Don't generate a CA if a tar file is provided

ekohl · ekohl · commit 6ba3aee157fc · 2024-09-12T17:52:55.000+02:00
The tar file contains both the default and server CA files that are
needed. It actually overwrote the files from the tar file.
diff --git a/manifests/ca.pp b/manifests/ca.pp
@@ -24,41 +24,43 @@
   $default_ca_path = "${certs::ssl_build_dir}/${default_ca_name}.crt"
   $server_ca_path = "${certs::ssl_build_dir}/${server_ca_name}.crt"
 
-  file { $ca_key_password_file:
-    ensure    => file,
-    content   => $ca_key_password,
-    owner     => 'root',
-    group     => 'root',
-    mode      => '0400',
-    show_diff => false,
-  } ~>
-  ca { $default_ca_name:
-    ensure        => present,
-    common_name   => $ca_common_name,
-    country       => $country,
-    state         => $state,
-    city          => $city,
-    org           => $org,
-    org_unit      => $org_unit,
-    expiration    => $ca_expiration,
-    generate      => $generate,
-    password_file => $ca_key_password_file,
-    build_dir     => $certs::ssl_build_dir,
-  }
+  unless $certs::tar_file {
+    file { $ca_key_password_file:
+      ensure    => file,
+      content   => $ca_key_password,
+      owner     => 'root',
+      group     => 'root',
+      mode      => '0400',
+      show_diff => false,
+    } ~>
+    ca { $default_ca_name:
+      ensure        => present,
+      common_name   => $ca_common_name,
+      country       => $country,
+      state         => $state,
+      city          => $city,
+      org           => $org,
+      org_unit      => $org_unit,
+      expiration    => $ca_expiration,
+      generate      => $generate,
+      password_file => $ca_key_password_file,
+      build_dir     => $certs::ssl_build_dir,
+    }
 
-  file { $server_ca_path:
-    ensure => file,
-    source => pick($certs::server_ca_cert, $default_ca_path),
-    owner  => 'root',
-    group  => 'root',
-    mode   => '0644',
-  }
+    file { $server_ca_path:
+      ensure => file,
+      source => pick($certs::server_ca_cert, $default_ca_path),
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0644',
+    }
 
-  if $generate {
-    file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
-      ensure  => link,
-      target  => $server_ca_path,
-      require => File[$server_ca_path],
+    if $generate {
+      file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
+        ensure  => link,
+        target  => $server_ca_path,
+        require => File[$server_ca_path],
+      }
     }
   }
 
diff --git a/spec/acceptance/certs_spec.rb b/spec/acceptance/certs_spec.rb
@@ -145,4 +145,106 @@ class { 'certs':
       its(:keylength) { should be >= 2048 }
     end
   end
+
+  context 'with tar file' do
+    context 'with default ca' do
+      before(:context) do
+        manifest = <<~PUPPET
+          class { 'certs':
+            generate => true,
+            deploy   => false,
+          }
+
+          class { 'certs::foreman_proxy_content':
+            foreman_proxy_fqdn => 'foreman-proxy.example.com',
+            certs_tar          => '/root/foreman-proxy.example.com.tar.gz',
+          }
+        PUPPET
+
+        apply_manifest(manifest, catch_failures: true)
+
+        on default, 'rm -rf /root/ssl-build'
+      end
+
+      describe 'deploy certificates' do
+        manifest = <<-PUPPET
+          class { 'certs':
+            tar_file => '/root/foreman-proxy.example.com.tar.gz',
+          }
+        PUPPET
+        # tar extraction is not idempotent
+        it { apply_manifest(manifest, catch_failures: true) }
+      end
+
+      describe 'default and server ca certs match' do
+        it { expect(file('/etc/pki/katello/certs/katello-default-ca.crt').content).to eq(file('/etc/pki/katello/certs/katello-server-ca.crt').content) }
+      end
+
+      describe x509_certificate('/etc/pki/katello/certs/katello-default-ca.crt') do
+        it { should be_certificate }
+        it { should be_valid }
+        it { should have_purpose 'SSL server CA' }
+        its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+        its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+        its(:keylength) { should be >= 4096 }
+      end
+    end
+
+    context 'with custom certificates' do
+      before(:context) do
+        manifest = <<~PUPPET
+          class { 'certs':
+            server_cert    => '/server.crt',
+            server_key     => '/server.key',
+            server_ca_cert => '/server-ca.crt',
+            generate       => true,
+            deploy         => false,
+          }
+
+          class { 'certs::foreman_proxy_content':
+            foreman_proxy_fqdn => 'foreman-proxy.example.com',
+            certs_tar          => '/root/foreman-proxy.example.com.tar.gz',
+          }
+        PUPPET
+
+        apply_manifest(manifest, catch_failures: true)
+
+        on default, 'rm -rf /root/ssl-build'
+      end
+
+      describe 'deploy certificates' do
+        manifest = <<-PUPPET
+          class { 'certs':
+            tar_file => '/root/foreman-proxy.example.com.tar.gz',
+          }
+        PUPPET
+        # tar extraction is not idempotent
+        it { apply_manifest(manifest, catch_failures: true) }
+      end
+
+      describe 'default and server ca certs match' do
+        it { expect(file('/etc/pki/katello/certs/katello-default-ca.crt').content).not_to eq(file('/etc/pki/katello/certs/katello-server-ca.crt').content) }
+      end
+
+      describe x509_certificate('/etc/pki/katello/certs/katello-default-ca.crt') do
+        it { should be_certificate }
+        it { should be_valid }
+        it { should have_purpose 'SSL server CA' }
+        its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+        its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+        its(:keylength) { should be >= 4096 }
+      end
+
+      describe x509_certificate('/etc/pki/katello/certs/katello-server-ca.crt') do
+        it { should be_certificate }
+        it { should be_valid }
+        it { should have_purpose 'SSL server CA' }
+        # These don't match since we only configure it with the intermediate
+        # and not the actual root
+        its(:issuer) { should match_without_whitespace(/CN = Fake LE Root X1/) }
+        its(:subject) { should match_without_whitespace(/CN = Fake LE Intermediate X1/) }
+        its(:keylength) { should be >= 2048 }
+      end
+    end
+  end
 end
