Extract client_cert profile

mlibrary · Aug 1, 2022 · 9b20978 · 9b20978
1 parent 98ae5fc
commit 9b20978
Show file tree

Hide file tree

Showing 5 changed files with 91 additions and 25 deletions.
diff --git a/manifests/profile/client_cert.pp b/manifests/profile/client_cert.pp
@@ -0,0 +1,37 @@
+# Copyright (c) 2022 The Regents of the University of Michigan.
+# All Rights Reserved. Licensed according to the terms of the Revised
+# BSD License. See LICENSE.txt for details.
+
+# nebula::profile::client_cert
+#
+# Put a copy of the certificate this host uses to talk to the
+# puppetserver where apache can see it. This way, the host will be able
+# to verify its authenticity with anyone that trusts our puppet CA.
+#
+# @example Including the profile
+#   include nebula::profile::client_cert
+#
+# @example Adding the certificate to an apache vhost
+#   ssl_proxy_machine_cert => $nebula::profile::client_cert::path,
+class nebula::profile::client_cert {
+  $certname = $trusted['certname'];
+  $path = "/etc/ssl/private/${certname}.pem";
+
+  concat { $path:
+    ensure => 'present',
+    mode   => '0600',
+    owner  => 'root',
+  }
+
+  concat::fragment { "${path} cert":
+    target => $path,
+    source => "/etc/puppetlabs/puppet/ssl/certs/${certname}.pem",
+    order  =>  1
+  }
+
+  concat::fragment { "${path} key":
+    target => $path,
+    source => "/etc/puppetlabs/puppet/ssl/private_keys/${certname}.pem",
+    order  =>  2
+  }
+}
diff --git a/manifests/profile/hathitrust/apache/babel.pp b/manifests/profile/hathitrust/apache/babel.pp
@@ -1,4 +1,4 @@
-# Copyright (c) 2018 The Regents of the University of Michigan.
+# Copyright (c) 2018, 2022 The Regents of the University of Michigan.
 # All Rights Reserved. Licensed according to the terms of the Revised
 # BSD License. See LICENSE.txt for details.
 
@@ -25,6 +25,8 @@
   Array[String] $cache_paths = [ ],
 ) {
 
+  include nebula::profile::client_cert
+
   ### MONITORING
 
   $monitor_location = '/monitor'
@@ -58,29 +60,6 @@
     hour    => '1',
   }
 
-  ### client cert
-
-  $certname = $trusted['certname'];
-  $client_cert = "/etc/ssl/private/${certname}.pem";
-
-  concat { $client_cert:
-    ensure => 'present',
-    mode   => '0600',
-    owner  => 'root',
-  }
-
-  concat::fragment { 'client cert':
-    target => $client_cert,
-    source => "/etc/puppetlabs/puppet/ssl/certs/${certname}.pem",
-    order  =>  1
-  }
-
-  concat::fragment { 'client key':
-    target => $client_cert,
-    source => "/etc/puppetlabs/puppet/ssl/private_keys/${certname}.pem",
-    order  =>  2
-  }
-
   ## VHOST DEFINITION
 
   $servername = "${prefix}babel.${domain}"
@@ -353,7 +332,7 @@
     ssl_proxyengine             => true,
     ssl_proxy_check_peer_name   => 'on',
     ssl_proxy_check_peer_expire => 'on',
-    ssl_proxy_machine_cert      => $client_cert,
+    ssl_proxy_machine_cert      => $nebula::profile::client_cert::path,
 
     custom_fragment             => "
     <Proxy \"fcgi://${imgsrv_address}\" enablereuse=off max=10>

diff --git a/manifests/role/mgetit_log.pp b/manifests/role/mgetit_log.pp
@@ -12,4 +12,5 @@
   include nebula::profile::named_instances
   include nebula::profile::nodejs
   include nebula::profile::php73
+  include nebula::profile::client_cert
 }
diff --git a/spec/classes/profile/client_cert_spec.rb b/spec/classes/profile/client_cert_spec.rb
@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+# Copyright (c) 2022 The Regents of the University of Michigan.
+# All Rights Reserved. Licensed according to the terms of the Revised
+# BSD License. See LICENSE.txt for details.
+require 'spec_helper'
+
+describe 'nebula::profile::client_cert' do
+  on_supported_os.each do |os, os_facts|
+    context "on #{os}" do
+      let(:facts) { os_facts }
+
+      it { is_expected.to compile }
+
+      context 'on a host called default.invalid' do
+        let(:node) { 'default.invalid' }
+        let(:cert_path) { '/etc/ssl/private/default.invalid.pem' }
+        let(:puppet_ssl) { '/etc/puppetlabs/puppet/ssl' }
+
+        it { is_expected.to compile }
+        it { is_expected.to contain_concat(cert_path) }
+        it { is_expected.to contain_concat__fragment("#{cert_path} cert").with_target(cert_path) }
+        it { is_expected.to contain_concat__fragment("#{cert_path} cert").with_source("#{puppet_ssl}/certs/default.invalid.pem") }
+        it { is_expected.to contain_concat__fragment("#{cert_path} key").with_target(cert_path) }
+        it { is_expected.to contain_concat__fragment("#{cert_path} key").with_source("#{puppet_ssl}/private_keys/default.invalid.pem") }
+      end
+
+      context 'on a host called abc' do
+        let(:node) { 'abc' }
+        let(:cert_path) { '/etc/ssl/private/abc.pem' }
+        let(:puppet_ssl) { '/etc/puppetlabs/puppet/ssl' }
+
+        it { is_expected.to compile }
+        it { is_expected.to contain_concat(cert_path) }
+        it { is_expected.to contain_concat__fragment("#{cert_path} cert").with_target(cert_path) }
+        it { is_expected.to contain_concat__fragment("#{cert_path} cert").with_source("#{puppet_ssl}/certs/abc.pem") }
+        it { is_expected.to contain_concat__fragment("#{cert_path} key").with_target(cert_path) }
+        it { is_expected.to contain_concat__fragment("#{cert_path} key").with_source("#{puppet_ssl}/private_keys/abc.pem") }
+      end
+    end
+  end
+end
diff --git a/spec/classes/profile/hathitrust/apache/babel_spec.rb b/spec/classes/profile/hathitrust/apache/babel_spec.rb
@@ -42,6 +42,13 @@
         end
 
       end
+
+      context 'with certname set to myhostname.tld' do
+        let(:node) { 'myhostname.tld' }
+
+        it { is_expected.to compile }
+        it { is_expected.to contain_apache__vhost('babel.hathitrust.org ssl').with_ssl_proxy_machine_cert('/etc/ssl/private/myhostname.tld.pem') }
+      end
     end
   end
 end