diff --git a/README.md b/README.md index b8c52e5b0..5f31edd73 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ Currently Supported modules: * BMC - BMC management of devices supported by freeipmi and ipmitool * DHCP - ISC DHCP and MS DHCP Servers * DNS - Bind and MS DNS Servers - * Puppet - Any Puppet server from 4.4, 6+ recommended + * Puppet - Puppetserver 6 or 7 * Puppet CA - Manage certificate signing, cleaning and autosign on a Puppet CA server * Realm - Manage host registration to a realm (e.g. FreeIPA) * TFTP - any UNIX based tftp server diff --git a/config/settings.d/puppetca.yml.example b/config/settings.d/puppetca.yml.example index 22a092aed..60c288d16 100644 --- a/config/settings.d/puppetca.yml.example +++ b/config/settings.d/puppetca.yml.example @@ -6,6 +6,3 @@ # - puppetca_hostname_whitelisting (verify CSRs based on a hostname whitelist) # - puppetca_token_whitelisting (verify CSRs based on a token whitelist) #:use_provider: puppetca_hostname_whitelisting - -# Puppet version used -#:puppet_version: '4.1' diff --git a/config/settings.d/puppetca_puppet_cert.yml.example b/config/settings.d/puppetca_puppet_cert.yml.example deleted file mode 100644 index ddee3246e..000000000 --- a/config/settings.d/puppetca_puppet_cert.yml.example +++ /dev/null @@ -1,4 +0,0 @@ ---- -#:ssldir: /var/lib/puppet/ssl -#:puppetca_use_sudo: true -#:sudo_command: /usr/bin/sudo diff --git a/lib/smart_proxy_main.rb b/lib/smart_proxy_main.rb index 6428cda65..0ebc22b2c 100644 --- a/lib/smart_proxy_main.rb +++ b/lib/smart_proxy_main.rb @@ -63,7 +63,6 @@ module Proxy require 'dhcp_libvirt/dhcp_libvirt' require 'puppetca/puppetca' require 'puppetca_http_api/puppetca_http_api' - require 'puppetca_puppet_cert/puppetca_puppet_cert' require 'puppetca_hostname_whitelisting/puppetca_hostname_whitelisting' require 'puppetca_token_whitelisting/puppetca_token_whitelisting' require 'puppet_proxy/puppet' diff --git a/modules/puppetca/plugin_configuration.rb b/modules/puppetca/plugin_configuration.rb index c181e99cf..7d42520ad 100644 --- a/modules/puppetca/plugin_configuration.rb +++ b/modules/puppetca/plugin_configuration.rb @@ -6,11 +6,9 @@ def load_classes end def load_programmable_settings(settings) - raise ::Proxy::Error::ConfigurationError, "Parameter ':puppet_version' is expected to have a non-empty value" if settings[:puppet_version].to_s.empty? - use_provider = settings[:use_provider] use_provider = [use_provider].compact unless use_provider.is_a?(Array) - use_provider << ((Gem::Version.new(settings[:puppet_version].to_s) >= Gem::Version.new('6.0')) ? :puppetca_http_api : :puppetca_puppet_cert) + use_provider << :puppetca_http_api settings[:use_provider] = use_provider settings diff --git a/modules/puppetca_puppet_cert/plugin_configuration.rb b/modules/puppetca_puppet_cert/plugin_configuration.rb deleted file mode 100644 index bbf448841..000000000 --- a/modules/puppetca_puppet_cert/plugin_configuration.rb +++ /dev/null @@ -1,15 +0,0 @@ -module Proxy - module PuppetCa - module