1 require 'spec_helper_acceptance'
4 # https://forge.puppet.com/puppetlabs/certregen#revive-a-ca-thats-already-expired
# Acceptance scenario C99821: let the CA expire, then regenerate and redistribute it.
# NOTE(review): this listing is an excerpt; the line numbers skip, so some statements
# (for example where `ttl`, `start` and `finish` are assigned) are not visible here.
5 describe "C99821 - workflow - regen CA after it expires" do
6 if find_install_type == 'pe' then
7 # This workflow only works with a master to manage the CA
8 # This workflow only works with a puppetdb instance to query hostnames from
9 context 'create CA to be expired and update agents' do
# Re-issue the CA, passing the serial read from the master and a lifetime of `ttl` seconds.
12 serial = get_ca_serial_id_on(master)
13 on(master, puppet("certregen ca --ca_serial #{serial} --ca_ttl #{ttl}s"))
# Run every agent once; exit codes 0 and 2 are both accepted.
15 agents.each do |agent|
16 on(agent, puppet('agent -t'), :acceptable_exit_codes => [0,2])
# Sleep for whatever remains of the TTL; presumably this guarantees the short-lived CA
# has expired before the examples that follow run.
19 elapsed_time = (finish - start).to_i
20 sleep (ttl - elapsed_time) if elapsed_time < ttl
# The healthcheck output on the master must contain a "Status: expired" line.
24 it 'should warn that ca is expired' do
25 on(master, puppet("certregen healthcheck")) do |result|
26 expect(result.stdout).to match(/Status:\s+expired/)
# Regenerate the CA again, this time without --ca_ttl.
# NOTE(review): presumably the tool's default lifetime then applies; the example that
# follows compares the new end date with "5 years" from now.
30 context 'regenerate CA' do
32 serial = get_ca_serial_id_on(master)
33 on(master, puppet("certregen ca --ca_serial #{serial}"))
# Compare the regenerated CA's end date with the master's clock plus five years.
# NOTE(review): only an upper bound on `future - enddate` is asserted. Assuming both are
# Time values, an end date later than `future` gives a negative difference and passes
# too, so an over-long validity period would not be caught here. Confirm that is intended.
36 it 'should update CA cert enddate' do
37 enddate = get_ca_enddate_time_on(master)
38 future = get_time_on(master, ['-d', "'5 years'"])
39 expect(future - enddate).to be <= (48*HOUR)
# Setup and teardown for the redistribute examples: give the master key-based SSH access
# to the non-Windows agents, run `certregen redistribute`, then remove the access again.
# NOTE(review): the enclosing hook lines are elided in this excerpt.
42 context 'automatically distribute new ca to linux hosts' do
44 # distribute ssh key for root to agents
# Creates an RSA key pair with an empty passphrase (-P '') at the default identity path.
# NOTE(review): a passphrase-less key is tolerable only because these are test hosts.
# The teardown below deletes the same path unconditionally, so this assumes no
# pre-existing key lives there.
45 on(master, "ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P ''")
# Split the public key file on spaces and keep the second field as the key material;
# fail the test if fewer than two fields are present.
46 on(master, "cat $HOME/.ssh/id_rsa.pub") do |result|
47 key_array = result.stdout.split(' ')
48 fail_test('could not get ssh key from master') unless key_array.size > 1
49 @public_key = key_array[1]
# Authorize that key on every agent whose platform does not match /windows/, using an
# ssh_authorized_key resource named after the master's hostname (some args are elided here).
51 agents.each do |agent|
52 unless agent['platform'] =~ /windows/
53 args = ['ensure=present',
56 "key='#{@public_key}'",
58 on(agent, puppet_resource('ssh_authorized_key', master.hostname, args))
# Confirms key login works by running `ls` over SSH.
# NOTE(review): StrictHostKeyChecking=no accepts the agent's host key without verifying
# it; this is a test-only shortcut, not a setting to carry into real deployments.
59 on(master, "ssh -o StrictHostKeyChecking=no #{agent.hostname} ls")
# Installs the chloride gem into Puppet's bundled Ruby.
# NOTE(review): no version is pinned, so the run installs whatever the configured gem
# source serves at that moment; pinning would make the test reproducible.
62 on(master, "/opt/puppetlabs/puppet/bin/gem install chloride")
# Parse the redistribute output as JSON; JSON.parse raises here if it is not valid JSON.
63 result = on(master, puppet("certregen redistribute"))
64 @report = JSON.parse(result.stdout)
# Teardown: delete the key pair on the master and the authorized key on every agent.
# Exit codes 0 and 1 are both accepted, so a failed cleanup does not fail the run.
# NOTE(review): for the same reason, a leftover authorized key would go unnoticed.
68 on(master, "rm -f $HOME/.ssh/id_rsa $HOME/.ssh/id_rsa.pub", :acceptable_exit_codes => [0,1])
69 agents.each do |agent|
70 on(agent, puppet_resource('ssh_authorized_key', master.hostname, ['ensure=absent', "user='root'"]), :acceptable_exit_codes => [0,1])
# Shape checks on the parsed redistribute report: the report itself and its
# 'succeeded' and 'failed' keys must all be non-nil. The contents are not inspected here.
74 it 'should emit a report in valid json' do
75 expect(@report).not_to be nil
77 it 'should emit a report with a succeeded key' do
78 expect(@report['succeeded']).not_to be nil
80 it 'should emit a report with a failed key' do
81 expect(@report['failed']).not_to be nil
# Every agent whose platform matches the list below must appear under 'succeeded'.
# NOTE(review): agents outside this list are not checked, although the setup authorizes
# the SSH key on every non-Windows agent; the two filters are not the same set.
83 it 'should report success on all linux agents' do
84 agents.each do |agent|
85 if agent['platform'] =~ /debian|ubuntu|cumulus|huaweios|el-|centos|fedora|redhat|oracle|scientific|eos|archlinux|sles/
86 expect(@report['succeeded']).to include agent.hostname
# For each agent on a listed platform: run the agent (exit codes 0 and 2 accepted),
# then require that its CA end date equals the master's.
# Only the end date is compared; no other certificate field is checked here.
90 it 'should update CA cert on all linux agents' do
91 master_enddate = get_ca_enddate_time_on(master)
92 agents.each do |agent|
93 if agent['platform'] =~ /debian|ubuntu|cumulus|huaweios|el-|centos|fedora|redhat|oracle|scientific|eos|archlinux|sles/
94 on(agent, puppet('agent -t'), :acceptable_exit_codes => [0,2])
95 enddate = get_ca_enddate_time_on(agent)
96 expect(enddate).to eq master_enddate