File: key_spec.rb

package info (click to toggle)
puppet 5.5.22-2
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 21,316 kB
  • sloc: ruby: 254,925; sh: 1,608; xml: 219; makefile: 153; sql: 103
file content (188 lines) | stat: -rw-r--r-- 6,466 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
 
require 'spec_helper'

require 'puppet/ssl/key'

describe Puppet::SSL::Key do
  before do
    @class = Puppet::SSL::Key
  end

  it "should be extended with the Indirector module" do
    expect(@class.singleton_class).to be_include(Puppet::Indirector)
  end

  it "should indirect key" do
    expect(@class.indirection.name).to eq(:key)
  end

  it "should only support the text format" do
    expect(@class.supported_formats).to eq([:s])
  end

  it "should have a method for determining whether it's a CA key" do
    expect(@class.new("test")).to respond_to(:ca?)
  end

  it "should consider itself a ca key if its name matches the CA_NAME" do
    expect(@class.new(Puppet::SSL::Host.ca_name)).to be_ca
  end

  describe "when initializing" do
    it "should set its password file to the :capass if it's a CA key" do
      Puppet[:capass] = File.expand_path("/ca/pass")

      key = Puppet::SSL::Key.new(Puppet::SSL::Host.ca_name)
      expect(key.password_file).to eq(Puppet[:capass])
    end

    it "should downcase its name" do
      expect(@class.new("MyName").name).to eq("myname")
    end

    it "should set its password file to the default password file if it is not the CA key" do
      Puppet[:passfile] = File.expand_path("/normal/pass")

      key = Puppet::SSL::Key.new("notca")
      expect(key.password_file).to eq(Puppet[:passfile])
    end
  end

  describe "when managing instances" do
    before do
      @key = @class.new("myname")
    end

    it "should have a name attribute" do
      expect(@key.name).to eq("myname")
    end

    it "should have a content attribute" do
      expect(@key).to respond_to(:content)
    end

    it "should be able to read keys from disk" do
      path = "/my/path"
      expect(Puppet::FileSystem).to receive(:read).with(path, :encoding => Encoding::ASCII).and_return("my key")
      key = double('key')
      expect(OpenSSL::PKey::RSA).to receive(:new).and_return(key)
      expect(@key.read(path)).to equal(key)
      expect(@key.content).to equal(key)
    end

    it "should not try to use the provided password file if the file does not exist" do
      allow(Puppet::FileSystem).to receive(:exist?).and_return(false)
      @key.password_file = "/path/to/password"

      path = "/my/path"

      allow(Puppet::FileSystem).to receive(:read).with(path, :encoding => Encoding::ASCII).and_return("my key")
      expect(OpenSSL::PKey::RSA).to receive(:new).with("my key", nil).and_return(double('key'))
      expect(Puppet::FileSystem).not_to receive(:read).with("/path/to/password", :encoding => Encoding::BINARY)

      @key.read(path)
    end

    it "should read the key with the password retrieved from the password file if one is provided" do
      allow(Puppet::FileSystem).to receive(:exist?).and_return(true)
      @key.password_file = "/path/to/password"

      path = "/my/path"
      expect(Puppet::FileSystem).to receive(:read).with(path, :encoding => Encoding::ASCII).and_return("my key")
      expect(Puppet::FileSystem).to receive(:read).with("/path/to/password", :encoding => Encoding::BINARY).and_return("my password")

      key = double('key')
      expect(OpenSSL::PKey::RSA).to receive(:new).with("my key", "my password").and_return(key)
      expect(@key.read(path)).to equal(key)
      expect(@key.content).to equal(key)
    end

    it "should return an empty string when converted to a string with no key" do
      expect(@key.to_s).to eq("")
    end

    it "should convert the key to pem format when converted to a string" do
      key = double('key', :to_pem => "pem")
      @key.content = key
      expect(@key.to_s).to eq("pem")
    end

    it "should have a :to_text method that it delegates to the actual key" do
      real_key = double('key')
      expect(real_key).to receive(:to_text).and_return("keytext")
      @key.content = real_key
      expect(@key.to_text).to eq("keytext")
    end
  end

  describe "when generating the private key" do
    before do
      @instance = @class.new("test")

      @key = double('key')
    end

    it "should create an instance of OpenSSL::PKey::RSA" do
      expect(OpenSSL::PKey::RSA).to receive(:new).and_return(@key)

      @instance.generate
    end

    it "should create the private key with the keylength specified in the settings" do
      Puppet[:keylength] = 513
      expect(OpenSSL::PKey::RSA).to receive(:new).with(513).and_return(@key)

      @instance.generate
    end

    it "should set the content to the generated key" do
      allow(OpenSSL::PKey::RSA).to receive(:new).and_return(@key)
      @instance.generate
      expect(@instance.content).to equal(@key)
    end

    it "should return the generated key" do
      allow(OpenSSL::PKey::RSA).to receive(:new).and_return(@key)
      expect(@instance.generate).to equal(@key)
    end

    it "should return the key in pem format" do
      @instance.generate
      expect(@instance.content).to receive(:to_pem).and_return("my normal key")
      expect(@instance.to_s).to eq("my normal key")
    end

    describe "with a password file set" do
      it "should return a nil password if the password file does not exist" do
        expect(Puppet::FileSystem).to receive(:exist?).with("/path/to/pass").and_return(false)
        expect(Puppet::FileSystem).not_to receive(:read).with("/path/to/pass", :encoding => Encoding::BINARY)

        @instance.password_file = "/path/to/pass"

        expect(@instance.password).to be_nil
      end

      it "should return the contents of the password file as its password" do
        expect(Puppet::FileSystem).to receive(:exist?).with("/path/to/pass").and_return(true)
        expect(Puppet::FileSystem).to receive(:read).with("/path/to/pass", :encoding => Encoding::BINARY).and_return("my password")

        @instance.password_file = "/path/to/pass"

        expect(@instance.password).to eq("my password")
      end

      it "should export the private key to text using the password" do
        @instance.password_file = "/path/to/pass"
        allow(@instance).to receive(:password).and_return("my password")

        expect(OpenSSL::PKey::RSA).to receive(:new).and_return(@key)
        @instance.generate

        cipher = double('cipher')
        expect(OpenSSL::Cipher::DES).to receive(:new).with(:EDE3, :CBC).and_return(cipher)
        expect(@key).to receive(:export).with(cipher, "my password").and_return("my encrypted key")

        expect(@instance.to_s).to eq("my encrypted key")
      end
    end
  end
end