1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
|
require 'spec_helper'
require 'puppet/application/ssl'
require 'openssl'
require 'puppet/test_ca'
describe Puppet::Application::Ssl, unless: Puppet::Util::Platform.jruby? do
include PuppetSpec::Files
let(:ssl) do
app = Puppet::Application[:ssl]
app.options[:verbose] = true
app.setup_logs
app
end
let(:name) { 'ssl-client' }
before :all do
@ca = Puppet::TestCa.new
@ca_cert = @ca.ca_cert
@crl = @ca.ca_crl
@host = @ca.generate('ssl-client', {})
end
before do
Puppet.settings.use(:main)
Puppet[:certname] = name
Puppet[:vardir] = tmpdir("ssl_testing")
# Host assumes ca cert and crl are present
File.write(Puppet[:localcacert], @ca_cert.to_pem)
File.write(Puppet[:hostcrl], @crl.to_pem)
# Setup our ssl client
File.write(Puppet[:hostprivkey], @host[:private_key].to_pem)
File.write(Puppet[:hostpubkey], @host[:private_key].public_key.to_pem)
end
def expects_command_to_pass(expected_output = nil)
expect {
ssl.run_command
}.to output(expected_output).to_stdout
end
def expects_command_to_fail(message)
expect {
expect {
ssl.run_command
}.to raise_error(Puppet::Error, message)
}.to output(/.*/).to_stdout
end
shared_examples_for 'an ssl action' do
it 'downloads the CA bundle first when missing' do
File.delete(Puppet[:localcacert])
stub_request(:get, %r{puppet-ca/v1/certificate/ca}).to_return(status: 200, body: @ca.ca_cert.to_pem)
stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
expects_command_to_pass
expect(File.read(Puppet[:localcacert])).to eq(@ca.ca_cert.to_pem)
end
it 'downloads the CRL bundle first when missing' do
File.delete(Puppet[:hostcrl])
stub_request(:get, %r{puppet-ca/v1/certificate_revocation_list/ca}).to_return(status: 200, body: @crl.to_pem)
stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
expects_command_to_pass
expect(File.read(Puppet[:hostcrl])).to eq(@crl.to_pem)
end
end
it 'uses the agent run mode' do
# make sure the ssl app resolves certname, server, etc
# the same way the agent application does
expect(ssl.class.run_mode.name).to eq(:agent)
end
context 'when generating help' do
it 'prints a message when an unknown action is specified' do
ssl.command_line.args << 'whoops'
expects_command_to_fail(/Unknown action 'whoops'/)
end
it 'prints a message requiring an action to be specified' do
expects_command_to_fail(/An action must be specified/)
end
end
context 'when submitting a CSR' do
let(:csr_path) { Puppet[:hostcsr] }
before do
ssl.command_line.args << 'submit_request'
end
it_behaves_like 'an ssl action'
it 'generates an RSA private key' do
File.unlink(Puppet[:hostprivkey])
stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
expects_command_to_pass(%r{Submitted certificate request for '#{name}' to https://.*})
end
it 'generates an EC private key' do
Puppet[:key_type] = 'ec'
File.unlink(Puppet[:hostprivkey])
stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
expects_command_to_pass(%r{Submitted certificate request for '#{name}' to https://.*})
end
it 'registers OIDs' do
stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
expect(Puppet::SSL::Oids).to receive(:register_puppet_oids)
expects_command_to_pass(%r{Submitted certificate request for '#{name}' to https://.*})
end
it 'submits the CSR and saves it locally' do
stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
expects_command_to_pass(%r{Submitted certificate request for '#{name}' to https://.*})
expect(Puppet::FileSystem).to be_exist(csr_path)
end
it 'detects when a CSR with the same public key has already been submitted' do
stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
expects_command_to_pass(%r{Submitted certificate request for '#{name}' to https://.*})
stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
expects_command_to_pass
end
it 'downloads the certificate when autosigning is enabled' do
stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
expects_command_to_pass(%r{Submitted certificate request for '#{name}' to https://.*})
expect(Puppet::FileSystem).to be_exist(Puppet[:hostcert])
expect(Puppet::FileSystem).to_not be_exist(csr_path)
end
it 'accepts dns alt names' do
Puppet[:dns_alt_names] = 'majortom'
stub_request(:put, %r{puppet-ca/v1/certificate_request/#{name}}).to_return(status: 200)
stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
