trocla 0.1.2 → 0.2.0

data/spec/trocla/encryptions/none_spec.rb

@@ -0,0 +1,22 @@
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+describe "Trocla::Encryptions::None" do
+
+  before(:each) do
+    expect_any_instance_of(Trocla).to receive(:read_config).and_return(test_config_persistent)
+    @trocla = Trocla.new
+  end
+
+  after(:each) do
+    remove_yaml_store
+  end
+
+  describe "none" do
+    include_examples 'encryption_basics'
+
+    it "stores plaintext passwords" do
+      @trocla.set_password('noplain', 'plain', 'plaintext_password')
+      expect(File.readlines(trocla_yaml_file).grep(/plaintext_password/)).to eq(["  plain: plaintext_password\n"])
+    end
+  end
+end

data/spec/trocla/encryptions/ssl_spec.rb

@@ -20,37 +20,7 @@ describe "Trocla::Encryptions::Ssl" do
   end
 
   describe "encrypt" do
-    it "should be able to store random passwords" do
-      @trocla.password('random1', 'plain').length.should eql(12)
-    end
-
-    it "should be able to store long random passwords" do
-      @trocla.set_password('random1_long','plain',4096.times.collect{|s| 'x' }.join('')).length.should eql(4096)
-    end
-
-    it "should be able to retrieve stored random passwords" do
-      stored = @trocla.password('random1', 'plain')
-      retrieved = @trocla.password('random1', 'plain')
-      retrieved_again = @trocla.password('random1', 'plain')
-      retrieved.should eql(stored)
-      retrieved_again.should eql(stored)
-    end
-
-    it "should be able to read encrypted passwords" do
-      @trocla.set_password('some_pass', 'plain', 'super secret')
-      @trocla.get_password('some_pass', 'plain').should eql('super secret')
-    end
-
-    it "should not store plaintext passwords" do
-      @trocla.set_password('noplain', 'plain', 'plaintext_password')
-      File.readlines(trocla_yaml_file).grep(/plaintext_password/).should be_empty
-    end
-
-    it "should make sure identical passwords do not match when stored" do
-      @trocla.set_password('one_key', 'plain', 'super secret')
-      @trocla.set_password('another_key', 'plain', 'super secret')
-      yaml = YAML.load_file(trocla_yaml_file)
-      yaml['one_key']['plain'].should_not eql(yaml['another_key']['plain'])
-    end
+    include_examples 'encryption_basics'
+    include_examples 'verify_encryption'
   end
 end

