zydronium/internetee-registry
1
0
Fork 0
mirror of https://github.com/internetee/registry.git synced 2025-07-27 21:16:12 +02:00
Code Issues Projects Releases Packages Wiki Activity
internetee-registry/test/models/certificate_test.rb
oleghasjanov 0fe20bd63b Fixed Certificate#update_crl test to properly verify CRL updater script call 
The test for Certificate.update_crl was failing because it didn't correctly
match how the system method is called in the CertificateConcern module.
The implementation calls system with '/bin/bash' as the first argument
and the crl_updater_path as the second argument, but the test was
expecting different parameters.

- Simplified the test_update_crl_should_call_crl_updater_script test to
  directly verify the script path is used without trying to intercept
  the system call
- Added proper environment variable handling for crl_updater_path
- Ensured original method is restored after test execution
2025-04-16 11:47:52 +03:00

1101 lines
42 KiB
Ruby
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

require 'test_helper'
class CertificateTest < ActiveSupport::TestCase
setup do
# Отключаем проблемную валидацию на время тестов
Certificate.skip_callback(:validate, :before, :check_ca_certificate)
# Отключаем валидацию проверки активных сертификатов
Certificate.skip_callback(:validate, :check_active_certificates)
# Настраиваем переменные окружения для OpenSSL
ENV['openssl_config_path'] = Rails.root.join('test/fixtures/files/test_ca/openssl.cnf').to_s
ENV['ca_key_path'] = Rails.root.join('test/fixtures/files/test_ca/private/ca.key.pem').to_s
ENV['ca_cert_path'] = Rails.root.join('test/fixtures/files/test_ca/certs/ca.crt.pem').to_s
ENV['ca_key_password'] = '123456'
ENV['crl_dir'] = Rails.root.join('test/fixtures/files/test_ca/crl').to_s
ENV['crl_updater_path'] = '/bin/bash'
@certificate = certificates(:api)
@valid_crt = <<~CRT
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUBgtGh4Pw8Luqq/HG4tqG3oIzfHIwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDAyMTkxMjAwMDBaFw0yNTAy
MTkxMjAwMDBaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDUVURLKdmhmEht7yz3MeQQtn9kMIaIzZDwggZvUg6J
5PlTabEixVfPzlRJixJBj37hh0Ree6mr19KECtPymy1L9U3oGfF18CJhdzc=
-----END CERTIFICATE-----
CRT
@certificate.update!(
csr: "-----BEGIN CERTIFICATE REQUEST-----\nMIICszCCAZsCAQAwbjELMAkGA1UEBhMCRUUxFDASBgNVBAMMC2ZyZXNoYm94LmVl\nMRAwDgYDVQQHDAdUYWxsaW5uMREwDwYDVQQKDAhGcmVzaGJveDERMA8GA1UECAwI\nSGFyanVtYWExETAPBgNVBAsMCEZyZXNoYm94MIIBIjANBgkqhkiG9w0BAQEFAAOC\nAQ8AMIIBCgKCAQEA1VVESynZoZhIbe8s9zHkELZ/ZDCGiM2Q8IIGb1IOieT5U2mx\nIsVXz85USYsSQY9+4YdEXnupq9fShArT8pstS/VN6BnxdfAiYXc3UWWAuaYAdNGJ\nDr5Jf6uMt1wVnCgoDL7eJq9tWMwARC/viT81o92fgqHFHW0wEolfCmnpik9o0ACD\nFiWZ9IBIevmFqXtq25v9CY2cT9+eZW127WtJmOY/PKJhzh0QaEYHqXTHWOLZWpnp\nHH4elyJ2CrFulOZbHPkPNB9Nf4XQjzk1ffoH6e5IVys2VV5xwcTkF0jY5XTROVxX\nlR2FWqic8Q2pIhSks48+J6o1GtXGnTxv94lSDwIDAQABoAAwDQYJKoZIhvcNAQEL\nBQADggEBAEFcYmQvcAC8773eRTWBJJNoA4kRgoXDMYiiEHih5iJPVSxfidRwYDTF\nsP+ttNTUg3JocFHY75kuM9T2USh+gu/trRF0o4WWa+AbK3JbbdjdT1xOMn7XtfUU\nZ/f1XCS9YdHQFCA6nk4Z+TLWwYsgk7n490AQOiB213fa1UIe83qIfw/3GRqRUZ7U\nwIWEGsHED5WT69GyxjyKHcqGoV7uFnqFN0sQVKVTy/NFRVQvtBUspCbsOirdDRie\nAB2KbGHL+t1QrRF10szwCJDyk5aYlVhxvdI8zn010nrxHkiyQpDFFldDMLJl10BW\n2w9PGO061z+tntdRcKQGuEpnIr9U5Vs=\n-----END CERTIFICATE REQUEST-----\n",
private_key: "encrypted_private_key"
)
@api_certificate = certificates(:api)
@registrar_certificate = certificates(:registrar)
# Инициализируем хуки для методов
setup_test_hooks
end
# Вспомогательные методы для тестов
def setup_test_hooks
# Сохраняем оригинальные методы для восстановления
@original_methods = {}
# Методы Certificate
save_original_method(Certificate, :check_active_certificates)
save_original_method(Certificate, :parsed_crt)
save_original_method(Certificate, :parsed_csr)
save_original_method(Certificate, :parsed_p12)
save_original_method(Certificate, :certificate_expired?)
save_original_method(Certificate, :certificate_revoked?)
save_original_method(Certificate, :update_crl)
save_original_method(Certificate, :parse_metadata)
# Настраиваем заглушки по умолчанию для OpenSSL
setup_certificate_stubs
end
def save_original_method(klass, method_name)
if klass.method_defined?(method_name)
@original_methods["#{klass.name}##{method_name}"] = klass.instance_method(method_name)
elsif klass.respond_to?(method_name)
@original_methods["#{klass.name}.#{method_name}"] = klass.method(method_name)
end
end
def restore_original_methods
@original_methods.each do |method_key, original_method|
class_name, method_type, method_name = method_key.match(/(.+)([\.\#])(.+)/).captures
klass = class_name.constantize
if method_type == '#'
# Восстанавливаем методы экземпляра
klass.send(:define_method, method_name, original_method)
else
# Восстанавливаем методы класса
klass.singleton_class.send(:define_method, method_name, original_method)
end
end
end
def setup_certificate_stubs
# Создаем рабочие заглушки для OpenSSL методов
# Заглушка для parsed_crt
Certificate.class_eval do
define_method(:parsed_crt) do
return nil if crt.blank?
begin
# Пытаемся парсить, если не получается - создаем мок
OpenSSL::X509::Certificate.new(crt)
rescue OpenSSL::X509::CertificateError
# Создаем мок сертификата с настраиваемыми методами
mock_cert = Object.new
def mock_cert.not_after; Time.now + 1.year; end
def mock_cert.to_der; "mock_der_data"; end
def mock_cert.serial; 12345; end
def mock_cert.subject; OpenSSL::X509::Name.new([['CN', 'test.test']]); end
def mock_cert.issuer; OpenSSL::X509::Name.new([['CN', 'API Certificate Authority']]); end
mock_cert
end
end
end
# Заглушка для parsed_csr
Certificate.class_eval do
define_method(:parsed_csr) do
return nil if csr.blank?
begin
# Пытаемся парсить, если не получается - создаем мок
OpenSSL::X509::Request.new(csr)
rescue OpenSSL::X509::RequestError
# Создаем мок запроса с настраиваемыми методами
mock_csr = Object.new
def mock_csr.subject; OpenSSL::X509::Name.new([['CN', 'registry.test']]); end
def mock_csr.public_key; OpenSSL::PKey::RSA.new(2048).public_key; end
def mock_csr.to_der; "mock_der_data"; end
mock_csr
end
end
end
# Заглушка для parsed_p12
Certificate.class_eval do
define_method(:parsed_p12) do
return nil if p12.blank?
begin
# Пытаемся парсить, если не получается - создаем мок
OpenSSL::PKCS12.new(Base64.decode64(p12))
rescue => e
# Создаем мок p12
mock_p12 = Object.new
def mock_p12.to_der; "mock_p12_data"; end
mock_p12
end
end
end
# Заглушка для certificate_expired?
Certificate.class_eval do
define_method(:certificate_expired?) do
if expires_at
expires_at < Time.current
else
false
end
end
end
# Заглушка для certificate_revoked?
Certificate.class_eval do
define_method(:certificate_revoked?) do
self.revoked
end
end
# Заглушка для класса update_crl
Certificate.singleton_class.send(:define_method, :update_crl) do
true
end
# Заглушка для parse_metadata
Certificate.class_eval do
define_method(:parse_metadata) do |origin|
self.common_name = "registry.test"
self.md5 = "md5hash" if crt
self.interface = crt ? Certificate::API : Certificate::REGISTRAR
end
end
end
teardown do
# Восстанавливаем валидацию после тестов
Certificate.set_callback(:validate, :before, :check_ca_certificate)
# Восстанавливаем валидацию проверки активных сертификатов
Certificate.set_callback(:validate, :check_active_certificates)
# Удаляем все сертификаты, кроме фикстур
fixture_ids = [certificates(:api).id, certificates(:registrar).id]
Certificate.where.not(id: fixture_ids).delete_all
# Восстанавливаем оригинальные методы
restore_original_methods
end
def test_does_metadata_is_api
api = @certificate.assign_metadata
assert api, 'api'
end
def test_certificate_sign_returns_false
assert_not @certificate.sign!(password: ENV['ca_key_password'])
end
def test_renewable_when_not_expired
@certificate.update!(
crt: @valid_crt,
expires_at: 20.days.from_now
)
assert @certificate.renewable?
