path: root/code/environments/production/modules/certregen/spec/acceptance/healthcheck_spec.rb
blob: 387810dcf568945b8dd5c60813ad9be94121447b (plain)
require 'spec_helper_acceptance'
require 'yaml'
require 'json'

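# Acceptance tests for `puppet certregen healthcheck`, executed on the Beaker
# `master` host. Each context first regenerates the CA certificate with a
# chosen lifetime and then checks what the healthcheck reports about it.
#
# NOTE(review): the '--all flag' contexts do not regenerate the CA themselves;
# they appear to rely on the expired CA left behind by C99805, so the contexts
# presumably must run in the order they are defined — confirm the suite is not
# run with random ordering.
describe "puppet certregen healthcheck" do
  # The whole suite is skipped when the host set contains no master.
  if hosts_with_role(hosts, 'master').length > 0

    context 'C99803 - cert with more than 10 percent of life' do
      before(:all) do
        # Regenerate the CA at the current time so it has its full lifetime left.
        serial = get_ca_serial_id_on(master)
        on(master, "puppet certregen ca --ca_serial #{serial}")
      end

      it 'should not produce a health warning' do
        on(master, "puppet certregen healthcheck") do |result|
          expect(result.stderr).to be_empty
          expect(result.stdout).to match(/No certificates are approaching expiration/)
        end
      end
    end

    context 'C99804 - cert with less than 10 percent of life' do
      before(:all) do
        serial = get_ca_serial_id_on(master)
        # patch puppet to defeat copyright date check when generating historical CA
        patch_puppet_date_check_on(master)
        begin
          @today = get_time_on(master)
          # set back the clock in order to create a CA that will be approaching its EOL
          # (YEAR and DAY are not defined in this file; presumably provided by
          # spec_helper_acceptance)
          past = @today - (5*YEAR - 20*DAY)
          # `date` is given the time as MMDDhhmmYYYY
          on(master, "date #{past.strftime('%m%d%H%M%Y')}")
          # create old CA
          on(master, "puppet certregen ca --ca_serial #{serial}")
        ensure
          # Always undo the host changes, even when CA generation fails: a master
          # left with a rolled-back clock or a patched date check would skew every
          # certificate validity check that runs after this context.
          begin
            # update to current time (the value captured above, so the clock ends
            # up behind real time by however long the CA generation took)
            on(master, "date #{@today.strftime('%m%d%H%M%Y')}") if @today
          ensure
            # revert patch to defeat copyright date check
            patch_puppet_date_check_on(master, 'reverse')
          end
        end
      end

      it 'system should have current date' do
        today = get_time_on(master)
        expect(today.utc.strftime('%Y-%m-%d')).to eq @today.utc.strftime('%Y-%m-%d')
      end

      it 'should warn about pending expiration' do
        enddate = get_ca_enddate_time_on(master)
        on(master, "puppet certregen healthcheck") do |result|
          expect(result.stdout).to match(/Status:\s+expiring/)
          expect(result.stdout).to match(/Expiration date:\s+#{enddate.utc.strftime('%Y-%m-%d')}/)
        end
      end

    end

    context 'C99805 - expired cert' do
      before(:all) do
        serial = get_ca_serial_id_on(master)
        on(master, "puppet certregen ca --ca_serial #{serial} --ca_ttl 1s")
        # wait longer than the one-second TTL so the new CA cert is already expired
        sleep 2
      end

      it 'should produce a health warning' do
        on(master, "puppet certregen healthcheck") do |result|
          # newlines are flattened so the name and the status can match in one pattern
          expect(result.stdout.gsub("\n", " ")).to match(/ca.*Status: expired/)
        end
      end
    end

    context '--all flag' do

      context 'C99806 --all' do
        before(:all) do
          # Collect the fingerprint of every cert the CA knows about. The capture
          # only admits [A-F0-9:], so the values are plain hex/colon strings.
          on(master, puppet("cert list --all")) do |result|
            @certs = result.stdout.scan(/\) ([A-F0-9:]+) /)
          end
          @result = on(master, "puppet certregen healthcheck --all")
        end

        it 'should contain expiration data for ca cert' do
          expect(@result.stdout).to match(/"ca".*\n\s*Status:\s*[Ee]xpir/)
        end

        it 'should contain expiration data for all node certs' do
          @certs.each do |cert|
            expect(@result.stdout).to include cert[0]
          end
        end
      end

      context '--render-as flag' do

        context 'C99808 - --render-as yaml' do
          before(:all) do
            on(master, puppet("cert list --all")) do |result|
              @certs = result.stdout.scan(/\) ([A-F0-9:]+) /)
            end
            @result = on(master, "puppet certregen healthcheck --all --render-as yaml")
            # NOTE(review): YAML.load deserializes text produced on the remote
            # host. On Psych versions where `load` is the unrestricted loader it
            # can instantiate arbitrary Ruby objects. The assertions below expect
            # Symbol keys and values, so a restricted load would need at least
            # `permitted_classes: [Symbol]` (and possibly more, depending on how
            # the expiry fields are serialized — confirm before switching to
            # YAML.safe_load).
            @yaml = YAML.load(@result.stdout)
          end

          it 'should return valid yaml' do
            expect(YAML.parse(@result.stdout)).to be_instance_of(Psych::Nodes::Document)
          end

          it 'should contain expiration data for ca cert' do
            ca = @yaml.find { |record| record[:name] == 'ca' }
            expect(ca).not_to be_nil
            expect(ca[:expiry][:status]).to eq(:expired)
          end

          it 'should contain expiration data for all node certs' do
            @certs.each do |cert|
              # cert[0] is limited to [A-F0-9:] by the scan above, so interpolating
              # it into a pattern adds no regex metacharacters
              expect(@yaml.find { |record| record[:digest] =~ /#{cert[0]}/ }).not_to be_nil
            end
          end
        end

        context 'C99809 - --render-as json prints valid json containing expiration data' do
          before(:all) do
            on(master, puppet("cert list --all")) do |result|
              @certs = result.stdout.scan(/\) ([A-F0-9:]+) /)
            end
            # JSON.parse raises on malformed output, which fails the whole context
            @json = JSON.parse(on(master, "puppet certregen healthcheck --all --render-as json").stdout)
          end

          it 'should return valid json' do
            expect(@json).not_to be_nil
          end

          it 'should contain expiration data for ca cert' do
            # NOTE(review): unlike the YAML context, this only checks that a 'ca'
            # record exists; the expiry status itself is not asserted.
            ca = @json.find { |record| record['name'] == 'ca' }
            expect(ca).not_to be_nil
          end

          it 'should contain expiration data for all node certs' do
            @certs.each do |cert|
              # cert[0] is limited to [A-F0-9:] by the scan above, so interpolating
              # it into a pattern adds no regex metacharacters
              expect(@json.find { |record| record['digest'] =~ /#{cert[0]}/ }).not_to be_nil
            end
          end
        end

      end
    end

  end
end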