(GH-648) Add ability to specify SSL options to API config for Enterpr…

Vagrantfile

@@ -86,4 +86,17 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     ## Run puppet apply
     client.vm.provision :shell, :path => "tests/provision_client_win.ps1"
   end
+
+  # This system is meant to be started without 'sensu-server' running.
+  config.vm.define "sensu-server-enterprise", autostart: false do |server|
+    server.vm.box = "centos/7"
+    server.vm.hostname = 'sensu-server.example.com'
+    server.vm.network :private_network, ip: "192.168.56.10"
+    server.vm.network :forwarded_port, guest: 4567, host: 4567, auto_correct: true
+    server.vm.network :forwarded_port, guest: 3000, host: 3000, auto_correct: true
+    server.vm.network :forwarded_port, guest: 15672, host: 15672, auto_correct: true
+    server.vm.provision :shell, :path => "tests/provision_basic_el.sh"
+    server.vm.provision :shell, :path => "tests/provision_enterprise_server.sh"
+    server.vm.provision :shell, :path => "tests/rabbitmq.sh"
+  end
 end

lib/puppet/provider/sensu_api_config/json.rb

@@ -122,4 +122,50 @@ def password=(value)
     conf['api']['password'] = value
   end
 
+  # Public: Retrieve the HTTPS (SSL) port number that the API is configured to
+  # listen on. Enterprise only feature.
+  #
+  # Returns the String port number.
+  def ssl_port
+    conf['api']['ssl_port'].to_s
+  end
+
+  # Public: Set the HTTPS (SSL) port that the API should listen on. Enterprise
+  # only feature.
+  #
+  # Returns nothing.
+  def ssl_port=(value)
+    conf['api']['ssl_port'] = value.to_i
+  end
+
+  # Public: Retrieve the file path for the SSL certificate keystore. Enterprise
+  # only feature.
+  #
+  # Returns the String password.
+  def ssl_keystore_file
+    conf['api']['ssl_keystore_file']
+  end
+
+  # Public: Set the file path for the SSL certificate keystore. Enterprise only
+  # feature.
+  #
+  # Returns nothing.
+  def ssl_keystore_file=(value)
+    conf['api']['ssl_keystore_file'] = value
+  end
+
+  # Public: Retrieve the SSL certificate keystore password. Enterprise only
+  # feature.
+  #
+  # Returns the String password.
+  def ssl_keystore_password
+    conf['api']['ssl_keystore_password']
+  end
+
+  # Public: Set the SSL certificate keystore password. Enterprise only feature.
+  #
+  # Returns nothing.
+  def ssl_keystore_password=(value)
+    conf['api']['ssl_keystore_password'] = value
+  end
 end

lib/puppet/type/sensu_api_config.rb

@@ -56,6 +56,18 @@ def initialize(*args)
     desc "The password use for client authentication against the Sensu API"
   end
 
+  newproperty(:ssl_port) do
+    desc "Port of the HTTPS (SSL) sensu api service. Enterprise only feature."
+  end
+
+  newproperty(:ssl_keystore_file) do
+    desc "The file path for the SSL certificate keystore. Enterprise only feature."
+  end
+
+  newproperty(:ssl_keystore_password) do
+    desc "The SSL certificate keystore password. Enterprise only feature."
+  end
+
   autorequire(:package) do
     ['sensu']
   end

manifests/api/config.pp

@@ -22,12 +22,15 @@
   }
 
   sensu_api_config { $::fqdn:
-    ensure    => $ensure,
-    base_path => "${sensu::etc_dir}/conf.d",
-    bind      => $::sensu::api_bind,
-    host      => $::sensu::api_host,
-    port      => $::sensu::api_port,
-    user      => $::sensu::api_user,
-    password  => $::sensu::api_password,
+    ensure                => $ensure,
+    base_path             => "${sensu::etc_dir}/conf.d",
+    bind                  => $::sensu::api_bind,
+    host                  => $::sensu::api_host,
+    port                  => $::sensu::api_port,
+    user                  => $::sensu::api_user,
+    password              => $::sensu::api_password,
+    ssl_port              => $::sensu::api_ssl_port,
+    ssl_keystore_file     => $::sensu::api_ssl_keystore_file,
+    ssl_keystore_password => $::sensu::api_ssl_keystore_password,
   }
 }

