180 lines
5.7 KiB
Ruby
180 lines
5.7 KiB
Ruby
require 'chef_helper'
|
|
|
|
RSpec.describe LetsEncrypt do
|
|
subject { ::LetsEncrypt }
|
|
|
|
before do
|
|
allow(Gitlab).to receive(:[]).and_call_original
|
|
end
|
|
|
|
context '.parse_variables' do
|
|
it 'calls to parse_enable' do
|
|
expect(subject).to receive(:parse_enable)
|
|
|
|
subject.parse_variables
|
|
end
|
|
end
|
|
|
|
context '.parse_enable' do
|
|
context 'when specifying letsencrypt enabled' do
|
|
context 'true' do
|
|
before { stub_gitlab_rb(letsencrypt: { enable: true }) }
|
|
|
|
it 'should not call should_auto_enable?' do
|
|
expect(subject).not_to receive(:should_auto_enable?)
|
|
|
|
subject.parse_enable
|
|
end
|
|
end
|
|
|
|
context 'false' do
|
|
before { stub_gitlab_rb(letsencrypt: { enable: false }) }
|
|
|
|
it 'should not call should_auto_enable?' do
|
|
expect(subject).not_to receive(:should_auto_enable?)
|
|
|
|
subject.parse_enable
|
|
end
|
|
end
|
|
|
|
context 'unspecified' do
|
|
it 'should use the value of should_auto_enable' do
|
|
allow(subject).to receive(:should_auto_enable?).and_return('bananas')
|
|
subject.parse_enable
|
|
|
|
expect(Gitlab['letsencrypt']['enable']).to eq('bananas')
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
context '.should_auto_enable?' do
|
|
let(:node) { Mash.new(gitlab: { nginx: {} }) }
|
|
|
|
before do
|
|
stub_gitlab_rb(
|
|
gitlab_rails: {
|
|
gitlab_https: true
|
|
},
|
|
nginx: {
|
|
ssl_certificate_key: 'example.key',
|
|
ssl_certificate: 'example.crt'
|
|
}
|
|
)
|
|
|
|
allow(Gitlab).to receive(:[]).with(:node).and_return(node)
|
|
allow(File).to receive(:exist?).with('example.key').and_return(false)
|
|
allow(File).to receive(:exist?).with('example.crt').and_return(false)
|
|
end
|
|
|
|
it 'is true' do
|
|
expect(subject.should_auto_enable?).to be_truthy
|
|
end
|
|
|
|
it 'is false when not using a https url' do
|
|
stub_gitlab_rb(gitlab_rails: { gitlab_https: false })
|
|
|
|
expect(subject.should_auto_enable?).to be_falsey
|
|
end
|
|
|
|
it 'is false when nginx is not enabled' do
|
|
stub_gitlab_rb(nginx: { enable: false })
|
|
|
|
expect(subject.should_auto_enable?).to be_falsey
|
|
end
|
|
|
|
it 'is false when nginx is disabled by roles' do
|
|
allow(node['gitlab']['nginx']).to receive(:[]).with('enable').and_return(false)
|
|
|
|
expect(subject.should_auto_enable?).to be_falsey
|
|
end
|
|
|
|
it 'is false with explicit nginx.listen_https = false' do
|
|
stub_gitlab_rb(nginx: { listen_https: false })
|
|
|
|
expect(subject.should_auto_enable?).to be_falsey
|
|
end
|
|
|
|
it 'is false with the key present' do
|
|
allow(File).to receive(:exist?).with('example.key').and_return(true)
|
|
|
|
expect(subject.should_auto_enable?).to be_falsey
|
|
end
|
|
|
|
it 'is false with the cert present' do
|
|
mock_cert = OpenSSL::X509::Certificate.new
|
|
allow(mock_cert).to receive(:not_after).and_return(Time.now + 600)
|
|
allow(File).to receive(:exist?).with('example.crt').and_return(true)
|
|
allow(File).to receive(:read).with('example.crt').and_return(nil)
|
|
allow(OpenSSL::X509::Certificate).to receive(:new).and_return(mock_cert)
|
|
|
|
expect(subject.should_auto_enable?).to be_falsey
|
|
end
|
|
|
|
it 'is true when files present, but we provisioned them before' do
|
|
stub_gitlab_rb(letsencrypt: { auto_enabled: true })
|
|
|
|
allow(File).to receive(:exist?).with('example.key').and_return(true)
|
|
allow(File).to receive(:exist?).with('example.crt').and_return(true)
|
|
|
|
expect(subject.should_auto_enable?).to be_truthy
|
|
end
|
|
|
|
it 'is true when files present, but LE certificate is expired' do
|
|
mock_cert = OpenSSL::X509::Certificate.new
|
|
allow(mock_cert).to receive(:not_after).and_return(Time.now - 1)
|
|
allow(mock_cert).to receive(:issuer).and_return(
|
|
OpenSSL::X509::Name.parse(%(/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3)))
|
|
allow(File).to receive(:exist?).with('example.key').and_return(true)
|
|
allow(File).to receive(:exist?).with('example.crt').and_return(true)
|
|
allow(File).to receive(:read).with('example.crt').and_return(nil)
|
|
allow(OpenSSL::X509::Certificate).to receive(:new).and_return(mock_cert)
|
|
|
|
expect(subject.should_auto_enable?).to be_truthy
|
|
end
|
|
|
|
it 'is false when files present, but non-LE certificate is expired' do
|
|
mock_cert = OpenSSL::X509::Certificate.new
|
|
allow(mock_cert).to receive(:not_after).and_return(Time.now - 1)
|
|
allow(mock_cert).to receive(:issuer).and_return(
|
|
OpenSSL::X509::Name.parse('/C=US/O=Example Corporation/CN=Example'))
|
|
allow(File).to receive(:exist?).with('example.key').and_return(true)
|
|
allow(File).to receive(:exist?).with('example.crt').and_return(true)
|
|
allow(File).to receive(:read).with('example.crt').and_return(nil)
|
|
allow(OpenSSL::X509::Certificate).to receive(:new).and_return(mock_cert)
|
|
|
|
expect(subject.should_auto_enable?).to be_falsey
|
|
end
|
|
end
|
|
|
|
context '.save_auto_enabled' do
|
|
it 'does nothing if not auto_enabled' do
|
|
expect(SecretsHelper).not_to receive(:load_gitlab_secrets)
|
|
|
|
subject.save_auto_enabled
|
|
end
|
|
|
|
context 'auto_enabled' do
|
|
before do
|
|
stub_gitlab_rb(letsencrypt: { auto_enabled: true })
|
|
allow(SecretsHelper).to receive(:load_gitlab_secrets).and_return({})
|
|
allow(SecretsHelper).to receive(:write_to_gitlab_secrets)
|
|
end
|
|
|
|
it 'writes when secret is absent' do
|
|
expect(SecretsHelper).to receive(:write_to_gitlab_secrets)
|
|
|
|
subject.save_auto_enabled
|
|
end
|
|
|
|
it 'does not write if secret is already true' do
|
|
allow(SecretsHelper).to receive(:load_gitlab_secrets)
|
|
.and_return('letsencrypt' => { 'auto_enabled' => true })
|
|
expect(SecretsHelper).not_to receive(:write_to_gitlab_secrets)
|
|
|
|
subject.save_auto_enabled
|
|
end
|
|
end
|
|
end
|
|
end
|