Enforce appropriate depth for cert file
The octavia::certificates class ensures the directory where the cert file is located. However, the current implementation has a few problems:
- If the path is not an absolute path, the resource fails unexpectedly.
- If a user places the key file in a core directory such as / or /etc, the owner of that core directory is changed to the octavia user.
This change ensures the certificate files are in directories deep enough to avoid these problems.
Change-Id: Icee84c58a8d29b9c89b571ba075b38f99330bdad
This commit is contained in:
parent
869993e13a
commit
30ad79441b
@ -94,27 +94,27 @@
|
|||
# Defaults to 'octavia'
|
||||
#
|
||||
class octavia::certificates (
|
||||
$cert_generator = $facts['os_service_default'],
|
||||
$cert_manager = $facts['os_service_default'],
|
||||
$barbican_auth = $facts['os_service_default'],
|
||||
$service_name = $facts['os_service_default'],
|
||||
$endpoint = $facts['os_service_default'],
|
||||
$region_name = $facts['os_service_default'],
|
||||
$endpoint_type = $facts['os_service_default'],
|
||||
$ca_certificate = $facts['os_service_default'],
|
||||
$ca_private_key = $facts['os_service_default'],
|
||||
$server_certs_key_passphrase = 'insecure-key-do-not-use-this-key',
|
||||
$ca_private_key_passphrase = $facts['os_service_default'],
|
||||
$signing_digest = $facts['os_service_default'],
|
||||
$cert_validity_time = $facts['os_service_default'],
|
||||
$client_ca = undef,
|
||||
$client_cert = $facts['os_service_default'],
|
||||
$ca_certificate_data = undef,
|
||||
$ca_private_key_data = undef,
|
||||
$client_ca_data = undef,
|
||||
$client_cert_data = undef,
|
||||
$file_permission_owner = $::octavia::params::user,
|
||||
$file_permission_group = $::octavia::params::group,
|
||||
$cert_generator = $facts['os_service_default'],
|
||||
$cert_manager = $facts['os_service_default'],
|
||||
$barbican_auth = $facts['os_service_default'],
|
||||
$service_name = $facts['os_service_default'],
|
||||
$endpoint = $facts['os_service_default'],
|
||||
$region_name = $facts['os_service_default'],
|
||||
$endpoint_type = $facts['os_service_default'],
|
||||
$ca_certificate = $facts['os_service_default'],
|
||||
Octavia::CertificatePath $ca_private_key = $facts['os_service_default'],
|
||||
$server_certs_key_passphrase = 'insecure-key-do-not-use-this-key',
|
||||
$ca_private_key_passphrase = $facts['os_service_default'],
|
||||
$signing_digest = $facts['os_service_default'],
|
||||
$cert_validity_time = $facts['os_service_default'],
|
||||
Optional[Octavia::CertificatePath] $client_ca = undef,
|
||||
Octavia::CertificatePath $client_cert = $facts['os_service_default'],
|
||||
$ca_certificate_data = undef,
|
||||
$ca_private_key_data = undef,
|
||||
$client_ca_data = undef,
|
||||
$client_cert_data = undef,
|
||||
$file_permission_owner = $::octavia::params::user,
|
||||
$file_permission_group = $::octavia::params::group,
|
||||
) inherits octavia::params {
|
||||
|
||||
include octavia::deps
|
||||
|
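Review bot: `$ca_certificate` is left untyped on the new side while `$ca_private_key`, `$client_ca` and `$client_cert` now carry `Octavia::CertificatePath`, so a shallow or relative CA certificate path is still accepted by the class signature. If the class also manages `dirname($ca_certificate)` when `$ca_certificate_data` is set (that part of the body is outside this hunk), the same ownership problem the commit describes remains reachable through that parameter; the consistent change is `Octavia::CertificatePath $ca_certificate = $facts['os_service_default'],`. If the CA certificate path is deliberately excluded, a one-line comment above it saying why would stop the next reader from assuming an oversight. The class parameter list and body continue beyond the hunk.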
@ -194,7 +194,15 @@ class octavia::certificates (
|
|||
tag => 'octavia-certificate',
|
||||
}
|
||||
}
|
||||
if $client_ca and $client_ca_data {
|
||||
if $client_ca_data {
|
||||
if ! $client_ca {
|
||||
fail('client_ca is required when client_ca_data is set')
|
||||
}
|
||||
|
||||
if is_service_default($client_ca) {
|
||||
fail('client_ca should be a valid path instead of os_service_default fact')
|
||||
}
|
||||
|
||||
ensure_resource('file', dirname($client_ca), {
|
||||
ensure => directory,
|
||||
owner => $file_permission_owner,
|
||||
|
|
|
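Review bot: The `is_service_default($client_ca)` check added here is not obviously necessary to a reader who just saw `$client_ca` typed as `Optional[Octavia::CertificatePath]`, because that alias still admits the service default through `Openstacklib::ServiceDefault`; a short comment would make the division of labour explicit, e.g. `# The CertificatePath alias still admits the service default; only a real path can be used for dirname() below`. The two `fail()` guards could also be collapsed into the new `if $client_ca_data` condition, but the separate messages are arguably clearer for operators, so that is a matter of taste. The `ensure_resource` file declaration that these guards protect continues past the end of the hunk.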
@ -0,0 +1,38 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe 'Octavia::CertificatePath' do
|
||||
describe 'valid types' do
|
||||
context 'with valid types' do
|
||||
[
|
||||
'<SERVICE DEFAULT>',
|
||||
'/etc/octavia/certfile',
|
||||
'/etc/octavia/certs/certfile'
|
||||
].each do |value|
|
||||
describe value.inspect do
|
||||
it { is_expected.to allow_value(value) }
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'invalid types' do
|
||||
context 'with garbage inputs' do
|
||||
[
|
||||
'certfile',
|
||||
'/certfile',
|
||||
'/etc/certfile',
|
||||
'somethink',
|
||||
true,
|
||||
nil,
|
||||
{},
|
||||
'',
|
||||
55555,
|
||||
].each do |value|
|
||||
describe value.inspect do
|
||||
it { is_expected.not_to allow_value(value) }
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
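Review bot: The invalid-values list has no case for a path with a trailing slash or an empty last segment, and the `Octavia::CertificatePath` alias introduced in the last hunk (`Pattern[/^\/.+\/.+\/.*$/]`) accepts exactly that: its final `.*` lets `'/etc/octavia/'` pass, and `dirname()` of such a value is `/etc`, which is the directory-ownership problem this commit sets out to prevent. The pattern is also anchored with `^`/`$`, which under Puppet's Ruby regexp matching are line anchors rather than whole-string anchors, so a multi-line string containing a valid path on one line would match. Tightening the alias to `Pattern[/\A\/.+\/.+\/[^\/]+\z/]` closes both gaps while keeping every value in the current valid list, and this spec should then pin the new behaviour by adding `'/etc/octavia/'` to the garbage-inputs array.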
@ -0,0 +1,4 @@
|
|||
type Octavia::CertificatePath = Variant[
|
||||
Openstacklib::ServiceDefault,
|
||||
Pattern[/^\/.+\/.+\/.*$/]
|
||||
]
|