Use exec for CA CRL instead of file resource
This is because the file resource doesn't properly handle query parameters in URLs. So we are forced to use an exec resource here. It's fine if we always trigger the CRL downloading, as that's a file that gets udpated often. Also ensure we get proper escaped source/destination for the download. Co-Authored-By: Cédric Jeanneret <cjeanner@redhat.com> Change-Id: I15ad3ab0cd129a8e1b9261341c0510265bda8016 Closes-Bug: #1787878
This commit is contained in:
parent
42aa17f606
commit
5d60472d78
@ -85,8 +85,35 @@ class tripleo::certmonger::ca::crl (
|
|||||||
$maxdelay = 0,
|
$maxdelay = 0,
|
||||||
$reload_cmds = [],
|
$reload_cmds = [],
|
||||||
) {
|
) {
|
||||||
|
if $process {
|
||||||
|
$fetched_crl = $crl_preprocessed
|
||||||
|
} else {
|
||||||
|
$fetched_crl = $crl_dest
|
||||||
|
}
|
||||||
|
|
||||||
|
$esc_fetched_crl = shell_escape($fetched_crl)
|
||||||
|
$esc_crl_src = shell_escape($crl_source)
|
||||||
|
|
||||||
if $crl_source {
|
if $crl_source {
|
||||||
$ensure = 'present'
|
$ensure = 'present'
|
||||||
|
# LP(1787878): We need to use an explicit command instead of the file
|
||||||
|
# resource, because puppet won't use query parameters when handling
|
||||||
|
# redirects.
|
||||||
|
# If FreeIPA is being installed in a similar time as the overcloud, the tries
|
||||||
|
# and time in between tries gives it a chance to generate the CRL.
|
||||||
|
exec {'tripleo-ca-crl':
|
||||||
|
command => "curl -Ls --connect-timeout 120 -o ${esc_fetched_crl} ${esc_crl_src}",
|
||||||
|
path => '/usr/bin/',
|
||||||
|
creates => $fetched_crl,
|
||||||
|
tries => 5,
|
||||||
|
try_sleep => 5,
|
||||||
|
} ~>
|
||||||
|
file {'tripleo-ca-crl-file':
|
||||||
|
group => 'root',
|
||||||
|
mode => '0644',
|
||||||
|
owner => 'root',
|
||||||
|
path => $fetched_crl,
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
$ensure = 'absent'
|
$ensure = 'absent'
|
||||||
}
|
}
|
||||||
@ -97,31 +124,21 @@ class tripleo::certmonger::ca::crl (
|
|||||||
$sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
|
$sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
|
||||||
}
|
}
|
||||||
|
|
||||||
if $process {
|
|
||||||
$fetched_crl = $crl_preprocessed
|
|
||||||
} else {
|
|
||||||
$fetched_crl = $crl_dest
|
|
||||||
}
|
|
||||||
|
|
||||||
file { 'tripleo-ca-crl' :
|
|
||||||
ensure => $ensure,
|
|
||||||
path => $fetched_crl,
|
|
||||||
source => $crl_source,
|
|
||||||
mode => '0644',
|
|
||||||
}
|
|
||||||
|
|
||||||
if $process and $ensure == 'present' {
|
if $process and $ensure == 'present' {
|
||||||
$crl_dest_format = $crl_preprocessed_format ? {
|
$crl_dest_format = $crl_preprocessed_format ? {
|
||||||
'PEM' => 'DER',
|
'PEM' => 'DER',
|
||||||
'DER' => 'PEM'
|
'DER' => 'PEM'
|
||||||
}
|
}
|
||||||
# transform CRL from DER to PEM or viceversa
|
# transform CRL from DER to PEM or viceversa
|
||||||
$process_cmd = "openssl crl -in ${$crl_preprocessed} -inform ${crl_preprocessed_format} -outform ${crl_dest_format} -out ${crl_dest}"
|
$process_cmd = "openssl crl -in ${crl_preprocessed} -inform ${crl_preprocessed_format} -outform ${crl_dest_format} -out ${crl_dest}"
|
||||||
