#!/usr/bin/env ruby
$:.unshift("../../lib") if __FILE__ =~ /\.rb$/
require 'puppettest'
require 'puppet/network/server/webrick'
require 'mocha'
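class TestWebrickServer < Test::Unit::TestCase
  include PuppetTest::ServerTest

  # Stub the privilege-dropping helper so its block simply runs as the
  # current user (presumably so the suite can run unprivileged).
  def setup
    Puppet::Util::SUIDManager.stubs(:asuser).yields
    super
  end

  # Make sure we can create a server, and that it knows how to create its
  # certs by default.
  def test_basics
    server = nil

    # With no CA handler the server is expected to refuse to come up
    # rather than start without a certificate.
    assert_raise(Puppet::Error, "server succeeded with no cert") do
      server = Puppet::Network::Server::WEBrick.new(
        :Port => @@port,
        :Handlers => { :Status => nil }
      )
    end

    assert_nothing_raised("Could not create simple server") do
      server = Puppet::Network::Server::WEBrick.new(
        :Port => @@port,
        :Handlers => {
          :CA => {}, # so that certs autogenerate
          :Status => nil
        }
      )
    end

    assert(server, "did not create server")
    assert(server.cert, "did not retrieve cert")
  end

  # test that we can connect to the server
  # we have to use fork here, because we apparently can't use threads
  # to talk to other threads
  def test_connect_with_fork
    Puppet[:autosign] = true
    # The forked child's pid is recorded in @@tmppids by mk_status_server;
    # the return value is not needed here.
    mk_status_server

    # create a status client, and verify it can talk
    client = mk_status_client
    assert(client.cert, "did not get cert for client")

    retval = nil
    assert_nothing_raised("Could not connect to server") do
      retval = client.status
    end
    assert_equal(1, retval)
  end

  # Test that a client whose cert has been revoked really can't connect
  def test_certificate_revocation
    Puppet[:autosign] = true
    serverpid, server = mk_status_server
    client = mk_status_client

    status = nil
    assert_nothing_raised do
      status = client.status
    end
    assert_equal(1, status)
    client.shutdown

    # Revoke the client's cert
    ca = Puppet::SSLCertificates::CA.new
    ca.revoke(ca.getclientcert(Puppet[:certname])[0].serial)

    # Restart the server on a fresh port. autosign is switched off first,
    # presumably so the revoked client cannot just be issued a new cert.
    @@port += 1
    Puppet[:autosign] = false
    kill_and_wait(serverpid, server.pidfile)
    mk_status_server

    # This time the client should be denied. With keep-alive,
    # the client starts its connection immediately, thus throwing
    # the error.
    assert_raise(OpenSSL::SSL::SSLError) do
      Puppet::Network::Client.status.new(:Server => "localhost", :Port => @@port)
    end
  end

  # Build a status client pointed at localhost:@@port, asserting that its
  # construction does not raise.
  def mk_status_client
    client = nil
    # Otherwise, the client initalization will trip over itself
    # since elements created in the last run are still around
    Puppet::Type.allclear
    assert_nothing_raised do
      client = Puppet::Network::Client.status.new(
        :Server => "localhost",
        :Port => @@port
      )
    end
    client
  end

  # Build a WEBrick status server (with a CA handler so certs autogenerate)
  # and run it in a forked child. Returns [child pid, server]; the pid is
  # also appended to @@tmppids for later cleanup.
  def mk_status_server
    server = nil
    assert_nothing_raised do
      server = Puppet::Network::Server::WEBrick.new(
        :Port => @@port,
        :Handlers => {
          :CA => {}, # so that certs autogenerate
          :Status => nil
        }
      )
    end

    pid = fork do
      Puppet[:name] = "puppetmasterd"
      assert_nothing_raised do
        # kill_and_wait stops the child with SIGINT; shut down cleanly on it.
        trap(:INT) { server.shutdown }
        server.start
      end
    end
    @@tmppids << pid
    [pid, server]
  end

  # Send SIGINT to the forked server and wait up to 30s for its pidfile to
  # disappear, which is how we tell that the child has shut down.
  def kill_and_wait(pid, file)
    # Signal the process directly rather than shelling out to `kill`; the
    # stdlib can send the signal without a subshell. A process that is
    # already gone (or not ours to signal) is ignored, matching the old
    # best-effort behaviour of discarding the shell's errors.
    begin
      Process.kill(:INT, pid)
    rescue SystemCallError
      # nothing to do; the pidfile check below decides the outcome
    end

    count = 0
    while count < 30 && File.exist?(file)
      count += 1
      sleep(1)
    end
    # NOTE(review): this passes trivially if the pidfile was never written;
    # it only catches a child that is still running after 30s.
    assert(count < 30, "Killing server #{pid} failed")
  end
end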