beaker-pe 2.0.2 → 2.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4669811fd96282e6cbb309d4d65eb083e25e5222
-  data.tar.gz: f28009cebec926e2ade3db68ce801ab958208718
+  metadata.gz: 472cb8527da6bbb6256c8342fff325b91dfe0d62
+  data.tar.gz: 75b005236142feec1df7954cac688d4d4f9f613c
 SHA512:
-  metadata.gz: d96ae7fc50c9a581781519459735ed8923a843b110f1ad0d9827c8e46b617c333287ad7353dbb915ebf7c12bb4f5d351e73cd8ed21d583b6097db1b8e6e47e88
-  data.tar.gz: 25a4f33451f1faa88aa410c209980ffa607c77f5fba71df18b504b0acc8b3b42be8f83221fae6f7eca17b44f95395fb965bcc2a79c9c5b01569b68d152e73be6
+  metadata.gz: 24d74792e19f75a3d33f30de4644878dcc742a00b872775c8e30965a891e86641a89fff1a106cdf0a6b8fd9260dfb886890c013ac908f55e609d709419d5e554
+  data.tar.gz: 05daf324e0665af413f85c35dbefc81e2cc1e310bfb734328f93adb02ba4298993f4c41843a299e41200f36040efa8b9dd6e6c1d82319c99110337b79ca73a8b

data/Gemfile

@@ -17,9 +17,7 @@ group :acceptance_testing do
   gem "beaker-vmpooler", *location_for(ENV['BEAKER_VMPOOLER_VERSION'] || '~> 1.3')
 end
 
-if ENV['GEM_SOURCE'] =~ /artifactory\.delivery\.puppetlabs\.net/
-  gem "scooter", *location_for(ENV['SCOOTER_VERSION'] || '~> 3.0')
-end
+gem "scooter", *location_for(ENV['SCOOTER_VERSION'] || '~> 4.3')
 
 gem 'deep_merge'
 

data/lib/beaker-pe.rb

@@ -5,6 +5,7 @@ require 'stringify-hash'
 require 'beaker-pe/version'
 require 'beaker-pe/install/pe_defaults'
 require 'beaker-pe/install/pe_utils'
+require 'beaker-pe/install/ca_utils'
 require 'beaker-pe/options/pe_version_scraper'
 require 'beaker-pe/pe-client-tools/config_file_helper'
 require 'beaker-pe/pe-client-tools/install_helper'
@@ -16,6 +17,7 @@ module Beaker
       include Beaker::DSL::InstallUtils::PEDefaults
       include Beaker::DSL::InstallUtils::PEUtils
       include Beaker::DSL::InstallUtils::PEClientTools
+      include Beaker::DSL::InstallUtils::CAUtils
       include Beaker::Options::PEVersionScraper
       include Beaker::DSL::PEClientTools::ConfigFileHelper
       include Beaker::DSL::PEClientTools::ExecutableHelper

