openstack/puppet-tripleo
Code Issues Proposed changes

Add resource to fetch CRL

Browse Source 
This will fetch the CRL file from the specified file or URL. Furtherly
it will set up a cron job to refresh the crl file once a week and notify
the needed services.

bp tls-via-certmonger

Change-Id: I38e163e8ebb80ea5f79cfb8df44a71fdcd284e04
This commit is contained in:
Juan Antonio Osorio Robles 2017-05-04 13:23:33 +03:00
parent 0a75929ade
commit 2bb37b6189
3 changed files with 257 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

149
manifests/certmonger/ca/crl.pp Normal file
View File

@ -0,0 +1,149 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == class: tripleo::certmonger::ca::crl
#
# Class that downloads the appropriate CRL file from the CA. This can
# furtherly be used by services in order for proper certificate revocation to
# come into effect. The class also sets up a cron job that will refresh the CRL
# once a week. Also, processing of the CRL file might be needed. e.g. most CAs
# use DER format to distribute the CRLs, while services such as HAProxy expect
# the CRL to be in PEM format.
#
# === Parameters
#
# [*crl_dest*]
# (Optional) The file where the CRL file will be stored.
# Defaults to '/etc/pki/CA/crl/overcloud-crl.pem'
#
# [*crl_source*]
# (Optional) The URI where the CRL file will be fetched from.
# Defaults to undef
#
# [*process*]
# (Optional) Whether the CRL needs processing before being used. This means
# transforming from DER to PEM format or viceversa. This is because most CRLs
# by default come in DER format, so most likely it needs to be transformed.
# Defaults to true
#
# [*crl_preprocessed*]
# (Optional) The pre-processed CRL file which will be transformed.
# Defaults to '/etc/pki/CA/crl/overcloud-crl.bin'
#
# [*crl_preprocessed_format*]
# (Optional) The pre-processed CRL file's format which will be transformed.
# Defaults to 'DER'
#
# [*minute*]
# (optional) Defaults to '0'.
#
# [*hour*]
# (optional) Defaults to '1'.
#
# [*monthday*]
# (optional) Defaults to '*'.
#
# [*month*]
# (optional) Defaults to '*'.
#
# [*weekday*]
# (optional) Defaults to '6'.
#
# [*maxdelay*]
# (optional) Seconds. Defaults to 0. Should be a positive integer.
# Induces a random delay before running the cronjob to avoid running all
# cron jobs at the same time on all hosts this job is configured.
#
# [*reload_cmds*]
# (Optional) list of commands to be executed after fetching the CRL list in
# the cron job. This will usually be a list of reload commands issued to
# services that use the CRL.
# Defaults to []
#
class tripleo::certmonger::ca::crl (
$crl_dest = '/etc/pki/CA/crl/overcloud-crl.pem',
$crl_source = undef,
$process = true,
$crl_preprocessed = '/etc/pki/CA/crl/overcloud-crl.bin',
$crl_preprocessed_format = 'DER',
$minute = '0',
$hour = '1',
$monthday = '*',
$month = '*',
$weekday = '6',
$maxdelay = 0,
$reload_cmds = [],
) {
if $crl_source {
$ensure = 'present'
} else {
$ensure = 'absent'
}
if $maxdelay == 0 {
$sleep = ''
} else {
$sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
}
if $process {
$fetched_crl = $crl_preprocessed
} else {
$fetched_crl = $crl_dest
}
file { 'tripleo-ca-crl' :
ensure => $ensure,
path => $fetched_crl,
source => $crl_source,
mode => '0644',
}
if $process and $ensure == 'present' {
$crl_dest_format = $crl_preprocessed_format ? {
'PEM' => 'DER',
'DER' => 'PEM'
}
# transform CRL from DER to PEM or viceversa
$process_cmd = "openssl crl -in ${$crl_preprocessed} -inform ${crl_preprocessed_format} -outform ${crl_dest_format} -out ${crl_dest}"
exec { 'tripleo-ca-crl-process-command' :
command => $process_cmd,
path => '/usr/bin',
refreshonly => true,
subscribe => File['tripleo-ca-crl']
}
} else {
$process_cmd = []
}
if $ensure == 'present' {
# Fetch CRL in cron job and notify needed services
$cmd_list = concat(["${sleep}curl -L -o ${fetched_crl} ${crl_source}"], $process_cmd, $reload_cmds)
$cron_cmd = join($cmd_list, ' && ')
} else {
$cron_cmd = absent
}
cron { 'tripleo-refresh-crl-file':
ensure => $ensure,
command => $cron_cmd,
environment => 'PATH=/usr/bin SHELL=/bin/sh',
user => 'root',
minute => $minute,
hour => $hour,
monthday => $monthday,
month => $month,
weekday => $weekday,
}
}

4
releasenotes/notes/Add-CRL-resource-d2263462d40f01c0.yaml Normal file
View File

@ -0,0 +1,4 @@
---
features:
- The resource ::tripleo::certmonger::ca::crl was added. The purpose of this
resource is to fetch a CRL file and set up a cron job to refresh that file.

104
spec/classes/tripleo_certmonger_ca_crl_spec.rb Normal file
View File

@ -0,0 +1,104 @@
#
# Copyright (C) 2017 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Unit tests for tripleo
#
require 'spec_helper'
describe 'tripleo::certmonger::ca::crl' do
shared_examples_for 'tripleo::certmonger::ca::crl' do
context 'with default parameters (no crl_source)' do
it 'should ensure no CRL nor cron job are present' do
is_expected.to contain_file('tripleo-ca-crl').with(
:ensure => 'absent'
)
is_expected.to contain_cron('tripleo-refresh-crl-file').with(
:ensure => 'absent'
)
end
end
context 'with defined CRL source' do
let :params do
{
:crl_dest => '/etc/pki/CA/crl/overcloud-crl.pem',
:crl_preprocessed => '/etc/pki/CA/crl/overcloud-crl.bin',
:crl_source => 'file://tmp/some/crl.bin',
}
end
let :process_cmd do
"openssl crl -in #{params[:crl_preprocessed]} -inform DER -outform PEM -out #{params[:crl_dest]}"
end
let :cron_cmd do
"curl -L -o #{params[:crl_preprocessed]} #{params[:crl_source]} && #{process_cmd}"
end
it 'should create and process CRL file' do
is_expected.to contain_file('tripleo-ca-crl').with(
:ensure => 'present',
:source => params[:crl_source]
)
is_expected.to contain_exec('tripleo-ca-crl-process-command').with(
:command => process_cmd
)
is_expected.to contain_cron('tripleo-refresh-crl-file').with(
:ensure => 'present',
:command => cron_cmd
)
end
end
context 'with defined CRL source and no processing' do
let :params do
{
:crl_dest => '/etc/pki/CA/crl/overcloud-crl.pem',
:crl_source => 'file://tmp/some/crl.pem',
:process => false
}
end
let :cron_cmd do
"curl -L -o #{params[:crl_dest]} #{params[:crl_source]}"
end
it 'should create and process CRL file' do
is_expected.to contain_file('tripleo-ca-crl').with(
:ensure => 'present',
:source => params[:crl_source]
)
is_expected.to_not contain_exec('tripleo-ca-crl-process-command')
is_expected.to contain_cron('tripleo-refresh-crl-file').with(
:ensure => 'present',
:command => cron_cmd
)
end
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({})
end
it_behaves_like 'tripleo::certmonger::ca::crl'
end
end
end