(gh-26) Add configure task for initial openvox-agent configuration

This task provides very basic configuration needed for the initial agent
run.

* It allows generating a puppet.conf from a hash of parameters so that the
  server can set.
* It allows generating a csr_attributes.yaml for autosigning and
  certificate extensions.
* And it allows management of the puppet service.

Author: jpartlow

spec/tasks/configure_spec.rb

@@ -0,0 +1,190 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_relative '../../tasks/configure'
+
+# rubocop:disable RSpec/MessageSpies
+# rubocop:disable RSpec/StubbedMock
+describe 'openvox_bootstrap::configure' do
+  let(:tmpdir) { Dir.mktmpdir('openvox_bootstrap-configure-spec') }
+  let(:task) { OpenvoxBootstrap::Configure.new }
+
+  around do |example|
+    example.run
+  ensure
+    FileUtils.remove_entry_secure(tmpdir)
+  end
+
+  describe '#write_puppet_conf' do
+    let(:puppet_conf) do
+      {
+        'main' => {
+          'server'   => 'puppet.spec',
+          'certname' => 'agent.spec',
+        },
+        'agent' => {
+          'environment' => 'test'
+        }
+      }
+    end
+    let(:puppet_conf_path) { File.join(tmpdir, 'puppet.conf') }
+    let(:puppet_conf_contents) do
+      <<~CONF
+        [main]
+        server = puppet.spec
+        certname = agent.spec
+
+        [agent]
+        environment = test
+      CONF
+    end
+
+    it 'writes a puppet.conf ini' do
+      expect(task.write_puppet_conf(puppet_conf, tmpdir)).to(
+        eq(
+          {
+            puppet_conf: {
+              path: puppet_conf_path,
+              contents: puppet_conf_contents
+            }
+          }
+        )
+      )
+      expect(File.read(puppet_conf_path)).to eq(puppet_conf_contents)
+    end
+
+    it 'does nothing if given an empty config' do
+      expect(task.write_puppet_conf(nil)).to eq({})
+      expect(task.write_puppet_conf({})).to eq({})
+    end
+  end
+
+  describe '#write_csr_attributes' do
+    let(:csr_attributes) do
+      {
+        'custom_attributes' => {
+          '1.2.840.113549.1.9.7' => 'bar',
+        },
+        'extension_requests' => {
+          'pp_role' => 'spec'
+        }
+      }
+    end
+    let(:csr_attributes_path) { File.join(tmpdir, 'csr_attributes.yaml') }
+    let(:csr_attributes_contents) do
+      <<~YAML
+        ---
+        custom_attributes:
+          1.2.840.113549.1.9.7: bar
+        extension_requests:
+          pp_role: spec
+      YAML
+    end
+
+    it 'writes a csr_attributes.yaml file' do
+      expect(task.write_csr_attributes(csr_attributes, tmpdir)).to(
+        eq(
+          {
+            csr_attributes: {
+              path: csr_attributes_path,
+              contents: csr_attributes_contents,
+            }
+          }
+        )
+      )
+      expect(File.read(csr_attributes_path)).to eq(csr_attributes_contents)
+      expect(File.stat(csr_attributes_path).mode & 0o777).to eq(0o640)
+    end
+
+    it 'does nothing if given an empty config' do
+      expect(task.write_csr_attributes(nil)).to eq({})
+      expect(task.write_csr_attributes({})).to eq({})
+    end
+  end
+
+  describe '#manage_puppet_service' do
+    def status(code = 0)
+      instance_double(Process::Status, exitstatus: code)
+    end
+
+    it 'is successful for a 0 exit code' do
+      command = [
+        'puppet',
+        'apply',
+        '--detailed-exitcodes',
+        '-e',
+        %(service { 'puppet':   ensure => running,   enable => true, }),
+      ]
+      expect(Open3).to receive(:capture2e).with(*command).and_return(['applied', status])
+
+      expect(task.manage_puppet_service(true, true)).to eq(
+        {
+          puppet_service: {
+            command: command.join(' '),
+            output: 'applied',
+            successful: true,
+          }
+        }
+      )
+    end
+
+    it 'is successful for a 2 exit code' do
+      expect(Open3).to receive(:capture2e).and_return(['applied', status(2)])
+
+      result = task.manage_puppet_service(true, true)
+      expect(result.dig(:puppet_service, :successful)).to be true
+    end
+
+    it 'fails for a non 0, 2 exit code' do
+      expect(Open3).to receive(:capture2e).and_return(['applied', status(1)])
+
+      result = task.manage_puppet_service(true, true)
+      expect(result.dig(:puppet_service, :successful)).to be false
+    end
+  end
+
+  describe '#task' do
+    it 'returns a result hash if puppet service is managed successfully' do
+      expect(task).to receive(:manage_puppet_service).and_return({ puppet_service: { successful: true } })
+
+      expect(task.task).to eq(
+        {
+          puppet_service: { successful: true },
+        }
+      )
+    end
+
+    it 'prints results and exits 1 if puppet service fails' do
+      expect(task).to(
+        receive(:manage_puppet_service).
+        and_return(
+          {
+            puppet_service: {
+              successful: false,
+              output: "apply failed\n",
+            }
+          }
+        )
+      )
+
+      expect { task.task }.to(
+        raise_error(SystemExit).and(
+          output(<<~EOM).to_stdout
+            {
+              "puppet_service": {
+                "successful": false,
+                "output": "apply failed\\n"
+              }
+            }
+
+            Failed managing the puppet service:
+
+            apply failed
+          EOM
+        ).and(output('').to_stderr)
+      )
+    end
+  end
+end
+# rubocop:enable RSpec/MessageSpies
+# rubocop:enable RSpec/StubbedMock

