replace concept of <basedir>/<dbname> with just <certdir> for flexibi…

…lity - replaces dbname, basedir params with certdir in nssdb::create & nssdb::add_cert_and_key - add certdir_mode, manage_certdir params to nssdb::create - also convert to 2 space indent + linter fixes
Puppet-Finland · Jan 14, 2014 · 041e0e1 · 041e0e1
1 parent 2145c2b
commit 041e0e1
Show file tree

Hide file tree

Showing 4 changed files with 214 additions and 112 deletions.
diff --git a/manifests/add_cert_and_key.pp b/manifests/add_cert_and_key.pp
@@ -1,56 +1,56 @@
-# Loads a certificate and key into an NSS database. 
+# Loads a certificate and key into an NSS database.
 #
 # Parameters:
-# $dbname - required - the directory to store the db
 # $nickname - required - the nickname for the NSS certificate
 # $cert - required - path to certificate in PEM format
 # $key - required - path to unencrypted key in PEM format
-# $basedir - optional - defaults to /etc/pki
+# $certdir - optional - defaults to $title
 #
 # Actions:
 # loads certificate and key into the NSS database.
 #
 # Requires:
-# $dbname
 # $nickname
 # $cert
 # $key
 #
 # Sample Usage:
-# 
+#
 # nssdb::add_cert_and_key{"qpidd":
 # nickname=> 'Server-Cert',
 # cert => '/tmp/server.crt',
 # key => '/tmp/server.key',
 # }
 #
 define nssdb::add_cert_and_key (
- $dbname = $title,
  $nickname,
  $cert,
  $key,
- $basedir = '/etc/pki'
+ $certdir = $title
 ) {
  package { 'openssl': ensure => present }
 
+ # downcase and change spaces into _s
+ $pkcs12_name = downcase(regsubst("${nickname}.p12", '[\s]', '_', 'GM'))
+
  exec {'generate_pkcs12':
- command => "/usr/bin/openssl pkcs12 -export -in $cert -inkey $key -password 'file:${basedir}/${dbname}/password.conf' -out '${basedir}/${dbname}/$dbname.p12' -name $nickname",
- require => [
-  File["${basedir}/${dbname}/password.conf"],
-  File["${basedir}/${dbname}/cert8.db"],
-  Package['openssl'],
+ command  => "/usr/bin/openssl pkcs12 -export -in ${cert} -inkey ${key} -password 'file:${certdir}/password.conf' -out '${certdir}/${pkcs12_name}' -name '${nickname}'",
+ require  => [
+ File["${certdir}/password.conf"],
+ File["${certdir}/cert8.db"],
+ Package['openssl'],
  ],
- before => Exec['load_pkcs12'],
- notify => Exec['load_pkcs12'],
- subscribe => File["${basedir}/${dbname}/password.conf"],
+ before  => Exec['load_pkcs12'],
+ notify  => Exec['load_pkcs12'],
+ subscribe  => File["${certdir}/password.conf"],
  refreshonly => true,
  }
 
  exec {'load_pkcs12':
- command => "/usr/bin/pk12util -i '${basedir}/${dbname}/$dbname.p12' -d '${basedir}/${dbname}' -w '${basedir}/${dbname}/password.conf' -k '${basedir}/${dbname}/password.conf'",
- require => [
-  Exec["generate_pkcs12"],
-  Package['nss-tools'],
+ command  => "/usr/bin/pk12util -i '${certdir}/${pkcs12_name}' -d '${certdir}' -w '${certdir}/password.conf' -k '${certdir}/password.conf'",
+ require  => [
+ Exec['generate_pkcs12'],
+ Package['nss-tools'],
  ],
  refreshonly => true,
  }

diff --git a/manifests/create.pp b/manifests/create.pp
@@ -1,11 +1,12 @@
 # Create an empty NSS database with a password file.
 #
 # Parameters:
-# $dbname - required - the directory to store the db
 # $owner_id - required - the file/directory user
 # $group_id - required - the file/directory group
 # $password - required - password to set on the database
-# $basedir - optional - defaults to /etc/pki
+# $mode - optional - defaults to '0600'
+# $certdir - optional - defaults to $title
+# $certdir_mode - optional - defaults to '0700'
 # $cacert - optional - path to CA certificate in PEM format
 # $canickname - default CA nickname
 # $catrust - default CT,CT,
@@ -15,7 +16,6 @@
 # cert8.db, key3.db, secmod.db and a password file, password.conf
 #
 # Requires:
-# $dbname must be set
 # $owner_id must be set
 # $group_id must be set
 # $password must be set
@@ -30,64 +30,72 @@
 # This will create an NSS database in /etc/pki/test
 #
 define nssdb::create (
- $dbname = $title,
  $owner_id,
  $group_id,
  $password,
- $mode = '0600',
- $basedir = '/etc/pki',
- $cacert = '/etc/pki/certs/CA/ca.crt',
- $canickname = 'CA',
- $catrust = 'CT,CT,'
+ $mode = '0600',
+ $certdir = $title,
+ $certdir_mode = '0700',
+ $manage_certdir = true,
+ $cacert = '/etc/pki/certs/CA/ca.crt',
+ $canickname = 'CA',
+ $catrust = 'CT,CT,'
 ) {
  package { 'nss-tools': ensure => present }
 
