puppet 6.3.0-universal-darwin → 6.4.0-universal-darwin

data/spec/integration/type/file_spec.rb

@@ -1525,15 +1525,6 @@ describe Puppet::Type.type(:file), :uses_checksums => true do
               catalog.apply
             end
 
-            it "should not allow the user to explicitly set the mode to 4 ,and correct to 7" do
-              system_aces = get_aces_for_path_by_sid(path, @sids[:system])
-              expect(system_aces).not_to be_empty
-
-              system_aces.each do |ace|
-                expect(ace.mask).to eq(Puppet::Util::Windows::File::FILE_ALL_ACCESS)
-              end
-            end
-
             it "prepends SYSTEM ace when changing group from system to power users" do
               @file[:group] = @sids[:power_users]
               catalog.apply
@@ -1612,16 +1603,6 @@ describe Puppet::Type.type(:file), :uses_checksums => true do
                 catalog.apply
               end
 
-              it "should not allow the user to explicitly set the mode to 4, and correct to 7" do
-                system_aces = get_aces_for_path_by_sid(dir, @sids[:system])
-                expect(system_aces).not_to be_empty
-
-                system_aces.each do |ace|
-                  # unlike files, Puppet sets execute bit on directories that are readable
-                  expect(ace.mask).to eq(Puppet::Util::Windows::File::FILE_ALL_ACCESS)
-                end
-              end
-
               it "prepends SYSTEM ace when changing group from system to power users" do
                 @directory[:group] = @sids[:power_users]
                 catalog.apply

data/spec/lib/puppet/test_ca.rb

@@ -1,8 +1,8 @@
 module Puppet
   class TestCa
 
-    CERT_VALID_FROM = (Time.now - (60*60*24)).freeze
-    CERT_VALID_UNTIL = (Time.now + 600)
+    CERT_VALID_FROM = Time.at(0).freeze # 1969-12-31 16:00:00 -0800
+    CERT_VALID_UNTIL = (Time.now + (10 * 365 * 24 * 60 * 60)).freeze # 10 years from now
 
     CA_EXTENSIONS = [
       ["basicConstraints", "CA:TRUE", true],
@@ -12,13 +12,78 @@ module Puppet
       ["authorityKeyIdentifier", "keyid:always", false]
     ].freeze
 
-    attr_reader :ca_cert, :ca_crl
+    attr_reader :ca_cert, :ca_crl, :key
+
+    @serial = 0
+    def self.next_serial
+      id = @serial
+      @serial += 1
+      id
+    end
 
     def initialize
       @digest = OpenSSL::Digest::SHA256.new
-      @key = OpenSSL::PKey::RSA.new(1024)
-      @ca_cert = self_signed_ca
-      @ca_crl = create_crl
+      info = create_cacert('Test CA')
+      @key = info[:private_key]
+      @ca_cert = info[:cert]
+      @ca_crl = create_crl(@ca_cert, @key)
+    end
+
+    def create_request(name)
+      key = OpenSSL::PKey::RSA.new(1024)
+      csr = OpenSSL::X509::Request.new
+      csr.public_key = key.public_key
+      csr.subject = OpenSSL::X509::Name.new([["CN", name]])
+      csr.version = 2
+      csr.sign(key, @digest)
+      { private_key: key, csr: csr }
+    end
+
+    def create_cert(name, issuer_cert, issuer_key, opts = {})
+      key, cert = build_cert(name, issuer_cert.subject)
+      ef = extension_factory_for(issuer_cert, cert)
+      if opts[:subject_alt_names]
+        ext = ef.create_extension(["subjectAltName", opts[:subject_alt_names], false])
+        cert.add_extension(ext)
+      end
+      cert.sign(issuer_key, @digest)
+      { private_key: key, cert: cert }
+    end
+
+    def create_intermediate_cert(name, issuer_cert, issuer_key)
+      key, cert = build_cert(name, issuer_cert.subject)
+      ef = extension_factory_for(issuer_cert, cert)
+      CA_EXTENSIONS.each do |ext|
+        cert.add_extension(ef.create_extension(*ext))
+      end
+      cert.sign(issuer_key, @digest)
+      { private_key: key, cert: cert }
+    end
+
+    def create_cacert(name)
+      issuer = OpenSSL::X509::Name.new([["CN", name]])
+      key, cert = build_cert(name, issuer)
+      ef = extension_factory_for(cert, cert)
+      CA_EXTENSIONS.each do |ext|
+        cert.add_extension(ef.create_extension(*ext))
+      end
+      cert.sign(key, @digest)
+      { private_key: key, cert: cert }
+    end
+
+    def create_crl(issuer_cert, issuer_key)
+      crl = OpenSSL::X509::CRL.new
+      crl.version = 1
+      crl.issuer = issuer_cert.subject
+      ef = extension_factory_for(issuer_cert)
+      crl.add_extension(
+        ef.create_extension(["authorityKeyIdentifier", "keyid:always", false]))
+      crl.add_extension(
+        OpenSSL::X509::Extension.new("crlNumber", OpenSSL::ASN1::Integer(0)))
+      crl.last_update = CERT_VALID_FROM
+      crl.next_update = CERT_VALID_UNTIL
+      crl.sign(issuer_key, @digest)
+      crl
     end
 
