simp-beaker-helpers 1.8.10 → 1.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/files/pki/make.sh +48 -4
- data/files/pki/template_host.cnf +1 -0
- data/lib/simp/beaker_helpers.rb +69 -12
- data/lib/simp/beaker_helpers/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f0593bcb8d63201d20046c6799d7a18c1f6ca7f79302f424dc4d976fd7862c5f
|
|
4
|
+
data.tar.gz: eeb45a788d488c0a12c6b172f9c41bb3e15f592916db72dec843c135f4593470
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3616faeb4838f048f575ed0e6764c26f947be7c7e51fa3925080b464bbe363872075427d528f1025ce148f4965abb08aa67211421aaa61063db06ad993e5b0df
|
|
7
|
+
data.tar.gz: 7611ae390dab78771280651c0101e721a8c2b3abf018d22c59805f146fcbf3db80b1647e00377f4320a0a862a1fc6a21f7a71d77893168393ec232a2aa35d2d0
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
### 1.9.0 / 2018-01-01
|
|
2
|
+
* Ensure that all host IP addresses get added to the internally generated PKI
|
|
3
|
+
keys as subjectAltNames. Kubernetes needs this and it does not hurt to have
|
|
4
|
+
in place for testing.
|
|
5
|
+
|
|
1
6
|
### 1.8.10 / 2017-11-02
|
|
2
7
|
* Fix bug in which dracut was not run on CentOS6, when dracut-fips was
|
|
3
8
|
installed for a FIPS-enabled test.
|
data/files/pki/make.sh
CHANGED
|
@@ -1,6 +1,9 @@
|
|
|
1
|
+
# For ruby
|
|
2
|
+
export PATH=/opt/puppetlabs/puppet/bin:$PATH
|
|
3
|
+
|
|
1
4
|
DAYS="-days 365"
|
|
2
5
|
REQ="openssl req $SSLEAY_CONFIG"
|
|
3
|
-
CA="openssl ca $SSLEAY_CONFIG
|
|
6
|
+
CA="openssl ca $SSLEAY_CONFIG"
|
|
4
7
|
VERIFY="openssl verify"
|
|
5
8
|
X509="openssl x509"
|
|
6
9
|
|
|
@@ -31,17 +34,58 @@ touch ${CATOP}/index.txt
|
|
|
31
34
|
echo "== Making CA certificate ..."
|
|
32
35
|
sed "s/^\([[:space:]]*commonName_default\).*/\1 \t\t= Fake Org Fake CA - ${CASERIAL}/" template_ca.cnf > ca.cnf
|
|
33
36
|
|
|
37
|
+
export OPENSSL_CONF=ca.cnf
|
|
38
|
+
|
|
34
39
|
$REQ -verbose -batch -passout file:cacertkey -new -x509 -keyout ${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS
|
|
35
40
|
|
|
36
41
|
echo "== Making Client certificates ..."
|
|
37
|
-
for
|
|
42
|
+
for hosts in $*; do
|
|
43
|
+
hosts=`echo $hosts | sed -e 's/[ \t]//g'`
|
|
44
|
+
hname=`echo $hosts | cut -d',' -f1`
|
|
45
|
+
|
|
38
46
|
echo "-- $hname"
|
|
39
47
|
mkdir -p "${keydist}/${hname}/cacerts"
|
|
40
|
-
|
|
48
|
+
|
|
49
|
+
sed -e "s/#HOSTNAME#/${hname}/" template_host.cnf > "working/${hname}.cnf"
|
|
50
|
+
|
|
51
|
+
if [ "$hname" != "$hosts" ];
|
|
52
|
+
then
|
|
53
|
+
alts=`echo $hosts | cut -d',' -f1-`
|
|
54
|
+
altnames=''
|
|
55
|
+
for i in `echo $alts | tr ',' '\n'`
|
|
56
|
+
do
|
|
57
|
+
ruby -r ipaddr -e "begin IPAddr.new('$i') rescue exit 1 end"
