simp-beaker-helpers 1.8.10 → 1.9.0

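--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 19a1973e3ecb4485608ca6f085c003ffa8ed9bcd65f77fefd0c4ecff01dd903a
- data.tar.gz: d0d52e31f82650bf6a42a81fcb3af81b70e59ae01ea345ab3a8080fd37c207ae
+ metadata.gz: f0593bcb8d63201d20046c6799d7a18c1f6ca7f79302f424dc4d976fd7862c5f
+ data.tar.gz: eeb45a788d488c0a12c6b172f9c41bb3e15f592916db72dec843c135f4593470
  SHA512:
- metadata.gz: 56df1ba666079778b9a66f25b9afb16b436455368ec86c4c2f781ea2620f5fb841ebdbb10847a00befbde8862a4cdc0f4b4d80264e7d2d4267c961641d65d03b
- data.tar.gz: ac6c5ed1b1e2950df314ee2e3a111246c4fe70ca306f9c009595d4019ef19008a37a9b140be4d62915a49c768aa87af22482559ce700bacef309cc0a98425fd6
+ metadata.gz: 3616faeb4838f048f575ed0e6764c26f947be7c7e51fa3925080b464bbe363872075427d528f1025ce148f4965abb08aa67211421aaa61063db06ad993e5b0df
+ data.tar.gz: 7611ae390dab78771280651c0101e721a8c2b3abf018d22c59805f146fcbf3db80b1647e00377f4320a0a862a1fc6a21f7a71d77893168393ec232a2aa35d2d0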
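--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,8 @@
+ ### 1.9.0 / 2018-01-01
+ * Ensure that all host IP addresses get added to the internally generated PKI
+ keys as subjectAltNames. Kubernetes needs this and it does not hurt to have
+ in place for testing.
+
  ### 1.8.10 / 2017-11-02
  * Fix bug in which dracut was not run on CentOS6, when dracut-fips was
  installed for a FIPS-enabled test.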
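--- a/data/files/pki/make.sh
+++ b/data/files/pki/make.sh
@@ -1,6 +1,9 @@
+ # For ruby
+ export PATH=/opt/puppetlabs/puppet/bin:$PATH
+
  DAYS="-days 365"
  REQ="openssl req $SSLEAY_CONFIG"
- CA="openssl ca $SSLEAY_CONFIG -config ca.cnf"
+ CA="openssl ca $SSLEAY_CONFIG"
  VERIFY="openssl verify"
  X509="openssl x509"
 
@@ -31,17 +34,58 @@ touch ${CATOP}/index.txt
  echo "== Making CA certificate ..."
  sed "s/^\([[:space:]]*commonName_default\).*/\1 \t\t= Fake Org Fake CA - ${CASERIAL}/" template_ca.cnf > ca.cnf
 
+ export OPENSSL_CONF=ca.cnf
+
  $REQ -verbose -batch -passout file:cacertkey -new -x509 -keyout ${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS
 
  echo "== Making Client certificates ..."
- for hname in $*; do
+ for hosts in $*; do
+ hosts=`echo $hosts | sed -e 's/[ \t]//g'`
+ hname=`echo $hosts | cut -d',' -f1`
+
  echo "-- $hname"
  mkdir -p "${keydist}/${hname}/cacerts"
- sed -e "s/#HOSTNAME#/$hname/" template_host.cnf > "working/${hname}.cnf"
+
+ sed -e "s/#HOSTNAME#/${hname}/" template_host.cnf > "working/${hname}.cnf"
+
+ if [ "$hname" != "$hosts" ];
+ then
+ alts=`echo $hosts | cut -d',' -f1-`
+ altnames=''
+ for i in `echo $alts | tr ',' '\n'`
+ do
+ ruby -r ipaddr -e "begin IPAddr.new('$i') rescue exit 1 end"
+ if [ $? -eq 0 ]; then
+ # This is required due to some applications not properly supporting the
+ # IP version of subjectAltName.
+ prefixes='IP DNS'
+ else
+ prefixes='DNS'
+ fi
+
+ for prefix in $prefixes; do
+ if [ "$altnames" != '' ]
+ then
+ altnames+=",$prefix:$i"
+ else
+ altnames+="$prefix:$i"
+ fi
+ done
+ done
+
+ sed -i "s/# subjectAltName = #ALTNAMES#/subjectAltName = ${altnames}/" "working/${hname}.cnf"
+ fi
+
  echo "-- running openssl req"
- $REQ -config "working/${hname}.cnf" -new -nodes -keyout ${keydist}/${hname}/${hname}.pem -out working/"${hname}"req.pem -days 360 -batch;
+
+ export OPENSSL_CONF="working/${hname}.cnf"
+
+ $REQ -new -nodes -keyout ${keydist}/${hname}/${hname}.pem -out working/"${hname}"req.pem -days 360 -batch;
+
  echo "-- running openssl ca"
+
  $CA -passin file:cacertkey -batch -out ${keydist}/${hname}/${hname}.pub -infiles working/"${hname}"req.pem
+
  cat ${keydist}/${hname}/${hname}.pub >> ${keydist}/${hname}/${hname}.pem
  done
 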
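Review bot: In the new alt-name loop, `$i` is pasted into Ruby source inside single quotes (`IPAddr.new('$i')`), so a pki.hosts entry containing a quote changes the program that runs instead of simply failing the IP check; passing the value as an argument avoids that: `ruby -r ipaddr -e 'begin IPAddr.new(ARGV[0]) rescue exit 1 end' "$i"`. The same unescaped value then lands in the `sed -i` replacement, where a `/` or `&` in an entry would corrupt the `subjectAltName` line. Separately, `OPENSSL_CONF` stays exported as the last host's config once the loop ends and `$CA` no longer passes `-config ca.cnf`, so any openssl call after `done` (outside this hunk) would presumably read a host config rather than ca.cnf; an explicit `export OPENSSL_CONF=ca.cnf` after the loop would make that deliberate.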
@@ -198,6 +198,7 @@ authorityKeyIdentifier=keyid,issuer:always
198
198
  # An alternative to produce certificates that aren't
199
199
  # deprecated according to PKIX.
200
200
  # subjectAltName=email:move
201
+ # subjectAltName = #ALTNAMES#
201
202
 
202
203
  # Copy subject details
203
204
  # issuerAltName=issuer:copy
@@ -401,15 +401,61 @@ DEFAULT_KERNEL_TITLE=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep -m1 t
401
401
  puts "== Fake PKI CA"
402
402
  pki_dir = File.expand_path( "../../files/pki", File.dirname(__FILE__))
403
403
  host_dir = '/root/pki'
404
- fqdns = fact_on(hosts, 'fqdn')
405
404
 
406
405
  ca_sut.mkdir_p(host_dir)
407
406
  Dir[ File.join(pki_dir, '*') ].each{|f| copy_to( ca_sut, f, host_dir)}
408
407
 
408
+ # Collect network information from all SUTs
409
+ #
410
+ # We need this so that we don't insert any common IP addresses into certs
411
+ suts_network_info = {}
412
+
413
+ hosts.each do |host|
414
+ fqdn = fact_on(host, 'fqdn').strip
415
+
416
+ host_entry = { fqdn => [] }
417
+
418
+ # Ensure that all interfaces are active prior to collecting data
419
+ activate_interfaces(host)
420
+
421
+ # Gather the IP Addresses for the host to embed in the cert
422
+ interfaces = fact_on(host, 'interfaces').strip.split(',')
423
+ interfaces.each do |interface|
424
+ ipaddress = fact_on(host, "ipaddress_#{interface}")
425
+
426
+ next if ipaddress.nil? || ipaddress.empty? || ipaddress.start_with?('127.')
427
+
428
+ host_entry[fqdn] << ipaddress.strip
429
+
430
+ unless host_entry[fqdn].empty?
431
+ suts_network_info[fqdn] = host_entry[fqdn]
432
+ end
433
+ end
434
+ end
435
+
436
+ # Get all of the repeated SUT IP addresses:
437
+ # 1. Create a hash of elements that have a key that is the value and
438
+ # elements that are the same value
439
+ # 2. Grab all elements that have more than one value (therefore, were
440
+ # repeated)
441
+ # 3. Pull out an Array of all of the common element keys for future
442
+ # comparison
443
+ common_ip_addresses = suts_network_info
444
+ .values.flatten
445
+ .group_by{ |x| x }
446
+ .select{|k,v| v.size > 1}
447
+ .keys
448
+
409
449
  # generate PKI certs for each SUT
410
450
  Dir.mktmpdir do |dir|
411
451
  pki_hosts_file = File.join(dir, 'pki.hosts')
412
- File.open(pki_hosts_file, 'w'){|fh| fqdns.each{|fqdn| fh.puts fqdn}}
452
+
453
+ File.open(pki_hosts_file, 'w') do |fh|
454
+ suts_network_info.each do |fqdn, ipaddresses|
455
+ fh.puts ([fqdn] + (ipaddresses - common_ip_addresses)) .join(',')
456
+ end
457
+ end
458
+
413
459
  copy_to(ca_sut, pki_hosts_file, host_dir)
414
460
  # generate certs
415
461
  on(ca_sut, "cd #{host_dir}; cat #{host_dir}/pki.hosts | xargs bash make.sh")
@@ -489,6 +535,26 @@ done
489
535
  end
490
536
 
491
537
 
538
+ # Activate all network interfaces on the target system
539
+ #
540
+ # This is generally needed if the upstream vendor does not activate all
541
+ # interfaces by default (EL7 for example)
542
+ #
543
+ # Can be passed any number of hosts either singly or as an Array
544
+ def activate_interfaces(hosts)
545
+ Array(hosts).each do |host|
546
+ interfaces = fact_on(host, 'interfaces').strip.split(',')
547
+ interfaces.delete_if { |x| x =~ /^lo/ }
548
+
549
+ interfaces.each do |iface|
550
+ if fact_on(host, "ipaddress_#{iface}").strip.empty?
551
+ on(host, "ifup #{iface}", :accept_all_exit_codes => true)
552
+ end
553
+ end
554
+ end
555
+ end
556
+
557
+
492
558
  ## Inline Hiera Helpers ##
493
559
  ## These will be integrated into core Beaker at some point ##
494
560
 
@@ -505,16 +571,7 @@ done
505
571
  # We can't guarantee that the upstream vendor isn't disabling interfaces so
506
572
  # we need to turn them on at each context run
507
573
  c.before(:context) do
508
- hosts.each do |host|
509
- interfaces = fact_on(host, 'interfaces').strip.split(',')
510
- interfaces.delete_if { |x| x =~ /^lo/ }
511
-
512
- interfaces.each do |iface|
513
- if fact_on(host, "ipaddress_#{iface}").strip.empty?
514
- on(host, "ifup #{iface}", :accept_all_exit_codes => true)
515
- end
516
- end
517
- end
574
+ activate_interfaces(hosts)
518
575
  end
519
576
 
520
577
  c.after(:all) do
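Review bot: In the `@@ -401` hunk's collection loop, a host is copied into `suts_network_info` only from inside `interfaces.each`, after an address has passed the `next` filter, so a SUT with no non-loopback address gets no line in pki.hosts and therefore no certificate, whereas the removed `fqdns.each` wrote every host. Assigning once after the inner loop, `suts_network_info[fqdn] = host_entry[fqdn]`, keeps such hosts with an FQDN-only line, which make.sh already handles. The filter also tests `ipaddress.empty?` and `start_with?('127.')` before `strip`, while `activate_interfaces` strips first; `ipaddress = fact_on(host, "ipaddress_#{interface}").to_s.strip` ahead of the `next` would make the two agree and keep a whitespace-only fact out of the cert's alt names. The enclosing method begins outside the hunk.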
@@ -1,5 +1,5 @@
1
1
  module Simp; end
2
2
 
3
3
  module Simp::BeakerHelpers
4
- VERSION = '1.8.10'
4
+ VERSION = '1.9.0'
5
5
  end
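--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: simp-beaker-helpers
  version: !ruby/object:Gem::Version
- version: 1.8.10
+ version: 1.9.0
  platform: ruby
  authors:
  - Chris Tessmer
@@ -9,7 +9,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2017-11-02 00:00:00.000000000 Z
+ date: 2018-01-02 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: beaker
@@ -94,7 +94,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  version: '0'
  requirements: []
  rubyforge_project:
- rubygems_version: 2.7.0
+ rubygems_version: 2.7.4
  signing_key:
  specification_version: 4
  summary: beaker helper methods for SIMP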