From 373762123a017978f587c49de995921e79eaced6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20R=C3=A9p=C3=A1si?=
Date: Fri, 7 Jun 2024 14:52:45 +0200
Subject: [PATCH] fix logic bug with extkeyusage and altnames
---
 manifests/certificate/x509.pp | 2 +-
 spec/defines/openssl_certificate_x509_spec.rb | 80 +++++++++++++++++++
 2 files changed, 81 insertions(+), 1 deletion(-)
diff --git a/manifests/certificate/x509.pp b/manifests/certificate/x509.pp
index 7543d7e..2aae7c4 100644
--- a/manifests/certificate/x509.pp
+++ b/manifests/certificate/x509.pp
@@ -184,7 +184,7 @@
 csr => $csr,
 days => $days,
 password => $password,
- req_ext => !empty($altnames) and !empty($extkeyusage),
+ req_ext => !empty($altnames) or !empty($extkeyusage),
 force => $force,
 ca => $ca,
 cakey => $cakey,
diff --git a/spec/defines/openssl_certificate_x509_spec.rb b/spec/defines/openssl_certificate_x509_spec.rb
index e2df33d..c3b42d3 100644
--- a/spec/defines/openssl_certificate_x509_spec.rb
+++ b/spec/defines/openssl_certificate_x509_spec.rb
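Review bot: Certificates that were generated while `req_ext` was computed with `and` are not addressed by this change: with only `altnames` or only `extkeyusage` set, the extension request was switched off, so those certificates presumably carry no SAN or no extended key usage restriction. Whether `x509_cert` reissues an existing certificate when `req_ext` flips to true is not visible in this hunk, so the release notes should tell users to inspect and regenerate affected certificates. On the `+` line itself, parentheses would make the precedence explicit, `req_ext => (!empty($altnames) or !empty($extkeyusage)),`, and a short comment such as `# request extensions whenever SANs or an extended key usage are configured` would record the intent. The enclosing resource declaration starts and ends outside the hunk.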
@@ -422,6 +422,86 @@
 }
 end
+ context 'when passing altnames, extension is enabled' do
+ let(:params) do
+ {
+ country: 'com',
+ organization: 'bar',
+ commonname: 'foo.example.com',
+ altnames: ['bar.example.com'],
+ }
+ end
+
+ it {
+ is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
+ ensure: 'present',
+ template: '/etc/ssl/certs/foo.cnf',
+ csr: '/etc/ssl/certs/foo.csr',
+ req_ext: true
+ )
+ }
+ end
+
+ context 'when passing extkeyusage, extension is enabled' do
+ let(:params) do
+ {
+ country: 'com',
+ organization: 'bar',
+ commonname: 'foo.example.com',
+ extkeyusage: ['clientauth'],
+ }
+ end
+
+ it {
+ is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
+ ensure: 'present',
+ template: '/etc/ssl/certs/foo.cnf',
+ csr: '/etc/ssl/certs/foo.csr',
+ req_ext: true
+ )
+ }
+ end
+
+ context 'when passing altnames and extkeyusage, extension is enabled' do
+ let(:params) do
+ {
+ country: 'com',
+ organization: 'bar',
+ commonname: 'foo.example.com',
+ extkeyusage: ['clientauth'],
+ altnames: ['bar.example.com'],
+ }
+ end
+
+ it {
+ is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
+ ensure: 'present',
+ template: '/etc/ssl/certs/foo.cnf',
+ csr: '/etc/ssl/certs/foo.csr',
+ req_ext: true
+ )
+ }
+ end
+
+ context 'w/o passing altnames and extkeyusage, extension is disabled' do
+ let(:params) do
+ {
+ country: 'com',
+ organization: 'bar',
+ commonname: 'foo.example.com',
+ }
+ end
+
+ it {
+ is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
+ ensure: 'present',
+ template: '/etc/ssl/certs/foo.cnf',
+ csr: '/etc/ssl/certs/foo.csr',
+ req_ext: false
+ )
+ }
+ end
+
+ context 'when passing all parameters' do
 let(:params) do
 {
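Review bot: The four new contexts assert only the `req_ext` flag on `x509_cert`, so they would still pass if the rendered `/etc/ssl/certs/foo.cnf` left out the subject alternative names or the extended key usage. An expectation on the content of that config resource in the `altnames` and `extkeyusage` cases would pin what actually reaches the certificate; whether another example already covers this is not visible here. The `it` block is also copied four times with only `req_ext` differing, so iterating over a small table of params and expected flag would keep the truth table in one place. The trailing 'when passing all parameters' context continues outside the hunk.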