diff --git a/manifests/params.pp b/manifests/params.pp
index 34adc20a..25e898f0 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -16,98 +16,71 @@ # class openvpn::params { - case $::osfamily { - 'RedHat': { + case $facts['os']['family'] { + 'RedHat': { # RedHat/CentOS $etc_directory = '/etc' $root_group = 'root' $group = 'nobody' $link_openssl_cnf = true $pam_module_path = '/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so' $namespecific_rclink = false + $default_easyrsa_ver = '3.0' + $easyrsa_source = '/usr/share/easy-rsa/3' - # Redhat/Centos >= 7.0 - if(versioncmp($::operatingsystemrelease, '7.0') >= 0) and $::operatingsystem != 'Amazon' { - $additional_packages = ['easy-rsa'] - $ldap_auth_plugin_location = undef - $systemd = true - $easyrsa_source = '/usr/share/easy-rsa/3' - $default_easyrsa_ver = '3.0' - # Redhat/Centos == 6.0 - } elsif(versioncmp($::operatingsystemrelease, '6.0') >= 0) and $::operatingsystem != 'Amazon' { - $additional_packages = ['easy-rsa','openvpn-auth-ldap'] - $ldap_auth_plugin_location = '/usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so' - $systemd = false - $easyrsa_source = '/usr/share/easy-rsa/3' - $default_easyrsa_ver = '3.0' - # Redhat/Centos < 6.0 - } else { - $additional_packages = ['easy-rsa'] - $ldap_auth_plugin_location = undef - $systemd = false - $easyrsa_source = '/usr/share/easy-rsa/2.0' - $default_easyrsa_ver = '2.0' + case $facts['os']['release']['major'] { + '7': { + $additional_packages = ['easy-rsa'] + $ldap_auth_plugin_location = undef + $systemd = true + } + '6': { + $additional_packages = ['easy-rsa','openvpn-auth-ldap'] + $ldap_auth_plugin_location = '/usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so' + $systemd = false + } + default: { + fail("unsupported OS ${facts['os']['name']} ${facts['os']['release']['major']}") + } } } 'Debian': { # Debian/Ubuntu - $etc_directory = '/etc' - $root_group = 'root' - $group = 'nogroup' - $link_openssl_cnf = true - $namespecific_rclink = false + $etc_directory = '/etc' + $root_group = 'root' + $group = 'nogroup' + $link_openssl_cnf = true + $namespecific_rclink = false + $default_easyrsa_ver = '2.0' + 
$additional_packages = ['easy-rsa','openvpn-auth-ldap'] + $easyrsa_source = '/usr/share/easy-rsa/' + $ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so' + $pam_module_path = '/usr/lib/openvpn/openvpn-plugin-auth-pam.so' - case $::operatingsystem { + case $facts['os']['name'] { 'Debian': { - # Version > 8.0, jessie, stretch - $default_easyrsa_ver = '2.0' - if(versioncmp($::operatingsystemrelease, '8.0') >= 0) { - $additional_packages = ['easy-rsa','openvpn-auth-ldap'] - $easyrsa_source = '/usr/share/easy-rsa/' - $ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so' - $pam_module_path = '/usr/lib/openvpn/openvpn-plugin-auth-pam.so' - $systemd = true - - # Version > 7.0, wheezy - } elsif(versioncmp($::operatingsystemrelease, '7.0') >= 0) { - $additional_packages = ['openvpn-auth-ldap'] - $easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0' - $ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so' - $pam_module_path = '/usr/lib/openvpn/openvpn-auth-pam.so' - $systemd = false - } else { - $additional_packages = undef - $easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0' - $ldap_auth_plugin_location = undef - $pam_module_path = '/usr/lib/openvpn/openvpn-auth-pam.so' - $systemd = false + case $facts['os']['release']['major'] { + '8','9': { + $systemd = true + } + default: { + fail("unsupported OS ${facts['os']['name']} ${facts['os']['release']['major']}") + } } } 'Ubuntu': { - $default_easyrsa_ver = '2.0' - # Version > 15.04, vivid - if(versioncmp($::operatingsystemrelease, '15.04') >= 0){ - $additional_packages = ['easy-rsa','openvpn-auth-ldap'] - $easyrsa_source = '/usr/share/easy-rsa/' - $ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so' - $pam_module_path = '/usr/lib/openvpn/openvpn-plugin-auth-pam.so' - $systemd = true - - # Version > 13.10, saucy - } elsif(versioncmp($::operatingsystemrelease, '13.10') >= 0) { - $additional_packages = ['easy-rsa','openvpn-auth-ldap'] - 
$easyrsa_source = '/usr/share/easy-rsa/' - $ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so' - $pam_module_path = '/usr/lib/openvpn/openvpn-plugin-auth-pam.so' - $systemd = false - } else { - $additional_packages = undef - $easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0' - $ldap_auth_plugin_location = undef - $pam_module_path = '/usr/lib/openvpn/openvpn-auth-pam.so' - $systemd = false + case $facts['os']['release']['major'] { + '16.04': { + $systemd = true + } + '14.04': { + $systemd = false + } + default: { + fail("unsupported OS ${facts['os']['name']} ${facts['os']['release']['major']}") + } } } default: { - fail("Unsupported OS/Distribution ${::osfamily}/${::operatingsystem}") + fail("unsupported OS ${facts['os']['name']} ${facts['os']['release']['major']}") } } } @@ -119,30 +92,11 @@ $easyrsa_source = '/usr/share/easy-rsa/' $group = 'nobody' $ldap_auth_plugin_location = undef # unsupported + $pam_module_path = undef $link_openssl_cnf = true $systemd = true $namespecific_rclink = false } - 'Linux': { - $default_easyrsa_ver = '2.0' - case $::operatingsystem { - 'Amazon': { - $etc_directory = '/etc' - $root_group = 'root' - $group = 'nobody' - $additional_packages = ['easy-rsa'] - $easyrsa_source = '/usr/share/easy-rsa/2.0' - $ldap_auth_plugin_location = undef - $systemd = false - $link_openssl_cnf = true - $pam_module_path = '/usr/lib/openvpn/openvpn-auth-pam.so' - $namespecific_rclink = false - } - default: { - fail("Unsupported OS/Distribution ${::osfamily}/${::operatingsystem}") - } - } - } 'FreeBSD': { $etc_directory = '/usr/local/etc' $root_group = 'wheel' @@ -156,9 +110,10 @@ $systemd = false } default: { - fail("Not supported OS family ${::osfamily}") + fail("unsupported OS ${facts['os']['name']} ${facts['os']['release']['major']}") } } + $easyrsa_version = $facts['easyrsa'] ? { undef => $default_easyrsa_ver, default => $facts['easyrsa'], 
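Review bot: The RedHat arm now hard-fails for any `$facts['os']['release']['major']` other than '6' or '7', which drops the carve-out the removed `$::operatingsystem != 'Amazon'` checks gave and presumably also rejects other RedHat-family names Facter reports (Amazon Linux, Fedora); if that is intended, the class comment and metadata.json should state it, because the failure only surfaces at catalog compile time on the affected node. The string `fail("unsupported OS ${facts['os']['name']} ${facts['os']['release']['major']}")` is repeated in four `default:` arms of this hunk and once more in the family-level default; assigning it once, e.g. `$unsupported_msg = "unsupported OS ${facts['os']['name']} ${facts['os']['release']['major']}"` ahead of the `case`, and using `fail($unsupported_msg)` keeps the message from drifting between arms. The enclosing `case $facts['os']['family']` opened here closes outside this hunk.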
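Review bot: `$pam_module_path = undef` is added directly under `$ldap_auth_plugin_location = undef # unsupported` but without the matching comment, so a reader cannot tell whether PAM authentication is unavailable on this platform or the plugin path is simply unknown; `$pam_module_path = undef # unsupported` (or the actual reason) would match the adjacent line. The case arm this hunk edits starts outside the hunk.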
diff --git a/manifests/server.pp b/manifests/server.pp
index f9706025..e6ce7ac7 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -454,7 +454,7 @@
 Optional[String] $group = undef,
 Boolean $ipp = false,
 Boolean $duplicate_cn = false,
- String $local = $::ipaddress_eth0,
+ String $local = $facts['ipaddress_eth0'],
 Variant[Boolean, String] $logfile = false,
 String $port = '1194',
 Optional[String] $portshare = undef,
diff --git a/spec/classes/openvpn_config_spec.rb b/spec/classes/openvpn_config_spec.rb
index 991403be..d33e35de 100644
--- a/spec/classes/openvpn_config_spec.rb
+++ b/spec/classes/openvpn_config_spec.rb
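Review bot: `String $local = $facts['ipaddress_eth0']` keeps a default that is undef on any node without an interface literally named `eth0` (predictable names such as `ens*`/`enp*` are the norm on current distributions), and because the parameter is typed `String` rather than `Optional[String]`, Puppet rejects that undef default at compile time for every `openvpn::server` declaration that does not pass `local` explicitly; the commit only swaps the fact syntax and leaves this in place. Since `local` decides which address the daemon binds, the defaulting rule deserves a doc comment on the parameter, and a more robust default would be either `Optional[String] $local = undef` (provided the template omits the `local` directive when it is undef) or the structured `$facts['networking']['ip']`. The `openvpn::server` parameter list starts and ends outside this hunk.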
@@ -1,37 +1,41 @@ require 'spec_helper' describe 'openvpn::config', type: :class do - context 'on Debian based machines' do - let(:facts) do - { - osfamily: 'Debian', - operatingsystem: 'Debian', - operatingsystemrelease: '7', - concat_basedir: '/var/lib/puppet/concat' - } - end + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts + end - it { is_expected.to contain_concat('/etc/default/openvpn') } - it { is_expected.to contain_concat__fragment('openvpn.default.header') } + it { is_expected.to compile.with_all_deps } - context 'enabled autostart_all' do - let(:pre_condition) { 'class { "openvpn": autostart_all => true }' } + case facts[:os]['family'] + when 'Debian' + context 'on Debian based machines' do + it { is_expected.to contain_concat('/etc/default/openvpn') } + it { is_expected.to contain_concat__fragment('openvpn.default.header') } - it { - is_expected.to contain_concat__fragment('openvpn.default.header').with( - 'content' => %r{^AUTOSTART="all"} - ) - } - end + context 'enabled autostart_all' do + let(:pre_condition) { 'class { "openvpn": autostart_all => true }' } + + it { + is_expected.to contain_concat__fragment('openvpn.default.header').with( + 'content' => %r{^AUTOSTART="all"} + ) + } + end - context 'disabled autostart_all' do - let(:pre_condition) { 'class { "openvpn": autostart_all => false }' } + context 'disabled autostart_all' do + let(:pre_condition) { 'class { "openvpn": autostart_all => false }' } - it { - is_expected.to contain_concat__fragment('openvpn.default.header').with( - 'content' => %r{^AUTOSTART=""} - ) - } + it { + is_expected.to contain_concat__fragment('openvpn.default.header').with( + 'content' => %r{^AUTOSTART=""} + ) + } + end + end + end end end end diff --git a/spec/classes/openvpn_init_hiera_spec.rb b/spec/classes/openvpn_init_hiera_spec.rb index b16ab929..7f95686c 100644 --- a/spec/classes/openvpn_init_hiera_spec.rb +++ b/spec/classes/openvpn_init_hiera_spec.rb 
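Review bot: For every non-Debian OS yielded by `on_supported_os`, the `case facts[:os]['family']` has no other arm, so those contexts only assert `compile.with_all_deps` and the Debian-only handling of `/etc/default/openvpn` is never pinned on the other platforms; if `openvpn::config` is meant to manage that file on Debian only, an `else` arm with `it { is_expected.not_to contain_concat('/etc/default/openvpn') }` would catch a regression that emits it on RedHat, FreeBSD or Archlinux. `let(:facts) do facts end` also fits on one line as `let(:facts) { facts }`, matching the single-line `let(:pre_condition)` used a few lines below.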
@@ -1,89 +1,87 @@ require 'spec_helper' describe 'openvpn', type: :class do - let(:title) { 'test openvpn hiera lookups' } + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:pre_condition) { 'class { "openvpn" : manage_service => true }' } + let(:facts) do + facts + end + let(:title) { 'test openvpn hiera lookups' } - let(:facts) do - { - concat_basedir: '/var/lib/puppet/concat', - osfamily: 'Debian', - operatingsystem: 'Ubuntu', - operatingsystemrelease: '12.04' - } - end + it { is_expected.to create_class('openvpn') } - it { is_expected.to create_class('openvpn') } - it { is_expected.to contain_class('openvpn::service') } + it do + is_expected.to contain_openvpn__server('winterthur').with( + 'country' => 'CH', + 'province' => 'ZH', + 'city' => 'Winterthur', + 'organization' => 'example.org', + 'email' => 'root@example.org', + 'server' => '10.200.200.0 255.255.255.0' + ) + end - it do - is_expected.to contain_openvpn__server('winterthur').with( - 'country' => 'CH', - 'province' => 'ZH', - 'city' => 'Winterthur', - 'organization' => 'example.org', - 'email' => 'root@example.org', - 'server' => '10.200.200.0 255.255.255.0' - ) - end + it do + is_expected.to contain_openvpn__server('uster').with( + 'country' => 'CH', + 'province' => 'ZH', + 'city' => 'Uster', + 'organization' => 'example.com', + 'email' => 'root@example.com', + 'server' => '10.100.100.0 255.255.255.0' + ) + end - it do - is_expected.to contain_openvpn__server('uster').with( - 'country' => 'CH', - 'province' => 'ZH', - 'city' => 'Uster', - 'organization' => 'example.com', - 'email' => 'root@example.com', - 'server' => '10.100.100.0 255.255.255.0' - ) - end + it do + is_expected.to contain_openvpn__client('winti-client1').with( + 'server' => 'winterthur' + ) + end - it do - is_expected.to contain_openvpn__client('winti-client1').with( - 'server' => 'winterthur' - ) - end + it do + is_expected.to contain_openvpn__client('winti-client2').with( + 'server' => 'winterthur' + ) + end - it 
do - is_expected.to contain_openvpn__client('winti-client2').with( - 'server' => 'winterthur' - ) - end + it do + is_expected.to contain_openvpn__client('uster-client1').with( + 'server' => 'uster' + ) + end - it do - is_expected.to contain_openvpn__client('uster-client1').with( - 'server' => 'uster' - ) - end + it do + is_expected.to contain_openvpn__client('uster-client2').with( + 'server' => 'uster' + ) + end - it do - is_expected.to contain_openvpn__client('uster-client2').with( - 'server' => 'uster' - ) - end + it do + is_expected.to contain_openvpn__client_specific_config('winti-client1').with( + 'server' => 'winterthur', + 'ifconfig' => '10.200.200.50 10.200.200.51' + ) + end - it do - is_expected.to contain_openvpn__client_specific_config('winti-client1').with( - 'server' => 'winterthur', - 'ifconfig' => '10.200.200.50 10.200.200.51' - ) - end + it do + is_expected.to contain_openvpn__client_specific_config('uster-client1').with( + 'server' => 'uster', + 'ifconfig' => '10.100.100.50 10.100.100.51' + ) + end - it do - is_expected.to contain_openvpn__client_specific_config('uster-client1').with( - 'server' => 'uster', - 'ifconfig' => '10.100.100.50 10.100.100.51' - ) - end - - it do - is_expected.to contain_openvpn__revoke('winti-client2').with( - 'server' => 'winterthur' - ) - end + it do + is_expected.to contain_openvpn__revoke('winti-client2').with( + 'server' => 'winterthur' + ) + end - it do - is_expected.to contain_openvpn__revoke('uster-client2').with( - 'server' => 'uster' - ) + it do + is_expected.to contain_openvpn__revoke('uster-client2').with( + 'server' => 'uster' + ) + end + end end end diff --git a/spec/classes/openvpn_init_spec.rb b/spec/classes/openvpn_init_spec.rb index 491f99f9..e0d59e2a 100644 --- a/spec/classes/openvpn_init_spec.rb +++ b/spec/classes/openvpn_init_spec.rb 
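Review bot: `let(:pre_condition) { 'class { "openvpn" : manage_service => true }' }` is new in this file, but the only assertion that depended on it, `it { is_expected.to contain_class('openvpn::service') }`, is removed in the same hunk, so the pre-condition is now dead setup here; either drop it or restore the service assertion under the systemd/non-systemd split that openvpn_init_spec.rb introduces, otherwise a regression in how `manage_service` is honoured passes this spec unnoticed. `let(:title)` appears to have no effect on a `type: :class` spec and could be removed with the same change.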
@@ -1,31 +1,33 @@ require 'spec_helper' describe 'openvpn', type: :class do - context 'non-systemd systems' do - let(:facts) do - { - concat_basedir: '/var/lib/puppet/concat', - osfamily: 'Debian', - operatingsystem: 'Ubuntu', - operatingsystemrelease: '12.04' - } - end + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:pre_condition) { 'class { "openvpn" : manage_service => true }' } + let(:facts) do + facts + end - it { is_expected.to create_class('openvpn') } - it { is_expected.to contain_class('openvpn::service') } - end + it { is_expected.to compile.with_all_deps } - context 'systemd systems' do - let(:facts) do - { - concat_basedir: '/var/lib/puppet/concat', - osfamily: 'RedHat', - operatingsystem: 'CentOS', - operatingsystemrelease: '7.0' - } + os_name = facts[:os]['name'] + os_release = facts[:os]['release']['major'] + case "#{os_name}-#{os_release}" + when 'Ubuntu-14.04', 'CentOS-6', 'RedHat-6', %r{FreeBSD} + context 'system without systemd' do + it { is_expected.to create_class('openvpn') } + it { is_expected.to contain_class('openvpn::service') } + end + when 'Ubuntu-16.04', 'CentOS-7', 'RedHat-7', 'Debian-8', 'Debian-9', %r{Archlinux} + context 'system with systemd' do + it { is_expected.to create_class('openvpn') } + it { is_expected.not_to contain_class('openvpn::service') } + end + else + context 'unsupported systems' do + it { is_expected.to raise_error(%r{unsupported OS}) } + end + end end - - it { is_expected.to create_class('openvpn') } - it { is_expected.not_to contain_class('openvpn::service') } end end diff --git a/spec/classes/openvpn_install_spec.rb b/spec/classes/openvpn_install_spec.rb index 0d794450..95e8eaba 100644 --- a/spec/classes/openvpn_install_spec.rb +++ b/spec/classes/openvpn_install_spec.rb 
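Review bot: The `when 'Ubuntu-14.04', 'CentOS-6', 'RedHat-6', …` and `when 'Ubuntu-16.04', 'CentOS-7', …` lists key on `os.name` plus major version, whereas params.pp in this same commit decides `$systemd` from `os.family` and `os.release.major`; any other RedHat-family name that metadata.json may list (OracleLinux, Scientific) therefore compiles fine in params.pp but lands in the `else` arm here and is asserted to raise `unsupported OS`. Deriving the expectation from `facts[:os]['family']` and `facts[:os]['release']['major']`, mirroring params.pp, keeps the spec and the manifest from disagreeing. The `unsupported systems` arm is still worth keeping as a guard that new metadata entries are consciously wired up rather than silently compiling.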
@@ -1,81 +1,47 @@ require 'spec_helper' describe 'openvpn::install', type: :class do - let(:osfamily) { 'Debian' } - let(:operatingsystemmajrelease) { nil } - let(:operatingsystem) { 'Ubuntu' } - let(:operatingsystemrelease) { '13.10' } - let(:facts) do - { - osfamily: osfamily, - operatingsystemmajrelease: operatingsystemmajrelease, - operatingsystemrelease: operatingsystemrelease, - operatingsystem: operatingsystem - } - end - - it { is_expected.to create_class('openvpn::install') } - it { is_expected.to contain_package('openvpn') } - - it { is_expected.to contain_file('/etc/openvpn').with('ensure' => 'directory') } - it { is_expected.to contain_file('/etc/openvpn/keys').with('ensure' => 'directory') } - it { is_expected.to contain_file('/var/log/openvpn').with('ensure' => 'directory') } - - describe 'installed packages' do - context 'debian' do - let(:osfamily) { 'Debian' } - let(:operatingsystem) { 'Debian' } - - context 'squeeze' do - let(:operatingsystemrelease) { '6.5' } - - it { is_expected.not_to contain_package('openvpn-auth-ldap') } - it { is_expected.not_to contain_package('easy-rsa') } + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:pre_condition) do + 'include openvpn::params' end - - context 'wheezy' do - let(:operatingsystemrelease) { '7.4' } - - it { is_expected.to contain_package('openvpn-auth-ldap') } - it { is_expected.not_to contain_package('easy-rsa') } + let(:facts) do + facts end - context 'jessie' do - let(:operatingsystemrelease) { '8.0' } + it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_package('openvpn-auth-ldap') } - it { is_expected.to contain_package('easy-rsa') } - end + it { is_expected.to create_class('openvpn::install') } + it { is_expected.to contain_package('openvpn') } - context 'stretch' do - let(:operatingsystemrelease) { '9.0' } + it { is_expected.to contain_file('/etc/openvpn').with('ensure' => 'directory') } + it { is_expected.to 
contain_file('/etc/openvpn/keys').with('ensure' => 'directory') } + it { is_expected.to contain_file('/var/log/openvpn').with('ensure' => 'directory') } - it { is_expected.to contain_package('openvpn-auth-ldap') } - it { is_expected.to contain_package('easy-rsa') } - end - end - - context 'redhat/centos' do - let(:osfamily) { 'RedHat' } - - it { is_expected.not_to contain_package('openvpn-auth-ldap') } - it { is_expected.to contain_package('easy-rsa') } - end - - context 'Amazon' do - let(:osfamily) { 'Linux' } - let(:operatingsystem) { 'Amazon' } - let(:operatingsystemrelease) { nil } - - it { is_expected.not_to contain_package('openvpn-auth-ldap') } it { is_expected.to contain_package('easy-rsa') } - end - - context 'Archlinux' do - let(:osfamily) { 'Archlinux' } - it { is_expected.not_to contain_package('openvpn-auth-ldap') } - it { is_expected.to contain_package('easy-rsa') } + case facts[:os]['family'] + when 'Debian' + context 'debian' do + it { is_expected.to contain_package('openvpn-auth-ldap') } + end + when 'RedHat' + case facts[:os]['release']['major'] + when '6' + context 'redhat/centos 6' do + it { is_expected.to contain_package('openvpn-auth-ldap') } + end + when '7' + context 'redhat/centos 7' do + it { is_expected.not_to contain_package('openvpn-auth-ldap') } + end + end + when 'Archlinux' + context 'Archlinux' do + it { is_expected.not_to contain_package('openvpn-auth-ldap') } + end + end end end end diff --git a/spec/classes/openvpn_service_spec.rb b/spec/classes/openvpn_service_spec.rb index b4e87135..f3ada096 100644 --- a/spec/classes/openvpn_service_spec.rb +++ b/spec/classes/openvpn_service_spec.rb 
@@ -1,21 +1,22 @@ require 'spec_helper' describe 'openvpn::service', type: :class do - let(:pre_condition) { 'class { "openvpn": manage_service => true }' } - let(:facts) do - { - osfamily: 'Debian', - operatingsystem: 'Debian', - concat_basedir: '/var/lib/puppet/concat', - operatingsystemrelease: '7.0' - } - end + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:pre_condition) { 'class { "openvpn": manage_service => true }' } + let(:facts) do + facts + end + + it { is_expected.to compile.with_all_deps } - it { is_expected.to create_class('openvpn::service') } - it { - is_expected.to contain_service('openvpn').with( - 'ensure' => 'running', - 'enable' => true - ) - } + it { is_expected.to create_class('openvpn::service') } + it { + is_expected.to contain_service('openvpn').with( + 'ensure' => 'running', + 'enable' => true + ) + } + end + end end diff --git a/spec/default_module_facts.yml b/spec/default_module_facts.yml index def64edb..871e8048 100644 --- a/spec/default_module_facts.yml +++ b/spec/default_module_facts.yml @@ -1,3 +1,4 @@ -id: root -path: -ipaddress_eth0: 10.0.0.1 +--- +ipaddress_eth0: '1.2.3.4' +network_eth0: '1.2.3.0' +netmask_eth0: '255.255.255.0' diff --git a/spec/defines/openvpn_ca_spec.rb b/spec/defines/openvpn_ca_spec.rb index bf18d14f..92120b4b 100644 --- a/spec/defines/openvpn_ca_spec.rb +++ b/spec/defines/openvpn_ca_spec.rb 
@@ -1,189 +1,181 @@ require 'spec_helper' describe 'openvpn::ca', type: :define do - let(:title) { 'test_server' } - - let(:facts) do - { - ipaddress_eth0: '1.2.3.4', - network_eth0: '1.2.3.0', - netmask_eth0: '255.255.255.0', - concat_basedir: '/var/lib/puppet/concat', - osfamily: 'Debian', - operatingsystem: 'Ubuntu', - operatingsystemrelease: '12.04' - } - end - - context 'creating a server with the minimum parameters' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org' - } - end - - # Files associated with a server config - - it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with(mode: '0550') } - it { - is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/keys/crl.pem'). - with(ensure: 'link', target: '/etc/openvpn/test_server/crl.pem') - } - it { - is_expected.to contain_file('/etc/openvpn/test_server/keys'). - with(ensure: 'link', target: '/etc/openvpn/test_server/easy-rsa/keys') - } - - # Execs to working with certificates - - it { is_expected.to contain_exec('generate dh param test_server').with_creates('/etc/openvpn/test_server/easy-rsa/keys/dh2048.pem') } - it { is_expected.to contain_exec('initca test_server') } - it { is_expected.to contain_exec('generate server cert test_server') } - it { is_expected.to contain_exec('create crl.pem on test_server') } - it { is_expected.not_to contain_exec('update crl.pem on test_server') } - - it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export CA_EXPIRE=3650$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export KEY_EXPIRE=3650$}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{KEY_CN}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{KEY_NAME}) } - it { is_expected.not_to 
contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{KEY_OU}) } - end - - context 'creating a ca setting all parameters' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'group' => 'someone', - 'ssl_key_size' => 2048, - 'common_name' => 'mylittlepony', - 'ca_expire' => 365, - 'key_expire' => 365, - 'key_cn' => 'yolo', - 'key_name' => 'burp', - 'key_ou' => 'NSA' - } - end - - let(:facts) do - { - ipaddress_eth0: '1.2.3.4', - network_eth0: '1.2.3.0', - netmask_eth0: '255.255.255.0', - concat_basedir: '/var/lib/puppet/concat', - osfamily: 'Debian', - operatingsystem: 'Ubuntu', - operatingsystemrelease: '12.04' - } - end - - it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export CA_EXPIRE=365$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export KEY_EXPIRE=365$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export KEY_CN="yolo"$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export KEY_NAME="burp"$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export KEY_OU="NSA"$}) } - - it { is_expected.to contain_exec('generate dh param test_server').with_creates('/etc/openvpn/test_server/easy-rsa/keys/dh2048.pem') } - end - - context 'when RedHat based machine' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org' - } - end - - let(:facts) do - { - osfamily: 'RedHat', - operatingsystem: 'CentOS', - concat_basedir: '/var/lib/puppet/concat', - operatingsystemrelease: '7.0' - } - end - - it { is_expected.to contain_package('easy-rsa').with('ensure' => 'present') } - - it { - is_expected.to 
contain_file('/etc/openvpn/test_server/crl.pem').with( - 'mode' => '0640', - 'group' => 'nobody' - ) - } - end - - context 'when Debian based machine' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org' - } - end - - let(:facts) do - { - osfamily: 'Debian', - operatingsystem: 'Debian', - concat_basedir: '/var/lib/puppet/concat', - operatingsystemrelease: '7.0' - } - end - - shared_examples_for 'a newer version than wheezy' do - it { is_expected.to contain_package('easy-rsa').with('ensure' => 'present') } - end - context 'when jessie/stretch/sid' do - before do - facts[:operatingsystem] = 'Debian' - facts[:operatingsystemrelease] = '8.0.1' + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts end - it_behaves_like 'a newer version than wheezy' - end - - context 'when ubuntu 13.10' do - before do - facts[:operatingsystem] = 'Ubuntu' - facts[:operatingsystemrelease] = '13.10' + let(:title) { 'test_server' } + + case facts[:os]['family'] + when 'RedHat' + context 'creating a server with the minimum parameters' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'testemail@example.org' + } + end + + it { is_expected.to contain_package('easy-rsa').with('ensure' => 'present') } + it { + is_expected.to contain_file('/etc/openvpn/test_server/crl.pem').with( + 'mode' => '0640', + 'group' => 'nobody' + ) + } + + # Files associated with a server config + + it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with(mode: '0550') } + it { + is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/keys/crl.pem'). + with(ensure: 'link', target: '/etc/openvpn/test_server/crl.pem') + } + it { + is_expected.to contain_file('/etc/openvpn/test_server/keys'). 
+ with(ensure: 'link', target: '/etc/openvpn/test_server/easy-rsa/keys') + } + + # Execs to working with certificates + + it { is_expected.to contain_exec('generate dh param test_server').with_creates('/etc/openvpn/test_server/easy-rsa/keys/dh.pem') } + it { is_expected.to contain_exec('initca test_server') } + it { is_expected.to contain_exec('generate server cert test_server') } + it { is_expected.to contain_exec('create crl.pem on test_server') } + it { is_expected.not_to contain_exec('update crl.pem on test_server') } + + it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export EASYRSA_CA_EXPIRE=3650$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export EASYRSA_CERT_EXPIRE=3650$}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{EASYRSA_REQ_CN}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{EASYRSA_REQ_OU}) } + end + + context 'creating a ca setting all parameters' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'testemail@example.org', + 'group' => 'someone', + 'ssl_key_size' => 2048, + 'common_name' => 'mylittlepony', + 'ca_expire' => 365, + 'key_expire' => 365, + 'key_cn' => 'yolo', + 'key_name' => 'burp', + 'key_ou' => 'NSA' + } + end + + it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export EASYRSA_CA_EXPIRE=365$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export EASYRSA_CERT_EXPIRE=365$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export EASYRSA_REQ_CN="yolo"$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export EASYRSA_REQ_OU="NSA"$}) } + + it { is_expected.to 
contain_exec('generate dh param test_server').with_creates('/etc/openvpn/test_server/easy-rsa/keys/dh.pem') } + end + when 'Debian' + context 'creating a server with the minimum parameters' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'testemail@example.org' + } + end + + # Files associated with a server config + + it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with(mode: '0550') } + it { + is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/keys/crl.pem'). + with(ensure: 'link', target: '/etc/openvpn/test_server/crl.pem') + } + it { + is_expected.to contain_file('/etc/openvpn/test_server/keys'). + with(ensure: 'link', target: '/etc/openvpn/test_server/easy-rsa/keys') + } + + # Execs to working with certificates + + it { is_expected.to contain_exec('generate dh param test_server').with_creates('/etc/openvpn/test_server/easy-rsa/keys/dh2048.pem') } + it { is_expected.to contain_exec('initca test_server') } + it { is_expected.to contain_exec('generate server cert test_server') } + it { is_expected.to contain_exec('create crl.pem on test_server') } + it { is_expected.not_to contain_exec('update crl.pem on test_server') } + + it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export CA_EXPIRE=3650$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export KEY_EXPIRE=3650$}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{KEY_CN}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{KEY_NAME}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{KEY_OU}) } + end + + context 'creating a ca setting all parameters' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 
'organization' => 'example.org', + 'email' => 'testemail@example.org', + 'group' => 'someone', + 'ssl_key_size' => 2048, + 'common_name' => 'mylittlepony', + 'ca_expire' => 365, + 'key_expire' => 365, + 'key_cn' => 'yolo', + 'key_name' => 'burp', + 'key_ou' => 'NSA' + } + end + + it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export CA_EXPIRE=365$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export KEY_EXPIRE=365$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export KEY_CN="yolo"$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export KEY_NAME="burp"$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export KEY_OU="NSA"$}) } + + it { is_expected.to contain_exec('generate dh param test_server').with_creates('/etc/openvpn/test_server/easy-rsa/keys/dh2048.pem') } + end + + context 'when Debian based machine' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'testemail@example.org' + } + end + + it { + is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/openssl.cnf').with( + 'ensure' => 'link', + 'target' => '/etc/openvpn/test_server/easy-rsa/openssl-1.0.0.cnf', + 'recurse' => nil, + 'group' => 'nogroup' + ) + } + + it { + is_expected.to contain_file('/etc/openvpn/test_server/crl.pem').with( + 'mode' => '0640', + 'group' => 'nogroup' + ) + } + end end - it_behaves_like 'a newer version than wheezy' end - - context 'when ubuntu 14.04' do - before do - facts[:operatingsystem] = 'Ubuntu' - facts[:operatingsystemrelease] = '14.04' - end - it_behaves_like 'a newer version than wheezy' - end - - it { - is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/openssl.cnf').with( - 'ensure' => 'link', - 'target' => 
'/etc/openvpn/test_server/easy-rsa/openssl-1.0.0.cnf', - 'recurse' => nil, - 'group' => 'nogroup' - ) - } - - it { - is_expected.to contain_file('/etc/openvpn/test_server/crl.pem').with( - 'mode' => '0640', - 'group' => 'nogroup' - ) - } end end diff --git a/spec/defines/openvpn_client_spec.rb b/spec/defines/openvpn_client_spec.rb index 8f947eb7..3f42fb85 100644 --- a/spec/defines/openvpn_client_spec.rb +++ b/spec/defines/openvpn_client_spec.rb 
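Review bot: Unlike openvpn_config_spec.rb, openvpn_init_spec.rb, openvpn_install_spec.rb and openvpn_service_spec.rb in this commit, this spec adds no `it { is_expected.to compile.with_all_deps }` inside `context "on #{os}"`, and the `case facts[:os]['family']` has arms only for RedHat and Debian, so for every other OS from `on_supported_os` the context holds zero examples and `openvpn::ca` is never compiled there at all; adding the compile example directly after `let(:title) { 'test_server' }` gives every platform at least that check. The minimum-parameter `let(:params)` hash is also repeated verbatim four times across the two arms; one `let(:params)` at the context level, overridden only by the two all-parameters contexts, would roughly halve this hunk.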
@@ -1,231 +1,283 @@ require 'spec_helper' describe 'openvpn::client', type: :define do - let(:title) { 'test_client' } - let(:params) { { 'server' => 'test_server' } } - let(:facts) do - { - fqdn: 'somehost', - concat_basedir: '/var/lib/puppet/concat', - osfamily: 'Debian', - operatingsystem: 'Ubuntu', - operatingsystemrelease: '12.04' - } - end - let(:pre_condition) do - 'openvpn::server { "test_server": - country => "CO", - province => "ST", - city => "Some City", - organization => "example.org", - email => "testemail@example.org" - }' - end + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:pre_condition) do + 'openvpn::server { "test_server": + country => "CO", + province => "ST", + city => "Some City", + organization => "example.org", + email => "testemail@example.org" + }' + end + let(:facts) do + facts + end + let(:title) { 'test_client' } + let(:params) { { server: 'test_server' } } - it { is_expected.to contain_exec('generate certificate for test_client in context of test_server') } + it { is_expected.to compile.with_all_deps } - ['test_client', 'test_client/keys/test_client'].each do |directory| - it { is_expected.to contain_file("/etc/openvpn/test_server/download-configs/#{directory}") } - end + it { is_expected.to contain_exec('generate certificate for test_client in context of test_server') } - ['test_client.crt', 'test_client.key', 'ca.crt'].each do |file| - it { - is_expected.to contain_file("/etc/openvpn/test_server/download-configs/test_client/keys/test_client/#{file}").with( - 'ensure' => 'link', - 'target' => "/etc/openvpn/test_server/easy-rsa/keys/#{file}" - ) - } - end + ['test_client', 'test_client/keys/test_client'].each do |directory| + it { is_expected.to contain_file("/etc/openvpn/test_server/download-configs/#{directory}") } + end - it { - is_expected.to contain_exec('tar the thing test_server with test_client').with( - 'cwd' => '/etc/openvpn/test_server/download-configs/', - 'command' => '/bin/rm test_client.tar.gz; tar 
--exclude=\*.conf.d -chzvf test_client.tar.gz test_client test_client.tblk' - ) - } - - context 'setting the minimum parameters' do - let(:params) { { 'server' => 'test_server' } } - - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^client$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^ca\s+keys/test_client/ca\.crt$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^cert\s+keys/test_client/test_client.crt$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^key\s+keys/test_client/test_client\.key$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^dev\s+tun$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^proto\s+tcp$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^remote\s+somehost\s+1194$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^comp-lzo$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^resolv-retry\s+infinite$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^nobind$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^persist-key$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^persist-tun$}) } - it { 
is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^mute-replay-warnings$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^ns\-cert\-type\s+server$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^verb\s+3$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^mute\s+20$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^auth-retry\s+none$}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^tls-client$}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^verify-x509-name}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^sndbuf}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^rcvbuf}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^pull}) } - end + case facts[:os]['family'] + when 'Ubuntu', 'Debian' + context 'system with easyrsa2' do + ['test_client.crt', 'test_client.key', 'ca.crt'].each do |file| + it { + is_expected.to contain_file("/etc/openvpn/test_server/download-configs/test_client/keys/test_client/#{file}").with( + 'ensure' => 'link', + 'target' => "/etc/openvpn/test_server/easy-rsa/keys/#{file}" + ) + } + end + end + when 'CentOS', 'RedHat', %r{Archlinux}, %r{FreeBSD} + context 'system with easyrsa3' do + it { + is_expected.to 
contain_file('/etc/openvpn/test_server/download-configs/test_client/keys/test_client/test_client.crt').with( + 'ensure' => 'link', + 'target' => '/etc/openvpn/test_server/easy-rsa/keys/issued/test_client.crt' + ) + } + it { + is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/keys/test_client/test_client.key').with( + 'ensure' => 'link', + 'target' => '/etc/openvpn/test_server/easy-rsa/keys/private/test_client.key' + ) + } + it { + is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/keys/test_client/ca.crt').with( + 'ensure' => 'link', + 'target' => '/etc/openvpn/test_server/easy-rsa/keys/ca.crt' + ) + } + end + else + context 'unsupported systems' do + it { is_expected.to raise_error(%r{unsupported OS}) } + end + end - context 'setting all of the parameters' do - let(:params) do - { - 'server' => 'test_server', - 'compression' => 'comp-something', - 'dev' => 'tap', - 'mute' => 10, - 'mute_replay_warnings' => false, - 'nobind' => false, - 'persist_key' => false, - 'persist_tun' => false, - 'cipher' => 'AES-256-CBC', - 'tls_cipher' => 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA', - 'port' => '123', - 'proto' => 'udp', - 'remote_host' => %w[somewhere galaxy], - 'resolv_retry' => '2m', - 'auth_retry' => 'interact', - 'verb' => '1', - 'setenv' => { 'CLIENT_CERT' => '0' }, - 'setenv_safe' => { 'FORWARD_COMPATIBLE' => '1' }, - 'tls_auth' => true, - 'x509_name' => 'test_server', - 'sndbuf' => 393_216, - 'rcvbuf' => 393_215, - 'readme' => 'readme text', - 'pull' => true, - 'ns_cert_type' => false, - 'remote_cert_tls' => true - } - end - let(:facts) do - { - fqdn: 'somehost', - concat_basedir: '/var/lib/puppet/concat', - osfamily: 'Debian', - operatingsystem: 'Ubuntu', - operatingsystemrelease: '12.04' + it { + is_expected.to contain_exec('tar the thing test_server with test_client').with( + 'cwd' => '/etc/openvpn/test_server/download-configs/', + 'command' => '/bin/rm test_client.tar.gz; tar --exclude=\*.conf.d -chzvf 
test_client.tar.gz test_client test_client.tblk' + ) } - end - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^client$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^ca\s+keys\/test_client\/ca\.crt$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^cert\s+keys\/test_client\/test_client.crt$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^key\s+keys\/test_client\/test_client\.key$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^dev\s+tap$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^proto\s+udp$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^remote\s+somewhere\s+123$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^remote\s+galaxy\s+123$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^comp-something$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^resolv-retry\s+2m$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^verb\s+1$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^mute\s+10$}) } - it { is_expected.to 
contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^auth-retry\s+interact$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^setenv\s+CLIENT_CERT\s+0$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^setenv_safe\s+FORWARD_COMPATIBLE\s+1$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^cipher\s+AES-256-CBC$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^tls-cipher\s+TLS-DHE-RSA-WITH-AES-256-CBC-SHA$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^tls-client$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^verify-x509-name\s+"test_server"\s+name$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^sndbuf\s+393216$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^rcvbuf\s+393215$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/README').with_content(%r{^readme text$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^pull$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^remote-cert-tls\s+server$}) } - end + context 'setting the minimum parameters' do + let(:params) { { 'server' => 'test_server' } } - context 'omitting the cipher key' do - let(:params) { { 'server' => 
'test_server' } } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^client$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^ca\s+keys/test_client/ca\.crt$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^cert\s+keys/test_client/test_client.crt$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^key\s+keys/test_client/test_client\.key$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^dev\s+tun$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^proto\s+tcp$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^remote\s+foo.example.com\s+1194$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^comp-lzo$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^resolv-retry\s+infinite$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^nobind$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^persist-key$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^persist-tun$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^mute-replay-warnings$}) } + it { is_expected.to 
contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^ns\-cert\-type\s+server$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^verb\s+3$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^mute\s+20$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^auth-retry\s+none$}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^tls-client$}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^verify-x509-name}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^sndbuf}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^rcvbuf}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^pull}) } + end - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^cipher AES-256-CBC$}) } - end + context 'setting all of the parameters' do + let(:params) do + { + 'server' => 'test_server', + 'compression' => 'comp-something', + 'dev' => 'tap', + 'mute' => 10, + 'mute_replay_warnings' => false, + 'nobind' => false, + 'persist_key' => false, + 'persist_tun' => false, + 'cipher' => 'AES-256-CBC', + 'tls_cipher' => 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA', + 'port' => '123', + 'proto' => 'udp', + 'remote_host' => %w[somewhere galaxy], + 'resolv_retry' => '2m', + 'auth_retry' => 'interact', + 'verb' => '1', + 'setenv' => { 'CLIENT_CERT' => '0' }, + 
'setenv_safe' => { 'FORWARD_COMPATIBLE' => '1' }, + 'tls_auth' => true, + 'x509_name' => 'test_server', + 'sndbuf' => 393_216, + 'rcvbuf' => 393_215, + 'readme' => 'readme text', + 'pull' => true, + 'ns_cert_type' => false, + 'remote_cert_tls' => true + } + end - context 'should fail if specifying an openvpn::server with extca_enabled=true' do - let(:params) do - { - 'server' => 'test_server_extca' - } - end + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^client$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^ca\s+keys\/test_client\/ca\.crt$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^cert\s+keys\/test_client\/test_client.crt$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^key\s+keys\/test_client\/test_client\.key$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^dev\s+tap$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^proto\s+udp$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^remote\s+somewhere\s+123$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^remote\s+galaxy\s+123$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^comp-something$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^resolv-retry\s+2m$}) } + it { is_expected.to 
contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^verb\s+1$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^mute\s+10$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^auth-retry\s+interact$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^setenv\s+CLIENT_CERT\s+0$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^setenv_safe\s+FORWARD_COMPATIBLE\s+1$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^cipher\s+AES-256-CBC$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^tls-cipher\s+TLS-DHE-RSA-WITH-AES-256-CBC-SHA$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^tls-client$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^verify-x509-name\s+"test_server"\s+name$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^sndbuf\s+393216$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^rcvbuf\s+393215$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/README').with_content(%r{^readme text$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^pull$}) } + it { is_expected.to 
contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^remote-cert-tls\s+server$}) } + end - before do - pre_condition << ' - openvpn::server { "text_server_extca": - tls_auth => true, - extca_enabled => true, - extca_ca_cert_file => "/etc/ipa/ca.crt", - extca_ca_crl_file => "/etc/ipa/ca_crl.pem", - extca_server_cert_file => "/etc/pki/tls/certs/localhost.crt", - extca_server_key_file => "/etc/pki/tls/private/localhost.key", - extca_dh_file => "/etc/ipa/dh.pem", - extca_tls_auth_key_file => "/etc/openvpn/keys/ta.key", - } - ' - end - it { expect { is_expected.to contain_file('test') }.to raise_error(Puppet::Error) } - end + context 'omitting the cipher key' do + let(:params) { { 'server' => 'test_server' } } - context 'when using shared ca' do - let(:params) do - { - 'server' => 'test_server', - 'shared_ca' => 'my_already_existing_ca' - } - end + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^cipher AES-256-CBC$}) } + end - before do - pre_condition << ' - openvpn::server { "my_already_existing_ca": - country => "CO", - province => "ST", - city => "Some City", - organization => "example.org", - email => "testemail@example.org" - } - ' - end + context 'should fail if specifying an openvpn::server with extca_enabled=true' do + let(:params) do + { + 'server' => 'test_server_extca' + } + end - it { is_expected.to contain_openvpn__ca('my_already_existing_ca') } + before do + pre_condition << ' + openvpn::server { "text_server_extca": + tls_auth => true, + extca_enabled => true, + extca_ca_cert_file => "/etc/ipa/ca.crt", + extca_ca_crl_file => "/etc/ipa/ca_crl.pem", + extca_server_cert_file => "/etc/pki/tls/certs/localhost.crt", + extca_server_key_file => "/etc/pki/tls/private/localhost.key", + extca_dh_file => "/etc/ipa/dh.pem", + extca_tls_auth_key_file => "/etc/openvpn/keys/ta.key", + } + ' + end + it { expect { is_expected.to 
contain_file('test') }.to raise_error(Puppet::Error) } + end - it { is_expected.to contain_exec('generate certificate for test_client in context of my_already_existing_ca') } - ['test_client.crt', 'test_client.key', 'ca.crt'].each do |file| - it { - is_expected.to contain_file("/etc/openvpn/test_server/download-configs/test_client/keys/test_client/#{file}").with( - 'ensure' => 'link', - 'target' => "/etc/openvpn/my_already_existing_ca/easy-rsa/keys/#{file}" - ) - } - end + context 'when using shared ca' do + let(:params) do + { + 'server' => 'test_server', + 'shared_ca' => 'my_already_existing_ca' + } + end - # Check that certificate files point to the provided CA - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^client$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^ca\s+keys/test_client/ca\.crt$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^cert\s+keys/test_client/test_client.crt$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^key\s+keys/test_client/test_client\.key$}) } - end + before do + pre_condition << ' + openvpn::server { "my_already_existing_ca": + country => "CO", + province => "ST", + city => "Some City", + organization => "example.org", + email => "testemail@example.org" + } + ' + end - context 'when using not existed shared ca' do - let(:params) do - { - 'server' => 'test_server', - 'shared_ca' => 'my_already_existing_ca' - } - end + it { is_expected.to contain_openvpn__ca('my_already_existing_ca') } - it { expect { is_expected.to contain_file('test') }.to raise_error(Puppet::Error) } - end + it { is_expected.to contain_exec('generate certificate for test_client in context of my_already_existing_ca') } - context 'custom options' do 
- let(:params) do - { - 'server' => 'test_server', - 'custom_options' => { 'this' => 'that' } - } - end + # Check that certificate files point to the provided CA + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^client$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^ca\s+keys/test_client/ca\.crt$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^cert\s+keys/test_client/test_client.crt$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^key\s+keys/test_client/test_client\.key$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^this that$}) } + case facts[:os]['family'] + when 'Ubuntu', 'Debian' + context 'system with easyrsa2' do + ['test_client.crt', 'test_client.key', 'ca.crt'].each do |file| + it { + is_expected.to contain_file("/etc/openvpn/test_server/download-configs/test_client/keys/test_client/#{file}").with( + 'ensure' => 'link', + 'target' => "/etc/openvpn/my_already_existing_ca/easy-rsa/keys/#{file}" + ) + } + end + end + when 'CentOS', 'RedHat', %r{Archlinux}, %r{FreeBSD} + context 'system with easyrsa3' do + it { + is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/keys/test_client/test_client.crt').with( + 'ensure' => 'link', + 'target' => '/etc/openvpn/my_already_existing_ca/easy-rsa/keys/issued/test_client.crt' + ) + } + it { + is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/keys/test_client/test_client.key').with( + 'ensure' => 'link', + 'target' => '/etc/openvpn/my_already_existing_ca/easy-rsa/keys/private/test_client.key' + ) + } + it { + is_expected.to 
contain_file('/etc/openvpn/test_server/download-configs/test_client/keys/test_client/ca.crt').with( + 'ensure' => 'link', + 'target' => '/etc/openvpn/my_already_existing_ca/easy-rsa/keys/ca.crt' + ) + } + end + else + context 'unsupported systems' do + it { is_expected.to raise_error(%r{unsupported OS}) } + end + end + end + + context 'when using not existed shared ca' do + let(:params) do + { + 'server' => 'test_server', + 'shared_ca' => 'my_already_existing_ca' + } + end + + it { expect { is_expected.to contain_file('test') }.to raise_error(Puppet::Error) } + end + + context 'custom options' do + let(:params) do + { + 'server' => 'test_server', + 'custom_options' => { 'this' => 'that' } + } + end + + it { is_expected.to contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(%r{^this that$}) } + end + end end end diff --git a/spec/defines/openvpn_client_specific_config_spec.rb b/spec/defines/openvpn_client_specific_config_spec.rb index cf11d84e..f1d454d2 100644 --- a/spec/defines/openvpn_client_specific_config_spec.rb +++ b/spec/defines/openvpn_client_specific_config_spec.rb 
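Review bot: The `else` arm of the `case facts[:os]['family']` dispatch uses `is_expected.to raise_error(%r{unsupported OS})`, which neither matches how this file expects failures elsewhere (`expect { ... }.to raise_error(Puppet::Error)`) nor goes through catalogue compilation; the rspec-puppet form is `it { is_expected.to compile.and_raise_error(%r{unsupported OS}) }`. The `when 'Ubuntu', 'Debian'` and `when 'CentOS', 'RedHat', ...` arms compare against the OS family, where 'Ubuntu' and 'CentOS' presumably never occur (those look like `facts[:os]['name']` values), so they read as dead alternatives that suggest per-distro behaviour the module does not have. The same case/when block is repeated verbatim in the 'when using shared ca' context with only the target prefix changed; a shared example taking the easy-rsa keys directory as a parameter would keep the two in sync. The minimum-parameters context pins `ns-cert-type server` as the default client verification directive; since that option was deprecated in favour of `remote-cert-tls` and removed in OpenVPN 2.5, a `# TODO: default still relies on the removed ns-cert-type directive` on that assertion would flag the default for follow-up rather than silently re-pinning it.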
@@ -1,54 +1,60 @@ require 'spec_helper' describe 'openvpn::client_specific_config', type: :define do - let(:title) { 'test_client' } - let(:params) { { 'server' => 'test_server' } } - let(:facts) do - { - fqdn: 'somehost', - concat_basedir: '/var/lib/puppet/concat', - osfamily: 'Debian', - operatingsystem: 'Ubuntu', - operatingsystemrelease: '12.04' - } - end - let(:pre_condition) do - [ - 'openvpn::server { "test_server": - country => "CO", - province => "ST", - city => "Some City", - organization => "example.org", - email => "testemail@example.org" - }', - 'openvpn::client { "test_client": - server => "test_server" - }' - ].join - end + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:pre_condition) do + [ + 'openvpn::server { "test_server": + country => "CO", + province => "ST", + city => "Some City", + organization => "example.org", + email => "testemail@example.org" + }', + 'openvpn::client { "test_client": + server => "test_server" + }' + ].join + end + let(:facts) do + facts + end + let(:title) { 'test_client' } + let(:params) do + { + server: 'test_server' + } + end - it { is_expected.to contain_file('/etc/openvpn/test_server/client-configs/test_client') } + it { is_expected.to compile.with_all_deps } - describe 'setting no paramter at all' do - it { is_expected.to contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(%r{\A\n\z}) } - end + it { is_expected.to contain_file('/etc/openvpn/test_server/client-configs/test_client') } - describe 'setting all parameters' do - let(:params) do - { server: 'test_server', - iroute: ['10.0.1.0 255.255.255.0'], - iroute_ipv6: ['2001:db8:1234::/64'], - ifconfig: '10.10.10.2 255.255.255.0', - route: ['10.200.100.0 255.255.255.0 10.10.10.1'], - dhcp_options: ['DNS 8.8.8.8'], - redirect_gateway: true } - end + describe 'setting no paramter at all' do + it { is_expected.to contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(%r{\A\n\z}) } + end + + 
describe 'setting all parameters' do + let(:params) do + { + server: 'test_server', + iroute: ['10.0.1.0 255.255.255.0'], + iroute_ipv6: ['2001:db8:1234::/64'], + ifconfig: '10.10.10.2 255.255.255.0', + route: ['10.200.100.0 255.255.255.0 10.10.10.1'], + dhcp_options: ['DNS 8.8.8.8'], + redirect_gateway: true + } + end - it { is_expected.to contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(%r{^iroute 10.0.1.0 255.255.255.0$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(%r{^iroute-ipv6 2001:db8:1234::/64$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(%r{^ifconfig-push 10.10.10.2 255.255.255.0$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(%r{^push dhcp-option DNS 8.8.8.8$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(%r{^push redirect-gateway def1$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(%r{^push "route 10.200.100.0 255.255.255.0 10.10.10.1"$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(%r{^iroute 10.0.1.0 255.255.255.0$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(%r{^iroute-ipv6 2001:db8:1234::/64$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(%r{^ifconfig-push 10.10.10.2 255.255.255.0$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(%r{^push dhcp-option DNS 8.8.8.8$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(%r{^push redirect-gateway def1$}) } + it { is_expected.to 
contain_file('/etc/openvpn/test_server/client-configs/test_client').with_content(%r{^push "route 10.200.100.0 255.255.255.0 10.10.10.1"$}) } + end + end end end diff --git a/spec/defines/openvpn_deploy_client_spec.rb b/spec/defines/openvpn_deploy_client_spec.rb index a724fec9..8d74baec 100644 --- a/spec/defines/openvpn_deploy_client_spec.rb +++ b/spec/defines/openvpn_deploy_client_spec.rb 
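Review bot: The description `'setting no paramter at all'` carries a typo on the new side of this hunk; `describe 'setting no parameter at all' do`. The address assertions use unescaped dots, e.g. `%r{^iroute 10.0.1.0 255.255.255.0$}`, so they also accept any character in those positions; escaping them (`10\.0\.1\.0 255\.255\.255\.0`) makes the rendered-content check strict, and the same applies to the `ifconfig-push`, `dhcp-option` and `route` expectations.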
@@ -1,33 +1,45 @@ require 'spec_helper' describe 'openvpn::deploy::client', type: :define do - let(:title) { 'test_client' } - let(:params) { { 'server' => 'test_server' } } - let(:facts) do - { - fqdn: 'somehost', - concat_basedir: '/var/lib/puppet/concat', - osfamily: 'Debian', - operatingsystem: 'Ubuntu', - operatingsystemrelease: '12.04' - } - end + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts + end + let(:title) { 'test_client' } - it { is_expected.to contain_file('/etc/openvpn/keys/test_client') } + context 'with manage_etc false' do + let(:params) do + { + server: 'test_server', + manage_etc: false + } + end - it { is_expected.to contain_package('openvpn') } - it { - is_expected.to contain_service('openvpn').with( - ensure: 'running', - enable: true - ) - } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_file('/etc/openvpn/keys/test_client') } + it { is_expected.to contain_package('openvpn') } + it { + is_expected.to contain_service('openvpn').with( + ensure: 'running', + enable: true + ) + } + end - context 'with manage_etc' do - let(:params) { { 'server' => 'test_server', 'manage_etc' => true } } + context 'with manage_etc true' do + let(:params) do + { + server: 'test_server', + manage_etc: true + } + end - it { is_expected.to contain_file('/etc/openvpn') } - it { is_expected.to contain_file('/etc/openvpn/keys') } - it { is_expected.to contain_file('/etc/openvpn/keys/test_client') } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_file('/etc/openvpn') } + it { is_expected.to contain_file('/etc/openvpn/keys') } + it { is_expected.to contain_file('/etc/openvpn/keys/test_client') } + end + end end end diff --git a/spec/defines/openvpn_deploy_export_spec.rb b/spec/defines/openvpn_deploy_export_spec.rb index eeb359b3..c9154dcc 100644 --- a/spec/defines/openvpn_deploy_export_spec.rb +++ b/spec/defines/openvpn_deploy_export_spec.rb 
@@ -1,55 +1,46 @@
 require 'spec_helper'
 describe 'openvpn::deploy::export', type: :define do
- let(:title) { 'test_client' }
- let(:params) { { 'server' => 'test_server' } }
- let(:facts) do
- {
- 'fqdn' => 'somehost',
- 'concat_basedir' => '/var/lib/puppet/concat',
- 'osfamily' => 'Debian',
- 'operatingsystem' => 'Ubuntu',
- 'operatingsystemrelease' => '12.04',
- 'openvpn' => {
- 'test_server' => {
- 'test_client' => {
- 'conf' => 'config',
- 'crt' => 'crt',
- 'ca' => 'ca',
- 'key' => 'key',
- 'ta' => 'ta'
- }
- }
- }
- }
- end
- let(:pre_condition) do
- [
- 'openvpn::server { "test_server":
- country => "CO",
- province => "ST",
- city => "Some City",
- organization => "example.org",
- email => "testemail@example.org"
- }',
- 'openvpn::client { "test_client":
- server => "test_server"
- }'
- ].join
- end
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:pre_condition) do
+ [
+ 'openvpn::server { "test_server":
+ country => "CO",
+ province => "ST",
+ city => "Some City",
+ organization => "example.org",
+ email => "testemail@example.org"
+ }',
+ 'openvpn::client { "test_client":
+ server => "test_server"
+ }'
+ ].join
+ end
+ let(:facts) do
+ facts.merge(
+ openvpn: { 'test_server' => { 'test_client' => { 'conf' => 'config', 'crt' => 'crt', 'ca' => 'ca', 'key' => 'key', 'ta' => 'ta' } } }
+ )
+ end
+ let(:title) { 'test_client' }
+ let(:params) { { 'server' => 'test_server' } }
+
+ it { is_expected.to compile.with_all_deps }
- context 'exported resources' do
- subject { exported_resources }
+ context 'exported resources' do
+ subject { exported_resources }
- it { is_expected.to contain_file('exported-test_server-test_client-config').with_content('config') }
- it { is_expected.to contain_file('exported-test_server-test_client-ca').with_content('ca') }
- it { is_expected.to contain_file('exported-test_server-test_client-crt').with_content('crt') }
- it { is_expected.to contain_file('exported-test_server-test_client-key').with_content('key') }
+ it { is_expected.to contain_file('exported-test_server-test_client-config').with_content('config') }
+ it { is_expected.to contain_file('exported-test_server-test_client-ca').with_content('ca') }
+ it { is_expected.to contain_file('exported-test_server-test_client-crt').with_content('crt') }
+ it { is_expected.to contain_file('exported-test_server-test_client-key').with_content('key') }
- context 'with tls_auth' do
- let(:params) { { 'server' => 'test_server', 'tls_auth' => true } }
+ context 'with tls_auth' do
+ let(:params) { { 'server' => 'test_server', 'tls_auth' => true } }
- it { is_expected.to contain_file('exported-test_server-test_client-ta').with_content('ta') }
+ it { is_expected.to contain_file('exported-test_server-test_client-ta').with_content('ta') }
+ end
+ end
 end
 end
 end
diff --git a/spec/defines/openvpn_revoke_spec.rb b/spec/defines/openvpn_revoke_spec.rb
index 47a08b88..75b8eeec 100644
--- a/spec/defines/openvpn_revoke_spec.rb
+++ b/spec/defines/openvpn_revoke_spec.rb
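Review bot: The default `exported resources` context has no negative expectation for the `ta` file, so only the positive `with tls_auth` case is pinned and a regression that exports the TLS-auth key unconditionally would go unnoticed; `it { is_expected.not_to contain_file('exported-test_server-test_client-ta') }` next to the `-key` example closes that gap. In `facts.merge(...)` the top-level key is the symbol `openvpn:` while the nested keys are strings; the `with_content` examples would fail if the merged fact were not found, so this presumably works, but a single key style is less surprising. The one-line nested fixture is hard to read; splitting it one key per line, as the removed `let(:facts)` did, would help.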
@@ -1,35 +1,35 @@
 require 'spec_helper'
 describe 'openvpn::revoke', type: :define do
- let(:title) { 'test_client' }
- let(:params) { { 'server' => 'test_server' } }
- let(:facts) do
- {
- fqdn: 'somehost',
- concat_basedir: '/var/lib/puppet/concat',
- osfamily: 'Debian',
- operatingsystem: 'Ubuntu',
- operatingsystemrelease: '12.04'
- }
- end
- let(:pre_condition) do
- [
- 'openvpn::server { "test_server":
- country => "CO",
- province => "ST",
- city => "Some City",
- organization => "example.org",
- email => "testemail@example.org"
- }',
- 'openvpn::client { "test_client":
- server => "test_server"
- }'
- ].join
- end
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:pre_condition) do
+ [
+ 'openvpn::server { "test_server":
+ country => "CO",
+ province => "ST",
+ city => "Some City",
+ organization => "example.org",
+ email => "testemail@example.org"
+ }',
+ 'openvpn::client { "test_client":
+ server => "test_server"
+ }'
+ ].join
+ end
+ let(:facts) do
+ facts
+ end
+ let(:title) { 'test_client' }
+ let(:params) { { 'server' => 'test_server' } }
- it {
- is_expected.to contain_exec('revoke certificate for test_client in context of test_server').with(
- 'command' => ". ./vars && ./revoke-full test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client"
- )
- }
+ it { is_expected.to compile.with_all_deps }
+
+ it {
+ is_expected.to contain_exec('revoke certificate for test_client in context of test_server').with(
+ 'command' => ". ./vars && ./revoke-full test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client"
+ )
+ }
+ end
+ end
 end
diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb
index a930f934..8dbf9587 100644
--- a/spec/defines/openvpn_server_spec.rb
+++ b/spec/defines/openvpn_server_spec.rb
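Review bot: The `contain_exec` example pins the easy-rsa 2 style `./revoke-full test_client` command identically for every entry of `on_supported_os`; if any supported OS defaults to a different easy-rsa version, the command the define renders there will differ and this example needs a per-OS branch, as `case facts[:os]['family']` does in openvpn_server_spec. The client name is interpolated straight into the `exec` command string and the spec only exercises the plain `test_client` title; an additional example asserting that a title containing shell metacharacters is rejected (or rendered escaped) would document whatever validation the define performs, and would expose it if there is none. `let(:facts) do facts end` can be shortened to `let(:facts) { facts }`.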
@@ -1,801 +1,851 @@ require 'spec_helper' -describe 'openvpn::server', type: :define do - let(:title) { 'test_server' } - - let(:facts) do - { - ipaddress_eth0: '1.2.3.4', - network_eth0: '1.2.3.0', - netmask_eth0: '255.255.255.0', - concat_basedir: '/var/lib/puppet/concat', - osfamily: 'Debian', - operatingsystem: 'Ubuntu', - operatingsystemrelease: '12.04' - } - end - - context 'creating a server without any parameter' do - let(:params) { {} } - - it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) } - end - - context 'creating a server partial parameters: country' do - let(:params) { { 'country' => 'CO' } } - - it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) } - end - - context 'creating a server partial parameters: country, province' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST' - } - end - - it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) } - end - - context 'creating a server partial parameters: country, province, city' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City' - } - end - - it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) } - end - - context 'creating a server partial parameters: country, province, city, organization' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org' - } - end - - it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) } - end - - context 'creating a server with the minimum parameters' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org' - } - end - - # Files associated with 
a server config - it { - is_expected.to contain_file('/etc/openvpn/test_server'). - with(ensure: 'directory', mode: '0750', group: 'nogroup') - } - it { - is_expected.to contain_file('/etc/openvpn/test_server/client-configs'). - with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') - } - it { - is_expected.to contain_file('/etc/openvpn/test_server/download-configs'). - with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') - } - it { - is_expected.to contain_file('/etc/openvpn/test_server/auth'). - with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') - } - - # OpenVPN easy-rsa CA - it { is_expected.to contain_openvpn__ca('test_server').with(params) } - - # VPN server config file itself - - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^mode\s+server$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^client\-config\-dir\s+\/etc\/openvpn\/test_server\/client\-configs$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ca\s+\/etc\/openvpn\/test_server\/keys\/ca.crt$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+\/etc\/openvpn\/test_server\/keys\/server.crt$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+\/etc\/openvpn\/test_server\/keys\/server.key$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+\/etc\/openvpn\/test_server\/keys\/dh2048.pem$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^proto\s+tcp-server$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-server$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^port\s+1194$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^comp-lzo$}) } - it { 
is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^group\s+nogroup$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^user\s+nobody$}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^log\-append\s+test_server\/openvpn\.log$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^status\s+/var/log/openvpn/test_server-status\.log$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dev\s+tun0$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^local\s+1\.2\.3\.4$}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ifconfig-pool-persist}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^crl-verify\s+\/etc\/openvpn\/test_server\/crl.pem$}) } - it { is_expected.not_to contain_schedule('renew crl.pem schedule on test_server') } - it { is_expected.not_to contain_exec('renew crl.pem on test_server') } - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^secret}) } - - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{verb}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{cipher AES-256-CBC}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{persist-key}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{persist-tun}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^duplicate-cn$}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ns-cert-type server}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-auth}) } - it { is_expected.not_to 
contain_file('/etc/openvpn/test_server.conf').with_content(%r{^fragment}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^port-share}) } - - it { is_expected.to contain_file('/etc/openvpn/test_server/keys/pre-shared.secret').with(ensure: 'absent') } - end - - context 'creating a server setting all parameters' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'compression' => 'fake_compression', - 'port' => '123', - 'proto' => 'udp', - 'group' => 'someone', - 'user' => 'someone', - 'logfile' => '/var/log/openvpn/test_server.log', - 'status_log' => '/tmp/test_server_status.log', - 'dev' => 'tun1', - 'up' => '/tmp/up', - 'down' => '/tmp/down', - 'local' => '2.3.4.5', - 'ipp' => true, - 'server' => '2.3.4.0 255.255.0.0', - 'server_ipv6' => 'fe80:1337:1337:1337::/64', - 'push' => ['dhcp-option DNS 172.31.0.30', 'route 172.31.0.0 255.255.0.0'], - 'route' => ['192.168.30.0 255.255.255.0', '192.168.35.0 255.255.0.0'], - 'route_ipv6' => ['2001:db8:1234::/64', '2001:db8:abcd::/64'], - 'keepalive' => '10 120', - 'topology' => 'subnet', - 'ssl_key_size' => 2048, - 'management' => true, - 'management_ip' => '1.3.3.7', - 'management_port' => 1337, - 'common_name' => 'mylittlepony', - 'ca_expire' => 365, - 'crl_auto_renew' => true, - 'key_expire' => 365, - 'key_cn' => 'yolo', - 'key_name' => 'burp', - 'key_ou' => 'NSA', - 'verb' => 'mute', - 'cipher' => 'DES-CBC', - 'tls_cipher' => 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA', - 'persist_key' => true, - 'persist_tun' => true, - 'duplicate_cn' => true, - 'tls_auth' => true, - 'tls_server' => true, - 'fragment' => 1412, - 'custom_options' => { 'this' => 'that' }, - 'portshare' => '127.0.0.1 8443', - 'secret' => 'secretsecret1234', - 'remote_cert_tls' => true - } - end - - let(:facts) do - { - ipaddress_eth0: '1.2.3.4', - network_eth0: '1.2.3.0', - netmask_eth0: '255.255.255.0', - 
concat_basedir: '/var/lib/puppet/concat', - osfamily: 'Debian', - operatingsystem: 'Ubuntu', - operatingsystemrelease: '12.04' - } - end - - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^mode\s+server$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^client-config-dir\s+/etc/openvpn/test_server/client-configs$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ca\s+/etc/openvpn/test_server/keys/ca.crt$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+/etc/openvpn/test_server/keys/mylittlepony.crt$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+/etc/openvpn/test_server/keys/mylittlepony.key$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+/etc/openvpn/test_server/keys/dh2048.pem$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^proto\s+udp$}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^proto\s+tls-server$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^port\s+123$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^fake_compression$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^group\s+someone$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^user\s+someone$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^log\-append\s+/var/log/openvpn/test_server\.log$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^status\s+/tmp/test_server_status\.log$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dev\s+tun1$}) } - it { is_expected.to 
contain_file('/etc/openvpn/test_server.conf').with_content(%r{^local\s+2\.3\.4\.5$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^server\s+2\.3\.4\.0\s+255\.255\.0\.0$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^server-ipv6\s+fe80:1337:1337:1337::/64$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^push\s+"dhcp-option\s+DNS\s+172\.31\.0\.30"$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^push\s+"route\s+172\.31\.0\.0\s+255\.255\.0\.0"$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^route\s+192.168.30.0\s+255.255.255.0$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^route\s+192.168.35.0\s+255.255.0.0$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^route-ipv6\s+2001:db8:1234::/64$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^route-ipv6\s+2001:db8:abcd::/64$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^keepalive\s+10\s+120$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^topology\s+subnet$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^management\s+1.3.3.7 1337$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^verb mute$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cipher DES-CBC$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-cipher\s+TLS-DHE-RSA-WITH-AES-256-CBC-SHA$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^persist-key$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^persist-tun$}) } - - it { 
is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^up "/tmp/up"$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^down "/tmp/down"$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^script-security 2$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^duplicate-cn$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-server$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-auth\s+/etc/openvpn/test_server/keys/ta.key$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key-direction 0$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^this that$}) } - - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^fragment 1412$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^port-share 127.0.0.1 8443$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^secret /etc/openvpn/test_server/keys/pre-shared.secret$}) } - - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^server-poll-timeout}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ping-timer-rem}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^sndbuf}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^rcvbuf}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^remote-cert-tls server$}) } - - it { is_expected.to contain_file('/etc/openvpn/test_server/keys/pre-shared.secret').with_content(%r{^secretsecret1234$}).with(ensure: 'present') } - it { is_expected.to contain_schedule('renew crl.pem schedule on test_server') } 
- it { is_expected.to contain_exec('renew crl.pem on test_server') } - - # OpenVPN easy-rsa CA - it { - is_expected.to contain_openvpn__ca('test_server'). - with(country: 'CO', - province: 'ST', - city: 'Some City', - organization: 'example.org', - email: 'testemail@example.org', - group: 'someone', - ssl_key_size: 2048, - common_name: 'mylittlepony', - ca_expire: 365, - key_expire: 365, - key_cn: 'yolo', - key_name: 'burp', - key_ou: 'NSA', - tls_auth: true) - } - end - - context 'creating a server in client mode' do - let(:title) { 'test_client' } - let(:nobind) { false } - let(:params) do - { - 'remote' => ['vpn.example.com 12345'], - 'server_poll_timeout' => 1, - 'ping_timer_rem' => true, - 'tls_auth' => true, - 'tls_client' => true, - 'nobind' => nobind - } - end - let(:facts) do - { - ipaddress_eth0: '1.2.3.4', - network_eth0: '1.2.3.0', - netmask_eth0: '255.255.255.0', - concat_basedir: '/var/lib/puppet/concat', - osfamily: 'Debian', - operatingsystem: 'Ubuntu', - operatingsystemrelease: '12.04' - } - end - - context 'nobind is true' do - let(:nobind) { true } - - it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^nobind$}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_client.conf').with_content(%r{port\s+\d+}) } - end - - it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^client$}) } - it { - is_expected.to contain_file('/etc/openvpn/test_client.conf'). - with_content(%r{^remote\s+vpn.example.com\s+12345$}) - } - it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^server-poll-timeout\s+1$}) } - it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^ping-timer-rem$}) } - it { - is_expected.to contain_file('/etc/openvpn/test_client.conf'). - with_content(%r{^ca /etc/openvpn/test_client/keys/ca.crt$}) - } - it { - is_expected.to contain_file('/etc/openvpn/test_client.conf'). 
- with_content(%r{^cert /etc/openvpn/test_client/keys/test_client.crt$}) - } - it { - is_expected.to contain_file('/etc/openvpn/test_client.conf'). - with_content(%r{^key /etc/openvpn/test_client/keys/test_client.key$}) - } - it { - is_expected.to contain_file('/etc/openvpn/test_client/keys'). - with(ensure: 'directory', mode: '0750', group: 'nogroup') - } - it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^ns-cert-type server}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^mode\s+server$}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^client-config-dir}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^dh}) } - it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^tls-client$}) } - it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^key-direction 1$}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_client.conf').with_content(%r{nobind}) } - it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^port\s+\d+$}) } - - context 'systemd enabled RedHat' do - let(:pre_condition) { "class { 'openvpn': manage_service => true }" } - let(:params) do - { - 'remote' => ['vpn.example.com 12345'] - } - end +describe 'openvpn::server' do + on_supported_os.each do |os, facts| + context "on #{os}" do let(:facts) do - { - concat_basedir: '/var/lib/puppet/concat', - operatingsystem: 'CentOS', - osfamily: 'RedHat', - operatingsystemrelease: '7.0' - } + facts end + let(:title) { 'test_server' } - it { - is_expected.to contain_service('openvpn@test_client').with( - ensure: 'running', - enable: true - ) - } - it { - is_expected.not_to contain_service('openvpn@test_client').that_requires('Openvpn::Ca[test_client]') - } - end - - it { is_expected.not_to contain_openvpn__ca('test_client') } - end - - context 'when altering send and 
receive buffers' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'sndbuf' => 393_216, - 'rcvbuf' => 393_215 - } - end - - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^sndbuf\s+393216$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^rcvbuf\s+393215$}) } - end - - context 'when using shared ca' do - let(:params) do - { - 'shared_ca' => 'my_already_existing_ca' - } - end - let(:pre_condition) do - ' - openvpn::ca{ "my_already_existing_ca": - common_name => "custom_common_name", - country => "CO", - province => "ST", - city => "Some City", - organization => "example.org", - email => "testemail@example.org" - }' - end - - it { is_expected.to contain_openvpn__ca('my_already_existing_ca') } - - # Check that certificate files point to the provide CA + # common tests for any easyrsa version + context 'creating a server without any parameter' do + let(:params) { {} } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^mode\s+server$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^client\-config\-dir\s+\/etc\/openvpn\/test_server\/client\-configs$}) } - - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ca\s+\/etc\/openvpn\/my_already_existing_ca\/keys\/ca.crt$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+\/etc\/openvpn\/my_already_existing_ca\/keys\/custom_common_name.crt$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+\/etc\/openvpn\/my_already_existing_ca\/keys\/custom_common_name.key$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+\/etc\/openvpn\/my_already_existing_ca\/keys\/dh2048.pem$}) } - end - - context 'when using not 
existed shared ca' do - let(:params) do - { - 'shared_ca' => 'my_already_existing_ca' - } - end - - it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) } - end + it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) } + end - context 'when RedHat based machine' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'pam' => true - } - end + context 'creating a server partial parameters: country' do + let(:params) { { 'country' => 'CO' } } - let(:facts) do - { - osfamily: 'RedHat', - operatingsystem: 'CentOS', - concat_basedir: '/var/lib/puppet/concat', - operatingsystemrelease: '7.0' - } - end + it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) } + end - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^group\s+nobody$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so "?login"?$}) } - end + context 'creating a server partial parameters: country, province' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST' + } + end - context 'when RedHat based machine with different pam_module_arguments and crl_verify disabled' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'pam' => true, - 'pam_module_arguments' => 'openvpn login USERNAME password PASSWORD', - 'crl_verify' => false - } - end + it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) } + end - let(:facts) do - { - osfamily: 'RedHat', - operatingsystem: 'CentOS', - concat_basedir: '/var/lib/puppet/concat', 
- operatingsystemrelease: '7.0' - } - end + context 'creating a server partial parameters: country, province, city' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City' + } + end - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so "openvpn login USERNAME password PASSWORD"$}) } - it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^crl-verify}) } - end + it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) } + end - context 'when Debian based machine' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'pam' => true - } - end + context 'creating a server partial parameters: country, province, city, organization' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org' + } + end + + it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) } + end - let(:facts) do - { - osfamily: 'Debian', - operatingsystem: 'Debian', - operatingsystemrelease: '7.0', - concat_basedir: '/var/lib/puppet/concat' - } - end + context 'when using not existed shared ca' do + let(:params) do + { + 'shared_ca' => 'my_already_existing_ca' + } + end - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^group\s+nogroup$}) } - it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^plugin /usr/lib/openvpn/openvpn-auth-pam.so "?login"?$}) } + it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) } + end - context 'enabled autostart_all' do - let(:pre_condition) { 'class { "openvpn": autostart_all => true }' } + context 
'should fail if setting extca_enabled=true without specifying any other extca_* options' do + let(:params) do + { + 'extca_enabled' => true + } + end - it { is_expected.not_to contain_concat__fragment('openvpn.default.autostart.test_server') } - end + it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) } + end - context 'disabled autostart_all' do - let(:pre_condition) { 'class { "openvpn": autostart_all => false }' } + context 'should fail if setting extca_enabled=true and tls_auth=true without providing extca_tls_auth_key_file' do + let(:params) do + { + 'tls_auth' => true, + 'extca_enabled' => true, + 'extca_ca_cert_file' => '/etc/ipa/ca.crt', + 'extca_ca_crl_file' => '/etc/ipa/ca_crl.pem', + 'extca_server_cert_file' => '/etc/pki/tls/certs/localhost.crt', + 'extca_server_key_file' => '/etc/pki/tls/private/localhost.key', + 'extca_dh_file' => '/etc/ipa/dh.pem' + } + end + + it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) } + end - it { is_expected.not_to contain_concat__fragment('openvpn.default.autostart.test_server') } + context 'when altering send and receive buffers' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'testemail@example.org', + 'sndbuf' => 393_216, + 'rcvbuf' => 393_215 + } + end + + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^sndbuf\s+393216$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^rcvbuf\s+393215$}) } + end - context 'but machine has autostart' do - before { params['autostart'] = true } + context 'creating a server in client mode' do + let(:title) { 'test_client' } + let(:nobind) { false } + let(:params) do + { + 'remote' => ['vpn.example.com 12345'], + 'server_poll_timeout' => 1, + 'ping_timer_rem' => true, + 'tls_auth' => true, + 
'tls_client' => true, + 'nobind' => nobind + } + end + + context 'nobind is true' do + let(:nobind) { true } + + it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^nobind$}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_client.conf').with_content(%r{port\s+\d+}) } + end + + it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^client$}) } it { - is_expected.to contain_concat__fragment('openvpn.default.autostart.test_server').with( - 'content' => "AUTOSTART=\"$AUTOSTART test_server\"\n", - 'target' => '/etc/default/openvpn' - ) + is_expected.to contain_file('/etc/openvpn/test_client.conf'). + with_content(%r{^remote\s+vpn.example.com\s+12345$}) } + it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^server-poll-timeout\s+1$}) } + it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^ping-timer-rem$}) } + it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^ns-cert-type server}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^mode\s+server$}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^client-config-dir}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^dh}) } + it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^tls-client$}) } + it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^key-direction 1$}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_client.conf').with_content(%r{nobind}) } + it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^port\s+\d+$}) } + + it { is_expected.not_to contain_openvpn__ca('test_client') } + + case facts[:os]['family'] + when 'RedHat' + it { + is_expected.to contain_file('/etc/openvpn/test_client/keys'). 
+ with(ensure: 'directory', mode: '0750', group: 'nobody') + } + end end - end - end - - context 'when FreeBSD based machine' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'pam' => true - } - end - - let(:facts) do - { - osfamily: 'FreeBSD', - operatingsystem: 'FreeBSD', - concat_basedir: '/var/lib/puppet/concat' - } - end - - it { is_expected.to contain_file('/etc/rc.conf.d/openvpn_test_server') } - it { is_expected.to contain_service('openvpn_test_server') } - it { is_expected.to contain_file('/usr/local/etc/openvpn/test_server') } - it { is_expected.to contain_file('/usr/local/etc/rc.d/openvpn_test_server') } - it { is_expected.to contain_file('/usr/local/etc/openvpn/test_server.conf').with_content(%r{/usr/local/etc}) } - end - - context 'ldap' do - before do - facts[:osfamily] = 'Debian' - facts[:operatingsystem] = 'Debian' - facts[:operatingsystemrelease] = '8.0.0' - end - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - - 'username_as_common_name' => true, - 'client_cert_not_required' => true, - - 'ldap_enabled' => true, - 'ldap_server' => 'ldaps://ldap.example.org:636', - 'ldap_binddn' => 'dn=root,dc=example,dc=org', - 'ldap_bindpass' => 'secret password', - 'ldap_u_basedn' => 'ou=people,dc=example,dc=org', - 'ldap_u_filter' => 'call me user filter', - 'ldap_g_basedn' => 'ou=groups,dc=example,dc=org', - 'ldap_gmember' => true, - 'ldap_g_filter' => 'call me group filter', - 'ldap_memberatr' => 'iCanTyping', - - 'ldap_tls_enable' => true, - 'ldap_tls_ca_cert_file' => '/somewhere/ca.crt', - 'ldap_tls_ca_cert_dir' => '/etc/ssl/certs', - 'ldap_tls_client_cert_file' => '/somewhere/client.crt', - 'ldap_tls_client_key_file' => '/somewhere/client.key' - } - end - - it { is_expected.to contain_package('openvpn-auth-ldap').with('ensure' 
=> 'present') }
-
- it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+URL ldaps://ldap\.example\.org:636$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+BindDN dn=root,dc=example,dc=org$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+Password secret password$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+BaseDN ou=people,dc=example,dc=org$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+SearchFilter "call me user filter"$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+RequireGroup true$}) }
-
- it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+BaseDN ou=groups,dc=example,dc=org$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+SearchFilter "call me group filter"$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+MemberAttribute iCanTyping$}) }
-
- it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSEnable yes$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCACertFile /somewhere/ca.crt$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCACertDir /etc/ssl/certs$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCertFile /somewhere/client.crt$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSKeyFile /somewhere/client.key$}) }
-
- it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^plugin 
/usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/test_server/auth/ldap.conf"$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^username-as-common-name$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^client-cert-not-required$}) }
- end
-
- context 'RedHat using an external CA and without tls-auth' do
- let(:params) do
- {
- 'extca_enabled' => true,
- 'extca_ca_cert_file' => '/etc/ipa/ca.crt',
- 'extca_ca_crl_file' => '/etc/ipa/ca_crl.pem',
- 'extca_server_cert_file' => '/etc/pki/tls/certs/localhost.crt',
- 'extca_server_key_file' => '/etc/pki/tls/private/localhost.key',
- 'extca_dh_file' => '/etc/ipa/dh.pem',
- 'extca_tls_auth_key_file' => '/etc/openvpn/keys/ta.key'
- }
- end
-
- let(:facts) do
- {
- osfamily: 'Redhat',
- operatingsystem: 'CentOS',
- operatingsystemrelease: '7.0',
- concat_basedir: '/var/lib/puppet/concat'
- }
- end
-
- it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ca\s+/etc/openvpn/test_server/keys}) }
- it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^crl-verify\s+/etc/openvpn/test_server}) }
- it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+/etc/openvpn/test_server/keys}) }
- it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+/etc/openvpn/test_server/keys}) }
- it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+/etc/openvpn/test_server/keys}) }
- it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-auth}) }
-
- it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ca\s+/etc/ipa/ca.crt$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^crl-verify\s+/etc/ipa/ca_crl.pem$}) }
- it { is_expected.to 
contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+/etc/pki/tls/certs/localhost.crt$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+/etc/pki/tls/private/localhost.key$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+/etc/ipa/dh.pem$}) }
- end
-
- context 'RedHat using an external CA and enabling tls-auth' do
- let(:params) do
- {
- 'tls_auth' => true,
- 'extca_enabled' => true,
- 'extca_ca_cert_file' => '/etc/ipa/ca.crt',
- 'extca_ca_crl_file' => '/etc/ipa/ca_crl.pem',
- 'extca_server_cert_file' => '/etc/pki/tls/certs/localhost.crt',
- 'extca_server_key_file' => '/etc/pki/tls/private/localhost.key',
- 'extca_dh_file' => '/etc/ipa/dh.pem',
- 'extca_tls_auth_key_file' => '/etc/openvpn/keys/ta.key'
- }
- end
-
- let(:facts) do
- {
- osfamily: 'RedHat',
- operatingsystem: 'CentOS',
- operatingsystemrelease: '7.0',
- concat_basedir: '/var/lib/puppet/concat'
- }
- end
-
- it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ca\s+\/etc\/openvpn\/test_server\/keys\/ca.crt$}) }
- it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^crl-verify\s+\/etc\/openvpn\/test_server\/crl.pem$}) }
- it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+\/etc\/openvpn\/test_server\/keys\/server.crt$}) }
- it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+\/etc\/openvpn\/test_server\/keys\/server.key$}) }
- it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+\/etc\/openvpn\/test_server\/keys\/dh2048.pem$}) }
- it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-auth\s+\/etc\/openvpn\/test_server\/keys\/ta.key$}) }
-
- it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ca\s+/etc/ipa/ca.crt$}) }
- it { is_expected.to 
contain_file('/etc/openvpn/test_server.conf').with_content(%r{^crl-verify\s+/etc/ipa/ca_crl.pem$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+/etc/pki/tls/certs/localhost.crt$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+/etc/pki/tls/private/localhost.key$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+/etc/ipa/dh.pem$}) }
- it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-auth\s+/etc/openvpn/keys/ta.key$}) }
- end
-
- context 'should fail if setting extca_enabled=true without specifying any other extca_* options' do
- let(:params) do
- {
- 'extca_enabled' => true
- }
- end
-
- it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) }
- end
-
- context 'should fail if setting extca_enabled=true and tls_auth=true without providing extca_tls_auth_key_file' do
- let(:params) do
- {
- 'tls_auth' => true,
- 'extca_enabled' => true,
- 'extca_ca_cert_file' => '/etc/ipa/ca.crt',
- 'extca_ca_crl_file' => '/etc/ipa/ca_crl.pem',
- 'extca_server_cert_file' => '/etc/pki/tls/certs/localhost.crt',
- 'extca_server_key_file' => '/etc/pki/tls/private/localhost.key',
- 'extca_dh_file' => '/etc/ipa/dh.pem'
- }
- end
-
- it { expect { is_expected.to contain_file('/etc/openvpn/test_server') }.to raise_error(Puppet::PreformattedError) }
- end
-
- context 'systemd enabled RedHat' do
- let(:pre_condition) { "class { 'openvpn': manage_service => #{manage_service} }" }
- let(:facts) do
- {
- concat_basedir: '/var/lib/puppet/concat',
- operatingsystem: 'CentOS',
- osfamily: 'RedHat',
- operatingsystemrelease: '7.0'
- }
- end
- let(:params) do
- {
- 'country' => 'CO',
- 'province' => 'ST',
- 'city' => 'Some City',
- 'organization' => 'example.org',
- 'email' => 'testemail@example.org'
- }
- end
-
- context 'service is managed' do
- let(:manage_service) { 
true }
-
- it {
- is_expected.to contain_service('openvpn@test_server').with(
- ensure: 'running',
- enable: true
- )
- }
- end
- context 'service is unmanaged' do
- let(:manage_service) { false }
-
- it {
- is_expected.not_to contain_service('openvpn@test_server').with(
- ensure: 'running',
- enable: true
- )
- }
- end
- end
-
- context 'systemd enabled Debian' do
- let(:pre_condition) { "class { 'openvpn': manage_service => #{manage_service} }" }
- let(:facts) do
- {
- concat_basedir: '/var/lib/puppet/concat',
- osfamily: 'Debian',
- operatingsystem: 'Debian',
- operatingsystemrelease: '8.0'
- }
- end
-
- let(:params) do
- {
- 'country' => 'CO',
- 'province' => 'ST',
- 'city' => 'Some City',
- 'organization' => 'example.org',
- 'email' => 'testemail@example.org'
- }
- end
-
- context 'service is managed' do
- let(:manage_service) { true }
-
- it {
- is_expected.to contain_service('openvpn@test_server').with(
- ensure: 'running',
- enable: true
- )
- }
- end
+ context 'creating a server setting all parameters' do
+ let(:params) do
+ {
+ 'country' => 'CO',
+ 'province' => 'ST',
+ 'city' => 'Some City',
+ 'organization' => 'example.org',
+ 'email' => 'testemail@example.org',
+ 'compression' => 'fake_compression',
+ 'port' => '123',
+ 'proto' => 'udp',
+ 'group' => 'someone',
+ 'user' => 'someone',
+ 'logfile' => '/var/log/openvpn/test_server.log',
+ 'status_log' => '/tmp/test_server_status.log',
+ 'dev' => 'tun1',
+ 'up' => '/tmp/up',
+ 'down' => '/tmp/down',
+ 'local' => '2.3.4.5',
+ 'ipp' => true,
+ 'server' => '2.3.4.0 255.255.0.0',
+ 'server_ipv6' => 'fe80:1337:1337:1337::/64',
+ 'push' => ['dhcp-option DNS 172.31.0.30', 'route 172.31.0.0 255.255.0.0'],
+ 'route' => ['192.168.30.0 255.255.255.0', '192.168.35.0 255.255.0.0'],
+ 'route_ipv6' => ['2001:db8:1234::/64', '2001:db8:abcd::/64'],
+ 'keepalive' => '10 120',
+ 'topology' => 'subnet',
+ 'ssl_key_size' => 2048,
+ 'management' => true,
+ 'management_ip' => '1.3.3.7',
+ 'management_port' => 1337,
+ 
'common_name' => 'mylittlepony',
+ 'ca_expire' => 365,
+ 'crl_auto_renew' => true,
+ 'key_expire' => 365,
+ 'key_cn' => 'yolo',
+ 'key_name' => 'burp',
+ 'key_ou' => 'NSA',
+ 'verb' => 'mute',
+ 'cipher' => 'DES-CBC',
+ 'tls_cipher' => 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA',
+ 'persist_key' => true,
+ 'persist_tun' => true,
+ 'duplicate_cn' => true,
+ 'tls_auth' => true,
+ 'tls_server' => true,
+ 'fragment' => 1412,
+ 'custom_options' => { 'this' => 'that' },
+ 'portshare' => '127.0.0.1 8443',
+ 'secret' => 'secretsecret1234',
+ 'remote_cert_tls' => true
+ }
+ end
+
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^mode\s+server$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^client-config-dir\s+/etc/openvpn/test_server/client-configs$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ca\s+/etc/openvpn/test_server/keys/ca.crt$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^proto\s+udp$}) }
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^proto\s+tls-server$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^port\s+123$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^fake_compression$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^group\s+someone$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^user\s+someone$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^log\-append\s+/var/log/openvpn/test_server\.log$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^status\s+/tmp/test_server_status\.log$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dev\s+tun1$}) }
+ it { is_expected.to 
contain_file('/etc/openvpn/test_server.conf').with_content(%r{^local\s+2\.3\.4\.5$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^server\s+2\.3\.4\.0\s+255\.255\.0\.0$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^server-ipv6\s+fe80:1337:1337:1337::/64$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^push\s+"dhcp-option\s+DNS\s+172\.31\.0\.30"$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^push\s+"route\s+172\.31\.0\.0\s+255\.255\.0\.0"$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^route\s+192.168.30.0\s+255.255.255.0$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^route\s+192.168.35.0\s+255.255.0.0$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^route-ipv6\s+2001:db8:1234::/64$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^route-ipv6\s+2001:db8:abcd::/64$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^keepalive\s+10\s+120$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^topology\s+subnet$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^management\s+1.3.3.7 1337$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^verb mute$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cipher DES-CBC$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-cipher\s+TLS-DHE-RSA-WITH-AES-256-CBC-SHA$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^persist-key$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^persist-tun$}) }
+
+ it { 
is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^up "/tmp/up"$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^down "/tmp/down"$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^script-security 2$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^duplicate-cn$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-server$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-auth\s+/etc/openvpn/test_server/keys/ta.key$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key-direction 0$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^this that$}) }
+
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^fragment 1412$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^port-share 127.0.0.1 8443$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^secret /etc/openvpn/test_server/keys/pre-shared.secret$}) }
+
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^server-poll-timeout}) }
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ping-timer-rem}) }
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^sndbuf}) }
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^rcvbuf}) }
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^remote-cert-tls server$}) }
+
+ it { is_expected.to contain_file('/etc/openvpn/test_server/keys/pre-shared.secret').with_content(%r{^secretsecret1234$}).with(ensure: 'present') }
+ it { is_expected.to contain_schedule('renew crl.pem schedule on test_server') } 
+ it { is_expected.to contain_exec('renew crl.pem on test_server') } + + # OpenVPN easy-rsa CA + it { + is_expected.to contain_openvpn__ca('test_server'). + with(country: 'CO', + province: 'ST', + city: 'Some City', + organization: 'example.org', + email: 'testemail@example.org', + group: 'someone', + ssl_key_size: 2048, + common_name: 'mylittlepony', + ca_expire: 365, + key_expire: 365, + key_cn: 'yolo', + key_name: 'burp', + key_ou: 'NSA', + tls_auth: true) + } + end - context 'service is unmanaged' do - let(:manage_service) { false } + # tests dedicated to easyrsa version 2 + context 'with easyrsa 2.0' do + let(:facts) do + facts.merge( + easyrsa: '2.0', + ipaddress_eth0: '1.2.3.4' + ) + end + + context 'creating a server setting all parameters' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'testemail@example.org', + 'compression' => 'fake_compression', + 'port' => '123', + 'proto' => 'udp', + 'group' => 'someone', + 'user' => 'someone', + 'logfile' => '/var/log/openvpn/test_server.log', + 'status_log' => '/tmp/test_server_status.log', + 'dev' => 'tun1', + 'up' => '/tmp/up', + 'down' => '/tmp/down', + 'local' => '2.3.4.5', + 'ipp' => true, + 'server' => '2.3.4.0 255.255.0.0', + 'server_ipv6' => 'fe80:1337:1337:1337::/64', + 'push' => ['dhcp-option DNS 172.31.0.30', 'route 172.31.0.0 255.255.0.0'], + 'route' => ['192.168.30.0 255.255.255.0', '192.168.35.0 255.255.0.0'], + 'route_ipv6' => ['2001:db8:1234::/64', '2001:db8:abcd::/64'], + 'keepalive' => '10 120', + 'topology' => 'subnet', + 'ssl_key_size' => 2048, + 'management' => true, + 'management_ip' => '1.3.3.7', + 'management_port' => 1337, + 'common_name' => 'mylittlepony', + 'ca_expire' => 365, + 'crl_auto_renew' => true, + 'key_expire' => 365, + 'key_cn' => 'yolo', + 'key_name' => 'burp', + 'key_ou' => 'NSA', + 'verb' => 'mute', + 'cipher' => 'DES-CBC', + 'tls_cipher' => 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA', + 
'persist_key' => true, + 'persist_tun' => true, + 'duplicate_cn' => true, + 'tls_auth' => true, + 'tls_server' => true, + 'fragment' => 1412, + 'custom_options' => { 'this' => 'that' }, + 'portshare' => '127.0.0.1 8443', + 'secret' => 'secretsecret1234', + 'remote_cert_tls' => true + } + end + + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+/etc/openvpn/test_server/keys/mylittlepony.crt$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+/etc/openvpn/test_server/keys/mylittlepony.key$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+/etc/openvpn/test_server/keys/dh2048.pem$}) } + end + + context 'creating a server in client mode' do + let(:title) { 'test_client' } + let(:nobind) { false } + let(:params) do + { + 'remote' => ['vpn.example.com 12345'], + 'server_poll_timeout' => 1, + 'ping_timer_rem' => true, + 'tls_auth' => true, + 'tls_client' => true, + 'nobind' => nobind + } + end + + it { + is_expected.to contain_file('/etc/openvpn/test_client.conf'). + with_content(%r{^ca /etc/openvpn/test_client/keys/ca.crt$}) + } + it { + is_expected.to contain_file('/etc/openvpn/test_client.conf'). + with_content(%r{^cert /etc/openvpn/test_client/keys/test_client.crt$}) + } + it { + is_expected.to contain_file('/etc/openvpn/test_client.conf'). 
+ with_content(%r{^key /etc/openvpn/test_client/keys/test_client.key$}) + } + end + + context 'when using shared ca' do + let(:params) do + { + 'shared_ca' => 'my_already_existing_ca' + } + end + let(:pre_condition) do + ' + openvpn::ca{ "my_already_existing_ca": + common_name => "custom_common_name", + country => "CO", + province => "ST", + city => "Some City", + organization => "example.org", + email => "testemail@example.org" + }' + end + + it { is_expected.to contain_openvpn__ca('my_already_existing_ca') } + + # Check that certificate files point to the provide CA + + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^mode\s+server$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^client\-config\-dir\s+\/etc\/openvpn\/test_server\/client\-configs$}) } + + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ca\s+\/etc\/openvpn\/my_already_existing_ca\/keys\/ca.crt$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+\/etc\/openvpn\/my_already_existing_ca\/keys\/custom_common_name.crt$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+\/etc\/openvpn\/my_already_existing_ca\/keys\/custom_common_name.key$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+\/etc\/openvpn\/my_already_existing_ca\/keys\/dh2048.pem$}) } + end + context 'creating a server with the minimum parameters' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'testemail@example.org' + } + end + + # OpenVPN easy-rsa CA + it { is_expected.to contain_openvpn__ca('test_server').with(params) } + + # VPN server config file itself + + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^mode\s+server$}) } + it { is_expected.to 
contain_file('/etc/openvpn/test_server.conf').with_content(%r{^client\-config\-dir\s+\/etc\/openvpn\/test_server\/client\-configs$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ca\s+\/etc\/openvpn\/test_server\/keys\/ca.crt$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+\/etc\/openvpn\/test_server\/keys\/server.crt$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+\/etc\/openvpn\/test_server\/keys\/server.key$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+\/etc\/openvpn\/test_server\/keys\/dh2048.pem$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^proto\s+tcp-server$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-server$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^port\s+1194$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^comp-lzo$}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^log\-append\s+test_server\/openvpn\.log$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^status\s+/var/log/openvpn/test_server-status\.log$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dev\s+tun0$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^local\s+1\.2\.3\.4$}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ifconfig-pool-persist}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^crl-verify\s+\/etc\/openvpn\/test_server\/crl.pem$}) } + it { is_expected.not_to contain_schedule('renew crl.pem schedule on test_server') } + it { is_expected.not_to contain_exec('renew crl.pem on 
test_server') } + it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^secret}) } + + it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{verb}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{cipher AES-256-CBC}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{persist-key}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{persist-tun}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^duplicate-cn$}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ns-cert-type server}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-auth}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^fragment}) } + it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^port-share}) } + + it { is_expected.to contain_file('/etc/openvpn/test_server/keys/pre-shared.secret').with(ensure: 'absent') } + end + + case facts[:os]['family'] + when %r{FreeBSD} + context 'when FreeBSD based machine' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'testemail@example.org', + 'pam' => true + } + end + + it { is_expected.to contain_file('/etc/rc.conf.d/openvpn_test_server') } + it { is_expected.to contain_service('openvpn_test_server') } + it { is_expected.to contain_file('/usr/local/etc/openvpn/test_server') } + it { is_expected.to contain_file('/usr/local/etc/rc.d/openvpn_test_server') } + it { is_expected.to contain_file('/usr/local/etc/openvpn/test_server.conf').with_content(%r{/usr/local/etc}) } + end + context 'creating a server with the minimum parameters' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 
'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'testemail@example.org' + } + end + + # Files associated with a server config + it { + is_expected.to contain_file('/etc/openvpn/test_server'). + with(ensure: 'directory', mode: '0750', group: 'nogroup') + } + it { + is_expected.to contain_file('/etc/openvpn/test_server/client-configs'). + with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') + } + it { + is_expected.to contain_file('/etc/openvpn/test_server/download-configs'). + with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') + } + it { + is_expected.to contain_file('/etc/openvpn/test_server/auth'). + with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') + } + + # VPN server config file itself + + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^group\s+nogroup$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^user\s+nobody$}) } + end + + when 'Debian' + context 'creating a server with the minimum parameters' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'testemail@example.org' + } + end + + # Files associated with a server config + it { + is_expected.to contain_file('/etc/openvpn/test_server'). + with(ensure: 'directory', mode: '0750', group: 'nogroup') + } + it { + is_expected.to contain_file('/etc/openvpn/test_server/client-configs'). + with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') + } + it { + is_expected.to contain_file('/etc/openvpn/test_server/download-configs'). + with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') + } + it { + is_expected.to contain_file('/etc/openvpn/test_server/auth'). 
+ with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') + } + + # VPN server config file itself + + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^group\s+nogroup$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^user\s+nobody$}) } + end + + context 'when Debian based machine' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'testemail@example.org', + 'pam' => true + } + end + + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^group\s+nogroup$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "login"$}) } + + context 'enabled autostart_all' do + let(:pre_condition) { 'class { "openvpn": autostart_all => true }' } + + it { is_expected.not_to contain_concat__fragment('openvpn.default.autostart.test_server') } + end + + context 'disabled autostart_all' do + let(:pre_condition) { 'class { "openvpn": autostart_all => false }' } + + it { is_expected.not_to contain_concat__fragment('openvpn.default.autostart.test_server') } + + context 'but machine has autostart' do + before { params['autostart'] = true } + it { + is_expected.to contain_concat__fragment('openvpn.default.autostart.test_server').with( + 'content' => "AUTOSTART=\"$AUTOSTART test_server\"\n", + 'target' => '/etc/default/openvpn' + ) + } + end + end + end + end + end - it { - is_expected.not_to contain_service('openvpn@test_server').with( - ensure: 'running', - enable: true - ) - } + # tests with easyrsa version 3 + context 'with easyrsa 3.0' do + let(:facts) do + facts.merge( + easyrsa: '3.0', + ipaddress_eth0: '1.2.3.4' + ) + end + + context 'creating a server setting all parameters' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 
'example.org', + 'email' => 'testemail@example.org', + 'compression' => 'fake_compression', + 'port' => '123', + 'proto' => 'udp', + 'group' => 'someone', + 'user' => 'someone', + 'logfile' => '/var/log/openvpn/test_server.log', + 'status_log' => '/tmp/test_server_status.log', + 'dev' => 'tun1', + 'up' => '/tmp/up', + 'down' => '/tmp/down', + 'local' => '2.3.4.5', + 'ipp' => true, + 'server' => '2.3.4.0 255.255.0.0', + 'server_ipv6' => 'fe80:1337:1337:1337::/64', + 'push' => ['dhcp-option DNS 172.31.0.30', 'route 172.31.0.0 255.255.0.0'], + 'route' => ['192.168.30.0 255.255.255.0', '192.168.35.0 255.255.0.0'], + 'route_ipv6' => ['2001:db8:1234::/64', '2001:db8:abcd::/64'], + 'keepalive' => '10 120', + 'topology' => 'subnet', + 'ssl_key_size' => 2048, + 'management' => true, + 'management_ip' => '1.3.3.7', + 'management_port' => 1337, + 'common_name' => 'mylittlepony', + 'ca_expire' => 365, + 'crl_auto_renew' => true, + 'key_expire' => 365, + 'key_cn' => 'yolo', + 'key_name' => 'burp', + 'key_ou' => 'NSA', + 'verb' => 'mute', + 'cipher' => 'DES-CBC', + 'tls_cipher' => 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA', + 'persist_key' => true, + 'persist_tun' => true, + 'duplicate_cn' => true, + 'tls_auth' => true, + 'tls_server' => true, + 'fragment' => 1412, + 'custom_options' => { 'this' => 'that' }, + 'portshare' => '127.0.0.1 8443', + 'secret' => 'secretsecret1234', + 'remote_cert_tls' => true + } + end + + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+/etc/openvpn/test_server/keys/issued/mylittlepony.crt$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+/etc/openvpn/test_server/keys/private/mylittlepony.key$}) } + it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+/etc/openvpn/test_server/keys/dh.pem$}) } + end + + context 'creating a server in client mode' do + let(:title) { 'test_client' } + let(:nobind) { false } + let(:params) do + { + 'remote' => 
['vpn.example.com 12345'],
+ 'server_poll_timeout' => 1,
+ 'ping_timer_rem' => true,
+ 'tls_auth' => true,
+ 'tls_client' => true,
+ 'nobind' => nobind
+ }
+ end
+
+ it {
+ is_expected.to contain_file('/etc/openvpn/test_client.conf').
+ with_content(%r{^ca /etc/openvpn/test_client/keys/ca.crt$})
+ }
+ it {
+ is_expected.to contain_file('/etc/openvpn/test_client.conf').
+ with_content(%r{^cert /etc/openvpn/test_client/keys/issued/test_client.crt$})
+ }
+ it {
+ is_expected.to contain_file('/etc/openvpn/test_client.conf').
+ with_content(%r{^key /etc/openvpn/test_client/keys/private/test_client.key$})
+ }
+ end
+
+ context 'when using shared ca' do
+ let(:params) do
+ {
+ 'shared_ca' => 'my_already_existing_ca'
+ }
+ end
+ let(:pre_condition) do
+ '
+ openvpn::ca{ "my_already_existing_ca":
+ common_name => "custom_common_name",
+ country => "CO",
+ province => "ST",
+ city => "Some City",
+ organization => "example.org",
+ email => "testemail@example.org"
+ }'
+ end
+
+ it { is_expected.to contain_openvpn__ca('my_already_existing_ca') }
+
+ # Check that certificate files point to the provide CA
+
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^mode\s+server$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^client\-config\-dir\s+\/etc\/openvpn\/test_server\/client\-configs$}) }
+
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ca\s+\/etc\/openvpn\/my_already_existing_ca\/keys\/ca.crt$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+\/etc\/openvpn\/my_already_existing_ca\/keys\/issued/custom_common_name.crt$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+\/etc\/openvpn\/my_already_existing_ca\/keys\/private\/custom_common_name.key$}) }
+ it { is_expected.to
contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+\/etc\/openvpn\/my_already_existing_ca\/keys\/dh.pem$}) }
+ end
+
+ case facts[:os]['family']
+ when 'RedHat'
+ context 'creating a server with the minimum parameters' do
+ let(:params) do
+ {
+ 'country' => 'CO',
+ 'province' => 'ST',
+ 'city' => 'Some City',
+ 'organization' => 'example.org',
+ 'email' => 'testemail@example.org'
+ }
+ end
+
+ # Files associated with a server config
+ it {
+ is_expected.to contain_file('/etc/openvpn/test_server').
+ with(ensure: 'directory', mode: '0750', group: 'nobody')
+ }
+ it {
+ is_expected.to contain_file('/etc/openvpn/test_server/client-configs').
+ with(ensure: 'directory', mode: '0750', recurse: true, group: 'nobody')
+ }
+ it {
+ is_expected.to contain_file('/etc/openvpn/test_server/download-configs').
+ with(ensure: 'directory', mode: '0750', recurse: true, group: 'nobody')
+ }
+ it {
+ is_expected.to contain_file('/etc/openvpn/test_server/auth').
+ with(ensure: 'directory', mode: '0750', recurse: true, group: 'nobody')
+ }
+
+ # VPN server config file itself
+
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^group\s+nobody$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^user\s+nobody$}) }
+ end
+
+ context 'RedHat using an external CA and enabling tls-auth' do
+ let(:params) do
+ {
+ 'tls_auth' => true,
+ 'extca_enabled' => true,
+ 'extca_ca_cert_file' => '/etc/ipa/ca.crt',
+ 'extca_ca_crl_file' => '/etc/ipa/ca_crl.pem',
+ 'extca_server_cert_file' => '/etc/pki/tls/certs/localhost.crt',
+ 'extca_server_key_file' => '/etc/pki/tls/private/localhost.key',
+ 'extca_dh_file' => '/etc/ipa/dh.pem',
+ 'extca_tls_auth_key_file' => '/etc/openvpn/keys/ta.key'
+ }
+ end
+
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ca\s+\/etc\/openvpn\/test_server\/keys\/ca.crt$}) }
+ it { is_expected.not_to
contain_file('/etc/openvpn/test_server.conf').with_content(%r{^crl-verify\s+\/etc\/openvpn\/test_server\/crl.pem$}) }
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+\/etc\/openvpn\/test_server\/keys\/server.crt$}) }
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+\/etc\/openvpn\/test_server\/keys\/server.key$}) }
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+\/etc\/openvpn\/test_server\/keys\/dh2048.pem$}) }
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-auth\s+\/etc\/openvpn\/test_server\/keys\/ta.key$}) }
+
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ca\s+/etc/ipa/ca.crt$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^crl-verify\s+/etc/ipa/ca_crl.pem$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+/etc/pki/tls/certs/localhost.crt$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+/etc/pki/tls/private/localhost.key$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+/etc/ipa/dh.pem$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-auth\s+/etc/openvpn/keys/ta.key$}) }
+ end
+
+ context 'RedHat using an external CA and without tls-auth' do
+ let(:params) do
+ {
+ 'extca_enabled' => true,
+ 'extca_ca_cert_file' => '/etc/ipa/ca.crt',
+ 'extca_ca_crl_file' => '/etc/ipa/ca_crl.pem',
+ 'extca_server_cert_file' => '/etc/pki/tls/certs/localhost.crt',
+ 'extca_server_key_file' => '/etc/pki/tls/private/localhost.key',
+ 'extca_dh_file' => '/etc/ipa/dh.pem',
+ 'extca_tls_auth_key_file' => '/etc/openvpn/keys/ta.key'
+ }
+ end
+
+ it { is_expected.not_to
contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ca\s+/etc/openvpn/test_server/keys}) }
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^crl-verify\s+/etc/openvpn/test_server}) }
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+/etc/openvpn/test_server/keys}) }
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+/etc/openvpn/test_server/keys}) }
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+/etc/openvpn/test_server/keys}) }
+ it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-auth}) }
+
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ca\s+/etc/ipa/ca.crt$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^crl-verify\s+/etc/ipa/ca_crl.pem$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^cert\s+/etc/pki/tls/certs/localhost.crt$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^key\s+/etc/pki/tls/private/localhost.key$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^dh\s+/etc/ipa/dh.pem$}) }
+ end
+
+ context 'when RedHat based machine with different pam_module_arguments and crl_verify disabled' do
+ let(:params) do
+ {
+ 'country' => 'CO',
+ 'province' => 'ST',
+ 'city' => 'Some City',
+ 'organization' => 'example.org',
+ 'email' => 'testemail@example.org',
+ 'pam' => true,
+ 'pam_module_arguments' => 'openvpn login USERNAME password PASSWORD',
+ 'crl_verify' => false
+ }
+ end
+
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so "openvpn login USERNAME password PASSWORD"$}) }
+ it { is_expected.not_to
contain_file('/etc/openvpn/test_server.conf').with_content(%r{^crl-verify}) }
+ end
+
+ context 'when RedHat based machine' do
+ let(:params) do
+ {
+ 'country' => 'CO',
+ 'province' => 'ST',
+ 'city' => 'Some City',
+ 'organization' => 'example.org',
+ 'email' => 'testemail@example.org',
+ 'pam' => true
+ }
+ end
+
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^group\s+nobody$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so "?login"?$}) }
+ end
+ end
+ end
 end
 end
 end