sslcheck 0.9.0

data/spec/certificate_spec.rb

@@ -0,0 +1,134 @@
+require 'spec_helper'
+
+module SSLCheck
+  describe Certificate do
+    before(:each) do
+      @sut = Certificate.new(VALID_CERT)
+    end
+    describe 'to_h' do
+      it 'should easily turn into a hash' do
+        clock = class_double(DateTime, :now => DateTime.parse("2014-12-31 00:00:00"))
+        sut = Certificate.new(VALID_CERT, clock)
+        actual_hash = sut.to_h
+        expected_hash = {
+          :common_name       => "www.npboards.com",
+          :organization_unit => "Domain Control Validated",
+          :not_before        => DateTime.parse("Tue, 17 Jun 2014 18:16:01 +0000"),
+          :not_after         => DateTime.parse("Tue, 17 Jun 2015 18:16:01 +0000"),
+          :issued            => true,
+          :expired           => false,
+          :issuer            => {
+            :common_name  => "Go Daddy Secure Certificate Authority - G2",
+            :country      => "US",
+            :state        => "Arizona",
+            :locality     => "Scottsdale",
+            :organization => "GoDaddy.com, Inc."
+          }
+        }
+
+        expect(actual_hash).to eq(expected_hash)
+      end
+    end
+    describe 'extensions' do
+      describe 'Subject Alternate Name' do
+        context "when it has as subject alternate name extension" do
+          it 'should expose the altername names as alternate common names' do
+            sut = Certificate.new(VALID_CERT)
+
+            expect(sut.alternate_common_names).to include("www.npboards.com")
+            expect(sut.alternate_common_names).to include("npboards.com")
+          end
+        end
+        context "when it only has one alternate name in the extension" do
+          it 'should expose only that name' do
+            ext = OpenSSL::X509::Extension.new "subjectAltName", "DNS:example.com"
+            cert = OpenSSL::X509::Certificate.new VALID_CERT
+
+            allow(cert).to receive(:extensions).and_return [ext]
+            sut = Certificate.new(cert)
+
+            expect(sut.alternate_common_names).to include("example.com")
+            expect(sut.alternate_common_names).to_not include("npboards.com")
+            expect(sut.alternate_common_names).to_not include("www.npboards.com")
+          end
+        end
+        context "when it has no subject alternate name extension" do
+          it 'should expose no alternate names' do
+            cert = OpenSSL::X509::Certificate.new VALID_CERT
+            allow(cert).to receive(:extensions).and_return []
+            sut = Certificate.new(cert)
+
+            expect(sut.alternate_common_names).to eq([])
+          end
+        end
+      end
+    end
+    describe "subject" do
+      it "should expose the certificate's subject" do
+        expect(@sut.subject).to eq "/OU=Domain Control Validated/CN=www.npboards.com"
+      end
+      it "should expose the common name on the certificate" do
+        expect(@sut.common_name).to eq "www.npboards.com"
+      end
+      it "should expose the organizational unit on the certificate" do
+        expect(@sut.organizational_unit).to eq "Domain Control Validated"
+      end
+    end
+    describe "issuer" do
+      it "should expose the certificate's issuer" do
+        expect(@sut.issuer).to eq "/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2"
+      end
+      it "should expose a friendly version of the issuer" do
+        expect(@sut.issued_by).to eq "Go Daddy Secure Certificate Authority - G2"
+      end
+      it "should expose the issuer's country" do
+        expect(@sut.issuer_country).to eq "US"
+      end
+      it "should expose the issuer's state" do
+        expect(@sut.issuer_state).to eq "Arizona"
+      end
+      it "should expose the issuer's locality" do
+        expect(@sut.issuer_locality).to eq "Scottsdale"
+      end
+      it "should expose the issuer's organization" do
+        expect(@sut.issuer_organization).to eq "GoDaddy.com, Inc."
+      end
+      it "should expose the issuer's common name" do
+        expect(@sut.issuer_common_name).to eq "Go Daddy Secure Certificate Authority - G2"
+      end
+    end
+    describe "public key" do
+      it "should expose the certificate's public key" do
+        expect(@sut.public_key).to be_a OpenSSL::PKey::RSA
+      end
+    end
+    describe "verify" do
+      it "should be able to verify a certificate with the public key of another" do
+        ca_bundle = Certificate.new(CA_BUNDLE)
+        expect(@sut.verify(ca_bundle)).to be
+      end
+    end
+    describe "dates" do
+      it "should expose the certificate's issue date" do
+        expect(@sut.not_before).to eq DateTime.parse("Tue, 17 Jun 2014 18:16:01 +0000")
+      end
+      it "should expose the certificate's expiry date" do
+        expect(@sut.not_after).to eq DateTime.parse("Tue, 17 Jun 2015 18:16:01 +0000")
+      end
+    end
+    describe "expired?" do
+      it "should know if it has expired" do
+        clock = class_double(DateTime, :now => DateTime.parse("3000-01-01 00:00:00"))
+        @sut = Certificate.new(VALID_CERT, clock)
+        expect(@sut.expired?).to be
+      end
+    end
+    describe "issued?" do
+      it "should know if it has been issued" do
+        clock = class_double(DateTime, :now => DateTime.parse("3000-01-01 00:00:00"))
+        @sut = Certificate.new(VALID_CERT, clock)
+        expect(@sut.issued?).to be
+      end
+    end
+  end
+end

