diff --git a/spec/classes/puppet_server_config_spec.rb b/spec/classes/puppet_server_config_spec.rb
deleted file mode 100644
index fc8c5dd..0000000
--- a/spec/classes/puppet_server_config_spec.rb
+++ /dev/null
@@ -1,942 +0,0 @@ -require 'spec_helper' - -describe 'puppet::server::config' do - before :each do - @cacrl = Tempfile.new('cacrl') - File.open(@cacrl, 'w') { |f| f.write "This is my CRL File" } - Puppet.settings[:cacrl] = @cacrl.path - end - - on_os_under_test.each do |os, facts| - next if unsupported_puppetmaster_osfamily(facts[:osfamily]) - context "on #{os}" do - if facts[:osfamily] == 'FreeBSD' - codedir = '/usr/local/etc/puppet' - confdir = '/usr/local/etc/puppet' - conf_file = '/usr/local/etc/puppet/puppet.conf' - environments_dir = '/usr/local/etc/puppet/environments' - logdir = '/var/log/puppet' - rundir = '/var/run/puppet' - vardir = '/var/puppet' - puppetserver_vardir = '/var/puppet/server/data/puppetserver' - puppetserver_logdir = '/var/log/puppetserver' - puppetserver_rundir = '/var/run/puppetserver' - ssldir = '/var/puppet/ssl' - sharedir = '/usr/local/share/puppet' - etcdir = '/usr/local/etc/puppet' - puppetcacmd = '/usr/local/bin/puppet cert' - else - codedir = '/etc/puppetlabs/code' - confdir = '/etc/puppetlabs/puppet' - conf_file = '/etc/puppetlabs/puppet/puppet.conf' - environments_dir = '/etc/puppetlabs/code/environments' - logdir = '/var/log/puppetlabs/puppet' - rundir = '/var/run/puppetlabs' - vardir = '/opt/puppetlabs/puppet/cache' - puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' - puppetserver_logdir = '/var/log/puppetlabs/puppetserver' - puppetserver_rundir = '/var/run/puppetlabs/puppetserver' - ssldir = '/etc/puppetlabs/puppet/ssl' - sharedir = '/opt/puppetlabs/puppet' - etcdir = '/etc/puppetlabs/puppet' - puppetcacmd = '/opt/puppetlabs/bin/puppet cert' - end - - let(:facts) do - facts.merge({:clientcert => 'puppetmaster.example.com'}) - end - - describe 'with no custom parameters' do - let :pre_condition do - "class {'puppet': server => true}" - end - - it 'should set up SSL permissions' do - should contain_file("#{ssldir}/private_keys"). \ - with_group('puppet'). 
\ - with_mode('0750') - - should contain_file("#{ssldir}/private_keys/puppetmaster.example.com.pem"). \ - with_group('puppet'). \ - with_mode('0640') - - should contain_exec('puppet_server_config-create_ssl_dir'). \ - with_creates(ssldir). \ - with_command("/bin/mkdir -p #{ssldir}"). \ - with_umask('0022') - - should contain_exec('puppet_server_config-generate_ca_cert'). \ - with_creates("#{ssldir}/certs/puppetmaster.example.com.pem"). \ - with_command("#{puppetcacmd} --generate puppetmaster.example.com --allow-dns-alt-names"). \ - with_umask('0022'). \ - that_requires(["Concat[#{conf_file}]", 'Exec[puppet_server_config-create_ssl_dir]']) - - should contain_puppet__config__main('environmentpath').with_value(environments_dir) - end - - context 'with non-AIO packages', if: facts[:osfamily] == 'FreeBSD' do - it 'CA cert generation should notify the Apache service' do - should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[httpd]') - end - end - - context 'with AIO packages', unless: facts[:osfamily] == 'FreeBSD' do - it 'CA cert generation should notify the puppetserver service' do - should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[puppetserver]') - end - end - - it 'should set up the ENC' do - should contain_class('foreman::puppetmaster'). - with_foreman_url("https://foo.example.com"). - with_receive_facts(true). - with_puppet_home(puppetserver_vardir). - with_puppet_etcdir(etcdir). - with_timeout(60) - # Since this is managed inside the foreman module it does not - # make sense to test it here - #with_puppet_basedir('/usr/lib/ruby/site_ruby/1.9/puppet'). - end - - it 'should set up the environments' do - should contain_file(environments_dir). - with_ensure('directory'). - with_owner('puppet'). - with_group(nil). - with_mode('0755') - - should contain_file(sharedir).with_ensure('directory') - - should contain_file("#{codedir}/environments/common"). - with_ensure('directory'). - with_owner('puppet'). 
- with_group(nil). - with_mode('0755') - - should contain_file("#{sharedir}/modules"). - with_ensure('directory'). - with_owner('puppet'). - with_group(nil). - with_mode('0755') - - should contain_puppet__server__env('development') - should contain_puppet__server__env('production') - end - - it 'should configure puppet' do - should contain_puppet__config__main("logdir").with({'value' => "#{logdir}"}) - should contain_puppet__config__main("rundir").with({'value' => "#{rundir}"}) - should contain_puppet__config__main("ssldir").with({'value' => "#{ssldir}"}) - should contain_puppet__config__main("privatekeydir").with({'value' => '$ssldir/private_keys { group = service }'}) - should contain_puppet__config__main("hostprivkey").with({'value' => '$privatekeydir/$certname.pem { mode = 640 }'}) - should contain_puppet__config__main("reports").with({'value' => 'foreman'}) - should contain_puppet__config__main("environmentpath").with({'value' => "#{codedir}/environments"}) - should contain_puppet__config__main("basemodulepath").with({ - 'value' => ["#{codedir}/environments/common","#{codedir}/modules","#{sharedir}/modules","/usr/share/puppet/modules"], - 'joiner' => ':'}) - - should contain_puppet__config__agent('classfile').with({'value' => '$statedir/classes.txt'}) - - should contain_puppet__config__master('external_nodes').with({'value' => "#{etcdir}\/node.rb"}) - should contain_puppet__config__master('node_terminus').with({'value' => 'exec'}) - should contain_puppet__config__master('ca').with({'value' => 'true'}) - should contain_puppet__config__master('ssldir').with({'value' => "#{ssldir}"}) - should contain_puppet__config__master('parser').with({'value' => 'current'}) - should contain_puppet__config__master("autosign").with({'value' => "#{etcdir}\/autosign.conf \{ mode = 0664 \}"}) - - should contain_concat(conf_file) - - should_not contain_puppet__config__master('storeconfigs') - - should contain_file("#{etcdir}/autosign.conf") - end - - it 'should not set 
configtimeout' do - should_not contain_puppet__config__agent('configtimeout') - end - - it 'should not configure PuppetDB' do - should_not contain_class('puppetdb') - should_not contain_class('puppetdb::master::config') - end - - it 'should not configure custom_trusted_oid_mapping.yaml' do - should_not contain_file('#{confdir}/custom_trusted_oid_mapping.yaml') - end - end - - describe "when autosign => true" do - let :pre_condition do - "class {'puppet': - server => true, - autosign => true, - }" - end - - it 'should contain puppet.conf [main] with autosign = true' do - should contain_puppet__config__master('autosign').with_value(true) - end - end - - describe 'when autosign => /somedir/custom_autosign, autosign_mode => 664' do - let :pre_condition do - "class {'puppet': - server => true, - autosign => '/somedir/custom_autosign', - autosign_mode => '664', - }" - end - - it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 664 }' do - should contain_puppet__config__master('autosign').with_value("/somedir/custom_autosign { mode = 664 }") - end - end - - describe "when autosign_entries is not set" do - let :pre_condition do - "class {'puppet': - server => true, - }" - end - - it 'should contain autosign.conf with out content set' do - should contain_file("#{confdir}/autosign.conf") - should_not contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) - should_not contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) - end - end - - describe "when autosign_entries set to ['foo.bar']" do - let :pre_condition do - "class {'puppet': - server => true, - autosign_entries => ['foo.bar'], - }" - end - - it 'should contain autosign.conf with content set' do - should contain_file("#{confdir}/autosign.conf") - should contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) - should contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) - end - end - - describe "when autosign_content 
=> set to foo.bar and and autosign_entries set to ['foo.bar']=> true" do - let :pre_condition do - "class {'puppet': - server => true, - autosign_content => 'foo.bar', - autosign_entries => ['foo.bar'], - }" - end - - it { should raise_error(Puppet::Error, /Cannot set both autosign_content\/autosign_source and autosign_entries/) } - end - - describe "when autosign_source => set to puppet:///foo/bar and and autosign_entries set to ['foo.bar']=> true" do - let :pre_condition do - "class {'puppet': - server => true, - autosign_source => 'puppet:///foo/bar', - autosign_entries => ['foo.bar'], - }" - end - - it { should raise_error(Puppet::Error, /Cannot set both autosign_content\/autosign_source and autosign_entries/) } - end - - describe "when autosign => #{confdir}/custom_autosign.sh, autosign_mode => 775 and autosign_content set to 'foo.bar'" do - let :pre_condition do - "class {'puppet': - server => true, - autosign => '#{confdir}/custom_autosign.sh', - autosign_mode => '775', - autosign_content => 'foo.bar', - }" - end - - it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 775 }' do - should contain_puppet__config__master('autosign').with_value("#{confdir}/custom_autosign.sh { mode = 775 }") - end - - it 'should contain custom_autosign.sh with content set' do - should contain_file("#{confdir}/custom_autosign.sh") - should contain_file("#{confdir}/custom_autosign.sh").with_content(/foo.bar/) - end - end - - describe "when autosign => #{confdir}/custom_autosign.sh, autosign_mode => 775 and autosign_source set to 'puppet:///foo/bar'" do - let :pre_condition do - "class {'puppet': - server => true, - autosign => '#{confdir}/custom_autosign.sh', - autosign_mode => '775', - autosign_source => 'puppet:///foo/bar', - }" - end - - it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 775 }' do - should contain_puppet__config__master('autosign').with_value("#{confdir}/custom_autosign.sh { mode = 775 }") 
- end - - it 'should contain custom_autosign.sh with content set' do - should contain_file("#{confdir}/custom_autosign.sh") - should contain_file("#{confdir}/custom_autosign.sh").with_source('puppet:///foo/bar') - end - end - - describe "when hiera_config => '$confdir/hiera.yaml'" do - let :pre_condition do - "class {'puppet': - server => true, - hiera_config => '/etc/puppet/hiera/production/hiera.yaml', - }" - end - - it 'should contain puppet.conf [main] with non-default hiera_config' do - should contain_puppet__config__main("hiera_config").with_value('/etc/puppet/hiera/production/hiera.yaml') - end - end - - describe 'without foreman' do - let :pre_condition do - "class {'puppet': - server => true, - server_reports => 'store', - server_external_nodes => '', - }" - end - - it 'should contain an empty external_nodes' do - should_not contain_puppet__config__master('external_nodes') - end - end - - describe 'without external_nodes' do - let :pre_condition do - "class {'puppet': - server => true, - server_external_nodes => '', - }" - end - - it 'should not contain external_nodes' do - should_not contain_puppet__config__master('external_nodes') - should_not contain_puppet__config__master('node_terminus') - end - end - - - describe 'with server_default_manifest => true and undef content' do - let :pre_condition do - 'class { "::puppet": - server_default_manifest => true, - server => true - }' - end - - it 'should contain default_manifest setting in puppet.conf' do - should contain_puppet__config__main('default_manifest').with_value('/etc/puppet/manifests/default_manifest.pp') - end - - it 'should_not contain default manifest /etc/puppet/manifests/default_manifest.pp' do - should_not contain_file('/etc/puppet/manifests/default_manifest.pp') - end - end - - describe 'with server_default_manifest => true and server_default_manifest_content => "include foo"' do - let :pre_condition do - 'class { "::puppet": - server_default_manifest => true, - 
server_default_manifest_content => "include foo", - server => true - }' - end - - it 'should contain default_manifest setting in puppet.conf' do - should contain_puppet__config__main('default_manifest').with({'value' => '/etc/puppet/manifests/default_manifest.pp'}) - end - - it 'should contain default manifest /etc/puppet/manifests/default_manifest.pp' do - should contain_file('/etc/puppet/manifests/default_manifest.pp').with_content(/include foo/) - end - end - - describe 'with git repo' do - let :pre_condition do - "class {'puppet': - server => true, - server_git_repo => true, - }" - end - - it 'should set up the environments directory' do - should contain_file(environments_dir). \ - with_ensure('directory'). \ - with_owner('puppet') - end - - it 'should create the puppet user' do - shell = case facts[:osfamily] - when /^(FreeBSD|DragonFly)$/ - '/usr/local/bin/git-shell' - else - '/usr/bin/git-shell' - end - should contain_user('puppet'). - with_shell(shell). - that_requires('Class[git]') - end - - it 'should create the git repo' do - should contain_file(vardir). - with_ensure('directory'). - with_owner('puppet') - - should contain_git__repo('puppet_repo'). - with_bare(true). - with_target("#{vardir}/puppet.git"). - with_user('puppet'). - that_requires("File[#{environments_dir}]") - - should contain_file("#{vardir}/puppet.git/hooks/post-receive"). - with_owner('puppet'). \ - with_mode('0755'). \ - with_require(%r{Git::Repo\[puppet_repo\]}). 
\ - with_content(%r{BRANCH_MAP = \{[^a-zA-Z=>]\}}) - end - - it { should_not contain_puppet__server__env('development') } - it { should_not contain_puppet__server__env('production') } - - context 'with directory environments' do - let :pre_condition do - "class {'puppet': - server => true, - server_git_repo => true, - server_directory_environments => true, - }" - end - - it 'should configure puppet.conf' do - should_not contain_puppet__config__master('config_version') - - should contain_puppet__config__main('environmentpath').with_value(environments_dir) - end - end - - context 'with config environments' do - let :pre_condition do - "class {'puppet': - server => true, - server_git_repo => true, - server_directory_environments => false, - }" - end - - it 'should configure puppet.conf' do - should contain_puppet__config__master('manifest').with_value("#{environments_dir}/\$environment/manifests/site.pp") - should contain_puppet__config__master('modulepath').with_value("#{environments_dir}/\$environment/modules") - should contain_puppet__config__master('config_version').with_value("git --git-dir #{environments_dir}/\$environment/.git describe --all --long") - end - end - end - - describe 'with dynamic environments' do - context 'with directory environments' do - let :pre_condition do - "class {'puppet': - server => true, - server_dynamic_environments => true, - server_directory_environments => true, - server_environments_owner => 'apache', - }" - end - - it 'should set up the environments directory' do - should contain_file(environments_dir). \ - with_ensure('directory'). 
\ - with_owner('apache') - end - - it 'should configure puppet.conf' do - should contain_puppet__config__main('environmentpath').with_value(environments_dir) - should contain_puppet__config__main('basemodulepath').with_value(["#{environments_dir}/common","#{codedir}/modules","#{sharedir}/modules","/usr/share/puppet/modules"]) - end - - it { should_not contain_puppet__server__env('development') } - it { should_not contain_puppet__server__env('production') } - end - - context 'with no common modules directory' do - let :pre_condition do - "class {'puppet': - server => true, - server_dynamic_environments => true, - server_directory_environments => true, - server_environments_owner => 'apache', - server_common_modules_path => '', - }" - end - - it 'should configure puppet.conf' do - should_not contain_puppet__config__main('basemodulepath') - end - end - - context 'with config environments' do - let :pre_condition do - "class {'puppet': - server => true, - server_dynamic_environments => true, - server_directory_environments => false, - server_environments_owner => 'apache', - }" - end - - it 'should set up the environments directory' do - should contain_file(environments_dir). \ - with_ensure('directory'). 
\ - with_owner('apache') - end - - it 'should configure puppet.conf' do - should contain_puppet__config__master('manifest').with_value("#{environments_dir}/\$environment/manifests/site.pp") - should contain_puppet__config__master('modulepath').with_value("#{environments_dir}/\$environment/modules") - end - - it { should_not contain_puppet__server__env('development') } - it { should_not contain_puppet__server__env('production') } - end - end - - describe 'with SSL path overrides' do - let :pre_condition do - "class {'puppet': - server => true, - server_foreman_ssl_ca => '/etc/example/ca.pem', - server_foreman_ssl_cert => '/etc/example/cert.pem', - server_foreman_ssl_key => '/etc/example/key.pem', - }" - end - - it 'should pass SSL parameters to the ENC' do - should contain_class('foreman::puppetmaster'). - with_ssl_ca('/etc/example/ca.pem'). - with_ssl_cert('/etc/example/cert.pem'). - with_ssl_key('/etc/example/key.pem') - end - end - - describe 'with a PuppetDB host set' do - let :pre_condition do - "class {'puppet': - server => true, - server_puppetdb_host => 'mypuppetdb.example.com', - server_storeconfigs_backend => 'puppetdb', - }" - end - - it 'should configure PuppetDB' do - should compile.with_all_deps - should contain_class('puppetdb::master::config'). - with_puppetdb_server('mypuppetdb.example.com'). - with_puppetdb_port(8081). - with_puppetdb_soft_write_failure(false). - with_manage_storeconfigs(false). - with_restart_puppet(false) - end - end - - describe 'with a puppet git branch map' do - let :pre_condition do - "class {'puppet': - server => true, - server_git_repo => true, - server_git_branch_map => { 'a' => 'b', 'c' => 'd' } - }" - end - - it 'should add the branch map to the post receive hook' do - should contain_file("#{vardir}/puppet.git/hooks/post-receive"). 
- with_content(/BRANCH_MAP = \{\n "a" => "b",\n "c" => "d",\n\}/) - end - end - - describe 'with additional settings' do - let :pre_condition do - "class {'puppet': - server => true, - server_additional_settings => {stringify_facts => true}, - }" - end - - it 'should configure puppet.conf' do - should contain_puppet__config__master('stringify_facts').with_value(true) - end - end - - describe 'with server_parser => future' do - let :pre_condition do - "class {'puppet': - server => true, - server_parser => 'future', - }" - end - - it 'should configure future parser' do - should contain_puppet__config__master('parser').with_value('future') - end - end - - describe 'with server_environment_timeout set' do - let :pre_condition do - "class {'puppet': - server => true, - server_environment_timeout => '10m', - }" - end - - it 'should configure environment_timeout accordingly' do - should contain_puppet__config__master('environment_timeout').with_value('10m') - end - end - - describe 'with no ssldir managed for master' do - let :pre_condition do - "class {'puppet': server => true, server_ssl_dir_manage => false}" - end - - it 'should not contain ssl_dir configuration setting in the master section' do - should_not contain_puppet__config__master('ssl_dir') - end - end - - describe 'with ssl key management disabled for server' do - let :pre_condition do - "class {'puppet': - server => true, - server_certname => 'servercert', - server_ssl_key_manage => false, - server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' - }" - end - - it 'should not contain a default ssl key definition' do - should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/private_keys/servercert.pem') - end - end - - describe 'with nondefault CA settings' do - let :pre_condition do - "class {'puppet': - server => true, - server_ca => false, - }" - end - - it 'should create the ssl directory' do - should contain_exec('puppet_server_config-create_ssl_dir') - end - - it 'should not generate CA certificates' 
do - should_not contain_exec('puppet_server_config-generate_ca_cert') - end - end - - describe 'with server_implementation => "puppetserver"' do - let :pre_condition do - "class {'puppet': - server => true, - server_implementation => 'puppetserver' - }" - end - - it 'should configure puppet.conf' do - should contain_puppet__config__master("vardir").with_value(puppetserver_vardir) - should contain_puppet__config__master("logdir").with_value(puppetserver_logdir) - should contain_puppet__config__master("rundir").with_value(puppetserver_rundir) - end - end - - describe 'with server_ca_crl_sync => true' do - context 'with server_ca => false and running "puppet apply"' do - let :pre_condition do - "class {'puppet': - server => true, - server_ca_crl_sync => true, - server_ca => false, - server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' - }" - end - - it 'should not sync the crl' do - should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') - end - end - - context 'with server_ca => false: running "puppet agent -t"' do - let :pre_condition do - "class {'puppet': - server => true, - server_ca_crl_sync => true, - server_ca => false, - server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' - }" - end - let(:facts) do - facts.merge({:servername => 'myserver' }) - end - - it 'should sync the crl from the ca' do - should contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem'). 
- with_content("This is my CRL File") - end - end - - context 'with server_ca => true: running "puppet agent -t"' do - let :pre_condition do - "class {'puppet': - server => true, - server_ca_crl_sync => true, - server_ca => true, - server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' - }" - end - - let(:facts) do - facts.merge({:servername => 'myserver' }) - end - - it 'should not sync the crl' do - should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') - end - end - end - - describe 'allow crl checking' do - context 'as ca' do - let :pre_condition do - "class {'puppet': - server => true, - server_implementation => 'puppetserver', - server_ca => true, - server_puppetserver_dir => '/etc/custom/puppetserver', - server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems' - }" - end - - it 'should use the ca_crl.pem file' do - should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). - with_content(/ssl-crl-path: #{ssldir}\/ca\/ca_crl.pem/) - end - end - - context 'as non-ca with default' do - let :pre_condition do - "class {'puppet': - server => true, - server_implementation => 'puppetserver', - server_ca => false, - server_puppetserver_dir => '/etc/custom/puppetserver', - server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems' - }" - end - - it 'should use the ca_crl.pem file' do - should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). - without_content(/ssl-crl-path: #{ssldir}\/crl.pem/) - end - end - context 'as non-ca with server_crl_enable' do - let :pre_condition do - "class {'puppet': - server => true, - server_implementation => 'puppetserver', - server_ca => false, - server_crl_enable => true, - server_puppetserver_dir => '/etc/custom/puppetserver', - server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems' - }" - end - it 'should use the crl.pem file' do - should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). 
- with_content(/ssl-crl-path: #{ssldir}\/crl.pem/) - end - end - end - - describe 'with ssl_protocols overwritten' do - let :pre_condition do - "class {'puppet': - server => true, - server_implementation => 'puppetserver', - server_ca => true, - server_puppetserver_dir => '/etc/custom/puppetserver', - server_ssl_protocols => ['TLSv1.1', 'TLSv1.2'], - }" - end - - it 'should set the ssl protocols' do - should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). - with_content(/ssl-protocols: \[\n( +)TLSv1.1,\n( +)TLSv1.2,\n( +)\]/) - end - end - - describe 'with cipher-suites overwritten' do - let :pre_condition do - "class {'puppet': - server => true, - server_implementation => 'puppetserver', - server_ca => true, - server_puppetserver_dir => '/etc/custom/puppetserver', - server_cipher_suites => ['TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA'], - }" - end - - it 'should set the cipher suite' do - should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). - with_content(/cipher-suites: \[\n( +)TLS_RSA_WITH_AES_256_CBC_SHA256,\n( +)TLS_RSA_WITH_AES_256_CBC_SHA,\n( +)\]/) - end - end - - - describe 'with ssl_chain_filepath overwritten' do - let :pre_condition do - "class {'puppet': - server => true, - server_implementation => 'puppetserver', - server_ca => true, - server_puppetserver_dir => '/etc/custom/puppetserver', - server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems', - server_ssl_chain_filepath => '/etc/example/certchain.pem', - }" - end - - it 'should use the server_ssl_chain_filepath file' do - should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). 
- with_content(/ssl-cert-chain: \/etc\/example\/certchain.pem/) - end - end - - describe 'with server_custom_trusted_oid_mapping overwritten' do - let :pre_condition do - "class {'puppet': - server => true, - server_custom_trusted_oid_mapping => { - '1.3.6.1.4.1.34380.1.2.1.1' => { - shortname => 'myshortname', - longname => 'My Long Name', - }, - '1.3.6.1.4.1.34380.1.2.1.2' => { - shortname => 'myothershortname', - }, - } - }" - end - - it 'should have a configured custom_trusted_oid_mapping.yaml' do - verify_exact_contents(catalogue, "#{confdir}/custom_trusted_oid_mapping.yaml", [ - '---', - 'oid_mapping:', - ' 1.3.6.1.4.1.34380.1.2.1.1:', - ' shortname: myshortname', - ' longname: My Long Name', - ' 1.3.6.1.4.1.34380.1.2.1.2:', - ' shortname: myothershortname', - ]) - end - end - - describe 'with server_ip parameter given to the puppet class' do - let :pre_condition do - "class {'puppet': - server => true, - server_implementation => 'puppetserver', - server_puppetserver_dir => '/etc/custom/puppetserver', - server_ip => '127.0.0.1', - }" - end - - it 'should put the correct ip address in webserver.conf' do - should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').with_content(/ssl-host:\s127\.0\.0\.1/) - end - end - - describe 'with server_certname parameter' do - let :pre_condition do - "class {'puppet': - server => true, - server_implementation => 'puppetserver', - server_puppetserver_dir => '/etc/custom/puppetserver', - server_certname => 'puppetserver43.example.com', - server_ssl_dir => '/etc/custom/puppet/ssl', - }" - end - - it 'should put the correct ssl key path in webserver.conf' do - should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). - with_content(%r{ssl-key: /etc/custom/puppet/ssl/private_keys/puppetserver43\.example\.com\.pem}) - end - - it 'should put the correct ssl cert path in webserver.conf' do - should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). 
- with_content(%r{ssl-cert: /etc/custom/puppet/ssl/certs/puppetserver43\.example\.com\.pem}) - end - end - - describe 'with server_http parameter set to true for the puppet class' do - let :pre_condition do - "class {'puppet': - server => true, - server_implementation => 'puppetserver', - server_puppetserver_dir => '/etc/custom/puppetserver', - server_http => true, - }" - end - - it do - should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). - with_content(/ host:\s0\.0\.0\.0/). - with_content(/ port:\s8139/). - with({}) - end - - it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). - with_content(/allow-header-cert-info: true/). - with({}) - } - end - - describe 'with server_allow_header_cert_info parameter set to true for the puppet class' do - let :pre_condition do - "class {'puppet': - server => true, - server_implementation => 'puppetserver', - server_puppetserver_dir => '/etc/custom/puppetserver', - server_allow_header_cert_info => true, - }" - end - - it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). - with_content(/allow-header-cert-info: true/). - with({}) - } - end - - describe 'with server_http_allow parameter set for the puppet class' do - let :pre_condition do - "class {'puppet': - server => true, - server_implementation => 'puppetserver', - server_puppetserver_dir => '/etc/custom/puppetserver', - server_http => true, - server_http_allow => ['1.2.3.4'], - }" - end - - it { should raise_error(Puppet::Error, /setting \$server_http_allow is not supported for puppetserver as it would have no effect/) } - end - end - end -end diff --git a/spec/classes/puppet_server_rack_spec.rb b/spec/classes/puppet_server_rack_spec.rb deleted file mode 100644 index b48275f..0000000 --- a/spec/classes/puppet_server_rack_spec.rb +++ /dev/null 
@@ -1,82 +0,0 @@
-require 'spec_helper'
-
-describe 'puppet::server::rack' do
- on_os_under_test.each do |os, facts|
- next if facts[:osfamily] == 'windows'
- context "on #{os}" do
- let(:facts) do
- facts
- end
-
- let(:default_params) do {
- :app_root => '/etc/puppet/rack',
- :confdir => '/etc/puppet',
- :vardir => '/var/lib/puppet',
- :user => 'puppet',
- :rack_arguments => [],
- } end
-
- describe 'defaults' do
- let(:params) { default_params }
-
- it 'should create server_app_root' do
- should contain_file('/etc/puppet/rack').with({
- :ensure => 'directory',
- :owner => 'puppet',
- :mode => '0755',
- })
- end
-
- it 'should create server_app_root public' do
- should contain_file('/etc/puppet/rack/public').with({
- :ensure => 'directory',
- :owner => 'puppet',
- :mode => '0755',
- })
- end
-
- it 'should create server_app_root tmp' do
- should contain_file('/etc/puppet/rack/tmp').with({
- :ensure => 'directory',
- :owner => 'puppet',
- :mode => '0755',
- })
- end
-
- it 'should create config.ru' do
- should contain_file('/etc/puppet/rack/config.ru').with({
- :owner => 'puppet',
- })
- end
-
- it 'should manage config.ru contents' do
- verify_contents(catalogue, '/etc/puppet/rack/config.ru', [
- '$0 = "master"',
- 'ARGV << "--rack"',
- 'ARGV << "--confdir" << "/etc/puppet"',
- 'ARGV << "--vardir" << "/var/lib/puppet"',
- 'Encoding.default_external = Encoding::UTF_8 if defined? Encoding',
- 'require \'puppet/util/command_line\'',
- 'run Puppet::Util::CommandLine.new.execute',
- ])
- end
- end
-
- describe 'when rack_arguments defined' do
- let(:params) { default_params.merge(:rack_arguments => ['--profile', '--logdest', '/dne/log']) }
-
- it 'should set ARGV values' do
- verify_contents(catalogue, '/etc/puppet/rack/config.ru', [
- 'ARGV << "--rack"',
- 'ARGV << "--confdir" << "/etc/puppet"',
- 'ARGV << "--vardir" << "/var/lib/puppet"',
- 'ARGV << "--profile"',
- 'ARGV << "--logdest"',
- 'ARGV << "/dne/log"',
- ])
- end
- end
-
- end
- end
-end
diff --git a/spec/classes/puppet_server_spec.rb b/spec/classes/puppet_server_spec.rb
index 783ad88..75185c1 100644
--- a/spec/classes/puppet_server_spec.rb
+++ b/spec/classes/puppet_server_spec.rb
@@ -1,182 +1,752 @@ require 'spec_helper' -describe 'puppet::server' do +describe 'puppet' do on_os_under_test.each do |os, facts| - next if unsupported_puppetmaster_osfamily(facts[:osfamily]) - context "on #{os}" do + context "on #{os}", unless: unsupported_puppetmaster_osfamily(facts[:osfamily]) do if facts[:osfamily] == 'FreeBSD' - ssldir = '/var/puppet/ssl' + codedir = '/usr/local/etc/puppet' + conf_d_dir = '/usr/local/etc/puppetserver/conf.d' + conf_file = '/usr/local/etc/puppet/puppet.conf' + confdir = '/usr/local/etc/puppet' + environments_dir = '/usr/local/etc/puppet/environments' + etcdir = '/usr/local/etc/puppet' + puppetcacmd = '/usr/local/bin/puppet cert' + puppetserver_logdir = '/var/log/puppetserver' + puppetserver_rundir = '/var/run/puppetserver' + puppetserver_vardir = '/var/puppet/server/data/puppetserver' + sharedir = '/usr/local/share/puppet' + ssldir = '/var/puppet/ssl' + vardir = '/var/puppet' else - ssldir = '/etc/puppetlabs/puppet/ssl' + codedir = '/etc/puppetlabs/code' + conf_d_dir = '/etc/puppetlabs/puppetserver/conf.d' + conf_file = '/etc/puppetlabs/puppet/puppet.conf' + confdir = '/etc/puppetlabs/puppet' + environments_dir = '/etc/puppetlabs/code/environments' + etcdir = '/etc/puppetlabs/puppet' + puppetcacmd = '/opt/puppetlabs/bin/puppet cert' + puppetserver_logdir = '/var/log/puppetlabs/puppetserver' + puppetserver_rundir = '/var/run/puppetlabs/puppetserver' + puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' + sharedir = '/opt/puppetlabs/puppet' + ssldir = '/etc/puppetlabs/puppet/ssl' + vardir = '/opt/puppetlabs/puppet/cache' end - if facts[:osfamily] == 'Debian' - server_package = 'puppet-master' - else - server_package = 'puppet-server' + let(:facts) { facts } + + let(:params) do + { + server: true, + server_certname: 'puppetmaster.example.com' + } end - let(:facts) { facts } + describe 'with no custom parameters' do + it { should compile.with_all_deps } - describe 'basic case' do - let :pre_condition do - "class 
{'puppet': server => true, server_implementation => 'master'}" - end - - describe 'with no custom parameters' do - it { should compile.with_all_deps } - it 'should include classes' do - should contain_class('puppet::server::install') - should contain_class('puppet::server::config') - should contain_class('puppet::server::service'). - with_httpd_service('httpd'). - with_puppetmaster(false). - with_puppetserver(nil). - with_rack(true) - end - it { should contain_user('puppet') } - it { should_not contain_notify('ip_not_supported') } - # No server_package for FreeBSD - unless facts[:osfamily] == 'FreeBSD' - it { should contain_package(server_package) } - end - if facts[:osfamily] == 'Debian' - it do - should contain_file('/etc/default/puppetmaster'). - with_content("START=no\n"). - that_comes_before("Package[#{server_package}]") - end - end + # install + it { should contain_class('puppet::server::install') } + it { should contain_user('puppet') } + it { should contain_package('puppetserver') } + + # config + it { should contain_class('puppet::server::config') } + it { should contain_puppet__config__main('reports').with_value('foreman') } + it { should contain_puppet__config__main('hiera_config').with_value('$confdir/hiera.yaml') } + it { should contain_puppet__config__main('environmentpath').with_value("#{codedir}/environments") } + it do + should contain_puppet__config__main('basemodulepath') + .with_value(["#{codedir}/environments/common", "#{codedir}/modules", "#{sharedir}/modules", '/usr/share/puppet/modules']) + .with_joiner(':') end - end + it { should_not contain_puppet__config__main('default_manifest') } + it { should contain_puppet__config__master('autosign').with_value("#{etcdir}\/autosign.conf \{ mode = 0664 \}") } + it { should contain_puppet__config__master('ca').with_value('true') } + it { should contain_puppet__config__master('certname').with_value('puppetmaster.example.com') } + it { should contain_puppet__config__master('parser').with_value('current') 
} + it { should contain_puppet__config__master('strict_variables').with_value('false') } + it { should contain_puppet__config__master('ssldir').with_value(ssldir) } + it { should_not contain_puppet__config__master('environment_timeout') } + it { should_not contain_puppet__config__master('storeconfigs') } + it { should_not contain_puppet__config__master('storeconfigs_backend') } + it { should_not contain_puppet__config__master('manifest') } + it { should_not contain_puppet__config__master('modulepath') } + it { should_not contain_puppet__config__master('config_version') } - describe 'with uppercase hostname' do - let :pre_condition do - "class {'puppet': server => true, server_implementation => 'master'}" + it { should contain_puppet__config__master('external_nodes').with_value("#{etcdir}\/node.rb") } + it { should contain_puppet__config__master('node_terminus').with_value('exec') } + it { should contain_puppet__config__master('logdir').with_value(puppetserver_logdir) } + it { should contain_puppet__config__master('rundir').with_value(puppetserver_rundir) } + it { should contain_puppet__config__master('vardir').with_value(puppetserver_vardir) } + + it 'should set up SSL permissions' do + should contain_file("#{ssldir}/private_keys") \ + .with_group('puppet') \ + .with_mode('0750') + + should contain_file("#{ssldir}/private_keys/puppetmaster.example.com.pem") \ + .with_group('puppet') \ + .with_mode('0640') + + should contain_exec('puppet_server_config-create_ssl_dir') \ + .with_creates(ssldir) \ + .with_command("/bin/mkdir -p #{ssldir}") \ + .with_umask('0022') + + should contain_exec('puppet_server_config-generate_ca_cert') \ + .with_creates("#{ssldir}/certs/puppetmaster.example.com.pem") \ + .with_command("#{puppetcacmd} --generate puppetmaster.example.com --allow-dns-alt-names") \ + .with_umask('0022') \ + .that_requires(["Concat[#{conf_file}]", 'Exec[puppet_server_config-create_ssl_dir]']) + end + + it { should 
contain_puppet__config__main('environmentpath').with_value(environments_dir) } + it { should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[puppetserver]') } + + it 'should set up the environments' do + should contain_file(environments_dir) + .with_ensure('directory') + .with_owner('puppet') + .with_group(nil) + .with_mode('0755') + + should contain_file(sharedir).with_ensure('directory') + + should contain_file("#{codedir}/environments/common") + .with_ensure('directory') + .with_owner('puppet') + .with_group(nil) + .with_mode('0755') + + should contain_file("#{sharedir}/modules") + .with_ensure('directory') + .with_owner('puppet') + .with_group(nil) + .with_mode('0755') + + should contain_puppet__server__env('development') + should contain_puppet__server__env('production') end + it { should contain_concat(conf_file) } + + it { should_not contain_puppet__config__agent('configtimeout') } + it { should_not contain_class('puppetdb') } + it { should_not contain_class('puppetdb::master::config') } + it { should_not contain_file("#{confdir}/custom_trusted_oid_mapping.yaml") } + + it { should contain_file("#{confdir}/autosign.conf") } + it { should_not contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) } + it { should_not contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) } + + it 'should set up the ENC' do + should contain_class('foreman::puppetmaster') + .with_foreman_url('https://foo.example.com') + .with_receive_facts(true) + .with_puppet_home(puppetserver_vardir) + .with_puppet_etcdir(etcdir) + .with_timeout(60) + .with_puppet_basedir('/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet') + end + + # service + it { should contain_class('puppet::server::service') } + it { should contain_class('puppet::server::puppetserver') } + end + + describe 'with uppercase hostname' do let(:facts) do - facts.merge( - :fqdn => 'PUPPETMASTER.example.com', + super().merge( + fqdn: 'PUPPETMASTER.example.com', # 
clientcert is always lowercase by Puppet design - :clientcert => 'puppetmaster.example.com', + clientcert: 'puppetmaster.example.com' ) end - describe 'with no custom parameters' do - it 'should use lowercase certificates' do - should contain_class('puppet::server::passenger'). - with_ssl_cert("#{ssldir}/certs/puppetmaster.example.com.pem"). - with_ssl_cert_key("#{ssldir}/private_keys/puppetmaster.example.com.pem"). - with_ssl_ca_crl("#{ssldir}/ca/ca_crl.pem") - end + it { should compile.with_all_deps } + + it 'should use lowercase certificates' do + should contain_class('puppet::server::puppetserver') + .with_server_ssl_cert("#{ssldir}/certs/puppetmaster.example.com.pem") + .with_server_ssl_cert_key("#{ssldir}/private_keys/puppetmaster.example.com.pem") end end describe 'with ip parameter' do - describe 'with default server implementation' do - let :pre_condition do - "class {'puppet': server_ip => '127.0.0.1', server_implementation => 'master'}" + let(:params) do + super().merge(server_ip: '127.0.0.1') + end + + it { should compile.with_all_deps } + it { should contain_class('puppet::server').with_ip('127.0.0.1') } + it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/host: 127.0.0.1/) } + it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/ssl-host: 127.0.0.1/) } + end + + context 'manage_packages' do + tests = { + false => false, + 'agent' => false, + 'server' => true + } + + tests.each do |value, expected| + describe "when manage_packages => #{value.inspect}" do + let(:params) do + super().merge(manage_packages: value) + end + + it { should compile.with_all_deps } + if expected + it { should contain_package('puppetserver') } + else + it { should_not contain_package('puppetserver') } + end end + end + end + + describe 'when autosign => true' do + let(:params) do + super().merge(autosign: true) + end + + it { should contain_puppet__config__master('autosign').with_value(true) } + end + + describe 'when autosign => 
/somedir/custom_autosign, autosign_mode => 664' do + let(:params) do + super().merge( + autosign: '/somedir/custom_autosign', + autosign_mode: '664' + ) + end + + it { should contain_puppet__config__master('autosign').with_value('/somedir/custom_autosign { mode = 664 }') } + end + + describe "when autosign_entries set to ['foo.bar']" do + let(:params) do + super().merge(autosign_entries: ['foo.bar']) + end + + it 'should contain autosign.conf with content set' do + should contain_file("#{confdir}/autosign.conf") + should contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) + should contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) + end + end - it 'should issue a warning because server_ip is not supported by default implementation' do - should contain_notify('ip_not_supported'). - with_message('Bind IP address is unsupported for the master implementation.'). - with_loglevel('warning') + describe "when autosign_content => set to foo.bar and and autosign_entries set to ['foo.bar']=> true" do + let(:params) do + super().merge( + autosign_content: 'foo.bar', + autosign_entries: ['foo.bar'] + ) + end + + it { should raise_error(Puppet::Error, %r{Cannot set both autosign_content/autosign_source and autosign_entries}) } + end + + describe "when autosign_source => set to puppet:///foo/bar and and autosign_entries set to ['foo.bar']=> true" do + let(:params) do + super().merge( + autosign_source: 'puppet:///foo/bar', + autosign_entries: ['foo.bar'] + ) + end + + it { should raise_error(Puppet::Error, %r{Cannot set both autosign_content\/autosign_source and autosign_entries}) } + end + + context 'when autosign => /usr/local/bin/custom_autosign.sh, autosign_mode => 775' do + let(:params) do + super().merge( + autosign: '/usr/local/bin/custom_autosign.sh', + autosign_mode: '775' + ) + end + + describe "when autosign_content set to 'foo.bar'" do + let(:params) do + super().merge(autosign_content: 'foo.bar') end + + it { should 
contain_puppet__config__master('autosign').with_value('/usr/local/bin/custom_autosign.sh { mode = 775 }') } + it { should contain_file('/usr/local/bin/custom_autosign.sh').with_content('foo.bar') } end - describe 'with server_implementation => "puppetserver"' do - let :pre_condition do - "class {'puppet': server_ip => '127.0.0.1', server_implementation => 'puppetserver'}" + describe "autosign_source set to 'puppet:///foo/bar'" do + let(:params) do + super().merge(autosign_source: 'puppet:///foo/bar') end - it { should_not contain_notify('ip_not_supported') } + it { should contain_puppet__config__master('autosign').with_value('/usr/local/bin/custom_autosign.sh { mode = 775 }') } + it { should contain_file('/usr/local/bin/custom_autosign.sh').with_source('puppet:///foo/bar') } end end - describe 'with server_passenger => false' do - let :pre_condition do - "class {'puppet': server => true, server_implementation => 'master', server_passenger => false}" + describe "when hiera_config => '/etc/puppet/hiera/production/hiera.yaml'" do + let(:params) do + super().merge(hiera_config: '/etc/puppet/hiera/production/hiera.yaml') + end + + it { should contain_puppet__config__main('hiera_config').with_value('/etc/puppet/hiera/production/hiera.yaml') } + end + + describe 'without foreman' do + let(:params) do + super().merge( + server_foreman: false, + server_reports: 'store', + server_external_nodes: '' + ) + end + + it { should_not contain_class('foreman::puppetmaster') } + it { should_not contain_puppet__config__master('node_terminus') } + it { should_not contain_puppet__config__master('external_nodes') } + end + + describe 'with server_default_manifest => true and undef content' do + let(:params) do + super().merge(server_default_manifest: true) + end + + it { should contain_puppet__config__main('default_manifest').with_value('/etc/puppet/manifests/default_manifest.pp') } + it { should_not contain_file('/etc/puppet/manifests/default_manifest.pp') } + end + + describe 'with 
server_default_manifest => true and server_default_manifest_content => "include foo"' do + let(:params) do + super().merge( + server_default_manifest: true, + server_default_manifest_content: 'include foo' + ) + end + + it { should contain_puppet__config__main('default_manifest').with_value('/etc/puppet/manifests/default_manifest.pp') } + it { should contain_file('/etc/puppet/manifests/default_manifest.pp').with_content('include foo') } + end + + describe 'with git repo' do + let(:params) do + super().merge(server_git_repo: true) end - it { should compile.with_all_deps } - it { should_not contain_class('apache') } it do - should contain_class('puppet::server::service'). - with_puppetmaster(true). - with_puppetserver(nil). - with_rack(false) + should contain_class('puppet::server') + .with_git_repo(true) + .with_git_repo_path("#{vardir}/puppet.git") + .with_post_hook_name('post-receive') + end + + it 'should set up the environments directory' do + should contain_file(environments_dir) \ + .with_ensure('directory') \ + .with_owner('puppet') + end + + it 'should create the puppet user' do + shell = case facts[:osfamily] + when /^(FreeBSD|DragonFly)$/ + '/usr/local/bin/git-shell' + else + '/usr/bin/git-shell' + end + should contain_user('puppet') + .with_shell(shell) + .that_requires('Class[git]') end - describe "and server_service_fallback => false" do - let :pre_condition do - "class {'puppet': server => true, server_implementation => 'master', server_passenger => false, server_service_fallback => false}" + it do + should contain_file(vardir) + .with_ensure('directory') + .with_owner('puppet') + end + + it do + should contain_git__repo('puppet_repo') + .with_bare(true) + .with_target("#{vardir}/puppet.git") + .with_user('puppet') + .that_requires("File[#{environments_dir}]") + end + + it do + should contain_file("#{vardir}/puppet.git/hooks/post-receive") + .with_owner('puppet') \ + .with_mode('0755') \ + .that_requires('Git::Repo[puppet_repo]') \ + 
.with_content(/BRANCH_MAP = \{[^a-zA-Z=>]\}/) + end + + it { should_not contain_puppet__server__env('development') } + it { should_not contain_puppet__server__env('production') } + + describe 'with a puppet git branch map' do + let(:params) do + super().merge(server_git_branch_map: { 'a' => 'b', 'c' => 'd' }) + end + + it 'should add the branch map to the post receive hook' do + should contain_file("#{vardir}/puppet.git/hooks/post-receive") + .with_content(/BRANCH_MAP = \{\n "a" => "b",\n "c" => "d",\n\}/) + end + end + + context 'with directory environments' do + let(:params) do + super().merge(server_directory_environments: true) end - it { should compile.with_all_deps } - it do - should contain_class('puppet::server::service'). - with_puppetmaster(false). - with_puppetserver(nil). - with_rack(false) + it 'should configure puppet.conf' do + should_not contain_puppet__config__master('config_version') + + should contain_puppet__config__main('environmentpath').with_value(environments_dir) + end + end + + context 'with config environments' do + let(:params) do + super().merge(server_directory_environments: false) + end + + it 'should configure puppet.conf' do + should contain_puppet__config__master('manifest').with_value("#{environments_dir}/\$environment/manifests/site.pp") + should contain_puppet__config__master('modulepath').with_value("#{environments_dir}/\$environment/modules") + should contain_puppet__config__master('config_version').with_value("git --git-dir #{environments_dir}/\$environment/.git describe --all --long") end end end - describe 'with server_implementation => "puppetserver"' do - let :pre_condition do - "class {'puppet': server => true, server_implementation => 'puppetserver'}" + describe 'with dynamic environments' do + let(:params) do + super().merge(server_dynamic_environments: true) end - it { should compile.with_all_deps } - it { should_not contain_class('apache') } - it { should_not contain_notify('ip_not_supported') } - it do - should 
contain_class('puppet::server::service'). - with_puppetmaster(nil). - with_puppetserver(true). - with_rack(false) + + context 'with directory environments' do + let(:params) do + super().merge( + server_directory_environments: true, + server_environments_owner: 'apache' + ) + end + + it 'should set up the environments directory' do + should contain_file(environments_dir) \ + .with_ensure('directory') \ + .with_owner('apache') + end + + it 'should configure puppet.conf' do + should contain_puppet__config__main('environmentpath').with_value(environments_dir) + should contain_puppet__config__main('basemodulepath').with_value(["#{environments_dir}/common", "#{codedir}/modules", "#{sharedir}/modules", '/usr/share/puppet/modules']) + end + + it { should_not contain_puppet__server__env('development') } + it { should_not contain_puppet__server__env('production') } + end + + context 'with no common modules directory' do + let(:params) do + super().merge( + server_directory_environments: true, + server_environments_owner: 'apache', + server_common_modules_path: '' + ) + end + + it { should_not contain_puppet__config__main('basemodulepath') } + end + + context 'with config environments' do + let(:params) do + super().merge( + server_directory_environments: false, + server_environments_owner: 'apache' + ) + end + + it 'should set up the environments directory' do + should contain_file(environments_dir) \ + .with_ensure('directory') \ + .with_owner('apache') + end + + it 'should configure puppet.conf' do + should contain_puppet__config__master('manifest').with_value("#{environments_dir}/\$environment/manifests/site.pp") + should contain_puppet__config__master('modulepath').with_value("#{environments_dir}/\$environment/modules") + end + + it { should_not contain_puppet__server__env('development') } + it { should_not contain_puppet__server__env('production') } end - it { should contain_class('puppet::server::puppetserver') } - it { should contain_package('puppetserver') } end - 
describe "when manage_packages => false" do - let :pre_condition do - "class { 'puppet': server => true, manage_packages => false, - server_implementation => 'master' }" + describe 'with SSL path overrides' do + let(:params) do + super().merge( + server_foreman_ssl_ca: '/etc/example/ca.pem', + server_foreman_ssl_cert: '/etc/example/cert.pem', + server_foreman_ssl_key: '/etc/example/key.pem' + ) end - it { should compile.with_all_deps } - it "should not contain Package[#{server_package}]" do - should_not contain_package(server_package) + it 'should pass SSL parameters to the ENC' do + should contain_class('foreman::puppetmaster') + .with_ssl_ca('/etc/example/ca.pem') + .with_ssl_cert('/etc/example/cert.pem') + .with_ssl_key('/etc/example/key.pem') end end - describe "when manage_packages => 'agent'" do - let :pre_condition do - "class { 'puppet': server => true, manage_packages => 'agent', - server_implementation => 'master' }" + describe 'with a PuppetDB host set' do + let(:params) do + super().merge( + server_puppetdb_host: 'mypuppetdb.example.com', + server_storeconfigs_backend: 'puppetdb' + ) end - it { should compile.with_all_deps } - it "should not contain Package[#{server_package}]" do - should_not contain_package(server_package) + it 'should configure PuppetDB' do + should compile.with_all_deps + should contain_class('puppetdb::master::config') + .with_puppetdb_server('mypuppetdb.example.com') + .with_puppetdb_port(8081) + .with_puppetdb_soft_write_failure(false) + .with_manage_storeconfigs(false) + .with_restart_puppet(false) end end - describe "when manage_packages => 'server'" do - let :pre_condition do - "class { 'puppet': server => true, manage_packages => 'server', - server_implementation => 'master' }" + describe 'with additional settings' do + let(:params) do + super().merge(server_additional_settings: { 'stringify_facts' => true }) end - it { should compile.with_all_deps } - # Puppetmaster is not a separate package on FreeBSD - unless 
facts[:osfamily] == 'FreeBSD' - it { should contain_package(server_package) } + it 'should configure puppet.conf' do + should contain_puppet__config__master('stringify_facts').with_value(true) + end + end + + describe 'with server_parser => future' do + let(:params) do + super().merge(server_parser: 'future') + end + + it { should contain_puppet__config__master('parser').with_value('future') } + end + + describe 'with server_environment_timeout set' do + let(:params) do + super().merge(server_environment_timeout: '10m') + end + + it { should contain_puppet__config__master('environment_timeout').with_value('10m') } + end + + describe 'with no ssldir managed for master' do + let(:params) do + super().merge(server_ssl_dir_manage: false) + end + + it { should_not contain_puppet__config__master('ssl_dir') } + end + + describe 'with ssl key management disabled for server' do + let(:params) do + super().merge( + server_certname: 'servercert', + server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl', + server_ssl_key_manage: false + ) + end + + it { should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/private_keys/servercert.pem') } + end + + describe 'with nondefault CA settings' do + let(:params) do + super().merge(server_ca: false) + end + + it { should contain_exec('puppet_server_config-create_ssl_dir') } + it { should_not contain_exec('puppet_server_config-generate_ca_cert') } + end + + describe 'with server_ca_crl_sync => true' do + let(:params) do + super().merge(server_ca_crl_sync: true) + end + + context 'with server_ca => false and running "puppet apply"' do + let(:params) do + super().merge( + server_ca: false, + server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl' + ) + end + + it 'should not sync the crl' do + should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') + end + end + + context 'with server_ca => false: running "puppet agent -t"' do + let(:params) do + super().merge( + server_ca: false, + server_ssl_dir: 
'/etc/custom/puppetlabs/puppet/ssl' + ) + end + + let(:facts) do + facts.merge(servername: 'myserver') + end + + before :context do + @cacrl = Tempfile.new('cacrl') + File.open(@cacrl, 'w') { |f| f.write 'This is my CRL File' } + Puppet.settings[:cacrl] = @cacrl.path + end + + it 'should sync the crl from the ca' do + should contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') + .with_content('This is my CRL File') + end + end + + context 'with server_ca => true: running "puppet agent -t"' do + let(:params) do + super().merge( + server_ca: true, + server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl' + ) + end + + let(:facts) do + facts.merge(servername: 'myserver') + end + + it 'should not sync the crl' do + should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') + end + end + end + + describe 'allow crl checking' do + context 'as ca' do + let(:params) do + super().merge(server_ca: true) + end + + it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-crl-path: #{ssldir}/ca/ca_crl\.pem}) } end + + context 'as non-ca' do + let(:params) do + super().merge(server_ca: false) + end + + it { should contain_file("#{conf_d_dir}/webserver.conf").without_content(%r{ssl-crl-path: #{ssldir}/crl\.pem}) } + + context 'server_crl_enable' do + let(:params) do + super().merge(server_crl_enable: true) + end + + it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-crl-path: #{ssldir}/crl\.pem}) } + end + end + end + + describe 'with ssl_protocols overwritten' do + let(:params) do + super().merge(server_ssl_protocols: ['TLSv1.1', 'TLSv1.2']) + end + + it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/ssl-protocols: \[\n( +)TLSv1.1,\n( +)TLSv1.2,\n( +)\]/) } + end + + describe 'with ssl_protocols overwritten' do + let(:params) do + super().merge(server_cipher_suites: %w[TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA]) + end + + it { should 
contain_file("#{conf_d_dir}/webserver.conf").with_content(/cipher-suites: \[\n( +)TLS_RSA_WITH_AES_256_CBC_SHA256,\n( +)TLS_RSA_WITH_AES_256_CBC_SHA,\n( +)\]/) } + end + + describe 'with ssl_chain_filepath overwritten' do + let(:params) do + super().merge(server_ssl_chain_filepath: '/etc/example/certchain.pem') + end + + it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-cert-chain: /etc/example/certchain.pem}) } + end + + describe 'with server_custom_trusted_oid_mapping overwritten' do + let(:params) do + super().merge(server_custom_trusted_oid_mapping: { + '1.3.6.1.4.1.34380.1.2.1.1' => { + shortname: 'myshortname', + longname: 'My Long Name' + }, + '1.3.6.1.4.1.34380.1.2.1.2' => { + shortname: 'myothershortname' + } + }) + end + + it 'should have a configured custom_trusted_oid_mapping.yaml' do + verify_exact_contents(catalogue, "#{confdir}/custom_trusted_oid_mapping.yaml", [ + '---', + 'oid_mapping:', + ' 1.3.6.1.4.1.34380.1.2.1.1:', + ' shortname: myshortname', + ' longname: My Long Name', + ' 1.3.6.1.4.1.34380.1.2.1.2:', + ' shortname: myothershortname' + ]) + end + end + + describe 'with server_certname parameter' do + let(:params) do + super().merge( + server_certname: 'puppetserver43.example.com', + server_ssl_dir: '/etc/custom/puppet/ssl' + ) + end + + it 'should put the correct ssl key path in webserver.conf' do + should contain_file("#{conf_d_dir}/webserver.conf") + .with_content(%r{ssl-key: /etc/custom/puppet/ssl/private_keys/puppetserver43\.example\.com\.pem}) + end + + it 'should put the correct ssl cert path in webserver.conf' do + should contain_file("#{conf_d_dir}/webserver.conf") + .with_content(%r{ssl-cert: /etc/custom/puppet/ssl/certs/puppetserver43\.example\.com\.pem}) + end + end + + describe 'with server_http parameter set to true for the puppet class' do + let(:params) do + super().merge(server_http: true) + end + + it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/ 
host:\s0\.0\.0\.0/).with_content(/ port:\s8139/) } + it { should contain_file("#{conf_d_dir}/auth.conf").with_content(/allow-header-cert-info: true/) } + end + + describe 'with server_allow_header_cert_info => true' do + let(:params) do + super().merge(server_allow_header_cert_info: true) + end + + it { should contain_file("#{conf_d_dir}/auth.conf").with_content(/allow-header-cert-info: true/) } end end end end
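Review bot: The negative assertion in `describe 'with no ssldir managed for master'` checks `contain_puppet__config__master('ssl_dir')`, while the default-parameters block earlier in this hunk asserts the same setting under the title `'ssldir'`; if that is the real resource title, the `should_not` passes whether or not `server_ssl_dir_manage: false` has any effect. I would change it to `it { should_not contain_puppet__config__master('ssldir') }` so that a regression which keeps writing the master's ssldir fails the spec. Separately, two blocks are titled `describe 'with ssl_protocols overwritten'`; the second one sets `server_cipher_suites` and would read better as `describe 'with cipher_suites overwritten'`, which also keeps the two apart in failure output.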