Add support for cleaning up mosquitto when switching to SSH

Author: ehelms

manifests/plugin/remote_execution/mosquitto.pp

@@ -12,13 +12,16 @@
 #
 # === Advanced parameters:
 #
+# $ensure::                     Enable or disable mosquitto configuration and presence
+#
 # $port::                       Port mosquitto will run on
 #
 # $require_certificate::        When true the client must provide a valid certificate in order to connect successfully
 #
 # $use_identity_as_username::   Use the CN value from the client certificate as a username
 #
 class foreman_proxy::plugin::remote_execution::mosquitto (
+  Enum['absent', 'present'] $ensure = 'present',
   Stdlib::Port $port = 1883,
   Stdlib::Absolutepath $ssl_ca = undef,
   Stdlib::Absolutepath $ssl_cert = undef,
@@ -31,8 +34,11 @@
   $broker = $facts['networking']['fqdn']
 
   class { 'mosquitto':
-    package_name => 'mosquitto',
-    config       => [
+    package_name   => 'mosquitto',
+    package_ensure => $ensure,
+    service_ensure => bool2str($ensure == 'present', 'running', 'stopped'),
+    service_enable => $ensure == 'present',
+    config         => [
       "listener ${port}",
       "acl_file ${mosquitto_config_dir}/foreman.acl",
       "cafile ${mosquitto_ssl_dir}/ssl_ca.pem",
@@ -43,16 +49,8 @@
     ],
   }
 
-  file { $mosquitto_config_dir:
-    ensure  => directory,
-    owner   => 'root',
-    group   => 'mosquitto',
-    mode    => '0755',
-    require => Package['mosquitto'],
-  }
-
   file { "${mosquitto_config_dir}/foreman.acl":
-    ensure  => 'file',
+    ensure  => $ensure,
     content => epp(
       "${module_name}/plugin/foreman.acl.epp",
       { user => $facts['networking']['fqdn'] }
@@ -63,30 +61,31 @@
   }
 
   file { $mosquitto_ssl_dir:
-    ensure => directory,
+    ensure => bool2str($ensure == 'present', 'directory', 'absent'),
+    force  => true,
     owner  => 'root',
     group  => 'mosquitto',
     mode   => '0755',
   }
 
   file { "${mosquitto_ssl_dir}/ssl_cert.pem":
-    ensure => 'file',
+    ensure => $ensure,
     source => $ssl_cert,
     owner  => 'root',
     group  => 'mosquitto',
     mode   => '0440',
   }
 
   file { "${mosquitto_ssl_dir}/ssl_key.pem":
-    ensure => 'file',
+    ensure => $ensure,
     source => $ssl_key,
     owner  => 'root',
     group  => 'mosquitto',
     mode   => '0440',
   }
 
   file { "${mosquitto_ssl_dir}/ssl_ca.pem":
-    ensure => 'file',
+    ensure => $ensure,
     source => $ssl_ca,
     owner  => 'root',
     group  => 'mosquitto',

manifests/plugin/remote_execution/script.pp

@@ -71,12 +71,11 @@
     }
   }
 
-  if $mode == 'pull-mqtt' {
-    class { 'foreman_proxy::plugin::remote_execution::mosquitto':
-      ssl_ca   => $foreman_proxy::ssl_ca,
-      ssl_cert => $foreman_proxy::ssl_cert,
-      ssl_key  => $foreman_proxy::ssl_key,
-    }
+  class { 'foreman_proxy::plugin::remote_execution::mosquitto':
+    ensure   => bool2str($mode == 'pull-mqtt' and $enabled, 'present', 'absent'),
+    ssl_ca   => $foreman_proxy::ssl_ca,
+    ssl_cert => $foreman_proxy::ssl_cert,
+    ssl_key  => $foreman_proxy::ssl_key,
   }
 
 }

spec/acceptance/remote_execution_script_pull_mqtt_spec.rb

@@ -3,64 +3,98 @@
 describe 'Scenario: install foreman-proxy with remote_execution script plugin with pull-mqtt'  do
   before(:context) { purge_installed_packages }
 
-  include_examples 'the example', 'remote_execution_script_pull_mqtt.pp'
+  context 'with default params' do
+    include_examples 'the example', 'remote_execution_script_pull_mqtt.pp'
 
-  it_behaves_like 'the default foreman proxy application'
+    it_behaves_like 'the default foreman proxy application'
 
-  describe port(1883) do
-    it { is_expected.to be_listening }
-  end
+    describe port(1883) do
+      it { is_expected.to be_listening }
+    end
 
-  describe file('/etc/foreman-proxy/settings.d/remote_execution_ssh.yml') do
-    it { should be_file }
-    its(:content) { should match(%r{:mqtt_port: 1883}) }
-    its(:content) { should match(%r{:mqtt_broker: #{host_inventory['fqdn']}}) }
-  end
+    describe file('/etc/foreman-proxy/settings.d/remote_execution_ssh.yml') do
+      it { should be_file }
+      its(:content) { should match(%r{:mqtt_port: 1883}) }
+      its(:content) { should match(%r{:mqtt_broker: #{host_inventory['fqdn']}}) }
+    end
 
