Merge branch '2019.2' into unused-salt-crypt

2025-04-17 10:10:20 +00:00 · 2019-04-08 13:48:24 -06:00 · 2019-04-08 13:48:24 -06:00 · 4b26dea9b6
commit 4b26dea9b6
parent 9607c38065 bd3ad7b83c
9 changed files with 157 additions and 12 deletions
--- a/doc/topics/releases/2019.2.0.rst
+++ b/doc/topics/releases/2019.2.0.rst
@ -289,7 +289,7 @@ a BGP policy referenced in many places, you can do so by running:

 .. code-block:: bash

-    salt '*' net.replae_pattern OLD-POLICY-CONFIG new-policy-config
+    salt '*' net.replace_pattern OLD-POLICY-CONFIG new-policy-config

 Similarly, you can also replace entire configuration blocks using the
 :mod:`net.blockreplace <salt.modules.napalm_network.blockreplace>` function.
--- a/salt/grains/core.py
+++ b/salt/grains/core.py
@ -2141,6 +2141,12 @@ def locale_info():
 def hostname():
    '''
    Return fqdn, hostname, domainname
+
+    .. note::
+        On Windows the ``domain`` grain may refer to the dns entry for the host
+        instead of the Windows domain to which the host is joined. It may also
+        be empty if not a part of any domain. Refer to the ``windowsdomain``
+        grain instead
    '''
    # This is going to need some work
    # Provides:
--- a/salt/modules/x509.py
+++ b/salt/modules/x509.py
@ -26,6 +26,7 @@ import sys
 import salt.utils.files
 import salt.utils.path
 import salt.utils.stringutils
+import salt.utils.data
 import salt.utils.platform
 import salt.exceptions
 from salt.ext import six
@ -366,7 +367,6 @@ def _get_certificate_obj(cert):
    '''
    if isinstance(cert, M2Crypto.X509.X509):
        return cert
-
    text = _text_or_file(cert)
    text = get_pem_entry(text, pem_type='CERTIFICATE')
    return M2Crypto.X509.load_cert_string(text)
@ -1391,11 +1391,10 @@ def create_certificate(
        for ignore in list(_STATE_INTERNAL_KEYWORDS) + \
                ['listen_in', 'preqrequired', '__prerequired__']:
            kwargs.pop(ignore, None)
-
        certs = __salt__['publish.publish'](
            tgt=ca_server,
            fun='x509.sign_remote_certificate',
-            arg=six.text_type(kwargs))
+            arg=salt.utils.data.decode_dict(kwargs, to_str=True))

        if not any(certs):
            raise salt.exceptions.SaltInvocationError(
--- a/tests/integration/files/conf/master.d/peers.conf
+++ b/tests/integration/files/conf/master.d/peers.conf
@ -0,0 +1,3 @@
+peer:
+  .*:
+    - x509.sign_remote_certificate
--- a/tests/integration/files/file/base/test_cert.sls
+++ b/tests/integration/files/file/base/test_cert.sls
@ -0,0 +1,65 @@
+{% set tmp_dir = pillar['tmp_dir'] %}
+
+{{ tmp_dir }}/pki:
+  file.directory
+
+{{ tmp_dir  }}/pki/issued_certs:
+  file.directory
+
+{{ tmp_dir  }}/pki/ca.key:
+  x509.private_key_managed:
+    - bits: 4096
+    - require:
+      - file: {{ tmp_dir }}/pki
+
+{{ tmp_dir  }}/pki/ca.crt:
+  x509.certificate_managed:
+    - signing_private_key: {{ tmp_dir  }}/pki/ca.key
+    - CN: ca.example.com
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:true"
+    - keyUsage: "critical cRLSign, keyCertSign"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - days_valid: 3650
+    - days_remaining: 0
+    - backup: True
+    - managed_private_key:
+        name: {{ tmp_dir  }}/pki/ca.key
+        bits: 4096
+        backup: True
+    - require:
+      - file: {{ tmp_dir  }}/pki
+      - {{ tmp_dir  }}/pki/ca.key
+
+mine.send:
+  module.run:
+    - func: x509.get_pem_entries
+    - kwargs:
+        glob_path: {{ tmp_dir  }}/pki/ca.crt
+    - onchanges:
+      - x509: {{ tmp_dir  }}/pki/ca.crt
+
+{{ tmp_dir  }}/pki/test.key:
+  x509.private_key_managed:
+    - bits: 4096
+    - backup: True
+
+test_crt:
+  x509.certificate_managed:
+    - name: {{ tmp_dir  }}/pki/test.crt
+    - ca_server: minion
+    - signing_policy: ca_policy
+    - public_key: {{ tmp_dir  }}/pki/test.key
+    - CN: minion
+    - days_remaining: 30
+    - backup: True
+    - managed_private_key:
+        name: {{ tmp_dir  }}/pki/test.key
+        bits: 4096
+        backup: True
+    - require:
+        - {{ tmp_dir  }}/pki/ca.crt
+        - {{ tmp_dir  }}/pki/test.key
--- a/tests/integration/states/test_x509.py
+++ b/tests/integration/states/test_x509.py
@ -5,9 +5,10 @@ import logging

