Add support for cleaning up mosquitto when switching to SSH #744

Merged
merged 1 commit into from
Apr 29, 2022
29 changes: 14 additions & 15 deletions manifests/plugin/remote_execution/mosquitto.pp
Expand Up @@ -12,13 +12,16 @@
#
# === Advanced parameters:
#
# $ensure:: Enable or disable mosquitto configuration and presence
#
# $port:: Port mosquitto will run on
#
# $require_certificate:: When true the client must provide a valid certificate in order to connect successfully
#
# $use_identity_as_username:: Use the CN value from the client certificate as a username
#
class foreman_proxy::plugin::remote_execution::mosquitto (
Enum['absent', 'present'] $ensure = 'present',
Stdlib::Port $port = 1883,
Stdlib::Absolutepath $ssl_ca = undef,
Stdlib::Absolutepath $ssl_cert = undef,
Expand All @@ -31,8 +34,11 @@
$broker = $facts['networking']['fqdn']

class { 'mosquitto':
package_name => 'mosquitto',
config => [
package_name => 'mosquitto',
package_ensure => $ensure,
service_ensure => bool2str($ensure == 'present', 'running', 'stopped'),
service_enable => $ensure == 'present',
config => [
"listener ${port}",
"acl_file ${mosquitto_config_dir}/foreman.acl",
"cafile ${mosquitto_ssl_dir}/ssl_ca.pem",
Expand All @@ -43,16 +49,8 @@
],
}

file { $mosquitto_config_dir:
ensure => directory,
owner => 'root',
group => 'mosquitto',
mode => '0755',
require => Package['mosquitto'],
}

file { "${mosquitto_config_dir}/foreman.acl":
ensure => 'file',
ensure => $ensure,
content => epp(
"${module_name}/plugin/foreman.acl.epp",
{ user => $facts['networking']['fqdn'] }
Expand All @@ -63,30 +61,31 @@
}

file { $mosquitto_ssl_dir:
ensure => directory,
ensure => bool2str($ensure == 'present', 'directory', 'absent'),
force => true,
owner => 'root',
group => 'mosquitto',
mode => '0755',
}

file { "${mosquitto_ssl_dir}/ssl_cert.pem":
ensure => 'file',
ensure => $ensure,
source => $ssl_cert,
owner => 'root',
group => 'mosquitto',
mode => '0440',
}

file { "${mosquitto_ssl_dir}/ssl_key.pem":
ensure => 'file',
ensure => $ensure,
source => $ssl_key,
owner => 'root',
group => 'mosquitto',
mode => '0440',
}

file { "${mosquitto_ssl_dir}/ssl_ca.pem":
ensure => 'file',
ensure => $ensure,
source => $ssl_ca,
owner => 'root',
group => 'mosquitto',
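Review bot: `force => true` on the `$mosquitto_ssl_dir` resource makes the `ensure => 'absent'` path delete the directory recursively, including anything in it that this class does not manage, while the three `.pem` resources below already remove the files the class owns. If the directory is meant to hold only module-managed material, a comment saying so would make the recursive removal deliberate, e.g. `# force: the ssl dir holds only the cert/key/CA copies managed below, so remove it wholesale on 'absent'`; otherwise consider dropping `force` so that unexpected content makes the removal fail loudly instead of being wiped. The `$mosquitto_config_dir` resource was also dropped, so owner, group and mode of that directory are no longer asserted on the 'present' side; if the mosquitto package is expected to create it, a short comment near the ACL `file` resource recording that assumption would help the next reader. The class body starts and ends outside the hunks shown.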
11 changes: 5 additions & 6 deletions manifests/plugin/remote_execution/script.pp
Expand Up @@ -71,12 +71,11 @@
}
}

if $mode == 'pull-mqtt' {
class { 'foreman_proxy::plugin::remote_execution::mosquitto':
ssl_ca => $foreman_proxy::ssl_ca,
ssl_cert => $foreman_proxy::ssl_cert,
ssl_key => $foreman_proxy::ssl_key,
}
class { 'foreman_proxy::plugin::remote_execution::mosquitto':
ensure => bool2str($mode == 'pull-mqtt' and $enabled, 'present', 'absent'),
ssl_ca => $foreman_proxy::ssl_ca,
ssl_cert => $foreman_proxy::ssl_cert,
ssl_key => $foreman_proxy::ssl_key,
}

}
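Review bot: The `mosquitto` class is now declared unconditionally, so every proxy for which `$mode == 'pull-mqtt' and $enabled` is false receives `ensure => 'absent'` and will uninstall the `mosquitto` package and stop its service, even on hosts where mosquitto was installed for reasons unrelated to this module. If that is the intended contract it should be documented on the `$mode` parameter of this class (outside the hunk), for instance `# Note: any mode other than 'pull-mqtt' actively removes mosquitto and its configuration from the host.`; if not, the declaration needs a guard such as a parameter that opts into the cleanup. The `bool2str($cond, 'present', 'absent')` idiom is repeated here and several times in mosquitto.pp; computing a single `$mosquitto_ensure` value once with an `if`/`else` and passing it through would read more directly. The enclosing class body starts and ends outside this hunk.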
128 changes: 81 additions & 47 deletions spec/acceptance/remote_execution_script_pull_mqtt_spec.rb
Expand Up @@ -3,64 +3,98 @@
describe 'Scenario: install foreman-proxy with remote_execution script plugin with pull-mqtt' do
before(:context) { purge_installed_packages }

include_examples 'the example', 'remote_execution_script_pull_mqtt.pp'
context 'with default params' do
include_examples 'the example', 'remote_execution_script_pull_mqtt.pp'

it_behaves_like 'the default foreman proxy application'
it_behaves_like 'the default foreman proxy application'

describe port(1883) do
it { is_expected.to be_listening }
end
describe port(1883) do
it { is_expected.to be_listening }
end

describe file('/etc/foreman-proxy/settings.d/remote_execution_ssh.yml') do
it { should be_file }
its(:content) { should match(%r{:mqtt_port: 1883}) }
its(:content) { should match(%r{:mqtt_broker: #{host_inventory['fqdn']}}) }
end
describe file('/etc/foreman-proxy/settings.d/remote_execution_ssh.yml') do
it { should be_file }
its(:content) { should match(%r{:mqtt_port: 1883}) }
its(:content) { should match(%r{:mqtt_broker: #{host_inventory['fqdn']}}) }
end

describe file('/etc/mosquitto/foreman.acl') do
it { should be_file }
its(:content) { should match(%r{pattern read yggdrasil\/%u\/data\/in}) }
its(:content) { should match(%r{pattern write yggdrasil\/%u\/control\/out}) }
its(:content) { should match(%r{user #{host_inventory['fqdn']}}) }
its(:content) { should match(%r{topic write yggdrasil\/\+\/data\/in}) }
its(:content) { should match(%r{topic read yggdrasil\/\+\/control\/out}) }
end
describe file('/etc/mosquitto/foreman.acl') do
it { should be_file }
its(:content) { should match(%r{pattern read yggdrasil\/%u\/data\/in}) }
its(:content) { should match(%r{pattern write yggdrasil\/%u\/control\/out}) }
its(:content) { should match(%r{user #{host_inventory['fqdn']}}) }
its(:content) { should match(%r{topic write yggdrasil\/\+\/data\/in}) }
its(:content) { should match(%r{topic read yggdrasil\/\+\/control\/out}) }
end

describe x509_certificate('/etc/mosquitto/ssl/ssl_cert.pem') do
it { should be_certificate }
it { should be_valid }
end
describe x509_certificate('/etc/mosquitto/ssl/ssl_cert.pem') do
it { should be_certificate }
it { should be_valid }
end

describe file('/etc/mosquitto/ssl/ssl_cert.pem') do
it { should be_file }
it { should be_mode 440 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'mosquitto' }
end
describe file('/etc/mosquitto/ssl/ssl_cert.pem') do
it { should be_file }
it { should be_mode 440 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'mosquitto' }
end

describe x509_private_key('/etc/mosquitto/ssl/ssl_key.pem') do
it { should_not be_encrypted }
it { should be_valid }
it { should have_matching_certificate('/etc/mosquitto/ssl/ssl_cert.pem') }
end
describe x509_private_key('/etc/mosquitto/ssl/ssl_key.pem') do
it { should_not be_encrypted }
it { should be_valid }
it { should have_matching_certificate('/etc/mosquitto/ssl/ssl_cert.pem') }
end

describe file('/etc/mosquitto/ssl/ssl_key.pem') do
it { should be_file }
it { should be_mode 440 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'mosquitto' }
end
describe file('/etc/mosquitto/ssl/ssl_key.pem') do
it { should be_file }
it { should be_mode 440 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'mosquitto' }
end

describe x509_certificate('/etc/mosquitto/ssl/ssl_ca.pem') do
it { should be_certificate }
it { should be_valid }
end

describe x509_certificate('/etc/mosquitto/ssl/ssl_ca.pem') do
it { should be_certificate }
it { should be_valid }
describe file('/etc/mosquitto/ssl/ssl_ca.pem') do
it { should be_file }
it { should be_mode 440 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'mosquitto' }
end
end

describe file('/etc/mosquitto/ssl/ssl_ca.pem') do
it { should be_file }
it { should be_mode 440 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'mosquitto' }
context 'with default mode (SSH) after enabling pull-mqtt' do
include_examples 'the example', 'remote_execution_script.pp'

it_behaves_like 'the default foreman proxy application'

describe port(1883) do
it { is_expected.not_to be_listening }
end

describe file('/etc/foreman-proxy/settings.d/remote_execution_ssh.yml') do
it { should be_file }
its(:content) { should_not match(%r{:mqtt_port: 1883}) }
its(:content) { should_not match(%r{:mqtt_broker: #{host_inventory['fqdn']}}) }
end

describe file('/etc/mosquitto/foreman.acl') do
it { should_not exist }
end

describe file('/etc/mosquitto/ssl/ssl_cert.pem') do
it { should_not exist }
end

describe file('/etc/mosquitto/ssl/ssl_key.pem') do
it { should_not exist }
end

describe file('/etc/mosquitto/ssl/ssl_ca.pem') do
it { should_not exist }
end
end

end
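Review bot: The new 'with default mode (SSH) after enabling pull-mqtt' context asserts that the four files are gone but not the two other things the manifest removes on `ensure => 'absent'`: the `/etc/mosquitto/ssl` directory (removed with `force => true`) and the `mosquitto` package itself. Adding `describe file('/etc/mosquitto/ssl') do it { should_not exist } end` and `describe package('mosquitto') do it { should_not be_installed } end` would catch a regression where the directory or package lingers after the switch back to SSH. The context also only proves cleanup if it runs after the pull-mqtt context on the same host; the description implies this, but a comment such as `# depends on the preceding pull-mqtt context having installed mosquitto on this host` above the context would make the ordering dependency explicit for anyone enabling random example ordering.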
@@ -0,0 +1,141 @@
require 'spec_helper'

describe 'foreman_proxy::plugin::remote_execution::mosquitto' do
on_plugin_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts }
let :params do {
:ssl_cert => '/etc/foreman-proxy/ssl_cert.pem',
:ssl_key => '/etc/foreman-proxy/ssl_key.pem',
:ssl_ca => '/etc/foreman-proxy/ssl_ca.pem'
} end

describe 'with default settings' do
it 'should configure mosquitto' do
should contain_class('mosquitto').
with({
:package_name => 'mosquitto',
:package_ensure => 'present',
:service_ensure => 'running',
:service_enable => true,
:config => [
'listener 1883',
'acl_file /etc/mosquitto/foreman.acl',
'cafile /etc/mosquitto/ssl/ssl_ca.pem',
'certfile /etc/mosquitto/ssl/ssl_cert.pem',
'keyfile /etc/mosquitto/ssl/ssl_key.pem',
'require_certificate true',
'use_identity_as_username true'
]
})
end

it 'should configure an ACL file' do
should contain_file('/etc/mosquitto/foreman.acl').
with_content(%r{pattern read yggdrasil/%u/data/in}).
with_content(%r{pattern write yggdrasil/%u/control/out}).
with_content(%r{user #{facts['fqdn']}}).
with_content(%r{topic write yggdrasil/\+/data/in}).
with_content(%r{topic read yggdrasil/\+/control/out}).
with({
:ensure => 'present',
:owner => 'root',
:group => 'mosquitto',
:mode => '0640'
})
end

it 'should configure a SSL directory' do
should contain_file('/etc/mosquitto/ssl').
with({
:ensure => 'directory',
:owner => 'root',
:group => 'mosquitto',
:mode => '0755'
})
end

it 'should configure an ssl_cert' do
should contain_file('/etc/mosquitto/ssl/ssl_cert.pem').
with({
:ensure => 'present',
:source => '/etc/foreman-proxy/ssl_cert.pem',
:owner => 'root',
:group => 'mosquitto',
:mode => '0440'
})
end

it 'should configure an ssl_key' do
should contain_file('/etc/mosquitto/ssl/ssl_key.pem').
with({
:ensure => 'present',
:source => '/etc/foreman-proxy/ssl_key.pem',
:owner => 'root',
:group => 'mosquitto',
:mode => '0440'
})
end

it 'should configure an ssl_ca' do
should contain_file('/etc/mosquitto/ssl/ssl_ca.pem').
with({
:ensure => 'present',
:source => '/etc/foreman-proxy/ssl_ca.pem',
:owner => 'root',
:group => 'mosquitto',
:mode => '0440'
})
end
end

describe '' do
let(:params) { super().merge(:ensure => 'absent') }

it 'should configure mosquitto' do
should contain_class('mosquitto').
with({
:package_ensure => 'absent',
:service_ensure => 'stopped',
:service_enable => false,
})
end

it 'should configure an ACL file' do
should contain_file('/etc/mosquitto/foreman.acl').
with({
:ensure => 'absent',
})
end

it 'should configure a SSL directory' do
should contain_file('/etc/mosquitto/ssl').
with({
:ensure => 'absent',
})
end

it 'should configure an ssl_cert' do
should contain_file('/etc/mosquitto/ssl/ssl_cert.pem').
with({
:ensure => 'absent',
})
end

it 'should configure an ssl_key' do
should contain_file('/etc/mosquitto/ssl/ssl_key.pem').
with({
:ensure => 'absent',
})
end

it 'should configure an ssl_ca' do
should contain_file('/etc/mosquitto/ssl/ssl_ca.pem').
with({
:ensure => 'absent',
})
end
end
end
end
end
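Review bot: The second `describe ''` block (the `ensure => 'absent'` case) has an empty description, so its failures report under a blank group name; it should read `describe 'with ensure => absent' do`. The ACL expectation interpolates `facts['fqdn']`, while the manifest under test derives the user from `$facts['networking']['fqdn']`; if the `os_facts` fixture has no top-level `fqdn` key the interpolation yields `%r{user }`, which matches any `user` line and silently weakens the check. Reading the same `networking` path the manifest uses, or asserting the interpolated value is non-nil before building the regex, would keep the test meaningful across fact fixtures.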