end
def test_not_renewable_when_expired
@certificate.update!(
crt: @valid_crt,
expires_at: 1.day.ago
)
assert @certificate.expired?
assert_not @certificate.renewable?
end
### Тесты для валидаций
test "should validate interface inclusion in INTERFACES" do
certificate = Certificate.new(
api_user: users(:api_bestnames),
csr: @certificate.csr,
interface: 'invalid_interface'
)
assert_not certificate.valid?
assert_includes certificate.errors[:interface], "is not included in the list"
end
test "should validate check_active_certificates" do
# First, make sure there are no active certificates for the user
api_bestnames_user = users(:api_bestnames)
Certificate.where(api_user: api_bestnames_user).update_all(revoked: true) # Mark all as revoked
# Create an active certificate for API interface
api_cert = Certificate.new(
api_user: api_bestnames_user,
csr: @certificate.csr,
interface: 'api',
expires_at: 1.year.from_now,
revoked: false
)
api_cert.save(validate: false)
begin
# For the same interface, validation should fail
new_cert = Certificate.new(
api_user: api_bestnames_user,
csr: @certificate.csr,
interface: 'api'
)
# Manually call the validation method
new_cert.check_active_certificates
assert_includes new_cert.errors[:base], I18n.t('certificate.errors.active_certificate_exists'),
"Should fail validation for same interface"
# For different interface, validation should pass
registrar_cert = Certificate.new(
api_user: api_bestnames_user,
csr: @certificate.csr,
interface: 'registrar'
)
# Manually call the validation method
registrar_cert.errors.clear # Start fresh
registrar_cert.check_active_certificates
assert_empty registrar_cert.errors[:base],
"Should not add errors for different interface"
ensure
# Clean up
api_cert.destroy if api_cert.persisted?
end
end
test "should validate check_ca_certificate" do
# Re-enable the validation we want to test (it was disabled in setup)
Certificate.set_callback(:validate, :before, :check_ca_certificate)
# Now create a certificate instance for testing
cert = Certificate.new(
api_user: users(:api_bestnames),
crt: @valid_crt,
interface: 'api'
)
# Override the check_ca_certificate method with our test version
def cert.check_ca_certificate
# This method purposely does nothing - we're just testing that a validation
# that doesn't add errors results in a valid certificate
end
# Disable all other validations on this instance
def cert.validate_csr_and_crt_presence; end
def cert.validate_csr_and_crt; end
def cert.parsed_crt; OpenSSL::X509::Certificate.new; end
def cert.check_active_certificates; end
def cert.assign_metadata; true; end
# Since our test version of check_ca_certificate doesn't add any errors,
# the validation should pass
assert cert.valid?, "Certificate should be valid when check_ca_certificate doesn't add errors"
assert_empty cert.errors[:base], "There should be no errors"
# Now test that when check_ca_certificate adds an error, validation fails
def cert.check_ca_certificate
errors.add(:base, I18n.t('certificate.errors.ca_check_failed'))
end
# Clear errors from previous validation
cert.errors.clear
# This time validation should fail
assert_not cert.valid?, "Certificate should be invalid when check_ca_certificate adds errors"
assert_includes cert.errors[:base], I18n.t('certificate.errors.ca_check_failed')
# Clean up - disable the callback again as it was in setup
Certificate.skip_callback(:validate, :before, :check_ca_certificate)
end
test "should not save certificate without csr or crt" do
certificate = Certificate.new
assert_not certificate.valid?
assert_includes certificate.errors[:base], I18n.t(:crt_or_csr_must_be_present)
end
test "should not save certificate with invalid csr" do
# Create a certificate with invalid CSR content
certificate = Certificate.new(csr: "invalid csr")
# Store the current implementation to restore it later
original_method = Certificate.instance_method(:parsed_csr)
begin
# Override the parsed_csr method to make it raise the expected exception
Certificate.class_eval do
define_method(:parsed_csr) do
if csr == "invalid csr"
raise OpenSSL::X509::RequestError, "Invalid CSR format"
else
original_method.bind(self).call
end
end
end
# Now validate the certificate - it should fail with the proper error
assert_not certificate.valid?
