puppet 6.19.1-universal-darwin → 7.0.0-universal-darwin
Potentially problematic release.
This version of puppet might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Gemfile +1 -1
- data/Gemfile.lock +19 -20
- data/README.md +1 -1
- data/conf/fileserver.conf +5 -10
- data/ext/build_defaults.yaml +1 -1
- data/ext/osx/file_mapping.yaml +0 -5
- data/ext/project_data.yaml +1 -14
- data/ext/redhat/puppet.spec.erb +0 -1
- data/ext/windows/service/daemon.rb +6 -5
- data/install.rb +21 -17
- data/lib/puppet.rb +11 -20
- data/lib/puppet/application.rb +172 -98
- data/lib/puppet/application/device.rb +100 -104
- data/lib/puppet/application/filebucket.rb +15 -11
- data/lib/puppet/application/ssl.rb +1 -1
- data/lib/puppet/configurer.rb +28 -33
- data/lib/puppet/configurer/plugin_handler.rb +21 -19
- data/lib/puppet/defaults.rb +95 -159
- data/lib/puppet/environments.rb +10 -25
- data/lib/puppet/face/config.rb +10 -0
- data/lib/puppet/face/epp.rb +12 -2
- data/lib/puppet/face/facts.rb +66 -6
- data/lib/puppet/face/help.rb +1 -1
- data/lib/puppet/face/plugin.rb +5 -8
- data/lib/puppet/ffi/windows.rb +12 -0
- data/lib/puppet/ffi/windows/api_types.rb +311 -0
- data/lib/puppet/ffi/windows/constants.rb +404 -0
- data/lib/puppet/ffi/windows/functions.rb +628 -0
- data/lib/puppet/ffi/windows/structs.rb +338 -0
- data/lib/puppet/file_serving/configuration.rb +0 -5
- data/lib/puppet/file_serving/configuration/parser.rb +3 -32
- data/lib/puppet/file_serving/http_metadata.rb +1 -1
- data/lib/puppet/file_serving/mount.rb +1 -2
- data/lib/puppet/forge/repository.rb +0 -1
- data/lib/puppet/functions/epp.rb +1 -0
- data/lib/puppet/functions/inline_epp.rb +1 -0
- data/lib/puppet/generate/models/type/type.rb +4 -1
- data/lib/puppet/http.rb +22 -13
- data/lib/puppet/http/client.rb +164 -114
- data/lib/puppet/{network/resolver.rb → http/dns.rb} +2 -2
- data/lib/puppet/http/errors.rb +16 -0
- data/lib/puppet/http/external_client.rb +5 -7
- data/lib/puppet/{network/http → http}/factory.rb +8 -11
- data/lib/puppet/{network/http → http}/pool.rb +61 -26
- data/lib/puppet/{network/http/session.rb → http/pool_entry.rb} +2 -3
- data/lib/puppet/http/proxy.rb +137 -0
- data/lib/puppet/http/redirector.rb +4 -12
- data/lib/puppet/http/resolver.rb +5 -15
- data/lib/puppet/http/resolver/server_list.rb +6 -10
- data/lib/puppet/http/resolver/settings.rb +4 -7
- data/lib/puppet/http/resolver/srv.rb +7 -11
- data/lib/puppet/http/response.rb +36 -54
- data/lib/puppet/http/response_converter.rb +24 -0
- data/lib/puppet/http/response_net_http.rb +42 -0
- data/lib/puppet/http/retry_after_handler.rb +4 -13
- data/lib/puppet/http/service.rb +12 -26
- data/lib/puppet/http/service/ca.rb +11 -22
- data/lib/puppet/http/service/compiler.rb +22 -69
- data/lib/puppet/http/service/file_server.rb +18 -27
- data/lib/puppet/http/service/puppetserver.rb +26 -12
- data/lib/puppet/http/service/report.rb +8 -10
- data/lib/puppet/http/session.rb +11 -20
- data/lib/puppet/{network/http → http}/site.rb +1 -2
- data/lib/puppet/indirector/catalog/rest.rb +2 -4
- data/lib/puppet/indirector/fact_search.rb +60 -0
- data/lib/puppet/indirector/facts/facter.rb +24 -3
- data/lib/puppet/indirector/facts/json.rb +27 -0
- data/lib/puppet/indirector/facts/rest.rb +3 -22
- data/lib/puppet/indirector/facts/yaml.rb +3 -58
- data/lib/puppet/indirector/file_bucket_file/rest.rb +3 -9
- data/lib/puppet/indirector/file_content/rest.rb +2 -6
- data/lib/puppet/indirector/file_metadata/rest.rb +3 -9
- data/lib/puppet/indirector/file_server.rb +1 -8
- data/lib/puppet/indirector/generic_http.rb +0 -11
- data/lib/puppet/indirector/json.rb +5 -1
- data/lib/puppet/indirector/node/json.rb +8 -0
- data/lib/puppet/indirector/node/rest.rb +2 -4
- data/lib/puppet/indirector/report/json.rb +34 -0
- data/lib/puppet/indirector/report/rest.rb +3 -8
- data/lib/puppet/indirector/request.rb +0 -101
- data/lib/puppet/indirector/rest.rb +12 -263
- data/lib/puppet/module_tool/applications.rb +0 -1
- data/lib/puppet/network/authconfig.rb +2 -96
- data/lib/puppet/network/authorization.rb +13 -35
- data/lib/puppet/network/formats.rb +2 -1
- data/lib/puppet/network/http.rb +3 -3
- data/lib/puppet/network/http/api/indirected_routes.rb +2 -20
- data/lib/puppet/network/http/api/master/v3.rb +11 -13
- data/lib/puppet/network/http/connection.rb +247 -316
- data/lib/puppet/network/http/handler.rb +0 -1
- data/lib/puppet/network/http_pool.rb +16 -34
- data/lib/puppet/node.rb +1 -30
- data/lib/puppet/pal/json_catalog_encoder.rb +4 -0
- data/lib/puppet/pal/pal_impl.rb +73 -18
- data/lib/puppet/parser/ast/pops_bridge.rb +0 -38
- data/lib/puppet/parser/compiler.rb +0 -198
- data/lib/puppet/parser/compiler/catalog_validator/relationship_validator.rb +14 -39
- data/lib/puppet/parser/resource.rb +0 -69
- data/lib/puppet/pops/evaluator/evaluator_impl.rb +22 -8
- data/lib/puppet/pops/evaluator/runtime3_resource_support.rb +3 -3
- data/lib/puppet/pops/evaluator/runtime3_support.rb +1 -1
- data/lib/puppet/pops/issues.rb +0 -5
- data/lib/puppet/pops/loader/ruby_legacy_function_instantiator.rb +6 -8
- data/lib/puppet/pops/model/ast.pp +0 -42
- data/lib/puppet/pops/model/ast.rb +0 -290
- data/lib/puppet/pops/model/factory.rb +0 -45
- data/lib/puppet/pops/model/model_label_provider.rb +0 -5
- data/lib/puppet/pops/model/model_tree_dumper.rb +0 -22
- data/lib/puppet/pops/model/pn_transformer.rb +0 -16
- data/lib/puppet/pops/parser/egrammar.ra +0 -56
- data/lib/puppet/pops/parser/eparser.rb +1520 -1712
- data/lib/puppet/pops/parser/lexer2.rb +4 -4
- data/lib/puppet/pops/parser/parser_support.rb +0 -5
- data/lib/puppet/pops/resource/resource_type_impl.rb +2 -24
- data/lib/puppet/pops/types/type_calculator.rb +0 -7
- data/lib/puppet/pops/types/type_parser.rb +0 -4
- data/lib/puppet/pops/types/types.rb +0 -1
- data/lib/puppet/pops/validation/checker4_0.rb +9 -37
- data/lib/puppet/pops/validation/tasks_checker.rb +0 -12
- data/lib/puppet/pops/validation/validator_factory_4_0.rb +1 -2
- data/lib/puppet/provider.rb +0 -13
- data/lib/puppet/provider/nameservice.rb +0 -18
- data/lib/puppet/provider/package/dpkg.rb +0 -10
- data/lib/puppet/provider/package/gem.rb +23 -3
- data/lib/puppet/provider/package/pip.rb +0 -1
- data/lib/puppet/provider/package/pkg.rb +0 -4
- data/lib/puppet/provider/package/portage.rb +1 -1
- data/lib/puppet/provider/package/puppet_gem.rb +1 -4
- data/lib/puppet/provider/service/smf.rb +191 -73
- data/lib/puppet/provider/user/directoryservice.rb +0 -10
- data/lib/puppet/reference/configuration.rb +2 -0
- data/lib/puppet/reference/indirection.rb +1 -1
- data/lib/puppet/resource.rb +1 -89
- data/lib/puppet/resource/catalog.rb +1 -14
- data/lib/puppet/resource/type.rb +3 -119
- data/lib/puppet/resource/type_collection.rb +3 -48
- data/lib/puppet/runtime.rb +1 -2
- data/lib/puppet/settings.rb +45 -33
- data/lib/puppet/settings/base_setting.rb +26 -2
- data/lib/puppet/settings/integer_setting.rb +17 -0
- data/lib/puppet/settings/port_setting.rb +15 -0
- data/lib/puppet/settings/priority_setting.rb +5 -4
- data/lib/puppet/ssl.rb +10 -6
- data/lib/puppet/ssl/base.rb +3 -5
- data/lib/puppet/ssl/certificate.rb +0 -6
- data/lib/puppet/ssl/certificate_request.rb +1 -12
- data/lib/puppet/ssl/certificate_signer.rb +6 -0
- data/lib/puppet/ssl/oids.rb +3 -1
- data/lib/puppet/ssl/ssl_provider.rb +17 -0
- data/lib/puppet/ssl/state_machine.rb +3 -1
- data/lib/puppet/ssl/verifier.rb +2 -0
- data/lib/puppet/test/test_helper.rb +1 -3
- data/lib/puppet/transaction.rb +1 -7
- data/lib/puppet/transaction/report.rb +2 -4
- data/lib/puppet/type.rb +0 -76
- data/lib/puppet/type/file.rb +5 -7
- data/lib/puppet/type/file/checksum.rb +1 -1
- data/lib/puppet/type/file/source.rb +1 -1
- data/lib/puppet/type/filebucket.rb +3 -3
- data/lib/puppet/type/package.rb +5 -13
- data/lib/puppet/util/execution.rb +0 -11
- data/lib/puppet/util/http_proxy.rb +2 -215
- data/lib/puppet/util/monkey_patches.rb +0 -46
- data/lib/puppet/util/rdoc.rb +0 -7
- data/lib/puppet/util/retry_action.rb +1 -1
- data/lib/puppet/util/rubygems.rb +5 -1
- data/lib/puppet/util/run_mode.rb +9 -1
- data/lib/puppet/util/windows.rb +3 -8
- data/lib/puppet/util/windows/daemon.rb +360 -0
- data/lib/puppet/util/windows/error.rb +1 -0
- data/lib/puppet/util/windows/eventlog.rb +4 -9
- data/lib/puppet/util/windows/file.rb +8 -242
- data/lib/puppet/util/windows/monkey_patches/process.rb +414 -0
- data/lib/puppet/util/windows/process.rb +4 -226
- data/lib/puppet/util/windows/service.rb +9 -460
- data/lib/puppet/util/windows/string.rb +12 -13
- data/lib/puppet/util/yaml.rb +0 -22
- data/lib/puppet/vendor/require_vendored.rb +0 -1
- data/lib/puppet/version.rb +1 -1
- data/lib/puppet/x509.rb +5 -1
- data/lib/puppet/x509/cert_provider.rb +29 -1
- data/locales/puppet.pot +531 -1232
- data/man/man5/puppet.conf.5 +37 -97
- data/man/man8/puppet-agent.8 +1 -1
- data/man/man8/puppet-apply.8 +1 -1
- data/man/man8/puppet-catalog.8 +1 -1
- data/man/man8/puppet-config.8 +1 -1
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +55 -9
- data/man/man8/puppet-filebucket.8 +6 -6
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-lookup.8 +1 -1
- data/man/man8/puppet-module.8 +1 -58
- data/man/man8/puppet-node.8 +4 -1
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +4 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +1 -1
- data/man/man8/puppet.8 +2 -2
- data/spec/fixtures/unit/provider/service/smf/{svcs.out → svcs_instances.out} +0 -0
- data/spec/integration/application/agent_spec.rb +24 -11
- data/spec/integration/application/apply_spec.rb +1 -1
- data/spec/integration/application/filebucket_spec.rb +16 -16
- data/spec/integration/application/help_spec.rb +2 -0
- data/spec/integration/application/plugin_spec.rb +23 -1
- data/spec/integration/defaults_spec.rb +7 -3
- data/spec/integration/environments/setting_hooks_spec.rb +1 -1
- data/spec/integration/network/http_pool_spec.rb +3 -21
- data/spec/integration/parser/catalog_spec.rb +0 -38
- data/spec/integration/parser/node_spec.rb +0 -9
- data/spec/integration/parser/pcore_resource_spec.rb +0 -37
- data/spec/integration/type/file_spec.rb +5 -4
- data/spec/integration/util/windows/monkey_patches/process_spec.rb +231 -0
- data/spec/integration/util/windows/security_spec.rb +1 -1
- data/spec/lib/puppet_spec/puppetserver.rb +1 -1
- data/spec/lib/puppet_spec/settings.rb +7 -1
- data/spec/spec_helper.rb +2 -0
- data/spec/unit/agent_spec.rb +0 -2
- data/spec/unit/application/config_spec.rb +224 -4
- data/spec/unit/application/facts_spec.rb +35 -0
- data/spec/unit/application/filebucket_spec.rb +41 -39
- data/spec/unit/application/ssl_spec.rb +2 -2
- data/spec/unit/certificate_factory_spec.rb +1 -1
- data/spec/unit/configurer/downloader_spec.rb +6 -2
- data/spec/unit/configurer/plugin_handler_spec.rb +56 -18
- data/spec/unit/configurer_spec.rb +12 -9
- data/spec/unit/context/trusted_information_spec.rb +2 -6
- data/spec/unit/defaults_spec.rb +77 -28
- data/spec/unit/environments_spec.rb +0 -3
- data/spec/unit/face/config_spec.rb +27 -32
- data/spec/unit/face/facts_spec.rb +4 -0
- data/spec/unit/face/plugin_spec.rb +73 -33
- data/spec/unit/file_bucket/file_spec.rb +1 -1
- data/spec/unit/file_serving/configuration/parser_spec.rb +14 -18
- data/spec/unit/file_serving/configuration_spec.rb +6 -12
- data/spec/unit/functions/camelcase_spec.rb +1 -1
- data/spec/unit/functions/capitalize_spec.rb +1 -1
- data/spec/unit/functions/downcase_spec.rb +1 -1
- data/spec/unit/functions/inline_epp_spec.rb +26 -1
- data/spec/unit/functions/upcase_spec.rb +1 -1
- data/spec/unit/http/client_spec.rb +7 -8
- data/spec/unit/{network/resolver_spec.rb → http/dns_spec.rb} +3 -3
- data/spec/unit/http/external_client_spec.rb +4 -4
- data/spec/unit/{network/http → http}/factory_spec.rb +5 -11
- data/spec/unit/{network/http/session_spec.rb → http/pool_entry_spec.rb} +3 -3
- data/spec/unit/{network/http → http}/pool_spec.rb +12 -17
- data/spec/unit/{util/http_proxy_spec.rb → http/proxy_spec.rb} +2 -69
- data/spec/unit/http/resolver_spec.rb +13 -13
- data/spec/unit/http/service/compiler_spec.rb +49 -62
- data/spec/unit/http/service/file_server_spec.rb +3 -3
- data/spec/unit/http/service/puppetserver_spec.rb +34 -4
- data/spec/unit/http/service_spec.rb +1 -2
- data/spec/unit/http/session_spec.rb +16 -14
- data/spec/unit/{network/http → http}/site_spec.rb +3 -3
- data/spec/unit/indirector/facts/facter_spec.rb +97 -0
- data/spec/unit/indirector/facts/json_spec.rb +255 -0
- data/spec/unit/indirector/file_bucket_file/file_spec.rb +5 -3
- data/spec/unit/indirector/file_content/rest_spec.rb +0 -4
- data/spec/unit/indirector/file_metadata/rest_spec.rb +0 -4
- data/spec/unit/indirector/file_server_spec.rb +1 -15
- data/spec/unit/indirector/node/json_spec.rb +33 -0
- data/spec/{integration/indirector/report/yaml.rb → unit/indirector/report/json_spec.rb} +13 -24
- data/spec/unit/indirector/report/rest_spec.rb +2 -17
- data/spec/unit/indirector/report/yaml_spec.rb +72 -8
- data/spec/unit/indirector/request_spec.rb +0 -264
- data/spec/unit/indirector/rest_spec.rb +98 -752
- data/spec/unit/network/authconfig_spec.rb +2 -132
- data/spec/unit/network/authorization_spec.rb +2 -55
- data/spec/unit/network/formats_spec.rb +4 -4
- data/spec/unit/network/http/api/indirected_routes_spec.rb +1 -97
- data/spec/unit/network/http/api/master/v3_spec.rb +28 -7
- data/spec/unit/network/http/api_spec.rb +10 -0
- data/spec/unit/network/http/connection_spec.rb +19 -41
- data/spec/unit/network/http/handler_spec.rb +0 -6
- data/spec/unit/network/http_pool_spec.rb +0 -4
- data/spec/unit/node/environment_spec.rb +33 -21
- data/spec/unit/node_spec.rb +2 -54
- data/spec/unit/parser/functions/create_resources_spec.rb +2 -20
- data/spec/unit/pops/evaluator/evaluating_parser_spec.rb +4 -7
- data/spec/unit/pops/loaders/loaders_spec.rb +6 -21
- data/spec/unit/pops/parser/parse_application_spec.rb +4 -22
- data/spec/unit/pops/parser/parse_basic_expressions_spec.rb +0 -1
- data/spec/unit/pops/parser/parse_capabilities_spec.rb +8 -21
- data/spec/unit/pops/parser/parse_site_spec.rb +20 -24
- data/spec/unit/pops/resource/resource_type_impl_spec.rb +0 -71
- data/spec/unit/pops/serialization/to_from_hr_spec.rb +1 -1
- data/spec/unit/pops/types/type_calculator_spec.rb +6 -6
- data/spec/unit/pops/types/type_factory_spec.rb +1 -1
- data/spec/unit/pops/validator/validator_spec.rb +61 -46
- data/spec/unit/pops/visitor_spec.rb +1 -1
- data/spec/unit/provider/nameservice_spec.rb +0 -57
- data/spec/unit/provider/package/dpkg_spec.rb +0 -48
- data/spec/unit/provider/package/gem_spec.rb +32 -0
- data/spec/unit/provider/package/puppet_gem_spec.rb +3 -2
- data/spec/unit/provider/service/smf_spec.rb +401 -165
- data/spec/unit/provider/service/windows_spec.rb +0 -1
- data/spec/unit/provider_spec.rb +0 -12
- data/spec/unit/puppet_pal_catalog_spec.rb +45 -0
- data/spec/unit/resource/type_collection_spec.rb +2 -22
- data/spec/unit/resource_spec.rb +0 -56
- data/spec/unit/settings/http_extra_headers_spec.rb +2 -4
- data/spec/unit/settings/integer_setting_spec.rb +42 -0
- data/spec/unit/settings/port_setting_spec.rb +31 -0
- data/spec/unit/settings/priority_setting_spec.rb +4 -4
- data/spec/unit/settings_spec.rb +423 -236
- data/spec/unit/ssl/base_spec.rb +36 -3
- data/spec/unit/ssl/certificate_request_spec.rb +15 -45
- data/spec/unit/ssl/certificate_spec.rb +2 -11
- data/spec/unit/ssl/ssl_provider_spec.rb +11 -8
- data/spec/unit/ssl/state_machine_spec.rb +0 -1
- data/spec/unit/ssl/verifier_spec.rb +0 -21
- data/spec/unit/transaction/report_spec.rb +0 -2
- data/spec/unit/transaction/resource_harness_spec.rb +2 -2
- data/spec/unit/transaction_spec.rb +45 -79
- data/spec/unit/type/file/checksum_spec.rb +6 -6
- data/spec/unit/type/file/content_spec.rb +1 -1
- data/spec/unit/type/file/ensure_spec.rb +1 -1
- data/spec/unit/type/file/mode_spec.rb +1 -1
- data/spec/unit/type/file/source_spec.rb +0 -1
- data/spec/unit/type/file_spec.rb +12 -6
- data/spec/unit/type/package_spec.rb +1 -1
- data/spec/unit/type_spec.rb +20 -0
- data/spec/unit/util/backups_spec.rb +0 -2
- data/spec/unit/util/execution_spec.rb +0 -29
- data/spec/unit/util/monkey_patches_spec.rb +0 -6
- data/spec/unit/util/rubygems_spec.rb +2 -2
- data/spec/unit/util/run_mode_spec.rb +21 -121
- data/spec/unit/util/windows/string_spec.rb +1 -3
- data/spec/unit/util/yaml_spec.rb +0 -54
- data/spec/unit/util_spec.rb +0 -18
- metadata +50 -176
- data/conf/auth.conf +0 -150
- data/lib/puppet/application/cert.rb +0 -76
- data/lib/puppet/application/key.rb +0 -4
- data/lib/puppet/application/man.rb +0 -4
- data/lib/puppet/application/status.rb +0 -4
- data/lib/puppet/face/key.rb +0 -16
- data/lib/puppet/face/man.rb +0 -145
- data/lib/puppet/face/module/build.rb +0 -14
- data/lib/puppet/face/module/generate.rb +0 -14
- data/lib/puppet/face/module/search.rb +0 -103
- data/lib/puppet/face/status.rb +0 -51
- data/lib/puppet/indirector/certificate/file.rb +0 -9
- data/lib/puppet/indirector/certificate/rest.rb +0 -18
- data/lib/puppet/indirector/certificate_request/file.rb +0 -9
- data/lib/puppet/indirector/certificate_request/memory.rb +0 -7
- data/lib/puppet/indirector/certificate_request/rest.rb +0 -11
- data/lib/puppet/indirector/file_content/http.rb +0 -22
- data/lib/puppet/indirector/key/file.rb +0 -46
- data/lib/puppet/indirector/key/memory.rb +0 -7
- data/lib/puppet/indirector/ssl_file.rb +0 -162
- data/lib/puppet/indirector/status.rb +0 -3
- data/lib/puppet/indirector/status/local.rb +0 -12
- data/lib/puppet/indirector/status/rest.rb +0 -27
- data/lib/puppet/module_tool/applications/searcher.rb +0 -29
- data/lib/puppet/network/auth_config_parser.rb +0 -90
- data/lib/puppet/network/authstore.rb +0 -283
- data/lib/puppet/network/http/api/master/v3/authorization.rb +0 -18
- data/lib/puppet/network/http/api/master/v3/environment.rb +0 -88
- data/lib/puppet/network/http/base_pool.rb +0 -36
- data/lib/puppet/network/http/compression.rb +0 -127
- data/lib/puppet/network/http/connection_adapter.rb +0 -184
- data/lib/puppet/network/http/nocache_pool.rb +0 -28
- data/lib/puppet/network/rest_controller.rb +0 -2
- data/lib/puppet/network/rights.rb +0 -210
- data/lib/puppet/parser/compiler/catalog_validator/env_relationship_validator.rb +0 -66
- data/lib/puppet/parser/compiler/catalog_validator/site_validator.rb +0 -22
- data/lib/puppet/parser/environment_compiler.rb +0 -202
- data/lib/puppet/pops/types/enumeration.rb +0 -16
- data/lib/puppet/resource/capability_finder.rb +0 -154
- data/lib/puppet/rest/errors.rb +0 -15
- data/lib/puppet/rest/response.rb +0 -35
- data/lib/puppet/rest/route.rb +0 -85
- data/lib/puppet/rest/routes.rb +0 -135
- data/lib/puppet/ssl/host.rb +0 -505
- data/lib/puppet/ssl/key.rb +0 -61
- data/lib/puppet/ssl/validator.rb +0 -61
- data/lib/puppet/ssl/validator/default_validator.rb +0 -209
- data/lib/puppet/ssl/validator/no_validator.rb +0 -22
- data/lib/puppet/ssl/verifier_adapter.rb +0 -58
- data/lib/puppet/status.rb +0 -40
- data/lib/puppet/util/connection.rb +0 -88
- data/lib/puppet/util/ssl.rb +0 -83
- data/lib/puppet/util/windows/api_types.rb +0 -309
- data/lib/puppet/util/windows/monkey_patches/dir.rb +0 -40
- data/lib/puppet/vendor/load_pathspec.rb +0 -1
- data/lib/puppet/vendor/pathspec/CHANGELOG.md +0 -2
- data/lib/puppet/vendor/pathspec/LICENSE +0 -201
- data/lib/puppet/vendor/pathspec/PUPPET_README.md +0 -6
- data/lib/puppet/vendor/pathspec/README.md +0 -53
- data/lib/puppet/vendor/pathspec/lib/pathspec.rb +0 -122
- data/lib/puppet/vendor/pathspec/lib/pathspec/gitignorespec.rb +0 -275
- data/lib/puppet/vendor/pathspec/lib/pathspec/regexspec.rb +0 -17
- data/lib/puppet/vendor/pathspec/lib/pathspec/spec.rb +0 -14
- data/man/man8/puppet-key.8 +0 -126
- data/man/man8/puppet-man.8 +0 -76
- data/man/man8/puppet-status.8 +0 -108
- data/spec/integration/application/config_spec.rb +0 -74
- data/spec/integration/network/authconfig_spec.rb +0 -256
- data/spec/integration/util/windows/monkey_patches/dir_spec.rb +0 -11
- data/spec/unit/application/man_spec.rb +0 -52
- data/spec/unit/capability_spec.rb +0 -414
- data/spec/unit/face/catalog_spec.rb +0 -6
- data/spec/unit/face/key_spec.rb +0 -9
- data/spec/unit/face/module/search_spec.rb +0 -231
- data/spec/unit/face/module_spec.rb +0 -3
- data/spec/unit/face/status_spec.rb +0 -9
- data/spec/unit/indirector/certificate/file_spec.rb +0 -14
- data/spec/unit/indirector/certificate/rest_spec.rb +0 -61
- data/spec/unit/indirector/certificate_request/file_spec.rb +0 -14
- data/spec/unit/indirector/certificate_request/rest_spec.rb +0 -25
- data/spec/unit/indirector/key/file_spec.rb +0 -79
- data/spec/unit/indirector/ssl_file_spec.rb +0 -305
- data/spec/unit/indirector/status/local_spec.rb +0 -10
- data/spec/unit/indirector/status/rest_spec.rb +0 -50
- data/spec/unit/module_tool/applications/searcher_spec.rb +0 -38
- data/spec/unit/network/auth_config_parser_spec.rb +0 -115
- data/spec/unit/network/authstore_spec.rb +0 -422
- data/spec/unit/network/http/api/master/v3/authorization_spec.rb +0 -57
- data/spec/unit/network/http/api/master/v3/environment_spec.rb +0 -185
- data/spec/unit/network/http/compression_spec.rb +0 -240
- data/spec/unit/network/http/nocache_pool_spec.rb +0 -64
- data/spec/unit/network/http_spec.rb +0 -9
- data/spec/unit/network/rights_spec.rb +0 -439
- data/spec/unit/parser/environment_compiler_spec.rb +0 -730
- data/spec/unit/pops/types/enumeration_spec.rb +0 -51
- data/spec/unit/resource/capability_finder_spec.rb +0 -143
- data/spec/unit/rest/route_spec.rb +0 -132
- data/spec/unit/ssl/host_spec.rb +0 -650
- data/spec/unit/ssl/key_spec.rb +0 -173
- data/spec/unit/ssl/validator_spec.rb +0 -278
- data/spec/unit/status_spec.rb +0 -45
- data/spec/unit/util/ssl_spec.rb +0 -91
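--- a/data/spec/unit/pops/types/enumeration_spec.rb
+++ b/data/spec/unit/pops/types/enumeration_spec.rb
@@ -1,51 +0,0 @@
-require 'spec_helper'
-require 'puppet/pops'
-
-module Puppet::Pops::Types
-describe 'The enumeration support' do
-it 'produces an enumerator for Array' do
-expect(Enumeration.enumerator([1,2,3]).respond_to?(:next)).to eql(true)
-end
-
-it 'produces an enumerator for Hash' do
-expect(Enumeration.enumerator({:a=>1}).respond_to?(:next)).to eql(true)
-end
-
-it 'produces a char enumerator for String' do
-enum = Enumeration.enumerator("abc")
-expect(enum.respond_to?(:next)).to eql(true)
-expect(enum.next).to eql('a')
-end
-
-it 'produces an enumerator for integer times' do
-enum = Enumeration.enumerator(2)
-expect(enum.next).to eql(0)
-expect(enum.next).to eql(1)
-expect{enum.next}.to raise_error(StopIteration)
-end
-
-it 'produces an enumerator for Integer range' do
-range = TypeFactory.range(1,2)
-enum = Enumeration.enumerator(range)
-expect(enum.next).to eql(1)
-expect(enum.next).to eql(2)
-expect{enum.next}.to raise_error(StopIteration)
-end
-
-it 'does not produce an enumerator for infinite Integer range' do
-range = TypeFactory.range(1,:default)
-enum = Enumeration.enumerator(range)
-expect(enum).to be_nil
-range = TypeFactory.range(:default,2)
-enum = Enumeration.enumerator(range)
-expect(enum).to be_nil
-end
-
-[3.14, /.*/, true, false, nil, :something].each do |x|
-it "does not produce an enumerator for object of type #{x.class}" do
-enum = Enumeration.enumerator(x)
-expect(enum).to be_nil
-end
-end
-end
-end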
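--- a/data/spec/unit/resource/capability_finder_spec.rb
+++ b/data/spec/unit/resource/capability_finder_spec.rb
@@ -1,143 +0,0 @@
-require 'spec_helper'
-require_relative '../pops/parser/parser_rspec_helper'
-require 'puppet/resource/capability_finder'
-
-describe Puppet::Resource::CapabilityFinder do
-context 'when PuppetDB is not configured' do
-it 'should error' do
-expect(Puppet::Util).to receive(:const_defined?).with('Puppetdb').and_return(false)
-expect { Puppet::Resource::CapabilityFinder.find('production', nil, nil) }.to raise_error(/PuppetDB is not available/)
-end
-end
-
-context 'when PuppetDB is configured' do
-before(:each) do
-allow_any_instance_of(Puppet::Parser::Compiler).to receive(:loaders).and_return(loaders)
-Puppet.push_context({:loaders => loaders, :current_environment => env})
-if mock_pdb
-module Puppet::Util::Puppetdb
-class Http; end
-end
-end
-make_cap_type
-end
-
-after(:each) do
-Puppet::Util.send(:remove_const, 'Puppetdb') if mock_pdb
-Puppet::Type.rmtype(:cap)
-Puppet.pop_context()
-end
-
-let(:mock_pdb) { !Puppet::Util.const_defined?('Puppetdb') }
-let(:env) { Puppet::Node::Environment.create(:testing, []) }
-let(:loaders) { Puppet::Pops::Loaders.new(env) }
-
-let(:response_body) { [{"type"=>"Cap", "title"=>"cap", "parameters"=>{"host"=>"ahost"}}] }
-let(:response) { double('response', :body => response_body.to_json) }
-
-def make_cap_type
-Puppet::Type.newtype :cap, :is_capability => true do
-newparam :name
-newparam :host
-end
-end
-
-describe "when query_puppetdb method is available" do
-it 'should call use the query_puppetdb method if available' do
-expect(Puppet::Util::Puppetdb).to receive(:query_puppetdb).and_return(response_body)
-expect(Puppet::Util::Puppetdb::Http).not_to receive(:action)
-
-result = Puppet::Resource::CapabilityFinder.find('production', nil, Puppet::Resource.new('Cap', 'cap'))
-expect(result['host']).to eq('ahost')
-end
-end
-
-describe "when query_puppetdb method is unavailable" do
-before :each do
-allow(Puppet::Util::Puppetdb).to receive(:respond_to?).with(:query_puppetdb).and_return(false)
-end
-
-it 'should call Puppet::Util::PuppetDB::Http.action' do
-expect(Puppet::Util::Puppetdb::Http).to receive(:action).and_return(response)
-result = Puppet::Resource::CapabilityFinder.find('production', nil, Puppet::Resource.new('Cap', 'cap'))
-expect(result['host']).to eq('ahost')
-end
-end
-
-describe '#find' do
-let(:capability) { Puppet::Resource.new('Cap', 'cap') }
-let(:code_id) { 'b59e5df0578ef411f773ee6c33d8073c50e7b8fe' }
-
-it 'should search for the resource without including code_id or environment' do
-resources = [{"type"=>"Cap", "title"=>"cap", "parameters"=>{"host"=>"ahost"}}]
-allow(Puppet::Resource::CapabilityFinder).to receive(:search).with(nil, nil, capability).and_return(resources)
-
-result = Puppet::Resource::CapabilityFinder.find('production', code_id, Puppet::Resource.new('Cap', 'cap'))
-expect(result['host']).to eq('ahost')
-end
-
-it 'should return nil if no resource is found' do
-allow(Puppet::Resource::CapabilityFinder).to receive(:search).with(nil, nil, capability).and_return([])
-
-result = Puppet::Resource::CapabilityFinder.find('production', code_id, capability)
-expect(result).to be_nil
-end
-
-describe 'when multiple results are returned for different environments' do
-let(:resources) do
-[{"type"=>"Cap", "title"=>"cap", "parameters"=>{"host"=>"ahost"}, "tags"=>["producer:production"]},
-{"type"=>"Cap", "title"=>"cap", "parameters"=>{"host"=>"bhost"}, "tags"=>["producer:other_env"]}]
-end
-
-before :each do
-allow(Puppet::Resource::CapabilityFinder).to receive(:search).with(nil, nil, capability).and_return(resources)
-end
-
-it 'should return the resource matching environment' do
-result = Puppet::Resource::CapabilityFinder.find('production', code_id, capability)
-expect(result['host']).to eq('ahost')
-end
-
-it 'should return nil if no resource matches environment' do
-result = Puppet::Resource::CapabilityFinder.find('bad_env', code_id, capability)
-expect(result).to be_nil
-end
-end
-
-describe 'when multiple results are returned for the same environment' do
-let(:resources) do
-[{"type"=>"Cap", "title"=>"cap", "parameters"=>{"host"=>"ahost"}, "tags"=>["producer:production"]},
-{"type"=>"Cap", "title"=>"cap", "parameters"=>{"host"=>"bhost"}, "tags"=>["producer:production"]}]
-end
-
-before :each do
-allow(Puppet::Resource::CapabilityFinder).to receive(:search).with(nil, nil, capability).and_return(resources)
-end
-
-it 'should return the resource matching code_id' do
-allow(Puppet::Resource::CapabilityFinder).to receive(:search).with('production', code_id, capability).and_return([{"type"=>"Cap", "title"=>"cap", "parameters"=>{"host"=>"chost"}}])
-
-result = Puppet::Resource::CapabilityFinder.find('production', code_id, capability)
-expect(result['host']).to eq('chost')
-end
-
-it 'should fail if no resource matches code_id' do
-allow(Puppet::Resource::CapabilityFinder).to receive(:search).with('production', code_id, capability).and_return([])
-
-expect { Puppet::Resource::CapabilityFinder.find('production', code_id, capability) }.to raise_error(Puppet::Error, /expected exactly one resource but got 2/)
-end
-
-it 'should fail if multiple resources match code_id' do
-allow(Puppet::Resource::CapabilityFinder).to receive(:search).with('production', code_id, capability).and_return(resources)
-
-expect { Puppet::Resource::CapabilityFinder.find('production', code_id, capability) }.to raise_error(Puppet::DevError, /expected exactly one resource but got 2/)
-end
-
-it 'should fail if no code_id was specified' do
-allow(Puppet::Resource::CapabilityFinder).to receive(:search).with('production', nil, capability).and_return(resources)
-expect { Puppet::Resource::CapabilityFinder.find('production', nil, capability) }.to raise_error(Puppet::DevError, /expected exactly one resource but got 2/)
-end
-end
-end
-end
-end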
@@ -1,132 +0,0 @@
|
|
1
|
-
require 'spec_helper'
|
2
|
-
|
3
|
-
require 'puppet/rest/route'
|
4
|
-
|
5
|
-
describe Puppet::Rest::Route do
|
6
|
-
describe '#with_base_url'do
|
7
|
-
let(:dns_resolver) { double('dns resolver') }
|
8
|
-
|
9
|
-
context 'when not using SRV records' do
|
10
|
-
before :each do
|
11
|
-
Puppet.settings[:use_srv_records] = false
|
12
|
-
end
|
13
|
-
|
14
|
-
it "yields a base URL with the values from the specified settings" do
|
15
|
-
Puppet[:ca_server] = 'testserver'
|
16
|
-
Puppet[:ca_port] = 555
|
17
|
-
ca_route = Puppet::Rest::Route.new(api: '/fakeapi/v1/',
|
18
|
-
server_setting: :ca_server,
|
19
|
-
port_setting: :ca_port,
|
20
|
-
srv_service: :test_service)
|
21
|
-
count = 0
|
22
|
-
rval = ca_route.with_base_url(dns_resolver) do |url|
|
23
|
-
count += 1
|
24
|
-
expect(url.to_s).to eq('https://testserver:555/fakeapi/v1/')
|
25
|
-
'Block return value'
|
26
|
-
end
|
27
|
-
expect(count).to eq(1)
|
28
|
-
expect(rval).to eq('Block return value')
|
29
|
-
end
|
30
|
-
|
31
|
-
it "yields a base URL with Puppet's configured server and port when no defaults are specified" do
|
32
|
-
Puppet[:server] = 'configured.net'
|
33
|
-
Puppet[:serverport] = 8140
|
34
|
-
fallback_route = Puppet::Rest::Route.new(api: '/fakeapi/v1/')
|
35
|
-
count = 0
|
36
|
-
rval = fallback_route.with_base_url(dns_resolver) do |url|
|
37
|
-
count += 1
|
38
|
-
expect(url.to_s).to eq('https://configured.net:8140/fakeapi/v1/')
|
39
|
-
'Block return value'
|
40
|
-
end
|
41
|
-
expect(count).to eq(1)
|
42
|
-
expect(rval).to eq('Block return value')
|
43
|
-
end
|
44
|
-
|
45
|
-
it 'yields the first entry in the server list when server_list is in use' do
|
46
|
-
Puppet[:server_list] = [['one.net', 111], ['two.net', 222]]
|
47
|
-
fallback_route = Puppet::Rest::Route.new(api: '/fakeapi/v1/')
|
48
|
-
count = 0
|
49
|
-
rval = fallback_route.with_base_url(dns_resolver) do |url|
|
50
|
-
count += 1
|
51
|
-
expect(url.to_s).to eq('https://one.net:111/fakeapi/v1/')
|
52
|
-
'Block return value'
|
53
|
-
end
|
54
|
-
expect(count).to eq(1)
|
55
|
-
expect(rval).to eq('Block return value')
|
56
|
-
end
|
57
|
-
|
58
|
-
it 'falls back to :server and :serverport if nil is passed' do
|
59
|
-
Puppet[:server] = 'one.net'
|
60
|
-
Puppet[:serverport] = 111
|
61
|
-
nil_route = Puppet::Rest::Route.new(api: '/fakeapi/v1/',
|
62
|
-
server_setting: nil,
|
63
|
-
port_setting: nil)
|
64
|
-
count = 0
|
65
|
-
rval = nil_route.with_base_url(dns_resolver) do |url|
|
66
|
-
count += 1
|
67
|
-
expect(url.to_s).to eq('https://one.net:111/fakeapi/v1/')
|
68
|
-
'Block return value'
|
69
|
-
end
|
70
|
-
expect(count).to eq(1)
|
71
|
-
expect(rval).to eq('Block return value')
|
72
|
-
end
|
73
|
-
end
|
74
|
-
|
75
|
-
context 'when using SRV records' do
|
76
|
-
context "when SRV returns servers" do
|
77
|
-
let(:route) { Puppet::Rest::Route.new(api: '/fakeapi/v1/',
|
78
|
-
srv_service: :test_service) }
|
79
|
-
|
80
|
-
before :each do
|
81
|
-
Puppet.settings[:use_srv_records] = true
|
82
|
-
Puppet.settings[:srv_domain] = 'example.com'
|
83
|
-
|
84
|
-
@dns_mock = double('dns')
|
85
|
-
expect(Resolv::DNS).to receive(:new).and_return(@dns_mock)
|
86
|
-
|
87
|
-
@port = 7502
|
88
|
-
@target = 'example.com'
|
89
|
-
record = Resolv::DNS::Resource::IN::SRV.new(0, 0, @port, @target)
|
90
|
-
record.instance_variable_set(:@ttl, 10)
|
91
|
-
@srv_records = [record]
|
92
|
-
|
93
|
-
expect(@dns_mock).to receive(:getresources).
|
94
|
-
with("_x-puppet-test_service._tcp.example.com", Resolv::DNS::Resource::IN::SRV).
|
95
|
-
and_return(@srv_records)
|
96
|
-
end
|
97
|
-
|
98
|
-
it "yields a URL using the server and port from the SRV record" do
|
99
|
-
count = 0
|
100
|
-
rval = route.with_base_url(Puppet::Network::Resolver.new) do |url|
|
101
|
-
count += 1
|
102
|
-
expect(url.to_s).to eq('https://example.com:7502/fakeapi/v1/')
|
103
|
-
'Block return value'
|
104
|
-
end
|
105
|
-
expect(count).to eq(1)
|
106
|
-
|
107
|
-
expect(rval).to eq('Block return value')
|
108
|
-
end
|
109
|
-
|
110
|
-
it "should fall back to the default server when the block raises a SystemCallError" do
|
111
|
-
Puppet[:server] = "testserver"
|
112
|
-
Puppet[:serverport] = 555
|
113
|
-
|
114
|
-
count = 0
|
115
|
-
rval = route.with_base_url(Puppet::Network::Resolver.new) do |url|
|
116
|
-
count += 1
|
117
|
-
if url.to_s =~ /example.com/ then
|
118
|
-
raise SystemCallError, "example failure"
|
119
|
-
else
|
120
|
-
expect(url.to_s).to eq('https://testserver:555/fakeapi/v1/')
|
121
|
-
end
|
122
|
-
|
123
|
-
'Block return value'
|
124
|
-
end
|
125
|
-
|
126
|
-
expect(count).to eq(2)
|
127
|
-
expect(rval).to eq('Block return value')
|
128
|
-
end
|
129
|
-
end
|
130
|
-
end
|
131
|
-
end
|
132
|
-
end
|
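--- a/data/spec/unit/ssl/host_spec.rb
+++ b/data/spec/unit/ssl/host_spec.rb
@@ -1,650 +0,0 @@
-require 'spec_helper'
-require 'puppet/test_ca'
-
-require 'puppet/ssl/host'
-require 'matchers/json'
-require 'puppet_spec/ssl'
-require 'puppet/rest/routes'
-
-def base_json_comparison(result, json_hash)
-expect(result["fingerprint"]).to eq(json_hash["fingerprint"])
-expect(result["name"]).to eq(json_hash["name"])
-expect(result["state"]).to eq(json_hash["desired_state"])
-end
-
-describe Puppet::SSL::Host, if: !Puppet::Util::Platform.jruby? do
-include JSONMatchers
-include PuppetSpec::Files
-
-before do
-# Get a safe temporary file
-dir = tmpdir("ssl_host_testing")
-Puppet.settings[:confdir] = dir
-Puppet.settings[:vardir] = dir
-Puppet.settings.use :main, :ssl
-
-@host = Puppet::SSL::Host.new("myname")
-end
-
-after do
-# Cleaned out any cached localhost instance.
-Puppet::SSL::Host.reset
-end
-
-it "should use any provided name as its name" do
-expect(@host.name).to eq("myname")
-end
-
-it "should retrieve its public key from its private key" do
-realkey = double('realkey')
-key = double('key', :content => realkey)
-allow(Puppet::SSL::Key.indirection).to receive(:find).and_return(key)
-pubkey = double('public_key')
-expect(realkey).to receive(:public_key).and_return(pubkey)
-
-expect(@host.public_key).to equal(pubkey)
-end
-
-describe 'localhost' do
-before(:each) do
-allow_any_instance_of(Puppet::SSL::Host).to receive(:certificate).and_return(nil)
-allow_any_instance_of(Puppet::SSL::Host).to receive(:generate)
-end
-
-it "is deprecated" do
-Puppet::SSL::Host.localhost
-
-expect(@logs).to include(an_object_having_attributes(message: /Puppet::SSL::Host is deprecated/))
-end
-
-it "should allow to reset localhost" do
-previous_host = Puppet::SSL::Host.localhost
-Puppet::SSL::Host.reset
-expect(Puppet::SSL::Host.localhost).not_to eq(previous_host)
-end
-
-it "should generate the certificate for the localhost instance if no certificate is available" do
-host = double('host', :key => nil)
-expect(Puppet::SSL::Host).to receive(:new).and_return(host)
-
-expect(host).to receive(:certificate).and_return(nil)
-expect(host).to receive(:generate)
-
-expect(Puppet::SSL::Host.localhost).to equal(host)
-end
-
-it "should always read the key for the localhost instance in from disk" do
-host = double('host', :certificate => "eh")
-expect(host).to receive(:key)
-expect(Puppet::SSL::Host).to receive(:new).and_return(host)
-
-Puppet::SSL::Host.localhost
-end
-
-it "should cache the localhost instance" do
-host = double('host', :certificate => "eh", :key => 'foo')
-expect(Puppet::SSL::Host).to receive(:new).once.and_return(host)
-expect(Puppet::SSL::Host.localhost).to eq(Puppet::SSL::Host.localhost)
-end
-end
-
-context "with dns_alt_names" do
-before :each do
-@key = double('key content')
-key = double('key', :generate => true, :content => @key)
-allow(Puppet::SSL::Key).to receive(:new).and_return(key)
-allow(Puppet::SSL::Key.indirection).to receive(:save).with(key)
-
-@cr = double('certificate request', :render => "csr pem")
-allow(Puppet::SSL::CertificateRequest).to receive(:new).and_return(@cr)
-allow_any_instance_of(Puppet::SSL::Host).to receive(:submit_certificate_request)
-end
-
-describe "explicitly specified" do
-before :each do
-Puppet[:dns_alt_names] = 'one, two'
-end
-
-it "should not include subjectAltName if not the local node" do
-expect(@cr).to receive(:generate).with(@key, {})
-
-Puppet::SSL::Host.new('not-the-' + Puppet[:certname]).generate_certificate_request
-end
-
-it "should include subjectAltName if the local node" do
-expect(@cr).to receive(:generate).with(@key, { :dns_alt_names => 'one, two' })
-
-Puppet::SSL::Host.new(Puppet[:certname]).generate_certificate_request
-end
-end
-end
-
-it "should be able to verify its certificate matches its key" do
-expect(Puppet::SSL::Host.new("foo")).to respond_to(:validate_certificate_with_key)
-end
-
-it "should consider the certificate invalid if it cannot find a key" do
-host = Puppet::SSL::Host.new("foo")
-certificate = double('cert', :fingerprint => 'DEADBEEF')
-expect(host).to receive(:key).and_return(nil)
-expect { host.validate_certificate_with_key(certificate) }.to raise_error(Puppet::Error, "No private key with which to validate certificate with fingerprint: DEADBEEF")
-end
-
-it "should consider the certificate invalid if it cannot find a certificate" do
-host = Puppet::SSL::Host.new("foo")
-expect(host).not_to receive(:key)
-expect { host.validate_certificate_with_key(nil) }.to raise_error(Puppet::Error, "No certificate to validate.")
-end
-
-it "should consider the certificate invalid if the SSL certificate's key verification fails" do
-host = Puppet::SSL::Host.new("foo")
-key = double('key', :content => "private_key")
-sslcert = double('sslcert')
-certificate = double('cert', {:content => sslcert, :fingerprint => 'DEADBEEF'})
-allow(host).to receive(:key).and_return(key)
-expect(sslcert).to receive(:check_private_key).with("private_key").and_return(false)
-expect { host.validate_certificate_with_key(certificate) }.to raise_error(Puppet::Error, /DEADBEEF/)
-end
-
-it "should consider the certificate valid if the SSL certificate's key verification succeeds" do
-host = Puppet::SSL::Host.new("foo")
-key = double('key', :content => "private_key")
-sslcert = double('sslcert')
-certificate = double('cert', :content => sslcert)
-allow(host).to receive(:key).and_return(key)
-expect(sslcert).to receive(:check_private_key).with("private_key").and_return(true)
-expect{ host.validate_certificate_with_key(certificate) }.not_to raise_error
-end
-
-it "should output agent-specific commands when validation fails" do
-host = Puppet::SSL::Host.new("foo")
-key = double('key', :content => "private_key")
-sslcert = double('sslcert')
-certificate = double('cert', {:content => sslcert, :fingerprint => 'DEADBEEF'})
-allow(host).to receive(:key).and_return(key)
-expect(sslcert).to receive(:check_private_key).with("private_key").and_return(false)
-expect { host.validate_certificate_with_key(certificate) }.to raise_error(Puppet::Error, /puppet ssl clean \n/)
-end
-
-it "should output device-specific commands when validation fails" do
-Puppet[:certname] = "device.example.com"
-host = Puppet::SSL::Host.new("device.example.com", true)
-key = double('key', :content => "private_key")
-sslcert = double('sslcert')
-certificate = double('cert', {:content => sslcert, :fingerprint => 'DEADBEEF'})
-allow(host).to receive(:key).and_return(key)
-expect(sslcert).to receive(:check_private_key).with("private_key").and_return(false)
-expect { host.validate_certificate_with_key(certificate) }.to raise_error(Puppet::Error, /puppet ssl clean --target device.example.com/)
-end
-
-describe "when initializing" do
-it "should default its name to the :certname setting" do
-Puppet[:certname] = "myname"
-
-expect(Puppet::SSL::Host.new.name).to eq("myname")
-end
-
-it "should downcase a passed in name" do
-expect(Puppet::SSL::Host.new("Host.Domain.Com").name).to eq("host.domain.com")
-end
-end
-
-describe "when managing its private key" do
-before do
-@realkey = "mykey"
-@key = Puppet::SSL::Key.new("mykey")
-@key.content = @realkey
-end
-
-it "should return nil if the key is not set and cannot be found" do
-expect(Puppet::SSL::Key.indirection).to receive(:find).with("myname").and_return(nil)
-expect(@host.key).to be_nil
-end
-
-it "should find the key in the Key class and return the Puppet instance" do
-expect(Puppet::SSL::Key.indirection).to receive(:find).with("myname").and_return(@key)
-expect(@host.key).to equal(@key)
-end
-
-it "should be able to generate and save a new key" do
-expect(Puppet::SSL::Key).to receive(:new).with("myname").and_return(@key)
-
-expect(@key).to receive(:generate)
-expect(Puppet::SSL::Key.indirection).to receive(:save)
-
-expect(@host.generate_key).to be_truthy
-expect(@host.key).to equal(@key)
-end
-
-it "should not retain keys that could not be saved" do
-expect(Puppet::SSL::Key).to receive(:new).with("myname").and_return(@key)
-
-expect(@key).to receive(:generate)
-expect(Puppet::SSL::Key.indirection).to receive(:save).and_raise("eh")
-
-expect { @host.generate_key }.to raise_error(RuntimeError)
-expect(@host.key).to be_nil
-end
-
-it "should return any previously found key without requerying" do
-expect(Puppet::SSL::Key.indirection).to receive(:find).with("myname").and_return(@key).once
-expect(@host.key).to equal(@key)
-expect(@host.key).to equal(@key)
-end
-end
-
-describe "when managing its certificate request" do
-before(:all) do
-@pki = PuppetSpec::SSL.create_chained_pki
-end
-
-before(:each) do
-Puppet[:requestdir] = tmpdir('requests')
-end
-
-let(:key) { Puppet::SSL::Key.from_s(@pki[:leaf_key].to_s, @host.name) }
-
-it "should generate a new key when generating the cert request if no key exists" do
-expect(@host).to receive(:key).exactly(2).times.and_return(nil, key)
-expect(@host).to receive(:generate_key).and_return(key)
-
-allow(@host).to receive(:submit_certificate_request)
-
-@host.generate_certificate_request
-expect(Puppet::FileSystem.exist?(File.join(Puppet[:requestdir], "#{@host.name}.pem"))).to be true
-end
-
-it "should be able to generate and save a new request using the private key" do
-allow(@host).to receive(:key).and_return(key)
-allow(@host).to receive(:submit_certificate_request)
-
-expect(@host.generate_certificate_request).to be_truthy
-expect(Puppet::FileSystem.exist?(File.join(Puppet[:requestdir], "#{@host.name}.pem"))).to be true
-end
-
-it "should send a new request to the CA for signing" do
-@http = double("http")
-allow(@host).to receive(:http_client).and_return(@http)
-allow(@host).to receive(:ssl_store).and_return(double("ssl store"))
-allow(@host).to receive(:key).and_return(key)
-request = double("request")
-allow(request).to receive(:generate)
-expect(request).to receive(:render).and_return("my request").twice
-expect(Puppet::SSL::CertificateRequest).to receive(:new).and_return(request)
-
-expect(Puppet::Rest::Routes).to receive(:put_certificate_request)
-.with("my request", @host.name, anything)
-.and_return(nil)
-
-expect(@host.generate_certificate_request).to be true
-end
-
-it "should return any previously found request without requerying" do
-request = double("request")
-expect(@host).to receive(:load_certificate_request_from_file).and_return(request).once
-
-expect(@host.certificate_request).to equal(request)
-expect(@host.certificate_request).to equal(request)
-end
-
-it "should not keep its certificate request in memory if the request cannot be saved" do
-allow(@host).to receive(:key).and_return(key)
-allow(@host).to receive(:submit_certificate_request)
-expect(Puppet::Util).to receive(:replace_file).and_raise(RuntimeError)
-
-expect { @host.generate_certificate_request }.to raise_error(RuntimeError)
-
-expect(@host.instance_eval { @certificate_request }).to be_nil
-end
-end
-
-describe "when managing its certificate" do
-before(:all) do
-@pki = PuppetSpec::SSL.create_chained_pki
-end
-
-before(:each) do
-Puppet[:certdir] = tmpdir('certs')
-allow(@host).to receive(:key).and_return(double("key"))
-allow(@host).to receive(:validate_certificate_with_key)
-allow(@host).to receive(:http_client).and_return(@http)
-allow(@host).to receive(:ssl_store).and_return(double("ssl store"))
-end
-
-let(:ca_cert_response) { @pki[:ca_bundle] }
-let(:crl_response) { @pki[:crl_chain] }
-let(:host_cert_response) { @pki[:unrevoked_leaf_node_cert] }
-
-it "should find the CA certificate and save it to disk" do
-stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: ca_cert_response)
-stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_response)
-stub_request(:get, %r{puppet-ca/v1/certificate/#{@host.name}}).to_return(status: 404)
-
-@host.certificate
-actual_ca_bundle = Puppet::FileSystem.read(Puppet[:localcacert])
-expect(actual_ca_bundle).to match(/BEGIN CERTIFICATE.*END CERTIFICATE.*BEGIN CERTIFICATE/m)
-end
-
-it "should raise if it cannot find a CA certificate" do
-stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 404)
-
-expect(@host).not_to receive(:get_host_certificate)
-
-expect {
-@host.certificate
-}.to raise_error(Puppet::Error, /CA certificate is missing from the server/)
-end
-
-it "should find the key if it does not have one" do
-stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: ca_cert_response)
-stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_response)
-
-expect(@host).to receive(:get_host_certificate).and_return(nil)
-expect(@host).to receive(:key).and_return(double("key"))
-@host.certificate
-end
-
-it "should generate the key if one cannot be found" do
-stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: ca_cert_response)
-stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_response)
-
-expect(@host).to receive(:get_host_certificate).and_return(nil)
-expect(@host).to receive(:key).and_return(nil)
-expect(@host).to receive(:generate_key)
-@host.certificate
-end
-
-it "should find the host certificate, write it to file, and return the Puppet certificate instance" do
-stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: ca_cert_response)
-stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_response)
-stub_request(:get, %r{puppet-ca/v1/certificate/#{@host.name}}).to_return(status: 200, body: host_cert_response.to_pem)
-
-expected_cert = Puppet::SSL::Certificate.from_s(@pki[:unrevoked_leaf_node_cert])
-actual_cert = @host.certificate
-expect(actual_cert).to be_a(Puppet::SSL::Certificate)
-expect(actual_cert.to_s).to eq(expected_cert.to_s)
-host_cert_from_file = Puppet::FileSystem.read(File.join(Puppet[:certdir], "#{@host.name}.pem"))
-expect(host_cert_from_file).to eq(expected_cert.to_s)
-end
-
-it "should return any previously found certificate" do
-cert = double('cert')
-stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: ca_cert_response)
-stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_response)
-expect(@host).to receive(:get_host_certificate).and_return(cert).once
-
-expect(@host.certificate).to equal(cert)
-expect(@host.certificate).to equal(cert)
-end
-
-context 'invalid certificates' do
-it "should raise if the CA certificate downloaded from CA is invalid" do
-stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: 'garbage')
-
-expect { @host.certificate }.to raise_error(OpenSSL::X509::CertificateError, /Failed to parse CA certificates as PEM/)
-end
-
-it "should warn if the host certificate downloaded from CA is invalid" do
-stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: ca_cert_response)
-stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_response)
-stub_request(:get, %r{puppet-ca/v1/certificate/#{@host.name}}).to_return(status: 200, body: 'garbage')
-
-expect { @host.certificate }.to raise_error(Puppet::Error, /did not contain a valid certificate for #{@host.name}/)
-end
-
-it 'should warn if the CA certificate loaded from disk is invalid' do
-Puppet::FileSystem.open(Puppet[:localcacert], nil, "w:ASCII") do |f|
-f.puts 'garbage'
-end
-expect { @host.certificate }.to raise_error(OpenSSL::X509::CertificateError, /Failed to parse CA certificates as PEM/)
-end
-
-it 'should warn if the host certificate loaded from disk in invalid' do
-stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: ca_cert_response)
-stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: crl_response)
-
-Puppet::FileSystem.open(File.join(Puppet[:certdir], "#{@host.name}.pem"), nil, "w:ASCII") do |f|
-f.puts 'garbage'
-end
-expect { @host.certificate }.to raise_error(Puppet::Error, /The certificate.*invalid/)
-end
-end
-end
-
-it "should have a method for generating all necessary files" do
-expect(Puppet::SSL::Host.new("me")).to respond_to(:generate)
-end
-
-describe "when generating files" do
-before do
-@host = Puppet::SSL::Host.new("me")
-allow(@host).to receive(:generate_key)
-allow(@host).to receive(:generate_certificate_request)
-allow(@host).to receive(:certificate_request)
-allow(@host).to receive(:certificate)
-end
-
-it "should generate a key if one is not present" do
-allow(@host).to receive(:key).and_return nil
-expect(@host).to receive(:generate_key)
-
-@host.generate
-end
-
-it "should generate a certificate request if one is not present" do
-expect(@host).to receive(:certificate_request).and_return nil
-expect(@host).to receive(:generate_certificate_request)
-
-@host.generate
-end
-end
-
-it "should have a method for creating an SSL store" do
-expect(Puppet::SSL::Host.new("me")).to respond_to(:ssl_store)
-end
-
-describe "when creating an SSL store" do
-before do
-Puppet[:localcacert] = "ssl_host_testing"
-end
-
-it "should accept a purpose" do
-store = double('store', :add_file => nil)
-expect(OpenSSL::X509::Store).to receive(:new).and_return(store)
-expect(store).to receive(:purpose=).with(OpenSSL::X509::PURPOSE_SSL_SERVER)
-host = Puppet::SSL::Host.new("me")
-host.crl_usage = false
-
-host.ssl_store(OpenSSL::X509::PURPOSE_SSL_SERVER)
-end
-
-context "and the CRL is not on disk" do
-before do
-@pki = PuppetSpec::SSL.create_chained_pki
-@revoked_cert = @pki[:revoked_root_node_cert]
-localcacert = Puppet.settings[:localcacert]
-Puppet::Util.replace_file(localcacert, 0644) {|f| f.write @pki[:ca_bundle] }
-@http = double('http')
-allow(@host).to receive(:http_client).and_return(@http)
-end
-
-after do
-Puppet::FileSystem.unlink(Puppet.settings[:localcacert])
-Puppet::FileSystem.unlink(Puppet.settings[:hostcrl])
-end
-
-it "retrieves it from the server" do
-expect(Puppet::Rest::Routes).to receive(:get_crls)
-.with(Puppet::SSL::CA_NAME, anything)
-.and_return(@pki[:crl_chain])
-
-@host.ssl_store
-expect(Puppet::FileSystem.read(Puppet.settings[:hostcrl], :encoding => Encoding::UTF_8)).to eq(@pki[:crl_chain])
-end
-end
-
-describe "and a CRL is available" do
-before do
-pki = PuppetSpec::SSL.create_chained_pki
-
-@revoked_cert_from_self_signed_root = pki[:revoked_root_node_cert]
-@revoked_cert_from_ca_with_untrusted_chain = pki[:revoked_leaf_node_cert]
-@unrevoked_cert_from_self_signed_root = pki[:unrevoked_root_node_cert]
-@unrevoked_cert_from_revoked_ca = pki[:unrevoked_int_node_cert]
-@unrevoked_cert_from_ca_with_untrusted_chain = pki[:unrevoked_leaf_node_cert]
-
-localcacert = Puppet.settings[:localcacert]
-hostcrl = Puppet.settings[:hostcrl]
-
-Puppet::Util.replace_file(localcacert, 0644) {|f| f.write pki[:ca_bundle] }
-Puppet::Util.replace_file(hostcrl, 0644) {|f| f.write pki[:crl_chain] }
-end
-
-after do
-Puppet::FileSystem.unlink(Puppet.settings[:localcacert])
-Puppet::FileSystem.unlink(Puppet.settings[:hostcrl])
-end
-
-[true, :chain].each do |crl_setting|
-describe "and 'certificate_revocation' is #{crl_setting}" do
-before do
-@host = Puppet::SSL::Host.new(crl_setting.to_s)
-@host.crl_usage = crl_setting
-end
-
-it "should verify unrevoked certs" do
-expect(
-@host.ssl_store.verify(@unrevoked_cert_from_self_signed_root)
-).to be true
-end
-
-it "should not verify revoked certs" do
-[@revoked_cert_from_self_signed_root,
-@revoked_cert_from_ca_with_untrusted_chain,
-@unrevoked_cert_from_revoked_ca,
-@unrevoked_cert_from_ca_with_untrusted_chain].each do |cert|
-expect(@host.ssl_store.verify(cert)).to be false
-end
-end
-end
-end
-
-describe "and 'certificate_revocation' is leaf" do
-before do
-@host = Puppet::SSL::Host.new("leaf")
-@host.crl_usage = :leaf
-end
-
-it "should verify unrevoked certs regardless of signing CA's revocation status" do
-[@unrevoked_cert_from_self_signed_root,
-@unrevoked_cert_from_revoked_ca,
-@unrevoked_cert_from_ca_with_untrusted_chain].each do |cert|
-expect(@host.ssl_store.verify(cert)).to be true
-end
-end
-
-it "should not verify certs revoked by their signing CA" do
-[@revoked_cert_from_self_signed_root,
-@revoked_cert_from_ca_with_untrusted_chain].each do |cert|
-expect(@host.ssl_store.verify(cert)).to be false
-end
-end
-end
-
-describe "and 'certificate_revocation' is false" do
-before do
-@host = Puppet::SSL::Host.new("host")
-@host.crl_usage = false
-end
-
-it "should verify valid certs regardless of revocation status" do
-[@revoked_cert_from_self_signed_root,
-@revoked_cert_from_ca_with_untrusted_chain,
-@unrevoked_cert_from_self_signed_root,
-@unrevoked_cert_from_revoked_ca,
-@unrevoked_cert_from_ca_with_untrusted_chain].each do |cert|
-expect(@host.ssl_store.verify(cert)).to be true
-end
-end
-end
-end
-end
-
-describe "when waiting for a cert" do
-before do
-@host = Puppet::SSL::Host.new("me")
-end
-
-it "should generate its certificate request and attempt to read the certificate again if no certificate is found" do
-expect(@host).to receive(:certificate).twice.and_return(nil, "foo")
-expect(@host).to receive(:generate)
-@host.wait_for_cert(1)
-end
-
-it "should catch and log errors during CSR saving" do
-expect(@host).to receive(:certificate).twice.and_return(nil, "foo")
-times_generate_called = 0
-expect(@host).to receive(:generate) do
-times_generate_called += 1
-raise RuntimeError if times_generate_called == 1
-nil
-end
-allow(@host).to receive(:sleep)
-@host.wait_for_cert(1)
-end
-
-it "should sleep and retry after failures saving the CSR if waitforcert is enabled" do
-expect(@host).to receive(:certificate).twice.and_return(nil, "foo")
-times_generate_called = 0
-expect(@host).to receive(:generate) do
-times_generate_called += 1
-raise RuntimeError if times_generate_called == 1
-nil
-end
-expect(@host).to receive(:sleep).with(1)
-@host.wait_for_cert(1)
-end
-
-it "should exit after failures saving the CSR of waitforcert is disabled" do
-expect(@host).to receive(:certificate).and_return(nil)
-expect(@host).to receive(:generate).and_raise(RuntimeError)
-expect(@host).to receive(:puts)
-expect { @host.wait_for_cert(0) }.to exit_with 1
-end
-
-it "should exit if the wait time is 0 and it can neither find nor retrieve a certificate" do
-allow(@host).to receive(:certificate).and_return(nil)
-expect(@host).to receive(:generate)
-expect(@host).to receive(:puts)
-expect { @host.wait_for_cert(0) }.to exit_with 1
-end
-
-it "should sleep for the specified amount of time if no certificate is found after generating its certificate request" do
-expect(@host).to receive(:certificate).exactly(3).times().and_return(nil, nil, "foo")
-expect(@host).to receive(:generate)
-
-expect(@host).to receive(:sleep).with(1)
-
-@host.wait_for_cert(1)
-end
-
-it "should catch and log exceptions during certificate retrieval" do
-times_certificate_called = 0
-expect(@host).to receive(:certificate) do
-times_certificate_called += 1
-if times_certificate_called == 1
-return nil
-elsif times_certificate_called == 2
-raise RuntimeError
-end
-"foo"
-end.exactly(3).times()
-allow(@host).to receive(:generate)
-allow(@host).to receive(:sleep)
-
-expect(Puppet).to receive(:log_exception).at_least(:once)
-
-@host.wait_for_cert(1)
-end
-end
-end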