Merge pull request #164 from zilchms/x509confmanagement

moves config management to config provider for X509 certificate; moves certificate from v1 to v3

REFERENCE.md

@@ -358,7 +358,6 @@ The following parameters are available in the `openssl::certificate::x509` defin
 * [`key_mode`](#-openssl--certificate--x509--key_mode)
 * [`password`](#-openssl--certificate--x509--password)
 * [`force`](#-openssl--certificate--x509--force)
-* [`cnf_tpl`](#-openssl--certificate--x509--cnf_tpl)
 * [`cnf_dir`](#-openssl--certificate--x509--cnf_dir)
 * [`crt_dir`](#-openssl--certificate--x509--crt_dir)
 * [`csr_dir`](#-openssl--certificate--x509--csr_dir)
@@ -542,14 +541,6 @@ if private key changes
 
 Default value: `true`
 
-##### <a name="-openssl--certificate--x509--cnf_tpl"></a>`cnf_tpl`
-
-Data type: `String`
-
-Specify an other template to generate ".cnf" file.
-
-Default value: `'openssl/cert.cnf.erb'`
-
 ##### <a name="-openssl--certificate--x509--cnf_dir"></a>`cnf_dir`
 
 Data type: `Optional[Stdlib::Absolutepath]`
@@ -719,15 +710,15 @@ value for organization
 
 ##### <a name="-openssl--config--owner"></a>`owner`
 
-Data type: `String[1]`
+Data type: `Variant[String[1],Integer]`
 
 owner for the configuration file
 
 Default value: `'root'`
 
 ##### <a name="-openssl--config--group"></a>`group`
 
-Data type: `String[1]`
+Data type: `Variant[String[1],Integer]`
 
 group for the configuration file
 

lib/puppet/provider/x509_cert/openssl.rb

@@ -73,7 +73,8 @@ def create
         '-req',
         '-days', resource[:days],
         '-in', resource[:csr],
-        '-out', resource[:path]
+        '-out', resource[:path],
+        '-extfile', resource[:template]
       ]
       if resource[:ca]
         options << ['-CAcreateserial']
@@ -91,7 +92,7 @@ def create
       ]
     end
     options << ['-passin', "pass:#{resource[:password]}"] if resource[:password]
-    options << ['-extensions', 'req_ext'] if resource[:req_ext] != :false
+    options << ['-extensions', 'v3_req'] if resource[:req_ext] != :false
     openssl options
   end
 

manifests/certificate/x509.pp

@@ -58,8 +58,6 @@
 # @param force
 #   whether to override certificate and request
 #   if private key changes
-# @param cnf_tpl
-#   Specify an other template to generate ".cnf" file.
 # @param cnf_dir
 #   where cnf should be placed.
 #   Directory must exist, defaults to $base_dir.
@@ -146,7 +144,6 @@
   String                             $key_mode = '0600',
   Optional[String]                   $password = undef,
   Boolean                            $force = true,
-  String                             $cnf_tpl = 'openssl/cert.cnf.erb',
   Boolean                            $encrypted = true,
   Optional[Stdlib::Absolutepath]     $ca = undef,
   Optional[Stdlib::Absolutepath]     $cakey = undef,
@@ -168,43 +165,43 @@
     $req_ext = false
   }
 
-  file { $_cnf:
-    ensure  => $ensure,
-    owner   => $owner,
-    group   => $group,
-    content => template($cnf_tpl),
-  }
-
   ssl_pkey { $_key:
     ensure   => $ensure,
     password => $password,
     size     => $key_size,
   }
-
-  x509_cert { $_crt:
-    ensure      => $ensure,
-    template    => $_cnf,
-    private_key => $_key,
-    days        => $days,
-    password    => $password,
-    req_ext     => $req_ext,
-    force       => $force,
-    require     => File[$_cnf],
-    ca          => $ca,
-    cakey       => $cakey,
-    csr         => $csr,
+  ~> openssl::config { $_cnf:
+    ensure            => $ensure,
+    owner             => $owner,
+    group             => $group,
+    commonname        => $commonname,
+    country           => $country,
+    state             => $state,
+    locality          => $locality,
+    organization      => $organization,
+    unit              => $unit,
+    email             => $email,
+    extendedkeyusages => $extkeyusage,
+    subjectaltnames   => $altnames,
   }
-
-  x509_request { $_csr:
+  ~> x509_request { $_csr:
     ensure      => $ensure,
     template    => $_cnf,
     private_key => $_key,
     password    => $password,
     force       => $force,
     encrypted   => $encrypted,
-    require     => File[$_cnf],
-    subscribe   => File[$_cnf],
-    notify      => X509_cert[$_crt],
+  }
+  ~> x509_cert { $_crt:
+    ensure   => $ensure,
+    template => $_cnf,
+    csr      => $_csr,
+    days     => $days,
+    password => $password,
+    req_ext  => $req_ext,
+    force    => $force,
+    ca       => $ca,
+    cakey    => $cakey,
   }
 
