# @summary
#   Manage a CA Certificate in the shared system-wide truststore.
#
# @example
#   ca_cert::ca { 'globalsign_org_intermediate':
#     source => 'http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt',
#   }
#
# @param ensure
#   Whether or not the CA certificate should be on a system or not.
#   - `present`/`absent` is used to manage local/none default CAs.
#   - `trusted`/`distrusted` is used to manage system CAs.
#
# @param allow_insecure_source
#   Whether to allow insecure download or not. Passed straight through to the
#   `allow_insecure` parameter of the `archive` resource when `source` is used.
#
# @param source
#   A source certificate, which will be copied into place on the local system.
#   This attribute is mutually exclusive with `content`. Note that the define
#   does not enforce this: when both are given, `source` is used and `content`
#   is silently ignored.
#   Uri support, see puppet-archive.
#
# @param content
#   PEM formatted certificate content
#   This attribute is mutually exclusive with `source` (see above).
#
# @param checksum
#   The checksum of the file. Optional, but strongly recommended whenever
#   `source` points at a remote location (the example above uses plain http):
#   nothing in this define verifies the downloaded certificate before it is
#   placed in the truststore, so the checksum is the only integrity check.
#
# @param checksum_type
#   The type of file checksum.
#
# @param proxy_server
#   Proxy address to use when accessing source
#
# @param proxy_type
#   Proxy type ( See `archive::proxy_type` )
#
define ca_cert::ca (
  Enum['present', 'absent', 'trusted', 'distrusted'] $ensure = 'present',
  Boolean $allow_insecure_source = false,
  Optional[String[1]] $source = undef,
  Optional[String[1]] $content = undef,
  Optional[String[1]] $checksum = undef,
  Optional[String[1]] $checksum_type = undef,
  Optional[String[1]] $proxy_server = undef,
  Optional[String[1]] $proxy_type = undef,
) {
  include ca_cert
  # Determine Full Resource Name: the define title plus the OS-specific
  # extension. The title is used verbatim as a filename and (on Debian) inside
  # shell commands below, so it is expected to be a plain filename stem.
  $resource_name = "${name}.${ca_cert::ca_file_extension}"
  # present/absent manage a file in the trusted directory; trusted/distrusted
  # manage a marker file in the distrusted directory (non-Debian path below).
  # The Enum on $ensure guarantees one of the four values, so `default` is
  # never reached and $ca_cert is always set.
  case $ensure {
    'present', 'absent': {
      $ca_cert = "${ca_cert::trusted_cert_dir}/${resource_name}"
    }
    'trusted', 'distrusted': {
      $ca_cert = "${ca_cert::distrusted_cert_dir}/${resource_name}"
    }
    default: {}
  }
  # On Debian we trust/distrust OS-provided CAs in config: a leading `!` on
  # the certificate's line in ca_certificates_conf marks it as distrusted, and
  # these execs add or strip that prefix.
  #
  # NOTE(review): $resource_name is interpolated unquoted into both the sed
  # regex and the grep command lines. Titles containing whitespace, quotes or
  # shell/regex metacharacters will break or alter these commands, and the `.`
  # before the extension is an unescaped regex metacharacter (matches any
  # character). The `grep -q ${resource_name}` guard is also an unanchored
  # substring match, so a title that is a suffix of another entry's name can
  # satisfy it. Consider escaping/quoting the name if titles are not fully
  # controlled by the manifest author.
  if $facts['os']['family'] == 'Debian' and member(['trusted', 'distrusted'], $ensure) {
    if $ensure == 'trusted' {
      # Only runs when the entry exists AND is currently prefixed with `!`.
      exec { "trust ca ${resource_name}":
        command => "sed -ri \'s|!(.*)${resource_name}|\\1${resource_name}|\' ${ca_cert::ca_certificates_conf}",
        onlyif  => "grep -q ${resource_name} ${ca_cert::ca_certificates_conf} && grep -q \'^!.*${resource_name}\' ${ca_cert::ca_certificates_conf}",
        path    => ['/bin','/usr/bin'],
        notify  => Exec['ca_cert_update'],
      }
    } else {
      # Only runs when the entry exists AND is not yet prefixed with `!`.
      exec { "distrust ca ${resource_name}":
        command => "sed -ri \'s|(.*)${resource_name}|!\\1${resource_name}|\' ${ca_cert::ca_certificates_conf}",
        onlyif  => "grep -q ${resource_name} ${ca_cert::ca_certificates_conf} && grep -q \'^[^!].*${resource_name}\' ${ca_cert::ca_certificates_conf}",
        path    => ['/bin','/usr/bin'],
        notify  => Exec['ca_cert_update'],
      }
    }
  }
  else {
    # Every other case is handled by placing or removing a file; the trust
    # store is then rebuilt by Exec['ca_cert_update'], which is expected to be
    # declared by the included `ca_cert` class (not visible in this file).
    case $ensure {
      # 'present' installs a local CA; 'distrusted' drops a copy into the
      # distrusted directory. Both need certificate material from `source`
      # or `content`.
      'present', 'distrusted': {
        if $source {
          # Download via archive (checksum verification only if $checksum is
          # set), then fix ownership/permissions on the resulting file.
          archive { $ca_cert:
            ensure         => 'present',
            source         => $source,
            checksum       => $checksum,
            checksum_type  => $checksum_type,
            allow_insecure => $allow_insecure_source,
            proxy_server   => $proxy_server,
            proxy_type     => $proxy_type,
            notify         => Exec['ca_cert_update'],
          }
          -> file { $ca_cert:
            ensure => 'file',
            owner  => 'root',
            group  => $ca_cert::ca_file_group,
            mode   => $ca_cert::ca_file_mode,
            notify => Exec['ca_cert_update'],
          }
        } elsif $content {
          # Inline PEM content; reached only when $source was not given.
          file { $ca_cert:
            ensure  => 'file',
            content => $content,
            owner   => 'root',
            group   => $ca_cert::ca_file_group,
            mode    => $ca_cert::ca_file_mode,
            notify  => Exec['ca_cert_update'],
          }
        } else {
          fail('Either `source` or `content` is required')
        }
      }
      # 'absent' removes a local CA from the trusted directory; 'trusted'
      # removes the marker from the distrusted directory (see $ca_cert above).
      'absent', 'trusted': {
        file { $ca_cert:
          ensure => absent,
          notify => Exec['ca_cert_update'],
        }
      }
      default: {}
    }
  }
}