data/spec/trocla/formats/x509_spec.rb

@@ -0,0 +1,295 @@
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+require 'date'
+
+describe "Trocla::Format::X509" do
+
+  before(:each) do
+    expect_any_instance_of(Trocla).to receive(:read_config).and_return(test_config)
+    @trocla = Trocla.new
+  end
+
+  let(:ca_options) do
+    {
+      'CN'        => 'This is my self-signed certificate which doubles as CA',
+      'become_ca' => true,
+    }
+  end
+  let(:cert_options) do
+    {
+      'ca'       => 'my_shiny_selfsigned_ca',
+      'subject'  => '/C=ZZ/O=Trocla Inc./CN=test/emailAddress=example@example.com',
+    }
+  end
+
+  def verify(ca,cert)
+    store =  OpenSSL::X509::Store.new
+    store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+    Array(ca).each do |c|
+      store.add_cert(c)
+    end
+    store.verify(cert)
+  end
+
+  describe "x509 selfsigned" do
+    it "is able to create self signed cert without being a ca by default" do
+      cert_str = @trocla.password('my_shiny_selfsigned_ca', 'x509', {
+        'CN'        => 'This is my self-signed certificate',
+        'become_ca' => false,
+      })
+      cert = OpenSSL::X509::Certificate.new(cert_str)
+      # selfsigned?
+      expect(cert.issuer.to_s).to eq(cert.subject.to_s)
+      # default size
+      # https://stackoverflow.com/questions/13747212/determine-key-size-from-public-key-pem-format
+      expect(cert.public_key.n.num_bytes * 8).to eq(4096)
+      expect((Date.parse(cert.not_after.to_s) - Date.today).to_i).to eq(365)
+      # it's a self signed cert and NOT a CA
+      expect(verify(cert,cert)).to be false
+
+      v = cert.extensions.find{|e| e.oid == 'basicConstraints' }.value
+      expect(v).to eq('CA:FALSE')
+      # we want to include only CNs that look like a DNS name
+      expect(cert.extensions.find{|e| e.oid == 'subjectAltName' }).to be_nil
+      ku = cert.extensions.find{|e| e.oid == 'keyUsage' }.value
+      expect(ku).not_to match(/Certificate Sign/)
+      expect(ku).not_to match(/CRL Sign/)
+    end
+
+    it "is able to create a self signed cert that is a CA" do
+      ca_str = @trocla.password('my_shiny_selfsigned_ca', 'x509', ca_options)
+      ca = OpenSSL::X509::Certificate.new(ca_str)
+      # selfsigned?
+      expect(ca.issuer.to_s).to eq(ca.subject.to_s)
+      expect((Date.parse(ca.not_after.to_s) - Date.today).to_i).to eq(365)
+      expect(verify(ca,ca)).to be true
+
+      v = ca.extensions.find{|e| e.oid == 'basicConstraints' }.value
+      expect(v).to eq('CA:TRUE')
+      ku = ca.extensions.find{|e| e.oid == 'keyUsage' }.value
+      expect(ku).to match(/Certificate Sign/)
+      expect(ku).to match(/CRL Sign/)
+    end
+
+  end
+  describe "x509 signed by a ca" do
+    before(:each) do
+      ca_str = @trocla.password('my_shiny_selfsigned_ca', 'x509', ca_options)
+      @ca = OpenSSL::X509::Certificate.new(ca_str)
+    end
+    it 'is able to get a cert signed by the ca' do
+      cert_str = @trocla.password('mycert', 'x509', cert_options)
+      cert = OpenSSL::X509::Certificate.new(cert_str)
+      expect(cert.issuer.to_s).to eq(@ca.subject.to_s)
+      expect((Date.parse(cert.not_after.to_s) - Date.today).to_i).to eq(365)
+      expect(verify(@ca,cert)).to be true
+
+      v = cert.extensions.find{|e| e.oid == 'basicConstraints' }.value
+      expect(v).to eq('CA:FALSE')
