Move functionality of ca_cert::update to main class

voxpupuli · Aug 22, 2023 · 0049e4e · 0049e4e
1 parent 083b731
commit 0049e4e
Show file tree

Hide file tree

Showing 6 changed files with 96 additions and 151 deletions.
diff --git a/manifests/ca.pp b/manifests/ca.pp
@@ -51,8 +51,6 @@
   String[1] $ca_file_mode            = lookup('ca_cert::ca::ca_file_mode'),
   String[1] $ca_file_extension       = lookup('ca_cert::ca::ca_file_extension'),
 ) {
-  include ca_cert::update
-
   if ($ensure == 'trusted' or $ensure == 'distrusted') and $source == 'text' and !$ca_text {
     fail('ca_text is required if source is set to text')
   }
@@ -103,7 +101,7 @@
             owner  => 'root',
             group  => $ca_file_group,
             mode   => $ca_file_mode,
-            notify => Class['ca_cert::update'],
+            notify => Exec['ca_cert_update'],
           }
         }
         'ftp', 'https', 'http': {
@@ -113,7 +111,7 @@
             checksum       => $checksum,
             checksum_type  => $checksum_type,
             allow_insecure => !$verify_https_cert,
-            notify         => Class['ca_cert::update'],
+            notify         => Exec['ca_cert_update'],
           }
         }
         'file': {
@@ -125,7 +123,7 @@
             owner  => 'root',
             group  => $ca_file_group,
             mode   => $ca_file_mode,
-            notify => Class['ca_cert::update'],
+            notify => Exec['ca_cert_update'],
           }
         }
         'text': {
@@ -136,7 +134,7 @@
             owner   => 'root',
             group   => $ca_file_group,
             mode    => $ca_file_mode,
-            notify  => Class['ca_cert::update'],
+            notify  => Exec['ca_cert_update'],
           }
         }
         default: {
@@ -147,7 +145,7 @@
     'absent': {
       file { $ca_cert:
         ensure => absent,
-        notify => Class['ca_cert::update'],
+        notify => Exec['ca_cert_update'],
       }
     }
     default: {

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -68,8 +68,6 @@
   String[1] $cert_dir_mode                 = '0755',
   Boolean $supported                       = false,
 ) {
-  include ca_cert::update
-
   if $supported == false {
     fail("Unsupported osfamily (${facts['os']['family']}) or unsupported version (${facts['os']['release']['major']})")
   }
@@ -102,5 +100,31 @@
   if !empty($ca_certs) {
     create_resources('ca_cert::ca', $ca_certs)
   }
+
+  if ($facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['full'], '7') < 0) {
+    if $force_enable {
+      exec { 'enable_ca_trust':
+        command   => 'update-ca-trust force-enable',
+        logoutput => 'on_failure',
+        path      => ['/usr/sbin', '/usr/bin', '/bin'],
+        onlyif    => 'update-ca-trust check | grep DISABLED',
+      }
+    }
+    else {
+      exec { 'enable_ca_trust':
+        command   => 'update-ca-trust enable',
+        logoutput => 'on_failure',
+        path      => ['/usr/sbin', '/usr/bin', '/bin'],
+        onlyif    => 'update-ca-trust check | grep DISABLED',
+      }
+    }
+  }
+
+  exec { 'ca_cert_update':
+    command     => $update_cmd,
+    logoutput   => 'on_failure',
+    refreshonly => true,
+    path        => ['/usr/sbin', '/usr/bin', '/bin'],
+  }
 }
 # lint:endignore:variable_is_lowercase
diff --git a/manifests/update.pp b/manifests/update.pp
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -12,32 +12,38 @@
       end
     when 'RedHat'
       trusted_cert_dir = '/etc/pki/ca-trust/source/anchors'
+      update_cmd       = 'update-ca-trust extract'
     when 'Archlinux'
       trusted_cert_dir = '/etc/ca-certificates/trust-source/anchors/'
+      update_cmd       = 'trust extract-compat'
     when 'Suse'
       if %r{(10|11)}.match?(facts[:os]['release']['major'])
         trusted_cert_dir = '/etc/ssl/certs'
+        update_cmd       = 'c_rehash'
         package_name     = 'openssl-certs'
       else
         trusted_cert_dir = '/etc/pki/trust/anchors'
+        update_cmd       = 'update-ca-certificates'
       end
     when 'AIX'
       trusted_cert_dir = '/var/ssl/certs'
+      update_cmd       = '/usr/bin/c_rehash'
       cert_dir_group   = 'system'
     when 'Solaris'
       trusted_cert_dir = '/etc/certs/CA/'
+      update_cmd       = '/usr/sbin/svcadm restart /system/ca-certificates'
       cert_dir_group   = 'sys'
     end
 
