| author | Markus Roberts <Markus@reality.com> | 2010-03-29 17:16:05 -0700 |
|---|---|---|
| committer | test branch <puppet-dev@googlegroups.com> | 2010-02-17 06:50:53 -0800 |
| commit | 49be54e5d4c5c19ec1f7e5e454666bb59ebfe88f (patch) | |
| tree | a3efe74b49b771200e9a45b59961266083107434 /spec/unit/ssl | |
| parent | e69b7db9124b9b1cd65ab89a2f5c6968928f256d (diff) | |
Revert the guts of #2890
This patch reverts the semantically significant parts of #2890 due to the
issues discussed on #3360 (security concerns when used with autosign,
inconsistency between REST & XMLRPC semantics) but leaves the semantically
neutral changes (code cleanup, added tests) in place.
This patch is intended for 0.25.x, but may also be applied as a step in the
resolution of #3450 (refactored #2890, add "remove_certs" flag) in Rowlf.
Diffstat (limited to 'spec/unit/ssl')
| -rwxr-xr-x | spec/unit/ssl/host.rb | 72 |
1 files changed, 55 insertions, 17 deletions
diff --git a/spec/unit/ssl/host.rb b/spec/unit/ssl/host.rb
index f6f06a993..36d2ed2e6 100755
--- a/spec/unit/ssl/host.rb
+++ b/spec/unit/ssl/host.rb
@@ -90,6 +90,55 @@ describe Puppet::SSL::Host do
 Puppet::SSL::Host.localhost.should equal(two)
 end
 
+ it "should be able to verify its certificate matches its key" do
+ Puppet::SSL::Host.new("foo").should respond_to(:certificate_matches_key?)
+ end
+
+ it "should consider the certificate invalid if it cannot find a key" do
+ host = Puppet::SSL::Host.new("foo")
+ host.expects(:key).returns nil
+
+ host.should_not be_certificate_matches_key
+ end
+
+ it "should consider the certificate invalid if it cannot find a certificate" do
+ host = Puppet::SSL::Host.new("foo")
+ host.expects(:key).returns mock("key")
+ host.expects(:certificate).returns nil
+
+ host.should_not be_certificate_matches_key
+ end
+
+ it "should consider the certificate invalid if the SSL certificate's key verification fails" do
+ host = Puppet::SSL::Host.new("foo")
+
+ key = mock 'key', :content => "private_key"
+ sslcert = mock 'sslcert'
+ certificate = mock 'cert', :content => sslcert
+
+ host.stubs(:key).returns key
+ host.stubs(:certificate).returns certificate
+
+ sslcert.expects(:check_private_key).with("private_key").returns false
+
+ host.should_not be_certificate_matches_key
+ end
+
+ it "should consider the certificate valid if the SSL certificate's key verification succeeds" do
+ host = Puppet::SSL::Host.new("foo")
+
+ key = mock 'key', :content => "private_key"
+ sslcert = mock 'sslcert'
+ certificate = mock 'cert', :content => sslcert
+
+ host.stubs(:key).returns key
+ host.stubs(:certificate).returns certificate
+
+ sslcert.expects(:check_private_key).with("private_key").returns true
+
+ host.should be_certificate_matches_key
+ end
+
 describe "when specifying the CA location" do
 before do
 [Puppet::SSL::Key, Puppet::SSL::Certificate, Puppet::SSL::CertificateRequest, Puppet::SSL::CertificateRevocationList].each do |klass|
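Review bot: The missing-key example ends at `host.should_not be_certificate_matches_key` and never pins that the certificate lookup is skipped on that path. If fetching the certificate can reach the CA (not visible in this hunk), a host with no key should not trigger it. Adding `host.expects(:certificate).never` before the assertion would make the short-circuit explicit. The enclosing `describe Puppet::SSL::Host` block starts and ends outside the hunk.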
@@ -359,11 +408,10 @@ describe Puppet::SSL::Host do
 describe "when managing its certificate" do
 before do
 @realcert = mock 'certificate'
- @realcert.stubs(:check_private_key).with('private key').returns true
-
- @cert = stub 'cert', :content => @realcert, :expired? => false
+ @cert = stub 'cert', :content => @realcert
 
- @host.stubs(:key).returns stub("key",:content => 'private key' )
+ @host.stubs(:key).returns mock("key")
+ @host.stubs(:certificate_matches_key?).returns true
 end
 
 it "should find the CA certificate if it does not have a certificate" do
@@ -411,22 +459,12 @@ describe Puppet::SSL::Host do
 @host.certificate.should equal(@cert)
 end
 
- it "should immediately expire the cached copy if the found certificate does not match the private key" do
- @realcert.expects(:check_private_key).with('private key').returns false
-
- Puppet::SSL::Certificate.stubs(:find).returns @cert
- Puppet::SSL::Certificate.expects(:expire).with("myname")
-
- @host.certificate
- end
-
- it "should not return a certificate if it does not match the private key" do
- @realcert.expects(:check_private_key).with('private key').returns false
+ it "should fail if the found certificate does not match the private key" do
+ @host.expects(:certificate_matches_key?).returns false
 
 Puppet::SSL::Certificate.stubs(:find).returns @cert
- Puppet::SSL::Certificate.stubs(:expire).with("myname")
 
- @host.certificate.should == nil
+ lambda { @host.certificate }.should raise_error(Puppet::Error)
 end
 
 it "should return any previously found certificate" do |
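Review bot: Stubbing `@host.stubs(:certificate_matches_key?).returns true` in the shared `before` block lets the success-path examples in this group pass whether or not `certificate` consults the key check. Only the mismatch example later in the file overrides the stub. At least one success-path example should use `@host.expects(:certificate_matches_key?).returns true`, so a regression that silently drops the check is caught. A one-line comment above the stub, such as `# key/cert matching itself is covered by the certificate_matches_key? examples`, would also explain why `@realcert` no longer carries a `check_private_key` stub. The rest of the group lies outside this hunk, so it may already be covered there.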
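Review bot: The replacement example asserts only `raise_error(Puppet::Error)`, so it does not pin the behaviour this revert is about: a mismatching certificate is no longer expired. Adding `Puppet::SSL::Certificate.expects(:expire).never` before the lambda would guard against the expire call returning, which the commit message ties to the autosign concern in #3360. Matching on the error text would also stop an unrelated `Puppet::Error` from the lookup path satisfying the example, though the message itself is not visible here.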
