Revoke command missing on easy-rsa 3.0 #331

[jasonsattler]

#331

This block of code works for me.

 each($revoked) |$name| {
    exec { "revoke certificate for ${name} in context of ${server}":
      command  => ". ./vars && echo yes | ./easyrsa revoke ${name} 2>&1 | grep -E 'Already revoked|was successful|not a valid certificate' && ./easyrsa gen-crl && /bin/cp -f keys/crl.pem ../crl.pem && touch revoked/${name}",
      cwd      => "/etc/openvpn/${server}/easy-rsa",
      creates  => "/etc/openvpn/${server}/easy-rsa/revoked/${name}",
      provider => 'shell',
      notify   => Service["openvpn@${server}"]
    }
  }

Pull Request (PR) description

This Pull Request (PR) fixes the following issues

[Dan33l]

Thank you @jasonsattler for this PR. I added an inline comment.

Are you able to update acceptance tests by revoking certificate of the client produced by tests ?

[jasonsattler]

New to ruby. Also still setting up my env. I am little stuck on how to add the notify to the tests. Any help or direction would be great. Commented it out of the puppet manifest for now.

[jasonsattler]

Found that I had the wrong name in the notify.

[Dan33l]

First step acceptance are here https://github.com/voxpupuli/puppet-openvpn/blob/master/spec/acceptance/openvpn_spec.rb.

Second step what is the puppet code used to revoke a client certificate ?
Here is the client defined during the tests : https://github.com/voxpupuli/puppet-openvpn/blob/master/spec/acceptance/openvpn_spec.rb#L53

3rd step is to run this code two times like here https://github.com/voxpupuli/puppet-openvpn/blob/master/spec/acceptance/openvpn_spec.rb#L60

4rd check the result

If you want to try you can join slack or IRC for asking questions on #voxpupuli
Or gives the puppet code of 2sd step and i'll code acceptance test.

[jasonsattler]

Thank you for the direction. I will try to find some time today to look at that. Last night was able to get the notify back in and get the following test to work.

bundle exec rake spec SPEC=spec/defines/openvpn_revoke_spec.rb

Looks like this one is failing. Which I have not had time to look at yet.

bundle exec rake spec SPEC=spec/classes/openvpn_init_spec.rb

output:

 1) openvpn on archlinux-4-x86_64 should compile into a catalogue without dependency cycles
     Failure/Error: it { is_expected.to compile.with_all_deps }
     
       dependency cycles found: (Concat_file[/etc/openvpn/uster/download-configs/uster-client2.ovpn] => Concat[/etc/openvpn/uster/download-configs/uster-client2.ovpn] => Openvpn::Client[uster-client2] => Openvpn::Revoke[uster-client2] => Exec[revoke certificate for uster-client2 in context of uster] => Service[openvpn@uster] => Openvpn::Server[uster] => Openvpn::Revoke[uster-client2])
       ; (Concat_file[/etc/openvpn/winterthur/download-configs/winti-client2.ovpn] => Concat[/etc/openvpn/winterthur/download-configs/winti-client2.ovpn] => Openvpn::Client[winti-client2] => Openvpn::Revoke[winti-client2] => Exec[revoke certificate for winti-client2 in context of winterthur] => Service[openvpn@winterthur] => Openvpn::Server[winterthur] => Openvpn::Revoke[winti-client2])
     # ./spec/classes/openvpn_init_spec.rb:8:in `block (4 levels) in <top (required)>'

[bastelfreak]

A bit annoying that this is so ugly to automate :(

[jasonsattler]

I agree 100%!!!!!! I was not very happy to find that.

[Dan33l]

this is why acceptance tests are mandatory IMO. This will permit to check if it is not too much fragile.

[matschundbrei]

May I ask, why you are using 'echo yes' instead of the --batch switch on easyrsa?

I just hacked together a 'revoke-full' temp fix and found this to be simpler.
./easyrsa --batch revoke ${name}

Cheers,
Jan

[jasonsattler]

No reason, just missed that flag.

[Dan33l]

hum ... it looks that we have an other PR about same topic #338

[jasonsattler]

Sorry I have not gotten back to this. Been busy rolling a new service out to production. If the other PR has test feel free to close this one.

[Dan33l]

So i close this PR.
Thank you guys.