From c5ae6d50dd7332f550977d1188d5e297116ff79d Mon Sep 17 00:00:00 2001
From: Thomas Bellman <bellman@nsc.liu.se>
Date: Mon, 11 May 2020 04:23:06 +0200
Subject: [PATCH] Break out classes/definitions to individual files.

In order to support the Puppet autoloader (required from Puppet 4),
and follow common practice in the Puppet world, each definition and
class needs to be in its own manifest file.
---
 manifests/cabundle.pp                     |  40 ++
 manifests/cabundle/cacert.pp              |  76 ++++
 manifests/config.pp                       |  25 ++
 manifests/egi/lcg_cas.pp                  |  21 +
 manifests/egi/trustanchors.pp             |  28 ++
 manifests/fetchcrl.pp                     |  56 +++
 manifests/grid_security_dir.pp            |  18 +
 manifests/gridca.pp                       |  35 ++
 manifests/hostcert/combinechain.pp        |  51 +++
 manifests/hostcert/combinekey_cabundle.pp |  57 +++
 manifests/hostcert/separate.pp            |  58 +++
 manifests/init.pp                         | 454 +---------------------
 12 files changed, 472 insertions(+), 447 deletions(-)
 create mode 100644 manifests/cabundle.pp
 create mode 100644 manifests/cabundle/cacert.pp
 create mode 100644 manifests/config.pp
 create mode 100644 manifests/egi/lcg_cas.pp
 create mode 100644 manifests/egi/trustanchors.pp
 create mode 100644 manifests/fetchcrl.pp
 create mode 100644 manifests/grid_security_dir.pp
 create mode 100644 manifests/gridca.pp
 create mode 100644 manifests/hostcert/combinechain.pp
 create mode 100644 manifests/hostcert/combinekey_cabundle.pp
 create mode 100644 manifests/hostcert/separate.pp

diff --git a/manifests/cabundle.pp b/manifests/cabundle.pp
new file mode 100644
index 0000000..ac08082
--- /dev/null
+++ b/manifests/cabundle.pp
@@ -0,0 +1,40 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Manage a CA bundle.
+ *
+ * Install the CA certificates in $calist into <NAME>-cabundle.pem
+ * under /etc/pki/tls/certs.  Each element in $calist can be one of
+ *  - A local file name on the client (absolute path).
+ *  - A puppet: URL.
+ *  - The special form "gridca:<CANAME>" (e.g. "gridca:NorduGrid").
+ *    This installs that CA package, using x509::gridca, and uses the
+ *    certificate file from there.  (Note that this will clash if the CA
+ *    package is managed elsewhere in your manifests.)
+ *  - A filename under $source (or $x509certs::config::hostcert_source
+ *    if not specified), without any slashes or colons in it. The suffix
+ *    ".pem" will be added automatically.
+ * Each such source can itself contain multiple certificates.
+ */
+
+define x509certs::cabundle($calist=[], $owner='root', $group='root',
+			   $source='', $ensure='present')
+{
+    include x509certs
+
+    concat::file {
+	"${x509certs::pki_certdir}/${name}-cabundle.pem":
+	    owner => $owner, group => $group, mode => '0444',
+	    ensure => $ensure;
+    }
+    if $ensure == 'present' {
+	$x_calist = regsubst($calist, '^', "${name}: ")
+	x509certs::cabundle::cacert {
+	    $x_calist:
+		source => $source;
+	}
+    }
+}
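Review bot: The header comment documents the `gridca:<CANAME>` form as installing the CA "using x509::gridca", but the define this module declares is `x509certs::gridca`, so the comment points readers at a resource that does not exist; change the bullet to `This installs that CA package, using x509certs::gridca, and uses the`. The comment should also state a constraint the code silently depends on: the titles built with `regsubst($calist, '^', "${name}: ")` are later split on the two-character sequence `: ` by `x509certs::cabundle::cacert`, so neither `$name` nor any `$calist` element may contain it, or the certificate is attributed to a differently named bundle path. Suggested addition to the header: `Neither $name nor any element of $calist may contain ": " — that sequence is the separator x509certs::cabundle::cacert parses its title on.`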
diff --git a/manifests/cabundle/cacert.pp b/manifests/cabundle/cacert.pp
new file mode 100644
index 0000000..b818900
--- /dev/null
+++ b/manifests/cabundle/cacert.pp
@@ -0,0 +1,76 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Helper for x509certs::cabundle.
+ *
+ * The resource name is used for specifying both the bundle where the
+ * CA certificate is stored, and the source of the CA certificate.  It
+ * should be on the form
+ *     BUNDLENAME ": " CASOURCE
+ * The actual bundle file will be <BUNDLENAME>-cabundle.pem under
+ * $x509certs::pki_certdir.  See the documentation about the calist
+ * parameter of x509certs::cabundle for information about what
+ * CASOURCE can be.
+ *
+ * Mostly intended for internal use in the x509certs module, but can
+ * possibly be useful for users as well, although the API isn't very
+ * nice to use.
+ */
+define x509certs::cabundle::cacert($source='', $ensure='present')
+{
+    include x509certs
+    include x509certs::config
+
+    $sourcebase = $source ? {
+	''	=> $x509certs::config::hostcert_source,
+	default	=> $source
+    }
+
+    if $name =~ /^(.*): +(.*)$/ {
+	$bundlename = $1
+	$casource = $2
+    } else {
+	fail("X509certs::Cabundle::Cacert[${title}]:",
+	     "Illegal name, no // separator")
+    }
+    $bundlefile = "${x509certs::pki_certdir}/${bundlename}-cabundle.pem"
+    $partname = regsubst($casource, '/', '_', 'G')
+    $bundle_partfile = "${bundlefile}/${partname}"
+
+    case $ensure
+    {
+	'absent': {
+	}
+	'present': {
+	    if $casource =~ /^gridca:(.*)/ {
+		$caname = $1
+		x509certs::gridca {
+		    $caname:
+			ensure => 'present';
+		}
+		concat::part {
+		    $bundle_partfile:
+			source => "${x509certs::grid_cadir}/${caname}.pem",
+			require => X509certs::Gridca[$caname];
+		}
+	    } elsif $casource !~ /.*[\/:].*/ {
+		concat::part {
+		    $bundle_partfile:
+			source => "${sourcebase}/${casource}.pem";
+		}
+	    } else {
+		concat::part {
+		    $bundle_partfile:
+			source => $casource;
+		}
+	    }
+	}
+	default: {
+	    fail("X509certs::Cabundle::Cacert[${title}]:",
+		 "Bad parameter ensure, ${ensure}")
+	}
+    }
+}
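Review bot: The `'absent'` arm of `case $ensure` is empty, so a CA removed by `ensure => 'absent'` leaves its `concat::part` fragment under `${bundlefile}/` untouched and, depending on how the concat module assembles the file, the certificate very likely remains in the trust bundle on the client — a trust anchor the operator believes is gone. The hostcert defines in this same commit already pass `ensure => $ensure` to `concat::part`, so the helper can do the same: `'absent': { concat::part { $bundle_partfile: ensure => 'absent'; } }`. Separately, the `fail()` text `Illegal name, no // separator` names the wrong delimiter; the regex immediately above splits on `": "`, so the message should read `"Illegal name, no \": \" separator"`.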
diff --git a/manifests/config.pp b/manifests/config.pp
new file mode 100644
index 0000000..423a118
--- /dev/null
+++ b/manifests/config.pp
@@ -0,0 +1,25 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Configuration of the x509certs module.
+ *
+ * Users of this module must instantiate this class with relevant
+ * parameters.
+ *
+ * NOTE!  This replaces the old x509certs::siteconfig class, which
+ * users previously were expected to define themselves.
+ */
+class x509certs::config(
+    # Source directory or Puppet URL where host certificates can be
+    # found.  Typically a puppet: URL that expands to a client-private
+    # directory on the Puppet master (i.e. one using %h or %H in the
+    # path in fileserver.conf).
+    #
+    $hostcert_source,
+)
+{
+    # Nothing inside this class
+}
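Review bot: `$hostcert_source` is declared with no data type even though the commit message makes Puppet 4 the baseline, so a mis-keyed Hiera value that yields `undef` or `''` is only noticed when each `file` source fails to resolve on the agent; `String[1] $hostcert_source,` rejects it at compile time. The comment's mention of `%h`/`%H` reads as a typical choice rather than a requirement, yet every hostcert define in this module fetches `<SOURCE>/<name>-key.pem` from this location, so a directory shared between nodes lets any agent retrieve any other host's private key through the file server. Suggest adding to the parameter comment: `# This MUST resolve to a per-node directory (%h/%H); a shared directory exposes every host's private key to every agent.`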
diff --git a/manifests/egi/lcg_cas.pp b/manifests/egi/lcg_cas.pp
new file mode 100644
index 0000000..0b10a2a
--- /dev/null
+++ b/manifests/egi/lcg_cas.pp
@@ -0,0 +1,21 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Install the IGTF CA certificates for all CA:s in the LHC Compute Grid.
+ */
+
+class x509certs::egi::lcg_cas
+{
+    include x509certs::egi::trustanchors
+    include x509certs::fetchcrl
+
+    package {
+	[ 'ca-policy-egi-core', 'ca-policy-lcg' ]:
+	    ensure => installed,
+	    require => Class['x509certs::egi::trustanchors'],
+	    notify => Exec['x509certs::fetchcrl::initial'];
+    }
+}
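Review bot: `ensure => installed` on `ca-policy-egi-core` and `ca-policy-lcg` pins whichever release is present at first install, so later trust-anchor distribution updates that withdraw or replace a CA are never applied by Puppet and the host keeps trusting anchors the federation has removed. If the intent is to track the IGTF feed (which is what pointing at the `current` repository suggests), `ensure => latest`, or a class parameter defaulting to it, is the safer choice for meta-packages whose only content is CA material. The existing `notify => Exec['x509certs::fetchcrl::initial']` would then also refresh CRLs after each bundle update.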
diff --git a/manifests/egi/trustanchors.pp b/manifests/egi/trustanchors.pp
new file mode 100644
index 0000000..29e44e4
--- /dev/null
+++ b/manifests/egi/trustanchors.pp
@@ -0,0 +1,28 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Configure the EGI trust anchors Yum repository, for CA certificates
+ * in the International Grid Trust Federation (IGTF).
+ *
+ * Note that packages for IGTF CAs also exists in e.g. NorduGrid repos,
+ * so we set a low priority (i.e. preferred over other repos), as this
+ * repo only holds CA packages and nothing else.
+ */
+
+class x509certs::egi::trustanchors
+{
+    $urlbase = 'http://repository.egi.eu/sw/production/cas/1'
+
+    yumrepo {
+	'egi-trustanchors':
+	    descr    => 'EGI Trust Anchors',
+	    baseurl  => "${urlbase}/current",
+	    gpgkey   => "${urlbase}/GPG-KEY-EUGridPMA-RPM-3",
+	    priority => 10,
+	    enabled  => 1,
+	    gpgcheck => 1;
+    }
+}
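Review bot: Both `baseurl` and `gpgkey` derive from `$urlbase = 'http://repository.egi.eu/...'`, so the GPG key that `gpgcheck => 1` depends on is itself fetched over plaintext HTTP; an on-path attacker who substitutes the key at first import can then supply "signed" `ca_*` packages into `/etc/grid-security/certificates`, which is precisely the trust store this module exists to protect. Change the scheme, `$urlbase = 'https://repository.egi.eu/sw/production/cas/1'`, assuming the repository serves TLS (I cannot confirm that from here), or better ship the key inside the module and point `gpgkey` at a `file:///etc/pki/rpm-gpg/...` path deployed by a `file` resource so the trust root never depends on the transport. Without `repo_gpgcheck => 1` the repository metadata also remains unauthenticated, which matters for a repo whose `current` pointer decides which CA set nodes receive.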
diff --git a/manifests/fetchcrl.pp b/manifests/fetchcrl.pp
new file mode 100644
index 0000000..1c9b60f
--- /dev/null
+++ b/manifests/fetchcrl.pp
@@ -0,0 +1,56 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Make sure the fetch-crl service is installed and running, to download
+ * updated revocation lists periodically.
+ */
+
+class x509certs::fetchcrl
+{
+    # Install Perl modules needed for fetch-crl to support HTTPS
+    case "${::operatingsystem}:${::operatingsystemrelease}"
+    {
+	/^(CentOS|RedHat|Scientific):(6)(\.[^:]+)?$/: {
+	    package {
+		'perl-IO-Socket-SSL':
+		    ensure => installed, before => Package['fetch-crl'],
+		    notify => Exec['x509certs::fetchcrl::initial'];
+	    }
+	}
+	/^(CentOS|RedHat|Scientific):(7)(\.[^:]+)?$/: {
+	    package {
+		'perl-LWP-Protocol-https':
+		    ensure => installed, before => Package['fetch-crl'],
+		    notify => Exec['x509certs::fetchcrl::initial'];
+	    }
+	}
+	default: {
+	    fail("X509certs::Fetchcrl: Unsupported operating system")
+	}
+    }
+
+    package {
+	'fetch-crl':
+	    ensure => installed,
+	    notify => Exec['x509certs::fetchcrl::initial'];
+	'nordugrid-arc-ca-utils':
+	    # Obsolete; now just an empty package depending on fetch-crl.
+	    ensure => absent;
+    }
+    service {
+	'fetch-crl-cron':
+	    enable => true, ensure => running,
+	    require => Package['fetch-crl'];
+	'fetch-crl-boot':
+	    enable => false,
+	    require => Package['fetch-crl'];
+    }
+    exec {
+	'x509certs::fetchcrl::initial':
+	    command => '/usr/sbin/fetch-crl -p 16',
+	    refreshonly => true;
+    }
+}
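Review bot: The `default:` arm's `fail("X509certs::Fetchcrl: Unsupported operating system")` discards the value that failed to match, so on any host outside the `6`/`7` release patterns (an EL8 node, for instance) the operator gets no hint of what was seen; include it: `fail("X509certs::Fetchcrl: Unsupported operating system ${::operatingsystem} ${::operatingsystemrelease}")`. Since the only per-release difference is which Perl HTTPS module is installed, the failure is also the sole thing stopping newer releases from working — worth noting in a comment so whoever extends the `case` knows to verify the module name rather than guess. The `exec` runs `fetch-crl -p 16` synchronously inside the agent run with Puppet's default 300 s `timeout`; on a fresh node with a full policy bundle that may need raising so a slow CRL mirror does not fail the whole run.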
diff --git a/manifests/grid_security_dir.pp b/manifests/grid_security_dir.pp
new file mode 100644
index 0000000..0528f9b
--- /dev/null
+++ b/manifests/grid_security_dir.pp
@@ -0,0 +1,18 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Helper class, to make sure the /etc/grid-security directory exists.
+ */
+class x509certs::grid_security_dir
+{
+    include x509certs
+
+    file {
+	$x509certs::grid_secdir:
+	    ensure => directory,
+	    owner => 'root', group => 'root', mode => '0755';
+    }
+}
diff --git a/manifests/gridca.pp b/manifests/gridca.pp
new file mode 100644
index 0000000..ad95757
--- /dev/null
+++ b/manifests/gridca.pp
@@ -0,0 +1,35 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Manage a grid CA certificate.
+ *
+ * These are assumed to be available as (RPM) packages name "ca_<NAME>",
+ * that provide the PEM file and any extra metadata files needed by the
+ * WLCG and EGI grids, including CRL URLs for fetch-crl.
+ *
+ * Note that configuring a repository where these CA packages
+ * can be found must be done separately, e.g. by using the
+ * x509certs::egi::trustanchors class.
+ */
+
+define x509certs::gridca($ensure='present')
+{
+    include x509certs::fetchcrl
+
+    case $ensure {
+	'present', 'absent': {
+	}
+	default: {
+	    fail("X509certs::Gridca[${title}]:",
+		 "Bad parameter ensure, ``${ensure}''")
+	}
+    }
+    package {
+	"ca_${name}":
+	    ensure => $ensure,
+	    notify => Exec['x509certs::fetchcrl::initial'];
+    }
+}
diff --git a/manifests/hostcert/combinechain.pp b/manifests/hostcert/combinechain.pp
new file mode 100644
index 0000000..57fea6f
--- /dev/null
+++ b/manifests/hostcert/combinechain.pp
@@ -0,0 +1,51 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Install host certificate and CA chain in one file, and key in another.
+ *
+ * The certificate and CA chain will be installed in the same file
+ * under /etc/pki/tls/certs in <NAME>-cert.pem.  The private key will be
+ * in a separate file <NAME>-key.pem under /etc/pki/tls/private, readable
+ * only by $owner and $group.
+ *
+ * The certificate, private key and CA chain will be loaded from
+ * separate files using the same logic as x509certs::hostcert::separate.
+ *
+ * This format is wanted by some software, e.g. Postfix and Dovecot.
+ */
+
+define x509certs::hostcert::combinechain($owner='root', $group='root',
+					 $sourcename='', $source='',
+					 $ensure='present')
+{
+    include x509certs
+    include x509certs::config
+
+    $sourcebase = $source ? {
+	''	=> $x509certs::config::hostcert_source,
+	default	=> $source
+    }
+    $srcname = $sourcename ? { '' => $name, default => $sourcename }
+
+    concat::file {
+	"${x509certs::pki_certdir}/${name}-cert.pem":
+	    ensure => $ensure,
+	    owner => $owner, group => $group, mode => '0444';
+    }
+    concat::part {
+	"${x509certs::pki_certdir}/${name}-cert.pem/01-cert.pem":
+	    source => "${sourcebase}/${srcname}-cert.pem", ensure => $ensure;
+	"${x509certs::pki_certdir}/${name}-cert.pem/02-chain.pem":
+	    source => "${sourcebase}/${srcname}-chain.pem", ensure => $ensure;
+    }
+
+    file {
+	"${x509certs::pki_keydir}/${name}-key.pem":
+	    source => "${sourcebase}/${srcname}-key.pem",
+	    owner => $owner, group => $group, mode => '0440',
+	    ensure => $ensure;
+    }
+}
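Review bot: The `file` resource for `${x509certs::pki_keydir}/${name}-key.pem` sets `mode => '0440'` but leaves Puppet's defaults for `backup` and `show_diff`, so each key rotation stores the superseded private key in the agent's clientbucket and, if diff display is enabled globally, key material can be emitted into logs and reports. Add `backup => false, show_diff => false,` alongside `mode => '0440'` so the key exists only at its destination. The `concat::file` for the certificate above is world-readable by design and needs no such change.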
diff --git a/manifests/hostcert/combinekey_cabundle.pp b/manifests/hostcert/combinekey_cabundle.pp
new file mode 100644
index 0000000..1de5077
--- /dev/null
+++ b/manifests/hostcert/combinekey_cabundle.pp
@@ -0,0 +1,57 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Install host certificate and private key in one file, and the CA
+ * chain and other CA certificates in another file.
+ *
+ * The certificate and private key will be installed in the same file
+ * under /etc/pki/tls/certs in <NAME>-cert.pem (readable only by the
+ * $owner and $group).  The CA chain will be in a separate file
+ * <NAME>-cabundle.pem together with the CA certificates in $calist.
+ *
+ * The certificate, private key and CA chain will be loaded from
+ * separate files using the same logic as x509certs::hostcert::separate.
+ *
+ * This is the format e.g. lighttpd requires (server certificate and
+ * private key in a common file, and all CA certificates, both the chain
+ * to its server certificate and the CA:s used for client authentication,
+ * together in another file).
+ */
+
+define x509certs::hostcert::combinekey_cabundle(
+		$calist=[], $owner='root', $group='root',
+		$sourcename='', $source='', $ensure='present')
+{
+    include x509certs
+    include x509certs::config
+
+    $sourcebase = $source ? {
+	''	=> $x509certs::config::hostcert_source,
+	default	=> $source
+    }
+    $srcname = $sourcename ? { '' => $name, default => $sourcename }
+
+    concat::file {
+	"${x509certs::pki_certdir}/${name}-cert.pem":
+	    ensure => $ensure,
+	    owner => $owner, group => $group, mode => '0440';
+    }
+    concat::part {
+	"${x509certs::pki_certdir}/${name}-cert.pem/cert.pem":
+	    source => "${sourcebase}/${srcname}-cert.pem", ensure => $ensure;
+	"${x509certs::pki_certdir}/${name}-cert.pem/key.pem":
+	    source => "${sourcebase}/${srcname}-key.pem", ensure => $ensure;
+    }
+    x509certs::cabundle {
+	$name:
+	    owner => $owner, group => $group, source => $source,
+	    calist => $calist, ensure => $ensure;
+    }
+    x509certs::cabundle::cacert {
+	"${name}: ${sourcebase}/${srcname}-chain.pem":
+	    source => $source, ensure => $ensure;
+    }
+}
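Review bot: The private key is delivered as a `concat::part` fragment at `${x509certs::pki_certdir}/${name}-cert.pem/key.pem`, i.e. into a fragment directory under the world-readable certs tree, while only the assembled `concat::file` carries `mode => '0440'`; nothing in this hunk constrains the owner or mode of the fragment itself, so whether the key is world-readable on disk between runs depends entirely on what the concat module does with unspecified fragment permissions. Confirm that behaviour and, if `concat::part` accepts them, pass `owner => $owner, group => $group, mode => '0440'` on the `key.pem` fragment (or, if the module allows it, keep the fragment directory under `${x509certs::pki_keydir}`). Unlike `x509certs::hostcert::separate` in this commit, this define also does not validate `$ensure`, so a typo such as `ensure => 'presnt'` is passed straight through to `concat::file` and the cabundle resources; copying the `case $ensure` guard from `separate` would make the three hostcert defines consistent.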
diff --git a/manifests/hostcert/separate.pp b/manifests/hostcert/separate.pp
new file mode 100644
index 0000000..bf31d67
--- /dev/null
+++ b/manifests/hostcert/separate.pp
@@ -0,0 +1,58 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Install host certificate, private key and CA chain.
+ * These three will be installed in separate files under /etc/pki/tls.
+ * Source is <SOURCE>/<SOURCENAME>-{cert,chain,key}.pem.  $sourcename
+ * defaults to the name for the resource if not specified.  If $source
+ * is not specified, $x509certs::config::hostcert_source is used.
+ *
+ * If the certificate is self-signed, and thus no CA chain exists,
+ * the chain source file must still exist, and should then either be
+ * empty, or contain the certificate itself.  (Apache httpd, e.g, does
+ * not like the chain file being empty, but repeating the certificate
+ * in the chain file works fine; other applications may have other
+ * rules.)
+ */
+
+define x509certs::hostcert::separate($owner='root', $group='root',
+				     $sourcename='', $source='',
+				     $ensure='present')
+{
+    include x509certs
+    include x509certs::config
+
+    case $ensure {
+	'present', 'absent': {
+	}
+	default: {
+	    fail("X509certs::Hostcert::Separate[${title}]:",
+		 "Bad parameter ensure, ``${ensure}''")
+	}
+    }
+    $sourcebase = $source ? {
+	''	=> $x509certs::config::hostcert_source,
+	default	=> $source
+    }
+    $srcname = $sourcename ? { '' => $name, default => $sourcename }
+
+    file {
+	"${x509certs::pki_certdir}/${name}-cert.pem":
+	    source => "${sourcebase}/${srcname}-cert.pem",
+	    owner => $owner, group => $group, mode => '0444',
+	    ensure => $ensure;
+
+	"${x509certs::pki_certdir}/${name}-chain.pem":
+	    source => "${sourcebase}/${srcname}-chain.pem",
+	    owner => $owner, group => $group, mode => '0444',
+	    ensure => $ensure;
+
+	"${x509certs::pki_keydir}/${name}-key.pem":
+	    source => "${sourcebase}/${srcname}-key.pem",
+	    owner => $owner, group => $group, mode => '0440',
+	    ensure => $ensure;
+    }
+}
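Review bot: The key file `${x509certs::pki_keydir}/${name}-key.pem` gets `mode => '0440'` but no `backup => false` or `show_diff => false`, so Puppet's defaults retain a copy of every replaced private key in the agent's clientbucket and can print key content into the report if diff display is turned on globally; add `backup => false, show_diff => false,` next to `mode => '0440'`. For a define whose purpose is placing key material, those two attributes are as much part of the confidentiality story as the mode bits, and the `$ensure` guard already present here shows the define is the right place to be strict.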
diff --git a/manifests/init.pp b/manifests/init.pp
index 1909044..7530ed0 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -3,314 +3,6 @@
 # Licensed under the GNU LGPL v3+; see the README file for more information.
 
 
-/*
- * Configuration of the x509certs module.
- *
- * Users of this module must instantiate this class with relevant
- * parameters.
- *
- * NOTE!  This replaces the old x509certs::siteconfig class, which
- * users previously were expected to define themselves.
- */
-class x509certs::config(
-    # Source directory or Puppet URL where host certificates can be
-    # found.  Typically a puppet: URL that expands to a client-private
-    # directory on the Puppet master (i.e. one using %h or %H in the
-    # path in fileserver.conf).
-    #
-    $hostcert_source,
-)
-{
-    # Nothing inside this class
-}
-
-
-
-/*
- * Directory locations and other constants.
- *
- * This currently assumes a RedHat:ish system.
- */
-class x509certs
-{
-    $pki_certdir = '/etc/pki/tls/certs'
-    $pki_keydir  = '/etc/pki/tls/private'
-    $grid_secdir = '/etc/grid-security'
-    $grid_cadir  = "${grid_secdir}/certificates"
-}
-
-
-
-/*
- * Install host certificate, private key and CA chain.
- * These three will be installed in separate files under /etc/pki/tls.
- * Source is <SOURCE>/<SOURCENAME>-{cert,chain,key}.pem.  $sourcename
- * defaults to the name for the resource if not specified.  If $source
- * is not specified, $x509certs::config::hostcert_source is used.
- *
- * If the certificate is self-signed, and thus no CA chain exists,
- * the chain source file must still exist, and should then either be
- * empty, or contain the certificate itself.  (Apache httpd, e.g, does
- * not like the chain file being empty, but repeating the certificate
- * in the chain file works fine; other applications may have other
- * rules.)
- */
-
-define x509certs::hostcert::separate($owner='root', $group='root',
-				     $sourcename='', $source='',
-				     $ensure='present')
-{
-    include x509certs
-    include x509certs::config
-
-    case $ensure {
-	'present', 'absent': {
-	}
-	default: {
-	    fail("X509certs::Hostcert::Separate[${title}]:",
-		 "Bad parameter ensure, ``${ensure}''")
-	}
-    }
-    $sourcebase = $source ? {
-	''	=> $x509certs::config::hostcert_source,
-	default	=> $source
-    }
-    $srcname = $sourcename ? { '' => $name, default => $sourcename }
-
-    file {
-	"${x509certs::pki_certdir}/${name}-cert.pem":
-	    source => "${sourcebase}/${srcname}-cert.pem",
-	    owner => $owner, group => $group, mode => '0444',
-	    ensure => $ensure;
-
-	"${x509certs::pki_certdir}/${name}-chain.pem":
-	    source => "${sourcebase}/${srcname}-chain.pem",
-	    owner => $owner, group => $group, mode => '0444',
-	    ensure => $ensure;
-
-	"${x509certs::pki_keydir}/${name}-key.pem":
-	    source => "${sourcebase}/${srcname}-key.pem",
-	    owner => $owner, group => $group, mode => '0440',
-	    ensure => $ensure;
-    }
-}
-
-
-
-/*
- * Install host certificate and private key in one file, and the CA
- * chain and other CA certificates in another file.
- *
- * The certificate and private key will be installed in the same file
- * under /etc/pki/tls/certs in <NAME>-cert.pem (readable only by the
- * $owner and $group).  The CA chain will be in a separate file
- * <NAME>-cabundle.pem together with the CA certificates in $calist.
- *
- * The certificate, private key and CA chain will be loaded from
- * separate files using the same logic as x509certs::hostcert::separate.
- *
- * This is the format e.g. lighttpd requires (server certificate and
- * private key in a common file, and all CA certificates, both the chain
- * to its server certificate and the CA:s used for client authentication,
- * together in another file).
- */
-
-define x509certs::hostcert::combinekey_cabundle(
-		$calist=[], $owner='root', $group='root',
-		$sourcename='', $source='', $ensure='present')
-{
-    include x509certs
-    include x509certs::config
-
-    $sourcebase = $source ? {
-	''	=> $x509certs::config::hostcert_source,
-	default	=> $source
-    }
-    $srcname = $sourcename ? { '' => $name, default => $sourcename }
-
-    concat::file {
-	"${x509certs::pki_certdir}/${name}-cert.pem":
-	    ensure => $ensure,
-	    owner => $owner, group => $group, mode => '0440';
-    }
-    concat::part {
-	"${x509certs::pki_certdir}/${name}-cert.pem/cert.pem":
-	    source => "${sourcebase}/${srcname}-cert.pem", ensure => $ensure;
-	"${x509certs::pki_certdir}/${name}-cert.pem/key.pem":
-	    source => "${sourcebase}/${srcname}-key.pem", ensure => $ensure;
-    }
-    x509certs::cabundle {
-	$name:
-	    owner => $owner, group => $group, source => $source,
-	    calist => $calist, ensure => $ensure;
-    }
-    x509certs::cabundle::cacert {
-	"${name}: ${sourcebase}/${srcname}-chain.pem":
-	    source => $source, ensure => $ensure;
-    }
-}
-
-
-
-/*
- * Install host certificate and CA chain in one file, and key in another.
- *
- * The certificate and CA chain will be installed in the same file
- * under /etc/pki/tls/certs in <NAME>-cert.pem.  The private key will be
- * in a separate file <NAME>-key.pem under /etc/pki/tls/private, readable
- * only by $owner and $group.
- *
- * The certificate, private key and CA chain will be loaded from
- * separate files using the same logic as x509certs::hostcert::separate.
- *
- * This format is wanted by some software, e.g. Postfix and Dovecot.
- */
-
-define x509certs::hostcert::combinechain($owner='root', $group='root',
-					 $sourcename='', $source='',
-					 $ensure='present')
-{
-    include x509certs
-    include x509certs::config
-
-    $sourcebase = $source ? {
-	''	=> $x509certs::config::hostcert_source,
-	default	=> $source
-    }
-    $srcname = $sourcename ? { '' => $name, default => $sourcename }
-
-    concat::file {
-	"${x509certs::pki_certdir}/${name}-cert.pem":
-	    ensure => $ensure,
-	    owner => $owner, group => $group, mode => '0444';
-    }
-    concat::part {
-	"${x509certs::pki_certdir}/${name}-cert.pem/01-cert.pem":
-	    source => "${sourcebase}/${srcname}-cert.pem", ensure => $ensure;
-	"${x509certs::pki_certdir}/${name}-cert.pem/02-chain.pem":
-	    source => "${sourcebase}/${srcname}-chain.pem", ensure => $ensure;
-    }
-
-    file {
-	"${x509certs::pki_keydir}/${name}-key.pem":
-	    source => "${sourcebase}/${srcname}-key.pem",
-	    owner => $owner, group => $group, mode => '0440',
-	    ensure => $ensure;
-    }
-}
-
-
-
-/*
- * Manage a CA bundle.
- *
- * Install the CA certificates in $calist into <NAME>-cabundle.pem
- * under /etc/pki/tls/certs.  Each element in $calist can be one of
- *  - A local file name on the client (absolute path).
- *  - A puppet: URL.
- *  - The special form "gridca:<CANAME>" (e.g. "gridca:NorduGrid").
- *    This installs that CA package, using x509::gridca, and uses the
- *    certificate file from there.  (Note that this will clash if the CA
- *    package is managed elsewhere in your manifests.)
- *  - A filename under $source (or $x509certs::config::hostcert_source
- *    if not specified), without any slashes or colons in it. The suffix
- *    ".pem" will be added automatically.
- * Each such source can itself contain multiple certificates.
- */
-
-define x509certs::cabundle($calist=[], $owner='root', $group='root',
-			   $source='', $ensure='present')
-{
-    include x509certs
-
-    concat::file {
-	"${x509certs::pki_certdir}/${name}-cabundle.pem":
-	    owner => $owner, group => $group, mode => '0444',
-	    ensure => $ensure;
-    }
-    if $ensure == 'present' {
-	$x_calist = regsubst($calist, '^', "${name}: ")
-	x509certs::cabundle::cacert {
-	    $x_calist:
-		source => $source;
-	}
-    }
-}
-
-
-/*
- * Helper for x509certs::cabundle.
- *
- * The resource name is used for specifying both the bundle where the
- * CA certificate is stored, and the source of the CA certificate.  It
- * should be on the form
- *     BUNDLENAME ": " CASOURCE
- * The actual bundle file will be <BUNDLENAME>-cabundle.pem under
- * $x509certs::pki_certdir.  See the documentation about the calist
- * parameter of x509certs::cabundle for information about what
- * CASOURCE can be.
- *
- * Mostly intended for internal use in the x509certs module, but can
- * possibly be useful for users as well, although the API isn't very
- * nice to use.
- */
-define x509certs::cabundle::cacert($source='', $ensure='present')
-{
-    include x509certs
-    include x509certs::config
-
-    $sourcebase = $source ? {
-	''	=> $x509certs::config::hostcert_source,
-	default	=> $source
-    }
-
-    if $name =~ /^(.*): +(.*)$/ {
-	$bundlename = $1
-	$casource = $2
-    } else {
-	fail("X509certs::Cabundle::Cacert[${title}]:",
-	     "Illegal name, no // separator")
-    }
-    $bundlefile = "${x509certs::pki_certdir}/${bundlename}-cabundle.pem"
-    $partname = regsubst($casource, '/', '_', 'G')
-    $bundle_partfile = "${bundlefile}/${partname}"
-
-    case $ensure
-    {
-	'absent': {
-	}
-	'present': {
-	    if $casource =~ /^gridca:(.*)/ {
-		$caname = $1
-		x509certs::gridca {
-		    $caname:
-			ensure => 'present';
-		}
-		concat::part {
-		    $bundle_partfile:
-			source => "${x509certs::grid_cadir}/${caname}.pem",
-			require => X509certs::Gridca[$caname];
-		}
-	    } elsif $casource !~ /.*[\/:].*/ {
-		concat::part {
-		    $bundle_partfile:
-			source => "${sourcebase}/${casource}.pem";
-		}
-	    } else {
-		concat::part {
-		    $bundle_partfile:
-			source => $casource;
-		}
-	    }
-	}
-	default: {
-	    fail("X509certs::Cabundle::Cacert[${title}]:",
-		 "Bad parameter ensure, ${ensure}")
-	}
-    }
-}
-
-
 
 /*
  * Manage a "grid host certificate".
@@ -412,148 +104,16 @@ class x509certs::hostcert::gridcert::absent
 
 
 
-/*
- * Make sure the fetch-crl service is installed and running, to download
- * updated revocation lists periodically.
- */
-
-class x509certs::fetchcrl
-{
-    # Install Perl modules needed for fetch-crl to support HTTPS
-    case "${::operatingsystem}:${::operatingsystemrelease}"
-    {
-	/^(CentOS|RedHat|Scientific):(6)(\.[^:]+)?$/: {
-	    package {
-		'perl-IO-Socket-SSL':
-		    ensure => installed, before => Package['fetch-crl'],
-		    notify => Exec['x509certs::fetchcrl::initial'];
-	    }
-	}
-	/^(CentOS|RedHat|Scientific):(7)(\.[^:]+)?$/: {
-	    package {
-		'perl-LWP-Protocol-https':
-		    ensure => installed, before => Package['fetch-crl'],
-		    notify => Exec['x509certs::fetchcrl::initial'];
-	    }
-	}
-	default: {
-	    fail("X509certs::Fetchcrl: Unsupported operating system")
-	}
-    }
-
-    package {
-	'fetch-crl':
-	    ensure => installed,
-	    notify => Exec['x509certs::fetchcrl::initial'];
-	'nordugrid-arc-ca-utils':
-	    # Obsolete; now just an empty package depending on fetch-crl.
-	    ensure => absent;
-    }
-    service {
-	'fetch-crl-cron':
-	    enable => true, ensure => running,
-	    require => Package['fetch-crl'];
-	'fetch-crl-boot':
-	    enable => false,
-	    require => Package['fetch-crl'];
-    }
-    exec {
-	'x509certs::fetchcrl::initial':
-	    command => '/usr/sbin/fetch-crl -p 16',
-	    refreshonly => true;
-    }
-}
-
-
 
 /*
- * Manage a grid CA certificate.
- *
- * These are assumed to be available as (RPM) packages name "ca_<NAME>",
- * that provide the PEM file and any extra metadata files needed by the
- * WLCG and EGI grids, including CRL URLs for fetch-crl.
- *
- * Note that configuring a repository where these CA packages
- * can be found must be done separately, e.g. by using the
- * x509certs::egi::trustanchors class.
- */
-
-define x509certs::gridca($ensure='present')
-{
-    include x509certs::fetchcrl
-
-    case $ensure {
-	'present', 'absent': {
-	}
-	default: {
-	    fail("X509certs::Gridca[${title}]:",
-		 "Bad parameter ensure, ``${ensure}''")
-	}
-    }
-    package {
-	"ca_${name}":
-	    ensure => $ensure,
-	    notify => Exec['x509certs::fetchcrl::initial'];
-    }
-}
-
-
-
-/*
- * Configure the EGI trust anchors Yum repository, for CA certificates
- * in the International Grid Trust Federation (IGTF).
+ * Directory locations and other constants.
  *
- * Note that packages for IGTF CAs also exists in e.g. NorduGrid repos,
- * so we set a low priority (i.e. preferred over other repos), as this
- * repo only holds CA packages and nothing else.
- */
-
-class x509certs::egi::trustanchors
-{
-    $urlbase = 'http://repository.egi.eu/sw/production/cas/1'
-
-    yumrepo {
-	'egi-trustanchors':
-	    descr    => 'EGI Trust Anchors',
-	    baseurl  => "${urlbase}/current",
-	    gpgkey   => "${urlbase}/GPG-KEY-EUGridPMA-RPM-3",
-	    priority => 10,
-	    enabled  => 1,
-	    gpgcheck => 1;
-    }
-}
-
-
-
-/*
- * Install the IGTF CA certificates for all CA:s in the LHC Compute Grid.
- */
-
-class x509certs::egi::lcg_cas
-{
-    include x509certs::egi::trustanchors
-    include x509certs::fetchcrl
-
-    package {
-	[ 'ca-policy-egi-core', 'ca-policy-lcg' ]:
-	    ensure => installed,
-	    require => Class['x509certs::egi::trustanchors'],
-	    notify => Exec['x509certs::fetchcrl::initial'];
-    }
-}
-
-
-
-/*
- * Helper class, to make sure the /etc/grid-security directory exists.
+ * This currently assumes a RedHat:ish system.
  */
-class x509certs::grid_security_dir
+class x509certs
 {
-    include x509certs
-
-    file {
-	$x509certs::grid_secdir:
-	    ensure => directory,
-	    owner => 'root', group => 'root', mode => '0755';
-    }
+    $pki_certdir = '/etc/pki/tls/certs'
+    $pki_keydir  = '/etc/pki/tls/private'
+    $grid_secdir = '/etc/grid-security'
+    $grid_cadir  = "${grid_secdir}/certificates"
 }
-- 
GitLab