Merge pull request #233 from johngmyers/update-chain

(MODULES-1997) - Update the target when the cert chain changes

Author: Helen

lib/puppet/provider/java_ks/keytool.rb

@@ -162,10 +162,9 @@ def exists?
     end
   end
 
-  # Extract's the fingerprint of a given output
+  # Extracts the fingerprints of a given output
   def extract_fingerprint(output)
-    return output.scan(%r{Certificate fingerprints:\n\s+MD5:  .*\n\s+SHA1: (.*)})[0][0] if output.include? 'MD5:'
-    output.scan(%r{Certificate fingerprints:\n\s+SHA1: (.*)})[0][0]
+    output.scan(%r{Certificate fingerprints:\n\s+(?:MD5:  .*\n\s+)?SHA1: (.*)}).flatten.join('/')
   end
 
   # Reading the fingerprint of the certificate on disk.

spec/acceptance/chain_key_spec.rb

@@ -38,6 +38,35 @@
         end
       end
     end
+
+    it 'updates the chain' do
+      pp = <<-MANIFEST
+        java_ks { 'broker.example.com:#{target}':
+          ensure       => latest,
+          certificate  => "#{@temp_dir}leafchain2.pem",
+          private_key  => "#{@temp_dir}leafkey.pem",
+          password     => 'puppet',
+          path         => #{@resource_path},
+        }
+      MANIFEST
+
+      apply_manifest(pp, catch_failures: true)
+
+      expectations = [
+        %r{Alias name: broker\.example\.com},
+        %r{Entry type: (keyEntry|PrivateKeyEntry)},
+        %r{Certificate chain length: 2},
+        %r{^Serial number: 5$.*^Serial number: 6$}m,
+      ]
+      shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass puppet") do |r|
+        expect(r.exit_code).to be_zero
+      end
+      shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass puppet") do |r|
+        expectations.each do |expect|
+          expect(r.stdout).to match(expect)
+        end
+      end
+    end
   end
 
   describe 'managing separate java chain keys', unless: UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do
@@ -77,6 +106,36 @@
         end
       end
     end
+
+    it 'updates the chain' do
+      pp = <<-MANIFEST
+        java_ks { 'broker.example.com:#{target}':
+          ensure       => latest,
+          certificate  => "#{@temp_dir}leaf.pem",
+          chain        => "#{@temp_dir}chain2.pem",
+          private_key  => "#{@temp_dir}leafkey.pem",
+          password     => 'puppet',
+          path         => #{@resource_path},
+        }
+      MANIFEST
+
+      apply_manifest(pp, catch_failures: true)
+
+      expectations = [
+        %r{Alias name: broker\.example\.com},
+        %r{Entry type: (keyEntry|PrivateKeyEntry)},
+        %r{Certificate chain length: 2},
+        %r{^Serial number: 5$.*^Serial number: 6$}m,
+      ]
+      shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass puppet") do |r|
+        expect(r.exit_code).to be_zero
+      end
+      shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass puppet") do |r|
+        expectations.each do |expect|
+          expect(r.stdout).to match(expect)
+        end
+      end
+    end
   end
 
   describe 'managing non existent java chain keys in noop', unless: UNSUPPORTED_PLATFORMS.include?(fact('operatingsystem')) do

spec/acceptance/pkcs12_spec.rb

@@ -46,6 +46,36 @@
         end
       end
     end
+
+    it 'updates the chain' do
+      pp = <<-MANIFEST
+        java_ks { 'Leaf Cert:#{target}':
+            ensure          => #{@ensure_ks},
+            certificate     => "#{@temp_dir}leaf2.p12",
+            storetype       => 'pkcs12',
+            password        => 'puppet',
+            path            => #{@resource_path},
+            source_password => 'pkcs12pass'
+        }
+      MANIFEST
+
+      apply_manifest(pp, catch_failures: true)
+
+      expectations = [
+        %r{Alias name: leaf cert},
+        %r{Entry type: (keyEntry|PrivateKeyEntry)},
+        %r{Certificate chain length: 2},
+        %r{^Serial number: 5$.*^Serial number: 6$}m,
+      ]
+      shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass puppet") do |r|
+        expect(r.exit_code).to be_zero
+      end
+      shell("\"#{@keytool_path}keytool\" -list -v -keystore #{target} -storepass puppet") do |r|
+        expectations.each do |expect|
+          expect(r.stdout).to match(expect)
+        end
+      end
+    end
   end # context 'with defaults'
 
   context 'with a different alias' do

spec/spec_helper_acceptance.rb

@@ -76,16 +76,29 @@ def create_certs(host, tmpdir)
   leaf.not_after = leaf.not_before + 360
   leaf.sign(key_chain2, OpenSSL::Digest::SHA256.new)
 
+  chain3 = OpenSSL::X509::Certificate.new
+  chain3.serial = 6
+  chain3.public_key = key_chain2.public_key
+  chain3.subject = OpenSSL::X509::Name.parse chain2_subj
+  chain3.issuer = ca.subject
+  chain3.not_before = Time.now
+  chain3.not_after = chain3.not_before + 360
+  chain3.sign(key, OpenSSL::Digest::SHA256.new)
+
   pkcs12 = OpenSSL::PKCS12.create('pkcs12pass', 'Leaf Cert', key_leaf, leaf, [chain2, chain])
+  pkcs12_chain3 = OpenSSL::PKCS12.create('pkcs12pass', 'Leaf Cert', key_leaf, leaf, [chain3])
 
   create_remote_file(host, "#{tmpdir}/privkey.pem", key.to_pem)
   create_remote_file(host, "#{tmpdir}/ca.pem", ca.to_pem)
   create_remote_file(host, "#{tmpdir}/ca2.pem", ca2.to_pem)
   create_remote_file(host, "#{tmpdir}/chain.pem", chain2.to_pem + chain.to_pem)
+  create_remote_file(host, "#{tmpdir}/chain2.pem", chain3.to_pem)
   create_remote_file(host, "#{tmpdir}/leafkey.pem", key_leaf.to_pem)
   create_remote_file(host, "#{tmpdir}/leaf.pem", leaf.to_pem)
   create_remote_file(host, "#{tmpdir}/leafchain.pem", leaf.to_pem + chain2.to_pem + chain.to_pem)
+  create_remote_file(host, "#{tmpdir}/leafchain2.pem", leaf.to_pem + chain3.to_pem)
   create_remote_file(host, "#{tmpdir}/leaf.p12", pkcs12.to_der)
+  create_remote_file(host, "#{tmpdir}/leaf2.p12", pkcs12_chain3.to_der)
 end
 
 RSpec.configure do |c|