diff --git a/manifests/ca.pp b/manifests/ca.pp
index 124bbb6..e55a65d 100644
--- a/manifests/ca.pp
+++ b/manifests/ca.pp
@@ -51,8 +51,6 @@
String[1] $ca_file_mode = lookup('ca_cert::ca::ca_file_mode'),
String[1] $ca_file_extension = lookup('ca_cert::ca::ca_file_extension'),
) {
- include ca_cert::update
-
if ($ensure == 'trusted' or $ensure == 'distrusted') and $source == 'text' and !$ca_text {
fail('ca_text is required if source is set to text')
}
@@ -103,7 +101,7 @@
owner => 'root',
group => $ca_file_group,
mode => $ca_file_mode,
- notify => Class['ca_cert::update'],
+ notify => Exec['ca_cert_update'],
}
}
'ftp', 'https', 'http': {
@@ -113,7 +111,7 @@
checksum => $checksum,
checksum_type => $checksum_type,
allow_insecure => !$verify_https_cert,
- notify => Class['ca_cert::update'],
+ notify => Exec['ca_cert_update'],
}
}
'file': {
@@ -125,7 +123,7 @@
owner => 'root',
group => $ca_file_group,
mode => $ca_file_mode,
- notify => Class['ca_cert::update'],
+ notify => Exec['ca_cert_update'],
}
}
'text': {
@@ -136,7 +134,7 @@
owner => 'root',
group => $ca_file_group,
mode => $ca_file_mode,
- notify => Class['ca_cert::update'],
+ notify => Exec['ca_cert_update'],
}
}
default: {
@@ -147,7 +145,7 @@
'absent': {
file { $ca_cert:
ensure => absent,
- notify => Class['ca_cert::update'],
+ notify => Exec['ca_cert_update'],
}
}
default: {
diff --git a/manifests/init.pp b/manifests/init.pp
index 341c96c..d04e871 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -68,8 +68,6 @@
String[1] $cert_dir_mode = '0755',
Boolean $supported = false,
) {
- include ca_cert::update
-
if $supported == false {
fail("Unsupported osfamily (${facts['os']['family']}) or unsupported version (${facts['os']['release']['major']})")
}
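Review bot: With `include ca_cert::update` removed at `@@ -51,8 +51,6 @@`, nothing left in `ca_cert::ca` declares the `ca_cert` class, yet every branch of the define now notifies `Exec['ca_cert_update']`, which this commit moves into `ca_cert` (manifests/init.pp). The deleted class carried `require ca_cert`, so a `ca_cert::ca` declared on its own used to pull the class (and therefore the exec) into the catalog; after this change such a catalog will presumably fail with a missing `Exec[ca_cert_update]` relationship target unless the define includes the class somewhere outside this hunk. Replacing the removed line with `include ca_cert` keeps stand-alone use of the define working and preserves the old ordering guarantee that the trust-store directory and package exist before the update command is ever triggered. The same consideration applies to the other five hunks of this file, which all reference the exec; the define's parameter list and body continue outside the hunk.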
@@ -102,5 +100,31 @@
if !empty($ca_certs) {
create_resources('ca_cert::ca', $ca_certs)
}
+
+ if ($facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['full'], '7') < 0) {
+ if $force_enable {
+ exec { 'enable_ca_trust':
+ command => 'update-ca-trust force-enable',
+ logoutput => 'on_failure',
+ path => ['/usr/sbin', '/usr/bin', '/bin'],
+ onlyif => 'update-ca-trust check | grep DISABLED',
+ }
+ }
+ else {
+ exec { 'enable_ca_trust':
+ command => 'update-ca-trust enable',
+ logoutput => 'on_failure',
+ path => ['/usr/sbin', '/usr/bin', '/bin'],
+ onlyif => 'update-ca-trust check | grep DISABLED',
+ }
+ }
+ }
+
+ exec { 'ca_cert_update':
+ command => $update_cmd,
+ logoutput => 'on_failure',
+ refreshonly => true,
+ path => ['/usr/sbin', '/usr/bin', '/bin'],
+ }
}
# lint:endignore:variable_is_lowercase
diff --git a/manifests/update.pp b/manifests/update.pp
deleted file mode 100644
index 0201caa..0000000
--- a/manifests/update.pp
+++ /dev/null
@@ -1,30 +0,0 @@
-# Private class
-class ca_cert::update {
- require ca_cert
-
- if ($facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['full'], '7') < 0) {
- if $ca_cert::force_enable {
- exec { 'enable_ca_trust':
- command => 'update-ca-trust force-enable',
- logoutput => 'on_failure',
- path => ['/usr/sbin', '/usr/bin', '/bin'],
- onlyif => 'update-ca-trust check | grep DISABLED',
- }
- }
- else {
- exec { 'enable_ca_trust':
- command => 'update-ca-trust enable',
- logoutput => 'on_failure',
- path => ['/usr/sbin', '/usr/bin', '/bin'],
- onlyif => 'update-ca-trust check | grep DISABLED',
- }
- }
- }
-
- exec { 'ca_cert_update':
- command => $ca_cert::update_cmd,
- logoutput => 'on_failure',
- refreshonly => true,
- path => ['/usr/sbin', '/usr/bin', '/bin'],
- }
-}
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 52a280b..11aade4 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
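Review bot: The two `exec { 'enable_ca_trust': ... }` declarations in the `if $force_enable` / `else` branches of `@@ -102,5 +100,31 @@` are identical except for `command`, so the `path` and `onlyif` guards (the `onlyif` is what keeps this exec from re-running the trust enable on every agent run) are maintained in two places and can silently drift apart. Selecting the command once and declaring a single exec removes that duplication without changing what either branch produces. Both execs keep an explicit `path` and take no interpolated input, which is the right shape for commands run as root; `$update_cmd`, however, is executed verbatim, so its parameter documentation (outside this hunk) should state that it is operator-trusted module input rather than a value to populate from facts or external data. The class body continues outside the hunk.
```puppet
  if ($facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['full'], '7') < 0) {
    # The two branches only differed in the command; choose it once so the
    # path/onlyif guards cannot drift between them.
    $enable_cmd = $force_enable ? {
      true    => 'update-ca-trust force-enable',
      default => 'update-ca-trust enable',
    }
    exec { 'enable_ca_trust':
      command   => $enable_cmd,
      logoutput => 'on_failure',
      path      => ['/usr/sbin', '/usr/bin', '/bin'],
      onlyif    => 'update-ca-trust check | grep DISABLED',
    }
  }
  # … unchanged: exec { 'ca_cert_update': … } …
```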
@@ -12,32 +12,38 @@
end
when 'RedHat'
trusted_cert_dir = '/etc/pki/ca-trust/source/anchors'
+ update_cmd = 'update-ca-trust extract'
when 'Archlinux'
trusted_cert_dir = '/etc/ca-certificates/trust-source/anchors/'
+ update_cmd = 'trust extract-compat'
when 'Suse'
if %r{(10|11)}.match?(facts[:os]['release']['major'])
trusted_cert_dir = '/etc/ssl/certs'
+ update_cmd = 'c_rehash'
package_name = 'openssl-certs'
else
trusted_cert_dir = '/etc/pki/trust/anchors'
+ update_cmd = 'update-ca-certificates'
end
when 'AIX'
trusted_cert_dir = '/var/ssl/certs'
+ update_cmd = '/usr/bin/c_rehash'
cert_dir_group = 'system'
when 'Solaris'
trusted_cert_dir = '/etc/certs/CA/'
+ update_cmd = '/usr/sbin/svcadm restart /system/ca-certificates'
cert_dir_group = 'sys'
end
cert_dir_group = 'root' if cert_dir_group.nil?
cert_dir_mode = '0755' if cert_dir_mode.nil?
+ update_cmd = 'update-ca-certificates' if update_cmd.nil?
package_name = 'ca-certificates' if package_name.nil?
context "on #{os}" do
let(:facts) { facts }
it { is_expected.to compile }
- it { is_expected.to contain_class('ca_cert::update') }
it do
is_expected.to contain_file('trusted_certs').only_with(
@@ -73,6 +79,30 @@
it { is_expected.to contain_file('ca1.crt') } # only here to reach 100% resource coverage
it { is_expected.to contain_file('ca2.crt') } # only here to reach 100% resource coverage
end
+
+ if facts[:os]['family'] == 'RedHat' && facts[:os]['release']['major'].to_i < 7
+ it do
+ is_expected.to contain_exec('enable_ca_trust').only_with(
+ {
+ 'command' => 'update-ca-trust enable',
+ 'logoutput' => 'on_failure',
+ 'path' => ['/usr/sbin', '/usr/bin', '/bin'],
+ 'onlyif' => 'update-ca-trust check | grep DISABLED',
+ },
+ )
+ end
+ end
+
+ it do
+ is_expected.to contain_exec('ca_cert_update').only_with(
+ {
+ 'command' => update_cmd,
+ 'logoutput' => 'on_failure',
+ 'refreshonly' => true,
+ 'path' => ['/usr/sbin', '/usr/bin', '/bin'],
+ },
+ )
+ end
end
end
@@ -106,7 +136,7 @@
context 'with always_update_certs set to valid true' do
let(:params) { { always_update_certs: true } }
- it { is_expected.to contain_exec('ca_cert_update').with_refreshonly(false) } # from ca_cert::update
+ it { is_expected.to contain_exec('ca_cert_update').with_refreshonly(false) }
end
context 'with purge_unmanaged_CAs set to valid true' do
@@ -116,6 +146,25 @@
it { is_expected.to contain_file('trusted_certs').with_recurse(true) }
end
+ context 'with force_enable set to valid true' do
+ let(:params) { { force_enable: true } }
+
+ if facts[:os]['family'] == 'RedHat' && facts[:os]['release']['major'].to_i < 7
+ it do
+ is_expected.to contain_exec('enable_ca_trust').only_with(
+ {
+ 'command' => 'update-ca-trust force-enable',
+ 'logoutput' => 'on_failure',
+ 'path' => ['/usr/sbin', '/usr/bin', '/bin'],
+ 'onlyif' => 'update-ca-trust check | grep DISABLED',
+ },
+ )
+ end
+ else
+ it { is_expected.not_to contain_exec('enable_ca_trust') }
+ end
+ end
+
context 'with install_package set to valid false' do
let(:params) { { install_package: false } }
@@ -126,7 +175,7 @@
context 'with force_enable set to valid true' do
let(:params) { { force_enable: true } }
- it { is_expected.to contain_exec('enable_ca_trust').with_command('update-ca-trust force-enable') } # from ca_cert::update
+ it { is_expected.to contain_exec('enable_ca_trust').with_command('update-ca-trust force-enable') }
end
context 'with ca_certs set to valid hash' do
diff --git a/spec/classes/update_spec.rb b/spec/classes/update_spec.rb
deleted file mode 100644
index d8d3646..0000000
--- a/spec/classes/update_spec.rb
+++ /dev/null
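Review bot: The group added at `@@ -116,6 +146,25 @@`, `context 'with force_enable set to valid true' do`, has the same description and the same `let(:params) { { force_enable: true } }` as the existing group retouched at `@@ -126,7 +175,7 @@`, so the spec ends up with two sibling contexts whose example names are indistinguishable in the run output. The older group's `with_command('update-ca-trust force-enable')` check is fully implied by the new `only_with(...)` assertion, so the `if`/`else` block should be folded into the existing context and the duplicate header dropped (or the old group deleted). Whichever group survives, keep the `else` branch `it { is_expected.not_to contain_exec('enable_ca_trust') }`, as it is the only assertion that the EL6-only exec is absent on every other platform.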
@@ -1,95 +0,0 @@
-require 'spec_helper'
-
-describe 'ca_cert::update', type: :class do
- on_supported_os.sort.each do |os, facts|
- # define os specific defaults
- case facts[:os]['family']
- when 'RedHat'
- update_cmd = 'update-ca-trust extract'
- when 'Archlinux'
- update_cmd = 'trust extract-compat'
- when 'Suse'
- update_cmd = if %r{(10|11)}.match?(facts[:os]['release']['major'])
- 'c_rehash'
- else
- 'update-ca-certificates'
- end
- when 'AIX'
- update_cmd = '/usr/bin/c_rehash'
- when 'Solaris'
- update_cmd = '/usr/sbin/svcadm restart /system/ca-certificates'
- end
-
- update_cmd = 'update-ca-certificates' if update_cmd.nil?
-
- context "on #{os}" do
- let(:facts) { facts }
-
- it { is_expected.to compile }
- it { is_expected.to contain_class('ca_cert') }
-
- # only here to reach 100% resource coverage
- it { is_expected.to contain_ca_cert__ca('ca1') }
- it { is_expected.to contain_ca_cert__ca('ca2') }
- it { is_expected.to contain_file('trusted_certs') }
- if facts[:os]['family'] == 'RedHat' && facts[:os]['release']['major'].to_i < 7
- it { is_expected.to contain_exec('enable_ca_trust') }
- end
- if facts[:os]['family'] == 'Suse' && facts[:os]['release']['major'] =~ %r{(10|11)} || facts[:os]['family'] == 'Solaris'
- it { is_expected.to contain_file('ca1.pem') }
- it { is_expected.to contain_file('ca2.pem') }
- else
- it { is_expected.to contain_file('ca1.crt') }
- it { is_expected.to contain_file('ca2.crt') }
- end
- if facts[:os]['family'] == 'Suse' && facts[:os]['release']['major'] =~ %r{(10|11)}
- it { is_expected.to contain_package('openssl-certs') }
- else
- it { is_expected.to contain_package('ca-certificates') }
- end
- # /only here to reach 100% resource coverage
-
- if facts[:os]['family'] == 'RedHat' && facts[:os]['release']['major'].to_i < 7
- it do
- is_expected.to contain_exec('enable_ca_trust').only_with(
- {
- 'command' => 'update-ca-trust enable',
- 'logoutput' => 'on_failure',
- 'path' => ['/usr/sbin', '/usr/bin', '/bin'],
- 'onlyif' =>
'update-ca-trust check | grep DISABLED',
- },
- )
- end
- end
-
- it do
- is_expected.to contain_exec('ca_cert_update').only_with(
- {
- 'command' => update_cmd,
- 'logoutput' => 'on_failure',
- 'refreshonly' => true,
- 'path' => ['/usr/sbin', '/usr/bin', '/bin'],
- },
- )
- end
- end
-
- context "on #{os} when ca_cert::force_enable is true" do
- let(:facts) { facts }
- let(:pre_condition) { 'class { ca_cert: force_enable => true }' }
-
- if facts[:os]['family'] == 'RedHat' && facts[:os]['release']['major'].to_i < 7
- it do
- is_expected.to contain_exec('enable_ca_trust').only_with(
- {
- 'command' => 'update-ca-trust force-enable',
- 'logoutput' => 'on_failure',
- 'path' => ['/usr/sbin', '/usr/bin', '/bin'],
- 'onlyif' => 'update-ca-trust check | grep DISABLED',
- },
- )
- end
- end
- end
- end
-end
diff --git a/spec/defines/ca_spec.rb b/spec/defines/ca_spec.rb
index 5c5e233..35ce3e4 100644
--- a/spec/defines/ca_spec.rb
+++ b/spec/defines/ca_spec.rb
@@ -51,7 +51,6 @@
let(:params) { { ca_text: 'testing' } }
it { is_expected.to compile }
- it { is_expected.to contain_class('ca_cert::update') }
# only here to reach 100% resource coverage
it { is_expected.to contain_ca_cert__ca('ca1') }
@@ -84,7 +83,7 @@
'owner' => 'root',
'group' => ca_file_group,
'mode' => ca_file_mode,
- 'notify' => 'Class[Ca_cert::Update]',
+ 'notify' => 'Exec[ca_cert_update]',
},
)
end
@@ -105,7 +104,7 @@
'owner' => 'root',
'group' => ca_file_group,
'mode' => ca_file_mode,
- 'notify' => 'Class[Ca_cert::Update]',
+ 'notify' => 'Exec[ca_cert_update]',
},
)
end
@@ -124,7 +123,7 @@
'owner' => 'root',
'group' => ca_file_group,
'mode' => ca_file_mode,
- 'notify' => 'Class[Ca_cert::Update]',
+ 'notify' => 'Exec[ca_cert_update]',
},
)
end
@@ -145,7 +144,7 @@
'checksum' => nil,
'checksum_type' => nil,
'allow_insecure' => false,
- 'notify' => 'Class[Ca_cert::Update]',
+ 'notify' => 'Exec[ca_cert_update]',
},
)
end
@@ -163,7 +162,7 @@
'checksum' => nil,
'checksum_type' => nil,
'allow_insecure' => false,
- 'notify' => 'Class[Ca_cert::Update]',
+ 'notify' => 'Exec[ca_cert_update]',
},
)
end
@@ -185,7 +184,7 @@
'owner' => 'root',
'group' => ca_file_group,
'mode' => ca_file_mode,
- 'notify' => 'Class[Ca_cert::Update]',
+ 'notify' => 'Exec[ca_cert_update]',
},
)
end
@@ -204,7 +203,7 @@
'owner' => 'root',
'group' => ca_file_group,
'mode' => ca_file_mode,
- 'notify' => 'Class[Ca_cert::Update]',
+ 'notify' => 'Exec[ca_cert_update]',
},
)
end
@@ -222,7 +221,7 @@
'owner' => 'root',
'group' => ca_file_group,
'mode' => ca_file_mode,
- 'notify' => 'Class[Ca_cert::Update]',
+ 'notify' => 'Exec[ca_cert_update]',
},
)
end
@@ -242,7 +241,7 @@
is_expected.to contain_file(trusted_cert_dir + '/Globalsign_Org_Intermediate.' + ca_file_extension).only_with(
{
'ensure' => 'absent',
- 'notify' => 'Class[Ca_cert::Update]',
+ 'notify' => 'Exec[ca_cert_update]',
},
)
end
@@ -258,7 +257,7 @@
'owner' => 'root',
'group' => ca_file_group,
'mode' => ca_file_mode,
- 'notify' => 'Class[Ca_cert::Update]',
+ 'notify' => 'Exec[ca_cert_update]',
},
)
end
@@ -273,7 +272,7 @@
is_expected.to contain_file(trusted_cert_dir + '/Globalsign_Org_Intermediate.' + ca_file_extension).only_with(
{
'ensure' => 'absent',
- 'notify' => 'Class[Ca_cert::Update]',
+ 'notify' => 'Exec[ca_cert_update]',
},
)
end
@@ -289,7 +288,7 @@
'owner' => 'root',
'group' => ca_file_group,
'mode' => ca_file_mode,
- 'notify' => 'Class[Ca_cert::Update]',
+ 'notify' => 'Exec[ca_cert_update]',
},
)
end
@@ -303,7 +302,7 @@
is_expected.to contain_file(trusted_cert_dir + '/Globalsign_Org_Intermediate.' + ca_file_extension).only_with(
{
'ensure' => 'absent',
- 'notify' => 'Class[Ca_cert::Update]',
+ 'notify' => 'Exec[ca_cert_update]',
},
)
end