Merge pull request #100 from StatensPensjonskasse/remove-defaults-for…

…-OSes-we-can-not-test Remove defaults for AIX and Solaris as we can't verify/maintain these
voxpupuli · May 27, 2024 · 4e2b5b8 · 4e2b5b8
2 parents a2dd63e + 2cba40b
commit 4e2b5b8
Show file tree

Hide file tree

Showing 7 changed files with 50 additions and 86 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -35,9 +35,27 @@ folder the module also manages distrusting system default CA certificates.
 
 ```puppet
 class { 'ca_cert': }
+```
+
+##### Purge unmanaged user CAs
 
+```puppet
 class { 'ca_cert':
-  manage_all_user_CAs => true,
+  purge_unmanaged_CAs => true,
+}
+```
+
+##### Custom certificates handling
+
+```puppet
+class { 'ca_cert':
+  update_cmd        => '/usr/bin/c_rehash',
+  trusted_cert_dir  => '/var/ssl/certs,
+  cert_dir_group    => 'system',
+  cert_dir_mode     => '0755',
+  ca_file_group     => 'system',
+  ca_file_mode      => '0644',
+  ca_file_extension => 'pem',
 }
 ```
 
@@ -78,15 +96,15 @@ Default value: `$ca_cert::params::update_cmd`
 
 ##### <a name="-ca_cert--trusted_cert_dir"></a>`trusted_cert_dir`
 
-Data type: `String[1]`
+Data type: `Stdlib::Absolutepath`
 
 Absolute directory path to the folder containing trusted certificates.
 
 Default value: `$ca_cert::params::trusted_cert_dir`
 
 ##### <a name="-ca_cert--distrusted_cert_dir"></a>`distrusted_cert_dir`
 
-Data type: `Optional[String[1]]`
+Data type: `Optional[Stdlib::Absolutepath]`
 
 Absolute directory path to the folder containing distrusted certificates.
 
@@ -98,14 +116,12 @@ Data type: `String[1]`
 
 The installed trusted certificate's POSIX group permissions. This uses
 the same syntax as Puppet's native file resource's "group" parameter.
-It defaults to 'system' on AIX, to 'sys' on Solaris, to 'staff' on
-Ubuntu/Debian, and to 'root' in other cases.
 
 Default value: `$ca_cert::params::cert_dir_group`
 
 ##### <a name="-ca_cert--cert_dir_mode"></a>`cert_dir_mode`
 
-Data type: `String[1]`
+Data type: `Stdlib::Filemode`
 
 The installed  trusted certificate's POSIX filesystem permissions. This uses
 the same syntax as Puppet's native file resource's "mode" parameter.
@@ -119,13 +135,12 @@ Data type: `String[1]`
 
 The installed CA certificate's POSIX group permissions. This uses
 the same syntax as Puppet's native file resource's "group" parameter.
-(defaults to 'root' with the exeption of AIX which defaults to 'system')
 
 Default value: `$ca_cert::params::ca_file_group`
 
 ##### <a name="-ca_cert--ca_file_mode"></a>`ca_file_mode`
 
-Data type: `String[1]`
+Data type: `Stdlib::Filemode`
 
 The installed CA certificate's POSIX filesystem permissions. This uses
 the same syntax as Puppet's native file resource's "mode" parameter.
@@ -143,7 +158,7 @@ Default value: `$ca_cert::params::ca_file_extension`
 
 ##### <a name="-ca_cert--package_ensure"></a>`package_ensure`
 
-Data type: `String[1]`
+Data type: `Stdlib::Ensure::Package`
 
 The ensure parameter to pass to the package resource.
 
@@ -237,7 +252,7 @@ Default value: `'text'`
 
 ##### <a name="-ca_cert--ca--ensure"></a>`ensure`
 
-Data type: `String`
+Data type: `Enum['present', 'trusted', 'distrusted', 'absent']`
 
 Whether or not the CA certificate should be on a system or not. Valid
 values are trusted, present, distrusted, and absent. Note: untrusted is

diff --git a/manifests/ca.pp b/manifests/ca.pp
@@ -33,11 +33,11 @@
 #   The type of file checksum. (defauts to undef)
 #
 define ca_cert::ca (
-  String $ensure                 = 'trusted',
-  String $source                 = 'text',
-  Boolean $verify_https_cert     = true,
-  Optional[String] $ca_text      = undef,
-  Optional[String] $checksum     = undef,
+  Enum['present', 'trusted', 'distrusted', 'absent'] $ensure = 'trusted',
+  String $source = 'text',
+  Boolean $verify_https_cert = true,
+  Optional[String] $ca_text = undef,
+  Optional[String] $checksum = undef,
   Optional[String[1]] $checksum_type = undef,
 ) {
   include ca_cert

