Merge pull request #1077 from elastic/confine_elasticsearch-user_providers

Fix more failing master tests

Author: Gavin Williams

.travis.yml

@@ -1,5 +1,5 @@
 sudo: required
-group: deprecated-2017Q4
+# group: deprecated-2017Q4
 services:
 - docker
 cache:
@@ -52,75 +52,39 @@ jobs:
     env:
     - BEAKER_PUPPET_COLLECTION=puppet6
     - TASK=beaker:centos-6-x64:acceptance
-  - env:
-    - BEAKER_PUPPET_COLLECTION=puppet6
-    - TASK=beaker:centos-6-x64:acceptance[5.6.16]
   - env:
     - BEAKER_PUPPET_COLLECTION=puppet6
     - TASK=beaker:centos-7-x64:acceptance
-  - env:
-    - BEAKER_PUPPET_COLLECTION=puppet6
-    - TASK=beaker:centos-7-x64:acceptance[5.6.16]
   - env:
     - BEAKER_PUPPET_COLLECTION=puppet6
     - TASK=beaker:centos-8-x64:acceptance
-  - env:
-    - BEAKER_PUPPET_COLLECTION=puppet6
-    - TASK=beaker:centos-8-x64:acceptance[5.6.16]
   - env:
     - BEAKER_PUPPET_COLLECTION=puppet6
     - TASK=beaker:amazonlinux-1-x64:acceptance
-  - env:
-    - BEAKER_PUPPET_COLLECTION=puppet6
-    - TASK=beaker:amazonlinux-1-x64:acceptance[5.6.16]
   - env:
     - BEAKER_PUPPET_COLLECTION=puppet6
     - TASK=beaker:oracle-6-x64:acceptance
-  - env:
-    - BEAKER_PUPPET_COLLECTION=puppet6
-    - TASK=beaker:oracle-6-x64:acceptance[5.6.16]
   - env:
     - BEAKER_PUPPET_COLLECTION=puppet6
     - TASK=beaker:oracle-7-x64:acceptance
-  - env:
-    - BEAKER_PUPPET_COLLECTION=puppet6
-    - TASK=beaker:oracle-7-x64:acceptance[5.6.16]
   - env:
     - BEAKER_PUPPET_COLLECTION=puppet6
     - TASK=beaker:debian-8-x64:acceptance
-  - env:
-    - BEAKER_PUPPET_COLLECTION=puppet6
-    - TASK=beaker:debian-8-x64:acceptance[5.6.16]
   - env:
     - BEAKER_PUPPET_COLLECTION=puppet6
     - TASK=beaker:debian-9-x64:acceptance
-  - env:
-    - BEAKER_PUPPET_COLLECTION=puppet6
-    - TASK=beaker:debian-9-x64:acceptance[5.6.16]
   - env:
     - BEAKER_PUPPET_COLLECTION=puppet6
     - TASK=beaker:debian-10-x64:acceptance
-  - env:
-    - BEAKER_PUPPET_COLLECTION=puppet6
-    - TASK=beaker:debian-10-x64:acceptance[5.6.16]
   - env:
     - BEAKER_PUPPET_COLLECTION=puppet6
     - TASK=beaker:ubuntu-server-1404-x64:acceptance
-  - env:
-    - BEAKER_PUPPET_COLLECTION=puppet6
-    - TASK=beaker:ubuntu-server-1404-x64:acceptance[5.6.16]
   - env:
     - BEAKER_PUPPET_COLLECTION=puppet6
     - TASK=beaker:ubuntu-server-1604-x64:acceptance
-  - env:
-    - BEAKER_PUPPET_COLLECTION=puppet6
-    - TASK=beaker:ubuntu-server-1604-x64:acceptance[5.6.16]
   - env:
     - BEAKER_PUPPET_COLLECTION=puppet6
     - TASK=beaker:ubuntu-server-1804-x64:acceptance
-  - env:
-    - BEAKER_PUPPET_COLLECTION=puppet6
-    - TASK=beaker:ubuntu-server-1804-x64:acceptance[5.6.16]
   - stage: snapshots
     env:
     - TASK=beaker:ubuntu-server-1404-x64:snapshot

Gemfile

@@ -8,7 +8,7 @@ group :test do
   gem 'xmlrpc'
 
   gem 'ci_reporter_rspec'
-  gem 'facter'
+  gem 'facter', "~> 2.4"
   gem 'pry'
   gem 'puppet-lint'
   gem 'puppet-strings'