 import salt.utils.files
 from salt.ext import six
+import textwrap

 from tests.support.helpers import with_tempfile
-from tests.support.paths import BASE_FILES
+from tests.support.paths import BASE_FILES, TMP, TMP_PILLAR_TREE
 from tests.support.case import ModuleCase
 from tests.support.unit import skipIf
 from tests.support.mixins import SaltReturnAssertsMixin
@ -31,6 +32,36 @@ class x509Test(ModuleCase, SaltReturnAssertsMixin):
        with salt.utils.files.fopen(cert_path) as fp:
            cls.x509_cert_text = fp.read()

+    def setUp(self):
+        with salt.utils.files.fopen(os.path.join(TMP_PILLAR_TREE, 'signing_policies.sls'), 'w') as fp:
+            fp.write(textwrap.dedent('''\
+                x509_signing_policies:
+                  ca_policy:
+                    - minions: '*'
+                    - signing_private_key: {0}/pki/ca.key
+                    - signing_cert: {0}/pki/ca.crt
+                    - O: Test Company
+                    - basicConstraints: "CA:false"
+                    - keyUsage: "critical digitalSignature, keyEncipherment"
+                    - extendedKeyUsage: "critical serverAuth, clientAuth"
+                    - subjectKeyIdentifier: hash
+                    - authorityKeyIdentifier: keyid
+                    - days_valid: 730
+                    - copypath: {0}/pki
+                     '''.format(TMP)))
+        with salt.utils.files.fopen(os.path.join(TMP_PILLAR_TREE, 'top.sls'), 'w') as fp:
+            fp.write(textwrap.dedent('''\
+                     base:
+                       '*':
+                         - signing_policies
+                     '''))
+        self.run_function('saltutil.refresh_pillar')
+
+    def tearDown(self):
+        os.remove(os.path.join(TMP_PILLAR_TREE, 'signing_policies.sls'))
+        os.remove(os.path.join(TMP_PILLAR_TREE, 'top.sls'))
+        self.run_function('saltutil.refresh_pillar')
+
    def run_function(self, *args, **kwargs):
        ret = super(x509Test, self).run_function(*args, **kwargs)
        log.debug('ret = %s', ret)
@ -61,3 +92,11 @@ class x509Test(ModuleCase, SaltReturnAssertsMixin):
            assert state_result['result'] is True, state_result
        assert os.path.exists(keyfile)
        assert os.path.exists(crtfile)
+
+    def test_cert_signing(self):
+        ret = self.run_function('state.apply', ['test_cert'], pillar={'tmp_dir': TMP})
+        key = 'x509_|-test_crt_|-{}/pki/test.crt_|-certificate_managed'.format(TMP)
+        assert key in ret
+        assert 'changes' in ret[key]
+        assert 'Certificate' in ret[key]['changes']
+        assert 'New' in ret[key]['changes']['Certificate']
--- a/tests/unit/grains/test_core.py
+++ b/tests/unit/grains/test_core.py
@ -136,6 +136,28 @@ class CoreGrainsTestCase(TestCase, LoaderModuleMockMixin):
            os_release = core._parse_os_release('/etc/os-release', '/usr/lib/os-release')
        self.assertEqual(os_release, {})

