Refs #28924: Drop amqp key and truststore

theforeman · Apr 15, 2020 · 2ef13b0 · 2ef13b0
1 parent 167d53c
commit 2ef13b0
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 43 deletions.
diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp
@@ -10,9 +10,6 @@
   $pki_dir                = $certs::pki_dir,
   $keystore               = $certs::candlepin_keystore,
   $keystore_password_file = $certs::keystore_password_file,
-  $amqp_truststore        = $certs::candlepin_amqp_truststore,
-  $amqp_keystore          = $certs::candlepin_amqp_keystore,
-  $amqp_store_dir         = $certs::candlepin_amqp_store_dir,
   $country                = $certs::country,
   $state                  = $certs::state,
   $city                   = $certs::city,
@@ -31,6 +28,8 @@
   }
 
   $java_client_cert_name = 'java-client'
+  $artemis_alias = 'artemis-client'
+  $artemis_client_dn = "C=${city}, ST=${state}, O=candlepin, OU=${org_unit}, CN=${hostname}"
 
   cert { $java_client_cert_name:
     ensure        => present,
@@ -117,35 +116,27 @@
       mode   => '0640',
     } ~>
     certs::keypair { 'candlepin':
-      key_pair  => Cert[$java_client_cert_name],
-      key_file  => $client_key,
-      cert_file => $client_cert,
-    } ~>
-    file { $amqp_store_dir:
-      ensure => directory,
-      owner  => 'tomcat',
-      group  => $group,
-      mode   => '0750',
+      key_pair    => Cert[$java_client_cert_name],
+      key_file    => $client_key,
+      cert_file   => $client_cert,
+      manage_cert => true,
+      cert_owner  => $user,
+      cert_group  => $group,
+      cert_mode   => '0440',
+      manage_key  => true,
+      key_owner   => $user,
+      key_group   => $group,
+      key_mode    => '0440',
     } ~>
     exec { 'import CA into Candlepin truststore':
       command => "keytool -import -trustcacerts -v -keystore ${keystore} -storepass ${keystore_password} -alias ${alias} -file ${ca_cert} -noprompt",
       unless  => "keytool -list -keystore ${keystore} -storepass ${keystore_password} -alias ${alias}",
     } ~>
-    exec { 'import CA into Candlepin AMQP truststore':
-      command => "keytool -import -v -keystore ${amqp_truststore} -storepass ${keystore_password} -alias ${alias} -file ${ca_cert} -trustcacerts -noprompt",
-      unless  => "keytool -list -keystore ${amqp_truststore} -storepass ${keystore_password} -alias ${alias}",
-    } ~>
     exec { 'import client certificate into Candlepin keystore':
       # Stupid keytool doesn't allow you to import a keypair.  You can only import a cert.  Hence, we have to
       # create the store as an PKCS12 and convert to JKS.  See http://stackoverflow.com/a/8224863
-      command => "openssl pkcs12 -export -name amqp-client -in ${client_cert} -inkey ${client_key} -out /tmp/keystore.p12 -passout file:${password_file} && keytool -importkeystore -destkeystore ${amqp_keystore} -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass ${keystore_password} -srcstorepass ${keystore_password} -noprompt && rm /tmp/keystore.p12",
-      unless  => "keytool -list -keystore ${amqp_keystore} -storepass ${keystore_password} -alias amqp-client",
-    } ~>
-    file { $amqp_keystore:
-      ensure => file,
-      owner  => 'tomcat',
-      group  => $group,
-      mode   => '0640',
+      command => "openssl pkcs12 -export -name ${artemis_alias} -in ${client_cert} -inkey ${client_key} -out /tmp/keystore.p12 -passout file:${password_file} && keytool -importkeystore -destkeystore ${keystore} -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias ${artemis_alias} -storepass ${keystore_password} -srcstorepass ${keystore_password} -noprompt && rm /tmp/keystore.p12",
+      unless  => "keytool -list -keystore ${keystore} -storepass ${keystore_password} -alias ${artemis_alias} | grep $(openssl x509 -noout -fingerprint -in ${client_cert} | cut -d '=' -f 2)",
     }
   }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -60,9 +60,6 @@
   $candlepin_keystore               = "${candlepin_certs_dir}/keystore"
   $candlepin_ca_cert                = "${candlepin_certs_dir}/candlepin-ca.crt"
   $candlepin_ca_key                 = "${candlepin_certs_dir}/candlepin-ca.key"
-  $candlepin_amqp_store_dir         = "${candlepin_certs_dir}/amqp"
-  $candlepin_amqp_truststore        = "${candlepin_amqp_store_dir}/candlepin.truststore"
-  $candlepin_amqp_keystore          = "${candlepin_amqp_store_dir}/candlepin.jks"
 
   # Settings for uploading packages to Katello
   $katello_user           = undef

diff --git a/spec/acceptance/candlepin_spec.rb b/spec/acceptance/candlepin_spec.rb
@@ -10,7 +10,7 @@
         ensure => present,
       }
 
-      ['/usr/share/tomcat/conf', '/etc/candlepin/certs/amqp'].each |$dir| {
+      ['/usr/share/tomcat/conf', '/etc/candlepin/certs'].each |$dir| {
         exec { "mkdir -p ${dir}":
           creates => $dir,
           path    => ['/bin', '/usr/bin'],
@@ -88,7 +88,7 @@
     describe command("keytool -list -keystore /etc/candlepin/certs/keystore -storepass $(cat #{keystore_password_file})") do
       its(:exit_status) { should eq 0 }
       its(:stdout) { should match(/^Keystore type: PKCS12$/i) }
-      its(:stdout) { should match(/^Your keystore contains 2 entries$/) }
+      its(:stdout) { should match(/^Your keystore contains 3 entries$/) }
       its(:stdout) { should match(/^tomcat, .+, PrivateKeyEntry, $/) }
       its(:stdout) { should match(/^candlepin-ca, .+, trustedCertEntry, $/) }
     end
@@ -98,20 +98,6 @@
       its(:stdout) { should match(/^Owner: CN=#{host_inventory['fqdn']}, OU=SomeOrgUnit, O=Katello, L=Raleigh, ST=North Carolina, C=US$/) }
       its(:stdout) { should match(/^Issuer: CN=#{host_inventory['fqdn']}, OU=SomeOrgUnit, O=Katello, L=Raleigh, ST=North Carolina, C=US$/) }
     end
-
-    describe command("keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.truststore -storepass $(cat #{keystore_password_file})") do
-      its(:exit_status) { should eq 0 }
-      its(:stdout) { should match(/^Keystore type: JKS$/i) }
-      its(:stdout) { should match(/^Your keystore contains 1 entry$/) }
-      its(:stdout) { should match(/^candlepin-ca, .+, trustedCertEntry, $/) }
-    end
-
-    describe command("keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.jks -storepass $(cat #{keystore_password_file})") do
-      its(:exit_status) { should eq 0 }
-      its(:stdout) { should match(/^Keystore type: JKS$/i) }
-      its(:stdout) { should match(/^Your keystore contains 1 entry$/) }
-      its(:stdout) { should match(/^amqp-client, .+, PrivateKeyEntry, $/) }
-    end
   end
 
   describe 'with localhost' do