~lynxman/ubuntu/precise/puppet/puppetlabsfixbug12844

Viewing changes to test/certmgr/certmgr.rb

Committer: Bazaar Package Importer
Author(s): Marc Deslauriers
Date: 2011-10-24 15:05:12 UTC
Revision ID: james.westby@ubuntu.com-20111024150512-yxqwfdp6hcs6of5l

Tags: 2.7.1-1ubuntu3.2

* SECURITY UPDATE: puppet master impersonation via incorrect certificates
  - debian/patches/CVE-2011-3872.patch: refactor certificate handling.
  - Thanks to upstream for providing the patch.
  - CVE-2011-3872

files added:
.pc/CVE-2011-3872.patch

.pc/CVE-2011-3872.patch/acceptance

.pc/CVE-2011-3872.patch/acceptance/tests

.pc/CVE-2011-3872.patch/acceptance/tests/ticket_5477_master_not_dectect_sitepp.rb

.pc/CVE-2011-3872.patch/acceptance/tests/ticket_7117_broke_env_criteria_authconf.rb

.pc/CVE-2011-3872.patch/lib

.pc/CVE-2011-3872.patch/lib/puppet

.pc/CVE-2011-3872.patch/lib/puppet/application

.pc/CVE-2011-3872.patch/lib/puppet/application/cert.rb

.pc/CVE-2011-3872.patch/lib/puppet/application/kick.rb

.pc/CVE-2011-3872.patch/lib/puppet/defaults.rb

.pc/CVE-2011-3872.patch/lib/puppet/face

.pc/CVE-2011-3872.patch/lib/puppet/face/certificate.rb

.pc/CVE-2011-3872.patch/lib/puppet/network

.pc/CVE-2011-3872.patch/lib/puppet/network/client

.pc/CVE-2011-3872.patch/lib/puppet/network/client.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/client/ca.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/client/file.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/client/proxy.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/client/report.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/client/runner.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/client/status.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/handler

.pc/CVE-2011-3872.patch/lib/puppet/network/handler/ca.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/handler/master.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/handler/runner.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/http_server

.pc/CVE-2011-3872.patch/lib/puppet/network/http_server/webrick.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/xmlrpc