Rakefile

@@ -140,7 +140,7 @@ beaker_node_sets.each do |node|
     args.with_defaults(:version => '6.8.6', :filter => nil)
     task.pattern = 'spec/acceptance/tests/acceptance_spec.rb'
     task.rspec_opts = []
-    task.rspec_opts << '--format documentation' if ENV['CI'].nil?
+    task.rspec_opts << '--format documentation'
     task.rspec_opts << "--example '#{args[:filter]}'" if args[:filter]
     ENV['ELASTICSEARCH_VERSION'] ||= args[:version]
     Rake::Task['artifact:fetch'].invoke(ENV['ELASTICSEARCH_VERSION'])

lib/puppet/provider/elasticsearch_user/elasticsearch_users.rb

@@ -5,6 +5,7 @@
   :parent => Puppet::Provider::ElasticUserCommand
 ) do
   desc 'Provider for OSS X-Pack user resources.'
+  confine :exists => "#{homedir}/bin/elasticsearch-users"
 
   has_feature :manages_plaintext_passwords
 

lib/puppet/provider/elasticsearch_user/users.rb

@@ -5,7 +5,16 @@
   :parent => Puppet::Provider::ElasticUserCommand
 ) do
   desc 'Provider for X-Pack file (users) user resources.'
-  confine :false => (Puppet::FileSystem.exist? "#{homedir}/bin/elasticsearch-users")
+
+  # Prefer the newer 'elasticsearch-users' command provider
+  # if the 'elasticsearch_users' command exists.
+  # The logic looks a bit backwards here, but that's because
+  # Puppet evals the 'confine' statement early on.
+  # So we could hit false-positives due to the package
+  # being installed in the same Puppet run.
+  confine :true => begin
+    false if File.exist?("#{homedir}/bin/elasticsearch-users")
+  end
 
   has_feature :manages_plaintext_passwords
 

spec/spec_helper_tls.rb

@@ -6,7 +6,7 @@ def gen_certs(num_certs, path)
   ca_key = OpenSSL::PKey::RSA.new 2048
 
   # CA Cert
-  ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example'
+  ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example/DC=com'
   ca_cert = OpenSSL::X509::Certificate.new
   ca_cert.serial = serial
   serial += 1
@@ -19,16 +19,16 @@ def gen_certs(num_certs, path)
   extension_factory = OpenSSL::X509::ExtensionFactory.new
   extension_factory.subject_certificate = ca_cert
   extension_factory.issuer_certificate = ca_cert
-  ca_cert.add_extension extension_factory.create_extension(
-    'subjectAltName', ['localhost', '127.0.0.1'].map { |d| "DNS: #{d}" }.join(',')
-  )
+  # ca_cert.add_extension extension_factory.create_extension(
+  #   'subjectAltName', ['localhost', '127.0.0.1'].map { |d| "DNS: #{d}" }.join(',')
+  # )
   ca_cert.add_extension extension_factory.create_extension(
     'subjectKeyIdentifier', 'hash'
   )
   ca_cert.add_extension extension_factory.create_extension(
     'basicConstraints', 'CA:TRUE', true
   )
-  ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new
+  ca_cert.sign ca_key, OpenSSL::Digest::SHA256.new
   ret[:ca] = {
     :cert => {
       :pem => ca_cert.to_pem,
@@ -38,7 +38,7 @@ def gen_certs(num_certs, path)
 
   num_certs.times do |i|
     key, cert, serial = gen_cert_pair serial, ca_cert
-    cert.sign ca_key, OpenSSL::Digest::SHA1.new
+    cert.sign ca_key, OpenSSL::Digest::SHA256.new
     ret[:clients] << {
       :key => {
         :pem => key.to_pem,
@@ -58,7 +58,11 @@ def gen_cert_pair(serial, ca_cert)
   serial += 1
   # Node Key
   key = OpenSSL::PKey::RSA.new 2048
-  node_name = OpenSSL::X509::Name.parse 'CN=localhost/DC=example'
+  node_name = OpenSSL::X509::Name.parse 'CN=localhost/DC=example/DC=com'
+
+  # prepare SANS list
+  sans = ['localhost.localdomain', 'localhost', 'localhost.example.com']
+  sans_list = sans.map { |domain| "DNS:#{domain}" }
 
   # Node Cert
   cert = OpenSSL::X509::Certificate.new
@@ -75,6 +79,10 @@ def gen_cert_pair(serial, ca_cert)
   csr_extension_factory.subject_certificate = cert
   csr_extension_factory.issuer_certificate = ca_cert
 
+  cert.add_extension csr_extension_factory.create_extension(
+    'subjectAltName',
+    sans_list.join(',')
+  )
   cert.add_extension csr_extension_factory.create_extension(
     'basicConstraints',
     'CA:FALSE'
@@ -83,6 +91,10 @@ def gen_cert_pair(serial, ca_cert)
     'keyUsage',
     'keyEncipherment,dataEncipherment,digitalSignature'
   )
+  cert.add_extension csr_extension_factory.create_extension(
+    'extendedKeyUsage',
+    'serverAuth,clientAuth'
+  )
   cert.add_extension csr_extension_factory.create_extension(
     'subjectKeyIdentifier', 'hash'
   )