diff options
1 files changed, 204 insertions, 384 deletions
diff --git a/spec/functional/resource/windows_certificate_spec.rb b/spec/functional/resource/windows_certificate_spec.rb
index 20d444dd59..b5d0484e0c 100644
--- a/spec/functional/resource/windows_certificate_spec.rb
+++ b/spec/functional/resource/windows_certificate_spec.rb
@@ -19,478 +19,298 @@ require "spec_helper"
require "chef/mixin/powershell_exec"
require "chef/resource/windows_certificate"
-module WindowsCertificateHelper
+describe Chef::Resource::WindowsCertificate, :windows_only do
include Chef::Mixin::PowershellExec
- def create_store(store)
- path = "Cert:\\LocalMachine\\" + store
- command = <<~EOC
- New-Item -Path #{path}
+ def create_store
+ powershell_exec <<~EOC
+ New-Item -Path Cert:\\LocalMachine\\#{store}
- powershell_exec(command)
- def cleanup(store)
- path = "Cert:\\LocalMachine\\" + store
- command = <<~EOC
- Remove-Item -Path #{path} -Recurse
+ def delete_store
+ powershell_exec <<~EOC
+ Remove-Item -Path Cert:\\LocalMachine\\#{store} -Recurse
- powershell_exec(command)
- def no_of_certificates
- path = "Cert:\\LocalMachine\\" + store
- # Seems weird that we have to call dir twice right?
- # The powershell pki module cache the last dir in module session state
- # Issuing dir with a different arg (-Force) seems to refresh that state.
- command = <<~EOC
- dir #{path} -Force | Out-Null
- (dir #{path} | measure).Count
+ def certificate_count
+ powershell_exec(<<~EOC).result.to_i
+ (Get-ChildItem -Force -Path Cert:\\LocalMachine\\#{store} | measure).Count
- powershell_exec(command).result.to_i
-describe Chef::Resource::WindowsCertificate, :windows_only do
- include WindowsCertificateHelper
- let(:stdout) { }
- let(:username) { "ChefFunctionalTest" }
- let(:node) { }
- let(:events) { }
- let(:run_context) {, {}, events) }
- let(:new_resource) {, run_context) }
let(:password) { "P@ssw0rd!" }
let(:store) { "Chef-Functional-Test" }
- let(:certificate_path) { File.expand_path(File.join(CHEF_SPEC_DATA, "windows_certificates")) }
- let(:cer_path) { File.join(certificate_path, "test.cer") }
- let(:base64_path) { File.join(certificate_path, "base64_test.cer") }
- let(:pem_path) { File.join(certificate_path, "test.pem") }
- let(:p7b_path) { File.join(certificate_path, "test.p7b") }
- let(:pfx_path) { File.join(certificate_path, "test.pfx") }
- let(:out_path) { File.join(certificate_path, "testout.pem") }
+ let(:cer_path) { File.join(CHEF_SPEC_DATA, "windows_certificates", "test.cer") }
+ let(:base64_path) { File.join(CHEF_SPEC_DATA, "windows_certificates", "base64_test.cer") }
+ let(:pem_path) { File.join(CHEF_SPEC_DATA, "windows_certificates", "test.pem") }
+ let(:p7b_path) { File.join(CHEF_SPEC_DATA, "windows_certificates", "test.p7b") }
+ let(:pfx_path) { File.join(CHEF_SPEC_DATA, "windows_certificates", "test.pfx") }
let(:tests_thumbprint) { "e45a4a7ff731e143cf20b8bfb9c7c4edd5238bb3" }
- let(:other_cer_path) { File.join(certificate_path, "othertest.cer") }
+ let(:other_cer_path) { File.join(CHEF_SPEC_DATA, "windows_certificates", "othertest.cer") }
let(:others_thumbprint) { "6eae1deefaf59daf1a97c9ceeff39c98b3da38cb" }
let(:p7b_thumbprint) { "f867e25b928061318ed2c36ca517681774b06260" }
let(:p7b_nested_thumbprint) { "dc395eae6be5b69951b8b6e1090cfc33df30d2cd" }
+ let(:resource) do
+ run_context =, {},
+"ChefFunctionalTest", run_context).tap do |r|
+ r.store_name = store
+ end
+ end
before do
- opts = { store_name: store }
- key = :store_name
- to_be = ["TRUSTEDPUBLISHER", "TrustedPublisher", "CLIENTAUTHISSUER",
- # Byepassing the validation so that we may create a custom store
+ # Bypass validation of the store name so we can use a fake test store.