PuppetcaPuppetCert - class PluginConfiguration - def load_classes - require 'puppetca_puppet_cert/puppetca_impl' - end - - def load_dependency_injection_wirings(container_instance, settings) - container_instance.dependency :puppetca_impl, -> { ::Proxy::PuppetCa::PuppetcaPuppetCert::PuppetcaImpl.new } - end - end - end - end -end diff --git a/modules/puppetca_puppet_cert/puppetca_impl.rb b/modules/puppetca_puppet_cert/puppetca_impl.rb deleted file mode 100644 index 36a61aeae..000000000 --- a/modules/puppetca_puppet_cert/puppetca_impl.rb +++ /dev/null @@ -1,157 +0,0 @@ -require 'English' -require 'openssl' -require 'set' - -module ::Proxy::PuppetCa::PuppetcaPuppetCert - class PuppetcaImpl - include ::Proxy::Log - include ::Proxy::Util - - def sign(certname) - puppetca("sign", certname) - end - - def clean(certname) - puppetca("clean", certname) - end - - # list of all certificates and their state/fingerprint - def list - find_puppetca - command = "#{@sudo} #{@puppetca} --list --all" - logger.debug "Executing #{command}" - response = `#{command}` - unless $CHILD_STATUS == 0 - logger.warn "Failed to run puppetca: #{response}" - raise "Execution of puppetca failed, check log files" - end - - hash = {} - response.split("\n").each do |line| - hash.merge! certificate(line) rescue logger.warn("Failed to parse line: #{line}") - end - # merge all data into one - # note that this ignores certificates which were revoked multiple times, displaying only the last - # revocation state - # additionally, we don't merge revocation info if the host has a pending certificate request - hash.merge(ca_inventory) { |key, h1, h2| (h1[:state] == "pending") ? h1 : h1.merge(h2) } - end - - def pending - all.delete_if { |k, v| v[:state] != "pending" } - end - - # helper to find puppetca and sudo binaries - # checks if our CA really exists - def find_puppetca - ssl_dir = Pathname.new ssldir - unless (ssl_dir + "ca").directory? - logger.warn "PuppetCA: SSL/CA unavailable on this machine: ssldir not found at #{ssl_dir}" - raise "SSL/CA unavailable on this machine" - end - - default_path = ["/opt/puppet/bin", "/opt/puppet/sbin", "/opt/puppetlabs/bin"] - @puppetca = which("puppetca", default_path) || which("puppet", default_path) - - unless File.exist?(@puppetca.to_s) - logger.warn "unable to find puppetca binary" - raise "unable to find puppetca" - end - # Append cert to the puppet command if we are not using the old puppetca command - logger.debug "Found puppetca at #{@puppetca}" - @puppetca << " cert" unless @puppetca.include?("puppetca") - - # Tell puppetca to use the ssl dir that Foreman has been told to use - @puppetca << " --ssldir #{ssl_dir}" - - if use_sudo? - @sudo = sudo_command || which("sudo") - unless File.exist?