2 require 'puppet/face/certregen'
4 describe Puppet::Face[:certregen, :current] do
# Stub CertificateAuthority.instance so that each call returns a newly
# constructed CertificateAuthority object.
# NOTE(review): the listing skips the lines on either side of this stub; it
# presumably sits inside a `before` hook -- confirm against the full file.
6 allow(Puppet::SSL::CertificateAuthority).to receive(:instance) { Puppet::SSL::CertificateAuthority.new }
# Pull in the "Initialize CA" shared context. Its definition is not part of
# this listing, so the CA state it prepares cannot be described from here.
9 include_context "Initialize CA"
# Examples for the face's `ca` action.
11 describe "ca action" do
# `ca` is expected to delegate: `cacert` must receive the same ca_serial
# option, and `crl` must be called. Both are message expectations without
# `and_call_original`, so the real cacert/crl actions do not run in this
# example; only the delegation is checked.
12 it "invokes the cacert and crl actions" do
13 expect(described_class).to receive(:cacert).with(ca_serial: "01")
14 expect(described_class).to receive(:crl)
15 described_class.ca(ca_serial: "01")
# Examples for CA certificate regeneration. The examples visible in this
# listing drive it through `described_class.ca` rather than calling `cacert`
# directly.
19 describe "cacert action" do
# Omitting ca_serial must fail with a RuntimeError telling the operator that
# the serial of the CA certificate to rotate is required.
# NOTE(review): the listing omits the lines between the `it` line and the
# closing `}.to`, so the exact call under test is not visible here.
20 it "raises an error when the ca_serial option is not provided" do
23 }.to raise_error(RuntimeError, /The serial number of the CA certificate to rotate must be provided/)
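# Passing a serial ("02") that differs from the current CA certificate's serial
# (01, per the expected message) must raise a RuntimeError instead of rotating.
# Presumably this confirmation step keeps an operator from regenerating a CA
# certificate other than the one they named -- confirm against the action.
# The description previously duplicated the "not provided" example above; it
# now names the mismatch case this example actually exercises.
# NOTE(review): the listing omits the line just above the call, which
# presumably opens the `expect {` block closed below.
26 it "raises an error when the ca_serial option does not match the current CA certificate serial" do
28 described_class.ca(ca_serial: "02")
29 }.to raise_error(RuntimeError, /The serial number of the current CA certificate \(01\) does not match the serial number/)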
# Reads the CA certificate's serial before and after running `ca` with the
# matching serial and asserts that the two serials differ.
# NOTE(review): the description also promises a backup of the old CA cert,
# but nothing visible here asserts that a backup exists or where it is
# written -- consider adding that check.
32 it "backs up the old CA cert and regenerates a new CA cert" do
33 old_cacert_serial = Puppet::SSL::CertificateAuthority.new.host.certificate.content.serial
34 described_class.ca(ca_serial: "01")
35 new_cacert_serial = Puppet::SSL::CertificateAuthority.new.host.certificate.content.serial
36 expect(old_cacert_serial).to_not eq(new_cacert_serial)
# The first element returned by `ca` must describe the certificate that a
# freshly constructed CertificateAuthority now reports: the serial and the
# not_after expiry time are compared.
39 it "returns the new CA certificate" do
40 returned_cacert = described_class.ca(ca_serial: "01").first
41 new_cacert = Puppet::SSL::CertificateAuthority.new.host.certificate.content
42 expect(returned_cacert.content.serial).to eq new_cacert.serial
43 expect(returned_cacert.content.not_after).to eq new_cacert.not_after
# Examples for the `healthcheck` action, which reports certificates that are
# close to expiry.
47 describe 'healthcheck action' do
# Validity window shared by the examples: it starts four 365-day years in the
# past and ends 30 days from now (both values are offsets in seconds).
48 let(:not_before) { Time.now - (60 * 60 * 24 * 365 * 4) }
49 let(:not_after) { Time.now + (60 * 60 * 24 * 30) }
# Saves a CA certificate carrying the short validity window, then expects
# healthcheck to report exactly one certificate whose digest matches it.
# `backdate_certificate` is a helper defined outside this listing; presumably
# it re-issues the CA certificate with the given not_before/not_after --
# confirm against the spec helpers.
50 it 'warns about expiring CA certificates' do
51 ca = Puppet::SSL::CertificateAuthority.new
52 cert = backdate_certificate(ca, ca.host.certificate, not_before, not_after)
53 Puppet::SSL::Certificate.indirection.save(cert)
# Make PuppetX::Certregen::CA.setup hand back a CertificateAuthority built
# after the backdated certificate was saved.
55 allow(PuppetX::Certregen::CA).to receive(:setup).and_return Puppet::SSL::CertificateAuthority.new
56 healthchecked = described_class.healthcheck
57 expect(healthchecked.size).to eq(1)
58 expect(healthchecked.first.digest.to_s).to eq(cert.digest.to_s)
# Saves one client certificate named "expiring" with the short validity
# window and expects it to be the only certificate healthcheck reports,
# matched by digest. `make_certificate` is a helper defined outside this
# listing.
61 it 'warns about expiring client certificates' do
62 cert = make_certificate("expiring", not_before, not_after)
63 Puppet::SSL::Certificate.indirection.save(cert)
65 healthchecked = described_class.healthcheck
66 expect(healthchecked.size).to eq(1)
67 expect(healthchecked.first.digest.to_s).to eq(cert.digest.to_s)
# Saves two certificates whose validity windows differ by one second ("last"
# starts and expires one second later) and expects healthcheck to list the
# one that expires sooner first.
70 it 'orders certificates from shortest expiry to longest expiry' do
71 Puppet::SSL::Certificate.indirection.save(make_certificate("first", not_before, not_after))
72 Puppet::SSL::Certificate.indirection.save(make_certificate("last", not_before + 1, not_after + 1))
74 expect(described_class.healthcheck.map(&:name)).to eq %w[first last]