require File.expand_path(File.dirname(__FILE__) + '/../lib/puppettest')
require 'puppet/sslcertificates.rb'
require 'puppettest/certificates'
class TestCertMgr < Test::Unit::TestCase
include PuppetTest::Certificates
#@dir = File.join(Puppet[:certdir], "testing")
@dir = File.join(@configpath, "certest")
system("mkdir -p #{@dir}")
Puppet::Util::SUIDManager.stubs(:asuser).yields
def testCreateSelfSignedCertificate
Puppet::SSLCertificates::Certificate.new(
assert_nothing_raised {
assert_nothing_raised {
assert_raise(Puppet::Error) {
assert_nothing_raised {
assert(FileTest.exists?(cert.certfile))
assert_nothing_raised {
assert_nothing_raised {
assert_nothing_raised {
assert_nothing_raised {
def disabled_testCreateEncryptedSelfSignedCertificate
assert_nothing_raised {
cert = Puppet::SSLCertificates::Certificate.new(
assert_nothing_raised {
assert_nothing_raised {
assert_raise(Puppet::Error) {
assert(FileTest.exists?(cert.certfile))
assert(FileTest.exists?(cert.hash))
assert_nothing_raised {
assert_nothing_raised {
assert_nothing_raised {
assert_nothing_raised {
ca = Puppet::SSLCertificates::CA.new
# make the CA again and verify it doesn't fail because everything
assert_nothing_raised {
ca = Puppet::SSLCertificates::CA.new
assert_nothing_raised {
cert = Puppet::SSLCertificates::Certificate.new(
:name => "signedcertest",
:city => "Nashville",
:email => "luke@madstop.com",
:ou => "Development",
:encrypt => mkPassFile()
assert_nothing_raised {
assert_nothing_raised {
signedcert, cacert = ca.sign(cert.csr)
assert_instance_of(OpenSSL::X509::Certificate, signedcert)
assert_instance_of(OpenSSL::X509::Certificate, cacert)
assert_nothing_raised {
cert.cert = signedcert
#system("find #{Puppet[:ssldir]}")
#system("cp -R #{Puppet[:ssldir]} /tmp/ssltesting")
assert_nothing_raised {
output = %x{openssl verify -CAfile #{Puppet[:cacert]} -purpose sslserver #{cert.certfile}}
#output = %x{openssl verify -CApath #{Puppet[:certdir]} -purpose sslserver #{cert.certfile}}
assert_equal($CHILD_STATUS,0)
assert_equal(File.join(Puppet[:certdir], "signedcertest.pem: OK\n"), output)
def test_interactiveca
assert_nothing_raised {
ca = Puppet::SSLCertificates::CA.new
# basic initialization
hostname = "test.hostname.com"
cert = mkcert(hostname)
assert_nothing_raised {
assert_nothing_raised {
ca.storeclientcsr(csr)
assert_nothing_raised {
pulledcsr = ca.getclientcsr(hostname)
assert_equal(csr.to_pem, pulledcsr.to_pem)
assert_nothing_raised {
signedcert, cacert = ca.sign(csr)
assert_instance_of(OpenSSL::X509::Certificate, signedcert)
assert_nothing_raised {
newsignedcert, cacert = ca.getclientcert(hostname)
assert(newsignedcert)
assert_equal(signedcert.to_pem, newsignedcert.to_pem)
assert_nothing_raised {
cert, cacert = ca.getclientcert("nohost")
h1 = mksignedcert(ca, "host1.example.com")
h2 = mksignedcert(ca, "host2.example.com")
assert(ca.cert.verify(ca.cert.public_key))
assert(h1.verify(ca.cert.public_key))
assert(h2.verify(ca.cert.public_key))
assert( store.verify(ca.cert))
assert( store.verify(h1, [ca.cert]))
assert( store.verify(h2, [ca.cert]))
oldcert = File.read(Puppet.settings[:cacert])
oldserial = File.read(Puppet.settings[:serial])
# Recreate the CA from disk
newcert = File.read(Puppet.settings[:cacert])
newserial = File.read(Puppet.settings[:serial])
assert_equal(oldcert, newcert, "The certs are not equal after making a new CA.")
assert_equal(oldserial, newserial, "The serials are not equal after making a new CA.")
assert( store.verify(ca.cert), "Could not verify CA certs after reloading certs.")
assert(!store.verify(h1, [ca.cert]), "Incorrectly verified revoked cert.")
assert( store.verify(h2, [ca.cert]), "Could not verify certs with reloaded CA.")
assert_equal(1, ca.crl.extensions.size)
# Recreate the CA from disk
assert( store.verify(ca.cert))
assert(!store.verify(h1, [ca.cert]), "first revoked cert passed")
assert(!store.verify(h2, [ca.cert]), "second revoked cert passed")
assert_equal(5 * 365 * 24 * 60 * 60, cert.not_after - cert.not_before)
Puppet[:ca_ttl] = 7 * 24 * 60 * 60
assert_equal(7 * 24 * 60 * 60, cert.not_after - cert.not_before)
Puppet[:ca_ttl] = "2y"
assert_equal(2 * 365 * 24 * 60 * 60, cert.not_after - cert.not_before)
Puppet[:ca_ttl] = "2y"
assert_equal(2 * 365 * 24 * 60 * 60, cert.not_after - cert.not_before)
Puppet[:ca_ttl] = "1h"
assert_equal(60 * 60, cert.not_after - cert.not_before)
Puppet[:ca_ttl] = "900s"
assert_equal(900, cert.not_after - cert.not_before)
# This needs to be last, to make sure that setting ca_days
# overrides setting ca_ttl
assert_equal(3 * 24 * 60 * 60, cert.not_after - cert.not_before)