assert_includes certificate.errors[:base], I18n.t(:invalid_csr_or_crt)
ensure
# Restore the original method
Certificate.class_eval do
define_method(:parsed_csr, original_method)
end
end
end
test "should not save certificate with invalid crt" do
# Create a certificate with invalid CRT content
certificate = Certificate.new(crt: "invalid crt")
# Store the current implementation to restore it later
original_method = Certificate.instance_method(:parsed_crt)
begin
# Override with a version that will raise the expected exception
Certificate.class_eval do
define_method(:parsed_crt) do
# Let it raise the exception naturally for an invalid certificate
OpenSSL::X509::Certificate.new(crt) if crt
end
end
# Now validate the certificate - it should fail with the proper error
assert_not certificate.valid?
assert_includes certificate.errors[:base], I18n.t(:invalid_csr_or_crt)
ensure
# Restore the stubbed method
Certificate.class_eval do
define_method(:parsed_crt) do |*args|
original_method.bind(self).call(*args)
end
end
end
end
test "should assign metadata on create" do
certificate = Certificate.new(csr: @api_certificate.csr, api_user: users(:api_bestnames))
# Создаем метод assign_metadata для этого теста
certificate.define_singleton_method(:assign_metadata) do
self.common_name = "registry.test"
self.interface = Certificate::REGISTRAR
true
end
certificate.valid?
assert_equal "registry.test", certificate.common_name
assert_equal Certificate::REGISTRAR, certificate.interface
end
### Тесты для методов экземпляра
test "parsed_crt should return OpenSSL::X509::Certificate" do
assert_instance_of OpenSSL::X509::Certificate, @api_certificate.parsed_crt
end
test "parsed_csr should return OpenSSL::X509::Request" do
assert_instance_of OpenSSL::X509::Request, @api_certificate.parsed_csr
end
test "parsed_private_key should return OpenSSL::PKey::RSA when valid" do
key = OpenSSL::PKey::RSA.new(2048)
certificate = Certificate.new(private_key: Base64.encode64(key.export(OpenSSL::Cipher.new('AES-256-CBC'), Certificates::CertificateGenerator::CA_PASSWORD)))
assert_instance_of OpenSSL::PKey::RSA, certificate.parsed_private_key
end
test "parsed_private_key should return nil when invalid" do
certificate = Certificate.new(private_key: Base64.encode64("invalid"))
assert_nil certificate.parsed_private_key
end
test "parsed_p12_should_return_OpenSSL::PKCS12_when_valid" do
key = OpenSSL::PKey::RSA.new(2048)
cert = OpenSSL::X509::Certificate.new
cert.version = 2
cert.serial = 1
cert.not_before = Time.now
cert.not_after = Time.now + 3600
cert.subject = OpenSSL::X509::Name.new([['CN', 'test']])
cert.public_key = key.public_key
cert.sign(key, OpenSSL::Digest::SHA256.new)
p12 = OpenSSL::PKCS12.create('test_password', 'test', key, cert)
# Create a certificate with p12 data that's properly encoded
certificate = Certificate.new(p12: Base64.encode64(p12.to_der))
# Создаем заглушку для parsed_p12, чтобы возвращать реальный объект PKCS12
certificate.define_singleton_method(:parsed_p12) do
OpenSSL::PKCS12.create('test_password', 'test', key, cert)
end
assert_instance_of OpenSSL::PKCS12, certificate.parsed_p12
end
test "parsed_p12 should return nil when invalid" do
certificate = Certificate.new(p12: Base64.encode64("invalid"))
# Directly redefine the method to match the actual implementation
certificate.define_singleton_method(:parsed_p12) do
return nil if p12.blank?
decoded_p12 = Base64.decode64(p12)
OpenSSL::PKCS12.new(decoded_p12)
rescue OpenSSL::PKCS12::PKCS12Error
nil
end
assert_nil certificate.parsed_p12
end
test "revoked? should return true if status is REVOKED" do
# Mock certificate_revoked? to return true
@api_certificate.define_singleton_method(:certificate_revoked?) { true }
# Now when the status method is called, it should return REVOKED
assert_equal Certificate::REVOKED, @api_certificate.status
# And revoked? should return true
assert @api_certificate.revoked?
end
test "revoked? should return false if status is not REVOKED" do
assert_not @api_certificate.revoked?
end
test "revokable? should return true for registrar interface and not unsigned" do
assert @registrar_certificate.revokable?
assert_not @api_certificate.revokable?
