diff --git a/lib/puppet/network/http/webrick.rb b/lib/puppet/network/http/webrick.rb index 820d4556c..aa4f38359 100644 --- a/lib/puppet/network/http/webrick.rb +++ b/lib/puppet/network/http/webrick.rb @@ -1,119 +1,129 @@ require 'webrick' require 'webrick/https' require 'puppet/network/http/webrick/rest' require 'thread' require 'puppet/ssl/certificate' require 'puppet/ssl/certificate_revocation_list' require 'puppet/ssl/configuration' class Puppet::Network::HTTP::WEBrick + CIPHERS = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA" + def initialize @listening = false end def listen(address, port) - arguments = {:BindAddress => address, :Port => port, :DoNotReverseLookup => true} - arguments.merge!(setup_logger) - arguments.merge!(setup_ssl) + @server = create_server(address, port) - BasicSocket.do_not_reverse_lookup = true - - @server = WEBrick::HTTPServer.new(arguments) @server.listeners.each { |l| l.start_immediately = false } @server.mount('/', Puppet::Network::HTTP::WEBrickREST) raise "WEBrick server is already listening" if @listening @listening = true @thread = Thread.new do @server.start do |sock| timeout = 10.0 if ! IO.select([sock],nil,nil,timeout) raise "Client did not send data within %.1f seconds of connecting" % timeout end sock.accept @server.run(sock) end end sleep 0.1 until @server.status == :Running end def unlisten raise "WEBrick server is not listening" unless @listening @server.shutdown wait_for_shutdown @server = nil @listening = false end def listening? @listening end def wait_for_shutdown @thread.join end + # @api private + def create_server(address, port) + arguments = {:BindAddress => address, :Port => port, :DoNotReverseLookup => true} + arguments.merge!(setup_logger) + arguments.merge!(setup_ssl) + + BasicSocket.do_not_reverse_lookup = true + + server = WEBrick::HTTPServer.new(arguments) + server.ssl_context.ciphers = CIPHERS + server + end + # Configure our http log file. def setup_logger # Make sure the settings are all ready for us. Puppet.settings.use(:main, :ssl, :application) if Puppet.run_mode.master? file = Puppet[:masterhttplog] else file = Puppet[:httplog] end # open the log manually to prevent file descriptor leak file_io = ::File.open(file, "a+") file_io.sync = true if defined?(Fcntl::FD_CLOEXEC) file_io.fcntl(Fcntl::F_SETFD, Fcntl::FD_CLOEXEC) end args = [file_io] args << WEBrick::Log::DEBUG if Puppet::Util::Log.level == :debug logger = WEBrick::Log.new(*args) return :Logger => logger, :AccessLog => [ [logger, WEBrick::AccessLog::COMMON_LOG_FORMAT ], [logger, WEBrick::AccessLog::REFERER_LOG_FORMAT ] ] end # Add all of the ssl cert information. def setup_ssl results = {} # Get the cached copy. We know it's been generated, too. host = Puppet::SSL::Host.localhost raise Puppet::Error, "Could not retrieve certificate for #{host.name} and not running on a valid certificate authority" unless host.certificate results[:SSLPrivateKey] = host.key.content results[:SSLCertificate] = host.certificate.content results[:SSLStartImmediately] = true results[:SSLEnable] = true - results[:SSLOptions] = OpenSSL::SSL::OP_NO_SSLv2 + results[:SSLOptions] = OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 raise Puppet::Error, "Could not find CA certificate" unless Puppet::SSL::Certificate.indirection.find(Puppet::SSL::CA_NAME) results[:SSLCACertificateFile] = ssl_configuration.ca_auth_file results[:SSLVerifyClient] = OpenSSL::SSL::VERIFY_PEER results[:SSLCertificateStore] = host.ssl_store results end private def ssl_configuration @ssl_configuration ||= Puppet::SSL::Configuration.new( Puppet[:localcacert], :ca_chain_file => Puppet[:ssl_server_ca_chain], :ca_auth_file => Puppet[:ssl_server_ca_auth]) end end diff --git a/lib/puppet/util/monkey_patches.rb b/lib/puppet/util/monkey_patches.rb index f9110986e..f1c6856f4 100644 --- a/lib/puppet/util/monkey_patches.rb +++ b/lib/puppet/util/monkey_patches.rb @@ -1,225 +1,225 @@ module Puppet::Util::MonkeyPatches end begin Process.maxgroups = 1024 rescue Exception # Actually, I just want to ignore it, since various platforms - JRuby, # Windows, and so forth - don't support it, but only because it isn't a # meaningful or implementable concept there. end module RDoc def self.caller(skip=nil) in_gem_wrapper = false Kernel.caller.reject { |call| in_gem_wrapper ||= call =~ /#{Regexp.escape $0}:\d+:in `load'/ } end end require "yaml" require "puppet/util/zaml.rb" class Symbol def <=> (other) self.to_s <=> other.to_s end unless method_defined? '<=>' def intern self end unless method_defined? 