X-Git-Url: https://review.fuel-infra.org/gitweb?a=blobdiff_plain;f=spec%2Funit%2Fssl_spec.rb;fp=spec%2Funit%2Fssl_spec.rb;h=3657af30f66299424bd498719f9ea1f393d42138;hb=b87d2f4e68281062df1913440ca5753ae63314a9;hp=0000000000000000000000000000000000000000;hpb=ab0ea530b8ac956091f17b104ab2311336cfc250;p=packages%2Fprecise%2Fmcollective.git diff --git a/spec/unit/ssl_spec.rb b/spec/unit/ssl_spec.rb new file mode 100755 index 0000000..3657af3 --- /dev/null +++ b/spec/unit/ssl_spec.rb @@ -0,0 +1,262 @@ +#!/usr/bin/env rspec + +require 'spec_helper' + +module MCollective + describe SSL do + before do + @rootdir = File.dirname(__FILE__) + @ssl = SSL.new("#{@rootdir}/../fixtures/test-public.pem", "#{@rootdir}/../fixtures/test-private.pem") + end + + it "should be able to decode base64 text it encoded" do + @ssl.base64_decode(@ssl.base64_encode("foo")).should == "foo" + end + + it "should decrypt what it encrypted with RSA" do + crypted = @ssl.aes_encrypt("foo") + decrypted = @ssl.aes_decrypt(crypted[:key], crypted[:data]) + + decrypted.should == "foo" + end + + it "should be able to decrypt using RSA private key what it encrypted with RSA public key" do + crypted = @ssl.rsa_encrypt_with_public("foo") + decrypted = @ssl.rsa_decrypt_with_private(crypted) + + decrypted.should == "foo" + end + + it "should be able to decrypt using RSA public key what it encrypted with RSA private key" do + crypted = @ssl.rsa_encrypt_with_private("foo") + decrypted = @ssl.rsa_decrypt_with_public(crypted) + + decrypted.should == "foo" + end + + it "using a helper it should be able to decrypt with private key what it encrypted using the public key" do + @ssl.decrypt_with_private(@ssl.encrypt_with_public("foo")).should == "foo" + @ssl.decrypt_with_private(@ssl.encrypt_with_public("foo", false), false).should == "foo" + end + + it "using a helper it should be able to decrypt with public key what it encrypted using the private key" do + @ssl.decrypt_with_public(@ssl.encrypt_with_private("foo")).should == "foo" + @ssl.decrypt_with_public(@ssl.encrypt_with_private("foo", false), false).should == "foo" + end + + describe "#initialize" do + it "should default to aes-256-cbc" do + @ssl.ssl_cipher.should == "aes-256-cbc" + end + + it "should take the configured value when present" do + Config.instance.stubs("ssl_cipher").returns("aes-128-cbc") + @ssl = SSL.new("#{@rootdir}/../fixtures/test-public.pem", "#{@rootdir}/../fixtures/test-private.pem") + + @ssl.ssl_cipher.should == "aes-128-cbc" + end + + it "should set the supplied ssl cipher" do + @ssl = SSL.new("#{@rootdir}/../fixtures/test-public.pem", "#{@rootdir}/../fixtures/test-private.pem", nil, "aes-128-cbc") + @ssl.ssl_cipher.should == "aes-128-cbc" + end + + it "should prefer the supplied cipher over configured cipher" do + Config.instance.stubs("aes_key_size").returns("foo-foo-foo") + @ssl = SSL.new("#{@rootdir}/../fixtures/test-public.pem", "#{@rootdir}/../fixtures/test-private.pem", nil, "aes-128-cbc") + + @ssl.ssl_cipher.should == "aes-128-cbc" + end + + it "should fail on invalid ciphers" do + expect { + @ssl = SSL.new("#{@rootdir}/../fixtures/test-public.pem", "#{@rootdir}/../fixtures/test-private.pem", nil, "foo-foo-foo") + }.to raise_error("The supplied cipher 'foo-foo-foo' is not supported") + end + end + + describe "#read_key" do + it "should fail on non exiting files" do + expect { + @ssl.read_key(:public, "/nonexisting") + }.to raise_error("Could not find key /nonexisting") + end + + it "should fail on existing, empty files" do + File.expects(:exist?).with('key').returns(true) + File.expects(:zero?).with('key').returns(true) + expect{ + @ssl.read_key(:public, 'key') + }.to raise_error("public key file 'key' is empty") + end + + it "should fail on unknown key types" do + expect { + @ssl.read_key(:unknown, @ssl.public_key_file) + }.to raise_error("Can only load :public or :private keys") + end + + it "should read a public key" do + @ssl.read_key(:public, "#{@rootdir}/../fixtures/test-public.pem") + end + + it "should read the public key from a certificate" do + @ssl.read_key(:public, "#{@rootdir}/../fixtures/test-cert.pem").to_s.should match(/.+BEGIN.+PUBLIC KEY.+END.+PUBLIC KEY.