diff --git a/manifests/ca.pp b/manifests/ca.pp
index e78c424..649a1c4 100644
--- a/manifests/ca.pp
+++ b/manifests/ca.pp
@@ -48,8 +48,8 @@
 Optional[String] $ca_file_group = undef,
 Optional[String] $ca_file_mode = undef,
 ) {
+ include ca_cert
 include ca_cert::params
- include ca_cert::update
 if $ca_file_group == undef {
 $file_group = $ca_cert::params::ca_file_group
@@ -113,7 +113,7 @@
 owner => 'root',
 group => $file_group,
 mode => $file_mode,
- notify => Class['ca_cert::update'],
+ notify => Exec['ca_cert_update'],
 }
 }
 'ftp', 'https', 'http': {
@@ -123,7 +123,7 @@
 checksum => $checksum,
 checksum_type => $checksum_type,
 allow_insecure => !$verify_https_cert,
- notify => Class['ca_cert::update'],
+ notify => Exec['ca_cert_update'],
 }
 }
 'file': {
@@ -135,7 +135,7 @@
 owner => 'root',
 group => $file_group,
 mode => $file_mode,
- notify => Class['ca_cert::update'],
+ notify => Exec['ca_cert_update'],
 }
 }
 'text': {
@@ -146,7 +146,7 @@
 owner => 'root',
 group => $file_group,
 mode => $file_mode,
- notify => Class['ca_cert::update'],
+ notify => Exec['ca_cert_update'],
 }
 }
 default: {
@@ -157,7 +157,7 @@
 'absent': {
 file { $ca_cert:
 ensure => absent,
- notify => Class['ca_cert::update'],
+ notify => Exec['ca_cert_update'],
 }
 }
 default: {
diff --git a/manifests/init.pp b/manifests/init.pp
index d0b7dc6..c9fb9eb 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -47,15 +47,6 @@
 String $package_ensure = 'installed',
 String $package_name = $ca_cert::params::package_name,
 ) inherits ca_cert::params {
- include ca_cert::params
- include ca_cert::update
-
- if $always_update_certs == true {
- Exec <| title=='ca_cert_update' |> {
- refreshonly => false,
- }
- }
-
 $trusted_cert_dir = $ca_cert::params::trusted_cert_dir
 $cert_dir_group = $ca_cert::params::cert_dir_group
 $cert_dir_mode = $ca_cert::params::cert_dir_mode
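Review bot: The added `include ca_cert` is now what places `Exec['ca_cert_update']` in the catalog for every `notify` in this define, but nothing at that line says so, and a later cleanup could drop it as redundant with `include ca_cert::params`. A one-line comment would prevent that: `# ca_cert declares Exec['ca_cert_update'], which the file resources below notify`. The define's parameter list and body continue outside the hunk.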
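Review bot: Nothing visible in the `'ftp', 'https', 'http'` branch requires `$checksum` when the transfer is unauthenticated, that is for plain ftp/http sources or when `allow_insecure => !$verify_https_cert` evaluates to true. The downloaded file becomes a system-wide trust anchor and now refreshes `Exec['ca_cert_update']` directly, so its content should not depend on an unverified transfer. Consider failing early, e.g. `if !$verify_https_cert and $checksum == undef { fail('ca_cert::ca: checksum is required when verify_https_cert is false') }`, with the same rule for ftp and http sources. The resource header and any parameter validation sit outside the hunk, so an existing check may already cover this.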
@@ -82,5 +73,12 @@
 if !empty($ca_certs) {
 create_resources('ca_cert::ca', $ca_certs)
 }
+
+ exec { 'ca_cert_update':
+ command => $ca_cert::params::update_cmd,
+ logoutput => 'on_failure',
+ refreshonly => !$always_update_certs,
+ path => ['/usr/sbin', '/usr/bin', '/bin'],
+ }
 }
 # lint:endignore:variable_is_lowercase
diff --git a/manifests/update.pp b/manifests/update.pp
deleted file mode 100644
index 1488896..0000000
--- a/manifests/update.pp
+++ /dev/null
@@ -1,11 +0,0 @@
-# Private class
-class ca_cert::update {
- require ca_cert
-
- exec { 'ca_cert_update':
- command => $ca_cert::params::update_cmd,
- logoutput => 'on_failure',
- refreshonly => true,
- path => ['/usr/sbin', '/usr/bin', '/bin'],
- }
-}
diff --git a/spec/classes/ca_cert_spec.rb b/spec/classes/ca_cert_spec.rb
index 9c6d870..180ba5e 100644
--- a/spec/classes/ca_cert_spec.rb
+++ b/spec/classes/ca_cert_spec.rb
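Review bot: With `refreshonly => !$always_update_certs` in its default refresh-only mode, a failed `ca_cert_update` run in the `manifests/init.pp` hunk is not retried, and the exec carries no comment warning about that. On the next run the notifying file resource is already in sync, so no new refresh event arrives and the trust store stays stale. That matters most for the `ensure => absent` case, where a removed CA would remain in the generated bundle. A comment above the exec would make the trade-off visible, e.g. `# A failed refresh is not retried on later runs; set always_update_certs to rebuild the trust store on every run.` The class body starts outside the hunk.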
@@ -1,184 +1,107 @@
 require 'spec_helper'
 describe 'ca_cert', type: :class do
- shared_examples 'compiles and includes params class' do
- it { is_expected.to compile }
- it { is_expected.to contain_class('ca_cert::params') }
- it { is_expected.to contain_ca_cert__ca('ca1') }
- it { is_expected.to contain_ca_cert__ca('ca2') }
- end
-
- context 'on a Debian based OS' do
- let :facts do
- {
- 'os' => {
- 'family' => 'Debian',
- 'name' => 'Ubuntu',
- },
- }
- end
-
- it_behaves_like 'compiles and includes params class' do
- end
- it { is_expected.to contain_package('ca-certificates') }
-
- it {
- is_expected.to contain_file('trusted_certs').with(
- 'ensure' => 'directory',
- 'path' => '/usr/local/share/ca-certificates',
- 'group' => 'staff',
- 'purge' => 'false'
- )
- }
-
- context 'with purge_unmanaged_CAs set to true' do
- let :params do
- {
- purge_unmanaged_CAs: true,
- }
+ on_supported_os.each do |os, facts|
+ case facts[:os]['family']
+ when 'Debian'
+ trusted_cert_dir = '/usr/local/share/ca-certificates'
+ cert_dir_group = 'staff'
+ if facts[:os]['name'] == 'Debian'
+ cert_dir_mode = '2665'
 end
-
- it {
- is_expected.to contain_file('trusted_certs').with(
- 'ensure' => 'directory',
- 'path' => '/usr/local/share/ca-certificates',
- 'group' => 'staff',
- 'purge' => 'true'
- )
- }
+ when 'RedHat'
+ trusted_cert_dir = '/etc/pki/ca-trust/source/anchors'
+ update_cmd = 'update-ca-trust extract'
+ when 'Archlinux'
+ trusted_cert_dir = '/etc/ca-certificates/trust-source/anchors/'
+ update_cmd = 'trust extract-compat'
+ when 'Suse'
+ trusted_cert_dir = '/etc/pki/trust/anchors'
+ update_cmd = 'update-ca-certificates'
 end
- end
-
- context 'on a RedHat based OS' do
- let :facts do
- {
- 'os' => {
- 'family' => 'RedHat',
- 'release' => {
- 'major' => '7',
- 'minor' => '0',
- 'full' => '7.0',
+
+ cert_dir_group = 'root' if cert_dir_group.nil?
+ cert_dir_mode = '0755' if cert_dir_mode.nil?
+ update_cmd = 'update-ca-certificates' if update_cmd.nil?
+ package_name = 'ca-certificates' if package_name.nil?
+
+ context "on #{os}" do
+ let(:facts) { facts }
+
+ it { is_expected.to compile }
+ it { is_expected.to contain_class('ca_cert::params') }
+
+ it do
+ is_expected.to contain_file('trusted_certs').only_with(
+ {
+ 'ensure' => 'directory',
+ 'path' => trusted_cert_dir,
+ 'owner' => 'root',
+ 'group' => cert_dir_group,
+ 'mode' => cert_dir_mode,
+ 'purge' => false,
+ 'recurse' => false,
+ 'notify' => 'Exec[ca_cert_update]',
 },
- },
- }
- end
-
- it_behaves_like 'compiles and includes params class' do
- end
- it { is_expected.to contain_package('ca-certificates') }
-
- it {
- is_expected.to contain_file('trusted_certs').with(
- 'ensure' => 'directory',
- 'path' => '/etc/pki/ca-trust/source/anchors',
- 'group' => 'root',
- 'purge' => 'false'
- )
- }
-
- context 'with purge_unmanaged_CAs set to true' do
- let :params do
- {
- purge_unmanaged_CAs: true,
- }
+ )
 end
- it {
- is_expected.to contain_file('trusted_certs').with(
- 'ensure' => 'directory',
- 'path' => '/etc/pki/ca-trust/source/anchors',
- 'group' => 'root',
- 'purge' => 'true'
+ it do
+ is_expected.to contain_package(package_name).only_with(
+ {
+ 'ensure' => 'installed',
+ 'before' => ['Ca_cert::Ca[ca1]', 'Ca_cert::Ca[ca2]'],
+ },
 )
- }
- end
- end
+ end
- %w[10 11].each do |osmajrel|
- context "on a Suse #{osmajrel} based OS" do
- let :facts do
- {
- 'os' => {
- 'family' => 'Suse',
- 'release' => {
- 'major' => osmajrel.to_s,
- },
+ it do
+ is_expected.to contain_exec('ca_cert_update').only_with(
+ {
+ 'command' => update_cmd,
+ 'logoutput' => 'on_failure',
+ 'refreshonly' => true,
+ 'path' => ['/usr/sbin', '/usr/bin', '/bin'],
 },
- }
+ )
 end
- it_behaves_like 'compiles and includes params class' do
+ it { is_expected.to contain_ca_cert__ca('ca1') } # from ./spec/fixtures/hiera
+ it { is_expected.to contain_ca_cert__ca('ca2') } # from ./spec/fixtures/hiera
+ it { is_expected.to contain_file('ca1.crt').with_source('puppet:///modules/ca_cert/ca1.pem') }
+ it { is_expected.to contain_file('ca2.crt').with_source('puppet:///modules/ca_cert/ca2.pem') }
+
+ context 'with always_update_certs set to true' do
+ let(:params) { { always_update_certs: true } }
+
+ it { is_expected.to contain_exec('ca_cert_update').with_refreshonly(false) }
 end
- it { is_expected.to contain_package('openssl-certs') }
-
- it {
- is_expected.to contain_file('trusted_certs').with(
- 'ensure' => 'directory',
- 'path' => '/etc/ssl/certs',
- 'group' => 'root',
- 'purge' => 'false'
- )
- }
 context 'with purge_unmanaged_CAs set to true' do
- let :params do
- {
- purge_unmanaged_CAs: true,
- }
- end
-
- it {
- is_expected.to contain_file('trusted_certs').with(
- 'ensure' => 'directory',
- 'path' => '/etc/ssl/certs',
- 'group' => 'root',
- 'purge' => 'true'
- )
- }
+ let(:params) { { purge_unmanaged_CAs: true } }
+
+ it { is_expected.to contain_file('trusted_certs').with_purge(true) }
+ it { is_expected.to contain_file('trusted_certs').with_recurse(true) }
 end
- end
- end
- context 'on a Suse 12 based OS' do
- let :facts do
- {
- 'os' => {
- 'family' => 'Suse',
- 'release' => {
- 'major' => '12',
- },
- },
- }
- end
+ context 'with install_package set to false' do
+ let(:params) { { install_package: false } }
- it_behaves_like 'compiles and includes params class' do
- end
- it { is_expected.to contain_package('ca-certificates') }
-
- it {
- is_expected.to contain_file('trusted_certs').with(
- 'ensure' => 'directory',
- 'path' => '/etc/pki/trust/anchors',
- 'group' => 'root',
- 'purge' => 'false'
- )
- }
-
- context 'with purge_unmanaged_CAs set to true' do
- let :params do
- {
- purge_unmanaged_CAs: true,
- }
+ it { is_expected.not_to contain_package(package_name) }
+ it { is_expected.to have_package_resource_count(0) }
 end
- it {
- is_expected.to contain_file('trusted_certs').with(
- 'ensure' => 'directory',
- 'path' => '/etc/pki/trust/anchors',
- 'group' => 'root',
- 'purge' => 'true'
- )
- }
+ context 'with package_ensure set to absent' do
+ let(:params) { { package_ensure: 'absent' } }
+
+ it { is_expected.to contain_package(package_name).with_ensure('absent') }
+ end
+
+ context 'with package_name set to testing' do
+ let(:params) { { package_name: 'testing' } }
+
+ it { is_expected.to contain_package('testing') }
+ end
 end
 end
diff --git a/spec/classes/update_spec.rb b/spec/classes/update_spec.rb
deleted file mode 100644
index a02ab23..0000000
--- a/spec/classes/update_spec.rb
+++ /dev/null
@@ -1,53 +0,0 @@
-require 'spec_helper'
-# rubocop:disable RSpec/RepeatedExample
-
-describe 'ca_cert::update', type: :class do
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let(:facts) do
- facts
- end
-
- it { is_expected.to compile.with_all_deps }
- it { is_expected.to contain_class('ca_cert::params') }
-
- case facts[:os]['family']
- when 'Debian'
- it { is_expected.not_to contain_exec('enable_ca_trust') }
-
- it {
- is_expected.to contain_exec('ca_cert_update').with(
- command: 'update-ca-certificates',
- refreshonly: true
- )
- }
- when 'RedHat'
- it {
- is_expected.to contain_exec('ca_cert_update').with(
- command: 'update-ca-trust extract',
- refreshonly: true
- )
- }
- when 'Suse'
- it { is_expected.not_to contain_exec('enable_ca_trust') }
-
- case facts[:os]['release']['major']
- when '10', '11'
- it {
- is_expected.to contain_exec('ca_cert_update').with(
- command: 'c_rehash',
- refreshonly: true
- )
- }
- when '12', '13', '42'
- it {
- is_expected.to contain_exec('ca_cert_update').with(
- command: 'update-ca-certificates',
- refreshonly: true
- )
- }
- end
- end
- end
- end
-end
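Review bot: The `case facts[:os]['family']` in `spec/classes/ca_cert_spec.rb` has no `else`, so for any supported OS family outside the four listed `trusted_cert_dir` stays nil. The `trusted_certs` expectation is then checked against `'path' => nil` instead of failing with a clear message. Adding `else raise "no expectations defined for os family #{facts[:os]['family']}"` before the case's `end` would make a gap in the expectations obvious. Separately, `package_name` is never assigned in the case, so `package_name = 'ca-certificates' if package_name.nil?` always fires and could be a plain assignment.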