Merge branch '2019.2' into merge-2019.2

2025-04-17 10:10:20 +00:00 · 2019-04-05 13:38:40 -07:00 · 2019-04-05 13:38:40 -07:00 · 16733da066
commit 16733da066
parent fe13214bd1 6bae227f77
4 changed files with 110 additions and 4 deletions
--- a/salt/modules/x509.py
+++ b/salt/modules/x509.py
@ -26,6 +26,7 @@ import sys
 import salt.utils.files
 import salt.utils.path
 import salt.utils.stringutils
+import salt.utils.data
 import salt.utils.platform
 import salt.exceptions
 from salt.ext import six
@ -366,7 +367,6 @@ def _get_certificate_obj(cert):
    '''
    if isinstance(cert, M2Crypto.X509.X509):
        return cert
-
    text = _text_or_file(cert)
    text = get_pem_entry(text, pem_type='CERTIFICATE')
    return M2Crypto.X509.load_cert_string(text)
@ -1391,11 +1391,10 @@ def create_certificate(
        for ignore in list(_STATE_INTERNAL_KEYWORDS) + \
                ['listen_in', 'preqrequired', '__prerequired__']:
            kwargs.pop(ignore, None)
-
        certs = __salt__['publish.publish'](
            tgt=ca_server,
            fun='x509.sign_remote_certificate',
-            arg=six.text_type(kwargs))
+            arg=salt.utils.data.decode_dict(kwargs, to_str=True))

        if not any(certs):
            raise salt.exceptions.SaltInvocationError(
--- a/tests/integration/files/conf/master.d/peers.conf
+++ b/tests/integration/files/conf/master.d/peers.conf
@ -0,0 +1,3 @@
+peer:
+  .*:
+    - x509.sign_remote_certificate
--- a/tests/integration/files/file/base/test_cert.sls
+++ b/tests/integration/files/file/base/test_cert.sls
@ -0,0 +1,65 @@
+{% set tmp_dir = pillar['tmp_dir'] %}
+
+{{ tmp_dir }}/pki:
+  file.directory
+
+{{ tmp_dir  }}/pki/issued_certs:
+  file.directory
+
+{{ tmp_dir  }}/pki/ca.key:
+  x509.private_key_managed:
+    - bits: 4096
+    - require:
+      - file: {{ tmp_dir }}/pki
+
+{{ tmp_dir  }}/pki/ca.crt:
+  x509.certificate_managed:
+    - signing_private_key: {{ tmp_dir  }}/pki/ca.key
+    - CN: ca.example.com
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:true"
+    - keyUsage: "critical cRLSign, keyCertSign"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - days_valid: 3650
+    - days_remaining: 0
+    - backup: True
+    - managed_private_key:
+        name: {{ tmp_dir  }}/pki/ca.key
+        bits: 4096
+        backup: True
+    - require:
+      - file: {{ tmp_dir  }}/pki
+      - {{ tmp_dir  }}/pki/ca.key
+
+mine.send:
+  module.run:
+    - func: x509.get_pem_entries
+    - kwargs:
+        glob_path: {{ tmp_dir  }}/pki/ca.crt
+    - onchanges:
+      - x509: {{ tmp_dir  }}/pki/ca.crt
+
+{{ tmp_dir  }}/pki/test.key:
+  x509.private_key_managed:
+    - bits: 4096
+    - backup: True
+
+test_crt:
+  x509.certificate_managed:
+    - name: {{ tmp_dir  }}/pki/test.crt
+    - ca_server: minion
+    - signing_policy: ca_policy
+    - public_key: {{ tmp_dir  }}/pki/test.key
+    - CN: minion
+    - days_remaining: 30
+    - backup: True
+    - managed_private_key:
+        name: {{ tmp_dir  }}/pki/test.key
+        bits: 4096
+        backup: True
+    - require:
+        - {{ tmp_dir  }}/pki/ca.crt
+        - {{ tmp_dir  }}/pki/test.key
--- a/tests/integration/states/test_x509.py
+++ b/tests/integration/states/test_x509.py
@ -5,9 +5,10 @@ import logging

 import salt.utils.files
 from salt.ext import six
+import textwrap

 from tests.support.helpers import with_tempfile
-from tests.support.paths import BASE_FILES
+from tests.support.paths import BASE_FILES, TMP, TMP_PILLAR_TREE
 from tests.support.case import ModuleCase
 from tests.support.unit import skipIf
 from tests.support.mixins import SaltReturnAssertsMixin
@ -31,6 +32,36 @@ class x509Test(ModuleCase, SaltReturnAssertsMixin):
        with salt.utils.files.fopen(cert_path) as fp:
            cls.x509_cert_text = fp.read()

+    def setUp(self):
+        with salt.utils.files.fopen(os.path.join(TMP_PILLAR_TREE, 'signing_policies.sls'), 'w') as fp:
+            fp.write(textwrap.dedent('''\
+                x509_signing_policies:
+                  ca_policy:
+                    - minions: '*'
+                    - signing_private_key: {0}/pki/ca.key
+                    - signing_cert: {0}/pki/ca.crt
+                    - O: Test Company
+                    - basicConstraints: "CA:false"
+                    - keyUsage: "critical digitalSignature, keyEncipherment"
+                    - extendedKeyUsage: "critical serverAuth, clientAuth"
+                    - subjectKeyIdentifier: hash
+                    - authorityKeyIdentifier: keyid
+                    - days_valid: 730
+                    - copypath: {0}/pki
+                     '''.format(TMP)))
+        with salt.utils.files.fopen(os.path.join(TMP_PILLAR_TREE, 'top.sls'), 'w') as fp:
+            fp.write(textwrap.dedent('''\
+                     base:
+                       '*':
+                         - signing_policies
+                     '''))
+        self.run_function('saltutil.refresh_pillar')
+
+    def tearDown(self):
+        os.remove(os.path.join(TMP_PILLAR_TREE, 'signing_policies.sls'))
+        os.remove(os.path.join(TMP_PILLAR_TREE, 'top.sls'))
+        self.run_function('saltutil.refresh_pillar')
+
    def run_function(self, *args, **kwargs):
        ret = super(x509Test, self).run_function(*args, **kwargs)
        log.debug('ret = %s', ret)
@ -61,3 +92,11 @@ class x509Test(ModuleCase, SaltReturnAssertsMixin):
            assert state_result['result'] is True, state_result
        assert os.path.exists(keyfile)
        assert os.path.exists(crtfile)
+
+    def test_cert_signing(self):
+        ret = self.run_function('state.apply', ['test_cert'], pillar={'tmp_dir': TMP})
+        key = 'x509_|-test_crt_|-{}/pki/test.crt_|-certificate_managed'.format(TMP)
+        assert key in ret
+        assert 'changes' in ret[key]
+        assert 'Certificate' in ret[key]['changes']
+        assert 'New' in ret[key]['changes']['Certificate']