theforeman · ehelms · Oct 27, 2022 · Sep 2, 2022 · Oct 27, 2022 · Oct 27, 2022
diff --git a/lib/puppet/functions/katello/build_dn.rb b/lib/puppet/functions/katello/build_dn.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'yaml'
+# @summary
+#   Convert an array of attribute pairs to a DN string, ignoring empty values
+#
+# @example Pass a set of
+#   $client_dn = katello::build_dn([['CN', 'foo.example.com'], ['O', 'my_org']])
+Puppet::Functions.create_function(:'katello::build_dn') do
+  # @param options
+  dispatch :build_dn do
+    param 'Array[Tuple[String[1], Optional[String[1]]]]', :options
+    return_type 'String'
+  end
+
+  def build_dn(options)
+    options.select { |_key, value| value }.map { |key, value| "#{key}=#{value}" }.join(', ')
+  end
+end
diff --git a/manifests/application.pp b/manifests/application.pp
@@ -13,7 +13,6 @@
   include foreman
   include certs
   include certs::apache
-  include certs::candlepin
   include certs::foreman
   include katello::params
 
@@ -32,11 +31,14 @@
   $candlepin_oauth_key = $katello::params::candlepin_oauth_key
   $candlepin_oauth_secret = $katello::params::candlepin_oauth_secret
   $candlepin_ca_cert = $certs::ca_cert
-  $candlepin_events_ssl_cert = $certs::candlepin::client_cert
-  $candlepin_events_ssl_key = $certs::candlepin::client_key
+  $candlepin_events_ssl_cert = $certs::foreman::client_cert
+  $candlepin_events_ssl_key = $certs::foreman::client_key
   $postgresql_evr_package = $katello::params::postgresql_evr_package
   $manage_db = $foreman::db_manage
 
+  # Used in Candlepin
+  $artemis_client_dn = katello::build_dn([['CN', $certs::foreman::hostname], ['OU', $certs::foreman::org_unit], ['O', $certs::foreman::org], ['ST', $certs::foreman::state], ['C', $certs::foreman::country]])
+
   # Katello database seeding needs candlepin
   Anchor <| title == 'katello::repo' or title ==  'katello::candlepin' |> ->
   foreman::plugin { 'katello':

diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp
@@ -19,6 +19,9 @@
 #   The CA certificate to verify the SSL connection to the database with
 # @param manage_db
 #   Whether to manage the database. Set this to false when using a remote database
+# @param artemis_client_dn
+#   The Distinguished Name of the client certificate that's allowed to access
+#   Artemis. It should still be signed by the correct Certificate Authority.
 class katello::candlepin (
   Stdlib::Host $db_host = 'localhost',
   Optional[Stdlib::Port] $db_port = undef,
@@ -29,6 +32,7 @@
   Boolean $db_ssl_verify = true,
   Optional[Stdlib::Absolutepath] $db_ssl_ca = undef,
   Boolean $manage_db = true,
+  Variant[Undef, Deferred, String[1]] $artemis_client_dn = undef,
 ) {
   include certs
   include katello::params
@@ -50,7 +54,7 @@
     keystore_password            => $certs::candlepin::keystore_password,
     truststore_file              => $certs::candlepin::truststore,
     truststore_password          => $certs::candlepin::truststore_password,
-    artemis_client_dn            => $certs::candlepin::artemis_client_dn,
+    artemis_client_dn            => $artemis_client_dn,
     java_home                    => '/usr/lib/jvm/jre-11',
     java_package                 => 'java-11-openjdk',
     enable_basic_auth            => false,

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -70,23 +70,24 @@
     qpid_hostname          => $qpid_hostname,
   }
 
-  class { 'katello::candlepin':
-    db_host       => $candlepin_db_host,
-    db_port       => $candlepin_db_port,
-    db_name       => $candlepin_db_name,
-    db_user       => $candlepin_db_user,
-    db_password   => $candlepin_db_password,
-    db_ssl        => $candlepin_db_ssl,
-    db_ssl_verify => $candlepin_db_ssl_verify,
-    db_ssl_ca     => $candlepin_db_ssl_ca,
-    manage_db     => $candlepin_manage_db,
-  }
-
   class { 'katello::application':
     rest_client_timeout => $rest_client_timeout,
     hosts_queue_workers => $hosts_queue_workers,
   }
 
+  class { 'katello::candlepin':
+    db_host           => $candlepin_db_host,
+    db_port           => $candlepin_db_port,
+    db_name           => $candlepin_db_name,
+    db_user           => $candlepin_db_user,
+    db_password       => $candlepin_db_password,
+    db_ssl            => $candlepin_db_ssl,
+    db_ssl_verify     => $candlepin_db_ssl_verify,
+    db_ssl_ca         => $candlepin_db_ssl_ca,
+    manage_db         => $candlepin_manage_db,
+    artemis_client_dn => $katello::application::artemis_client_dn,
+  }
+
   class { 'katello::qpid':
     interface        => $qpid_interface,
     wcache_page_size => $qpid_wcache_page_size,

diff --git a/spec/acceptance/candlepin_spec.rb b/spec/acceptance/candlepin_spec.rb
@@ -19,4 +19,12 @@
   describe command('curl -k -s -o /dev/null -w \'%{http_code}\' https://localhost:23443/candlepin/status') do
     its(:stdout) { should eq "200" }
   end
+
+  describe file("/usr/share/tomcat/conf/cert-users.properties") do
+    it { should be_file }
+    it { should be_mode 640 }
+    it { should be_owned_by 'tomcat' }
+    it { should be_grouped_into 'tomcat' }
+    its(:content) { should eq("katelloUser=CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ\n") }
+  end
 end
diff --git a/spec/acceptance/katello_spec.rb b/spec/acceptance/katello_spec.rb
@@ -40,4 +40,8 @@
   describe command('hammer --version') do
     its(:stdout) { is_expected.to match(/^hammer/) }
   end
+
+  describe file("/usr/share/tomcat/conf/cert-users.properties") do
+    its(:content) { should eq("katelloUser=CN=#{fact('fqdn')}, OU=PUPPET, O=FOREMAN, ST=North Carolina, C=US\n") }
+  end
 end
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -6,7 +6,7 @@
       let(:facts) { facts }
 
       it { is_expected.to compile.with_all_deps }
-      it { is_expected.to contain_class('katello::candlepin') }
+      it { is_expected.to contain_class('katello::candlepin').with_artemis_client_dn('CN=foo.example.com, OU=PUPPET, O=FOREMAN, ST=North Carolina, C=US') }
       it { is_expected.to contain_class('katello::application') }
       it { is_expected.to contain_class('katello::qpid') }
       it { is_expected.to contain_package('rubygem-katello').that_requires('Class[candlepin]') }

diff --git a/spec/functions/katello_build_dn_spec.rb b/spec/functions/katello_build_dn_spec.rb
@@ -0,0 +1,15 @@
+require 'spec_helper'
+
+describe 'katello::build_dn' do
+  it 'should exist' do
+    is_expected.not_to eq(nil)
+  end
+
+  it 'should compute dn' do
+    is_expected.to run.with_params([['a', '1'], ['b', '2']]).and_return("a=1, b=2")
+  end
+
+  it 'should compute dn and ignore empty values' do
+    is_expected.to run.with_params([['a', nil], ['b', '2']]).and_return("b=2")
+  end
+end