fix logic bug with extkeyusage and altnames

voxpupuli · Jun 7, 2024 · 3737621 · 3737621
1 parent 849bb41
commit 3737621
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 1 deletion.
diff --git a/manifests/certificate/x509.pp b/manifests/certificate/x509.pp
@@ -184,7 +184,7 @@
     csr      => $csr,
     days     => $days,
     password => $password,
-    req_ext  => !empty($altnames) and !empty($extkeyusage),
+    req_ext  => !empty($altnames) or !empty($extkeyusage),
     force    => $force,
     ca       => $ca,
     cakey    => $cakey,

diff --git a/spec/defines/openssl_certificate_x509_spec.rb b/spec/defines/openssl_certificate_x509_spec.rb
@@ -422,6 +422,86 @@
     }
   end
 
+  context 'when passing altnames, extension is enabled' do
+    let(:params) do
+      {
+        country: 'com',
+        organization: 'bar',
+        commonname: 'foo.example.com',
+        altnames: ['bar.example.com'],
+      }
+    end
+
+    it {
+      is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
+        ensure: 'present',
+        template: '/etc/ssl/certs/foo.cnf',
+        csr: '/etc/ssl/certs/foo.csr',
+        req_ext: true
+      )
+    }
+  end
+
+  context 'when passing extkeyusage, extension is enabled' do
+    let(:params) do
+      {
+        country: 'com',
+        organization: 'bar',
+        commonname: 'foo.example.com',
+        extkeyusage: ['clientauth'],
+      }
+    end
+
+    it {
+      is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
+        ensure: 'present',
+        template: '/etc/ssl/certs/foo.cnf',
+        csr: '/etc/ssl/certs/foo.csr',
+        req_ext: true
+      )
+    }
+  end
+
+  context 'when passing altnames and extkeyusage, extension is enabled' do
+    let(:params) do
+      {
+        country: 'com',
+        organization: 'bar',
+        commonname: 'foo.example.com',
+        extkeyusage: ['clientauth'],
+        altnames: ['bar.example.com'],
+      }
+    end
+
+    it {
+      is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
+        ensure: 'present',
+        template: '/etc/ssl/certs/foo.cnf',
+        csr: '/etc/ssl/certs/foo.csr',
+        req_ext: true
+      )
+    }
+  end
+
+  context 'w/o passing altnames and extkeyusage, extension is disabled' do
+    let(:params) do
+      {
+        country: 'com',
+        organization: 'bar',
+        commonname: 'foo.example.com',
+      }
+    end
+
+    it {
+      is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
+        ensure: 'present',
+        template: '/etc/ssl/certs/foo.cnf',
+        csr: '/etc/ssl/certs/foo.csr',
+        req_ext: false
+      )
+    }
+  end
+
   context 'when passing all parameters' do
     let(:params) do
       {