Fix issue #51869 and add cert signing test

2025-04-17 10:10:20 +00:00 · 2019-04-02 02:24:14 +00:00 · 2019-04-02 02:24:14 +00:00 · 0bd08261be
commit 0bd08261be
parent 27e6cbf26a
5 changed files with 97 additions and 4 deletions
--- a/salt/modules/x509.py
+++ b/salt/modules/x509.py
@ -26,6 +26,7 @@ import sys
 import salt.utils.files
 import salt.utils.path
 import salt.utils.stringutils
+import salt.utils.data
 import salt.utils.platform
 import salt.exceptions
 from salt.ext import six
@ -366,7 +367,6 @@ def _get_certificate_obj(cert):
    '''
    if isinstance(cert, M2Crypto.X509.X509):
        return cert
-
    text = _text_or_file(cert)
    text = get_pem_entry(text, pem_type='CERTIFICATE')
    return M2Crypto.X509.load_cert_string(text)
@ -1391,11 +1391,10 @@ def create_certificate(
        for ignore in list(_STATE_INTERNAL_KEYWORDS) + \
                ['listen_in', 'preqrequired', '__prerequired__']:
            kwargs.pop(ignore, None)
-
        certs = __salt__['publish.publish'](
            tgt=ca_server,
            fun='x509.sign_remote_certificate',
-            arg=six.text_type(kwargs))
+            arg=salt.utils.data.decode_dict(kwargs, to_str=True))

        if not any(certs):
            raise salt.exceptions.SaltInvocationError(
--- a/tests/integration/files/conf/master.d/peers.conf
+++ b/tests/integration/files/conf/master.d/peers.conf
@ -0,0 +1,3 @@
+peer:
+  .*:
+    - x509.sign_remote_certificate
--- a/tests/integration/files/conf/minion.d/signing_policies.conf
+++ b/tests/integration/files/conf/minion.d/signing_policies.conf
@ -0,0 +1,14 @@
+x509_signing_policies:
+  ca_policy:
+    - minions: '*'
+    - signing_private_key: /etc/pki/ca.key
+    - signing_cert: /etc/pki/ca.crt
+    - O: Test Company
+    - basicConstraints: "CA:false"
+    - keyUsage: "critical digitalSignature, keyEncipherment"
+    - extendedKeyUsage: "critical serverAuth, clientAuth"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid
+    - days_valid: 730
+    - copypath: /etc/pki
+
--- a/tests/integration/files/file/base/test_cert.sls
+++ b/tests/integration/files/file/base/test_cert.sls
@ -0,0 +1,68 @@
+{% set tmp_dir = pillar['tmp_dir'] %}
+salt-minion:
+  service.running:
+    - enable: True
+    - listen:
+      - file: /tmp/salt-tests-tmpdir/config/minion.d/signing_policies.conf
+
+{{ tmp_dir }}/pki:
+  file.directory
+
+{{ tmp_dir  }}/pki/issued_certs:
+  file.directory
+
+{{ tmp_dir  }}/pki/ca.key:
+  x509.private_key_managed:
+    - bits: 4096
+    - require:
+      - file: /etc/pki
+
+{{ tmp_dir  }}/pki/ca.crt:
+  x509.certificate_managed:
+    - signing_private_key: {{ tmp_dir  }}/pki/ca.key
+    - CN: ca.example.com
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:true"
+    - keyUsage: "critical cRLSign, keyCertSign"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - days_valid: 3650
+    - days_remaining: 0
+    - backup: True
+    - managed_private_key:
+        name: {{ tmp_dir  }}/pki/ca.key
+        bits: 4096
+        backup: True
+    - require:
+      - file: {{ tmp_dir  }}/pki
+      - salt-minion
+      - {{ tmp_dir  }}/pki/ca.key
+
+mine.send:
+  module.run:
+    - func: x509.get_pem_entries
+    - kwargs:
+        glob_path: {{ tmp_dir  }}/pki/ca.crt
+    - onchanges:
+      - x509: {{ tmp_dir  }}/pki/ca.crt
+
+{{ tmp_dir  }}/pki/test.key:
+  x509.private_key_managed:
+    - bits: 4096
+    - backup: True
+
+test_crt:
+  x509.certificate_managed:
+    - name: {{ tmp_dir  }}/pki/test.crt
+    - ca_server: minion
+    - signing_policy: ca_policy
+    - public_key: {{ tmp_dir  }}/pki/test.key
+    - CN: minion
+    - days_remaining: 30
+    - backup: True
+    - managed_private_key:
+        name: {{ tmp_dir  }}/pki/test.key
+        bits: 4096
+        backup: True
--- a/tests/integration/states/test_x509.py
+++ b/tests/integration/states/test_x509.py
@ -1,13 +1,14 @@
 # -*- coding: utf-8 -*-
 from __future__ import absolute_import, unicode_literals
 import os
+import pprint
 import logging

 import salt.utils.files
 from salt.ext import six

 from tests.support.helpers import with_tempfile
-from tests.support.paths import BASE_FILES
+from tests.support.paths import BASE_FILES, TMP
 from tests.support.case import ModuleCase
 from tests.support.unit import skipIf
 from tests.support.mixins import SaltReturnAssertsMixin
@ -61,3 +62,11 @@ class x509Test(ModuleCase, SaltReturnAssertsMixin):
            assert state_result['result'] is True, state_result
        assert os.path.exists(keyfile)
        assert os.path.exists(crtfile)
+
+    def test_cert_signing(self):
+        ret = self.run_function('state.apply', ['test_cert'], pillar={'tmp_dir': TMP})
+        key = 'x509_|-test_crt_|-{}/pki/test.crt_|-certificate_managed'.format(TMP)
+        assert key in ret
+        assert 'changes' in ret[key]
+        assert 'Certificate' in ret[key]['changes']
+        assert 'New' in ret[key]['changes']['Certificate']