author | Luke Kanies <luke@madstop.com> | 2009-02-27 17:52:01 -0600 |
committer | James Turnbull <james@lovedthanlost.net> | 2009-02-28 11:09:11 +1100 |
commit | 09bee9137d7a6415609a8abfdf727ee0361139e0 (patch) | |
tree | b3adb6eec8c8cca1c1a3085193855dacc361bd00 /spec/unit/ssl | |
parent | cf1cb1474f13ae2fc4ec27142fd34d494826c929 (diff) | |
Fixing #2028 - Better failures when a cert is found with no key
The problem was that the server had a certificate
for the client. Initially the client just didn't have a
key, because it assumed that if it had a certificate then
it had a key. Upon fixing it to create the key, the key then
did not match the found certificate.
This commit fixes both of those: The key is always found
before the certificate, and when the certificate is found
it's verified against the private key and an exception
is thrown if they don't match.
It's always a failure, so this just makes the failure
more informative.
Signed-off-by: Luke Kanies <luke@madstop.com>
Diffstat (limited to 'spec/unit/ssl')
-rwxr-xr-x | spec/unit/ssl/host.rb | 78 |
1 files changed, 77 insertions, 1 deletions
diff --git a/spec/unit/ssl/host.rb b/spec/unit/ssl/host.rb
index 646f7b55b..e4140f44c 100755
--- a/spec/unit/ssl/host.rb
+++ b/spec/unit/ssl/host.rb
@@ -90,6 +90,55 @@ describe Puppet::SSL::Host do
 Puppet::SSL::Host.localhost.should equal(two)
 end
 
+ it "should be able to verify its certificate matches its key" do
+ Puppet::SSL::Host.new("foo").should respond_to(:certificate_matches_key?)
+ end
+
+ it "should consider the certificate invalid if it cannot find a key" do
+ host = Puppet::SSL::Host.new("foo")
+ host.expects(:key).returns nil
+
+ host.should_not be_certificate_matches_key
+ end
+
+ it "should consider the certificate invalid if it cannot find a certificate" do
+ host = Puppet::SSL::Host.new("foo")
+ host.expects(:key).returns mock("key")
+ host.expects(:certificate).returns nil
+
+ host.should_not be_certificate_matches_key
+ end
+
+ it "should consider the certificate invalid if the SSL certificate's key verification fails" do
+ host = Puppet::SSL::Host.new("foo")
+
+ key = mock 'key', :content => "private_key"
+ sslcert = mock 'sslcert'
+ certificate = mock 'cert', :content => sslcert
+
+ host.stubs(:key).returns key
+ host.stubs(:certificate).returns certificate
+
+ sslcert.expects(:check_private_key).with("private_key").returns false
+
+ host.should_not be_certificate_matches_key
+ end
+
+ it "should consider the certificate valid if the SSL certificate's key verification succeeds" do
+ host = Puppet::SSL::Host.new("foo")
+
+ key = mock 'key', :content => "private_key"
+ sslcert = mock 'sslcert'
+ certificate = mock 'cert', :content => sslcert
+
+ host.stubs(:key).returns key
+ host.stubs(:certificate).returns certificate
+
+ sslcert.expects(:check_private_key).with("private_key").returns true
+
+ host.should be_certificate_matches_key
+ end
+
 describe "when specifying the CA location" do
 before do
 [Puppet::SSL::Key, Puppet::SSL::Certificate, Puppet::SSL::CertificateRequest, Puppet::SSL::CertificateRevocationList].each do |klass|
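Review bot: The two `check_private_key` examples at the end of the hunk repeat the same seven lines of mock setup (host, key, sslcert, certificate and both stubs) and differ only in the stubbed return value and the final expectation, so the one line that actually varies is hard to spot; a nested `describe` with a `before` block would make it stand out. It would also be worth an example for the case where `check_private_key` raises rather than returns false: whether `certificate_matches_key?` is meant to propagate that or treat it as a mismatch is not pinned down by anything here, and the predicate's implementation is not in this diff. The enclosing `describe Puppet::SSL::Host do` starts before the hunk.
```ruby
describe "when checking that the certificate matches the key" do
  before do
    @host = Puppet::SSL::Host.new("foo")
    @sslcert = mock 'sslcert'
    @host.stubs(:key).returns mock('key', :content => "private_key")
    @host.stubs(:certificate).returns mock('cert', :content => @sslcert)
  end

  it "should consider the certificate invalid if the SSL certificate's key verification fails" do
    @sslcert.expects(:check_private_key).with("private_key").returns false
    @host.should_not be_certificate_matches_key
  end

  # … unchanged: the "succeeds" example, mirrored with `returns true` / `should be_certificate_matches_key` …
end
```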
@@ -360,6 +409,9 @@ describe Puppet::SSL::Host do
 before do
 @realcert = mock 'certificate'
 @cert = stub 'cert', :content => @realcert
+
+ @host.stubs(:key).returns mock("key")
+ @host.stubs(:certificate_matches_key?).returns true
 end
 
 it "should find the CA certificate if it does not have a certificate" do
@@ -384,6 +436,22 @@ describe Puppet::SSL::Host do
 @host.certificate.should be_nil
 end
 
+ it "should find the key if it does not have one" do
+ Puppet::SSL::Certificate.stubs(:find)
+ @host.expects(:key).returns mock("key")
+
+ @host.certificate
+ end
+
+ it "should generate the key if one cannot be found" do
+ Puppet::SSL::Certificate.stubs(:find)
+
+ @host.expects(:key).returns nil
+ @host.expects(:generate_key)
+
+ @host.certificate
+ end
+
 it "should find the certificate in the Certificate class and return the Puppet certificate instance" do
 Puppet::SSL::Certificate.expects(:find).with("ca").returns mock("cacert")
 Puppet::SSL::Certificate.expects(:find).with("myname").returns @cert
@@ -391,6 +459,14 @@ describe Puppet::SSL::Host do
 @host.certificate.should equal(@cert)
 end
 
+ it "should fail if the found certificate does not match the private key" do
+ @host.expects(:certificate_matches_key?).returns false
+
+ Puppet::SSL::Certificate.stubs(:find).returns @cert
+
+ lambda { @host.certificate }.should raise_error(Puppet::Error)
+ end
+
 it "should return any previously found certificate" do
 Puppet::SSL::Certificate.expects(:find).with("ca").returns mock("cacert")
 Puppet::SSL::Certificate.expects(:find).with("myname").returns(@cert).once
@@ -468,7 +544,7 @@ describe Puppet::SSL::Host do
 end
 
 it "should generate a key if one is not present" do
- @host.expects(:key).returns nil
+ @host.stubs(:key).returns nil
 @host.expects(:generate_key)
 
 @host.generate
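Review bot: The `before` block in the first hunk now stubs `certificate_matches_key?` to `true` for every example in this group, so the key/certificate match check the commit introduces is bypassed everywhere except the single example later in the file that overrides it; that is a reasonable isolation choice, but with no comment it reads as if the check were being disabled by accident. I would add `# the key/certificate match check is specified on its own; stub it so these find/cache examples can use bare mocks` above the two new stub lines. The `stubs(:key)` line has the same role: the key-finding examples in the next hunk replace it with `expects(:key)`, which is only obvious once you have read both hunks. The enclosing `before` and `describe` start before the hunk.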
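Review bot: The new "should fail if the found certificate does not match the private key" example asserts only `raise_error(Puppet::Error)`, so it passes for any `Puppet::Error` raised on the way through `certificate` and does not show that the failure is the informative one the commit describes; matching a fragment of the message, `lambda { @host.certificate }.should raise_error(Puppet::Error, /<expected message fragment>/)`, would pin it. Nothing here checks what happens to the mismatched certificate afterwards: the "should return any previously found certificate" example directly below implies the found certificate is cached, and if the mismatch check runs after that caching step a second `certificate` call could hand back `@cert` without re-checking — inferred, since the implementation is not in this diff, but a follow-up example that calls `certificate` twice and asserts the second call fails as well would settle it (using `stubs` rather than the once-only `expects(:certificate_matches_key?)`). The enclosing `describe` starts before the hunk.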