl/key'
 
 describe Puppet::SSL::CertificateRequest do
-  before do
-    @class = Puppet::SSL::CertificateRequest
-  end
+  let(:request) { described_class.new("myname") }
+  let(:key) {
+    k = Puppet::SSL::Key.new("myname")
+    k.generate
+    k
+  }
+
 
   it "should be extended with the Indirector module" do
-    @class.singleton_class.should be_include(Puppet::Indirector)
+    described_class.singleton_class.should be_include(Puppet::Indirector)
   end
 
   it "should indirect certificate_request" do
-    @class.indirection.name.should == :certificate_request
+    described_class.indirection.name.should == :certificate_request
   end
 
   it "should use any provided name as its name" do
-    @class.new("myname").name.should == "myname"
+    described_class.new("myname").name.should == "myname"
   end
 
   it "should only support the text format" do
-    @class.supported_formats.should == [:s]
+    described_class.supported_formats.should == [:s]
   end
 
   describe "when converting from a string" do
     it "should create a CSR instance with its name set to the CSR subject and its content set to the extracted CSR" do
-      csr = stub 'csr', :subject => "/CN=Foo.madstop.com"
+      csr = stub 'csr', :subject => "/CN=Foo.madstop.com", :is_a? => true
       OpenSSL::X509::Request.expects(:new).with("my csr").returns(csr)
 
       mycsr = stub 'sslcsr'
       mycsr.expects(:content=).with(csr)
 
-      @class.expects(:new).with("foo.madstop.com").returns mycsr
+      described_class.expects(:new).with("Foo.madstop.com").returns mycsr
 
-      @class.from_s("my csr")
+      described_class.from_s("my csr")
     end
   end
 
   describe "when managing instances" do
-    before do
-      @request = @class.new("myname")
-    end
-
     it "should have a name attribute" do
-      @request.name.should == "myname"
+      request.name.should == "myname"
     end
 
     it "should downcase its name" do
-      @class.new("MyName").name.should == "myname"
+      described_class.new("MyName").name.should == "myname"
     end
 
     it "should have a content attribute" do
-      @request.should respond_to(:content)
+      request.should respond_to(:content)
     end
 
     it "should be able to read requests from disk" do
       path = "/my/path"
       File.expects(:read).with(path).returns("my request")
-      request = mock 'request'
-      OpenSSL::X509::Request.expects(:new).with("my request").returns(request)
-      @request.read(path).should equal(request)
-      @request.content.should equal(request)
+      my_req = mock 'request'
+      OpenSSL::X509::Request.expects(:new).with("my request").returns(my_req)
+      request.read(path).should equal(my_req)
+      request.content.should equal(my_req)
     end
 
     it "should return an empty string when converted to a string with no request" do
-      @request.to_s.should == ""
+      request.to_s.should == ""
     end
 
     it "should convert the request to pem format when converted to a string" do
-      request = mock 'request', :to_pem => "pem"
-      @request.content = request
-      @request.to_s.should == "pem"
+      request.generate(key)
+      request.to_s.should == request.content.to_pem
     end
 
     it "should have a :to_text method that it delegates to the actual key" do
       real_request = mock 'request'
       real_request.expects(:to_text).returns "requesttext"
-      @request.content = real_request
-      @request.to_text.should == "requesttext"
+      request.content = real_request
+      request.to_text.should == "requesttext"
     end
   end
 
   describe "when generating" do
-    before do
-      @instance = @class.new("myname")
-
-      key = Puppet::SSL::Key.new("myname")
-      @key = key.generate
-
-      @request = OpenSSL::X509::Request.new
-      OpenSSL::X509::Request.expects(:new).returns(@request)
-
-      @request.stubs(:verify).returns(true)
-    end
-
     it "should use the content of the provided key if the key is a Puppet::SSL::Key instance" do
-      key = Puppet::SSL::Key.new("test")
-      key.expects(:content).returns @key
-
-      @request.expects(:sign).with{ |key, digest| key == @key }
-      @instance.generate(key)
-    end
-
-    it "should log that it is creating a new certificate request" do
-      Puppet.expects(:info).twice
-      @instance.generate(@key)
+      request.generate(key)
+      request.content.verify(key.content.public_key).should be_true
     end
 