.pc/CVE-2011-3872.patch/lib/puppet/network/xmlrpc/client.rb

.pc/CVE-2011-3872.patch/lib/puppet/ssl

.pc/CVE-2011-3872.patch/lib/puppet/ssl/certificate.rb

.pc/CVE-2011-3872.patch/lib/puppet/ssl/certificate_authority

.pc/CVE-2011-3872.patch/lib/puppet/ssl/certificate_authority.rb

.pc/CVE-2011-3872.patch/lib/puppet/ssl/certificate_authority/interface.rb

.pc/CVE-2011-3872.patch/lib/puppet/ssl/certificate_factory.rb

.pc/CVE-2011-3872.patch/lib/puppet/ssl/certificate_request.rb

.pc/CVE-2011-3872.patch/lib/puppet/ssl/host.rb

.pc/CVE-2011-3872.patch/lib/puppet/sslcertificates

.pc/CVE-2011-3872.patch/lib/puppet/sslcertificates.rb

.pc/CVE-2011-3872.patch/lib/puppet/sslcertificates/ca.rb

.pc/CVE-2011-3872.patch/lib/puppet/sslcertificates/certificate.rb

.pc/CVE-2011-3872.patch/lib/puppet/sslcertificates/inventory.rb

.pc/CVE-2011-3872.patch/lib/puppet/sslcertificates/support.rb

.pc/CVE-2011-3872.patch/lib/puppet/type

.pc/CVE-2011-3872.patch/lib/puppet/type/file.rb

.pc/CVE-2011-3872.patch/lib/puppet/util

.pc/CVE-2011-3872.patch/lib/puppet/util/monkey_patches.rb

.pc/CVE-2011-3872.patch/lib/puppet/util/settings.rb

.pc/CVE-2011-3872.patch/spec

.pc/CVE-2011-3872.patch/spec/integration

.pc/CVE-2011-3872.patch/spec/integration/defaults_spec.rb

.pc/CVE-2011-3872.patch/spec/integration/network

.pc/CVE-2011-3872.patch/spec/integration/network/client_spec.rb

.pc/CVE-2011-3872.patch/spec/integration/network/handler_spec.rb

.pc/CVE-2011-3872.patch/spec/spec_helper.rb

.pc/CVE-2011-3872.patch/spec/unit

.pc/CVE-2011-3872.patch/spec/unit/face

.pc/CVE-2011-3872.patch/spec/unit/face/certificate_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/indirector

.pc/CVE-2011-3872.patch/spec/unit/indirector/certificate_request

.pc/CVE-2011-3872.patch/spec/unit/indirector/certificate_request/ca_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/network

.pc/CVE-2011-3872.patch/spec/unit/network/client_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/network/handler

.pc/CVE-2011-3872.patch/spec/unit/network/handler/ca_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/network/xmlrpc

.pc/CVE-2011-3872.patch/spec/unit/network/xmlrpc/client_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/ssl

.pc/CVE-2011-3872.patch/spec/unit/ssl/certificate_authority

.pc/CVE-2011-3872.patch/spec/unit/ssl/certificate_authority/interface_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/ssl/certificate_authority_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/ssl/certificate_factory_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/ssl/certificate_request_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/ssl/certificate_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/ssl/host_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/sslcertificates

.pc/CVE-2011-3872.patch/spec/unit/sslcertificates/ca_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/util

