simp-beaker-helpers 1.8.10 → 1.9.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/files/pki/make.sh +48 -4
- data/files/pki/template_host.cnf +1 -0
- data/lib/simp/beaker_helpers.rb +69 -12
- data/lib/simp/beaker_helpers/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f0593bcb8d63201d20046c6799d7a18c1f6ca7f79302f424dc4d976fd7862c5f
|
|
4
|
+
data.tar.gz: eeb45a788d488c0a12c6b172f9c41bb3e15f592916db72dec843c135f4593470
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3616faeb4838f048f575ed0e6764c26f947be7c7e51fa3925080b464bbe363872075427d528f1025ce148f4965abb08aa67211421aaa61063db06ad993e5b0df
|
|
7
|
+
data.tar.gz: 7611ae390dab78771280651c0101e721a8c2b3abf018d22c59805f146fcbf3db80b1647e00377f4320a0a862a1fc6a21f7a71d77893168393ec232a2aa35d2d0
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
### 1.9.0 / 2018-01-01
|
|
2
|
+
* Ensure that all host IP addresses get added to the internally generated PKI
|
|
3
|
+
keys as subjectAltNames. Kubernetes needs this and it does not hurt to have
|
|
4
|
+
in place for testing.
|
|
5
|
+
|
|
1
6
|
### 1.8.10 / 2017-11-02
|
|
2
7
|
* Fix bug in which dracut was not run on CentOS6, when dracut-fips was
|
|
3
8
|
installed for a FIPS-enabled test.
|
data/files/pki/make.sh
CHANGED
|
@@ -1,6 +1,9 @@
|
|
|
1
|
+
# For ruby
|
|
2
|
+
export PATH=/opt/puppetlabs/puppet/bin:$PATH
|
|
3
|
+
|
|
1
4
|
DAYS="-days 365"
|
|
2
5
|
REQ="openssl req $SSLEAY_CONFIG"
|
|
3
|
-
CA="openssl ca $SSLEAY_CONFIG
|
|
6
|
+
CA="openssl ca $SSLEAY_CONFIG"
|
|
4
7
|
VERIFY="openssl verify"
|
|
5
8
|
X509="openssl x509"
|
|
6
9
|
|
|
@@ -31,17 +34,58 @@ touch ${CATOP}/index.txt
|
|
|
31
34
|
echo "== Making CA certificate ..."
|
|
32
35
|
sed "s/^\([[:space:]]*commonName_default\).*/\1 \t\t= Fake Org Fake CA - ${CASERIAL}/" template_ca.cnf > ca.cnf
|
|
33
36
|
|
|
37
|
+
export OPENSSL_CONF=ca.cnf
|
|
38
|
+
|
|
34
39
|
$REQ -verbose -batch -passout file:cacertkey -new -x509 -keyout ${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS
|
|
35
40
|
|
|
36
41
|
echo "== Making Client certificates ..."
|
|
37
|
-
for
|
|
42
|
+
for hosts in $*; do
|
|
43
|
+
hosts=`echo $hosts | sed -e 's/[ \t]//g'`
|
|
44
|
+
hname=`echo $hosts | cut -d',' -f1`
|
|
45
|
+
|
|
38
46
|
echo "-- $hname"
|
|
39
47
|
mkdir -p "${keydist}/${hname}/cacerts"
|
|
40
|
-
|
|
48
|
+
|
|
49
|
+
sed -e "s/#HOSTNAME#/${hname}/" template_host.cnf > "working/${hname}.cnf"
|
|
50
|
+
|
|
51
|
+
if [ "$hname" != "$hosts" ];
|
|
52
|
+
then
|
|
53
|
+
alts=`echo $hosts | cut -d',' -f1-`
|
|
54
|
+
altnames=''
|
|
55
|
+
for i in `echo $alts | tr ',' '\n'`
|
|
56
|
+
do
|
|
57
|
+
ruby -r ipaddr -e "begin IPAddr.new('$i') rescue exit 1 end"