'intern' end [Object, Exception, Integer, Struct, Date, Time, Range, Regexp, Hash, Array, Float, String, FalseClass, TrueClass, Symbol, NilClass, Class].each { |cls| cls.class_eval do def to_yaml(ignored=nil) ZAML.dump(self) end end } def YAML.dump(*args) ZAML.dump(*args) end # # Workaround for bug in MRI 1.8.7, see # http://redmine.ruby-lang.org/issues/show/2708 # for details # if RUBY_VERSION == '1.8.7' class NilClass def closed? true end end end class Object # ActiveSupport 2.3.x mixes in a dangerous method # that can cause rspec to fork bomb # and other strange things like that. def daemonize raise NotImplementedError, "Kernel.daemonize is too dangerous, please don't try to use it." end end class Symbol # So, it turns out that one of the biggest memory allocation hot-spots in our # code was using symbol-to-proc - because it allocated a new instance every # time it was called, rather than caching (in Ruby 1.8.7 and earlier). # # In Ruby 1.9.3 and later Symbol#to_proc does implement a cache so we skip # our monkey patch. # # Changing this means we can see XX memory reduction... if RUBY_VERSION < "1.9.3" if method_defined? :to_proc alias __original_to_proc to_proc def to_proc @my_proc ||= __original_to_proc end else def to_proc @my_proc ||= Proc.new {|*args| args.shift.__send__(self, *args) } end end end # Defined in 1.9, absent in 1.8, and used for compatibility in various # places, typically in third party gems. def intern return self end unless method_defined? :intern end class String unless method_defined? :lines require 'puppet/util/monkey_patches/lines' include Puppet::Util::MonkeyPatches::Lines end end require 'fcntl' class IO unless method_defined? :lines require 'puppet/util/monkey_patches/lines' include Puppet::Util::MonkeyPatches::Lines end def self.binread(name, length = nil, offset = 0) Puppet.deprecation_warning("This is a monkey-patched implementation of IO.binread on ruby 1.8 and is deprecated. Read the file without this method as it will be removed in a future version.") File.open(name, 'rb') do |f| f.seek(offset) if offset > 0 f.read(length) end end unless singleton_methods.include?(:binread) def self.binwrite(name, string, offset = nil) # Determine if we should truncate or not. Since the truncate method on a # file handle isn't implemented on all platforms, safer to do this in what # looks like the libc / POSIX flag - which is usually pretty robust. # --daniel 2012-03-11 mode = Fcntl::O_CREAT | Fcntl::O_WRONLY | (offset.nil? ? Fcntl::O_TRUNC : 0) # We have to duplicate the mode because Ruby on Windows is a bit precious, # and doesn't actually carry over the mode. It won't work to just use # open, either, because that doesn't like our system modes and the default # open bits don't do what we need, which is awesome. --daniel 2012-03-30 IO.open(IO::sysopen(name, mode), mode) do |f| # ...seek to our desired offset, then write the bytes. Don't try to # seek past the start of the file, eh, because who knows what platform # would legitimately blow up if we did that. # # Double-check the positioning, too, since destroying data isn't my idea # of a good time. --daniel 2012-03-11 target = [0, offset.to_i].max unless (landed = f.sysseek(target, IO::SEEK_SET)) == target raise "unable to seek to target offset #{target} in #{name}: got to #{landed}" end f.syswrite(string) end end unless singleton_methods.include?