(gh-26) Chown csr_attributes.yaml puppet:puppet on server

File.chown ignores nils, so if the puppet user/group do not exist,
nothing is done, and the file remains root:root which is correct for the
agent.

This chown is only important on the node running openvox-server , as
puppetserver may otherwise choke on first startup because the file can't
be read during its ca bootstrap. (I think because puppetserver runs as
the puppet user and is calling puppet ssl at some point.)

Note that it is the openvox-server package that creates the puppet
user/group at install.

Author: jpartlow

spec/tasks/configure_spec.rb

@@ -59,6 +59,33 @@
     end
   end
 
+  def check_returned_id(uid_or_gid)
+    case uid_or_gid
+    when Integer
+      uid_or_gid > 0
+    when nil
+      true # If the user does not exist, it returns nil.
+    else
+      false # Should not return anything else.
+    end
+  end
+
+  describe '#puppet_uid' do
+    it 'returns the UID of the puppet user' do
+      expect(task.puppet_uid).to satisfy do |uid|
+        check_returned_id(uid)
+      end
+    end
+  end
+
+  describe '#puppet_gid' do
+    it 'returns the GID of the puppet group' do
+      expect(task.puppet_gid).to satisfy do |gid|
+        check_returned_id(gid)
+      end
+    end
+  end
+
   describe '#write_csr_attributes' do
     let(:csr_attributes) do
       {

tasks/configure.rb

@@ -2,11 +2,24 @@
 # frozen_string_literal: true
 
 require_relative '../lib/openvox_bootstrap/task'
+require 'etc'
 require 'open3'
 require 'yaml'
 
 module OpenvoxBootstrap
   class Configure < Task
+    def puppet_uid
+      Etc.getpwnam('puppet').uid
+    rescue ArgumentError
+      nil
+    end
+
+    def puppet_gid
+      Etc.getgrnam('puppet').gid
+    rescue ArgumentError
+      nil
+    end
+
     # Overwrite puppet.conf with the values in the puppet_conf hash.
     #
     # Does nothing if given an empty or nil puppet_conf.
@@ -42,6 +55,9 @@ def write_puppet_conf(puppet_conf, etc_puppet_path = '/etc/puppetlabs/puppet')
     # Does nothing if given an empty or nil csr_attributes.
     #
     # The file will be mode 640.
+    # It will either be owned root:root (assuming task is run as root,
+    # as expected), or puppet:puppet if the puppet user and group
+    # exist (openvox-server package is installed).
     #
     # @param csr_attributes [Hash] A hash of custom_attributes
     #   and extension_requests to write to the csr_attributes.yaml
@@ -55,6 +71,8 @@ def write_csr_attributes(csr_attributes, etc_puppet_path = '/etc/puppetlabs/pupp
       File.open(csr_attributes_path, 'w', perm: 0o640) do |f|
         f.write(csr_attributes_contents)
       end
+      # nil uid/gid are ignored by FileUtils.chown...
+      File.chown(puppet_uid, puppet_gid, csr_attributes_path)
 
       {
         csr_attributes: {