CFINSPEC-84: Add unit test for x509_private_key

Signed-off-by: Sonu Saha <sonu.saha@progress.com>

test/fixtures/cmd/x509-certificate-modulus

@@ -0,0 +1 @@
+2c4097e9fb7a3df2851f110d6d69de66

test/fixtures/files/x509-encrypted-secret-key

@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,F4D341E5BD7D12654CD4F1E3F9E10AA3
+
+wOispCvsWL+/exVJ1W97DoM9jFDUKadlp7nnmRXQqjYYNkrHdPcZkKnqdkwGlEoK
+j0DPgxYOvP97arIuLwpIjrsujBI7jBZdsir6yxOQIypTS+uZnX2sJ6rgcJpRLTbj
+7effshcVY3Q5v8nIxAADKfO/vJcMQZXMfDkwLCNEFFanI8hR3ZqAIwEPhaQDOLJr
+jPo5emLb7pP30pqbxhIyWcI1B8MrvCWcz9D58TGtwJG2SCVYtTPhYGI8BI38ONHT
+VRslMHzSS1I+XJcQ3Y7qkont4P9GFXQSGMaQfORMSYbT8Jik5URsXG6kMMTXWExm
+QbZT9TyvLWUJ+CrmrZ69T8YLpizOINLGtfVUP4CVBdxNw3E/WOa6uTWg0OCZhxXX
+JA1ifAmOCMDx5rdqsKcWpaUt/ESZh1VUZuxwzHpdr5FBz3eMgaTX9vyiU5LxW5r7
+CYgmwJ9RYh7zzzAto0pL3DFnjnDGQvkzvDCpBjY+ag1PiTf0BJ8yi5mzMWS5vpz6
+4mefKFHjEOYVLRNNbN12rOfmaaSzKBAGECoVQdDSQ91W5eGzX2rlhS8S1BWCGZNr
+f35QlSDwJm0jW2/3EJtiEBazyVMKi56nSZ8zItzHkxzA1Yr+2xz98JsccoZAlSWg
++VRP3HJs46MvpLECpRAbPIJ9DtQhv1sZvrpw6U6EEXvAs0atJlfSdsHp2BJs4F2G
+jhT5XIuUBT/cK1IAnMZzpRgSeQ80ctvU1z+iybKvh/OBxtkTIezx1pz/g/KyU1//
+pX7nMe1Pi2blZofYCM+C4ATJxrBdnjrUiLGoxCJ0De/JweAcXiS35N1qcRf8Ldsz
+-----END RSA PRIVATE KEY-----

test/fixtures/files/x509-secret-key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXwIBAAKBgQDwz32N81R2bcoPbqgaegDEAvqCN9itxllRTT1351jq/50q8nUi
+G7OH2k/bX6vNCDsirfVlCmVjkYaE+DGszWrR5OTGWVPsdfQERT0SISKfSkAUli87
+oq6eDnTJYvSOfDjM3VDVX/r5EaBhYyNljqT7U1liMh0oEN8lBoS4WR7kpQIDAQAB
+AoGBAMz3buCx6oRa8o+sGj1e9uPfvSW1LyLKHyAKZHV4XsC3DSmO8ZA0j9zkPvB0
+QCDmDp93/dUgwie7qAnpzy5MMcwLFKszry7k8Bdaku4p9213y5waUw/qM+NORi7m
+W1fPcnknYI0sZyBkww4KSIHKFx8WCMTWqEVQCiOpevWSyJIBAkEA/DPXQVCP2I6a
+W1UOo9+S93b5yw+dRI24xP69tViM9oSW1tygkk/m5mkHseGF2OMDjTbhJzxoWCDJ
+MNaFilqawQJBAPRvvLX+Q9ddFAbO8YqCLACTwllQFvM+p6bpIWt1TJATD0+ET+md
+nIu0PV7NtZYykL0vsumSqrOGA0NX592d9uUCQQCSHyshYZ7mNsFCF4by9W9+R4W0
+3CgfdwlNwdaCgnqxveJzPMMf4oGCj+nwax0Uq3r8T4amJ/7AyMYosLIQlixBAkEA
+rugRgayqgL2SqfiEr9bLg7I3XE9JzM6linLBPjJWEbYBu6VyxTjJntHfJCpQaGRQ
+W395J1eSnBkl1pddS6BP3QJBALXGPmw0os1meuuEngJSlFhcev93Inqn/5rKJUbP
+F6+pZq8RsW9bSKYwq2Uk6OwTizxCYLp1KxEzsnPUGE4AfeI=
+-----END RSA PRIVATE KEY-----

test/helpers/mock_loader.rb

@@ -184,6 +184,9 @@ class MockLoader
       "myjson.json" => mockfile.call("node.json"),
       "myyaml.yml" => mockfile.call("kitchen.yml"),
       "myinvalid.file" => mockfile.call("default.xml"),
+      # x509_secret_key
+      "/home/openssl_activity/bob_private.pem" => mockfile.call("x509-secret-key"),
+      "/home/openssl_activity/alice_private.pem" => mockfile.call("x509-encrypted-secret-key"),
     }
 