(:binwrite) end class Float INFINITY = (1.0/0.0) if defined?(Float::INFINITY).nil? end class Range def intersection(other) raise ArgumentError, 'value must be a Range' unless other.kind_of?(Range) return unless other === self.first || self === other.first start = [self.first, other.first].max if self.exclude_end? && self.last <= other.last start ... self.last elsif other.exclude_end? && self.last >= other.last start ... other.last else start .. [ self.last, other.last ].min end end unless method_defined? :intersection alias_method :&, :intersection unless method_defined? :& end # (#19151) Reject all SSLv2 ciphers and handshakes require 'openssl' class OpenSSL::SSL::SSLContext if DEFAULT_PARAMS[:options] - DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2 + DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 else - DEFAULT_PARAMS[:options] = OpenSSL::SSL::OP_NO_SSLv2 + DEFAULT_PARAMS[:options] = OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 end DEFAULT_PARAMS[:ciphers] << ':!SSLv2' alias __original_initialize initialize private :__original_initialize def initialize(*args) __original_initialize(*args) params = { :options => DEFAULT_PARAMS[:options], :ciphers => DEFAULT_PARAMS[:ciphers], } set_params(params) end end require 'puppet/util/platform' if Puppet::Util::Platform.windows? require 'puppet/util/windows' require 'openssl' class OpenSSL::X509::Store alias __original_set_default_paths set_default_paths def set_default_paths # This can be removed once openssl integrates with windows # cert store, see http://rt.openssl.org/Ticket/Display.html?id=2158 Puppet::Util::Windows::RootCerts.instance.to_a.uniq.each do |x509| begin add_cert(x509) rescue OpenSSL::X509::StoreError => e warn "Failed to add #{x509.subject.to_s}" end end __original_set_default_paths end end end # Older versions of SecureRandom (e.g. in 1.8.7) don't have the uuid method module SecureRandom def self.uuid # Copied from the 1.9.1 stdlib implementation of uuid ary = self.random_bytes(16).unpack("NnnnnN") ary[2] = (ary[2] & 0x0fff) | 0x4000 ary[3] = (ary[3] & 0x3fff) | 0x8000 "%08x-%04x-%04x-%04x-%04x%08x" % ary end unless singleton_methods.include?(:uuid) end diff --git a/spec/unit/network/http/webrick_spec.rb b/spec/unit/network/http/webrick_spec.rb index edeb439a9..43662e0b4 100755 --- a/spec/unit/network/http/webrick_spec.rb +++ b/spec/unit/network/http/webrick_spec.rb @@ -1,271 +1,290 @@ #! /usr/bin/env ruby require 'spec_helper' require 'puppet/network/http' require 'puppet/network/http/webrick' describe Puppet::Network::HTTP::WEBrick, "after initializing" do it "should not be listening" do Puppet::Network::HTTP::WEBrick.new.should_not be_listening end end describe Puppet::Network::HTTP::WEBrick do include PuppetSpec::Files let(:address) { '127.0.0.1' } let(:port) { 31337 } let(:server) do s = Puppet::Network::HTTP::WEBrick.new s.stubs(:setup_logger).returns(Hash.new) s.stubs(:setup_ssl).returns(Hash.new) s end + let(:mock_ssl_context) do + stub('ssl_context', :ciphers= => nil) + end + let(:mock_webrick) do stub('webrick', :[] => {}, :listeners => [], :status => :Running, :mount => nil, :start => nil, - :shutdown => nil) + :shutdown => nil, + :ssl_context => mock_ssl_context) end before :each do WEBrick::HTTPServer.stubs(:new).returns(mock_webrick) end describe "when turning on listening" do it "should fail if already listening" do server.listen(address, port) expect { server.listen(address, port) }.to raise_error(RuntimeError, /server is already listening/) end it "should tell webrick to listen on the specified address and port" do WEBrick::HTTPServer.expects(:new).with( has_entries(:Port => 31337, :BindAddress => "127.0.0.1") ).returns(mock_webrick) server.listen(address, port) end it "should not perform reverse lookups" do WEBrick::HTTPServer.expects(:new).with( has_entry(:DoNotReverseLookup => true) ).returns(mock_webrick) BasicSocket.expects(:do_not_reverse_lookup=).with(true) server.listen(address, port) end