f configure chown csr_attributes.yaml on server

Author: jpartlow

spec/tasks/configure_spec.rb

@@ -59,6 +59,33 @@
     end
   end
 
+  def check_returned_id(uid_or_gid)
+    case uid_or_gid
+    when Integer
+      uid_or_gid > 0
+    when nil
+      true # If the user does not exist, it returns nil.
+    else
+      false # Should not return anything else.
+    end
+  end
+
+  describe '#puppet_uid' do
+    it 'returns the UID of the puppet user' do
+      expect(task.puppet_uid).to satisfy do |uid|
+        check_returned_id(uid)
+      end
+    end
+  end
+
+  describe '#puppet_gid' do
+    it 'returns the GID of the puppet group' do
+      expect(task.puppet_gid).to satisfy do |gid|
+        check_returned_id(gid)
+      end
+    end
+  end
+
   describe '#write_csr_attributes' do
     let(:csr_attributes) do
       {

tasks/configure.rb

@@ -2,11 +2,24 @@
 # frozen_string_literal: true
 
 require_relative '../lib/openvox_bootstrap/task'
+require 'etc'
 require 'open3'
 require 'yaml'
 
 module OpenvoxBootstrap
   class Configure < Task
+    def puppet_uid
+      Etc.getpwnam('puppet').uid
+    rescue ArgumentError
+      nil
+    end
+
+    def puppet_gid
+      Etc.getgrnam('puppet').gid
+    rescue ArgumentError
+      nil
+    end
+
     # Overwrite puppet.conf with the values in the puppet_conf hash.
     #
     # Does nothing if given an empty or nil puppet_conf.
@@ -55,6 +68,17 @@ def write_csr_attributes(csr_attributes, etc_puppet_path = '/etc/puppetlabs/pupp
       File.open(csr_attributes_path, 'w', perm: 0o640) do |f|
         f.write(csr_attributes_contents)
       end
+      # File.chown ignores nils, so if the puppet user/group do not
+      # exist, nothing is done, and the file remains root:root
+      # which is correct for the agent.
+      #
+      # This chown is only important on the node running openvox-server
+      # (this package creates the puppet user), as puppetserver may
+      # otherwise choke on first startup because the file
+      # can't be read during its ca bootstrap. (I think because
+      # puppetserver runs as the puppet user and is calling puppet ssl
+      # at some point.)
+      File.chown(puppet_uid, puppet_gid, csr_attributes_path)
 
       {
         csr_attributes: {