+      ku = cert.extensions.find{|e| e.oid == 'keyUsage' }.value
+      expect(ku).not_to match(/Certificate Sign/)
+      expect(ku).not_to match(/CRL Sign/)
+    end
+
+    it 'does not simply increment the serial' do
+      cert_str = @trocla.password('mycert', 'x509', cert_options)
+      cert1 = OpenSSL::X509::Certificate.new(cert_str)
+      cert_str = @trocla.password('mycert2', 'x509', cert_options)
+      cert2 = OpenSSL::X509::Certificate.new(cert_str)
+
+      expect(cert1.serial.to_i).not_to eq(1)
+      expect(cert2.serial.to_i).not_to eq(2)
+      expect((cert2.serial - cert1.serial).to_i).not_to eq(1)
+    end
+
+    it 'is able to get a cert signed by the ca that is again a ca' do
+      cert_str = @trocla.password('mycert', 'x509', cert_options.merge({
+        'become_ca' => true,
+      }))
+      cert = OpenSSL::X509::Certificate.new(cert_str)
+      expect(cert.issuer.to_s).to eq(@ca.subject.to_s)
+      expect((Date.parse(cert.not_after.to_s) - Date.today).to_i).to eq(365)
+      expect(verify(@ca,cert)).to be true
+
+      expect(cert.extensions.find{|e| e.oid == 'basicConstraints' }.value).to eq('CA:TRUE')
+      ku = cert.extensions.find{|e| e.oid == 'keyUsage' }.value
+      expect(ku).to match(/Certificate Sign/)
+      expect(ku).to match(/CRL Sign/)
+    end
+
+    it 'supports simple name constraints for CAs' do
+      ca2_str = @trocla.password('mycert_with_nc', 'x509', cert_options.merge({
+        'name_constraints' => ['example.com','bla.example.net'],
+        'become_ca' => true,
+      }))
+      ca2 = OpenSSL::X509::Certificate.new(ca2_str)
+      expect(ca2.issuer.to_s).to eq(@ca.subject.to_s)
+      expect((Date.parse(ca2.not_after.to_s) - Date.today).to_i).to eq(365)
+      pending_for(:engine => 'jruby',:reason => 'NameConstraints verification seem to be broken in jRuby: https://github.com/jruby/jruby/issues/3502') do
+        expect(verify(@ca,ca2)).to be true
+      end
+
+      expect(ca2.extensions.find{|e| e.oid == 'basicConstraints' }.value).to eq('CA:TRUE')
+      ku = ca2.extensions.find{|e| e.oid == 'keyUsage' }.value
+      expect(ku).to match(/Certificate Sign/)
+      expect(ku).to match(/CRL Sign/)
+      nc = ca2.extensions.find{|e| e.oid == 'nameConstraints' }.value
+      pending_for(:engine => 'jruby',:reason => 'NameConstraints verification seem to be broken in jRuby: https://github.com/jruby/jruby/issues/3502') do
+        expect(nc).to match(/Permitted:\n  DNS:example.com\n  DNS:bla.example.net/)
+      end
+      valid_cert_str = @trocla.password('myvalidexamplecert','x509', {
+        'subject'  => '/C=ZZ/O=Trocla Inc./CN=foo.example.com/emailAddress=example@example.com',
+        'ca' => 'mycert_with_nc'
+      })
+      valid_cert = OpenSSL::X509::Certificate.new(valid_cert_str)
+      expect(valid_cert.issuer.to_s).to eq(ca2.subject.to_s)
+      expect(verify([@ca,ca2],valid_cert)).to be true
+      expect((Date.parse(valid_cert.not_after.to_s) - Date.today).to_i).to eq(365)
+
+      false_cert_str = @trocla.password('myfalseexamplecert','x509', {
+        'subject'  => '/C=ZZ/O=Trocla Inc./CN=foo.example.net/emailAddress=example@example.com',
+        'ca' => 'mycert_with_nc'
+      })
+
+      false_cert = OpenSSL::X509::Certificate.new(false_cert_str)
+      expect(false_cert.issuer.to_s).to eq(ca2.subject.to_s)
+      expect(verify([@ca,ca2],false_cert)).to be false
