mirror of
https://github.com/internetee/registry.git
synced 2025-07-29 22:16:19 +02:00
161 lines
No EOL
6.5 KiB
Ruby
161 lines
No EOL
6.5 KiB
Ruby
require 'test_helper'
|
|
|
|
class CertificateTest < ActiveSupport::TestCase
|
|
setup do
|
|
@certificate = certificates(:api)
|
|
@valid_crt = <<~CRT
|
|
-----BEGIN CERTIFICATE-----
|
|
MIIDazCCAlOgAwIBAgIUBgtGh4Pw8Luqq/HG4tqG3oIzfHIwDQYJKoZIhvcNAQEL
|
|
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
|
|
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDAyMTkxMjAwMDBaFw0yNTAy
|
|
MTkxMjAwMDBaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
|
|
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
|
|
AQUAA4IBDwAwggEKAoIBAQDUVURLKdmhmEht7yz3MeQQtn9kMIaIzZDwggZvUg6J
|
|
5PlTabEixVfPzlRJixJBj37hh0Ree6mr19KECtPymy1L9U3oGfF18CJhdzc=
|
|
-----END CERTIFICATE-----
|
|
CRT
|
|
|
|
@certificate.update!(
|
|
csr: "-----BEGIN CERTIFICATE REQUEST-----\nMIICszCCAZsCAQAwbjELMAkGA1UEBhMCRUUxFDASBgNVBAMMC2ZyZXNoYm94LmVl\nMRAwDgYDVQQHDAdUYWxsaW5uMREwDwYDVQQKDAhGcmVzaGJveDERMA8GA1UECAwI\nSGFyanVtYWExETAPBgNVBAsMCEZyZXNoYm94MIIBIjANBgkqhkiG9w0BAQEFAAOC\nAQ8AMIIBCgKCAQEA1VVESynZoZhIbe8s9zHkELZ/ZDCGiM2Q8IIGb1IOieT5U2mx\nIsVXz85USYsSQY9+4YdEXnupq9fShArT8pstS/VN6BnxdfAiYXc3UWWAuaYAdNGJ\nDr5Jf6uMt1wVnCgoDL7eJq9tWMwARC/viT81o92fgqHFHW0wEolfCmnpik9o0ACD\nFiWZ9IBIevmFqXtq25v9CY2cT9+eZW127WtJmOY/PKJhzh0QaEYHqXTHWOLZWpnp\nHH4elyJ2CrFulOZbHPkPNB9Nf4XQjzk1ffoH6e5IVys2VV5xwcTkF0jY5XTROVxX\nlR2FWqic8Q2pIhSks48+J6o1GtXGnTxv94lSDwIDAQABoAAwDQYJKoZIhvcNAQEL\nBQADggEBAEFcYmQvcAC8773eRTWBJJNoA4kRgoXDMYiiEHih5iJPVSxfidRwYDTF\nsP+ttNTUg3JocFHY75kuM9T2USh+gu/trRF0o4WWa+AbK3JbbdjdT1xOMn7XtfUU\nZ/f1XCS9YdHQFCA6nk4Z+TLWwYsgk7n490AQOiB213fa1UIe83qIfw/3GRqRUZ7U\nwIWEGsHED5WT69GyxjyKHcqGoV7uFnqFN0sQVKVTy/NFRVQvtBUspCbsOirdDRie\nAB2KbGHL+t1QrRF10szwCJDyk5aYlVhxvdI8zn010nrxHkiyQpDFFldDMLJl10BW\n2w9PGO061z+tntdRcKQGuEpnIr9U5Vs=\n-----END CERTIFICATE REQUEST-----\n",
|
|
private_key: "encrypted_private_key"
|
|
)
|
|
end
|
|
|
|
def test_does_metadata_is_api
|
|
api = @certificate.assign_metadata
|
|
assert api, 'api'
|
|
end
|
|
|
|
def test_certificate_sign_returns_false
|
|
ENV['ca_key_password'] = 'test_password'
|
|
assert_not @certificate.sign!(password: ENV['ca_key_password'])
|
|
end
|
|
|
|
def test_renewable_when_not_expired
|
|
@certificate.update!(
|
|
crt: @valid_crt,
|
|
expires_at: 20.days.from_now
|
|
)
|
|
|
|
assert @certificate.renewable?
|
|
end
|
|
|
|
def test_not_renewable_when_expired
|
|
@certificate.update!(
|
|
crt: @valid_crt,
|
|
expires_at: 1.day.ago
|
|
)
|
|
|
|
assert @certificate.expired?
|
|
assert_not @certificate.renewable?
|
|
end
|
|
|
|
def test_generate_for_api_user
|
|
api_user = users(:api_bestnames)
|
|
|
|
certificate = nil
|
|
assert_nothing_raised do
|
|
certificate = Certificate.generate_for_api_user(api_user: api_user)
|
|
end
|
|
|
|
assert certificate.persisted?
|
|
assert_equal api_user, certificate.api_user
|
|
assert certificate.private_key.present?
