Generate a ca-bundle of the default and server certificates

Author: ehelms

.fixtures.yml

@@ -1,5 +1,6 @@
 fixtures:
   repositories:
+    concat:            "https://github.com/puppetlabs/puppetlabs-concat"
     extlib:            "https://github.com/voxpupuli/puppet-extlib"
     foreman:           "https://github.com/theforeman/puppet-foreman"
     redis:             "https://github.com/voxpupuli/puppet-redis"

manifests/ca.pp

@@ -20,6 +20,7 @@
 ) {
   $default_ca_path = "${certs::ssl_build_dir}/${default_ca_name}.crt"
   $server_ca_path = "${certs::ssl_build_dir}/${server_ca_name}.crt"
+  $ca_bundle_path = "${certs::ssl_build_dir}/ca-bundle.crt"
 
   file { $ca_key_password_file:
     ensure    => file,
@@ -51,6 +52,28 @@
       group  => 'root',
       mode   => '0644',
     }
+
+    concat { $ca_bundle_path:
+      ensure => present,
+    }
+
+    concat::fragment { 'default-ca':
+      target => $ca_bundle_path,
+      source => $default_ca_path,
+      order  => '01',
+    }
+
+    if $certs::server_ca_cert {
+      concat::fragment { 'server-ca':
+        target => $ca_bundle_path,
+        source => $server_ca_path,
+        order  => '02',
+      }
+    }
+
+    file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
+      ensure  => absent,
+    }
   }
 
   if $deploy {

spec/acceptance/certs_spec.rb

@@ -32,6 +32,12 @@
       its(:keylength) { should be >= 4096 }
     end
 
+    describe ca_bundle('/root/ssl-build/ca-bundle.crt') do
+      it { should exist }
+      its(:size) { should equal 1 }
+      it { should have_cert('/root/ssl-build/katello-default-ca.crt') }
+    end
+
     describe x509_private_key('/root/ssl-build/katello-default-ca.key') do
       it { should be_encrypted }
     end
@@ -150,5 +156,12 @@ class { 'certs':
       its(:subject) { should match_without_whitespace(/CN = Fake LE Intermediate X1/) }
       its(:keylength) { should be >= 2048 }
     end
+
+    describe ca_bundle('/root/ssl-build/ca-bundle.crt') do
+      it { should exist }
+      its(:size) { should equal 1 }
+      it { should have_cert('/root/ssl-build/katello-default-ca.crt') }
+      it { should have_cert('/root/ssl-build/katello-server-ca.crt') }
+    end
   end
 end

spec/support/acceptance/ca_bundle.rb

@@ -0,0 +1,49 @@
+begin
+  require 'serverspec'
+rescue LoadError
+  # Not using acceptance tests
+else
+  module Serverspec
+    module Type
+      class CaBundle < Base
+        def content
+          if @content.nil?
+            @content = load_fullchain(@runner.get_file_content(@name).stdout)
+          end
+          @content
+        end
+
+        def exist?
+          @runner.check_file_exists(@name)
+        end
+
+        def size
+          content.length
+        end
+
+        def has_cert?(file_path)
+          target_cert = OpenSSL::X509::Certificate.new(@runner.get_file_content(file_path).stdout)
+          content.any? do |actual_cert|
+            target_cert = actual_cert
+          end
+        end
+
+        def load_fullchain(bundle_pem)
+          bundle_pem.
+            lines.
+            slice_after(/^-----END CERTIFICATE-----/).
+            filter { |pem| pem.join.include?('-----END CERTIFICATE-----') }.
+            map { |pem| OpenSSL::X509::Certificate.new(pem.join) }
+        end
+      end
+    end
+
+    module Helper
+      module Type
+        def ca_bundle(*args)
+          Serverspec::Type::CaBundle.new(*args)
+        end
+      end
+    end
+  end
+end