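require 'spec_helper_acceptance'

# Acceptance test for the "refresh a CA that's expiring soon" workflow:
# https://forge.puppet.com/puppetlabs/certregen#refresh-a-ca-thats-expiring-soon
#
# NOTE(review): the listing this was recovered from carried gutter numbers and
# had dropped its blank lines, the `end` keywords and the hook lines that open
# each setup section (gaps at gutter lines 8, 40, 46 and 58). `before(:all)` is
# reconstructed from those gaps and from @today being read inside an example;
# confirm the exact hook spelling against the upstream file.
describe "C99818 - workflow - regen CA before it expires" do
  # This workflow only works with a master to manage the CA
  if hosts_with_role(hosts, 'master').length > 0
    context 'setting CA to expire soon' do
      before(:all) do
        # Serial of the CA currently installed on the master; it is passed back
        # to `certregen ca` through --ca_serial below.
        serial = get_ca_serial_id_on(master)

        # Patch puppet to defeat the copyright date check when generating a
        # historical CA. Reverted in the 'restoring previously patched puppet'
        # context.
        patch_puppet_date_check_on(master)

        # Determine the current time on the master so the clock can be restored.
        @today = get_time_on(master)

        # Set back the clock in order to create a CA that will be approaching
        # its EOL. YEAR and DAY are not defined in this file.
        # NOTE(review): presumably the CA lifetime is five years, which would
        # leave about 20 days of validity; confirm against the helper constants.
        past = @today - (5*YEAR - 20*DAY)
        begin
          on(master, "date #{past.strftime('%m%d%H%M%Y')}")
          on(master, puppet(" certregen ca --ca_serial #{serial}"))
        ensure
          # Always put the clock back, even when the regeneration fails: a CA
          # host left years in the past would stamp wrong validity windows on
          # every certificate issued by the rest of the run. The format string
          # has minute precision, so seconds are not restored.
          on(master, "date #{@today.strftime('%m%d%H%M%Y')}")
        end
      end

      it 'should have current date' do
        # Compared by calendar date only (UTC).
        today = get_time_on(master)
        expect(today.utc.strftime('%Y-%m-%d')).to eq @today.utc.strftime('%Y-%m-%d')
      end

      it 'should warn about pending expiration' do
        enddate = get_ca_enddate_time_on(master)
        on(master, puppet("certregen healthcheck")) do |result|
          expect(result.stdout).to match(/Status:\s+expiring/)
          expect(result.stdout).to match(/Expiration date:\s+#{enddate.utc.strftime('%Y-%m-%d')}/)
        end
      end
    end

    context 'restoring previously patched puppet' do
      before(:all) do
        # Revert the patch that defeats the copyright date check, so the
        # remaining contexts run against unmodified puppet code.
        patch_puppet_date_check_on(master, 'reverse')
      end
    end

    context 'regenerating CA prior to expiration' do
      before(:all) do
        # Re-read the serial: the CA on the master was regenerated by the
        # first context.
        serial = get_ca_serial_id_on(master)
        on(master, puppet("certregen ca --ca_serial #{serial}"))
      end

      it 'should update CA cert enddate' do
        enddate = get_ca_enddate_time_on(master)
        future = get_time_on(master, ['-d', "'5 years'"])
        # NOTE(review): only an upper bound is asserted. An end date later than
        # "now + 5 years" makes the difference negative and still passes, so an
        # over-long CA lifetime would go unnoticed; consider asserting the
        # absolute difference.
        expect(future - enddate).to be <= (48*HOUR)
      end
    end

    context 'distribute new ca to linux hosts that have been classified with `certregen::client`' do
      before(:all) do
        create_remote_file(master, '/etc/puppetlabs/code/environments/production/manifests/ca.pp', 'include certregen::client')
        # NOTE(review): 755 sets the execute bit on a manifest, which only
        # needs to be readable; 644 would grant less. Confirm nothing relies
        # on the current mode before tightening it.
        on(master, 'chmod 755 /etc/puppetlabs/code/environments/production/manifests/ca.pp')
        # Exit code 2 from `puppet agent -t` means changes were applied.
        on(master, puppet('agent -t'), :acceptable_exit_codes => [0,2])
      end

      it 'should update CA cert on all linux agents' do
        master_enddate = get_ca_enddate_time_on(master)
        agents.each do |agent|
          on(agent, puppet('agent -t'), :acceptable_exit_codes => [0,2])
          # Each agent's CA certificate must carry the same end date as the
          # master's.
          enddate = get_ca_enddate_time_on(agent)
          expect(enddate).to eq master_enddate
        end
      end
    end
  end
end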