summaryrefslogtreecommitdiffstats
path: root/test/network
diff options
context:
space:
mode:
Diffstat (limited to 'test/network')
-rwxr-xr-xtest/network/client/ca.rb2
-rwxr-xr-xtest/network/handler/ca.rb34
2 files changed, 36 insertions, 0 deletions
diff --git a/test/network/client/ca.rb b/test/network/client/ca.rb
index 0fdbda537..26fb72f40 100755
--- a/test/network/client/ca.rb
+++ b/test/network/client/ca.rb
@@ -2,6 +2,7 @@
$:.unshift("../../lib") if __FILE__ =~ /\.rb$/
+require 'mocha'
require 'puppettest'
require 'puppet/network/client/ca'
require 'puppet/sslcertificates/support'
@@ -48,6 +49,7 @@ class TestClientCA < Test::Unit::TestCase
File.unlink(Puppet[:hostprivkey])
@client = Puppet::Network::Client.ca.new :CA => @ca
+ @ca.expects(:getcert).returns("yay") # not a valid cert
# Now make sure it fails, since we'll get the old cert but have new keys
assert_raise(Puppet::Network::Client::CA::InvalidCertificate, "Did not fail on invalid cert") do
@client.request_cert
diff --git a/test/network/handler/ca.rb b/test/network/handler/ca.rb
index fe2fdbd2e..3c89f597b 100755
--- a/test/network/handler/ca.rb
+++ b/test/network/handler/ca.rb
@@ -229,6 +229,40 @@ class TestCA < Test::Unit::TestCase
# And try a different host
assert(! caserv.autosign?("other.yay.com"), "Host was autosigned")
end
+
+ # Make sure that a CSR created with keys that don't match the existing
+ # cert throws an exception on the server.
+ def test_mismatched_public_keys_throws_exception
+ ca = Puppet::Network::Handler.ca.new()
+
+ # First initialize the server
+ client = Puppet::Network::Client.ca.new :CA => ca
+ client.request_cert
+ File.unlink(Puppet[:hostcsr])
+
+ # Now use a different cert name
+ Puppet[:certname] = "my.host.com"
+ client = Puppet::Network::Client.ca.new :CA => ca
+ firstcsr = client.csr
+ File.unlink(Puppet[:hostcsr]) if FileTest.exists?(Puppet[:hostcsr])
+
+ assert_nothing_raised("Could not get cert") do
+ ca.getcert(firstcsr.to_s)
+ end
+
+ # Now get rid of the public key, forcing a new csr
+ File.unlink(Puppet[:hostprivkey])
+
+ client = Puppet::Network::Client.ca.new :CA => ca
+
+ second_csr = client.csr
+
+ assert(firstcsr.to_s != second_csr.to_s, "CSR did not change")
+
+ assert_raise(Puppet::Error, "CA allowed mismatched keys") do
+ ca.getcert(second_csr.to_s)
+ end
+ end
end
# $Id$
generated by cgit (git 2.34.1) at 2026-01-08 02:22:07 +0000