   # Set owner of all files

manifests/config.pp

@@ -51,8 +51,8 @@
   String[1]                            $country,
   String[1]                            $organization,
   Enum['absent','present']             $ensure            = 'present',
-  String[1]                            $owner             = 'root',
-  String[1]                            $group             = 'root',
+  Variant[String[1],Integer]           $owner             = 'root',
+  Variant[String[1],Integer]           $group             = 'root',
   String[1]                            $mode              = '0640',
   Optional[String[1]]                  $state             = undef,
   Optional[String[1]]                  $locality          = undef,

spec/defines/openssl_certificate_x509_spec.rb

@@ -407,7 +407,7 @@
       is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
         ensure: 'present',
         template: '/etc/ssl/certs/foo.cnf',
-        private_key: '/etc/ssl/certs/foo.key',
+        csr: '/etc/ssl/certs/foo.csr',
         days: 365,
         password: nil,
         force: true
@@ -486,9 +486,15 @@
       ).with_content(
         %r{emailAddress\s+=\s+contact@foo\.com}
       ).with_content(
-        %r{subjectAltName\s+=\s+"DNS: a\.com, DNS: b\.com, DNS: c\.com"}
+        %r{extendedKeyUsage\s+=\s+serverAuth,\s+clientAuth}
+      ).with_content(
+        %r{subjectAltName\s+=\s+@alt_names}
+      ).with_content(
+        %r{DNS\.0\s+=\s+a\.com}
       ).with_content(
-        %r{extendedKeyUsage\s+=\s+"serverAuth, clientAuth"}
+        %r{DNS\.1\s+=\s+b\.com}
+      ).with_content(
+        %r{DNS\.2\s+=\s+c\.com}
       )
     }
 
@@ -504,7 +510,7 @@
       is_expected.to contain_x509_cert('/tmp/foobar/foo.crt').with(
         ensure: 'present',
         template: '/tmp/foobar/foo.cnf',
-        private_key: '/tmp/foobar/foo.key',
+        csr: '/tmp/foobar/foo.csr',
         days: 4567,
         password: '5r$}^',
         force: false

spec/unit/puppet/provider/x509_cert/openssl_spec.rb

@@ -34,7 +34,7 @@
                                                          '-days', 3650,
                                                          '-key', '/tmp/foo.key',
                                                          '-out', '/tmp/foo.crt',
-                                                         ['-extensions', 'req_ext']
+                                                         ['-extensions', 'v3_req']
                                                        ])
       resource.provider.create
     end
@@ -51,7 +51,7 @@
                                                            '-key', '/tmp/foo.key',
                                                            '-out', '/tmp/foo.crt',
                                                            ['-passin', 'pass:2x6${'],
-                                                           ['-extensions', 'req_ext']
+                                                           ['-extensions', 'v3_req']
                                                          ])
         resource.provider.create
       end
@@ -69,10 +69,11 @@
                                                          '-days', 3650,
                                                          '-in', '/tmp/foo.csr',
                                                          '-out', '/tmp/foo.crt',
+                                                         '-extfile', '/tmp/foo.cnf',
                                                          ['-CAcreateserial'],
                                                          ['-CA', '/tmp/foo-ca.crt'],
                                                          ['-CAkey', '/tmp/foo-ca.key'],
-                                                         ['-extensions', 'req_ext']
+                                                         ['-extensions', 'v3_req']
                                                        ])
       resource.provider.create
     end