     cert_dir_group = 'root' if cert_dir_group.nil?
     cert_dir_mode  = '0755' if cert_dir_mode.nil?
+    update_cmd     = 'update-ca-certificates' if update_cmd.nil?
     package_name   = 'ca-certificates' if package_name.nil?
 
     context "on #{os}" do
       let(:facts) { facts }
 
       it { is_expected.to compile }
-      it { is_expected.to contain_class('ca_cert::update') }
 
       it do
         is_expected.to contain_file('trusted_certs').only_with(
@@ -73,6 +79,30 @@
         it { is_expected.to contain_file('ca1.crt') } # only here to reach 100% resource coverage
         it { is_expected.to contain_file('ca2.crt') } # only here to reach 100% resource coverage
       end
+
+      if facts[:os]['family'] == 'RedHat' && facts[:os]['release']['major'].to_i < 7
+        it do
+          is_expected.to contain_exec('enable_ca_trust').only_with(
+            {
+              'command'   => 'update-ca-trust enable',
+              'logoutput' => 'on_failure',
+              'path'      => ['/usr/sbin', '/usr/bin', '/bin'],
+              'onlyif'    => 'update-ca-trust check | grep DISABLED',
+            },
+          )
+        end
+      end
+
+      it do
+        is_expected.to contain_exec('ca_cert_update').only_with(
+          {
+            'command'     => update_cmd,
+            'logoutput'   => 'on_failure',
+            'refreshonly' => true,
+            'path'        => ['/usr/sbin', '/usr/bin', '/bin'],
+          },
+        )
+      end
     end
   end
 
@@ -106,7 +136,7 @@
       context 'with always_update_certs set to valid true' do
         let(:params) { { always_update_certs: true } }
 
-        it { is_expected.to contain_exec('ca_cert_update').with_refreshonly(false) } # from ca_cert::update
+        it { is_expected.to contain_exec('ca_cert_update').with_refreshonly(false) }
       end
 
       context 'with purge_unmanaged_CAs set to valid true' do
@@ -116,6 +146,25 @@
         it { is_expected.to contain_file('trusted_certs').with_recurse(true) }
       end
 
+      context 'with force_enable set to valid true' do
+        let(:params) { { force_enable: true } }
+
+        if facts[:os]['family'] == 'RedHat' && facts[:os]['release']['major'].to_i < 7
+          it do
+            is_expected.to contain_exec('enable_ca_trust').only_with(
+              {
+                'command'   => 'update-ca-trust force-enable',
+                'logoutput' => 'on_failure',
+                'path'      => ['/usr/sbin', '/usr/bin', '/bin'],
+                'onlyif'    => 'update-ca-trust check | grep DISABLED',
+              },
+            )
+          end
+        else
+          it { is_expected.not_to contain_exec('enable_ca_trust') }
+        end
+      end
+
       context 'with install_package set to valid false' do
         let(:params) { { install_package: false } }
 
@@ -126,7 +175,7 @@
       context 'with force_enable set to valid true' do
         let(:params) { { force_enable: true } }
 
-        it { is_expected.to contain_exec('enable_ca_trust').with_command('update-ca-trust force-enable') } # from ca_cert::update
+        it { is_expected.to contain_exec('enable_ca_trust').with_command('update-ca-trust force-enable') }
       end
 
       context 'with ca_certs set to valid hash' do

diff --git a/spec/classes/update_spec.rb b/spec/classes/update_spec.rb