#!/usr/bin/env ruby
#
# Created by Luke Kanies on 2008-4-17.
# Copyright (c) 2008. All rights reserved.
require File.dirname(__FILE__) + '/../../spec_helper'
require 'puppet/ssl/certificate_authority'
require 'fileutils'
require 'tempfile'
require 'tmpdir'
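describe Puppet::SSL::CertificateAuthority do
  # Every example runs against a throw-away confdir/vardir so that the keys,
  # CSRs and certificates generated here never touch a real Puppet install.
  before do
    # Dir.mktmpdir creates the directory itself (atomically, mode 0700).
    # Deleting a Tempfile and reusing its path left a window in which another
    # local user could plant a symlink at that name before Puppet created its
    # directories under it.
    @dir = Dir.mktmpdir("host_integration_testing")
    Puppet.settings[:confdir] = @dir
    Puppet.settings[:vardir] = @dir
    Puppet::SSL::Host.ca_location = :local
    @ca = Puppet::SSL::CertificateAuthority.new
  end

  after do
    Puppet::SSL::Host.ca_location = :none
    # FileUtils rather than system("rm -rf ...") so the path is never re-parsed
    # by a shell; guarded in case the before hook failed before setting @dir.
    FileUtils.rm_rf(@dir) if @dir
    Puppet.settings.clear
    # This is necessary so the terminus instances don't lie around.
    Puppet::SSL::Key.indirection.clear_cache
    Puppet::SSL::Certificate.indirection.clear_cache
    Puppet::SSL::CertificateRequest.indirection.clear_cache
  end

  it "should create a CA host" do
    @ca.host.should be_ca
  end

  it "should be able to generate a certificate" do
    @ca.generate_ca_certificate
    @ca.host.certificate.should be_instance_of(Puppet::SSL::Certificate)
  end

  it "should be able to generate a new host certificate" do
    @ca.generate("newhost")
    Puppet::SSL::Certificate.find("newhost").should be_instance_of(Puppet::SSL::Certificate)
  end

  it "should be able to revoke a host certificate" do
    pending("This test doesn't actually work yet") do
      @ca.generate("newhost")
      @ca.revoke("newhost")
      # NOTE(review): a bare raise_error also passes on unrelated failures
      # (e.g. NoMethodError); pin the expected error class when this is
      # un-pended so the example really proves that verification rejects a
      # revoked certificate.
      lambda { @ca.verify("newhost") }.should raise_error
    end
  end

  describe "when signing certificates" do
    before do
      @host = Puppet::SSL::Host.new("luke.madstop.com")
      # We have to provide the key, since when we're in :ca_only mode, we can only interact
      # with the CA key.
      key = Puppet::SSL::Key.new(@host.name)
      key.generate
      @host.key = key
      @host.generate_certificate_request
    end

    it "should be able to sign certificates" do
      # Only asserts that signing a pending request does not raise; the
      # examples below check what is produced.
      @ca.sign("luke.madstop.com")
    end

    it "should save the signed certificate" do
      @ca.sign("luke.madstop.com")
      Puppet::SSL::Certificate.find("luke.madstop.com").should be_instance_of(Puppet::SSL::Certificate)
    end

    it "should be able to sign multiple certificates" do
      @other = Puppet::SSL::Host.new("other.madstop.com")
      okey = Puppet::SSL::Key.new(@other.name)
      okey.generate
      @other.key = okey
      @other.generate_certificate_request

      @ca.sign("luke.madstop.com")
      @ca.sign("other.madstop.com")

      Puppet::SSL::Certificate.find("other.madstop.com").should be_instance_of(Puppet::SSL::Certificate)
      Puppet::SSL::Certificate.find("luke.madstop.com").should be_instance_of(Puppet::SSL::Certificate)
    end

    it "should save the signed certificate to the :signeddir" do
      @ca.sign("luke.madstop.com")
      client_cert = File.join(Puppet[:signeddir], "luke.madstop.com.pem")
      File.read(client_cert).should == Puppet::SSL::Certificate.find("luke.madstop.com").content.to_s
    end

    it "should save valid certificates" do
      # Look for an openssl binary on PATH ourselves. The old %x{which openssl}
      # returned a String (empty when missing), never nil, so its "unless ssl"
      # pending branch could never fire and a missing openssl failed the
      # example with an unhelpful shell error instead.
      openssl = ENV["PATH"].to_s.split(File::PATH_SEPARATOR).
        map { |dir| File.join(dir, "openssl") }.
        find { |candidate| File.executable?(candidate) }
      pending "No ssl available" unless openssl

      @ca.sign("luke.madstop.com")
      ca_cert = Puppet[:cacert]
      client_cert = File.join(Puppet[:signeddir], "luke.madstop.com.pem")

      # Argument-list form of system() bypasses the shell, so the
      # settings-derived paths are passed verbatim rather than re-parsed as
      # shell syntax. system returns true only on a zero exit status.
      # Caveat: without -crl_check this only proves the certificate chains to
      # the CA; it says nothing about revocation, which the (still pending)
      # revoke example is meant to cover.
      system(openssl, "verify", "-CAfile", ca_cert, client_cert).should == true
    end
  end
end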