Merge pull request #202 from pavelkovtunov/feat_refreshable_exports

feat: refreshable exports
voxpupuli · Jul 17, 2024 · 81502ee · 81502ee
2 parents fc41cca + 4feddcc
commit 81502ee
Show file tree

Hide file tree

Showing 6 changed files with 157 additions and 23 deletions.
diff --git a/README.md b/README.md
@@ -118,6 +118,21 @@ openssl::export::pem_key { 'foo':
 }
 ```
 
+### Dynamic refresh of exported files
+
+If you want Puppet to refresh the PKCS#12, PEM/x509 or PEM key file in case the input files changed, set the dynamic mode on and list desired resources for subscription:
+
+```puppet
+openssl::export::pkcs12 { 'bar':
+  ensure    => 'present',
+  basedir   => '/path/to/dir',
+  pkey      => '/here/is/my/private.key',
+  cert      => '/there/is/the/cert.crt',
+  dynamic   => true,
+  resources => File['/here/is/my/private.key','/there/is/the/cert.crt'],
+}
+```
+
 ### Create Diffie-Hellman parameters
 
 The [openssl::dhparam](REFERENCE.md#openssldhparam) defined type and its back-end resource type [dhparam](REFERENCE.md#dhparam) allow to generate Diffie-Hellman parameters.

diff --git a/REFERENCE.md b/REFERENCE.md
@@ -913,12 +913,22 @@ Export certificate(s) to PEM/x509 format
 
 The following parameters are available in the `openssl::export::pem_cert` defined type:
 
+* [`dynamic`](#-openssl--export--pem_cert--dynamic)
 * [`ensure`](#-openssl--export--pem_cert--ensure)
+* [`resources`](#-openssl--export--pem_cert--resources)
 * [`pfx_cert`](#-openssl--export--pem_cert--pfx_cert)
 * [`der_cert`](#-openssl--export--pem_cert--der_cert)
 * [`pem_cert`](#-openssl--export--pem_cert--pem_cert)
 * [`in_pass`](#-openssl--export--pem_cert--in_pass)
 
+##### <a name="-openssl--export--pem_cert--dynamic"></a>`dynamic`
+
+Data type: `Boolean`
+
+dynamically renew certificate file
+
+Default value: `false`
+
 ##### <a name="-openssl--export--pem_cert--ensure"></a>`ensure`
 
 Data type: `Enum['present', 'absent']`
@@ -927,6 +937,14 @@ Whether the certificate file should exist
 
 Default value: `present`
 
+##### <a name="-openssl--export--pem_cert--resources"></a>`resources`
+
+Data type: `Variant[Type, Array[Type]]`
+
+List of resources to subscribe to for certificate file renewal
+
+Default value: `[]`
+
 ##### <a name="-openssl--export--pem_cert--pfx_cert"></a>`pfx_cert`
 
 Data type: `Optional[Stdlib::Absolutepath]`
@@ -969,7 +987,9 @@ The following parameters are available in the `openssl::export::pem_key` defined
 
 * [`pfx_cert`](#-openssl--export--pem_key--pfx_cert)
 * [`pem_key`](#-openssl--export--pem_key--pem_key)
+* [`dynamic`](#-openssl--export--pem_key--dynamic)
 * [`ensure`](#-openssl--export--pem_key--ensure)
+* [`resources`](#-openssl--export--pem_key--resources)
 * [`in_pass`](#-openssl--export--pem_key--in_pass)
 * [`out_pass`](#-openssl--export--pem_key--out_pass)
 
@@ -987,14 +1007,30 @@ PEM certificate
 
 Default value: `$title`
 
+##### <a name="-openssl--export--pem_key--dynamic"></a>`dynamic`
+
+Data type: `Boolean`
+
+dynamically renew key file
+
+Default value: `false`
+
 ##### <a name="-openssl--export--pem_key--ensure"></a>`ensure`
 
 Data type: `Enum['present', 'absent']`
 
-Whether the key file should exist
+Whether the keyfile should exist
 
 Default value: `present`
 
+##### <a name="-openssl--export--pem_key--resources"></a>`resources`
+
+Data type: `Variant[Type, Array[Type]]`
+
+List of resources to subscribe to for key renewal
+
+Default value: `[]`
+
 ##### <a name="-openssl--export--pem_key--in_pass"></a>`in_pass`
 
 Data type: `Optional[String]`