.pc/CVE-2011-3872.patch/spec/unit/util/settings_spec.rb

.pc/CVE-2011-3872.patch/test

.pc/CVE-2011-3872.patch/test/certmgr

.pc/CVE-2011-3872.patch/test/certmgr/certmgr.rb

.pc/CVE-2011-3872.patch/test/certmgr/inventory.rb

.pc/CVE-2011-3872.patch/test/certmgr/support.rb

.pc/CVE-2011-3872.patch/test/language

.pc/CVE-2011-3872.patch/test/language/functions.rb

.pc/CVE-2011-3872.patch/test/language/snippets.rb

.pc/CVE-2011-3872.patch/test/lib

.pc/CVE-2011-3872.patch/test/lib/puppettest

.pc/CVE-2011-3872.patch/test/lib/puppettest/exetest.rb

.pc/CVE-2011-3872.patch/test/lib/puppettest/servertest.rb

.pc/CVE-2011-3872.patch/test/network

.pc/CVE-2011-3872.patch/test/network/client

.pc/CVE-2011-3872.patch/test/network/client/ca.rb

.pc/CVE-2011-3872.patch/test/network/client/dipper.rb

.pc/CVE-2011-3872.patch/test/network/handler

.pc/CVE-2011-3872.patch/test/network/handler/ca.rb

.pc/CVE-2011-3872.patch/test/network/server

.pc/CVE-2011-3872.patch/test/network/server/mongrel_test.rb

.pc/CVE-2011-3872.patch/test/network/server/webrick.rb

.pc/CVE-2011-3872.patch/test/network/xmlrpc

.pc/CVE-2011-3872.patch/test/network/xmlrpc/client.rb

.pc/CVE-2011-3872.patch/test/rails

.pc/CVE-2011-3872.patch/test/rails/rails.rb

.pc/CVE-2011-3872.patch/test/ral

.pc/CVE-2011-3872.patch/test/ral/type

.pc/CVE-2011-3872.patch/test/ral/type/filesources.rb

debian/patches/CVE-2011-3872.patch

spec/unit/network/handler/ca_spec.rb

files removed:
lib/puppet/network/client

lib/puppet/network/client.rb

lib/puppet/network/client/ca.rb

lib/puppet/network/client/file.rb

lib/puppet/network/client/proxy.rb

lib/puppet/network/client/report.rb

lib/puppet/network/client/runner.rb

lib/puppet/network/client/status.rb

lib/puppet/network/http_server/webrick.rb

lib/puppet/network/xmlrpc/client.rb

lib/puppet/sslcertificates

lib/puppet/sslcertificates.rb

lib/puppet/sslcertificates/ca.rb

lib/puppet/sslcertificates/certificate.rb

lib/puppet/sslcertificates/inventory.rb

lib/puppet/sslcertificates/support.rb

spec/integration/network/client_spec.rb

spec/unit/network/client_spec.rb

spec/unit/network/xmlrpc

spec/unit/network/xmlrpc/client_spec.rb

spec/unit/sslcertificates

spec/unit/sslcertificates/ca_spec.rb

test/certmgr

test/certmgr/certmgr.rb

test/certmgr/inventory.rb

test/certmgr/support.rb

test/network/client

test/network/client/ca.rb

test/network/client/dipper.rb

test/network/handler/ca.rb

test/network/server

test/network/server/mongrel_test.rb

test/network/server/webrick.rb

test/network/xmlrpc/client.rb

files modified:
.pc/applied-patches

acceptance/tests/ticket_5477_master_not_dectect_sitepp.rb

acceptance/tests/ticket_7117_broke_env_criteria_authconf.rb

debian/changelog

debian/patches/series

lib/puppet/application/cert.rb

lib/puppet/application/kick.rb

lib/puppet/defaults.rb

lib/puppet/face/certificate.rb

lib/puppet/network/handler/ca.rb

lib/puppet/network/handler/master.rb

lib/puppet/network/handler/runner.rb

lib/puppet/ssl/certificate.rb

lib/puppet/ssl/certificate_authority.rb

lib/puppet/ssl/certificate_authority/interface.rb

lib/puppet/ssl/certificate_factory.rb

lib/puppet/ssl/certificate_request.rb

lib/puppet/ssl/host.rb

lib/puppet/type/file.rb

lib/puppet/util/monkey_patches.rb

lib/puppet/util/settings.rb

spec/integration/defaults_spec.rb

spec/integration/network/handler_spec.rb

spec/spec_helper.rb

spec/unit/face/certificate_spec.rb

spec/unit/indirector/certificate_request/ca_spec.rb

spec/unit/ssl/certificate_authority/interface_spec.rb

spec/unit/ssl/certificate_authority_spec.rb

spec/unit/ssl/certificate_factory_spec.rb

spec/unit/ssl/certificate_request_spec.rb

spec/unit/ssl/certificate_spec.rb

spec/unit/ssl/host_spec.rb

spec/unit/util/settings_spec.rb

test/language/functions.rb

test/language/snippets.rb

test/lib/puppettest/exetest.rb

test/lib/puppettest/servertest.rb

test/rails/rails.rb

test/ral/type/filesources.rb

Show diffs side-by-side

added added

removed removed

test/certmgr/certmgr.rb

#!/usr/bin/env ruby

require File.expand_path(File.dirname(__FILE__) + '/../lib/puppettest')

require 'puppet'

require 'puppet/sslcertificates.rb'

require 'puppettest'

require 'puppettest/certificates'

require 'mocha'

class TestCertMgr < Test::Unit::TestCase

include PuppetTest::Certificates

def setup

super

#@dir = File.join(Puppet[:certdir], "testing")

@dir = File.join(@configpath, "certest")

system("mkdir -p #{@dir}")

Puppet::Util::SUIDManager.stubs(:asuser).yields

end

def testCreateSelfSignedCertificate

cert = nil

name = "testing"

newcert = proc {

Puppet::SSLCertificates::Certificate.new(

:name => name,

:selfsign => true

)

