diff --git a/README.md b/README.md
index fb2374b5..3dd8b46e 100644
--- a/README.md
+++ b/README.md
@@ -32,10 +32,6 @@ for communication between services inside the Katello deployment.
| ${hostname}-foreman-proxy | a server certificate for Foreman-proxy https | server |
| ${hostname}-foreman-client | a client certificate for Foreman -> Foreman-proxy communication | default |
| ${hostname}-puppet-client | a client certificate for Puppet ENC -> Foreman communication | default |
-| ${hostname}-parent-cert | a client certificate to read content from Pulp parent (distributed to the child over qpid) | default |
-| ${hostname}-qpid-broker | a client certificate for qpid broker | default |
-| ${hostname}-qpid-client-cert | a client certificate for Pulp to connect to qpid | default |
-| java-client | a client certificate for Candlepin to connect to qpid | default |
# Phases
diff --git a/lib/puppet/provider/nssdb/certutil.rb b/lib/puppet/provider/nssdb/certutil.rb
deleted file mode 100644
index f733719b..00000000
--- a/lib/puppet/provider/nssdb/certutil.rb
+++ /dev/null
@@ -1,50 +0,0 @@
-require 'fileutils'
-
-Puppet::Type.type(:nssdb).provide(:certutil) do
- commands :certutil => 'certutil'
-
- def create
- destroy_nssdb
- create_nssdb_dir
- generate_nssdb
- end
-
- def destroy
- destroy_nssdb
- end
-
- def exists?
- nssdb_exists?
- end
-
- private
-
- def create_nssdb_dir
- FileUtils.mkdir_p(resource[:nssdb_dir])
- end
-
- def generate_nssdb
- certutil(
- '-N',
- '-d', resource[:nssdb_dir],
- '-f', resource[:password_file]
- )
- rescue Puppet::ExecutionFailure => e
- raise Puppet::Error.new("Failed to generate new NSS database at #{resource[:nssdb_dir]} with password file #{resource[:password_file]}: #{e}", e)
- end
-
- def destroy_nssdb
- FileUtils.rm_rf(resource[:nssdb_dir], secure: true)
- end
-
- def nssdb_exists?
- certutil(
- '-K',
- '-d', resource[:nssdb_dir],
- '-f', resource[:password_file]
- )
- rescue Puppet::ExecutionFailure => e
- Puppet.debug("Unable to verify NSS database at #{resource[:nssdb_dir]} with password file #{resource[:password_file]}: #{e}")
- return false
- end
-end
diff --git a/lib/puppet/provider/nssdb_certificate/certutil.rb b/lib/puppet/provider/nssdb_certificate/certutil.rb
deleted file mode 100644
index 9727e48d..00000000
--- a/lib/puppet/provider/nssdb_certificate/certutil.rb
+++ /dev/null
@@ -1,128 +0,0 @@
-Puppet::Type.type(:nssdb_certificate).provide(:certutil) do
- commands :certutil => 'certutil'
- commands :openssl => 'openssl'
- commands :pk12util => 'pk12util'
-
- def create
- add_certificate
- add_private_key if resource[:private_key]
- end
-
- def destroy
- if resource[:private_key]
- delete_combined_private_key_and_certificate
- else
- delete_certificate
- end
- end
-
- def exists?
- nssdb_content
- end
-
- def certificate
- nssdb_fingerprint
- end
-
- def certificate=(value)
- unless nssdb_content.nil?
- if resource[:private_key]
- delete_combined_private_key_and_certificate
- else
- delete_certificate
- end
- end
- add_certificate
- add_private_key if resource[:private_key]
- end
-
- def fingerprint(file)
- return unless File.exist?(file)
-
- openssl('x509', '-sha256', '-noout', '-fingerprint', '-in', file).strip.split('=')[1]
- rescue Puppet::ExecutionFailure => e
- Puppet.warn("Failed to read certificate #{file}: #{e}")
- nil
- end
-
- private
-
- def add_certificate
- certutil(
- '-A',
- '-a',
- '-d', resource[:nssdb],
- '-n', resource[:cert_name],
- '-t', resource[:trustargs],
- '-i', resource[:certificate],
- '-f', resource[:password_file]
- )
- end
-
- def delete_certificate
- certutil(
- '-D',
- '-d', resource[:nssdb],
- '-n', resource[:cert_name]
- )
- end
-
- def add_private_key
- Tempfile.open('pkcs12') do |pkcs12|
- openssl(
- 'pkcs12',
- '-export',
- '-in', resource[:certificate],
- '-inkey', resource[:private_key],
- '-out', pkcs12.path,
- '-password', "file:#{resource[:password_file]}",
- '-name', resource[:cert_name]
- )
-
- pk12util(
- '-i', pkcs12.path,
- '-d', resource[:nssdb],
- '-w', resource[:password_file],
- '-k', resource[:password_file]
- )
- end
- end
-
- def delete_combined_private_key_and_certificate
- certutil(
- '-F',
- '-d', resource[:nssdb],
- '-n', resource[:cert_name],
- '-f', resource[:password_file]
- )
- end
-
- def nssdb_content
- return unless directory_readable?(resource[:nssdb])
-
- certutil(
- '-L',
- '-a',
- '-d', resource[:nssdb],
- '-n', resource[:cert_name]
- )
- rescue Puppet::ExecutionFailure => e
- Puppet.debug("Failed to read nssdb contents from #{resource[:nssdb]}: #{e}")
- nil
- end
-
- def nssdb_fingerprint
- cert_info = nssdb_content
- return unless cert_info
-
- Tempfile.open('cert') do |temp_cert|
- temp_cert.write(cert_info)
- temp_cert.rewind
- fingerprint(temp_cert.path)
- end
- end
-
- def directory_readable?(file)
- File.directory?(file) && File.readable?(file)
- end
-end
diff --git a/lib/puppet/type/nssdb.rb b/lib/puppet/type/nssdb.rb
deleted file mode 100644
index 076e6203..00000000
--- a/lib/puppet/type/nssdb.rb
+++ /dev/null
@@ -1,57 +0,0 @@
-require 'puppet/type/file/owner'
-require 'puppet/type/file/group'
-require 'puppet/type/file/mode'
-
-Puppet::Type.newtype(:nssdb) do
- desc "Generates an empty NSS database"
-
- ensurable
-
- newparam(:nssdb_dir, :namevar => true) do
- desc "Path to NSS database directory"
- isrequired
- end
-
- newparam(:password_file) do
- desc "Path to file containing the NSS database password"
- isrequired
- end
-
- newparam(:owner, parent: Puppet::Type::File::Owner) do
- desc "Specifies the owner of the NSS database directory and files. Valid options: a string containing a username or integer containing a uid."
- end
-
- newparam(:group, parent: Puppet::Type::File::Group) do
- desc "Specifies a permissions group for the NSS database directory and files. Valid options: a string containing a group name or integer containing a gid."
- end
-
- newparam(:mode, parent: Puppet::Type::File::Mode) do
- desc "Specifies the permissions mode of the NSS database files. Valid options: a string containing a permission mode value in octal notation."
- end
-
- autorequire(:file) do
- [self[:password_file]]
- end
-
- def generate
- file_opts = {
- :path => self[:nssdb_dir],
- :ensure => self[:ensure] == :absent ? :absent : :directory,
- :recurse => true
- }
-
- [:owner, :group, :mode].each do |param|
- file_opts[param] = self[param] unless self[param].nil?
- end
-
- excluded_metaparams = [:before, :notify, :require, :subscribe, :tag]
-
- Puppet::Type.metaparams.each do |metaparam|
- unless self[metaparam].nil? || excluded_metaparams.include?(metaparam)
- file_opts[metaparam] = self[metaparam]
- end
- end
-
- [Puppet::Type.type(:file).new(file_opts)]
- end
-end
diff --git a/lib/puppet/type/nssdb_certificate.rb b/lib/puppet/type/nssdb_certificate.rb
deleted file mode 100644
index bf922ce0..00000000
--- a/lib/puppet/type/nssdb_certificate.rb
+++ /dev/null
@@ -1,52 +0,0 @@
-Puppet::Type.newtype(:nssdb_certificate) do
- desc 'adds a certificate to an nssdb'
-
- ensurable
-
- def self.title_patterns
- [ [ /(.+):(.+)/m, [ [:nssdb], [:cert_name] ] ] ]
- end
-
- newparam(:cert_name, :namevar => true) do
- desc "The certificate name used to store inside the nssdb"
- end
-
- newparam(:nssdb, :namevar => true) do
- desc "Path to the nssdb to use or create when importing the certificate"
- isrequired
- end
-
- newproperty(:certificate) do
- desc "Path to the certificate to add to the nssdb"
-
- def fingerprint(file)
- provider.fingerprint(file)
- end
-
- def should_to_s(newvalue)
- self.class.format_value_for_display(fingerprint(newvalue))
- end
-
- def insync?(is)
- is == fingerprint(should)
- end
- end
-
- newparam(:private_key) do
- desc "Path to the private key to add to the nssdb"
- end
-
- newparam(:trustargs) do
- desc "Certificate trust flags for certificate inside the nssdb. Changing the trustargs on an existing certificate in the NSS database is not supported."
- isrequired
- end
-
- newparam(:password_file) do
- desc "Path to file containing the nssdb password"
- isrequired
- end
-
- autorequire(:file) do
- [self[:password_file], self[:nssdb], self[:certificate], self[:private_key]]
- end
-end
diff --git a/manifests/foreman_proxy_content.pp b/manifests/foreman_proxy_content.pp
index 43ee82ed..9e2318ff 100644
--- a/manifests/foreman_proxy_content.pp
+++ b/manifests/foreman_proxy_content.pp
@@ -27,11 +27,8 @@ class { 'certs::foreman': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
class { 'certs::foreman_proxy': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
class { 'certs::apache': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
- class { 'certs::qpid': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
- class { 'certs::qpid_router::server': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
- class { 'certs::qpid_router::client': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
certs::tar_create { $certs_tar:
- subscribe => Class['certs::puppet', 'certs::foreman', 'certs::foreman_proxy', 'certs::qpid', 'certs::qpid_router::server', 'certs::qpid_router::client', 'certs::apache'],
+ subscribe => Class['certs::puppet', 'certs::foreman', 'certs::foreman_proxy', 'certs::apache'],
}
}
diff --git a/manifests/params.pp b/manifests/params.pp
index 62c29d7f..47719083 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -19,12 +19,4 @@ $candlepin_ca_key = "${candlepin_certs_dir}/candlepin-ca.key"
$pulp_pki_dir = '/etc/pki/pulp'
-
- $qpid_client_cert = "${pulp_pki_dir}/qpid/client.crt"
- $qpid_client_ca_cert = "${pulp_pki_dir}/qpid/ca.crt"
-
- $qpid_router_server_cert = "${pki_dir}/qpid_router_server.crt"
- $qpid_router_client_cert = "${pki_dir}/qpid_router_client.crt"
- $qpid_router_server_key = "${pki_dir}/qpid_router_server.key"
- $qpid_router_client_key = "${pki_dir}/qpid_router_client.key"
}
diff --git a/manifests/qpid.pp b/manifests/qpid.pp
deleted file mode 100644
index 9832245a..00000000
--- a/manifests/qpid.pp
+++ /dev/null
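Review bot: Dropping `certs::qpid`, `certs::qpid_router::server` and `certs::qpid_router::client` from this class and from the `subscribe` list of `certs::tar_create` leaves nothing that retires what those classes deployed on hosts that already ran them. The deleted manifests wrote `qpid_router_server.key` and `qpid_router_client.key` under `$pki_dir`, an NSS database under `${certs::pki_dir}/nssdb` and its password file `${certs::pki_dir}/nss_db_password-file`, and none of the visible hunks adds an `ensure => absent` counterpart, so on an upgraded host that key material presumably stays on disk with its old `qdrouterd`/`qpidd` ownership — worth confirming against an upgrade run. A small cleanup resource here, such as `file { ["${certs::pki_dir}/qpid_router_server.key", "${certs::pki_dir}/qpid_router_client.key", "${certs::pki_dir}/nss_db_password-file"]: ensure => absent }`, would close that gap, and the `nssdb` directory could be handled the same way. The enclosing `certs::foreman_proxy_content` class starts before this hunk.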
@@ -1,71 +0,0 @@
-# Handles Qpid cert configuration
-class certs::qpid (
- Stdlib::Fqdn $hostname = $certs::node_fqdn,
- Array[Stdlib::Fqdn] $cname = $certs::cname,
- Boolean $generate = $certs::generate,
- Boolean $regenerate = $certs::regenerate,
- Boolean $deploy = $certs::deploy,
- String[2,2] $country = $certs::country,
- String $state = $certs::state,
- String $city = $certs::city,
- String $org_unit = $certs::org_unit,
- String $expiration = $certs::expiration,
- Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
- Stdlib::Absolutepath $pki_dir = $certs::pki_dir,
- Stdlib::Absolutepath $ca_cert = $certs::ca_cert,
- String $qpidd_group = 'qpidd',
- String $nss_cert_name = 'broker',
-) inherits certs {
- $qpid_cert_name = "${hostname}-qpid-broker"
-
- cert { $qpid_cert_name:
- ensure => present,
- hostname => $hostname,
- cname => concat($cname, 'localhost'),
- country => $country,
- state => $state,
- city => $city,
- org => 'pulp',
- org_unit => $org_unit,
- expiration => $expiration,
- ca => $certs::default_ca,
- generate => $generate,
- regenerate => $regenerate,
- deploy => false,
- password_file => $ca_key_password_file,
- build_dir => $certs::ssl_build_dir,
- }
-
- if $deploy {
- include certs::ssltools::nssdb
- $nss_db_dir = $certs::ssltools::nssdb::nss_db_dir
- $nss_db_password_file = $certs::ssltools::nssdb::nss_db_password_file
-
- $client_cert = "${pki_dir}/certs/${qpid_cert_name}.crt"
- $client_key = "${pki_dir}/private/${qpid_cert_name}.key"
-
- # Ensure files located at /etc/pki/katello no longer exist
- file { $client_key:
- ensure => absent,
- }
-
- file { $client_cert:
- ensure => absent,
- }
-
- nssdb_certificate { "${nss_db_dir}:ca":
- ensure => present,
- certificate => $ca_cert,
- trustargs => 'TCu,Cu,Tuw',
- password_file => $nss_db_password_file,
- }
-
- nssdb_certificate { "${nss_db_dir}:${nss_cert_name}":
- ensure => present,
- certificate => "${certs::ssl_build_dir}/${hostname}/${qpid_cert_name}.crt",
- private_key => "${certs::ssl_build_dir}/${hostname}/${qpid_cert_name}.key",
- trustargs => ',,',
- password_file => $nss_db_password_file,
- }
- }
-}
diff --git a/manifests/qpid_router/client.pp b/manifests/qpid_router/client.pp
deleted file mode 100644
index 448436e2..00000000
--- a/manifests/qpid_router/client.pp
+++ /dev/null
@@ -1,54 +0,0 @@
-# Constains certs specific configurations for qpid dispatch router
-class certs::qpid_router::client (
- String $hostname = $certs::node_fqdn,
- Array[Stdlib::Fqdn] $cname = $certs::cname,
- Boolean $generate = $certs::generate,
- Boolean $regenerate = $certs::regenerate,
- Boolean $deploy = $certs::deploy,
- Stdlib::Absolutepath $cert = $certs::qpid_router_client_cert,
- Stdlib::Absolutepath $key = $certs::qpid_router_client_key,
- String $owner = 'qdrouterd',
- String $group = 'root',
- String[2,2] $country = $certs::country,
- String $state = $certs::state,
- String $city = $certs::city,
- String $org_unit = $certs::org_unit,
- String $expiration = $certs::expiration,
- Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
-) inherits certs {
- $client_keypair = "${hostname}-qpid-router-client"
-
- cert { $client_keypair:
- ensure => present,
- hostname => $hostname,
- cname => $cname,
- country => $country,
- state => $state,
- city => $city,
- org => 'dispatch client',
- org_unit => $org_unit,
- expiration => $expiration,
- ca => $certs::default_ca,
- generate => $generate,
- regenerate => $regenerate,
- deploy => false,
- purpose => 'client',
- password_file => $ca_key_password_file,
- build_dir => $certs::ssl_build_dir,
- }
-
- if $deploy {
- certs::keypair { $client_keypair:
- source_dir => "${certs::ssl_build_dir}/${hostname}",
- key_file => $key,
- key_owner => $owner,
- key_group => $group,
- key_mode => '0440',
- cert_file => $cert,
- cert_owner => $owner,
- cert_group => $group,
- cert_mode => '0640',
- require => Cert[$client_keypair],
- }
- }
-}
diff --git a/manifests/qpid_router/server.pp b/manifests/qpid_router/server.pp
deleted file mode 100644
index ead22864..00000000
--- a/manifests/qpid_router/server.pp
+++ /dev/null
@@ -1,54 +0,0 @@
-# Constains certs specific configurations for qpid dispatch router
-class certs::qpid_router::server (
- Stdlib::Fqdn $hostname = $certs::node_fqdn,
- Array[Stdlib::Fqdn] $cname = $certs::cname,
- Boolean $generate = $certs::generate,
- Boolean $regenerate = $certs::regenerate,
- Boolean $deploy = $certs::deploy,
- Stdlib::Absolutepath $cert = $certs::qpid_router_server_cert,
- Stdlib::Absolutepath $key = $certs::qpid_router_server_key,
- String $owner = 'qdrouterd',
- String $group = 'root',
- String[2,2] $country = $certs::country,
- String $state = $certs::state,
- String $city = $certs::city,
- String $org_unit = $certs::org_unit,
- String $expiration = $certs::expiration,
- Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
-) inherits certs {
- $server_keypair = "${hostname}-qpid-router-server"
-
- cert { $server_keypair:
- ensure => present,
- hostname => $hostname,
- cname => $cname,
- country => $country,
- state => $state,
- city => $city,
- org => 'dispatch server',
- org_unit => $org_unit,
- expiration => $expiration,
- ca => $certs::default_ca,
- generate => $generate,
- regenerate => $regenerate,
- deploy => false,
- purpose => 'server',
- password_file => $ca_key_password_file,
- build_dir => $certs::ssl_build_dir,
- }
-
- if $deploy {
- certs::keypair { $server_keypair:
- source_dir => "${certs::ssl_build_dir}/${hostname}",
- key_file => $key,
- key_owner => $owner,
- key_group => $group,
- key_mode => '0440',
- cert_file => $cert,
- cert_owner => $owner,
- cert_group => $group,
- cert_mode => '0640',
- require => Cert[$server_keypair],
- }
- }
-}
diff --git a/manifests/ssltools/certutil.pp b/manifests/ssltools/certutil.pp
deleted file mode 100644
index d748fabe..00000000
--- a/manifests/ssltools/certutil.pp
+++ /dev/null
@@ -1,28 +0,0 @@
-# type to append cert to nssdb
-define certs::ssltools::certutil (
- Stdlib::Absolutepath $nss_db_dir,
- Stdlib::Absoluatepath $client_cert,
- String $cert_name = $title,
- Boolean $refreshonly = true,
- Boolean $trustargs = ',,',
-) {
- include certs::ssltools::nssdb
-
- # lint:ignore:relative_classname_reference
- Class['::certs::ssltools::nssdb'] ->
- # lint:endignore
- exec { "delete ${cert_name}":
- path => ['/bin', '/usr/bin'],
- command => "certutil -D -d ${nss_db_dir} -n '${cert_name}'",
- onlyif => "certutil -L -d ${nss_db_dir} | grep '^${cert_name}\\b'",
- logoutput => true,
- refreshonly => $refreshonly,
- } ->
- exec { $cert_name:
- path => ['/bin', '/usr/bin'],
- command => "certutil -A -d '${nss_db_dir}' -n '${cert_name}' -t '${trustargs}' -a -i '${client_cert}' -f '${certs::ssltools::nssdb::nss_db_password_file}'",
- unless => "certutil -L -d ${nss_db_dir} | grep '^${cert_name}\\b'",
- logoutput => true,
- refreshonly => $refreshonly,
- }
-}
diff --git a/manifests/ssltools/nssdb.pp b/manifests/ssltools/nssdb.pp
deleted file mode 100644
index ec90db70..00000000
--- a/manifests/ssltools/nssdb.pp
+++ /dev/null
@@ -1,26 +0,0 @@
-# Sets up nssdb
-class certs::ssltools::nssdb (
- Stdlib::Absolutepath $nss_db_dir = "${certs::pki_dir}/nssdb",
- Stdlib::Absolutepath $nss_db_password_file = "${certs::pki_dir}/nss_db_password-file",
- String[10] $nss_db_password = extlib::cache_data('foreman_cache_data', 'certs-nss-db-password', extlib::random_password(32)),
- String[1] $group = 'qpidd',
-) {
- stdlib::ensure_packages(['nss-tools'])
-
- file { $nss_db_password_file:
- ensure => file,
- content => $nss_db_password,
- show_diff => false,
- owner => 'root',
- group => $group,
- mode => '0640',
- }
-
- nssdb { $nss_db_dir:
- ensure => present,
- password_file => $nss_db_password_file,
- owner => 'root',
- group => $group,
- mode => '0640',
- }
-}
diff --git a/spec/acceptance/foreman_proxy_content_spec.rb b/spec/acceptance/foreman_proxy_content_spec.rb
index bdab6658..3554a32e 100644
--- a/spec/acceptance/foreman_proxy_content_spec.rb
+++ b/spec/acceptance/foreman_proxy_content_spec.rb
@@ -35,25 +35,16 @@ class { 'certs::foreman_proxy_content':
'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-foreman-proxy-1.0-1.noarch.rpm',
'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-foreman-proxy-client-1.0-1.noarch.rpm',
'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-puppet-client-1.0-1.noarch.rpm',
- 'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-qpid-broker-1.0-1.noarch.rpm',
- 'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-qpid-router-client-1.0-1.noarch.rpm',
- 'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-qpid-router-server-1.0-1.noarch.rpm',
'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-apache.crt',
'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-foreman-client.crt',
'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-foreman-proxy-client.crt',
'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-foreman-proxy.crt',
'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-puppet-client.crt',
- 'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-qpid-broker.crt',
- 'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-qpid-router-client.crt',
- 'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-qpid-router-server.crt',
'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-apache.key',
'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-foreman-client.key',
'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-foreman-proxy-client.key',
'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-foreman-proxy.key',
'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-puppet-client.key',
- 'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-qpid-broker.key',
- 'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-qpid-router-client.key',
- 'ssl-build/foreman-proxy.example.com/foreman-proxy.example.com-qpid-router-server.key',
]
end
diff --git a/spec/acceptance/qpid_router_client_spec.rb b/spec/acceptance/qpid_router_client_spec.rb
deleted file mode 100644
index 378108d4..00000000
--- a/spec/acceptance/qpid_router_client_spec.rb
+++ /dev/null
@@ -1,114 +0,0 @@
-require 'spec_helper_acceptance'
-
-describe 'certs::qpid_router::client' do
- fqdn = fact('fqdn')
-
- before(:all) do
- on default, 'rm -rf /root/ssl-build'
-
- manifest = <<~MANIFEST
- user { 'qdrouterd':
- ensure => present,
- system => true,
- }
- MANIFEST
- apply_manifest(manifest, catch_failures: true)
- end
-
- context 'with default parameters' do
- it_behaves_like 'an idempotent resource' do
- let(:manifest) { 'include certs::qpid_router::client' }
- end
-
- describe x509_certificate('/etc/pki/katello/qpid_router_client.crt') do
- it { should be_certificate }
- it { should be_valid }
- it { should have_purpose 'client' }
- its(:issuer) { should eq("C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}") }
- its(:subject) { should eq("C = US, ST = North Carolina, O = dispatch client, OU = SomeOrgUnit, CN = #{fqdn}") }
- its(:keylength) { should be >= 4096 }
- end
-
- describe file('/etc/pki/katello/qpid_router_client.crt') do
- it { should be_file }
- it { should be_mode 640 }
- it { should be_owned_by 'qdrouterd' }
- it { should be_grouped_into 'root' }
- end
-
- describe x509_private_key('/etc/pki/katello/qpid_router_client.key') do
- it { should_not be_encrypted }
- it { should be_valid }
- it { should have_matching_certificate('/etc/pki/katello/qpid_router_client.crt') }
- end
-
- describe file('/etc/pki/katello/qpid_router_client.key') do
- it { should be_file }
- it { should be_mode 440 }
- it { should be_owned_by 'qdrouterd' }
- it { should be_grouped_into 'root' }
- end
-
- describe x509_certificate("/root/ssl-build/#{fqdn}/#{fqdn}-qpid-router-client.crt") do
- it { should be_certificate }
- it { should be_valid }
- it { should have_purpose 'client' }
- its(:issuer) { should eq("C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}") }
- its(:subject) { should eq("C = US, ST = North Carolina, O = dispatch client, OU = SomeOrgUnit, CN = #{fqdn}") }
- its(:keylength) { should be >= 4096 }
- end
-
- describe x509_private_key("/root/ssl-build/#{fqdn}/#{fqdn}-qpid-router-client.key") do
- it { should_not be_encrypted }
- it { should be_valid }
- it { should have_matching_certificate("/root/ssl-build/#{fqdn}/#{fqdn}-qpid-router-client.crt") }
- end
-
- describe package("#{fact('fqdn')}-qpid-router-client") do
- it { should_not be_installed }
- end
- end
-
- context 'with deploy false' do
- before(:context) do
- on default, 'rm -rf /root/ssl-build /etc/pki/katello'
- end
-
- it_behaves_like 'an idempotent resource' do
- let(:manifest) do
- <<-PUPPET
- class { 'certs::qpid_router::client':
- deploy => false
- }
- PUPPET
- end
- end
-
- describe x509_certificate("/root/ssl-build/#{fact('fqdn')}/#{fact('fqdn')}-qpid-router-client.crt") do
- it { should be_certificate }
- it { should be_valid }
- it { should have_purpose 'client' }
- its(:issuer) { should eq("C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}") }
- its(:subject) { should eq("C = US, ST = North Carolina, O = dispatch client, OU = SomeOrgUnit, CN = #{fact('fqdn')}") }
- its(:keylength) { should be >= 4096 }
- end
-
- describe x509_private_key("/root/ssl-build/#{fact('fqdn')}/#{fact('fqdn')}-qpid-router-client.key") do
- it { should_not be_encrypted }
- it { should be_valid }
- it { should have_matching_certificate("/root/ssl-build/#{fact('fqdn')}/#{fact('fqdn')}-qpid-router-client.crt") }
- end
-
- describe file('/etc/pki/katello/certs/qpid_router_client.crt') do
- it { should_not exist }
- end
-
- describe file('/etc/pki/katello/private/qpid_router_client.key') do
- it { should_not exist }
- end
-
- describe package("#{fact('fqdn')}-qpid-router-client") do
- it { should_not be_installed }
- end
- end
-end
diff --git a/spec/acceptance/qpid_router_server_spec.rb b/spec/acceptance/qpid_router_server_spec.rb
deleted file mode 100644
index d525b724..00000000
--- a/spec/acceptance/qpid_router_server_spec.rb
+++ /dev/null
@@ -1,114 +0,0 @@
-require 'spec_helper_acceptance'
-
-describe 'certs::qpid_router::server' do
- fqdn = fact('fqdn')
-
- before(:all) do
- on default, 'rm -rf /root/ssl-build'
-
- manifest = <<~MANIFEST
- user { 'qdrouterd':
- ensure => present,
- system => true,
- }
- MANIFEST
- apply_manifest(manifest, catch_failures: true)
- end
-
- context 'with default parameters' do
- it_behaves_like 'an idempotent resource' do
- let(:manifest) { 'include certs::qpid_router::server' }
- end
-
- describe x509_certificate('/etc/pki/katello/qpid_router_server.crt') do
- it { should be_certificate }
- it { should be_valid }
- it { should have_purpose 'server' }
- its(:issuer) { should eq("C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}") }
- its(:subject) { should eq("C = US, ST = North Carolina, O = dispatch server, OU = SomeOrgUnit, CN = #{fqdn}") }
- its(:keylength) { should be >= 4096 }
- end
-
- describe file('/etc/pki/katello/qpid_router_server.crt') do
- it { should be_file }
- it { should be_mode 640 }
- it { should be_owned_by 'qdrouterd' }
- it { should be_grouped_into 'root' }
- end
-
- describe x509_private_key('/etc/pki/katello/qpid_router_server.key') do
- it { should_not be_encrypted }
- it { should be_valid }
- it { should have_matching_certificate('/etc/pki/katello/qpid_router_server.crt') }
- end
-
- describe file('/etc/pki/katello/qpid_router_server.key') do
- it { should be_file }
- it { should be_mode 440 }
- it { should be_owned_by 'qdrouterd' }
- it { should be_grouped_into 'root' }
- end
-
- describe x509_certificate("/root/ssl-build/#{fqdn}/#{fqdn}-qpid-router-server.crt") do
- it { should be_certificate }
- it { should be_valid }
- it { should have_purpose 'server' }
- its(:issuer) { should eq("C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}") }
- its(:subject) { should eq("C = US, ST = North Carolina, O = dispatch server, OU = SomeOrgUnit, CN = #{fqdn}") }
- its(:keylength) { should be >= 4096 }
- end
-
- describe x509_private_key("/root/ssl-build/#{fqdn}/#{fqdn}-qpid-router-server.key") do
- it { should_not be_encrypted }
- it { should be_valid }
- it { should have_matching_certificate("/root/ssl-build/#{fqdn}/#{fqdn}-qpid-router-server.crt") }
- end
-
- describe package("#{fact('fqdn')}-qpid-router-server") do
- it { should_not be_installed }
- end
- end
-
- context 'with deploy false' do
- before(:context) do
- on default, 'rm -rf /root/ssl-build /etc/pki/katello'
- end
-
- it_behaves_like 'an idempotent resource' do
- let(:manifest) do
- <<-PUPPET
- class { 'certs::qpid_router::server':
- deploy => false
- }
- PUPPET
- end
- end
-
- describe x509_certificate("/root/ssl-build/#{fact('fqdn')}/#{fact('fqdn')}-qpid-router-server.crt") do
- it { should be_certificate }
- it { should be_valid }
- it { should have_purpose 'server' }
- its(:issuer) { should eq("C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}") }
- its(:subject) { should eq("C = US, ST = North Carolina, O = dispatch server, OU = SomeOrgUnit, CN = #{fact('fqdn')}") }
- its(:keylength) { should be >= 4096 }
- end
-
- describe x509_private_key("/root/ssl-build/#{fact('fqdn')}/#{fact('fqdn')}-qpid-router-server.key") do
- it { should_not be_encrypted }
- it { should be_valid }
- it { should have_matching_certificate("/root/ssl-build/#{fact('fqdn')}/#{fact('fqdn')}-qpid-router-server.crt") }
- end
-
- describe file('/etc/pki/katello/certs/qpid_router_server.crt') do
- it { should_not exist }
- end
-
- describe file('/etc/pki/katello/private/qpid_router_server.key') do
- it { should_not exist }
- end
-
- describe package("#{fact('fqdn')}-qpid-router-server") do
- it { should_not be_installed }
- end
- end
-end
diff --git a/spec/acceptance/qpid_spec.rb b/spec/acceptance/qpid_spec.rb
deleted file mode 100644
index 252a9a01..00000000
--- a/spec/acceptance/qpid_spec.rb
+++ /dev/null
@@ -1,108 +0,0 @@
-require 'spec_helper_acceptance'
-
-describe 'certs' do
- nssdb_dir = '/etc/pki/katello/nssdb'
- nssdb_password_file = "/etc/pki/katello/nss_db_password-file"
- fqdn = fact('fqdn')
-
- before(:all) do
- on default, 'rm -rf /root/ssl-build'
- end
-
- context 'with default params' do
- it_behaves_like 'an idempotent resource' do
- let(:manifest) do
- <<-PUPPET
- user { 'qpidd':
- ensure => present,
- }
-
- include certs::qpid
- PUPPET
- end
- end
-
- describe file("/etc/pki/katello/certs/#{fqdn}-qpid-broker.crt") do
- it { should_not exist }
- end
-
- describe file("/etc/pki/katello/private/#{fqdn}-qpid-broker.key") do
- it { should_not exist }
- end
-
- describe file(nssdb_password_file) do
- it { should be_file }
- it { should be_mode 640 }
- it { should be_owned_by 'root' }
- it { should be_grouped_into 'qpidd' }
- end
-
- describe file(nssdb_dir) do
- it { should be_directory }
- it { should be_mode 750 }
- it { should be_owned_by 'root' }
- it { should be_grouped_into 'qpidd' }
- end
-
- describe command("certutil -L -d #{nssdb_dir}") do
- its(:exit_status) { should eq 0 }
- its(:stdout) { should match(/^ca CT,C,c$/i) }
- its(:stdout) { should match(/^broker u,u,u$/i) }
- end
-
- describe command("certutil -L -d #{nssdb_dir} -n ca") do
- its(:exit_status) { should eq 0 }
- its(:stdout) { should match_without_whitespace(/Subject: "CN=#{fqdn},OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US"/) }
- its(:stdout) { should match_without_whitespace(/Issuer: "CN=#{fqdn},OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US"/) }
- end
-
- describe command("certutil -L -d #{nssdb_dir} -n broker") do
- its(:exit_status) { should eq 0 }
- its(:stdout) { should match_without_whitespace(/Subject: "CN=#{fqdn},OU=SomeOrgUnit,O=pulp,ST=North Carolina,C=US"/) }
- its(:stdout) { should match_without_whitespace(/Issuer: "CN=#{fqdn},OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US"/) }
- end
-
- describe command("certutil -K -d #{nssdb_dir} -f #{nssdb_password_file} -n broker") do
- its(:exit_status) { should eq 0 }
- its(:stdout) { should match(/rsa/) }
- end
- end
-
- context 'updates certificate in nssdb if it changes' do
- let(:pp) do
- <<-PUPPET
- user { 'qpidd':
- ensure => present,
- }
-
- include certs::qpid
- PUPPET
- end
-
- it "checks that the fingerprint matches" do
- apply_manifest(pp, catch_failures: true)
-
- initial_fingerprint_output = on default, "openssl x509 -noout -fingerprint -sha256 -in /root/ssl-build/#{fqdn}/#{fqdn}-qpid-broker.crt"
- initial_fingerprint = initial_fingerprint_output.output.strip.split('=').last
- initial_truststore_output = on default, "certutil -L -d #{nssdb_dir} -n broker"
- initial_nssdb_private_key_output = on default, "certutil -K -d #{nssdb_dir} -f #{nssdb_password_file} -n broker"
- initial_nssdb_private_key_modulus = initial_nssdb_private_key_output.output.strip.split("\n").last.match(%r{.*rsa(?.*)broker})[:modulus].strip
- expect(initial_truststore_output.output.strip).to include(initial_fingerprint)
-
- on default, "rm -rf /root/ssl-build/#{fqdn}"
- apply_manifest(pp, catch_failures: true)
-
- fingerprint_output = on default, "openssl x509 -noout -fingerprint -sha256 -in /root/ssl-build/#{fqdn}/#{fqdn}-qpid-broker.crt"
- fingerprint = fingerprint_output.output.strip.split('=').last
- initial_truststore_output = on default, "certutil -L -d #{nssdb_dir} -n broker"
- truststore_output = on default, "certutil -L -d #{nssdb_dir} -n broker"
- nssdb_private_key_output = on default, "certutil -K -d #{nssdb_dir} -f #{nssdb_password_file} -n broker"
- nssdb_private_key_modulus = nssdb_private_key_output.output.strip.split("\n").last.match(%r{.*rsa(?.*)broker})[:modulus].strip
-
- expect(nssdb_private_key_modulus.to_s).not_to eq(initial_nssdb_private_key_modulus.to_s)
- expect(truststore_output.output.strip).to include(fingerprint)
- expect(fingerprint).not_to eq(initial_fingerprint)
- expect(truststore_output.output.strip).not_to include(initial_fingerprint)
- end
- end
-end
diff --git a/spec/classes/certs_qpid_router_client_spec.rb b/spec/classes/certs_qpid_router_client_spec.rb
deleted file mode 100644
index ae193a5c..00000000
--- a/spec/classes/certs_qpid_router_client_spec.rb
+++ /dev/null
@@ -1,15 +0,0 @@
-require 'spec_helper'
-
-describe 'certs::qpid_router::client' do
- on_supported_os.each do |os, os_facts|
- context "on #{os}" do
- let :facts do
- os_facts
- end
-
- describe 'with default parameters' do
- it { should compile.with_all_deps }
- end
- end
- end
-end
diff --git a/spec/classes/certs_qpid_router_server_spec.rb b/spec/classes/certs_qpid_router_server_spec.rb
deleted file mode 100644
index fd18d415..00000000
--- a/spec/classes/certs_qpid_router_server_spec.rb
+++ /dev/null
@@ -1,15 +0,0 @@
-require 'spec_helper'
-
-describe 'certs::qpid_router::server' do
- on_supported_os.each do |os, os_facts|
- context "on #{os}" do
- let :facts do
- os_facts
- end
-
- describe 'with default parameters' do
- it { should compile.with_all_deps }
- end
- end
- end
-end
diff --git a/spec/classes/certs_qpid_spec.rb b/spec/classes/certs_qpid_spec.rb
deleted file mode 100644
index 6a195ac1..00000000
--- a/spec/classes/certs_qpid_spec.rb
+++ /dev/null
@@ -1,40 +0,0 @@
-require 'spec_helper'
-
-describe 'certs::qpid' do
- on_supported_os.each do |os, os_facts|
- context "on #{os}" do
- let :facts do
- os_facts
- end
-
- describe "with default parameters" do
- it { is_expected.to compile.with_all_deps }
-
- it do
- is_expected.to contain_cert('foo.example.com-qpid-broker')
- .with_hostname('foo.example.com')
- .with_cname(['localhost'])
- end
-
- it { is_expected.to contain_class('certs::ssltools::nssdb') }
-
- it do
- is_expected.to contain_nssdb_certificate('/etc/pki/katello/nssdb:ca')
- .with_ensure('present')
- .with_certificate('/etc/pki/katello/certs/katello-default-ca.crt')
- .with_trustargs('TCu,Cu,Tuw')
- .with_password_file('/etc/pki/katello/nss_db_password-file')
- end
-
- it do
- is_expected.to contain_nssdb_certificate('/etc/pki/katello/nssdb:broker')
- .with_ensure('present')
- .with_certificate('/root/ssl-build/foo.example.com/foo.example.com-qpid-broker.crt')
- .with_private_key('/root/ssl-build/foo.example.com/foo.example.com-qpid-broker.key')
- .with_trustargs(',,')
- .with_password_file('/etc/pki/katello/nss_db_password-file')
- end
- end
- end
- end
-end