|
|
58
|
+
if [ $? -eq 0 ]; then
|
|
59
|
+
# This is required due to some applications not properly supporting the
|
|
60
|
+
# IP version of subjectAltName.
|
|
61
|
+
prefixes='IP DNS'
|
|
62
|
+
else
|
|
63
|
+
prefixes='DNS'
|
|
64
|
+
fi
|
|
65
|
+
|
|
66
|
+
for prefix in $prefixes; do
|
|
67
|
+
if [ "$altnames" != '' ]
|
|
68
|
+
then
|
|
69
|
+
altnames+=",$prefix:$i"
|
|
70
|
+
else
|
|
71
|
+
altnames+="$prefix:$i"
|
|
72
|
+
fi
|
|
73
|
+
done
|
|
74
|
+
done
|
|
75
|
+
|
|
76
|
+
sed -i "s/# subjectAltName = #ALTNAMES#/subjectAltName = ${altnames}/" "working/${hname}.cnf"
|
|
77
|
+
fi
|
|
78
|
+
|
|
41
79
|
echo "-- running openssl req"
|
|
42
|
-
|
|
80
|
+
|
|
81
|
+
export OPENSSL_CONF="working/${hname}.cnf"
|
|
82
|
+
|
|
83
|
+
$REQ -new -nodes -keyout ${keydist}/${hname}/${hname}.pem -out working/"${hname}"req.pem -days 360 -batch;
|
|
84
|
+
|
|
43
85
|
echo "-- running openssl ca"
|
|
86
|
+
|
|
44
87
|
$CA -passin file:cacertkey -batch -out ${keydist}/${hname}/${hname}.pub -infiles working/"${hname}"req.pem
|
|
88
|
+
|
|
45
89
|
cat ${keydist}/${hname}/${hname}.pub >> ${keydist}/${hname}/${hname}.pem
|
|
46
90
|
done
|
|
47
91
|
|
data/files/pki/template_host.cnf
CHANGED
|
@@ -198,6 +198,7 @@ authorityKeyIdentifier=keyid,issuer:always
|
|
|
198
198
|
# An alternative to produce certificates that aren't
|
|
199
199
|
# deprecated according to PKIX.
|
|
200
200
|
# subjectAltName=email:move
|
|
201
|
+
# subjectAltName = #ALTNAMES#
|
|
201
202
|
|
|
202
203
|
# Copy subject details
|
|
203
204
|
# issuerAltName=issuer:copy
|
data/lib/simp/beaker_helpers.rb
CHANGED
|
@@ -401,15 +401,61 @@ DEFAULT_KERNEL_TITLE=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep -m1 t
|
|
|
401
401
|
puts "== Fake PKI CA"
|
|
402
402
|
pki_dir = File.expand_path( "../../files/pki", File.dirname(__FILE__))
|
|
403
403
|
host_dir = '/root/pki'
|
|
404
|
-
fqdns = fact_on(hosts, 'fqdn')
|
|
405
404
|
|
|
406
405
|
ca_sut.mkdir_p(host_dir)
|
|
407
406
|
Dir[ File.join(pki_dir, '*') ].each{|f| copy_to( ca_sut, f, host_dir)}
|
|
408
407
|
|
|
408
|
+
# Collect network information from all SUTs
|
|
409
|
+
#
|
|
410
|
+
# We need this so that we don't insert any common IP addresses into certs
|
|
411
|
+
suts_network_info = {}
|
|
412
|
+
|
|
413
|
+
hosts.each do |host|
|
|
414
|
+
fqdn = fact_on(host, 'fqdn').strip
|
|
415
|
+
|
|
416
|
+
host_entry = { fqdn => [] }
|
|
417
|
+
|
|
418
|
+
# Ensure that all interfaces are active prior to collecting data
|
|
419
|
+
activate_interfaces(host)
|
|
420
|
+
|
|
421
|
+
# Gather the IP Addresses for the host to embed in the cert
|
|
422
|
+
interfaces = fact_on(host, 'interfaces').strip.split(',')
|
|
423
|
+
interfaces.each do |interface|
|
|
424
|
+
ipaddress = fact_on(host, "ipaddress_#{interface}")
|
|
425
|
+
|
|
426
|
+
next if ipaddress.nil? || ipaddress.empty? || ipaddress.start_with?('127.')
|
|
427
|
+
|
|
428
|
+
host_entry[fqdn] << ipaddress.strip
|
|
429
|
+
|
|
430
|
+
unless host_entry[fqdn].empty?