}

assert_nothing_raised {

cert = newcert.call

}

assert_nothing_raised {

cert.mkselfsigned

}

assert_raise(Puppet::Error) {

cert.mkselfsigned

}

assert_nothing_raised {

cert.write

}

assert(FileTest.exists?(cert.certfile))

assert_nothing_raised {

cert.delete

}

assert_nothing_raised {

cert = newcert.call

}

assert_nothing_raised {

cert.mkselfsigned

}

assert_nothing_raised {

cert.delete

}

end

def disabled_testCreateEncryptedSelfSignedCertificate

cert = nil

name = "testing"

keyfile = mkPassFile

assert_nothing_raised {

cert = Puppet::SSLCertificates::Certificate.new(

:name => name,

:selfsign => true,

:capass => keyfile

)

}

assert_nothing_raised {

cert.mkselfsigned

}

assert_nothing_raised {

cert.mkhash

}

assert_raise(Puppet::Error) {

cert.mkselfsigned

}

assert(FileTest.exists?(cert.certfile))

assert(FileTest.exists?(cert.hash))

assert_nothing_raised {

cert.delete

}

100

assert_nothing_raised {

101

cert.mkselfsigned

102

}

103

104

assert_nothing_raised {

105

cert.delete

106

}

107

108

end

109

110

def testCreateCA

111

ca = nil

112

assert_nothing_raised {

113

ca = Puppet::SSLCertificates::CA.new

114

}

115

116

# make the CA again and verify it doesn't fail because everything

117

# still exists

118

assert_nothing_raised {

119

ca = Puppet::SSLCertificates::CA.new

120

}

121

122

end

123

124

def testSignCert

125

ca = mkCA()

126

127

cert = nil

128

assert_nothing_raised {

129

130

cert = Puppet::SSLCertificates::Certificate.new(

131

132

:name => "signedcertest",

133

:property => "TN",

134

:city => "Nashville",

135

:country => "US",

136

:email => "luke@madstop.com",

137

:org => "Puppet",

138

:ou => "Development",

139

140

:encrypt => mkPassFile()

141

)

142

143

}

144

145

assert_nothing_raised {

146

cert.mkcsr

147

}

148

149

signedcert = nil

150

cacert = nil

151

152

assert_nothing_raised {

153

signedcert, cacert = ca.sign(cert.csr)

154

}

155

156

assert_instance_of(OpenSSL::X509::Certificate, signedcert)

157

assert_instance_of(OpenSSL::X509::Certificate, cacert)

158

159

assert_nothing_raised {

160

cert.cert = signedcert

161

cert.cacert = cacert

162

cert.write

163

}

164

#system("find #{Puppet[:ssldir]}")

165

#system("cp -R #{Puppet[:ssldir]} /tmp/ssltesting")

166

167

output = nil

168

assert_nothing_raised {

169

output = %x{openssl verify -CAfile #{Puppet[:cacert]} -purpose sslserver #{cert.certfile}}

170

#output = %x{openssl verify -CApath #{Puppet[:certdir]} -purpose sslserver #{cert.certfile}}

171

}

172

173

assert_equal($CHILD_STATUS,0)

174

assert_equal(File.join(Puppet[:certdir], "signedcertest.pem: OK\n"), output)

175

end

176

177

178

def test_interactiveca

179

ca = nil

180

181

assert_nothing_raised {

182

ca = Puppet::SSLCertificates::CA.new

183

}

184

185

# basic initialization

186

hostname = "test.hostname.com"

187

cert = mkcert(hostname)

188

189

# create the csr

190

csr = nil

191

assert_nothing_raised {

192

csr = cert.mkcsr

193

}

194

195

assert_nothing_raised {

196

ca.storeclientcsr(csr)

197

}

198

199

# store it

200

pulledcsr = nil

201

assert_nothing_raised {

202

pulledcsr = ca.getclientcsr(hostname)

203

}

204

205

assert_equal(csr.to_pem, pulledcsr.to_pem)

206

207

signedcert = nil

208

assert_nothing_raised {

209

signedcert, cacert = ca.sign(csr)

