(SIMP-2448) Updated pki scheme (#26)

(SIMP-2448) Updated pki scheme
* Pki quickfix
* Application certs now in x509
SIMP-2448 #close

.fixtures.yml

@@ -17,6 +17,7 @@ fixtures:
     rsyslog: https://github.com/simp/pupmod-simp-rsyslog
     simpcat: https://github.com/simp/pupmod-simp-simpcat
     simplib: https://github.com/simp/pupmod-simp-simplib
+    simp_options: https://github.com/simp/pupmod-simp-simp_options
     stdlib: https://github.com/simp/puppetlabs-stdlib
   symlinks:
     postfix: "#{source_dir}"

CHANGELOG

@@ -1,3 +1,7 @@
+* Tue Jan 10 2017 Nick Markowski <[email protected]> - 5.0.1-0
+- Updated the pki scheme
+- Application certs now managed in /etc/pki/simp_apps/postfix/x509
+
 * Wed Jan 04 2017 Nick Miller <[email protected]> - 5.0.1-0
 - Strong type module
 - Use simp_options catalyst lookups and parameter names

manifests/server.pp

@@ -35,15 +35,37 @@
 #   If true, include haveged to assist with entropy generation.
 #
 # @param pki
-#   If simp, include SIMP's ::pki module and use pki::copy to manage certs
-#   If true, don't include SIMP's ::pki module, but still use pki::copy
-#   If false, don't include SIMP's ::pki module, and don't use pki::copy
+#   * If 'simp', include SIMP's pki module and use pki::copy to manage
+#     application certs in /etc/pki/simp_apps/postfix/x509
+#   * If true, do *not* include SIMP's pki module, but still use pki::copy
+#     to manage certs in /etc/pki/simp_apps/postfix/x509
+#   * If false, do not include SIMP's pki module and do not use pki::copy
+#     to manage certs.  You will need to appropriately assign a subset of:
+#     * app_pki_dir
+#     * app_pki_key
+#     * app_pki_cert
+#     * app_pki_ca
+#     * app_pki_ca_dir
 #
 # @param app_pki_external_source
-#   Where to copy certs from for TLS.
+#   * If pki = 'simp' or true, this is the directory from which certs will be
+#     copied, via pki::copy.  Defaults to /etc/pki/simp/x509.
+#
+#   * If pki = false, this variable has no effect.
 #
 # @param app_pki_dir
-#   Where to copy certs to for TLS.
+#   This variable controls the basepath of $app_pki_key, $app_pki_cert,
+#   $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl.
+#   It defaults to /etc/pki/simp_apps/postfix/pki.
+#
+# @param app_pki_key
+#   Path and name of the private SSL key file
+#
+# @param app_pki_cert
+#   Path and name of the public SSL certificate
+#
+# @param app_pki_ca_dir
+#   Path to the CA.
 #
 # @author Trevor Vaughan <[email protected]>
 #
@@ -56,12 +78,12 @@
   Boolean                        $enforce_tls             = true,
   Postfix::ManCiphers            $mandatory_ciphers       = 'high',
   Boolean                        $haveged                 = simplib::lookup('simp_options::haveged', { 'default_value'      => false }),
-  Stdlib::Absolutepath           $app_pki_dir             = '/etc/postfix',
-  Stdlib::Absolutepath           $app_pki_external_source = simplib::lookup('simp_options::pki::source', { 'default_value'  => '/etc/simp/pki' }),
-  Stdlib::Absolutepath           $app_pki_key             = "${app_pki_dir}/pki/private/${facts['fqdn']}.pem",
-  Stdlib::Absolutepath           $app_pki_cert            = "${app_pki_dir}/pki/public/${facts['fqdn']}.pub",
-  Stdlib::Absolutepath           $app_pki_ca_dir          = "${app_pki_dir}/pki/cacerts",
-  Variant[Enum['simp'],Boolean]  $pki                     = simplib::lookup('simp_options::pki', { 'default_value'          => false })
+  Variant[Enum['simp'],Boolean]  $pki                     = simplib::lookup('simp_options::pki', { 'default_value'          => false }),
+  Stdlib::Absolutepath           $app_pki_external_source = simplib::lookup('simp_options::pki::source', { 'default_value'  => '/etc/pki/simp/x509' }),
+  Stdlib::Absolutepath           $app_pki_dir             = '/etc/pki/simp_apps/postfix/x509',
+  Stdlib::Absolutepath           $app_pki_key             = "${app_pki_dir}/private/${facts['fqdn']}.pem",
+  Stdlib::Absolutepath           $app_pki_cert            = "${app_pki_dir}/public/${facts['fqdn']}.pub",
+  Stdlib::Absolutepath           $app_pki_ca_dir          = "${app_pki_dir}/cacerts"
 ) {
   validate_net_list($trusted_nets)
 
