Merge pull request #569 from puppetlabs/sslhostconfig

Adding support for sslhostconfig options
puppetlabs · Oct 10, 2024 · 1ac22b2 · 1ac22b2
2 parents 5222a2c + 9a02d64
commit 1ac22b2
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -125,6 +125,10 @@ tomcat::instance { 'my_tomcat_app':
     port                  => $https_port,
     protocol              => $http_version,
     purge_connectors      => true,
+    cert_key_file         => '/path/to/key.pem',
+    cert_file             => '/path/to/cert.pem',
+    cert_chain_file       => '/path/to/chain.pem',
+    cert_type             => 'RSA',
     additional_attributes => {
       'SSLEnabled'          => bool2str($https_enabled),
       'maxThreads'          => $https_connector_max_threads,

diff --git a/manifests/config/server/connector.pp b/manifests/config/server/connector.pp
@@ -22,6 +22,14 @@
 #   Specifies a server.xml file to manage. Valid options: a string containing an absolute path.
 # @param show_diff
 #   Specifies display differences when augeas changes files, defaulting to true. Valid options: true or false.
+# @param cert_key_file
+#   Specifies the path to the private key file. Valid options: a string containing an absolute path.
+# @param cert_file
+#   Specifies the path to the certificate file. Valid options: a string containing an absolute path.
+# @param cert_chain_file
+#   Specifies the path to the certificate chain file. Valid options: a string containing an absolute path.
+# @param cert_type
+#   Specifies the type of certificate. Valid options: a string. 'RSA'.
 #
 define tomcat::config::server::connector (
   Optional[Stdlib::Absolutepath]             $catalina_base         = undef,
@@ -34,6 +42,10 @@
   Optional[Boolean]                          $purge_connectors      = undef,
   Optional[Stdlib::Absolutepath]             $server_config         = undef,
   Boolean                                    $show_diff             = true,
+  Optional[Stdlib::Absolutepath]             $cert_key_file         = undef,
+  Optional[Stdlib::Absolutepath]             $cert_file             = undef,
+  Optional[Stdlib::Absolutepath]             $cert_chain_file       = undef,
+  String[1]                                  $cert_type             = 'RSA',
 ) {
   include tomcat
   $_catalina_base = pick($catalina_base, $tomcat::catalina_home)
@@ -85,6 +97,21 @@
     } else {
       $_additional_attributes = undef
     }
+
+    # Add SSLHostConfig if certificate parameters are provided
+    if $cert_key_file and $cert_file and $cert_chain_file {
+      $sslhostconfig_path = "Server/Service/Connector[#attribute/port='${port}']"
+
+      $_sslhostconfig_changes = [
+        "set ${sslhostconfig_path}/SSLHostConfig/Certificate/#attribute/certificateKeyFile ${cert_key_file}",
+        "set ${sslhostconfig_path}/SSLHostConfig/Certificate/#attribute/certificateFile ${cert_file}",
+        "set ${sslhostconfig_path}/SSLHostConfig/Certificate/#attribute/certificateChainFile ${cert_chain_file}",
+        "set ${sslhostconfig_path}/SSLHostConfig/Certificate/#attribute/type ${cert_type}",
+      ]
+    } else {
+      $_sslhostconfig_changes = undef
+    }
+
     if ! empty(any2array($attributes_to_remove)) {
       $_attributes_to_remove = prefix(any2array($attributes_to_remove), "rm ${base_path}/#attribute/")
     } else {
@@ -97,6 +124,7 @@
           $_protocol_change,
           $_additional_attributes,
           $_attributes_to_remove,
+          $_sslhostconfig_changes,
     ]))
   }
 

diff --git a/spec/defines/config/server/connector_spec.rb b/spec/defines/config/server/connector_spec.rb
@@ -29,10 +29,21 @@
           'connectionTimeout' => '20000',
           'spaces' => 'foo bar'
         },
-        attributes_to_remove: ['foo', 'bar', 'baz']
+        attributes_to_remove: ['foo', 'bar', 'baz'],
+        cert_key_file: '/path/to/cert.key',
+        cert_file: '/path/to/cert.pem',
+        cert_chain_file: '/path/to/chain.pem',
+        cert_type: 'RSA'
       }
     end
 
