diff --git a/.travis.yml b/.travis.yml index 280d71b06..e8eebac3d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,5 @@ sudo: required -group: deprecated-2017Q4 +# group: deprecated-2017Q4 services: - docker cache: 
@@ -52,75 +52,39 @@ jobs: env: - BEAKER_PUPPET_COLLECTION=puppet6 - TASK=beaker:centos-6-x64:acceptance - - env: - - BEAKER_PUPPET_COLLECTION=puppet6 - - TASK=beaker:centos-6-x64:acceptance[5.6.16] - env: - BEAKER_PUPPET_COLLECTION=puppet6 - TASK=beaker:centos-7-x64:acceptance - - env: - - BEAKER_PUPPET_COLLECTION=puppet6 - - TASK=beaker:centos-7-x64:acceptance[5.6.16] - env: - BEAKER_PUPPET_COLLECTION=puppet6 - TASK=beaker:centos-8-x64:acceptance - - env: - - BEAKER_PUPPET_COLLECTION=puppet6 - - TASK=beaker:centos-8-x64:acceptance[5.6.16] - env: - BEAKER_PUPPET_COLLECTION=puppet6 - TASK=beaker:amazonlinux-1-x64:acceptance - - env: - - BEAKER_PUPPET_COLLECTION=puppet6 - - TASK=beaker:amazonlinux-1-x64:acceptance[5.6.16] - env: - BEAKER_PUPPET_COLLECTION=puppet6 - TASK=beaker:oracle-6-x64:acceptance - - env: - - BEAKER_PUPPET_COLLECTION=puppet6 - - TASK=beaker:oracle-6-x64:acceptance[5.6.16] - env: - BEAKER_PUPPET_COLLECTION=puppet6 - TASK=beaker:oracle-7-x64:acceptance - - env: - - BEAKER_PUPPET_COLLECTION=puppet6 - - TASK=beaker:oracle-7-x64:acceptance[5.6.16] - env: - BEAKER_PUPPET_COLLECTION=puppet6 - TASK=beaker:debian-8-x64:acceptance - - env: - - BEAKER_PUPPET_COLLECTION=puppet6 - - TASK=beaker:debian-8-x64:acceptance[5.6.16] - env: - BEAKER_PUPPET_COLLECTION=puppet6 - TASK=beaker:debian-9-x64:acceptance - - env: - - BEAKER_PUPPET_COLLECTION=puppet6 - - TASK=beaker:debian-9-x64:acceptance[5.6.16] - env: - BEAKER_PUPPET_COLLECTION=puppet6 - TASK=beaker:debian-10-x64:acceptance - - env: - - BEAKER_PUPPET_COLLECTION=puppet6 - - TASK=beaker:debian-10-x64:acceptance[5.6.16] - env: - BEAKER_PUPPET_COLLECTION=puppet6 - TASK=beaker:ubuntu-server-1404-x64:acceptance - - env: - - BEAKER_PUPPET_COLLECTION=puppet6 - - TASK=beaker:ubuntu-server-1404-x64:acceptance[5.6.16] - env: - BEAKER_PUPPET_COLLECTION=puppet6 - TASK=beaker:ubuntu-server-1604-x64:acceptance - - env: - - BEAKER_PUPPET_COLLECTION=puppet6 - - TASK=beaker:ubuntu-server-1604-x64:acceptance[5.6.16] - env: - 
BEAKER_PUPPET_COLLECTION=puppet6 - TASK=beaker:ubuntu-server-1804-x64:acceptance - - env: - - BEAKER_PUPPET_COLLECTION=puppet6 - - TASK=beaker:ubuntu-server-1804-x64:acceptance[5.6.16] - stage: snapshots env: - TASK=beaker:ubuntu-server-1404-x64:snapshot diff --git a/Gemfile b/Gemfile index 61eef4a7a..6abd16b53 100644 --- a/Gemfile +++ b/Gemfile @@ -8,7 +8,7 @@ group :test do gem 'xmlrpc' gem 'ci_reporter_rspec' - gem 'facter' + gem 'facter', "~> 2.4" gem 'pry' gem 'puppet-lint' gem 'puppet-strings' diff --git a/Rakefile b/Rakefile index f453bd560..cc9b964ba 100644 --- a/Rakefile +++ b/Rakefile @@ -140,7 +140,7 @@ beaker_node_sets.each do |node| args.with_defaults(:version => '6.8.6', :filter => nil) task.pattern = 'spec/acceptance/tests/acceptance_spec.rb' task.rspec_opts = [] - task.rspec_opts << '--format documentation' if ENV['CI'].nil? + task.rspec_opts << '--format documentation' task.rspec_opts << "--example '#{args[:filter]}'" if args[:filter] ENV['ELASTICSEARCH_VERSION'] ||= args[:version] Rake::Task['artifact:fetch'].invoke(ENV['ELASTICSEARCH_VERSION']) diff --git a/lib/puppet/provider/elasticsearch_user/elasticsearch_users.rb b/lib/puppet/provider/elasticsearch_user/elasticsearch_users.rb index 9bfe962ec..ba47d9ebf 100644 --- a/lib/puppet/provider/elasticsearch_user/elasticsearch_users.rb +++ b/lib/puppet/provider/elasticsearch_user/elasticsearch_users.rb @@ -5,6 +5,7 @@ :parent => Puppet::Provider::ElasticUserCommand ) do desc 'Provider for OSS X-Pack user resources.' + confine :exists => "#{homedir}/bin/elasticsearch-users" has_feature :manages_plaintext_passwords diff --git a/lib/puppet/provider/elasticsearch_user/users.rb b/lib/puppet/provider/elasticsearch_user/users.rb index 08f01a8bb..83e02ee41 100644 --- a/lib/puppet/provider/elasticsearch_user/users.rb +++ b/lib/puppet/provider/elasticsearch_user/users.rb 
@@ -5,7 +5,16 @@ :parent => Puppet::Provider::ElasticUserCommand ) do desc 'Provider for X-Pack file (users) user resources.' - confine :false => (Puppet::FileSystem.exist? "#{homedir}/bin/elasticsearch-users") + + # Prefer the newer 'elasticsearch-users' command provider + # if the 'elasticsearch_users' command exists. + # The logic looks a bit backwards here, but that's because + # Puppet evals the 'confine' statement early on. + # So we could hit false-positives due to the package + # being installed in the same Puppet run. + confine :true => begin + false if File.exist?("#{homedir}/bin/elasticsearch-users") + end has_feature :manages_plaintext_passwords diff --git a/spec/spec_helper_tls.rb b/spec/spec_helper_tls.rb index bd9756274..c3a125015 100644 --- a/spec/spec_helper_tls.rb +++ b/spec/spec_helper_tls.rb @@ -6,7 +6,7 @@ def gen_certs(num_certs, path) ca_key = OpenSSL::PKey::RSA.new 2048 # CA Cert - ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example' + ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example/DC=com' ca_cert = OpenSSL::X509::Certificate.new ca_cert.serial = serial serial += 1 @@ -19,16 +19,16 @@ def gen_certs(num_certs, path) extension_factory = OpenSSL::X509::ExtensionFactory.new extension_factory.subject_certificate = ca_cert extension_factory.issuer_certificate = ca_cert - ca_cert.add_extension extension_factory.create_extension( - 'subjectAltName', ['localhost', '127.0.0.1'].map { |d| "DNS: #{d}" }.join(',') - ) + # ca_cert.add_extension extension_factory.create_extension( + # 'subjectAltName', ['localhost', '127.0.0.1'].map { |d| "DNS: #{d}" }.join(',') + # ) ca_cert.add_extension extension_factory.create_extension( 'subjectKeyIdentifier', 'hash' ) ca_cert.add_extension extension_factory.create_extension( 'basicConstraints', 'CA:TRUE', true ) - ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new + ca_cert.sign ca_key, OpenSSL::Digest::SHA256.new ret[:ca] = { :cert => { :pem => ca_cert.to_pem, 
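Review bot: The `begin … end` expression passed to `confine :true` in users.rb can only evaluate to `false` (file present) or `nil` (file absent), never to a truthy value. As far as I can tell a `:true` confine passes only on truthy values, so this provider would never be suitable; that should be confirmed against the Puppet version in use. The block is also an ordinary expression, evaluated once when the `confine` call runs, so it does not avoid the early evaluation that the comment describes. If the intent is to retire the `users` provider in favour of `elasticsearch_users`, the comment should say so directly, e.g. `# This confine never passes: the 'users' provider is intentionally disabled in favour of 'elasticsearch_users'.` The comment also names the command `elasticsearch_users`, while the path being checked is `bin/elasticsearch-users`.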
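Review bot: In gen_certs the CA's `subjectAltName` extension is commented out rather than removed, which leaves three lines of dead code and no stated reason. Delete them, or replace them with a single line such as `# The CA certificate carries no subjectAltName; SANs are set on the node certificates in gen_cert_pair.` The disabled code also labelled `127.0.0.1` as a `DNS:` entry, so it should not be re-enabled as written. gen_certs begins before and continues after this hunk.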
@@ -38,7 +38,7 @@ def gen_certs(num_certs, path) num_certs.times do |i| key, cert, serial = gen_cert_pair serial, ca_cert - cert.sign ca_key, OpenSSL::Digest::SHA1.new + cert.sign ca_key, OpenSSL::Digest::SHA256.new ret[:clients] << { :key => { :pem => key.to_pem, @@ -58,7 +58,11 @@ def gen_cert_pair(serial, ca_cert) serial += 1 # Node Key key = OpenSSL::PKey::RSA.new 2048 - node_name = OpenSSL::X509::Name.parse 'CN=localhost/DC=example' + node_name = OpenSSL::X509::Name.parse 'CN=localhost/DC=example/DC=com' + + # prepare SANS list + sans = ['localhost.localdomain', 'localhost', 'localhost.example.com'] + sans_list = sans.map { |domain| "DNS:#{domain}" } # Node Cert cert = OpenSSL::X509::Certificate.new @@ -75,6 +79,10 @@ def gen_cert_pair(serial, ca_cert) csr_extension_factory.subject_certificate = cert csr_extension_factory.issuer_certificate = ca_cert + cert.add_extension csr_extension_factory.create_extension( + 'subjectAltName', + sans_list.join(',') + ) cert.add_extension csr_extension_factory.create_extension( 'basicConstraints', 'CA:FALSE' @@ -83,6 +91,10 @@ def gen_cert_pair(serial, ca_cert) 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature' ) + cert.add_extension csr_extension_factory.create_extension( + 'extendedKeyUsage', + 'serverAuth,clientAuth' + ) cert.add_extension csr_extension_factory.create_extension( 'subjectKeyIdentifier', 'hash' )
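Review bot: The `sans` list added in gen_cert_pair (hunk `@@ -58,7 +58,11 @@`, used by the `subjectAltName` extension in the next hunk) holds only DNS names. A client that reaches a node by address with hostname verification enabled would therefore not match the certificate. The tests are not visible here, so this is a risk to check rather than a confirmed failure. If any acceptance test connects to `127.0.0.1`, add an IP entry after the map, e.g. `sans_list << 'IP:127.0.0.1'`. It would also help to replace `# prepare SANS list` with a comment saying which hostnames the tests actually use, so the list is not trimmed or extended by guesswork; gen_cert_pair starts and ends outside these hunks.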