puppet 6.16.0-x86-mingw32 → 7.0.0-x86-mingw32
Potentially problematic release.
This version of puppet might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Gemfile +5 -3
- data/Gemfile.lock +31 -33
- data/README.md +4 -5
- data/Rakefile +4 -12
- data/conf/fileserver.conf +5 -10
- data/ext/build_defaults.yaml +1 -1
- data/ext/osx/file_mapping.yaml +0 -5
- data/ext/project_data.yaml +1 -14
- data/ext/redhat/puppet.spec.erb +0 -1
- data/ext/windows/service/daemon.rb +6 -5
- data/install.rb +21 -17
- data/lib/puppet.rb +11 -20
- data/lib/puppet/agent.rb +2 -2
- data/lib/puppet/agent/locker.rb +0 -7
- data/lib/puppet/application.rb +172 -98
- data/lib/puppet/application/agent.rb +22 -6
- data/lib/puppet/application/apply.rb +18 -20
- data/lib/puppet/application/device.rb +100 -104
- data/lib/puppet/application/doc.rb +1 -1
- data/lib/puppet/application/filebucket.rb +15 -11
- data/lib/puppet/application/lookup.rb +16 -4
- data/lib/puppet/application/ssl.rb +1 -1
- data/lib/puppet/configurer.rb +66 -31
- data/lib/puppet/configurer/downloader.rb +31 -10
- data/lib/puppet/configurer/plugin_handler.rb +21 -19
- data/lib/puppet/confine.rb +2 -2
- data/lib/puppet/confine/any.rb +1 -1
- data/lib/puppet/defaults.rb +166 -169
- data/lib/puppet/environments.rb +41 -15
- data/lib/puppet/face/catalog.rb +1 -1
- data/lib/puppet/face/config.rb +56 -16
- data/lib/puppet/face/epp.rb +12 -2
- data/lib/puppet/face/facts.rb +66 -6
- data/lib/puppet/face/help.rb +1 -1
- data/lib/puppet/face/node.rb +3 -3
- data/lib/puppet/face/node/clean.rb +2 -2
- data/lib/puppet/face/plugin.rb +5 -8
- data/lib/puppet/feature/base.rb +1 -1
- data/lib/puppet/ffi/windows.rb +12 -0
- data/lib/puppet/ffi/windows/api_types.rb +311 -0
- data/lib/puppet/ffi/windows/constants.rb +404 -0
- data/lib/puppet/ffi/windows/functions.rb +628 -0
- data/lib/puppet/ffi/windows/structs.rb +338 -0
- data/lib/puppet/file_bucket/dipper.rb +1 -1
- data/lib/puppet/file_serving/configuration.rb +0 -5
- data/lib/puppet/file_serving/configuration/parser.rb +3 -32
- data/lib/puppet/file_serving/http_metadata.rb +13 -1
- data/lib/puppet/file_serving/metadata.rb +4 -1
- data/lib/puppet/file_serving/mount.rb +1 -2
- data/lib/puppet/file_serving/mount/locales.rb +1 -2
- data/lib/puppet/file_serving/mount/pluginfacts.rb +1 -2
- data/lib/puppet/file_serving/mount/plugins.rb +1 -2
- data/lib/puppet/file_serving/terminus_selector.rb +7 -8
- data/lib/puppet/file_system/file_impl.rb +4 -4
- data/lib/puppet/file_system/uniquefile.rb +8 -16
- data/lib/puppet/forge.rb +1 -1
- data/lib/puppet/forge/cache.rb +1 -1
- data/lib/puppet/forge/repository.rb +3 -8
- data/lib/puppet/functions/epp.rb +1 -0
- data/lib/puppet/functions/inline_epp.rb +1 -0
- data/lib/puppet/functions/lstrip.rb +4 -4
- data/lib/puppet/functions/new.rb +8 -3
- data/lib/puppet/functions/reverse_each.rb +1 -1
- data/lib/puppet/functions/rstrip.rb +4 -4
- data/lib/puppet/functions/step.rb +1 -1
- data/lib/puppet/functions/strip.rb +4 -4
- data/lib/puppet/generate/models/type/type.rb +4 -1
- data/lib/puppet/gettext/config.rb +5 -5
- data/lib/puppet/gettext/module_translations.rb +4 -4
- data/lib/puppet/http.rb +23 -13
- data/lib/puppet/http/client.rb +170 -115
- data/lib/puppet/{network/resolver.rb → http/dns.rb} +2 -2
- data/lib/puppet/http/errors.rb +16 -0
- data/lib/puppet/http/external_client.rb +5 -7
- data/lib/puppet/{network/http → http}/factory.rb +8 -11
- data/lib/puppet/{network/http → http}/pool.rb +61 -26
- data/lib/puppet/{network/http/session.rb → http/pool_entry.rb} +2 -3
- data/lib/puppet/http/proxy.rb +137 -0
- data/lib/puppet/http/redirector.rb +13 -19
- data/lib/puppet/http/resolver.rb +10 -23
- data/lib/puppet/http/resolver/server_list.rb +23 -45
- data/lib/puppet/http/resolver/settings.rb +7 -10
- data/lib/puppet/http/resolver/srv.rb +11 -15
- data/lib/puppet/http/response.rb +49 -48
- data/lib/puppet/http/response_converter.rb +24 -0
- data/lib/puppet/http/response_net_http.rb +42 -0
- data/lib/puppet/http/retry_after_handler.rb +4 -13
- data/lib/puppet/http/service.rb +15 -27
- data/lib/puppet/http/service/ca.rb +11 -22
- data/lib/puppet/http/service/compiler.rb +23 -70
- data/lib/puppet/http/service/file_server.rb +19 -28
- data/lib/puppet/http/service/puppetserver.rb +53 -0
- data/lib/puppet/http/service/report.rb +8 -10
- data/lib/puppet/http/session.rb +16 -24
- data/lib/puppet/{network/http → http}/site.rb +1 -2
- data/lib/puppet/indirector.rb +1 -1
- data/lib/puppet/indirector/catalog/compiler.rb +1 -1
- data/lib/puppet/indirector/catalog/rest.rb +2 -4
- data/lib/puppet/indirector/exec.rb +1 -1
- data/lib/puppet/indirector/fact_search.rb +60 -0
- data/lib/puppet/indirector/facts/facter.rb +27 -6
- data/lib/puppet/indirector/facts/json.rb +27 -0
- data/lib/puppet/indirector/facts/rest.rb +3 -22
- data/lib/puppet/indirector/facts/yaml.rb +4 -59
- data/lib/puppet/indirector/file_bucket_file/rest.rb +3 -9
- data/lib/puppet/indirector/file_content/rest.rb +3 -7
- data/lib/puppet/indirector/file_metadata/http.rb +25 -5
- data/lib/puppet/indirector/file_metadata/rest.rb +5 -11
- data/lib/puppet/indirector/file_server.rb +1 -8
- data/lib/puppet/indirector/generic_http.rb +0 -11
- data/lib/puppet/indirector/hiera.rb +4 -0
- data/lib/puppet/indirector/indirection.rb +1 -1
- data/lib/puppet/indirector/json.rb +5 -1
- data/lib/puppet/indirector/msgpack.rb +1 -1
- data/lib/puppet/indirector/node/json.rb +8 -0
- data/lib/puppet/indirector/node/rest.rb +2 -4
- data/lib/puppet/indirector/report/json.rb +34 -0
- data/lib/puppet/indirector/report/processor.rb +2 -2
- data/lib/puppet/indirector/report/rest.rb +3 -8
- data/lib/puppet/indirector/request.rb +2 -103
- data/lib/puppet/indirector/rest.rb +12 -263
- data/lib/puppet/indirector/yaml.rb +1 -1
- data/lib/puppet/module.rb +1 -2
- data/lib/puppet/module_tool/applications.rb +0 -1
- data/lib/puppet/network/authconfig.rb +2 -96
- data/lib/puppet/network/authorization.rb +13 -35
- data/lib/puppet/network/format_support.rb +2 -2
- data/lib/puppet/network/formats.rb +2 -1
- data/lib/puppet/network/http.rb +3 -3
- data/lib/puppet/network/http/api/indirected_routes.rb +3 -21
- data/lib/puppet/network/http/api/master/v3.rb +11 -13
- data/lib/puppet/network/http/api/master/v3/environments.rb +0 -1
- data/lib/puppet/network/http/connection.rb +247 -316
- data/lib/puppet/network/http/handler.rb +0 -1
- data/lib/puppet/network/http/route.rb +2 -2
- data/lib/puppet/network/http_pool.rb +16 -34
- data/lib/puppet/node.rb +1 -30
- data/lib/puppet/node/environment.rb +12 -5
- data/lib/puppet/node/facts.rb +17 -0
- data/lib/puppet/pal/json_catalog_encoder.rb +4 -0
- data/lib/puppet/pal/pal_impl.rb +93 -14
- data/lib/puppet/parameter.rb +1 -1
- data/lib/puppet/parser/ast/leaf.rb +5 -5
- data/lib/puppet/parser/ast/pops_bridge.rb +0 -42
- data/lib/puppet/parser/compiler.rb +1 -199
- data/lib/puppet/parser/compiler/catalog_validator/relationship_validator.rb +14 -39
- data/lib/puppet/parser/functions.rb +21 -17
- data/lib/puppet/parser/functions/create_resources.rb +11 -7
- data/lib/puppet/parser/resource.rb +3 -71
- data/lib/puppet/parser/resource/param.rb +6 -0
- data/lib/puppet/parser/type_loader.rb +2 -2
- data/lib/puppet/pops/adaptable.rb +7 -13
- data/lib/puppet/pops/adapters.rb +8 -4
- data/lib/puppet/pops/evaluator/collectors/abstract_collector.rb +1 -3
- data/lib/puppet/pops/evaluator/evaluator_impl.rb +27 -13
- data/lib/puppet/pops/evaluator/runtime3_converter.rb +2 -2
- data/lib/puppet/pops/evaluator/runtime3_resource_support.rb +3 -3
- data/lib/puppet/pops/evaluator/runtime3_support.rb +1 -1
- data/lib/puppet/pops/loader/ruby_legacy_function_instantiator.rb +6 -8
- data/lib/puppet/pops/loader/runtime3_type_loader.rb +4 -2
- data/lib/puppet/pops/loaders.rb +18 -11
- data/lib/puppet/pops/lookup/context.rb +1 -1
- data/lib/puppet/pops/lookup/hiera_config.rb +14 -1
- data/lib/puppet/pops/model/ast.pp +0 -42
- data/lib/puppet/pops/model/ast.rb +0 -290
- data/lib/puppet/pops/model/factory.rb +0 -45
- data/lib/puppet/pops/model/model_label_provider.rb +0 -5
- data/lib/puppet/pops/model/model_tree_dumper.rb +0 -22
- data/lib/puppet/pops/model/pn_transformer.rb +0 -16
- data/lib/puppet/pops/parser/egrammar.ra +0 -56
- data/lib/puppet/pops/parser/eparser.rb +1520 -1712
- data/lib/puppet/pops/parser/lexer2.rb +4 -4
- data/lib/puppet/pops/parser/parser_support.rb +0 -5
- data/lib/puppet/pops/resource/resource_type_impl.rb +2 -22
- data/lib/puppet/pops/types/iterable.rb +34 -8
- data/lib/puppet/pops/types/p_meta_type.rb +1 -1
- data/lib/puppet/pops/types/p_type_set_type.rb +4 -0
- data/lib/puppet/pops/types/type_calculator.rb +0 -7
- data/lib/puppet/pops/types/type_parser.rb +0 -4
- data/lib/puppet/pops/types/types.rb +0 -1
- data/lib/puppet/pops/validation/checker4_0.rb +28 -42
- data/lib/puppet/pops/validation/tasks_checker.rb +0 -12
- data/lib/puppet/pops/validation/validator_factory_4_0.rb +1 -1
- data/lib/puppet/provider.rb +0 -13
- data/lib/puppet/provider/file/windows.rb +1 -1
- data/lib/puppet/provider/nameservice.rb +0 -18
- data/lib/puppet/provider/package/apt.rb +34 -0
- data/lib/puppet/provider/package/aptitude.rb +1 -1
- data/lib/puppet/provider/package/dpkg.rb +1 -11
- data/lib/puppet/provider/package/gem.rb +27 -5
- data/lib/puppet/provider/package/pip.rb +0 -1
- data/lib/puppet/provider/package/pip2.rb +17 -0
- data/lib/puppet/provider/package/pkg.rb +0 -4
- data/lib/puppet/provider/package/portage.rb +1 -1
- data/lib/puppet/provider/package/puppet_gem.rb +6 -4
- data/lib/puppet/provider/package/puppetserver_gem.rb +180 -0
- data/lib/puppet/provider/package/yum.rb +2 -1
- data/lib/puppet/provider/package/zypper.rb +3 -0
- data/lib/puppet/provider/service/smf.rb +191 -73
- data/lib/puppet/provider/service/windows.rb +23 -7
- data/lib/puppet/provider/user/aix.rb +1 -1
- data/lib/puppet/provider/user/directoryservice.rb +0 -10
- data/lib/puppet/provider/user/user_role_add.rb +1 -1
- data/lib/puppet/provider/user/useradd.rb +11 -4
- data/lib/puppet/provider/user/windows_adsi.rb +18 -1
- data/lib/puppet/reference/configuration.rb +2 -0
- data/lib/puppet/reference/indirection.rb +1 -1
- data/lib/puppet/reports/http.rb +2 -0
- data/lib/puppet/resource.rb +3 -90
- data/lib/puppet/resource/catalog.rb +1 -14
- data/lib/puppet/resource/type.rb +5 -112
- data/lib/puppet/resource/type_collection.rb +3 -48
- data/lib/puppet/runtime.rb +1 -2
- data/lib/puppet/settings.rb +84 -35
- data/lib/puppet/settings/base_setting.rb +26 -2
- data/lib/puppet/settings/integer_setting.rb +17 -0
- data/lib/puppet/settings/port_setting.rb +15 -0
- data/lib/puppet/settings/priority_setting.rb +5 -4
- data/lib/puppet/ssl.rb +10 -6
- data/lib/puppet/ssl/base.rb +3 -5
- data/lib/puppet/ssl/certificate.rb +0 -6
- data/lib/puppet/ssl/certificate_request.rb +1 -12
- data/lib/puppet/ssl/certificate_signer.rb +6 -0
- data/lib/puppet/ssl/oids.rb +3 -1
- data/lib/puppet/ssl/ssl_context.rb +2 -2
- data/lib/puppet/ssl/ssl_provider.rb +37 -1
- data/lib/puppet/ssl/state_machine.rb +3 -1
- data/lib/puppet/ssl/verifier.rb +2 -0
- data/lib/puppet/test/test_helper.rb +19 -16
- data/lib/puppet/transaction.rb +3 -9
- data/lib/puppet/transaction/persistence.rb +1 -1
- data/lib/puppet/transaction/report.rb +10 -8
- data/lib/puppet/trusted_external.rb +29 -1
- data/lib/puppet/type.rb +9 -77
- data/lib/puppet/type/file.rb +45 -22
- data/lib/puppet/type/file/checksum.rb +5 -5
- data/lib/puppet/type/file/source.rb +33 -13
- data/lib/puppet/type/filebucket.rb +4 -4
- data/lib/puppet/type/notify.rb +2 -2
- data/lib/puppet/type/package.rb +5 -13
- data/lib/puppet/type/service.rb +53 -0
- data/lib/puppet/type/user.rb +18 -3
- data/lib/puppet/util.rb +41 -3
- data/lib/puppet/util/autoload.rb +9 -7
- data/lib/puppet/util/character_encoding.rb +9 -5
- data/lib/puppet/util/checksums.rb +19 -4
- data/lib/puppet/util/execution.rb +2 -13
- data/lib/puppet/util/fileparsing.rb +2 -2
- data/lib/puppet/util/http_proxy.rb +2 -215
- data/lib/puppet/util/monkey_patches.rb +0 -46
- data/lib/puppet/util/provider_features.rb +1 -1
- data/lib/puppet/util/rdoc.rb +0 -7
- data/lib/puppet/util/reference.rb +1 -1
- data/lib/puppet/util/retry_action.rb +1 -1
- data/lib/puppet/util/rubygems.rb +5 -1
- data/lib/puppet/util/run_mode.rb +14 -2
- data/lib/puppet/util/windows.rb +3 -7
- data/lib/puppet/util/windows/daemon.rb +360 -0
- data/lib/puppet/util/windows/error.rb +1 -0
- data/lib/puppet/util/windows/eventlog.rb +5 -15
- data/lib/puppet/util/windows/file.rb +8 -242
- data/lib/puppet/util/windows/monkey_patches/process.rb +414 -0
- data/lib/puppet/util/windows/principal.rb +8 -6
- data/lib/puppet/util/windows/process.rb +4 -226
- data/lib/puppet/util/windows/registry.rb +11 -11
- data/lib/puppet/util/windows/security.rb +4 -4
- data/lib/puppet/util/windows/service.rb +52 -486
- data/lib/puppet/util/windows/string.rb +12 -13
- data/lib/puppet/util/windows/user.rb +242 -8
- data/lib/puppet/util/yaml.rb +0 -22
- data/lib/puppet/vendor/require_vendored.rb +0 -1
- data/lib/puppet/version.rb +1 -1
- data/lib/puppet/x509.rb +5 -1
- data/lib/puppet/x509/cert_provider.rb +29 -1
- data/locales/puppet.pot +713 -1380
- data/man/man5/puppet.conf.5 +84 -98
- data/man/man8/puppet-agent.8 +7 -4
- data/man/man8/puppet-apply.8 +1 -1
- data/man/man8/puppet-catalog.8 +1 -1
- data/man/man8/puppet-config.8 +6 -6
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +55 -9
- data/man/man8/puppet-filebucket.8 +6 -6
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-lookup.8 +2 -2
- data/man/man8/puppet-module.8 +1 -58
- data/man/man8/puppet-node.8 +7 -4
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +4 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +1 -1
- data/man/man8/puppet.8 +2 -2
- data/spec/fixtures/integration/application/apply/environments/spec/modules/amod/lib/puppet/provider/applytest/applytest.rb +2 -0
- data/spec/fixtures/integration/application/apply/environments/spec/modules/amod/lib/puppet/type/applytest.rb +25 -0
- data/spec/fixtures/unit/forge/bacula-releases.json +128 -0
- data/spec/fixtures/unit/forge/bacula.tar.gz +0 -0
- data/spec/fixtures/unit/provider/package/puppetserver_gem/gem-list-local-packages +30 -0
- data/spec/fixtures/unit/provider/service/smf/{svcs.out → svcs_instances.out} +0 -0
- data/spec/integration/application/agent_spec.rb +157 -59
- data/spec/integration/application/apply_spec.rb +150 -150
- data/spec/integration/application/doc_spec.rb +16 -6
- data/spec/integration/application/filebucket_spec.rb +78 -29
- data/spec/integration/application/help_spec.rb +44 -0
- data/spec/integration/application/lookup_spec.rb +13 -0
- data/spec/integration/application/module_spec.rb +68 -0
- data/spec/integration/application/plugin_spec.rb +76 -4
- data/spec/integration/configurer_spec.rb +14 -0
- data/spec/integration/data_binding_spec.rb +82 -0
- data/spec/integration/defaults_spec.rb +33 -5
- data/spec/integration/directory_environments_spec.rb +17 -17
- data/spec/integration/environments/setting_hooks_spec.rb +1 -1
- data/spec/integration/indirector/facts/facter_spec.rb +8 -6
- data/spec/integration/network/http_pool_spec.rb +29 -30
- data/spec/integration/node/environment_spec.rb +1 -1
- data/spec/integration/parser/catalog_spec.rb +0 -38
- data/spec/integration/parser/compiler_spec.rb +11 -0
- data/spec/integration/parser/node_spec.rb +0 -9
- data/spec/integration/parser/pcore_resource_spec.rb +0 -37
- data/spec/integration/type/file_spec.rb +6 -5
- data/spec/integration/util/execution_spec.rb +22 -0
- data/spec/integration/util/windows/adsi_spec.rb +2 -2
- data/spec/integration/util/windows/monkey_patches/process_spec.rb +231 -0
- data/spec/integration/util/windows/process_spec.rb +26 -32
- data/spec/integration/util/windows/registry_spec.rb +7 -7
- data/spec/integration/util/windows/security_spec.rb +1 -1
- data/spec/integration/util/windows/user_spec.rb +47 -5
- data/spec/integration/util_spec.rb +7 -33
- data/spec/lib/puppet_spec/matchers.rb +0 -80
- data/spec/lib/puppet_spec/puppetserver.rb +9 -1
- data/spec/lib/puppet_spec/settings.rb +7 -1
- data/spec/shared_contexts/types_setup.rb +2 -0
- data/spec/spec_helper.rb +2 -0
- data/spec/unit/agent_spec.rb +0 -2
- data/spec/unit/application/agent_spec.rb +3 -4
- data/spec/unit/application/config_spec.rb +224 -4
- data/spec/unit/application/doc_spec.rb +2 -2
- data/spec/unit/application/face_base_spec.rb +6 -4
- data/spec/unit/application/facts_spec.rb +74 -8
- data/spec/unit/application/filebucket_spec.rb +41 -39
- data/spec/unit/application/resource_spec.rb +3 -1
- data/spec/unit/application/ssl_spec.rb +17 -4
- data/spec/unit/application_spec.rb +9 -4
- data/spec/unit/certificate_factory_spec.rb +1 -1
- data/spec/unit/configurer/downloader_spec.rb +14 -0
- data/spec/unit/configurer/fact_handler_spec.rb +4 -4
- data/spec/unit/configurer/plugin_handler_spec.rb +56 -18
- data/spec/unit/configurer_spec.rb +96 -44
- data/spec/unit/confine_spec.rb +2 -1
- data/spec/unit/context/trusted_information_spec.rb +12 -10
- data/spec/unit/defaults_spec.rb +77 -28
- data/spec/unit/environments_spec.rb +96 -32
- data/spec/unit/face/config_spec.rb +65 -12
- data/spec/unit/face/facts_spec.rb +4 -0
- data/spec/unit/face/node_spec.rb +2 -2
- data/spec/unit/face/plugin_spec.rb +73 -33
- data/spec/unit/file_bucket/file_spec.rb +1 -1
- data/spec/unit/file_serving/configuration/parser_spec.rb +14 -18
- data/spec/unit/file_serving/configuration_spec.rb +6 -12
- data/spec/unit/file_serving/http_metadata_spec.rb +37 -14
- data/spec/unit/file_serving/mount/locales_spec.rb +2 -2
- data/spec/unit/file_serving/mount/pluginfacts_spec.rb +2 -2
- data/spec/unit/file_serving/mount/plugins_spec.rb +2 -2
- data/spec/unit/file_serving/terminus_selector_spec.rb +45 -26
- data/spec/unit/file_system/uniquefile_spec.rb +18 -0
- data/spec/unit/file_system_spec.rb +1 -2
- data/spec/unit/functions/camelcase_spec.rb +1 -1
- data/spec/unit/functions/capitalize_spec.rb +1 -1
- data/spec/unit/functions/downcase_spec.rb +1 -1
- data/spec/unit/functions/inline_epp_spec.rb +26 -1
- data/spec/unit/functions/upcase_spec.rb +1 -1
- data/spec/unit/http/client_spec.rb +71 -17
- data/spec/unit/{network/resolver_spec.rb → http/dns_spec.rb} +3 -3
- data/spec/unit/http/external_client_spec.rb +4 -4
- data/spec/unit/{network/http → http}/factory_spec.rb +5 -11
- data/spec/unit/{network/http/session_spec.rb → http/pool_entry_spec.rb} +3 -3
- data/spec/unit/{network/http → http}/pool_spec.rb +12 -17
- data/spec/unit/{util/http_proxy_spec.rb → http/proxy_spec.rb} +2 -69
- data/spec/unit/http/resolver_spec.rb +34 -15
- data/spec/unit/http/response_spec.rb +6 -0
- data/spec/unit/http/service/ca_spec.rb +2 -3
- data/spec/unit/http/service/compiler_spec.rb +51 -65
- data/spec/unit/http/service/file_server_spec.rb +5 -6
- data/spec/unit/http/service/puppetserver_spec.rb +112 -0
- data/spec/unit/http/service/report_spec.rb +2 -3
- data/spec/unit/http/service_spec.rb +1 -3
- data/spec/unit/http/session_spec.rb +24 -35
- data/spec/unit/{network/http → http}/site_spec.rb +3 -3
- data/spec/unit/indirector/catalog/json_spec.rb +1 -1
- data/spec/unit/indirector/catalog/rest_spec.rb +1 -1
- data/spec/unit/indirector/facts/facter_spec.rb +97 -0
- data/spec/unit/indirector/facts/json_spec.rb +255 -0
- data/spec/unit/indirector/facts/rest_spec.rb +1 -1
- data/spec/unit/indirector/file_bucket_file/file_spec.rb +5 -3
- data/spec/unit/indirector/file_content/rest_spec.rb +0 -4
- data/spec/unit/indirector/file_metadata/http_spec.rb +27 -0
- data/spec/unit/indirector/file_metadata/rest_spec.rb +0 -4
- data/spec/unit/indirector/file_server_spec.rb +1 -15
- data/spec/unit/indirector/json_spec.rb +8 -8
- data/spec/unit/indirector/msgpack_spec.rb +8 -8
- data/spec/unit/indirector/node/json_spec.rb +33 -0
- data/spec/unit/indirector/node/rest_spec.rb +1 -1
- data/spec/{integration/indirector/report/yaml.rb → unit/indirector/report/json_spec.rb} +13 -24
- data/spec/unit/indirector/report/rest_spec.rb +2 -17
- data/spec/unit/indirector/report/yaml_spec.rb +72 -8
- data/spec/unit/indirector/request_spec.rb +3 -267
- data/spec/unit/indirector/rest_spec.rb +98 -752
- data/spec/unit/indirector/yaml_spec.rb +7 -7
- data/spec/unit/interface_spec.rb +3 -3
- data/spec/unit/module_tool/tar/mini_spec.rb +20 -0
- data/spec/unit/network/authconfig_spec.rb +2 -132
- data/spec/unit/network/authorization_spec.rb +2 -55
- data/spec/unit/network/format_support_spec.rb +3 -2
- data/spec/unit/network/formats_spec.rb +4 -4
- data/spec/unit/network/http/api/indirected_routes_spec.rb +3 -98
- data/spec/unit/network/http/api/master/v3/environments_spec.rb +12 -23
- data/spec/unit/network/http/api/master/v3_spec.rb +28 -7
- data/spec/unit/network/http/api_spec.rb +10 -0
- data/spec/unit/network/http/connection_spec.rb +61 -73
- data/spec/unit/network/http/handler_spec.rb +0 -6
- data/spec/unit/network/http_pool_spec.rb +0 -4
- data/spec/unit/node/environment_spec.rb +51 -22
- data/spec/unit/node_spec.rb +2 -54
- data/spec/unit/parser/ast/block_expression_spec.rb +1 -1
- data/spec/unit/parser/functions/create_resources_spec.rb +2 -20
- data/spec/unit/parser/scope_spec.rb +1 -1
- data/spec/unit/pops/evaluator/evaluating_parser_spec.rb +19 -8
- data/spec/unit/pops/loaders/loaders_spec.rb +77 -22
- data/spec/unit/pops/lookup/lookup_spec.rb +25 -0
- data/spec/unit/pops/parser/parse_application_spec.rb +4 -22
- data/spec/unit/pops/parser/parse_basic_expressions_spec.rb +0 -1
- data/spec/unit/pops/parser/parse_capabilities_spec.rb +8 -21
- data/spec/unit/pops/parser/parse_site_spec.rb +20 -24
- data/spec/unit/pops/resource/resource_type_impl_spec.rb +0 -71
- data/spec/unit/pops/serialization/to_from_hr_spec.rb +1 -1
- data/spec/unit/pops/types/type_calculator_spec.rb +7 -17
- data/spec/unit/pops/types/type_factory_spec.rb +1 -1
- data/spec/unit/pops/validator/validator_spec.rb +61 -46
- data/spec/unit/pops/visitor_spec.rb +1 -1
- data/spec/unit/provider/exec_spec.rb +4 -3
- data/spec/unit/provider/nameservice_spec.rb +0 -57
- data/spec/unit/provider/package/apt_spec.rb +77 -0
- data/spec/unit/provider/package/aptitude_spec.rb +1 -0
- data/spec/unit/provider/package/dpkg_spec.rb +22 -55
- data/spec/unit/provider/package/gem_spec.rb +32 -0
- data/spec/unit/provider/package/openbsd_spec.rb +2 -0
- data/spec/unit/provider/package/pip2_spec.rb +36 -0
- data/spec/unit/provider/package/puppet_gem_spec.rb +6 -2
- data/spec/unit/provider/package/puppetserver_gem_spec.rb +137 -0
- data/spec/unit/provider/package/yum_spec.rb +31 -0
- data/spec/unit/provider/package/zypper_spec.rb +14 -0
- data/spec/unit/provider/service/base_spec.rb +2 -4
- data/spec/unit/provider/service/bsd_spec.rb +5 -1
- data/spec/unit/provider/service/daemontools_spec.rb +1 -1
- data/spec/unit/provider/service/debian_spec.rb +3 -5
- data/spec/unit/provider/service/freebsd_spec.rb +1 -1
- data/spec/unit/provider/service/gentoo_spec.rb +4 -5
- data/spec/unit/provider/service/init_spec.rb +45 -5
- data/spec/unit/provider/service/launchd_spec.rb +5 -6
- data/spec/unit/provider/service/openrc_spec.rb +4 -5
- data/spec/unit/provider/service/openwrt_spec.rb +1 -1
- data/spec/unit/provider/service/redhat_spec.rb +1 -1
- data/spec/unit/provider/service/runit_spec.rb +2 -1
- data/spec/unit/provider/service/smf_spec.rb +402 -166
- data/spec/unit/provider/service/src_spec.rb +3 -5
- data/spec/unit/provider/service/systemd_spec.rb +3 -6
- data/spec/unit/provider/service/upstart_spec.rb +4 -5
- data/spec/unit/provider/service/windows_spec.rb +50 -15
- data/spec/unit/provider/user/openbsd_spec.rb +1 -0
- data/spec/unit/provider/user/useradd_spec.rb +22 -16
- data/spec/unit/provider/user/windows_adsi_spec.rb +82 -0
- data/spec/unit/provider_spec.rb +0 -12
- data/spec/unit/puppet_pal_2pec.rb +40 -0
- data/spec/unit/puppet_pal_catalog_spec.rb +45 -0
- data/spec/unit/reports/store_spec.rb +17 -13
- data/spec/unit/resource/type_collection_spec.rb +2 -22
- data/spec/unit/resource_spec.rb +3 -59
- data/spec/unit/settings/http_extra_headers_spec.rb +2 -4
- data/spec/unit/settings/integer_setting_spec.rb +42 -0
- data/spec/unit/settings/port_setting_spec.rb +31 -0
- data/spec/unit/settings/priority_setting_spec.rb +4 -4
- data/spec/unit/settings_spec.rb +586 -239
- data/spec/unit/ssl/base_spec.rb +36 -3
- data/spec/unit/ssl/certificate_request_spec.rb +15 -45
- data/spec/unit/ssl/certificate_spec.rb +2 -11
- data/spec/unit/ssl/ssl_provider_spec.rb +78 -49
- data/spec/unit/ssl/state_machine_spec.rb +0 -1
- data/spec/unit/ssl/verifier_spec.rb +0 -21
- data/spec/unit/test/test_helper_spec.rb +17 -0
- data/spec/unit/transaction/persistence_spec.rb +15 -0
- data/spec/unit/transaction/report_spec.rb +3 -3
- data/spec/unit/transaction/resource_harness_spec.rb +2 -2
- data/spec/unit/transaction_spec.rb +45 -79
- data/spec/unit/type/file/checksum_spec.rb +6 -6
- data/spec/unit/type/file/content_spec.rb +1 -1
- data/spec/unit/type/file/ensure_spec.rb +1 -1
- data/spec/unit/type/file/mode_spec.rb +1 -1
- data/spec/unit/type/file/source_spec.rb +4 -5
- data/spec/unit/type/file_spec.rb +134 -102
- data/spec/unit/type/filebucket_spec.rb +1 -1
- data/spec/unit/type/package_spec.rb +1 -1
- data/spec/unit/type/service_spec.rb +209 -0
- data/spec/unit/type/user_spec.rb +31 -2
- data/spec/unit/type_spec.rb +70 -0
- data/spec/unit/util/backups_spec.rb +0 -2
- data/spec/unit/util/character_encoding_spec.rb +4 -4
- data/spec/unit/util/checksums_spec.rb +16 -0
- data/spec/unit/util/command_line_spec.rb +11 -6
- data/spec/unit/util/execution_spec.rb +0 -29
- data/spec/unit/util/monkey_patches_spec.rb +0 -6
- data/spec/unit/util/rubygems_spec.rb +2 -2
- data/spec/unit/util/run_mode_spec.rb +27 -127
- data/spec/unit/util/windows/api_types_spec.rb +104 -40
- data/spec/unit/util/windows/service_spec.rb +4 -4
- data/spec/unit/util/windows/string_spec.rb +1 -3
- data/spec/unit/util/yaml_spec.rb +0 -54
- data/spec/unit/util_spec.rb +3 -21
- data/spec/unit/x509/cert_provider_spec.rb +1 -1
- metadata +76 -270
- data/conf/auth.conf +0 -150
- data/lib/puppet/application/cert.rb +0 -76
- data/lib/puppet/application/key.rb +0 -4
- data/lib/puppet/application/man.rb +0 -4
- data/lib/puppet/application/status.rb +0 -4
- data/lib/puppet/face/key.rb +0 -16
- data/lib/puppet/face/man.rb +0 -145
- data/lib/puppet/face/module/build.rb +0 -14
- data/lib/puppet/face/module/generate.rb +0 -14
- data/lib/puppet/face/module/search.rb +0 -103
- data/lib/puppet/face/status.rb +0 -51
- data/lib/puppet/indirector/certificate/file.rb +0 -9
- data/lib/puppet/indirector/certificate/rest.rb +0 -18
- data/lib/puppet/indirector/certificate_request/file.rb +0 -9
- data/lib/puppet/indirector/certificate_request/memory.rb +0 -7
- data/lib/puppet/indirector/certificate_request/rest.rb +0 -11
- data/lib/puppet/indirector/file_content/http.rb +0 -22
- data/lib/puppet/indirector/key/file.rb +0 -46
- data/lib/puppet/indirector/key/memory.rb +0 -7
- data/lib/puppet/indirector/ssl_file.rb +0 -162
- data/lib/puppet/indirector/status.rb +0 -3
- data/lib/puppet/indirector/status/local.rb +0 -12
- data/lib/puppet/indirector/status/rest.rb +0 -27
- data/lib/puppet/module_tool/applications/searcher.rb +0 -29
- data/lib/puppet/network/auth_config_parser.rb +0 -90
- data/lib/puppet/network/authstore.rb +0 -283
- data/lib/puppet/network/http/api/master/v3/authorization.rb +0 -18
- data/lib/puppet/network/http/api/master/v3/environment.rb +0 -85
- data/lib/puppet/network/http/base_pool.rb +0 -36
- data/lib/puppet/network/http/compression.rb +0 -127
- data/lib/puppet/network/http/connection_adapter.rb +0 -182
- data/lib/puppet/network/http/nocache_pool.rb +0 -28
- data/lib/puppet/network/rest_controller.rb +0 -2
- data/lib/puppet/network/rights.rb +0 -210
- data/lib/puppet/parser/compiler/catalog_validator/env_relationship_validator.rb +0 -64
- data/lib/puppet/parser/compiler/catalog_validator/site_validator.rb +0 -20
- data/lib/puppet/parser/environment_compiler.rb +0 -199
- data/lib/puppet/pops/types/enumeration.rb +0 -16
- data/lib/puppet/resource/capability_finder.rb +0 -154
- data/lib/puppet/rest/errors.rb +0 -15
- data/lib/puppet/rest/response.rb +0 -35
- data/lib/puppet/rest/route.rb +0 -85
- data/lib/puppet/rest/routes.rb +0 -135
- data/lib/puppet/ssl/host.rb +0 -505
- data/lib/puppet/ssl/key.rb +0 -61
- data/lib/puppet/ssl/validator.rb +0 -61
- data/lib/puppet/ssl/validator/default_validator.rb +0 -209
- data/lib/puppet/ssl/validator/no_validator.rb +0 -22
- data/lib/puppet/ssl/verifier_adapter.rb +0 -58
- data/lib/puppet/status.rb +0 -40
- data/lib/puppet/util/connection.rb +0 -88
- data/lib/puppet/util/ssl.rb +0 -83
- data/lib/puppet/util/windows/api_types.rb +0 -282
- data/lib/puppet/vendor/load_pathspec.rb +0 -1
- data/lib/puppet/vendor/pathspec/CHANGELOG.md +0 -2
- data/lib/puppet/vendor/pathspec/LICENSE +0 -201
- data/lib/puppet/vendor/pathspec/PUPPET_README.md +0 -6
- data/lib/puppet/vendor/pathspec/README.md +0 -53
- data/lib/puppet/vendor/pathspec/lib/pathspec.rb +0 -122
- data/lib/puppet/vendor/pathspec/lib/pathspec/gitignorespec.rb +0 -275
- data/lib/puppet/vendor/pathspec/lib/pathspec/regexspec.rb +0 -17
- data/lib/puppet/vendor/pathspec/lib/pathspec/spec.rb +0 -14
- data/man/man8/puppet-key.8 +0 -126
- data/man/man8/puppet-man.8 +0 -76
- data/man/man8/puppet-status.8 +0 -108
- data/spec/integration/faces/config_spec.rb +0 -91
- data/spec/integration/faces/documentation_spec.rb +0 -57
- data/spec/integration/file_bucket/file_spec.rb +0 -50
- data/spec/integration/file_serving/content_spec.rb +0 -7
- data/spec/integration/file_serving/fileset_spec.rb +0 -12
- data/spec/integration/file_serving/metadata_spec.rb +0 -8
- data/spec/integration/file_serving/terminus_helper_spec.rb +0 -20
- data/spec/integration/file_system/uniquefile_spec.rb +0 -26
- data/spec/integration/module_tool/forge_spec.rb +0 -51
- data/spec/integration/module_tool/tar/mini_spec.rb +0 -28
- data/spec/integration/network/authconfig_spec.rb +0 -256
- data/spec/integration/provider/service/init_spec.rb +0 -48
- data/spec/integration/provider/service/systemd_spec.rb +0 -25
- data/spec/integration/provider/service/windows_spec.rb +0 -50
- data/spec/integration/reference/providers_spec.rb +0 -21
- data/spec/integration/reports_spec.rb +0 -13
- data/spec/integration/ssl/certificate_request_spec.rb +0 -44
- data/spec/integration/ssl/host_spec.rb +0 -72
- data/spec/integration/ssl/key_spec.rb +0 -99
- data/spec/integration/test/test_helper_spec.rb +0 -31
- data/spec/shared_behaviours/file_serving_model.rb +0 -51
- data/spec/unit/capability_spec.rb +0 -414
- data/spec/unit/face/catalog_spec.rb +0 -6
- data/spec/unit/face/key_spec.rb +0 -9
- data/spec/unit/face/man_spec.rb +0 -25
- data/spec/unit/face/module/search_spec.rb +0 -231
- data/spec/unit/face/module_spec.rb +0 -3
- data/spec/unit/face/status_spec.rb +0 -9
- data/spec/unit/indirector/certificate/file_spec.rb +0 -14
- data/spec/unit/indirector/certificate/rest_spec.rb +0 -61
- data/spec/unit/indirector/certificate_request/file_spec.rb +0 -14
- data/spec/unit/indirector/certificate_request/rest_spec.rb +0 -25
- data/spec/unit/indirector/key/file_spec.rb +0 -79
- data/spec/unit/indirector/ssl_file_spec.rb +0 -305
- data/spec/unit/indirector/status/local_spec.rb +0 -10
- data/spec/unit/indirector/status/rest_spec.rb +0 -50
- data/spec/unit/man_spec.rb +0 -31
- data/spec/unit/module_tool/applications/searcher_spec.rb +0 -38
- data/spec/unit/network/auth_config_parser_spec.rb +0 -115
- data/spec/unit/network/authstore_spec.rb +0 -422
- data/spec/unit/network/http/api/master/v3/authorization_spec.rb +0 -57
- data/spec/unit/network/http/api/master/v3/environment_spec.rb +0 -185
- data/spec/unit/network/http/compression_spec.rb +0 -240
- data/spec/unit/network/http/nocache_pool_spec.rb +0 -64
- data/spec/unit/network/http_spec.rb +0 -9
- data/spec/unit/network/rights_spec.rb +0 -439
- data/spec/unit/parser/environment_compiler_spec.rb +0 -723
- data/spec/unit/pops/types/enumeration_spec.rb +0 -51
- data/spec/unit/resource/capability_finder_spec.rb +0 -143
- data/spec/unit/rest/route_spec.rb +0 -132
- data/spec/unit/ssl/host_spec.rb +0 -650
- data/spec/unit/ssl/key_spec.rb +0 -173
- data/spec/unit/ssl/validator_spec.rb +0 -278
- data/spec/unit/status_spec.rb +0 -45
- data/spec/unit/util/ssl_spec.rb +0 -91
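--- a/data/spec/unit/ssl/base_spec.rb
+++ b/data/spec/unit/ssl/base_spec.rb
@@ -38,9 +38,8 @@ describe Puppet::SSL::Certificate do
 
 describe "when determining a name from a certificate subject" do
 it "should extract only the CN and not any other components" do
-
-expect(
-expect(@class.name_from_subject(subject)).to eq('host.domain.com')
+name = OpenSSL::X509::Name.parse('/CN=host.domain.com/L=Portland/ST=Oregon')
+expect(@class.name_from_subject(name)).to eq('host.domain.com')
 end
 end
 
@@ -90,4 +89,38 @@ describe Puppet::SSL::Certificate do
 }.to raise_error(Puppet::Error, "Unknown signature algorithm 'nonsense'")
 end
 end
+
+describe "when getting a CN from a subject" do
+def parse(dn)
+OpenSSL::X509::Name.parse(dn)
+end
+
+def cn_from(subject)
+@class.name_from_subject(subject)
+end
+
+it "should correctly parse a subject containing only a CN" do
+subj = parse('/CN=foo')
+expect(cn_from(subj)).to eq('foo')
+end
+
+it "should correctly parse a subject containing other components" do
+subj = parse('/CN=Root CA/OU=Server Operations/O=Example Org')
+expect(cn_from(subj)).to eq('Root CA')
+end
+
+it "should correctly parse a subject containing other components with CN not first" do
+subj = parse('/emailAddress=foo@bar.com/CN=foo.bar.com/O=Example Org')
+expect(cn_from(subj)).to eq('foo.bar.com')
+end
+
+it "should return nil for a subject with no CN" do
+subj = parse('/OU=Server Operations/O=Example Org')
+expect(cn_from(subj)).to eq(nil)
+end
+
+it "should return nil for a bare string" do
+expect(cn_from("/CN=foo")).to eq(nil)
+end
+end
 end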
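Review bot: The new "when getting a CN from a subject" examples leave one identity-relevant case unpinned: a subject that carries more than one CN attribute. The value returned by `name_from_subject` is presumably what callers treat as the certificate's name (its implementation is not part of this section), so a test should fix which CN wins, e.g. `subj = parse('/CN=foo/CN=bar')` followed by an explicit expectation. As a style point, `expect(cn_from(subj)).to eq(nil)` in the last two examples reads better as `expect(cn_from(subj)).to be_nil`.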
@@ -1,23 +1,10 @@
|
|
1
1
|
require 'spec_helper'
|
2
2
|
|
3
3
|
require 'puppet/ssl/certificate_request'
|
4
|
-
require 'puppet/ssl/key'
|
5
4
|
|
6
5
|
describe Puppet::SSL::CertificateRequest do
|
7
6
|
let(:request) { described_class.new("myname") }
|
8
|
-
let(:key) {
|
9
|
-
k = Puppet::SSL::Key.new("myname")
|
10
|
-
k.generate
|
11
|
-
k
|
12
|
-
}
|
13
|
-
|
14
|
-
it "should be extended with the Indirector module" do
|
15
|
-
expect(described_class.singleton_class).to be_include(Puppet::Indirector)
|
16
|
-
end
|
17
|
-
|
18
|
-
it "should indirect certificate_request" do
|
19
|
-
expect(described_class.indirection.name).to eq(:certificate_request)
|
20
|
-
end
|
7
|
+
let(:key) { OpenSSL::PKey::RSA.new(Puppet[:keylength]) }
|
21
8
|
|
22
9
|
it "should use any provided name as its name" do
|
23
10
|
expect(described_class.new("myname").name).to eq("myname")
|
@@ -83,14 +70,9 @@ describe Puppet::SSL::CertificateRequest do
|
|
83
70
|
end
|
84
71
|
|
85
72
|
describe "when generating", :unless => RUBY_PLATFORM == 'java' do
|
86
|
-
it "should
|
73
|
+
it "should verify the CSR using the public key associated with the private key" do
|
87
74
|
request.generate(key)
|
88
|
-
expect(request.content.verify(key.
|
89
|
-
end
|
90
|
-
|
91
|
-
it "should set the subject to [CN, name]" do
|
92
|
-
request.generate(key)
|
93
|
-
expect(request.content.subject).to eq OpenSSL::X509::Name.new([['CN', key.name]])
|
75
|
+
expect(request.content.verify(key.public_key)).to be_truthy
|
94
76
|
end
|
95
77
|
|
96
78
|
it "should set the version to 0" do
|
@@ -101,7 +83,7 @@ describe Puppet::SSL::CertificateRequest do
|
|
101
83
|
it "should set the public key to the provided key's public key" do
|
102
84
|
request.generate(key)
|
103
85
|
# The openssl bindings do not define equality on keys so we use to_s
|
104
|
-
expect(request.content.public_key.to_s).to eq(key.
|
86
|
+
expect(request.content.public_key.to_s).to eq(key.public_key.to_s)
|
105
87
|
end
|
106
88
|
|
107
89
|
context "without subjectAltName / dns_alt_names" do
|
@@ -295,20 +277,20 @@ describe Puppet::SSL::CertificateRequest do
|
|
295
277
|
|
296
278
|
it "should sign the csr with the provided key" do
|
297
279
|
request.generate(key)
|
298
|
-
expect(request.content.verify(key.
|
280
|
+
expect(request.content.verify(key.public_key)).to be_truthy
|
299
281
|
end
|
300
282
|
|
301
283
|
it "should verify the generated request using the public key" do
|
302
284
|
# Stupid keys don't have a competent == method.
|
303
285
|
expect_any_instance_of(OpenSSL::X509::Request).to receive(:verify) do |public_key|
|
304
|
-
public_key.to_s == key.
|
286
|
+
public_key.to_s == key.public_key.to_s
|
305
287
|
end.and_return(true)
|
306
288
|
request.generate(key)
|
307
289
|
end
|
308
290
|
|
309
291
|
it "should fail if verification fails" do
|
310
292
|
expect_any_instance_of(OpenSSL::X509::Request).to receive(:verify) do |public_key|
|
311
|
-
public_key.to_s == key.
|
293
|
+
public_key.to_s == key.public_key.to_s
|
312
294
|
end.and_return(false)
|
313
295
|
|
314
296
|
expect do
|
@@ -334,8 +316,8 @@ describe Puppet::SSL::CertificateRequest do
|
|
334
316
|
expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false)
|
335
317
|
expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(true)
|
336
318
|
signer = Puppet::SSL::CertificateSigner.new
|
337
|
-
signer.sign(csr, key
|
338
|
-
expect(csr.verify(key
|
319
|
+
signer.sign(csr, key)
|
320
|
+
expect(csr.verify(key)).to be_truthy
|
339
321
|
end
|
340
322
|
|
341
323
|
# Attempts to use SHA512 and SHA384 for signing certificates don't seem to work
|
@@ -348,8 +330,8 @@ describe Puppet::SSL::CertificateRequest do
|
|
348
330
|
expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false)
|
349
331
|
expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(true)
|
350
332
|
signer = Puppet::SSL::CertificateSigner.new
|
351
|
-
signer.sign(csr, key
|
352
|
-
expect(csr.verify(key
|
333
|
+
signer.sign(csr, key)
|
334
|
+
expect(csr.verify(key)).to be_truthy
|
353
335
|
end
|
354
336
|
|
355
337
|
# Attempts to use SHA512 and SHA384 for signing certificates don't seem to work
|
@@ -363,8 +345,8 @@ describe Puppet::SSL::CertificateRequest do
|
|
363
345
|
expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(false)
|
364
346
|
expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA384").and_return(true)
|
365
347
|
signer = Puppet::SSL::CertificateSigner.new
|
366
|
-
signer.sign(csr, key
|
367
|
-
expect(csr.verify(key
|
348
|
+
signer.sign(csr, key)
|
349
|
+
expect(csr.verify(key)).to be_truthy
|
368
350
|
end
|
369
351
|
|
370
352
|
it "should use SHA224 to sign the csr when SHA256/SHA1/SHA512/SHA384 aren't available" do
|
@@ -375,8 +357,8 @@ describe Puppet::SSL::CertificateRequest do
|
|
375
357
|
expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA384").and_return(false)
|
376
358
|
expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA224").and_return(true)
|
377
359
|
signer = Puppet::SSL::CertificateSigner.new
|
378
|
-
signer.sign(csr, key
|
379
|
-
expect(csr.verify(key
|
360
|
+
signer.sign(csr, key)
|
361
|
+
expect(csr.verify(key)).to be_truthy
|
380
362
|
end
|
381
363
|
|
382
364
|
it "should raise an error if neither SHA256/SHA1/SHA512/SHA384/SHA224 are available" do
|
@@ -390,16 +372,4 @@ describe Puppet::SSL::CertificateRequest do
|
|
390
372
|
}.to raise_error(Puppet::Error)
|
391
373
|
end
|
392
374
|
end
|
393
|
-
|
394
|
-
it "should save the CSR" do
|
395
|
-
csr = Puppet::SSL::CertificateRequest.new("me")
|
396
|
-
terminus = double('terminus')
|
397
|
-
allow(terminus).to receive(:validate)
|
398
|
-
expect(Puppet::SSL::CertificateRequest.indirection).to receive(:prepare).and_return(terminus)
|
399
|
-
expect(terminus).to receive(:save) do |request|
|
400
|
-
expect(request.instance).to eq(csr)
|
401
|
-
expect(request.key).to eq("me")
|
402
|
-
end
|
403
|
-
Puppet::SSL::CertificateRequest.indirection.save(csr)
|
404
|
-
end
|
405
375
|
end
|
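Review bot: The example "should set the subject to [CN, name]" is deleted in the `when generating` hunk rather than ported, so nothing in the visible hunks asserts the subject of the generated CSR any more. The old assertion relied on `key.name`, which a plain `OpenSSL::PKey::RSA` does not provide, but the expected name is still known from `described_class.new("myname")`. I would keep the example with `expect(request.content.subject).to eq OpenSSL::X509::Name.new([['CN', 'myname']])`. The digest-fallback examples also call `csr.verify(key)` with the key pair itself while the other examples pass `key.public_key`; using `key.public_key` there too would keep the file consistent.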
@@ -4,7 +4,7 @@ require 'puppet/certificate_factory'
|
|
4
4
|
require 'puppet/ssl/certificate'
|
5
5
|
|
6
6
|
describe Puppet::SSL::Certificate do
|
7
|
-
let :key do
|
7
|
+
let :key do OpenSSL::PKey::RSA.new(Puppet[:keylength]) end
|
8
8
|
|
9
9
|
# Sign the provided cert so that it can be DER-decoded later
|
10
10
|
def sign_wrapped_cert(cert)
|
@@ -16,14 +16,6 @@ describe Puppet::SSL::Certificate do
|
|
16
16
|
@class = Puppet::SSL::Certificate
|
17
17
|
end
|
18
18
|
|
19
|
-
it "should be extended with the Indirector module" do
|
20
|
-
expect(@class.singleton_class).to be_include(Puppet::Indirector)
|
21
|
-
end
|
22
|
-
|
23
|
-
it "should indirect certificate" do
|
24
|
-
expect(@class.indirection.name).to eq(:certificate)
|
25
|
-
end
|
26
|
-
|
27
19
|
it "should only support the text format" do
|
28
20
|
expect(@class.supported_formats).to eq([:s])
|
29
21
|
end
|
@@ -82,8 +74,7 @@ describe Puppet::SSL::Certificate do
|
|
82
74
|
|
83
75
|
describe "when managing instances" do
|
84
76
|
def build_cert(opts)
|
85
|
-
key =
|
86
|
-
key.generate
|
77
|
+
key = OpenSSL::PKey::RSA.new(Puppet[:keylength])
|
87
78
|
csr = Puppet::SSL::CertificateRequest.new('quux')
|
88
79
|
csr.generate(key, opts)
|
89
80
|
|
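Review bot: Style: the new `let :key do OpenSSL::PKey::RSA.new(Puppet[:keylength]) end` squeezes a `do … end` block onto one line; the brace form `let(:key) { OpenSSL::PKey::RSA.new(Puppet[:keylength]) }` is the usual spelling for a one-line block. `build_cert` in the `when managing instances` hunk then generates a second key with the same expression. Each call produces a fresh RSA key of `Puppet[:keylength]` bits, so if the examples do not need distinct keys, a fixture key or the memoized `key` would likely shorten the run. `build_cert` continues past the end of its hunk, so its use of the key is not fully visible.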
@@ -42,20 +42,20 @@ describe Puppet::SSL::SSLProvider do
|
|
42
42
|
let(:config) { { cacerts: [], crls: [], revocation: false } }
|
43
43
|
|
44
44
|
it 'accepts empty list of certs and crls' do
|
45
|
-
sslctx = subject.create_root_context(config)
|
45
|
+
sslctx = subject.create_root_context(**config)
|
46
46
|
expect(sslctx.cacerts).to eq([])
|
47
47
|
expect(sslctx.crls).to eq([])
|
48
48
|
end
|
49
49
|
|
50
50
|
it 'accepts valid root certs' do
|
51
51
|
certs = [cert_fixture('ca.pem')]
|
52
|
-
sslctx = subject.create_root_context(config.merge(cacerts: certs))
|
52
|
+
sslctx = subject.create_root_context(**config.merge(cacerts: certs))
|
53
53
|
expect(sslctx.cacerts).to eq(certs)
|
54
54
|
end
|
55
55
|
|
56
56
|
it 'accepts valid intermediate certs' do
|
57
57
|
certs = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
|
58
|
-
sslctx = subject.create_root_context(config.merge(cacerts: certs))
|
58
|
+
sslctx = subject.create_root_context(**config.merge(cacerts: certs))
|
59
59
|
expect(sslctx.cacerts).to eq(certs)
|
60
60
|
end
|
61
61
|
|
@@ -63,19 +63,19 @@ describe Puppet::SSL::SSLProvider do
|
|
63
63
|
expired = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
|
64
64
|
expired.each { |x509| x509.not_after = Time.at(0) }
|
65
65
|
|
66
|
-
sslctx = subject.create_root_context(config.merge(cacerts: expired))
|
66
|
+
sslctx = subject.create_root_context(**config.merge(cacerts: expired))
|
67
67
|
expect(sslctx.cacerts).to eq(expired)
|
68
68
|
end
|
69
69
|
|
70
70
|
it 'raises if the frozen context is modified' do
|
71
|
-
sslctx = subject.create_root_context(config)
|
71
|
+
sslctx = subject.create_root_context(**config)
|
72
72
|
expect {
|
73
73
|
sslctx.verify_peer = false
|
74
74
|
}.to raise_error(/can't modify frozen/)
|
75
75
|
end
|
76
76
|
|
77
77
|
it 'verifies peer' do
|
78
|
-
sslctx = subject.create_root_context(config)
|
78
|
+
sslctx = subject.create_root_context(**config)
|
79
79
|
expect(sslctx.verify_peer).to eq(true)
|
80
80
|
end
|
81
81
|
end
|
@@ -134,6 +134,32 @@ describe Puppet::SSL::SSLProvider do
|
|
134
134
|
expect(sslctx.client_cert).to be_nil
|
135
135
|
expect(sslctx.private_key).to be_nil
|
136
136
|
end
|
137
|
+
|
138
|
+
it 'trusts additional system certs' do
|
139
|
+
path = tmpfile('system_cacerts')
|
140
|
+
File.write(path, cert_fixture('ca.pem').to_pem)
|
141
|
+
|
142
|
+
expect_any_instance_of(OpenSSL::X509::Store).to receive(:add_file).with(path)
|
143
|
+
|
144
|
+
subject.create_system_context(cacerts: [], path: path)
|
145
|
+
end
|
146
|
+
|
147
|
+
it 'ignores empty files' do
|
148
|
+
path = tmpfile('system_cacerts')
|
149
|
+
FileUtils.touch(path)
|
150
|
+
|
151
|
+
subject.create_system_context(cacerts: [], path: path)
|
152
|
+
|
153
|
+
expect(@logs).to eq([])
|
154
|
+
end
|
155
|
+
|
156
|
+
it 'prints an error if it is not a file' do
|
157
|
+
path = tmpdir('system_cacerts')
|
158
|
+
|
159
|
+
subject.create_system_context(cacerts: [], path: path)
|
160
|
+
|
161
|
+
expect(@logs).to include(an_object_having_attributes(level: :warning, message: /^The 'ssl_trust_store' setting does not refer to a file and will be ignored/))
|
162
|
+
end
|
137
163
|
end
|
138
164
|
|
139
165
|
context 'when creating an ssl context with crls' do
|
@@ -142,14 +168,14 @@ describe Puppet::SSL::SSLProvider do
|
|
142
168
|
it 'accepts valid CRLs' do
|
143
169
|
certs = [cert_fixture('ca.pem')]
|
144
170
|
crls = [crl_fixture('crl.pem')]
|
145
|
-
sslctx = subject.create_root_context(config.merge(cacerts: certs, crls: crls))
|
171
|
+
sslctx = subject.create_root_context(**config.merge(cacerts: certs, crls: crls))
|
146
172
|
expect(sslctx.crls).to eq(crls)
|
147
173
|
end
|
148
174
|
|
149
175
|
it 'accepts valid CRLs for intermediate certs' do
|
150
176
|
certs = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
|
151
177
|
crls = [crl_fixture('crl.pem'), crl_fixture('intermediate-crl.pem')]
|
152
|
-
sslctx = subject.create_root_context(config.merge(cacerts: certs, crls: crls))
|
178
|
+
sslctx = subject.create_root_context(**config.merge(cacerts: certs, crls: crls))
|
153
179
|
expect(sslctx.crls).to eq(crls)
|
154
180
|
end
|
155
181
|
|
@@ -157,12 +183,12 @@ describe Puppet::SSL::SSLProvider do
|
|
157
183
|
expired = [crl_fixture('crl.pem'), crl_fixture('intermediate-crl.pem')]
|
158
184
|
expired.each { |x509| x509.last_update = Time.at(0) }
|
159
185
|
|
160
|
-
sslctx = subject.create_root_context(config.merge(crls: expired))
|
186
|
+
sslctx = subject.create_root_context(**config.merge(crls: expired))
|
161
187
|
expect(sslctx.crls).to eq(expired)
|
162
188
|
end
|
163
189
|
|
164
190
|
it 'verifies peer' do
|
165
|
-
sslctx = subject.create_root_context(config)
|
191
|
+
sslctx = subject.create_root_context(**config)
|
166
192
|
expect(sslctx.verify_peer).to eq(true)
|
167
193
|
end
|
168
194
|
end
|
@@ -174,49 +200,49 @@ describe Puppet::SSL::SSLProvider do
|
|
174
200
|
|
175
201
|
it 'raises if CA certs are missing' do
|
176
202
|
expect {
|
177
|
-
subject.create_context(config.merge(cacerts: nil))
|
203
|
+
subject.create_context(**config.merge(cacerts: nil))
|
178
204
|
}.to raise_error(ArgumentError, /CA certs are missing/)
|
179
205
|
end
|
180
206
|
|
181
207
|
it 'raises if CRLs are are missing' do
|
182
208
|
expect {
|
183
|
-
subject.create_context(config.merge(crls: nil))
|
209
|
+
subject.create_context(**config.merge(crls: nil))
|
184
210
|
}.to raise_error(ArgumentError, /CRLs are missing/)
|
185
211
|
end
|
186
212
|
|
187
213
|
it 'raises if private key is missing' do
|
188
214
|
expect {
|
189
|
-
subject.create_context(config.merge(private_key: nil))
|
215
|
+
subject.create_context(**config.merge(private_key: nil))
|
190
216
|
}.to raise_error(ArgumentError, /Private key is missing/)
|
191
217
|
end
|
192
218
|
|
193
219
|
it 'raises if client cert is missing' do
|
194
220
|
expect {
|
195
|
-
subject.create_context(config.merge(client_cert: nil))
|
221
|
+
subject.create_context(**config.merge(client_cert: nil))
|
196
222
|
}.to raise_error(ArgumentError, /Client cert is missing/)
|
197
223
|
end
|
198
224
|
|
199
225
|
it 'accepts RSA keys' do
|
200
|
-
sslctx = subject.create_context(config)
|
226
|
+
sslctx = subject.create_context(**config)
|
201
227
|
expect(sslctx.private_key).to eq(private_key)
|
202
228
|
end
|
203
229
|
|
204
230
|
it 'accepts EC keys' do
|
205
231
|
ec_key = ec_key_fixture('ec-key.pem')
|
206
232
|
ec_cert = cert_fixture('ec.pem')
|
207
|
-
sslctx = subject.create_context(config.merge(client_cert: ec_cert, private_key: ec_key))
|
233
|
+
sslctx = subject.create_context(**config.merge(client_cert: ec_cert, private_key: ec_key))
|
208
234
|
expect(sslctx.private_key).to eq(ec_key)
|
209
235
|
end
|
210
236
|
|
211
237
|
it 'raises if private key is unsupported' do
|
212
238
|
dsa_key = OpenSSL::PKey::DSA.new
|
213
239
|
expect {
|
214
|
-
subject.create_context(config.merge(private_key: dsa_key))
|
240
|
+
subject.create_context(**config.merge(private_key: dsa_key))
|
215
241
|
}.to raise_error(Puppet::SSL::SSLError, /Unsupported key 'OpenSSL::PKey::DSA'/)
|
216
242
|
end
|
217
243
|
|
218
244
|
it 'resolves the client chain from leaf to root' do
|
219
|
-
sslctx = subject.create_context(config)
|
245
|
+
sslctx = subject.create_context(**config)
|
220
246
|
expect(
|
221
247
|
sslctx.client_chain.map(&:subject).map(&:to_utf8)
|
222
248
|
).to eq(['CN=signed', 'CN=Test CA Subauthority', 'CN=Test CA'])
|
@@ -225,34 +251,37 @@ describe Puppet::SSL::SSLProvider do
|
|
225
251
|
it 'raises if client cert signature is invalid' do
|
226
252
|
client_cert.sign(wrong_key, OpenSSL::Digest::SHA256.new)
|
227
253
|
expect {
|
228
|
-
subject.create_context(config.merge(client_cert: client_cert))
|
254
|
+
subject.create_context(**config.merge(client_cert: client_cert))
|
229
255
|
}.to raise_error(Puppet::SSL::CertVerifyError,
|
230
256
|
"Invalid signature for certificate 'CN=signed'")
|
231
257
|
end
|
232
258
|
|
233
259
|
it 'raises if client cert and private key are mismatched' do
|
234
260
|
expect {
|
235
|
-
subject.create_context(config.merge(private_key: wrong_key))
|
261
|
+
subject.create_context(**config.merge(private_key: wrong_key))
|
236
262
|
}.to raise_error(Puppet::SSL::SSLError,
|
237
263
|
"The certificate for 'CN=signed' does not match its private key")
|
238
264
|
end
|
239
265
|
|
240
266
|
it "raises if client cert's public key has been replaced" do
|
241
267
|
expect {
|
242
|
-
subject.create_context(config.merge(client_cert: cert_fixture('tampered-cert.pem')))
|
268
|
+
subject.create_context(**config.merge(client_cert: cert_fixture('tampered-cert.pem')))
|
243
269
|
}.to raise_error(Puppet::SSL::CertVerifyError,
|
244
270
|
"Invalid signature for certificate 'CN=signed'")
|
245
271
|
end
|
246
272
|
|
247
273
|
# This option is only available in openssl 1.1
|
248
|
-
|
249
|
-
|
250
|
-
|
274
|
+
# TODO PUP-10689 behavior changed in openssl 1.1.1h
|
275
|
+
if Puppet::Util::Package.versioncmp(OpenSSL::OPENSSL_LIBRARY_VERSION.split[1], '1.1.1h') < 0
|
276
|
+
it 'raises if root cert signature is invalid', if: defined?(OpenSSL::X509::V_FLAG_CHECK_SS_SIGNATURE) do
|
277
|
+
ca = global_cacerts.first
|
278
|
+
ca.sign(wrong_key, OpenSSL::Digest::SHA256.new)
|
251
279
|
|
252
|
-
|
253
|
-
|
254
|
-
|
255
|
-
|
280
|
+
expect {
|
281
|
+
subject.create_context(**config.merge(cacerts: global_cacerts))
|
282
|
+
}.to raise_error(Puppet::SSL::CertVerifyError,
|
283
|
+
"Invalid signature for certificate 'CN=Test CA'")
|
284
|
+
end
|
256
285
|
end
|
257
286
|
|
258
287
|
it 'raises if intermediate CA signature is invalid' do
|
@@ -260,7 +289,7 @@ describe Puppet::SSL::SSLProvider do
|
|
260
289
|
int.sign(wrong_key, OpenSSL::Digest::SHA256.new)
|
261
290
|
|
262
291
|
expect {
|
263
|
-
subject.create_context(config.merge(cacerts: global_cacerts))
|
292
|
+
subject.create_context(**config.merge(cacerts: global_cacerts))
|
264
293
|
}.to raise_error(Puppet::SSL::CertVerifyError,
|
265
294
|
"Invalid signature for certificate 'CN=Test CA Subauthority'")
|
266
295
|
end
|
@@ -270,7 +299,7 @@ describe Puppet::SSL::SSLProvider do
|
|
270
299
|
crl.sign(wrong_key, OpenSSL::Digest::SHA256.new)
|
271
300
|
|
272
301
|
expect {
|
273
|
-
subject.create_context(config.merge(crls: global_crls))
|
302
|
+
subject.create_context(**config.merge(crls: global_crls))
|
274
303
|
}.to raise_error(Puppet::SSL::CertVerifyError,
|
275
304
|
"Invalid signature for CRL issued by 'CN=Test CA'")
|
276
305
|
end
|
@@ -280,14 +309,14 @@ describe Puppet::SSL::SSLProvider do
|
|
280
309
|
crl.sign(wrong_key, OpenSSL::Digest::SHA256.new)
|
281
310
|
|
282
311
|
expect {
|
283
|
-
subject.create_context(config.merge(crls: global_crls))
|
312
|
+
subject.create_context(**config.merge(crls: global_crls))
|
284
313
|
}.to raise_error(Puppet::SSL::CertVerifyError,
|
285
314
|
"Invalid signature for CRL issued by 'CN=Test CA Subauthority'")
|
286
315
|
end
|
287
316
|
|
288
317
|
it 'raises if client cert is revoked' do
|
289
318
|
expect {
|
290
|
-
subject.create_context(config.merge(private_key: key_fixture('revoked-key.pem'), client_cert: cert_fixture('revoked.pem')))
|
319
|
+
subject.create_context(**config.merge(private_key: key_fixture('revoked-key.pem'), client_cert: cert_fixture('revoked.pem')))
|
291
320
|
}.to raise_error(Puppet::SSL::CertVerifyError,
|
292
321
|
"Certificate 'CN=revoked' is revoked")
|
293
322
|
end
|
@@ -295,12 +324,12 @@ describe Puppet::SSL::SSLProvider do
|
|
295
324
|
it 'warns if intermediate issuer is missing' do
|
296
325
|
expect(Puppet).to receive(:warning).with("The issuer 'CN=Test CA Subauthority' of certificate 'CN=signed' cannot be found locally")
|
297
326
|
|
298
|
-
subject.create_context(config.merge(cacerts: [cert_fixture('ca.pem')]))
|
327
|
+
subject.create_context(**config.merge(cacerts: [cert_fixture('ca.pem')]))
|
299
328
|
end
|
300
329
|
|
301
330
|
it 'raises if root issuer is missing' do
|
302
331
|
expect {
|
303
|
-
subject.create_context(config.merge(cacerts: [cert_fixture('intermediate.pem')]))
|
332
|
+
subject.create_context(**config.merge(cacerts: [cert_fixture('intermediate.pem')]))
|
304
333
|
}.to raise_error(Puppet::SSL::CertVerifyError,
|
305
334
|
"The issuer 'CN=Test CA' of certificate 'CN=Test CA Subauthority' is missing")
|
306
335
|
end
|
@@ -308,7 +337,7 @@ describe Puppet::SSL::SSLProvider do
|
|
308
337
|
it 'raises if cert is not valid yet', unless: Puppet::Util::Platform.jruby? do
|
309
338
|
client_cert.not_before = Time.now + (5 * 60 * 60)
|
310
339
|
expect {
|
311
|
-
subject.create_context(config.merge(client_cert: client_cert))
|
340
|
+
subject.create_context(**config.merge(client_cert: client_cert))
|
312
341
|
}.to raise_error(Puppet::SSL::CertVerifyError,
|
313
342
|
"The certificate 'CN=signed' is not yet valid, verify time is synchronized")
|
314
343
|
end
|
@@ -316,7 +345,7 @@ describe Puppet::SSL::SSLProvider do
|
|
316
345
|
it 'raises if cert is expired', unless: Puppet::Util::Platform.jruby? do
|
317
346
|
client_cert.not_after = Time.at(0)
|
318
347
|
expect {
|
319
|
-
subject.create_context(config.merge(client_cert: client_cert))
|
348
|
+
subject.create_context(**config.merge(client_cert: client_cert))
|
320
349
|
}.to raise_error(Puppet::SSL::CertVerifyError,
|
321
350
|
"The certificate 'CN=signed' has expired, verify time is synchronized")
|
322
351
|
end
|
@@ -327,7 +356,7 @@ describe Puppet::SSL::SSLProvider do
|
|
327
356
|
future_crls.first.last_update = Time.now + (5 * 60 * 60)
|
328
357
|
|
329
358
|
expect {
|
330
|
-
subject.create_context(config.merge(crls: future_crls))
|
359
|
+
subject.create_context(**config.merge(crls: future_crls))
|
331
360
|
}.to raise_error(Puppet::SSL::CertVerifyError,
|
332
361
|
"The CRL issued by 'CN=Test CA' is not yet valid, verify time is synchronized")
|
333
362
|
end
|
@@ -338,7 +367,7 @@ describe Puppet::SSL::SSLProvider do
|
|
338
367
|
past_crls.first.next_update = Time.at(0)
|
339
368
|
|
340
369
|
expect {
|
341
|
-
subject.create_context(config.merge(crls: past_crls))
|
370
|
+
subject.create_context(**config.merge(crls: past_crls))
|
342
371
|
}.to raise_error(Puppet::SSL::CertVerifyError,
|
343
372
|
"The CRL issued by 'CN=Test CA' has expired, verify time is synchronized")
|
344
373
|
end
|
@@ -346,7 +375,7 @@ describe Puppet::SSL::SSLProvider do
|
|
346
375
|
it 'raises if the root CRL is missing' do
|
347
376
|
crls = [crl_fixture('intermediate-crl.pem')]
|
348
377
|
expect {
|
349
|
-
subject.create_context(config.merge(crls: crls, revocation: :chain))
|
378
|
+
subject.create_context(**config.merge(crls: crls, revocation: :chain))
|
350
379
|
}.to raise_error(Puppet::SSL::CertVerifyError,
|
351
380
|
"The CRL issued by 'CN=Test CA' is missing")
|
352
381
|
end
|
@@ -354,23 +383,23 @@ describe Puppet::SSL::SSLProvider do
|
|
354
383
|
it 'raises if the intermediate CRL is missing' do
|
355
384
|
crls = [crl_fixture('crl.pem')]
|
356
385
|
expect {
|
357
|
-
subject.create_context(config.merge(crls: crls))
|
386
|
+
subject.create_context(**config.merge(crls: crls))
|
358
387
|
}.to raise_error(Puppet::SSL::CertVerifyError,
|
359
388
|
"The CRL issued by 'CN=Test CA Subauthority' is missing")
|
360
389
|
end
|
361
390
|
|
362
391
|
it "doesn't raise if the root CRL is missing and we're just checking the leaf" do
|
363
392
|
crls = [crl_fixture('intermediate-crl.pem')]
|
364
|
-
subject.create_context(config.merge(crls: crls, revocation: :leaf))
|
393
|
+
subject.create_context(**config.merge(crls: crls, revocation: :leaf))
|
365
394
|
end
|
366
395
|
|
367
396
|
it "doesn't raise if the intermediate CRL is missing and revocation checking is disabled" do
|
368
397
|
crls = [crl_fixture('crl.pem')]
|
369
|
-
subject.create_context(config.merge(crls: crls, revocation: false))
|
398
|
+
subject.create_context(**config.merge(crls: crls, revocation: false))
|
370
399
|
end
|
371
400
|
|
372
401
|
it "doesn't raise if both CRLs are missing and revocation checking is disabled" do
|
373
|
-
subject.create_context(config.merge(crls: [], revocation: false))
|
402
|
+
subject.create_context(**config.merge(crls: [], revocation: false))
|
374
403
|
end
|
375
404
|
|
376
405
|
# OpenSSL < 1.1 does not verify basicConstraints
|
@@ -378,7 +407,7 @@ describe Puppet::SSL::SSLProvider do
|
|
378
407
|
certs = [cert_fixture('bad-basic-constraints.pem'), cert_fixture('intermediate.pem')]
|
379
408
|
|
380
409
|
expect {
|
381
|
-
subject.create_context(config.merge(cacerts: certs, crls: [], revocation: false))
|
410
|
+
subject.create_context(**config.merge(cacerts: certs, crls: [], revocation: false))
|
382
411
|
}.to raise_error(Puppet::SSL::CertVerifyError,
|
383
412
|
"Certificate 'CN=Test CA' failed verification (24): invalid CA certificate")
|
384
413
|
end
|
@@ -388,32 +417,32 @@ describe Puppet::SSL::SSLProvider do
|
|
388
417
|
certs = [cert_fixture('ca.pem'), cert_fixture('bad-int-basic-constraints.pem')]
|
389
418
|
|
390
419
|
expect {
|
391
|
-
subject.create_context(config.merge(cacerts: certs, crls: [], revocation: false))
|
420
|
+
subject.create_context(**config.merge(cacerts: certs, crls: [], revocation: false))
|
392
421
|
}.to raise_error(Puppet::SSL::CertVerifyError,
|
393
422
|
"Certificate 'CN=Test CA Subauthority' failed verification (24): invalid CA certificate")
|
394
423
|
end
|
395
424
|
|
396
425
|
it 'accepts CA certs in any order' do
|
397
|
-
sslctx = subject.create_context(config.merge(cacerts: global_cacerts.reverse))
|
426
|
+
sslctx = subject.create_context(**config.merge(cacerts: global_cacerts.reverse))
|
398
427
|
# certs in ruby+openssl 1.0.x are not comparable, so compare subjects
|
399
428
|
expect(sslctx.client_chain.map(&:subject).map(&:to_utf8)).to contain_exactly('CN=Test CA', 'CN=Test CA Subauthority', 'CN=signed')
|
400
429
|
end
|
401
430
|
|
402
431
|
it 'accepts CRLs in any order' do
|
403
|
-
sslctx = subject.create_context(config.merge(crls: global_crls.reverse))
|
432
|
+
sslctx = subject.create_context(**config.merge(crls: global_crls.reverse))
|
404
433
|
# certs in ruby+openssl 1.0.x are not comparable, so compare subjects
|
405
434
|
expect(sslctx.client_chain.map(&:subject).map(&:to_utf8)).to contain_exactly('CN=Test CA', 'CN=Test CA Subauthority', 'CN=signed')
|
406
435
|
end
|
407
436
|
|
408
437
|
it 'raises if the frozen context is modified' do
|
409
|
-
sslctx = subject.create_context(config)
|
438
|
+
sslctx = subject.create_context(**config)
|
410
439
|
expect {
|
411
440
|
sslctx.verify_peer = false
|
412
441
|
}.to raise_error(/can't modify frozen/)
|
413
442
|
end
|
414
443
|
|
415
444
|
it 'verifies peer' do
|
416
|
-
sslctx = subject.create_context(config)
|
445
|
+
sslctx = subject.create_context(**config)
|
417
446
|
expect(sslctx.verify_peer).to eq(true)
|
418
447
|
end
|
419
448
|
end
|