authorluke <luke@980ebf18-57e1-0310-9a29-db15c13687c0>2005-09-15 20:16:21 +0000
committerluke <luke@980ebf18-57e1-0310-9a29-db15c13687c0>2005-09-15 20:16:21 +0000
commitbf701dcb819bf06449557b2ef6b2adf207a78586 (patch)
tree7f6ed24c4f0653e9b8bf49494d1414dab9f3d5de /test/client
parent0c97bb13d4b1aefda9768c000c542b3ddfc92b04 (diff)
adding extra checks to make sure networking is secure, and refactoring a heckuva lot of tests
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@671 980ebf18-57e1-0310-9a29-db15c13687c0
Diffstat (limited to 'test/client')
-rw-r--r--test/client/tc_client.rb139
1 files changed, 87 insertions, 52 deletions
diff --git a/test/client/tc_client.rb b/test/client/tc_client.rb
index 2c67c35c8..feaa24184 100644
--- a/test/client/tc_client.rb
+++ b/test/client/tc_client.rb
@@ -12,71 +12,30 @@ require 'puppettest.rb'
# $Id$
-class TestClient < Test::Unit::TestCase
- def setup
- Puppet[:loglevel] = :debug if __FILE__ == $0
- @@tmpfiles = []
- @@tmppids = []
- end
-
- def teardown
- Puppet::Type.allclear
- @@tmpfiles.each { |f|
- if FileTest.exists?(f)
- system("rm -rf %s" % f)
- end
- }
-
- @@tmppids.each { |pid|
- %x{kill -INT #{pid} 2>/dev/null}
- }
- end
-
+class TestClient < ServerTest
+ # a single run through of connect, auth, etc.
def test_sslInitWithAutosigningLocalServer
+ # autosign everything, for simplicity
Puppet[:autosign] = true
- Puppet[:ssldir] = "/tmp/puppetclientcertests"
- @@tmpfiles.push Puppet[:ssldir]
- @@tmpfiles.push "/tmp/puppetclienttesting"
- file = "/tmp/testingmanifest.pp"
- File.open(file, "w") { |f|
- f.puts '
-file { "/tmp/puppetclienttesting": create => true, mode => 755 }
-'
- }
- @@tmpfiles << file
- port = 8085
+ # create a server to which to connect
+ mkserver()
- server = nil
- assert_nothing_raised {
- server = Puppet::Server.new(
- :Port => port,
- :Handlers => {
- :CA => {}, # so that certs autogenerate
- :Master => {
- :File => file,
- },
- }
- )
- }
-
- spid = fork {
- trap(:INT) { server.shutdown }
- server.start
- }
-
- @@tmppids << spid
+ # create our client
client = nil
assert_nothing_raised {
client = Puppet::Client::MasterClient.new(
:Server => "localhost",
- :Port => port
+ :Port => @@port
)
}
+
+ # get our certs
assert_nothing_raised {
client.initcerts
}
+ # make sure all of our cert files exist
certfile = File.join(Puppet[:certdir], [client.fqdn, "pem"].join("."))
keyfile = File.join(Puppet[:privatekeydir], [client.fqdn, "pem"].join("."))
publickeyfile = File.join(Puppet[:publickeydir], [client.fqdn, "pem"].join("."))
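Review bot: After `client.initcerts` the hunk only asserts that the certificate and key files exist (the `keyfile` path built from `Puppet[:privatekeydir]`); for a commit whose stated aim is secure networking it should also pin the private key's permissions, since a key readable by other local users lets them impersonate the node, e.g. `assert_equal(0600, File.stat(keyfile).mode & 0777, "private key is not 0600")`. The test also sets `Puppet[:autosign] = true` as global state and now relies on `ServerTest` and `mkserver` (both outside this hunk) for setup and teardown, so it is worth confirming that teardown resets `autosign`, otherwise a later test in the same process could run with autosigning on unintentionally. `test_sslInitWithAutosigningLocalServer` continues into the next hunk.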
@@ -85,18 +44,94 @@ file { "/tmp/puppetclienttesting": create => true, mode => 755 }
assert(File.exists?(certfile))
assert(File.exists?(publickeyfile))
+ # verify we can retrieve the configuration
assert_nothing_raised("Client could not retrieve configuration") {
client.getconfig
}
+ # and apply it
assert_nothing_raised("Client could not apply configuration") {
client.apply
}
- assert(FileTest.exists?("/tmp/puppetclienttesting"),
+ # and verify that it did what it was supposed to
+ assert(FileTest.exists?(@createdfile),
"Applied file does not exist")
end
+
+ # here we create two servers; we
+ def test_zzfailureWithUntrustedCerts
+ Puppet[:autosign] = true
+
+ # create a pair of clients with no certs
+ nonemaster = nil
+ assert_nothing_raised {
+ nonemaster = Puppet::Client::MasterClient.new(
+ :Server => "localhost",
+ :Port => @@port
+ )
+ }
+
+ nonebucket = nil
+ assert_nothing_raised {
+ nonebucket = Puppet::Client::Dipper.new(
+ :Server => "localhost",
+ :Port => @@port
+ )
+ }
+
+ # create a ca so we can create a set of certs
+ ca = nil
+ assert_nothing_raised {
+ ca = Puppet::Client::CAClient.new(:CA => true, :Local => true)
+ ca.requestcert
+ }
+
+ # initialize our clients with this set of certs
+ certmaster = nil
+ assert_nothing_raised {
+ certmaster = Puppet::Client::MasterClient.new(
+ :Server => "localhost",
+ :Port => @@port
+ )
+ }
+
+ certbucket = nil
+ assert_nothing_raised {
+ certbucket = Puppet::Client::Dipper.new(
+ :Server => "localhost",
+ :Port => @@port
+ )
+ }
+
+ # clean up the existing certs, so the server creates a new CA
+ system("rm -rf %s" % Puppet[:ssldir])
+
+ # start our server
+ mkserver
+
+ # now verify that our client cannot do non-cert operations
+ # because its certs are signed by a different CA
+ assert_raise(Puppet::NetworkClientError,
+ "Client was allowed to call getconfig with no certs") {
+ nonemaster.getconfig
+ }
+ assert_raise(Puppet::NetworkClientError,
+ "Client was allowed to call getconfig with untrusted certs") {
+ certmaster.getconfig
+ }
+
+ assert_raise(Puppet::NetworkClientError,
+ "Client was allowed to call backup with no certs") {
+ nonebucket.backup("/etc/passwd")
+ }
+ assert_raise(Puppet::NetworkClientError,
+ "Client was allowed to call backup with untrusted certs") {
+ certbucket.backup("/etc/passwd")
+ }
+ end
+
# disabled because the server needs to have its certs in place
# in order to start at all
# i don't think this test makes much sense anyway
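Review bot: The four `assert_raise` checks in `test_zzfailureWithUntrustedCerts` are negative-only, so they also pass if the freshly started server refuses every client for an unrelated reason (or is not listening at all), and if `MasterClient`/`Dipper` load their certificates lazily at connect time rather than at construction, the `certmaster`/`certbucket` cases collapse into the no-cert case once `rm -rf` has removed `Puppet[:ssldir]` — I cannot tell which from this hunk, so add a positive control (a client that obtains a cert from the new CA after `mkserver` and whose `getconfig` succeeds) and assert before starting the server that `certmaster` actually holds a cert issued by the first CA. The cleanup line `system("rm -rf %s" % Puppet[:ssldir])` interpolates a path into a shell command unquoted; prefer `FileUtils.rm_rf(Puppet[:ssldir])` (with `require 'fileutils'`). The comment `# here we create two servers; we` is cut off; replace it with something like `# create clients with no certs and with certs from a throwaway CA, then start a server with a fresh CA and check both are refused`.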