     it "should set the subject to [CN, name]" do
-      subject = mock 'subject'
-      OpenSSL::X509::Name.expects(:new).with([["CN", @instance.name]]).returns(subject)
-      @request.expects(:subject=).with(subject)
-      @instance.generate(@key)
-    end
-
-    it "should set the CN to the CSR name when the CSR is not for a CA" do
-      subject = mock 'subject'
-      OpenSSL::X509::Name.expects(:new).with { |subject| subject[0][1] == @instance.name }.returns(subject)
-      @request.expects(:subject=).with(subject)
-      @instance.generate(@key)
+      request.generate(key)
+      # OpenSSL::X509::Name only implements equality as `eql?`
+      request.content.subject.should eql OpenSSL::X509::Name.new([['CN', key.name]])
     end
 
     it "should set the CN to the :ca_name setting when the CSR is for a CA" do
-      subject = mock 'subject'
       Puppet[:ca_name] = "mycertname"
-      OpenSSL::X509::Name.expects(:new).with { |subject| subject[0][1] == "mycertname" }.returns(subject)
-      @request.expects(:subject=).with(subject)
-      Puppet::SSL::CertificateRequest.new(Puppet::SSL::CA_NAME).generate(@key)
+      request = described_class.new(Puppet::SSL::CA_NAME).generate(key)
+      request.subject.should eql OpenSSL::X509::Name.new([['CN', Puppet[:ca_name]]])
     end
 
     it "should set the version to 0" do
-      @request.expects(:version=).with(0)
-      @instance.generate(@key)
+      request.generate(key)
+      request.content.version.should == 0
     end
 
     it "should set the public key to the provided key's public key" do
-      # Yay, the private key extracts a new key each time.
-      pubkey = @key.public_key
-      @key.stubs(:public_key).returns pubkey
-      @request.expects(:public_key=).with(@key.public_key)
-      @instance.generate(@key)
+      request.generate(key)
+      # The openssl bindings do not define equality on keys so we use to_s
+      request.content.public_key.to_s.should == key.content.public_key.to_s
     end
 
     context "without subjectAltName / dns_alt_names" do
@@ -151,14 +118,15 @@ describe Puppet::SSL::CertificateRequest do
 
       ["extreq", "msExtReq"].each do |name|
         it "should not add any #{name} attribute" do
-          @request.expects(:add_attribute).never
-          @request.expects(:attributes=).never
-          @instance.generate(@key)
+          request.generate(key)
+          request.content.attributes.find do |attr|
+            attr.oid == name
+          end.should_not be
         end
 
         it "should return no subjectAltNames" do
-          @instance.generate(@key)
-          @instance.subject_alt_names.should be_empty
+          request.generate(key)
+          request.subject_alt_names.should be_empty
         end
       end
     end
@@ -170,14 +138,15 @@ describe Puppet::SSL::CertificateRequest do
 
       ["extreq", "msExtReq"].each do |name|
         it "should not add any #{name} attribute" do
-          @request.expects(:add_attribute).never
-          @request.expects(:attributes=).never
-          @instance.generate(@key)
+          request.generate(key)
+          request.content.attributes.find do |attr|
+            attr.oid == name
+          end.should_not be
         end
 
         it "should return no subjectAltNames" do
-          @instance.generate(@key)
-          @instance.subject_alt_names.should be_empty
+          request.generate(key)
+          request.subject_alt_names.should be_empty
         end
       end
     end
@@ -188,61 +157,59 @@ describe Puppet::SSL::CertificateRequest do
       end
 
       it "should add an extreq attribute" do
-        @request.expects(:add_attribute).with do |arg|
-          arg.value.value.all? do |x|
-            x.value.all? do |y|
-              y.value[0].value == "subjectAltName"
-            end
-          end
+        request.generate(key, :dns_alt_names => 'one, two')
+        extReq = request.content.attributes.find do |attr|
+          attr.oid == 'extReq'
         end
 
