From 80c1919826489edc99e1b59f1bcefbf41f797d39 Mon Sep 17 00:00:00 2001 From: markuszilch Date: Mon, 20 Feb 2023 23:51:16 +0100 Subject: [PATCH 01/12] added ca parameter to type and provider --- lib/puppet/provider/x509_cert/openssl.rb | 1 + lib/puppet/type/x509_cert.rb | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb index 1bf3f8c5..181e0b05 100644 --- a/lib/puppet/provider/x509_cert/openssl.rb +++ b/lib/puppet/provider/x509_cert/openssl.rb @@ -77,6 +77,7 @@ def create ] options << ['-passin', "pass:#{resource[:password]}"] if resource[:password] options << ['-extensions', 'req_ext'] if resource[:req_ext] != :false + options << ['-CA', 'ca'] if resource[:ca] openssl options end diff --git a/lib/puppet/type/x509_cert.rb b/lib/puppet/type/x509_cert.rb index 32bb216c..099a7967 100644 --- a/lib/puppet/type/x509_cert.rb +++ b/lib/puppet/type/x509_cert.rb @@ -66,6 +66,10 @@ defaultto :rsa end + newparam(:ca) do + desc 'The optional ca certificate filepath' + end + autorequire(:file) do self[:template] end From dd0245cec9c998833d56c66caf067d4af8cfcf27 Mon Sep 17 00:00:00 2001 From: markuszilch Date: Tue, 21 Feb 2023 00:02:05 +0100 Subject: [PATCH 02/12] added cakey to type and provider of x509 cert --- lib/puppet/provider/x509_cert/openssl.rb | 1 + lib/puppet/type/x509_cert.rb | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb index 181e0b05..7c3de21f 100644 --- a/lib/puppet/provider/x509_cert/openssl.rb +++ b/lib/puppet/provider/x509_cert/openssl.rb @@ -78,6 +78,7 @@ def create options << ['-passin', "pass:#{resource[:password]}"] if resource[:password] options << ['-extensions', 'req_ext'] if resource[:req_ext] != :false options << ['-CA', 'ca'] if resource[:ca] + options << ['-CAkey', 'cakey'] if resource [:cakey] openssl options end 
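Review bot: The new `newparam(:ca)` in `lib/puppet/type/x509_cert.rb` accepts any value and is not added to the `autorequire(:file)` block directly below it, which still lists only `self[:template]`, so a `File` resource managing the CA certificate is not guaranteed to be applied before the certificate is created. I would extend it to `autorequire(:file) do [self[:template], self[:ca]].compact end` and give the parameter the same absolute-path `validate` block the other path parameters of this type carry. In the provider hunk of the same commit, `['-CA', 'ca']` passes the literal string `ca` instead of `resource[:ca]`; PATCH 06 in this series corrects that, so no separate fix is needed here.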
diff --git a/lib/puppet/type/x509_cert.rb b/lib/puppet/type/x509_cert.rb index 099a7967..f8d3f34a 100644 --- a/lib/puppet/type/x509_cert.rb +++ b/lib/puppet/type/x509_cert.rb @@ -69,6 +69,10 @@ newparam(:ca) do desc 'The optional ca certificate filepath' end + + newparam(:cakey) do + desc 'The optional ca private key filepath' + end autorequire(:file) do self[:template] From a8cccf68c5ab9d6ac7d941bfcab5dc3ffd95d3af Mon Sep 17 00:00:00 2001 From: markuszilch Date: Tue, 21 Feb 2023 00:05:34 +0100 Subject: [PATCH 03/12] added ca and cakey parameter --- manifests/certificate/x509.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/manifests/certificate/x509.pp b/manifests/certificate/x509.pp index 82ef2978..97166c4c 100644 --- a/manifests/certificate/x509.pp +++ b/manifests/certificate/x509.pp @@ -89,6 +89,12 @@ # specifying the -nodes option during the CSR generation. Turning # off encryption is needed by some applications, such as OpenLDAP. # Defaults to true (key is encrypted) +# @param ca +# Path to CA certificate for signing. Undef means no CA will be +# provided for signing the certificate. +# @param cakey +# Path to CA private key for signing. Undef mean no CAkey will be +# provided. # # @example basic usage # @@ -142,6 +148,8 @@ Boolean $force = true, String $cnf_tpl = 'openssl/cert.cnf.erb', Boolean $encrypted = true, + Optional[Stdlib::Absolutepath] $ca = undef, + Optional[Stdlib::Absolutepath] $cakey = undef, ) { $_key_owner = pick($key_owner, $owner) $_key_group = pick($key_group, $group) @@ -182,6 +190,8 @@ req_ext => $req_ext, force => $force, require => File[$_cnf], + ca => $ca, + cakey => $cakey, } x509_request { $_csr: From 2408ab4a0f496f5137a453cf9473a36e85d18910 Mon Sep 17 00:00:00 2001 
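Review bot: In the parameter hunk of `manifests/certificate/x509.pp`, `$cakey` is accepted independently of `$ca`, but a CA key without a CA certificate cannot be used for signing; I would either fail early with `if $cakey and !$ca { fail('cakey requires ca to be set') }` or state in the `@param cakey` text that it is only honoured together with `ca`. The same text has a typo: `Undef mean no CAkey will be` should read `Undef means no CA key will be`. Both values are passed straight into `x509_cert`, which at this point in the series still runs `openssl req -new -x509`; as far as I can tell the `req` subcommand of the OpenSSL releases current in early 2023 does not take `-CA`/`-CAkey`, so the feature only becomes functional once PATCH 07 switches the provider to `openssl x509 -req`.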
From: markuszilch Date: Tue, 21 Feb 2023 00:26:49 +0100 Subject: [PATCH 04/12] updated reference.md to include ca nad cakey parameter for x509_cert and openssl::certificate::x509 --- REFERENCE.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/REFERENCE.md b/REFERENCE.md index d7a340ef..aafb67e6 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -368,6 +368,8 @@ The following parameters are available in the `openssl::certificate::x509` defin * [`csr`](#-openssl--certificate--x509--csr) * [`key`](#-openssl--certificate--x509--key) * [`encrypted`](#-openssl--certificate--x509--encrypted) +* [`ca`](#-openssl--certificate--x509--ca) +* [`cakey`](#-openssl--certificate--x509--cakey) ##### `ensure` @@ -631,6 +633,24 @@ Defaults to true (key is encrypted) Default value: `true` +##### `ca` + +Data type: `Optional[Stdlib::Absolutepath]` + +Path to CA certificate for signing. Undef means no CA will be +provided for signing the certificate. + +Default value: `undef` + +##### `cakey` + +Data type: `Optional[Stdlib::Absolutepath]` + +Path to CA private key for signing. Undef mean no CAkey will be +provided. + +Default value: `undef` + ### `openssl::config` Generates an openssl.conf file using defaults @@ -1233,6 +1253,8 @@ Default value: `present` The following parameters are available in the `x509_cert` type. * [`authentication`](#-x509_cert--authentication) +* [`ca`](#-x509_cert--ca) +* [`cakey`](#-x509_cert--cakey) * [`days`](#-x509_cert--days) * [`force`](#-x509_cert--force) * [`password`](#-x509_cert--password) @@ -1250,6 +1272,14 @@ The authentication algorithm: 'rsa', 'dsa or ec' Default value: `rsa` +##### `ca` + +The optional ca certificate filepath + +##### `cakey` + +The optional ca private key filepath + ##### `days` Valid values: `%r{\d+}` From 42c58a2b085edad22cc792404d2906d45c3320b2 Mon Sep 17 00:00:00 2001 
From: markuszilch Date: Wed, 22 Feb 2023 15:47:53 +0100 Subject: [PATCH 05/12] corrected whitespace --- lib/puppet/type/x509_cert.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/puppet/type/x509_cert.rb b/lib/puppet/type/x509_cert.rb index f8d3f34a..5cdb4fc9 100644 --- a/lib/puppet/type/x509_cert.rb +++ b/lib/puppet/type/x509_cert.rb @@ -69,7 +69,7 @@ newparam(:ca) do desc 'The optional ca certificate filepath' end - + newparam(:cakey) do desc 'The optional ca private key filepath' end From a8db849aa80ec942e22b5b1440624ffe3c0a2930 Mon Sep 17 00:00:00 2001 From: markuszilch Date: Wed, 22 Feb 2023 15:54:05 +0100 Subject: [PATCH 06/12] corrected parameter propagation to openssl comand for ca and cakey --- lib/puppet/provider/x509_cert/openssl.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb index 7c3de21f..68d0b792 100644 --- a/lib/puppet/provider/x509_cert/openssl.rb +++ b/lib/puppet/provider/x509_cert/openssl.rb @@ -77,8 +77,8 @@ def create ] options << ['-passin', "pass:#{resource[:password]}"] if resource[:password] options << ['-extensions', 'req_ext'] if resource[:req_ext] != :false - options << ['-CA', 'ca'] if resource[:ca] - options << ['-CAkey', 'cakey'] if resource [:cakey] + options << ['-CA', resource[:ca]] if resource[:ca] + options << ['-CAkey', resource[:cakey]] if resource[:cakey] openssl options end From 59cce7c661a5f893b0c50d7eaae94806b3b08e70 Mon Sep 17 00:00:00 2001 From: markuszilch Date: Sun, 26 Feb 2023 20:00:37 +0100 Subject: [PATCH 07/12] changed openssl command to use x509 instead of req -new x509 --- REFERENCE.md | 5 ++++ lib/puppet/provider/x509_cert/openssl.rb | 30 ++++++++++++++++-------- lib/puppet/type/x509_cert.rb | 12 ++++++++++ 3 files changed, 37 insertions(+), 10 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index aafb67e6..5c4cfa5e 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -1255,6 +1255,7 @@ The following parameters are available in the `x509_cert` type. * [`authentication`](#-x509_cert--authentication) * [`ca`](#-x509_cert--ca) * [`cakey`](#-x509_cert--cakey) +* [`csr`](#-x509_cert--csr) * [`days`](#-x509_cert--days) * [`force`](#-x509_cert--force) * [`password`](#-x509_cert--password) @@ -1280,6 +1281,10 @@ The optional ca certificate filepath The optional ca private key filepath +##### `csr` + +The path to the certificate signing request + ##### `days` Valid values: `%r{\d+}` diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb index 68d0b792..6823ae11 100644 --- a/lib/puppet/provider/x509_cert/openssl.rb +++ b/lib/puppet/provider/x509_cert/openssl.rb @@ -67,19 +67,29 @@ def exists? end def create - options = [ - 'req', - '-config', resource[:template], - '-new', '-x509', + # reqoptions = [ + # 'req', + # '-config', resource[:template], + # '-new', '-x509', + # '-days', resource[:days], + # '-key', resource[:private_key], + # '-out', resource[:path] + # ] + # reqoptions << ['-passin', "pass:#{resource[:password]}"] if resource[:password] + # reqoptions << ['-extensions', 'req_ext'] if resource[:req_ext] != :false + # openssl reqoptions + + certoptions = [ + 'x509', + '-req', + '-CAcreateserial', '-days', resource[:days], - '-key', resource[:private_key], + '-in', resource[:csr], '-out', resource[:path] ] - options << ['-passin', "pass:#{resource[:password]}"] if resource[:password] - options << ['-extensions', 'req_ext'] if resource[:req_ext] != :false - options << ['-CA', resource[:ca]] if resource[:ca] - options << ['-CAkey', resource[:cakey]] if resource[:cakey] - openssl options + certoptions << ['-CA', resource[:ca]] if resource[:ca] + certoptions << ['-CAkey', resource[:cakey]] if resource[:cakey] + openssl certoptions end def destroy diff --git a/lib/puppet/type/x509_cert.rb b/lib/puppet/type/x509_cert.rb index 5cdb4fc9..9f695b00 100644 --- a/lib/puppet/type/x509_cert.rb 
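Review bot: The rewritten `create` runs `openssl x509 -req -in <csr> -out <path>` with `-CA`/`-CAkey` only when `ca` is set and has no `-signkey` fallback, so with `ca` unset the command has nothing to sign with and, as far as I can tell, `openssl x509` refuses to run; since the `csr` parameter added in the type hunk of this commit gets a default value, every existing resource now takes this path. The `if resource[:csr]` branch of PATCH 12 keeps this shape: `csr` set with `ca` unset still produces the same command without a signing key. I would either append `options << ['-signkey', resource[:private_key]] unless resource[:ca]` in the `x509 -req` branch or reject that combination in the type. Separately, this commit drops `-passin` and `-extensions` and leaves the old `req` invocation as a commented-out block; PATCH 09 restores the two options and removes the comment block.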
+++ b/lib/puppet/type/x509_cert.rb @@ -26,6 +26,18 @@ end end + newparam(:csr) do + desc 'The path to the certificate signing request' + defaultto do + path = Pathname.new(@resource[:path]) + "#{path.dirname}/#{path.basename(path.extname)}.csr" + end + validate do |value| + path = Pathname.new(value) + raise ArgumentError, "Path must be absolute: #{path}" unless path.absolute? + end + end + newparam(:days) do desc 'The validity of the certificate' newvalues(%r{\d+}) From fbe4f6c410cd07c5071097e0b6331c7c506f39ee Mon Sep 17 00:00:00 2001 From: markuszilch Date: Mon, 27 Feb 2023 00:06:48 +0100 Subject: [PATCH 08/12] added condition to only include CA parameters when CA file is specified --- lib/puppet/provider/x509_cert/openssl.rb | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb index 6823ae11..34be2b0e 100644 --- a/lib/puppet/provider/x509_cert/openssl.rb +++ b/lib/puppet/provider/x509_cert/openssl.rb @@ -82,13 +82,15 @@ def create certoptions = [ 'x509', '-req', - '-CAcreateserial', '-days', resource[:days], '-in', resource[:csr], '-out', resource[:path] ] - certoptions << ['-CA', resource[:ca]] if resource[:ca] - certoptions << ['-CAkey', resource[:cakey]] if resource[:cakey] + if resource[:ca] + certoptions << ['CAcreateserial'] + certoptions << ['-CA', resource[:ca]] + certoptions << ['-CAkey', resource[:cakey]] + end openssl certoptions end From 5d2369088839f58301aa4428cb6b48582af6b263 Mon Sep 17 00:00:00 2001 
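Review bot: In the `if resource[:ca]` block of PATCH 08, `certoptions << ['CAcreateserial']` is missing the leading dash, so OpenSSL would see a positional argument rather than the `-CAcreateserial` flag (PATCH 09 corrects the spelling). `-CAkey` is appended unconditionally in the same block, so a resource with `ca` but no `cakey` produces `['-CAkey', nil]`; the flag is optional in `openssl x509`, which otherwise looks for the key in the CA certificate file, so the line should be `certoptions << ['-CAkey', resource[:cakey]] if resource[:cakey]`. The same unconditional append survives into the PATCH 10 and PATCH 12 hunks of this file.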
From: markuszilch Date: Wed, 1 Mar 2023 18:32:27 +0100 Subject: [PATCH 09/12] readded extension and passin arguments, some codecleanup of intermidiate comments and removal of unused private key parameter for x509_cert type --- REFERENCE.md | 5 ---- lib/puppet/provider/x509_cert/openssl.rb | 24 ++++++------------- lib/puppet/type/x509_cert.rb | 12 ---------- .../puppet/provider/x509_cert/openssl_spec.rb | 10 ++++---- 4 files changed, 13 insertions(+), 38 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 5c4cfa5e..28fd9f11 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -1260,7 +1260,6 @@ The following parameters are available in the `x509_cert` type. * [`force`](#-x509_cert--force) * [`password`](#-x509_cert--password) * [`path`](#-x509_cert--path) -* [`private_key`](#-x509_cert--private_key) * [`provider`](#-x509_cert--provider) * [`req_ext`](#-x509_cert--req_ext) * [`template`](#-x509_cert--template) @@ -1309,10 +1308,6 @@ The optional password for the private key The path to the certificate -##### `private_key` - -The path to the private key - ##### `provider` The specific backend to use for this `x509_cert` resource. You will seldom need to specify this --- Puppet will usually diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb index 34be2b0e..2bfd8dad 100644 --- a/lib/puppet/provider/x509_cert/openssl.rb +++ b/lib/puppet/provider/x509_cert/openssl.rb @@ -67,19 +67,7 @@ def exists? end def create - # reqoptions = [ - # 'req', - # '-config', resource[:template], - # '-new', '-x509', - # '-days', resource[:days], - # '-key', resource[:private_key], - # '-out', resource[:path] - # ] - # reqoptions << ['-passin', "pass:#{resource[:password]}"] if resource[:password] - # reqoptions << ['-extensions', 'req_ext'] if resource[:req_ext] != :false - # openssl reqoptions - - certoptions = [ + options = [ 'x509', '-req', '-days', resource[:days], 
@@ -87,11 +75,13 @@ def create '-out', resource[:path] ] if resource[:ca] - certoptions << ['CAcreateserial'] - certoptions << ['-CA', resource[:ca]] - certoptions << ['-CAkey', resource[:cakey]] + options << ['-CAcreateserial'] + options << ['-CA', resource[:ca]] + options << ['-CAkey', resource[:cakey]] end - openssl certoptions + options << ['-passin', "pass:#{resource[:password]}"] if resource[:password] + options << ['-extensions', 'req_ext'] if resource[:req_ext] != :false + openssl options end def destroy diff --git a/lib/puppet/type/x509_cert.rb b/lib/puppet/type/x509_cert.rb index 9f695b00..e200b1ed 100644 --- a/lib/puppet/type/x509_cert.rb +++ b/lib/puppet/type/x509_cert.rb @@ -14,18 +14,6 @@ end end - newparam(:private_key) do - desc 'The path to the private key' - defaultto do - path = Pathname.new(@resource[:path]) - "#{path.dirname}/#{path.basename(path.extname)}.key" - end - validate do |value| - path = Pathname.new(value) - raise ArgumentError, "Path must be absolute: #{path}" unless path.absolute? - end - end - newparam(:csr) do desc 'The path to the certificate signing request' defaultto do diff --git a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb index 40fd8585..c2464cf5 100644 --- a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb +++ b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb @@ -27,9 +27,10 @@ it 'creates a certificate with the proper options' do expect(provider_class).to receive(:openssl).with([ - 'req', '-config', '/tmp/foo.cnf', '-new', '-x509', + 'x509', + '-req', '-days', 3650, - '-key', '/tmp/foo.key', + '-in', '/tmp/foo.csr', '-out', '/tmp/foo.crt', ['-extensions', 'req_ext'] ]) 
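Review bot: In the second provider hunk, `-passin "pass:#{resource[:password]}"` is now appended to the `openssl x509 -req` command, where it unlocks the `-CAkey` file, while the type's `password` parameter is documented in the REFERENCE hunk above as `The optional password for the private key`, i.e. the passphrase of the certificate's own key; one parameter now carries two different secrets depending on which branch runs. I would either add a dedicated `cakey_password` parameter or state in the `password` description that it is also applied to `cakey` when `ca` is set. The type hunk removes `private_key`, which existing manifests set; PATCH 10 reinstates it. The provider hunk at the end of PATCH 12 keeps the shared `-passin` handling.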
@@ -40,9 +41,10 @@ it 'creates a certificate with the proper options' do resource[:password] = '2x6${' expect(provider_class).to receive(:openssl).with([ - 'req', '-config', '/tmp/foo.cnf', '-new', '-x509', + 'x509', + '-req', '-days', 3650, - '-key', '/tmp/foo.key', + '-in', '/tmp/foo.csr', '-out', '/tmp/foo.crt', ['-passin', 'pass:2x6${'], ['-extensions', 'req_ext'] From 4d28149a7f80e63ab247cda4f081d0383398df75 Mon Sep 17 00:00:00 2001 From: markuszilch Date: Fri, 10 Mar 2023 23:05:19 +0100 Subject: [PATCH 10/12] add backwards compatible CA signing, restore previous testcases and add new tests --- lib/puppet/provider/x509_cert/openssl.rb | 42 ++++++++++++------- lib/puppet/type/x509_cert.rb | 10 +++-- manifests/certificate/x509.pp | 1 + .../puppet/provider/x509_cert/openssl_spec.rb | 36 +++++++++++++--- spec/unit/puppet/type/x509_cert_spec.rb | 5 +++ 5 files changed, 71 insertions(+), 23 deletions(-) diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb index 2bfd8dad..908a8a55 100644 --- a/lib/puppet/provider/x509_cert/openssl.rb +++ b/lib/puppet/provider/x509_cert/openssl.rb 
@@ -67,21 +67,35 @@ def exists? end def create - options = [ - 'x509', - '-req', - '-days', resource[:days], - '-in', resource[:csr], - '-out', resource[:path] - ] - if resource[:ca] - options << ['-CAcreateserial'] - options << ['-CA', resource[:ca]] - options << ['-CAkey', resource[:cakey]] + unless resource[:csr] + options = [ + 'req', + '-config', resource[:template], + '-new', '-x509', + '-days', resource[:days], + '-key', resource[:private_key], + '-out', resource[:path] + ] + options << ['-passin', "pass:#{resource[:password]}"] if resource[:password] + options << ['-extensions', 'req_ext'] if resource[:req_ext] != :false + openssl options + else + options = [ + 'x509', + '-req', + '-days', resource[:days], + '-in', resource[:csr], + '-out', resource[:path] + ] + if resource[:ca] + options << ['-CAcreateserial'] + options << ['-CA', resource[:ca]] + options << ['-CAkey', resource[:cakey]] + end + options << ['-passin', "pass:#{resource[:password]}"] if resource[:password] + options << ['-extensions', 'req_ext'] if resource[:req_ext] != :false + openssl options end - options << ['-passin', "pass:#{resource[:password]}"] if resource[:password] - options << ['-extensions', 'req_ext'] if resource[:req_ext] != :false - openssl options end def destroy diff --git a/lib/puppet/type/x509_cert.rb b/lib/puppet/type/x509_cert.rb index e200b1ed..0edbffc3 100644 --- a/lib/puppet/type/x509_cert.rb +++ b/lib/puppet/type/x509_cert.rb @@ -14,11 +14,11 @@ end end - newparam(:csr) do - desc 'The path to the certificate signing request' + newparam(:private_key) do + desc 'The path to the private key' defaultto do path = Pathname.new(@resource[:path]) - "#{path.dirname}/#{path.basename(path.extname)}.csr" + "#{path.dirname}/#{path.basename(path.extname)}.key" end validate do |value| path = Pathname.new(value) 
@@ -66,6 +66,10 @@ defaultto :rsa end + newparam(:csr) do + desc 'The optional certificate signing request path' + end + newparam(:ca) do desc 'The optional ca certificate filepath' end diff --git a/manifests/certificate/x509.pp b/manifests/certificate/x509.pp index 97166c4c..44b5d276 100644 --- a/manifests/certificate/x509.pp +++ b/manifests/certificate/x509.pp @@ -192,6 +192,7 @@ require => File[$_cnf], ca => $ca, cakey => $cakey, + csr => $csr, } x509_request { $_csr: diff --git a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb index c2464cf5..fc264daf 100644 --- a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb +++ b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb @@ -27,10 +27,12 @@ it 'creates a certificate with the proper options' do expect(provider_class).to receive(:openssl).with([ - 'x509', - '-req', + 'req', + '-config', '/tmp/foo.cnf', + '-new', + '-x509', '-days', 3650, - '-in', '/tmp/foo.csr', + '-key', '/tmp/foo.key', '-out', '/tmp/foo.crt', ['-extensions', 'req_ext'] ]) @@ -41,10 +43,12 @@ it 'creates a certificate with the proper options' do resource[:password] = '2x6${' expect(provider_class).to receive(:openssl).with([ - 'x509', - '-req', + 'req', + '-config', '/tmp/foo.cnf', + '-new', + '-x509', '-days', 3650, - '-in', '/tmp/foo.csr', + '-key', '/tmp/foo.key', '-out', '/tmp/foo.crt', ['-passin', 'pass:2x6${'], ['-extensions', 'req_ext'] 
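Review bot: The relocated `newparam(:csr)` in `lib/puppet/type/x509_cert.rb` no longer has the absolute-path `validate` block that the `private_key` parameter, restored by the same commit, still carries, and the CSR file is not autorequired even though the provider hands the value straight to `openssl x509 -req -in`. I would add `validate do |value| raise ArgumentError, "Path must be absolute: #{value}" unless Pathname.new(value).absolute? end` and include `self[:csr]`, `self[:ca]` and `self[:cakey]` in the type's `autorequire(:file)` list, which lies outside this hunk.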
@@ -54,6 +58,26 @@ end end + context 'when using a CA for signing' do + it 'creates a certificate with the proper options' do + resource[:csr] = '/tmp/foo.csr' + resource[:ca] = '/tmp/foo-ca.crt' + resource[:cakey] = '/tmp/foo-ca.key' + expect(provider_class).to receive(:openssl).with([ + 'x509', + '-req', + '-days', 3650, + '-in', '/tmp/foo.csr', + '-out', '/tmp/foo.crt', + ["-CAcreateserial"], + ["-CA", "/tmp/foo-ca.crt"], + ["-CAkey", "/tmp/foo-ca.key"], + ['-extensions', 'req_ext'] + ]) + resource.provider.create + end + end + context 'when forcing key' do it 'exists? should return true if certificate exists and is synced' do resource[:force] = true diff --git a/spec/unit/puppet/type/x509_cert_spec.rb b/spec/unit/puppet/type/x509_cert_spec.rb index ad484a0f..649e3353 100644 --- a/spec/unit/puppet/type/x509_cert_spec.rb +++ b/spec/unit/puppet/type/x509_cert_spec.rb @@ -79,4 +79,9 @@ resource[:authentication] = :foo end.to raise_error(Puppet::Error, %r{Invalid value :foo}) end + + it 'accepts a valid csr parameter' do + resource[:csr] = '/tmp/foo.csr' + expect(resource[:csr]).to eq('/tmp/foo.csr') + end end From 84e659f07f65b0a449306e0b0a51c4a4c9b2a688 Mon Sep 17 00:00:00 2001 From: markuszilch Date: Fri, 10 Mar 2023 23:07:22 +0100 Subject: [PATCH 11/12] reference autogenerate --- REFERENCE.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/REFERENCE.md b/REFERENCE.md index 28fd9f11..8dcb94a6 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -1260,6 +1260,7 @@ The following parameters are available in the `x509_cert` type. * [`force`](#-x509_cert--force) * [`password`](#-x509_cert--password) * [`path`](#-x509_cert--path) +* [`private_key`](#-x509_cert--private_key) * [`provider`](#-x509_cert--provider) * [`req_ext`](#-x509_cert--req_ext) * [`template`](#-x509_cert--template) 
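Review bot: The new `when using a CA for signing` example in `openssl_spec.rb` only covers `csr`, `ca` and `cakey` all set; there is no example for `csr` set with `ca` unset, or `ca` set with `cakey` unset, which are the two combinations where the provider builds an `openssl x509 -req` command without a signing key or with `['-CAkey', nil]`. I would add one example per combination, e.g. setting only `resource[:csr] = '/tmp/foo.csr'` and asserting the intended command or error. The expected array also pins `['-extensions', 'req_ext']` without an `-extfile` for the `x509 -req` path, which locks in the provider's current behaviour rather than a verified one.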
@@ -1282,7 +1283,7 @@ The optional ca private key filepath ##### `csr` -The path to the certificate signing request +The optional certificate signing request path ##### `days` @@ -1308,6 +1309,10 @@ The optional password for the private key The path to the certificate +##### `private_key` + +The path to the private key + ##### `provider` The specific backend to use for this `x509_cert` resource. You will seldom need to specify this --- Puppet will usually From cc6240ebc29a7c21282a236a550e263f5c30a624 Mon Sep 17 00:00:00 2001 From: markuszilch Date: Fri, 10 Mar 2023 23:11:10 +0100 Subject: [PATCH 12/12] rubocop violations fixed --- lib/puppet/provider/x509_cert/openssl.rb | 29 +++++++++---------- .../puppet/provider/x509_cert/openssl_spec.rb | 6 ++-- 2 files changed, 16 insertions(+), 19 deletions(-) diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb index 908a8a55..f1c40f16 100644 --- a/lib/puppet/provider/x509_cert/openssl.rb +++ b/lib/puppet/provider/x509_cert/openssl.rb @@ -67,19 +67,7 @@ def exists? end def create - unless resource[:csr] - options = [ - 'req', - '-config', resource[:template], - '-new', '-x509', - '-days', resource[:days], - '-key', resource[:private_key], - '-out', resource[:path] - ] - options << ['-passin', "pass:#{resource[:password]}"] if resource[:password] - options << ['-extensions', 'req_ext'] if resource[:req_ext] != :false - openssl options - else + if resource[:csr] options = [ 'x509', '-req', 
@@ -92,10 +80,19 @@ def create options << ['-CA', resource[:ca]] options << ['-CAkey', resource[:cakey]] end - options << ['-passin', "pass:#{resource[:password]}"] if resource[:password] - options << ['-extensions', 'req_ext'] if resource[:req_ext] != :false - openssl options + else + options = [ + 'req', + '-config', resource[:template], + '-new', '-x509', + '-days', resource[:days], + '-key', resource[:private_key], + '-out', resource[:path] + ] end + options << ['-passin', "pass:#{resource[:password]}"] if resource[:password] + options << ['-extensions', 'req_ext'] if resource[:req_ext] != :false + openssl options end def destroy diff --git a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb index fc264daf..7cc759c7 100644 --- a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb +++ b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb @@ -69,9 +69,9 @@ '-days', 3650, '-in', '/tmp/foo.csr', '-out', '/tmp/foo.crt', - ["-CAcreateserial"], - ["-CA", "/tmp/foo-ca.crt"], - ["-CAkey", "/tmp/foo-ca.key"], + ['-CAcreateserial'], + ['-CA', '/tmp/foo-ca.crt'], + ['-CAkey', '/tmp/foo-ca.key'], ['-extensions', 'req_ext'] ]) resource.provider.create
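Review bot: In the `if resource[:csr]` branch, `['-extensions', 'req_ext']` is appended to `openssl x509 -req` without an `-extfile`, and as far as I can tell `openssl x509` only reads an extensions section from the file named by `-extfile`, so the CA-signed certificate is issued without the `req_ext` extensions (subject alternative names and the like) that the template defines; the template is already at hand as `resource[:template]`. I would add `options << ['-extfile', resource[:template]] if resource[:csr] && resource[:req_ext] != :false` before the existing `-extensions` line. When `ca` is set but `csr` is not, the `else` branch silently ignores `ca` and `cakey` and issues a self-signed certificate, which an operator would reasonably take for a CA-signed one; a type-level validation rejecting `ca` without `csr`, or at least a `Puppet.warning`, would make that visible.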