2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
# File 'modules/cfssl/manifests/cert.pp', line 2
define cfssl::cert (
Cfssl::Signer_config $signer_config,
Array[Cfssl::Name] $names = [],
Cfssl::Key $key = {'algo' => 'ecdsa', 'size' => 521},
Wmflib::Ensure $ensure = 'present',
String $owner = 'root',
String $group = 'root',
Boolean $auto_renew = true,
Integer[1800] $renew_seconds = 604800, # 1 week
Optional[String] $label = undef,
Optional[String] $profile = undef,
Optional[Stdlib::Unixpath] $outdir = undef,
Optional[Stdlib::Unixpath] $tls_cert = undef,
Optional[Stdlib::Unixpath] $tls_key = undef,
Optional[Array[Stdlib::Host]] $hosts = [],
) {
include cfssl
if $key['algo'] == 'rsa' and $key['size'] < 2048 {
fail('RSA keys must be either 2048, 4096 or 8192 bits')
}
if $key['algo'] == 'ecdsa' and $key['size'] > 2048 {
fail('ECDSA keys must be either 256, 384 or 521 bits')
}
$ensure_file = $ensure ? {
'present' => 'file',
default => $ensure,
}
$safe_title = $title.regsubst('[^\w\-]', '_', 'G')
$csr_json_path = "${cfssl::csr_dir}/${safe_title}.csr"
$_outdir = $outdir ? {
undef => "${cfssl::ssl_dir}/${safe_title}",
default => $outdir,
}
$_names = $names.map |Cfssl::Name $name| {
{
'C' => $name['country'],
'L' => $name['locality'],
'O' => $name['organisation'],
'OU' => $name['organisational_unit'],
'S' => $name['state'],
}
}
$csr = {
'CN' => $title,
'hosts' => $hosts,
'key' => $key,
'names' => $_names,
}
file{$csr_json_path:
ensure => $ensure_file,
owner => 'root',
group => 'root',
mode => '0400',
content => $csr.to_json_pretty()
}
file {$_outdir:
ensure => ensure_directory($ensure),
owner => $owner,
group => $group,
mode => '0440',
recurse => true,
purge => true,
}
$tls_config = ($tls_cert and $tls_key) ? {
true => "-mutual-tls-client-cert ${tls_cert} -mutual-tls-client-key ${tls_key}",
default => '',
}
$_label = $label ? {
undef => '',
default => "-label ${label}",
}
$_profile = $profile ? {
undef => '',
default => "-profile ${profile}",
}
$signer_args = $signer_config ? {
Stdlib::HTTPUrl => "-remote ${signer_config} ${tls_config} ${_label}",
Cfssl::Signer_config::Client => "-config ${signer_config['config_file']} ${tls_config} ${_label}",
default => @("SIGNER_ARGS"/L)
-ca=${signer_config['config_dir']}/ca/ca.pem \
-ca-key=${signer_config['config_dir']}/ca/ca_key.pem \
-config=${signer_config['config_dir']}/cfssl.conf \
| SIGNER_ARGS
}
$cert_path = "${_outdir}/${safe_title}.pem"
$key_path = "${_outdir}/${safe_title}-key.pem"
$csr_pem_path = "${_outdir}/${safe_title}.csr"
$gen_command = @("GEN_COMMAND"/L)
/usr/bin/cfssl gencert ${signer_args} ${_profile} ${csr_json_path} \
| /usr/bin/cfssljson -bare ${_outdir}/${safe_title}
| GEN_COMMAND
$sign_command = @("SIGN_COMMAND"/L)
/usr/bin/cfssl gencert ${signer_args} ${_profile} ${csr_pem_path} \
| /usr/bin/cfssljson -bare ${_outdir}/${safe_title}
| SIGN_COMMAND
# TODO: would be nice to check its signed with the correct CA
$test_command = @("TEST_COMMAND"/L)
/usr/bin/test \
"$(/usr/bin/openssl x509 -in ${cert_path} -noout -pubkey 2>&1)" == \
"$(/usr/bin/openssl pkey -pubout -in ${key_path} 2>&1)"
| TEST_COMMAND
if $ensure == 'present' {
exec{"Generate cert ${title}":
command => $gen_command,
unless => $test_command,
}
if $auto_renew {
exec {"renew certificate - ${title}":
command => $sign_command,
unless => "/usr/bin/openssl x509 -in ${cert_path} -checkend ${renew_seconds}",
require => Exec["Generate cert ${title}"]
}
}
}
file{[$cert_path, $key_path, $csr_pem_path]:
ensure => $ensure_file,
owner => $owner,
group => $group,
mode => '0440',
}
}
|