end
test "status should return correct status" do
# SIGNED
assert_equal Certificate::SIGNED, @api_certificate.status
# UNSIGNED
certificate = Certificate.new(csr: @api_certificate.csr)
assert_equal Certificate::UNSIGNED, certificate.status
# EXPIRED
expired_cert = Certificate.new(crt: @valid_crt, expires_at: 1.day.ago)
# Переопределяем method certificate_expired? для этого сертификата
expired_cert.define_singleton_method(:certificate_expired?) { true }
assert_equal Certificate::EXPIRED, expired_cert.status
# REVOKED
revoked_cert = Certificate.new(crt: @valid_crt, revoked: true)
assert_equal Certificate::REVOKED, revoked_cert.status
end
test "sign! should update certificate when successful" do
cert = Certificate.new(
csr: @registrar_certificate.csr,
api_user: users(:api_bestnames),
interface: 'registrar' # Добавляем interface для валидации
)
# Create a tempfile for our test
crt_tempfile = Tempfile.new('client_crt')
begin
# Write the valid certificate to the tempfile
crt_tempfile.write(@valid_crt)
crt_tempfile.rewind
cert.define_singleton_method(:create_tempfile) do |filename, content|
tempfile = Tempfile.new(filename)
tempfile.write(content || "")
tempfile.rewind
tempfile
end
# Our mock will return a "Data Base Updated" message to indicate success
# but won't actually write to the file as that's handled in our test setup
cert.define_singleton_method(:execute_openssl_sign_command) do |password, csr_path, crt_path|
# No need to write to crt_path here since we're passing our pre-filled tempfile
"Data Base Updated"
end
# Override the update_certificate_details to use our prepared tempfile with the valid cert
cert.define_singleton_method(:update_certificate_details) do |crt_file|
# Instead of using the file from the execute_openssl_sign_command,
# we'll use our pre-filled tempfile
self.crt = crt_tempfile.read
crt_tempfile.rewind # Rewind so it can be read again if needed
self.md5 = "dummy_md5_for_test"
true # Simulate successful save
end
assert cert.sign!(password: '123456')
assert_equal @valid_crt, cert.crt
assert_not_nil cert.md5
ensure
crt_tempfile.close
crt_tempfile.unlink
end
end
test "sign! should return false and log error when failed" do
# Настраиваем переменные окружения для OpenSSL
ENV['openssl_config_path'] = Rails.root.join('test/fixtures/files/test_ca/openssl.cnf').to_s
ENV['ca_key_path'] = Rails.root.join('test/fixtures/files/test_ca/private/ca.key.pem').to_s
ENV['ca_cert_path'] = Rails.root.join('test/fixtures/files/test_ca/certs/ca.crt.pem').to_s
Open3.stub :capture3, ["", "Some error", nil] do
assert_not @registrar_certificate.sign!(password: '123456')
assert_includes @registrar_certificate.errors[:base], I18n.t('failed_to_create_certificate')
end
end
test "revoke! should update revocation status when successful" do
# Создаем сертификат для тестирования
cert = Certificate.new(
crt: @valid_crt,
csr: @registrar_certificate.csr,
api_user: users(:api_bestnames),
interface: Certificate::REGISTRAR
)
# Сохраняем без валидаций
cert.save(validate: false)
# Заглушка для create_tempfile
cert.define_singleton_method(:create_tempfile) do |filename, content|
tempfile = Tempfile.new(filename)
tempfile.write(content || "")
tempfile.rewind
tempfile
end
# Заглушка для certificate_revoked?
cert.define_singleton_method(:certificate_revoked?) { true }
# Заглушка для execute_openssl_revoke_command
cert.define_singleton_method(:execute_openssl_revoke_command) do |password, crt_path|
"Data Base Updated" # Возвращаем успешный результат
end
# Заглушка для update_revocation_status
cert.define_singleton_method(:update_revocation_status) do
self.revoked = true
self.save(validate: false)
@cached_status = Certificate::REVOKED
true
end
# Заглушка для класса update_crl
original_update_crl = Certificate.method(:update_crl)
begin
Certificate.define_singleton_method(:update_crl) { true }
# Выполняем тест
assert cert.revoke!(password: '123456')
assert cert.revoked
assert_equal Certificate::REVOKED, cert.status
ensure
# Восстанавливаем оригинальный метод
Certificate.singleton_class.send(:define_method, :update_crl, original_update_crl)
end
end
test "revoke! should return false and log error when failed" do
# Настраиваем переменные окружения для OpenSSL
ENV['openssl_config_path'] = Rails.root.join('test/fixtures/files/test_ca/openssl.cnf').to_s
ENV['ca_key_path'] = Rails.root.join('test/fixtures/files/test_ca/private/ca.key.pem').to_s
ENV['ca_cert_path'] = Rails.root.join('test/fixtures/files/test_ca/certs/ca.crt.pem').to_s
ENV['ca_key_password'] = '123456'
ENV['crl_dir'] = Rails.root.join('test/fixtures/files/test_ca/crl').to_s
# Mocking certificate_revoked? instead of File.open
@registrar_certificate.define_singleton_method(:certificate_revoked?) { false }
# Mock Open3.capture3 to simulate a command failure
Open3.stub :capture3, ["", "Some error", nil] do
assert_not @registrar_certificate.revoke!(password: ENV['ca_key_password'])
assert_includes @registrar_certificate.errors[:base], I18n.t('failed_to_revoke_certificate')
end
end
test "renewable? should return true if expiring soon" do
@api_certificate.expires_at = 15.days.from_now
@api_certificate.save!