+/m) + end + + it "should return nil if no key was given" do + @ssl.read_key(:public).should == nil + end + + it "should return nil if nil key was given" do + @ssl.read_key(:public, nil).should == nil + end + + it "should clear the OpenSSL error queue on ruby 1.8" do + Util.expects(:ruby_version).returns("1.8.7") + OpenSSL.expects(:errors) + @ssl.read_key(:public, "#{@rootdir}/../fixtures/test-public.pem") + @ssl.read_key(:private, "#{@rootdir}/../fixtures/test-private.pem") + end + + it "should not clear the OpenSSL error queue on ruby > 1.8" do + Util.expects(:ruby_version).returns("1.9.3") + OpenSSL.expects(:errors).never + @ssl.read_key(:public, "#{@rootdir}/../fixtures/test-public.pem") + @ssl.read_key(:private, "#{@rootdir}/../fixtures/test-private.pem") + end + end + + describe "#base64_encode" do + it "should correctly encode" do + @ssl.base64_encode("foo").should == "Zm9v\n" + SSL.base64_encode("foo").should == "Zm9v\n" + end + end + + describe "#base64_decode" do + it "should correctly decode" do + @ssl.base64_decode("Zm9v").should == "foo" + SSL.base64_decode("Zm9v").should == "foo" + end + end + + describe "#aes_encrypt" do + it "should create a key and data" do + crypted = @ssl.aes_encrypt("foo") + + crypted.include?(:key).should == true + crypted.include?(:data).should == true + end + end + + describe "#aes_decrypt" do + it "should decrypt correctly given key and data" do + key = @ssl.base64_decode("rAaCyW6qB0XqZNa9hji0qHwrI3P47t8diLNXoemW9ss=") + data = @ssl.base64_decode("mSthvO/wSl0ArNOcgysTVw==") + + @ssl.aes_decrypt(key, data).should == "foo" + end + + it "should decrypt correctly given key, data and cipher" do + key = @ssl.base64_decode("VEma3a/R7fjw2M4d0NIctA==") + data = @ssl.base64_decode("FkH6qLvKTn7a+uNPe8ciHA==") + + # the default aes-256-cbc should fail here, the key above is 128 bit + # the exception classes changed mid-1.9.2 :( + if OpenSSL.constants.include?("CipherError") + expect { @ssl.aes_decrypt(key, data) }.to raise_error(OpenSSL::CipherError) + else + expect { @ssl.aes_decrypt(key, data) }.to raise_error(OpenSSL::Cipher::CipherError) + end + + # new ssl instance configured for aes-128-cbc, should work + @ssl = SSL.new("#{@rootdir}/../fixtures/test-public.pem", "#{@rootdir}/../fixtures/test-private.pem", nil, "aes-128-cbc") + @ssl.aes_decrypt(key, data).should == "foo" + end + end + + describe "#md5" do + it "should produce correct md5 sums" do + # echo -n 'hello world'|md5sum + @ssl.md5("hello world").should == "5eb63bbbe01eeed093cb22bb8f5acdc3" + end + end + describe "#sign" do + it "should sign the message without base64 by default" do + SSL.md5(@ssl.sign("hello world")).should == "8269b23f55945aaa82efbff857c845a6" + end + + it "should support base64 encoding messages" do + SSL.md5(@ssl.sign("hello world", true)).should == "8a4eb3c3d44d22c46dc36a7e441d8db0" + end + end + + describe "#verify_signature" do + it "should correctly verify a message signed using the same keypair" do + @ssl.verify_signature(@ssl.sign("hello world"), "hello world").should == true + @ssl.verify_signature(@ssl.sign("hello world", true), "hello world", true).should == true + end + + it "should fail to verify messages not signed by the key" do + @ssl.verify_signature("evil fake signature", "hello world").should == false + end + end + + describe "#decrypt_with_public" do + it "should decrypt correctly given key and data in base64 format" do + crypted = {:key=> "YaRcSDdcKgnRZ4Eu2eirl/+lzDgVkPZ41kXAQQNOi+6AfjdbbOW7Zblibx9r\n3TzZAi0ulA94gqNAXPvPC8LaO8W9TtJwlto/RHwDM7ZdfqEImSYoVACFNq28\n+0MLr3K3hIBsB1pyxgFTQul+MrCq+3Fik7Nj7ZKkJUT2veyqbg8=", + :data=>"TLVw1EYeOaGDmEC/R2I/cA=="} + + @ssl.decrypt_with_public(crypted).should == "foo" + end + end + + describe "#decrypt_with_private" do + it "should decrypt correctly given key and data in base64 format" do + crypted = {:key=> "kO1kUgJBiEBdoajN4OHp9BOie6dCznf1YKbBnp3LOyBxcDDQtjxEBlPmjQve\npXrQJ5xpLX6oNBxzU18Pf2SKYUZSbzIkDUb97GQY0WoBQsdM2OwPXH+HtF2A\no5N8iIx9srPAEAFa6hZAdqvcmRT/SzhP1kH+Gyy8fyvW8HGBjNY=", + :data=>"gDTaHCmes/Yua4jtjmgukQ=="} + + @ssl.decrypt_with_private(crypted).should == "foo" + end + end + + describe "#decrypt_with_private" do + it "should fail if not given a key" do + expect { + @ssl.decrypt_with_private({:iv => "x", :data => "x"}) + }.to raise_error("Crypted data should include a key") + end + + it "should fail if not given data" do + expect { + @ssl.decrypt_with_private({:iv => "x", :key => "x"}) + }.to raise_error("Crypted data should include data") + end + end + + describe "#decrypt_with_public" do + it "should fail if not given a key" do + expect { + @ssl.decrypt_with_public({:iv => "x", :data => "x"}) + }.to raise_error("Crypted data should include a key") + end + + it "should fail if not given data" do + expect { + @ssl.decrypt_with_public({:iv => "x", :key => "x"}) + }.to raise_error("Crypted data should include data") + end + end + + describe "#uuid" do + it "should produce repeatable uuids" do + SSL.uuid("hello world").should == SSL.uuid("hello world") + end + + it "should not always produce the same uuid" do + SSL.uuid.should_not == SSL.uuid + end + end + end +end