From e84aa3e90a042476e7d18ad9833d061b816ce071 Mon Sep 17 00:00:00 2001
From: Steve Kowalik
Date: Tue, 28 Jul 2015 12:14:33 +1000
Subject: [PATCH] Add the Zanata server CRT into the Java keystore

Java does not like to make connections to untrusted HTTPS hosts, and makes it rather difficult to not verify the certificate and its CA chain, like our Python scripts are currently doing. To that end, drag down the CRT for the configured Zanata server, and inject it into the default Java keystore -- since passing a non-default keystore would also require changes to Zanata.

Change-Id: If6aaf4d560acc25e626027d82ed103dd46328802
Depends-On: I32ef72eba436c338052be2eb83ce39e4400d047c
---
 manifests/client.pp | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/manifests/client.pp b/manifests/client.pp
index 26cef60..9ac6afc 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -26,6 +26,7 @@ class zanata::client(
 ) {
   $server_id = parse_server_id($server_url)
+  $server_name = regsubst($server_id, '_', '.', 'G')
   file { '/opt/zanata':
     ensure => directory,
@@ -50,6 +51,36 @@ class zanata::client(
     require => Exec['get_zanata_client_dist_tarball'],
   }
 
+  exec { 'get_zanata_server_certificate':
+    command => "openssl s_client -connect ${server_name}:443 -prexit 2>/dev/null | openssl x509 -in /dev/stdin -out /opt/zanata/${server_id}.crt",
+    path => '/bin:/usr/bin',
+    creates => "/opt/zanata/${server_id}.crt",
+    require => File['/opt/zanata'],
+  }
+
+  file { "/opt/zanata/${server_id}.crt":
+    ensure => present,
+    owner => $user,
+    group => $group,
+    mode => '0644',
+    require => Exec['get_zanata_server_certificate'],
+  }
+
+  java_ks { 'zanata_server:keystore':
+    ensure => latest,
+    certificate => "/opt/zanata/${server_id}.crt",
+    target => '/etc/ssl/certs/java/cacerts',
+    password => 'changeit',
+    require => File["/opt/zanata/${server_id}.crt"],
+  }
+
+  file { '/etc/ssl/certs/java/cacerts':
+    owner => 'root',
+    group => 'root',
+    mode => '0644',
+    require => Java_ks['zanata_server:keystore']
+  }
+
   exec { 'unpack_zanata_client_dist_tarball':
     command => "tar zxf zanata-cli-${version}-dist.tar.gz",
     path => '/bin:/usr/bin',
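Review bot: The `get_zanata_server_certificate` exec stores whatever certificate the peer presents during an unauthenticated `openssl s_client` handshake, and `java_ks` then marks it trusted in the host-wide `/etc/ssl/certs/java/cacerts`, so a misdirected or intercepted connection at first provisioning becomes permanently trusted by every Java program on the machine, not only the Zanata client. If the server certificate is self-signed, the manifest should carry the expected certificate itself, or at minimum a configured SHA-256 fingerprint compared against `openssl x509 -noout -fingerprint -sha256` before the `.crt` is accepted; if the server uses a publicly trusted CA the whole block is unnecessary. The command also sends no SNI, so a host serving several names can hand back the wrong certificate — add `-servername ${server_name}` beside `-connect ${server_name}:443`. Because the `creates` guard fetches once and the stored file is the leaf certificate rather than an issuing CA, the trust entry goes stale the moment the server rotates its certificate and the `.crt` must then be removed by hand. On Debian-family systems `/etc/ssl/certs/java/cacerts` is, as far as I recall, regenerated by the ca-certificates-java hooks and may lose the injected entry, so shipping the `.crt` under `/usr/local/share/ca-certificates/` and running `update-ca-certificates` would be more durable; the body of `class zanata::client` begins and ends outside this hunk.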