From 6983107b997e66c4fff5b4d447b29dbc6c251d2c Mon Sep 17 00:00:00 2001 From: Ewoud Kohl van Wijngaarden Date: Fri, 8 Jul 2022 16:33:06 +0200 Subject: [PATCH] Fixes #35184 - Drop puppetca_puppet_cert provider Currently for Puppet 6.0 or higher the Puppetserver REST API is used. Puppet 5 is EOL so this can be dropped. Older versions (dating back to Puppet 4) had an incomplete API, but core methods do work. Just the reporting in the UI is incomplete. This means even with Puppet 5 it won't be completely broken. Dropping this allows us to move forward. The current implementation has some coding techniques which need adjustment on Ruby 3. Since nobody should be using the old code, refactoring it is pointless. --- README.md | 2 +- config/settings.d/puppetca.yml.example | 3 - .../puppetca_puppet_cert.yml.example | 4 - lib/smart_proxy_main.rb | 1 - modules/puppetca/plugin_configuration.rb | 4 +- .../plugin_configuration.rb | 15 -- modules/puppetca_puppet_cert/puppetca_impl.rb | 157 --------------- .../puppetca_puppet_cert.rb | 2 - .../puppetca_puppet_cert_plugin.rb | 11 -- test/puppet/integration_test.rb | 2 +- test/puppetca/puppetca_config_test.rb | 27 --- test/puppetca_http_api/integration_test.rb | 2 +- .../fixtures/ca/ca_crl.pem | 20 -- .../fixtures/ca/inventory.txt | 4 - test/puppetca_puppet_cert/fixtures/puppet | 1 - test/puppetca_puppet_cert/fixtures/sudo | 1 - .../puppetca_puppet_cert_config_test.rb | 9 - .../puppetca_puppet_cert_test.rb | 181 ------------------ 18 files changed, 4 insertions(+), 442 deletions(-) delete mode 100644 config/settings.d/puppetca_puppet_cert.yml.example delete mode 100644 modules/puppetca_puppet_cert/plugin_configuration.rb delete mode 100644 modules/puppetca_puppet_cert/puppetca_impl.rb delete mode 100644 modules/puppetca_puppet_cert/puppetca_puppet_cert.rb delete mode 100644 modules/puppetca_puppet_cert/puppetca_puppet_cert_plugin.rb delete mode 100644 test/puppetca/puppetca_config_test.rb delete mode 100644 test/puppetca_puppet_cert/fixtures/ca/ca_crl.pem delete mode 100644 test/puppetca_puppet_cert/fixtures/ca/inventory.txt delete mode 100644 test/puppetca_puppet_cert/fixtures/puppet delete mode 100644 test/puppetca_puppet_cert/fixtures/sudo delete mode 100644 test/puppetca_puppet_cert/puppetca_puppet_cert_config_test.rb delete mode 100644 test/puppetca_puppet_cert/puppetca_puppet_cert_test.rb diff --git a/README.md b/README.md index b8c52e5b0..5f31edd73 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ Currently Supported modules: * BMC - BMC management of devices supported by freeipmi and ipmitool * DHCP - ISC DHCP and MS DHCP Servers * DNS - Bind and MS DNS Servers - * Puppet - Any Puppet server from 4.4, 6+ recommended + * Puppet - Puppetserver 6 or 7 * Puppet CA - Manage certificate signing, cleaning and autosign on a Puppet CA server * Realm - Manage host registration to a realm (e.g. FreeIPA) * TFTP - any UNIX based tftp server diff --git a/config/settings.d/puppetca.yml.example b/config/settings.d/puppetca.yml.example index 22a092aed..60c288d16 100644 --- a/config/settings.d/puppetca.yml.example +++ b/config/settings.d/puppetca.yml.example @@ -6,6 +6,3 @@ # - puppetca_hostname_whitelisting (verify CSRs based on a hostname whitelist) # - puppetca_token_whitelisting (verify CSRs based on a token whitelist) #:use_provider: