spec/unit/puppet/parser/functions/get_certficiate_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158

#!/usr/bin/env rspec

require 'spec_helper'
require 'net/http'
require 'thread'
require 'fileutils'

describe "the get_certificate function" do
  include PuppetSpec::Files

  before :all do
    @sslcert = File.read("spec/master_config/ssl/ca/signed/bob@mydomain.com.pem")

    Puppet::Parser::Functions.autoloader.loadall
  end

  before :each do
    @scope = Puppet::Parser::Scope.new
  end

  it "should exist" do
    Puppet::Parser::Functions.function("get_certificate").should == "function_get_certificate"
  end

  it "should raise a ParseError if there is less than 1 argument" do
    lambda { @scope.function_get_certificate([]) }.should(raise_error(Puppet::ParseError))
  end

  it "should raise a ParseError if the argument is empty" do
    lambda { @scope.function_get_certificate([""]) }.should(raise_error(Puppet::ParseError))
  end

  it "should raise a ParseError if the argument contains strange characters" do
    lambda { @scope.function_get_certificate(["%^&"]) }.should(raise_error(Puppet::ParseError))
  end

  it "should return a valid certificate if CA is local" do
    Puppet[:ca] = true
    Puppet[:signeddir] = "spec/master_config/ssl/ca/signed/"
    result = @scope.function_get_certificate(["bob@mydomain.com"])
    result.should(eq(@sslcert))
  end

  it "should throw an error if CN is missing and CA is local" do
    Puppet[:ca] = true
    Puppet[:signeddir] = "spec/master_config/ssl/ca/signed/"
    result = @scope.function_get_certificate(["missing@mydomain.com"])
    result.should(eq(:undef))
  end

  it "should return a valid certificate if CA is remote" do
    Puppet[:ca] = false
    Puppet[:ssldir] = "spec/master_config/ssl"
    Puppet[:certname] = "puppetmaster"

    # Mock return
    require 'ostruct'
    http = OpenStruct.new
    http.body = @sslcert
    http.code = "200"
   
    # Intercept http start call
    Net::HTTP.any_instance.expects(:start).returns(http)

    result = @scope.function_get_certificate(["bob@mydomain.com"])
    result.should(eq(@sslcert))
  end

  it "should throw an error if CN doesn't exist and CA is remote (stubbed)" do
    Puppet[:ca] = false
    Puppet[:ssldir] = "spec/master_config/ssl"
    Puppet[:certname] = "puppetmaster"

    # Mock return
    require 'ostruct'
    http = OpenStruct.new
    http.code = "404"
   
    # Intercept http start call
    Net::HTTP.any_instance.expects(:start).returns(http)

    result = @scope.function_get_certificate(["missing@mydomain.com"])
    result.should(eq(:undef))
  end

  describe "real puppetmaster" do
    before :all do
      # Prepare fixture for puppetmaster
      @master_tmp = tmpdir("get_certificate") + "/master_config"
      FileUtils.cp_r("spec/master_config",@master_tmp)

      # Fork and start a puppetmaster
      master_config = [
        "--config=/dev/null",
        "--logdest=#{@master_tmp}/var/log/logfile",
        "--confdir=#{@master_tmp}",
        "--no-daemonize",
        "--masterport=9354",
        "--bindaddress=127.0.0.1",
        "--vardir=#{@master_tmp}/var",
        "--ssldir=#{@master_tmp}/ssl",
        "--certname=puppetmaster",
        "--user=#{ENV["USER"]}",
#        "--debug",
      ]
      @master = Process.fork do
        cmd = Puppet::Util::CommandLine.new("master", master_config)
        Puppet::Plugins.on_application_intialization(:application_object => cmd)
        app = Puppet::Application.find("master").new(cmd)
        app.run
      end

      # Wait 1 second for puppetmatser setup
      # TODO: must be a better wait to check if master
      # is listening first before proceeding.
      sleep 1

      Puppet::Parser::Functions.autoloader.loadall
    end

    before :each do
      # Standard puppet setup for each test
      Puppet[:ca] = false
      Puppet[:ssldir] = "#{@master_tmp}/ssl"
      Puppet[:certname] = "puppetmaster"
      Puppet[:ca_port] = "9354"
      Puppet[:ca_server] = "127.0.0.1"
    end

    after :all do
      # Kill and reap puppetmaster
      Process.kill("TERM", @master)
      Process.wait(@master)
    end

    it "should return a valid certificate if CA is remote" do
      result = @scope.function_get_certificate(["bob@mydomain.com"])
      result.should(eq(@sslcert))
    end
  
    it "should throw an error if CN doesn't exist and CA is remote" do
      result = @scope.function_get_certificate(["missing@mydomain.com"])
      result.should(eq(:undef))
    end

    it "should throw a connection refused message if CA is not running on port" do
      Puppet[:ca_port] = "65111"
      lambda { @scope.function_get_certificate(["missing@mydomain.com"]) }.should(raise_error(Puppet::Error))
    end

    it "should raise an exception if connection to CA times out" do
      Puppet[:ca_server] = "10.254.254.254"
      lambda { @scope.function_get_certificate(["missing@mydomain.com", { :conn_timeout => 1}]) }.should(raise_error(Puppet::Error))
    end

  end

end