+    sslhostconfig_changes = [
+      "set Server/Service/Connector[#attribute/port='8180']/SSLHostConfig/Certificate/#attribute/certificateKeyFile /path/to/cert.key",
+      "set Server/Service/Connector[#attribute/port='8180']/SSLHostConfig/Certificate/#attribute/certificateFile /path/to/cert.pem",
+      "set Server/Service/Connector[#attribute/port='8180']/SSLHostConfig/Certificate/#attribute/certificateChainFile /path/to/chain.pem",
+      "set Server/Service/Connector[#attribute/port='8180']/SSLHostConfig/Certificate/#attribute/type RSA",
+    ]
+
     changes = [
       'set Server/Service[#attribute/name=\'Catalina2\']/Connector[#attribute/port=\'8180\']/#attribute/port 8180',
       'set Server/Service[#attribute/name=\'Catalina2\']/Connector[#attribute/port=\'8180\']/#attribute/protocol AJP/1.3',
@@ -42,7 +53,8 @@
       'rm Server/Service[#attribute/name=\'Catalina2\']/Connector[#attribute/port=\'8180\']/#attribute/foo',
       'rm Server/Service[#attribute/name=\'Catalina2\']/Connector[#attribute/port=\'8180\']/#attribute/bar',
       'rm Server/Service[#attribute/name=\'Catalina2\']/Connector[#attribute/port=\'8180\']/#attribute/baz',
-    ]
+    ].concat(sslhostconfig_changes)
+
     it {
       expect(subject).to contain_augeas('server-/opt/apache-tomcat/test-Catalina2-connector-8180').with(
         'lens' => 'Xml.lns',
@@ -64,10 +76,21 @@
           'redirectPort' => '8543',
           'connectionTimeout' => '20000'
         },
-        attributes_to_remove: ['foo', 'bar', 'baz']
+        attributes_to_remove: ['foo', 'bar', 'baz'],
+        cert_key_file: '/path/to/cert.key',
+        cert_file: '/path/to/cert.pem',
+        cert_chain_file: '/path/to/chain.pem',
+        cert_type: 'RSA'
       }
     end
 
+    sslhostconfig_changes = [
+      "set Server/Service/Connector[#attribute/port='8180']/SSLHostConfig/Certificate/#attribute/certificateKeyFile /path/to/cert.key",
+      "set Server/Service/Connector[#attribute/port='8180']/SSLHostConfig/Certificate/#attribute/certificateFile /path/to/cert.pem",
+      "set Server/Service/Connector[#attribute/port='8180']/SSLHostConfig/Certificate/#attribute/certificateChainFile /path/to/chain.pem",
+      "set Server/Service/Connector[#attribute/port='8180']/SSLHostConfig/Certificate/#attribute/type RSA",
+    ]
+
     changes = [
       'rm Server//Connector[#attribute/protocol=\'AJP/1.3\'][#attribute/port!=\'8180\']',
       'set Server/Service[#attribute/name=\'Catalina2\']/Connector[#attribute/port=\'8180\']/#attribute/port 8180',
@@ -77,7 +100,8 @@
       'rm Server/Service[#attribute/name=\'Catalina2\']/Connector[#attribute/port=\'8180\']/#attribute/foo',
       'rm Server/Service[#attribute/name=\'Catalina2\']/Connector[#attribute/port=\'8180\']/#attribute/bar',
       'rm Server/Service[#attribute/name=\'Catalina2\']/Connector[#attribute/port=\'8180\']/#attribute/baz',
-    ]
+    ].concat(sslhostconfig_changes)
+
     it {
       expect(subject).to contain_augeas('server-/opt/apache-tomcat/test-Catalina2-connector-8180').with(
         'lens' => 'Xml.lns',