- file {"${basedir}/${dbname}":
- ensure => directory,
- mode => 0600,
- owner => $owner_id,
- group => $group_id,
+ if $manage_certdir {
+ file { $certdir:
+ ensure => directory,
+ mode => $certdir_mode,
+ owner => $owner_id,
+ group => $group_id,
+ }
  }
- file {"${basedir}/${dbname}/password.conf":
+
+ file { "${certdir}/password.conf":
  ensure => file,
  mode => $mode,
  owner => $owner_id,
  group => $group_id,
  content => $password,
  require => [
-  File["${basedir}/${dbname}"],
+ File[$certdir],
  ],
  }
- file { ["${basedir}/${dbname}/cert8.db", "${basedir}/${dbname}/key3.db", "${basedir}/${dbname}/secmod.db"] :
+ file { [
+ "${certdir}/cert8.db",
+ "${certdir}/key3.db",
+ "${certdir}/secmod.db"
+ ]:
  ensure => file,
  mode => $mode,
  owner => $owner_id,
  group => $group_id,
  require => [
-  File["${basedir}/${dbname}/password.conf"],
-  Exec['create_nss_db'],
+ File["${certdir}/password.conf"],
+ Exec['create_nss_db'],
  ],
  }
 
  exec {'create_nss_db':
- command => "/usr/bin/certutil -N -d ${basedir}/${dbname} -f ${basedir}/${dbname}/password.conf",
- creates => ["${basedir}/${dbname}/cert8.db", "${basedir}/${dbname}/key3.db", "${basedir}/${dbname}/secmod.db"],
+ command => "/usr/bin/certutil -N -d ${certdir} -f ${certdir}/password.conf",
+ creates => ["${certdir}/cert8.db", "${certdir}/key3.db", "${certdir}/secmod.db"],
  require => [
- File["${basedir}/${dbname}"],
- File["${basedir}/${dbname}/password.conf"],
- Package['nss-tools'],
+ File[$certdir],
+ File["${certdir}/password.conf"],
+ Package['nss-tools'],
+ ],
+ notify => [
+ Exec['add_ca_cert'],
  ],
- notify => [
- Exec["add_ca_cert"],
- ],
  }
 
  exec {'add_ca_cert':
- command => "/usr/bin/certutil -A -n ${canickname} -d ${basedir}/${dbname} -t ${catrust} -a -i ${cacert}",
- require => [
-  Package['nss-tools'],
+ command  => "/usr/bin/certutil -A -n ${canickname} -d ${certdir} -t ${catrust} -a -i ${cacert}",
+ require  => [
+ Package['nss-tools'],
  ],
  refreshonly => true,
- onlyif => "/usr/bin/test -e $cacert",
+ onlyif  => "/usr/bin/test -e ${cacert}",
  }
 }
diff --git a/spec/defines/nssdb_add_cert_and_key_spec.rb b/spec/defines/nssdb_add_cert_and_key_spec.rb
@@ -1,29 +1,35 @@
 require 'spec_helper'
 
 describe 'nssdb::add_cert_and_key', :type => :define do
-  let(:title) { 'qpidd' }
-  let(:params) do {
-  :nickname => 'Server-Cert',
-  :cert => '/tmp/server.cert',
-  :key  => '/tmp/server.key',
- :basedir => '/obsolete'
-  }
-  end
+ let(:title) { '/dne' }
+ let(:params) do
+ {
+ :nickname => 'Server-Cert',
+ :cert => '/tmp/server.cert',
+ :key => '/tmp/server.key',
+ }
+ end
 
- context 'generate_pkcs12' do
- it{ should contain_exec('generate_pkcs12').with(
- :command => %r{-in /tmp/server.cert -inkey /tmp/server.key.*file:/obsolete/qpidd.*out \'/obsolete/qpidd/qpidd.p12\' -name Server-Cert},
- :require => [ 'File[/obsolete/qpidd/password.conf]',
- 'File[/obsolete/qpidd/cert8.db]',
- 'Package[openssl]' ],
- :subscribe => 'File[/obsolete/qpidd/password.conf]'
- )}
- end
+ context 'generate_pkcs12' do
+ it do
+ should contain_exec('generate_pkcs12').with(
+ :command => "/usr/bin/openssl pkcs12 -export -in /tmp/server.cert -inkey /tmp/server.key -password 'file:/dne/password.conf' -out '/dne/server-cert.p12' -name 'Server-Cert'",
+ :require => [
+ 'File[/dne/password.conf]',
+ 'File[/dne/cert8.db]',
+ 'Package[openssl]'
+ ],
+ :subscribe => 'File[/dne/password.conf]'
+ )
+ end
+ end
 
- context 'load_pkcs12' do
- it{ should contain_exec('load_pkcs12').with(
- :command => %r{-i \'/obsolete/qpidd/qpidd.p12\' -d \'/obsolete/qpidd\' -w \'/obsolete/qpidd.*-k \'/obsolete/qpidd}
- )}
- end
+ context 'load_pkcs12' do
+ it do
+ contain_exec('load_pkcs12').with(
+ :command => "/usr/bin/pk12util -i '/dne/${pkcs12_name}' -d '/dne' -w '/dne/password.conf' -k '/dne/password.conf'"
+ )
+ end
+ end
 
 end