.to receive(:_pv_equal_to)
- .with(opts, key, to_be)
+ .with({ store_name: store }, :store_name, anything)
- # Creating a custom store for the testing
- create_store(store)
+ create_store
+ end
+ after { delete_store }
- allow(Chef::Log).to receive(:info) do |msg|
- stdout.puts(msg)
+ describe "action: create" do
+ it "starts with no certificates" do
+ expect(certificate_count).to eq(0)
- end
- after { cleanup(store) }
+ it "can add a certificate idempotently" do
+ resource.source = cer_path
+ resource.run_action(:create)
- subject(:win_certificate) do
- new_resource.store_name = store
- new_resource
- end
+ expect(certificate_count).to eq(1)
+ expect(resource).to be_updated_by_last_action
- it "Initially there are no certificates" do
- expect(no_of_certificates).to eq(0)
- end
+ # Adding the cert again should have no effect
+ resource.run_action(:create)
+ expect(certificate_count).to eq(1)
+ expect(resource).not_to be_updated_by_last_action
- describe "action :create" do
- before do
- win_certificate.source = cer_path
- win_certificate.run_action(:create)
- end
+ # Adding the cert again with a different format should have no effect
+ resource.source = pem_path
+ resource.run_action(:create)
+ expect(certificate_count).to eq(1)
+ expect(resource).not_to be_updated_by_last_action
- context "Adding a certificate" do
- it "Imports certificate into store" do
- expect(no_of_certificates).to eq(1)
- end
+ # Adding another cert should work correctly
+ resource.source = other_cer_path
+ resource.run_action(:create)
- it "Converges while addition" do
- expect(win_certificate).to be_updated_by_last_action
- end
+ expect(certificate_count).to eq(2)
+ expect(resource).to be_updated_by_last_action
- context "Again adding the same certificate" do
- before do
- win_certificate.run_action(:create)
- end
- it "Does not imports certificate into store" do
- expect(no_of_certificates).to eq(1)
- end
- it "Idempotent: Does not converge while addition" do
- expect(no_of_certificates).to eq(1)
- expect(win_certificate).not_to be_updated_by_last_action
- end
- end
+ it "can add a base64 encoded certificate idempotently" do
+ resource.source = base64_path
+ resource.run_action(:create)
- context "Again adding the same certificate of other format" do
- before do
- win_certificate.source = pem_path
- win_certificate.run_action(:create)
- end
- it "Does not imports certificate into store" do
- expect(no_of_certificates).to eq(1)
- end
- it "Idempotent: Does not converge while addition" do
- expect(no_of_certificates).to eq(1)
- expect(win_certificate).not_to be_updated_by_last_action
- end
- end
+ expect(certificate_count).to eq(1)
- context "Adding another certificate" do
- before do
- win_certificate.source = other_cer_path
- win_certificate.run_action(:create)
- end
- it "Imports certificate into store" do
- expect(no_of_certificates).to eq(2)
- end
- it "Converges while addition" do
- expect(no_of_certificates).to eq(2)
- expect(win_certificate).to be_updated_by_last_action
- end
+ resource.run_action(:create)
+ expect(certificate_count).to eq(1)
+ expect(resource).not_to be_updated_by_last_action
- end
- describe "Works for various formats" do
- context "Adds CER" do
- before do
- win_certificate.source = cer_path
- win_certificate.run_action(:create)
- end
- it "Imports certificate into store" do
- expect(no_of_certificates).to eq(1)
- end
- it "Idempotent: Does not converge while adding again" do
- win_certificate.run_action(:create)
- expect(no_of_certificates).to eq(1)
- expect(win_certificate).not_to be_updated_by_last_action
- end
- end
+ it "can add a PEM certificate idempotently" do
+ resource.source = pem_path
+ resource.run_action(:create)
- context "Adds Base64 Encoded CER" do
- before do
- win_certificate.source = base64_path
- win_certificate.run_action(:create)
- end
- it "Imports certificate into store" do
- expect(no_of_certificates).to eq(1)
- end
- it "Idempotent: Does not converge while adding again" do
- win_certificate.run_action(:create)
- expect(no_of_certificates).to eq(1)
- expect(win_certificate).not_to be_updated_by_last_action
- end
+ expect(certificate_count).to eq(1)
+ resource.run_action(:create)