data/lib/beaker-pe/install/ca_utils.rb

@@ -0,0 +1,192 @@
+#Much of this is taken from PuppetSpec:SSL
+require "openssl"
+
+module Beaker
+  module DSL
+    module InstallUtils
+      module CAUtils
+        PRIVATE_KEY_LENGTH = 2048
+        FIVE_YEARS = 5 * 365 * 24 * 60 * 60
+        CA_EXTENSIONS = [
+        ["basicConstraints", "CA:TRUE", true],
+        ["keyUsage", "keyCertSign, cRLSign", true],
+        ["subjectKeyIdentifier", "hash", false],
+        ["authorityKeyIdentifier", "keyid:always", false]
+        ]
+        NODE_EXTENSIONS = [
+        ["keyUsage", "digitalSignature", true],
+        ["subjectKeyIdentifier", "hash", false]
+        ]
+        DEFAULT_SIGNING_DIGEST = OpenSSL::Digest::SHA256.new
+        DEFAULT_REVOCATION_REASON = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE
+        ROOT_CA_NAME = "/CN=root-ca"
+        INT_CA_NAME = "/CN=intermediate-ca"
+        EXPLANATORY_TEXT = <<-EOT
+# Root Issuer: #{ROOT_CA_NAME}
+# Intermediate Issuer: #{INT_CA_NAME}
+EOT
+
+        # Generate CA bundle with root and intermediate certs, as well as CRL chain and private key for
+        # the intermediate CA, pushed to the host for use during PE install with pe_install::signing_ca
+        #
+        # @param [Host] host  The host to create CA bundle files on.  Defaults to global 'master' object.
+        # @param [String] targetdir  Location to save files on host, to be referenced in pe.conf for install.
+        # @return [Hash] File names => where they were put on the host
+        def generate_ca_bundle_on(host = master, targetdir = '/tmp/ca_bundle')
+          files = {}
+          pki = create_chained_pki
+          on(host, "mkdir -p #{targetdir}", :acceptable_exit_codes => [0])
+          pki.each do |name,cert|
+            create_remote_file(host, "#{targetdir}/#{name}", cert.to_s, :acceptable_exit_codes => [0])
+            files["#{name}".to_sym] = "#{targetdir}/#{name}"
+          end
+          files
+        end
+
+        def create_private_key(length = PRIVATE_KEY_LENGTH)
+          OpenSSL::PKey::RSA.new(length)
+        end
+
+        def self_signed_ca(key, name)
+          cert = OpenSSL::X509::Certificate.new
+
+          cert.public_key = key.public_key
+          cert.subject = OpenSSL::X509::Name.parse(name)
+          cert.issuer = cert.subject
+          cert.version = 2
+          cert.serial = rand(2**128)
+
+          not_before = just_now
+          cert.not_before = not_before
+          cert.not_after = not_before + FIVE_YEARS
+
+          ext_factory = extension_factory_for(cert, cert)
+          CA_EXTENSIONS.each do |ext|
+            extension = ext_factory.create_extension(*ext)
+            cert.add_extension(extension)
+          end
+
+          cert.sign(key, DEFAULT_SIGNING_DIGEST)
+
+          cert
+        end
+
+        def create_csr(key, name)
+          csr = OpenSSL::X509::Request.new
+
+          csr.public_key = key.public_key
+          csr.subject = OpenSSL::X509::Name.parse(name)
+          csr.version = 2
+          csr.sign(key, DEFAULT_SIGNING_DIGEST)
+
+          csr
+        end
+
+        def sign(ca_key, ca_cert, csr, extensions = NODE_EXTENSIONS)
+          cert = OpenSSL::X509::Certificate.new
+
+          cert.public_key = csr.public_key
+          cert.subject = csr.subject
+          cert.issuer = ca_cert.subject
+          cert.version = 2
+          cert.serial = rand(2**128)
+
+          not_before = just_now
+          cert.not_before = not_before
+          cert.not_after = not_before + FIVE_YEARS
+
+          ext_factory = extension_factory_for(ca_cert, cert)
+          extensions.each do |ext|
+            extension = ext_factory.create_extension(*ext)
+            cert.add_extension(extension)
+          end
+
+          cert.sign(ca_key, DEFAULT_SIGNING_DIGEST)
+
+          cert
+        end
+
+        def create_crl_for(ca_cert, ca_key)
+          crl = OpenSSL::X509::CRL.new
+          crl.version = 1
+          crl.issuer = ca_cert.subject
+
+          ef = extension_factory_for(ca_cert)
+          crl.add_extension(
+            ef.create_extension(["authorityKeyIdentifier", "keyid:always", false]))
+          crl.add_extension(
+            OpenSSL::X509::Extension.new("crlNumber", OpenSSL::ASN1::Integer(0)))
+
+          not_before = just_now
+          crl.last_update = not_before
+          crl.next_update = not_before + FIVE_YEARS
+          crl.sign(ca_key, DEFAULT_SIGNING_DIGEST)
+
+          crl
+        end
+
+        def revoke(serial, crl, ca_key)
+          revoked = OpenSSL::X509::Revoked.new
+          revoked.serial = serial
+          revoked.time = Time.now
+          revoked.add_extension(
+            OpenSSL::X509::Extension.new("CRLReason",
+                                        OpenSSL::ASN1::Enumerated(DEFAULT_REVOCATION_REASON)))
+
+          crl.add_revoked(revoked)
+          extensions = crl.extensions.group_by{|e| e.oid == 'crlNumber' }
+          crl_number = extensions[true].first
+          unchanged_exts = extensions[false]
+
+          next_crl_number = crl_number.value.to_i + 1
+          new_crl_number_ext = OpenSSL::X509::Extension.new("crlNumber",
+                                                            OpenSSL::ASN1::Integer(next_crl_number))
+
+          crl.extensions = unchanged_exts + [new_crl_number_ext]
+          crl.sign(ca_key, DEFAULT_SIGNING_DIGEST)
+
+          crl
+        end
+
+        def create_chained_pki
+          root_key = create_private_key
+          root_cert = self_signed_ca(root_key, ROOT_CA_NAME)
+          root_crl = create_crl_for(root_cert, root_key)
+
+          int_key = create_private_key
+          int_csr = create_csr(int_key, INT_CA_NAME)
+          int_cert = sign(root_key, root_cert, int_csr, CA_EXTENSIONS)
+          int_crl = create_crl_for(int_cert, int_key)
+
+          int_ca_bundle = bundle(int_cert, root_cert)
+          int_crl_chain = bundle(int_crl, root_crl)
+
+          {
+              :root_cert => root_cert,
+              :int_cert => int_cert,
+              :int_ca_bundle => int_ca_bundle,
+              :int_key  => int_key,
+              :int_crl_chain => int_crl_chain,
+          }
+        end
+
+        def just_now
+          Time.now - 1
+        end
+
+        def extension_factory_for(ca, cert = nil)
+          ef = OpenSSL::X509::ExtensionFactory.new
+          ef.issuer_certificate  = ca
+          ef.subject_certificate = cert if cert
+
+          ef
+        end
+
+        def bundle(*items)
+          items.map {|i| EXPLANATORY_TEXT + i.to_pem }.join("\n")
+        end
+
+      end
+    end
+  end
+end

