diff --git a/manifests/ca.pp b/manifests/ca.pp
index 9dec333a..bddc3dad 100644
--- a/manifests/ca.pp
+++ b/manifests/ca.pp
@@ -24,41 +24,43 @@ $default_ca_path = "${certs::ssl_build_dir}/${default_ca_name}.crt"
 $server_ca_path = "${certs::ssl_build_dir}/${server_ca_name}.crt"
- file { $ca_key_password_file:
- ensure => file,
- content => $ca_key_password,
- owner => 'root',
- group => 'root',
- mode => '0400',
- show_diff => false,
- } ~>
- ca { $default_ca_name:
- ensure => present,
- common_name => $ca_common_name,
- country => $country,
- state => $state,
- city => $city,
- org => $org,
- org_unit => $org_unit,
- expiration => $ca_expiration,
- generate => $generate,
- password_file => $ca_key_password_file,
- build_dir => $certs::ssl_build_dir,
- }
+ unless $certs::tar_file {
+ file { $ca_key_password_file:
+ ensure => file,
+ content => $ca_key_password,
+ owner => 'root',
+ group => 'root',
+ mode => '0400',
+ show_diff => false,
+ } ~>
+ ca { $default_ca_name:
+ ensure => present,
+ common_name => $ca_common_name,
+ country => $country,
+ state => $state,
+ city => $city,
+ org => $org,
+ org_unit => $org_unit,
+ expiration => $ca_expiration,
+ generate => $generate,
+ password_file => $ca_key_password_file,
+ build_dir => $certs::ssl_build_dir,
+ }
- file { $server_ca_path:
- ensure => file,
- source => pick($certs::server_ca_cert, $default_ca_path),
- owner => 'root',
- group => 'root',
- mode => '0644',
- }
+ file { $server_ca_path:
+ ensure => file,
+ source => pick($certs::server_ca_cert, $default_ca_path),
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
- if $generate {
- file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
- ensure => link,
- target => $server_ca_path,
- require => File[$server_ca_path],
+ if $generate {
+ file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
+ ensure => link,
+ target => $server_ca_path,
+ require => File[$server_ca_path],
+ }
 }
 }
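Review bot: Once `$certs::tar_file` is set the whole guarded block is skipped, so in tar mode this class no longer enforces owner/group/mode on `$server_ca_path` nor manages the `KATELLO-TRUSTED-SSL-CERT` link; whatever ownership and permissions the extracted archive carries are presumably what stays on disk, and nothing in this hunk checks that. If that is intended, a comment above the new `unless` would spare the next reader the question, e.g. `# tar_file mode: CA, CA key password file and server CA are supplied by the archive, nothing is generated or re-permissioned here`. If it is not intended, consider leaving the `file { $server_ca_path: ... }` resource outside the guard (setting `source` only when not in tar mode) so its mode and ownership remain managed either way. The enclosing class begins and ends outside the hunk.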
diff --git a/spec/acceptance/certs_spec.rb b/spec/acceptance/certs_spec.rb
index 5c3ff365..deaf9d2e 100644
--- a/spec/acceptance/certs_spec.rb
+++ b/spec/acceptance/certs_spec.rb
@@ -145,4 +145,106 @@ class { 'certs':
 its(:keylength) { should be >= 2048 }
 end
 end
+
+ context 'with tar file' do
+ context 'with default ca' do
+ before(:context) do
+ manifest = <<~PUPPET
+ class { 'certs':
+ generate => true,
+ deploy => false,
+ }
+
+ class { 'certs::foreman_proxy_content':
+ foreman_proxy_fqdn => 'foreman-proxy.example.com',
+ certs_tar => '/root/foreman-proxy.example.com.tar.gz',
+ }
+ PUPPET
+
+ apply_manifest(manifest, catch_failures: true)
+
+ on default, 'rm -rf /root/ssl-build'
+ end
+
+ describe 'deploy certificates' do
+ manifest = <<-PUPPET
+ class { 'certs':
+ tar_file => '/root/foreman-proxy.example.com.tar.gz',
+ }
+ PUPPET
+ # tar extraction is not idempotent
+ it { apply_manifest(manifest, catch_failures: true) }
+ end
+
+ describe 'default and server ca certs match' do
+ it { expect(file('/etc/pki/katello/certs/katello-default-ca.crt').content).to eq(file('/etc/pki/katello/certs/katello-server-ca.crt').content) }
+ end
+
+ describe x509_certificate('/etc/pki/katello/certs/katello-default-ca.crt') do
+ it { should be_certificate }
+ it { should be_valid }
+ it { should have_purpose 'SSL server CA' }
+ its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+ its(:keylength) { should be >= 4096 }
+ end
+ end
+
+ context 'with custom certificates' do
+ before(:context) do
+ manifest = <<~PUPPET
+ class { 'certs':
+ server_cert => '/server.crt',
+ server_key => '/server.key',
+ server_ca_cert => '/server-ca.crt',
+ generate => true,
+ deploy => false,
+ }
+
+ class { 'certs::foreman_proxy_content':
+ foreman_proxy_fqdn => 'foreman-proxy.example.com',
+ certs_tar => '/root/foreman-proxy.example.com.tar.gz',
+ }
+ PUPPET
+
+ apply_manifest(manifest, catch_failures: true)
+
+ on default, 'rm -rf /root/ssl-build'
+ end
+
+ describe 'deploy certificates' do
+ manifest = <<-PUPPET
+ class { 'certs':
+ tar_file => '/root/foreman-proxy.example.com.tar.gz',
+ }
+ PUPPET
+ # tar extraction is not idempotent
+ it { apply_manifest(manifest, catch_failures: true) }
+ end
+
+ describe 'default and server ca certs match' do
+ it { expect(file('/etc/pki/katello/certs/katello-default-ca.crt').content).not_to eq(file('/etc/pki/katello/certs/katello-server-ca.crt').content) }
+ end
+
+ describe x509_certificate('/etc/pki/katello/certs/katello-default-ca.crt') do
+ it { should be_certificate }
+ it { should be_valid }
+ it { should have_purpose 'SSL server CA' }
+ its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+ its(:keylength) { should be >= 4096 }
+ end
+
+ describe x509_certificate('/etc/pki/katello/certs/katello-server-ca.crt') do
+ it { should be_certificate }
+ it { should be_valid }
+ it { should have_purpose 'SSL server CA' }
+ # These don't match since we only configure it with the intermediate
+ # and not the actual root
+ its(:issuer) { should match_without_whitespace(/CN = Fake LE Root X1/) }
+ its(:subject) { should match_without_whitespace(/CN = Fake LE Intermediate X1/) }
+ its(:keylength) { should be >= 2048 }
+ end
+ end
+ end
 end
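Review bot: The describe inside the 'with custom certificates' context is titled 'default and server ca certs match' while its expectation is `not_to eq`, so a failure message would state the opposite of what is being checked; rename it, e.g. `describe 'default and server ca certs differ' do`. The two 'deploy certificates' heredocs use `<<-PUPPET` whereas every `before(:context)` heredoc in the hunk uses `<<~PUPPET`; using `<<~` throughout keeps the manifest text consistently dedented. The archive path `/root/foreman-proxy.example.com.tar.gz` is spelled out four times and both contexts repeat the same deploy/describe skeleton, so a shared example or a single constant would remove the duplication. The `rm -rf /root/ssl-build` step after the first apply is what gives the tar path its meaning — I take it to discard the locally generated build directory so the deployed certificates can only come from the archive — and deserves a one-line comment saying so. The enclosing describe block starts outside the hunk.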