From acfd93742ee5548516d4829c687c6271d74e71d7 Mon Sep 17 00:00:00 2001
From: Martin Pitt <martin@piware.de>
Date: Thu, 12 Dec 2024 09:18:22 +0100
Subject: [PATCH] test: Drop cockpit-ws* groups

Cockpit 330 (RHEL 9.6/10.0/Fedora 40) does not have any static system
groups any more, everything is handled through `DynamicUser=`.

The ownership of the certificate hasn't mattered since Cockpit 257 [1],
which is in RHEL 8.7, 9.0, and all current Fedora/Debian/Ubuntu OSes.

Setting a certificate group *can* be useful to share it with other
services (like symlinking a global LetsEncrypt cert to ws-certs.d/), but
this isn't what our documentation and tests do -- they produce a
certificate exclusively for Cockpit. So just drop the group handling.

[1] https://github.com/cockpit-project/cockpit/commit/644116a0cd
---
 README.md                            |  2 --
 tests/tasks/get_cockpit_group.yml    | 13 -------------
 tests/tests_certificate_external.yml |  5 -----
 tests/tests_certificate_internal.yml |  5 -----
 tests/tests_certificate_runafter.yml |  6 ------
 5 files changed, 31 deletions(-)
 delete mode 100644 tests/tasks/get_cockpit_group.yml

diff --git a/README.md b/README.md
index 36da52d..c1bb70c 100644
--- a/README.md
+++ b/README.md
@@ -212,7 +212,6 @@ assuming your machines are joined to a FreeIPA domain.
           - name: monger-cockpit
             dns: ['localhost', 'www.example.com']
             ca: ipa
-            group: cockpit-ws
 ```
 
 Note: Generating a new certificate using the `certificate` system role in the playbook remains supported.
@@ -235,7 +234,6 @@ This example also installs Cockpit with an IdM-issued web server certificate.
           - name: /etc/cockpit/ws-certs.d/monger-cockpit
             dns: ['localhost', 'www.example.com']
             ca: ipa
-            group: cockpit-ws  # or cockpit-wsinstance on newer cockpit versions
 ```
 
 NOTE: The `certificate` role, unless using IPA and joining the systems to an IPA domain,
diff --git a/tests/tasks/get_cockpit_group.yml b/tests/tasks/get_cockpit_group.yml
deleted file mode 100644
index 8895467..0000000
--- a/tests/tasks/get_cockpit_group.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-# SPDX-License-Identifier: MIT
----
-- name: Get name of cockpit group for tests
-  getent:
-    database: group
-    key: cockpit-wsinstance
-    fail_key: false
-
-- name: Set __cockpit_test_group
-  set_fact:
-    __cockpit_test_group: "{{ 'cockpit-wsinstance'
-      if ansible_facts['getent_group'].get('cockpit-wsinstance')
-      else 'cockpit-ws' }}"
diff --git a/tests/tests_certificate_external.yml b/tests/tests_certificate_external.yml
index 3aeab53..735bb8e 100644
--- a/tests/tests_certificate_external.yml
+++ b/tests/tests_certificate_external.yml
@@ -26,10 +26,6 @@
                 setype: cert_t
                 mode: "0755"
 
-            # returns global variable __cockpit_test_group
-            - name: Get name of cockpit group to use
-              include_tasks: tasks/get_cockpit_group.yml
-
             # has to be done dynamically, as the first step checks it out
             - name: Generate certificate with certificate system role
               include_role:
@@ -39,7 +35,6 @@
                   - name: /etc/cockpit/ws-certs.d/monger-cockpit
                     dns: ['localhost', 'www.example.com']
                     ca: self-sign
-                    group: "{{ __cockpit_test_group }}"
 
             # ostree cannot remove packages and cannot cleanup properly
             # this works around that issue
diff --git a/tests/tests_certificate_internal.yml b/tests/tests_certificate_internal.yml
index b287184..882eabd 100644
--- a/tests/tests_certificate_internal.yml
+++ b/tests/tests_certificate_internal.yml
@@ -17,10 +17,6 @@
               vars:
                 cockpit_packages: minimal
 
-            # returns global variable __cockpit_test_group
-            - name: Get name of cockpit group to use
-              include_tasks: tasks/get_cockpit_group.yml
-
             - name: Install cockpit with cockpit_certificates request
               vars:
                 cockpit_packages: minimal
@@ -28,7 +24,6 @@
                   - name: "{{ cert_name }}"
                     dns: ['localhost', 'www.example.com']
                     ca: self-sign
-                    group: "{{ __cockpit_test_group }}"
               include_role:
                 name: linux-system-roles.cockpit
                 public: true
diff --git a/tests/tests_certificate_runafter.yml b/tests/tests_certificate_runafter.yml
index f86d61b..fef8278 100644
--- a/tests/tests_certificate_runafter.yml
+++ b/tests/tests_certificate_runafter.yml
@@ -24,10 +24,6 @@
         setype: cert_t
         mode: "0755"
 
-    # returns global variable __cockpit_test_group
-    - name: Get name of cockpit group to use
-      include_tasks: tasks/get_cockpit_group.yml
-
     # has to be done dynamically, as the first step checks it out
     - name: Generate certificate with certificate system role
       include_role:
@@ -38,7 +34,6 @@
           - name: monger-cockpit
             dns: ['localhost', 'www.example.com']
             ca: local
-            group: "{{ __cockpit_test_group }}"
             # ideally we'd put the cert directly into /etc/cockpit/ws-certs.d;
             # however, cockpit in RHEL/CentOS 7 does not yet support a separate
             # key file, and lsr.certificate sets wrong permissions
@@ -48,7 +43,6 @@
               cat {{ __certificate_default_directory }}/certs/monger-cockpit.crt \
               {{ __certificate_default_directory }}/private/monger-cockpit.key > $DEST
               chmod 640 $DEST
-              chown root:{{ __cockpit_test_group }} $DEST
 
     - name: Validate installation
       block: