Handle existing certs and support rerun of cert generation

Will address: https://bugzilla.redhat.com/show_bug.cgi?id=1670138
ManageIQ · Mar 4, 2019 · 6188f05 · 6188f05
1 parent 9eabb10
commit 6188f05
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 9 deletions.
diff --git a/lib/manageiq/appliance_console/certificate.rb b/lib/manageiq/appliance_console/certificate.rb
@@ -1,5 +1,6 @@
 require "awesome_spawn"
-require 'linux_admin'
+require "linux_admin"
+require "fileutils"
 
 module ManageIQ
 module ApplianceConsole
@@ -40,8 +41,11 @@ def initialize(options = {})
     end
 
     def request
+      undo_tracking if complete?
+
       if should_request_key?
         principal.register
+        remove_key_pair
         request_certificate
         # NOTE: status probably changed
         set_owner_of_key unless rejected?
@@ -111,6 +115,22 @@ def enable_certmonger
 
     private
 
+    def remove_key_pair
+      FileUtils.rm_f(cert_filename) if File.exist?(cert_filename)
+      FileUtils.rm_f(key_filename)  if File.exist?(key_filename)
+    end
+
+    def undo_tracking
+      stop_tracking
+      FileUtils.rm_f(root_filename) if File.exist?(root_filename)
+      remove_key_pair
+      clear_status
+    end
+
+    def stop_tracking
+      AwesomeSpawn.run!("/usr/bin/getcert", :params => ["stop-tracking", "-f", cert_filename, "-k", key_filename])
+    end
+
     def request_first
       params = {
         nil  => "request",

diff --git a/spec/certificate_authority_spec.rb b/spec/certificate_authority_spec.rb
@@ -40,7 +40,7 @@
 
     it "should configure http" do
       ipa_configured(true)
-      expect_run(/getcert/, anything, response) # getcert returns: the certificate already exist
+      expect_run(/getcert/, anything, response).at_least(3).times
 
       expect(LinuxAdmin::Service).to receive(:new).and_return(double("Service", :restart => true))
       expect(LinuxAdmin::Service).to receive(:new).and_return(double(:enable => double(:start => nil)))
@@ -66,7 +66,7 @@
 
     it "should configure postgres client" do
       ipa_configured(true)
-      expect_run(/getcert/, anything, response) # getcert returns: the certificate already exist
+      expect_run(/getcert/, anything, response).at_least(3).times
 
       allow(File).to receive(:exist?).and_return(true)
       expect(LinuxAdmin::Service).to receive(:new).and_return(double(:enable => double(:start => nil)))
@@ -91,7 +91,7 @@
 
     it "should install postgres server" do
       ipa_configured(true)
-      expect_run(/getcert/, anything, response) # getcert returns: the certificate already exist
+      expect_run(/getcert/, anything, response).at_least(3).times
 
       expect(ManageIQ::ApplianceConsole::InternalDatabaseConfiguration).to receive(:new)
         .and_return(double("config", :activate => true, :configure_postgres => true))

diff --git a/spec/certificate_spec.rb b/spec/certificate_spec.rb
@@ -12,7 +12,9 @@
                         :hostname      => host,
                         :service       => service,
                         :realm         => realm,
-                        :cert_filename => cert_filename)
+                        :root_filename => root_filename,
+                        :cert_filename => cert_filename,
+                        :key_filename  => key_filename)
   end
 
   it "should set proper realm" do
@@ -31,7 +33,11 @@
     expect_principal_register
     expect_request
     expect_chown
-    expect_chmod([cert_filename])
+    expect_chmod([root_filename, cert_filename])
+    allow(File).to receive(:exist?).with(cert_filename).and_return(true)
+    allow(File).to receive(:exist?).with(key_filename).and_return(true)
+    expect(FileUtils).to receive(:rm_f).with(key_filename).once
+    expect(FileUtils).to receive(:rm_f).with(cert_filename).once
 
     expect(subject.request).to be_complete
     expect(subject.status).to eq(:complete)
@@ -47,9 +53,16 @@
     expect(subject.status).to eq(:rejected)
   end
 
-  it "should only run complete block if keys already exist" do
-    expect_getcert_status(response)
-    expect_chmod([cert_filename])
+  it "should reset tracking if keys already exist" do
+    expect_getcert_status(response).twice
+    expect_getcert_stop_tracking(response)
+    allow(File).to receive(:exist?).with(root_filename).and_return(true)
+    allow(File).to receive(:exist?).with(cert_filename).and_return(true)
+    allow(File).to receive(:exist?).with(key_filename).and_return(true)
+    expect(FileUtils).to receive(:rm_f).with(root_filename).once
+    expect(FileUtils).to receive(:rm_f).with(cert_filename).once
+    expect(FileUtils).to receive(:rm_f).with(key_filename).once
+    expect_chmod([root_filename, cert_filename])
     yielded = false
 
     subject.request { yielded = true }
@@ -88,6 +101,10 @@ def expect_request_again
     expect_run(/getcert/, ["resubmit", "-w", "-f", cert_filename])
   end
 
+  def expect_getcert_stop_tracking(*responses)
+    expect_run(/getcert/, ["stop-tracking", "-f", cert_filename, "-k", key_filename], *responses)
+  end
+
   def expect_getcert_status(*responses)
     expect_run(/getcert/, ["status", "-f", cert_filename], *responses)
   end