--- /dev/null
+require 'spec_helper_acceptance'
+require 'yaml'
+require 'json'
+
+describe "puppet certregen healthcheck" do
+ if hosts_with_role(hosts, 'master').length>0 then
+
+ context 'C99803 - cert with more than 10 percent of life' do
+ before(:all) do
+ serial = get_ca_serial_id_on(master)
+ on(master, "puppet certregen ca --ca_serial #{serial}")
+ end
+ it 'should not produce a health warning' do
+ on(master, "puppet certregen healthcheck") do |result|
+ expect(result.stderr).to be_empty
+ expect(result.stdout).to match(/No certificates are approaching expiration/)
+ end
+ end
+ end
+
+ context 'C99804 - cert with less than 10 percent of life' do
+ before(:all) do
+ serial = get_ca_serial_id_on(master)
+ # patch puppet to defeat copywrite date check when generating historical CA
+ patch_puppet_date_check_on(master)
+ @today = get_time_on(master)
+ # set back the clock in order to create a CA that will be approaching its EOL
+ past = @today - (5*YEAR - 20*DAY)
+ on(master, "date #{past.strftime('%m%d%H%M%Y')}")
+ # create old CA
+ on(master, "puppet certregen ca --ca_serial #{serial}")
+ # update to current time
+ on(master, "date #{@today.strftime('%m%d%H%M%Y')}")
+ # revert patch to defeat copywrite date check
+ patch_puppet_date_check_on(master, 'reverse')
+ end
+
+ it 'system should have current date' do
+ today = get_time_on(master)
+ expect(today.utc.strftime('%Y-%m-%d')).to eq @today.utc.strftime('%Y-%m-%d')
+ end
+
+ it 'should warn about pending expiration' do
+ enddate = get_ca_enddate_time_on(master)
+ on(master, "puppet certregen healthcheck") do |result|
+ expect(result.stdout).to match(/Status:\s+expiring/)
+ expect(result.stdout).to match(/Expiration date:\s+#{enddate.utc.strftime('%Y-%m-%d')}/)
+ end
+ end
+
+ end
+
+ context 'C99805 - expired cert' do
+ before(:all) do
+ serial = get_ca_serial_id_on(master)
+ on(master, "puppet certregen ca --ca_serial #{serial} --ca_ttl 1s")
+ sleep 2
+ end
+ it 'should produce a health warning' do
+ on(master, "puppet certregen healthcheck") do |result|
+ expect(result.stdout.gsub("\n", " ")).to match(/ca.*Status: expired/)
+ end
+ end
+ end
+
+ context '--all flag' do
+
+ context 'C99806 --all' do
+ before(:all) do
+ on(master, puppet("cert list --all")) do |result|
+ @certs = result.stdout.scan(/\) ([A-F0-9:]+) /)
+ end
+ @result = on(master, "puppet certregen healthcheck --all")
+ end
+ it 'should contain expiration data for ca cert' do
+ expect(@result.stdout).to match(/"ca".*\n\s*Status:\s*[Ee]xpir/)
+ end
+ it 'should contain expiration data for all node certs' do
+ @certs.each do |cert|
+ expect(@result.stdout).to include cert[0]
+ end
+ end
+ end
+
+ context '--render-as flag' do
+
+ context 'C99808 - --render-as yaml' do
+ before(:all) do
+ on(master, puppet("cert list --all")) do |result|
+ @certs = result.stdout.scan(/\) ([A-F0-9:]+) /)
+ end
+ @result = on(master, "puppet certregen healthcheck --all --render-as yaml")
+ @yaml = YAML.load(@result.stdout)
+ end
+ it 'should return valid yaml' do
+ expect(YAML.parse(@result.stdout)).to be_instance_of(Psych::Nodes::Document)
+ end
+ it 'should contain expiration data for ca cert' do
+ ca = @yaml.find { |record| record[:name] == 'ca' }
+ expect(ca).not_to be nil
+ expect(ca[:expiry][:status]).to eq(:expired)
+ end
+ it 'should contain expiration data for all node certs' do
+ @certs.each do |cert|
+ expect(@yaml.find { |record| record[:digest] =~ /#{cert[0]}/ }).not_to be nil
+ end
+ end
+ end
+
+ context 'C99809 - --render-as json prints valid json containing expiration data' do
+ before(:all) do
+ on(master, puppet("cert list --all")) do |result|
+ @certs = result.stdout.scan(/\) ([A-F0-9:]+) /)
+ end
+ @json = JSON.parse(on(master, "puppet certregen healthcheck --all --render-as json").stdout)
+ end
+ it 'should return valid json' do
+ expect(@json).not_to be nil
+ end
+ it 'should contain expiration data for ca cert' do
+ ca = @json.find { |record| record['name'] == 'ca' }
+ expect(ca).not_to be nil
+ end
+ it 'should contain expiration data for all node certs' do
+ @certs.each do |cert|
+ expect(@json.find { |record| record['digest'] =~ /#{cert[0]}/ }).not_to be nil
+ end
+ end
+ end
+
+ end
+ end
+
+ end
+end