(@sudo) - logger.warn "unable to find sudo binary" - raise "Unable to find sudo" - end - logger.debug "Found sudo at #{@sudo}" - @sudo = "#{@sudo} -S" - else - @sudo = "" - end - end - - def ssldir - Proxy::PuppetCa::PuppetcaPuppetCert::Plugin.settings.ssldir - end - - def use_sudo? - to_bool(::Proxy::PuppetCa::PuppetcaPuppetCert::Plugin.settings.puppetca_use_sudo, true) - end - - def sudo_command - ::Proxy::PuppetCa::PuppetcaPuppetCert::Plugin.settings.sudo_command - end - - # parse the puppetca --list output - def certificate(str) - case str - when /(\+|\-)\s+["]{0,1}(.*\w)["]{0,1}\s+\((\S+)\)/ - state = ($1 == "-") ? "revoked" : "valid" - { $2.strip => { :state => state, :fingerprint => $3 } } - when /\s*["]{0,1}(.*\w)["]{0,1}\s+\((\S+)\)/ - { $1.strip => { :state => "pending", :fingerprint => $2 } } - else - {} - end - end - - def ca_inventory - inventory = Pathname.new(ssldir).join("ca", "inventory.txt") - raise "Unable to find CA inventory file at #{inventory}" unless File.exist?(inventory) - crl_path = Pathname.new(ssldir).join("ca", "ca_crl.pem") - raise "Unable to find CRL" unless File.exist?(crl_path) - compute_ca_inventory(File.read(inventory), File.read(crl_path)) - end - - def compute_ca_inventory(inventory_contents, crl_cert_contents) - inventory = parse_inventory(inventory_contents) - crl = revoked_serials(crl_cert_contents) - inventory.each do |_, values| - values[:state] = "revoked" if crl.include?(values[:serial]) - end - inventory - end - - def parse_inventory(inventory_contents) - to_return = {} - inventory_contents.each_line do |cert| - # 0x005a 2011-04-16T07:12:46GMT 2016-04-14T07:12:46GMT /CN=uuid - # 0x005c 2017-01-07T11:23:20GMT 2022-01-17T11:23:20GMT /CN=name.mcollective/OU=mcollective - if cert =~ /(0(x|X)(\d|[a-f]|[A-F])+)\s+(\d+\S+)\s+(\d+\S+)\s+\/CN=([^\s\/]+)/ - to_return[$6] = {:serial => $1.to_i(16), :not_before => $4, :not_after => $5} - end - end - to_return - end - - def revoked_serials(crl_cert_contents) - Set.new(OpenSSL::X509::CRL.new(crl_cert_contents).revoked.collect { |r| r.serial.to_i }) - end - - def puppetca(mode, certname) - raise "Invalid mode #{mode}" unless mode =~ /^(clean|sign)$/ - find_puppetca - certname.downcase! - command = "#{@sudo} #{@puppetca} --#{mode} #{certname}" - logger.debug "Executing #{command}" - response = `#{command} 2>&1` - if $CHILD_STATUS.success? - logger.debug "#{mode}ed puppet certificate for #{certname}" - elsif response =~ /Could not find client certificate/ || $CHILD_STATUS.exitstatus == 24 - logger.debug "Attempt to remove nonexistent client certificate for #{certname}" - raise ::Proxy::PuppetCa::NotPresent, "Attempt to remove nonexistent client certificate for #{certname}" - else - logger.warn "Failed to run puppetca: #{response}" - raise "Execution of puppetca failed, check log files" - end - $CHILD_STATUS.success? - end - end -end diff --git a/modules/puppetca_puppet_cert/puppetca_puppet_cert.rb b/modules/puppetca_puppet_cert/puppetca_puppet_cert.rb deleted file mode 100644 index 1015d61fc..000000000 --- a/modules/puppetca_puppet_cert/puppetca_puppet_cert.rb +++ /dev/null @@ -1,2 +0,0 @@ -require 'puppetca_puppet_cert/plugin_configuration' -require 'puppetca_puppet_cert/puppetca_puppet_cert_plugin' diff --git a/modules/puppetca_puppet_cert/puppetca_puppet_cert_plugin.rb