require 'test_helper' class CertificateTest < ActiveSupport::TestCase setup do @certificate = certificates(:api) @valid_crt = <<~CRT -----BEGIN CERTIFICATE----- MIIDazCCAlOgAwIBAgIUBgtGh4Pw8Luqq/HG4tqG3oIzfHIwDQYJKoZIhvcNAQEL BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDAyMTkxMjAwMDBaFw0yNTAy MTkxMjAwMDBaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQDUVURLKdmhmEht7yz3MeQQtn9kMIaIzZDwggZvUg6J 5PlTabEixVfPzlRJixJBj37hh0Ree6mr19KECtPymy1L9U3oGfF18CJhdzc= -----END CERTIFICATE----- CRT @certificate.update!( csr: "-----BEGIN CERTIFICATE REQUEST-----\nMIICszCCAZsCAQAwbjELMAkGA1UEBhMCRUUxFDASBgNVBAMMC2ZyZXNoYm94LmVl\nMRAwDgYDVQQHDAdUYWxsaW5uMREwDwYDVQQKDAhGcmVzaGJveDERMA8GA1UECAwI\nSGFyanVtYWExETAPBgNVBAsMCEZyZXNoYm94MIIBIjANBgkqhkiG9w0BAQEFAAOC\nAQ8AMIIBCgKCAQEA1VVESynZoZhIbe8s9zHkELZ/ZDCGiM2Q8IIGb1IOieT5U2mx\nIsVXz85USYsSQY9+4YdEXnupq9fShArT8pstS/VN6BnxdfAiYXc3UWWAuaYAdNGJ\nDr5Jf6uMt1wVnCgoDL7eJq9tWMwARC/viT81o92fgqHFHW0wEolfCmnpik9o0ACD\nFiWZ9IBIevmFqXtq25v9CY2cT9+eZW127WtJmOY/PKJhzh0QaEYHqXTHWOLZWpnp\nHH4elyJ2CrFulOZbHPkPNB9Nf4XQjzk1ffoH6e5IVys2VV5xwcTkF0jY5XTROVxX\nlR2FWqic8Q2pIhSks48+J6o1GtXGnTxv94lSDwIDAQABoAAwDQYJKoZIhvcNAQEL\nBQADggEBAEFcYmQvcAC8773eRTWBJJNoA4kRgoXDMYiiEHih5iJPVSxfidRwYDTF\nsP+ttNTUg3JocFHY75kuM9T2USh+gu/trRF0o4WWa+AbK3JbbdjdT1xOMn7XtfUU\nZ/f1XCS9YdHQFCA6nk4Z+TLWwYsgk7n490AQOiB213fa1UIe83qIfw/3GRqRUZ7U\nwIWEGsHED5WT69GyxjyKHcqGoV7uFnqFN0sQVKVTy/NFRVQvtBUspCbsOirdDRie\nAB2KbGHL+t1QrRF10szwCJDyk5aYlVhxvdI8zn010nrxHkiyQpDFFldDMLJl10BW\n2w9PGO061z+tntdRcKQGuEpnIr9U5Vs=\n-----END CERTIFICATE REQUEST-----\n", private_key: "encrypted_private_key" ) end def test_does_metadata_is_api api = @certificate.assign_metadata assert api, 'api' end def test_certificate_sign_returns_false ENV['ca_key_password'] = 'test_password' assert_not @certificate.sign!(password: ENV['ca_key_password']) end def test_renewable_when_not_expired @certificate.update!( crt: @valid_crt, expires_at: 20.days.from_now ) assert @certificate.renewable? end def test_not_renewable_when_expired @certificate.update!( crt: @valid_crt, expires_at: 1.day.ago ) assert @certificate.expired? assert_not @certificate.renewable? end def test_generate_for_api_user api_user = users(:api_bestnames) certificate = nil assert_nothing_raised do certificate = Certificate.generate_for_api_user(api_user: api_user) end assert certificate.persisted? assert_equal api_user, certificate.api_user assert certificate.private_key.present? assert certificate.csr.present? assert certificate.expires_at.present? end def test_certificate_revoked_when_crl_missing crl_dir = ENV['crl_dir'] || Rails.root.join('ca/crl').to_s crl_path = "#{crl_dir}/crl.pem" original_crl = nil if File.exist?(crl_path) original_crl = File.read(crl_path) File.delete(crl_path) end begin File.delete(crl_path) if File.exist?(crl_path) revoked = @certificate.respond_to?