data/lib/beaker-pe/version.rb

@@ -3,7 +3,7 @@ module Beaker
     module PE
 
       module Version
-        STRING = '2.0.2'
+        STRING = '2.0.3'
       end
 
     end

data/spec/beaker-pe/install/ca_utils_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+include Beaker::DSL::InstallUtils::CAUtils
+
+describe Beaker::DSL::InstallUtils::CAUtils do
+  let(:dummy_pki) {
+      {
+        :root_cert => 'dummy_root_cert',
+        :int_cert => 'dummy_int_cert',
+        :int_ca_bundle => 'dummy_int_bundle',
+        :int_key  => 'dummy_int_key',
+        :int_crl_chain => 'dummy_int_crl_chain',
+      }
+    }
+
+    before(:each) do
+      allow(subject).to receive(:create_chained_pki).and_return(dummy_pki)
+    end
+
+  describe 'generate_ca_bundle_on' do
+    let(:host) { make_host( 'unixhost', { :platform => 'linux'})}
+    let(:bundledir) { '/tmp/ca_bundle' }
+    let(:expected) { 
+      {
+        :root_cert => "#{bundledir}/root_cert",
+        :int_cert => "#{bundledir}/int_cert",
+        :int_ca_bundle => "#{bundledir}/int_ca_bundle",
+        :int_key => "#{bundledir}/int_key",
+        :int_crl_chain => "#{bundledir}/int_crl_chain",
+      }
+    }
+
+    it "generates certs on host" do
+      expect(subject).to receive(:on).with(host, "mkdir -p #{bundledir}", :acceptable_exit_codes => [0])
+      expect(subject).to receive(:create_remote_file).with(host,"#{bundledir}/root_cert", "dummy_root_cert", :acceptable_exit_codes => [0])
+      expect(subject).to receive(:create_remote_file).with(host,"#{bundledir}/int_cert", "dummy_int_cert", :acceptable_exit_codes => [0])
+      expect(subject).to receive(:create_remote_file).with(host,"#{bundledir}/int_ca_bundle", "dummy_int_bundle", :acceptable_exit_codes => [0])
+      expect(subject).to receive(:create_remote_file).with(host,"#{bundledir}/int_key", "dummy_int_key", :acceptable_exit_codes => [0])
+      expect(subject).to receive(:create_remote_file).with(host,"#{bundledir}/int_crl_chain", "dummy_int_crl_chain", :acceptable_exit_codes => [0])
+      expect( subject.generate_ca_bundle_on(host,"#{bundledir}") ).to eq(expected)
+    end
+  end
+end

