Explicitly set certmonger's CA cert's permissions

We were relying on the default permissions that were being set by the
command that extracts the certificate into a PEM file. This wasn't the
right approach, as it could be too restrictive in some setups.

Here, we explicitly tell puppet to set the appropriate permissions
instead.

Given this is a certificate file, and there's no private key involved,
we can set it as world readable (0644). As folks in the system need to
access the file.

Change-Id: I4b2cb1071e3fd5a1277d54b86822e8fef2df0d78
Closes-bug: #1788257
This commit is contained in:
Juan Antonio Osorio Robles 2019-01-16 14:43:54 +02:00
parent a2c549a2ff
commit 5d6201f9fc
2 changed files with 15 additions and 0 deletions

View File

@ -28,12 +28,19 @@ class tripleo::certmonger::ca::local(
$ca_pkcs12 = '/var/lib/certmonger/local/creds'
$extract_cmd = "openssl pkcs12 -in ${ca_pkcs12} -out ${ca_pem} -nokeys -nodes -passin pass:''"
$trust_ca_cmd = 'update-ca-trust extract'
file { "${ca_pem}":
ensure => present,
mode => '0644',
owner => 'root',
}
exec { 'extract-and-trust-ca':
command => "${extract_cmd} && ${trust_ca_cmd}",
path => '/usr/bin',
unless => "test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}",
tries => 5,
try_sleep => 1,
notify => File[$ca_pem]
}
Service['certmonger'] ~> Exec<| title == 'extract-and-trust-ca' |>
}

View File

@ -37,6 +37,14 @@ describe 'tripleo::certmonger::ca::local' do
:unless => "test -e #{params[:ca_pem]} && openssl x509 -checkend 0 -noout -in #{params[:ca_pem]}",
)
end
it 'set the correct permissions for the CA certificate file' do
is_expected.to contain_file(params[:ca_pem]).with(
:ensure => 'present',
:mode => '0644',
:owner => 'root'
)
end
end
on_supported_os.each do |os, facts|