OpenVoxProject · bastelfreak · Jul 8, 2025 · Jun 29, 2025 · Jun 29, 2025 · Jun 29, 2025
diff --git a/.github/workflows/unit_tests.yaml b/.github/workflows/unit_tests.yaml
@@ -0,0 +1,45 @@
+---
+name: Unit tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+# minimal permissions
+permissions:
+  contents: read
+
+env:
+  CI: true
+
+jobs:
+  linux_unit_tests:
+    name: Ruby version
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - '2.7'
+          - '3.0'
+          - '3.2'
+          - '3.3'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout current PR
+        uses: actions/checkout@v4
+
+      - name: Rspec checks
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: Display bundle environment
+        run: |
+          bundle env
+
+      - run: bundle exec rake spec_random
diff --git a/.rspec b/.rspec
@@ -1,3 +1,2 @@
---format documentation
 --color
 --require spec_helper
diff --git a/Rakefile b/Rakefile
@@ -1,6 +1,5 @@
 require "bundler/gem_tasks"
-require "rspec/core/rake_task"
 
-RSpec::Core::RakeTask.new(:spec)
+Dir.glob(File.join('tasks/**/*.rake')).each { |file| load file }
 
-task :default => :spec
+task default: :spec
diff --git a/lib/puppetserver/ca/action/prune.rb b/lib/puppetserver/ca/action/prune.rb
@@ -136,12 +136,27 @@ def prune_CRL(crl)
         end
 
         def update_pruned_CRL(crl, pkey)
-          number_ext, other_ext = crl.extensions.partition{ |ext| ext.oid == "crlNumber" }
-          number_ext.each do |crl_number|
-            updated_crl_number = OpenSSL::BN.new(crl_number.value) + OpenSSL::BN.new(1)
-            crl_number.value=(OpenSSL::ASN1::Integer(updated_crl_number))
+          # Updating extensions in-place does not work with some ruby versions / implementation. Copy & recreate them.
+          extensions = crl.extensions
+          crl.extensions = []
+
+          ef = OpenSSL::X509::ExtensionFactory.new
+          ef.crl = crl
+
+          extensions.each do |ext|
+            if ext.oid == "crlNumber"
+              if RUBY_ENGINE == "jruby"
+                # Creating a crlNumber extension without an ExtensionFactory produce incorrect result on jruby
+                crl.add_extension(ef.create_extension("crlNumber", ext.value.next))
+              else
+                # Creating a crlNumber extension with an ExtensionFactory rais on exception on MRI
+                crl.add_extension(OpenSSL::X509::Extension.new("crlNumber", ext.value.next))
+              end
+            else
+              crl.add_extension(ext)
+            end
           end
-          crl.extensions=(number_ext + other_ext)
+
           crl.sign(pkey, OpenSSL::Digest::SHA256.new)
         end
 

diff --git a/lib/puppetserver/ca/host.rb b/lib/puppetserver/ca/host.rb
@@ -80,7 +80,6 @@ def create_csr(name:, key:, cli_extensions: [], csr_attributes_path: '')
         csr = OpenSSL::X509::Request.new
         csr.public_key = key.public_key
         csr.subject = OpenSSL::X509::Name.new([["CN", name]])
-        csr.version = 2
 
         custom_attributes = get_custom_attributes(csr_attributes_path)
         extension_requests = get_extension_requests(csr_attributes_path)

diff --git a/lib/puppetserver/ca/local_certificate_authority.rb b/lib/puppetserver/ca/local_certificate_authority.rb
@@ -15,8 +15,8 @@ class LocalCertificateAuthority
       # before the user expected it to when they asked for "one year".
       CERT_VALID_FROM = (Time.now - (60*60*24)).freeze
 
-      SSL_SERVER_CERT = "1.3.6.1.5.5.7.3.1"
-      SSL_CLIENT_CERT = "1.3.6.1.5.5.7.3.2"
+      SSL_SERVER_CERT = "serverAuth"
+      SSL_CLIENT_CERT = "clientAuth"
 
       CLI_AUTH_EXT_OID = "1.3.6.1.4.1.34380.1.3.39"
 
@@ -252,6 +252,15 @@ def create_crl_for(cert, key)
         crl.next_update = valid_until
         crl.sign(key, @digest)
 
+        # FIXME: Workaround a bug in jruby-openssl. Without this, #to_pem return an invalid CRL:
+        # ----BEGIN X509 CRL-----
+        # MAA=
+        # -----END X509 CRL-----
+        # See:
+        # https://github.com/jruby/jruby-openssl/issues/163
+        # https://github.com/jruby/jruby-openssl/pull/333
+        crl = OpenSSL::X509::CRL.new(crl.to_der)
+
         crl
       end
 

diff --git a/spec/puppetserver/ca/action/sign_spec.rb b/spec/puppetserver/ca/action/sign_spec.rb
@@ -65,9 +65,9 @@
     let(:get_success)   { response.new('200', 'Stuff') }
     let(:not_found)     { response.new('404', 'Not Found') }
     let(:empty)         { response.new('404', '[]') }
-    let(:status_url)    { Puppetserver::Ca::Utils::HttpClient::URL.new('https','localhost','8140','status','v1','services') }
-    let(:bulk_sign_url) { Puppetserver::Ca::Utils::HttpClient::URL.new('https','localhost','8140','puppet-ca','v1','sign', nil, {}) }
-    let(:bulk_sign_all_url) { Puppetserver::Ca::Utils::HttpClient::URL.new('https','localhost','8140','puppet-ca','v1','sign','all', {}) }
+    let(:status_url)    { Puppetserver::Ca::Utils::HttpClient::URL.new('https','puppet','8140','status','v1','services') }
+    let(:bulk_sign_url) { Puppetserver::Ca::Utils::HttpClient::URL.new('https','puppet','8140','puppet-ca','v1','sign', nil, {}) }
+    let(:bulk_sign_all_url) { Puppetserver::Ca::Utils::HttpClient::URL.new('https','puppet','8140','puppet-ca','v1','sign','all', {}) }
     let(:status_old_server) { response.new('200', '{"ca":{"service_version":"7.4.1"}}') }
     let(:status_new_server) { response.new('200', '{"ca":{"service_version":"8.4.1"}}') }
     let(:connection) { double }

diff --git a/spec/utils/ssl.rb b/spec/utils/ssl.rb
@@ -65,6 +65,15 @@ def create_crl(cert, key, certs_to_revoke = [])
       crl.next_update = Time.now + 360000
       crl.sign(key, OpenSSL::Digest::SHA256.new)
 
+      # FIXME: Workaround a bug in jruby-openssl. Without this, #to_pem return an invalid CRL:
+      # ----BEGIN X509 CRL-----
+      # MAA=
+      # -----END X509 CRL-----
+      # See:
+      # https://github.com/jruby/jruby-openssl/issues/163
+      # https://github.com/jruby/jruby-openssl/pull/333
+      crl = OpenSSL::X509::CRL.new(crl.to_der)
+
       return crl
     end
 

diff --git a/tasks/spec.rake b/tasks/spec.rake
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+begin
+  require 'rspec/core/rake_task'
+
+  desc 'Run rspec test in sequential order'
+  RSpec::Core::RakeTask.new(:spec)
+
+  desc 'Run rspec test in random order'
+  RSpec::Core::RakeTask.new(:spec_random) do |t|
+    t.rspec_opts = '--order random'
+  end
+rescue LoadError
+  puts 'Could not load rspec'
+end