Diffstat (limited to 'spec/integration/ssl')
-rwxr-xr-x | spec/integration/ssl/certificate_authority.rb | 137 | ||||
-rwxr-xr-x | spec/integration/ssl/certificate_request.rb | 57 | ||||
-rwxr-xr-x | spec/integration/ssl/certificate_revocation_list.rb | 42 | ||||
-rwxr-xr-x | spec/integration/ssl/host.rb | 90 |
4 files changed, 326 insertions, 0 deletions
diff --git a/spec/integration/ssl/certificate_authority.rb b/spec/integration/ssl/certificate_authority.rb
new file mode 100755
index 000000000..d838bc586
--- /dev/null
+++ b/spec/integration/ssl/certificate_authority.rb
@@ -0,0 +1,137 @@
+#!/usr/bin/env ruby
+#
+# Created by Luke Kanies on 2008-4-17.
+# Copyright (c) 2008. All rights reserved.
+
+require File.dirname(__FILE__) + '/../../spec_helper'
+
+require 'puppet/ssl/certificate_authority'
+require 'tempfile'
+
+describe Puppet::SSL::CertificateAuthority do
+ before do
+ # Get a safe temporary file
+ file = Tempfile.new("ca_integration_testing")
+ @dir = file.path
+ file.delete
+
+ Puppet.settings[:confdir] = @dir
+ Puppet.settings[:vardir] = @dir
+
+ Puppet::SSL::Host.ca_location = :local
+ @ca = Puppet::SSL::CertificateAuthority.new
+ end
+
+ after {
+ Puppet::SSL::Host.ca_location = :none
+
+ system("rm -rf %s" % @dir)
+ Puppet.settings.clear
+
+ Puppet::Util::Cacher.invalidate
+
+ Puppet::SSL::CertificateAuthority.instance_variable_set("@instance", nil)
+ }
+
+ it "should create a CA host" do
+ @ca.host.should be_ca
+ end
+
+ it "should be able to generate a certificate" do
+ @ca.generate_ca_certificate
+
+ @ca.host.certificate.should be_instance_of(Puppet::SSL::Certificate)
+ end
+
+ it "should be able to generate a new host certificate" do
+ @ca.generate("newhost")
+
+ Puppet::SSL::Certificate.find("newhost").should be_instance_of(Puppet::SSL::Certificate)
+ end
+
+ it "should be able to revoke a host certificate" do
+ pending("This test doesn't actually work yet") do
+ @ca.generate("newhost")
+
+ @ca.revoke("newhost")
+
+ lambda { @ca.verify("newhost") }.should raise_error
+ end
+ end
+
+ it "should have a CRL" do
+ @ca.generate_ca_certificate
+ @ca.crl.should_not be_nil
+ end
+
+ it "should be able to read in a previously created CRL" do
+ @ca.generate_ca_certificate
+
+ # Create it to start with.
+ @ca.crl
+
+ Puppet::SSL::CertificateAuthority.new.crl.should_not be_nil
+ end
+
+ describe "when signing certificates" do
+ before do
+ @host = Puppet::SSL::Host.new("luke.madstop.com")
+
+ # We have to provide the key, since when we're in :ca_only mode, we can only interact
+ # with the CA key.
+ key = Puppet::SSL::Key.new(@host.name)
+ key.generate
+
+ @host.key = key
+ @host.generate_certificate_request
+
+ path = File.join(Puppet[:requestdir], "luke.madstop.com.pem")
+ end
+
+ it "should be able to sign certificates" do
+ @ca.sign("luke.madstop.com")
+ end
+
+ it "should save the signed certificate" do
+ @ca.sign("luke.madstop.com")
+
+ Puppet::SSL::Certificate.find("luke.madstop.com").should be_instance_of(Puppet::SSL::Certificate)
+ end
+
+ it "should be able to sign multiple certificates" do
+ @other = Puppet::SSL::Host.new("other.madstop.com")
+ okey = Puppet::SSL::Key.new(@other.name)
+ okey.generate
+ @other.key = okey
+ @other.generate_certificate_request
+
+ @ca.sign("luke.madstop.com")
+ @ca.sign("other.madstop.com")
+
+ Puppet::SSL::Certificate.find("other.madstop.com").should be_instance_of(Puppet::SSL::Certificate)
+ Puppet::SSL::Certificate.find("luke.madstop.com").should be_instance_of(Puppet::SSL::Certificate)
+ end
+
+ it "should save the signed certificate to the :signeddir" do
+ @ca.sign("luke.madstop.com")
+
+ client_cert = File.join(Puppet[:signeddir], "luke.madstop.com.pem")
+ File.read(client_cert).should == Puppet::SSL::Certificate.find("luke.madstop.com").content.to_s
+ end
+
+ it "should save valid certificates" do
+ @ca.sign("luke.madstop.com")
+
+ ssl = %x{which openssl}
+
+ unless ssl
+ pending "No ssl available"
+ else
+ ca_cert = Puppet[:cacert]
+ client_cert = File.join(Puppet[:signeddir], "luke.madstop.com.pem")
+ output = %x{openssl verify -CAfile #{ca_cert} #{client_cert}}
+ $?.should == 0
+ end
+ end
+ end
+end
diff --git a/spec/integration/ssl/certificate_request.rb b/spec/integration/ssl/certificate_request.rb
new file mode 100755
index 000000000..f428718e7
--- /dev/null
+++ b/spec/integration/ssl/certificate_request.rb
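Review bot: In the "should save valid certificates" example the `unless ssl` guard is dead: `%x{which openssl}` returns a String even when the binary is absent (an empty one), and every String is truthy in Ruby, so the pending branch is never taken and `openssl verify` runs regardless. Test emptiness instead, e.g. `ssl = %x{which openssl}.strip` followed by `if ssl.empty?` / `pending "No ssl available"`. The verify `output` is captured but never asserted; checking that it reports the certificate as OK, in addition to `$?`, would make the validity check less dependent on the tool's exit-status behaviour. The fixture that takes a `Tempfile` path, deletes the file and reuses the name as `@dir`, then cleans up with `system("rm -rf %s" % @dir)`, is repeated in certificate_request.rb, certificate_revocation_list.rb and host.rb; `Dir.mktmpdir` plus `FileUtils.rm_rf(@dir)` would avoid the delete-then-reuse window and the shell command string. The `path` local in the signing `before` block is unused.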
@@ -0,0 +1,57 @@
+#!/usr/bin/env ruby
+#
+# Created by Luke Kanies on 2008-4-17.
+# Copyright (c) 2008. All rights reserved.
+
+require File.dirname(__FILE__) + '/../../spec_helper'
+
+require 'puppet/ssl/certificate_request'
+require 'tempfile'
+
+describe Puppet::SSL::CertificateRequest do
+ before do
+ # Get a safe temporary file
+ file = Tempfile.new("csr_integration_testing")
+ @dir = file.path
+ file.delete
+
+ Puppet.settings.clear
+
+ Puppet.settings[:confdir] = @dir
+ Puppet.settings[:vardir] = @dir
+
+ @csr = Puppet::SSL::CertificateRequest.new("luke.madstop.com")
+
+ @key = OpenSSL::PKey::RSA.new(512)
+ end
+
+ after do
+ system("rm -rf %s" % @dir)
+ Puppet.settings.clear
+
+ # This is necessary so the terminus instances don't lie around.
+ Puppet::Util::Cacher.invalidate
+ end
+
+ it "should be able to generate CSRs" do
+ @csr.generate(@key)
+ end
+
+ it "should be able to save CSRs" do
+ @csr.save
+ end
+
+ it "should be able to find saved certificate requests via the Indirector" do
+ @csr.generate(@key)
+ @csr.save
+
+ Puppet::SSL::CertificateRequest.find("luke.madstop.com").should be_instance_of(Puppet::SSL::CertificateRequest)
+ end
+
+ it "should save the completely CSR when saving" do
+ @csr.generate(@key)
+ @csr.save
+
+ Puppet::SSL::CertificateRequest.find("luke.madstop.com").content.to_s.should == @csr.content.to_s
+ end
+end
diff --git a/spec/integration/ssl/certificate_revocation_list.rb b/spec/integration/ssl/certificate_revocation_list.rb
new file mode 100755
index 000000000..246654816
--- /dev/null
+++ b/spec/integration/ssl/certificate_revocation_list.rb
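Review bot: The examples "should be able to generate CSRs" and "should be able to save CSRs" contain no expectation, so they only prove the call does not raise; the second one also calls `@csr.save` without a prior `generate`, so it is presumably exercising a request with no content — if that is intended, a comment such as `# Saving a request that was never generated must not raise` would make it explicit, otherwise it should call `@csr.generate(@key)` first. `@key = OpenSSL::PKey::RSA.new(512)` is a deliberately tiny key for speed; a comment like `# 512-bit key: test speed only, never a size to copy elsewhere` would stop it being lifted into non-test code. The description "should save the completely CSR when saving" reads as "the complete CSR". The `OpenSSL` constant is used without a `require 'openssl'` here, so the file relies on it being loaded transitively by `puppet/ssl/certificate_request`.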
@@ -0,0 +1,42 @@
+#!/usr/bin/env ruby
+#
+# Created by Luke Kanies on 2008-5-5.
+# Copyright (c) 2008. All rights reserved.
+
+require File.dirname(__FILE__) + '/../../spec_helper'
+
+require 'puppet/ssl/certificate_revocation_list'
+require 'tempfile'
+
+describe Puppet::SSL::CertificateRevocationList do
+ before do
+ # Get a safe temporary file
+ file = Tempfile.new("ca_integration_testing")
+ @dir = file.path
+ file.delete
+
+ Puppet.settings[:confdir] = @dir
+ Puppet.settings[:vardir] = @dir
+
+ Puppet::SSL::Host.ca_location = :local
+ end
+
+ after {
+ Puppet::SSL::Host.ca_location = :none
+
+ system("rm -rf %s" % @dir)
+ Puppet.settings.clear
+
+ # This is necessary so the terminus instances don't lie around.
+ Puppet::Util::Cacher.invalidate
+ }
+
+ it "should be able to read in written out CRLs with no revoked certificates" do
+ ca = Puppet::SSL::CertificateAuthority.new
+
+ raise "CRL not created" unless FileTest.exist?(Puppet[:hostcrl])
+
+ crl = Puppet::SSL::CertificateRevocationList.new("crl_int_testing")
+ crl.read(Puppet[:hostcrl])
+ end
+end
diff --git a/spec/integration/ssl/host.rb b/spec/integration/ssl/host.rb
new file mode 100755
index 000000000..65f10cef3
--- /dev/null
+++ b/spec/integration/ssl/host.rb
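Review bot: The single example in certificate_revocation_list.rb never checks what `crl.read(Puppet[:hostcrl])` produced, so a CRL that reads back as nothing would still pass; an expectation on the result, such as `crl.content.should_not be_nil` (the exact accessor depends on the class, which is outside this diff), would give the example a real assertion. The precondition is expressed as `raise "CRL not created" unless FileTest.exist?(Puppet[:hostcrl])`, which reports as an error rather than a failure; `FileTest.exist?(Puppet[:hostcrl]).should be_true` keeps it inside the spec framework. The `ca` local is assigned only for the side effect of `CertificateAuthority.new`, which appears to be what writes the initial CRL; a comment like `# Instantiating the CA is what creates the initial CRL on disk` would explain the otherwise unused variable.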
@@ -0,0 +1,90 @@
+#!/usr/bin/env ruby
+#
+# Created by Luke Kanies on 2008-4-17.
+# Copyright (c) 2008. All rights reserved.
+
+require File.dirname(__FILE__) + '/../../spec_helper'
+
+require 'puppet/ssl/host'
+require 'tempfile'
+
+describe Puppet::SSL::Host do
+ before do
+ # Get a safe temporary file
+ file = Tempfile.new("host_integration_testing")
+ @dir = file.path
+ file.delete
+
+ Puppet.settings[:confdir] = @dir
+ Puppet.settings[:vardir] = @dir
+
+ Puppet::SSL::Host.ca_location = :local
+
+ @host = Puppet::SSL::Host.new("luke.madstop.com")
+ @ca = Puppet::SSL::CertificateAuthority.new
+ end
+
+ after {
+ Puppet::SSL::Host.ca_location = :none
+
+ system("rm -rf %s" % @dir)
+ Puppet.settings.clear
+ Puppet::Util::Cacher.invalidate
+ }
+
+ it "should be considered a CA host if its name is equal to 'ca'" do
+ Puppet::SSL::Host.new("ca").should be_ca
+ end
+
+ describe "when managing its key" do
+ it "should be able to generate and save a key" do
+ @host.generate_key
+ end
+
+ it "should save the key such that the Indirector can find it" do
+ @host.generate_key
+
+ Puppet::SSL::Key.find(@host.name).content.to_s.should == @host.key.to_s
+ end
+
+ it "should save the private key into the :privatekeydir" do
+ @host.generate_key
+ File.read(File.join(Puppet.settings[:privatekeydir], "luke.madstop.com.pem")).should == @host.key.to_s
+ end
+ end
+
+ describe "when managing its certificate request" do
+ it "should be able to generate and save a certificate request" do
+ @host.generate_certificate_request
+ end
+
+ it "should save the certificate request such that the Indirector can find it" do
+ @host.generate_certificate_request
+
+ Puppet::SSL::CertificateRequest.find(@host.name).content.to_s.should == @host.certificate_request.to_s
+ end
+
+ it "should save the private certificate request into the :privatekeydir" do
+ @host.generate_certificate_request
+ File.read(File.join(Puppet.settings[:requestdir], "luke.madstop.com.pem")).should == @host.certificate_request.to_s
+ end
+ end
+
+ describe "when the CA host" do
+ it "should never store its key in the :privatekeydir" do
+ Puppet.settings.use(:main, :ssl, :ca)
+ @ca = Puppet::SSL::Host.new(Puppet::SSL::Host.ca_name)
+ @ca.generate_key
+
+ FileTest.should_not be_exist(File.join(Puppet[:privatekeydir], "ca.pem"))
+ end
+ end
+
+ it "should pass the verification of its own SSL store" do
+ @host.generate
+ @ca = Puppet::SSL::CertificateAuthority.new
+ @ca.sign(@host.name)
+
+ @host.ssl_store.verify(@host.certificate.content).should be_true
+ end
+end
|
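Review bot: The example description "should save the private certificate request into the :privatekeydir" does not match its body, which reads `Puppet.settings[:requestdir]`; a certificate request is not private key material, so the line should read `it "should save the certificate request into the :requestdir" do`. In "when the CA host" the outer `@ca` (a `CertificateAuthority` from `before`) is overwritten with a `Host` instance, and the last example then builds a fresh `CertificateAuthority` again; a separate name such as `@ca_host` would avoid the type switch on one variable. "should be able to generate and save a key" and its certificate-request counterpart carry no expectation and only prove the call does not raise. The file mixes `Puppet[:privatekeydir]` and `Puppet.settings[:privatekeydir]` for the same lookup; settling on one form would help readability.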