|
|
431
|
+
suts_network_info[fqdn] = host_entry[fqdn]
|
|
432
|
+
end
|
|
433
|
+
end
|
|
434
|
+
end
|
|
435
|
+
|
|
436
|
+
# Get all of the repeated SUT IP addresses:
|
|
437
|
+
# 1. Create a hash of elements that have a key that is the value and
|
|
438
|
+
# elements that are the same value
|
|
439
|
+
# 2. Grab all elements that have more than one value (therefore, were
|
|
440
|
+
# repeated)
|
|
441
|
+
# 3. Pull out an Array of all of the common element keys for future
|
|
442
|
+
# comparison
|
|
443
|
+
common_ip_addresses = suts_network_info
|
|
444
|
+
.values.flatten
|
|
445
|
+
.group_by{ |x| x }
|
|
446
|
+
.select{|k,v| v.size > 1}
|
|
447
|
+
.keys
|
|
448
|
+
|
|
409
449
|
# generate PKI certs for each SUT
|
|
410
450
|
Dir.mktmpdir do |dir|
|
|
411
451
|
pki_hosts_file = File.join(dir, 'pki.hosts')
|
|
412
|
-
|
|
452
|
+
|
|
453
|
+
File.open(pki_hosts_file, 'w') do |fh|
|
|
454
|
+
suts_network_info.each do |fqdn, ipaddresses|
|
|
455
|
+
fh.puts ([fqdn] + (ipaddresses - common_ip_addresses)) .join(',')
|
|
456
|
+
end
|
|
457
|
+
end
|
|
458
|
+
|
|
413
459
|
copy_to(ca_sut, pki_hosts_file, host_dir)
|
|
414
460
|
# generate certs
|
|
415
461
|
on(ca_sut, "cd #{host_dir}; cat #{host_dir}/pki.hosts | xargs bash make.sh")
|
|
@@ -489,6 +535,26 @@ done
|
|
|
489
535
|
end
|
|
490
536
|
|
|
491
537
|
|
|
538
|
+
# Activate all network interfaces on the target system
|
|
539
|
+
#
|
|
540
|
+
# This is generally needed if the upstream vendor does not activate all
|
|
541
|
+
# interfaces by default (EL7 for example)
|
|
542
|
+
#
|
|
543
|
+
# Can be passed any number of hosts either singly or as an Array
|
|
544
|
+
def activate_interfaces(hosts)
|
|
545
|
+
Array(hosts).each do |host|
|
|
546
|
+
interfaces = fact_on(host, 'interfaces').strip.split(',')
|
|
547
|
+
interfaces.delete_if { |x| x =~ /^lo/ }
|
|
548
|
+
|
|
549
|
+
interfaces.each do |iface|
|
|
550
|
+
if fact_on(host, "ipaddress_#{iface}").strip.empty?
|
|
551
|
+
on(host, "ifup #{iface}", :accept_all_exit_codes => true)
|
|
552
|
+
end
|
|
553
|
+
end
|
|
554
|
+
end
|
|
555
|
+
end
|
|
556
|
+
|
|
557
|
+
|
|
492
558
|
## Inline Hiera Helpers ##
|
|
493
559
|
## These will be integrated into core Beaker at some point ##
|
|
494
560
|
|
|
@@ -505,16 +571,7 @@ done
|
|
|
505
571
|
# We can't guarantee that the upstream vendor isn't disabling interfaces so
|
|
506
572
|
# we need to turn them on at each context run
|
|
507
573
|
c.before(:context) do
|
|
508
|
-
hosts
|
|
509
|
-
interfaces = fact_on(host, 'interfaces').strip.split(',')
|
|
510
|
-
interfaces.delete_if { |x| x =~ /^lo/ }
|
|
511
|
-
|
|
512
|
-
interfaces.each do |iface|
|
|
513
|
-
if fact_on(host, "ipaddress_#{iface}").strip.empty?
|
|
514
|
-
on(host, "ifup #{iface}", :accept_all_exit_codes => true)
|
|
515
|
-
end
|
|
516
|
-
end
|
|
517
|
-
end
|
|
574
|
+
activate_interfaces(hosts)
|
|
518
575
|
end
|
|
519
576
|
|
|
520
577
|
c.after(:all) do
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: simp-beaker-helpers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.9.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Chris Tessmer
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2018-01-02 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: beaker
|
|
@@ -94,7 +94,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
94
94
|
version: '0'
|
|
95
95
|
requirements: []
|
|
96
96
|
rubyforge_project:
|
|
97
|
-
rubygems_version: 2.7.
|
|
97
|
+
rubygems_version: 2.7.4
|
|
98
98
|
signing_key:
|
|
99
99
|
specification_version: 4
|
|
100
100
|
summary: beaker helper methods for SIMP
|