File: ca_spec.rb

puppet 2.6.2-5%2Bsqueeze9
require 'spec_helper'

require 'puppet/network/handler/ca'

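# Specs for the CA network handler's #getcert call, which is handed a
# PEM-encoded certificate signing request. The cases cover a master that is
# not a CA, a host that already has a certificate, and autosign on and off.
describe Puppet::Network::Handler::CA do
  include PuppetSpec::Files

  describe "#getcert" do
    let(:host)      { "testhost" }
    let(:x509_name) { OpenSSL::X509::Name.new [['CN', host]] }
    let(:key)       { Puppet::SSL::Key.new(host).generate }

    # A request for `host` carrying the public half of `key`. It is assembled
    # by hand and is never signed in this file.
    let(:csr) do
      csr = OpenSSL::X509::Request.new
      csr.subject = x509_name
      csr.public_key = key.public_key
      csr
    end

    let(:ca)     { Puppet::SSL::CertificateAuthority.new }
    # Read the CA's own certificate straight from its instance variable so the
    # examples can compare it with what the handler returns.
    let(:cacert) { ca.instance_variable_get(:@certificate) }

    before :each do
      # Keep everything the CA writes inside a throwaway directory.
      # NOTE(review): tmpdir is presumably supplied by PuppetSpec::Files.
      Puppet[:confdir] = tmpdir('conf')

      # By default the master acts as a CA and hands out the `ca` built above.
      Puppet::SSL::CertificateAuthority.stubs(:ca?).returns true
      Puppet::SSL::CertificateAuthority.stubs(:singleton_instance).returns ca
    end

    it "should do nothing if the master is not a CA" do
      Puppet::SSL::CertificateAuthority.stubs(:ca?).returns false

      csr = OpenSSL::X509::Request.new
      csr.subject = OpenSSL::X509::Name.new([["CN", "anything"]])
      subject.getcert(csr.to_pem).should == ''
    end

    describe "when a certificate already exists for the host" do
      let(:cert)    { ca.generate(host) }

      it "should return the existing cert if it matches the public key of the CSR" do
        # Re-key the request so it carries the key already certified for the host.
        csr.public_key = cert.content.public_key

        subject.getcert(csr.to_pem).should == [cert.to_s, cacert.to_s]
      end

      it "should fail if the public key of the CSR does not match the existing cert" do
        # `let` is lazy: naming `cert` makes the CA issue it before the request
        # arrives. The request still carries `key`, which is expected to differ
        # from the key behind that certificate.
        cert
        expect do
          subject.getcert(csr.to_pem)
        end.to raise_error(Puppet::Error, /Certificate request does not match existing certificate/)
      end
    end

    describe "when autosign is enabled" do
      before :each do
        Puppet[:autosign] = true
      end

      it "should return the new cert and the CA cert" do
        cert_str, cacert_str = subject.getcert(csr.to_pem)

        returned_cert = Puppet::SSL::Certificate.from_s(cert_str)
        returned_cacert = Puppet::SSL::Certificate.from_s(cacert_str)

        returned_cert.name.should == host
        returned_cacert.content.subject.cmp(cacert.content.subject).should == 0

        # A matching name alone does not show that the certificate is bound to
        # the requester's key or that this CA issued it, so check both.
        returned_cert.content.public_key.to_pem.should == csr.public_key.to_pem
        returned_cert.content.verify(cacert.content.public_key).should be_true
      end
    end

    describe "when autosign is disabled" do
      before :each do
        Puppet[:autosign] = false
      end

      it "should save the CSR without signing it" do
        subject.getcert(csr.to_pem)

        # No certificate may exist yet; only the pending request is stored.
        Puppet::SSL::Certificate.find(host).should be_nil
        Puppet::SSL::CertificateRequest.find(host).should be_a(Puppet::SSL::CertificateRequest)
      end

      it "should not return a cert" do
        subject.getcert(csr.to_pem).should be_nil
      end
    end
  end
end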