Add class to handle creation of certs for advisor service on localhost

Signed-off-by: Eric D. Helms <[email protected]>
theforeman · Jan 14, 2025 · 23e5832 · 23e5832
1 parent c366540
commit 23e5832
Show file tree

Hide file tree

Showing 3 changed files with 190 additions and 0 deletions.
diff --git a/manifests/iop_advisor_engine.pp b/manifests/iop_advisor_engine.pp
@@ -0,0 +1,60 @@
+# Contains certs specific configurations for advisor
+class certs::iop_advisor_engine (
+  Stdlib::Fqdn $hostname = 'localhost',
+  Boolean $generate = $certs::generate,
+  Boolean $regenerate = $certs::regenerate,
+  Boolean $deploy = $certs::deploy,
+  String[2,2] $country = $certs::country,
+  String $state = $certs::state,
+  String $city = $certs::city,
+  String $org = $certs::org,
+  String $org_unit = $certs::org_unit,
+  String $expiration = $certs::expiration,
+  Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
+  String $owner = 'root',
+  String $group = 'root',
+  Stdlib::Filemode $private_key_mode = '0440',
+  Stdlib::Filemode $public_key_mode = '0444',
+) inherits certs {
+  include certs::foreman_proxy
+
+  $server_cert_name = "${hostname}-iop-advisor-server"
+  $server_cert = '/etc/iop-advisor-engine/server.cert'
+  $server_key = '/etc/iop-advisor-engine/server.key'
+  $server_ca_cert = $certs::server_ca_cert
+
+  $client_cert = $certs::foreman_proxy::foreman_ssl_cert
+  $client_key = $certs::foreman_proxy::foreman_ssl_key
+  $client_ca_cert = $certs::foreman_proxy::foreman_ssl_ca_cert
+
+  cert { $server_cert_name:
+    ensure        => present,
+    hostname      => $hostname,
+    country       => $country,
+    state         => $state,
+    city          => $city,
+    org           => $org,
+    org_unit      => $org_unit,
+    expiration    => $expiration,
+    ca            => $certs::default_ca,
+    generate      => $generate,
+    regenerate    => $regenerate,
+    password_file => $ca_key_password_file,
+    build_dir     => $certs::ssl_build_dir,
+  }
+
+  if $deploy {
+    certs::keypair { $server_cert_name:
+      source_dir => "${certs::ssl_build_dir}/${hostname}",
+      key_file   => $server_key,
+      key_owner  => $owner,
+      key_group  => $group,
+      key_mode   => $private_key_mode,
+      cert_file  => $server_cert,
+      cert_owner => $owner,
+      cert_group => $group,
+      cert_mode  => $public_key_mode,
+      require    => Cert[$server_cert_name],
+    }
+  }
+}
diff --git a/spec/acceptance/iop_advisor_engine_spec.rb b/spec/acceptance/iop_advisor_engine_spec.rb
@@ -0,0 +1,115 @@
+require 'spec_helper_acceptance'
+
+describe 'certs::iop_advisor_engine' do
+  fqdn = fact('fqdn')
+  hostname = 'localhost'
+
+  before(:all) do
+    on default, 'rm -rf /root/ssl-build'
+
+    manifest = <<~MANIFEST
+      file { '/etc/foreman-proxy':
+        ensure => directory,
+      }
+
+      group { 'foreman-proxy':
+        ensure => present,
+        system => true,
+      }
+
+      file { '/etc/iop-advisor-engine':
+        ensure => directory,
+      }
+    MANIFEST
+    apply_manifest(manifest, catch_failures: true)
+  end
+
+  context 'with default parameters' do
+    it_behaves_like 'an idempotent resource' do
+      let(:manifest) { 'include certs::iop_advisor_engine' }
+    end
+
+    describe x509_certificate('/etc/iop-advisor-engine/server.cert') do
+      it { should be_certificate }
+      it { should be_valid }
+      it { should have_purpose 'server' }
+      its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
+      its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = #{hostname}/) }
+      its(:keylength) { should be >= 4096 }
+    end
+
+    describe file('/etc/iop-advisor-engine/server.cert') do
+      it { should be_file }
+      it { should be_mode 444 }
+      it { should be_owned_by 'root' }
+      it { should be_grouped_into 'root' }
+    end
+
+    describe x509_private_key('/etc/iop-advisor-engine/server.key') do
+      it { should_not be_encrypted }
+      it { should be_valid }
+      it { should have_matching_certificate('/etc/iop-advisor-engine/server.cert') }
+    end
+
+    describe file('/etc/iop-advisor-engine/server.key') do
+      it { should be_file }
+      it { should be_mode 440 }
+      it { should be_owned_by 'root' }
+      it { should be_grouped_into 'root' }
+    end
+
+    describe x509_certificate("/root/ssl-build/#{hostname}/#{hostname}-iop-advisor-server.crt") do
+      it { should be_certificate }
+      it { should be_valid }
+      it { should have_purpose 'server' }
+      its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
+      its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = #{hostname}/) }
+      its(:keylength) { should be >= 4096 }
+    end
+
+    describe x509_private_key("/root/ssl-build/#{hostname}/#{hostname}-iop-advisor-server.key") do
+      it { should_not be_encrypted }
+      it { should be_valid }
+      it { should have_matching_certificate("/root/ssl-build/#{hostname}/#{hostname}-iop-advisor-server.crt") }
+    end
+  end
+
+  context 'with deploy false' do
+    before(:context) do
+      on default, 'rm -rf /root/ssl-build /etc/iop-advisor-engine'
+    end
+
+    it_behaves_like 'an idempotent resource' do
+      let(:manifest) do
+        <<-PUPPET
+          class { 'certs::iop_advisor_engine':
+            deploy => false
+          }
+        PUPPET
+      end
+    end
+
+    describe x509_certificate("/root/ssl-build/#{hostname}/#{hostname}-iop-advisor-server.crt") do
+      it { should be_certificate }
+      it { should be_valid }
+      it { should have_purpose 'server' }
+      its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
+      its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = #{hostname}/) }
+      its(:keylength) { should be >= 4096 }
+    end
+
+    describe x509_private_key("/root/ssl-build/#{hostname}/#{hostname}-iop-advisor-server.key") do
+      it { should_not be_encrypted }
+      it { should be_valid }
+      it { should have_matching_certificate("/root/ssl-build/#{hostname}/#{hostname}-iop-advisor-server.crt") }
+    end
+
+    describe file('/etc/iop-advisor-engine/server.cert') do
+      it { should_not exist }
+    end
+
+    describe file('/etc/iop-advisor-engine/server.key') do
+      it { should_not exist }
+    end
+  end
+end
diff --git a/spec/classes/certs_iop_advisor_engine_spec.rb b/spec/classes/certs_iop_advisor_engine_spec.rb
@@ -0,0 +1,15 @@
+require 'spec_helper'
+
+describe 'certs::iop_advisor_engine' do
+  on_supported_os.each do |os, os_facts|
+    context "on #{os}" do
+      let :facts do
+        os_facts
+      end
+
+      describe 'with default parameters' do
+        it { should compile.with_all_deps }
+      end
+    end
+  end
+end