expects_command_to_pass
csr = Puppet::SSL::CertificateRequest.new(name)
csr.read(csr_path)
expect(csr.subject_alt_names).to include('DNS:majortom')
end
end
context 'when downloading a certificate' do
before do
ssl.command_line.args << 'download_cert'
end
it_behaves_like 'an ssl action'
it 'downloads a new cert' do
stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
expects_command_to_pass(%r{Downloaded certificate '#{name}' with fingerprint .*})
expect(File.read(Puppet[:hostcert])).to eq(@host[:cert].to_pem)
end
it 'overwrites an existing cert' do
File.write(Puppet[:hostcert], "existing certificate")
stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
expects_command_to_pass(%r{Downloaded certificate '#{name}' with fingerprint .*})
expect(File.read(Puppet[:hostcert])).to eq(@host[:cert].to_pem)
end
it "reports an error if the downloaded cert's public key doesn't match our private key" do
File.write(Puppet[:hostcert], "existing cert")
# generate a new host key, whose public key doesn't match the cert
private_key = OpenSSL::PKey::RSA.new(512)
File.write(Puppet[:hostprivkey], private_key.to_pem)
File.write(Puppet[:hostpubkey], private_key.public_key.to_pem)
stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 200, body: @host[:cert].to_pem)
expects_command_to_fail(
%r{^Failed to download certificate: The certificate for 'CN=ssl-client' does not match its private key}
)
end
it "prints a message if there isn't a cert to download" do
stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_return(status: 404)
expects_command_to_fail(/The certificate for '#{name}' has not yet been signed/)
end
end
context 'when verifying' do
before do
ssl.command_line.args << 'verify'
File.write(Puppet[:hostcert], @host[:cert].to_pem)
end
it 'reports if the key is missing' do
File.delete(Puppet[:hostprivkey])
expects_command_to_fail(/The private key is missing from/)
end
it 'reports if the cert is missing' do
File.delete(Puppet[:hostcert])
expects_command_to_fail(/The client certificate is missing from/)
end
it 'reports if the key and cert are mismatched' do
# generate new keys
private_key = OpenSSL::PKey::RSA.new(512)
public_key = private_key.public_key
File.write(Puppet[:hostprivkey], private_key.to_pem)
File.write(Puppet[:hostpubkey], public_key.to_pem)
expects_command_to_fail(%r{The certificate for 'CN=ssl-client' does not match its private key})
end
it 'reports if the cert verification fails' do
# generate a new CA to force an error
new_ca = Puppet::TestCa.new
File.write(Puppet[:localcacert], new_ca.ca_cert.to_pem)
# and CRL for that CA
File.write(Puppet[:hostcrl], new_ca.ca_crl.to_pem)
expects_command_to_fail(%r{Invalid signature for certificate 'CN=ssl-client'})
end
it 'reports when verification succeeds' do
expects_command_to_pass(%r{Verified client certificate 'CN=ssl-client' fingerprint})
end
it 'reports when verification succeeds with a password protected private key' do
FileUtils.cp(File.join(PuppetSpec::FIXTURE_DIR, 'ssl', 'encrypted-key.pem'), Puppet[:hostprivkey])
FileUtils.cp(File.join(PuppetSpec::FIXTURE_DIR, 'ssl', 'signed.pem'), Puppet[:hostcert])
# To verify the client cert we need the root and intermediate certs and crls.
# We don't need to do this with `ssl-client` cert above, because it is issued
# directly from the generated TestCa above.
File.open(Puppet[:localcacert], 'w') do |f|
f.write(File.read(File.join(PuppetSpec::FIXTURE_DIR, 'ssl', 'ca.pem')))
f.write(File.read(File.join(PuppetSpec::FIXTURE_DIR, 'ssl', 'intermediate.pem')))
end
File.open(Puppet[:hostcrl], 'w') do |f|
f.write(File.read(File.join(PuppetSpec::FIXTURE_DIR, 'ssl', 'crl.pem')))
f.write(File.read(File.join(PuppetSpec::FIXTURE_DIR, 'ssl', 'intermediate-crl.pem')))
end
Puppet[:passfile] = file_containing('passfile', '74695716c8b6')
expects_command_to_pass(%r{Verified client certificate 'CN=signed' fingerprint})
end
it 'reports if the private key password is incorrect' do
FileUtils.cp(File.join(PuppetSpec::FIXTURE_DIR, 'ssl', 'encrypted-key.pem'), Puppet[:hostprivkey])
FileUtils.cp(File.join(PuppetSpec::FIXTURE_DIR, 'ssl', 'signed.pem'), Puppet[:hostcert])
Puppet[:passfile] = file_containing('passfile', 'wrongpassword')
expects_command_to_fail(/Failed to load private key for host 'ssl-client'/)
end
end
context 'when cleaning' do