@@ -111,22 +133,13 @@
       }
 
       if $pki {
-        pki::copy { $app_pki_dir:
+        pki::copy { 'postfix':
           pki    => $pki,
           source => $app_pki_external_source,
           group  => 'postfix',
           notify => Service['postfix']
         }
       }
-      else {
-        file { "${app_pki_dir}/pki":
-          ensure => 'directory',
-          owner  => 'root',
-          group  => 'root',
-          mode   => '0640',
-          source => $app_pki_external_source
-        }
-      }
     }
   }
 }

spec/acceptance/suites/default/00_base_spec.rb

@@ -12,7 +12,7 @@
         EOS
       }
       let(:hieradata) {{
-        'postfix::server::app_pki_external_source' => '/etc/pki/simp-testing/pki/'
+        'simp_options::pki::source' => '/etc/pki/simp-testing/pki/'
       }}
 
       it 'should work with no errors' do

spec/acceptance/suites/default/01_user_with_existing_maildir_spec.rb

@@ -13,7 +13,7 @@
         EOS
       }
       let(:hieradata) {{
-        'postfix::server::app_pki_external_source' => '/etc/pki/simp-testing/pki/'
+        'simp_options::pki::source' => '/etc/pki/simp-testing/pki/'
       }}
 
       let(:test_user) { 'test_user' }

spec/classes/server_spec.rb

@@ -15,12 +15,11 @@
         it { is_expected.to create_postfix_main_cf('smtp_use_tls') }
         it { is_expected.to create_postfix_main_cf('smtp_enforce_tls') }
         it { is_expected.to create_postfix_main_cf('smtp_tls_mandatory_ciphers').with({ 'value' => 'high' }) }
-        it { is_expected.to create_postfix_main_cf('smtp_tls_cert_file').with(:value => "/etc/postfix/pki/public/#{facts[:fqdn]}.pub")}
-        it { is_expected.to create_postfix_main_cf('smtp_tls_CApath').with(:value => "/etc/postfix/pki/cacerts")}
-        it { is_expected.to create_postfix_main_cf('smtp_tls_key_file').with(:value => "/etc/postfix/pki/private/#{facts[:fqdn]}.pem")}
+        it { is_expected.to create_postfix_main_cf('smtp_tls_cert_file').with(:value => "/etc/pki/simp_apps/postfix/x509/public/#{facts[:fqdn]}.pub")}
+        it { is_expected.to create_postfix_main_cf('smtp_tls_CApath').with(:value => "/etc/pki/simp_apps/postfix/x509/cacerts")}
+        it { is_expected.to create_postfix_main_cf('smtp_tls_key_file').with(:value => "/etc/pki/simp_apps/postfix/x509/private/#{facts[:fqdn]}.pem")}
         it { is_expected.to_not contain_class('pki')}
-        it { is_expected.to_not contain_pki__copy('/etc/postfix').that_notifies('Service[postfix]') }
-        it { is_expected.to create_file('/etc/postfix/pki')}
+        it { is_expected.to_not contain_pki__copy('postfix').that_notifies('Service[postfix]') }
         it { is_expected.not_to contain_class('haveged') }
       end
 
@@ -34,7 +33,7 @@
         it { is_expected.not_to create_postfix_main_cf('smtp_enforce_tls') }
         it { is_expected.not_to create_postfix_main_cf('smtp_tls_mandatory_ciphers').with({ 'value' => 'high' }) }
         it { is_expected.not_to create_class('pki') }
-        it { is_expected.not_to contain_pki__copy('/etc/postfix').that_notifies('Service[postfix]') }
+        it { is_expected.not_to contain_pki__copy('postfix').that_notifies('Service[postfix]') }
         it { is_expected.to_not contain_class('haveged') }
       end
 
@@ -52,7 +51,7 @@
         it { is_expected.to create_postfix_main_cf('smtp_enforce_tls') }
         it { is_expected.to create_postfix_main_cf('smtp_tls_mandatory_ciphers').with({ 'value' => 'high' }) }
         it { is_expected.to_not create_class('pki') }
-        it { is_expected.to_not contain_pki__copy('/etc/postfix').that_notifies('Service[postfix]') }
+        it { is_expected.to_not contain_pki__copy('postfix').that_notifies('Service[postfix]') }
       end
 
       context 'no_enable_user_connect' do
@@ -80,7 +79,7 @@
         it { is_expected.to_not create_postfix_main_cf('smtp_tls__CApath')}
         it { is_expected.to_not create_postfix_main_cf('smtp_tls_key_file')}
         it { is_expected.not_to create_class('pki') }
-        it { is_expected.not_to contain_pki__copy('/etc/postfix').that_notifies('Service[postfix]') }
+        it { is_expected.not_to contain_pki__copy('postfix').that_notifies('Service[postfix]') }
         it { is_expected.to_not contain_class('haveged') }
       end
 
@@ -97,7 +96,7 @@
         it { is_expected.not_to create_postfix_main_cf('smtp_enforce_tls') }
         it { is_expected.to create_postfix_main_cf('smtp_tls_mandatory_ciphers').with({ 'value' => 'high' }) }
         it { is_expected.to_not create_class('pki') }
-        it { is_expected.to_not contain_pki__copy('/etc/postfix').that_notifies('Service[postfix]') }
+        it { is_expected.to_not contain_pki__copy('postfix').that_notifies('Service[postfix]') }
         it { is_expected.not_to contain_class('haveged') }
       end
 
@@ -111,7 +110,8 @@
         it { is_expected.to create_postfix_main_cf('smtp_enforce_tls') }
         it { is_expected.to create_postfix_main_cf('smtp_tls_mandatory_ciphers').with({ 'value' => 'high' }) }
         it { is_expected.to create_class('pki') }
-        it { is_expected.to contain_pki__copy('/etc/postfix').that_notifies('Service[postfix]') }
+        it { is_expected.to contain_pki__copy('postfix').that_notifies('Service[postfix]') }
+        it { is_expected.to create_file('/etc/pki/simp_apps/postfix/x509')}
         it { is_expected.not_to contain_class('haveged') }
       end