blob: 28f880ededa02711efea8361a11b60989ad119f5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
|
#!/usr/bin/env ruby
#
# Created by Luke Kanies on 2008-4-17.
# Copyright (c) 2008. All rights reserved.
require File.dirname(__FILE__) + '/../../spec_helper'
require 'puppet/ssl/certificate_authority'
require 'tempfile'
describe Puppet::SSL::CertificateAuthority do
before do
# Get a safe temporary file
file = Tempfile.new("ca_integration_testing")
@dir = file.path
file.delete
Puppet.settings[:confdir] = @dir
Puppet.settings[:vardir] = @dir
Puppet::SSL::Host.ca_location = :local
@ca = Puppet::SSL::CertificateAuthority.new
end
after {
Puppet::SSL::Host.ca_location = :none
system("rm -rf %s" % @dir)
Puppet.settings.clear
# This is necessary so the terminus instances don't lie around.
Puppet::SSL::Key.indirection.clear_cache
Puppet::SSL::Certificate.indirection.clear_cache
Puppet::SSL::CertificateRequest.indirection.clear_cache
Puppet::SSL::CertificateAuthority.instance_variable_set("@instance", nil)
}
it "should create a CA host" do
@ca.host.should be_ca
end
it "should be able to generate a certificate" do
@ca.generate_ca_certificate
@ca.host.certificate.should be_instance_of(Puppet::SSL::Certificate)
end
it "should be able to generate a new host certificate" do
@ca.generate("newhost")
Puppet::SSL::Certificate.find("newhost").should be_instance_of(Puppet::SSL::Certificate)
end
it "should be able to revoke a host certificate" do
pending("This test doesn't actually work yet") do
@ca.generate("newhost")
@ca.revoke("newhost")
lambda { @ca.verify("newhost") }.should raise_error
end
end
it "should have a CRL" do
@ca.generate_ca_certificate
@ca.crl.should_not be_nil
end
it "should be able to read in a previously created CRL" do
@ca.generate_ca_certificate
# Create it to start with.
@ca.crl
Puppet::SSL::CertificateAuthority.new.crl.should_not be_nil
end
describe "when signing certificates" do
before do
@host = Puppet::SSL::Host.new("luke.madstop.com")
# We have to provide the key, since when we're in :ca_only mode, we can only interact
# with the CA key.
key = Puppet::SSL::Key.new(@host.name)
key.generate
@host.key = key
@host.generate_certificate_request
path = File.join(Puppet[:requestdir], "luke.madstop.com.pem")
end
it "should be able to sign certificates" do
@ca.sign("luke.madstop.com")
end
it "should save the signed certificate" do
@ca.sign("luke.madstop.com")
Puppet::SSL::Certificate.find("luke.madstop.com").should be_instance_of(Puppet::SSL::Certificate)
end
it "should be able to sign multiple certificates" do
@other = Puppet::SSL::Host.new("other.madstop.com")
okey = Puppet::SSL::Key.new(@other.name)
okey.generate
@other.key = okey
@other.generate_certificate_request
@ca.sign("luke.madstop.com")
@ca.sign("other.madstop.com")
Puppet::SSL::Certificate.find("other.madstop.com").should be_instance_of(Puppet::SSL::Certificate)
Puppet::SSL::Certificate.find("luke.madstop.com").should be_instance_of(Puppet::SSL::Certificate)
end
it "should save the signed certificate to the :signeddir" do
@ca.sign("luke.madstop.com")
client_cert = File.join(Puppet[:signeddir], "luke.madstop.com.pem")
File.read(client_cert).should == Puppet::SSL::Certificate.find("luke.madstop.com").content.to_s
end
it "should save valid certificates" do
@ca.sign("luke.madstop.com")
ssl = %x{which openssl}
unless ssl
pending "No ssl available"
else
ca_cert = Puppet[:cacert]
client_cert = File.join(Puppet[:signeddir], "luke.madstop.com.pem")
output = %x{openssl verify -CAfile #{ca_cert} #{client_cert}}
$?.should == 0
end
end
end
end
|
