fix handling of request extensions

voxpupuli · Mar 27, 2024 · 268ae1c · 268ae1c
1 parent 0c03329
commit 268ae1c
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 7 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -1311,7 +1311,7 @@ discover the appropriate provider for your platform.
 
 ##### <a name="-x509_cert--req_ext"></a>`req_ext`
 
-Valid values: `true`, `false`
+Valid values: `true`, `false`, `yes`, `no`
 
 Whether adding v3 SAN from config
 

diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb
@@ -73,13 +73,21 @@ def create
         '-req',
         '-days', resource[:days],
         '-in', resource[:csr],
-        '-out', resource[:path],
-        '-extfile', resource[:template]
+        '-out', resource[:path]
       ]
       if resource[:ca]
+        options << ['-extfile', resource[:template]]
         options << ['-CAcreateserial']
         options << ['-CA', resource[:ca]]
         options << ['-CAkey', resource[:cakey]]
+      else
+        options << ['-signkey', resource[:private_key]]
+        if resource[:req_ext]
+          options << [
+            '-extensions', 'v3_req',
+            '-extfile', resource[:template]
+          ]
+        end
       end
     else
       options = [

diff --git a/lib/puppet/type/x509_cert.rb b/lib/puppet/type/x509_cert.rb
@@ -42,9 +42,8 @@
     desc 'The optional password for the private key'
   end
 
-  newparam(:req_ext, boolean: true) do
+  newparam(:req_ext, boolean: true, parent: Puppet::Parameter::Boolean) do
     desc 'Whether adding v3 SAN from config'
-    newvalues(:true, :false)
     defaultto false
   end
 

diff --git a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb
@@ -69,7 +69,7 @@
                                                          '-days', 3650,
                                                          '-in', '/tmp/foo.csr',
                                                          '-out', '/tmp/foo.crt',
-                                                         '-extfile', '/tmp/foo.cnf',
+                                                         ['-extfile', '/tmp/foo.cnf'],
                                                          ['-CAcreateserial'],
                                                          ['-CA', '/tmp/foo-ca.crt'],
                                                          ['-CAkey', '/tmp/foo-ca.key'],

diff --git a/spec/unit/puppet/type/x509_cert_spec.rb b/spec/unit/puppet/type/x509_cert_spec.rb
@@ -56,7 +56,7 @@
 
   it 'accepts a valid req_ext parameter' do
     resource[:req_ext] = true
-    expect(resource[:req_ext]).to eq(:true)
+    expect(resource[:req_ext]).to be(true)
   end
 
   it 'does not accept a bad req_ext parameter' do