     def sign(csr, opts = {})
@@ -27,7 +92,7 @@ module Puppet
       cert.subject = csr.subject
       cert.issuer = @ca_cert.subject
       cert.version = 2
-      cert.serial = 1
+      cert.serial = self.class.next_serial
       cert.not_before = CERT_VALID_FROM
       cert.not_after =  CERT_VALID_UNTIL
       ef = extension_factory_for(@ca_cert, cert)
@@ -39,64 +104,36 @@ module Puppet
       Puppet::SSL::Certificate.from_instance(cert)
     end
 
-    def revoke(cert)
+    def revoke(cert, crl = @crl, issuer_key = @key)
       revoked = OpenSSL::X509::Revoked.new
       revoked.serial = cert.serial
       revoked.time = Time.now
       enum = OpenSSL::ASN1::Enumerated(OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
       ext = OpenSSL::X509::Extension.new("CRLReason", enum)
-      revoked.add_extensions(ext)
-      @crl.add_revoked(revoked)
+      revoked.add_extension(ext)
+      crl.add_revoked(revoked)
+      crl.sign(issuer_key, @digest)
     end
 
     def generate(name, opts)
-      host_key = OpenSSL::PKey::RSA.new(1024)
-      csr = create_csr(name, host_key)
-      { private_key: host_key, csr: csr, cert: sign(csr, opts).content }
+      info = create_request(name)
+      cert = sign(info[:csr], opts).content
+      info.merge(cert: cert)
     end
 
     private
 
-    def create_csr(name, key)
-      csr = OpenSSL::X509::Request.new
-      csr.public_key = key.public_key
-      csr.subject = OpenSSL::X509::Name.new([["CN", name]])
-      csr.version = 2
-      csr.sign(key, @digest)
-      csr
-    end
-
-    def self_signed_ca
+    def build_cert(name, issuer)
+      key = OpenSSL::PKey::RSA.new(1024)
       cert = OpenSSL::X509::Certificate.new
-      cert.public_key = @key.public_key
-      cert.subject = OpenSSL::X509::Name.new([["CN", "Test CA"]])
-      cert.issuer = cert.subject
+      cert.public_key = key.public_key
+      cert.subject = OpenSSL::X509::Name.new([["CN", name]])
+      cert.issuer = issuer
       cert.version = 2
-      cert.serial = 1
+      cert.serial = self.class.next_serial
       cert.not_before = CERT_VALID_FROM
-      cert.not_after  = CERT_VALID_UNTIL
-      ef = extension_factory_for(cert, cert)
-      CA_EXTENSIONS.each do |ext|
-        extension = ef.create_extension(*ext)
-        cert.add_extension(extension)
-      end
-      cert.sign(@key, @digest)
-      cert
-    end
-
-    def create_crl
-      crl = OpenSSL::X509::CRL.new
-      crl.version = 1
-      crl.issuer = @ca_cert.subject
-      ef = extension_factory_for(@ca_cert)
-      crl.add_extension(
-        ef.create_extension(["authorityKeyIdentifier", "keyid:always", false]))
-      crl.add_extension(
-        OpenSSL::X509::Extension.new("crlNumber", OpenSSL::ASN1::Integer(0)))
-      crl.last_update = CERT_VALID_FROM
-      crl.next_update = CERT_VALID_UNTIL
-      crl.sign(@key, @digest)
-      crl
+      cert.not_after = CERT_VALID_UNTIL
+      [key, cert]
     end
 
     def extension_factory_for(ca, cert = nil)

data/spec/lib/puppet_spec/fixtures.rb

@@ -25,4 +25,24 @@ module PuppetSpec::Fixtures
     block_given? and files.each do |file| yield file end
     files
   end
+
+  def pem_content(name)
+    File.read(File.join(PuppetSpec::FIXTURE_DIR, 'ssl', name), encoding: 'UTF-8')
+  end
+
+  def cert_fixture(name)
+    OpenSSL::X509::Certificate.new(pem_content(name))
+  end
+
+  def crl_fixture(name)
+    OpenSSL::X509::CRL.new(pem_content(name))
+  end
+
+  def key_fixture(name)
+    OpenSSL::PKey::RSA.new(pem_content(name))
+  end
+
+  def request_fixture(name)
+    OpenSSL::X509::Request.new(pem_content(name))
+  end
 end

