5
5
require 'puppet/ssl/host'
7
7
describe Puppet::Face[:certificate, '0.0.1'] do
8
include PuppetSpec::Files
10
let(:ca) { Puppet::SSL::CertificateAuthority.instance }
13
Puppet[:confdir] = tmpdir('conf')
14
Puppet::SSL::CertificateAuthority.stubs(:ca?).returns true
16
Puppet::SSL::Host.ca_location = :local
18
# We can't cache the CA between tests, because each one has its own SSL dir.
19
ca = Puppet::SSL::CertificateAuthority.new
20
Puppet::SSL::CertificateAuthority.stubs(:new).returns ca
21
Puppet::SSL::CertificateAuthority.stubs(:instance).returns ca
8
24
it "should have a ca-location option" do
9
25
subject.should be_option :ca_location
12
28
it "should set the ca location when invoked" do
13
Puppet::SSL::Host.expects(:ca_location=).with(:foo)
14
Puppet::SSL::Host.indirection.expects(:save)
15
subject.sign "hello, friend", :ca_location => :foo
29
Puppet::SSL::Host.expects(:ca_location=).with(:local)
30
ca.expects(:sign).with do |name,options|
31
name == "hello, friend"
34
subject.sign "hello, friend", :ca_location => :local
18
37
it "(#7059) should set the ca location when an inherited action is invoked" do
20
39
subject.indirection.expects(:find)
21
40
subject.find "hello, friend", :ca_location => :foo
43
describe "#generate" do
44
let(:options) { {:ca_location => 'local'} }
45
let(:host) { Puppet::SSL::Host.new(hostname) }
46
let(:csr) { host.certificate_request }
48
describe "for the current host" do
49
let(:hostname) { Puppet[:certname] }
51
it "should generate a CSR for this host" do
52
subject.generate(hostname, options)
54
csr.content.subject.to_s.should == "/CN=#{Puppet[:certname]}"
55
csr.name.should == Puppet[:certname]
58
it "should add dns_alt_names from the global config if not otherwise specified" do
59
Puppet[:dns_alt_names] = 'from,the,config'
61
subject.generate(hostname, options)
63
expected = %W[DNS:from DNS:the DNS:config DNS:#{hostname}]
65
csr.subject_alt_names.should =~ expected
68
it "should add the provided dns_alt_names if they are specified" do
69
Puppet[:dns_alt_names] = 'from,the,config'
71
subject.generate(hostname, options.merge(:dns_alt_names => 'explicit,alt,names'))
73
expected = %W[DNS:explicit DNS:alt DNS:names DNS:#{hostname}]
75
csr.subject_alt_names.should =~ expected
79
describe "for another host" do
80
let(:hostname) { Puppet[:certname] + 'different' }
82
it "should generate a CSR for the specified host" do
83
subject.generate(hostname, options)
85
csr.content.subject.to_s.should == "/CN=#{hostname}"
86
csr.name.should == hostname
89
it "should fail if a CSR already exists for the host" do
90
subject.generate(hostname, options)
93
subject.generate(hostname, options)
94
end.to raise_error(RuntimeError, /#{hostname} already has a requested certificate; ignoring certificate request/)
97
it "should add not dns_alt_names from the config file" do
98
Puppet[:dns_alt_names] = 'from,the,config'
100
subject.generate(hostname, options)
102
csr.subject_alt_names.should be_empty
105
it "should add the provided dns_alt_names if they are specified" do
106
Puppet[:dns_alt_names] = 'from,the,config'
108
subject.generate(hostname, options.merge(:dns_alt_names => 'explicit,alt,names'))
110
expected = %W[DNS:explicit DNS:alt DNS:names DNS:#{hostname}]
112
csr.subject_alt_names.should =~ expected
118
let(:options) { {:ca_location => 'local'} }
119
let(:host) { Puppet::SSL::Host.new(hostname) }
120
let(:hostname) { "foobar" }
122
it "should sign the certificate request if one is waiting" do
123
subject.generate(hostname, options)
125
subject.sign(hostname, options)
127
host.certificate_request.should be_nil
128
host.certificate.should be_a(Puppet::SSL::Certificate)
129
host.state.should == 'signed'
132
it "should fail if there is no waiting certificate request" do
134
subject.sign(hostname, options)
135
end.to raise_error(ArgumentError, /Could not find certificate request for #{hostname}/)
138
describe "when ca_location is local" do
139
describe "when the request has dns alt names" do
141
subject.generate(hostname, options.merge(:dns_alt_names => 'some,alt,names'))
144
it "should refuse to sign the request if allow_dns_alt_names is not set" do
146
subject.sign(hostname, options)
147
end.to raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError,
148
/CSR '#{hostname}' contains subject alternative names \(.*?\), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{hostname}` to sign this request./i)
150
host.state.should == 'requested'
153
it "should sign the request if allow_dns_alt_names is set" do
155
subject.sign(hostname, options.merge(:allow_dns_alt_names => true))
156
end.not_to raise_error
158
host.state.should == 'signed'
162
describe "when the request has no dns alt names" do
164
subject.generate(hostname, options)
167
it "should sign the request if allow_dns_alt_names is set" do
168
expect { subject.sign(hostname, options.merge(:allow_dns_alt_names => true)) }.not_to raise_error
170
host.state.should == 'signed'
173
it "should sign the request if allow_dns_alt_names is not set" do
174
expect { subject.sign(hostname, options) }.not_to raise_error
176
host.state.should == 'signed'
181
describe "when ca_location is remote" do
182
let(:options) { {:ca_location => :remote} }
183
it "should fail if allow-dns-alt-names is specified" do
185
subject.sign(hostname, options.merge(:allow_dns_alt_names => true))