it "should configure a logger for webrick" do server.expects(:setup_logger).returns(:Logger => :mylogger) WEBrick::HTTPServer.expects(:new).with {|args| args[:Logger] == :mylogger }.returns(mock_webrick) server.listen(address, port) end it "should configure SSL for webrick" do server.expects(:setup_ssl).returns(:Ssl => :testing, :Other => :yay) WEBrick::HTTPServer.expects(:new).with {|args| args[:Ssl] == :testing and args[:Other] == :yay }.returns(mock_webrick) server.listen(address, port) end it "should be listening" do server.listen(address, port) server.should be_listening end describe "when the REST protocol is requested" do it "should register the REST handler at /" do # We don't care about the options here. mock_webrick.expects(:mount).with("/", Puppet::Network::HTTP::WEBrickREST, anything) server.listen(address, port) end end end describe "when turning off listening" do it "should fail unless listening" do expect { server.unlisten }.to raise_error(RuntimeError, /server is not listening/) end it "should order webrick server to stop" do mock_webrick.expects(:shutdown) server.listen(address, port) server.unlisten end it "should no longer be listening" do server.listen(address, port) server.unlisten server.should_not be_listening end end describe "when configuring an http logger" do let(:server) { Puppet::Network::HTTP::WEBrick.new } before :each do Puppet.settings.stubs(:use) @filehandle = stub 'handle', :fcntl => nil, :sync= => nil File.stubs(:open).returns @filehandle end it "should use the settings for :main, :ssl, and :application" do Puppet.settings.expects(:use).with(:main, :ssl, :application) server.setup_logger end it "should use the masterhttplog if the run_mode is master" do Puppet.run_mode.stubs(:master?).returns(true) log = make_absolute("/master/log") Puppet[:masterhttplog] = log File.expects(:open).with(log, "a+").returns @filehandle server.setup_logger end it "should use the httplog if the run_mode is not master" do Puppet.run_mode.stubs(:master?).returns(false) log = make_absolute("/other/log") Puppet[:httplog] = log File.expects(:open).with(log, "a+").returns @filehandle server.setup_logger end describe "and creating the logging filehandle" do it "should set the close-on-exec flag if supported" do if defined? Fcntl::FD_CLOEXEC @filehandle.expects(:fcntl).with(Fcntl::F_SETFD, Fcntl::FD_CLOEXEC) else @filehandle.expects(:fcntl).never end server.setup_logger end it "should sync the filehandle" do @filehandle.expects(:sync=).with(true) server.setup_logger end end it "should create a new WEBrick::Log instance with the open filehandle" do WEBrick::Log.expects(:new).with(@filehandle) server.setup_logger end it "should set debugging if the current loglevel is :debug" do Puppet::Util::Log.expects(:level).returns :debug WEBrick::Log.expects(:new).with { |handle, debug| debug == WEBrick::Log::DEBUG } server.setup_logger end it "should return the logger as the main log" do logger = mock 'logger' WEBrick::Log.expects(:new).returns logger server.setup_logger[:Logger].should == logger end it "should return the logger as the access log using both the Common and Referer log format" do logger = mock 'logger' WEBrick::Log.expects(:new).returns logger server.setup_logger[:AccessLog].should == [ [logger, WEBrick::AccessLog::COMMON_LOG_FORMAT], [logger, WEBrick::AccessLog::REFERER_LOG_FORMAT] ] end end describe "when configuring ssl" do let(:server) { Puppet::Network::HTTP::WEBrick.new } let(:localcacert) { make_absolute("/ca/crt") } let(:ssl_server_ca_auth) { make_absolute("/ca/ssl_server_auth_file") } let(:key) { stub 'key', :content => "mykey" } let(:cert) { stub 'cert', :content => "mycert" } let(:host) { stub 'host', :key => key, :certificate => cert, :name => "yay", :ssl_store => "mystore" } before :each do Puppet::SSL::Certificate.indirection.stubs(:find).with('ca').returns cert Puppet::SSL::Host.stubs(:localhost).returns host end it "should use the key