data/spec/check_spec.rb

@@ -0,0 +1,172 @@
+require 'spec_helper'
+
+module SSLCheck
+  describe Check do
+    before do
+      @peer_cert       = SSLCheck::Certificate.new(VALID_CERT)
+      @ca_parent       = SSLCheck::Certificate.new(CA_PARENT)
+      @ca_grand_parent = SSLCheck::Certificate.new(CA_GRAND_PARENT)
+      @ca_bundle       = [@ca_parent, @ca_grand_parent]
+    end
+
+    it 'should not be failed by default' do
+      sut = Check.new(FakeClient.new)
+      expect(sut.failed?).to_not be
+      expect(sut.errors).to be_empty
+    end
+
+    it 'should be invalid by default' do
+      sut = Check.new(FakeClient.new)
+      expect(sut.valid?).to_not be
+    end
+
+    it 'should not be done checking by default' do
+      sut = Check.new(FakeClient.new)
+      expect(sut.checked?).to_not be
+    end
+
+    describe 'checking' do
+      it 'should tell the client to get the certs' do
+        fake_client = FakeClient.new
+        @sut = Check.new(fake_client, FakeValidator.new)
+        expect(fake_client).to receive(:get).with("www.example.com").and_return(FakeClientResponse.new)
+        @sut.check('www.example.com')
+      end
+
+      it 'should expose the certificates that were found' do
+        @sut = Check.new(FakeClient.new(FakeClientResponse.new(@peer_cert, @ca_bundle)), FakeValidator.new)
+        @sut.check('www.example.com')
+        expect(@sut.peer_cert).to be
+        expect(@sut.ca_bundle).to be
+      end
+
+      it 'should expose the hostname parsed from the URL' do
+        @sut = Check.new(FakeClient.new(FakeClientResponse.new(@peer_cert, @ca_bundle, "www.example.com")), FakeValidator.new)
+        @sut.check('www.example.com')
+        expect(@sut.host_name).to eq("www.example.com")
+      end
+
+      it 'should know when the check has completed' do
+        @sut = Check.new(FakeClient.new(FakeClientResponse.new(@peer_cert, @ca_bundle)), FakeValidator.new)
+        @sut.check('www.example.com')
+        expect(@sut.checked?).to be
+      end
+
+      it 'should know what URL was checked' do
+        @sut = Check.new(FakeClient.new(FakeClientResponse.new(@peer_cert, @ca_bundle)), FakeValidator.new)
+        @sut.check('www.example.com')
+        expect(@sut.url).to eq("www.example.com")
+      end
+
+      context "when there is an error checking the certificate" do
+        it 'should not be valid' do
+          error = SSLCheck::Errors::GenericError.new({:name => :invalid_uri, :message => "Invalid URI"})
+          @sut  = Check.new(FakeClient.new(nil, [error]), FakeValidator.new)
+          @sut.check('www.example.com')
+          expect(@sut.valid?).to_not be
+        end
+        context "when the URI is malformed" do
+          it 'should add an error to the error list' do
+            error = SSLCheck::Errors::GenericError.new({:name => :invalid_uri, :message => "Invalid URI"})
+            validator = FakeValidator.new