+ expect(certificate_count).to eq(1)
+ expect(resource).not_to be_updated_by_last_action
- context "Adds PEM" do
- before do
- win_certificate.source = pem_path
- win_certificate.run_action(:create)
- end
- it "Imports certificate into store" do
- expect(no_of_certificates).to eq(1)
- end
- it "Idempotent: Does not converge while adding again" do
- win_certificate.run_action(:create)
- expect(no_of_certificates).to eq(1)
- expect(win_certificate).not_to be_updated_by_last_action
- end
+ it "can add a P7B certificate idempotently" do
+ resource.source = p7b_path
+ resource.run_action(:create)
+ # A P7B cert includes nested certs
+ expect(certificate_count).to eq(3)
+ resource.run_action(:create)
+ expect(resource).not_to be_updated_by_last_action
+ expect(certificate_count).to eq(3)
- context "Adds P7B" do
- before do
- win_certificate.source = p7b_path
- win_certificate.run_action(:create)
- end
- it "Imports certificate into store" do
- expect(no_of_certificates).not_to eq(0)
- end
- it "Idempotent: Does not converge while adding again" do
- win_certificate.run_action(:create)
- expect(win_certificate).not_to be_updated_by_last_action
- end
- it "Nested certificates are also imported" do
- expect(no_of_certificates).to eq(3)
- end
+ it "can add a PFX certificate idempotently with a valid password" do
+ resource.source = pfx_path
+ resource.pfx_password = password
+ resource.run_action(:create)
+ expect(certificate_count).to eq(1)
+ resource.run_action(:create)
+ expect(certificate_count).to eq(1)
+ expect(resource).not_to be_updated_by_last_action
- context "Adds PFX" do
- context "With valid password" do
- before do
- win_certificate.source = pfx_path
- win_certificate.pfx_password = password
- win_certificate.run_action(:create)
- end
- it "Imports certificate into store" do
- expect(no_of_certificates).to eq(1)
- end
- it "Idempotent: Does not converge while adding again" do
- win_certificate.run_action(:create)
- expect(no_of_certificates).to eq(1)
- expect(win_certificate).not_to be_updated_by_last_action
- end
- end
+ it "raises an error when adding a PFX certificate with an invalid password" do
+ resource.source = pfx_path
+ resource.pfx_password = "Invalid password"
- context "With Invalid password" do
- before do
- win_certificate.source = pfx_path
- win_certificate.pfx_password = "Invalid password"
- end
- it "Raises an error" do
- expect { win_certificate.run_action(:create) }.to raise_error(OpenSSL::PKCS12::PKCS12Error)
- end
- end
+ expect { resource.run_action(:create) }.to raise_error(OpenSSL::PKCS12::PKCS12Error)
describe "action: verify" do
- context "When a certificate is not present" do
- before do
- win_certificate.source = tests_thumbprint
- win_certificate.run_action(:verify)
- end
- it "Initial check if certificate is not present" do
- expect(no_of_certificates).to eq(0)
- end
- it "Displays correct message" do
- expect(stdout.string.strip).to eq("Certificate not found")
- end
- it "Does not converge while verifying" do
- expect(win_certificate).not_to be_updated_by_last_action
- end
+ it "fails with no certificates in the store" do
+ expect(Chef::Log).to receive(:info).with("Certificate not found")
+ resource.source = tests_thumbprint
+ resource.run_action(:verify)
+ expect(resource).not_to be_updated_by_last_action
- context "When a certificate is present" do
+ context "with a certificate in the store" do
before do
- win_certificate.source = cer_path
- win_certificate.run_action(:create)
+ resource.source = cer_path
+ resource.run_action(:create)
- context "For a valid thumbprint" do
- before do
- win_certificate.source = tests_thumbprint
- win_certificate.run_action(:verify)
- end
- it "Initial check if certificate is present" do
- expect(no_of_certificates).to eq(1)
- end
- it "Displays correct message" do
- expect(stdout.string.strip).to eq("Certificate is valid")
- end
- it "Does not converge while verifying" do
- expect(win_certificate).not_to be_updated_by_last_action
- end
+ it "succeeds with a valid thumbprint" do
+ expect(Chef::Log).to receive(:info).with("Certificate is valid")
+ resource.source = tests_thumbprint
+ resource.run_action(:verify)
+ expect(resource).not_to be_updated_by_last_action