from the localhost SSL::Host instance" do Puppet::SSL::Host.expects(:localhost).returns host host.expects(:key).returns key server.setup_ssl[:SSLPrivateKey].should == "mykey" end it "should configure the certificate" do server.setup_ssl[:SSLCertificate].should == "mycert" end it "should fail if no CA certificate can be found" do Puppet::SSL::Certificate.indirection.stubs(:find).with('ca').returns nil expect { server.setup_ssl }.to raise_error(Puppet::Error, /Could not find CA certificate/) end it "should specify the path to the CA certificate" do Puppet.settings[:hostcrl] = 'false' Puppet.settings[:localcacert] = localcacert server.setup_ssl[:SSLCACertificateFile].should == localcacert end it "should specify the path to the CA certificate" do Puppet.settings[:hostcrl] = 'false' Puppet.settings[:localcacert] = localcacert Puppet.settings[:ssl_server_ca_auth] = ssl_server_ca_auth server.setup_ssl[:SSLCACertificateFile].should == ssl_server_ca_auth end it "should start ssl immediately" do server.setup_ssl[:SSLStartImmediately].should be_true end it "should enable ssl" do server.setup_ssl[:SSLEnable].should be_true end it "should reject SSLv2" do - server.setup_ssl[:SSLOptions].should == OpenSSL::SSL::OP_NO_SSLv2 + options = server.setup_ssl[:SSLOptions] + + expect(options & OpenSSL::SSL::OP_NO_SSLv2).to eq(OpenSSL::SSL::OP_NO_SSLv2) + end + + it "should reject SSLv3" do + options = server.setup_ssl[:SSLOptions] + + expect(options & OpenSSL::SSL::OP_NO_SSLv3).to eq(OpenSSL::SSL::OP_NO_SSLv3) end it "should configure the verification method as 'OpenSSL::SSL::VERIFY_PEER'" do server.setup_ssl[:SSLVerifyClient].should == OpenSSL::SSL::VERIFY_PEER end it "should add an x509 store" do host.expects(:ssl_store).returns "mystore" server.setup_ssl[:SSLCertificateStore].should == "mystore" end it "should set the certificate name to 'nil'" do server.setup_ssl[:SSLCertName].should be_nil end + + it "specifies the allowable ciphers" do + mock_ssl_context.expects(:ciphers=).with(server.class::CIPHERS) + + server.create_server('localhost', '8888') + end end end diff --git a/spec/unit/util/monkey_patches_spec.rb b/spec/unit/util/monkey_patches_spec.rb index 13e10454c..7c8abb137 100755 --- a/spec/unit/util/monkey_patches_spec.rb +++ b/spec/unit/util/monkey_patches_spec.rb @@ -1,328 +1,340 @@ #! /usr/bin/env ruby require 'spec_helper' require 'puppet/util/monkey_patches' describe Symbol do it "should return self from #intern" do symbol = :foo symbol.should equal symbol.intern end end describe "yaml deserialization" do it "should call yaml_initialize when deserializing objects that have that method defined" do class Puppet::TestYamlInitializeClass attr_reader :foo def yaml_initialize(tag, var) var.should == {'foo' => 100} instance_variables.should == [] @foo = 200 end end obj = YAML.load("--- !ruby/object:Puppet::TestYamlInitializeClass\n foo: 100") obj.foo.should == 200 end it "should not call yaml_initialize if not defined" do class Puppet::TestYamlNonInitializeClass attr_reader :foo end obj = YAML.load("--- !ruby/object:Puppet::TestYamlNonInitializeClass\n foo: 100") obj.foo.should == 100 end end # In Ruby > 1.8.7 this is a builtin, otherwise we monkey patch the method in describe Array do describe "#combination" do it "should fail if wrong number of arguments given" do expect { [1,2,3].combination() }.to raise_error(ArgumentError, /wrong number/) expect { [1,2,3].combination(1,2) }.to raise_error(ArgumentError, /wrong number/) end it "should return an empty array if combo size than array size or negative" do [1,2,3].combination(4).to_a.should == [] [1,2,3].combination(-1).to_a.should == [] end it "should return an empty array with an empty array if combo size == 0" do [1,2,3].combination(0).to_a.should == [[]] end it "should all provide all combinations of size passed in" do [1,2,3,4].combination(1).to_a.should == [[1], [2], [3], [4]] [1,2,3,4].combination(2).to_a.should == [[1, 2], [1, 3], [1, 4], [2, 