#! /usr/bin/env ruby
require 'spec_helper'
require 'puppet/face'

require 'puppet/ssl/host'

describe Puppet::Face[:certificate, '0.0.1'] do
  include PuppetSpec::Files

  let(:ca) { Puppet::SSL::CertificateAuthority.instance }

  before :each do
    Puppet[:confdir] = tmpdir('conf')
    Puppet::SSL::CertificateAuthority.stubs(:ca?).returns true

    Puppet::SSL::Host.ca_location = :local

    # We can't cache the CA between tests, because each one has its own SSL dir.
    ca = Puppet::SSL::CertificateAuthority.new
    Puppet::SSL::CertificateAuthority.stubs(:new).returns ca
    Puppet::SSL::CertificateAuthority.stubs(:instance).returns ca
  end

  it "should have a ca-location option" do
    expect(subject).to be_option :ca_location
  end

  it "should set the ca location when invoked" do
    Puppet::SSL::Host.expects(:ca_location=).with(:local)
    ca.expects(:sign).with do |name,options|
      name == "hello, friend"
    end

    subject.sign "hello, friend", :ca_location => :local
  end

  it "(#7059) should set the ca location when an inherited action is invoked" do
    Puppet::SSL::Host.expects(:ca_location=).with(:local)
    subject.indirection.expects(:find)
    subject.find "hello, friend", :ca_location => :local
  end

  it "should validate the option as required" do
    expect do
      subject.find 'hello, friend'
    end.to raise_exception ArgumentError, /required/i
  end

  it "should validate the option as a supported value" do
    expect do
      subject.find 'hello, friend', :ca_location => :foo
    end.to raise_exception ArgumentError, /valid values/i
  end

  describe "#generate" do
    let(:options) { {:ca_location => 'local'} }
    let(:host) { Puppet::SSL::Host.new(hostname) }
    let(:csr) { host.certificate_request }

    before :each do
      Puppet[:autosign] = false
    end

    describe "for the current host" do
      let(:hostname) { Puppet[:certname] }

      it "should generate a CSR for this host" do
        subject.generate(hostname, options)

        expect(csr.content.subject.to_s).to eq("/CN=#{Puppet[:certname]}")
        expect(csr.name).to eq(Puppet[:certname])
      end

      it "should add dns_alt_names from the global config if not otherwise specified" do
        Puppet[:dns_alt_names] = 'from,the,config'

        subject.generate(hostname, options)

        expected = %W[DNS:from DNS:the DNS:config DNS:#{hostname}]

        expect(csr.subject_alt_names).to match_array(expected)
      end

      it "should add the provided dns_alt_names if they are specified" do
        Puppet[:dns_alt_names] = 'from,the,config'

        subject.generate(hostname, options.merge(:dns_alt_names => 'explicit,alt,names'))

        expected = %W[DNS:explicit DNS:alt DNS:names DNS:#{hostname}]

        expect(csr.subject_alt_names).to match_array(expected)
      end
    end

    describe "for another host" do
      let(:hostname) { Puppet[:certname] + 'different' }

      it "should generate a CSR for the specified host" do
        subject.generate(hostname, options)

        expect(csr.content.subject.to_s).to eq("/CN=#{hostname}")
        expect(csr.name).to eq(hostname)
      end

      it "should fail if a CSR already exists for the host" do
        subject.generate(hostname, options)

        expect do
          subject.generate(hostname, options)
        end.to raise_error(RuntimeError, /#{hostname} already has a requested certificate; ignoring certificate request/)
      end

      it "should add not dns_alt_names from the config file" do
        Puppet[:dns_alt_names] = 'from,the,config'

        subject.generate(hostname, options)

        expect(csr.subject_alt_names).to be_empty
      end

      it "should add the provided dns_alt_names if they are specified" do
        Puppet[:dns_alt_names] = 'from,the,config'

        subject.generate(hostname, options.merge(:dns_alt_names => 'explicit,alt,names'))

        expected = %W[DNS:explicit DNS:alt DNS:names DNS:#{hostname}]

        expect(csr.subject_alt_names).to match_array(expected)
      end
      
      it "should use the global setting if set by CLI" do
        Puppet.settings.patch_value(:dns_alt_names, 'from,the,cli', :cli)
        
        subject.generate(hostname, options)
        
        expected = %W[DNS:from DNS:the DNS:cli DNS:#{hostname}]
        
        expect(csr.subject_alt_names).to match_array(expected)
      end
      
      it "should generate an error if both set on CLI" do
        Puppet.settings.patch_value(:dns_alt_names, 'from,the,cli', :cli)
        expect do
          subject.generate(hostname, options.merge(:dns_alt_names => 'explicit,alt,names'))
        end.to raise_error ArgumentError, /Can't specify both/ 
      end
    end
  end

  describe "#sign" do
    let(:options) { {:ca_location => 'local'} }
    let(:host) { Puppet::SSL::Host.new(hostname) }
    let(:hostname) { "foobar" }

    it "should sign the certificate request if one is waiting", :unless => Puppet.features.microsoft_windows? do
      subject.generate(hostname, options)

      subject.sign(hostname, options)

      expect(host.certificate_request).to be_nil
      expect(host.certificate).to be_a(Puppet::SSL::Certificate)
      expect(host.state).to eq('signed')
    end

    it "should fail if there is no waiting certificate request" do
      expect do
        subject.sign(hostname, options)
      end.to raise_error(ArgumentError, /Could not find certificate request for #{hostname}/)
    end

    describe "when ca_location is local", :unless => Puppet.features.microsoft_windows? do
      describe "when the request has dns alt names" do
        before :each do
          subject.generate(hostname, options.merge(:dns_alt_names => 'some,alt,names'))
        end

        it "should refuse to sign the request if allow_dns_alt_names is not set" do
          expect do
            subject.sign(hostname, options)
          end.to raise_error(Puppet::SSL::CertificateAuthority::CertificateSigningError,
                             /CSR '#{hostname}' contains subject alternative names \(.*?\), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{hostname}` to sign this request./i)

          expect(host.state).to eq('requested')
        end

        it "should sign the request if allow_dns_alt_names is set" do
          expect do
            subject.sign(hostname, options.merge(:allow_dns_alt_names => true))
          end.not_to raise_error

          expect(host.state).to eq('signed')
        end
      end

      describe "when the request has no dns alt names" do
        before :each do
          subject.generate(hostname, options)
        end

        it "should sign the request if allow_dns_alt_names is set" do
          expect { subject.sign(hostname, options.merge(:allow_dns_alt_names => true)) }.not_to raise_error

          expect(host.state).to eq('signed')
        end

        it "should sign the request if allow_dns_alt_names is not set" do
          expect { subject.sign(hostname, options) }.not_to raise_error

          expect(host.state).to eq('signed')
        end
      end
    end

    describe "when ca_location is remote" do
      let(:options) { {:ca_location => :remote} }
      it "should fail if allow-dns-alt-names is specified" do
        expect do
          subject.sign(hostname, options.merge(:allow_dns_alt_names => true))
        end
      end
    end
  end
end