+      expect((Date.parse(false_cert.not_after.to_s) - Date.today).to_i).to eq(365)
+    end
+
+    it 'supports simple name constraints for CAs with leading dots' do
+      ca2_str = @trocla.password('mycert_with_nc', 'x509', cert_options.merge({
+        'name_constraints' => ['.example.com','.bla.example.net'],
+        'become_ca' => true,
+      }))
+      ca2 = OpenSSL::X509::Certificate.new(ca2_str)
+      expect(ca2.issuer.to_s).to eq(@ca.subject.to_s)
+      expect((Date.parse(ca2.not_after.to_s) - Date.today).to_i).to eq(365)
+      pending_for(:engine => 'jruby',:reason => 'NameConstraints verification seem to be broken in jRuby: https://github.com/jruby/jruby/issues/3502') do
+        expect(verify(@ca,ca2)).to be true
+      end
+
+      expect(ca2.extensions.find{|e| e.oid == 'basicConstraints' }.value).to eq('CA:TRUE')
+      ku = ca2.extensions.find{|e| e.oid == 'keyUsage' }.value
+      expect(ku).to match(/Certificate Sign/)
+      expect(ku).to match(/CRL Sign/)
+      nc = ca2.extensions.find{|e| e.oid == 'nameConstraints' }.value
+      expect(nc).to match(/Permitted:\n  DNS:.example.com\n  DNS:.bla.example.net/)
+      valid_cert_str = @trocla.password('myvalidexamplecert','x509', {
+        'subject'  => '/C=ZZ/O=Trocla Inc./CN=foo.example.com/emailAddress=example@example.com',
+        'ca' => 'mycert_with_nc'
+      })
+      valid_cert = OpenSSL::X509::Certificate.new(valid_cert_str)
+      expect(valid_cert.issuer.to_s).to eq(ca2.subject.to_s)
+      expect((Date.parse(valid_cert.not_after.to_s) - Date.today).to_i).to eq(365)
+      # workaround broken openssl
+      if %x{openssl version} =~ /1\.0\.[2-9]/
+        expect(verify([@ca,ca2],valid_cert)).to be true
+      else
+        skip_for(:engine => 'ruby',:reason => 'NameConstraints verification is broken on older openssl versions https://rt.openssl.org/Ticket/Display.html?id=3562') do
+          expect(verify([@ca,ca2],valid_cert)).to be true
+        end
+      end
+
+      false_cert_str = @trocla.password('myfalseexamplecert','x509', {
+        'subject'  => '/C=ZZ/O=Trocla Inc./CN=foo.example.net/emailAddress=example@example.com',
+        'ca' => 'mycert_with_nc'
+      })
+      false_cert = OpenSSL::X509::Certificate.new(false_cert_str)
+      expect(false_cert.issuer.to_s).to eq(ca2.subject.to_s)
+      expect((Date.parse(false_cert.not_after.to_s) - Date.today).to_i).to eq(365)
+      expect(verify([@ca,ca2],false_cert)).to be false
+    end
+
+    it 'is able to get a cert signed by the ca that is again a ca that is able to sign certs' do
+      ca2_str = @trocla.password('mycert_and_ca', 'x509', cert_options.merge({
+        'become_ca' => true,
+      }))
+      ca2 = OpenSSL::X509::Certificate.new(ca2_str)
+      expect(ca2.issuer.to_s).to eq(@ca.subject.to_s)
+      expect((Date.parse(ca2.not_after.to_s) - Date.today).to_i).to eq(365)
+      expect(verify(@ca,ca2)).to be true
+
+      cert2_str = @trocla.password('mycert', 'x509', {
+        'ca'        => 'mycert_and_ca',
+        'subject'   => '/C=ZZ/O=Trocla Inc./CN=test2/emailAddress=example@example.com',
+        'become_ca' => true,
+      })
+      cert2 = OpenSSL::X509::Certificate.new(cert2_str)
+      expect(cert2.issuer.to_s).to eq(ca2.subject.to_s)
+      expect((Date.parse(cert2.not_after.to_s) - Date.today).to_i).to eq(365)