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -6,8 +6,20 @@
 # @example Basic usage
 #   class { 'ca_cert': }
 #
+# @example Purge unmanaged user CAs
 #   class { 'ca_cert':
-#     manage_all_user_CAs => true,
+#     purge_unmanaged_CAs => true,
+#   }
+#
+# @example Custom certificates handling
+#   class { 'ca_cert':
+#     update_cmd        => '/usr/bin/c_rehash',
+#     trusted_cert_dir  => '/var/ssl/certs,
+#     cert_dir_group    => 'system',
+#     cert_dir_mode     => '0755',
+#     ca_file_group     => 'system',
+#     ca_file_mode      => '0644',
+#     ca_file_extension => 'pem',
 #   }
 #
 # @param package_name
@@ -25,8 +37,6 @@
 # @param cert_dir_group
 #   The installed trusted certificate's POSIX group permissions. This uses
 #   the same syntax as Puppet's native file resource's "group" parameter.
-#   It defaults to 'system' on AIX, to 'sys' on Solaris, to 'staff' on
-#   Ubuntu/Debian, and to 'root' in other cases.
 #
 # @param cert_dir_mode
 #   The installed  trusted certificate's POSIX filesystem permissions. This uses
@@ -36,7 +46,6 @@
 # @param ca_file_group
 #   The installed CA certificate's POSIX group permissions. This uses
 #   the same syntax as Puppet's native file resource's "group" parameter.
-#   (defaults to 'root' with the exeption of AIX which defaults to 'system')
 #
 # @param ca_file_mode
 #   The installed CA certificate's POSIX filesystem permissions. This uses
@@ -71,14 +80,14 @@
 class ca_cert (
   String[1] $package_name = $ca_cert::params::package_name,
   String[1] $update_cmd = $ca_cert::params::update_cmd,
-  String[1] $trusted_cert_dir = $ca_cert::params::trusted_cert_dir,
-  Optional[String[1]] $distrusted_cert_dir = $ca_cert::params::distrusted_cert_dir,
+  Stdlib::Absolutepath $trusted_cert_dir = $ca_cert::params::trusted_cert_dir,
+  Optional[Stdlib::Absolutepath] $distrusted_cert_dir = $ca_cert::params::distrusted_cert_dir,
   String[1] $cert_dir_group = $ca_cert::params::cert_dir_group,
   String[1] $ca_file_group = $ca_cert::params::ca_file_group,
-  String[1] $cert_dir_mode = $ca_cert::params::cert_dir_mode,
-  String[1] $ca_file_mode = $ca_cert::params::ca_file_mode,
+  Stdlib::Filemode $cert_dir_mode = $ca_cert::params::cert_dir_mode,
+  Stdlib::Filemode $ca_file_mode = $ca_cert::params::ca_file_mode,
   String[1] $ca_file_extension = $ca_cert::params::ca_file_extension,
-  String[1] $package_ensure = 'installed',
+  Stdlib::Ensure::Package $package_ensure = 'installed',
   Boolean $always_update_certs = false,
   Boolean $purge_unmanaged_CAs = false, # lint:ignore:variable_contains_upcase lint:ignore:variable_is_lowercase
   Boolean $install_package = true,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -22,7 +22,7 @@
           $cert_dir_mode     = '2665'
         }
         default: {
-          fail("Unsupported operatingsystem (${facts['os']['name']})")
+          $cert_dir_mode     = '0755'
         }
       }
     }
@@ -68,35 +68,6 @@
       $ca_file_group         = 'root'
       $ca_file_mode          = '0644'
     }
-    'AIX': {
-      $trusted_cert_dir    = '/var/ssl/certs'
-      $distrusted_cert_dir = undef
-      $update_cmd          = '/usr/bin/c_rehash'
-      $cert_dir_group      = 'system'
-      $cert_dir_mode       = '0755'
-      $ca_file_group       = 'system'
-      $ca_file_mode        = '0644'
-      $ca_file_extension   = 'crt'
-      $package_name        = 'ca-certificates'
-    }
-    'Solaris': {
-      if versioncmp($facts['os']['release']['major'], '11') >= 0 {
-        $trusted_cert_dir    = '/etc/certs/CA/'
-        $distrusted_cert_dir = undef
-        $update_cmd          = '/usr/sbin/svcadm restart /system/ca-certificates'
-        $cert_dir_group      = 'sys'
-        $cert_dir_mode       = '0755'
-        $ca_file_group       = 'root'
-        $ca_file_mode        = '0444'
-        $ca_file_extension   = 'pem'
-        $package_name        = 'ca-certificates'
-      }
-      else {
-        fail("Unsupported OS Major release (${facts['os']['release']['major']})")
-      }
-    }
-    default: {
-      fail("Unsupported osfamily (${facts['os']['family']})")
-    }
+    default: {}
   }
 }
diff --git a/metadata.json b/metadata.json
@@ -67,13 +67,6 @@
     },
     {
       "operatingsystem": "Archlinux"
-    },
-    {
-      "operatingsystem": "AIX",
-      "operatingsystemrelease": [
-        "7.2",
-        "7.3"
-      ]
     }
   ],
   "requirements": [

diff --git a/spec/classes/ca_cert_spec.rb b/spec/classes/ca_cert_spec.rb
@@ -102,16 +102,4 @@
       end
     end
   end
-
-  context 'on an unsupported operating system' do
-    let :facts do
-      {
-        'os' => {
-          'family' => 'WeirdOS',
-        },
-      }
-    end
-
-    it { expect { catalogue }.to raise_error Puppet::Error, %r{Unsupported osfamily} }
-  end
 end
diff --git a/spec/classes/params_spec.rb b/spec/classes/params_spec.rb
@@ -47,16 +47,4 @@
       end
     end
   end
-
-  context 'on an unsupported operating system' do
-    let :facts do
-      {
-        'os' => {
-          'family' => 'WeirdOS',
-        },
-      }
-    end
-
-    it { expect { catalogue }.to raise_error Puppet::Error, %r{Unsupported osfamily} }
-  end
 end