exec { 'tripleo-ca-crl-process-command' :
|
exec { 'tripleo-ca-crl-process-command' :
|
||||||
command => $process_cmd,
|
command => $process_cmd,
|
||||||
path => '/usr/bin',
|
path => '/usr/bin',
|
||||||
refreshonly => true,
|
refreshonly => true,
|
||||||
subscribe => File['tripleo-ca-crl']
|
subscribe => [
|
||||||
|
Exec['tripleo-ca-crl'],
|
||||||
|
File['tripleo-ca-crl-file']
|
||||||
|
]
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$process_cmd = []
|
$process_cmd = []
|
||||||
|
@ -24,9 +24,7 @@ describe 'tripleo::certmonger::ca::crl' do
|
|||||||
|
|
||||||
context 'with default parameters (no crl_source)' do
|
context 'with default parameters (no crl_source)' do
|
||||||
it 'should ensure no CRL nor cron job are present' do
|
it 'should ensure no CRL nor cron job are present' do
|
||||||
is_expected.to contain_file('tripleo-ca-crl').with(
|
is_expected.not_to contain_exec('tripleo-ca-crl')
|
||||||
:ensure => 'absent'
|
|
||||||
)
|
|
||||||
is_expected.to contain_cron('tripleo-refresh-crl-file').with(
|
is_expected.to contain_cron('tripleo-refresh-crl-file').with(
|
||||||
:ensure => 'absent'
|
:ensure => 'absent'
|
||||||
)
|
)
|
||||||
@ -51,9 +49,16 @@ describe 'tripleo::certmonger::ca::crl' do
|
|||||||
end
|
end
|
||||||
|
|
||||||
it 'should create and process CRL file' do
|
it 'should create and process CRL file' do
|
||||||
is_expected.to contain_file('tripleo-ca-crl').with(
|
is_expected.to contain_exec('tripleo-ca-crl').with(
|
||||||
:ensure => 'present',
|
:command => "curl -Ls --connect-timeout 120 -o #{params[:crl_preprocessed]} #{params[:crl_source]}",
|
||||||
:source => params[:crl_source]
|
:tries => 5,
|
||||||
|
:try_sleep => 5
|
||||||
|
)
|
||||||
|
is_expected.to contain_file('tripleo-ca-crl-file').with(
|
||||||
|
:group => 'root',
|
||||||
|
:mode => '0644',
|
||||||
|
:owner => 'root',
|
||||||
|
:path => "#{params[:crl_preprocessed]}"
|
||||||
)
|
)
|
||||||
is_expected.to contain_exec('tripleo-ca-crl-process-command').with(
|
is_expected.to contain_exec('tripleo-ca-crl-process-command').with(
|
||||||
:command => process_cmd
|
:command => process_cmd
|
||||||
@ -79,9 +84,16 @@ describe 'tripleo::certmonger::ca::crl' do
|
|||||||
end
|
end
|
||||||
|
|
||||||
it 'should create and process CRL file' do
|
it 'should create and process CRL file' do
|
||||||
is_expected.to contain_file('tripleo-ca-crl').with(
|
is_expected.to contain_exec('tripleo-ca-crl').with(
|
||||||
:ensure => 'present',
|
:command => "curl -Ls --connect-timeout 120 -o #{params[:crl_dest]} #{params[:crl_source]}",
|
||||||
:source => params[:crl_source]
|
:tries => 5,
|
||||||
|
:try_sleep => 5
|
||||||
|
)
|
||||||
|
is_expected.to contain_file('tripleo-ca-crl-file').with(
|
||||||
|
:group => 'root',
|
||||||
|
:mode => '0644',
|
||||||
|
:owner => 'root',
|
||||||
|
:path => "#{params[:crl_dest]}"
|
||||||
)
|
)
|
||||||
is_expected.to_not contain_exec('tripleo-ca-crl-process-command')
|
is_expected.to_not contain_exec('tripleo-ca-crl-process-command')
|
||||||
is_expected.to contain_cron('tripleo-refresh-crl-file').with(
|
is_expected.to contain_cron('tripleo-refresh-crl-file').with(
|
||||||
|
Loading…
Reference in New Issue
Block a user