+      skip_for(:engine => 'jruby',:reason => 'Chained CA validation seems to be broken on jruby atm.') do
+        expect(verify([@ca,ca2],cert2)).to be true
+      end
+    end
+
+    it 'respects all options' do
+      co = cert_options.merge({
+        'hash'         => 'sha1',
+        'keysize'      => 2048,
+        'days'         => 3650,
+        'subject'      => nil,
+        'C'            => 'AA',
+        'ST'           => 'Earth',
+        'L'            => 'Here',
+        'O'            => 'SSLTrocla',
+        'OU'           => 'root',
+        'CN'           => 'www.test',
+        'emailAddress' => 'test@example.com',
+        'altnames'     => [ 'test', 'test1', 'test2', 'test3' ],
+      })
+      cert_str = @trocla.password('mycert', 'x509', co)
+      cert = OpenSSL::X509::Certificate.new(cert_str)
+      expect(cert.issuer.to_s).to eq(@ca.subject.to_s)
+      ['C','ST','L','O','OU','CN'].each do |field|
+        expect(cert.subject.to_s).to match(/#{field}=#{co[field]}/)
+      end
+      expect(cert.subject.to_s).to match(/(Email|emailAddress)=#{co['emailAddress']}/)
+      hash_match = (defined?(RUBY_ENGINE) &&RUBY_ENGINE == 'jruby') ? 'RSA-SHA1' : 'sha1WithRSAEncryption'
+      expect(cert.signature_algorithm).to eq(hash_match)
+      expect(cert.not_before).to be < Time.now
+      expect((Date.parse(cert.not_after.to_s) - Date.today).to_i).to eq(3650)
+      # https://stackoverflow.com/questions/13747212/determine-key-size-from-public-key-pem-format
+      expect(cert.public_key.n.num_bytes * 8).to eq(2048)
+      expect(verify(@ca,cert)).to be true
+      expect(cert.extensions.find{|e| e.oid == 'subjectAltName' }.value).to eq('DNS:www.test, DNS:test, DNS:test1, DNS:test2, DNS:test3')
+
+      expect(cert.extensions.find{|e| e.oid == 'basicConstraints' }.value).to eq('CA:FALSE')
+      ku = cert.extensions.find{|e| e.oid == 'keyUsage' }.value
+      expect(ku).not_to match(/Certificate Sign/)
+      expect(ku).not_to match(/CRL Sign/)
+    end
+
+    it 'shold not add subject alt name on empty array' do
+      co = cert_options.merge({
+        'CN'           => 'www.test',
+        'altnames'     => []
+      })
+      cert_str = @trocla.password('mycert', 'x509', co)
+      cert = OpenSSL::X509::Certificate.new(cert_str)
+      expect(cert.issuer.to_s).to eq(@ca.subject.to_s)
+      expect((Date.parse(cert.not_after.to_s) - Date.today).to_i).to eq(365)
+      expect(verify(@ca,cert)).to be true
+      expect(cert.extensions.find{|e| e.oid == 'subjectAltName' }).to be_nil
+    end
+
+    it 'prefers full subject of single subject parts' do
+      co = cert_options.merge({
+        'C'            => 'AA',
+        'ST'           => 'Earth',
+        'L'            => 'Here',
+        'O'            => 'SSLTrocla',
+        'OU'           => 'root',
+        'CN'           => 'www.test',
+        'emailAddress' => 'test@example.net',
+      })
+      cert_str = @trocla.password('mycert', 'x509', co)
+      cert = OpenSSL::X509::Certificate.new(cert_str)
+      ['C','ST','L','O','OU','CN'].each do |field|
+        expect(cert.subject.to_s).not_to match(/#{field}=#{co[field]}/)
+      end
+      expect(cert.subject.to_s).not_to match(/(Email|emailAddress)=#{co['emailAddress']}/)
+      expect((Date.parse(cert.not_after.to_s) - Date.today).to_i).to eq(365)
+      expect(verify(@ca,cert)).to be true
+    end
+  end
+end