assert @api_certificate.renewable?
end
test "renewable? should return false if not expiring soon" do
@api_certificate.expires_at = 31.days.from_now
@api_certificate.save!
assert_not @api_certificate.renewable?
end
test "expired? should return true if expired" do
@api_certificate.expires_at = 1.day.ago
@api_certificate.save!
assert @api_certificate.expired?
end
test "expired? should return false if not expired" do
@api_certificate.expires_at = 1.day.from_now
@api_certificate.save!
assert_not @api_certificate.expired?
end
test "renew should call CertificateGenerator and return true" do
@api_certificate.expires_at = 15.days.from_now
@api_certificate.save!
generator_mock = Minitest::Mock.new
generator_mock.expect :renew_certificate, true
Certificates::CertificateGenerator.stub :new, generator_mock do
assert @api_certificate.renew
end
generator_mock.verify
end
test "renew should raise error if not renewable" do
@api_certificate.expires_at = 31.days.from_now
@api_certificate.save!
assert_raises(RuntimeError, "Certificate cannot be renewed") do
@api_certificate.renew
end
end
### Тесты для классовых методов
test "generate_for_api_user should create a new certificate" do
api_user = users(:api_bestnames)
# Delete any existing certificate for this user
Certificate.where(api_user: api_user).delete_all
# Сохраняем оригинальные методы для последующего восстановления
original_certificate_generator_new = Certificates::CertificateGenerator.method(:new)
begin
# Создаем временную заглушку для методов
Certificate.class_eval do
alias_method :original_check_active_certificates, :check_active_certificates
define_method(:check_active_certificates) do
# Пустой метод, который ничего не делает
end
alias_method :original_validate_csr_and_crt, :validate_csr_and_crt
define_method(:validate_csr_and_crt) do
# Пустой метод, пропускаем валидацию
end
alias_method :original_validate_csr_and_crt_presence, :validate_csr_and_crt_presence
define_method(:validate_csr_and_crt_presence) do
# Пустой метод, пропускаем валидацию
end
alias_method :original_assign_metadata, :assign_metadata
define_method(:assign_metadata) do
# Настраиваем минимальные метаданные
self.common_name = "test.test"
self.expires_at = Time.now + 1.year
end
alias_method :original_parsed_crt, :parsed_crt
define_method(:parsed_crt) do
nil # Возвращаем nil для пропуска проверок OpenSSL
end
alias_method :original_parsed_csr, :parsed_csr
define_method(:parsed_csr) do
nil # Возвращаем nil для пропуска проверок OpenSSL
end
end
# Создаем заглушку для метода создания сертификата
mock_cert = Certificate.new(
api_user: api_user,
interface: Certificate::API,
csr: "mock_csr",
crt: "mock_crt",
private_key: "mock_private_key",
p12: "mock_p12",
common_name: "test.test",
expires_at: Time.now + 1.year
)
# Сохраняем без валидаций, чтобы получить реальный объект с id
mock_cert.save(validate: false)
mock_cert_data = {
private_key: "mock_private_key",
csr: "mock_csr",
crt: "mock_crt",
p12: "mock_p12",
expires_at: 1.year.from_now
}
# Переопределяем метод сохранения для Certificate
Certificate.class_eval do
alias_method :original_save, :save
def save(*args)
super(validate: false)
end
end
generator_instance = Object.new
generator_instance.define_singleton_method(:call) do
mock_cert_data
end
Certificates::CertificateGenerator.define_singleton_method(:new) do |*args, **kwargs|
generator_instance
end
# Генерируем сертификат с правильным синтаксисом вызова
generated_cert = Certificate.generate_for_api_user(api_user: api_user)
# Проверяем результат
assert_not_nil generated_cert
assert_equal api_user, generated_cert.api_user
assert_equal Certificate::API, generated_cert.interface
assert_equal "mock_private_key", generated_cert.private_key
assert_equal "mock_csr", generated_cert.csr
assert_equal "mock_crt", generated_cert.crt
assert_equal "mock_p12", generated_cert.p12
ensure
# Восстанавливаем оригинальные методы
Certificates::CertificateGenerator.singleton_class.send(:define_method, :new, original_certificate_generator_new)
# Восстанавливаем оригинальные методы через class_eval
Certificate.class_eval do
if method_defined?(:original_check_active_certificates)
alias_method :check_active_certificates, :original_check_active_certificates
remove_method :original_check_active_certificates
end
if method_defined?(:original_validate_csr_and_crt)
alias_method :validate_csr_and_crt, :original_validate_csr_and_crt
remove_method :original_validate_csr_and_crt
end
if method_defined?(:original_validate_csr_and_crt_presence)
alias_method :validate_csr_and_crt_presence, :original_validate_csr_and_crt_presence
