diff --git a/manifests/add_cert_and_key.pp b/manifests/add_cert_and_key.pp
index 9c83a0d..ca93897 100644
--- a/manifests/add_cert_and_key.pp
+++ b/manifests/add_cert_and_key.pp
@@ -1,23 +1,21 @@
-# Loads a certificate and key into an NSS database.
+# Loads a certificate and key into an NSS database.
 #
 # Parameters:
-# $dbname - required - the directory to store the db
 # $nickname - required - the nickname for the NSS certificate
 # $cert - required - path to certificate in PEM format
 # $key - required - path to unencrypted key in PEM format
-# $basedir - optional - defaults to /etc/pki
+# $certdir - optional - defaults to $title
 #
 # Actions:
 # loads certificate and key into the NSS database.
 #
 # Requires:
-# $dbname
 # $nickname
 # $cert
 # $key
 #
 # Sample Usage:
-#
+#
 # nssdb::add_cert_and_key{"qpidd":
 # nickname=> 'Server-Cert',
 # cert => '/tmp/server.crt',
@@ -25,32 +23,34 @@ # } # define nssdb::add_cert_and_key ( - $dbname = $title, $nickname, $cert, $key, - $basedir = '/etc/pki' + $certdir = $title ) { package { 'openssl': ensure => present } + # downcase and change spaces into _s + $pkcs12_name = downcase(regsubst("${nickname}.p12", '[\s]', '_', 'GM')) + exec {'generate_pkcs12': - command => "/usr/bin/openssl pkcs12 -export -in $cert -inkey $key -password 'file:${basedir}/${dbname}/password.conf' -out '${basedir}/${dbname}/$dbname.p12' -name $nickname", - require => [ - File["${basedir}/${dbname}/password.conf"], - File["${basedir}/${dbname}/cert8.db"], - Package['openssl'], + command => "/usr/bin/openssl pkcs12 -export -in ${cert} -inkey ${key} -password 'file:${certdir}/password.conf' -out '${certdir}/${pkcs12_name}' -name '${nickname}'", + require => [ + File["${certdir}/password.conf"], + File["${certdir}/cert8.db"], + Package['openssl'], ], - before => Exec['load_pkcs12'], - notify => Exec['load_pkcs12'], - subscribe => File["${basedir}/${dbname}/password.conf"], + before => Exec['load_pkcs12'], + notify => Exec['load_pkcs12'], + subscribe => File["${certdir}/password.conf"], refreshonly => true, } exec {'load_pkcs12': - command => "/usr/bin/pk12util -i '${basedir}/${dbname}/$dbname.p12' -d '${basedir}/${dbname}' -w '${basedir}/${dbname}/password.conf' -k '${basedir}/${dbname}/password.conf'", - require => [ - Exec["generate_pkcs12"], - Package['nss-tools'], + command => "/usr/bin/pk12util -i '${certdir}/${pkcs12_name}' -d '${certdir}' -w '${certdir}/password.conf' -k '${certdir}/password.conf'", + require => [ + Exec['generate_pkcs12'], + Package['nss-tools'], ], refreshonly => true, } diff --git a/manifests/create.pp b/manifests/create.pp index 3d29f29..0709d8d 100644 --- a/manifests/create.pp +++ b/manifests/create.pp 
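Review bot: The rewritten `generate_pkcs12` command still splices `${cert}`, `${key}`, `${certdir}` and `${nickname}` into one shell-style string, and `$pkcs12_name` only rewrites whitespace, so a nickname containing `'`, `/` or `..` either breaks the `-name '${nickname}'` quoting or moves the `-out` bundle outside `$certdir`. These values come from the calling manifest rather than from untrusted input, but the define is the right place to pin them down; with stdlib already loaded for `downcase`, one line before the regsubst does it: `validate_re($nickname, '^[A-Za-z0-9 ._-]+$')` (widen the class if your nicknames need more). The `.p12` written to `${certdir}/${pkcs12_name}` bundles the private key, protected only by the same secret that sits in password.conf, is created with openssl's umask permissions rather than a managed mode, and is never removed after `load_pkcs12` imports it; consider a `file` resource fixing its owner/mode, or deleting it once the import has refreshed. The define's closing brace appears to lie outside this hunk.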
@@ -1,11 +1,12 @@
 # Create an empty NSS database with a password file.
 #
 # Parameters:
-# $dbname - required - the directory to store the db
 # $owner_id - required - the file/directory user
 # $group_id - required - the file/directory group
 # $password - required - password to set on the database
-# $basedir - optional - defaults to /etc/pki
+# $mode - optional - defaults to '0600'
+# $certdir - optional - defaults to $title
+# $certdir_mode - optional - defaults to '0700'
 # $cacert - optional - path to CA certificate in PEM format
 # $canickname - default CA nickname
 # $catrust - default CT,CT,
@@ -15,7 +16,6 @@
 # cert8.db, key3.db, secmod.db and a password file, password.conf
 #
 # Requires:
-# $dbname must be set
 # $owner_id must be set
 # $group_id must be set
 # $password must be set
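Review bot: `$manage_certdir`, which the define body in create.pp now accepts, is missing from this Parameters list even though `$mode`, `$certdir` and `$certdir_mode` were added alongside it. Because the body keeps `File[$certdir]` in the `require` of password.conf and of `create_nss_db` regardless of the flag, the header should say what a caller takes on by disabling it: `# $manage_certdir - optional - defaults to true; when false the caller must declare File[$certdir] itself`. The "Requires:" section two hunks down could carry the same sentence.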
@@ -30,64 +30,72 @@ # This will create an NSS database in /etc/pki/test # define nssdb::create ( - $dbname = $title, $owner_id, $group_id, $password, - $mode = '0600', - $basedir = '/etc/pki', - $cacert = '/etc/pki/certs/CA/ca.crt', - $canickname = 'CA', - $catrust = 'CT,CT,' + $mode = '0600', + $certdir = $title, + $certdir_mode = '0700', + $manage_certdir = true, + $cacert = '/etc/pki/certs/CA/ca.crt', + $canickname = 'CA', + $catrust = 'CT,CT,' ) { package { 'nss-tools': ensure => present } - file {"${basedir}/${dbname}": - ensure => directory, - mode => 0600, - owner => $owner_id, - group => $group_id, + if $manage_certdir { + file { $certdir: + ensure => directory, + mode => $certdir_mode, + owner => $owner_id, + group => $group_id, + } } - file {"${basedir}/${dbname}/password.conf": + + file { "${certdir}/password.conf": ensure => file, mode => $mode, owner => $owner_id, group => $group_id, content => $password, require => [ - File["${basedir}/${dbname}"], + File[$certdir], ], } - file { ["${basedir}/${dbname}/cert8.db", "${basedir}/${dbname}/key3.db", "${basedir}/${dbname}/secmod.db"] : + file { [ + "${certdir}/cert8.db", + "${certdir}/key3.db", + "${certdir}/secmod.db" + ]: ensure => file, mode => $mode, owner => $owner_id, group => $group_id, require => [ - File["${basedir}/${dbname}/password.conf"], - Exec['create_nss_db'], + File["${certdir}/password.conf"], + Exec['create_nss_db'], ], } exec {'create_nss_db': - command => "/usr/bin/certutil -N -d ${basedir}/${dbname} -f ${basedir}/${dbname}/password.conf", - creates => ["${basedir}/${dbname}/cert8.db", "${basedir}/${dbname}/key3.db", "${basedir}/${dbname}/secmod.db"], + command => "/usr/bin/certutil -N -d ${certdir} -f ${certdir}/password.conf", + creates => ["${certdir}/cert8.db", "${certdir}/key3.db", "${certdir}/secmod.db"], require => [ - File["${basedir}/${dbname}"], - File["${basedir}/${dbname}/password.conf"], - Package['nss-tools'], + File[$certdir], + File["${certdir}/password.conf"], + 
Package['nss-tools'], + ], + notify => [ + Exec['add_ca_cert'], ], - notify => [ - Exec["add_ca_cert"], - ], } exec {'add_ca_cert': - command => "/usr/bin/certutil -A -n ${canickname} -d ${basedir}/${dbname} -t ${catrust} -a -i ${cacert}", - require => [ - Package['nss-tools'], + command => "/usr/bin/certutil -A -n ${canickname} -d ${certdir} -t ${catrust} -a -i ${cacert}", + require => [ + Package['nss-tools'], ], refreshonly => true, - onlyif => "/usr/bin/test -e $cacert", + onlyif => "/usr/bin/test -e ${cacert}", } } diff --git a/spec/defines/nssdb_add_cert_and_key_spec.rb b/spec/defines/nssdb_add_cert_and_key_spec.rb index e4b3e9b..7cb79d2 100644 --- a/spec/defines/nssdb_add_cert_and_key_spec.rb +++ b/spec/defines/nssdb_add_cert_and_key_spec.rb 
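Review bot: With `manage_certdir => false` the `file { $certdir: … }` resource is skipped, yet `File[$certdir]` is still listed in the `require` of `${certdir}/password.conf` and of `create_nss_db`, so as far as I can tell the catalog fails on a missing `File[$certdir]` dependency unless the caller declares that resource elsewhere. Puppet's `file` type already autorequires a managed parent directory, so the explicit edges can simply go: drop the `require => [ File[$certdir], ],` block from password.conf and the `File[$certdir],` line from `create_nss_db`'s require, which is already ordered behind `File["${certdir}/password.conf"]`. If the edges are kept on purpose, the header comment should state that disabling `manage_certdir` obliges the caller to declare `File[$certdir]`. The paths are also interpolated unquoted into `certutil -N -d ${certdir} -f ${certdir}/password.conf` and `test -e ${cacert}`, unlike the quoting used in add_cert_and_key.pp; `'${certdir}'` would keep a path with spaces intact.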
@@ -1,29 +1,35 @@ require 'spec_helper' describe 'nssdb::add_cert_and_key', :type => :define do - let(:title) { 'qpidd' } - let(:params) do { - :nickname => 'Server-Cert', - :cert => '/tmp/server.cert', - :key => '/tmp/server.key', - :basedir => '/obsolete' - } - end + let(:title) { '/dne' } + let(:params) do + { + :nickname => 'Server-Cert', + :cert => '/tmp/server.cert', + :key => '/tmp/server.key', + } + end - context 'generate_pkcs12' do - it{ should contain_exec('generate_pkcs12').with( - :command => %r{-in /tmp/server.cert -inkey /tmp/server.key.*file:/obsolete/qpidd.*out \'/obsolete/qpidd/qpidd.p12\' -name Server-Cert}, - :require => [ 'File[/obsolete/qpidd/password.conf]', - 'File[/obsolete/qpidd/cert8.db]', - 'Package[openssl]' ], - :subscribe => 'File[/obsolete/qpidd/password.conf]' - )} - end + context 'generate_pkcs12' do + it do + should contain_exec('generate_pkcs12').with( + :command => "/usr/bin/openssl pkcs12 -export -in /tmp/server.cert -inkey /tmp/server.key -password 'file:/dne/password.conf' -out '/dne/server-cert.p12' -name 'Server-Cert'", + :require => [ + 'File[/dne/password.conf]', + 'File[/dne/cert8.db]', + 'Package[openssl]' + ], + :subscribe => 'File[/dne/password.conf]' + ) + end + end - context 'load_pkcs12' do - it{ should contain_exec('load_pkcs12').with( - :command => %r{-i \'/obsolete/qpidd/qpidd.p12\' -d \'/obsolete/qpidd\' -w \'/obsolete/qpidd.*-k \'/obsolete/qpidd} - )} - end + context 'load_pkcs12' do + it do + contain_exec('load_pkcs12').with( + :command => "/usr/bin/pk12util -i '/dne/${pkcs12_name}' -d '/dne' -w '/dne/password.conf' -k '/dne/password.conf'" + ) + end + end end diff --git a/spec/defines/nssdb_create_spec.rb b/spec/defines/nssdb_create_spec.rb index 10fdf2f..3ef12ac 100644 --- a/spec/defines/nssdb_create_spec.rb +++ b/spec/defines/nssdb_create_spec.rb 
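Review bot: The `load_pkcs12` example never asserts anything: the `it` block calls `contain_exec(...)` without `should`, so the matcher is built and discarded, and the expected command is a single-quoted Ruby string, so `${pkcs12_name}` is literal text that would never equal the `/dne/server-cert.p12` the manifest produces. Change the two lines to `should contain_exec('load_pkcs12').with(` and `:command => "/usr/bin/pk12util -i '/dne/server-cert.p12' -d '/dne' -w '/dne/password.conf' -k '/dne/password.conf'"`, and consider adding `:require => [ 'Exec[generate_pkcs12]', 'Package[nss-tools]' ]` so the ordering is pinned as it is for `generate_pkcs12` above. The `generate_pkcs12` expectation already fixes the downcased bundle name, so the two examples would then agree on it.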
@@ -1,63 +1,151 @@ require 'spec_helper' describe 'nssdb::create', :type => :define do - let(:title) { 'test' } - let(:params) do { - :owner_id => 'nobody', - :group_id => 'nobody', - :mode => '0660', - :password => 'secret', - :basedir => '/obsolete', - :cacert => '/ca.crt', - :canickname => 'ca', - :catrust => 'CTu' - } + context 'default params' do + let(:title) { '/obsolete' } + let(:params) do + { + :owner_id => 'nobody', + :group_id => 'nobody', + :password => 'secret', + } end context 'nssdb directory' do - it{ should contain_file('/obsolete/test').with( - :owner => 'nobody', - :group => 'nobody' - )} + it do + should contain_file('/obsolete').with( + :owner => 'nobody', + :group => 'nobody', + :mode => '0700' + ) + end end context 'password file' do - it{ should contain_file('/obsolete/test/password.conf').with( + it do + should contain_file('/obsolete/password.conf').with( + :owner => 'nobody', + :group => 'nobody', + :mode => '0600', + :content => 'secret', + :require => 'File[/obsolete]' + ) + end + end + + context 'database files' do + databases = ['cert8.db', 'key3.db', 'secmod.db'] + databases.each do |db| + it do + should contain_file('/obsolete/' + db).with( :owner => 'nobody', :group => 'nobody', - :mode => '0660', - :content => 'secret', - :require => 'File[/obsolete/test]' - )} + :mode => '0600', + :require => [ 'File[/obsolete/password.conf]', 'Exec[create_nss_db]'] + ) + end + end + end + + context 'create nss db' do + it do + should contain_exec('create_nss_db').with( + :command => %r{-d /obsolete -f /obsolete}, + :creates => [ + '/obsolete/cert8.db', + '/obsolete/key3.db', + '/obsolete/secmod.db' + ], + :require => [ + 'File[/obsolete]', + 'File[/obsolete/password.conf]', + 'Package[nss-tools]' + ] + ) + end + end + + context 'add ca cert' do + it do + should contain_exec('add_ca_cert').with( + :command => '/usr/bin/certutil -A -n CA -d /obsolete -t CT,CT, -a -i /etc/pki/certs/CA/ca.crt', + :onlyif => '/usr/bin/test -e 
/etc/pki/certs/CA/ca.crt', + ) + end + end + end # default params + + context 'all params' do + let(:title) { '/obsolete' } + let(:params) do + { + :owner_id => 'nobody', + :group_id => 'nobody', + :mode => '0660', + :password => 'secret', + :manage_certdir => false, + :certdir_mode => '0770', + :cacert => '/ca.crt', + :canickname => 'ca', + :catrust => 'CTu' + } + end + + context 'nssdb directory' do + it { should_not contain_file('/obsolete') } + end + + context 'password file' do + it do + should contain_file('/obsolete/password.conf').with( + :owner => 'nobody', + :group => 'nobody', + :mode => '0660', + :content => 'secret', + :require => 'File[/obsolete]' + ) + end end context 'database files' do - databases = ['cert8.db', 'key3.db', 'secmod.db'] - databases.each do |db| - it{ should contain_file('/obsolete/test/' + db).with( - :owner => 'nobody', - :group => 'nobody', - :mode => '0660', - :require => [ 'File[/obsolete/test/password.conf]', 'Exec[create_nss_db]'] - )} + databases = ['cert8.db', 'key3.db', 'secmod.db'] + databases.each do |db| + it do + should contain_file('/obsolete/' + db).with( + :owner => 'nobody', + :group => 'nobody', + :mode => '0660', + :require => [ 'File[/obsolete/password.conf]', 'Exec[create_nss_db]'] + ) end + end end context 'create nss db' do - it{ should contain_exec('create_nss_db').with( - :command => %r{-d /obsolete/test -f /obsolete/test}, - :creates => [ '/obsolete/test/cert8.db', '/obsolete/test/key3.db', '/obsolete/test/secmod.db'], - :require => [ 'File[/obsolete/test]', - 'File[/obsolete/test/password.conf]', - 'Package[nss-tools]' ] - )} + it do + should contain_exec('create_nss_db').with( + :command => %r{-d /obsolete -f /obsolete}, + :creates => [ + '/obsolete/cert8.db', + '/obsolete/key3.db', + '/obsolete/secmod.db' + ], + :require => [ + 'File[/obsolete]', + 'File[/obsolete/password.conf]', + 'Package[nss-tools]' + ] + ) + end end context 'add ca cert' do - it{ should contain_exec('add_ca_cert').with( - :command 
=> %r{-n ca -d /obsolete/test -t CTu.*-i /ca.crt}, - :onlyif => %r{-e /ca.crt} - )} + it do + should contain_exec('add_ca_cert').with( + :command => %r{-n ca -d /obsolete -t CTu.*-i /ca.crt}, + :onlyif => %r{-e /ca.crt} + ) + end end - + end # all params end
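Review bot: In the 'all params' context `certdir_mode => '0770'` is set alongside `manage_certdir => false`, and the only directory assertion is `should_not contain_file('/obsolete')`, so the custom mode is never observed by any example; the 'default params' context only checks the `'0700'` default. The same context still expects `:require => 'File[/obsolete]'` on password.conf although no such resource is in that catalog, so the expectation passes as a string match while documenting a dangling edge rather than catching it. A third context with the directory managed would cover the parameter:

```ruby
  context 'custom certdir mode' do
    let(:title) { '/obsolete' }
    let(:params) do
      { :owner_id => 'nobody', :group_id => 'nobody',
        :password => 'secret', :certdir_mode => '0770' }
    end

    it { should contain_file('/obsolete').with(:mode => '0770') }
  end
```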