diff --git a/manifests/cabundle.pp b/manifests/cabundle.pp
new file mode 100644
index 0000000000000000000000000000000000000000..ac08082ca73267114d5418c913ead19d72cd9f1f
--- /dev/null
+++ b/manifests/cabundle.pp
@@ -0,0 +1,40 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+# Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Manage a CA bundle.
+ *
+ * Install the CA certificates in $calist into <NAME>-cabundle.pem
+ * under /etc/pki/tls/certs. Each element in $calist can be one of
+ * - A local file name on the client (absolute path).
+ * - A puppet: URL.
+ * - The special form "gridca:<CANAME>" (e.g. "gridca:NorduGrid").
+ * This installs that CA package, using x509::gridca, and uses the
+ * certificate file from there. (Note that this will clash if the CA
+ * package is managed elsewhere in your manifests.)
+ * - A filename under $source (or $x509certs::config::hostcert_source
+ * if not specified), without any slashes or colons in it. The suffix
+ * ".pem" will be added automatically.
+ * Each such source can itself contain multiple certificates.
+ */
+
+define x509certs::cabundle($calist=[], $owner='root', $group='root',
+ $source='', $ensure='present')
+{
+ include x509certs
+
+ concat::file {
+ "${x509certs::pki_certdir}/${name}-cabundle.pem":
+ owner => $owner, group => $group, mode => '0444',
+ ensure => $ensure;
+ }
+ if $ensure == 'present' {
+ $x_calist = regsubst($calist, '^', "${name}: ")
+ x509certs::cabundle::cacert {
+ $x_calist:
+ source => $source;
+ }
+ }
+}
diff --git a/manifests/cabundle/cacert.pp b/manifests/cabundle/cacert.pp
new file mode 100644
index 0000000000000000000000000000000000000000..b81890027c6006f334a0c829823ca6e5d72a63f6
--- /dev/null
+++ b/manifests/cabundle/cacert.pp
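Review bot: `x509certs::cabundle` never validates `$ensure`, while `x509certs::gridca` and `x509certs::hostcert::separate` in this same commit reject anything but 'present'/'absent' with `fail()`; here a misspelt value such as `'Present'` bypasses the `if $ensure == 'present'` guard, so no `x509certs::cabundle::cacert` resources are declared and the result depends entirely on how `concat::file` treats the unknown value. The same `case $ensure { 'present', 'absent': {} default: { fail(...) } }` block that `x509certs::gridca` uses would fit directly after `include x509certs`; `x509certs::hostcert::combinechain` and `x509certs::hostcert::combinekey_cabundle` have the same gap. Separately, the header comment refers to `x509::gridca`, but the define this module declares is `x509certs::gridca`; `* This installs that CA package, using x509certs::gridca, and uses the` fixes it.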
@@ -0,0 +1,76 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+# Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Helper for x509certs::cabundle.
+ *
+ * The resource name is used for specifying both the bundle where the
+ * CA certificate is stored, and the source of the CA certificate. It
+ * should be on the form
+ * BUNDLENAME ": " CASOURCE
+ * The actual bundle file will be <BUNDLENAME>-cabundle.pem under
+ * $x509certs::pki_certdir. See the documentation about the calist
+ * parameter of x509certs::cabundle for information about what
+ * CASOURCE can be.
+ *
+ * Mostly intended for internal use in the x509certs module, but can
+ * possibly be useful for users as well, although the API isn't very
+ * nice to use.
+ */
+define x509certs::cabundle::cacert($source='', $ensure='present')
+{
+ include x509certs
+ include x509certs::config
+
+ $sourcebase = $source ? {
+ '' => $x509certs::config::hostcert_source,
+ default => $source
+ }
+
+ if $name =~ /^(.*): +(.*)$/ {
+ $bundlename = $1
+ $casource = $2
+ } else {
+ fail("X509certs::Cabundle::Cacert[${title}]:",
+ "Illegal name, no // separator")
+ }
+ $bundlefile = "${x509certs::pki_certdir}/${bundlename}-cabundle.pem"
+ $partname = regsubst($casource, '/', '_', 'G')
+ $bundle_partfile = "${bundlefile}/${partname}"
+
+ case $ensure
+ {
+ 'absent': {
+ }
+ 'present': {
+ if $casource =~ /^gridca:(.*)/ {
+ $caname = $1
+ x509certs::gridca {
+ $caname:
+ ensure => 'present';
+ }
+ concat::part {
+ $bundle_partfile:
+ source => "${x509certs::grid_cadir}/${caname}.pem",
+ require => X509certs::Gridca[$caname];
+ }
+ } elsif $casource !~ /.*[\/:].*/ {
+ concat::part {
+ $bundle_partfile:
+ source => "${sourcebase}/${casource}.pem";
+ }
+ } else {
+ concat::part {
+ $bundle_partfile:
+ source => $casource;
+ }
+ }
+ }
+ default: {
+ fail("X509certs::Cabundle::Cacert[${title}]:",
+ "Bad parameter ensure, ${ensure}")
+ }
+ }
+}
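Review bot: The `fail()` message in the `else` branch of the name check says `no // separator`, but the regex on the line above (`/^(.*): +(.*)$/`) and the header comment both define the separator as `": "`, so a user who hits this error is pointed at the wrong fix; `"Illegal name, no ': ' separator")` matches the actual contract. The greedy `(.*)` before the colon also means a CASOURCE that itself contains `": "` would be split at its last occurrence; that is unlikely for paths and puppet: URLs, but the header comment could state that neither side may contain the separator. Note that with `ensure => 'absent'` the `gridca:` form declares nothing, so a CA package installed by an earlier run stays installed; that is probably deliberate given the clash warning in `x509certs::cabundle`'s comment, but a line such as `* With ensure => 'absent' no CA package is removed; manage that via x509certs::gridca.` in the header would make it explicit.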
diff --git a/manifests/config.pp b/manifests/config.pp
new file mode 100644
index 0000000000000000000000000000000000000000..423a1186220a18b142c6fda243897976d23f6e53
--- /dev/null
+++ b/manifests/config.pp
@@ -0,0 +1,25 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+# Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Configuration of the x509certs module.
+ *
+ * Users of this module must instantiate this class with relevant
+ * parameters.
+ *
+ * NOTE! This replaces the old x509certs::siteconfig class, which
+ * users previously were expected to define themselves.
+ */
+class x509certs::config(
+ # Source directory or Puppet URL where host certificates can be
+ # found. Typically a puppet: URL that expands to a client-private
+ # directory on the Puppet master (i.e. one using %h or %H in the
+ # path in fileserver.conf).
+ #
+ $hostcert_source,
+)
+{
+ # Nothing inside this class
+}
diff --git a/manifests/egi/lcg_cas.pp b/manifests/egi/lcg_cas.pp
new file mode 100644
index 0000000000000000000000000000000000000000..0b10a2a762b4c513a07932f8c36ddece237b4c5e
--- /dev/null
+++ b/manifests/egi/lcg_cas.pp
@@ -0,0 +1,21 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+# Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Install the IGTF CA certificates for all CA:s in the LHC Compute Grid.
+ */
+
+class x509certs::egi::lcg_cas
+{
+ include x509certs::egi::trustanchors
+ include x509certs::fetchcrl
+
+ package {
+ [ 'ca-policy-egi-core', 'ca-policy-lcg' ]:
+ ensure => installed,
+ require => Class['x509certs::egi::trustanchors'],
+ notify => Exec['x509certs::fetchcrl::initial'];
+ }
+}
diff --git a/manifests/egi/trustanchors.pp b/manifests/egi/trustanchors.pp
new file mode 100644
index 0000000000000000000000000000000000000000..29e44e4a355a99ff5156935300a309f2f802347d
--- /dev/null
+++ b/manifests/egi/trustanchors.pp
@@ -0,0 +1,28 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+# Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Configure the EGI trust anchors Yum repository, for CA certificates
+ * in the International Grid Trust Federation (IGTF).
+ *
+ * Note that packages for IGTF CAs also exists in e.g. NorduGrid repos,
+ * so we set a low priority (i.e. preferred over other repos), as this
+ * repo only holds CA packages and nothing else.
+ */
+
+class x509certs::egi::trustanchors
+{
+ $urlbase = 'http://repository.egi.eu/sw/production/cas/1'
+
+ yumrepo {
+ 'egi-trustanchors':
+ descr => 'EGI Trust Anchors',
+ baseurl => "${urlbase}/current",
+ gpgkey => "${urlbase}/GPG-KEY-EUGridPMA-RPM-3",
+ priority => 10,
+ enabled => 1,
+ gpgcheck => 1;
+ }
+}
diff --git a/manifests/fetchcrl.pp b/manifests/fetchcrl.pp
new file mode 100644
index 0000000000000000000000000000000000000000..1c9b60fc41a63179e4b6647e46bd6e7ae798b1ff
--- /dev/null
+++ b/manifests/fetchcrl.pp
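Review bot: `$urlbase` is a plain `http://` URL and both `baseurl` and `gpgkey` derive from it, so the repository metadata, the packages and the GPG key meant to authenticate them all arrive over the same unauthenticated channel; `gpgcheck => 1` only protects against tampering after the key has been imported once, and at first install the key and the packages it vouches for come from whoever controls the path. These packages are the trust anchors every host using `x509certs::gridca` or `x509certs::egi::lcg_cas` relies on, so the key should be pinned rather than downloaded: ship the key file in the module and point `gpgkey` at a local copy managed by a `file` resource (for example `gpgkey => 'file:///etc/pki/rpm-gpg/GPG-KEY-EUGridPMA-RPM-3'`, with the `file` sourced from `puppet:///modules/x509certs/GPG-KEY-EUGridPMA-RPM-3` — constructed paths, adjust to the module layout). Independently, switch `$urlbase` to `https://` if the EGI repository serves it, and say in the header comment why the key is pinned so nobody reverts it to the URL form.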
@@ -0,0 +1,56 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+# Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Make sure the fetch-crl service is installed and running, to download
+ * updated revocation lists periodically.
+ */
+
+class x509certs::fetchcrl
+{
+ # Install Perl modules needed for fetch-crl to support HTTPS
+ case "${::operatingsystem}:${::operatingsystemrelease}"
+ {
+ /^(CentOS|RedHat|Scientific):(6)(\.[^:]+)?$/: {
+ package {
+ 'perl-IO-Socket-SSL':
+ ensure => installed, before => Package['fetch-crl'],
+ notify => Exec['x509certs::fetchcrl::initial'];
+ }
+ }
+ /^(CentOS|RedHat|Scientific):(7)(\.[^:]+)?$/: {
+ package {
+ 'perl-LWP-Protocol-https':
+ ensure => installed, before => Package['fetch-crl'],
+ notify => Exec['x509certs::fetchcrl::initial'];
+ }
+ }
+ default: {
+ fail("X509certs::Fetchcrl: Unsupported operating system")
+ }
+ }
+
+ package {
+ 'fetch-crl':
+ ensure => installed,
+ notify => Exec['x509certs::fetchcrl::initial'];
+ 'nordugrid-arc-ca-utils':
+ # Obsolete; now just an empty package depending on fetch-crl.
+ ensure => absent;
+ }
+ service {
+ 'fetch-crl-cron':
+ enable => true, ensure => running,
+ require => Package['fetch-crl'];
+ 'fetch-crl-boot':
+ enable => false,
+ require => Package['fetch-crl'];
+ }
+ exec {
+ 'x509certs::fetchcrl::initial':
+ command => '/usr/sbin/fetch-crl -p 16',
+ refreshonly => true;
+ }
+}
diff --git a/manifests/grid_security_dir.pp b/manifests/grid_security_dir.pp
new file mode 100644
index 0000000000000000000000000000000000000000..0528f9b953e9868d3b488522fc8bf0a017e681ca
--- /dev/null
+++ b/manifests/grid_security_dir.pp
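Review bot: The `case` on `"${::operatingsystem}:${::operatingsystemrelease}"` recognises only EL6 and EL7 and its `default` branch aborts catalog compilation, but the header comment says nothing about that; because `x509certs::gridca` and `x509certs::egi::lcg_cas` both `include` this class, declaring any grid CA on another release fails with `Unsupported operating system` far from the resource the user actually wrote. A line in the header would save that debugging: `* Only EL6 and EL7 are supported; other releases fail at compile time.` `fetch-crl-boot` gets `enable => false` with no `ensure`, which looks like an omission next to `fetch-crl-cron`; if the boot-time run is simply not wanted, a trailing `# boot-time run not needed, the cron job refreshes CRLs` makes that intent readable. The initial `exec` also runs under Puppet's default `exec` timeout, which may be tight when many CAs are installed on a slow link — consider an explicit `timeout` if that has been observed.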
@@ -0,0 +1,18 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+# Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Helper class, to make sure the /etc/grid-security directory exists.
+ */
+class x509certs::grid_security_dir
+{
+ include x509certs
+
+ file {
+ $x509certs::grid_secdir:
+ ensure => directory,
+ owner => 'root', group => 'root', mode => '0755';
+ }
+}
diff --git a/manifests/gridca.pp b/manifests/gridca.pp
new file mode 100644
index 0000000000000000000000000000000000000000..ad957579fe469c0251b707a7152af7dfda89fb27
--- /dev/null
+++ b/manifests/gridca.pp
@@ -0,0 +1,35 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+# Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Manage a grid CA certificate.
+ *
+ * These are assumed to be available as (RPM) packages name "ca_<NAME>",
+ * that provide the PEM file and any extra metadata files needed by the
+ * WLCG and EGI grids, including CRL URLs for fetch-crl.
+ *
+ * Note that configuring a repository where these CA packages
+ * can be found must be done separately, e.g. by using the
+ * x509certs::egi::trustanchors class.
+ */
+
+define x509certs::gridca($ensure='present')
+{
+ include x509certs::fetchcrl
+
+ case $ensure {
+ 'present', 'absent': {
+ }
+ default: {
+ fail("X509certs::Gridca[${title}]:",
+ "Bad parameter ensure, ``${ensure}''")
+ }
+ }
+ package {
+ "ca_${name}":
+ ensure => $ensure,
+ notify => Exec['x509certs::fetchcrl::initial'];
+ }
+}
diff --git a/manifests/hostcert/combinechain.pp b/manifests/hostcert/combinechain.pp
new file mode 100644
index 0000000000000000000000000000000000000000..57fea6fb066d66223f40548c618da910af15379a
--- /dev/null
+++ b/manifests/hostcert/combinechain.pp
@@ -0,0 +1,51 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+# Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Install host certificate and CA chain in one file, and key in another.
+ *
+ * The certificate and CA chain will be installed in the same file
+ * under /etc/pki/tls/certs in <NAME>-cert.pem. The private key will be
+ * in a separate file <NAME>-key.pem under /etc/pki/tls/private, readable
+ * only by $owner and $group.
+ *
+ * The certificate, private key and CA chain will be loaded from
+ * separate files using the same logic as x509certs::hostcert::separate.
+ *
+ * This format is wanted by some software, e.g. Postfix and Dovecot.
+ */
+
+define x509certs::hostcert::combinechain($owner='root', $group='root',
+ $sourcename='', $source='',
+ $ensure='present')
+{
+ include x509certs
+ include x509certs::config
+
+ $sourcebase = $source ? {
+ '' => $x509certs::config::hostcert_source,
+ default => $source
+ }
+ $srcname = $sourcename ? { '' => $name, default => $sourcename }
+
+ concat::file {
+ "${x509certs::pki_certdir}/${name}-cert.pem":
+ ensure => $ensure,
+ owner => $owner, group => $group, mode => '0444';
+ }
+ concat::part {
+ "${x509certs::pki_certdir}/${name}-cert.pem/01-cert.pem":
+ source => "${sourcebase}/${srcname}-cert.pem", ensure => $ensure;
+ "${x509certs::pki_certdir}/${name}-cert.pem/02-chain.pem":
+ source => "${sourcebase}/${srcname}-chain.pem", ensure => $ensure;
+ }
+
+ file {
+ "${x509certs::pki_keydir}/${name}-key.pem":
+ source => "${sourcebase}/${srcname}-key.pem",
+ owner => $owner, group => $group, mode => '0440',
+ ensure => $ensure;
+ }
+}
diff --git a/manifests/hostcert/combinekey_cabundle.pp b/manifests/hostcert/combinekey_cabundle.pp
new file mode 100644
index 0000000000000000000000000000000000000000..1de5077b7291f0bd2c3031b4ec4ab59dc930e30a
--- /dev/null
+++ b/manifests/hostcert/combinekey_cabundle.pp
@@ -0,0 +1,57 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+# Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Install host certificate and private key in one file, and the CA
+ * chain and other CA certificates in another file.
+ *
+ * The certificate and private key will be installed in the same file
+ * under /etc/pki/tls/certs in <NAME>-cert.pem (readable only by the
+ * $owner and $group). The CA chain will be in a separate file
+ * <NAME>-cabundle.pem together with the CA certificates in $calist.
+ *
+ * The certificate, private key and CA chain will be loaded from
+ * separate files using the same logic as x509certs::hostcert::separate.
+ *
+ * This is the format e.g. lighttpd requires (server certificate and
+ * private key in a common file, and all CA certificates, both the chain
+ * to its server certificate and the CA:s used for client authentication,
+ * together in another file).
+ */
+
+define x509certs::hostcert::combinekey_cabundle(
+ $calist=[], $owner='root', $group='root',
+ $sourcename='', $source='', $ensure='present')
+{
+ include x509certs
+ include x509certs::config
+
+ $sourcebase = $source ? {
+ '' => $x509certs::config::hostcert_source,
+ default => $source
+ }
+ $srcname = $sourcename ? { '' => $name, default => $sourcename }
+
+ concat::file {
+ "${x509certs::pki_certdir}/${name}-cert.pem":
+ ensure => $ensure,
+ owner => $owner, group => $group, mode => '0440';
+ }
+ concat::part {
+ "${x509certs::pki_certdir}/${name}-cert.pem/cert.pem":
+ source => "${sourcebase}/${srcname}-cert.pem", ensure => $ensure;
+ "${x509certs::pki_certdir}/${name}-cert.pem/key.pem":
+ source => "${sourcebase}/${srcname}-key.pem", ensure => $ensure;
+ }
+ x509certs::cabundle {
+ $name:
+ owner => $owner, group => $group, source => $source,
+ calist => $calist, ensure => $ensure;
+ }
+ x509certs::cabundle::cacert {
+ "${name}: ${sourcebase}/${srcname}-chain.pem":
+ source => $source, ensure => $ensure;
+ }
+}
diff --git a/manifests/hostcert/separate.pp b/manifests/hostcert/separate.pp
new file mode 100644
index 0000000000000000000000000000000000000000..bf31d679380de8a7ef0de57052b73541ea0e3673
--- /dev/null
+++ b/manifests/hostcert/separate.pp
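Review bot: The private key reaches `<NAME>-cert.pem` through `concat::part`, so the key material is first written as a fragment wherever the concat module keeps its parts, and only the assembled `concat::file` carries `mode => '0440'`; unless that module applies equally restrictive permissions to its fragment store, the key is exposed there, and this diff does not show which concat implementation is in use or how it stages fragments. Please confirm and record the outcome above the `concat::part` block, e.g. `# key.pem is staged as a concat fragment; fragment perms verified owner-only with <concat module version>` (placeholder to fill in). The combined file also lives under `$x509certs::pki_certdir` rather than `$x509certs::pki_keydir`, which the header comment justifies for lighttpd, but it is then the only key-bearing file in the certs directory; a remark next to `mode => '0440'` saying the location is deliberate keeps the next reader from "fixing" it.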
@@ -0,0 +1,58 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+# Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Install host certificate, private key and CA chain.
+ * These three will be installed in separate files under /etc/pki/tls.
+ * Source is <SOURCE>/<SOURCENAME>-{cert,chain,key}.pem. $sourcename
+ * defaults to the name for the resource if not specified. If $source
+ * is not specified, $x509certs::config::hostcert_source is used.
+ *
+ * If the certificate is self-signed, and thus no CA chain exists,
+ * the chain source file must still exist, and should then either be
+ * empty, or contain the certificate itself. (Apache httpd, e.g, does
+ * not like the chain file being empty, but repeating the certificate
+ * in the chain file works fine; other applications may have other
+ * rules.)
+ */
+
+define x509certs::hostcert::separate($owner='root', $group='root',
+ $sourcename='', $source='',
+ $ensure='present')
+{
+ include x509certs
+ include x509certs::config
+
+ case $ensure {
+ 'present', 'absent': {
+ }
+ default: {
+ fail("X509certs::Hostcert::Separate[${title}]:",
+ "Bad parameter ensure, ``${ensure}''")
+ }
+ }
+ $sourcebase = $source ? {
+ '' => $x509certs::config::hostcert_source,
+ default => $source
+ }
+ $srcname = $sourcename ? { '' => $name, default => $sourcename }
+
+ file {
+ "${x509certs::pki_certdir}/${name}-cert.pem":
+ source => "${sourcebase}/${srcname}-cert.pem",
+ owner => $owner, group => $group, mode => '0444',
+ ensure => $ensure;
+
+ "${x509certs::pki_certdir}/${name}-chain.pem":
+ source => "${sourcebase}/${srcname}-chain.pem",
+ owner => $owner, group => $group, mode => '0444',
+ ensure => $ensure;
+
+ "${x509certs::pki_keydir}/${name}-key.pem":
+ source => "${sourcebase}/${srcname}-key.pem",
+ owner => $owner, group => $group, mode => '0440',
+ ensure => $ensure;
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 1909044f1c174c93d93365475b9b437c353ce1a9..7530ed0be3b9540cbdf46cac105cd9cfebe59cd4 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -3,314 +3,6 @@ # Licensed under the GNU LGPL v3+; see the README file for more information. -/* - * Configuration of the x509certs module. - * - * Users of this module must instantiate this class with relevant - * parameters. - * - * NOTE! This replaces the old x509certs::siteconfig class, which - * users previously were expected to define themselves. - */ -class x509certs::config( - # Source directory or Puppet URL where host certificates can be - # found. Typically a puppet: URL that expands to a client-private - # directory on the Puppet master (i.e. one using %h or %H in the - # path in fileserver.conf). - # - $hostcert_source, -) -{ - # Nothing inside this class -} - - - -/* - * Directory locations and other constants. - * - * This currently assumes a RedHat:ish system. - */ -class x509certs -{ - $pki_certdir = '/etc/pki/tls/certs' - $pki_keydir = '/etc/pki/tls/private' - $grid_secdir = '/etc/grid-security' - $grid_cadir = "${grid_secdir}/certificates" -} - - - -/* - * Install host certificate, private key and CA chain. - * These three will be installed in separate files under /etc/pki/tls. - * Source is <SOURCE>/<SOURCENAME>-{cert,chain,key}.pem. $sourcename - * defaults to the name for the resource if not specified. If $source - * is not specified, $x509certs::config::hostcert_source is used. - * - * If the certificate is self-signed, and thus no CA chain exists, - * the chain source file must still exist, and should then either be - * empty, or contain the certificate itself. (Apache httpd, e.g, does - * not like the chain file being empty, but repeating the certificate - * in the chain file works fine; other applications may have other - * rules.) 
- */ - -define x509certs::hostcert::separate($owner='root', $group='root', - $sourcename='', $source='', - $ensure='present') -{ - include x509certs - include x509certs::config - - case $ensure { - 'present', 'absent': { - } - default: { - fail("X509certs::Hostcert::Separate[${title}]:", - "Bad parameter ensure, ``${ensure}''") - } - } - $sourcebase = $source ? { - '' => $x509certs::config::hostcert_source, - default => $source - } - $srcname = $sourcename ? { '' => $name, default => $sourcename } - - file { - "${x509certs::pki_certdir}/${name}-cert.pem": - source => "${sourcebase}/${srcname}-cert.pem", - owner => $owner, group => $group, mode => '0444', - ensure => $ensure; - - "${x509certs::pki_certdir}/${name}-chain.pem": - source => "${sourcebase}/${srcname}-chain.pem", - owner => $owner, group => $group, mode => '0444', - ensure => $ensure; - - "${x509certs::pki_keydir}/${name}-key.pem": - source => "${sourcebase}/${srcname}-key.pem", - owner => $owner, group => $group, mode => '0440', - ensure => $ensure; - } -} - - - -/* - * Install host certificate and private key in one file, and the CA - * chain and other CA certificates in another file. - * - * The certificate and private key will be installed in the same file - * under /etc/pki/tls/certs in <NAME>-cert.pem (readable only by the - * $owner and $group). The CA chain will be in a separate file - * <NAME>-cabundle.pem together with the CA certificates in $calist. - * - * The certificate, private key and CA chain will be loaded from - * separate files using the same logic as x509certs::hostcert::separate. - * - * This is the format e.g. lighttpd requires (server certificate and - * private key in a common file, and all CA certificates, both the chain - * to its server certificate and the CA:s used for client authentication, - * together in another file). 
- */ - -define x509certs::hostcert::combinekey_cabundle( - $calist=[], $owner='root', $group='root', - $sourcename='', $source='', $ensure='present') -{ - include x509certs - include x509certs::config - - $sourcebase = $source ? { - '' => $x509certs::config::hostcert_source, - default => $source - } - $srcname = $sourcename ? { '' => $name, default => $sourcename } - - concat::file { - "${x509certs::pki_certdir}/${name}-cert.pem": - ensure => $ensure, - owner => $owner, group => $group, mode => '0440'; - } - concat::part { - "${x509certs::pki_certdir}/${name}-cert.pem/cert.pem": - source => "${sourcebase}/${srcname}-cert.pem", ensure => $ensure; - "${x509certs::pki_certdir}/${name}-cert.pem/key.pem": - source => "${sourcebase}/${srcname}-key.pem", ensure => $ensure; - } - x509certs::cabundle { - $name: - owner => $owner, group => $group, source => $source, - calist => $calist, ensure => $ensure; - } - x509certs::cabundle::cacert { - "${name}: ${sourcebase}/${srcname}-chain.pem": - source => $source, ensure => $ensure; - } -} - - - -/* - * Install host certificate and CA chain in one file, and key in another. - * - * The certificate and CA chain will be installed in the same file - * under /etc/pki/tls/certs in <NAME>-cert.pem. The private key will be - * in a separate file <NAME>-key.pem under /etc/pki/tls/private, readable - * only by $owner and $group. - * - * The certificate, private key and CA chain will be loaded from - * separate files using the same logic as x509certs::hostcert::separate. - * - * This format is wanted by some software, e.g. Postfix and Dovecot. - */ - -define x509certs::hostcert::combinechain($owner='root', $group='root', - $sourcename='', $source='', - $ensure='present') -{ - include x509certs - include x509certs::config - - $sourcebase = $source ? { - '' => $x509certs::config::hostcert_source, - default => $source - } - $srcname = $sourcename ? 
{ '' => $name, default => $sourcename } - - concat::file { - "${x509certs::pki_certdir}/${name}-cert.pem": - ensure => $ensure, - owner => $owner, group => $group, mode => '0444'; - } - concat::part { - "${x509certs::pki_certdir}/${name}-cert.pem/01-cert.pem": - source => "${sourcebase}/${srcname}-cert.pem", ensure => $ensure; - "${x509certs::pki_certdir}/${name}-cert.pem/02-chain.pem": - source => "${sourcebase}/${srcname}-chain.pem", ensure => $ensure; - } - - file { - "${x509certs::pki_keydir}/${name}-key.pem": - source => "${sourcebase}/${srcname}-key.pem", - owner => $owner, group => $group, mode => '0440', - ensure => $ensure; - } -} - - - -/* - * Manage a CA bundle. - * - * Install the CA certificates in $calist into <NAME>-cabundle.pem - * under /etc/pki/tls/certs. Each element in $calist can be one of - * - A local file name on the client (absolute path). - * - A puppet: URL. - * - The special form "gridca:<CANAME>" (e.g. "gridca:NorduGrid"). - * This installs that CA package, using x509::gridca, and uses the - * certificate file from there. (Note that this will clash if the CA - * package is managed elsewhere in your manifests.) - * - A filename under $source (or $x509certs::config::hostcert_source - * if not specified), without any slashes or colons in it. The suffix - * ".pem" will be added automatically. - * Each such source can itself contain multiple certificates. - */ - -define x509certs::cabundle($calist=[], $owner='root', $group='root', - $source='', $ensure='present') -{ - include x509certs - - concat::file { - "${x509certs::pki_certdir}/${name}-cabundle.pem": - owner => $owner, group => $group, mode => '0444', - ensure => $ensure; - } - if $ensure == 'present' { - $x_calist = regsubst($calist, '^', "${name}: ") - x509certs::cabundle::cacert { - $x_calist: - source => $source; - } - } -} - - -/* - * Helper for x509certs::cabundle. 
- * - * The resource name is used for specifying both the bundle where the - * CA certificate is stored, and the source of the CA certificate. It - * should be on the form - * BUNDLENAME ": " CASOURCE - * The actual bundle file will be <BUNDLENAME>-cabundle.pem under - * $x509certs::pki_certdir. See the documentation about the calist - * parameter of x509certs::cabundle for information about what - * CASOURCE can be. - * - * Mostly intended for internal use in the x509certs module, but can - * possibly be useful for users as well, although the API isn't very - * nice to use. - */ -define x509certs::cabundle::cacert($source='', $ensure='present') -{ - include x509certs - include x509certs::config - - $sourcebase = $source ? { - '' => $x509certs::config::hostcert_source, - default => $source - } - - if $name =~ /^(.*): +(.*)$/ { - $bundlename = $1 - $casource = $2 - } else { - fail("X509certs::Cabundle::Cacert[${title}]:", - "Illegal name, no // separator") - } - $bundlefile = "${x509certs::pki_certdir}/${bundlename}-cabundle.pem" - $partname = regsubst($casource, '/', '_', 'G') - $bundle_partfile = "${bundlefile}/${partname}" - - case $ensure - { - 'absent': { - } - 'present': { - if $casource =~ /^gridca:(.*)/ { - $caname = $1 - x509certs::gridca { - $caname: - ensure => 'present'; - } - concat::part { - $bundle_partfile: - source => "${x509certs::grid_cadir}/${caname}.pem", - require => X509certs::Gridca[$caname]; - } - } elsif $casource !~ /.*[\/:].*/ { - concat::part { - $bundle_partfile: - source => "${sourcebase}/${casource}.pem"; - } - } else { - concat::part { - $bundle_partfile: - source => $casource; - } - } - } - default: { - fail("X509certs::Cabundle::Cacert[${title}]:", - "Bad parameter ensure, ${ensure}") - } - } -} - - /* * Manage a "grid host certificate". 
@@ -412,148 +104,16 @@ class x509certs::hostcert::gridcert::absent -/* - * Make sure the fetch-crl service is installed and running, to download - * updated revocation lists periodically. - */ - -class x509certs::fetchcrl -{ - # Install Perl modules needed for fetch-crl to support HTTPS - case "${::operatingsystem}:${::operatingsystemrelease}" - { - /^(CentOS|RedHat|Scientific):(6)(\.[^:]+)?$/: { - package { - 'perl-IO-Socket-SSL': - ensure => installed, before => Package['fetch-crl'], - notify => Exec['x509certs::fetchcrl::initial']; - } - } - /^(CentOS|RedHat|Scientific):(7)(\.[^:]+)?$/: { - package { - 'perl-LWP-Protocol-https': - ensure => installed, before => Package['fetch-crl'], - notify => Exec['x509certs::fetchcrl::initial']; - } - } - default: { - fail("X509certs::Fetchcrl: Unsupported operating system") - } - } - - package { - 'fetch-crl': - ensure => installed, - notify => Exec['x509certs::fetchcrl::initial']; - 'nordugrid-arc-ca-utils': - # Obsolete; now just an empty package depending on fetch-crl. - ensure => absent; - } - service { - 'fetch-crl-cron': - enable => true, ensure => running, - require => Package['fetch-crl']; - 'fetch-crl-boot': - enable => false, - require => Package['fetch-crl']; - } - exec { - 'x509certs::fetchcrl::initial': - command => '/usr/sbin/fetch-crl -p 16', - refreshonly => true; - } -} - - /* - * Manage a grid CA certificate. - * - * These are assumed to be available as (RPM) packages name "ca_<NAME>", - * that provide the PEM file and any extra metadata files needed by the - * WLCG and EGI grids, including CRL URLs for fetch-crl. - * - * Note that configuring a repository where these CA packages - * can be found must be done separately, e.g. by using the - * x509certs::egi::trustanchors class. 
- */ - -define x509certs::gridca($ensure='present') -{ - include x509certs::fetchcrl - - case $ensure { - 'present', 'absent': { - } - default: { - fail("X509certs::Gridca[${title}]:", - "Bad parameter ensure, ``${ensure}''") - } - } - package { - "ca_${name}": - ensure => $ensure, - notify => Exec['x509certs::fetchcrl::initial']; - } -} - - - -/* - * Configure the EGI trust anchors Yum repository, for CA certificates - * in the International Grid Trust Federation (IGTF). + * Directory locations and other constants. * - * Note that packages for IGTF CAs also exists in e.g. NorduGrid repos, - * so we set a low priority (i.e. preferred over other repos), as this - * repo only holds CA packages and nothing else. - */ - -class x509certs::egi::trustanchors -{ - $urlbase = 'http://repository.egi.eu/sw/production/cas/1' - - yumrepo { - 'egi-trustanchors': - descr => 'EGI Trust Anchors', - baseurl => "${urlbase}/current", - gpgkey => "${urlbase}/GPG-KEY-EUGridPMA-RPM-3", - priority => 10, - enabled => 1, - gpgcheck => 1; - } -} - - - -/* - * Install the IGTF CA certificates for all CA:s in the LHC Compute Grid. - */ - -class x509certs::egi::lcg_cas -{ - include x509certs::egi::trustanchors - include x509certs::fetchcrl - - package { - [ 'ca-policy-egi-core', 'ca-policy-lcg' ]: - ensure => installed, - require => Class['x509certs::egi::trustanchors'], - notify => Exec['x509certs::fetchcrl::initial']; - } -} - - - -/* - * Helper class, to make sure the /etc/grid-security directory exists. + * This currently assumes a RedHat:ish system. */ -class x509certs::grid_security_dir +class x509certs { - include x509certs - - file { - $x509certs::grid_secdir: - ensure => directory, - owner => 'root', group => 'root', mode => '0755'; - } + $pki_certdir = '/etc/pki/tls/certs' + $pki_keydir = '/etc/pki/tls/private' + $grid_secdir = '/etc/grid-security' + $grid_cadir = "${grid_secdir}/certificates" }