diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb index 05d146d..f5f9339 100644 --- a/lib/puppet/provider/x509_cert/openssl.rb +++ b/lib/puppet/provider/x509_cert/openssl.rb @@ -68,14 +68,14 @@ def create '-out', resource[:path] ] if resource[:ca] - options << ['-extfile', resource[:template]] - options << ['-CAcreateserial'] - options << ['-CA', resource[:ca]] - options << ['-CAkey', resource[:cakey]] + options += ['-extfile', resource[:template]] + options += ['-CAcreateserial'] + options += ['-CA', resource[:ca]] + options += ['-CAkey', resource[:cakey]] else - options << ['-signkey', resource[:private_key]] + options += ['-signkey', resource[:private_key]] if resource[:req_ext] - options << [ + options += [ '-extensions', 'v3_req', '-extfile', resource[:template] ] @@ -95,11 +95,14 @@ def create password = resource[:cakey_password] || resource[:password] if password - options << ['-passin', 'env:CERTIFICATE_PASSIN'] + options += ['-passin', 'env:CERTIFICATE_PASSIN'] env['CERTIFICATE_PASSIN'] = password end - options << ['-extensions', 'v3_req'] if resource[:req_ext] != :false - openssl options, environment: env + options += ['-extensions', 'v3_req'] if resource[:req_ext] != :false + + # openssl(options) doesn't work because it's impossible to pass an env + # https://github.com/puppetlabs/puppet/issues/9493 + execute([command('openssl')] + options, { failonfail: true, combine: true, custom_environment: env }) end def destroy diff --git a/lib/puppet/provider/x509_request/openssl.rb b/lib/puppet/provider/x509_request/openssl.rb index 131bf30..05a7c8c 100644 --- a/lib/puppet/provider/x509_request/openssl.rb +++ b/lib/puppet/provider/x509_request/openssl.rb 
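Review bot: In the first x509_cert hunk the `else` branch guards the extension arguments with plain truthiness, `if resource[:req_ext]`, while the later line in `create` tests `resource[:req_ext] != :false`. If the parameter yields the symbols `:true`/`:false` (the type definition is not visible here), `:false` is truthy in Ruby and `-extensions v3_req -extfile ...` would be appended even when extensions are disabled. Making the two checks agree, e.g. `if resource[:req_ext] != :false`, removes the ambiguity. `create` starts and ends outside this hunk.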
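Review bot: The comment above the new `execute` call in the second x509_cert hunk says why the `openssl` wrapper is bypassed, but not why the passphrase travels as `env:CERTIFICATE_PASSIN`. The removed spec expectations still show the older `pass:` form, which would put the secret in the argument list and in the command string Puppet reports on failure. I would add `# The passphrase goes through custom_environment so it never appears in argv or in the logged command.` so nobody "simplifies" it back. The x509_request provider's `create` receives the identical call and comment and would take the same line. If the supported Puppet versions accept `sensitive: true` on `execute`, adding it would also redact the combined output on failure; that needs confirming against the supported range.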
@@ -37,12 +37,14 @@ def create ] if resource[:password] - options << ['-passin', 'env:CERTIFICATE_PASSIN'] + options += ['-passin', 'env:CERTIFICATE_PASSIN'] env['CERTIFICATE_PASSIN'] = resource[:password] end - options << ['-nodes'] unless resource[:encrypted] + options << '-nodes' unless resource[:encrypted] - openssl options, environment: env + # openssl(options) doesn't work because it's impossible to pass an env + # https://github.com/puppetlabs/puppet/issues/9493 + execute([command('openssl')] + options, { failonfail: true, combine: true, custom_environment: env }) end def destroy diff --git a/manifests/export/pem_cert.pp b/manifests/export/pem_cert.pp index fe5de3f..d19132f 100644 --- a/manifests/export/pem_cert.pp +++ b/manifests/export/pem_cert.pp @@ -66,7 +66,7 @@ exec { "Export ${in_cert} to ${pem_cert}": command => $cmd, - environment => $passin_env + environment => $passin_env, path => $facts['path'], * => $exec_params, } diff --git a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb index fa40eb4..4b94ce7 100644 --- a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb +++ b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb @@ -5,7 +5,6 @@ require 'pathname' require 'puppet/type/x509_cert' -provider_class = Puppet::Type.type(:x509_cert).provider(:openssl) describe 'The openssl provider for the x509_cert type' do let(:path) { '/tmp/foo.crt' } let(:pathname) { Pathname.new(path) } 
@@ -31,33 +30,49 @@ end it 'creates a certificate with the proper options' do - expect(provider_class).to receive(:openssl).with([ - 'req', - '-config', '/tmp/foo.cnf', - '-new', - '-x509', - '-days', 3650, - '-key', '/tmp/foo.key', - '-out', '/tmp/foo.crt', - ['-extensions', 'v3_req'] - ]) + expect(resource.provider).to receive(:execute).with( + [ + '/usr/bin/openssl', + 'req', + '-config', '/tmp/foo.cnf', + '-new', + '-x509', + '-days', 3650, + '-key', '/tmp/foo.key', + '-out', '/tmp/foo.crt', + '-extensions', 'v3_req', + ], + { + combine: true, + custom_environment: {}, + failonfail: true, + } + ) resource.provider.create end context 'when using password' do it 'creates a certificate with the proper options' do resource[:password] = '2x6${' - expect(provider_class).to receive(:openssl).with([ - 'req', - '-config', '/tmp/foo.cnf', - '-new', - '-x509', - '-days', 3650, - '-key', '/tmp/foo.key', - '-out', '/tmp/foo.crt', - ['-passin', 'pass:2x6${'], - ['-extensions', 'v3_req'] - ]) + expect(resource.provider).to receive(:execute).with( + [ + '/usr/bin/openssl', + 'req', + '-config', '/tmp/foo.cnf', + '-new', + '-x509', + '-days', 3650, + '-key', '/tmp/foo.key', + '-out', '/tmp/foo.crt', + '-passin', 'env:CERTIFICATE_PASSIN', + '-extensions', 'v3_req', + ], + { + combine: true, + custom_environment: { 'CERTIFICATE_PASSIN' => '2x6${' }, + failonfail: true, + } + ) resource.provider.create end end 
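Review bot: Every rewritten expectation pins the first argv element to the literal `'/usr/bin/openssl'`, but the provider builds it with `command('openssl')`, which resolves the binary on the machine running the spec. Unless a stub outside these hunks fixes that lookup, the examples fail on hosts where openssl is installed elsewhere or not at all. A stub such as `allow(resource.provider).to receive(:command).with('openssl').and_return('/usr/bin/openssl')` would keep them hermetic. The same literal appears in the two CA hunks of this file and in the x509_request spec.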
@@ -68,18 +83,26 @@ resource[:csr] = '/tmp/foo.csr' resource[:ca] = '/tmp/foo-ca.crt' resource[:cakey] = '/tmp/foo-ca.key' - expect(provider_class).to receive(:openssl).with([ - 'x509', - '-req', - '-days', 3650, - '-in', '/tmp/foo.csr', - '-out', '/tmp/foo.crt', - ['-extfile', '/tmp/foo.cnf'], - ['-CAcreateserial'], - ['-CA', '/tmp/foo-ca.crt'], - ['-CAkey', '/tmp/foo-ca.key'], - ['-extensions', 'v3_req'] - ]) + expect(resource.provider).to receive(:execute).with( + [ + '/usr/bin/openssl', + 'x509', + '-req', + '-days', 3650, + '-in', '/tmp/foo.csr', + '-out', '/tmp/foo.crt', + '-extfile', '/tmp/foo.cnf', + '-CAcreateserial', + '-CA', '/tmp/foo-ca.crt', + '-CAkey', '/tmp/foo-ca.key', + '-extensions', 'v3_req', + ], + { + combine: true, + custom_environment: {}, + failonfail: true, + } + ) resource.provider.create end end @@ -90,19 +113,27 @@ resource[:ca] = '/tmp/foo-ca.crt' resource[:cakey] = '/tmp/foo-ca.key' resource[:cakey_password] = '5i;6%' - expect(provider_class).to receive(:openssl).with([ - 'x509', - '-req', - '-days', 3650, - '-in', '/tmp/foo.csr', - '-out', '/tmp/foo.crt', - ['-extfile', '/tmp/foo.cnf'], - ['-CAcreateserial'], - ['-CA', '/tmp/foo-ca.crt'], - ['-CAkey', '/tmp/foo-ca.key'], - ['-passin', 'pass:5i;6%'], - ['-extensions', 'v3_req'] - ]) + expect(resource.provider).to receive(:execute).with( + [ + '/usr/bin/openssl', + 'x509', + '-req', + '-days', 3650, + '-in', '/tmp/foo.csr', + '-out', '/tmp/foo.crt', + '-extfile', '/tmp/foo.cnf', + '-CAcreateserial', + '-CA', '/tmp/foo-ca.crt', + '-CAkey', '/tmp/foo-ca.key', + '-passin', 'env:CERTIFICATE_PASSIN', + '-extensions', 'v3_req', + ], + { + combine: true, + custom_environment: { 'CERTIFICATE_PASSIN' => '5i;6%' }, + failonfail: true, + } + ) resource.provider.create end end diff --git a/spec/unit/puppet/provider/x509_request/openssl_spec.rb b/spec/unit/puppet/provider/x509_request/openssl_spec.rb index dc240ff..57d113e 100644 --- a/spec/unit/puppet/provider/x509_request/openssl_spec.rb 
+++ b/spec/unit/puppet/provider/x509_request/openssl_spec.rb @@ -4,7 +4,6 @@ require 'pathname' require 'puppet/type/x509_request' -provider_class = Puppet::Type.type(:x509_request).provider(:openssl) describe 'The openssl provider for the x509_request type' do let(:path) { '/tmp/foo.csr' } let(:pathname) { Pathname.new(path) } @@ -27,12 +26,20 @@ end it 'creates a certificate with the proper options' do - expect(provider_class).to receive(:openssl).with([ - 'req', '-new', - '-key', '/tmp/foo.key', - '-config', '/tmp/foo.cnf', - '-out', '/tmp/foo.csr' - ]) + expect(resource.provider).to receive(:execute).with( + [ + '/usr/bin/openssl', + 'req', '-new', + '-key', '/tmp/foo.key', + '-config', '/tmp/foo.cnf', + '-out', '/tmp/foo.csr' + ], + { + combine: true, + custom_environment: {}, + failonfail: true, + } + ) resource.provider.create end end @@ -40,13 +47,21 @@ context 'when using password' do it 'creates a certificate with the proper options' do resource[:password] = '2x6${' - expect(provider_class).to receive(:openssl).with([ - 'req', '-new', - '-key', '/tmp/foo.key', - '-config', '/tmp/foo.cnf', - '-out', '/tmp/foo.csr', - ['-passin', 'pass:2x6${'] - ]) + expect(resource.provider).to receive(:execute).with( + [ + '/usr/bin/openssl', + 'req', '-new', + '-key', '/tmp/foo.key', + '-config', '/tmp/foo.cnf', + '-out', '/tmp/foo.csr', + '-passin', 'env:CERTIFICATE_PASSIN', + ], + { + combine: true, + custom_environment: { 'CERTIFICATE_PASSIN' => '2x6${' }, + failonfail: true, + } + ) resource.provider.create end end
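Review bot: No visible example covers the unencrypted path, although this commit changes that provider line from `options << ['-nodes']` to `options << '-nodes'`. An example that sets `resource[:encrypted] = false` and expects `'-nodes'` as a flat element after `'-out', '/tmp/foo.csr'` would pin the new argv shape. Such a case may already exist outside these hunks, so this is worth checking before adding one.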