3], [2, 4], [3, 4]] [1,2,3,4].combination(3).to_a.should == [[1, 2, 3], [1, 2, 4], [1, 3, 4], [2, 3, 4]] end end describe "#count" do it "should equal length" do [].count.should == [].length [1].count.should == [1].length end end describe "#drop" do it "should raise if asked to drop less than zero items" do expect { [].drop(-1) }.to raise_error ArgumentError end it "should return the array when drop 0" do [].drop(0).should == [] [1].drop(0).should == [1] [1,2].drop(0).should == [1,2] end it "should return an empty array when dropping more items than the array" do (1..10).each do |n| [].drop(n).should == [] [1].drop(n).should == [] end end it "should drop the right number of items" do [1,2,3].drop(0).should == [1,2,3] [1,2,3].drop(1).should == [2,3] [1,2,3].drop(2).should == [3] [1,2,3].drop(3).should == [] end end describe "#respond_to?" do it "should return true for a standard method (each)" do [].respond_to?(:each).should be_true end it "should return false for to_hash" do [].respond_to?(:to_hash).should be_false end it "should accept one argument" do lambda { [].respond_to?(:each) }.should_not raise_error end it "should accept two arguments" do lambda { [].respond_to?(:each, false) }.should_not raise_error end end end describe IO do include PuppetSpec::Files let(:file) { tmpfile('io-binary') } let(:content) { "\x01\x02\x03\x04" } describe "::binread" do it "should read in binary mode" do File.open(file, 'wb') {|f| f.write(content) } IO.binread(file).should == content end it "should read with a length and offset" do offset = 1 length = 2 File.open(file, 'wb') {|f| f.write(content) } IO.binread(file, length, offset).should == content[offset..length] end it "should raise an error if the file doesn't exist" do expect { IO.binread('/path/does/not/exist') }.to raise_error(Errno::ENOENT) end end describe "::binwrite" do it "should write in binary mode" do IO.binwrite(file, content).should == content.length File.open(file, 'rb') {|f| f.read.should == content } end (0..10).each do |offset| it "should write correctly using an offset of #{offset}" do IO.binwrite(file, content, offset).should == content.length File.open(file, 'rb') {|f| f.read.should == ("\x00" * offset) + content } end end context "truncation" do let :input do "welcome to paradise, population ... YOU!" end before :each do IO.binwrite(file, input) end it "should truncate if no offset is given" do IO.binwrite(file, "boo").should == 3 File.read(file).should == "boo" end (0..10).each do |offset| it "should not truncate if an offset of #{offset} is given" do expect = input.dup expect[offset, 3] = "BAM" IO.binwrite(file, "BAM", offset).should == 3 File.read(file).should == expect end end it "should pad with NULL bytes if writing past EOF without truncate" do expect = input + ("\x00" * 4) + "BAM" IO.binwrite(file, "BAM", input.length + 4).should == 3 File.read(file).should == expect end end it "should raise an error if the directory containing the file doesn't exist" do expect { IO.binwrite('/path/does/not/exist', 'foo') }.to raise_error(Errno::ENOENT) end end end describe Range do def do_test( range, other, expected ) result = range.intersection(other) result.should == expected end it "should return expected ranges for iterable things" do iterable_tests = { 1 .. 4 => nil, # before 11 .. 15 => nil, # after 1 .. 6 => 5 .. 6, # overlap_begin 9 .. 15 => 9 .. 10, # overlap_end 1 .. 5 => 5 .. 5, # overlap_begin_edge 10 .. 15 => 10 .. 10, # overlap_end_edge 5 .. 10 => 5 .. 10, # overlap_all 6 .. 9 => 6 .. 9, # overlap_inner 1 ... 5 => nil, # before (exclusive range) 1 ... 7 => 5 ... 7, # overlap_begin (exclusive range) 1 ... 6 => 5 ... 6, # overlap_begin_edge (exclusive range) 5 ... 11 => 5 .. 10, # overlap_all (exclusive range) 6 ... 10 => 6 ... 10, # overlap_inner (exclusive range) } iterable_tests.each do |other, expected| do_test( 5..10, other, expected ) do_test( other, 5..10, expected ) end end it "should return expected ranges for noniterable things" do inclusive_base_case = { 1.to_f .. 