data/spec/trocla/store/memory_spec.rb

@@ -0,0 +1,6 @@
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+require 'trocla/stores/memory'
+describe Trocla::Stores::Memory do
+  include_examples 'store_validation', Trocla::Stores::Memory.new({},nil)
+end

data/spec/trocla/store/moneta_spec.rb

@@ -0,0 +1,6 @@
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+require 'trocla/stores/moneta'
+describe Trocla::Stores::Moneta do
+  include_examples 'store_validation', Trocla::Stores::Moneta.new({'adapter' => :Memory},{:expires => true})
+end

data/spec/trocla/util_spec.rb

@@ -4,31 +4,43 @@ describe "Trocla::Util" do
 
   { :random_str => 12, :salt => 8 }.each do |m,length|
     describe m do
-      it "should be random" do
-        Trocla::Util.send(m).should_not eql(Trocla::Util.send(m))
+      it "is random" do
+        expect(Trocla::Util.send(m)).not_to eq(Trocla::Util.send(m))
       end
 
-      it "should default to length #{length}" do
-        Trocla::Util.send(m).length.should == length
+      it "defaults to length #{length}" do
+        expect(Trocla::Util.send(m).length).to eq(length)
       end
 
-      it "should be possible to change length" do
-        Trocla::Util.send(m,8).length.should == 8
-        Trocla::Util.send(m,32).length.should == 32
-        Trocla::Util.send(m,1).length.should == 1
+      it "is possible to change length" do
+        expect(Trocla::Util.send(m,8).length).to eq(8)
+        expect(Trocla::Util.send(m,32).length).to eq(32)
+        expect(Trocla::Util.send(m,1).length).to eq(1)
       end
     end
   end
 
   describe :numeric_generator do
-    it "should create random numeric password" do
-      Trocla::Util.send(:random_str, 12, 'numeric' ).should =~ /^[0-9]{12}$/
+    10.times.each do |i|
+      it "creates random numeric password #{i}" do
+        expect(Trocla::Util.random_str(12, 'numeric')).to match(/^[0-9]{12}$/)
+      end
+    end
+  end
+
+  describe :hexadecimal_generator do
+    10.times.each do |i|
+      it "creates random hexadecimal password #{i}" do
+        expect(Trocla::Util.random_str(12, 'hexadecimal')).to match(/^[0-9a-f]{12}$/)
+      end
     end
   end
 
   describe :salt do
-    it "should only contain characters and numbers" do
-      Trocla::Util.salt =~ /^[a-z0-9]+$/i
+    10.times.each do |i|
+      it "contains only characters and numbers #{i}" do
+        expect(Trocla::Util.salt).to match(/^[a-z0-9]+$/i)
+      end
     end
   end
 end

data/spec/trocla_spec.rb

@@ -1,128 +1,161 @@
 require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
 
 describe "Trocla" do
-  
+
   before(:each) do
     expect_any_instance_of(Trocla).to receive(:read_config).and_return(test_config)
     @trocla = Trocla.new
   end
-  
+
   describe "password" do
-    it "should generate random passwords by default" do
-      @trocla.password('random1','plain').should_not eql(@trocla.password('random2','plain'))
+    it "generates random passwords by default" do
+      expect(@trocla.password('random1','plain')).not_to eq(@trocla.password('random2','plain'))
     end
 