|
|
58
|
+
if [ $? -eq 0 ]; then
|
|
59
|
+
# This is required due to some applications not properly supporting the
|
|
60
|
+
# IP version of subjectAltName.
|
|
61
|
+
prefixes='IP DNS'
|
|
62
|
+
else
|
|
63
|
+
prefixes='DNS'
|
|
64
|
+
fi
|
|
65
|
+
|
|
66
|
+
for prefix in $prefixes; do
|
|
67
|
+
if [ "$altnames" != '' ]
|
|
68
|
+
then
|
|
69
|
+
altnames+=",$prefix:$i"
|
|
70
|
+
else
|
|
71
|
+
altnames+="$prefix:$i"
|
|
72
|
+
fi
|
|
73
|
+
done
|
|
74
|
+
done
|
|
75
|
+
|
|
76
|
+
sed -i "s/# subjectAltName = #ALTNAMES#/subjectAltName = ${altnames}/" "working/${hname}.cnf"
|
|
77
|
+
fi
|
|
78
|
+
|
|
41
79
|
echo "-- running openssl req"
|
|
42
|
-
|
|
80
|
+
|
|
81
|
+
export OPENSSL_CONF="working/${hname}.cnf"
|
|
82
|
+
|
|
83
|
+
$REQ -new -nodes -keyout ${keydist}/${hname}/${hname}.pem -out working/"${hname}"req.pem -days 360 -batch;
|
|
84
|
+
|
|
43
85
|
echo "-- running openssl ca"
|
|
86
|
+
|
|
44
87
|
$CA -passin file:cacertkey -batch -out ${keydist}/${hname}/${hname}.pub -infiles working/"${hname}"req.pem
|
|
88
|
+
|
|
45
89
|
cat ${keydist}/${hname}/${hname}.pub >> ${keydist}/${hname}/${hname}.pem
|
|
46
90
|
done
|
|
47
91
|
|
data/files/pki/template_host.cnf
CHANGED
|
@@ -198,6 +198,7 @@ authorityKeyIdentifier=keyid,issuer:always
|
|
|
198
198
|
# An alternative to produce certificates that aren't
|
|
199
199
|
# deprecated according to PKIX.
|
|
200
200
|
# subjectAltName=email:move
|
|
201
|
+
# subjectAltName = #ALTNAMES#
|
|
201
202
|
|
|
202
203
|
# Copy subject details
|
|
203
204
|
# issuerAltName=issuer:copy
|
data/lib/simp/beaker_helpers.rb
CHANGED
|
@@ -401,15 +401,61 @@ DEFAULT_KERNEL_TITLE=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep -m1 t
|
|
|
401
401
|
puts "== Fake PKI CA"
|
|
402
402
|
pki_dir = File.expand_path( "../../files/pki", File.dirname(__FILE__))
|
|
403
403
|
host_dir = '/root/pki'
|
|
404
|
-
fqdns = fact_on(hosts, 'fqdn')
|
|
405
404
|
|
|
406
405
|
ca_sut.mkdir_p(host_dir)
|
|
407
406
|
Dir[ File.join(pki_dir, '*') ].each{|f| copy_to( ca_sut, f, host_dir)}
|
|
408
407
|
|
|
408
|
+
# Collect network information from all SUTs
|
|
409
|
+
#
|
|
410
|
+
# We need this so that we don't insert any common IP addresses into certs
|
|
411
|
+
suts_network_info = {}
|
|
412
|
+
|
|
413
|
+
hosts.each do |host|
|
|
414
|
+
fqdn = fact_on(host, 'fqdn').strip
|
|
415
|
+
|
|
416
|
+
host_entry = { fqdn => [] }
|
|
417
|
+
|
|
418
|
+
# Ensure that all interfaces are active prior to collecting data
|
|
419
|
+
activate_interfaces(host)
|
|
420
|
+
|
|
421
|
+
# Gather the IP Addresses for the host to embed in the cert
|
|
422
|
+
interfaces = fact_on(host, 'interfaces').strip.split(',')
|
|
423
|
+
interfaces.each do |interface|
|
|
424
|
+
ipaddress = fact_on(host, "ipaddress_#{interface}")
|
|
425
|
+
|
|
426
|
+
next if ipaddress.nil? || ipaddress.empty? || ipaddress.start_with?('127.')
|
|
427
|
+
|
|
428
|
+
host_entry[fqdn] << ipaddress.strip
|
|
429
|
+
|
|
430
|
+
unless host_entry[fqdn].empty?
