diff --git a/src/clj/puppetlabs/puppetserver/certificate_authority.clj b/src/clj/puppetlabs/puppetserver/certificate_authority.clj
index 7f6be7934..f897d1541 100644
--- a/src/clj/puppetlabs/puppetserver/certificate_authority.clj
+++ b/src/clj/puppetlabs/puppetserver/certificate_authority.clj
@@ -1687,6 +1687,7 @@
 (create-agent-extensions csr cacert))]
+ (common/record-action {:type :add :targets [subject] :meta {:type :certificate}})
 (write-cert-to-inventory! signed-cert ca-settings)
 (write-cert signed-cert (path-to-cert signeddir subject))
 (delete-certificate-request! ca-settings subject)
@@ -2514,5 +2515,6 @@
 result))]
 ;; submit the signing activity as one entry for all the hosts.
 (when-not (empty? (:signed results))
+ (common/record-action {:type :add :targets (:signed results) :meta {:type :certificate}})
 (report-activity (:signed results) "signed"))
 results)))))
\ No newline at end of file
diff --git a/test/integration/puppetlabs/services/certificate_authority/certificate_authority_int_test.clj b/test/integration/puppetlabs/services/certificate_authority/certificate_authority_int_test.clj
index 5fc29995a..1475911ed 100644
--- a/test/integration/puppetlabs/services/certificate_authority/certificate_authority_int_test.clj
+++ b/test/integration/puppetlabs/services/certificate_authority/certificate_authority_int_test.clj
@@ -1193,6 +1193,10 @@
 (let [certname (ks/rand-str :alpha-lower 16)
 certname-no-exist (ks/rand-str :alpha-lower 16)
 certname-with-bad-extension (ks/rand-str :alpha-lower 16)
+ call-results (atom [])
+ old-fn @common/action-registration-function
+ new-fn (fn [value] (swap! call-results conj value))
+ _ (reset! common/action-registration-function new-fn)
 _ (generate-a-csr certname [] [])
 _ (generate-a-csr certname-with-bad-extension [{:oid "1.9.9.9.9.9.0" :value "true" :critical false}] [])
 response (http-client/post 
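Review bot: The new `common/record-action` call in the 1687 hunk runs before `write-cert-to-inventory!` and `write-cert`, so an I/O failure on either of those leaves an `:add` entry for a certificate that was never persisted, and if the registered function itself throws, it aborts the write of a certificate that has already been signed. The bulk path in the 2514 hunk only records after signing has completed for `(:signed results)`; this hunk should match it by moving the call after `(delete-certificate-request! ca-settings subject)`, or at minimum after `(write-cert signed-cert (path-to-cert signeddir subject))`. The enclosing function starts and ends outside the hunk, so whether an outer handler already covers this cannot be confirmed here.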
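Review bot: The action map `{:type :add :targets (:signed results) :meta {:type :certificate}}` in the 2514 hunk repeats the 1687 hunk's literal verbatim, and its `:meta` shape differs from the existing CSR-submit action, whose `:meta` is `{:what :csr :action :submit}` (visible in the unit-test hunk at 1331); a consumer that dispatches on `:what`/`:action` would presumably not recognise these entries. If the two shapes are intentional, a small helper makes that explicit and keeps both call sites in step: `(defn- record-certificate-add [targets] (common/record-action {:type :add :targets targets :meta {:type :certificate}}))`, called here as `(record-certificate-add (:signed results))`. Nothing on the page says which activity schema these entries follow, so a one-line comment at the definition naming it would help the next reader.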
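Review bot: The swap of `common/action-registration-function` in the new `_ (reset! ...)` binding of the 1193 hunk is undone only by a trailing `(reset! common/action-registration-function old-fn)` in the 1211 hunk, so an exception from `generate-a-csr` or `http-client/post` leaves the capturing stub installed for every later test in the JVM. The same install-then-restore-without-finally pattern is introduced again in the sign/all test (hunk at 1246) and in the unit-test hunks at 448/473 and 2399/2428. A single fixture-style helper, e.g. a `with-recorded-actions` macro that creates the atom, installs the capture fn and restores `old-fn` in a `finally`, would remove both the duplication and the leak; failing that, wrap each body as `(try ... (finally (reset! common/action-registration-function old-fn)))`.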
@@ -1207,7 +1211,12 @@
 (is (= {:signed [certname]
 :no-csr [certname-no-exist]
 :signing-errors [certname-with-bad-extension]}
- (json/parse-string (:body response) true)))))
+ (json/parse-string (:body response) true)))
+ (is (= [{:type :add
+ :targets [certname]
+ :meta {:type :certificate}}]
+ @call-results))
+ (reset! common/action-registration-function old-fn)))
 (testing "throws schema violation for invalid certname"
 (let [error-msg "{\"kind\":\"schema-violation\""
 response (http-client/post 
@@ -1237,38 +1246,47 @@
 :ssl-key (str bootstrap/server-conf-dir "/ssl/private_keys/localhost.pem")
 :ssl-ca-cert (str bootstrap/server-conf-dir "/ca/ca_crt.pem")
 :ssl-crl-path (str bootstrap/server-conf-dir "/ssl/crl.pem")}}
- (testing "PE-37634 PE-sign-all with no pending certs returns 200 with expected payload"
- (let [response (http-client/post
- "https://localhost:8140/puppet-ca/v1/sign/all"
- {:ssl-cert (str bootstrap/server-conf-dir "/ca/ca_crt.pem")
- :ssl-key (str bootstrap/server-conf-dir "/ca/ca_key.pem")
- :ssl-ca-cert (str bootstrap/server-conf-dir "/ca/ca_crt.pem")
- :as :text
- :headers {"Accept" "application/json"}})]
- (is (= 200 (:status response)))
- (is (= {:signed []
- :no-csr []
- :signing-errors []}
- (json/parse-string (:body response) true)))))
- (testing "returns 200 with valid payload"
- ;; note- more extensive testing of the behavior is done with the testing in sign-multiple-certificate-signing-requests!-test
- (let [certname (ks/rand-str :alpha-lower 16)
- certname-with-bad-extension (ks/rand-str :alpha-lower 16)
- _ (generate-a-csr certname [] [])
- _ (generate-a-csr certname-with-bad-extension [{:oid "1.9.9.9.9.9.0" :value "true" :critical false}] [])
- response (http-client/post
- "https://localhost:8140/puppet-ca/v1/sign/all"
- {:ssl-cert (str bootstrap/server-conf-dir "/ca/ca_crt.pem")
- :ssl-key (str bootstrap/server-conf-dir "/ca/ca_key.pem")
- :ssl-ca-cert (str bootstrap/server-conf-dir "/ca/ca_crt.pem")
- :as :text
- :headers {"Accept" "application/json"}})]
- (is (= 200 (:status response)))
- (is (= {:signed [certname]
- ;; this would represent any files that are removed between when the set is collected, and when they are processed.
- :no-csr []
- :signing-errors [certname-with-bad-extension]}
- (json/parse-string (:body response) true))))))))
+ (let [old-fn @common/action-registration-function
+ call-results (atom [])
+ new-fn (fn [value] (swap! call-results conj value))]
+ (reset! 
common/action-registration-function new-fn)
+ (testing "PE-37634 PE-sign-all with no pending certs returns 200 with expected payload"
+ (let [response (http-client/post
+ "https://localhost:8140/puppet-ca/v1/sign/all"
+ {:ssl-cert (str bootstrap/server-conf-dir "/ca/ca_crt.pem")
+ :ssl-key (str bootstrap/server-conf-dir "/ca/ca_key.pem")
+ :ssl-ca-cert (str bootstrap/server-conf-dir "/ca/ca_crt.pem")
+ :as :text
+ :headers {"Accept" "application/json"}})]
+ (is (= 200 (:status response)))
+ (is (= {:signed []
+ :no-csr []
+ :signing-errors []}
+ (json/parse-string (:body response) true)))
+ (is (= [] @call-results))))
+ (testing "returns 200 with valid payload"
+ ;; note- more extensive testing of the behavior is done with the testing in sign-multiple-certificate-signing-requests!-test
+ (let [certname (ks/rand-str :alpha-lower 16)
+ certname-with-bad-extension (ks/rand-str :alpha-lower 16)
+ _ (generate-a-csr certname [] [])
+ _ (generate-a-csr certname-with-bad-extension [{:oid "1.9.9.9.9.9.0" :value "true" :critical false}] [])
+ response (http-client/post
+ "https://localhost:8140/puppet-ca/v1/sign/all"
+ {:ssl-cert (str bootstrap/server-conf-dir "/ca/ca_crt.pem")
+ :ssl-key (str bootstrap/server-conf-dir "/ca/ca_key.pem")
+ :ssl-ca-cert (str bootstrap/server-conf-dir "/ca/ca_crt.pem")
+ :as :text
+ :headers {"Accept" "application/json"}})]
+ (is (= 200 (:status response)))
+ (is (= {:signed [certname]
+ ;; this would represent any files that are removed between when the set is collected, and when they are processed.
+ :no-csr []
+ :signing-errors [certname-with-bad-extension]}
+ (json/parse-string (:body response) true)))
+ (is (= [{:type :add
+ :targets [certname]
+ :meta {:type :certificate}}] @call-results))))
+ (reset! common/action-registration-function old-fn)))))
 (deftest ca-certificate-renew-endpoint-test
 (testing "with the feature enabled" 
diff --git a/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj b/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj
index cb35a5cfa..31c5e9d07 100644
--- a/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj
+++ b/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj
@@ -448,7 +448,11 @@
 csr (-> (:csrdir settings)
 (ca/path-to-cert-request "test-agent")
 (utils/pem->csr))
- expected-cert-path (ca/path-to-cert (:signeddir settings) "test-agent")]
+ expected-cert-path (ca/path-to-cert (:signeddir settings) "test-agent")
+ old-fn @common/action-registration-function
+ call-results (atom [])
+ new-fn (fn [value] (swap! call-results conj value))]
+ (reset! common/action-registration-function new-fn)
 ;; Fix the value of "now" so we can reliably test the dates
 (time/do-at now
 (ca/autosign-certificate-request! "test-agent" csr settings (constantly nil)))
@@ -469,7 +473,14 @@
 (testing "not-before is 1 day before now"
 (is (= (time/minus now (time/days 1)) not-before)))
 (testing "not-after is 2 years from now"
- (is (= (time/plus now (time/years 2)) not-after))))))))
+ (is (= (time/plus now (time/years 2)) not-after)))))
+
+ (testing "correctly reports node activity"
+ (is (= [{:type :add,
+ :targets ["test-agent"],
+ :meta {:type :certificate}}]
+ @call-results)))
+ (reset! common/action-registration-function old-fn))))
 (deftest autosign-without-capub
 (testing "The CA public key file is not necessary to autosign"
@@ -1320,7 +1331,10 @@
 (ca/process-csr-submission! subject-name csr settings (constantly nil))
 (is (= [{:type :info
 :targets [subject-name]
- :meta {:what :csr :action :submit}}]
+ :meta {:what :csr :action :submit}}
+ {:type :add
+ :targets [subject-name]
+ :meta {:type :certificate}}]
 @call-results))
 (reset! common/action-registration-function old-fn)))))
@@ -2385,6 +2399,10 @@
 all-csrs (concat good-csrs bad-names unauthorized unapproved-extensions)
 _ (println "add in bad names and shuffle")
 all-names (shuffle (concat (map :subject-name all-csrs) random-csr-names))
+ old-fn @common/action-registration-function
+ call-results (atom [])
+ new-fn (fn [value] (swap! call-results conj value))
+ _ (reset! common/action-registration-function new-fn)
 result (ca/sign-multiple-certificate-signing-requests! all-names settings report-activity)
 signed-set (set (:signed result))
 not-found-set (set (:no-csr result))
@@ -2397,6 +2415,10 @@
 (testing "all the signed entries should be present"
 (is (= good-csrs-set signed-set))
+ (is (= 1 (count @call-results)))
+ (is (= {:type :add :targets good-csrs-set :meta {:type :certificate}}
+ ;; convert the targets to a set for comparison
+ (update-in (first @call-results) [:targets] set)))
 (testing "none of the valid csrs should be in the not-signed set"
 (is (empty? (clojure.set/intersection unsigned-set good-csrs-set))))
 (testing "all of the random names should be in the not-found-set"
@@ -2406,7 +2428,8 @@
 (testing "all of the unauthorized names should be in the not-signed"
 (is (= unauthorized-set (clojure.set/intersection unsigned-set unauthorized-set))))
 (testing "all of the unapproved names should be in the not-signed"
- (is (= unapproved-extensions-set (clojure.set/intersection unsigned-set unapproved-extensions-set)))))))))
+ (is (= unapproved-extensions-set (clojure.set/intersection unsigned-set unapproved-extensions-set)))))
+ (reset! common/action-registration-function old-fn)))))
 (def default-permissions (into-array FileAttribute [(ks-file/perms->attribute "rw-------")]))