+            @sut  = Check.new(FakeClient.new(nil, [error]), validator)
+
+            expect(validator).to_not receive(:validate)
+            @sut.check('www.example.com')
+          end
+          it 'should not try to validate the certificate' do
+            error = SSLCheck::Errors::GenericError.new({:name => :invalid_uri, :message => "Invalid URI"})
+            @sut  = Check.new(FakeClient.new(nil, [error]))
+            @sut.check('www.example.com')
+          end
+        end
+        context "when there was an OpenSSL error" do
+          it 'should add an error to the error list' do
+            error = SSLCheck::Errors::GenericError.new({:name => :openssl_error, :message => "OpenSSL Verification Error"})
+            @sut  = Check.new(FakeClient.new(nil, [error]))
+            @sut.check('www.example.com')
+            expect(@sut.errors).to eq([error])
+            expect(@sut.failed?).to be
+          end
+        end
+      end
+    end
+
+    describe 'validation' do
+      it 'should tell the validator to validate the peer certificate' do
+        validator = FakeValidator.new
+        @sut = Check.new(FakeClient.new(FakeClientResponse.new(@peer_cert, @ca_bundle)), validator)
+        expect(validator).to receive(:validate).with("www.example.com", @peer_cert, @ca_bundle)
+        @sut.check("www.example.com")
+      end
+      context "when the certificate is valid" do
+        it 'should have no errors' do
+          @sut = Check.new(FakeClient.new(FakeClientResponse.new(@peer_cert, @ca_bundle)), FakeValidator.new)
+          @sut.check('www.example.com')
+          expect(@sut.errors).to eq([])
+        end
+        it 'should be valid' do
+          @sut = Check.new(FakeClient.new(FakeClientResponse.new(@peer_cert, @ca_bundle)), FakeValidator.new)
+          @sut.check('www.example.com')
+          expect(@sut.valid?).to be
+        end
+      end
+    end
+  end
+end
+
+class FakeClient
+  def initialize(response=nil, errors=[])
+    @response = response  || FakeClientResponse.new
+    @errors = errors
+  end
+  def get(url)
+    @response
+
+    @errors.each do |error|
+      @response.errors << error
+    end
+    @response
+  end
+end
+
+class FakeClientResponse
+  def initialize(peer_cert=nil, ca_bundle=nil, host_name=nil)
+    @peer_cert = peer_cert || SSLCheck::Certificate.new(VALID_CERT)
+    @ca_bundle = ca_bundle || [SSLCheck::Certificate.new(CA_PARENT), SSLCheck::Certificate.new(CA_GRAND_PARENT)]
+    @host_name = host_name || "www.example.com"
+    @errors = []
+  end
+
+  def peer_cert
+    @peer_cert
+  end
+
+  def ca_bundle
+    @ca_bundle
+  end
+
+  def host_name
+    @host_name
+  end
+
+  def errors
+    @errors
+  end
+end
+
+
+class FakeValidator
+  def initialize(valid=true, errors=[])
+    @valid = valid
+    @errors = errors
+  end
+
+  def validate(common_name, peer_cert, ca_bundle)
+    @valid
+  end
+
+  def errors
+    @errors
+  end
+end