manifests/init.pp

@@ -224,6 +224,20 @@
 #   String. Password of the sensu api service
 #   Default: undef
 #
+# [*api_ssl_port*]
+#   Integer. Port of the HTTPS (SSL) sensu api service. Enterprise only
+#   feature.
+#   Default: undef
+#
+# [*api_ssl_keystore_file*]
+#   String. The file path for the SSL certificate keystore. Enterprise only
+#   feature.
+#   Default: undef
+#
+# [*api_ssl_keystore_password*]
+#   String. The SSL certificate keystore password. Enterprise only feature.
+#   Default: undef
+#
 # [*subscriptions*]
 #   Array of strings.  Default suscriptions used by the client
 #   Default: []
@@ -418,6 +432,9 @@
   $api_port                       = 4567,
   $api_user                       = undef,
   $api_password                   = undef,
+  $api_ssl_port                   = undef,
+  $api_ssl_keystore_file          = undef,
+  $api_ssl_keystore_password      = undef,
   $subscriptions                  = [],
   $client_bind                    = '127.0.0.1',
   $client_port                    = '3030',
@@ -484,6 +501,15 @@
   validate_re($transport_type, ['^rabbitmq$', '^redis$'], "Invalid transport type '${transport_type}'. Expected either rabbitmq or redis" )
   if !is_integer($redis_port) { fail('redis_port must be an integer') }
   if !is_integer($api_port) { fail('api_port must be an integer') }
+  if $api_ssl_port != undef and is_integer($api_ssl_port) == false {
+    fail('api_ssl_port must be an integer')
+  }
+  if $api_ssl_keystore_file != undef and is_string($api_ssl_keystore_file) == false {
+    fail('api_ssl_keystore_file must be a string')
+  }
+  if $api_ssl_keystore_password != undef and is_string($api_ssl_keystore_password) == false {
+    fail('api_ssl_keystore_password must be a string')
+  }
   if !is_integer($init_stop_max_wait) { fail('init_stop_max_wait must be an integer') }
   if $dashboard { fail('Sensu-dashboard is deprecated, use a dashboard module. See https://github.com/sensu/sensu-puppet#dashboards')}
   if $purge_config { fail('purge_config is deprecated, set the purge parameter to a hash containing `config => true` instead') }

spec/classes/sensu_api_spec.rb

@@ -4,9 +4,7 @@
   let(:facts) { { :fqdn => 'testhost.domain.com', :osfamily => 'RedHat' } }
 
   context 'without api (default)' do
-
     context 'config' do
-
       context 'with server' do
         let(:params) { { :server => true } }
         it { should contain_file('/etc/sensu/conf.d/api.json').with_ensure('present') }
@@ -19,9 +17,7 @@
         } }
 
         it { should contain_file('/etc/sensu/conf.d/api.json').with_ensure('absent') }
-
       end # purge config
-
     end # config
 
     context 'managing services' do
@@ -36,56 +32,115 @@
       let(:params) { { :manage_services => false } }
       it { should_not contain_service('sensu-api') }
     end # not managing services
-
   end # without api
 
   context 'with api' do
-
     context 'config' do
-
       context 'defaults' do
         let(:params) { { :api => true } }
+
         it { should contain_file('/etc/sensu/conf.d/api.json').with_ensure('present') }
         it { should contain_sensu_api_config('testhost.domain.com').with(
-          :ensure => 'present',
-          :host   => '127.0.0.1',
-          :port   => 4567
+          :ensure                => 'present',
+          :base_path             => '/etc/sensu/conf.d',
+          :bind                  => '0.0.0.0',
+          :host                  => '127.0.0.1',
+          :port                  => 4567,
+          :user                  => nil,
+          :password              => nil,
+          :ssl_port              => nil,
+          :ssl_keystore_file     => nil,
+          :ssl_keystore_password => nil,
         ) }
-        it { should contain_sensu_api_config('testhost.domain.com').without_api_user }
-        it { should contain_sensu_api_config('testhost.domain.com').without_api_password }
-      end # defaults
+      end
+
+      context 'with api_bind specified' do
+        let(:params) { {
+          :api      => true,
+          :api_bind => '10.1.2.3',
+        } }
+
+        it { should contain_sensu_api_config('testhost.domain.com').with(
+          :bind => '10.1.2.3',
+        ) }
+      end
 