b/modules/puppetca_puppet_cert/puppetca_puppet_cert_plugin.rb deleted file mode 100644 index f6542b621..000000000 --- a/modules/puppetca_puppet_cert/puppetca_puppet_cert_plugin.rb +++ /dev/null @@ -1,11 +0,0 @@ -module ::Proxy::PuppetCa::PuppetcaPuppetCert - class Plugin < ::Proxy::Provider - plugin :puppetca_puppet_cert, ::Proxy::VERSION - - requires :puppetca, ::Proxy::VERSION - default_settings :ssldir => '/var/lib/puppet/ssl' - - load_classes ::Proxy::PuppetCa::PuppetcaPuppetCert::PluginConfiguration - load_dependency_injection_wirings ::Proxy::PuppetCa::PuppetcaPuppetCert::PluginConfiguration - end -end diff --git a/test/puppet/integration_test.rb b/test/puppet/integration_test.rb index 6ff877f37..3eb9ddc2e 100644 --- a/test/puppet/integration_test.rb +++ b/test/puppet/integration_test.rb @@ -18,7 +18,7 @@ def test_features ssl_key = Tempfile.new('ssl_key') begin - Proxy::DefaultModuleLoader.any_instance.expects(:load_configuration_file).with('puppet.yml').returns(enabled: true, puppet_version: '5.5.8') + Proxy::DefaultModuleLoader.any_instance.expects(:load_configuration_file).with('puppet.yml').returns(enabled: true) Proxy::DefaultModuleLoader.any_instance.expects(:load_configuration_file).with('puppet_proxy_puppet_api.yml').returns( puppet_url: 'https://puppet.example.com:8140', puppet_ssl_ca: ssl_ca.path, diff --git a/test/puppetca/puppetca_config_test.rb b/test/puppetca/puppetca_config_test.rb deleted file mode 100644 index be104b15b..000000000 --- a/test/puppetca/puppetca_config_test.rb +++ /dev/null @@ -1,27 +0,0 @@ -require 'test_helper' -require 'puppetca/puppetca' - -class PuppetCAConfigTest < Test::Unit::TestCase - def test_omitted_settings_have_default_values - Proxy::PuppetCa::Plugin.load_test_settings() - assert_equal 'puppetca_hostname_whitelisting', Proxy::PuppetCa::Plugin.settings.use_provider - end - - def test_set_puppet_cert_ca_provider_for_4_2 - Proxy::PuppetCa::Plugin.load_test_settings(:puppet_version => '4.2') - configuration = Proxy::PuppetCa::PluginConfiguration.new - assert_includes configuration.load_programmable_settings(Proxy::PuppetCa::Plugin.settings)[:use_provider], :puppetca_puppet_cert - end - - def test_set_puppet_cert_ca_provider_for_4_10_1 - Proxy::PuppetCa::Plugin.load_test_settings(:puppet_version => '4.10.1') - configuration = Proxy::PuppetCa::PluginConfiguration.new - assert_includes configuration.load_programmable_settings(Proxy::PuppetCa::Plugin.settings)[:use_provider], :puppetca_puppet_cert - end - - def test_set_puppet_cert_ca_provider_for_6_6 - Proxy::PuppetCa::Plugin.load_test_settings(:puppet_version => '6.0') - configuration = Proxy::PuppetCa::PluginConfiguration.new - assert_includes configuration.load_programmable_settings(Proxy::PuppetCa::Plugin.settings)[:use_provider], :puppetca_http_api - end -end diff --git a/test/puppetca_http_api/integration_test.rb b/test/puppetca_http_api/integration_test.rb index f770fb80e..2b08b2f40 100644 --- a/test/puppetca_http_api/integration_test.rb +++ b/test/puppetca_http_api/integration_test.rb @@ -19,7 +19,7 @@ def test_features ssl_key = Tempfile.new('ssl_key') begin - Proxy::DefaultModuleLoader.any_instance.expects(:load_configuration_file).with('puppetca.yml').returns(enabled: true, puppet_version: '6.0.0') + Proxy::DefaultModuleLoader.any_instance.expects(:load_configuration_file).with('puppetca.yml').returns(enabled: true) Proxy::DefaultModuleLoader.any_instance.expects(:load_configuration_file).with('puppetca_hostname_whitelisting.yml').returns({}) Proxy::DefaultModuleLoader.any_instance.expects(:load_configuration_file).with('puppetca_http_api.yml').returns( puppet_url: 'https://puppet.example.com:8140', diff --git a/test/puppetca_puppet_cert/fixtures/ca/ca_crl.pem b/test/puppetca_puppet_cert/fixtures/ca/ca_crl.pem deleted file mode 100644 index dd4e0a50c..000000000 --- a/test/puppetca_puppet_cert/fixtures/ca/ca_crl.pem +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN X509 CRL----- -MIIDMDCCARgCAQEwDQYJKoZIhvcNAQELBQAwKjEoMCYGA1UEAwwfUHVwcGV0IENB -OiB0Zm1kZW1vLmJlaXNwaWVsLnh5ehcNMTgwOTEzMTY1MjU1WhcNMjMwOTEyMTY1 -MjU2WjCBiDAgAgEDFw0xODA5MTMxNTUxMTVaMAwwCgYDVR0VBAMKAQEwIAIBAxcN -MTgwOTEzMTYzMzUwWjAMMAoGA1UdFQQDCgEBMCACAQMXDTE4MDkxMzE2MzgwOFow -DDAKBgNVHRUEAwoBATAgAgEDFw0xODA5MTMxNjUyNTZaMAwwCgYDVR0VBAMKAQGg -LzAtMB8GA1UdIwQYMBaAFLZCFAMZYmB00yMXkvOwFCSizD3YMAoGA1UdFAQDAgEE -MA0GCSqGSIb3DQEBCwUAA4ICAQCmr+8cez96ncdo9EM/Njk9iFibyUAqD76C63Xj -l80mArQ4zfYVcBis7vWZkQePZXYVRHWso25lpTPgFxceQBVEO92/VFRZEtDD8sf2 -GrXzYRFwLu5csKVP1V9KDbz4IkH3/56P0n1sDhbmjBcZ35VkfQGCv72zcge1kcZn -HFIx8fe+tborkWy4N4AxDmAyVHVU8XjlDQ+w/vJeVYmf2ZY11kj2i7SPRhJyGL/1 -+sPPAOKjfoDq8fjr9M9H3AIKKxqt5pZpwA1Qf+TSlk6givpEVvZJ9un7jLbfnDz/ -THGnTX8aWg7xMgtx5YlDJ8uhHZ0FtLB5clskZj2h/1KiQW1owORdC9rxXVzPgL/k -kWsDpouF9Vd/a8cCg2TpzmODJ9fKhpFbc8yfAQBsSEkaC/MD5ps3KysjUjo5m7pC -nwwXhA/bUBtZufNPwzJC/Ghpxsge23v3m++Qt8gbzGEJNcJ0YWpebMUxTuswL4yH -K04N5kSTzXl675+ga34mWEZcEscQDIrbH4Q4+2jiZQcuqrZRGeUyA9i5OrPb/FE0 -8hYa64XXXsGU04+xq99RGLcfmNudmKTJ8r+u8ux9PQQdMalIj9/LJSBpfwEH2KHF -BE1XXks7mkpcoM2gPLYRyLSpC6+yDWA+JAnkD/dcSFeGvVoCbdymcoWlBysRoXt/ -OGnNPQ== ------END X509 CRL----- diff --git a/test/puppetca_puppet_cert/fixtures/ca/inventory.txt b/test/puppetca_puppet_cert/fixtures/ca/inventory.txt deleted file mode 100644 index 141dcb832..000000000 --- a/test/puppetca_puppet_cert/fixtures/ca/inventory.txt +++ /dev/null @@ -1,4 +0,0 @@ -0x0001 2018-06-09T09:30:19UTC 2023-06-09T09:30:19UTC /CN=Puppet CA: tfmdemo.beispiel.xyz -0x0002 2018-06-09T09:30:21UTC 2023-06-09T09:30:21UTC /CN=tfmdemo.beispiel.xyz -0x0003 2018-06-09T13:38:05UTC 2023-06-09T13:38:05UTC /CN=tfmcentos7.beispiel.xyz -0x0004 2018-09-12T17:31:00UTC 2023-09-12T17:31:00UTC /CN=tfmcentos7.beispiel.xyz diff --git a/test/puppetca_puppet_cert/fixtures/puppet b/test/puppetca_puppet_cert/fixtures/puppet deleted file mode 100644 index 9a3bc4107..000000000 --- a/test/puppetca_puppet_cert/fixtures/puppet +++ /dev/null @@ -1 +0,0 @@ -# deliberately empty file to simulate the puppet command for tests diff --git