- context "For an invalid thumbprint" do
- before do
- win_certificate.source = others_thumbprint
- win_certificate.run_action(:verify)
- end
- it "Initial check if certificate is present" do
- expect(no_of_certificates).to eq(1)
- end
- it "Displays correct message" do
- expect(stdout.string.strip).to eq("Certificate not found")
- end
- it "Does not converge while verifying" do
- expect(win_certificate).not_to be_updated_by_last_action
- end
+ it "fails with an invalid thumbprint" do
+ expect(Chef::Log).to receive(:info).with("Certificate not found")
+ resource.source = others_thumbprint
+ resource.run_action(:verify)
+ expect(resource).not_to be_updated_by_last_action
- context "When multiple certificates are present" do
+ context "with a nested certificate in the store" do
before do
- win_certificate.source = p7b_path
- win_certificate.run_action(:create)
+ resource.source = p7b_path
+ resource.run_action(:create)
- context "With main certificate's thumbprint" do
- before do
- win_certificate.source = p7b_thumbprint
- win_certificate.run_action(:verify)
- end
- it "Initial check if certificate is present" do
- expect(no_of_certificates).to eq(3)
- end
- it "Displays correct message" do
- expect(stdout.string.strip).to eq("Certificate is valid")
- end
- it "Does not converge while verifying" do
- expect(win_certificate).not_to be_updated_by_last_action
- end
+ it "succeeds with the main certificate's thumbprint" do
+ expect(Chef::Log).to receive(:info).with("Certificate is valid")
+ resource.source = p7b_thumbprint
+ resource.run_action(:verify)
+ expect(resource).not_to be_updated_by_last_action
- context "With nested certificate's thumbprint" do
- before do
- win_certificate.source = p7b_nested_thumbprint
- win_certificate.run_action(:verify)
- end
- it "Initial check if certificate is present" do
- expect(no_of_certificates).to eq(3)
- end
- it "Displays correct message" do
- expect(stdout.string.strip).to eq("Certificate is valid")
- end
- it "Does not converge while verifying" do
- expect(win_certificate).not_to be_updated_by_last_action
- end
+ it "succeeds with the nested certificate's thumbprint" do
+ expect(Chef::Log).to receive(:info).with("Certificate is valid")
+ resource.source = p7b_nested_thumbprint
+ resource.run_action(:verify)
+ expect(resource).not_to be_updated_by_last_action
- context "For an invalid thumbprint" do
- before do
- win_certificate.source = others_thumbprint
- win_certificate.run_action(:verify)
- end
- it "Initial check if certificate is present" do
- expect(no_of_certificates).to eq(3)
- end
- it "Displays correct message" do
- expect(stdout.string.strip).to eq("Certificate not found")
- end
- it "Does not converge while verifying" do
- expect(win_certificate).not_to be_updated_by_last_action
- end
+ it "fails with an invalid thumbprint" do
+ expect(Chef::Log).to receive(:info).with("Certificate not found")
+ resource.source = others_thumbprint
+ resource.run_action(:verify)
+ expect(resource).not_to be_updated_by_last_action
describe "action: fetch" do
- context "When a certificate is not present" do
- before do
- win_certificate.source = tests_thumbprint
- win_certificate.run_action(:fetch)
- end
- it "Initial check if certificate is not present" do
- expect(no_of_certificates).to eq(0)
- end
- it "Does not show any content" do
- expect(stdout.string.strip).to be_empty
- end
- it "Does not converge while fetching" do
- expect(win_certificate).not_to be_updated_by_last_action
- end
+ it "does nothing with no certificates in the store" do
+ expect(Chef::Log).not_to receive(:info)
+ resource.source = tests_thumbprint
+ resource.run_action(:fetch)
+ expect(resource).not_to be_updated_by_last_action
- context "When a certificate is present" do
+ context "with a certificate in the store" do
before do
- win_certificate.source = cer_path
- win_certificate.run_action(:create)
+ resource.source = cer_path
+ resource.run_action(:create)
- after do
- if File.exist?(out_path)
- File.delete(out_path)
- end
- end
+ it "succeeds with a valid thumbprint" do
+ resource.source = tests_thumbprint
- context "For a valid thumbprint" do
- before do
- win_certificate.source = tests_thumbprint
