spec/unit/ssl/certificate_revocation_list_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168

#!/usr/bin/env ruby

require 'spec_helper'

require 'puppet/ssl/certificate_revocation_list'

describe Puppet::SSL::CertificateRevocationList do
  before do
    @cert = stub 'cert', :subject => "mysubject"
    @key = stub 'key', :private? => true

    @class = Puppet::SSL::CertificateRevocationList
  end

  it "should only support the text format" do
    @class.supported_formats.should == [:s]
  end

  describe "when converting from a string" do
    it "should create a CRL instance with its name set to 'foo' and its content set to the extracted CRL" do
      crl = stub 'crl'
      OpenSSL::X509::CRL.expects(:new).returns(crl)

      mycrl = stub 'sslcrl'
      mycrl.expects(:content=).with(crl)

      @class.expects(:new).with("foo").returns mycrl

      @class.from_s("my crl").should == mycrl
    end
  end

  describe "when an instance" do
    before do
      @class.any_instance.stubs(:read_or_generate)

      @crl = @class.new("whatever")
    end

    it "should always use 'crl' for its name" do
      @crl.name.should == "crl"
    end

    it "should have a content attribute" do
      @crl.should respond_to(:content)
    end
  end

  describe "when generating the crl" do
    before do
      @real_crl = mock 'crl'
      @real_crl.stub_everything

      OpenSSL::X509::CRL.stubs(:new).returns(@real_crl)

      @class.any_instance.stubs(:read_or_generate)

      @crl = @class.new("crl")
    end

    it "should set its issuer to the subject of the passed certificate" do
      @real_crl.expects(:issuer=).with(@cert.subject)

      @crl.generate(@cert, @key)
    end

    it "should set its version to 1" do
      @real_crl.expects(:version=).with(1)

      @crl.generate(@cert, @key)
    end

    it "should create an instance of OpenSSL::X509::CRL" do
      OpenSSL::X509::CRL.expects(:new).returns(@real_crl)

      @crl.generate(@cert, @key)
    end

    # The next three tests aren't good, but at least they
    # specify the behaviour.
    it "should add an extension for the CRL number" do
      @real_crl.expects(:extensions=)
      @crl.generate(@cert, @key)
    end

    it "should set the last update time" do
      @real_crl.expects(:last_update=)
      @crl.generate(@cert, @key)
    end

    it "should set the next update time" do
      @real_crl.expects(:next_update=)
      @crl.generate(@cert, @key)
    end

    it "should sign the CRL" do
      @real_crl.expects(:sign).with { |key, digest| key == @key }
      @crl.generate(@cert, @key)
    end

    it "should set the content to the generated crl" do
      @crl.generate(@cert, @key)
      @crl.content.should equal(@real_crl)
    end

    it "should return the generated crl" do
      @crl.generate(@cert, @key).should equal(@real_crl)
    end
  end

  # This test suite isn't exactly complete, because the
  # SSL stuff is very complicated.  It just hits the high points.
  describe "when revoking a certificate" do
    before do
      @class.wrapped_class.any_instance.stubs(:issuer=)
      @class.wrapped_class.any_instance.stubs(:sign)

      @crl = @class.new("crl")
      @crl.generate(@cert, @key)
      @crl.content.stubs(:sign)

      Puppet::SSL::CertificateRevocationList.indirection.stubs :save

      @key = mock 'key'
    end

    it "should require a serial number and the CA's private key" do
      lambda { @crl.revoke }.should raise_error(ArgumentError)
    end

    it "should default to OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE as the revocation reason" do
      # This makes it a bit more of an integration test than we'd normally like, but that's life
      # with openssl.
      reason = OpenSSL::ASN1::Enumerated(OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
      OpenSSL::ASN1.expects(:Enumerated).with(OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE).returns reason

      @crl.revoke(1, @key)
    end

    it "should mark the CRL as updated" do
      time = Time.now
      Time.stubs(:now).returns time

      @crl.content.expects(:last_update=).with(time)

      @crl.revoke(1, @key)
    end

    it "should mark the CRL valid for five years" do
      time = Time.now
      Time.stubs(:now).returns time

      @crl.content.expects(:next_update=).with(time + (5 * 365*24*60*60))

      @crl.revoke(1, @key)
    end

    it "should sign the CRL with the CA's private key and a digest instance" do
      @crl.content.expects(:sign).with { |key, digest| key == @key and digest.is_a?(OpenSSL::Digest::SHA1) }
      @crl.revoke(1, @key)
    end

    it "should save the CRL" do
      Puppet::SSL::CertificateRevocationList.indirection.expects(:save).with(@crl, nil)
      @crl.revoke(1, @key)
    end
  end
end