puppetca_hostname_whitelisting - -# Puppet version used -#:puppet_version: '4.1' diff --git a/config/settings.d/puppetca_puppet_cert.yml.example b/config/settings.d/puppetca_puppet_cert.yml.example deleted file mode 100644 index ddee3246e..000000000 --- a/config/settings.d/puppetca_puppet_cert.yml.example +++ /dev/null @@ -1,4 +0,0 @@ ---- -#:ssldir: /var/lib/puppet/ssl -#:puppetca_use_sudo: true -#:sudo_command: /usr/bin/sudo diff --git a/lib/smart_proxy_main.rb b/lib/smart_proxy_main.rb index 6428cda65..0ebc22b2c 100644 --- a/lib/smart_proxy_main.rb +++ b/lib/smart_proxy_main.rb @@ -63,7 +63,6 @@ module Proxy require 'dhcp_libvirt/dhcp_libvirt' require 'puppetca/puppetca' require 'puppetca_http_api/puppetca_http_api' - require 'puppetca_puppet_cert/puppetca_puppet_cert' require 'puppetca_hostname_whitelisting/puppetca_hostname_whitelisting' require 'puppetca_token_whitelisting/puppetca_token_whitelisting' require 'puppet_proxy/puppet' diff --git a/modules/puppetca/plugin_configuration.rb b/modules/puppetca/plugin_configuration.rb index c181e99cf..7d42520ad 100644 --- a/modules/puppetca/plugin_configuration.rb +++ b/modules/puppetca/plugin_configuration.rb @@ -6,11 +6,9 @@ def load_classes end def load_programmable_settings(settings) - raise ::Proxy::Error::ConfigurationError, "Parameter ':puppet_version' is expected to have a non-empty value" if settings[:puppet_version].to_s.empty? - use_provider = settings[:use_provider] use_provider = [use_provider].compact unless use_provider.is_a?(Array) - use_provider << ((Gem::Version.new(settings[:puppet_version].to_s) >= Gem::Version.new('6.0')) ? :puppetca_http_api : :puppetca_puppet_cert) + use_provider << :puppetca_http_api settings[:use_provider] = use_provider settings diff --git a/modules/puppetca_puppet_cert/plugin_configuration.rb b/modules/puppetca_puppet_cert/plugin_configuration.rb deleted file mode 100644 index bbf448841..000000000 --- a/modules/puppetca_puppet_cert/plugin_configuration.rb +++ /dev/null @@ -1,15 +0,0 @@ -module Proxy - module PuppetCa - module PuppetcaPuppetCert - class PluginConfiguration - def load_classes - require 'puppetca_puppet_cert/puppetca_impl' - end - - def load_dependency_injection_wirings(container_instance, settings) - container_instance.dependency :puppetca_impl, -> { ::Proxy::PuppetCa::PuppetcaPuppetCert::PuppetcaImpl.new } - end - end - end - end -end diff --git a/modules/puppetca_puppet_cert/puppetca_impl.rb b/modules/puppetca_puppet_cert/puppetca_impl.rb deleted file mode 100644 index 36a61aeae..000000000 --- a/modules/puppetca_puppet_cert/puppetca_impl.rb +++ /dev/null @@ -1,157 +0,0 @@ -require 'English' -require 'openssl' -require 'set' - -module ::Proxy::PuppetCa::PuppetcaPuppetCert - class PuppetcaImpl - include ::Proxy::Log - include ::Proxy::Util - - def sign(certname) - puppetca("sign", certname) - end - - def clean(certname) - puppetca("clean", certname) - end - - # list of all certificates and their state/fingerprint - def list - find_puppetca - command = "#{@sudo} #{@puppetca} --list --all" - logger.debug "Executing #{command}" - response = `#{command}` - unless $CHILD_STATUS == 0 - logger.warn "Failed to run puppetca: #{response}" - raise "Execution of puppetca failed, check log files" - end - - hash = {} - response.split("\n").each do |line| - hash.merge! certificate(line) rescue logger.warn("Failed to parse line: #{line}") - end - # merge all data into one - # note that this ignores certificates which were revoked multiple times, displaying only the last - # revocation state - # additionally, we don't merge revocation info if the host has a pending certificate request - hash.merge(ca_inventory) { |key, h1, h2| (h1[:state] == "pending") ? h1 : h1.merge(h2) } - end - - def pending - all.delete_if { |k, v| v[:state] != "pending" } - end - - # helper to find puppetca and sudo binaries - # checks if our CA really exists - def find_puppetca - ssl_dir = Pathname.new ssldir - unless (ssl_dir + "ca").directory? - logger.warn "PuppetCA: SSL/CA unavailable on this machine: ssldir not found at #{ssl_dir}" - raise "SSL/CA unavailable on this machine" - end - - default_path = ["/opt/puppet/bin", "/opt/puppet/sbin", "/opt/puppetlabs/bin"] - @puppetca = which("puppetca", default_path) || which("puppet", default_path) - - unless File.exist?(@puppetca.to_s) - logger.warn "unable to find puppetca binary" - raise "unable to find puppetca" - end - # Append cert to the puppet command if we are not using the old puppetca command - logger.debug "Found puppetca at #{@puppetca}" - @puppetca << " cert" unless @puppetca.include?("puppetca") - - # Tell puppetca to use the ssl dir that Foreman has been told to use - @puppetca << " --ssldir #{ssl_dir}" - - if use_sudo? - @sudo = sudo_command || which("sudo") - unless File.exist?(@sudo) - logger.warn "unable to find sudo binary" - raise "Unable to find sudo" - end - logger.debug "Found sudo at #{@sudo}" - @sudo = "#{@sudo} -S" - else - @sudo = "" - end - end - - def ssldir - Proxy::PuppetCa::PuppetcaPuppetCert::Plugin.settings.ssldir - end - - def use_sudo? - to_bool(::Proxy::PuppetCa::PuppetcaPuppetCert::Plugin.settings.puppetca_use_sudo, true) - end - - def sudo_command - ::Proxy::PuppetCa::PuppetcaPuppetCert::Plugin.settings.sudo_command - end - - # parse the puppetca --list output - def certificate(str) - case str - when /(\+|\-)\s+["]{0,1}(.*\w)["]{0,1}\s+\((\S+)\)/ - state = ($1 == "-") ? "revoked" : "valid" - { $2.strip => { :state => state, :fingerprint => $3 } } - when /\s*["]{0,1}(.*\w)["]{0,1}\s+\((\S+)\)/ - { $1.strip => { :state => "pending", :fingerprint => $2 } } - else - {} - end - end - - def ca_inventory - inventory = Pathname.new(ssldir).join("ca", "inventory.txt") - raise "Unable to find CA inventory file at #{inventory}" unless File.exist?(inventory) - crl_path = Pathname.new(ssldir).join("ca", "ca_crl.pem") - raise "Unable to find CRL" unless File.exist?(crl_path) - compute_ca_inventory(File.read(inventory), File.read(crl_path)) - end - - def compute_ca_inventory(inventory_contents, crl_cert_contents) - inventory = parse_inventory(inventory_contents) - crl = revoked_serials(crl_cert_contents) - inventory.each do |_, values| - values[:state] = "revoked" if crl.include?