-    it "should generate passwords of length #{default_config['options']['length']}" do
-      @trocla.password('random1','plain').length.should eql(default_config['options']['length'])
+    it "generates passwords of length #{default_config['options']['length']}" do
+      expect(@trocla.password('random1','plain').length).to eq(default_config['options']['length'])
     end
-    
+
     Trocla::Formats.all.each do |format|
       describe "#{format} password format" do
-        it "should return a password hashed in the #{format} format" do
-          @trocla.password('some_test',format,format_options[format]).should_not be_empty
+        it "retursn a password hashed in the #{format} format" do
+          expect(@trocla.password('some_test',format,format_options[format])).not_to be_empty
         end
-        
-        it "should return the same hashed for the #{format} format on multiple invocations" do
-          (round1=@trocla.password('some_test',format,format_options[format])).should_not be_empty
-          @trocla.password('some_test',format,format_options[format]).should eql(round1)
+
+        it "returns the same hashed for the #{format} format on multiple invocations" do
+          expect(round1=@trocla.password('some_test',format,format_options[format])).not_to be_empty
+          expect(@trocla.password('some_test',format,format_options[format])).to eq(round1)
         end
-        
-        it "should also store the plain password by default" do
+
+        it "also stores the plain password by default" do
           pwd = @trocla.password('some_test','plain')
-          pwd.should_not be_empty
-          pwd.length.should eql(12)
+          expect(pwd).not_to be_empty
+          expect(pwd.length).to eq(16)
         end
       end
     end
-    
+
     Trocla::Formats.all.reject{|f| f == 'plain' }.each do |format|
-      it "should raise an exception if not a random password is asked but plain password is not present for format #{format}" do
-        lambda{ @trocla.password('not_random',format, 'random' => false) }.should raise_error
+      it "raises an exception if not a random password is asked but plain password is not present for format #{format}" do
+        expect{@trocla.password('not_random',format, 'random' => false)}.to raise_error(/Password must be present as plaintext/)
+      end
+    end
+
+    describe 'with profiles' do
+      it 'raises an exception on unknown profile' do
+        expect{@trocla.password('no profile known','plain',
+          'profiles' => 'unknown_profile') }.to raise_error(/No such profile unknown_profile defined/)
+      end
+
+      it 'takes a profile and merge its options' do
+        pwd = @trocla.password('some_test','plain', 'profiles' => 'rootpw')
+        expect(pwd).not_to be_empty
+        expect(pwd.length).to eq(32)
+        expect(pwd).to_not match(/[={}\[\]\?%\*()&!]+/)
+      end
+
+      it 'is possible to combine profiles but first profile wins' do
+        pwd = @trocla.password('some_test','plain', 'profiles' => ['rootpw','login'])
+        expect(pwd).not_to be_empty
+        expect(pwd.length).to eq(32)
+        expect(pwd).not_to match(/[={}\[\]\?%\*()&!]+/)
+      end
+      it 'is possible to combine profiles but first profile wins 2' do
+        pwd = @trocla.password('some_test','plain', 'profiles' => ['login','mysql'])
+        expect(pwd).not_to be_empty
+        expect(pwd.length).to eq(16)
+        expect(pwd).not_to match(/[={}\[\]\?%\*()&!]+/)
+      end
+      it 'is possible to combine profiles but first profile wins 3' do
+        pwd = @trocla.password('some_test','plain', 'profiles' => ['mysql','login'])
+        expect(pwd).not_to be_empty
+        expect(pwd.length).to eq(32)
+        expect(pwd).to match(/[+%\/@=\?_.,:]+/)
       end
     end
   end
-  
+
   describe "set_password" do
-    it "should reset hashed passwords on a new plain password" do
-      @trocla.password('set_test','mysql').should_not be_empty
-      @trocla.get_password('set_test','mysql').should_not be_nil
-      (old_plain=@trocla.password('set_test','mysql')).should_not be_empty
-      
-      @trocla.set_password('set_test','plain','foobar').should_not eql(old_plain)
-      @trocla.get_password('set_test','mysql').should be_nil
+    it "resets hashed passwords on a new plain password" do
+      expect(@trocla.password('set_test','mysql')).not_to be_empty
+      expect(@trocla.get_password('set_test','mysql')).not_to be_nil
+      expect(old_plain=@trocla.password('set_test','mysql')).not_to be_empty
+
+      expect(@trocla.set_password('set_test','plain','foobar')).not_to eq(old_plain)
+      expect(@trocla.get_password('set_test','mysql')).to be_nil
     end
-    
-    it "should otherwise only update the hash" do
-      (mysql = @trocla.password('set_test2','mysql')).should_not be_empty