tasks/configure.json

@@ -0,0 +1,24 @@
+{
+  "description": "Provides initial configuration for a freshly installed openvox-agent.",
+  "input_method": "stdin",
+  "parameters": {
+    "puppet_conf": {
+      "description": "Hash of puppet configuration settings to write to the puppet.conf ini file. NOTE: This will completely overwrite any existing settings in the file; there is no merging behavior in this task.",
+      "type": "Optional[OpenvoxBootstrap::IniFile]"
+    },
+    "csr_attributes": {
+      "description": "Hash of CSR attributes (custom_attributes and extension_requests) to write to the csr_attributes.yaml file. NOTE: This will completely overwrite any existing settings in the file; there is no merging behavior in this task.",
+      "type": "Optional[OpenvoxBootstrap::CsrAttributes]"
+    },
+    "puppet_service_running": {
+      "description": "Whether the Puppet service should be running after this task completes. Defaults to true.",
+      "type": "Boolean",
+      "default": true
+    },
+    "puppet_service_enabled": {
+      "description": "Whether the Puppet service should be enabled to start on boot after this task completes. Defaults to true.",
+      "type": "Boolean",
+      "default": true
+    }
+  }
+}

tasks/configure.rb

@@ -0,0 +1,123 @@
+#! /opt/puppetlabs/puppet/bin/ruby
+# frozen_string_literal: true
+
+require_relative '../lib/openvox_bootstrap/task'
+require 'open3'
+require 'yaml'
+
+module OpenvoxBootstrap
+  class Configure < Task
+    # Overwrite puppet.conf with the values in the puppet_conf hash.
+    #
+    # Does nothing if given an empty or nil puppet_conf.
+    #
+    # @param puppet_conf [Hash<String,Hash<String,String>>] A hash of
+    #   sections and settings to write to the puppet.conf file.
+    # @return [Hash]
+    def write_puppet_conf(puppet_conf, etc_puppet_path = '/etc/puppetlabs/puppet')
+      return {} if puppet_conf.nil? || puppet_conf.empty?
+
+      conf_path = File.join(etc_puppet_path, 'puppet.conf')
+      sections = puppet_conf.map do |section, settings|
+        "[#{section}]\n" +
+          settings.map { |key, value| "#{key} = #{value}" }.join("\n")
+      end
+      puppet_conf_contents = "#{sections.join("\n\n")}\n"
+
+      File.open(conf_path, 'w', perm: 0o644) do |f|
+        f.write(puppet_conf_contents)
+      end
+
+      {
+        puppet_conf: {
+          path: conf_path,
+          contents: puppet_conf_contents,
+        }
+      }
+    end
+
+    # Overwrite the csr_attributes.yaml file with the given
+    # csr_attributes hash.
+    #
+    # Does nothing if given an empty or nil csr_attributes.
+    #
+    # The file will be mode 640.
+    #
+    # @param csr_attributes [Hash] A hash of custom_attributes
+    #   and extension_requests to write to the csr_attributes.yaml
+    #   file.
+    # @return [Hash]
+    def write_csr_attributes(csr_attributes, etc_puppet_path = '/etc/puppetlabs/puppet')
+      return {} if csr_attributes.nil? || csr_attributes.empty?
+
+      csr_attributes_path = File.join(etc_puppet_path, 'csr_attributes.yaml')
+      csr_attributes_contents = csr_attributes.to_yaml
+      File.open(csr_attributes_path, 'w', perm: 0o640) do |f|
+        f.write(csr_attributes_contents)
+      end
+
+      {
+        csr_attributes: {
+          path: csr_attributes_path,
+          contents: csr_attributes_contents,