(values[:serial]) - end - inventory - end - - def parse_inventory(inventory_contents) - to_return = {} - inventory_contents.each_line do |cert| - # 0x005a 2011-04-16T07:12:46GMT 2016-04-14T07:12:46GMT /CN=uuid - # 0x005c 2017-01-07T11:23:20GMT 2022-01-17T11:23:20GMT /CN=name.mcollective/OU=mcollective - if cert =~ /(0(x|X)(\d|[a-f]|[A-F])+)\s+(\d+\S+)\s+(\d+\S+)\s+\/CN=([^\s\/]+)/ - to_return[$6] = {:serial => $1.to_i(16), :not_before => $4, :not_after => $5} - end - end - to_return - end - - def revoked_serials(crl_cert_contents) - Set.new(OpenSSL::X509::CRL.new(crl_cert_contents).revoked.collect { |r| r.serial.to_i }) - end - - def puppetca(mode, certname) - raise "Invalid mode #{mode}" unless mode =~ /^(clean|sign)$/ - find_puppetca - certname.downcase! - command = "#{@sudo} #{@puppetca} --#{mode} #{certname}" - logger.debug "Executing #{command}" - response = `#{command} 2>&1` - if $CHILD_STATUS.success? - logger.debug "#{mode}ed puppet certificate for #{certname}" - elsif response =~ /Could not find client certificate/ || $CHILD_STATUS.exitstatus == 24 - logger.debug "Attempt to remove nonexistent client certificate for #{certname}" - raise ::Proxy::PuppetCa::NotPresent, "Attempt to remove nonexistent client certificate for #{certname}" - else - logger.warn "Failed to run puppetca: #{response}" - raise "Execution of puppetca failed, check log files" - end - $CHILD_STATUS.success? - end - end -end diff --git a/modules/puppetca_puppet_cert/puppetca_puppet_cert.rb b/modules/puppetca_puppet_cert/puppetca_puppet_cert.rb deleted file mode 100644 index 1015d61fc..000000000 --- a/modules/puppetca_puppet_cert/puppetca_puppet_cert.rb +++ /dev/null @@ -1,2 +0,0 @@ -require 'puppetca_puppet_cert/plugin_configuration' -require 'puppetca_puppet_cert/puppetca_puppet_cert_plugin' diff --git a/modules/puppetca_puppet_cert/puppetca_puppet_cert_plugin.rb b/modules/puppetca_puppet_cert/puppetca_puppet_cert_plugin.rb deleted file mode 100644 index f6542b621..000000000 --- a/modules/puppetca_puppet_cert/puppetca_puppet_cert_plugin.rb +++ /dev/null @@ -1,11 +0,0 @@ -module ::Proxy::PuppetCa::PuppetcaPuppetCert - class Plugin < ::Proxy::Provider - plugin :puppetca_puppet_cert, ::Proxy::VERSION - - requires :puppetca, ::Proxy::VERSION - default_settings :ssldir => '/var/lib/puppet/ssl' - - load_classes ::Proxy::PuppetCa::PuppetcaPuppetCert::PluginConfiguration - load_dependency_injection_wirings ::Proxy::PuppetCa::PuppetcaPuppetCert::PluginConfiguration - end -end diff --git a/test/puppet/integration_test.rb b/test/puppet/integration_test.rb index 6ff877f37..3eb9ddc2e 100644 --- a/test/puppet/integration_test.rb +++ b/test/puppet/integration_test.rb @@ -18,7 +18,7 @@ def test_features ssl_key = Tempfile.new('ssl_key') begin - Proxy::DefaultModuleLoader.any_instance.expects(:load_configuration_file).with('puppet.yml').returns(enabled: true, puppet_version: '5.5.8') + Proxy::DefaultModuleLoader.any_instance.expects(:load_configuration_file).with('puppet.yml').returns(enabled: true) Proxy::DefaultModuleLoader.any_instance.expects(:load_configuration_file).with('puppet_proxy_puppet_api.yml').returns( puppet_url: 'https://puppet.example.com:8140', puppet_ssl_ca: ssl_ca.path, diff --git a/test/puppetca/puppetca_config_test.rb b/test/puppetca/puppetca_config_test.rb deleted file mode 100644 index be104b15b..000000000 --- a/test/puppetca/puppetca_config_test.rb +++ /dev/null @@ -1,27 +0,0 @@ -require 'test_helper' -require 'puppetca/puppetca' - -class PuppetCAConfigTest < Test::Unit::TestCase - def test_omitted_settings_have_default_values - Proxy::PuppetCa::Plugin.load_test_settings() - assert_equal 'puppetca_hostname_whitelisting', Proxy::PuppetCa::Plugin.settings.use_provider - end - - def test_set_puppet_cert_ca_provider_for_4_2 - Proxy::PuppetCa::Plugin.load_test_settings(:puppet_version => '4.2') - configuration = Proxy::PuppetCa::PluginConfiguration.new - assert_includes configuration.load_programmable_settings(Proxy::PuppetCa::Plugin.settings)[:use_provider], :puppetca_puppet_cert - end - - def test_set_puppet_cert_ca_provider_for_4_10_1 - Proxy::PuppetCa::Plugin.load_test_settings(:puppet_version => '4.10.1') - configuration = Proxy::PuppetCa::PluginConfiguration.new - assert_includes configuration.load_programmable_settings(Proxy::PuppetCa::Plugin.settings)[:use_provider], :puppetca_puppet_cert - end - - def test_set_puppet_cert_ca_provider_for_6_6 - Proxy::PuppetCa::Plugin.load_test_settings(:puppet_version => '6.0') - configuration = Proxy::PuppetCa::PluginConfiguration.new - assert_includes configuration.load_programmable_settings(Proxy::PuppetCa::Plugin.settings)[:use_provider], :puppetca_http_api - end -end diff --git a/test/puppetca_http_api/integration_test.rb b/test/puppetca_http_api/integration_test.rb index f770fb80e..2b08b2f40 100644 --- a/test/puppetca_http_api/integration_test.rb +++ b/test/puppetca_http_api/integration_test.rb @@ -19,7 +19,7 @@ def test_features ssl_key = Tempfile.new('ssl_key') begin - Proxy::DefaultModuleLoader.any_instance.expects(:load_configuration_file).with('puppetca.yml').returns(enabled: true, puppet_version: '6.0.0') + Proxy::DefaultModuleLoader.any_instance.expects(:load_configuration_file).with('puppetca.yml').returns(enabled: true) Proxy::DefaultModuleLoader.any_instance.expects(:load_configuration_file).with('puppetca_hostname_whitelisting.yml').returns({}) Proxy::DefaultModuleLoader.any_instance.expects(:load_configuration_file).with('puppetca_http_api.yml').returns( puppet_url: 'https://puppet.example.com:8140', diff --git a/test/puppetca_puppet_cert/fixtures/ca/ca_crl.pem b/test/puppetca_puppet_cert/fixtures/ca/ca_crl.pem deleted file mode 100644 index dd4e0a50c..000000000 --- a/test/puppetca_puppet_cert/fixtures/ca/ca_crl.pem +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN X509 CRL----- -MIIDMDCCARgCAQEwDQYJKoZIhvcNAQELBQAwKjEoMCYGA1UEAwwfUHVwcGV0IENB -OiB0Zm1kZW1vLmJlaXNwaWVsLnh5ehcNMTgwOTEzMTY1MjU1WhcNMjMwOTEyMTY1 -MjU2WjCBiDAgAgEDFw0xODA5MTMxNTUxMTVaMAwwCgYDVR0VBAMKAQEwIAIBAxcN -MTgwOTEzMTYzMzUwWjAMMAoGA1UdFQQDCgEBMCACAQMXDTE4MDkxMzE2MzgwOFow -DDAKBgNVHRUEAwoBATAgAgEDFw0xODA5MTMxNjUyNTZaMAwwCgYDVR0VBAMKAQGg -LzAtMB8GA1UdIwQYMBaAFLZCFAMZYmB00yMXkvOwFCSizD3YMAoGA1UdFAQDAgEE -MA0GCSqGSIb3DQEBCwUAA4ICAQCmr+8cez96ncdo9EM/Njk9iFibyUAqD76C63Xj -l80mArQ4zfYVcBis7vWZkQePZXYVRHWso25lpTPgFxceQBVEO92/VFRZEtDD8sf2 -GrXzYRFwLu5csKVP1V9KDbz4IkH3/56P0n1sDhbmjBcZ35VkfQGCv72zcge1kcZn -HFIx8fe+tborkWy4N4AxDmAyVHVU8XjlDQ+w/vJeVYmf2ZY11kj2i7SPRhJyGL/1 -+sPPAOKjfoDq8fjr9M9H3AIKKxqt5pZpwA1Qf+TSlk6givpEVvZJ9un7jLbfnDz/ -THGnTX8aWg7xMgtx5YlDJ8uhHZ0FtLB5clskZj2h/1KiQW1owORdC9rxXVzPgL/k -kWsDpouF9Vd/a8cCg2TpzmODJ9fKhpFbc8yfAQBsSEkaC/MD5ps3KysjUjo5m7pC -nwwXhA/bUBtZufNPwzJC/Ghpxsge23v3m++Qt8gbzGEJNcJ0YWpebMUxTuswL4yH -K04N5kSTzXl675+ga34mWEZcEscQDIrbH4Q4+2jiZQcuqrZRGeUyA9i5OrPb/FE0 -8hYa64XXXsGU04+xq99RGLcfmNudmKTJ8r+u8ux9PQQdMalIj9/LJSBpfwEH2KHF -BE1XXks7mkpcoM2gPLYRyLSpC6+yDWA+JAnkD/dcSFeGvVoCbdymcoWlBysRoXt/ -OGnNPQ== ------END X509 CRL----- diff --git