-  describe file('/etc/mosquitto/foreman.acl') do
-    it { should be_file }
-    its(:content) { should match(%r{pattern read yggdrasil\/%u\/data\/in}) }
-    its(:content) { should match(%r{pattern write yggdrasil\/%u\/control\/out}) }
-    its(:content) { should match(%r{user #{host_inventory['fqdn']}}) }
-    its(:content) { should match(%r{topic write yggdrasil\/\+\/data\/in}) }
-    its(:content) { should match(%r{topic read yggdrasil\/\+\/control\/out}) }
-  end
+    describe file('/etc/mosquitto/foreman.acl') do
+      it { should be_file }
+      its(:content) { should match(%r{pattern read yggdrasil\/%u\/data\/in}) }
+      its(:content) { should match(%r{pattern write yggdrasil\/%u\/control\/out}) }
+      its(:content) { should match(%r{user #{host_inventory['fqdn']}}) }
+      its(:content) { should match(%r{topic write yggdrasil\/\+\/data\/in}) }
+      its(:content) { should match(%r{topic read yggdrasil\/\+\/control\/out}) }
+    end
 
-  describe x509_certificate('/etc/mosquitto/ssl/ssl_cert.pem') do
-    it { should be_certificate }
-    it { should be_valid }
-  end
+    describe x509_certificate('/etc/mosquitto/ssl/ssl_cert.pem') do
+      it { should be_certificate }
+      it { should be_valid }
+    end
 
-  describe file('/etc/mosquitto/ssl/ssl_cert.pem') do
-    it { should be_file }
-    it { should be_mode 440 }
-    it { should be_owned_by 'root' }
-    it { should be_grouped_into 'mosquitto' }
-  end
+    describe file('/etc/mosquitto/ssl/ssl_cert.pem') do
+      it { should be_file }
+      it { should be_mode 440 }
+      it { should be_owned_by 'root' }
+      it { should be_grouped_into 'mosquitto' }
+    end
 
-  describe x509_private_key('/etc/mosquitto/ssl/ssl_key.pem') do
-    it { should_not be_encrypted }
-    it { should be_valid }
-    it { should have_matching_certificate('/etc/mosquitto/ssl/ssl_cert.pem') }
-  end
+    describe x509_private_key('/etc/mosquitto/ssl/ssl_key.pem') do
+      it { should_not be_encrypted }
+      it { should be_valid }
+      it { should have_matching_certificate('/etc/mosquitto/ssl/ssl_cert.pem') }
+    end
 
-  describe file('/etc/mosquitto/ssl/ssl_key.pem') do
-    it { should be_file }
-    it { should be_mode 440 }
-    it { should be_owned_by 'root' }
-    it { should be_grouped_into 'mosquitto' }
-  end
+    describe file('/etc/mosquitto/ssl/ssl_key.pem') do
+      it { should be_file }
+      it { should be_mode 440 }
+      it { should be_owned_by 'root' }
+      it { should be_grouped_into 'mosquitto' }
+    end
+
+    describe x509_certificate('/etc/mosquitto/ssl/ssl_ca.pem') do
+      it { should be_certificate }
+      it { should be_valid }
+    end
 
-  describe x509_certificate('/etc/mosquitto/ssl/ssl_ca.pem') do
-    it { should be_certificate }
-    it { should be_valid }
+    describe file('/etc/mosquitto/ssl/ssl_ca.pem') do
+      it { should be_file }
+      it { should be_mode 440 }
+      it { should be_owned_by 'root' }
+      it { should be_grouped_into 'mosquitto' }
+    end
   end
 
-  describe file('/etc/mosquitto/ssl/ssl_ca.pem') do
-    it { should be_file }
-    it { should be_mode 440 }
-    it { should be_owned_by 'root' }
-    it { should be_grouped_into 'mosquitto' }
+  context 'with default mode (SSH) after enabling pull-mqtt' do
+    include_examples 'the example', 'remote_execution_script.pp'
+
+    it_behaves_like 'the default foreman proxy application'
+
+    describe port(1883) do
+      it { is_expected.not_to be_listening }
+    end
+
+    describe file('/etc/foreman-proxy/settings.d/remote_execution_ssh.yml') do
+      it { should be_file }
+      its(:content) { should_not match(%r{:mqtt_port: 1883}) }
+      its(:content) { should_not match(%r{:mqtt_broker: #{host_inventory['fqdn']}}) }
+    end
+
+    describe file('/etc/mosquitto/foreman.acl') do
+      it { should_not exist }
+    end
+
+    describe file('/etc/mosquitto/ssl/ssl_cert.pem') do
+      it { should_not exist }
+    end
+
+    describe file('/etc/mosquitto/ssl/ssl_key.pem') do
+      it { should_not exist }
+    end
+
+    describe file('/etc/mosquitto/ssl/ssl_ca.pem') do
+      it { should_not exist }
+    end
   end
 
