From 2ae5f46740d23c182ffa846b7abed0f3bc9d695d Mon Sep 17 00:00:00 2001
From: Tobias Urdin
Date: Wed, 14 Oct 2020 10:24:07 +0200
Subject: [PATCH] Add ssl_verify_client

This adds the ssl_verify_client parameter that is passed down to the apache::vhost resource. Without this being set, as of puppetlabs-apache 2.1.0, the horizon_ca parameter will be ignored and you won't get the CA/intermediate set in the vhost configuration. [1] This was introduced a long long time ago which means we should backport this or SSL is semi-broken when using this module.

[1] https://github.com/puppetlabs/puppetlabs-apache/blob/2.1.0/CHANGELOG.md#changed

Change-Id: I9f60f266400a6d0ccfad757aa33009929c02cde7
(cherry picked from commit 841d4d734e31f17cb1325d573df90c93d1f1683d)
---
 manifests/init.pp | 6 +++++
 manifests/wsgi/apache.pp | 6 +++++
 ...dd-ssl_verify_client-3e2bc9a7f1d4291a.yaml | 10 +++++++++
 spec/classes/horizon_init_spec.rb | 22 ++++++++++---------
 spec/classes/horizon_wsgi_apache_spec.rb | 12 +++++-----
 5 files changed, 41 insertions(+), 15 deletions(-)
 create mode 100644 releasenotes/notes/add-ssl_verify_client-3e2bc9a7f1d4291a.yaml

diff --git a/manifests/init.pp b/manifests/init.pp
index d045976d..ac3fe877 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -217,6 +217,10 @@
 # [*horizon_ca*]
 # (required with listen_ssl) CA certificate to use for SSL support.
 #
+# [*ssl_verify_client*]
+# Set the Certificate verification level for Client Authentication.
+# Defaults to undef
+#
 # [*wsgi_processes*]
 # (optional) Number of Horizon processes to spawn
 # Defaults to $::os_workers
@@ -498,6 +502,7 @@ class horizon(
 $horizon_cert = undef,
 $horizon_key = undef,
 $horizon_ca = undef,
+ $ssl_verify_client = undef,
 $wsgi_processes = $::os_workers,
 $wsgi_threads = '1',
 $compress_offline = true,
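Review bot: The new `ssl_verify_client` doc comment in the `@@ -217` hunk of manifests/init.pp names neither the accepted values nor what the `undef` default means in practice, even though the commit message says that with puppetlabs-apache 2.1.0 an unset value makes `horizon_ca` be ignored, so the default silently keeps the broken behaviour the patch is meant to fix. I would replace the two lines with `#   (optional) SSLVerifyClient level for the vhost: none, optional, require or optional_no_ca.` / `#   If left undef, puppetlabs-apache >= 2.1.0 does not write horizon_ca into the vhost.` / `#   optional and require turn on client-certificate authentication against horizon_ca.` The last sentence matters because the `horizon_ca` entry just above it still reads "CA certificate to use for SSL support", which does not tell an operator that the same file becomes the trust anchor for client certificates once a verification level is set.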
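Review bot: `$ssl_verify_client = undef` in the `@@ -498` hunk accepts any string, so a misspelt level is only caught when Apache refuses to start with the rendered SSLVerifyClient directive. If the module already uses Puppet data types on other parameters (none are visible in this hunk), the check is one line: `Optional[Enum['none', 'optional', 'require', 'optional_no_ca']] $ssl_verify_client = undef,`; otherwise a `validate_re` on the value before it is handed to horizon::wsgi::apache gives the same compile-time failure. The `class horizon(` parameter list starts and ends outside the hunk.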
@@ -677,6 +682,7 @@ class horizon(
 horizon_cert => $horizon_cert,
 horizon_key => $horizon_key,
 horizon_ca => $horizon_ca,
+ ssl_verify_client => $ssl_verify_client,
 wsgi_processes => $wsgi_processes,
 wsgi_threads => $wsgi_threads,
 extra_params => $vhost_extra_params,
diff --git a/manifests/wsgi/apache.pp b/manifests/wsgi/apache.pp
index ecbc0e4f..98ed40b6 100644
--- a/manifests/wsgi/apache.pp
+++ b/manifests/wsgi/apache.pp
@@ -38,6 +38,10 @@
 # [*horizon_ca*]
 # (required with listen_ssl) CA certificate to use for SSL support.
 #
+# [*ssl_verify_client*]
+# Set the Certificate verification level for Client Authentication.
+# Defaults to undef
+#
 # [*wsgi_processes*]
 # (optional) Number of Horizon processes to spawn
 # Defaults to $::os_workers
@@ -102,6 +106,7 @@ class horizon::wsgi::apache (
 $horizon_cert = undef,
 $horizon_key = undef,
 $horizon_ca = undef,
+ $ssl_verify_client = undef,
 $wsgi_processes = $::os_workers,
 $wsgi_threads = '1',
 $custom_wsgi_process_options = {},
@@ -236,6 +241,7 @@ class horizon::wsgi::apache (
 ssl_cert => $horizon_cert,
 ssl_key => $horizon_key,
 ssl_ca => $horizon_ca,
+ ssl_verify_client => $ssl_verify_client,
 wsgi_script_aliases => hash([$script_url, $::horizon::params::django_wsgi]),
 wsgi_daemon_process => $::horizon::params::wsgi_group,
 wsgi_daemon_process_options => $wsgi_daemon_process_options,
diff --git a/releasenotes/notes/add-ssl_verify_client-3e2bc9a7f1d4291a.yaml b/releasenotes/notes/add-ssl_verify_client-3e2bc9a7f1d4291a.yaml
new file mode 100644
index 00000000..54f0236e
--- /dev/null
+++ b/releasenotes/notes/add-ssl_verify_client-3e2bc9a7f1d4291a.yaml
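Review bot: Passing `ssl_verify_client => $ssl_verify_client` to apache::vhost in the `@@ -236` hunk of manifests/wsgi/apache.pp changes what `horizon_ca` does as soon as the value is anything but `none`: `ssl_ca` presumably renders as SSLCACertificateFile, so with `optional` every certificate chaining to that CA is accepted as a verified client identity and surfaced to the WSGI application through the SSL_CLIENT_* variables, and with `require` users without such a certificate cannot reach Horizon at all. The commit message frames this parameter as the way to get the CA/intermediate written into the vhost, so operators need to be told which level does that without enabling client authentication; if the puppetlabs-apache template only checks that the parameter is set, `none` is the safe value and should be named in the class docs, and `optional_no_ca` should be called out as accepting certificates that do not verify against `horizon_ca`. I would add a why-comment on the new line, `# also the switch for client-cert auth against ssl_ca; see class docs`, so the next maintainer does not treat it as a chain-only knob. The apache::vhost resource and whatever conditional wraps it start and end outside the hunk.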
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Added the ssl_verify_client parameter to init class and horizon::wsgi::apache
+ that is passed down to the created apache::vhost resource.
+upgrade:
+ - |
+ The puppetlabs-apache module 2.1.0 introduced a change where ssl_verify_client
+ is required otherwise the SSL CA certificate passed to the horizon module using
+ the horizon_ca parameter is ignored.
diff --git a/spec/classes/horizon_init_spec.rb b/spec/classes/horizon_init_spec.rb
index 078de096..e5ec55c3 100644
--- a/spec/classes/horizon_init_spec.rb
+++ b/spec/classes/horizon_init_spec.rb
@@ -343,21 +343,23 @@ describe 'horizon' do
 context 'with ssl enabled' do
 before do
 params.merge!({
- :listen_ssl => true,
- :servername => 'some.host.tld',
- :horizon_cert => '/etc/pki/tls/certs/httpd.crt',
- :horizon_key => '/etc/pki/tls/private/httpd.key',
- :horizon_ca => '/etc/pki/tls/certs/ca.crt',
+ :listen_ssl => true,
+ :servername => 'some.host.tld',
+ :horizon_cert => '/etc/pki/tls/certs/httpd.crt',
+ :horizon_key => '/etc/pki/tls/private/httpd.key',
+ :horizon_ca => '/etc/pki/tls/certs/ca.crt',
+ :ssl_verify_client => 'optional',
 })
 end
 
 it 'configures apache' do
 is_expected.to contain_class('horizon::wsgi::apache').with({
- :bind_address => nil,
- :listen_ssl => true,
- :horizon_cert => '/etc/pki/tls/certs/httpd.crt',
- :horizon_key => '/etc/pki/tls/private/httpd.key',
- :horizon_ca => '/etc/pki/tls/certs/ca.crt',
+ :bind_address => nil,
+ :listen_ssl => true,
+ :horizon_cert => '/etc/pki/tls/certs/httpd.crt',
+ :horizon_key => '/etc/pki/tls/private/httpd.key',
+ :horizon_ca => '/etc/pki/tls/certs/ca.crt',
+ :ssl_verify_client => 'optional',
 })
 end
 end
diff --git a/spec/classes/horizon_wsgi_apache_spec.rb b/spec/classes/horizon_wsgi_apache_spec.rb
index e749c1a2..ca6ee8b1 100644
--- a/spec/classes/horizon_wsgi_apache_spec.rb
+++ b/spec/classes/horizon_wsgi_apache_spec.rb
@@ -125,11 +125,12 @@ describe 'horizon::wsgi::apache' do
 context 'with ssl enabled' do
 before do
 params.merge!({
- :listen_ssl => true,
- :ssl_redirect => true,
- :horizon_cert => '/etc/pki/tls/certs/httpd.crt',
- :horizon_key => '/etc/pki/tls/private/httpd.key',
- :horizon_ca => '/etc/pki/tls/certs/ca.crt',
+ :listen_ssl => true,
+ :ssl_redirect => true,
+ :horizon_cert => '/etc/pki/tls/certs/httpd.crt',
+ :horizon_key => '/etc/pki/tls/private/httpd.key',
+ :horizon_ca => '/etc/pki/tls/certs/ca.crt',
+ :ssl_verify_client => 'optional',
 })
 end
 
@@ -148,6 +149,7 @@ describe 'horizon::wsgi::apache' do
 :ssl_cert => '/etc/pki/tls/certs/httpd.crt',
 :ssl_key => '/etc/pki/tls/private/httpd.key',
 :ssl_ca => '/etc/pki/tls/certs/ca.crt',
+ :ssl_verify_client => 'optional',
 :redirectmatch_status => 'permanent',
 :redirectmatch_regexp => '^/$',
 :redirectmatch_dest => platforms_params[:root_url],
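Review bot: The `@@ -148` hunk only pins the explicit `'optional'` pass-through into what is presumably the apache::vhost expectation; nothing covers the default, which is exactly the case the release note warns about (with `ssl_verify_client` unset the vhost gets no verification level and, per the commit message, `horizon_ca` is dropped by puppetlabs-apache 2.1.0). A second ssl example that omits the parameter and asserts `:ssl_verify_client => nil` on the same vhost expectation would make that behaviour explicit and catch a future change of the default. The `'optional'` value used as the fixture is also the level that silently enables client-certificate authentication against `horizon_ca`, so a short comment next to it, `# 'optional' enables client-cert auth; picked only to check pass-through`, would stop it being copied into deployments as a recommended setting. The enclosing expectation starts before the hunk.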