210

}

211

212

assert_instance_of(OpenSSL::X509::Certificate, signedcert)

213

newsignedcert = nil

214

assert_nothing_raised {

215

newsignedcert, cacert = ca.getclientcert(hostname)

216

}

217

218

assert(newsignedcert)

219

220

assert_equal(signedcert.to_pem, newsignedcert.to_pem)

221

end

222

223

def test_cafailures

224

ca = mkCA()

225

cert = cacert = nil

226

assert_nothing_raised {

227

cert, cacert = ca.getclientcert("nohost")

228

}

229

assert_nil(cert)

230

end

231

232

def test_crl

233

ca = mkCA()

234

h1 = mksignedcert(ca, "host1.example.com")

235

h2 = mksignedcert(ca, "host2.example.com")

236

237

assert(ca.cert.verify(ca.cert.public_key))

238

assert(h1.verify(ca.cert.public_key))

239

assert(h2.verify(ca.cert.public_key))

240

241

crl = ca.crl

242

assert_not_nil(crl)

243

244

store = mkStore(ca)

245

assert( store.verify(ca.cert))

246

assert( store.verify(h1, [ca.cert]))

247

assert( store.verify(h2, [ca.cert]))

248

249

ca.revoke(h1.serial)

250

251

oldcert = File.read(Puppet.settings[:cacert])

252

oldserial = File.read(Puppet.settings[:serial])

253

254

# Recreate the CA from disk

255

ca = mkCA()

256

newcert = File.read(Puppet.settings[:cacert])

257

newserial = File.read(Puppet.settings[:serial])

258

assert_equal(oldcert, newcert, "The certs are not equal after making a new CA.")

259

assert_equal(oldserial, newserial, "The serials are not equal after making a new CA.")

260

store = mkStore(ca)

261

assert( store.verify(ca.cert), "Could not verify CA certs after reloading certs.")

262

assert(!store.verify(h1, [ca.cert]), "Incorrectly verified revoked cert.")

263

assert( store.verify(h2, [ca.cert]), "Could not verify certs with reloaded CA.")

264

265

ca.revoke(h2.serial)

266

assert_equal(1, ca.crl.extensions.size)

267

268

# Recreate the CA from disk

269

ca = mkCA()

270

store = mkStore(ca)

271

assert( store.verify(ca.cert))

272

assert(!store.verify(h1, [ca.cert]), "first revoked cert passed")

273

assert(!store.verify(h2, [ca.cert]), "second revoked cert passed")

274

end

275

276

def test_ttl

277

cert = mksignedcert

278

assert_equal(5 * 365 * 24 * 60 * 60, cert.not_after - cert.not_before)

279

280

Puppet[:ca_ttl] = 7 * 24 * 60 * 60

281

cert = mksignedcert

282

assert_equal(7 * 24 * 60 * 60, cert.not_after - cert.not_before)

283

284

Puppet[:ca_ttl] = "2y"

285

cert = mksignedcert

286

assert_equal(2 * 365 * 24 * 60 * 60, cert.not_after - cert.not_before)

287

288

Puppet[:ca_ttl] = "2y"

289

cert = mksignedcert

290

assert_equal(2 * 365 * 24 * 60 * 60, cert.not_after - cert.not_before)

291

292

Puppet[:ca_ttl] = "1h"

293

cert = mksignedcert

294

assert_equal(60 * 60, cert.not_after - cert.not_before)

295

296

Puppet[:ca_ttl] = "900s"

297

cert = mksignedcert

298

assert_equal(900, cert.not_after - cert.not_before)

299

300

# This needs to be last, to make sure that setting ca_days

301

# overrides setting ca_ttl

302

Puppet[:ca_days] = 3

303

cert = mksignedcert

304

assert_equal(3 * 24 * 60 * 60, cert.not_after - cert.not_before)

305

306

end

307

end

308

Older »