Pass openssl commands as an array

Puppet 7.9 introduced support to pass an array, which avoids using a
shell altogether. This simplifies the code because there's no more need
to escape and join options.

manifests/export/pem_cert.pp

@@ -37,28 +37,20 @@
   }
 
   if $der_cert {
-    $sslmodule = 'x509'
+    $sslmodule = ['x509', '-inform', 'DER']
     $in_cert   = $der_cert
-    $module_opt  = '-inform DER'
   } else {
-    $sslmodule  = 'pkcs12'
+    $sslmodule  = ['pkcs12']
     $in_cert    = $pfx_cert
-    $module_opt   = ''
   }
 
   $passin_opt = $in_pass ? {
-    undef   => '',
-    default => "-nokeys -passin pass:${shellquote($in_pass)}",
+    undef   => [],
+    default => ['-nokeys', '-passin', "pass:${in_pass}"],
   }
 
   if $ensure == 'present' {
-    $cmd = [
-      "openssl ${sslmodule}",
-      $module_opt,
-      "-in ${in_cert}",
-      "-out ${pem_cert}",
-      $passin_opt,
-    ]
+    $cmd = ['openssl'] + $sslmodule + ['-in', $in_cert, '-out', $pem_cert] + $passin_opt
 
     if $dynamic {
       $exec_params = {
@@ -70,7 +62,7 @@
     }
 
     exec { "Export ${in_cert} to ${pem_cert}":
-      command => inline_template('<%= @cmd.join(" ") %>'),
+      command => $cmd,
       path    => $facts['path'],
       *       => $exec_params,
     }

manifests/export/pem_key.pp

@@ -26,23 +26,21 @@
 ) {
   if $ensure == 'present' {
     $passin_opt = $in_pass ? {
-      undef   => '',
-      default => "-passin pass:${shellquote($in_pass)}",
+      undef   => [],
+      default => ['-passin', "pass:${in_pass}"],
     }
 
     $passout_opt = $out_pass ? {
-      undef   => '-nodes',
-      default => "-passout pass:${shellquote($out_pass)}",
+      undef   => ['-nodes'],
+      default => ['-passout', "pass:${out_pass}"],
     }
 
     $cmd = [
-      'openssl pkcs12',
-      "-in ${pfx_cert}",
-      "-out ${pem_key}",
+      'openssl', 'pkcs12',
+      '-in', $pfx_cert,
+      '-out', $pem_key,
       '-nocerts',
-      $passin_opt,
-      $passout_opt,
-    ]
+    ] + $passin_opt + $passout_opt
 
     if $dynamic {
       $exec_params = {
@@ -54,7 +52,7 @@
     }
 
     exec { "Export ${pfx_cert} to ${pem_key}":
-      command => inline_template('<%= @cmd.join(" ") %>'),
+      command => $cmd,
       path    => $facts['path'],
       *       => $exec_params,
     }

manifests/export/pkcs12.pp

@@ -30,35 +30,32 @@
   Optional[String]           $in_pass   = undef,
   Optional[String]           $out_pass  = undef,
 ) {
+  $full_path = "${basedir}/${name}.p12"
+
   if $ensure == 'present' {
     $pass_opt = $in_pass ? {
-      undef   => '',
-      default => "-passin pass:${shellquote($in_pass)}",
+      undef   => [],
+      default => ['-passin', "pass:${in_pass}"],
     }
 
     $passout_opt = $out_pass ? {
-      undef   => '',
-      default => "-passout pass:${shellquote($out_pass)}",
+      undef   => [],
+      default => ['-passout', "pass:${out_pass}"],
     }
 
     $chain_opt = $chaincert ? {
-      undef   => '',
-      default => "-chain -CAfile ${chaincert}",
+      undef   => [],
+      default => ['-chain', '-CAfile', $chaincert],
     }
 