-        @instance.generate(@key, :dns_alt_names => 'one, two')
+        extReq.should be
+        extReq.value.value.all? do |x|
+          x.value.all? do |y|
+            y.value[0].value.should == "subjectAltName"
+          end
+        end
       end
 
       it "should return the subjectAltName values" do
-        @instance.generate(@key, :dns_alt_names => 'one,two')
-        @instance.subject_alt_names.should =~ ["DNS:myname", "DNS:one", "DNS:two"]
+        request.generate(key, :dns_alt_names => 'one,two')
+        request.subject_alt_names.should =~ ["DNS:myname", "DNS:one", "DNS:two"]
       end
     end
 
-    it "should sign the csr with the provided key and a digest" do
-      digest = mock 'digest'
-      OpenSSL::Digest::SHA256.expects(:new).returns(digest)
-      @request.expects(:sign).with(@key, digest)
-      @instance.generate(@key)
+    it "should sign the csr with the provided key" do
+      request.generate(key)
+      request.content.verify(key.content.public_key).should be_true
     end
 
     it "should verify the generated request using the public key" do
       # Stupid keys don't have a competent == method.
-      @request.expects(:verify).with { |public_key| public_key.to_s == @key.public_key.to_s }.returns true
-      @instance.generate(@key)
+      OpenSSL::X509::Request.any_instance.expects(:verify).with { |public_key|
+        public_key.to_s == key.content.public_key.to_s
+      }.returns true
+      request.generate(key)
     end
 
     it "should fail if verification fails" do
-      @request.expects(:verify).returns false
-
-      lambda { @instance.generate(@key) }.should raise_error(Puppet::Error)
-    end
+      OpenSSL::X509::Request.any_instance.expects(:verify).with { |public_key|
+        public_key.to_s == key.content.public_key.to_s
+      }.returns false
 
-    it "should fingerprint the request" do
-      @instance.expects(:fingerprint)
-      @instance.generate(@key)
+      expect {
+        request.generate(key)
+      }.to raise_error(Puppet::Error, /CSR sign verification failed/)
     end
 
-    it "should display the fingerprint" do
+    it "should log the fingerprint" do
+      Puppet::SSL::Digest.any_instance.stubs(:to_hex).returns("FINGERPRINT")
       Puppet.stubs(:info)
-      @instance.stubs(:fingerprint).returns("FINGERPRINT")
       Puppet.expects(:info).with { |s| s =~ /FINGERPRINT/ }
-      @instance.generate(@key)
+      request.generate(key)
     end
 
     it "should return the generated request" do
-      @instance.generate(@key).should equal(@request)
-    end
-
-    it "should set its content to the generated request" do
-      @instance.generate(@key)
-      @instance.content.should equal(@request)
+      generated = request.generate(key)
+      generated.should be_a(OpenSSL::X509::Request)
+      generated.should be(request.content)
     end
   end
 

data/spec/unit/ssl/certificate_revocation_list_spec.rb

@@ -17,7 +17,7 @@ describe Puppet::SSL::CertificateRevocationList do
 
   describe "when converting from a string" do
     it "should create a CRL instance with its name set to 'foo' and its content set to the extracted CRL" do
-      crl = stub 'crl'
+      crl = stub 'crl', :is_a? => true
       OpenSSL::X509::CRL.expects(:new).returns(crl)
 
       mycrl = stub 'sslcrl'

data/spec/unit/ssl/certificate_spec.rb

@@ -26,13 +26,13 @@ describe Puppet::SSL::Certificate do
 
   describe "when converting from a string" do
     it "should create a certificate instance with its name set to the certificate subject and its content set to the extracted certificate" do
-      cert = stub 'certificate', :subject => "/CN=Foo.madstop.com"
+      cert = stub 'certificate', :subject => "/CN=Foo.madstop.com", :is_a? => true
       OpenSSL::X509::Certificate.expects(:new).with("my certificate").returns(cert)
 
       mycert = stub 'sslcert'
       mycert.expects(:content=).with(cert)
 
-      @class.expects(:new).with("foo.madstop.com").returns mycert
+      @class.expects(:new).with("Foo.madstop.com").returns mycert
 