+        }
+      }
+    end
+
+    # Manage the puppet service using puppet apply.
+    def manage_puppet_service(running, enabled)
+      manifest = <<~MANIFEST
+        service { 'puppet':
+          ensure => #{running ? 'running' : 'stopped'},
+          enable => #{enabled},
+        }
+      MANIFEST
+
+      command = [
+        'puppet',
+        'apply',
+        '--detailed-exitcodes',
+        '-e',
+        manifest.gsub(%r{\n}, ' ').strip,
+      ]
+
+      output, status = Open3.capture2e(*command)
+      success = [0, 2].include?(status.exitstatus)
+
+      {
+        puppet_service: {
+          command: command.join(' '),
+          output: output,
+          successful: success,
+        }
+      }
+    end
+
+    def task(
+      puppet_conf: {},
+      csr_attributes: {},
+      puppet_service_running: true,
+      puppet_service_enabled: true
+    )
+      puppet_conf_result = write_puppet_conf(puppet_conf)
+      csr_result = write_csr_attributes(csr_attributes)
+      puppet_service_result = manage_puppet_service(puppet_service_running, puppet_service_enabled)
+
+      results = puppet_conf_result.merge(
+        csr_result
+      ).merge(puppet_service_result)
+
+      success = results[:puppet_service][:successful]
+      if success
+        results
+      else
+        puts JSON.pretty_generate(results)
+        puts "\nFailed managing the puppet service:\n\n"
+        puts results[:puppet_service][:output]
+        exit 1
+      end
+    end
+  end
+end
+
+OpenvoxBootstrap::Configure.run if __FILE__ == $PROGRAM_NAME

types/cer_short_names.pp

@@ -0,0 +1,34 @@
+# Certificate extension request short names.
+# These are the allowed short names documented for Puppet(TM)
+# extension requests per [csr_attributes.yaml](https://help.puppet.com/core/current/Content/PuppetCore/config_file_csr_attributes.htm)
+type OpenvoxBootstrap::CerShortNames = Enum[
+  # 1.3.6.1.4.1.34380.1.1 range
+  'pp_uuid',
+  'pp_instance_id',
+  'pp_image_name',
+  'pp_preshared_key',
+  'pp_cost_center',
+  'pp_product',
+  'pp_project',
+  'pp_application',
+  'pp_service',
+  'pp_employee',
+  'pp_created_by',
+  'pp_environment',
+  'pp_role',
+  'pp_software_version',
+  'pp_department',
+  'pp_cluster',
+  'pp_provisioner',
+  'pp_region',
+  'pp_datacenter',
+  'pp_zone',
+  'pp_network',
+  'pp_securitypolicy',
+  'pp_cloudplatform',
+  'pp_apptier',
+  'pp_hostname',
+  # 1.3.6.1.4.1.34380.1.3 range
+  'pp_authorization',
+  'pp_auth_role',
+]

types/csr_attributes.pp

@@ -0,0 +1,13 @@
+# [csr_attributes.yaml](https://help.puppet.com/core/current/Content/PuppetCore/config_file_csr_attributes.htm)
+type OpenvoxBootstrap::CsrAttributes = Struct[
+  {
+    Optional['custom_attributes']  => Hash[
+      OpenvoxBootstrap::Oid,
+      String
+    ],
+    Optional['extension_requests'] => Hash[
+      Variant[OpenvoxBootstrap::Oid,OpenvoxBootstrap::CerShortNames],
+      String
+    ],
+  }
+]

types/ini_file.pp

@@ -0,0 +1,5 @@
+# Simple type for data to be transformed to an INI file format.
+type OpenvoxBootstrap::IniFile = Hash[
+  String,              # Section name
+  Hash[String, String] # Key-value pairs within the section
+]

types/oid.pp

@@ -0,0 +1,2 @@
+# Object Identifier per https://en.wikipedia.org/wiki/Object_identifier
+type OpenvoxBootstrap::Oid = Pattern[/\d+(\.\d+)*/]