|
|
431
|
+
suts_network_info[fqdn] = host_entry[fqdn]
|
|
432
|
+
end
|
|
433
|
+
end
|
|
434
|
+
end
|
|
435
|
+
|
|
436
|
+
# Get all of the repeated SUT IP addresses:
|
|
437
|
+
# 1. Create a hash of elements that have a key that is the value and
|
|
438
|
+
# elements that are the same value
|
|
439
|
+
# 2. Grab all elements that have more than one value (therefore, were
|
|
440
|
+
# repeated)
|
|
441
|
+
# 3. Pull out an Array of all of the common element keys for future
|
|
442
|
+
# comparison
|
|
443
|
+
common_ip_addresses = suts_network_info
|
|
444
|
+
.values.flatten
|
|
445
|
+
.group_by{ |x| x }
|
|
446
|
+
.select{|k,v| v.size > 1}
|
|
447
|
+
.keys
|
|
448
|
+
|
|
409
449
|
# generate PKI certs for each SUT
|
|
410
450
|
Dir.mktmpdir do |dir|
|
|
411
451
|
pki_hosts_file = File.join(dir, 'pki.hosts')
|
|
412
|
-
|
|
452
|
+
|
|
453
|
+
File.open(pki_hosts_file, 'w') do |fh|
|
|
454
|
+
suts_network_info.each do |fqdn, ipaddresses|
|
|
455
|
+
fh.puts ([fqdn] + (ipaddresses - common_ip_addresses)) .join(',')
|
|
456
|
+
end
|
|
457
|
+
end
|
|
458
|
+
|
|
413
459
|
copy_to(ca_sut, pki_hosts_file, host_dir)
|
|
414
460
|
# generate certs
|
|
415
461
|
on(ca_sut, "cd #{host_dir}; cat #{host_dir}/pki.hosts | xargs bash make.sh")
|
|
@@ -489,6 +535,26 @@ done
|
|
|
489
535
|
end
|
|
490
536
|
|
|
491
537
|
|
|
538
|
+
# Activate all network interfaces on the target system
|
|
539
|
+
#
|
|
540
|
+
# This is generally needed if the upstream vendor does not activate all
|
|
541
|
+
# interfaces by default (EL7 for example)
|
|
542
|
+
#
|
|
543
|
+
# Can be passed any number of hosts either singly or as an Array
|
|
544
|
+
def activate_interfaces(hosts)
|
|
545
|
+
Array(hosts).each do |host|
|
|
546
|
+
interfaces = fact_on(host, 'interfaces').strip.split(',')
|
|
547
|
+
interfaces.delete_if { |x| x =~ /^lo/ }
|
|
548
|
+
|
|
549
|
+
interfaces.each do |iface|
|
|
550
|
+
if fact_on(host, "ipaddress_#{iface}").strip.empty?
|
|
551
|
+
on(host, "ifup #{iface}", :accept_all_exit_codes => true)
|
|
552
|
+
end
|
|
553
|
+
end
|
|
554
|
+
end
|
|
555
|
+
end
|
|
556
|
+
|
|
557
|
+
|
|
492
558
|
## Inline Hiera Helpers ##
|
|
493
559
|
## These will be integrated into core Beaker at some point ##
|
|
494
560
|
|
|
@@ -505,16 +571,7 @@ done
|
|
|
505
571
|
# We can't guarantee that the upstream vendor isn't disabling interfaces so
|
|
506
572
|
# we need to turn them on at each context run
|
|
507
573
|
c.before(:context) do
|
|
508
|
-
hosts
|
|
509
|
-
interfaces = fact_on(host, 'interfaces').strip.split(',')
|
|
510
|
-
interfaces.delete_if { |x| x =~ /^lo/ }
|
|
511
|
-
|
|
512
|
-
interfaces.each do |iface|
|
|
513
|
-
if fact_on(host, "ipaddress_#{iface}").strip.empty?
|
|
514
|
-
on(host, "ifup #{iface}", :accept_all_exit_codes => true)
|
|
515
|
-
end
|
|
516
|
-
end
|
|
517
|
-
end
|
|
574
|
+
activate_interfaces(hosts)
|
|
518
575
|
end
|
|
519
576
|
|
|
520
577
|
c.after(:all) do
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: simp-beaker-helpers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.9.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Chris Tessmer
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2018-01-02 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: beaker
|
|
@@ -94,7 +94,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
94
94
|
version: '0'
|
|
95
95
|
requirements: []
|
|
96
96
|
rubyforge_project:
|
|
97
|
-
rubygems_version: 2.7.
|
|
97
|
+
rubygems_version: 2.7.4
|
|
98
98
|
signing_key:
|
|
99
99
|
specification_version: 4
|
|
100
100
|
summary: beaker helper methods for SIMP
|