diff --git a/spec/acceptance/certs_spec.rb b/spec/acceptance/certs_spec.rb
index 5c3ff365..fc6b4cfe 100644
--- a/spec/acceptance/certs_spec.rb
+++ b/spec/acceptance/certs_spec.rb
@@ -145,4 +145,109 @@ class { 'certs':
 its(:keylength) { should be >= 2048 }
 end
 end
+
+ context 'with tar file' do
+ context 'with default ca' do
+ before(:context) do
+ manifest = <<~PUPPET
+ class { 'certs':
+ server_cert => '/server.crt',
+ server_key => '/server.key',
+ server_ca_cert => '/server-ca.crt',
+ generate => true,
+ deploy => false,
+ }
+
+ class { 'certs::foreman_proxy_content':
+ foreman_proxy_fqdn => 'foreman-proxy.example.com',
+ certs_tar => '/root/foreman-proxy.example.com.tar.gz',
+ }
+ PUPPET
+
+ apply_manifest(manifest, catch_failures: true)
+
+ on default, 'rm -rf /root/ssl-build'
+ end
+
+ it_behaves_like 'an idempotent resource' do
+ let(:manifest) do
+ <<-PUPPET
+ class { 'certs':
+ tar_file => '/root/foreman-proxy.example.com.tar.gz',
+ }
+ PUPPET
+ end
+ end
+
+ describe 'default and server ca certs match' do
+ it { expect(file('/etc/pki/katello/certs/katello-default-ca.crt').content).to eq(file('/etc/pki/katello/certs/katello-server-ca.crt').content) }
+ end
+
+ describe x509_certificate('/etc/pki/katello/certs/katello-default-ca.crt') do
+ it { should be_certificate }
+ it { should be_valid }
+ it { should have_purpose 'SSL server CA' }
+ its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+ its(:keylength) { should be >= 4096 }
+ end
+ end
+
+ context 'with custom certificates' do
+ before(:context) do
+ manifest = <<~PUPPET
+ class { 'certs':
+ server_cert => '/server.crt',
+ server_key => '/server.key',
+ server_ca_cert => '/server-ca.crt',
+ generate => true,
+ deploy => false,
+ }
+
+ class { 'certs::foreman_proxy_content':
+ foreman_proxy_fqdn => 'foreman-proxy.example.com',
+ certs_tar => '/root/foreman-proxy.example.com.tar.gz',
+ }
+ PUPPET
+
+ apply_manifest(manifest, catch_failures: true)
+
+ on default, 'rm -rf /root/ssl-build'
+ end
+
+ it_behaves_like 'an idempotent resource' do
+ let(:manifest) do
+ <<-PUPPET
+ class { 'certs':
+ tar_file => '/root/foreman-proxy.example.com.tar.gz',
+ }
+ PUPPET
+ end
+ end
+
+ describe 'default and server ca certs match' do
+ it { expect(file('/etc/pki/katello/certs/katello-default-ca.crt').content).not_to eq(file('/etc/pki/katello/certs/katello-server-ca.crt').content) }
+ end
+
+ describe x509_certificate('/etc/pki/katello/certs/katello-default-ca.crt') do
+ it { should be_certificate }
+ it { should be_valid }
+ it { should have_purpose 'SSL server CA' }
+ its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+ its(:keylength) { should be >= 4096 }
+ end
+
+ describe x509_certificate('/etc/pki/katello/certs/katello-server-ca.crt') do
+ it { should be_certificate }
+ it { should be_valid }
+ it { should have_purpose 'SSL server CA' }
+ # These don't match since we only configure it with the intermediate
+ # and not the actual root
+ its(:issuer) { should match_without_whitespace(/CN = Fake LE Root X1/) }
+ its(:subject) { should match_without_whitespace(/CN = Fake LE Intermediate X1/) }
+ its(:keylength) { should be >= 2048 }
+ end
+ end
+ end
 end
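Review bot: The `before(:context)` manifests in 'with default ca' and 'with custom certificates' are identical (both pass `server_cert => '/server.crt'`, `server_key` and `server_ca_cert`), yet the first context expects katello-default-ca.crt to equal katello-server-ca.crt and the second expects them to differ. With the same inputs, both assertions can presumably only hold if the host carries different leftover state, so the first context does not reliably pin which CA lands in the server trust file after a tarball deploy. It likely should drop the three `server_*` parameters so the tarball is built from the generated default CA. In the second context the label still reads 'default and server ca certs match' while asserting `not_to eq`; `describe 'default and server ca certs differ' do` would keep failure output accurate. The tarball carries private key material, so it may also be worth asserting ownership and mode on the extracted key files, which this hunk does not check.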