From 716a7874bf5b7321d710044be32086f4346affa8 Mon Sep 17 00:00:00 2001
From: Martin Magr
Date: Mon, 29 Mar 2021 13:13:38 +0200
Subject: [PATCH] Create SSL certificates from sslProfiles

Adds function for transforming SSL certificate/key content values into path values with creating the appropriate files.

Change-Id: Idaee3c5fcc90f8107eac7c2ada94c1e5180abce5
(cherry picked from commit 6fd83b96311513f9602117000c4960c03c66409c)
---
 lib/puppet/functions/qdr_ssl_certificate.rb | 39 +++++++++++++++++++
 manifests/profile/base/metrics/qdr.pp | 26 ++++++++++++-
 .../tripleo_profile_base_metrics_qdr_spec.rb | 33 ++++++++++++++++
 3 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 lib/puppet/functions/qdr_ssl_certificate.rb
diff --git a/lib/puppet/functions/qdr_ssl_certificate.rb b/lib/puppet/functions/qdr_ssl_certificate.rb
new file mode 100644
index 000000000..adac316f5
--- /dev/null
+++ b/lib/puppet/functions/qdr_ssl_certificate.rb
@@ -0,0 +1,39 @@
+# This adds to ssl profile hash a proper value of "caCertFile" key for "caCertFileContent" key.
+#
+# Given:
+# ssl_profiles = [{"name": "test", "caCertFileContent": "cert content", ...}, ...]
+# cert_dir = "/etc/pki/tls/certs/"
+# Returns:
+# ssl_profiles = [
+# {"name": "test",
+# "caCertFileContent": "cert content",
+# "caCertFile": "/etc/pki/tls/certs/CA_test.pem",
+# ... },
+# ...
+# ]
+Puppet::Functions.create_function(:qdr_ssl_certificate) do
+
+ dispatch :qdr_ssl_certificate do
+ param 'Array', :ssl_profiles
+ param 'String', :cert_dir
+ return_type 'Array'
+ end
+
+ def qdr_ssl_certificate(ssl_profiles, cert_dir)
+ processed_profiles = Array.new
+ ssl_profiles.each do |profile|
+ if profile.key?("caCertFileContent")
+ processed = profile.clone
+ # create certificate path
+ path = File.join(cert_dir, "CA_#{processed["name"]}.pem")
+ # update profile
+ processed["caCertFile"] = path
+ processed_profiles.push(processed)
+ else
+ processed_profiles.push(profile)
+ end
+ end
+ return processed_profiles
+ end
+
+end
diff --git a/manifests/profile/base/metrics/qdr.pp b/manifests/profile/base/metrics/qdr.pp
index 71ea7474e..823da46dc 100644
--- a/manifests/profile/base/metrics/qdr.pp
+++ b/manifests/profile/base/metrics/qdr.pp
@@ -119,6 +119,10 @@
 # for more details.
 # Defaults to hiera('step')
 #
+# [*ssl_cert_dir*]
+# (Optional) Path to directory where SSL certificate files should be created.
+# Defaults to '/etc/pki/tls/certs/'
+#
 class tripleo::profile::base::metrics::qdr (
 $username = undef,
 $password = undef,
@@ -142,6 +146,7 @@ class tripleo::profile::base::metrics::qdr (
 $autolink_addresses = [],
 $router_mode = 'edge',
 $step = Integer(hiera('step')),
+ $ssl_cert_dir = '/etc/pki/tls/certs/',
 ) {
 if $step >= 1 {
 $interior_nodes = any2array(split($interior_mesh_nodes, ','))
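Review bot: The profile `name` is interpolated into the certificate path without any check, so a profile with no `name` key yields `CA_.pem` (and two such profiles collide on the same path, which the manifest then declares twice as a `file` resource), and a name containing `/` or `..` produces a path outside `cert_dir`; the values come from hiera, so this is an input-validation gap rather than an exposure, but a catalog-time error is cheaper to diagnose than a misplaced file. The dispatch signature could also be tightened to `param 'Array[Hash]', :ssl_profiles` so a non-hash element fails at the type check instead of at `key?`. Stylistically, `Array.new`/`push`/`return` over an `each` is a `map`, and `merge` avoids the `clone` plus in-place write. The rewritten method below validates the name and keeps the same output for valid input.
```ruby
# … unchanged: header comment and dispatch block …
  def qdr_ssl_certificate(ssl_profiles, cert_dir)
    ssl_profiles.map do |profile|
      next profile unless profile.key?("caCertFileContent")

      name = profile["name"].to_s
      # the name becomes part of a file name under cert_dir; refuse anything
      # empty or containing path separators so the file cannot land elsewhere
      unless name.match?(/\A[\w.-]+\z/)
        raise ArgumentError, "sslProfile name #{name.inspect} cannot be used as a certificate file name"
      end

      profile.merge("caCertFile" => File.join(cert_dir, "CA_#{name}.pem"))
    end
  end
```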
@@ -211,6 +216,25 @@ class tripleo::profile::base::metrics::qdr (
 $all_connectors = $connectors + $internal_connectors
 }
+ file { $ssl_cert_dir:
+ ensure => directory,
+ mode => '0700'
+ }
+ $prep_ssl_profiles = qdr_ssl_certificate($ssl_profiles, $ssl_cert_dir)
+ $final_ssl_profiles = $prep_ssl_profiles.reduce( [] ) |$memo, $prf| {
+ if has_key($prf, 'caCertFileContent') {
+ file { $prf['caCertFile']:
+ ensure => exists,
+ content => $prf['caCertFileContent'],
+ mode => '0600',
+ require => File[$ssl_cert_dir]
+ }
+ $memo << delete($prf, 'caCertFileContent')
+ } else {
+ $memo << $prf
+ }
+ }
+
 class { '::qdr':
 listener_addr => $listener_addr,
 listener_port => $listener_port,
@@ -224,7 +248,7 @@ class tripleo::profile::base::metrics::qdr (
 listener_trusted_certs => $listener_trusted_certs,
 router_mode => $router_mode,
 connectors => $all_connectors,
- ssl_profiles => $ssl_profiles,
+ ssl_profiles => $final_ssl_profiles,
 extra_addresses => $addresses,
 autolink_addresses => $autolink_addresses,
 extra_listeners => $internal_listeners,
diff --git a/spec/classes/tripleo_profile_base_metrics_qdr_spec.rb b/spec/classes/tripleo_profile_base_metrics_qdr_spec.rb
index 3a420a337..504c3bbd9 100644
--- a/spec/classes/tripleo_profile_base_metrics_qdr_spec.rb
+++ b/spec/classes/tripleo_profile_base_metrics_qdr_spec.rb
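Review bot: Neither `file` resource in this hunk sets `owner`/`group`, so the directory (`0700`) and the CA files (`0600`) end up owned by the account Puppet runs as, which is root; if the router service runs as an unprivileged user, as system services usually do, it cannot open the `caCertFile` it is handed, and because `$ssl_cert_dir` defaults to the system-wide `/etc/pki/tls/certs/` the `0700` also strips read access from every other service that keeps certificates there. Since `caCertFile` only ever holds a CA certificate (public material), `owner => '<router service user>'` (placeholder) plus `mode => '0644'` for the file and `mode => '0755'` for the directory is sufficient here, with `0600` reserved for private-key content if that is added later; alternatively default `$ssl_cert_dir` to a directory dedicated to the router rather than the shared one. `ensure => exists` on the certificate file does not appear among the documented values of the file type's `ensure` (`present`, `file`, `absent`, `directory`, `link`); rspec-puppet only inspects the catalog, so the spec would not catch it, and `ensure => file` is what is meant. The enclosing `tripleo::profile::base::metrics::qdr` class starts and ends outside the hunk.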
@@ -188,6 +188,39 @@ describe 'tripleo::profile::base::metrics::qdr' do
 expect(connectors.length).to match 1
 end
 end
+
+ context 'with step 3 and ssl_profiles' do
+ before do
+ params.merge!({
+ :ssl_cert_dir => '/tmp/certs',
+ :ssl_profiles => [
+ {"name" => "wubba", "caCertFileContent" => "ca_wubba"},
+ {"name" => "lubba", "caCertFileContent" => "ca_lubba", "caCertFile" => "whoops"},
+ ]
+ })
+ end
+
+ it 'should set sslProfiles correctly and create appropriate certificates' do
+ is_expected.to contain_class('qdr').with(:ssl_profiles => [
+ {"name" => "wubba", "caCertFile" => '/tmp/certs/CA_wubba.pem'},
+ {"name" => "lubba", "caCertFile" => '/tmp/certs/CA_lubba.pem'},
+ ])
+ is_expected.to contain_file('/tmp/certs').with(
+ :ensure => 'directory',
+ :mode => '0700'
+ )
+ is_expected.to contain_file('/tmp/certs/CA_wubba.pem').with(
+ :ensure => 'exists',
+ :content => 'ca_wubba',
+ :mode => '0600'
+ )
+ is_expected.to contain_file('/tmp/certs/CA_lubba.pem').with(
+ :ensure => 'exists',
+ :content => 'ca_lubba',
+ :mode => '0600'
+ )
+ end
+ end
 end
 on_supported_os.each do |os, facts|
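Review bot: The new context only feeds profiles that carry `caCertFileContent`, so the pass-through branch (a profile with a pre-existing `caCertFile` and no content, which both the function and the `reduce` in the manifest forward unchanged) is never exercised. Add a third fixture such as `{"name" => "plain", "caCertFile" => "/existing/ca.pem"}`, assert it reaches `contain_class('qdr')` unchanged, and add `is_expected.not_to contain_file('/tmp/certs/CA_plain.pem')` so a regression that starts writing files for such profiles is caught. The second fixture already shows that an explicit `"caCertFile" => "whoops"` is overridden when content is present; naming that behaviour in the example description (for instance `'... and override caCertFile when content is given'`) would make the intent of that fixture clear to the next reader.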