Add puppetlabs/certregen module
[mirror/dsa-puppet.git] / 3rdparty / modules / certregen / spec / acceptance / workflow_regen_before_expire_spec.rb
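require 'spec_helper_acceptance'

# Acceptance test for the "refresh a CA that's expiring soon" workflow:
# https://forge.puppet.com/puppetlabs/certregen#refresh-a-ca-thats-expiring-soon
#
# The setup temporarily patches puppet on the master and moves the master's
# system clock into the past, so this spec belongs on throwaway test hosts.
describe "C99818 - workflow - regen CA before it expires" do
  # This workflow only works with a master to manage the CA
  unless hosts_with_role(hosts, 'master').empty?
    context 'setting CA to expire soon' do
      before(:all) do
        serial = get_ca_serial_id_on(master)

        # patch puppet to defeat copyright date check when generating historical CA
        # NOTE(review): the patch is only reverted by the nested context further
        # down; if this hook raises first, the master may stay patched - confirm
        # the harness discards the host in that case.
        patch_puppet_date_check_on(master)

        # determine current time on master
        @today = get_time_on(master)

        # set back the clock in order to create a CA that will be approaching its EOL
        past = @today - (5*YEAR - 20*DAY)
        begin
          on(master, "date #{past.strftime('%m%d%H%M%Y')}")
          # create old CA
          on(master, puppet(" certregen ca --ca_serial #{serial}"))
        ensure
          # Always put the clock back, even when CA generation fails: a master
          # left years in the past would make every later certificate validity
          # check on it meaningless. The clock returns to the captured @today,
          # not to the true current time, so the seconds spent above are lost.
          on(master, "date #{@today.strftime('%m%d%H%M%Y')}")
        end
      end

      it 'should have current date' do
        today = get_time_on(master)
        expect(today.utc.strftime('%Y-%m-%d')).to eq @today.utc.strftime('%Y-%m-%d')
      end

      it 'should warn about pending expiration' do
        enddate = get_ca_enddate_time_on(master)
        on(master, puppet("certregen healthcheck")) do |result|
          expect(result.stdout).to match(/Status:\s+expiring/)
          expect(result.stdout).to match(/Expiration date:\s+#{enddate.utc.strftime('%Y-%m-%d')}/)
        end
      end

      context 'restoring previously patched puppet' do
        before(:all) do
          # revert patch to defeat copyright date check
          patch_puppet_date_check_on(master, 'reverse')
        end

        context 'regenerating CA prior to expiration' do
          before(:all) do
            serial = get_ca_serial_id_on(master)
            on(master, puppet("certregen ca --ca_serial #{serial}"))
          end

          # validate time stamp
          it 'should update CA cert enddate' do
            enddate = get_ca_enddate_time_on(master)
            future = get_time_on(master, ['-d', "'5 years'"])
            # One-sided bound: the new end date may trail "now + 5 years" by at
            # most 48 hours. An end date later than `future` also passes.
            expect(future - enddate).to be <= (48*HOUR)
          end

          context 'distribute new ca to linux hosts that have been classified with `certregen::client`' do
            before(:all) do
              create_remote_file(master, '/etc/puppetlabs/code/environments/production/manifests/ca.pp', 'include certregen::client')
              # NOTE(review): a manifest only needs to be readable; 644 would
              # presumably be enough here - confirm before tightening.
              on(master, 'chmod 755 /etc/puppetlabs/code/environments/production/manifests/ca.pp')
              # `puppet agent -t` reports 2 when changes were applied, so both
              # 0 and 2 count as a successful run.
              on(master, puppet('agent -t'), :acceptable_exit_codes => [0, 2])
            end

            it 'should update CA cert on all linux agents' do
              master_enddate = get_ca_enddate_time_on(master)
              agents.each do |agent|
                on(agent, puppet('agent -t'), :acceptable_exit_codes => [0, 2])
                enddate = get_ca_enddate_time_on(agent)
                expect(enddate).to eq master_enddate
              end
            end
          end
        end
      end
    end
  end
end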