data/spec/beaker-pe/pe-client-tools/executable_helper_spec.rb

@@ -64,25 +64,66 @@ describe MixedWithExecutableHelper do
 
   context 'puppet access login with lifetime parameter' do
     let(:logger) {Beaker::Logger.new}
-    let(:test_host) {Beaker::Host.create('my_super_host',
-                                         {:roles => ['master', 'agent'],
-                                          :platform => 'linux',
-                                          :type => 'pe'},
-                                          make_opts)}
-    let(:username) {'T'}
-    let(:password) {'Swift'}
-    let(:credentials) {{:login => username, :password => password}}
-    let(:test_dispatcher) {Scooter::HttpDispatchers::ConsoleDispatcher.new('my_super_host', credentials)}
+    let(:test_host) {
+      make_host('my_super_host', {
+          :roles => ['master', 'agent'],
+          :platform => 'linux',
+          :type => 'pe'
+        }
+      )
+    }
+    let(:credentials) {
+      mock = Object.new
+      allow(mock).to receive(:login).and_return('T')
+      allow(mock).to receive(:password).and_return('Swift')
+      mock
+    }
+    let(:test_dispatcher) {
+      mock = Object.new
+      allow(mock).to receive(:credentials).and_return(credentials)
+      mock
+    }
 
     before do
       allow(logger).to receive(:debug) { true }
-      expect(test_dispatcher).to be_kind_of(Scooter::HttpDispatchers::ConsoleDispatcher)
       expect(test_host).to be_kind_of(Beaker::Host)
-      expect(test_host).to receive(:exec)
     end
 
-    it 'accepts correct value' do
-      expect{subject.login_with_puppet_access_on(test_host, test_dispatcher, {:lifetime => '5d'})}.not_to raise_error
+    it 'passes the lifetime value to :puppet_access_on on linux' do
+      lifetime_value = '5d'
+
+      expect(subject).to receive(:puppet_access_on).with(
+        test_host,
+        "login",
+        "--lifetime #{lifetime_value}",
+        anything
+      )
+
+      expect{
+        subject.login_with_puppet_access_on(
+          test_host,
+          test_dispatcher,
+          {:lifetime => lifetime_value}
+        )
+      }.not_to raise_error
+    end
+
+    it 'passes the lifetime value to the passed dispatcher on windows' do
+      test_host[:platform] = "win-stuff"
+      allow(subject).to receive(:create_remote_file)
+      lifetime_value = '6d'
+
+      expect(test_dispatcher).to receive(
+        :acquire_token_with_credentials
+      ).with(lifetime_value)
+
+      expect{
+        subject.login_with_puppet_access_on(
+          test_host,
+          test_dispatcher,
+          {:lifetime => lifetime_value}
+        )
+      }.not_to raise_error
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: beaker-pe
 version: !ruby/object:Gem::Version
-  version: 2.0.2
+  version: 2.0.3
 platform: ruby
 authors:
 - Puppetlabs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-12 00:00:00.000000000 Z
+date: 2018-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -253,6 +253,7 @@ files:
 - bin/beaker-template
 - docs/how_to/install_puppet_enterprise.md
 - lib/beaker-pe.rb
+- lib/beaker-pe/install/ca_utils.rb
 - lib/beaker-pe/install/feature_flags.rb
 - lib/beaker-pe/install/pe_defaults.rb
 - lib/beaker-pe/install/pe_utils.rb
@@ -262,6 +263,7 @@ files:
 - lib/beaker-pe/pe-client-tools/install_helper.rb
 - lib/beaker-pe/version.rb
 - spec/beaker-pe/helpers_spec.rb
+- spec/beaker-pe/install/ca_utils_spec.rb
 - spec/beaker-pe/install/feature_flags_spec.rb
 - spec/beaker-pe/install/pe_defaults_spec.rb
 - spec/beaker-pe/install/pe_utils_spec.rb