@@ -1022,7 +1058,9 @@ The following parameters are available in the `openssl::export::pkcs12` defined
 * [`basedir`](#-openssl--export--pkcs12--basedir)
 * [`pkey`](#-openssl--export--pkcs12--pkey)
 * [`cert`](#-openssl--export--pkcs12--cert)
+* [`dynamic`](#-openssl--export--pkcs12--dynamic)
 * [`ensure`](#-openssl--export--pkcs12--ensure)
+* [`resources`](#-openssl--export--pkcs12--resources)
 * [`in_pass`](#-openssl--export--pkcs12--in_pass)
 * [`out_pass`](#-openssl--export--pkcs12--out_pass)
 * [`chaincert`](#-openssl--export--pkcs12--chaincert)
@@ -1045,6 +1083,14 @@ Data type: `Stdlib::Absolutepath`
 
 Certificate
 
+##### <a name="-openssl--export--pkcs12--dynamic"></a>`dynamic`
+
+Data type: `Boolean`
+
+dynamically renew PKCS12 file
+
+Default value: `false`
+
 ##### <a name="-openssl--export--pkcs12--ensure"></a>`ensure`
 
 Data type: `Enum['present', 'absent']`
@@ -1053,6 +1099,14 @@ Whether the PKCS12 file should exist
 
 Default value: `present`
 
+##### <a name="-openssl--export--pkcs12--resources"></a>`resources`
+
+Data type: `Variant[Type, Array[Type]]`
+
+List of resources to subscribe to for PKCS12 renewal
+
+Default value: `[]`
+
 ##### <a name="-openssl--export--pkcs12--in_pass"></a>`in_pass`
 
 Data type: `Optional[String]`

diff --git a/manifests/export/pem_cert.pp b/manifests/export/pem_cert.pp
@@ -1,7 +1,11 @@
 # @summary Export certificate(s) to PEM/x509 format
 #
+# @param dynamic
+#   dynamically renew certificate file
 # @param ensure
 #   Whether the certificate file should exist
+# @param resources
+#   List of resources to subscribe to for certificate file renewal
 # @param pfx_cert
 #   PFX certificate/key container
 # @param der_cert
@@ -12,11 +16,13 @@
 #   PFX password
 #
 define openssl::export::pem_cert (
-  Enum['present', 'absent']       $ensure   = present,
-  Stdlib::Absolutepath            $pem_cert = $title,
-  Optional[Stdlib::Absolutepath]  $pfx_cert = undef,
-  Optional[Stdlib::Absolutepath]  $der_cert = undef,
-  Optional[String]                $in_pass  = undef,
+  Boolean                         $dynamic   = false,
+  Enum['present', 'absent']       $ensure    = present,
+  Variant[Type, Array[Type]]      $resources = [],
+  Stdlib::Absolutepath            $pem_cert  = $title,
+  Optional[Stdlib::Absolutepath]  $pfx_cert  = undef,
+  Optional[Stdlib::Absolutepath]  $der_cert  = undef,
+  Optional[String]                $in_pass   = undef,
 
 ) {
   #local variables
@@ -54,10 +60,19 @@
       $passin_opt,
     ]
 
+    if $dynamic {
+      $exec_params = {
+        refreshonly => true,
+        subscribe   => $resources,
+      }
+    } else {
+      $exec_params = { creates => $pem_cert, }
+    }
+
     exec { "Export ${in_cert} to ${pem_cert}":
       command => inline_template('<%= @cmd.join(" ") %>'),
       path    => $facts['path'],
-      creates => $pem_cert,
+      *       => $exec_params,
     }
   } else {
     file { $pem_cert:

diff --git a/manifests/export/pem_key.pp b/manifests/export/pem_key.pp
@@ -4,19 +4,25 @@
 #   PFX certificate/key container
 # @param pem_key
 #   PEM certificate
+# @param dynamic
+#   dynamically renew key file
 # @param ensure
-#   Whether the key file should exist
+#   Whether the keyfile should exist
+# @param resources
+#   List of resources to subscribe to for key renewal
 # @param in_pass
 #   PFX container password
 # @param out_pass
 #   PEM key password
 #
 define openssl::export::pem_key (
-  Stdlib::Absolutepath      $pfx_cert,
-  Stdlib::Absolutepath      $pem_key  = $title,
-  Enum['present', 'absent'] $ensure   = present,
-  Optional[String]          $in_pass  = undef,
