From 433dadc5ec41c2477fc6a04e056ca061fd818980 Mon Sep 17 00:00:00 2001
From: "Eric D. Helms"
Date: Sat, 23 Sep 2023 08:10:57 -0400
Subject: [PATCH] Copy the server CA certificate with file resource
---
 manifests/ca.pp | 40 +++++++++++++++++------------------
 spec/acceptance/certs_spec.rb | 27 +++++++++++++++++++++++
 2 files changed, 47 insertions(+), 20 deletions(-)
diff --git a/manifests/ca.pp b/manifests/ca.pp
index 8b77a5ab..4cb6eae6 100644
--- a/manifests/ca.pp
+++ b/manifests/ca.pp
@@ -12,10 +12,8 @@
 String $ca_expiration = $certs::ca_expiration,
 Boolean $generate = $certs::generate,
 Boolean $deploy = $certs::deploy,
- Optional[Stdlib::Absolutepath] $server_cert = $certs::server_cert,
- Optional[Stdlib::Absolutepath] $ssl_build_dir = $certs::ssl_build_dir,
- String $group = $certs::group,
 String $owner = $certs::user,
+ String $group = $certs::group,
 Stdlib::Absolutepath $katello_server_ca_cert = $certs::katello_server_ca_cert,
 Stdlib::Absolutepath $ca_key = $certs::ca_key,
 Stdlib::Absolutepath $ca_cert = $certs::ca_cert,
@@ -23,6 +21,8 @@
 String $ca_key_password = $certs::ca_key_password,
 Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
 ) {
+ $server_ca_path = "${certs::ssl_build_dir}/${server_ca_name}.crt"
+
 file { "${certs::pki_dir}/private/${default_ca_name}.pwd":
 ensure => absent,
 }
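Review bot: Dropping `$server_cert` and `$ssl_build_dir` from the parameter list is a breaking change for any caller or Hiera key that sets `certs::ca::server_cert` or `certs::ca::ssl_build_dir`, and nothing in the patch deprecates them first. If compatibility matters, keep them for one release as `Optional[Stdlib::Absolutepath] $server_cert = undef,` (same for `$ssl_build_dir`) and emit stdlib's `deprecation('certs::ca::server_cert', 'server_cert is ignored; set certs::server_ca_cert instead')` when either is set, without reading them anywhere else. `$deploy` is still declared here, but with the `ca` resources removed it is not clear from this hunk whether anything still reads it. The class parameter list starts and ends outside this hunk.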
@@ -51,29 +51,29 @@ } $default_ca = Ca[$default_ca_name] - if $server_cert { - ca { $server_ca_name: - ensure => present, - generate => $generate, - deploy => false, - custom_pubkey => $certs::server_ca_cert, - build_dir => $certs::ssl_build_dir, + if $certs::server_ca_cert { + file { $server_ca_path: + ensure => file, + source => $certs::server_ca_cert, + owner => 'root', + group => 'root', + mode => '0644', } } else { - ca { $server_ca_name: - ensure => present, - generate => $generate, - deploy => false, - custom_pubkey => "${certs::ssl_build_dir}/${default_ca_name}.crt", - build_dir => $certs::ssl_build_dir, + file { $server_ca_path: + ensure => file, + source => "${certs::ssl_build_dir}/${default_ca_name}.crt", + owner => 'root', + group => 'root', + mode => '0644', } } if $generate { - file { "${ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT": + file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT": ensure => link, - target => "${ssl_build_dir}/${server_ca_name}.crt", - require => Ca[$server_ca_name], + target => $server_ca_path, + require => File[$server_ca_path], } } @@ -94,7 +94,7 @@ file { $katello_server_ca_cert: ensure => file, - source => "${certs::ssl_build_dir}/${server_ca_name}.crt", + source => $server_ca_path, owner => $owner, group => $group, mode => '0644', diff --git a/spec/acceptance/certs_spec.rb b/spec/acceptance/certs_spec.rb index e61c9ea0..3bffe69f 100644 --- a/spec/acceptance/certs_spec.rb +++ b/spec/acceptance/certs_spec.rb 
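Review bot: The new `file { $server_ca_path: source => $certs::server_ca_cert }` copies whatever path the operator supplies with no check that the content is a CA certificate, so a wrong path (a private key, a leaf certificate, an empty file) would be installed as the trust anchor and the `KATELLO-TRUSTED-SSL-CERT` link would follow it silently; whatever validation the replaced `ca` resource performed is gone, and the acceptance test checks `have_purpose 'CA'` while the manifest checks nothing. Add `validate_cmd => '/usr/bin/openssl x509 -noout -in %',` to both `file` resources so a non-certificate is rejected before it lands in `ssl_build_dir`. In the `else` branch the source is the certificate produced by `Ca[$default_ca_name]` (assigned to `$default_ca` just above); a `file` resource does not autorequire its `source` file, so unless ordering is established outside this hunk, add `require => $default_ca,` to that resource so the copy cannot run before the CA exists on a first run. The two branches differ only in `source`; a selector feeding one `file` resource would remove the duplicated owner/group/mode lines.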
@@ -124,4 +124,31 @@ class { 'certs':
 it { should_not exist }
 end
 end
+
+ context 'with server CA cert' do
+ before(:context) do
+ source_path = "fixtures/example.partial.solutions-chain.pem"
+ dest_path = "/server-ca.crt"
+ scp_to(hosts, source_path, dest_path)
+ end
+
+ it_behaves_like 'an idempotent resource' do
+ let(:manifest) do
+ <<-PUPPET
+ class { 'certs':
+ server_ca_cert => '/server-ca.crt',
+ }
+ PUPPET
+ end
+ end
+
+ describe x509_certificate('/root/ssl-build/katello-server-ca.crt') do
+ it { should be_certificate }
+ # Doesn't have to be valid - can be expired since it's a static resource
+ it { should have_purpose 'CA' }
+ its(:issuer) { should eq('CN = Fake LE Root X1') }
+ its(:subject) { should eq('CN = Fake LE Intermediate X1') }
+ its(:keylength) { should be >= 2048 }
+ end
+ end
 end
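Review bot: The new context pins only the certificate content of `/root/ssl-build/katello-server-ca.crt`; the manifest change it exercises also sets owner, group and mode on that file, and nothing here asserts them, so a regression to a world-writable or non-root-owned trust anchor would still pass. Add a `file` describe next to the `x509_certificate` one using the same `should` style the spec already uses. Staging the fixture at `/server-ca.crt` in the filesystem root works, but a path under `/tmp` would be more conventional; non-blocking.
```ruby
describe file('/root/ssl-build/katello-server-ca.crt') do
  it { should be_file }
  it { should be_mode 644 }
  it { should be_owned_by 'root' }
  it { should be_grouped_into 'root' }
end
```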