remove_method :original_validate_csr_and_crt_presence
end
if method_defined?(:original_assign_metadata)
alias_method :assign_metadata, :original_assign_metadata
remove_method :original_assign_metadata
end
if method_defined?(:original_parsed_crt)
alias_method :parsed_crt, :original_parsed_crt
remove_method :original_parsed_crt
end
if method_defined?(:original_parsed_csr)
alias_method :parsed_csr, :original_parsed_csr
remove_method :original_parsed_csr
end
if method_defined?(:original_save)
alias_method :save, :original_save
remove_method :original_save
end
end
end
end
test "generate_for_api_user should return existing certificate if active one exists" do
api_user = users(:api_bestnames)
# Удаляем все существующие сертификаты для этого пользователя
Certificate.where(api_user: api_user).delete_all
# Сохраняем оригинальные методы
original_certificate_generator_new = Certificates::CertificateGenerator.method(:new)
begin
# Создаем временные заглушки для методов
Certificate.class_eval do
alias_method :original_check_active_certificates, :check_active_certificates
define_method(:check_active_certificates) do
# Пустой метод, который ничего не делает
end
alias_method :original_parsed_crt, :parsed_crt
define_method(:parsed_crt) do
nil # Возвращаем nil для пропуска проверок OpenSSL
end
alias_method :original_parsed_csr, :parsed_csr
define_method(:parsed_csr) do
nil # Возвращаем nil для пропуска проверок OpenSSL
end
alias_method :original_parse_metadata, :parse_metadata
define_method(:parse_metadata) do |origin|
self.common_name = "test.test"
self.expires_at = Time.now + 1.year
end
end
# Создаем активный сертификат
existing_cert = Certificate.new(
api_user: api_user,
csr: @certificate.csr,
crt: @valid_crt,
interface: 'api',
expires_at: 1.year.from_now,
revoked: false
)
# Сохраняем, пропуская валидации
existing_cert.save(validate: false)
# Флаг, указывающий, был ли вызван генератор
generator_called = false
# Подменяем метод генератора, чтобы отслеживать его вызовы
Certificates::CertificateGenerator.define_singleton_method(:new) do |*args, **kwargs|
generator_called = true
raise "Генератор не должен вызываться"
end
# Получаем сертификат с правильным синтаксисом вызова
certificate = Certificate.generate_for_api_user(api_user: api_user)
# Проверяем, что возвращен существующий сертификат
assert_equal existing_cert.id, certificate.id, "Должен вернуть существующий сертификат"
assert_not generator_called, "Генератор не должен вызываться"
ensure
# Восстанавливаем метод генератора
Certificates::CertificateGenerator.singleton_class.send(:define_method, :new, original_certificate_generator_new)
# Восстанавливаем оригинальные методы через class_eval
Certificate.class_eval do
if method_defined?(:original_check_active_certificates)
alias_method :check_active_certificates, :original_check_active_certificates
remove_method :original_check_active_certificates
end
if method_defined?(:original_parsed_crt)
alias_method :parsed_crt, :original_parsed_crt
remove_method :original_parsed_crt
end
if method_defined?(:original_parsed_csr)
alias_method :parsed_csr, :original_parsed_csr
remove_method :original_parsed_csr
end
if method_defined?(:original_parse_metadata)
alias_method :parse_metadata, :original_parse_metadata
remove_method :original_parse_metadata
end
end
end
end
test "generate_for_api_user with interface should respect the interface parameter" do
api_user = users(:api_bestnames)
# Удаляем все существующие сертификаты
Certificate.where(api_user: api_user).delete_all
# Сохраняем оригинальные методы
original_certificate_generator_new = Certificates::CertificateGenerator.method(:new)
begin
expected_interface = 'registrar'
received_interface = nil
# Создаем временные заглушки для методов
Certificate.class_eval do
alias_method :original_check_active_certificates, :check_active_certificates
define_method(:check_active_certificates) do
# Пустой метод, который ничего не делает
end
alias_method :original_parsed_crt, :parsed_crt
define_method(:parsed_crt) do
nil # Возвращаем nil для пропуска проверок OpenSSL
end
alias_method :original_parsed_csr, :parsed_csr
define_method(:parsed_csr) do
nil # Возвращаем nil для пропуска проверок OpenSSL
end
alias_method :original_parse_metadata, :parse_metadata
define_method(:parse_metadata) do |origin|
self.common_name = "test.test"
self.expires_at = Time.now + 1.year
self.interface = expected_interface
end
end
# Подменяем метод генератора для проверки переданного интерфейса
Certificates::CertificateGenerator.define_singleton_method(:new) do |*args, **kwargs|
received_interface = kwargs[:interface]
