puppet 6.16.0-universal-darwin → 6.17.0-universal-darwin
- checksums.yaml +4 -4
- data/Gemfile +4 -2
- data/Gemfile.lock +10 -10
- data/README.md +2 -2
- data/lib/puppet/agent.rb +2 -2
- data/lib/puppet/application/agent.rb +14 -3
- data/lib/puppet/configurer.rb +20 -12
- data/lib/puppet/confine.rb +1 -1
- data/lib/puppet/defaults.rb +25 -8
- data/lib/puppet/file_serving/http_metadata.rb +13 -1
- data/lib/puppet/file_serving/metadata.rb +4 -1
- data/lib/puppet/file_serving/terminus_selector.rb +7 -8
- data/lib/puppet/file_system/file_impl.rb +1 -1
- data/lib/puppet/file_system/uniquefile.rb +8 -16
- data/lib/puppet/forge.rb +1 -1
- data/lib/puppet/forge/cache.rb +1 -1
- data/lib/puppet/forge/repository.rb +3 -7
- data/lib/puppet/http/client.rb +5 -0
- data/lib/puppet/http/redirector.rb +9 -7
- data/lib/puppet/http/response.rb +19 -0
- data/lib/puppet/indirector.rb +1 -1
- data/lib/puppet/indirector/file_content/rest.rb +1 -1
- data/lib/puppet/indirector/file_metadata/http.rb +24 -5
- data/lib/puppet/indirector/file_metadata/rest.rb +2 -2
- data/lib/puppet/indirector/request.rb +1 -1
- data/lib/puppet/network/http/api/indirected_routes.rb +1 -1
- data/lib/puppet/network/http/api/master/v3/environment.rb +3 -0
- data/lib/puppet/network/http/connection_adapter.rb +6 -4
- data/lib/puppet/parser/ast/leaf.rb +5 -5
- data/lib/puppet/parser/ast/pops_bridge.rb +0 -4
- data/lib/puppet/parser/compiler.rb +1 -1
- data/lib/puppet/parser/compiler/catalog_validator/env_relationship_validator.rb +2 -0
- data/lib/puppet/parser/compiler/catalog_validator/site_validator.rb +2 -0
- data/lib/puppet/parser/environment_compiler.rb +4 -1
- data/lib/puppet/parser/resource.rb +3 -2
- data/lib/puppet/parser/resource/param.rb +6 -0
- data/lib/puppet/pops/evaluator/evaluator_impl.rb +5 -5
- data/lib/puppet/pops/issues.rb +5 -0
- data/lib/puppet/pops/resource/resource_type_impl.rb +2 -0
- data/lib/puppet/pops/validation/checker4_0.rb +10 -0
- data/lib/puppet/pops/validation/validator_factory_4_0.rb +1 -0
- data/lib/puppet/provider/package/aptitude.rb +1 -1
- data/lib/puppet/provider/package/yum.rb +1 -1
- data/lib/puppet/provider/service/windows.rb +23 -7
- data/lib/puppet/provider/user/useradd.rb +11 -4
- data/lib/puppet/reports/http.rb +2 -0
- data/lib/puppet/resource.rb +2 -1
- data/lib/puppet/resource/type.rb +8 -0
- data/lib/puppet/ssl/ssl_context.rb +2 -2
- data/lib/puppet/ssl/ssl_provider.rb +20 -1
- data/lib/puppet/test/test_helper.rb +8 -10
- data/lib/puppet/trusted_external.rb +29 -1
- data/lib/puppet/type.rb +12 -5
- data/lib/puppet/type/file.rb +38 -13
- data/lib/puppet/type/file/checksum.rb +4 -4
- data/lib/puppet/type/file/source.rb +4 -4
- data/lib/puppet/type/service.rb +49 -0
- data/lib/puppet/util.rb +39 -15
- data/lib/puppet/util/checksums.rb +19 -4
- data/lib/puppet/util/fileparsing.rb +2 -2
- data/lib/puppet/util/provider_features.rb +1 -1
- data/lib/puppet/util/reference.rb +1 -1
- data/lib/puppet/util/windows/api_types.rb +45 -32
- data/lib/puppet/util/windows/eventlog.rb +1 -6
- data/lib/puppet/util/windows/principal.rb +8 -6
- data/lib/puppet/util/windows/registry.rb +11 -11
- data/lib/puppet/util/windows/service.rb +43 -26
- data/lib/puppet/util/windows/user.rb +23 -8
- data/lib/puppet/version.rb +1 -1
- data/locales/puppet.pot +249 -221
- data/man/man5/puppet.conf.5 +19 -8
- data/man/man8/puppet-agent.8 +2 -2
- data/man/man8/puppet-apply.8 +1 -1
- data/man/man8/puppet-catalog.8 +1 -1
- data/man/man8/puppet-config.8 +1 -1
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +1 -1
- data/man/man8/puppet-filebucket.8 +1 -1
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-key.8 +1 -1
- data/man/man8/puppet-lookup.8 +1 -1
- data/man/man8/puppet-man.8 +1 -1
- data/man/man8/puppet-module.8 +1 -1
- data/man/man8/puppet-node.8 +1 -1
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +1 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +1 -1
- data/man/man8/puppet-status.8 +1 -1
- data/man/man8/puppet.8 +2 -2
- data/spec/integration/application/agent_spec.rb +89 -0
- data/spec/integration/defaults_spec.rb +1 -2
- data/spec/integration/network/http_pool_spec.rb +26 -9
- data/spec/integration/parser/compiler_spec.rb +11 -0
- data/spec/integration/type/file_spec.rb +1 -1
- data/spec/integration/util/windows/registry_spec.rb +7 -7
- data/spec/integration/util/windows/user_spec.rb +40 -5
- data/spec/unit/configurer/fact_handler_spec.rb +4 -4
- data/spec/unit/context/trusted_information_spec.rb +10 -4
- data/spec/unit/file_serving/http_metadata_spec.rb +37 -14
- data/spec/unit/file_serving/terminus_selector_spec.rb +45 -26
- data/spec/unit/http/client_spec.rb +64 -8
- data/spec/unit/http/response_spec.rb +6 -0
- data/spec/unit/indirector/file_metadata/http_spec.rb +27 -0
- data/spec/unit/indirector/request_spec.rb +1 -1
- data/spec/unit/interface_spec.rb +3 -3
- data/spec/unit/network/http/api/indirected_routes_spec.rb +2 -1
- data/spec/unit/network/http/connection_spec.rb +42 -32
- data/spec/unit/parser/ast/block_expression_spec.rb +1 -1
- data/spec/unit/parser/environment_compiler_spec.rb +7 -0
- data/spec/unit/parser/scope_spec.rb +1 -1
- data/spec/unit/pops/evaluator/evaluating_parser_spec.rb +15 -1
- data/spec/unit/pops/loaders/loaders_spec.rb +1 -1
- data/spec/unit/pops/types/type_calculator_spec.rb +1 -11
- data/spec/unit/provider/service/windows_spec.rb +22 -14
- data/spec/unit/provider/user/openbsd_spec.rb +1 -0
- data/spec/unit/provider/user/useradd_spec.rb +22 -16
- data/spec/unit/resource_spec.rb +3 -3
- data/spec/unit/ssl/ssl_provider_spec.rb +69 -43
- data/spec/unit/test/test_helper_spec.rb +17 -0
- data/spec/unit/transaction/report_spec.rb +1 -1
- data/spec/unit/type/file/source_spec.rb +3 -3
- data/spec/unit/type/file_spec.rb +122 -96
- data/spec/unit/type/service_spec.rb +176 -0
- data/spec/unit/type_spec.rb +50 -0
- data/spec/unit/util/checksums_spec.rb +16 -0
- data/spec/unit/util/windows/api_types_spec.rb +104 -40
- data/spec/unit/util/windows/service_spec.rb +4 -4
- data/spec/unit/util_spec.rb +3 -3
- data/spec/unit/x509/cert_provider_spec.rb +1 -1
- metadata +5 -5
- data/spec/integration/test/test_helper_spec.rb +0 -31
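--- a/data/spec/unit/provider/user/openbsd_spec.rb
+++ b/data/spec/unit/provider/user/openbsd_spec.rb
@@ -45,6 +45,7 @@ describe Puppet::Type.type(:user).provider(:openbsd) do
   describe "#addcmd" do
     it "should return an array with the full command and expiry as MM/DD/YY" do
       allow(Facter).to receive(:value).with(:osfamily).and_return('OpenBSD')
+      allow(Facter).to receive(:value).with(:operatingsystemmajrelease)
       resource[:expiry] = "1997-06-01"
       expect(provider.addcmd).to eq(['/usr/sbin/useradd', '-e', 'June 01 1997', 'myuser'])
     end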
@@ -72,20 +72,24 @@ describe Puppet::Type.type(:user).provider(:useradd) do
|
|
72
72
|
provider.create
|
73
73
|
end
|
74
74
|
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
75
|
+
context "when setting groups" do
|
76
|
+
it "uses -G to set groups" do
|
77
|
+
allow(Facter).to receive(:value).with(:osfamily).and_return('Solaris')
|
78
|
+
allow(Facter).to receive(:value).with(:operatingsystemmajrelease)
|
79
|
+
resource[:ensure] = :present
|
80
|
+
resource[:groups] = ['group1', 'group2']
|
81
|
+
expect(provider).to receive(:execute).with(['/usr/sbin/useradd', '-G', 'group1,group2', 'myuser'], kind_of(Hash))
|
82
|
+
provider.create
|
83
|
+
end
|
82
84
|
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
85
|
+
it "uses -G to set groups with -M on supported systems" do
|
86
|
+
allow(Facter).to receive(:value).with(:osfamily).and_return('RedHat')
|
87
|
+
allow(Facter).to receive(:value).with(:operatingsystemmajrelease)
|
88
|
+
resource[:ensure] = :present
|
89
|
+
resource[:groups] = ['group1', 'group2']
|
90
|
+
expect(provider).to receive(:execute).with(['/usr/sbin/useradd', '-G', 'group1,group2', '-M', 'myuser'], kind_of(Hash))
|
91
|
+
provider.create
|
92
|
+
end
|
89
93
|
end
|
90
94
|
|
91
95
|
it "should add -o when allowdupe is enabled and the user is being created" do
|
@@ -429,15 +433,17 @@ describe Puppet::Type.type(:user).provider(:useradd) do
|
|
429
433
|
provider.delete
|
430
434
|
end
|
431
435
|
|
432
|
-
it "should use -M flag if home is not managed
|
436
|
+
it "should use -M flag if home is not managed on a supported system" do
|
433
437
|
allow(Facter).to receive(:value).with(:osfamily).and_return("RedHat")
|
438
|
+
allow(Facter).to receive(:value).with(:operatingsystemmajrelease)
|
434
439
|
resource[:managehome] = :false
|
435
440
|
expect(provider).to receive(:execute).with(include('-M'), kind_of(Hash))
|
436
441
|
provider.create
|
437
442
|
end
|
438
443
|
|
439
|
-
it "should not use -M flag if home is not managed
|
440
|
-
allow(Facter).to receive(:value).with(:osfamily).and_return("
|
444
|
+
it "should not use -M flag if home is not managed on an unsupported system" do
|
445
|
+
allow(Facter).to receive(:value).with(:osfamily).and_return("Suse")
|
446
|
+
allow(Facter).to receive(:value).with(:operatingsystemmajrelease).and_return("11")
|
441
447
|
resource[:managehome] = :false
|
442
448
|
expect(provider).to receive(:execute).with(excluding('-M'), kind_of(Hash))
|
443
449
|
provider.create
|
data/spec/unit/resource_spec.rb
CHANGED
@@ -283,7 +283,7 @@ describe Puppet::Resource do
|
|
283
283
|
let(:scope) { Puppet::Parser::Scope.new(compiler) }
|
284
284
|
|
285
285
|
def ast_leaf(value)
|
286
|
-
Puppet::Parser::AST::Leaf.new(
|
286
|
+
Puppet::Parser::AST::Leaf.new(value: value)
|
287
287
|
end
|
288
288
|
|
289
289
|
it "should fail when asked to set default values and it is not a parser resource" do
|
@@ -389,7 +389,7 @@ describe Puppet::Resource do
|
|
389
389
|
context "when a value is provided" do
|
390
390
|
let(:port_parameter) do
|
391
391
|
Puppet::Parser::Resource::Param.new(
|
392
|
-
|
392
|
+
name: 'port', value: '8080'
|
393
393
|
)
|
394
394
|
end
|
395
395
|
|
@@ -414,7 +414,7 @@ describe Puppet::Resource do
|
|
414
414
|
expect_lookup('apache::port', returns: '443')
|
415
415
|
|
416
416
|
rs = Puppet::Parser::Resource.new("class", "apache", :scope => scope,
|
417
|
-
:parameters => [Puppet::Parser::Resource::Param.new(
|
417
|
+
:parameters => [Puppet::Parser::Resource::Param.new(name: 'port', value: nil)])
|
418
418
|
|
419
419
|
rs.resource_type.set_resource_parameters(rs, scope)
|
420
420
|
expect(rs[:port]).to eq('443')
|
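--- a/data/spec/unit/ssl/ssl_provider_spec.rb
+++ b/data/spec/unit/ssl/ssl_provider_spec.rb
@@ -42,20 +42,20 @@ describe Puppet::SSL::SSLProvider do
     let(:config) { { cacerts: [], crls: [], revocation: false } }
 
     it 'accepts empty list of certs and crls' do
-      sslctx = subject.create_root_context(config)
+      sslctx = subject.create_root_context(**config)
       expect(sslctx.cacerts).to eq([])
       expect(sslctx.crls).to eq([])
     end
 
     it 'accepts valid root certs' do
       certs = [cert_fixture('ca.pem')]
-      sslctx = subject.create_root_context(config.merge(cacerts: certs))
+      sslctx = subject.create_root_context(**config.merge(cacerts: certs))
       expect(sslctx.cacerts).to eq(certs)
     end
 
     it 'accepts valid intermediate certs' do
       certs = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
-      sslctx = subject.create_root_context(config.merge(cacerts: certs))
+      sslctx = subject.create_root_context(**config.merge(cacerts: certs))
       expect(sslctx.cacerts).to eq(certs)
     end
 
@@ -63,19 +63,19 @@ describe Puppet::SSL::SSLProvider do
       expired = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
       expired.each { |x509| x509.not_after = Time.at(0) }
 
-      sslctx = subject.create_root_context(config.merge(cacerts: expired))
+      sslctx = subject.create_root_context(**config.merge(cacerts: expired))
       expect(sslctx.cacerts).to eq(expired)
     end
 
     it 'raises if the frozen context is modified' do
-      sslctx = subject.create_root_context(config)
+      sslctx = subject.create_root_context(**config)
       expect {
         sslctx.verify_peer = false
       }.to raise_error(/can't modify frozen/)
     end
 
     it 'verifies peer' do
-      sslctx = subject.create_root_context(config)
+      sslctx = subject.create_root_context(**config)
       expect(sslctx.verify_peer).to eq(true)
     end
   end
@@ -134,6 +134,32 @@ describe Puppet::SSL::SSLProvider do
       expect(sslctx.client_cert).to be_nil
       expect(sslctx.private_key).to be_nil
     end
+
+    it 'trusts additional system certs' do
+      path = tmpfile('system_cacerts')
+      File.write(path, cert_fixture('ca.pem').to_pem)
+
+      expect_any_instance_of(OpenSSL::X509::Store).to receive(:add_file).with(path)
+
+      subject.create_system_context(cacerts: [], path: path)
+    end
+
+    it 'ignores empty files' do
+      path = tmpfile('system_cacerts')
+      FileUtils.touch(path)
+
+      subject.create_system_context(cacerts: [], path: path)
+
+      expect(@logs).to eq([])
+    end
+
+    it 'prints an error if it is not a file' do
+      path = tmpdir('system_cacerts')
+
+      subject.create_system_context(cacerts: [], path: path)
+
+      expect(@logs).to include(an_object_having_attributes(level: :warning, message: /^The 'ssl_trust_store' setting does not refer to a file and will be ignored/))
+    end
   end
 
   context 'when creating an ssl context with crls' do
@@ -142,14 +168,14 @@ describe Puppet::SSL::SSLProvider do
     it 'accepts valid CRLs' do
       certs = [cert_fixture('ca.pem')]
       crls = [crl_fixture('crl.pem')]
-      sslctx = subject.create_root_context(config.merge(cacerts: certs, crls: crls))
+      sslctx = subject.create_root_context(**config.merge(cacerts: certs, crls: crls))
       expect(sslctx.crls).to eq(crls)
     end
 
     it 'accepts valid CRLs for intermediate certs' do
       certs = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
       crls = [crl_fixture('crl.pem'), crl_fixture('intermediate-crl.pem')]
-      sslctx = subject.create_root_context(config.merge(cacerts: certs, crls: crls))
+      sslctx = subject.create_root_context(**config.merge(cacerts: certs, crls: crls))
       expect(sslctx.crls).to eq(crls)
     end
 
@@ -157,12 +183,12 @@ describe Puppet::SSL::SSLProvider do
       expired = [crl_fixture('crl.pem'), crl_fixture('intermediate-crl.pem')]
       expired.each { |x509| x509.last_update = Time.at(0) }
 
-      sslctx = subject.create_root_context(config.merge(crls: expired))
+      sslctx = subject.create_root_context(**config.merge(crls: expired))
       expect(sslctx.crls).to eq(expired)
     end
 
     it 'verifies peer' do
-      sslctx = subject.create_root_context(config)
+      sslctx = subject.create_root_context(**config)
       expect(sslctx.verify_peer).to eq(true)
     end
   end
@@ -174,49 +200,49 @@ describe Puppet::SSL::SSLProvider do
 
     it 'raises if CA certs are missing' do
       expect {
-        subject.create_context(config.merge(cacerts: nil))
+        subject.create_context(**config.merge(cacerts: nil))
       }.to raise_error(ArgumentError, /CA certs are missing/)
     end
 
     it 'raises if CRLs are are missing' do
       expect {
-        subject.create_context(config.merge(crls: nil))
+        subject.create_context(**config.merge(crls: nil))
       }.to raise_error(ArgumentError, /CRLs are missing/)
     end
 
     it 'raises if private key is missing' do
       expect {
-        subject.create_context(config.merge(private_key: nil))
+        subject.create_context(**config.merge(private_key: nil))
       }.to raise_error(ArgumentError, /Private key is missing/)
     end
 
     it 'raises if client cert is missing' do
       expect {
-        subject.create_context(config.merge(client_cert: nil))
+        subject.create_context(**config.merge(client_cert: nil))
       }.to raise_error(ArgumentError, /Client cert is missing/)
     end
 
     it 'accepts RSA keys' do
-      sslctx = subject.create_context(config)
+      sslctx = subject.create_context(**config)
       expect(sslctx.private_key).to eq(private_key)
     end
 
     it 'accepts EC keys' do
       ec_key = ec_key_fixture('ec-key.pem')
       ec_cert = cert_fixture('ec.pem')
-      sslctx = subject.create_context(config.merge(client_cert: ec_cert, private_key: ec_key))
+      sslctx = subject.create_context(**config.merge(client_cert: ec_cert, private_key: ec_key))
       expect(sslctx.private_key).to eq(ec_key)
     end
 
     it 'raises if private key is unsupported' do
       dsa_key = OpenSSL::PKey::DSA.new
       expect {
-        subject.create_context(config.merge(private_key: dsa_key))
+        subject.create_context(**config.merge(private_key: dsa_key))
       }.to raise_error(Puppet::SSL::SSLError, /Unsupported key 'OpenSSL::PKey::DSA'/)
     end
 
     it 'resolves the client chain from leaf to root' do
-      sslctx = subject.create_context(config)
+      sslctx = subject.create_context(**config)
       expect(
         sslctx.client_chain.map(&:subject).map(&:to_utf8)
       ).to eq(['CN=signed', 'CN=Test CA Subauthority', 'CN=Test CA'])
@@ -225,21 +251,21 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if client cert signature is invalid' do
       client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)
       expect {
-        subject.create_context(config.merge(client_cert: client_cert))
+        subject.create_context(**config.merge(client_cert: client_cert))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for certificate 'CN=signed'")
     end
 
     it 'raises if client cert and private key are mismatched' do
       expect {
-        subject.create_context(config.merge(private_key: wrong_key))
+        subject.create_context(**config.merge(private_key: wrong_key))
       }.to raise_error(Puppet::SSL::SSLError,
                        "The certificate for 'CN=signed' does not match its private key")
     end
 
     it "raises if client cert's public key has been replaced" do
       expect {
-        subject.create_context(config.merge(client_cert: cert_fixture('tampered-cert.pem')))
+        subject.create_context(**config.merge(client_cert: cert_fixture('tampered-cert.pem')))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for certificate 'CN=signed'")
     end
@@ -250,7 +276,7 @@ describe Puppet::SSL::SSLProvider do
       ca.sign(wrong_key, OpenSSL::Digest::SHA256.new)
 
       expect {
-        subject.create_context(config.merge(cacerts: global_cacerts))
+        subject.create_context(**config.merge(cacerts: global_cacerts))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for certificate 'CN=Test CA'")
     end
@@ -260,7 +286,7 @@ describe Puppet::SSL::SSLProvider do
       int.sign(wrong_key, OpenSSL::Digest::SHA256.new)
 
       expect {
-        subject.create_context(config.merge(cacerts: global_cacerts))
+        subject.create_context(**config.merge(cacerts: global_cacerts))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for certificate 'CN=Test CA Subauthority'")
     end
@@ -270,7 +296,7 @@ describe Puppet::SSL::SSLProvider do
       crl.sign(wrong_key, OpenSSL::Digest::SHA256.new)
 
       expect {
-        subject.create_context(config.merge(crls: global_crls))
+        subject.create_context(**config.merge(crls: global_crls))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for CRL issued by 'CN=Test CA'")
     end
@@ -280,14 +306,14 @@ describe Puppet::SSL::SSLProvider do
       crl.sign(wrong_key, OpenSSL::Digest::SHA256.new)
 
       expect {
-        subject.create_context(config.merge(crls: global_crls))
+        subject.create_context(**config.merge(crls: global_crls))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Invalid signature for CRL issued by 'CN=Test CA Subauthority'")
     end
 
     it 'raises if client cert is revoked' do
       expect {
-        subject.create_context(config.merge(private_key: key_fixture('revoked-key.pem'), client_cert: cert_fixture('revoked.pem')))
+        subject.create_context(**config.merge(private_key: key_fixture('revoked-key.pem'), client_cert: cert_fixture('revoked.pem')))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Certificate 'CN=revoked' is revoked")
     end
@@ -295,12 +321,12 @@ describe Puppet::SSL::SSLProvider do
     it 'warns if intermediate issuer is missing' do
       expect(Puppet).to receive(:warning).with("The issuer 'CN=Test CA Subauthority' of certificate 'CN=signed' cannot be found locally")
 
-      subject.create_context(config.merge(cacerts: [cert_fixture('ca.pem')]))
+      subject.create_context(**config.merge(cacerts: [cert_fixture('ca.pem')]))
     end
 
     it 'raises if root issuer is missing' do
       expect {
-        subject.create_context(config.merge(cacerts: [cert_fixture('intermediate.pem')]))
+        subject.create_context(**config.merge(cacerts: [cert_fixture('intermediate.pem')]))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The issuer 'CN=Test CA' of certificate 'CN=Test CA Subauthority' is missing")
     end
@@ -308,7 +334,7 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if cert is not valid yet', unless: Puppet::Util::Platform.jruby? do
       client_cert.not_before = Time.now + (5 * 60 * 60)
       expect {
-        subject.create_context(config.merge(client_cert: client_cert))
+        subject.create_context(**config.merge(client_cert: client_cert))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The certificate 'CN=signed' is not yet valid, verify time is synchronized")
     end
@@ -316,7 +342,7 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if cert is expired', unless: Puppet::Util::Platform.jruby? do
       client_cert.not_after = Time.at(0)
       expect {
-        subject.create_context(config.merge(client_cert: client_cert))
+        subject.create_context(**config.merge(client_cert: client_cert))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The certificate 'CN=signed' has expired, verify time is synchronized")
     end
@@ -327,7 +353,7 @@ describe Puppet::SSL::SSLProvider do
       future_crls.first.last_update = Time.now + (5 * 60 * 60)
 
       expect {
-        subject.create_context(config.merge(crls: future_crls))
+        subject.create_context(**config.merge(crls: future_crls))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The CRL issued by 'CN=Test CA' is not yet valid, verify time is synchronized")
     end
@@ -338,7 +364,7 @@ describe Puppet::SSL::SSLProvider do
       past_crls.first.next_update = Time.at(0)
 
       expect {
-        subject.create_context(config.merge(crls: past_crls))
+        subject.create_context(**config.merge(crls: past_crls))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The CRL issued by 'CN=Test CA' has expired, verify time is synchronized")
     end
@@ -346,7 +372,7 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if the root CRL is missing' do
       crls = [crl_fixture('intermediate-crl.pem')]
       expect {
-        subject.create_context(config.merge(crls: crls, revocation: :chain))
+        subject.create_context(**config.merge(crls: crls, revocation: :chain))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The CRL issued by 'CN=Test CA' is missing")
     end
@@ -354,23 +380,23 @@ describe Puppet::SSL::SSLProvider do
     it 'raises if the intermediate CRL is missing' do
       crls = [crl_fixture('crl.pem')]
       expect {
-        subject.create_context(config.merge(crls: crls))
+        subject.create_context(**config.merge(crls: crls))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "The CRL issued by 'CN=Test CA Subauthority' is missing")
     end
 
     it "doesn't raise if the root CRL is missing and we're just checking the leaf" do
       crls = [crl_fixture('intermediate-crl.pem')]
-      subject.create_context(config.merge(crls: crls, revocation: :leaf))
+      subject.create_context(**config.merge(crls: crls, revocation: :leaf))
     end
 
     it "doesn't raise if the intermediate CRL is missing and revocation checking is disabled" do
       crls = [crl_fixture('crl.pem')]
-      subject.create_context(config.merge(crls: crls, revocation: false))
+      subject.create_context(**config.merge(crls: crls, revocation: false))
     end
 
     it "doesn't raise if both CRLs are missing and revocation checking is disabled" do
-      subject.create_context(config.merge(crls: [], revocation: false))
+      subject.create_context(**config.merge(crls: [], revocation: false))
     end
 
     # OpenSSL < 1.1 does not verify basicConstraints
@@ -378,7 +404,7 @@ describe Puppet::SSL::SSLProvider do
       certs = [cert_fixture('bad-basic-constraints.pem'), cert_fixture('intermediate.pem')]
 
       expect {
-        subject.create_context(config.merge(cacerts: certs, crls: [], revocation: false))
+        subject.create_context(**config.merge(cacerts: certs, crls: [], revocation: false))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Certificate 'CN=Test CA' failed verification (24): invalid CA certificate")
     end
@@ -388,32 +414,32 @@ describe Puppet::SSL::SSLProvider do
       certs = [cert_fixture('ca.pem'), cert_fixture('bad-int-basic-constraints.pem')]
 
       expect {
-        subject.create_context(config.merge(cacerts: certs, crls: [], revocation: false))
+        subject.create_context(**config.merge(cacerts: certs, crls: [], revocation: false))
       }.to raise_error(Puppet::SSL::CertVerifyError,
                        "Certificate 'CN=Test CA Subauthority' failed verification (24): invalid CA certificate")
     end
 
     it 'accepts CA certs in any order' do
-      sslctx = subject.create_context(config.merge(cacerts: global_cacerts.reverse))
+      sslctx = subject.create_context(**config.merge(cacerts: global_cacerts.reverse))
       # certs in ruby+openssl 1.0.x are not comparable, so compare subjects
       expect(sslctx.client_chain.map(&:subject).map(&:to_utf8)).to contain_exactly('CN=Test CA', 'CN=Test CA Subauthority', 'CN=signed')
     end
 
     it 'accepts CRLs in any order' do
-      sslctx = subject.create_context(config.merge(crls: global_crls.reverse))
+      sslctx = subject.create_context(**config.merge(crls: global_crls.reverse))
       # certs in ruby+openssl 1.0.x are not comparable, so compare subjects
       expect(sslctx.client_chain.map(&:subject).map(&:to_utf8)).to contain_exactly('CN=Test CA', 'CN=Test CA Subauthority', 'CN=signed')
     end
 
     it 'raises if the frozen context is modified' do
-      sslctx = subject.create_context(config)
+      sslctx = subject.create_context(**config)
       expect {
         sslctx.verify_peer = false
       }.to raise_error(/can't modify frozen/)
     end
 
     it 'verifies peer' do
-      sslctx = subject.create_context(config)
+      sslctx = subject.create_context(**config)
       expect(sslctx.verify_peer).to eq(true)
     end
   end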
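Review bot: The new `ssl_trust_store` tests (hunk `@@ -134,6 +134,32 @@`) only prove that `add_file` is invoked and that a directory path logs a warning; none of them shows that a chain rooted in the extra cert actually verifies under the returned context, which is the property an operator relies on when pointing `ssl_trust_store` at an internal CA. The third test's name also contradicts its assertion, since it checks `level: :warning` — rename it `it 'warns and ignores the trust store if it is not a file' do`, and add the two cases a practitioner will hit first, a nonexistent path and an unreadable file, since it is not clear from the visible assertions whether those fall under the same "does not refer to a file" warning or raise. Because this setting widens trust, a negative test that `create_root_context`/`create_context` (the agent-to-server contexts) ignore `path` would pin the intended boundary, assuming that is the design; the provider code is outside this page. Finally, `expect_any_instance_of(OpenSSL::X509::Store)` is a broad partial mock; asserting on the returned context would avoid it.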