~lynxman/ubuntu/precise/puppet/puppetlabsfixbug12844


Viewing changes to test/network/client/ca.rb

  • Committer: Bazaar Package Importer
  • Author(s): Marc Deslauriers
  • Date: 2011-10-24 15:05:12 UTC
  • Revision ID: james.westby@ubuntu.com-20111024150512-yxqwfdp6hcs6of5l
Tags: 2.7.1-1ubuntu3.2
* SECURITY UPDATE: puppet master impersonation via incorrect certificates
  - debian/patches/CVE-2011-3872.patch: refactor certificate handling.
  - Thanks to upstream for providing the patch.
  - CVE-2011-3872

1
 
#!/usr/bin/env ruby
2
 
 
3
 
require File.expand_path(File.dirname(__FILE__) + '/../../lib/puppettest')
4
 
 
5
 
require 'mocha'
6
 
require 'puppettest'
7
 
require 'puppet/network/client/ca'
8
 
require 'puppet/sslcertificates/support'
9
 
 
10
 
class TestClientCA < Test::Unit::TestCase
11
 
  include PuppetTest::ServerTest
12
 
 
13
 
  def setup
14
 
    Puppet::Util::SUIDManager.stubs(:asuser).yields
15
 
    super
16
 
    @ca = Puppet::Network::Handler.ca.new
17
 
    @client = Puppet::Network::Client.ca.new :CA => @ca
18
 
  end
19
 
 
20
 
  def test_request_cert
21
 
    assert_nothing_raised("Could not request cert") do
22
 
      @client.request_cert
23
 
    end
24
 
 
25
 
    [:hostprivkey, :hostcert, :localcacert].each do |name|
26
 
      assert(FileTest.exists?(Puppet.settings[name]), "Did not create cert #{name}")
27
 
    end
28
 
  end
29
 
 
30
 
  # Make sure the ca defaults to specific ports and names
31
 
  def test_ca_server
32
 
    Puppet.settings.stubs(:value).returns "eh"
33
 
    Puppet.settings.expects(:value).with(:ca_server).returns("myca")
34
 
    Puppet.settings.expects(:value).with(:ca_port).returns(321)
35
 
    Puppet.settings.stubs(:value).with(:http_proxy_host).returns(nil)
36
 
    Puppet.settings.stubs(:value).with(:http_proxy_port).returns(nil)
37
 
    Puppet.settings.stubs(:value).with(:http_keepalive).returns(false)
38
 
    Puppet.settings.stubs(:value).with(:configtimeout).returns(180)
39
 
 
40
 
    # Just throw an error; the important thing is the values, not what happens next.
41
 
    Net::HTTP.stubs(:new).with("myca", 321, nil, nil).raises(ArgumentError)
42
 
    assert_raise(ArgumentError) { Puppet::Network::Client.ca.new }
43
 
  end
44
 
 
45
 
  # #578
46
 
  def test_invalid_certs_are_not_written
47
 
    # Run the get once, which should be valid
48
 
 
49
 
    assert_nothing_raised("Could not get a certificate") do
50
 
      @client.request_cert
51
 
    end
52
 
 
53
 
    # Now remove the cert and keys, so we get a broken cert
54
 
    File.unlink(Puppet[:hostcert])
55
 
    File.unlink(Puppet[:localcacert])
56
 
    File.unlink(Puppet[:hostprivkey])
57
 
 
58
 
    @client = Puppet::Network::Client.ca.new :CA => @ca
59
 
    @ca.expects(:getcert).returns("yay") # not a valid cert
60
 
    # Now make sure it fails, since we'll get the old cert but have new keys
61
 
    assert_raise(Puppet::Network::Client::CA::InvalidCertificate, "Did not fail on invalid cert") do
62
 
      @client.request_cert
63
 
    end
64
 
 
65
 
    # And then make sure the cert isn't written to disk
66
 
    assert(! FileTest.exists?(Puppet[:hostcert]), "Invalid cert got written to disk")
67
 
  end
68
 
end
69