Added safety measures for running in noop mode and updated the acceptance tests

jitran · jitran · commit b88856d9d7de · 2015-02-28T21:13:03.000+11:00
diff --git a/lib/puppet/provider/java_ks/keytool.rb b/lib/puppet/provider/java_ks/keytool.rb
@@ -84,29 +84,39 @@ def exists?
 
   # Reading the fingerprint of the certificate on disk.
   def latest
-    cmd = [
-        command_keytool,
-        '-v', '-printcert', '-file', certificate
-    ]
-    output = run_command(cmd)
-    latest = output.scan(/MD5:\s+(.*)/)[0][0]
-    return latest
+    # The certificate file may not exist during a puppet noop run as it's managed by puppet.
+    # Return value must be different to provider.current to signify a possible trigger event.
+    if Puppet[:noop] and !File.exists?(certificate)
+      return 'latest'
+    else
+      cmd = [
+          command_keytool,
+          '-v', '-printcert', '-file', certificate
+      ]
+      output = run_command(cmd)
+      latest = output.scan(/MD5:\s+(.*)/)[0][0]
+      return latest
+    end
   end
 
   # Reading the fingerprint of the certificate currently in the keystore.
   def current
-    output = ''
-    cmd = [
-        command_keytool,
-        '-list', '-v',
-        '-keystore', @resource[:target],
-        '-alias', @resource[:name]
-    ]
-    tmpfile = password_file
-    output = run_command(cmd, false, tmpfile)
-    tmpfile.close!
-    current = output.scan(/Certificate fingerprints:\n\s+MD5:  (.*)/)[0][0]
-    return current
+    # The keystore file may not exist during a puppet noop run as it's managed by puppet.
+    if Puppet[:noop] and !File.exists?(@resource[:target])
+      return 'current'
+    else
+      cmd = [
+          command_keytool,
+          '-list', '-v',
+          '-keystore', @resource[:target],
+          '-alias', @resource[:name]
+      ]
+      tmpfile = password_file
+      output = run_command(cmd, false, tmpfile)
+      tmpfile.close!
+      current = output.scan(/Certificate fingerprints:\n\s+MD5:  (.*)/)[0][0]
+      return current
+    end
   end
 
   # Determine if we need to do an import of a private_key and certificate pair
diff --git a/spec/acceptance/chain_key_spec.rb b/spec/acceptance/chain_key_spec.rb
@@ -34,3 +34,82 @@
     end
   end
 end
+
+describe 'managing non existent java chain keys in noop', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do
+  include_context 'common variables'
+
+  case fact('osfamily')
+    when "windows"
+      target = 'c:/noop_chain_key.ks'
+      temp_dir = 'C:/tmp/'
+    else
+      target = '/etc/noop_chain_key.ks'
+      temp_dir = '/tmp/'
+  end
+  it 'does not create a new keystore in noop' do
+    pp = <<-EOS
+      $filenames = ["#{temp_dir}noop_ca.pem",
+                    "#{temp_dir}noop_chain.pem",
+                    "#{temp_dir}noop_privkey.pem"]
+      file { $filenames:
+        ensure  => file,
+        content => 'content',
+      } ->
+      java_ks { 'broker.example.com:#{target}':
+        ensure       => latest,
+        certificate  => "#{temp_dir}noop_ca.pem",
+        chain        => "#{temp_dir}noop_chain.pem",
+        private_key  => "#{temp_dir}noop_privkey.pem",
+        password     => 'puppet',
+        path         => #{@resource_path},
+      }
+    EOS
+
+    # in noop mode, when the dependent certificate files are not present in the system,
+    # java_ks will not invoke openssl to validate their status, thus noop will succeed
+    apply_manifest(pp, :catch_failures => true, :noop => true)
+  end
+
+  # verifies the dependent files are missing
+  ["#{temp_dir}noop_ca.pem", "#{temp_dir}noop_chain.pem", "#{temp_dir}noop_privkey.pem"].each do |filename|
+    describe file("#{filename}") do
+      it { should_not be_file }
+    end
+  end
+
+  # verifies the keystore is not created
+  describe file("#{target}") do
+    it { should_not be_file }
+  end
+end
+
+describe 'managing existing java chain keys in noop', :unless => UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do
+  include_context 'common variables'
+
+  case fact('osfamily')
+    when "windows"
+      target = 'c:/noop2_chain_key.ks'
+    else
+      target = '/etc/noop2_chain_key.ks'
+  end
+  it 'does not create a new keystore in noop' do
+    pp = <<-EOS
+      java_ks { 'broker.example.com:#{target}':
+        ensure       => latest,
+        certificate  => "#{@temp_dir}ca.pem",
+        chain        => "#{@temp_dir}chain.pem",
+        private_key  => "#{@temp_dir}privkey.pem",
+        password     => 'puppet',
+        path         => #{@resource_path},
+      }
+    EOS
+
+    apply_manifest(pp, :catch_failures => true, :noop => true)
+  end
+
+  # in noop mode, when the dependent certificate files are present in the system,
+  # java_ks will invoke openssl to validate their status, but will not create the keystore
+  describe file("#{target}") do
+    it { should_not be_file }
+  end
+end