     $cmd = [
-      'openssl pkcs12 -export',
-      "-in ${cert}",
-      "-inkey ${pkey}",
-      "-out ${basedir}/${name}.p12",
-      "-name ${name}",
-      '-nodes -noiter',
-      $chain_opt,
-      $pass_opt,
-      $passout_opt,
-    ]
-
-    $full_path = "${basedir}/${name}.p12"
+      'openssl', 'pkcs12', '-export',
+      '-in', $cert,
+      '-inkey', $pkey,
+      '-out', $full_path,
+      '-name', $name,
+      '-nodes', '-noiter',
+    ] + $chain_opt + $pass_opt + $passout_opt
 
     if $dynamic {
       $exec_params = {
@@ -70,12 +67,12 @@
     }
 
     exec { "Export ${name} to ${full_path}":
-      command => inline_template('<%= @cmd.join(" ") %>'),
+      command => $cmd,
       path    => $facts['path'],
       *       => $exec_params,
     }
   } else {
-    file { "${basedir}/${name}.p12":
+    file { $full_path:
       ensure => absent,
     }
   }

metadata.json

@@ -86,7 +86,7 @@
   "requirements": [
     {
       "name": "puppet",
-      "version_requirement": ">= 7.0.0 < 9.0.0"
+      "version_requirement": ">= 7.9.0 < 9.0.0"
     }
   ]
 }

spec/defines/openssl_export_pem_cert_spec.rb

@@ -42,7 +42,7 @@
 
     it {
       is_expected.to contain_exec('Export /etc/ssl/certs/foo.pfx to /etc/ssl/certs/foo.pem').with(
-        command: 'openssl pkcs12  -in /etc/ssl/certs/foo.pfx -out /etc/ssl/certs/foo.pem ',
+        command: ['openssl', 'pkcs12', '-in', '/etc/ssl/certs/foo.pfx', '-out', '/etc/ssl/certs/foo.pem'],
         creates: '/etc/ssl/certs/foo.pem',
         path: '/usr/bin:/bin:/usr/sbin:/sbin'
       )
@@ -60,7 +60,7 @@
 
     it {
       is_expected.to contain_exec('Export /etc/ssl/certs/foo.pfx to /etc/ssl/certs/foo.pem').with(
-        command: 'openssl pkcs12  -in /etc/ssl/certs/foo.pfx -out /etc/ssl/certs/foo.pem ',
+        command: ['openssl', 'pkcs12', '-in', '/etc/ssl/certs/foo.pfx', '-out', '/etc/ssl/certs/foo.pem'],
         path: '/usr/bin:/bin:/usr/sbin:/sbin',
         refreshonly: true
       )
@@ -79,7 +79,7 @@
 
     it {
       is_expected.to contain_exec('Export /etc/ssl/certs/foo.pfx to /etc/ssl/certs/foo.pem').with(
-        command: "openssl pkcs12  -in /etc/ssl/certs/foo.pfx -out /etc/ssl/certs/foo.pem -nokeys -passin pass:'5r$}^'",
+        command: ['openssl', 'pkcs12', '-in', '/etc/ssl/certs/foo.pfx', '-out', '/etc/ssl/certs/foo.pem', '-nokeys', '-passin', 'pass:5r$}^'],
         creates: '/etc/ssl/certs/foo.pem',
         path: '/usr/bin:/bin:/usr/sbin:/sbin'
       )
@@ -96,7 +96,7 @@
 
     it {
       is_expected.to contain_exec('Export /etc/ssl/certs/foo.der to /etc/ssl/certs/foo.pem').with(
-        command: 'openssl x509 -inform DER -in /etc/ssl/certs/foo.der -out /etc/ssl/certs/foo.pem ',
+        command: ['openssl', 'x509', '-inform', 'DER', '-in', '/etc/ssl/certs/foo.der', '-out', '/etc/ssl/certs/foo.pem'],
         creates: '/etc/ssl/certs/foo.pem',
         path: '/usr/bin:/bin:/usr/sbin:/sbin'
       )