a/test/puppetca_puppet_cert/fixtures/sudo b/test/puppetca_puppet_cert/fixtures/sudo deleted file mode 100644 index 574a06c19..000000000 --- a/test/puppetca_puppet_cert/fixtures/sudo +++ /dev/null @@ -1 +0,0 @@ -# fake sudo command diff --git a/test/puppetca_puppet_cert/puppetca_puppet_cert_config_test.rb b/test/puppetca_puppet_cert/puppetca_puppet_cert_config_test.rb deleted file mode 100644 index 8f345a98d..000000000 --- a/test/puppetca_puppet_cert/puppetca_puppet_cert_config_test.rb +++ /dev/null @@ -1,9 +0,0 @@ -require 'test_helper' -require 'puppetca_puppet_cert/puppetca_puppet_cert' - -class PuppetCaPuppetCertConfigTest < Test::Unit::TestCase - def test_omitted_settings_have_default_values - Proxy::PuppetCa::PuppetcaPuppetCert::Plugin.load_test_settings() - assert_equal '/var/lib/puppet/ssl', Proxy::PuppetCa::PuppetcaPuppetCert::Plugin.settings.ssldir - end -end diff --git a/test/puppetca_puppet_cert/puppetca_puppet_cert_test.rb b/test/puppetca_puppet_cert/puppetca_puppet_cert_test.rb deleted file mode 100644 index 51b6b2a8a..000000000 --- a/test/puppetca_puppet_cert/puppetca_puppet_cert_test.rb +++ /dev/null @@ -1,181 +0,0 @@ -require 'test_helper' -require 'tempfile' -require 'fileutils' - -require 'puppetca/puppetca' -require 'puppetca_puppet_cert/puppetca_puppet_cert' -require 'puppetca_puppet_cert/puppetca_impl' - -class PuppetCaPuppetCertImplTest < Test::Unit::TestCase - def setup - @puppet_cert = Proxy::PuppetCa::PuppetcaPuppetCert::PuppetcaImpl.new - end - - def test_which_should_return_a_binary_path - ENV.stubs(:[]).with('PATH').returns(['/foo', '/bin', '/usr/bin'].join(File::PATH_SEPARATOR)) - { '/foo' => false, '/bin' => true, '/usr/bin' => false, '/usr/sbin' => false, '/usr/local/bin' => false, '/usr/local/sbin' => false }.each do |p, r| - FileTest.stubs(:file?).with("#{p}/ls").returns(r) - FileTest.stubs(:executable?).with("#{p}/ls").returns(r) - end - assert_equal '/bin/ls', @puppet_cert.which('ls') - end - - INVENTORY_CONTENTS = <<~EOF - 0x0002 2015-09-01T15:15:57UTC 2020-08-31T15:15:57UTC /CN=revoked.my.domain - 0x0003 2015-09-02T08:34:59UTC 2020-09-01T08:34:59UTC /CN=active.my.domain - 0x0004 2017-01-11T15:04:35UTC 2022-01-11T15:04:35UTC /CN=revoked.my.domain - 0x0005 2017-01-14T12:01:22UTC 2022-01-14T12:01:22UTC /CN=second-active.my.domain/OU=mydepartment - EOF - def test_parse_inventory - assert_equal({"revoked.my.domain" => {:serial => 4, :not_before => "2017-01-11T15:04:35UTC", :not_after => "2022-01-11T15:04:35UTC"}, - "active.my.domain" => {:serial => 3, :not_before => "2015-09-02T08:34:59UTC", :not_after => "2020-09-01T08:34:59UTC"}, - "second-active.my.domain" => {:serial => 5, :not_before => "2017-01-14T12:01:22UTC", :not_after => "2022-01-14T12:01:22UTC"}}, - @puppet_cert.parse_inventory(INVENTORY_CONTENTS)) - end - - CRL_CONTENTS = <<~EOF - -----BEGIN X509 CRL----- - MIIC9DCB3QIBATANBgkqhkiG9w0BAQUFADA0MTIwMAYDVQQDDClQdXBwZXQgQ0E6 - IGx1Y2lkLW5vbnNlbnNlLmFwcGxpZWRsb2dpYy5jYRcNMTcwMTEyMTUzNjM1WhcN - MjIwMTExMTUzNjM2WjBEMCACAQIXDTE3MDExMjEzMDEwOVowDDAKBgNVHRUEAwoB - ATAgAgEEFw0xNzAxMTIxNTM2MzZaMAwwCgYDVR0VBAMKAQGgLzAtMB8GA1UdIwQY - MBaAFPXwC6fTTZGAEGWebeMJobxzTq0IMAoGA1UdFAQDAgECMA0GCSqGSIb3DQEB - BQUAA4ICAQBevzkpnkJOelipZsd8GbV5r7b/5Mc/X9fIoNb7wfDGzRWMNDvp/pqd - 3TeXvHKsgFqjgchQlI+dd+K1eouJm3pYSsT5MYVrJYUJ6kzPgC89tgtEDApnYOjx - rZIWyF6PeWjL8E7ZKNVFX6RS2HbhWLZStDnkJvckXAhN4GXdLdm5FulkXQ7asQTy - 8u1bXWDvRESNuveHuuVyQpfzbnznxUSgf+gJzQ35wbNGZCJDoNlEth6UnIz26LIY - /3dRt/HcybDLoSIV+PF7m2VZZxwcpRCIgjvhCz0fWdfakPYoCn5l3ZGZnv6vL/ss - Mt7bh+b9C0u4g9sQxAYsW21EEFcxVjREXQNn9t/9iqwNn+W90Fee3TJGmWQINO29 - zzPgmYyWZQFHCVPuQE/R6cVrRIFte1PjEycsxcTjVv4f71vIWd/54VW7/7TjXYq5 - 7CnBxWUlWs8N8GwJLzem5DgJvF85YUbVACfNs8JhZc7osLPxFhnZcKz2dLyJgXOj - tzZtHJZG7qxR1n9GmERVpk6OSeK0KKYmb+N9u4mGXYTDG6kl+nj1dU/Uh/yoAwG8 - UCEaly81c8sSHjLI3GetK4WxND0cElcSaFY3q22bDay7drhhCMftcbhxoh9ROI5h - Ldr9eKhzX/iwBRnlcwxVCLSUEP+46oGi8hawrhEUnPxPtftMjPVFTQ== - -----END X509 CRL----- - EOF - - PUPPET_CERT_LIST_OUTPUT = <<~OUTPUT - + "tfmcentos7.beispiel.xyz" (SHA256) B1:7C:A8:EC:2A:37:E6:2D:A6:55:B9:00:DE:2B:36:6B:E1:F0:BA:49:42:91:3D:60:4B:42:81:6F:5E:18:78:C8 - + "tfmdemo.beispiel.xyz" (SHA256) 79:E3:98:2C:FF:53:74:02:6F:96:6D:61:05:85:1A:5F:C6:FB:67:AF:A6:05:24:FA:16:42:21:14:46:86:AC:AF (alt names: "DNS:puppet", "DNS:puppet.beispiel.xyz", "DNS:tfmdemo.beispiel.xyz") - OUTPUT - - PUPPET_CERT_CLEAN_OUTPUT = <<~OUTPUT - Notice: Revoked certificate with serial 4 - Notice: Removing file Puppet::SSL::Certificate tfmcentos7.beispiel.xyz at '/etc/puppetlabs/puppet/ssl/ca/signed/tfmcentos7.beispiel.xyz.pem' - Notice: Removing file Puppet::SSL::Certificate tfmcentos7.beispiel.xyz at '/etc/puppetlabs/puppet/ssl/certs/tfmcentos7.beispiel.xyz.pem' - OUTPUT - - PUPPET_CERT_SIGN_OUTPUT = <<~OUTPUT - Signing Certificate Request for: - "tfmcentos7.beispiel.xyz" (SHA256) 23:B0:F0:83:72:ED:69:8A:E1:06:83:0E:A6:DE:0B:5D:83:0B:58:3B:AB:EE:82:F1:30:1B:39:19:84:5B:4B:10 ** - Notice: Signed certificate request for tfmcentos7.beispiel.xyz - Notice: Removing file Puppet::SSL::CertificateRequest tfmcentos7.beispiel.xyz at '/etc/puppetlabs/puppet/ssl/ca/requests/tfmcentos7.beispiel.xyz.pem' - OUTPUT - - def test_revoked_serials - assert_equal Set.new([2, 4]), @puppet_cert.revoked_serials(CRL_CONTENTS) - end - - def test_compute_ca_inventory - assert_equal({"revoked.my.domain" => {:serial => 4, :not_before => "2017-01-11T15:04:35UTC", :not_after => "2022-01-11T15:04:35UTC", :state => "revoked"}, - "active.my.domain" => {:serial => 3, :not_before => "2015-09-02T08:34:59UTC", :not_after => "2020-09-01T08:34:59UTC"}, - "second-active.my.domain" => {:serial => 5, :not_before => "2017-01-14T12:01:22UTC", :not_after => "2022-01-14T12:01:22UTC"}}, - @puppet_cert.compute_ca_inventory(INVENTORY_CONTENTS, CRL_CONTENTS)) - end - - def test_should_clean_host - @puppet_cert.stubs(:find_puppetca) - @puppet_cert.instance_variable_set('@puppetca', '/tmp/puppet cert') - @puppet_cert.instance_variable_set('@sudo', '') - @puppet_cert.stubs('`').with(' /tmp/puppet cert --clean tfmcentos7.beispiel.xyz 