Don't generate a CA if a tar file is provided
The tar file contains both the default and server CA files that are
needed. Generating the CA actually overwrote the files from the tar file.
ekohl committed Sep 12, 2024
1 parent a236b33 commit 6ba3aee
Showing 2 changed files with 137 additions and 33 deletions.
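--- a/manifests/ca.pp
+++ b/manifests/ca.pp
@@ -24,41 +24,43 @@
 $default_ca_path = "${certs::ssl_build_dir}/${default_ca_name}.crt"
 $server_ca_path = "${certs::ssl_build_dir}/${server_ca_name}.crt"
 
-file { $ca_key_password_file:
-ensure => file,
-content => $ca_key_password,
-owner => 'root',
-group => 'root',
-mode => '0400',
-show_diff => false,
-} ~>
-ca { $default_ca_name:
-ensure => present,
-common_name => $ca_common_name,
-country => $country,
-state => $state,
-city => $city,
-org => $org,
-org_unit => $org_unit,
-expiration => $ca_expiration,
-generate => $generate,
-password_file => $ca_key_password_file,
-build_dir => $certs::ssl_build_dir,
-}
+unless $certs::tar_file {
+file { $ca_key_password_file:
+ensure => file,
+content => $ca_key_password,
+owner => 'root',
+group => 'root',
+mode => '0400',
+show_diff => false,
+} ~>
+ca { $default_ca_name:
+ensure => present,
+common_name => $ca_common_name,
+country => $country,
+state => $state,
+city => $city,
+org => $org,
+org_unit => $org_unit,
+expiration => $ca_expiration,
+generate => $generate,
+password_file => $ca_key_password_file,
+build_dir => $certs::ssl_build_dir,
+}
 
-file { $server_ca_path:
-ensure => file,
-source => pick($certs::server_ca_cert, $default_ca_path),
-owner => 'root',
-group => 'root',
-mode => '0644',
-}
+file { $server_ca_path:
+ensure => file,
+source => pick($certs::server_ca_cert, $default_ca_path),
+owner => 'root',
+group => 'root',
+mode => '0644',
+}
 
-if $generate {
-file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
-ensure => link,
-target => $server_ca_path,
-require => File[$server_ca_path],
+if $generate {
+file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
+ensure => link,
+target => $server_ca_path,
+require => File[$server_ca_path],
+}
 }
 }
 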
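Review bot: With the new `unless $certs::tar_file {` guard, the `file { $server_ca_path: … mode => '0644' }` resource and the `$ca_key_password_file` resource (mode 0400, `show_diff => false`) are no longer declared when a tar file is supplied, so owner and mode of the deployed CA files then depend entirely on what the tar extraction produces, and a password file left behind by an earlier generate run is never cleaned up. The guard itself gives no hint why generation is skipped; a comment above it would help, e.g. `# A supplied tar file already ships both the default and server CA; generating here would overwrite them`. Consider keeping a `file { $server_ca_path: }` resource with only `owner`/`group`/`mode` in the tar_file branch so Puppet still enforces permissions on the extracted certificate, or asserting after extraction that both CA files exist. The enclosing class body starts before this hunk, so I cannot see whether the extraction code already enforces this.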
102 changes: 102 additions & 0 deletions spec/acceptance/certs_spec.rb
Expand Up @@ -145,4 +145,106 @@ class { 'certs':
its(:keylength) { should be >= 2048 }
end
end

context 'with tar file' do
context 'with default ca' do
before(:context) do
manifest = <<~PUPPET
class { 'certs':
generate => true,
deploy => false,
}
class { 'certs::foreman_proxy_content':
foreman_proxy_fqdn => 'foreman-proxy.example.com',
certs_tar => '/root/foreman-proxy.example.com.tar.gz',
}
PUPPET

apply_manifest(manifest, catch_failures: true)

on default, 'rm -rf /root/ssl-build'
end

describe 'deploy certificates' do
manifest = <<-PUPPET
class { 'certs':
tar_file => '/root/foreman-proxy.example.com.tar.gz',
}
PUPPET
# tar extraction is not idempotent
it { apply_manifest(manifest, catch_failures: true) }
end

describe 'default and server ca certs match' do
it { expect(file('/etc/pki/katello/certs/katello-default-ca.crt').content).to eq(file('/etc/pki/katello/certs/katello-server-ca.crt').content) }
end

describe x509_certificate('/etc/pki/katello/certs/katello-default-ca.crt') do
it { should be_certificate }
it { should be_valid }
it { should have_purpose 'SSL server CA' }
its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
its(:keylength) { should be >= 4096 }
end
end

context 'with custom certificates' do
before(:context) do
manifest = <<~PUPPET
class { 'certs':
server_cert => '/server.crt',
server_key => '/server.key',
server_ca_cert => '/server-ca.crt',
generate => true,
deploy => false,
}
class { 'certs::foreman_proxy_content':
foreman_proxy_fqdn => 'foreman-proxy.example.com',
certs_tar => '/root/foreman-proxy.example.com.tar.gz',
}
PUPPET

apply_manifest(manifest, catch_failures: true)

on default, 'rm -rf /root/ssl-build'
end

describe 'deploy certificates' do
manifest = <<-PUPPET
class { 'certs':
tar_file => '/root/foreman-proxy.example.com.tar.gz',
}
PUPPET
# tar extraction is not idempotent
it { apply_manifest(manifest, catch_failures: true) }
end

describe 'default and server ca certs match' do
it { expect(file('/etc/pki/katello/certs/katello-default-ca.crt').content).not_to eq(file('/etc/pki/katello/certs/katello-server-ca.crt').content) }
end

describe x509_certificate('/etc/pki/katello/certs/katello-default-ca.crt') do
it { should be_certificate }
it { should be_valid }
it { should have_purpose 'SSL server CA' }
its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
its(:keylength) { should be >= 4096 }
end

describe x509_certificate('/etc/pki/katello/certs/katello-server-ca.crt') do
it { should be_certificate }
it { should be_valid }
it { should have_purpose 'SSL server CA' }
# These don't match since we only configure it with the intermediate
# and not the actual root
its(:issuer) { should match_without_whitespace(/CN = Fake LE Root X1/) }
its(:subject) { should match_without_whitespace(/CN = Fake LE Intermediate X1/) }
its(:keylength) { should be >= 2048 }
end
end
end
end
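Review bot: The `describe 'deploy certificates'` blocks at `manifest = <<-PUPPET` use the plain `<<-` heredoc while the `before(:context)` blocks directly above use `<<~PUPPET`; using `<<~PUPPET` in both keeps the embedded manifests consistently dedented (Puppet ignores the leading whitespace either way, so this is style only). The two contexts also repeat the `deploy certificates` block and the `x509_certificate('/etc/pki/katello/certs/katello-default-ca.crt')` expectations verbatim, which a `shared_examples` group would collapse. Since the ca.pp change in this commit skips the `file { $server_ca_path: … mode => '0644' }` resource when a tar file is used, a `describe file('/etc/pki/katello/certs/katello-server-ca.crt')` with `it { should be_owned_by 'root' }` and `it { should be_mode 644 }` would pin the expected permissions of the extracted certificates. The enclosing describe starts before this hunk.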
