spec/models/x509_certificate_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe X509Certificate do
  describe 'validation' do
    it { is_expected.to validate_presence_of(:subject_key_identifier) }
    it { is_expected.to validate_presence_of(:subject) }
    it { is_expected.to validate_presence_of(:email) }
    it { is_expected.to validate_presence_of(:serial_number) }
    it { is_expected.to validate_presence_of(:x509_issuer_id) }
  end

  describe 'associations' do
    it { is_expected.to belong_to(:x509_issuer).required }
  end

  describe '.safe_create!' do
    let(:subject_key_identifier) { 'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD' }
    let(:subject) { 'CN=gitlab@example.com,OU=Example,O=World' }
    let(:email) { 'gitlab@example.com' }
    let(:serial_number) { '123456789' }
    let(:issuer) { create(:x509_issuer) }

    let(:attributes) do
      {
        subject_key_identifier: subject_key_identifier,
        subject: subject,
        email: email,
        serial_number: serial_number,
        x509_issuer_id: issuer.id
      }
    end

    it 'creates a new certificate if it was not found' do
      expect { described_class.safe_create!(attributes) }.to change { described_class.count }.by(1)
    end

    it 'assigns the correct attributes when creating' do
      certificate = described_class.safe_create!(attributes)

      expect(certificate.subject_key_identifier).to eq(subject_key_identifier)
      expect(certificate.subject).to eq(subject)
      expect(certificate.email).to eq(email)
    end

    it 'calls mark_commit_signatures_unverified' do
      expect_any_instance_of(described_class).to receive(:mark_commit_signatures_unverified)

      described_class.safe_create!(attributes)
    end

    context 'certificate revocation handling' do
      let(:x509_certificate) { create(:x509_certificate) }

      it 'starts a revoke worker if certificate is revoked' do
        expect(X509CertificateRevokeWorker).to receive(:perform_async).with(x509_certificate.id)

        x509_certificate.revoked!
      end

      it 'does not starts a revoke worker for good certificates' do
        expect(X509CertificateRevokeWorker).not_to receive(:perform_async).with(x509_certificate.id)

        x509_certificate
      end
    end
  end

  describe 'validators' do
    let_it_be(:issuer) { create(:x509_issuer) }

    it 'accepts correct subject_key_identifier' do
      subject_key_identifiers = [
        'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB',
        'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD'
      ]

      subject_key_identifiers.each do |identifier|
        expect(build(:x509_certificate, x509_issuer: issuer, subject_key_identifier: identifier)).to be_valid
      end
    end

    it 'rejects invalid subject_key_identifier' do
      subject_key_identifiers = [
        'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB',
        'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:GG',
        'random string',
        '12321342545356434523412341245452345623453542345234523453245'
      ]

      subject_key_identifiers.each do |identifier|
        expect(build(:x509_certificate, x509_issuer: issuer, subject_key_identifier: identifier)).to be_invalid
      end
    end

    it 'accepts correct email address' do
      emails = [
        'smime@example.org',
        'smime@example.com'
      ]

      emails.each do |email|
        expect(build(:x509_certificate, x509_issuer: issuer, email: email)).to be_valid
      end
    end

    it 'rejects invalid email' do
      emails = [
        'this is not an email',
        '@example.org'
      ]

      emails.each do |email|
        expect(build(:x509_certificate, x509_issuer: issuer, email: email)).to be_invalid
      end
    end

    it 'accepts valid serial_number' do
      expect(build(:x509_certificate, x509_issuer: issuer, serial_number: 123412341234)).to be_valid

      # rfc 5280 - 4.1.2.2  Serial number (20 octets is the maximum)
      expect(build(:x509_certificate, x509_issuer: issuer, serial_number: 1461501637330902918203684832716283019655932542975)).to be_valid
      expect(build(:x509_certificate, x509_issuer: issuer, serial_number: 'ffffffffffffffffffffffffffffffffffffffff'.to_i(16))).to be_valid
    end

    it 'rejects invalid serial_number' do
      expect(build(:x509_certificate, x509_issuer: issuer, serial_number: "sgsgfsdgdsfg")).to be_invalid
    end
  end
end