-  Optional[String]          $out_pass = undef,
+  Stdlib::Absolutepath       $pfx_cert,
+  Stdlib::Absolutepath       $pem_key   = $title,
+  Boolean                    $dynamic   = false,
+  Enum['present', 'absent']  $ensure    = present,
+  Variant[Type, Array[Type]] $resources = [],
+  Optional[String]           $in_pass   = undef,
+  Optional[String]           $out_pass  = undef,
 ) {
   if $ensure == 'present' {
     $passin_opt = $in_pass ? {
@@ -38,10 +44,19 @@
       $passout_opt,
     ]
 
+    if $dynamic {
+      $exec_params = {
+        refreshonly => true,
+        subscribe   => $resources,
+      }
+    } else {
+      $exec_params = { creates => $pem_key, }
+    }
+
     exec { "Export ${pfx_cert} to ${pem_key}":
       command => inline_template('<%= @cmd.join(" ") %>'),
       path    => $facts['path'],
-      creates => $pem_key,
+      *       => $exec_params,
     }
   } else {
     file { $pem_key:

diff --git a/manifests/export/pkcs12.pp b/manifests/export/pkcs12.pp
@@ -6,8 +6,12 @@
 #   Private key
 # @param cert
 #   Certificate
+# @param dynamic
+#   dynamically renew PKCS12 file
 # @param ensure
 #   Whether the PKCS12 file should exist
+# @param resources
+#   List of resources to subscribe to for PKCS12 renewal
 # @param in_pass
 #   Private key password
 # @param out_pass
@@ -16,13 +20,15 @@
 #   Chain certificate to include in pkcs12
 #
 define openssl::export::pkcs12 (
-  Stdlib::Absolutepath      $basedir,
-  Stdlib::Absolutepath      $pkey,
-  Stdlib::Absolutepath      $cert,
-  Enum['present', 'absent'] $ensure    = present,
-  Optional[String]          $chaincert = undef,
-  Optional[String]          $in_pass   = undef,
-  Optional[String]          $out_pass  = undef,
+  Stdlib::Absolutepath       $basedir,
+  Stdlib::Absolutepath       $pkey,
+  Stdlib::Absolutepath       $cert,
+  Boolean                    $dynamic   = false,
+  Enum['present', 'absent']  $ensure    = present,
+  Variant[Type, Array[Type]] $resources = [],
+  Optional[String]           $chaincert = undef,
+  Optional[String]           $in_pass   = undef,
+  Optional[String]           $out_pass  = undef,
 ) {
   if $ensure == 'present' {
     $pass_opt = $in_pass ? {
@@ -52,10 +58,21 @@
       $passout_opt,
     ]
 
-    exec { "Export ${name} to ${basedir}/${name}.p12":
+    $full_path = "${basedir}/${name}.p12"
+
+    if $dynamic {
+      $exec_params = {
+        refreshonly => true,
+        subscribe   => $resources,
+      }
+    } else {
+      $exec_params = { creates => $full_path, }
+    }
+
+    exec { "Export ${name} to ${full_path}":
       command => inline_template('<%= @cmd.join(" ") %>'),
       path    => $facts['path'],
-      creates => "${basedir}/${name}.p12",
+      *       => $exec_params,
     }
   } else {
     file { "${basedir}/${name}.p12":

diff --git a/spec/defines/openssl_export_pem_cert_spec.rb b/spec/defines/openssl_export_pem_cert_spec.rb
@@ -49,6 +49,24 @@
     }
   end
 
+  context 'when using defaults pkcs12 to PEM with dynamic refresh' do
+    let(:params) do
+      {
+        ensure: :present,
+        pfx_cert: '/etc/ssl/certs/foo.pfx',
+        dynamic: true,
+      }
+    end
+
+    it {
+      is_expected.to contain_exec('Export /etc/ssl/certs/foo.pfx to /etc/ssl/certs/foo.pem').with(
+        command: 'openssl pkcs12  -in /etc/ssl/certs/foo.pfx -out /etc/ssl/certs/foo.pem ',
+        path: '/usr/bin:/bin:/usr/sbin:/sbin',
+        refreshonly: true
+      )
+    }
+  end
+
   context 'when converting pkcs12 to PEM with password for just the certificate' do
     let(:params) do
       {