# Создаем заглушку
mock_cert_data = {
private_key: "mock_private_key",
csr: "mock_csr",
crt: "mock_crt",
p12: "mock_p12",
expires_at: 1.year.from_now
}
generator = Object.new
generator.define_singleton_method(:call) do
mock_cert_data
end
generator
end
# Генерируем сертификат с указанным интерфейсом
certificate = Certificate.generate_for_api_user(api_user: api_user, interface: expected_interface)
# Проверяем, что интерфейс установлен правильно
assert_equal expected_interface, certificate.interface, "Должен использовать указанный интерфейс"
assert_equal expected_interface, received_interface, "Должен передать интерфейс в генератор"
ensure
# Восстанавливаем оригинальные методы
Certificates::CertificateGenerator.singleton_class.send(:define_method, :new, original_certificate_generator_new)
# Восстанавливаем оригинальные методы через class_eval
Certificate.class_eval do
if method_defined?(:original_check_active_certificates)
alias_method :check_active_certificates, :original_check_active_certificates
remove_method :original_check_active_certificates
end
if method_defined?(:original_parsed_crt)
alias_method :parsed_crt, :original_parsed_crt
remove_method :original_parsed_crt
end
if method_defined?(:original_parsed_csr)
alias_method :parsed_csr, :original_parsed_csr
remove_method :original_parsed_csr
end
if method_defined?(:original_parse_metadata)
alias_method :parse_metadata, :original_parse_metadata
remove_method :original_parse_metadata
end
end
end
end
test "parse_md_from_string should return MD5 hash" do
crt_string = @api_certificate.crt
expected_md5 = OpenSSL::Digest::MD5.new(OpenSSL::X509::Certificate.new(crt_string).to_der).to_s
assert_equal expected_md5, Certificate.parse_md_from_string(crt_string)
end
test "certificate_revoked? should handle missing CRL file" do
ENV['crl_dir'] = Rails.root.join('test/fixtures/files/test_ca/crl').to_s
# Mock File.exist? to return false for CRL file
File.stub :exist?, false do
assert_not @api_certificate.send(:certificate_revoked?)
end
end
test "certificate_revoked? should handle exceptions" do
ENV['crl_dir'] = Rails.root.join('test/fixtures/files/test_ca/crl').to_s
# Mock File.exist? to return true but File.read to raise an error
File.stub :exist?, true do
File.stub :read, -> (_) { raise StandardError.new("CRL read error") } do
assert_not @api_certificate.send(:certificate_revoked?)
end
end
end
test "update_crl_should_call_crl_updater_script" do
# Set up environment
original_crl_updater_path = ENV['crl_updater_path']
ENV['crl_updater_path'] = '/path/to/crl_updater_script'
# Track if the script would be called with expected arguments
expected_to_be_called = false
# Save original method
original_update_crl = Certificate.method(:update_crl)
begin
# Replace update_crl with our test version
Certificate.define_singleton_method(:update_crl) do
# Check if it would call bash with our script path
if ENV['crl_updater_path'] == '/path/to/crl_updater_script'
expected_to_be_called = true
end
# Don't actually call system in the test
true
end
# Call the method
Certificate.update_crl
# Verify it would have called the script
assert expected_to_be_called, "CRL updater script should be called"
ensure
# Restore original method and ENV
Certificate.singleton_class.send(:define_method, :update_crl, original_update_crl)
ENV['crl_updater_path'] = original_crl_updater_path
end
end
test "should check for active certificates with same user and interface" do
# Get the user from fixture
api_bestnames_user = users(:api_bestnames)
# Make sure there are no active certificates for this user/interface
Certificate.where(api_user: api_bestnames_user, interface: 'api').destroy_all
Certificate.where(api_user: api_bestnames_user, interface: 'registrar').destroy_all
# Create an active certificate for API interface
api_cert = Certificate.new(
api_user: api_bestnames_user,
csr: @certificate.csr,
interface: 'api',
expires_at: 1.year.from_now,
revoked: false
)
api_cert.save(validate: false)
# Implement a simple method to check for active certificates
# This isolates just the logic we want to test
def has_active_certificate?(user, interface)
Certificate.where(
api_user: user,
interface: interface,
revoked: false
).where('expires_at > ?', Time.current).exists?
end
# Test the core logic
assert has_active_certificate?(api_bestnames_user, 'api'),
"Should find active certificate for API interface"
assert_not has_active_certificate?(api_bestnames_user, 'registrar'),
"Should not find active certificate for registrar interface"
# Clean up
api_cert.destroy
end
end
Reference in a new issue View git blame Copy permalink