From 92cf6cdebb922e3e03205259151cf4eac99d6d22 Mon Sep 17 00:00:00 2001
From: chloesoe
Date: Fri, 22 Mar 2019 14:41:45 +0100
Subject: [PATCH 1/3] Fix client cert revoke error with easyrsa 3.0
In easyrsa 3.0 (used in CentOS) the command has changed. Now there is only a single binary to run the scripts. Further the generation of CRL also has changed; now a new crl.pem file is created in keys/crl.pem which overrides the symlink there. So the revocation check did not work anymore, because the crl.pem in the base directory was not checked when a client connected.
Resolves: VSHNOPS-1537
---
 manifests/revoke.pp | 30 +++++++++++++++++++++++-----
 spec/defines/openvpn_revoke_spec.rb | 31 ++++++++++++++++++++++++-----
 2 files changed, 51 insertions(+), 10 deletions(-)
diff --git a/manifests/revoke.pp b/manifests/revoke.pp
index 67d926ef..945305f1 100644
--- a/manifests/revoke.pp
+++ b/manifests/revoke.pp
@@ -25,10 +25,30 @@ $etc_directory = $openvpn::etc_directory - exec { "revoke certificate for ${name} in context of ${server}": - command => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}", - cwd => "${etc_directory}/openvpn/${server}/easy-rsa", - creates => "${etc_directory}/openvpn/${server}/easy-rsa/revoked/${name}", - provider => 'shell', + case $openvpn::easyrsa_version { + '3.0': { + exec { "revoke certificate for ${name} in context of ${server}": + command => ". ./vars && ./easyrsa --batch revoke ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2|))' && touch revoked/${name}", + cwd => "${etc_directory}/openvpn/${server}/easy-rsa", + creates => "${etc_directory}/openvpn/${server}/easy-rsa/revoked/${name}", + provider => 'shell', + } + # `easyrsa gen-crl` does not work, since it will create the crl.pem + # to keys/crl.pem which is a symlinked to crl.pem in the servers etc + # directory + exec { "renew crl.pem for ${name}": + command => ". ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out ../crl.pem -config ./openssl.cnf", + cwd => "${openvpn::etc_directory}/openvpn/${server}/easy-rsa", + provider => 'shell', + } + } + default: { + exec { "revoke certificate for ${name} in context of ${server}": + command => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}", + cwd => "${etc_directory}/openvpn/${server}/easy-rsa", + creates => "${etc_directory}/openvpn/${server}/easy-rsa/revoked/${name}", + provider => 'shell', + } + } } } diff --git a/spec/defines/openvpn_revoke_spec.rb b/spec/defines/openvpn_revoke_spec.rb index 75b8eeec..da6ab5f7 100644 --- a/spec/defines/openvpn_revoke_spec.rb +++ b/spec/defines/openvpn_revoke_spec.rb 
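Review bot: The grep pattern in the new '3.0' branch, `'(error 23|exit (0|2|))'`, contains an empty alternative, so `exit ` followed by any status matches and `touch revoked/${name}` runs even when `./easyrsa --batch revoke` failed; from then on the `creates` marker exists, Puppet never retries, and the certificate stays valid while the catalog reports it revoked. The '2.0' branch keeps `(0|2)`, so the '3.0' command should read `grep -qE '(error 23|exit (0|2))'` as well. The `renew crl.pem for ${name}` exec has no `creates`, `refreshonly` or `unless`, so it rewrites the CRL on every agent run and carries no ordering after the revoke; `refreshonly => true, subscribe => Exec["revoke certificate for ${name} in context of ${server}"],` makes it run once, after a successful revocation. Its `cwd` also uses `${openvpn::etc_directory}` where the sibling exec uses the local `$etc_directory`. The enclosing define starts before this hunk.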
@@ -24,12 +24,33 @@ let(:params) { { 'server' => 'test_server' } } it { is_expected.to compile.with_all_deps } + context 'easyrsa version 2.0' do + let(:facts) do + super().merge('easyrsa' => '2.0') + end - it { - is_expected.to contain_exec('revoke certificate for test_client in context of test_server').with( - 'command' => ". ./vars && ./revoke-full test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client" - ) - } + it { + is_expected.to contain_exec('revoke certificate for test_client in context of test_server').with( + 'command' => ". ./vars && ./revoke-full test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client" + ) + } + end + context 'easyrsa version 3.0' do + let(:facts) do + super().merge('easyrsa' => '3.0') + end + + it { + is_expected.to contain_exec('revoke certificate for test_client in context of test_server').with( + 'command' => ". ./vars && ./easyrsa --batch revoke test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2|))' && touch revoked/test_client" + ) + } + it { + is_expected.to contain_exec('renew crl.pem for test_client').with( + 'command' => ". ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out ../crl.pem -config ./openssl.cnf" + ) + } + end end end end From d6d736062e43f6bf3c052d699fd34ca7e68c743a Mon Sep 17 00:00:00 2001 From: chloesoe Date: Fri, 10 May 2019 08:30:09 +0200 Subject: [PATCH 2/3] Use version number instead of default As requested in the pull request. --- manifests/revoke.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/manifests/revoke.pp b/manifests/revoke.pp index 945305f1..57ed5d30 100644 --- a/manifests/revoke.pp +++ b/manifests/revoke.pp 
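Review bot: The 'easyrsa version 3.0' example asserts the command string with `grep -qE '(error 23|exit (0|2|))'`, whose empty alternative accepts any exit status, so the spec locks in a pattern that marks a failed revocation as done; it should expect `'(error 23|exit (0|2))'` exactly like the 2.0 example. Neither example checks how the two execs relate, so a `renew crl.pem` that runs on every catalog, or before the revoke, still passes; the second 3.0 example could add `.with('refreshonly' => true).that_subscribes_to('Exec[revoke certificate for test_client in context of test_server]')`. The fact key `'easyrsa'` is presumably what `$openvpn::easyrsa_version` is derived from, but that mapping is outside this hunk and worth a comment on the `let(:facts)` blocks. The enclosing describe starts before this hunk.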
@@ -42,7 +42,7 @@
 provider => 'shell',
 }
 }
- default: {
+ '2.0': {
 exec { "revoke certificate for ${name} in context of ${server}":
 command => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}",
 cwd => "${etc_directory}/openvpn/${server}/easy-rsa",
@@ -50,5 +50,8 @@
 provider => 'shell',
 }
 }
+ default: {
+ fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.")
+ }
 }
 }
From 1be53fc184e962cfde05298dde5b9b632ae8c98f Mon Sep 17 00:00:00 2001
From: chloesoe
Date: Mon, 13 May 2019 14:57:45 +0200
Subject: [PATCH 3/3] WIP Add new client to test revoke (not working)
Add a new client with an additional revoke test. Unfortunately I was not able to get the tests working. Command to start the test is: `PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=ubuntu1804-64vpnserver.ma{hostname=vpnserver}-ubuntu1804-64vpnclienta.a{hostname=vpnclienta} BEAKER_HYPERVISOR=docker LANG=C LC_ALL=C bundle exec rake beaker` It looks like, there weren't any revoke tests yet. So as I'm new to puppet I was not able to create revoking tests from scratch in a reasonable time.
---
 spec/acceptance/openvpn_spec.rb | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/spec/acceptance/openvpn_spec.rb b/spec/acceptance/openvpn_spec.rb
index c0ef64b0..9f5153ee 100644
--- a/spec/acceptance/openvpn_spec.rb
+++ b/spec/acceptance/openvpn_spec.rb
@@ -36,6 +36,7 @@
 apply_manifest_on(hosts_as('vpnserver'), pp, catch_failures: true)
 apply_manifest_on(hosts_as('vpnserver'), pp, catch_changes: true)
 end
+
 it 'creates openvpn client certificate idempotently' do
 pp = %(
 openvpn::server { 'test_openvpn_server':
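Review bot: The message in the new `default` branch misspells "unexpected" (`unexepected`) and mixes tenses, and it is the text an operator sees whenever `openvpn::easyrsa_version` is anything other than '2.0' or '3.0'; `fail("unexpected value for EasyRSA version, got '${openvpn::easyrsa_version}', expected 2.0 or 3.0.")` reads cleanly. Failing here means every `openvpn::revoke` instance reports the same error at catalog compile time; if the `openvpn` class parameter is not already typed as `Enum['2.0', '3.0']`, validating it there would reject the bad value once, at the point it is set. The hunk at -42 only renames the case label and needs no further change. The enclosing define starts before these hunks.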
@@ -56,7 +57,18 @@
 remote_host => $facts['networking']['ip'],
 tls_cipher => 'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA',
 }
- )
+
+ openvpn::client { 'vpnclientb' :
+ server => 'test_openvpn_server',
+ require => Openvpn::Server['test_openvpn_server'],
+ remote_host => $facts['networking']['ip'],
+ tls_cipher => 'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA',
+ }
+
+ openvpn::revoke { 'vpnclientb' :
+ server => 'test_openvpn_server',
+ }
+ )
 apply_manifest_on(hosts_as('vpnserver'), pp, catch_failures: true)
 apply_manifest_on(hosts_as('vpnserver'), pp, catch_changes: true)
 end
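Review bot: The new `openvpn::revoke { 'vpnclientb' : ... }` carries no relationship to the client it revokes, so unless the define autorequires it (not visible here) Puppet may try to revoke a certificate that has not been generated yet; add `require => Openvpn::Client['vpnclientb'],` alongside `server`. The second `apply_manifest_on(..., catch_changes: true)` will also keep failing as long as the `renew crl.pem` exec introduced in the first patch of this series runs on every agent run, which is the likely reason this WIP test does not pass rather than anything in this hunk. The example only proves the manifest applies twice; asserting on the server's `crl.pem` afterwards (for instance that `openssl crl -noout -text` on it lists the revoked serial) would make it a real revocation test. The enclosing `it` block starts before this hunk.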