Don't generate a CA if a tar file is provided

ekohl · ekohl · commit dc92400f049b · 2024-09-12T21:00:00.000+02:00
The tar file contains both the default and server CA files that are
needed. It actually overwrote the files from the tar file.
diff --git a/manifests/ca.pp b/manifests/ca.pp
@@ -24,41 +24,43 @@
   $default_ca_path = "${certs::ssl_build_dir}/${default_ca_name}.crt"
   $server_ca_path = "${certs::ssl_build_dir}/${server_ca_name}.crt"
 
-  file { $ca_key_password_file:
-    ensure    => file,
-    content   => $ca_key_password,
-    owner     => 'root',
-    group     => 'root',
-    mode      => '0400',
-    show_diff => false,
-  } ~>
-  ca { $default_ca_name:
-    ensure        => present,
-    common_name   => $ca_common_name,
-    country       => $country,
-    state         => $state,
-    city          => $city,
-    org           => $org,
-    org_unit      => $org_unit,
-    expiration    => $ca_expiration,
-    generate      => $generate,
-    password_file => $ca_key_password_file,
-    build_dir     => $certs::ssl_build_dir,
-  }
+  unless $certs::tar_file {
+    file { $ca_key_password_file:
+      ensure    => file,
+      content   => $ca_key_password,
+      owner     => 'root',
+      group     => 'root',
+      mode      => '0400',
+      show_diff => false,
+    } ~>
+    ca { $default_ca_name:
+      ensure        => present,
+      common_name   => $ca_common_name,
+      country       => $country,
+      state         => $state,
+      city          => $city,
+      org           => $org,
+      org_unit      => $org_unit,
+      expiration    => $ca_expiration,
+      generate      => $generate,
+      password_file => $ca_key_password_file,
+      build_dir     => $certs::ssl_build_dir,
+    }
 
-  file { $server_ca_path:
-    ensure => file,
-    source => pick($certs::server_ca_cert, $default_ca_path),
-    owner  => 'root',
-    group  => 'root',
-    mode   => '0644',
-  }
+    file { $server_ca_path:
+      ensure => file,
+      source => pick($certs::server_ca_cert, $default_ca_path),
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0644',
+    }
 
-  if $generate {
-    file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
-      ensure  => link,
-      target  => $server_ca_path,
-      require => File[$server_ca_path],
+    if $generate {
+      file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
+        ensure  => link,
+        target  => $server_ca_path,
+        require => File[$server_ca_path],
+      }
     }
   }
 
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -113,6 +113,9 @@
     certs::tar_extract { $tar_file:
       before => Class['certs::install'],
     }
+    $default_ca = undef
+  } else {
+    $default_ca = Ca[$default_ca_name]
   }
 
   contain certs::install
@@ -122,6 +125,4 @@
   Class['certs::install'] ->
   Class['certs::config'] ->
   Class['certs::ca']
-
-  $default_ca = Ca[$default_ca_name]
 }
diff --git a/spec/acceptance/certs_spec.rb b/spec/acceptance/certs_spec.rb
@@ -145,4 +145,106 @@ class { 'certs':
       its(:keylength) { should be >= 2048 }
     end
   end
+
+  context 'with tar file' do
+    context 'with default ca' do
+      before(:context) do
+        manifest = <<~PUPPET
+          class { 'certs':
+            generate => true,
+            deploy   => false,
+          }
+
+          class { 'certs::foreman_proxy_content':
+            foreman_proxy_fqdn => 'foreman-proxy.example.com',
+            certs_tar          => '/root/foreman-proxy.example.com.tar.gz',
+          }
+        PUPPET
+
+        apply_manifest(manifest, catch_failures: true)
+
+        on default, 'rm -rf /root/ssl-build'
+      end
+
+      describe 'deploy certificates' do
+        manifest = <<-PUPPET
+          class { 'certs':
+            tar_file => '/root/foreman-proxy.example.com.tar.gz',
+          }
+        PUPPET
+        # tar extraction is not idempotent
+        it { apply_manifest(manifest, catch_failures: true) }
+      end
+
+      describe 'default and server ca certs match' do
+        it { expect(file('/etc/pki/katello/certs/katello-default-ca.crt').content).to eq(file('/etc/pki/katello/certs/katello-server-ca.crt').content) }
+      end
+
+      describe x509_certificate('/etc/pki/katello/certs/katello-default-ca.crt') do
+        it { should be_certificate }
+        it { should be_valid }
+        it { should have_purpose 'SSL server CA' }
+        its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+        its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+        its(:keylength) { should be >= 4096 }
+      end
+    end
+
+    context 'with custom certificates' do
+      before(:context) do
+        manifest = <<~PUPPET
+          class { 'certs':
+            server_cert    => '/server.crt',
+            server_key     => '/server.key',
+            server_ca_cert => '/server-ca.crt',
+            generate       => true,
+            deploy         => false,
+          }
+
+          class { 'certs::foreman_proxy_content':
+            foreman_proxy_fqdn => 'foreman-proxy.example.com',
+            certs_tar          => '/root/foreman-proxy.example.com.tar.gz',
+          }
+        PUPPET
+
+        apply_manifest(manifest, catch_failures: true)
+
+        on default, 'rm -rf /root/ssl-build'
+      end
+
+      describe 'deploy certificates' do
+        manifest = <<-PUPPET
+          class { 'certs':
+            tar_file => '/root/foreman-proxy.example.com.tar.gz',
+          }
+        PUPPET
+        # tar extraction is not idempotent
+        it { apply_manifest(manifest, catch_failures: true) }
+      end
+
+      describe 'default and server ca certs match' do
+        it { expect(file('/etc/pki/katello/certs/katello-default-ca.crt').content).not_to eq(file('/etc/pki/katello/certs/katello-server-ca.crt').content) }
+      end
+
+      describe x509_certificate('/etc/pki/katello/certs/katello-default-ca.crt') do
+        it { should be_certificate }
+        it { should be_valid }
+        it { should have_purpose 'SSL server CA' }
+        its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+        its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+        its(:keylength) { should be >= 4096 }
+      end
+
+      describe x509_certificate('/etc/pki/katello/certs/katello-server-ca.crt') do
+        it { should be_certificate }
+        it { should be_valid }
+        it { should have_purpose 'SSL server CA' }
+        # These don't match since we only configure it with the intermediate
+        # and not the actual root
+        its(:issuer) { should match_without_whitespace(/CN = Fake LE Root X1/) }
+        its(:subject) { should match_without_whitespace(/CN = Fake LE Intermediate X1/) }
+        its(:keylength) { should be >= 2048 }
+      end
+    end
+  end
 end

Original file line number	Diff line number	Diff line change
`@@ -113,6 +113,9 @@`
`113`	`113`	`certs::tar_extract { $tar_file:`
`114`	`114`	`before => Class['certs::install'],`
`115`	`115`	`}`
	`116`	`+ $default_ca = undef`
	`117`	`+ } else {`
	`118`	`+ $default_ca = Ca[$default_ca_name]`
`116`	`119`	`}`
`117`	`120`
`118`	`121`	`contain certs::install`
`@@ -122,6 +125,4 @@`
`122`	`125`	`Class['certs::install'] ->`
`123`	`126`	`Class['certs::config'] ->`
`124`	`127`	`Class['certs::ca']`
`125`		`-`
`126`		`- $default_ca = Ca[$default_ca_name]`
`127`	`128`	`}`