From 60e02869656b38797b21ac11261b741ca3dfbd37 Mon Sep 17 00:00:00 2001
From: Gavin Williams
Date: Fri, 13 Mar 2020 17:11:23 +0000
Subject: [PATCH 1/6] Tweak the 'confine' statements on the 'elasticsearch_user' providers.
With the previous behaviour, _both_ providers were being considered, and the older `users` provider was winning. This meant we were using the deprecated `bin/x-pack/users` script.
---
 .../elasticsearch_user/elasticsearch_users.rb | 1 +
 lib/puppet/provider/elasticsearch_user/users.rb | 11 ++++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/lib/puppet/provider/elasticsearch_user/elasticsearch_users.rb b/lib/puppet/provider/elasticsearch_user/elasticsearch_users.rb
index 9bfe962ec..ba47d9ebf 100644
--- a/lib/puppet/provider/elasticsearch_user/elasticsearch_users.rb
+++ b/lib/puppet/provider/elasticsearch_user/elasticsearch_users.rb
@@ -5,6 +5,7 @@
 :parent => Puppet::Provider::ElasticUserCommand
 ) do
 desc 'Provider for OSS X-Pack user resources.'
+ confine :exists => "#{homedir}/bin/elasticsearch-users"
 has_feature :manages_plaintext_passwords
diff --git a/lib/puppet/provider/elasticsearch_user/users.rb b/lib/puppet/provider/elasticsearch_user/users.rb
index 08f01a8bb..83e02ee41 100644
--- a/lib/puppet/provider/elasticsearch_user/users.rb
+++ b/lib/puppet/provider/elasticsearch_user/users.rb
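Review bot: The new `confine :exists` line carries no explanation of the provider split it implements, while its counterpart in users.rb gets a six-line comment, so a reader of this file alone cannot tell why the OSS provider is now gated on the script being present. A one-line comment above it would close that gap: `# Only suitable once bin/elasticsearch-users exists; the legacy 'users' provider covers the deprecated bin/x-pack/users script.` The provide block starts and ends outside the hunk.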
@@ -5,7 +5,16 @@
 :parent => Puppet::Provider::ElasticUserCommand
 ) do
 desc 'Provider for X-Pack file (users) user resources.'
- confine :false => (Puppet::FileSystem.exist? "#{homedir}/bin/elasticsearch-users")
+
+ # Prefer the newer 'elasticsearch-users' command provider
+ # if the 'elasticsearch_users' command exists.
+ # The logic looks a bit backwards here, but that's because
+ # Puppet evals the 'confine' statement early on.
+ # So we could hit false-positives due to the package
+ # being installed in the same Puppet run.
+ confine :true => begin
+ false if File.exist?("#{homedir}/bin/elasticsearch-users")
+ end
 has_feature :manages_plaintext_passwords
From b7b06e5655aab1d92a08ec4a1ca7daea3f479880 Mon Sep 17 00:00:00 2001
From: Gavin Williams
Date: Tue, 17 Mar 2020 12:59:06 +0000
Subject: [PATCH 2/6] Use current travis group
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index 280d71b06..a297ae075 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,5 +1,5 @@
 sudo: required
-group: deprecated-2017Q4
+# group: deprecated-2017Q4
 services:
 - docker
 cache:
From fc3b8d790c196a5c6932d82e2a04771830cb5ff9 Mon Sep 17 00:00:00 2001
From: Gavin Williams
Date: Thu, 19 Mar 2020 12:47:17 +0000
Subject: [PATCH 3/6] Tweak TLS certificate generation
Update signatures to SHA256, and move the certificate SANS config onto the node certs.
---
 spec/spec_helper_tls.rb | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/spec/spec_helper_tls.rb b/spec/spec_helper_tls.rb
index bd9756274..c3a125015 100644
--- a/spec/spec_helper_tls.rb
+++ b/spec/spec_helper_tls.rb
@@ -6,7 +6,7 @@ def gen_certs(num_certs, path)
 ca_key = OpenSSL::PKey::RSA.new 2048
 # CA Cert
- ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example'
+ ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example/DC=com'
 ca_cert = OpenSSL::X509::Certificate.new
 ca_cert.serial = serial
 serial += 1
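Review bot: The `begin ... end` handed to `confine :true` evaluates to `nil` when bin/elasticsearch-users is absent and to `false` when it is present, and as far as I can tell Puppet's `true` confine only passes a truthy value, so this provider looks unsuitable in both cases rather than "suitable only while the new script is missing" as the comment intends. If the targeted Puppet release evaluates callables in confines lazily, `confine :true => lambda { !File.exist?("#{homedir}/bin/elasticsearch-users") }` expresses that intent and also sidesteps the early-evaluation problem the comment describes; otherwise the removed `confine :false => ...exist?(...)` form was at least correct on hosts where the package is already installed, so this is worth checking against the module's supported Puppet versions before merging. The comment's `'elasticsearch_users' command` should also read `elasticsearch-users`, the script name actually checked. The provide block starts and ends outside the hunk.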
@@ -19,16 +19,16 @@ def gen_certs(num_certs, path)
 extension_factory = OpenSSL::X509::ExtensionFactory.new
 extension_factory.subject_certificate = ca_cert
 extension_factory.issuer_certificate = ca_cert
- ca_cert.add_extension extension_factory.create_extension(
- 'subjectAltName', ['localhost', '127.0.0.1'].map { |d| "DNS: #{d}" }.join(',')
- )
+ # ca_cert.add_extension extension_factory.create_extension(
+ # 'subjectAltName', ['localhost', '127.0.0.1'].map { |d| "DNS: #{d}" }.join(',')
+ # )
 ca_cert.add_extension extension_factory.create_extension(
 'subjectKeyIdentifier', 'hash'
 )
 ca_cert.add_extension extension_factory.create_extension(
 'basicConstraints', 'CA:TRUE', true
 )
- ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new
+ ca_cert.sign ca_key, OpenSSL::Digest::SHA256.new
 ret[:ca] = {
 :cert => {
 :pem => ca_cert.to_pem,
@@ -38,7 +38,7 @@ def gen_certs(num_certs, path)
 num_certs.times do |i|
 key, cert, serial = gen_cert_pair serial, ca_cert
- cert.sign ca_key, OpenSSL::Digest::SHA1.new
+ cert.sign ca_key, OpenSSL::Digest::SHA256.new
 ret[:clients] << {
 :key => {
 :pem => key.to_pem,
@@ -58,7 +58,11 @@ def gen_cert_pair(serial, ca_cert)
 serial += 1
 # Node Key
 key = OpenSSL::PKey::RSA.new 2048
- node_name = OpenSSL::X509::Name.parse 'CN=localhost/DC=example'
+ node_name = OpenSSL::X509::Name.parse 'CN=localhost/DC=example/DC=com'
+
+ # prepare SANS list
+ sans = ['localhost.localdomain', 'localhost', 'localhost.example.com']
+ sans_list = sans.map { |domain| "DNS:#{domain}" }
 # Node Cert
 cert = OpenSSL::X509::Certificate.new
@@ -75,6 +79,10 @@ def gen_cert_pair(serial, ca_cert)
 csr_extension_factory.subject_certificate = cert
 csr_extension_factory.issuer_certificate = ca_cert
+ cert.add_extension csr_extension_factory.create_extension(
+ 'subjectAltName',
+ sans_list.join(',')
+ )
 cert.add_extension csr_extension_factory.create_extension(
 'basicConstraints', 'CA:FALSE'
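Review bot: The three `# ca_cert.add_extension ... 'subjectAltName' ...` lines in the CA section are dead code kept as comments; dropping the SAN from the CA is the right call and the commit message already records it, so delete the block outright rather than leaving a commented copy for git history to duplicate. While touching the CA extensions, if no `keyUsage` is set on `ca_cert` in the lines above this hunk (they are not visible here), adding `'keyUsage', 'keyCertSign,cRLSign', true` next to the critical `basicConstraints` would make the test CA conform to what stricter validators expect. `gen_certs` starts and ends outside the hunk.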
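Review bot: The new `sans` list drops the `127.0.0.1` entry the old CA SAN carried and has no IP entry at all, so under standard hostname verification a client that reaches the node by loopback address rather than by `localhost` will not match this certificate; if any acceptance test connects to `https://127.0.0.1:...`, that is where it will surface. Add the loopback as an IP SAN (the old `"DNS: 127.0.0.1"` form was the wrong type anyway): `sans_list = sans.map { |domain| "DNS:#{domain}" } + ['IP:127.0.0.1']`, plus `'IP:::1'` if the tests ever use IPv6. `gen_cert_pair` starts and ends outside the hunk.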
@@ -83,6 +91,10 @@ def gen_cert_pair(serial, ca_cert)
 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature'
 )
+ cert.add_extension csr_extension_factory.create_extension(
+ 'extendedKeyUsage',
+ 'serverAuth,clientAuth'
+ )
 cert.add_extension csr_extension_factory.create_extension(
 'subjectKeyIdentifier', 'hash'
 )
From a7b2fce0bc04e1a69add68bd557cc411a3bec64e Mon Sep 17 00:00:00 2001
From: Gavin Williams
Date: Thu, 19 Mar 2020 14:14:51 +0000
Subject: [PATCH 4/6] Pin facter gem version
---
 Gemfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Gemfile b/Gemfile
index 61eef4a7a..6abd16b53 100644
--- a/Gemfile
+++ b/Gemfile
@@ -8,7 +8,7 @@ group :test do
 gem 'xmlrpc'
 gem 'ci_reporter_rspec'
- gem 'facter'
+ gem 'facter', "~> 2.4"
 gem 'pry'
 gem 'puppet-lint'
 gem 'puppet-strings'
From b07ce64e4442052697bb7bbf09e61cb305347d30 Mon Sep 17 00:00:00 2001
From: Gavin Williams
Date: Thu, 19 Mar 2020 14:48:59 +0000
Subject: [PATCH 5/6] Use documentation format, so can see what's happening
---
 Rakefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Rakefile b/Rakefile
index f453bd560..cc9b964ba 100644
--- a/Rakefile
+++ b/Rakefile
@@ -140,7 +140,7 @@ beaker_node_sets.each do |node|
 args.with_defaults(:version => '6.8.6', :filter => nil)
 task.pattern = 'spec/acceptance/tests/acceptance_spec.rb'
 task.rspec_opts = []
- task.rspec_opts << '--format documentation' if ENV['CI'].nil?
+ task.rspec_opts << '--format documentation'
 task.rspec_opts << "--example '#{args[:filter]}'" if args[:filter]
 ENV['ELASTICSEARCH_VERSION'] ||= args[:version]
 Rake::Task['artifact:fetch'].invoke(ENV['ELASTICSEARCH_VERSION'])
From 090a31ffce7976e1e49c1e1da16ecf0e181f2fc5 Mon Sep 17 00:00:00 2001
From: Gavin Williams
Date: Fri, 20 Mar 2020 11:32:35 +0000
Subject: [PATCH 6/6] Remove Elasticsearch 5 tests.
Dropping support from this module for ES 5 means that we only support 'current'' and 'previous' major versions, which is a saner approach.
---
 .travis.yml | 36 ------------------------------------
 1 file changed, 36 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index a297ae075..e8eebac3d 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -52,75 +52,39 @@ jobs:
 env:
 - BEAKER_PUPPET_COLLECTION=puppet6
 - TASK=beaker:centos-6-x64:acceptance
- - env:
- - BEAKER_PUPPET_COLLECTION=puppet6
- - TASK=beaker:centos-6-x64:acceptance[5.6.16]
 - env:
 - BEAKER_PUPPET_COLLECTION=puppet6
 - TASK=beaker:centos-7-x64:acceptance
- - env:
- - BEAKER_PUPPET_COLLECTION=puppet6
- - TASK=beaker:centos-7-x64:acceptance[5.6.16]
 - env:
 - BEAKER_PUPPET_COLLECTION=puppet6
 - TASK=beaker:centos-8-x64:acceptance
- - env:
- - BEAKER_PUPPET_COLLECTION=puppet6
- - TASK=beaker:centos-8-x64:acceptance[5.6.16]
 - env:
 - BEAKER_PUPPET_COLLECTION=puppet6
 - TASK=beaker:amazonlinux-1-x64:acceptance
- - env:
- - BEAKER_PUPPET_COLLECTION=puppet6
- - TASK=beaker:amazonlinux-1-x64:acceptance[5.6.16]
 - env:
 - BEAKER_PUPPET_COLLECTION=puppet6
 - TASK=beaker:oracle-6-x64:acceptance
- - env:
- - BEAKER_PUPPET_COLLECTION=puppet6
- - TASK=beaker:oracle-6-x64:acceptance[5.6.16]
 - env:
 - BEAKER_PUPPET_COLLECTION=puppet6
 - TASK=beaker:oracle-7-x64:acceptance
- - env:
- - BEAKER_PUPPET_COLLECTION=puppet6
- - TASK=beaker:oracle-7-x64:acceptance[5.6.16]
 - env:
 - BEAKER_PUPPET_COLLECTION=puppet6
 - TASK=beaker:debian-8-x64:acceptance
- - env:
- - BEAKER_PUPPET_COLLECTION=puppet6
- - TASK=beaker:debian-8-x64:acceptance[5.6.16]
 - env:
 - BEAKER_PUPPET_COLLECTION=puppet6
 - TASK=beaker:debian-9-x64:acceptance
- - env:
- - BEAKER_PUPPET_COLLECTION=puppet6
- - TASK=beaker:debian-9-x64:acceptance[5.6.16]
 - env:
 - BEAKER_PUPPET_COLLECTION=puppet6
 - TASK=beaker:debian-10-x64:acceptance
- - env:
- - BEAKER_PUPPET_COLLECTION=puppet6
- - TASK=beaker:debian-10-x64:acceptance[5.6.16]
 - env:
 - BEAKER_PUPPET_COLLECTION=puppet6
 - TASK=beaker:ubuntu-server-1404-x64:acceptance
- - env:
- - BEAKER_PUPPET_COLLECTION=puppet6
- - TASK=beaker:ubuntu-server-1404-x64:acceptance[5.6.16]
 - env:
 - BEAKER_PUPPET_COLLECTION=puppet6
 - TASK=beaker:ubuntu-server-1604-x64:acceptance
- - env:
- - BEAKER_PUPPET_COLLECTION=puppet6
- - TASK=beaker:ubuntu-server-1604-x64:acceptance[5.6.16]
 - env:
 - BEAKER_PUPPET_COLLECTION=puppet6
 - TASK=beaker:ubuntu-server-1804-x64:acceptance
- - env:
- - BEAKER_PUPPET_COLLECTION=puppet6
- - TASK=beaker:ubuntu-server-1804-x64:acceptance[5.6.16]
 - stage: snapshots
 env:
 - TASK=beaker:ubuntu-server-1404-x64:snapshot