1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
|
#! /usr/bin/env ruby
require 'spec_helper'
require 'puppet/ssl/certificate'
describe Puppet::SSL::Certificate do
before do
@class = Puppet::SSL::Certificate
end
after do
@class.instance_variable_set("@ca_location", nil)
end
it "should be extended with the Indirector module" do
@class.singleton_class.should be_include(Puppet::Indirector)
end
it "should indirect certificate" do
@class.indirection.name.should == :certificate
end
it "should only support the text format" do
@class.supported_formats.should == [:s]
end
describe "when converting from a string" do
it "should create a certificate instance with its name set to the certificate subject and its content set to the extracted certificate" do
cert = stub 'certificate',
:subject => OpenSSL::X509::Name.parse("/CN=Foo.madstop.com"),
:is_a? => true
OpenSSL::X509::Certificate.expects(:new).with("my certificate").returns(cert)
mycert = stub 'sslcert'
mycert.expects(:content=).with(cert)
@class.expects(:new).with("Foo.madstop.com").returns mycert
@class.from_s("my certificate")
end
it "should create multiple certificate instances when asked" do
cert1 = stub 'cert1'
@class.expects(:from_s).with("cert1").returns cert1
cert2 = stub 'cert2'
@class.expects(:from_s).with("cert2").returns cert2
@class.from_multiple_s("cert1\n---\ncert2").should == [cert1, cert2]
end
end
describe "when converting to a string" do
before do
@certificate = @class.new("myname")
end
it "should return an empty string when it has no certificate" do
@certificate.to_s.should == ""
end
it "should convert the certificate to pem format" do
certificate = mock 'certificate', :to_pem => "pem"
@certificate.content = certificate
@certificate.to_s.should == "pem"
end
it "should be able to convert multiple instances to a string" do
cert2 = @class.new("foo")
@certificate.expects(:to_s).returns "cert1"
cert2.expects(:to_s).returns "cert2"
@class.to_multiple_s([@certificate, cert2]).should == "cert1\n---\ncert2"
end
end
describe "when managing instances" do
def build_cert(opts)
key = Puppet::SSL::Key.new('quux')
key.generate
csr = Puppet::SSL::CertificateRequest.new('quux')
csr.generate(key, opts)
raw_cert = Puppet::SSL::CertificateFactory.build('client', csr, csr.content, 14)
@class.from_instance(raw_cert)
end
before do
@certificate = @class.new("myname")
end
it "should have a name attribute" do
@certificate.name.should == "myname"
end
it "should convert its name to a string and downcase it" do
@class.new(:MyName).name.should == "myname"
end
it "should have a content attribute" do
@certificate.should respond_to(:content)
end
describe "#subject_alt_names" do
it "should list all alternate names when the extension is present" do
certificate = build_cert(:dns_alt_names => 'foo, bar,baz')
certificate.subject_alt_names.
should =~ ['DNS:foo', 'DNS:bar', 'DNS:baz', 'DNS:quux']
end
it "should return an empty list of names if the extension is absent" do
certificate = build_cert({})
certificate.subject_alt_names.should be_empty
end
end
describe "custom extensions" do
it "returns extensions under the ppRegCertExt" do
exts = {'pp_uuid' => 'abcdfd'}
cert = build_cert(:extension_requests => exts)
expect(cert.custom_extensions).to include('oid' => 'pp_uuid', 'value' => 'abcdfd')
end
it "returns extensions under the ppPrivCertExt" do
exts = {'1.3.6.1.4.1.34380.1.2.1' => 'x509 :('}
cert = build_cert(:extension_requests => exts)
expect(cert.custom_extensions).to include('oid' => '1.3.6.1.4.1.34380.1.2.1', 'value' => 'x509 :(')
end
it "doesn't return standard extensions" do
cert = build_cert(:dns_alt_names => 'foo')
expect(cert.custom_extensions).to be_empty
end
end
it "should return a nil expiration if there is no actual certificate" do
@certificate.stubs(:content).returns nil
@certificate.expiration.should be_nil
end
it "should use the expiration of the certificate as its expiration date" do
cert = stub 'cert'
@certificate.stubs(:content).returns cert
cert.expects(:not_after).returns "sometime"
@certificate.expiration.should == "sometime"
end
it "should be able to read certificates from disk" do
path = "/my/path"
File.expects(:read).with(path).returns("my certificate")
certificate = mock 'certificate'
OpenSSL::X509::Certificate.expects(:new).with("my certificate").returns(certificate)
@certificate.read(path).should equal(certificate)
@certificate.content.should equal(certificate)
end
it "should have a :to_text method that it delegates to the actual key" do
real_certificate = mock 'certificate'
real_certificate.expects(:to_text).returns "certificatetext"
@certificate.content = real_certificate
@certificate.to_text.should == "certificatetext"
end
end
describe "when checking if the certificate's expiration is approaching" do
before do
@days = 24*60*60
@certificate = @class.new("myname")
@certificate.stubs(:expiration).returns(Time.now.utc() + 30*@days)
end
it "should be true if the expiration is within the given interval from now" do
@certificate.near_expiration?(31*@days).should be_true
end
it "should be false if there is no expiration" do
@certificate.stubs(:expiration).returns(nil)
@certificate.near_expiration?.should be_false
end
it "should default to using the `certificate_expire_warning` setting as the interval" do
Puppet[:certificate_expire_warning] = 31*@days
@certificate.near_expiration?.should be_true
Puppet[:certificate_expire_warning] = 29*@days
@certificate.near_expiration?.should be_false
end
end
end
|
