2 require 'puppet_x/certregen/ca'
4 RSpec.describe PuppetX::Certregen::CA do
6 include_context "Initialize CA"
9 it "errors out when the node is not a CA" do
13 }.to raise_error(RuntimeError, "Unable to set up CA: this node is not a CA server.")
16 it "errors out when the node does not have a signed CA certificate" do
17 FileUtils.rm(Puppet[:cacert])
20 }.to raise_error(RuntimeError, "Unable to set up CA: the CA certificate is not present.")
25 let(:ca) { double('ca') }
27 it 'uses the positional argument form when the Puppet version predates 4.6.0' do
28 stub_const('Puppet::PUPPETVERSION', '4.5.0')
29 expect(ca).to receive(:sign).with('hello', false, true)
30 described_class.sign(ca, 'hello', allow_dns_alt_names: false, self_signing_csr: true)
33 it 'uses the hash argument form when the Puppet version is 4.6.0 or greater' do
34 stub_const('Puppet::PUPPETVERSION', '4.8.0')
35 expect(ca).to receive(:sign).with('hello', allow_dns_alt_names: false, self_signing_csr: false)
36 described_class.sign(ca, 'hello', allow_dns_alt_names: false, self_signing_csr: false)
40 describe '#backup_cacert' do
41 it 'backs up the CA cert based on the current timestamp' do
43 expect(Time).to receive(:now).at_least(:once).and_return now
44 described_class.backup
45 backup = File.join(Puppet[:cadir], "ca_crt.#{Time.now.to_i}.pem")
46 expect(File.read(backup)).to eq(File.read(Puppet[:cacert]))
50 describe '#regenerate_cacert' do
51 it 'generates a certificate with a different serial number' do
52 old_serial = Puppet::SSL::CertificateAuthority.new.host.certificate.content.serial
53 described_class.regenerate(Puppet::SSL::CertificateAuthority.new)
54 new_serial = Puppet::SSL::Certificate.indirection.find("ca").content.serial
55 expect(old_serial).to_not eq new_serial
59 Puppet[:ca_name] = 'bar'
60 described_class.regenerate(Puppet::SSL::CertificateAuthority.new)
63 it 'copies the old subject CN to the new certificate' do
64 new_cacert = Puppet::SSL::Certificate.indirection.find("ca")
65 expect(new_cacert.content.subject.to_a[0][1]).to eq 'Puppet CA: foo'
68 it "matches the issuer field with the old CA and new CA" do
69 new_cacert = Puppet::SSL::Certificate.indirection.find("ca")
70 expect(new_cacert.content.issuer.to_a[0][1]).to eq 'Puppet CA: foo'
73 it "matches the Authority Key Identifier field with the old CA and new CA" do
74 new_cacert = Puppet::SSL::Certificate.indirection.find("ca")
75 aki = new_cacert.content.extensions.find { |ext| ext.oid == 'authorityKeyIdentifier' }
76 expect(aki.value).to match(/Puppet CA: foo/)
79 it 'copies the cacert to the localcacert' do
80 described_class.regenerate(Puppet::SSL::CertificateAuthority.new)
81 cacert = Puppet::SSL::Certificate.from_instance(
82 OpenSSL::X509::Certificate.new(File.read(Puppet[:cacert])))
83 localcacert = Puppet::SSL::Certificate.from_instance(
84 OpenSSL::X509::Certificate.new(File.read(Puppet[:localcacert])))
85 expect(cacert.content.serial).to eq localcacert.content.serial