       @class.from_s("my certificate")
     end
@@ -151,4 +151,28 @@ describe Puppet::SSL::Certificate do
       @certificate.to_text.should == "certificatetext"
     end
   end
+
+  describe "when checking if the certificate's expiration is approaching" do
+    before do
+      @days = 24*60*60
+      @certificate = @class.new("myname")
+      @certificate.stubs(:expiration).returns(Time.now.utc() + 30*@days)
+    end
+
+    it "should be true if the expiration is within the given interval from now" do
+      @certificate.near_expiration?(31*@days).should be_true
+    end
+
+    it "should be false if there is no expiration" do
+      @certificate.stubs(:expiration).returns(nil)
+      @certificate.near_expiration?.should be_false
+    end
+
+    it "should default to using the `certificate_expire_warning` setting as the interval" do
+      Puppet[:certificate_expire_warning] = 31*@days
+      @certificate.near_expiration?.should be_true
+      Puppet[:certificate_expire_warning] = 29*@days
+      @certificate.near_expiration?.should be_false
+    end
+  end
 end

data/spec/unit/ssl/digest_spec.rb

@@ -0,0 +1,35 @@
+#! /usr/bin/env ruby -S rspec
+require 'spec_helper'
+
+require 'puppet/ssl/digest'
+
+describe Puppet::SSL::Digest do
+  it "defaults to sha256" do
+    digest = described_class.new(nil, 'blah')
+    digest.name.should == 'SHA256'
+    digest.digest.hexdigest.should == "8b7df143d91c716ecfa5fc1730022f6b421b05cedee8fd52b1fc65a96030ad52"
+  end
+
+  describe '#name' do
+    it "prints the hashing algorithm used by the openssl digest" do
+      described_class.new('SHA224', 'blah').name.should == 'SHA224'
+    end
+
+    it "upcases the hashing algorithm" do
+      described_class.new('sha224', 'blah').name.should == 'SHA224'
+    end
+  end
+
+  describe '#to_hex' do
+    it "returns ':' separated upper case hex pairs" do
+      described_class.new(nil, 'blah').to_hex =~ /\A([A-Z0-9]:)+[A-Z0-9]\Z/
+    end
+  end
+
+  describe '#to_s' do
+    it "formats the digest algorithm and the digest as a string" do
+      digest = described_class.new('sha512', 'some content')
+      digest.to_s.should == "(#{digest.name}) #{digest.to_hex}"
+    end
+  end
+end

data/spec/unit/ssl/host_spec.rb

@@ -3,6 +3,12 @@ require 'spec_helper'
 
 require 'puppet/ssl/host'
 
+def base_pson_comparison(result, pson_hash)
+  result["fingerprint"].should == pson_hash["fingerprint"]
+  result["name"].should        == pson_hash["name"]
+  result["state"].should       == pson_hash["desired_state"]
+end
+
 describe Puppet::SSL::Host do
   include PuppetSpec::Files
 
@@ -322,10 +328,10 @@ describe Puppet::SSL::Host do
       end
 
       it "should set the terminus class for Key, Certificate, CertificateRevocationList, and CertificateRequest as :file" do
-        Puppet::SSL::Key.indirection.terminus_class.should == :file
-        Puppet::SSL::Certificate.indirection.terminus_class.should == :file
-        Puppet::SSL::CertificateRequest.indirection.terminus_class.should == :file
-        Puppet::SSL::CertificateRevocationList.indirection.terminus_class.should == :file
+        Puppet::SSL::Key.indirection.terminus_class.should == :disabled_ca
+        Puppet::SSL::Certificate.indirection.terminus_class.should == :disabled_ca
+        Puppet::SSL::CertificateRequest.indirection.terminus_class.should == :disabled_ca
+        Puppet::SSL::CertificateRevocationList.indirection.terminus_class.should == :disabled_ca
       end
 
       it "should set the terminus class for Host to 'none'" do
@@ -792,23 +798,71 @@ describe Puppet::SSL::Host do
     end
 