     mock.files = mock_files
@@ -408,6 +411,16 @@ class MockLoader
       "/usr/sbin/auditctl -s | grep pid" => cmd.call("auditctl-s-pid"),
       "/usr/sbin/auditctl -l" => cmd.call("auditctl-l"),
       %{sh -c 'type "/usr/sbin/auditctl"'} => empty.call,
+      # x509_private_key
+      %{sh -c 'type "openssl"'} => empty.call,
+      %{type "openssl"} => empty.call,
+      "openssl rsa -in /home/openssl_activity/bob_private.pem -check -noout" => empty.call,
+      "openssl rsa -in /home/openssl_activity/alice_private.pem -check -noout -passin pass:password@123" => empty.call,
+      "openssl x509 -noout -modulus -in /home/openssl_activity/bob_certificate.crt | openssl md5" => cmd.call("x509-certificate-modulus"),
+      "openssl rsa -noout -modulus -in /home/openssl_activity/bob_private.pem | openssl md5" => cmd.call("x509-certificate-modulus"),
+      "openssl x509 -noout -modulus -in /home/openssl_activity/alice_certificate.crt | openssl md5" => cmd.call("x509-certificate-modulus"),
+      "openssl rsa -noout -modulus -in /home/openssl_activity/alice_private.pem -passin pass:password@123 | openssl md5" => cmd.call("x509-certificate-modulus"),
+
       # apache_conf
       "sh -c 'find /etc/apache2/ports.conf -type f -maxdepth 1'" => cmd.call("find-apache2-ports-conf"),
       "sh -c 'find /etc/httpd/conf.d/*.conf -type f -maxdepth 1'" => cmd.call("find-httpd-ssl-conf"),

test/unit/resources/x509_private_key_test.rb

@@ -0,0 +1,48 @@
+require "inspec/globals"
+require "#{Inspec.src_root}/test/helper"
+require_relative "../../../lib/inspec/resources/x509_private_key"
+
+describe Inspec::Resources::X509PrivateKey do
+  # linux
+  it "checks x509 secret key with no passphrase on linux" do
+    resource = MockLoader.new("ubuntu".to_sym).load_resource("x509_private_key", "/home/openssl_activity/bob_private.pem")
+    _(resource.valid?).must_equal true
+    _(resource.encrypted?).must_be_nil
+    _(resource.has_matching_certificate?("/home/openssl_activity/bob_certificate.crt")).must_equal true
+  end
+
+  # linux - with password
+  it "checks x509 secret key with passphrase on linux" do
+    resource = MockLoader.new("ubuntu".to_sym).load_resource("x509_private_key", "/home/openssl_activity/alice_private.pem", "password@123")
+    _(resource.valid?).must_equal true
+    _(resource.encrypted?).wont_be_nil
+    _(resource.has_matching_certificate?("/home/openssl_activity/alice_certificate.crt")).must_equal true
+  end
+
+  # darwin
+  it "checks x509 secret key with no passphrase on darwin" do
+    resource = MockLoader.new(:macos10_10).load_resource("x509_private_key", "/home/openssl_activity/bob_private.pem")
+    _(resource.valid?).must_equal true
+    _(resource.encrypted?).must_be_nil
+    _(resource.has_matching_certificate?("/home/openssl_activity/bob_certificate.crt")).must_equal true
+  end
+
+  # freebsd
+  it "checks x509 secret key with no passphrase on darwin" do
+    resource = MockLoader.new(:freebsd10).load_resource("x509_private_key", "/home/openssl_activity/bob_private.pem")
+    _(resource.valid?).must_equal true
+    _(resource.encrypted?).must_be_nil
+    _(resource.has_matching_certificate?("/home/openssl_activity/bob_certificate.crt")).must_equal true
+  end
+
+  # linux
+  it "checks unavailable x509 secret key with no passphrase on linux" do
+    secret_key_path = "/home/openssl_activity/ghost_private.pem"
+    resource = MockLoader.new("ubuntu".to_sym).load_resource("x509_private_key", secret_key_path)
+    _(resource.valid?).must_equal false
+    ex = _{ resource.encrypted? }.must_raise(Inspec::Exceptions::ResourceFailed)
+    _(ex.message).must_include "The given secret key #{secret_key_path} does not exist."
+    ex = _{ resource.has_matching_certificate?("/home/openssl_activity/ghost_cert.crt") }.must_raise(Inspec::Exceptions::ResourceFailed)
+    _(ex.message).must_include "Executing openssl x509 -noout -modulus -in /home/openssl_activity/ghost_cert.crt | openssl md5 failed:"
+  end
+end