2>&1').returns(PUPPET_CERT_CLEAN_OUTPUT) - - assert @puppet_cert.clean('tfmcentos7.beispiel.xyz') - end - - def test_should_sign_host - @puppet_cert.stubs(:find_puppetca) - @puppet_cert.instance_variable_set('@puppetca', '/tmp/puppet cert') - @puppet_cert.instance_variable_set('@sudo', '') - @puppet_cert.stubs('`').with(' /tmp/puppet cert --sign tfmcentos7.beispiel.xyz 2>&1').returns(PUPPET_CERT_SIGN_OUTPUT) - - assert @puppet_cert.sign('tfmcentos7.beispiel.xyz') - end - - def test_should_list_certs - @puppet_cert.stubs(:find_puppetca) - @puppet_cert.stubs(:ssldir).returns(File.expand_path(File.join(__dir__, '.', 'fixtures'))) - @puppet_cert.instance_variable_set('@puppetca', '/tmp/puppet cert') - @puppet_cert.stubs('`').with(' /tmp/puppet cert --list --all').returns(PUPPET_CERT_LIST_OUTPUT) - Process::Status.any_instance.stubs(:exitstatus).returns(0) - - expected = { - 'Puppet' => { - :not_after => '2023-06-09T09:30:19UTC', - :not_before => '2018-06-09T09:30:19UTC', - :serial => 1, - }, - 'tfmcentos7.beispiel.xyz' => - { - :fingerprint => 'SHA256', - :not_after => '2023-09-12T17:31:00UTC', - :not_before => '2018-09-12T17:31:00UTC', - :serial => 4, - :state => 'valid', - }, - 'tfmdemo.beispiel.xyz' => { - :fingerprint => 'SHA256', - :not_after => '2023-06-09T09:30:21UTC', - :not_before => '2018-06-09T09:30:21UTC', - :serial => 2, - :state => 'valid', - }, - } - - assert_equal expected, @puppet_cert.list - end - - def test_find_puppetca_without_sudo - stub_puppetca_executables - - @puppet_cert.stubs(:use_sudo?).returns(false) - @puppet_cert.find_puppetca - puppetca = @puppet_cert.instance_variable_get('@puppetca') - sudo = @puppet_cert.instance_variable_get('@sudo') - assert_equal "#{@ssldir}/puppet --ssldir #{@ssldir}", puppetca - assert_equal '', sudo - end - - def test_find_puppetca_with_sudo - stub_puppetca_executables - - @puppet_cert.stubs(:use_sudo?).returns(true) - @puppet_cert.find_puppetca - puppetca = @puppet_cert.instance_variable_get('@puppetca') - sudo = @puppet_cert.instance_variable_get('@sudo') - assert_equal "#{@ssldir}/puppet --ssldir #{@ssldir}", puppetca - assert_equal "#{@ssldir}/sudo -S", sudo - end - - def test_find_puppetca_with_sudo_command - stub_puppetca_executables - - @puppet_cert.stubs(:use_sudo?).returns(true) - @puppet_cert.stubs(:sudo_command).returns("#{@ssldir}/sudo") - @puppet_cert.find_puppetca - puppetca = @puppet_cert.instance_variable_get('@puppetca') - sudo = @puppet_cert.instance_variable_get('@sudo') - assert_equal "#{@ssldir}/puppet --ssldir #{@ssldir}", puppetca - assert_equal "#{@ssldir}/sudo -S", sudo - end - - private - - def stub_puppetca_executables - @ssldir = File.expand_path(File.join(__dir__, '.', 'fixtures')) - @puppet_cert.stubs(:ssldir).returns(@ssldir) - - @puppet_cert.stubs(:which).with('puppetca', anything).returns(nil) - @puppet_cert.stubs(:which).with('puppet', anything).returns(File.join(@ssldir, 'puppet')) - @puppet_cert.stubs(:which).with('sudo').returns(File.join(@ssldir, 'sudo')) - end -end