 end

spec/classes/foreman_proxy__plugin__remote_execution__mosquitto_spec.rb

@@ -0,0 +1,141 @@
+require 'spec_helper'
+
+describe 'foreman_proxy::plugin::remote_execution::mosquitto' do
+  on_plugin_os.each do |os, os_facts|
+    context "on #{os}" do
+      let(:facts) { os_facts }
+      let :params do {
+        :ssl_cert => '/etc/foreman-proxy/ssl_cert.pem',
+        :ssl_key => '/etc/foreman-proxy/ssl_key.pem',
+        :ssl_ca => '/etc/foreman-proxy/ssl_ca.pem'
+      } end
+
+      describe 'with default settings' do
+        it 'should configure mosquitto' do
+          should contain_class('mosquitto').
+            with({
+              :package_name   => 'mosquitto',
+              :package_ensure => 'present',
+              :service_ensure => 'running',
+              :service_enable => true,
+              :config         => [
+                'listener 1883',
+                'acl_file /etc/mosquitto/foreman.acl',
+                'cafile /etc/mosquitto/ssl/ssl_ca.pem',
+                'certfile /etc/mosquitto/ssl/ssl_cert.pem',
+                'keyfile /etc/mosquitto/ssl/ssl_key.pem',
+                'require_certificate true',
+                'use_identity_as_username true'
+              ]
+            })
+        end
+
+        it 'should configure an ACL file' do
+          should contain_file('/etc/mosquitto/foreman.acl').
+            with_content(%r{pattern read yggdrasil/%u/data/in}).
+            with_content(%r{pattern write yggdrasil/%u/control/out}).
+            with_content(%r{user #{facts['fqdn']}}).
+            with_content(%r{topic write yggdrasil/\+/data/in}).
+            with_content(%r{topic read yggdrasil/\+/control/out}).
+            with({
+              :ensure  => 'present',
+              :owner   => 'root',
+              :group   => 'mosquitto',
+              :mode    => '0640'
+            })
+        end
+
+        it 'should configure a SSL directory' do
+          should contain_file('/etc/mosquitto/ssl').
+            with({
+              :ensure => 'directory',
+              :owner  => 'root',
+              :group  => 'mosquitto',
+              :mode   => '0755'
+            })
+        end
+
+        it 'should configure an ssl_cert' do
+          should contain_file('/etc/mosquitto/ssl/ssl_cert.pem').
+            with({
+              :ensure => 'present',
+              :source => '/etc/foreman-proxy/ssl_cert.pem',
+              :owner  => 'root',
+              :group  => 'mosquitto',
+              :mode   => '0440'
+            })
+        end
+
+        it 'should configure an ssl_key' do
+          should contain_file('/etc/mosquitto/ssl/ssl_key.pem').
+            with({
+              :ensure => 'present',
+              :source => '/etc/foreman-proxy/ssl_key.pem',
+              :owner  => 'root',
+              :group  => 'mosquitto',
+              :mode   => '0440'
+            })
+        end
+
+        it 'should configure an ssl_ca' do
+          should contain_file('/etc/mosquitto/ssl/ssl_ca.pem').
+            with({
+              :ensure  => 'present',
+              :source  => '/etc/foreman-proxy/ssl_ca.pem',
+              :owner   => 'root',
+              :group   => 'mosquitto',
+              :mode    => '0440'
+            })
+        end
+      end
+
+      describe '' do
+        let(:params) { super().merge(:ensure => 'absent') }
+
+        it 'should configure mosquitto' do
+          should contain_class('mosquitto').
+            with({
+              :package_ensure => 'absent',
+              :service_ensure => 'stopped',
+              :service_enable => false,
+            })
+        end
+
+        it 'should configure an ACL file' do
+          should contain_file('/etc/mosquitto/foreman.acl').
+            with({
+              :ensure => 'absent',
+            })
+        end
+
+        it 'should configure a SSL directory' do
+          should contain_file('/etc/mosquitto/ssl').
+            with({
+              :ensure => 'absent',
+            })
+        end
+
+        it 'should configure an ssl_cert' do
+          should contain_file('/etc/mosquitto/ssl/ssl_cert.pem').
+            with({
+              :ensure => 'absent',
+            })
+        end
+
+        it 'should configure an ssl_key' do
+          should contain_file('/etc/mosquitto/ssl/ssl_key.pem').
+            with({
+              :ensure => 'absent',
+            })
+        end
+
+        it 'should configure an ssl_ca' do
+          should contain_file('/etc/mosquitto/ssl/ssl_ca.pem').
+            with({
+              :ensure => 'absent',
+            })
+        end
+      end
+    end
+  end
+end