X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=3rdparty%2Fmodules%2Fcertregen%2Fspec%2Facceptance%2Fworkflow_regen_after_expire_spec.rb;fp=3rdparty%2Fmodules%2Fcertregen%2Fspec%2Facceptance%2Fworkflow_regen_after_expire_spec.rb;h=3ae0a9e706fc5481c5637e38b246721c0618004a;hb=8c20cc97eaf30a0aaf9abfba2f33d5b5f9f06ae2;hp=0000000000000000000000000000000000000000;hpb=1f80b78f88d98160faf661374fc8e760252d131b;p=mirror%2Fdsa-puppet.git
diff --git a/3rdparty/modules/certregen/spec/acceptance/workflow_regen_after_expire_spec.rb b/3rdparty/modules/certregen/spec/acceptance/workflow_regen_after_expire_spec.rb
new file mode 100644
index 000000000..3ae0a9e70
--- /dev/null
+++ b/3rdparty/modules/certregen/spec/acceptance/workflow_regen_after_expire_spec.rb
@@ -0,0 +1,105 @@
+require 'spec_helper_acceptance'
+require 'json'
+
+# https://forge.puppet.com/puppetlabs/certregen#revive-a-ca-thats-already-expired
+describe "C99821 - workflow - regen CA after it expires" do
+ if find_install_type == 'pe' then
+ # This workflow only works with a master to manage the CA
+ # This workflow only works with a puppetdb instance to query hostnames from
+ context 'create CA to be expired and update agents' do
+ before(:all) do
+ ttl = 60
+ serial = get_ca_serial_id_on(master)
+ on(master, puppet("certregen ca --ca_serial #{serial} --ca_ttl #{ttl}s"))
+ start = Time.now
+ agents.each do |agent|
+ on(agent, puppet('agent -t'), :acceptable_exit_codes => [0,2])
+ end
+ finish = Time.now
+ elapsed_time = (finish - start).to_i
+ sleep (ttl - elapsed_time) if elapsed_time < ttl
+ sleep 1
+ end
+
+ it 'should warn that ca is expired' do
+ on(master, puppet("certregen healthcheck")) do |result|
+ expect(result.stdout).to match(/Status:\s+expired/)
+ end
+ end
+
+ context 'regenerate CA' do
+ before(:all) do
+ serial = get_ca_serial_id_on(master)
+ on(master, puppet("certregen ca --ca_serial #{serial}"))
+ end
+
+ it 'should update CA cert enddate' do
+ enddate = get_ca_enddate_time_on(master)
+ future = get_time_on(master, ['-d', "'5 years'"])
+ expect(future - enddate).to be <= (48*HOUR)
+ end
+
+ context 'automatically distribute new ca to linux hosts' do
+ before(:all) do
+ # distribute ssh key for root to agents
+ on(master, "ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P ''")
+ on(master, "cat $HOME/.ssh/id_rsa.pub") do |result|
+ key_array = result.stdout.split(' ')
+ fail_test('could not get ssh key from master') unless key_array.size > 1
+ @public_key = key_array[1]
+ end
+ agents.each do |agent|
+ unless agent['platform'] =~ /windows/
+ args = ['ensure=present',
+ "user='root'",
+ "type='rsa'",
+ "key='#{@public_key}'",
+ ]
+ on(agent, puppet_resource('ssh_authorized_key', master.hostname, args))
+ on(master, "ssh -o StrictHostKeyChecking=no #{agent.hostname} ls")
+ end
+ end
+ on(master, "/opt/puppetlabs/puppet/bin/gem install chloride")
+ result = on(master, puppet("certregen redistribute"))
+ @report = JSON.parse(result.stdout)
+ end
+
+ after(:all) do
+ on(master, "rm -f $HOME/.ssh/id_rsa $HOME/.ssh/id_rsa.pub", :acceptable_exit_codes => [0,1])
+ agents.each do |agent|
+ on(agent, puppet_resource('ssh_authorized_key', master.hostname, ['ensure=absent', "user='root'"]), :acceptable_exit_codes => [0,1])
+ end
+ end
+
+ it 'should emit a report in valid json' do
+ expect(@report).not_to be nil
+ end
+ it 'should emit a report with a succeeded key' do
+ expect(@report['succeeded']).not_to be nil
+ end
+ it 'should emit a report with a failed key' do
+ expect(@report['failed']).not_to be nil
+ end
+ it 'should report success on all linux agents' do
+ agents.each do |agent|
+ if agent['platform'] =~ /debian|ubuntu|cumulus|huaweios|el-|centos|fedora|redhat|oracle|scientific|eos|archlinux|sles/
+ expect(@report['succeeded']).to include agent.hostname
+ end
+ end
+ end
+ it 'should update CA cert on all linux agents' do
+ master_enddate = get_ca_enddate_time_on(master)
+ agents.each do |agent|
+ if agent['platform'] =~ /debian|ubuntu|cumulus|huaweios|el-|centos|fedora|redhat|oracle|scientific|eos|archlinux|sles/
+ on(agent, puppet('agent -t'), :acceptable_exit_codes => [0,2])
+ enddate = get_ca_enddate_time_on(agent)
+ expect(enddate).to eq master_enddate
+ end
+ end
+ end
+ end
+
+ end
+ end
+ end
+end
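Review bot: The teardown in `after(:all)` runs `rm -f $HOME/.ssh/id_rsa $HOME/.ssh/id_rsa.pub` unconditionally, while the `ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P ''` in the matching `before(:all)` writes to root's default key path; if the master already holds a key there, the generation step fails on the overwrite prompt, the hook aborts, and the teardown then deletes the pre-existing operator key. Guard the removal on this run having created the key, e.g. set `@generated_key = true` right after the `ssh-keygen` call and make the `rm` line `... if @generated_key`, or generate into a test-specific file and pass it to the ssh invocations with `-i`. Relatedly, `ssh -o StrictHostKeyChecking=no #{agent.hostname} ls` leaves a host-key entry per agent in root's known_hosts that the teardown never removes; if the intent is to seed known_hosts for the later `certregen redistribute`, add `on(master, "ssh-keygen -R #{agent.hostname}", :acceptable_exit_codes => [0,1])` to the agent loop in `after(:all)`. The `unless agent['platform'] =~ /windows/` filter also installs the root authorized key on every non-Windows agent, whereas the assertions below only cover the Linux platform regex, so any other platform in the host set gets root login access from the master without being exercised by a test.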