data/spec/lib/puppet_spec/https.rb

@@ -0,0 +1,84 @@
+require 'spec_helper'
+require 'webrick'
+
+class PuppetSpec::HTTPSServer
+  include PuppetSpec::Fixtures
+
+  attr_reader :ca_cert, :ca_crl, :server_cert, :server_key
+
+  def initialize
+    @ca_cert = cert_fixture('ca.pem')
+    @ca_crl = crl_fixture('crl.pem')
+    @server_key = key_fixture('127.0.0.1-key.pem')
+    @server_cert = cert_fixture('127.0.0.1.pem')
+    @config = WEBrick::Config::HTTP.dup
+  end
+
+  def handle_request(ctx, ssl)
+    req = WEBrick::HTTPRequest.new(@config)
+    req.parse(ssl)
+
+    res = WEBrick::HTTPResponse.new(@config)
+    res.status = 200
+    res.body = 'OK'
+    res.send_response(ssl)
+  end
+
+  def start_server(ctx_proc: nil, &block)
+    errors = []
+
+    IO.pipe {|stop_pipe_r, stop_pipe_w|
+      store = OpenSSL::X509::Store.new
+      store.add_cert(@ca_cert)
+      store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.cert_store = store
+      ctx.cert = @server_cert
+      ctx.key = @server_key
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      ctx_proc.call(ctx) if ctx_proc
+
+      Socket.do_not_reverse_lookup = true
+      tcps = TCPServer.new("127.0.0.1", 0)
+      begin
+        port = tcps.connect_address.ip_port
+        begin
+          server_thread = Thread.new do
+            begin
+              ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
+              ssls.start_immediately = true
+
+              loop do
+                readable, = IO.select([ssls, stop_pipe_r])
+                break if readable.include? stop_pipe_r
+
+                ssl = ssls.accept
+                begin
+                  handle_request(ctx, ssl)
+                ensure
+                  ssl.close
+                end
+              end
+            rescue => e
+              # uncomment this line if something goes wrong
+              # puts "SERVER #{e.message}"
+              errors << e
+            end
+          end
+
+          begin
+            yield port
+          ensure
+            stop_pipe_w.close
+          end
+        ensure
+          server_thread.join
+        end
+      ensure
+        tcps.close
+      end
+    }
+
+    errors
+  end
+end

data/spec/unit/application/agent_spec.rb

@@ -24,9 +24,6 @@ describe Puppet::Application::Agent do
     @puppetd.preinit
     Puppet::Util::Log.stubs(:newdestination)
 
-    @ssl_host = stub_everything 'ssl host'
-    Puppet::SSL::Host.stubs(:new).returns(@ssl_host)
-
     Puppet::Node.indirection.stubs(:terminus_class=)
     Puppet::Node.indirection.stubs(:cache_class=)
     Puppet::Node::Facts.indirection.stubs(:terminus_class=)
@@ -129,7 +126,7 @@ describe Puppet::Application::Agent do
       @agent.stubs(:run).returns(2)
       Puppet[:onetime] = true
 
-      @ssl_host.expects(:wait_for_cert).with(0)
+      Puppet::SSL::StateMachine.expects(:new).with(waitforcert: 0).returns(stub(ensure_client_certificate: nil))
 
       expect { execute_agent }.to exit_with 0
     end
@@ -139,20 +136,21 @@ describe Puppet::Application::Agent do
       Puppet[:onetime] = true
       @puppetd.handle_waitforcert(60)
 
-      @ssl_host.expects(:wait_for_cert).with(60)
+      Puppet::SSL::StateMachine.expects(:new).with(waitforcert: 60).returns(stub(ensure_client_certificate: nil))
 
       expect { execute_agent }.to exit_with 0
     end
 
     it "should use a default value for waitforcert when --onetime and --waitforcert are not specified" do
-      @ssl_host.expects(:wait_for_cert).with(120)
+      Puppet::SSL::StateMachine.expects(:new).with(waitforcert: 120).returns(stub(ensure_client_certificate: nil))
 
       execute_agent
     end
 
     it "should use the waitforcert setting when checking for a signed certificate" do
       Puppet[:waitforcert] = 10
-      @ssl_host.expects(:wait_for_cert).with(10)
+
+      Puppet::SSL::StateMachine.expects(:new).with(waitforcert: 10).returns(stub(ensure_client_certificate: nil))
 
       execute_agent
     end
@@ -392,6 +390,8 @@ describe Puppet::Application::Agent do
     it "should inform the daemon about our agent if :client is set to 'true'" do
       @puppetd.options[:client] = true
 