(:certificate_revoked?) ? @certificate.certificate_revoked? : nil if revoked != nil assert_not revoked, "Certificate should not be considered revoked when CRL is missing" end ensure if original_crl FileUtils.mkdir_p(File.dirname(crl_path)) File.write(crl_path, original_crl) end end end def test_certificate_status # Skip this test if the Certificate model doesn't have the status attribute in the database skip unless Certificate.column_names.include?('status') # Now we know the column exists, so we can safely update it @certificate.update(status: "signed") assert_equal "signed", @certificate.status assert_not @certificate.revoked?, "Certificate with 'signed' status should not be considered revoked" @certificate.update(status: "revoked") assert_equal "revoked", @certificate.status assert @certificate.revoked?, "Certificate with 'revoked' status should be considered revoked" end def test_p12_status_with_properly_initialized_crl # Skip if either certificate_revoked? method is missing or status column doesn't exist skip unless (@certificate.respond_to?(:certificate_revoked?) && Certificate.column_names.include?('status')) crl_dir = ENV['crl_dir'] || Rails.root.join('ca/crl').to_s crl_path = "#{crl_dir}/crl.pem" original_crl = nil if File.exist?(crl_path) original_crl = File.read(crl_path) end begin FileUtils.mkdir_p(crl_dir) unless Dir.exist?(crl_dir) File.write(crl_path, "-----BEGIN X509 CRL-----\nMIHsMIGTAgEBMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNVBAMMCVRlc3QgQ0EgMhcN\nMjQwNTEzMTcyMDM1WhcNMjUwNTEzMTcyMDM1WjBEMBMCAgPoFw0yMTA1MTMxNzIw\nMzVaMBMCAgPpFw0yMTA1MTMxNzIwMzVaMBMCAgPqFw0yMTA1MTMxNzIwMzVaMA0G\nCSqGSIb3DQEBCwUAA4GBAGX5rLzwJVAPhJ1iQZLFfzjwVJVGqDIZXt1odApM7/KA\nXrQ5YLVunSBGQTbuRQKNQZQO+snGnZUxJ5OW9eRqp8HWFpCFZbWSJ86eNfuX+GD3\nwgGP/1Zv+iRiZG8ccHQC4fNxQNctMFMccRVmcpOJ8s7h+Y5ohiUXyGTiLbBu4Np3\n-----END X509 CRL-----") assert_not @certificate.certificate_revoked?, "Certificate should not be considered revoked with an empty CRL" # Only update the status if the status column exists @certificate.update(status: "signed") assert_equal "signed", @certificate.status # Use a regular stub instead of Mocha if possible if @certificate.respond_to?(:stubs) @certificate.stubs(:certificate_revoked?).returns(true) else # Simple stub alternative def @certificate.certificate_revoked?; true; end end assert @certificate.certificate_revoked? # Skip the expectations part if we can't use Mocha if defined?(Mocha) && @certificate.respond_to?(:expects) if @certificate.respond_to?(:p12=) @certificate.expects(:status=).with("revoked").at_least_once end end ensure if original_crl File.write(crl_path, original_crl) else File.delete(crl_path) if File.exist?(crl_path) end # Restore the original method if we used the simple stub if !@certificate.respond_to?(:stubs) && @certificate.respond_to?(:certificate_revoked?) class << @certificate remove_method :certificate_revoked? end end end end end