+    @skipIf(not salt.utils.platform.is_windows(), 'System is not Windows')
+    def test__windows_platform_data(self):
+        grains = core._windows_platform_data()
+        keys = ['biosversion',
+                'osrelease',
+                'domain',
+                'kernelrelease',
+                'motherboard',
+                'serialnumber',
+                'timezone',
+                'manufacturer',
+                'kernelversion',
+                'osservicepack',
+                'virtual',
+                'productname',
+                'osfullname',
+                'osmanufacturer',
+                'osversion',
+                'windowsdomain']
+        for key in keys:
+            self.assertIn(key, grains)
+
    @skipIf(not salt.utils.platform.is_linux(), 'System is not Linux')
    def test_gnu_slash_linux_in_os_name(self):
        '''
--- a/tests/unit/test_config.py
+++ b/tests/unit/test_config.py
@ -197,9 +197,12 @@ class SampleConfTest(TestCase):
        commented out. This test loops through all of the files in that directory to check
        for any lines that are not commented or blank.
        '''
-        cloud_sample_files = os.listdir(SAMPLE_CONF_DIR + 'cloud.profiles.d/')
+        cloud_sample_dir = SAMPLE_CONF_DIR + 'cloud.profiles.d/'
+        if not os.path.exists(cloud_sample_dir):
+            self.skipTest("Sample config directory '{}' is missing.".format(cloud_sample_dir))
+        cloud_sample_files = os.listdir(cloud_sample_dir)
        for conf_file in cloud_sample_files:
-            profile_conf = SAMPLE_CONF_DIR + 'cloud.profiles.d/' + conf_file
+            profile_conf = cloud_sample_dir + conf_file
            ret = salt.config._read_conf_file(profile_conf)
            self.assertEqual(
                ret,
@ -215,9 +218,12 @@ class SampleConfTest(TestCase):
        commented out. This test loops through all of the files in that directory to check
        for any lines that are not commented or blank.
        '''
-        cloud_sample_files = os.listdir(SAMPLE_CONF_DIR + 'cloud.providers.d/')
+        cloud_sample_dir = SAMPLE_CONF_DIR + 'cloud.providers.d/'
+        if not os.path.exists(cloud_sample_dir):
+            self.skipTest("Sample config directory '{}' is missing.".format(cloud_sample_dir))
+        cloud_sample_files = os.listdir(cloud_sample_dir)
        for conf_file in cloud_sample_files:
-            provider_conf = SAMPLE_CONF_DIR + 'cloud.providers.d/' + conf_file
+            provider_conf = cloud_sample_dir + conf_file
            ret = salt.config._read_conf_file(provider_conf)
            self.assertEqual(
                ret,
@ -233,9 +239,12 @@ class SampleConfTest(TestCase):
        commented out. This test loops through all of the files in that directory to check
        for any lines that are not commented or blank.
        '''
-        cloud_sample_files = os.listdir(SAMPLE_CONF_DIR + 'cloud.maps.d/')
+        cloud_sample_dir = SAMPLE_CONF_DIR + 'cloud.maps.d/'
+        if not os.path.exists(cloud_sample_dir):
+            self.skipTest("Sample config directory '{}' is missing.".format(cloud_sample_dir))
+        cloud_sample_files = os.listdir(cloud_sample_dir)
        for conf_file in cloud_sample_files:
-            map_conf = SAMPLE_CONF_DIR + 'cloud.maps.d/' + conf_file
+            map_conf = cloud_sample_dir + conf_file
            ret = salt.config._read_conf_file(map_conf)
            self.assertEqual(
                ret,
--- a/tests/unit/utils/test_extend.py
+++ b/tests/unit/utils/test_extend.py
@ -14,7 +14,7 @@ import shutil
 from datetime import date

 # Import Salt Testing libs
-from tests.support.unit import TestCase
+from tests.support.unit import TestCase, skipIf
 from tests.support.mock import MagicMock, patch

 # Import salt libs
@ -35,6 +35,8 @@ class ExtendTestCase(TestCase):
                shutil.rmtree(self.out, True)
        os.chdir(self.starting_dir)

+    @skipIf(not os.path.exists(os.path.join(integration.CODE_DIR, 'templates')),
+            "Test template directory 'templates/' missing.")
    def test_run(self):
        with patch('sys.exit', MagicMock):
            out = salt.utils.extend.run('test', 'test', 'this description', integration.CODE_DIR, False)