Enforce appropriate depth for cert file

The octavia::certificates class ensures the directory where the cert file is located. However the current implementation has a few problems. - In case the path is not an absolute path then the resource fails unexpectedly - In case a user places the key file in the core directory such as / or /etc, then owner of the core directory is changed to the octavia user This ensures the certificate files are in the directories deep enough to avoid these problems. Change-Id: Icee84c58a8d29b9c89b571ba075b38f99330bdad
2024-01-12 15:33:28 +09:00 · 2024-01-12 15:33:28 +09:00 · c9aae154be
parent 869993e13a
commit c9aae154be
3 changed files with 72 additions and 22 deletions
--- a/manifests/certificates.pp
+++ b/manifests/certificates.pp
@ -94,27 +94,27 @@
 #   Defaults to 'octavia'
 #
 class octavia::certificates (
-  $cert_generator              = $facts['os_service_default'],
-  $cert_manager                = $facts['os_service_default'],
-  $barbican_auth               = $facts['os_service_default'],
-  $service_name                = $facts['os_service_default'],
-  $endpoint                    = $facts['os_service_default'],
-  $region_name                 = $facts['os_service_default'],
-  $endpoint_type               = $facts['os_service_default'],
-  $ca_certificate              = $facts['os_service_default'],
-  $ca_private_key              = $facts['os_service_default'],
-  $server_certs_key_passphrase = 'insecure-key-do-not-use-this-key',
-  $ca_private_key_passphrase   = $facts['os_service_default'],
-  $signing_digest              = $facts['os_service_default'],
-  $cert_validity_time          = $facts['os_service_default'],
-  $client_ca                   = undef,
-  $client_cert                 = $facts['os_service_default'],
-  $ca_certificate_data         = undef,
-  $ca_private_key_data         = undef,
-  $client_ca_data              = undef,
-  $client_cert_data            = undef,
-  $file_permission_owner       = $::octavia::params::user,
-  $file_permission_group       = $::octavia::params::group,
+  $cert_generator                               = $facts['os_service_default'],
+  $cert_manager                                 = $facts['os_service_default'],
+  $barbican_auth                                = $facts['os_service_default'],
+  $service_name                                 = $facts['os_service_default'],
+  $endpoint                                     = $facts['os_service_default'],
+  $region_name                                  = $facts['os_service_default'],
+  $endpoint_type                                = $facts['os_service_default'],
+  $ca_certificate                               = $facts['os_service_default'],
+  Octavia::CertificatePath $ca_private_key      = $facts['os_service_default'],
+  $server_certs_key_passphrase                  = 'insecure-key-do-not-use-this-key',
+  $ca_private_key_passphrase                    = $facts['os_service_default'],
+  $signing_digest                               = $facts['os_service_default'],
+  $cert_validity_time                           = $facts['os_service_default'],
+  Optional[Octavia::CertificatePath] $client_ca = undef,
+  Octavia::CertificatePath $client_cert         = $facts['os_service_default'],
+  $ca_certificate_data                          = undef,
+  $ca_private_key_data                          = undef,
+  $client_ca_data                               = undef,
+  $client_cert_data                             = undef,
+  $file_permission_owner                        = $::octavia::params::user,
+  $file_permission_group                        = $::octavia::params::group,
 ) inherits octavia::params {

  include octavia::deps
@ -194,7 +194,15 @@ class octavia::certificates (
      tag       => 'octavia-certificate',
    }
  }
-  if $client_ca and $client_ca_data {
+  if $client_ca_data {
+    if ! $client_ca {
+      fail('client_ca is required when client_ca_data is set')
+    }
+
+    if is_service_default($client_ca) {
+      fail('client_ca should be a valid path instead of os_service_default fact')
+    }
+
    ensure_resource('file', dirname($client_ca), {
      ensure => directory,
      owner  => $file_permission_owner,
--- a/spec/type_aliases/certficatepath_spec.rb
+++ b/spec/type_aliases/certficatepath_spec.rb
@ -0,0 +1,38 @@
+require 'spec_helper'
+
+describe 'Octavia::CertificatePath' do
+  describe 'valid types' do
+    context 'with valid types' do
+      [
+        '<SERVICE DEFAULT>',
+        '/etc/octavia/certfile',
+        '/etc/octavia/certs/certfile'
+      ].each do |value|
+        describe value.inspect do
+          it { is_expected.to allow_value(value) }
+        end
+      end
+    end
+  end
+
+  describe 'invalid types' do
+    context 'with garbage inputs' do
+      [
+        'certfile',
+        '/certfile',
+        '/etc/certfile',
+        'somethink',
+        true,
+        nil,
+        {},
+        '',
+        55555,
+      ].each do |value|
+        describe value.inspect do
+          it { is_expected.not_to allow_value(value) }
+        end
+      end
+    end
+  end
+end
+
--- a/types/certficatepath.pp
+++ b/types/certficatepath.pp
@ -0,0 +1,4 @@
+type Octavia::CertificatePath = Variant[
+  Openstacklib::ServiceDefault,
+  Pattern[/^\/.+\/.+\/.*$/]
+]