     describe "when converting to PSON" do
+      let(:host) do
+        Puppet::SSL::Host.new("bazinga")
+      end
+      
+      let(:pson_hash) do
+        {
+          "fingerprint"   => host.certificate_request.fingerprint,
+          "desired_state" => 'requested',
+          "name"          => host.name
+        }
+      end
+      
       it "should be able to identify a host with an unsigned certificate request" do
-        host = Puppet::SSL::Host.new("bazinga")
         host.generate_certificate_request
-        pson_hash = {
-          "fingerprint"          => host.certificate_request.fingerprint,
-          "desired_state"        => 'requested',
-          "name"                 => host.name
-        }
 
         result = PSON.parse(Puppet::SSL::Host.new(host.name).to_pson)
-        result["fingerprint"].should == pson_hash["fingerprint"]
-        result["name"].should        == pson_hash["name"]
-        result["state"].should       == pson_hash["desired_state"]
-      end
+        
+        base_pson_comparison result, pson_hash
+      end
+      
+      describe "explicit fingerprints" do
+        [:SHA1, :SHA256, :SHA512].each do |md|
+          it "should include #{md}" do
+            mds = md.to_s
+            host.generate_certificate_request
+            pson_hash["fingerprints"] = {}
+            pson_hash["fingerprints"][mds] = host.certificate_request.fingerprint(md)
+
+            result = PSON.parse(Puppet::SSL::Host.new(host.name).to_pson)
+            base_pson_comparison result, pson_hash
+            result["fingerprints"][mds].should == pson_hash["fingerprints"][mds]
+          end
+        end
+      end
+      
+      describe "dns_alt_names" do
+        describe "when not specified" do
+          it "should include the dns_alt_names associated with the certificate" do
+            host.generate_certificate_request
+            pson_hash["desired_alt_names"] = host.certificate_request.subject_alt_names
+
+            result = PSON.parse(Puppet::SSL::Host.new(host.name).to_pson)
+            base_pson_comparison result, pson_hash
+            result["dns_alt_names"].should == pson_hash["desired_alt_names"]
+          end
+        end
+
+        [ "", 
+          "test, alt, names"
+        ].each do |alt_names|
+          describe "when #{alt_names}" do
+            it "should include the dns_alt_names associated with the certificate" do
+              host.generate_certificate_request :dns_alt_names => alt_names
+              pson_hash["desired_alt_names"] = host.certificate_request.subject_alt_names
+
+              result = PSON.parse(Puppet::SSL::Host.new(host.name).to_pson)
+              base_pson_comparison result, pson_hash
+              result["dns_alt_names"].should == pson_hash["desired_alt_names"]
+            end
+          end
+        end
+      end
+      
 
       it "should be able to identify a host with a signed certificate" do
-        host = Puppet::SSL::Host.new("bazinga")
         host.generate_certificate_request
         @ca.sign(host.name)
         pson_hash = {
@@ -818,26 +872,18 @@ describe Puppet::SSL::Host do
         }
 
         result = PSON.parse(Puppet::SSL::Host.new(host.name).to_pson)
-        result["fingerprint"].should == pson_hash["fingerprint"]
-        result["name"].should        == pson_hash["name"]
-        result["state"].should       == pson_hash["desired_state"]
+        base_pson_comparison result, pson_hash
       end
 
       it "should be able to identify a host with a revoked certificate" do
-        host = Puppet::SSL::Host.new("bazinga")
         host.generate_certificate_request
         @ca.sign(host.name)
         @ca.revoke(host.name)
-        pson_hash = {
-          "fingerprint"          => Puppet::SSL::Certificate.indirection.find(host.name).fingerprint,
-          "desired_state"        => 'revoked',
-          "name"                 => host.name,
-        }
+        pson_hash["fingerprint"] = Puppet::SSL::Certificate.indirection.find(host.name).fingerprint
+        pson_hash["desired_state"] = 'revoked'
 
         result = PSON.parse(Puppet::SSL::Host.new(host.name).to_pson)
-        result["fingerprint"].should == pson_hash["fingerprint"]
-        result["name"].should        == pson_hash["name"]
-        result["state"].should       == pson_hash["desired_state"]
+        base_pson_comparison result, pson_hash
       end
     end