Use exec for CA CRL instead of file resource

This is because the file resource doesn't properly handle query
parameters in URLs. So we are forced to use an exec resource here. It's
fine if we always trigger the CRL downloading, as that's a file that
gets udpated often.

Also ensure we get proper escaped source/destination for the download.

Co-Authored-By: Cédric Jeanneret <cjeanner@redhat.com>
Change-Id: I15ad3ab0cd129a8e1b9261341c0510265bda8016
Closes-Bug: #1787878
This commit is contained in:
Juan Antonio Osorio Robles 2018-08-20 08:36:33 +03:00
parent 42aa17f606
commit 5d60472d78
2 changed files with 53 additions and 24 deletions
manifests/certmonger/ca
spec/classes

View File

@ -85,8 +85,35 @@ class tripleo::certmonger::ca::crl (
$maxdelay = 0, $maxdelay = 0,
$reload_cmds = [], $reload_cmds = [],
) { ) {
if $process {
$fetched_crl = $crl_preprocessed
} else {
$fetched_crl = $crl_dest
}
$esc_fetched_crl = shell_escape($fetched_crl)
$esc_crl_src = shell_escape($crl_source)
if $crl_source { if $crl_source {
$ensure = 'present' $ensure = 'present'
# LP(1787878): We need to use an explicit command instead of the file
# resource, because puppet won't use query parameters when handling
# redirects.
# If FreeIPA is being installed in a similar time as the overcloud, the tries
# and time in between tries gives it a chance to generate the CRL.
exec {'tripleo-ca-crl':
command => "curl -Ls --connect-timeout 120 -o ${esc_fetched_crl} ${esc_crl_src}",
path => '/usr/bin/',
creates => $fetched_crl,
tries => 5,
try_sleep => 5,
} ~>
file {'tripleo-ca-crl-file':
group => 'root',
mode => '0644',
owner => 'root',
path => $fetched_crl,
}
} else { } else {
$ensure = 'absent' $ensure = 'absent'
} }
@ -97,31 +124,21 @@ class tripleo::certmonger::ca::crl (
$sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; " $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
} }
if $process {
$fetched_crl = $crl_preprocessed
} else {
$fetched_crl = $crl_dest
}
file { 'tripleo-ca-crl' :
ensure => $ensure,
path => $fetched_crl,
source => $crl_source,
mode => '0644',
}
if $process and $ensure == 'present' { if $process and $ensure == 'present' {
$crl_dest_format = $crl_preprocessed_format ? { $crl_dest_format = $crl_preprocessed_format ? {
'PEM' => 'DER', 'PEM' => 'DER',
'DER' => 'PEM' 'DER' => 'PEM'
} }
# transform CRL from DER to PEM or viceversa # transform CRL from DER to PEM or viceversa
$process_cmd = "openssl crl -in ${$crl_preprocessed} -inform ${crl_preprocessed_format} -outform ${crl_dest_format} -out ${crl_dest}" $process_cmd = "openssl crl -in ${crl_preprocessed} -inform ${crl_preprocessed_format} -outform ${crl_dest_format} -out ${crl_dest}"
exec { 'tripleo-ca-crl-process-command' : exec { 'tripleo-ca-crl-process-command' :
command => $process_cmd, command => $process_cmd,
path => '/usr/bin', path => '/usr/bin',
refreshonly => true, refreshonly => true,
subscribe => File['tripleo-ca-crl'] subscribe => [
Exec['tripleo-ca-crl'],
File['tripleo-ca-crl-file']
]
} }
} else { } else {
$process_cmd = [] $process_cmd = []

View File

@ -24,9 +24,7 @@ describe 'tripleo::certmonger::ca::crl' do
context 'with default parameters (no crl_source)' do context 'with default parameters (no crl_source)' do
it 'should ensure no CRL nor cron job are present' do it 'should ensure no CRL nor cron job are present' do
is_expected.to contain_file('tripleo-ca-crl').with( is_expected.not_to contain_exec('tripleo-ca-crl')
:ensure => 'absent'
)
is_expected.to contain_cron('tripleo-refresh-crl-file').with( is_expected.to contain_cron('tripleo-refresh-crl-file').with(
:ensure => 'absent' :ensure => 'absent'
) )
@ -51,9 +49,16 @@ describe 'tripleo::certmonger::ca::crl' do
end end
it 'should create and process CRL file' do it 'should create and process CRL file' do
is_expected.to contain_file('tripleo-ca-crl').with( is_expected.to contain_exec('tripleo-ca-crl').with(
:ensure => 'present', :command => "curl -Ls --connect-timeout 120 -o #{params[:crl_preprocessed]} #{params[:crl_source]}",
:source => params[:crl_source] :tries => 5,
:try_sleep => 5
)
is_expected.to contain_file('tripleo-ca-crl-file').with(
:group => 'root',
:mode => '0644',
:owner => 'root',
:path => "#{params[:crl_preprocessed]}"
) )
is_expected.to contain_exec('tripleo-ca-crl-process-command').with( is_expected.to contain_exec('tripleo-ca-crl-process-command').with(
:command => process_cmd :command => process_cmd
@ -79,9 +84,16 @@ describe 'tripleo::certmonger::ca::crl' do
end end
it 'should create and process CRL file' do it 'should create and process CRL file' do
is_expected.to contain_file('tripleo-ca-crl').with( is_expected.to contain_exec('tripleo-ca-crl').with(
:ensure => 'present', :command => "curl -Ls --connect-timeout 120 -o #{params[:crl_dest]} #{params[:crl_source]}",
:source => params[:crl_source] :tries => 5,
:try_sleep => 5
)
is_expected.to contain_file('tripleo-ca-crl-file').with(
:group => 'root',
:mode => '0644',
:owner => 'root',
:path => "#{params[:crl_dest]}"
) )
is_expected.to_not contain_exec('tripleo-ca-crl-process-command') is_expected.to_not contain_exec('tripleo-ca-crl-process-command')
is_expected.to contain_cron('tripleo-refresh-crl-file').with( is_expected.to contain_cron('tripleo-refresh-crl-file').with(