-      (md5crypt = @trocla.password('set_test2','md5crypt')).should_not be_empty
-      (plain = @trocla.get_password('set_test2','plain')).should_not be_empty
-      
-      (new_mysql = @trocla.set_password('set_test2','mysql','foo')).should_not eql(mysql)
-      @trocla.get_password('set_test2','mysql').should eql(new_mysql)
-      @trocla.get_password('set_test2','md5crypt').should eql(md5crypt)
-      @trocla.get_password('set_test2','plain').should eql(plain)
+
+    it "otherwise updates only the hash" do
+      expect(mysql = @trocla.password('set_test2','mysql')).not_to be_empty
+      expect(md5crypt = @trocla.password('set_test2','md5crypt')).not_to be_empty
+      expect(plain = @trocla.get_password('set_test2','plain')).not_to be_empty
+
+      expect(new_mysql = @trocla.set_password('set_test2','mysql','foo')).not_to eql(mysql)
+      expect(@trocla.get_password('set_test2','mysql')).to eq(new_mysql)
+      expect(@trocla.get_password('set_test2','md5crypt')).to eq(md5crypt)
+      expect(@trocla.get_password('set_test2','plain')).to eq(plain)
     end
   end
-  
+
   describe "reset_password" do
-    it "should reset a password" do
+    it "resets a password" do
       plain1 = @trocla.password('reset_pwd','plain')
       plain2 = @trocla.reset_password('reset_pwd','plain')
-      
-      plain1.should_not eql(plain2)
+
+      expect(plain1).not_to eq(plain2)
     end
-    
-    it "should not reset other formats" do
-      (mysql = @trocla.password('reset_pwd2','mysql')).should_not be_empty
-      (md5crypt1 = @trocla.password('reset_pwd2','md5crypt')).should_not be_empty
-      
-      (md5crypt2 = @trocla.reset_password('reset_pwd2','md5crypt')).should_not be_empty
-      md5crypt2.should_not eql(md5crypt1)
-      
-      @trocla.get_password('reset_pwd2','mysql').should eql(mysql)
+
+    it "does not reset other formats" do
+      expect(mysql = @trocla.password('reset_pwd2','mysql')).not_to be_empty
+      expect(md5crypt1 = @trocla.password('reset_pwd2','md5crypt')).not_to be_empty
+
+      expect(md5crypt2 = @trocla.reset_password('reset_pwd2','md5crypt')).not_to be_empty
+      expect(md5crypt2).not_to eq(md5crypt1)
+
+      expect(@trocla.get_password('reset_pwd2','mysql')).to eq(mysql)
     end
   end
-  
+
   describe "delete_password" do
-    it "should delete all passwords if no format is given" do
-      @trocla.password('delete_test1','mysql').should_not be_nil
-      @trocla.get_password('delete_test1','plain').should_not be_nil
-      
+    it "deletes all passwords if no format is given" do
+      expect(@trocla.password('delete_test1','mysql')).not_to be_nil
+      expect(@trocla.get_password('delete_test1','plain')).not_to be_nil
+
       @trocla.delete_password('delete_test1')
-      @trocla.get_password('delete_test1','plain').should be_nil
-      @trocla.get_password('delete_test1','mysql').should be_nil
+      expect(@trocla.get_password('delete_test1','plain')).to be_nil
+      expect(@trocla.get_password('delete_test1','mysql')).to be_nil
     end
-    
-    it "should delete only a given format" do
-      @trocla.password('delete_test2','mysql').should_not be_nil
-      @trocla.get_password('delete_test2','plain').should_not be_nil
-      
+
+    it "deletes only a given format" do
+      expect(@trocla.password('delete_test2','mysql')).not_to be_nil
+      expect(@trocla.get_password('delete_test2','plain')).not_to be_nil
+
       @trocla.delete_password('delete_test2','plain')
-      @trocla.get_password('delete_test2','plain').should be_nil
-      @trocla.get_password('delete_test2','mysql').should_not be_nil
+      expect(@trocla.get_password('delete_test2','plain')).to be_nil
+      expect(@trocla.get_password('delete_test2','mysql')).not_to be_nil
     end
-    
-    it "should delete only a given non-plain format" do
-      @trocla.password('delete_test3','mysql').should_not be_nil
-      @trocla.get_password('delete_test3','plain').should_not be_nil
-      
+
+    it "deletes only a given non-plain format" do
+      expect(@trocla.password('delete_test3','mysql')).not_to be_nil
+      expect(@trocla.get_password('delete_test3','plain')).not_to be_nil
+
       @trocla.delete_password('delete_test3','mysql')
-      @trocla.get_password('delete_test3','mysql').should be_nil
-      @trocla.get_password('delete_test3','plain').should_not be_nil
+      expect(@trocla.get_password('delete_test3','mysql')).to be_nil
+      expect(@trocla.get_password('delete_test3','plain')).not_to be_nil
     end
   end
-  
+
   def format_options
     @format_options ||= Hash.new({}).merge({
       'pgsql' => { 'username' => 'test' },
       'x509'  => { 'CN' => 'test' },
     })
   end
-  
+
 end
 
 describe "VERSION" do
-  it "should return a version" do
-    Trocla::VERSION::STRING.should_not be_empty
+  it "returns a version" do
+    expect(Trocla::VERSION::STRING).not_to be_empty
   end
 end