diff options
| author | luke <luke@980ebf18-57e1-0310-9a29-db15c13687c0> | 2007-06-18 19:51:17 +0000 |
|---|---|---|
| committer | luke <luke@980ebf18-57e1-0310-9a29-db15c13687c0> | 2007-06-18 19:51:17 +0000 |
| commit | 2d07334c9b4e8bf06af5c4fc046984f26b4167ac (patch) | |
| tree | 144466dd3563255d7b2272aff89a20459b3692f4 /test/network | |
| parent | 6e16d9feb1468aae964115833a223cd07c37036e (diff) | |
| download | puppet-2d07334c9b4e8bf06af5c4fc046984f26b4167ac.tar.gz puppet-2d07334c9b4e8bf06af5c4fc046984f26b4167ac.tar.xz puppet-2d07334c9b4e8bf06af5c4fc046984f26b4167ac.zip | |
Modifying the CA server so that it will not send back a cert whose public key does not match the csr. We have been getting a lot of instances of this, so this should cut down that problem.
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@2612 980ebf18-57e1-0310-9a29-db15c13687c0
Diffstat (limited to 'test/network')
| -rwxr-xr-x | test/network/client/ca.rb | 2 | ||||
| -rwxr-xr-x | test/network/handler/ca.rb | 34 |
2 files changed, 36 insertions, 0 deletions
diff --git a/test/network/client/ca.rb b/test/network/client/ca.rb index 0fdbda537..26fb72f40 100755 --- a/test/network/client/ca.rb +++ b/test/network/client/ca.rb @@ -2,6 +2,7 @@ $:.unshift("../../lib") if __FILE__ =~ /\.rb$/ +require 'mocha' require 'puppettest' require 'puppet/network/client/ca' require 'puppet/sslcertificates/support' @@ -48,6 +49,7 @@ class TestClientCA < Test::Unit::TestCase File.unlink(Puppet[:hostprivkey]) @client = Puppet::Network::Client.ca.new :CA => @ca + @ca.expects(:getcert).returns("yay") # not a valid cert # Now make sure it fails, since we'll get the old cert but have new keys assert_raise(Puppet::Network::Client::CA::InvalidCertificate, "Did not fail on invalid cert") do @client.request_cert diff --git a/test/network/handler/ca.rb b/test/network/handler/ca.rb index fe2fdbd2e..3c89f597b 100755 --- a/test/network/handler/ca.rb +++ b/test/network/handler/ca.rb @@ -229,6 +229,40 @@ class TestCA < Test::Unit::TestCase # And try a different host assert(! caserv.autosign?("other.yay.com"), "Host was autosigned") end + + # Make sure that a CSR created with keys that don't match the existing + # cert throws an exception on the server. + def test_mismatched_public_keys_throws_exception + ca = Puppet::Network::Handler.ca.new() + + # First initialize the server + client = Puppet::Network::Client.ca.new :CA => ca + client.request_cert + File.unlink(Puppet[:hostcsr]) + + # Now use a different cert name + Puppet[:certname] = "my.host.com" + client = Puppet::Network::Client.ca.new :CA => ca + firstcsr = client.csr + File.unlink(Puppet[:hostcsr]) if FileTest.exists?(Puppet[:hostcsr]) + + assert_nothing_raised("Could not get cert") do + ca.getcert(firstcsr.to_s) + end + + # Now get rid of the public key, forcing a new csr + File.unlink(Puppet[:hostprivkey]) + + client = Puppet::Network::Client.ca.new :CA => ca + + second_csr = client.csr + + assert(firstcsr.to_s != second_csr.to_s, "CSR did not change") + + assert_raise(Puppet::Error, "CA allowed mismatched keys") do + ca.getcert(second_csr.to_s) + end + end end # $Id$ |