Add puppetlabs/certregen module
[mirror/dsa-puppet.git] / 3rdparty / modules / certregen / spec / acceptance / workflow_regen_after_expire_spec.rb
1 require 'spec_helper_acceptance'
2 require 'json'
3
4 # https://forge.puppet.com/puppetlabs/certregen#revive-a-ca-thats-already-expired
# Acceptance workflow: let the CA certificate expire, confirm that the
# healthcheck reports it, regenerate the CA, then redistribute the new CA
# certificate to the agents over SSH.
describe "C99821 - workflow - regen CA after it expires" do
  if find_install_type == 'pe'
    # PE only: the workflow needs a master that manages the CA and a puppetdb
    # instance from which agent hostnames can be queried.
    context 'create CA to be expired and update agents' do
      before(:all) do
        # Reissue the CA with a very short lifetime so it expires during the run.
        ca_ttl_seconds = 60
        ca_serial = get_ca_serial_id_on(master)
        on(master, puppet("certregen ca --ca_serial #{ca_serial} --ca_ttl #{ca_ttl_seconds}s"))

        # Run every agent once (presumably so each one holds the short-lived CA
        # before it expires); exit code 2 is accepted as well as 0.
        started_at = Time.now
        agents.each { |agent| on(agent, puppet('agent -t'), acceptable_exit_codes: [0, 2]) }

        # Wait out whatever is left of the TTL, then one more second of margin.
        remaining = ca_ttl_seconds - (Time.now - started_at).to_i
        sleep(remaining) if remaining > 0
        sleep 1
      end

      it 'should warn that ca is expired' do
        on(master, puppet("certregen healthcheck")) do |healthcheck|
          expect(healthcheck.stdout).to match(/Status:\s+expired/)
        end
      end

      context 'regenerate CA' do
        before(:all) do
          # No --ca_ttl here, so the CA is reissued with the tool's default lifetime.
          ca_serial = get_ca_serial_id_on(master)
          on(master, puppet("certregen ca --ca_serial #{ca_serial}"))
        end

        it 'should update CA cert enddate' do
          ca_enddate = get_ca_enddate_time_on(master)
          five_years_out = get_time_on(master, ['-d', "'5 years'"])
          # HOUR is defined outside this file.
          # NOTE(review): only the upper bound is checked; an end date later
          # than five years out gives a negative difference and also passes.
          expect(five_years_out - ca_enddate).to be <= (48 * HOUR)
        end

        context 'automatically distribute new ca to linux hosts' do
          # Platforms on which the redistribute results are asserted below.
          linux_platforms = /debian|ubuntu|cumulus|huaweios|el-|centos|fedora|redhat|oracle|scientific|eos|archlinux|sles/

          before(:all) do
            # Create a root SSH key pair on the master and authorize it on the agents.
            # The private key has an empty passphrase, so anyone who can read it
            # gets root on every agent that trusts it; it is deleted again in
            # after(:all). Only appropriate on disposable test hosts.
            on(master, "ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P ''")
            on(master, "cat $HOME/.ssh/id_rsa.pub") do |pubkey_output|
              fields = pubkey_output.stdout.split(' ')
              fail_test('could not get ssh key from master') if fields.size <= 1
              # Second whitespace-separated field of the .pub file is the key material.
              @public_key = fields[1]
            end

            agents.each do |agent|
              next if agent['platform'] =~ /windows/

              key_attributes = [
                'ensure=present',
                "user='root'",
                "type='rsa'",
                "key='#{@public_key}'",
              ]
              on(agent, puppet_resource('ssh_authorized_key', master.hostname, key_attributes))
              # StrictHostKeyChecking=no accepts the agent's host key without
              # verifying it, so this first connection is not protected against
              # an impersonated host. Tolerable on an isolated test network only.
              on(master, "ssh -o StrictHostKeyChecking=no #{agent.hostname} ls")
            end

            # NOTE(review): the gem is installed without a version constraint, so
            # each run takes whatever release the configured gem source serves.
            # Pinning a reviewed version would make the run reproducible.
            on(master, "/opt/puppetlabs/puppet/bin/gem install chloride")
            redistribute = on(master, puppet("certregen redistribute"))
            # JSON.parse raises on malformed output, which fails this hook.
            @report = JSON.parse(redistribute.stdout)
          end

          after(:all) do
            # Remove the test key pair from the master and revoke it on the agents.
            # Exit code 1 is tolerated so a partial setup does not fail the teardown.
            # NOTE(review): the chloride gem and any known_hosts entries written
            # by the ssh calls above are not cleaned up here.
            on(master, "rm -f $HOME/.ssh/id_rsa $HOME/.ssh/id_rsa.pub", acceptable_exit_codes: [0, 1])
            agents.each do |agent|
              revoke_key = puppet_resource('ssh_authorized_key', master.hostname, ['ensure=absent', "user='root'"])
              on(agent, revoke_key, acceptable_exit_codes: [0, 1])
            end
          end

          it 'should emit a report in valid json' do
            expect(@report).not_to be nil
          end

          it 'should emit a report with a succeeded key' do
            expect(@report['succeeded']).not_to be nil
          end

          it 'should emit a report with a failed key' do
            expect(@report['failed']).not_to be nil
          end

          it 'should report success on all linux agents' do
            agents.each do |agent|
              next unless agent['platform'] =~ linux_platforms

              expect(@report['succeeded']).to include agent.hostname
            end
          end

          it 'should update CA cert on all linux agents' do
            master_enddate = get_ca_enddate_time_on(master)
            agents.each do |agent|
              next unless agent['platform'] =~ linux_platforms

              on(agent, puppet('agent -t'), acceptable_exit_codes: [0, 2])
              # The agent's copy of the CA cert must expire when the master's does.
              agent_enddate = get_ca_enddate_time_on(agent)
              expect(agent_enddate).to eq master_enddate
            end
          end
        end
      end
    end
  end
end