a/test/puppetca_puppet_cert/fixtures/ca/inventory.txt b/test/puppetca_puppet_cert/fixtures/ca/inventory.txt deleted file mode 100644 index 141dcb832..000000000 --- a/test/puppetca_puppet_cert/fixtures/ca/inventory.txt +++ /dev/null @@ -1,4 +0,0 @@ -0x0001 2018-06-09T09:30:19UTC 2023-06-09T09:30:19UTC /CN=Puppet CA: tfmdemo.beispiel.xyz -0x0002 2018-06-09T09:30:21UTC 2023-06-09T09:30:21UTC /CN=tfmdemo.beispiel.xyz -0x0003 2018-06-09T13:38:05UTC 2023-06-09T13:38:05UTC /CN=tfmcentos7.beispiel.xyz -0x0004 2018-09-12T17:31:00UTC 2023-09-12T17:31:00UTC /CN=tfmcentos7.beispiel.xyz diff --git a/test/puppetca_puppet_cert/fixtures/puppet b/test/puppetca_puppet_cert/fixtures/puppet deleted file mode 100644 index 9a3bc4107..000000000 --- a/test/puppetca_puppet_cert/fixtures/puppet +++ /dev/null @@ -1 +0,0 @@ -# deliberately empty file to simulate the puppet command for tests diff --git a/test/puppetca_puppet_cert/fixtures/sudo b/test/puppetca_puppet_cert/fixtures/sudo deleted file mode 100644 index 574a06c19..000000000 --- a/test/puppetca_puppet_cert/fixtures/sudo +++ /dev/null @@ -1 +0,0 @@ -# fake sudo command diff --git a/test/puppetca_puppet_cert/puppetca_puppet_cert_config_test.rb b/test/puppetca_puppet_cert/puppetca_puppet_cert_config_test.rb deleted file mode 100644 index 8f345a98d..000000000 --- a/test/puppetca_puppet_cert/puppetca_puppet_cert_config_test.rb +++ /dev/null @@ -1,9 +0,0 @@ -require 'test_helper' -require 'puppetca_puppet_cert/puppetca_puppet_cert' - -class PuppetCaPuppetCertConfigTest < Test::Unit::TestCase - def test_omitted_settings_have_default_values - Proxy::PuppetCa::PuppetcaPuppetCert::Plugin.load_test_settings() - assert_equal '/var/lib/puppet/ssl', Proxy::PuppetCa::PuppetcaPuppetCert::Plugin.settings.ssldir - end -end diff --git a/test/puppetca_puppet_cert/puppetca_puppet_cert_test.rb b/test/puppetca_puppet_cert/puppetca_puppet_cert_test.rb deleted file mode 100644 index 51b6b2a8a..000000000 --- a/test/puppetca_puppet_cert/puppetca_puppet_cert_test.rb +++ /dev/null @@ -1,181 +0,0 @@ -require 'test_helper' -require 'tempfile' -require 'fileutils' - -require 'puppetca/puppetca' -require 'puppetca_puppet_cert/puppetca_puppet_cert' -require 'puppetca_puppet_cert/puppetca_impl' - -class PuppetCaPuppetCertImplTest < Test::Unit::TestCase - def setup - @puppet_cert = Proxy::PuppetCa::PuppetcaPuppetCert::PuppetcaImpl.new - end - - def test_which_should_return_a_binary_path - ENV.stubs(:[]).with('PATH').returns(['/foo', '/bin', '/usr/bin'].join(File::PATH_SEPARATOR)) - { '/foo' => false, '/bin' => true, '/usr/bin' => false, '/usr/sbin' => false, '/usr/local/bin' => false, '/usr/local/sbin' => false }.each do |p, r| - FileTest.stubs(:file?).with("#{p}/ls").returns(r) - FileTest.stubs(:executable?).with("#{p}/ls").returns(r) - end - assert_equal '/bin/ls', @puppet_cert.which('ls') - end - - INVENTORY_CONTENTS = <<~EOF - 0x0002 2015-09-01T15:15:57UTC 2020-08-31T15:15:57UTC /CN=revoked.my.domain - 0x0003 2015-09-02T08:34:59UTC 2020-09-01T08:34:59UTC /CN=active.my.domain - 0x0004 2017-01-11T15:04:35UTC 2022-01-11T15:04:35UTC /CN=revoked.my.domain - 0x0005 2017-01-14T12:01:22UTC 2022-01-14T12:01:22UTC /CN=second-active.my.domain/OU=mydepartment - EOF - def test_parse_inventory - assert_equal({"revoked.my.domain" => {:serial => 4, :not_before => "2017-01-11T15:04:35UTC", :not_after => "2022-01-11T15:04:35UTC"}, - "active.my.domain" => {:serial => 3, :not_before => "2015-09-02T08:34:59UTC", :not_after => "2020-09-01T08:34:59UTC"}, - "second-active.my.domain" => {:serial => 5, :not_before => "2017-01-14T12:01:22UTC", :not_after => "2022-01-14T12:01:22UTC"}}, - @puppet_cert.parse_inventory(INVENTORY_CONTENTS)) - end - - CRL_CONTENTS = <<~EOF - -----BEGIN X509 CRL----- - MIIC9DCB3QIBATANBgkqhkiG9w0BAQUFADA0MTIwMAYDVQQDDClQdXBwZXQgQ0E6 - IGx1Y2lkLW5vbnNlbnNlLmFwcGxpZWRsb2dpYy5jYRcNMTcwMTEyMTUzNjM1WhcN - MjIwMTExMTUzNjM2WjBEMCACAQIXDTE3MDExMjEzMDEwOVowDDAKBgNVHRUEAwoB - ATAgAgEEFw0xNzAxMTIxNTM2MzZaMAwwCgYDVR0VBAMKAQGgLzAtMB8GA1UdIwQY - MBaAFPXwC6fTTZGAEGWebeMJobxzTq0IMAoGA1UdFAQDAgECMA0GCSqGSIb3DQEB - BQUAA4ICAQBevzkpnkJOelipZsd8GbV5r7b/5Mc/X9fIoNb7wfDGzRWMNDvp/pqd - 3TeXvHKsgFqjgchQlI+dd+K1eouJm3pYSsT5MYVrJYUJ6kzPgC89tgtEDApnYOjx - rZIWyF6PeWjL8E7ZKNVFX6RS2HbhWLZStDnkJvckXAhN4GXdLdm5FulkXQ7asQTy - 8u1bXWDvRESNuveHuuVyQpfzbnznxUSgf+gJzQ35wbNGZCJDoNlEth6UnIz26LIY - /3dRt/HcybDLoSIV+PF7m2VZZxwcpRCIgjvhCz0fWdfakPYoCn5l3ZGZnv6vL/ss - Mt7bh+b9C0u4g9sQxAYsW21EEFcxVjREXQNn9t/9iqwNn+W90Fee3TJGmWQINO29 - zzPgmYyWZQFHCVPuQE/R6cVrRIFte1PjEycsxcTjVv4f71vIWd/54VW7/7TjXYq5 - 7CnBxWUlWs8N8GwJLzem5DgJvF85YUbVACfNs8JhZc7osLPxFhnZcKz2dLyJgXOj - tzZtHJZG7qxR1n9GmERVpk6OSeK0KKYmb+N9u4mGXYTDG6kl+nj1dU/Uh/yoAwG8 - UCEaly81c8sSHjLI3GetK4WxND0cElcSaFY3q22bDay7drhhCMftcbhxoh9ROI5h - Ldr9eKhzX/iwBRnlcwxVCLSUEP+46oGi8hawrhEUnPxPtftMjPVFTQ== - -----END X509 CRL----- - EOF - - PUPPET_CERT_LIST_OUTPUT = <<~OUTPUT - + "tfmcentos7.beispiel.xyz" (SHA256) B1:7C:A8:EC:2A:37:E6:2D:A6:55:B9:00:DE:2B:36:6B:E1:F0:BA:49:42:91:3D:60:4B:42:81:6F:5E:18:78:C8 - + "tfmdemo.beispiel.xyz" (SHA256) 79:E3:98:2C:FF:53:74:02:6F:96:6D:61:05:85:1A:5F:C6:FB:67:AF:A6:05:24:FA:16:42:21:14:46:86:AC:AF (alt names: "DNS:puppet", "DNS:puppet.beispiel.xyz", "DNS:tfmdemo.beispiel.xyz") - OUTPUT - - PUPPET_CERT_CLEAN_OUTPUT = <<~OUTPUT - Notice: Revoked certificate with serial 4 - Notice: Removing file Puppet::SSL::Certificate tfmcentos7.beispiel.xyz at '/etc/puppetlabs/puppet/ssl/ca/signed/tfmcentos7.beispiel.xyz.pem' - Notice: Removing file Puppet::SSL::Certificate tfmcentos7.beispiel.xyz at '/etc/puppetlabs/puppet/ssl/certs/tfmcentos7.beispiel.xyz.pem' - OUTPUT - - PUPPET_CERT_SIGN_OUTPUT = <<~OUTPUT - Signing Certificate Request for: - "tfmcentos7.beispiel.xyz" (SHA256) 23:B0:F0:83:72:ED:69:8A:E1:06:83:0E:A6:DE:0B:5D:83:0B:58:3B:AB:EE:82:F1:30:1B:39:19:84:5B:4B:10 ** - Notice: Signed certificate request for tfmcentos7.beispiel.xyz - Notice: Removing file Puppet::SSL::CertificateRequest tfmcentos7.beispiel.xyz at '/etc/puppetlabs/puppet/ssl/ca/requests/tfmcentos7.beispiel.xyz.pem' - OUTPUT - - def test_revoked_serials - assert_equal Set.new([2, 4]), @puppet_cert.revoked_serials(CRL_CONTENTS) - end - - def test_compute_ca_inventory - assert_equal({"revoked.my.domain" => {:serial => 4, :not_before => "2017-01-11T15:04:35UTC", :not_after => "2022-01-11T15:04:35UTC", :state => "revoked"}, - "active.my.domain" => {:serial => 3, :not_before => "2015-09-02T08:34:59UTC", :not_after => "2020-09-01T08:34:59UTC"}, - "second-active.my.domain" => {:serial => 5, :not_before => "2017-01-14T12:01:22UTC", :not_after => "2022-01-14T12:01:22UTC"}}, - @puppet_cert.compute_ca_inventory(INVENTORY_CONTENTS, CRL_CONTENTS)) - end - - def test_should_clean_host - @puppet_cert.stubs(:find_puppetca) - @puppet_cert.instance_variable_set('@puppetca', '/tmp/puppet cert') - @puppet_cert.instance_variable_set('@sudo', '') - @puppet_cert.stubs('`').with(' /tmp/puppet cert --clean tfmcentos7.beispiel.xyz 2>&1').returns(PUPPET_CERT_CLEAN_OUTPUT) - - assert @puppet_cert.clean('tfmcentos7.beispiel.xyz') - end - - def test_should_sign_host - @puppet_cert.stubs(:find_puppetca) - @puppet_cert.instance_variable_set('@puppetca', '/tmp/puppet cert') - @puppet_cert.instance_variable_set('@sudo', '') - @puppet_cert.stubs('`').with(' /tmp/puppet cert --sign tfmcentos7.beispiel.xyz 2>&1').returns(PUPPET_CERT_SIGN_OUTPUT) - - assert @puppet_cert.sign('tfmcentos7.beispiel.xyz') - end - - def test_should_list_certs - @puppet_cert.stubs(:find_puppetca) - @puppet_cert.stubs(:ssldir).returns(File.expand_path(File.join(__dir__, '.', 'fixtures'))) - @puppet_cert.instance_variable_set('@puppetca', '/tmp/puppet cert') - @puppet_cert.stubs('`').with(' /tmp/puppet cert --list --all').returns(PUPPET_CERT_LIST_OUTPUT) - Process::Status.any_instance.stubs(:exitstatus).returns(0) - - expected = { - 'Puppet' => { - :not_after => '2023-06-09T09:30:19UTC', - :not_before => '2018-06-09T09:30:19UTC', - :serial => 1, - }, - 'tfmcentos7.beispiel.xyz' => - { - :fingerprint => 'SHA256', - :not_after => '2023-09-12T17:31:00UTC', - :not_before => '2018-09-12T17:31:00UTC', - :serial => 4, - :state => 'valid', - }, - 'tfmdemo.beispiel.xyz' => { - :fingerprint => 'SHA256', - :not_after => '2023-06-09T09:30:21UTC', - :not_before => '2018-06-09T09:30:21UTC', - :serial => 2, - :state => 'valid', - }, - } - - assert_equal expected, @puppet_cert.list - end - - def test_find_puppetca_without_sudo - stub_puppetca_executables - - @puppet_cert.stubs(:use_sudo?).returns(false) - @puppet_cert.find_puppetca - puppetca = @puppet_cert.instance_variable_get('@puppetca') - sudo = @puppet_cert.instance_variable_get('@sudo') - assert_equal "#{@ssldir}/puppet --ssldir #{@ssldir}", puppetca - assert_equal '', sudo - end - - def test_find_puppetca_with_sudo - stub_puppetca_executables - - @puppet_cert.stubs(:use_sudo?).returns(true) - @puppet_cert.find_puppetca - puppetca = @puppet_cert.instance_variable_get('@puppetca') - sudo = @puppet_cert.instance_variable_get('@sudo') - assert_equal "#{@ssldir}/puppet --ssldir #{@ssldir}", puppetca - assert_equal "#{@ssldir}/sudo -S", sudo - end - - def test_find_puppetca_with_sudo_command - stub_puppetca_executables - - @puppet_cert.stubs(:use_sudo?).returns(true) - @puppet_cert.stubs(:sudo_command).returns("#{@ssldir}/sudo") - @puppet_cert.find_puppetca - puppetca = @puppet_cert.instance_variable_get('@puppetca') - sudo = @puppet_cert.instance_variable_get('@sudo') - assert_equal "#{@ssldir}/puppet --ssldir #{@ssldir}", puppetca - assert_equal "#{@ssldir}/sudo -S", sudo - end - - private - - def stub_puppetca_executables - @ssldir = File.expand_path(File.join(__dir__, '.', 'fixtures')) - @puppet_cert.stubs(:ssldir).returns(@ssldir) - - @puppet_cert.stubs(:which).with('puppetca', anything).returns(nil) - @puppet_cert.stubs(:which).with('puppet', anything).returns(File.join(@ssldir, 'puppet')) - @puppet_cert.stubs(:which).with('sudo').returns(File.join(@ssldir, 'sudo')) - end -end