Add puppetlabs/certregen module
[mirror/dsa-puppet.git] / 3rdparty / modules / certregen / spec / integration / puppet / face / certregen_spec.rb
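require 'spec_helper'
require 'puppet/face/certregen'

# Integration spec for the `certregen` Puppet face: CA certificate rotation
# (`ca`, reached here through the `ca` entry point) and expiry reporting
# (`healthcheck`).
describe Puppet::Face[:certregen, :current] do
  before(:each) do
    # Every call to CertificateAuthority.instance returns a newly built CA
    # object instead of a cached one. Presumably this keeps state from leaking
    # between examples -- confirm against spec_helper.
    allow(Puppet::SSL::CertificateAuthority).to receive(:instance) { Puppet::SSL::CertificateAuthority.new }
  end

  # Shared context defined outside this file; the examples below rely on it
  # for a CA whose certificate has serial 01 (see the mismatch example).
  include_context "Initialize CA"

  describe "ca action" do
    # Both sub-actions are replaced by message expectations, so this example
    # checks delegation and argument passing only; nothing is regenerated.
    it "invokes the cacert and crl actions" do
      expect(described_class).to receive(:cacert).with(ca_serial: "01")
      expect(described_class).to receive(:crl)
      described_class.ca(ca_serial: "01")
    end
  end

  # NOTE(review): every example in this group calls `ca`, not `cacert`
  # directly, and nothing is stubbed here, so the real sub-actions run.
  # Confirm that exercising `cacert` only through `ca` is intended.
  describe "cacert action" do
    # Rotation must be confirmed by naming the serial of the CA certificate
    # being replaced; omitting it aborts the action.
    it "raises an error when the ca_serial option is not provided" do
      expect {
        described_class.ca
      }.to raise_error(RuntimeError, /The serial number of the CA certificate to rotate must be provided/)
    end

    # A serial that is not the current CA certificate's serial must also abort,
    # so a stale or mistyped value cannot rotate the wrong certificate.
    it "raises an error when the ca_serial option does not match the current CA serial" do
      expect {
        described_class.ca(ca_serial: "02")
      }.to raise_error(RuntimeError, /The serial number of the current CA certificate \(01\) does not match the serial number/)
    end

    # NOTE(review): only the change of serial is asserted; the backup named in
    # the description is not checked by this example.
    it "backs up the old CA cert and regenerates a new CA cert" do
      old_cacert_serial = Puppet::SSL::CertificateAuthority.new.host.certificate.content.serial
      described_class.ca(ca_serial: "01")
      new_cacert_serial = Puppet::SSL::CertificateAuthority.new.host.certificate.content.serial
      expect(old_cacert_serial).not_to eq(new_cacert_serial)
    end

    # The first element returned by the action must describe the same
    # certificate that a freshly loaded CA now reports (serial and expiry).
    it "returns the new CA certificate" do
      returned_cacert = described_class.ca(ca_serial: "01").first
      new_cacert = Puppet::SSL::CertificateAuthority.new.host.certificate.content
      expect(returned_cacert.content.serial).to eq new_cacert.serial
      expect(returned_cacert.content.not_after).to eq new_cacert.not_after
    end
  end

  describe 'healthcheck action' do
    # Validity window used for the test certificates: issued about four years
    # ago, expiring in 30 days. The threshold healthcheck applies is not
    # visible in this file.
    let(:not_before) { Time.now - (60 * 60 * 24 * 365 * 4) }
    let(:not_after) { Time.now + (60 * 60 * 24 * 30) }

    it 'warns about expiring CA certificates' do
      ca = Puppet::SSL::CertificateAuthority.new
      # backdate_certificate is a helper defined outside this file; it is
      # given the CA certificate and the validity window above.
      cert = backdate_certificate(ca, ca.host.certificate, not_before, not_after)
      Puppet::SSL::Certificate.indirection.save(cert)

      # Stub the module's CA setup so healthcheck works on a freshly built CA.
      allow(PuppetX::Certregen::CA).to receive(:setup).and_return Puppet::SSL::CertificateAuthority.new
      healthchecked = described_class.healthcheck
      expect(healthchecked.size).to eq(1)
      # Compare by digest so the reported entry is this exact certificate.
      expect(healthchecked.first.digest.to_s).to eq(cert.digest.to_s)
    end

    it 'warns about expiring client certificates' do
      # make_certificate is a helper defined outside this file.
      cert = make_certificate("expiring", not_before, not_after)
      Puppet::SSL::Certificate.indirection.save(cert)

      healthchecked = described_class.healthcheck
      expect(healthchecked.size).to eq(1)
      expect(healthchecked.first.digest.to_s).to eq(cert.digest.to_s)
    end

    it 'orders certificates from shortest expiry to longest expiry' do
      # "last" expires one second after "first", so it must be reported second.
      Puppet::SSL::Certificate.indirection.save(make_certificate("first", not_before, not_after))
      Puppet::SSL::Certificate.indirection.save(make_certificate("last", not_before + 1, not_after + 1))

      expect(described_class.healthcheck.map(&:name)).to eq %w[first last]
    end
  end
end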