+      Puppet::SSL::StateMachine.stubs(:new).returns(stub(ensure_client_certificate: nil))
+
       execute_agent
 
       expect(@daemon.agent).to eq(@agent)
@@ -402,6 +402,8 @@ describe Puppet::Application::Agent do
       Puppet[:daemonize] = true
       Signal.stubs(:trap)
 
+      Puppet::SSL::StateMachine.stubs(:new).returns(stub(ensure_client_certificate: nil))
+
       @daemon.expects(:daemonize)
 
       execute_agent
@@ -409,7 +411,8 @@ describe Puppet::Application::Agent do
 
     it "should wait for a certificate" do
       @puppetd.options[:waitforcert] = 123
-      @ssl_host.expects(:wait_for_cert).with(123)
+
+      Puppet::SSL::StateMachine.expects(:new).with(waitforcert: 123).returns(stub(ensure_client_certificate: nil))
 
       execute_agent
     end
@@ -420,11 +423,11 @@ describe Puppet::Application::Agent do
       @puppetd.options[:digest] = 'MD5'
 
       certificate = mock 'certificate'
-      certificate.stubs(:digest).with('MD5').returns('ABCDE')
-      @ssl_host.stubs(:certificate).returns(certificate)
+      certificate.stubs(:to_der).returns('ABCDE')
+      ssl_context = mock('ssl_context', client_cert: certificate)
+      Puppet::SSL::StateMachine.stubs(:new).with(onetime: true).returns(stub(ensure_client_certificate: ssl_context))
 
-      @ssl_host.expects(:wait_for_cert).never
-      @puppetd.expects(:puts).with('ABCDE')
+      @puppetd.expects(:puts).with('(MD5) 2E:CD:DE:39:59:05:1D:91:3F:61:B1:45:79:EA:13:6D')
 
       execute_agent
     end
@@ -473,23 +476,25 @@ describe Puppet::Application::Agent do
     it "should dispatch to fingerprint if --fingerprint is used" do
       @puppetd.options[:fingerprint] = true
 
-      @puppetd.stubs(:fingerprint)
+      @puppetd.expects(:fingerprint)
 
       execute_agent
     end
 
     it "should dispatch to onetime if --onetime is used" do
-      @puppetd.options[:onetime] = true
+      Puppet[:onetime] = true
+      Puppet::SSL::StateMachine.stubs(:new).returns(stub(ensure_client_certificate: nil))
 
-      @puppetd.stubs(:onetime)
+      @puppetd.expects(:onetime)
 
       execute_agent
     end
 
     it "should dispatch to main if --onetime and --fingerprint are not used" do
-      @puppetd.options[:onetime] = false
+      Puppet[:onetime] = false
+      Puppet::SSL::StateMachine.stubs(:new).returns(stub(ensure_client_certificate: nil))
 
-      @puppetd.stubs(:main)
+      @puppetd.expects(:main)
 
       execute_agent
     end
@@ -501,6 +506,8 @@ describe Puppet::Application::Agent do
         Puppet[:onetime] = true
         @puppetd.options[:client] = :client
         @puppetd.options[:detailed_exitcodes] = false
+
+        Puppet::SSL::StateMachine.stubs(:new).returns(stub(ensure_client_certificate: nil))
       end
 
       it "should setup traps" do
@@ -557,20 +564,11 @@ describe Puppet::Application::Agent do
       end
 
       it "should fingerprint the certificate if it exists" do
-        @ssl_host.stubs(:certificate).returns(@cert)
-        @cert.stubs(:digest).with('MD5').returns "fingerprint"
-
-        @puppetd.expects(:puts).with "fingerprint"
-
-        @puppetd.fingerprint
-      end
-
-      it "should fingerprint the certificate request if no certificate have been signed" do
-        @ssl_host.stubs(:certificate).returns(nil)
-        @ssl_host.stubs(:certificate_request).returns(@cert)
-        @cert.stubs(:digest).with('MD5').returns "fingerprint"
+        @cert.stubs(:to_der).returns('ABCDE')
+        ssl_context = mock('ssl_context', client_cert: @cert)
+        Puppet::SSL::StateMachine.stubs(:new).with(onetime: true).returns(stub(ensure_client_certificate: ssl_context))
 
-        @puppetd.expects(:puts).with "fingerprint"
+        @puppetd.expects(:puts).with('(MD5) 2E:CD:DE:39:59:05:1D:91:3F:61:B1:45:79:EA:13:6D')
 
         @puppetd.fingerprint
       end
@@ -579,6 +577,7 @@ describe Puppet::Application::Agent do
     describe "without --onetime and --fingerprint" do
       before :each do
         Puppet.stubs(:notice)
+        Puppet::SSL::StateMachine.stubs(:new).returns(stub(ensure_client_certificate: nil))
       end
 
       it "should start our daemon" do