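require "helper"
require "inspec/resource"
require "inspec/resources/x509_certificate"

# Unit tests for the x509_certificate resource, run against the fixture
# certificate test_certificate.rsa.crt.pem.
#
# The same certificate is loaded three ways (positional path, `content:` and
# `filepath:`) so the parsing assertions can be compared across entry points.
# Properties are read through `send` with fixed literal names only; no
# externally supplied method name ever reaches `send` in this file.
describe "Inspec::Resources::X509Certificate" do
  # Certificate addressed by its fixture file name (positional argument).
  let(:resource_cert) do
    load_resource(
      "x509_certificate",
      "test_certificate.rsa.crt.pem"
    )
  end

  # Certificate supplied as PEM text read directly from the fixtures directory.
  let(:resource_cert_with_content) do
    load_resource(
      "x509_certificate",
      content: File.read("test/fixtures/files/test_certificate.rsa.crt.pem")
    )
  end

  # Certificate addressed through the explicit `filepath:` keyword.
  let(:resource_cert_with_filepath) do
    load_resource(
      "x509_certificate",
      filepath: "test_certificate.rsa.crt.pem"
    )
  end

  # TODO: Regenerate certificate using `InSpec` not `Inspec`
  it "verify subject distinguished name" do
    _(resource_cert.send("subject_dn")).must_match "Inspec Test Certificate"
  end

  # TODO: Regenerate certificate using `InSpec` not `Inspec`
  it "parses the certificate subject" do
    # All three loading styles must yield the same parsed subject fields.
    _(resource_cert.send("subject").CN).must_equal "Inspec Test Certificate"
    _(resource_cert.send("subject").emailAddress).must_equal "support@chef.io"

    _(resource_cert_with_content.send("subject").CN).must_equal "Inspec Test Certificate"
    _(resource_cert_with_content.send("subject").emailAddress).must_equal "support@chef.io"
    _(resource_cert_with_filepath.send("subject").CN).must_equal "Inspec Test Certificate"
    _(resource_cert_with_filepath.send("subject").emailAddress).must_equal "support@chef.io"
  end

  # TODO: Regenerate certificate using `InSpec` not `Inspec`
  it "verify issue distinguished name" do
    _(resource_cert.send("issuer_dn")).must_match "Inspec Test CA"
  end

  # TODO: Regenerate certificate using `InSpec` not `Inspec`
  it "parses the issuer" do
    _(resource_cert.send("issuer").CN).must_equal "Inspec Test CA"
  end

  it "parses the public key" do
    # Only the public half of the key pair is pinned here; no private key
    # material appears in this assertion.
    _(resource_cert.send("public_key").to_s).must_match "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxi1Tp4dPQ+GU+RipsguU\nWT50a6fsBCpe+QT0YdW/7GG6kynRzR+fzQ0q1LDxpgqAH+eDIWEAFYoTPc8haAjZ\nvAYn7JlXUQpeoK7fc2BPgYA0lr33Ee0H9nqeZlnytQ+/EVUqqDx61cgeW3ARAK1I\nODwhuziuTi7XNu+HTx3feH4ohq/FppB26PYfJo1jCmt7YxHxl6AGrYrEX5zubQR0\nAtPAJzg0/aqDH5GJHJETjloIxh/KLnGlbG3DJylFU+vPxvns1TKM0dezg8UefXer\nRtxDAwSix7sNctXwa0xToc6O+e/StNPR0eLvILS8iR89fuML57Z4AGFWMNdqTYoj\nqwIDAQAB\n-----END PUBLIC KEY-----\n"
  end

  it "can determine fingerprint" do
    # The expected value is 40 hex characters, i.e. a 160-bit digest, which is
    # the length of a SHA-1 hash.
    # NOTE(review): confirm the digest algorithm against the resource; a SHA-1
    # fingerprint identifies a certificate but is not collision resistant.
    _(resource_cert.send("fingerprint")).must_equal "62bb500b0190ae47fd593c29a0b92ddbeb6c1eb6"
  end

  it "can determine the key length" do
    _(resource_cert.send("key_length")).must_equal 2048
  end

  it "parses the serial number" do
    _(resource_cert.send("serial")).must_equal 37
  end

  it "parses the signature algorithm" do
    _(resource_cert.send("signature_algorithm")).must_equal "sha256WithRSAEncryption"
  end

  it "parses the x.509 certificate version" do
    # The X.509 version field is zero-based, so 2 denotes a v3 certificate.
    _(resource_cert.send("version")).must_equal 2
  end

  it "includes the standard extensions even if they are not in the certificate" do
    # NOTE(review): 16 presumably reflects the resource's list of standard
    # extension names; this count needs updating if that list changes.
    _(resource_cert.send("extensions").length).must_equal 16
    _(resource_cert.send("extensions")).must_include "keyUsage"
    _(resource_cert.send("extensions")).must_include "extendedKeyUsage"
    _(resource_cert.send("extensions")).must_include "subjectAltName"
  end

  it "parses the x.509 certificate extensions" do
    _(resource_cert.send("extensions")["keyUsage"]).must_include "Digital Signature"
    _(resource_cert.send("extensions")["keyUsage"]).must_include "Non Repudiation"
    _(resource_cert.send("extensions")["keyUsage"]).must_include "Data Encipherment"
    _(resource_cert.send("extensions")["extendedKeyUsage"]).must_include "TLS Web Server Authentication"
    _(resource_cert.send("extensions")["extendedKeyUsage"]).must_include "Code Signing"
    _(resource_cert.send("extensions")["subjectAltName"]).must_include "email:support@chef.io"
  end

  it "parses missing x.509 certificate extensions" do
    # NOTE(review): this only proves a sentinel string is absent, so it passes
    # for any value that lacks it. Asserting that the entry is empty would pin
    # the "extension not present" case more tightly; confirm the return type
    # of a missing extension before tightening.
    _(resource_cert.send("extensions")["nameConstraints"]).wont_include "Fried Chicken"
  end

  it "calculates the remaining days of validity" do
    # Time.now is stubbed so the result does not depend on when the suite runs.

    # Still valid
    Time.stub :now, Time.new(2018, 2, 1, 1, 28, 57, "+00:00") do
      _(resource_cert.send("validity_in_days")).must_equal 28
    end

    # Expired: the count is negative once the certificate is past its expiry.
    Time.stub :now, Time.new(2018, 4, 1, 1, 28, 57, "+00:00") do
      _(resource_cert.send("validity_in_days")).must_equal(-31)
    end
  end

  it "checks enhanced matchers & properties: email, keylength, subject_alt_names and has_purpose" do
    resource = MockLoader.new(:ubuntu).load_resource("x509_certificate", "test_certificate.rsa.crt.pem")
    _(resource.email).must_equal "support@chef.io"
    _(resource.keylength).must_equal 2048
    _(resource.subject_alt_names).must_include "email:support@chef.io"

    # The purpose strings appear to mirror the "<purpose> : Yes" lines printed
    # by `openssl x509 -purpose` -- confirm against the resource.
    _(resource.has_purpose?("SSL server CA : Yes")).must_equal true
    _(resource.has_purpose?("SSL client CA : Yes")).must_equal true
  end

  it "checks for resource_id for current resource" do
    # When loaded from a path the id is the file name; when loaded from raw
    # content the expected id equals the subject CN asserted in the subject test.
    _(resource_cert.resource_id).must_equal "test_certificate.rsa.crt.pem"
    _(resource_cert_with_content.resource_id).must_equal "Inspec Test Certificate"
    _(resource_cert_with_filepath.resource_id).must_equal "test_certificate.rsa.crt.pem"
  end
end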