From 4808b457342b68d424679d9d2244b20e67b480df Mon Sep 17 00:00:00 2001
From: Hugo Haakseth
Date: Thu, 23 May 2024 10:52:52 +0200
Subject: [PATCH] Move and use params only in ca_certs class

---
 manifests/ca.pp | 41 ++++++------------------
 manifests/init.pp | 76 ++++++++++++++++++++++++++++++++++-----------
 manifests/params.pp | 12 ++++---
 3 files changed, 75 insertions(+), 54 deletions(-)

diff --git a/manifests/ca.pp b/manifests/ca.pp
index 649a1c4..f5bcde4 100644
--- a/manifests/ca.pp
+++ b/manifests/ca.pp
@@ -24,14 +24,6 @@
 # The checksum of the file. (defaults to undef)
 # [*checksum_type*]
 # The type of file checksum. (defauts to undef)
-# [*ca_file_group*]
-# The installed CA certificate's POSIX group permissions. This uses
-# the same syntax as Puppet's native file resource's "group" parameter.
-# (defaults to 'root' with the exeption of AIX which defaults to 'system')
-# [*ca_file_mode*]
-# The installed CA certificate's POSIX filesystem permissions. This uses
-# the same syntax as Puppet's native file resource's "mode" parameter.
-# (defaults to '0444', i.e. world-readable)
 #
 # === Examples
 #
@@ -45,23 +37,8 @@
 Boolean $verify_https_cert = true,
 Optional[String] $checksum = undef,
 Optional[String[1]] $checksum_type = undef,
- Optional[String] $ca_file_group = undef,
- Optional[String] $ca_file_mode = undef,
 ) {
 include ca_cert
- include ca_cert::params
-
- if $ca_file_group == undef {
- $file_group = $ca_cert::params::ca_file_group
- } else {
- $file_group = $ca_file_group
- }
-
- if $ca_file_mode == undef {
- $file_mode = $ca_cert::params::ca_file_mode
- } else {
- $file_mode = $ca_file_mode
- }
-
 if ($ensure == 'trusted' or $ensure == 'distrusted') and $source == 'text' and !$ca_text {
 fail('ca_text is required if source is set to text')
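Review bot: Removing the `ca_file_group` and `ca_file_mode` parameters from the `ca_cert::ca` defined type (second hunk) is a breaking interface change: any existing declaration that passes either of them now fails to compile with an unknown-parameter error, and the per-certificate override they provided is replaced by one module-wide value. If that is intended it belongs in the changelog with a major version bump; otherwise keep both as `Optional[String[1]]` parameters that fall back to the class value, e.g. `$file_group = $ca_file_group ? { undef => $ca_cert::ca_file_group, default => $ca_file_group }` (and the same for `$file_mode`), and keep the `file` resources in the later hunks using `$file_group`/`$file_mode`. The defined type's header and the rest of its body lie outside this hunk.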
@@ -93,11 +70,11 @@
 }
 # Determine Full Resource Name
- $resource_name = "${name}.${ca_cert::params::ca_file_extension}"
+ $resource_name = "${name}.${ca_cert::ca_file_extension}"
 $ca_cert = $adjusted_ensure ? {
- 'distrusted' => "${ca_cert::params::distrusted_cert_dir}/${resource_name}",
- default => "${ca_cert::params::trusted_cert_dir}/${resource_name}",
+ 'distrusted' => "${ca_cert::distrusted_cert_dir}/${resource_name}",
+ default => "${ca_cert::trusted_cert_dir}/${resource_name}",
 }
 case $adjusted_ensure {
@@ -111,8 +88,8 @@
 source => $source,
 path => $ca_cert,
 owner => 'root',
- group => $file_group,
- mode => $file_mode,
+ group => $ca_cert::ca_file_group,
+ mode => $ca_cert::ca_file_mode,
 notify => Exec['ca_cert_update'],
 }
 }
@@ -133,8 +110,8 @@
 source => $source_path,
 path => $ca_cert,
 owner => 'root',
- group => $file_group,
- mode => $file_mode,
+ group => $ca_cert::ca_file_group,
+ mode => $ca_cert::ca_file_mode,
 notify => Exec['ca_cert_update'],
 }
 }
@@ -144,8 +121,8 @@
 content => $ca_text,
 path => $ca_cert,
 owner => 'root',
- group => $file_group,
- mode => $file_mode,
+ group => $ca_cert::ca_file_group,
+ mode => $ca_cert::ca_file_mode,
 notify => Exec['ca_cert_update'],
 }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index c9fb9eb..72a01ad 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
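Review bot: In the `'distrusted'` arm of the `$ca_cert` selector, `$ca_cert::distrusted_cert_dir` is now an `Optional[String[1]]` that params.pp explicitly sets to `undef` on Debian, SUSE 10/11, AIX and Solaris; an undef interpolates as an empty string, so on those platforms the path collapses to `/<name>.<extension>` and the `file` resource would manage a certificate directly under the filesystem root. Before this change the unset `$ca_cert::params::distrusted_cert_dir` was an unknown variable, which at least surfaces under `strict_variables`. Unless `$adjusted_ensure` (computed outside this hunk) already guarantees it is never `'distrusted'` on those platforms, guard the arm before the selector: `if $adjusted_ensure == 'distrusted' and !$ca_cert::distrusted_cert_dir { fail("no distrusted certificate directory is defined for ${facts['os']['family']}") }`. The `$ca_cert::ca_file_group` / `$ca_cert::ca_file_mode` substitutions in the three following hunks are mechanical and need nothing further.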
@@ -6,25 +6,63 @@
 #
 # === Parameters
 #
+# [*package_name*]
+# The name of the package(s) to be installed
+#
+# [*update_cmd*]
+# Command to be used to update CA certificates.
+#
+# [*trusted_cert_dir*]
+# Absolute directory path to the folder containing trusted certificates.
+#
+# [*distrusted_cert_dir*]
+# Absolute directory path to the folder containing distrusted certificates (OS dependent).
+#
+# [*cert_dir_group*]
+# The installed trusted certificate's POSIX group permissions. This uses
+# the same syntax as Puppet's native file resource's "group" parameter.
+# It defaults to 'system' on AIX, to 'sys' on Solaris, to 'staff' on
+# Ubuntu/Debian, and to 'root' in other cases.
+#
+# [*cert_dir_mode*]
+# The installed trusted certificate's POSIX filesystem permissions. This uses
+# the same syntax as Puppet's native file resource's "mode" parameter.
+# It defaults to '2665' on Debian, and to '0755' on other cases.
+#
+# [*ca_file_group*]
+# The installed CA certificate's POSIX group permissions. This uses
+# the same syntax as Puppet's native file resource's "group" parameter.
+# (defaults to 'root' with the exeption of AIX which defaults to 'system')
+#
+# [*ca_file_mode*]
+# The installed CA certificate's POSIX filesystem permissions. This uses
+# the same syntax as Puppet's native file resource's "mode" parameter.
+# (defaults to '0444', i.e. world-readable)
+#
+# [*ca_file_extension*]
+# File extenstion for the certificate.
+#
+# [*package_ensure*]
+# The ensure parameter to pass to the package resource
+#
 # [*always_update_certs*]
 # Run the appropriate update CA certificates command for your operating
 # system on every Puppet run whether it is needed or not.
+#
 # [*purge_unmanaged_CAs*]
 # When set to true (default: false), user installed CA
 # certificates (in the appropriate directories) not managed by this
 # module will be purged.
+#
 # [*install_package*]
 # Whether or not this module should install the ca_certificates package.
 # The package contains the system default (typically Mozilla) CA
 # certificates, as well as the tools required for managing other installed
 # CA certificates.
+#
 # [*ca_certs*]
 # A hash of CA certificates that should be installed as part of the class
 # declaration
-# [*package_ensure*]
-# The ensure parameter to pass to the package resource
-# [*package_name*]
-# The name of the package(s) to be installed
 #
 # === Examples
 #
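Review bot: The new `[*distrusted_cert_dir*]` entry says only "(OS dependent)" and does not mention that params.pp sets it to undef on Debian, SUSE 10/11, AIX and Solaris, which is exactly the case a reader of this class needs to know about before using `ensure => distrusted`; a line such as `# undef on platforms without a distrust directory (Debian, SUSE 10/11, AIX, Solaris).` would cover it. `[*update_cmd*]` and `[*ca_file_extension*]` give no default at all, while the group/mode entries spell theirs out; now that these are overridable parameters the per-OS defaults (or a pointer to params.pp) belong here too. Minor: "exeption" and "extenstion" are misspelled in the added text. This hunk begins on the previous physical line.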
@@ -38,27 +76,30 @@
 #
 # Phil Fenstermacher
 #
-# lint:ignore:variable_is_lowercase
 class ca_cert (
+ String[1] $package_name = $ca_cert::params::package_name,
+ String[1] $update_cmd = $ca_cert::params::update_cmd,
+ String[1] $trusted_cert_dir = $ca_cert::params::trusted_cert_dir,
+ Optional[String[1]] $distrusted_cert_dir = $ca_cert::params::distrusted_cert_dir,
+ String[1] $cert_dir_group = $ca_cert::params::cert_dir_group,
+ String[1] $ca_file_group = $ca_cert::params::ca_file_group,
+ String[1] $cert_dir_mode = $ca_cert::params::cert_dir_mode,
+ String[1] $ca_file_mode = $ca_cert::params::ca_file_mode,
+ String[1] $ca_file_extension = $ca_cert::params::ca_file_extension,
+ String[1] $package_ensure = 'installed',
 Boolean $always_update_certs = false,
- Boolean $purge_unmanaged_CAs = false, # lint:ignore:variable_contains_upcase
- Boolean $install_package = true,
- Hash $ca_certs = {},
- String $package_ensure = 'installed',
- String $package_name = $ca_cert::params::package_name,
+ Boolean $purge_unmanaged_CAs = false, # lint:ignore:variable_contains_upcase lint:ignore:variable_is_lowercase
+ Boolean $install_package = true,
+ Hash $ca_certs = {},
 ) inherits ca_cert::params {
- $trusted_cert_dir = $ca_cert::params::trusted_cert_dir
- $cert_dir_group = $ca_cert::params::cert_dir_group
- $cert_dir_mode = $ca_cert::params::cert_dir_mode
-
 file { 'trusted_certs':
 ensure => directory,
 path => $trusted_cert_dir,
 owner => 'root',
 group => $cert_dir_group,
 mode => $cert_dir_mode,
- purge => $purge_unmanaged_CAs, # lint:ignore:variable_contains_upcase
- recurse => $purge_unmanaged_CAs, # lint:ignore:variable_contains_upcase
+ purge => $purge_unmanaged_CAs, # lint:ignore:variable_contains_upcase lint:ignore:variable_is_lowercase
+ recurse => $purge_unmanaged_CAs, # lint:ignore:variable_contains_upcase lint:ignore:variable_is_lowercase
 notify => Exec['ca_cert_update'],
 }
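Review bot: `$trusted_cert_dir` and `$distrusted_cert_dir` are documented as absolute directory paths but typed `String[1]` / `Optional[String[1]]`, so a relative override from Hiera is accepted and flows straight into `file { 'trusted_certs': path => $trusted_cert_dir }` and into the certificate paths `ca_cert::ca` builds from it; `$cert_dir_mode` and `$ca_file_mode` likewise accept any non-empty string. If puppetlabs-stdlib is already a dependency of this module, `Stdlib::Absolutepath` and `Stdlib::Filemode` express the contract directly; otherwise a core `Pattern[/\A\//]` on the two directory parameters is a cheap check. Since the trust-store directory and file modes are now operator-overridable rather than fixed in params, it is worth asserting the '0444'/'0755' defaults in the spec tests so a loosened permission on the trust store is noticed. Style: the group and mode parameters are interleaved (`$cert_dir_group`, `$ca_file_group`, `$cert_dir_mode`, `$ca_file_mode`); pairing them per target reads more easily.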
@@ -75,10 +116,9 @@
 }
 exec { 'ca_cert_update':
- command => $ca_cert::params::update_cmd,
+ command => $update_cmd,
 logoutput => 'on_failure',
 refreshonly => !$always_update_certs,
 path => ['/usr/sbin', '/usr/bin', '/bin'],
 }
 }
-# lint:endignore:variable_is_lowercase
diff --git a/manifests/params.pp b/manifests/params.pp
index ea483ad..73aa926 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -3,6 +3,7 @@
 case $facts['os']['family'] {
 'Debian': {
 $trusted_cert_dir = '/usr/local/share/ca-certificates'
+ $distrusted_cert_dir = undef
 $update_cmd = 'update-ca-certificates'
 $cert_dir_group = 'staff'
 $ca_file_group = 'root'
@@ -45,10 +46,11 @@
 }
 'Suse': {
 if $facts['os']['release']['major'] =~ /(10|11)/ {
- $trusted_cert_dir = '/etc/ssl/certs'
- $update_cmd = 'c_rehash'
- $ca_file_extension = 'pem'
- $package_name = 'openssl-certs'
+ $trusted_cert_dir = '/etc/ssl/certs'
+ $distrusted_cert_dir = undef
+ $update_cmd = 'c_rehash'
+ $ca_file_extension = 'pem'
+ $package_name = 'openssl-certs'
 } elsif versioncmp($facts['os']['release']['major'], '12') >= 0 {
 $trusted_cert_dir = '/etc/pki/trust/anchors'
@@ -64,6 +66,7 @@
 }
 'AIX': {
 $trusted_cert_dir = '/var/ssl/certs'
+ $distrusted_cert_dir = undef
 $update_cmd = '/usr/bin/c_rehash'
 $cert_dir_group = 'system'
 $cert_dir_mode = '0755'
@@ -75,6 +78,7 @@
 'Solaris': {
 if versioncmp($facts['os']['release']['major'], '11') >= 0 {
 $trusted_cert_dir = '/etc/certs/CA/'
+ $distrusted_cert_dir = undef
 $update_cmd = '/usr/sbin/svcadm restart /system/ca-certificates'
 $cert_dir_group = 'sys'
 $cert_dir_mode = '0755'
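Review bot: The explicit `$distrusted_cert_dir = undef` added in the Debian, SUSE 10/11, AIX and Solaris branches of params.pp carries no explanation, yet it is the value that turns `ca_cert::ca`'s distrusted path into a file directly under `/`; a trailing comment such as `# no distrust directory on this platform; ensure => distrusted has nowhere to write` on each occurrence would save the next reader a trip through ca.pp. The SUSE >= 12 branch, the RedHat branch and any `default` branch lie outside these hunks, so it is worth confirming that every branch now assigns the variable, because `class ca_cert` reads `$ca_cert::params::distrusted_cert_dir` as a parameter default on every platform and an unassigned one is an unknown variable. The `command => $update_cmd` change in init.pp is a plain rename and needs nothing further.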