require File.expand_path(File.dirname(__FILE__) + '/../../lib/puppettest')
require 'puppet/network/handler/ca'
# Global run-mode flag: true only when the first command-line argument is
# literally "short"; false for an empty ARGV or any other first argument.
# Its consumers are not in this excerpt — presumably it trims the test run.
$short = (ARGV.first == "short")
class TestCA < Test::Unit::TestCase
include PuppetTest::ServerTest
# Test-only stub: SUIDManager.asuser is replaced so that it simply yields to
# its block, i.e. the CA code under test runs as the current process user
# (presumably asuser would otherwise switch uid — confirm against
# Puppet::Util::SUIDManager). Keep this confined to the test suite.
Puppet::Util::SUIDManager.stubs(:asuser).yields
# Verify that we're autosigning. We have to autosign a "different" machine,
# since we always autosign the CA server's certificate.
def test_autocertgeneration
assert_nothing_raised {
ca = Puppet::Network::Handler.ca.new(:autosign => true)
# create a cert with a fake name
hostname = "test.domain.com"
assert_nothing_raised {
cert = Puppet::SSLCertificates::Certificate.new(
:name => "test.domain.com"
assert_nothing_raised {
assert_nothing_raised {
certtext, cacerttext = ca.getcert(cert.csr.to_s)
# they should both be strings
assert_instance_of(String, certtext)
assert_instance_of(String, cacerttext)
# and they should both be valid certs
assert_nothing_raised {
OpenSSL::X509::Certificate.new(certtext)
assert_nothing_raised {
OpenSSL::X509::Certificate.new(cacerttext)
# and pull it again, just to make sure we're getting the same thing
assert_nothing_raised {
newtext, cacerttext = ca.getcert(
cert.csr.to_s, "test.reductivelabs.com", "127.0.0.1"
assert_equal(certtext,newtext)
# this time don't use autosign
assert_nothing_raised {
caserv = Puppet::Network::Handler.ca.new(:autosign => false)
# retrieve the actual ca object
assert_nothing_raised {
# make our test cert again
hostname = "test.domain.com"
assert_nothing_raised {
cert = Puppet::SSLCertificates::Certificate.new(
:name => "anothertest.domain.com"
assert_nothing_raised {
assert_nothing_raised {
certtext, cacerttext = caserv.getcert(
cert.csr.to_s, "test.reductivelabs.com", "127.0.0.1"
# verify we got nothing back, since autosign is off
assert_equal("", certtext)
# now sign it manually, with the CA object
assert_nothing_raised {
x509, cacert = ca.sign(cert.csr)
assert_nothing_raised {
assert(File.exists?(cert.certfile))
# now get them again, and verify that we actually get them
assert_nothing_raised {
newtext, cacerttext = caserv.getcert(cert.csr.to_s)
assert_nothing_raised {
OpenSSL::X509::Certificate.new(newtext)
# Now verify that we can clean a given host's certs
assert_nothing_raised {
ca.clean("anothertest.domain.com")
assert(!File.exists?(cert.certfile), "Cert still exists after clean")
# and now test the autosign file
autosign = File.join(tmpdir, "autosigntesting")
@@tmpfiles << autosign
File.open(autosign, "w") { |f|
f.puts "hostmatch.domain.com"
assert_nothing_raised {
caserv = Puppet::Network::Handler.ca.new(:autosign => autosign)
# make sure we know what's going on
assert(caserv.autosign?("hostmatch.domain.com"))
assert(caserv.autosign?("fakehost.other.com"))
assert(!caserv.autosign?("kirby.reductivelabs.com"))
assert(!caserv.autosign?("culain.domain.com"))
# verify that things aren't autosigned by default
def test_nodefaultautosign
assert_nothing_raised {
caserv = Puppet::Network::Handler.ca.new
# make sure we know what's going on
assert(!caserv.autosign?("hostmatch.domain.com"))
assert(!caserv.autosign?("fakehost.other.com"))
assert(!caserv.autosign?("kirby.reductivelabs.com"))
assert(!caserv.autosign?("culain.domain.com"))
# We want the CA to autosign its own certificate, because otherwise
# the puppetmasterd CA does not autostart.
Puppet.stubs(:master?).returns true
assert_nothing_raised {
server = Puppet::Network::HTTPServer::WEBrick.new(
:CA => {}, # so that certs autogenerate
# Make sure true/false causes the file to be ignored.
def test_autosign_true_beats_file
assert_nothing_raised {
caserv = Puppet::Network::Handler.ca.new
host = "hostname.domain.com"
# Create an autosign file
Puppet[:autosign] = file
File.open(file, "w") { |f|
Puppet[:autosign] = false
assert(! caserv.autosign?(host), "Host was incorrectly autosigned")
# Then set it to true
Puppet[:autosign] = true
assert(caserv.autosign?(host), "Host was not autosigned")
# And try a different host
assert(caserv.autosign?("other.yay.com"), "Host was not autosigned")
# And lastly the file
Puppet[:autosign] = file
assert(caserv.autosign?(host), "Host was not autosigned")
# And try a different host
assert(! caserv.autosign?("other.yay.com"), "Host was autosigned")
# Make sure that a CSR created with keys that don't match the existing
# cert throws an exception on the server.
def test_mismatched_public_keys_throws_exception
ca = Puppet::Network::Handler.ca.new
# First initialize the server
client = Puppet::Network::Client.ca.new :CA => ca
File.unlink(Puppet[:hostcsr])
# Now use a different cert name
Puppet[:certname] = "my.host.com"
client = Puppet::Network::Client.ca.new :CA => ca
firstcsr = client.csr
File.unlink(Puppet[:hostcsr]) if FileTest.exists?(Puppet[:hostcsr])
assert_nothing_raised("Could not get cert") do
ca.getcert(firstcsr.to_s)
# Now get rid of the public key, forcing a new csr
File.unlink(Puppet[:hostprivkey])
client = Puppet::Network::Client.ca.new :CA => ca
second_csr = client.csr
assert(firstcsr.to_s != second_csr.to_s, "CSR did not change")
assert_raise(Puppet::Error, "CA allowed mismatched keys") do
ca.getcert(second_csr.to_s)