data/spec/common_name_validator_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+module SSLCheck
+  describe 'CommonNameValidatorSpec' do
+    before do
+      @cert = Certificate.new(VALID_CERT)
+      @ca_bundle = [Certificate.new(CA_PARENT), Certificate.new(CA_GRAND_PARENT)]
+    end
+    context "when the common name is valid" do
+      it 'should return nothing' do
+        sut = Validators::CommonName.new("npboards.com", @cert, @ca_bundle)
+        result = sut.validate
+        expect(result).to_not be
+      end
+      context "when the certificate was issued to a wildcard domain" do
+        it 'should return nothing' do
+          wildcard_cert = Certificate.new(WILDCARD_CERT)
+          sut = Validators::CommonName.new("example.squarespace.com", wildcard_cert, @ca_bundle)
+          result = sut.validate
+          expect(result).to_not be
+        end
+      end
+      context "when the certificate has alternate subject names" do
+        it 'should allow matches against the supplied common name' do
+          sut = Validators::CommonName.new("npboards.com", @cert, @ca_bundle)
+          result = sut.validate
+          expect(result).to_not be
+        end
+      end
+
+    end
+    context "when the common name is mismatched" do
+      it 'should return errors' do
+        sut = Validators::CommonName.new("example.com", @cert, @ca_bundle)
+        result = sut.validate
+        expect(result).to be_a SSLCheck::Errors::Validation::CommonNameMismatch
+      end
+    end
+  end
+end

data/spec/expiration_date_validator_spec.rb

@@ -0,0 +1,36 @@
+require 'spec_helper'
+
+module SSLCheck
+  describe 'ExpirationDateValidatorSpec' do
+    before do
+      @cert = Certificate.new(VALID_CERT)
+      @ca_bundle = [Certificate.new(CA_PARENT), Certificate.new(CA_GRAND_PARENT)]
+    end
+    context "when the expiration date is in the future" do
+      it 'should return errors' do
+        sut = Validators::ExpirationDate.new("npboards.com", @cert, @ca_bundle)
+        result = sut.validate(FutureClock.new)
+        expect(result).to be_a SSLCheck::Errors::Validation::CertificateExpired
+      end
+    end
+    context "when the expiration date is in the past" do
+      it 'should return nothing' do
+        sut = Validators::ExpirationDate.new("npboards.com", @cert, @ca_bundle)
+        result = sut.validate(PastClock.new)
+        expect(result).to_not be
+      end
+    end
+  end
+end
+
+class FutureClock
+  def now
+    DateTime.parse("3000-01-01 00:00:00")
+  end
+end
+
+class PastClock
+  def now
+    DateTime.parse("1000-01-01 00:00:00")
+  end
+end

data/spec/issue_date_validator_spec.rb

@@ -0,0 +1,36 @@
+require 'spec_helper'
+
+module SSLCheck
+  describe 'IssueDateValidatorSpec' do
+    before do
+      @cert = Certificate.new(VALID_CERT)
+      @ca_bundle = [Certificate.new(CA_PARENT), Certificate.new(CA_GRAND_PARENT)]
+    end
+    context "when the issue date is in the past" do
+      it 'should return nothing' do
+        sut = Validators::IssueDate.new("npboards.com", @cert, @ca_bundle)
+        result = sut.validate(FutureClock.new)
+        expect(result).to_not be
+      end
+    end
+    context "when the issue date is in the future" do
+      it 'should return errors' do
+        sut = Validators::IssueDate.new("npboards.com", @cert, @ca_bundle)
+        result = sut.validate(PastClock.new)
+        expect(result).to be_a SSLCheck::Errors::Validation::NotYetIssued
+      end
+    end
+  end
+end
+
+class FutureClock
+  def now
+    DateTime.parse("3000-01-01 00:00:00")
+  end
+end
+
+class PastClock
+  def now
+    DateTime.parse("1000-01-01 00:00:00")
+  end
+end

data/spec/response_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+module SSLCheck
+  describe Client::Response do
+    it 'should alias ca_bundle to peer_cert_chain' do
+      response = Client::Response.new
+      response.raw_peer_cert_chain = [CA_PARENT, CA_GRAND_PARENT]
+      expect(response.ca_bundle).to be
+      expect(response.ca_bundle.first.to_s).to eq(Certificate.new(CA_PARENT).to_s)
+      expect(response.ca_bundle.last.to_s).to eq(Certificate.new(CA_GRAND_PARENT).to_s)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,100 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause
+# this file to always be loaded, without a need to explicitly require it in any
+# files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need
+# it.
+
+require 'simplecov'
+SimpleCov.start do
+  add_filter "/spec/"
+end
+
+require_relative '../lib/sslcheck'
+require 'cert_fixtures'
+
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+=begin
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+  #   - http://teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+=end
+end