Signed-off-by: Eric D. Helms <ericdhelms@gmail.com>
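--- /dev/null
+++ b/manifests/iop_advisor_engine.pp
@@ -0,0 +1,69 @@
+# Contains certs specific configurations for advisor
+class certs::iop_advisor_engine (
+  Stdlib::Fqdn $hostname = 'localhost',
+  Boolean $generate = $certs::generate,
+  Boolean $regenerate = $certs::regenerate,
+  Boolean $deploy = $certs::deploy,
+  String[2,2] $country = $certs::country,
+  String $state = $certs::state,
+  String $city = $certs::city,
+  String $org = $certs::org,
+  String $org_unit = $certs::org_unit,
+  String $expiration = $certs::expiration,
+  Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
+  String $owner = 'root',
+  String $group = 'root',
+  Stdlib::Filemode $private_key_mode = '0440',
+  Stdlib::Filemode $public_key_mode = '0444',
+) inherits certs {
+  include certs::foreman_proxy
+
+  $server_cert_name = "${hostname}-iop-advisor-server"
+  $server_cert = "${cert_directory}/server.cert"
+  $server_key = "${cert_directory}/server.key"
+  $server_ca_cert = $certs::katello_server_ca_cert
+
+  $client_cert = $certs::foreman_proxy::foreman_ssl_cert
+  $client_key = $certs::foreman_proxy::foreman_ssl_key
+  $client_ca_cert = $certs::foreman_proxy::foreman_ssl_ca_cert
+
+  cert { $server_cert_name:
+    ensure => present,
+    hostname => $hostname,
+    country => $country,
+    state => $state,
+    city => $city,
+    org => $org,
+    org_unit => $org_unit,
+    expiration => $expiration,
+    ca => $certs::default_ca,
+    generate => $generate,
+    regenerate => $regenerate,
+    password_file => $ca_key_password_file,
+    build_dir => $certs::ssl_build_dir,
+  }
+
+  if $deploy {
+    $cert_directory = '/etc/iop-advisor-engine'
+
+    file { $cert_directory:
+      ensure => directory,
+      mode => '0755',
+      owner => $owner,
+      group => $group,
+    }
+
+    certs::keypair { $server_cert_name:
+      source_dir => "${certs::ssl_build_dir}/${hostname}",
+      key_file => $server_key,
+      key_owner => $owner,
+      key_group => $group,
+      key_mode => $private_key_mode,
+      cert_file => $server_cert,
+      cert_owner => $owner,
+      cert_group => $group,
+      cert_mode => $public_key_mode,
+      require => Cert[$server_cert_name],
+    }
+  }
+}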
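Review bot: `$server_cert` and `$server_key` interpolate `$cert_directory` at the top of the class body, but that variable is only assigned inside the `if $deploy` block further down; Puppet evaluates a class body in order, so at the point of use it is unassigned (undef, or an evaluation error when `strict_variables` is on) and the deployed paths collapse to `/server.cert` and `/server.key`, placing the private key in the filesystem root instead of under `/etc/iop-advisor-engine`. That ordering is the likely cause of the failing class spec and of the acceptance checks that look for `/etc/iop-advisor-engine/server.cert`. Move the assignment out of the conditional, before the path variables are built: `$cert_directory = '/etc/iop-advisor-engine'` directly after `include certs::foreman_proxy`, leaving the `file` and `certs::keypair` resources under `if $deploy`. The header comment only says the class contains advisor configuration; puppet-strings `@param` tags for `hostname`, `deploy`, `owner`/`group` and the two mode parameters would tell consumers what they control.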
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,115 @@ | ||
require 'spec_helper_acceptance' | ||
|
||
describe 'certs::iop_advisor_engine' do | ||
fqdn = fact('fqdn') | ||
hostname = 'localhost' | ||
|
||
before(:all) do | ||
on default, 'rm -rf /root/ssl-build' | ||
|
||
manifest = <<~MANIFEST | ||
file { '/etc/foreman-proxy': | ||
ensure => directory, | ||
} | ||
group { 'foreman-proxy': | ||
ensure => present, | ||
system => true, | ||
} | ||
file { '/etc/iop-advisor-engine': | ||
ensure => directory, | ||
} | ||
MANIFEST | ||
apply_manifest(manifest, catch_failures: true) | ||
end | ||
|
||
context 'with default parameters' do | ||
it_behaves_like 'an idempotent resource' do | ||
let(:manifest) { 'include certs::iop_advisor_engine' } | ||
end | ||
|
||
describe x509_certificate('/etc/iop-advisor-engine/server.cert') do | ||
it { should be_certificate } | ||
it { should be_valid } | ||
it { should have_purpose 'server' } | ||
its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) } | ||
its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = #{hostname}/) } | ||
its(:keylength) { should be >= 4096 } | ||
end | ||
|
||
describe file('/etc/iop-advisor-engine/server.cert') do | ||
it { should be_file } | ||
it { should be_mode 444 } | ||
it { should be_owned_by 'root' } | ||
it { should be_grouped_into 'root' } | ||
end | ||
|
||
describe x509_private_key('/etc/iop-advisor-engine/server.key') do | ||
it { should_not be_encrypted } | ||
it { should be_valid } | ||
it { should have_matching_certificate('/etc/iop-advisor-engine/server.cert') } | ||
end | ||
|
||
describe file('/etc/iop-advisor-engine/server.key') do | ||
it { should be_file } | ||
it { should be_mode 440 } | ||
it { should be_owned_by 'root' } | ||
it { should be_grouped_into 'root' } | ||
end | ||
|
||
describe x509_certificate("/root/ssl-build/#{hostname}/#{hostname}-iop-advisor-server.crt") do | ||
it { should be_certificate } | ||
it { should be_valid } | ||
it { should have_purpose 'server' } | ||
its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) } | ||
its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = #{hostname}/) } | ||
its(:keylength) { should be >= 4096 } | ||
end | ||
|
||
describe x509_private_key("/root/ssl-build/#{hostname}/#{hostname}-iop-advisor-server.key") do | ||
it { should_not be_encrypted } | ||
it { should be_valid } | ||
it { should have_matching_certificate("/root/ssl-build/#{hostname}/#{hostname}-iop-advisor-server.crt") } | ||
end | ||
end | ||
|
||
context 'with deploy false' do | ||
before(:context) do | ||
on default, 'rm -rf /root/ssl-build /etc/iop-advisor-engine' | ||
end | ||
|
||
it_behaves_like 'an idempotent resource' do | ||
let(:manifest) do | ||
<<-PUPPET | ||
class { 'certs::iop_advisor_engine': | ||
deploy => false | ||
} | ||
PUPPET | ||
end | ||
end | ||
|
||
describe x509_certificate("/root/ssl-build/#{hostname}/#{hostname}-iop-advisor-server.crt") do | ||
it { should be_certificate } | ||
it { should be_valid } | ||
it { should have_purpose 'server' } | ||
its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) } | ||
its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = #{hostname}/) } | ||
its(:keylength) { should be >= 4096 } | ||
end | ||
|
||
describe x509_private_key("/root/ssl-build/#{hostname}/#{hostname}-iop-advisor-server.key") do | ||
it { should_not be_encrypted } | ||
it { should be_valid } | ||
it { should have_matching_certificate("/root/ssl-build/#{hostname}/#{hostname}-iop-advisor-server.crt") } | ||
end | ||
|
||
describe file('/etc/iop-advisor-engine/server.cert') do | ||
it { should_not exist } | ||
end | ||
|
||
describe file('/etc/iop-advisor-engine/server.key') do | ||
it { should_not exist } | ||
end | ||
end | ||
end |
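Review bot: The `before(:all)` manifest creates `/etc/iop-advisor-engine` itself, but that directory is a resource the class under test manages (`file { $cert_directory: ensure => directory, ... }`), so the 'with default parameters' run never shows the class creating it, and the 'with deploy false' context has to `rm -rf` it again before asserting that nothing was deployed. Drop the `file { '/etc/iop-advisor-engine': ensure => directory, }` resource from the setup heredoc and keep only the `/etc/foreman-proxy` directory and `foreman-proxy` group prerequisites. The `fqdn` value is interpolated unescaped into the issuer regexes, so its dots match any character; `CN = #{Regexp.escape(fqdn)}` keeps the match exact. The certificate and private-key expectations are repeated four times verbatim and would fit a shared example parameterised on the path.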
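--- /dev/null
+++ b/spec/classes/certs_iop_advisor_engine_spec.rb
@@ -0,0 +1,15 @@
+require 'spec_helper'
+
+describe 'certs::iop_advisor_engine' do
+  on_supported_os.each do |os, os_facts|
+    context "on #{os}" do
+      let :facts do
+        os_facts
+      end
+
+      describe 'with default parameters' do
+        it { should compile.with_all_deps }
+      end
+    end
+  end
+end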
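Review bot: The class spec only checks that the catalogue compiles, so neither branch of the `deploy` parameter is asserted and the deployed file paths are pinned by the acceptance suite alone. In the default context add `it { should contain_certs__keypair('localhost-iop-advisor-server') }` and `it { should contain_file('/etc/iop-advisor-engine') }`, and add a context with `let(:params) { { deploy: false } }` asserting `it { should_not contain_certs__keypair('localhost-iop-advisor-server') }`. The resource title follows from the manifest's `"${hostname}-iop-advisor-server"` with the default `hostname` of `localhost`.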