4.to_f => nil, # before 11.to_f .. 15.to_f => nil, # after 1.to_f .. 6.to_f => 5.to_f .. 6.to_f, # overlap_begin 9.to_f .. 15.to_f => 9.to_f .. 10.to_f, # overlap_end 1.to_f .. 5.to_f => 5.to_f .. 5.to_f, # overlap_begin_edge 10.to_f .. 15.to_f => 10.to_f .. 10.to_f, # overlap_end_edge 5.to_f .. 10.to_f => 5.to_f .. 10.to_f, # overlap_all 6.to_f .. 9.to_f => 6.to_f .. 9.to_f, # overlap_inner 1.to_f ... 5.to_f => nil, # before (exclusive range) 1.to_f ... 7.to_f => 5.to_f ... 7.to_f, # overlap_begin (exclusive range) 1.to_f ... 6.to_f => 5.to_f ... 6.to_f, # overlap_begin_edge (exclusive range) 5.to_f ... 11.to_f => 5.to_f .. 10.to_f, # overlap_all (exclusive range) 6.to_f ... 10.to_f => 6.to_f ... 10.to_f, # overlap_inner (exclusive range) } inclusive_base_case.each do |other, expected| do_test( 5.to_f..10.to_f, other, expected ) do_test( other, 5.to_f..10.to_f, expected ) end exclusive_base_case = { 1.to_f .. 4.to_f => nil, # before 11.to_f .. 15.to_f => nil, # after 1.to_f .. 6.to_f => 5.to_f .. 6.to_f, # overlap_begin 9.to_f .. 15.to_f => 9.to_f ... 10.to_f, # overlap_end 1.to_f .. 5.to_f => 5.to_f .. 5.to_f, # overlap_begin_edge 10.to_f .. 15.to_f => nil, # overlap_end_edge 5.to_f .. 10.to_f => 5.to_f ... 10.to_f, # overlap_all 6.to_f .. 9.to_f => 6.to_f .. 9.to_f, # overlap_inner 1.to_f ... 5.to_f => nil, # before (exclusive range) 1.to_f ... 7.to_f => 5.to_f ... 7.to_f, # overlap_begin (exclusive range) 1.to_f ... 6.to_f => 5.to_f ... 6.to_f, # overlap_begin_edge (exclusive range) 5.to_f ... 11.to_f => 5.to_f ... 10.to_f, # overlap_all (exclusive range) 6.to_f ... 10.to_f => 6.to_f ... 10.to_f, # overlap_inner (exclusive range) } exclusive_base_case.each do |other, expected| do_test( 5.to_f...10.to_f, other, expected ) do_test( other, 5.to_f...10.to_f, expected ) end end end describe OpenSSL::SSL::SSLContext do it 'disables SSLv2 via the SSLContext#options bitmask' do (subject.options & OpenSSL::SSL::OP_NO_SSLv2).should == OpenSSL::SSL::OP_NO_SSLv2 end + + it 'disables SSLv3 via the SSLContext#options bitmask' do + (subject.options & OpenSSL::SSL::OP_NO_SSLv3).should == OpenSSL::SSL::OP_NO_SSLv3 + end + it 'explicitly disable SSLv2 ciphers using the ! prefix so they cannot be re-added' do cipher_str = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers] cipher_str.split(':').should include('!SSLv2') end + + it 'does not exclude SSLv3 ciphers shared with TLSv1' do + cipher_str = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers] + cipher_str.split(':').should_not include('!SSLv3') + end + it 'sets parameters on initialization' do described_class.any_instance.expects(:set_params) subject end + it 'has no ciphers with version SSLv2 enabled' do ciphers = subject.ciphers.select do |name, version, bits, alg_bits| /SSLv2/.match(version) end ciphers.should be_empty end end describe OpenSSL::X509::Store, :if => Puppet::Util::Platform.windows? do let(:store) { described_class.new } let(:cert) { OpenSSL::X509::Certificate.new(File.read(my_fixture('x509.pem'))) } def with_root_certs(certs) Puppet::Util::Windows::RootCerts.expects(:instance).returns(certs) end it "adds a root cert to the store" do with_root_certs([cert]) store.set_default_paths end it "ignores duplicate root certs" do with_root_certs([cert, cert]) store.expects(:add_cert).with(cert).once store.set_default_paths end it "warns when adding a certificate that already exists" do with_root_certs([cert]) store.add_cert(cert) store.expects(:warn).with('Failed to add /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority') store.set_default_paths end it "raises when adding an invalid certificate" do with_root_certs(['notacert']) expect { store.set_default_paths }.to raise_error(TypeError) end end describe SecureRandom do it 'generates a properly formatted uuid' do SecureRandom.uuid.should =~ /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i end end