Skip to content

Commit

Permalink
Handle more unknown password errors
Browse files Browse the repository at this point in the history
When using keytool on a truststore the error is different than on a
keystore.

Fixes: 6fea0bb ("Support changing passwords on keystores & truststores")
  • Loading branch information
ekohl committed Oct 5, 2023
1 parent cd5c4ca commit b0451d1
Show file tree
Hide file tree
Showing 2 changed files with 112 additions and 2 deletions.
2 changes: 1 addition & 1 deletion lib/puppet_x/certs/provider/keystore.rb
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ def exists?
'-storepass:file', resource[:password_file],
)
rescue Puppet::ExecutionFailure => e
if e.message.include?('java.security.UnrecoverableKeyException')
if e.message.include?('java.security.UnrecoverableKeyException') || e.message.include?('keystore password was incorrect')
Puppet.debug("Invalid password for #{store}")
return false
else
Expand Down
112 changes: 111 additions & 1 deletion spec/acceptance/truststore_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@
it { should be_grouped_into 'root' }
end

describe command("keytool -list -keystore #{truststore_path} -storepass:file #{truststore_password_file}") do
describe command("keytool -list -keystore #{truststore_path} -storepass testpassword") do
its(:exit_status) { should eq 0 }
its(:stdout) { should match(/^Keystore type: PKCS12$/i) }
its(:stdout) { should match(/^Your keystore contains 0 entries$/) }
Expand Down Expand Up @@ -87,5 +87,115 @@
its(:stdout) { should match(/^Owner: CN=#{host_inventory['fqdn']}$/) }
its(:stdout) { should match(/^Issuer: CN=#{host_inventory['fqdn']}$/) }
end

describe 'changing password' do
describe 'apply puppet' do
let(:manifest) do
<<-PUPPET
$truststore_password_file = '/etc/pki/truststore_password-file'
package { 'java-11-openjdk-headless':
ensure => installed,
}
file { $truststore_password_file:
ensure => file,
content => 'other-password',
owner => 'root',
group => 'root',
mode => '0440',
show_diff => false,
}
truststore { "/etc/pki/truststore":
ensure => present,
password_file => $truststore_password_file,
owner => 'root',
group => 'root',
mode => '0640',
}
PUPPET
end

it 'applies changes with no errors' do
apply_manifest_on(default, manifest, expect_changes: true)
end

it 'applies a second time without changes' do
apply_manifest_on(default, manifest, catch_changes: true)
end
end

describe command("keytool -list -keystore #{truststore_path} -storepass other-password") do
its(:exit_status) { should eq 0 }
its(:stdout) { should match(/^Keystore type: PKCS12$/i) }
its(:stdout) { should match(/^Your keystore contains 0 entries$/) }
end
end

describe 'noop' do
describe 'change password file' do
let(:manifest) do
<<-PUPPET
file { '/etc/pki/truststore_password-file':
ensure => file,
content => 'wrong-password',
owner => 'root',
group => 'root',
mode => '0440',
show_diff => false,
}
PUPPET
end

it 'applies changes with no errors' do
apply_manifest_on(default, manifest, catch_failures: true)
end
end

describe 'run in noop mode with wrong password' do
let(:manifest) do
<<-PUPPET
$truststore_password_file = '/etc/pki/truststore_password-file'
package { 'java-11-openjdk-headless':
ensure => installed,
}
file { $truststore_password_file:
ensure => file,
content => 'other-password',
owner => 'root',
group => 'root',
mode => '0440',
show_diff => false,
}
truststore { "/etc/pki/truststore":
ensure => present,
password_file => $truststore_password_file,
owner => 'root',
group => 'root',
mode => '0640',
}
PUPPET
end

it 'applies changes with no errors' do
apply_manifest_on(default, manifest, noop: true)
end
end

describe file(truststore_path) do
it { is_expected.to be_file }
end

# Should still be readable with the old password
describe command("keytool -list -keystore #{truststore_path} -storepass other-password") do
its(:exit_status) { should eq 0 }
its(:stdout) { should match(/^Keystore type: PKCS12$/i) }
its(:stdout) { should match(/^Your keystore contains 0 entries$/) }
end
end
end
end

0 comments on commit b0451d1

Please sign in to comment.