-      context 'set config params' do
+      context 'with api_host specified' do
         let(:params) { {
           :api      => true,
           :api_host => 'sensuapi.domain.com',
-          :api_port => 5678
         } }
+
+        it { should contain_sensu_api_config('testhost.domain.com').with(
+          :host => 'sensuapi.domain.com',
+        ) }
+      end
+
+      context 'with api_port specified' do
+        let(:params) { {
+          :api      => true,
+          :api_port => 1234,
+        } }
+
         it { should contain_sensu_api_config('testhost.domain.com').with(
-          :ensure => 'present',
-          :host   => 'sensuapi.domain.com',
-          :port   => 5678
+          :port => 1234,
         ) }
-        it { should contain_sensu_api_config('testhost.domain.com').without_api_user }
-        it { should contain_sensu_api_config('testhost.domain.com').without_api_password }
-      end # set config params
+      end
 
-      context 'set config params including authentication' do
+      context 'with api_user specified' do
+        let(:params) { {
+          :api      => true,
+          :api_user => 'myuser',
+        } }
+
+        it { should contain_sensu_api_config('testhost.domain.com').with(
+          :user => 'myuser',
+        ) }
+      end
+
+      context 'with api_password specified' do
+        let(:params) { {
+          :api          => true,
+          :api_password => 'mypassword',
+        } }
+
+        it { should contain_sensu_api_config('testhost.domain.com').with(
+          :password => 'mypassword',
+        ) }
+      end
+
+      context 'with api_ssl_port specified' do
         let(:params) { {
           :api          => true,
-          :api_host     => 'sensuapi.domain.com',
-          :api_port     => 5678,
-          :api_user     => 'test_user',
-          :api_password => 'test_password'
+          :api_ssl_port => 242,
+        } }
+
+        it { should contain_sensu_api_config('testhost.domain.com').with(
+          :ssl_port => 242,
+        ) }
+      end
+
+      context 'with api_ssl_keystore_file specified' do
+        let(:params) { {
+          :api                   => true,
+          :api_ssl_keystore_file => '/path/to/api.keystore',
+        } }
+
+        it { should contain_sensu_api_config('testhost.domain.com').with(
+          :ssl_keystore_file => '/path/to/api.keystore',
+        ) }
+      end
+
+      context 'with api_ssl_keystore_password specified' do
+        let(:params) { {
+          :api                       => true,
+          :api_ssl_keystore_password => 'keystore_password',
         } }
+
         it { should contain_sensu_api_config('testhost.domain.com').with(
-          :ensure   => 'present',
-          :host     => 'sensuapi.domain.com',
-          :port     => 5678,
-          :user     => 'test_user',
-          :password => 'test_password'
+          :ssl_keystore_password => 'keystore_password',
         ) }
-      end # set config params
+      end
 
       context 'purge config' do
         let(:params) { {
@@ -95,13 +150,11 @@
         } }
 
         it { should contain_file('/etc/sensu/conf.d/api.json').with_ensure('absent') }
-
+        it { should contain_sensu_api_config('testhost.domain.com').with_ensure('absent') }
       end # purge config
-
     end # config
 
     context 'service' do
-
       context 'managing services' do
         let(:params) { { :api => true } }
         it { should contain_service('sensu-api').with(
@@ -124,9 +177,6 @@
           :hasrestart => false
         )}
       end # with hasrestart=false
-
     end # service
-
   end # with api
-
 end

tests/provision_enterprise_server.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# setup module dependencies
+puppet module install puppetlabs/rabbitmq
+
+# install dependencies for sensu
+yum -y install redis jq nagios-plugins-ntp
+systemctl start redis
+systemctl enable redis
+
+# run puppet
+puppet apply /vagrant/tests/rabbitmq.pp
+puppet apply /vagrant/tests/sensu-server-enterprise.pp
+puppet apply /vagrant/tests/uchiwa.pp