#!/usr/bin/env rspec
require 'spec_helper'
require 'puppet/ssl/certificate_authority'
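# Integration examples for the local certificate authority. Every example runs
# against a throwaway confdir/vardir so no real CA key, certificate or CRL is
# ever read or written.
describe Puppet::SSL::CertificateAuthority, :unless => Puppet.features.microsoft_windows? do
  include PuppetSpec::Files

  before do
    # Point every SSL path at a temporary directory that is private to this run.
    dir = tmpdir("ca_integration_testing")
    Puppet.settings[:confdir] = dir
    Puppet.settings[:vardir] = dir
    Puppet.settings[:group] = Process.gid

    Puppet::SSL::Host.ca_location = :local
    @ca = Puppet::SSL::CertificateAuthority.new
  end

  after do
    # Drop the process-wide CA singleton and settings so state cannot bleed
    # from one example into the next.
    Puppet::SSL::Host.ca_location = :none
    Puppet.settings.clear
    Puppet::SSL::CertificateAuthority.instance_variable_set("@instance", nil)
  end

  it "should create a CA host" do
    @ca.host.should be_ca
  end

  it "should be able to generate a certificate" do
    @ca.generate_ca_certificate
    @ca.host.certificate.should be_instance_of(Puppet::SSL::Certificate)
  end

  it "should be able to generate a new host certificate" do
    @ca.generate("newhost")
    Puppet::SSL::Certificate.indirection.find("newhost").should be_instance_of(Puppet::SSL::Certificate)
  end

  it "should be able to revoke a host certificate" do
    @ca.generate("newhost")

    # Positive control: a freshly issued certificate must verify *before* it is
    # revoked. Without this, the broad raise_error below would also pass when
    # verify is simply broken and raises for every input.
    lambda { @ca.verify("newhost") }.should_not raise_error

    @ca.revoke("newhost")

    # NOTE(review): a bare raise_error accepts any exception class; it is the
    # positive control above that ties this failure to the revocation itself.
    lambda { @ca.verify("newhost") }.should raise_error
  end

  it "should have a CRL" do
    @ca.generate_ca_certificate
    @ca.crl.should_not be_nil
  end

  it "should be able to read in a previously created CRL" do
    @ca.generate_ca_certificate
    # Touch the CRL so the first CA instance writes it out.
    @ca.crl
    # A second CA instance must still come up with a CRL (the example only
    # checks presence, not that the loaded CRL is the one written above).
    Puppet::SSL::CertificateAuthority.new.crl.should_not be_nil
  end

  describe "when signing certificates" do
    # Build a key pair and a certificate request for +name+ so the CA has
    # something to sign, returning the host. The key is supplied explicitly
    # because in :ca_only mode the CA can only interact with its own key.
    def request_for(name)
      host = Puppet::SSL::Host.new(name)
      key = Puppet::SSL::Key.new(host.name)
      key.generate
      host.key = key
      host.generate_certificate_request
      host
    end

    before do
      @host = request_for("luke.madstop.com")
    end

    it "should be able to sign certificates" do
      # Smoke test: signing a pending request must not raise.
      lambda { @ca.sign("luke.madstop.com") }.should_not raise_error
    end

    it "should save the signed certificate" do
      @ca.sign("luke.madstop.com")
      Puppet::SSL::Certificate.indirection.find("luke.madstop.com").should be_instance_of(Puppet::SSL::Certificate)
    end

    it "should be able to sign multiple certificates" do
      @other = request_for("other.madstop.com")

      @ca.sign("luke.madstop.com")
      @ca.sign("other.madstop.com")

      Puppet::SSL::Certificate.indirection.find("other.madstop.com").should be_instance_of(Puppet::SSL::Certificate)
      Puppet::SSL::Certificate.indirection.find("luke.madstop.com").should be_instance_of(Puppet::SSL::Certificate)
    end

    it "should save the signed certificate to the :signeddir" do
      @ca.sign("luke.madstop.com")

      # The on-disk PEM must be byte-identical to what the indirection hands back.
      client_cert = File.join(Puppet[:signeddir], "luke.madstop.com.pem")
      File.read(client_cert).should == Puppet::SSL::Certificate.indirection.find("luke.madstop.com").content.to_s
    end

    it "should save valid certificates" do
      # Decide on pending first so a missing openssl does not pay for a signing.
      pending "No ssl available" unless Puppet::Util.which('openssl')

      @ca.sign("luke.madstop.com")

      ca_cert = Puppet[:cacert]
      client_cert = File.join(Puppet[:signeddir], "luke.madstop.com.pem")

      # argv form: no shell is involved, so the paths reach openssl verbatim
      # instead of being re-parsed by /bin/sh. system returns true only when the
      # child exited 0, which also avoids relying on the English alias of $?.
      system('openssl', 'verify', '-CAfile', ca_cert, client_cert).should be_true
    end
  end
end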