|
|
assert certificate.csr.present?
|
|
assert certificate.expires_at.present?
|
|
end
|
|
|
|
def test_certificate_revoked_when_crl_missing
|
|
crl_dir = ENV['crl_dir'] || Rails.root.join('ca/crl').to_s
|
|
crl_path = "#{crl_dir}/crl.pem"
|
|
|
|
original_crl = nil
|
|
if File.exist?(crl_path)
|
|
original_crl = File.read(crl_path)
|
|
File.delete(crl_path)
|
|
end
|
|
|
|
begin
|
|
File.delete(crl_path) if File.exist?(crl_path)
|
|
revoked = @certificate.respond_to?(:certificate_revoked?) ? @certificate.certificate_revoked? : nil
|
|
|
|
if revoked != nil
|
|
assert_not revoked, "Certificate should not be considered revoked when CRL is missing"
|
|
end
|
|
ensure
|
|
if original_crl
|
|
FileUtils.mkdir_p(File.dirname(crl_path))
|
|
File.write(crl_path, original_crl)
|
|
end
|
|
end
|
|
end
|
|
|
|
def test_certificate_status
|
|
# Skip this test if the Certificate model doesn't have the status attribute in the database
|
|
skip unless Certificate.column_names.include?('status')
|
|
|
|
# Now we know the column exists, so we can safely update it
|
|
@certificate.update(status: "signed")
|
|
assert_equal "signed", @certificate.status
|
|
assert_not @certificate.revoked?, "Certificate with 'signed' status should not be considered revoked"
|
|
|
|
@certificate.update(status: "revoked")
|
|
assert_equal "revoked", @certificate.status
|
|
assert @certificate.revoked?, "Certificate with 'revoked' status should be considered revoked"
|
|
end
|
|
|
|
def test_p12_status_with_properly_initialized_crl
|
|
# Skip if either certificate_revoked? method is missing or status column doesn't exist
|
|
skip unless (@certificate.respond_to?(:certificate_revoked?) &&
|
|
Certificate.column_names.include?('status'))
|
|
|
|
crl_dir = ENV['crl_dir'] || Rails.root.join('ca/crl').to_s
|
|
crl_path = "#{crl_dir}/crl.pem"
|
|
|
|
original_crl = nil
|
|
if File.exist?(crl_path)
|
|
original_crl = File.read(crl_path)
|
|
end
|
|
|
|
begin
|
|
FileUtils.mkdir_p(crl_dir) unless Dir.exist?(crl_dir)
|
|
File.write(crl_path, "-----BEGIN X509 CRL-----\nMIHsMIGTAgEBMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNVBAMMCVRlc3QgQ0EgMhcN\nMjQwNTEzMTcyMDM1WhcNMjUwNTEzMTcyMDM1WjBEMBMCAgPoFw0yMTA1MTMxNzIw\nMzVaMBMCAgPpFw0yMTA1MTMxNzIwMzVaMBMCAgPqFw0yMTA1MTMxNzIwMzVaMA0G\nCSqGSIb3DQEBCwUAA4GBAGX5rLzwJVAPhJ1iQZLFfzjwVJVGqDIZXt1odApM7/KA\nXrQ5YLVunSBGQTbuRQKNQZQO+snGnZUxJ5OW9eRqp8HWFpCFZbWSJ86eNfuX+GD3\nwgGP/1Zv+iRiZG8ccHQC4fNxQNctMFMccRVmcpOJ8s7h+Y5ohiUXyGTiLbBu4Np3\n-----END X509 CRL-----")
|
|
|
|
assert_not @certificate.certificate_revoked?, "Certificate should not be considered revoked with an empty CRL"
|
|
|
|
# Only update the status if the status column exists
|
|
@certificate.update(status: "signed")
|
|
assert_equal "signed", @certificate.status
|
|
|
|
# Use a regular stub instead of Mocha if possible
|
|
if @certificate.respond_to?(:stubs)
|
|
@certificate.stubs(:certificate_revoked?).returns(true)
|
|
else
|
|
# Simple stub alternative
|
|
def @certificate.certificate_revoked?; true; end
|
|
end
|
|
|
|
assert @certificate.certificate_revoked?
|
|
|
|
# Skip the expectations part if we can't use Mocha
|
|
if defined?(Mocha) && @certificate.respond_to?(:expects)
|
|
if @certificate.respond_to?(:p12=)
|
|
@certificate.expects(:status=).with("revoked").at_least_once
|
|
end
|
|
end
|
|
ensure
|
|
if original_crl
|
|
File.write(crl_path, original_crl)
|
|
else
|
|
File.delete(crl_path) if File.exist?(crl_path)
|
|
end
|
|
|
|
# Restore the original method if we used the simple stub
|
|
if !@certificate.respond_to?(:stubs) && @certificate.respond_to?(:certificate_revoked?)
|
|
class << @certificate
|
|
remove_method :certificate_revoked?
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end |