Merge pull request #228 from ekohl/fix-syntax
Fix syntax in pem_cert.pp and correctly pass in a flat array
ekohl authored Oct 1, 2024
2 parents a38c6ad + b62720f commit b16ac47
Showing 5 changed files with 125 additions and 74 deletions.
21 changes: 12 additions & 9 deletions lib/puppet/provider/x509_cert/openssl.rb
Expand Up @@ -68,14 +68,14 @@ def create
'-out', resource[:path]
]
if resource[:ca]
options << ['-extfile', resource[:template]]
options << ['-CAcreateserial']
options << ['-CA', resource[:ca]]
options << ['-CAkey', resource[:cakey]]
options += ['-extfile', resource[:template]]
options += ['-CAcreateserial']
options += ['-CA', resource[:ca]]
options += ['-CAkey', resource[:cakey]]
else
options << ['-signkey', resource[:private_key]]
options += ['-signkey', resource[:private_key]]
if resource[:req_ext]
options << [
options += [
'-extensions', 'v3_req',
'-extfile', resource[:template]
]
Expand All @@ -95,11 +95,14 @@ def create
password = resource[:cakey_password] || resource[:password]

if password
options << ['-passin', 'env:CERTIFICATE_PASSIN']
options += ['-passin', 'env:CERTIFICATE_PASSIN']
env['CERTIFICATE_PASSIN'] = password
end
options << ['-extensions', 'v3_req'] if resource[:req_ext] != :false
openssl options, environment: env
options += ['-extensions', 'v3_req'] if resource[:req_ext] != :false

# openssl(options) doesn't work because it's impossible to pass an env
# https://github.com/puppetlabs/puppet/issues/9493
execute([command('openssl')] + options, { failonfail: true, combine: true, custom_environment: env })
end

def destroy
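Review bot: The `-extensions v3_req` flag can reach openssl twice from the non-CA path: the `else` branch already appends `'-extensions', 'v3_req'` when `resource[:req_ext]` is truthy, and the line just above the new `execute` call appends it again for every value other than the symbol `:false`. The two guards also disagree (Ruby truthiness versus `!= :false`), so which `req_ext` values are meant to enable the extension is not readable from this hunk; computing the flag once, in a single place, or at least a comment on the trailing append explaining why the CA path needs it, would remove the ambiguity. Delivering the password through `custom_environment` instead of `-passin pass:` on argv is the right choice because the command line is visible to other local users in the process table, and that reasoning deserves to be stated next to the `env['CERTIFICATE_PASSIN'] = password` line, e.g. `# password goes via the environment, never argv, so it is not exposed in the process list`. `def create` starts before the first hunk.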
8 changes: 5 additions & 3 deletions lib/puppet/provider/x509_request/openssl.rb
Expand Up @@ -37,12 +37,14 @@ def create
]

if resource[:password]
options << ['-passin', 'env:CERTIFICATE_PASSIN']
options += ['-passin', 'env:CERTIFICATE_PASSIN']
env['CERTIFICATE_PASSIN'] = resource[:password]
end
options << ['-nodes'] unless resource[:encrypted]
options << '-nodes' unless resource[:encrypted]

openssl options, environment: env
# openssl(options) doesn't work because it's impossible to pass an env
# https://github.com/puppetlabs/puppet/issues/9493
execute([command('openssl')] + options, { failonfail: true, combine: true, custom_environment: env })
end

def destroy
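Review bot: The new `execute([command('openssl')] + options, { failonfail: true, combine: true, custom_environment: env })` call and its two-line comment are byte-identical to the ones added in lib/puppet/provider/x509_cert/openssl.rb; a small shared helper such as `def openssl_with_env(options, env)` in a module both providers include would keep the workaround and the issue #9493 reference in one place. The `unless resource[:encrypted]` guard on the `-nodes` line tests Ruby truthiness, which only excludes `nil` and `false`; if this parameter can carry the symbol `:false` (as `req_ext` appears to in the x509_cert provider, where it is compared with `!= :false`), `-nodes` would be dropped when it should be passed, so this is worth confirming against the type definition. `def create` begins before the hunk.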
2 changes: 1 addition & 1 deletion manifests/export/pem_cert.pp
Expand Up @@ -66,7 +66,7 @@

exec { "Export ${in_cert} to ${pem_cert}":
command => $cmd,
environment => $passin_env
environment => $passin_env,
path => $facts['path'],
* => $exec_params,
}
125 changes: 78 additions & 47 deletions spec/unit/puppet/provider/x509_cert/openssl_spec.rb
Expand Up @@ -5,7 +5,6 @@
require 'pathname'
require 'puppet/type/x509_cert'

provider_class = Puppet::Type.type(:x509_cert).provider(:openssl)
describe 'The openssl provider for the x509_cert type' do
let(:path) { '/tmp/foo.crt' }
let(:pathname) { Pathname.new(path) }
Expand All @@ -31,33 +30,49 @@
end

it 'creates a certificate with the proper options' do
expect(provider_class).to receive(:openssl).with([
'req',
'-config', '/tmp/foo.cnf',
'-new',
'-x509',
'-days', 3650,
'-key', '/tmp/foo.key',
'-out', '/tmp/foo.crt',
['-extensions', 'v3_req']
])
expect(resource.provider).to receive(:execute).with(
[
'/usr/bin/openssl',
'req',
'-config', '/tmp/foo.cnf',
'-new',
'-x509',
'-days', 3650,
'-key', '/tmp/foo.key',
'-out', '/tmp/foo.crt',
'-extensions', 'v3_req',
],
{
combine: true,
custom_environment: {},
failonfail: true,
}
)
resource.provider.create
end

context 'when using password' do
it 'creates a certificate with the proper options' do
resource[:password] = '2x6${'
expect(provider_class).to receive(:openssl).with([
'req',
'-config', '/tmp/foo.cnf',
'-new',
'-x509',
'-days', 3650,
'-key', '/tmp/foo.key',
'-out', '/tmp/foo.crt',
['-passin', 'pass:2x6${'],
['-extensions', 'v3_req']
])
expect(resource.provider).to receive(:execute).with(
[
'/usr/bin/openssl',
'req',
'-config', '/tmp/foo.cnf',
'-new',
'-x509',
'-days', 3650,
'-key', '/tmp/foo.key',
'-out', '/tmp/foo.crt',
'-passin', 'env:CERTIFICATE_PASSIN',
'-extensions', 'v3_req',
],
{
combine: true,
custom_environment: { 'CERTIFICATE_PASSIN' => '2x6${' },
failonfail: true,
}
)
resource.provider.create
end
end
Expand All @@ -68,18 +83,26 @@
resource[:csr] = '/tmp/foo.csr'
resource[:ca] = '/tmp/foo-ca.crt'
resource[:cakey] = '/tmp/foo-ca.key'
expect(provider_class).to receive(:openssl).with([
'x509',
'-req',
'-days', 3650,
'-in', '/tmp/foo.csr',
'-out', '/tmp/foo.crt',
['-extfile', '/tmp/foo.cnf'],
['-CAcreateserial'],
['-CA', '/tmp/foo-ca.crt'],
['-CAkey', '/tmp/foo-ca.key'],
['-extensions', 'v3_req']
])
expect(resource.provider).to receive(:execute).with(
[
'/usr/bin/openssl',
'x509',
'-req',
'-days', 3650,
'-in', '/tmp/foo.csr',
'-out', '/tmp/foo.crt',
'-extfile', '/tmp/foo.cnf',
'-CAcreateserial',
'-CA', '/tmp/foo-ca.crt',
'-CAkey', '/tmp/foo-ca.key',
'-extensions', 'v3_req',
],
{
combine: true,
custom_environment: {},
failonfail: true,
}
)
resource.provider.create
end
end
Expand All @@ -90,19 +113,27 @@
resource[:ca] = '/tmp/foo-ca.crt'
resource[:cakey] = '/tmp/foo-ca.key'
resource[:cakey_password] = '5i;6%'
expect(provider_class).to receive(:openssl).with([
'x509',
'-req',
'-days', 3650,
'-in', '/tmp/foo.csr',
'-out', '/tmp/foo.crt',
['-extfile', '/tmp/foo.cnf'],
['-CAcreateserial'],
['-CA', '/tmp/foo-ca.crt'],
['-CAkey', '/tmp/foo-ca.key'],
['-passin', 'pass:5i;6%'],
['-extensions', 'v3_req']
])
expect(resource.provider).to receive(:execute).with(
[
'/usr/bin/openssl',
'x509',
'-req',
'-days', 3650,
'-in', '/tmp/foo.csr',
'-out', '/tmp/foo.crt',
'-extfile', '/tmp/foo.cnf',
'-CAcreateserial',
'-CA', '/tmp/foo-ca.crt',
'-CAkey', '/tmp/foo-ca.key',
'-passin', 'env:CERTIFICATE_PASSIN',
'-extensions', 'v3_req',
],
{
combine: true,
custom_environment: { 'CERTIFICATE_PASSIN' => '5i;6%' },
failonfail: true,
}
)
resource.provider.create
end
end
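Review bot: The password examples now prove the important property of this change — a value with shell metacharacters such as `'2x6${'` and `'5i;6%'` ends up only in `custom_environment` and the argv carries the literal `'-passin', 'env:CERTIFICATE_PASSIN'` — but nothing in the spec says that this is the point of choosing such a value, so a later cleanup could "simplify" it to `'secret'` and silently lose the coverage. A one-line comment above `resource[:password] = '2x6${'` such as `# metacharacters on purpose: the password must reach openssl via the environment, never via the command line` would pin the intent. The expected argument arrays are repeated almost verbatim across the four examples; a `let(:base_args)` plus `let(:exec_opts)` would shrink each expectation to the part that differs and make the `-passin`/`-extfile` deltas stand out. The first `it` and the one inside `context 'when using password'` share the description `'creates a certificate with the proper options'`, which the nested context disambiguates but which reads as a copy-paste leftover.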
43 changes: 29 additions & 14 deletions spec/unit/puppet/provider/x509_request/openssl_spec.rb
Expand Up @@ -4,7 +4,6 @@
require 'pathname'
require 'puppet/type/x509_request'

provider_class = Puppet::Type.type(:x509_request).provider(:openssl)
describe 'The openssl provider for the x509_request type' do
let(:path) { '/tmp/foo.csr' }
let(:pathname) { Pathname.new(path) }
Expand All @@ -27,26 +26,42 @@
end

it 'creates a certificate with the proper options' do
expect(provider_class).to receive(:openssl).with([
'req', '-new',
'-key', '/tmp/foo.key',
'-config', '/tmp/foo.cnf',
'-out', '/tmp/foo.csr'
])
expect(resource.provider).to receive(:execute).with(
[
'/usr/bin/openssl',
'req', '-new',
'-key', '/tmp/foo.key',
'-config', '/tmp/foo.cnf',
'-out', '/tmp/foo.csr'
],
{
combine: true,
custom_environment: {},
failonfail: true,
}
)
resource.provider.create
end
end

context 'when using password' do
it 'creates a certificate with the proper options' do
resource[:password] = '2x6${'
expect(provider_class).to receive(:openssl).with([
'req', '-new',
'-key', '/tmp/foo.key',
'-config', '/tmp/foo.cnf',
'-out', '/tmp/foo.csr',
['-passin', 'pass:2x6${']
])
expect(resource.provider).to receive(:execute).with(
[
'/usr/bin/openssl',
'req', '-new',
'-key', '/tmp/foo.key',
'-config', '/tmp/foo.cnf',
'-out', '/tmp/foo.csr',
'-passin', 'env:CERTIFICATE_PASSIN',
],
{
combine: true,
custom_environment: { 'CERTIFICATE_PASSIN' => '2x6${' },
failonfail: true,
}
)
resource.provider.create
end
end
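Review bot: Neither example in the visible part of this spec exercises the unencrypted path, yet the one provider line that changed beyond the mechanical `<<` to `+=` rewrite is `options << '-nodes' unless resource[:encrypted]`, whose wrapping array was removed; as shown, that fix has no test. Adding a `context 'when not encrypted'` example that sets `resource[:encrypted] = false` (or whatever the type accepts — the type definition is outside this diff) and expects `'-nodes'` as a bare element in the argv would lock it in. As in the x509_cert spec, a short comment on `resource[:password] = '2x6${'` stating that the metacharacters are deliberate and must only appear in `custom_environment` would document why the value looks odd.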