- win_certificate.cert_path = out_path
- win_certificate.run_action(:fetch)
- end
- it "Initial check if certificate is present" do
- expect(no_of_certificates).to eq(1)
- end
- it "Stores Certificate content at given path" do
- expect(File.exist?(out_path)).to be_truthy
- end
- it "Does not converge while fetching" do
- expect(win_certificate).not_to be_updated_by_last_action
+ Dir.mktmpdir do |dir|
+ path = File.join(dir, "test.pem")
+ expect(Chef::Log).to receive(:info).with("Certificate export in #{path}")
+ resource.cert_path = path
+ resource.run_action(:fetch)
+ expect(File.exist?(path)).to be_truthy
+ expect(resource).not_to be_updated_by_last_action
- context "For an invalid thumbprint" do
- before do
- win_certificate.source = others_thumbprint
- win_certificate.cert_path = out_path
- win_certificate.run_action(:fetch)
- end
- it "Initial check if certificate is present" do
- expect(no_of_certificates).to eq(1)
- end
- it "Does not show any content" do
- expect(stdout.string.strip).to be_empty
- end
- it "Does not store certificate content at given path" do
- expect(File.exist?(out_path)).to be_falsy
- end
- it "Does not converge while fetching" do
- expect(win_certificate).not_to be_updated_by_last_action
+ it "fails with an invalid thumbprint" do
+ expect(Chef::Log).not_to receive(:info)
+ resource.source = others_thumbprint
+ Dir.mktmpdir do |dir|
+ path = File.join(dir, "test.pem")
+ resource.cert_path = path
+ resource.run_action(:fetch)
+ expect(File.exist?(path)).to be_falsy
+ expect(resource).not_to be_updated_by_last_action
describe "action: delete" do
- context "When a certificate is not present" do
- before do
- win_certificate.source = tests_thumbprint
- win_certificate.run_action(:delete)
- end
- it "Initial check if certificate is not present" do
- expect(no_of_certificates).to eq(0)
- end
- it "Does not delete any certificate" do
- expect(stdout.string.strip).to be_empty
- end
+ it "does nothing when attempting to delete a certificate that doesn't exist" do
+ expect(Chef::Log).to receive(:debug).with("Certificate not found")
+ resource.source = tests_thumbprint
+ resource.run_action(:delete)
- context "When a certificate is present" do
- before do
- win_certificate.source = cer_path
- win_certificate.run_action(:create)
- end
- before { win_certificate.source = tests_thumbprint }
- it "Initial check if certificate is present" do
- expect(no_of_certificates).to eq(1)
- end
- it "Deletes the certificate" do
- win_certificate.run_action(:delete)
- expect(no_of_certificates).to eq(0)
- end
- it "Converges while deleting" do
- win_certificate.run_action(:delete)
- expect(win_certificate).to be_updated_by_last_action
- end
- it "Idempotent: Does not converge while deleting again" do
- win_certificate.run_action(:delete)
- win_certificate.run_action(:delete)
- expect(no_of_certificates).to eq(0)
- expect(win_certificate).not_to be_updated_by_last_action
- end
- it "Deletes the valid certificate" do
- # Add another certificate"
- win_certificate.source = other_cer_path
- win_certificate.run_action(:create)
- expect(no_of_certificates).to eq(2)
- # Delete previously added certificate
- win_certificate.source = tests_thumbprint
- win_certificate.run_action(:delete)
- expect(no_of_certificates).to eq(1)
- # Verify another certificate still exists
- win_certificate.source = others_thumbprint
- win_certificate.run_action(:verify)
- expect(stdout.string.strip).to eq("Certificate is valid")
- end
+ it "deletes an existing certificate while leaving other certificates alone" do
+ # Add two certs
+ resource.source = cer_path
+ resource.run_action(:create)
+ resource.source = other_cer_path
+ resource.run_action(:create)
+ # Delete the first cert added
+ resource.source = tests_thumbprint
+ resource.run_action(:delete)
+ expect(certificate_count).to eq(1)
+ expect(resource).to be_updated_by_last_action
+ resource.run_action(:delete)
+ expect(certificate_count).to eq(1)
+ expect(resource).not_to be_updated_by_last_action
+ # Verify second cert still exists
+ expect(Chef::Log).to receive(:info).with("Certificate is valid")
+ resource.source = others_thumbprint
+ resource.run_action(:verify)