246
246
# Stub out the factory
247
247
Puppet::SSL::CertificateFactory.stubs(:build).returns "my real cert"
249
@request_content = stub "request content stub", :subject => @name
249
@request_content = stub "request content stub", :subject => OpenSSL::X509::Name.new([['CN', @name]])
250
250
@request = stub 'request', :name => @name, :request_extensions => [], :subject_alt_names => [], :content => @request_content
252
252
# And the inventory
304
304
it "should use a certificate type of :ca" do
305
305
Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
306
args[0].should == :ca
307
307
end.returns "my real cert"
308
308
@ca.sign(@name, :ca, @request)
311
311
it "should pass the provided CSR as the CSR" do
312
312
Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
313
args[1].should == @request
314
314
end.returns "my real cert"
315
315
@ca.sign(@name, :ca, @request)
318
318
it "should use the provided CSR's content as the issuer" do
319
319
Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
320
args[2].subject == "myhost"
320
args[2].subject.to_s.should == "/CN=myhost"
321
321
end.returns "my real cert"
322
322
@ca.sign(@name, :ca, @request)
325
325
it "should pass the next serial as the serial number" do
326
326
Puppet::SSL::CertificateFactory.expects(:build).with do |*args|
327
args[3].should == @serial
328
328
end.returns "my real cert"
329
329
@ca.sign(@name, :ca, @request)
452
452
@cert.stubs :save
455
it "should reject CSRs whose CN doesn't match the name for which we're signing them" do
456
# Shorten this so the test doesn't take too long
457
Puppet[:keylength] = 1024
458
key = Puppet::SSL::Key.new('the_certname')
461
csr = Puppet::SSL::CertificateRequest.new('the_certname')
465
@ca.check_internal_signing_policies('not_the_certname', csr, false)
467
Puppet::SSL::CertificateAuthority::CertificateSigningError,
468
/common name "the_certname" does not match expected certname "not_the_certname"/
472
describe "when validating the CN" do
474
Puppet[:keylength] = 1024
475
@signing_key = Puppet::SSL::Key.new('my_signing_key')
476
@signing_key.generate
482
'so+many(things)-are=allowed.',
483
'this"is#just&madness%you[see]',
484
'and even a (an?) \\!',
485
'waltz, nymph, for quick jigs vex bud.',
486
'{552c04ca-bb1b-11e1-874b-60334b04494e}'
488
it "should accept #{name.inspect}" do
489
csr = Puppet::SSL::CertificateRequest.new(name)
490
csr.generate(@signing_key)
492
@ca.check_internal_signing_policies(name, csr, false)
498
"not\neven\tkind\rof",
500
"hidden\b\b\b\b\b\bmessage",
503
it "should reject #{name.inspect}" do
504
# We aren't even allowed to make objects with these names, so let's
505
# stub that to simulate an invalid one coming from outside Puppet
506
Puppet::SSL::CertificateRequest.stubs(:validate_certname)
507
csr = Puppet::SSL::CertificateRequest.new(name)
508
csr.generate(@signing_key)
511
@ca.check_internal_signing_policies(name, csr, false)
513
Puppet::SSL::CertificateAuthority::CertificateSigningError,
514
/subject contains unprintable or non-ASCII characters/
455
520
it "should reject a critical extension that isn't on the whitelist" do
456
521
@request.stubs(:request_extensions).returns [{ "oid" => "banana",
457
522
"value" => "yumm",
458
523
"critical" => true }]
459
expect { @ca.sign(@name) }.to raise_error(
524
expect { @ca.check_internal_signing_policies(@name, @request, false) }.to raise_error(
460
525
Puppet::SSL::CertificateAuthority::CertificateSigningError,
461
526
/request extensions that are not permitted/
466
531
@request.stubs(:request_extensions).returns [{ "oid" => "peach",
467
532
"value" => "meh",
468
533
"critical" => false }]
469
expect { @ca.sign(@name) }.to raise_error(
534
expect { @ca.check_internal_signing_policies(@name, @request, false) }.to raise_error(
470
535
Puppet::SSL::CertificateAuthority::CertificateSigningError,
471
536
/request extensions that are not permitted/
479
544
{ "oid" => "subjectAltName",
480
545
"value" => "DNS:foo",
481
546
"critical" => true }]
482
expect { @ca.sign(@name) }.to raise_error(
547
expect { @ca.check_internal_signing_policies(@name, @request, false) }.to raise_error(
483
548
Puppet::SSL::CertificateAuthority::CertificateSigningError,
484
549
/request extensions that are not permitted/
488
553
it "should reject a subjectAltName for a non-DNS value" do
489
554
@request.stubs(:subject_alt_names).returns ['DNS:foo', 'email:bar@example.com']
490
expect { @ca.sign(@name, true) }.to raise_error(
555
expect { @ca.check_internal_signing_policies(@name, @request, true) }.to raise_error(
491
556
Puppet::SSL::CertificateAuthority::CertificateSigningError,
492
557
/subjectAltName outside the DNS label space/
497
562
@request.content.stubs(:subject).
498
563
returns(OpenSSL::X509::Name.new([["CN", "*.local"]]))
500
expect { @ca.sign(@name) }.to raise_error(
565
expect { @ca.check_internal_signing_policies('*.local', @request, false) }.to raise_error(
501
566
Puppet::SSL::CertificateAuthority::CertificateSigningError,
502
567
/subject contains a wildcard/
506
571
it "should reject a wildcard subjectAltName" do
507
572
@request.stubs(:subject_alt_names).returns ['DNS:foo', 'DNS:*.bar']
508
expect { @ca.sign(@name, true) }.to raise_error(
573
expect { @ca.check_internal_signing_policies(@name, @request, true) }.to raise_error(
509
574
Puppet::SSL::CertificateAuthority::CertificateSigningError,
510
575
/subjectAltName contains a wildcard/