From fedad439ba2f0e75f19935810e2d479c2f21e01f Mon Sep 17 00:00:00 2001
From: Thomas Johansson <thomas.johansson@liu.se>
Date: Wed, 16 Aug 2023 01:17:05 +0200
Subject: [PATCH] Switch from pure binary pkcs7 to base64+pkcs7 for keytabs to
 avoid puppet 8 serialize issues

---
 data/common.yaml  | 26 ++++++++++++++++++++++++++
 manifests/auth.pp | 20 ++++++++++++++++++--
 2 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/data/common.yaml b/data/common.yaml
index e141477..6d593aa 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -26,6 +26,32 @@ aes::auth::keytab_devel: >
   IcAIbgvoQbriFHLJiL9HIWl6GSe6I/jp9n5veEkhHdT3M0nEEc0hbKWBaELj
   gTDWfQoET9V1Lrtv]
 
+aes::auth::keytab_production_base64: >
+  ENC[PKCS7,MIIB6wYJKoZIhvcNAQcDoIIB3DCCAdgCAQAxggEhMIIBHQIBADAFMAACAQEw
+  DQYJKoZIhvcNAQEBBQAEggEAWDNqT2ab63HdYWzW2/9TZrsxEcdDvJBKl87f
+  vNVOQveZOoK2vBSaGb0Mzs5AQrY02ib2mBEZKsIgyI5JIPJRc+KAPVsjOOa1
+  vYx8N/VazTPWEIEtCMXG5wwR2P+ws/mzU9ztcDd4E1Hh5k8bRsu/krTGn783
+  QF1I+FEod9tYd1vMMpRkd1nkGq0GJtRHv9Xteb3DN6XJkdrdMaNpKw8Cemj/
+  N96wTtcL72LvogBpgzueQJ8+XdyFJCmWqk1lQV7pyllOIcnXrIcAz9E7TRXz
+  kCjq3Lr2MPnpptV8CDhoIUuEiNfGAQIWa3DQJIPzuz5gtug9Am1XDvbg9Bxx
+  VQ2FmjCBrQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQAjUES6mKmlxRmzIZ
+  wu7L04CBgACGs/1vQi4G6v4Lz99FyonAjwsGU/texX/8Xgchp7emzkgLgqqz
+  BnDIXQukEIHBA5sBiBSYbvztTj99QQ2+hjS0fIyclQHa1xACtzeWJeGuf7Wh
+  /SVEJY3QpTspf98UwahjqrDLrGNK/my8Wc0U4ji4dozFhDl1WGcTyYUp5Zgn]
+
+aes::auth::keytab_devel_base64: >
+  ENC[PKCS7,MIIB6wYJKoZIhvcNAQcDoIIB3DCCAdgCAQAxggEhMIIBHQIBADAFMAACAQEw
+  DQYJKoZIhvcNAQEBBQAEggEAIlqY2OywFv+nNU225WBoKCqDOoPLak73Di0u
+  Qm+zyFOroYQMYfzvCQ38U41wQanG3TdRaK9G9EoG3uX9qR/9AEYi9YWCq/YN
+  uhR7baNq4TEGsIkf/DoeMPh/LJGgQm8UGgRFj2cxTVERe/g1PC54LzuvmuHj
+  lk2KS1MYltGhnZoumczTFlk+1qGwzTzyGglSxt8EFbDJgLr5YEwWbgyhHQVg
+  C1HK53N5UeCUdJrRePDOoSfhXTq2TkzcmeuO6DMV+3pnb6IXdweBQTDikGnM
+  Bd5GSOx0U0njCVOeXqSmWAhDu2hCtryshbhhhiv+qL7cQ5yDulZIj6YaRb0X
+  CNCuXDCBrQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ1yi1qYaUepK4KbkL
+  YTGfO4CBgKPQ++rfV6Nw1M5qPgLS6gsvkOEAe+9FFiFWH1uTNqoZX9jSO4tZ
+  F0y5pwJ4OpjQS0oiInF+rxET2PTnND6yNtxeSkBncAWnNHA80Z2U7BOZG6Lw
+  BbBuhpmotOaWx2thqdb2sCNlj3yZMT1k62VXU8rBqzRA3Vj7jiRiXXxcSnnQ]
+
 aes::tal_cli::credentials: >
   ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBAD
   AFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAii6nHpFM6+6aPuw1Qnawf77K7f
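Review bot: The hunk adds `aes::auth::keytab_production_base64` and `aes::auth::keytab_devel_base64` while the original `aes::auth::keytab_production` / `aes::auth::keytab_devel` ciphertexts (context above, lines 17-18) stay in the file, so the same keytab material now lives in hiera under two encodings. The commit message presents this as a migration away from the binary form; I would add a comment above the old entries, e.g. `# Superseded by the *_base64 entries below; remove once no node reads these`, and schedule their removal so the secret is not kept in two places longer than the comparison needs. If any host can still look up the old keys via a different hiera layer, that should be noted in the same comment.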
diff --git a/manifests/auth.pp b/manifests/auth.pp
index ae5ba62..d950cb8 100644
--- a/manifests/auth.pp
+++ b/manifests/auth.pp
@@ -1,12 +1,28 @@
+#  # New keytab base64+pkcs7 encoded
+#  Optional[String] $keytab_base64      = undef, # Kerberos keytab file for HTTP/fqdn (ida-web)
+#  Optional[String] $keytab2_base64     = undef, # Kerberos keytab file for HTTP/fqdn (ida-web2)
+#) {
 class aes::auth (
-  Optional[String] $keytab_production = undef,
-  Optional[String] $keytab_devel = undef
+  # Comment out old keytab params but
+  # keep temporay for comparison
+  #
+  # # Existing keytabs
+  # Optional[String] $keytab_production = undef,
+  # Optional[String] $keytab_devel = undef
+  #
+  # new base64+pkcs7 keytabs
+  Optional[String] $keytab_production_base64 = undef,
+  Optional[String] $keytab_devel_base64 = undef
 ) {
   $auth_user = auth
   $auth_group = $auth_user
   $auth_home = "/srv/${auth_user}"
   $auth_service = 'aes_auth'
 
+  # Decode base64 encoded keytabs
+  $keytab_production  = Binary.new($keytab_production_base64, '%b')
+  $keytab_devel = Binary.new($keytab_devel_base64, '%b')
+
   # Pick the right keytab for the current environment. We use the fqdn rather than 
   # $environment since the keys are tied to the domain name rather than what 
   # environment the machine is configured in.
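Review bot: `Binary.new($keytab_production_base64, '%b')` and the `$keytab_devel` line below it are evaluated unconditionally, but both new parameters are `Optional[String]` defaulting to `undef`; as far as I can tell `Binary.new` rejects an `Undef` argument, so any node that supplies only one keytab (or neither), which the old `Optional` parameters allowed, now fails at catalog compile time instead of getting an undef keytab. Guard the decode on definedness: `$keytab_production = $keytab_production_base64 ? { undef => undef, default => Binary.new($keytab_production_base64, '%b') }` and `$keytab_devel = $keytab_devel_base64 ? { undef => undef, default => Binary.new($keytab_devel_base64, '%b') }`. The four commented lines inserted above `class aes::auth (` (`$keytab_base64`, `$keytab2_base64`, `ida-web`, `#) {`) do not belong to this class's parameter list and read as a stray paste; drop them or move them into the parameter comment block, where `temporay` should also be `temporary`. The class body continues past the end of the hunk, so where the decoded values are consumed is not visible here.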
-- 
GitLab