Port cert_date_valid function to Puppet 4.x API (#106)

* Porting functions to the modern Puppet 4.x API * Port mock syntax Co-authored-by: Ben Ford <[email protected]>
voxpupuli · Jan 6, 2020 · 6ceaeb1 · 6ceaeb1
1 parent a2548df
commit 6ceaeb1
Show file tree

Hide file tree

Showing 3 changed files with 99 additions and 40 deletions.
diff --git a/lib/puppet/functions/cert_date_valid.rb b/lib/puppet/functions/cert_date_valid.rb
@@ -0,0 +1,44 @@
+# @summary
+#
+#   Checks SSL cetificate date validity.
+#
+# Parameter: path to ssl certificate
+#
+Puppet::Functions.create_function(:cert_date_valid) do
+  # @param certfile The certificate file to check.
+  #
+  # @return false if the certificate is expired or not yet valid,
+  # or the number of seconds the certificate is still valid for.
+  #
+  dispatch :is_valid do
+    repeated_param 'String', :certfile
+  end
+
+  def is_valid(certfile)
+    require 'time'
+    require 'openssl'
+
+    content = File.read(certfile)
+    cert = OpenSSL::X509::Certificate.new(content)
+
+    if cert.not_before.nil? and cert.not_after.nil?
+      raise "No date found in certificate"
+    end
+
+    now       = Time.now
+
+    if (now > cert.not_after)
+      # certificate is expired
+      false
+    elsif (now < cert.not_before)
+      # certificate is not yet valid
+      false
+    elsif (cert.not_after <= cert.not_before)
+      # certificate will never be valid
+      false
+    else
+      # return number of seconds certificate is still valid for
+      (cert.not_after - now).to_i
+    end
+  end
+end
diff --git a/lib/puppet/parser/functions/cert_date_valid.rb b/lib/puppet/parser/functions/cert_date_valid.rb
diff --git a/spec/functions/cert_date_valid_spec.rb b/spec/functions/cert_date_valid_spec.rb
@@ -0,0 +1,55 @@
+require 'spec_helper'
+
+describe 'cert_date_valid' do
+  it { is_expected.not_to eq(nil) }
+
+  it 'raises an error if called with no argument' do
+    is_expected.to run.with_params.and_raise_error(StandardError)
+  end
+
+  it 'raises an error if there is more than 1 arguments' do
+    is_expected.to run.with_params({ 'foo' => 1 }, 'bar' => 2).and_raise_error(StandardError)
+  end
+
+  it 'raises an error if argument is not the proper type' do
+    is_expected.to run.with_params(true).and_raise_error(ArgumentError)
+  end
+
+  context 'when the argument is correct' do
+    let(:cert) {
+      OpenSSL::X509::Certificate.new
+    }
+
+    before(:each) do
+      allow(File).to receive(:read).and_return('bleh')
+    end
+
+    it 'returns false if cert is not valid anymore' do
+      expect(OpenSSL::X509::Certificate).to receive(:new).with('bleh').and_return(cert)
+      cert.not_before = Time.now - 3600
+      cert.not_after = Time.now - 1000
+      is_expected.to run.with_params('/path/to/cert').and_return(false)
+    end
+
+    it 'returns false if cert is not valid yet' do
+      expect(OpenSSL::X509::Certificate).to receive(:new).with('bleh').and_return(cert)
+      cert.not_before = Time.now + 1000
+      cert.not_after = Time.now + 3600
+      is_expected.to run.with_params('/path/to/cert').and_return(false)
+    end
+
+    it 'returns false if cert will never be valid' do
+      expect(OpenSSL::X509::Certificate).to receive(:new).with('bleh').and_return(cert)
+      cert.not_before = Time.now + 1000
+      cert.not_after = Time.now - 1000
+      is_expected.to run.with_params('/path/to/cert').and_return(false)
+    end
+
+    it 'returns true if it is still valid' do
+      expect(OpenSSL::X509::Certificate).to receive(:new).with('bleh').and_return(cert)
+      cert.not_before = Time.now - 1000
+      cert.not_after = Time.now + 1000
+      is_expected.to run.with_params('/path/to/cert').and_return(999)
+    end
+  end
+end