Merge "Explicitly set certmonger's CA cert's permissions"

2019-01-17 14:19:51 +00:00 · 2019-01-17 14:19:51 +00:00 · 0a73e19d01
parent 0439913112 5d6201f9fc
commit 0a73e19d01
2 changed files with 15 additions and 0 deletions
--- a/manifests/certmonger/ca/local.pp
+++ b/manifests/certmonger/ca/local.pp
@ -28,12 +28,19 @@ class tripleo::certmonger::ca::local(
  $ca_pkcs12 = '/var/lib/certmonger/local/creds'
  $extract_cmd = "openssl pkcs12 -in ${ca_pkcs12} -out ${ca_pem} -nokeys -nodes -passin pass:''"
  $trust_ca_cmd = 'update-ca-trust extract'
+
+  file { "${ca_pem}":
+    ensure => present,
+    mode   => '0644',
+    owner  => 'root',
+  }
  exec { 'extract-and-trust-ca':
    command   => "${extract_cmd} && ${trust_ca_cmd}",
    path      => '/usr/bin',
    unless    => "test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}",
    tries     => 5,
    try_sleep => 1,
+    notify    => File[$ca_pem]
  }
  Service['certmonger'] ~> Exec<| title == 'extract-and-trust-ca' |>
 }
--- a/spec/classes/tripleo_certmonger_ca_local_spec.rb
+++ b/spec/classes/tripleo_certmonger_ca_local_spec.rb
@ -37,6 +37,14 @@ describe 'tripleo::certmonger::ca::local' do
        :unless => "test -e #{params[:ca_pem]} && openssl x509 -checkend 0 -noout -in #{params[:ca_pem]}",
      )
    end
+
+    it 'set the correct permissions for the CA certificate file' do
+      is_expected.to contain_file(params[:ca_pem]).with(
+        :ensure => 'present',
+        :mode   => '0644',
+        :owner  => 'root'
+      )
+    end
  end

  on_supported_os.each do |os, facts|