before do
ssl.command_line.args << 'clean'
end
it 'deletes the hostcert' do
File.write(Puppet[:hostcert], @host[:cert].to_pem)
expects_command_to_pass(%r{Removed certificate #{Puppet[:cert]}})
end
it 'deletes the private key' do
File.write(Puppet[:hostprivkey], @host[:private_key].to_pem)
expects_command_to_pass(%r{Removed private key #{Puppet[:hostprivkey]}})
end
it 'deletes the public key' do
File.write(Puppet[:hostpubkey], @host[:private_key].public_key.to_pem)
expects_command_to_pass(%r{Removed public key #{Puppet[:hostpubkey]}})
end
it 'deletes the request' do
path = Puppet[:hostcsr]
File.write(path, @host[:csr].to_pem)
expects_command_to_pass(%r{Removed certificate request #{path}})
end
it 'deletes the passfile' do
FileUtils.touch(Puppet[:passfile])
expects_command_to_pass(%r{Removed private key password file #{Puppet[:passfile]}})
end
it 'skips files that do not exist' do
File.delete(Puppet[:hostprivkey])
expect {
ssl.run_command
}.to_not output(%r{Removed private key #{Puppet[:hostprivkey]}}).to_stdout
end
it "raises if we fail to retrieve server's cert that we're about to clean" do
Puppet[:certname] = name
Puppet[:server] = name
stub_request(:get, %r{puppet-ca/v1/certificate/#{name}}).to_raise(Errno::ECONNREFUSED)
expects_command_to_fail(%r{Failed to connect to the CA to determine if certificate #{name} has been cleaned})
end
context 'when deleting local CA' do
before do
ssl.command_line.args << '--localca'
ssl.parse_options
end
it 'deletes the local CA cert' do
File.write(Puppet[:localcacert], @ca_cert.to_pem)
expects_command_to_pass(%r{Removed local CA certificate #{Puppet[:localcacert]}})
end
it 'deletes the local CRL' do
File.write(Puppet[:hostcrl], @crl.to_pem)
expects_command_to_pass(%r{Removed local CRL #{Puppet[:hostcrl]}})
end
end
context 'on the puppetserver host' do
before :each do
Puppet[:certname] = 'puppetserver'
Puppet[:server] = 'puppetserver'
end
it "prints an error when the CA is local and the CA has not cleaned its cert" do
stub_request(:get, %r{puppet-ca/v1/certificate/puppetserver}).to_return(status: 200, body: @host[:cert].to_pem)
expects_command_to_fail(%r{The certificate puppetserver must be cleaned from the CA first})
end
it "cleans the cert when the CA is local and the CA has already cleaned its cert" do
File.write(Puppet[:hostcert], @host[:cert].to_pem)
stub_request(:get, %r{puppet-ca/v1/certificate/puppetserver}).to_return(status: 404)
expects_command_to_pass(%r{Removed certificate .*puppetserver.pem})
end
it "cleans the cert when run on a puppetserver that isn't the CA" do
File.write(Puppet[:hostcert], @host[:cert].to_pem)
Puppet[:ca_server] = 'caserver'
expects_command_to_pass(%r{Removed certificate .*puppetserver.pem})
end
end
context 'when cleaning a device' do
before do
ssl.command_line.args = ['clean', '--target', 'device.example.com']
ssl.parse_options
end
it 'deletes the device certificate' do
device_cert_path = File.join(Puppet[:devicedir], 'device.example.com', 'ssl', 'certs')
device_cert_file = File.join(device_cert_path, 'device.example.com.pem')
FileUtils.mkdir_p(device_cert_path)
File.write(device_cert_file, 'device.example.com')
expects_command_to_pass(%r{Removed certificate #{device_cert_file}})
end
end
end
context 'when bootstrapping' do
before do
ssl.command_line.args << 'bootstrap'
end
it 'registers the OIDs' do
expect_any_instance_of(Puppet::SSL::StateMachine).to receive(:ensure_client_certificate).and_return(
double('ssl_context')
)
expect(Puppet::SSL::Oids).to receive(:register_puppet_oids)
expects_command_to_pass
end
it 'returns an SSLContext with the loaded CA certs, CRLs, private key and client cert' do
expect_any_instance_of(Puppet::SSL::StateMachine).to receive(:ensure_client_certificate).and_return(
double('ssl_context')
)
expects_command_to_pass
end
end
context 'when showing' do
before do
ssl.command_line.args << 'show'
File.write(Puppet[:hostcert], @host[:cert].to_pem)
end
it 'reports if the key is missing' do
File.delete(Puppet[:hostprivkey])
expects_command_to_fail(/The private key is missing from/)
end
it 'reports if the cert is missing' do
File.delete(Puppet[:hostcert])
expects_command_to_fail(/The client certificate is missing from/)
end
it 'prints certificate information' do
expects_command_to_pass(@host[:cert].to_text)
end
end
end
|
