Merge pull request #107 from StatensPensjonskasse/support-distrust-fo…

…r-debian

Support distrusting ca's on Debian; Changed ca_cert::ca parameter names and meaning

REFERENCE.md

@@ -6,22 +6,17 @@
 
 ### Classes
 
-* [`ca_cert`](#ca_cert): This module manages the user defined certificate authority (CA)
-certificates on the server. On OSes that support a distrusted
-folder the module also manages distrusting system default CA certificates.
+* [`ca_cert`](#ca_cert): This module manages the shared system-wide truststore.
 
 ### Defined types
 
-* [`ca_cert::ca`](#ca_cert--ca): Manage a user defined CA Certificate on a system.
-On OSes that support distrusting pre-installed CAs this can be managed as well.
+* [`ca_cert::ca`](#ca_cert--ca): Manage a CA Certificate in the the shared system-wide truststore.
 
 ## Classes
 
 ### <a name="ca_cert"></a>`ca_cert`
 
-This module manages the user defined certificate authority (CA)
-certificates on the server. On OSes that support a distrusted
-folder the module also manages distrusting system default CA certificates.
+This module manages the shared system-wide truststore.
 
 #### Examples
 
@@ -60,6 +55,7 @@ The following parameters are available in the `ca_cert` class:
 * [`update_cmd`](#-ca_cert--update_cmd)
 * [`trusted_cert_dir`](#-ca_cert--trusted_cert_dir)
 * [`distrusted_cert_dir`](#-ca_cert--distrusted_cert_dir)
+* [`ca_certificates_conf`](#-ca_cert--ca_certificates_conf)
 * [`install_package`](#-ca_cert--install_package)
 * [`package_ensure`](#-ca_cert--package_ensure)
 * [`package_name`](#-ca_cert--package_name)
@@ -95,6 +91,15 @@ Default provided by Hiera for supported Operating Systems.
 
 Default value: `undef`
 
+##### <a name="-ca_cert--ca_certificates_conf"></a>`ca_certificates_conf`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+Some distros use a configuration file to mark distrusted certificates.
+Default provided by Hiera for supported Operating Systems.
+
+Default value: `undef`
+
 ##### <a name="-ca_cert--install_package"></a>`install_package`
 
 Data type: `Boolean`
@@ -198,8 +203,7 @@ Default value: `{}`
 
 ### <a name="ca_cert--ca"></a>`ca_cert::ca`
 
-Manage a user defined CA Certificate on a system.
-On OSes that support distrusting pre-installed CAs this can be managed as well.
+Manage a CA Certificate in the the shared system-wide truststore.
 
 #### Examples
 
@@ -215,55 +219,53 @@ ca_cert::ca { 'globalsign_org_intermediate':
 
 The following parameters are available in the `ca_cert::ca` defined type:
 
-* [`ca_text`](#-ca_cert--ca--ca_text)
-* [`source`](#-ca_cert--ca--source)
 * [`ensure`](#-ca_cert--ca--ensure)
-* [`verify_https_cert`](#-ca_cert--ca--verify_https_cert)
+* [`content`](#-ca_cert--ca--content)
+* [`source`](#-ca_cert--ca--source)
+* [`allow_insecure_source`](#-ca_cert--ca--allow_insecure_source)
 * [`checksum`](#-ca_cert--ca--checksum)
 * [`checksum_type`](#-ca_cert--ca--checksum_type)
 
-##### <a name="-ca_cert--ca--ca_text"></a>`ca_text`
+##### <a name="-ca_cert--ca--ensure"></a>`ensure`
 
-Data type: `Optional[String]`
+Data type: `Enum['present', 'absent', 'trusted', 'distrusted']`
 
-The text of the CA certificate to install. Required if text is the source
-(default). If a different source is specified this parameter is ignored.
+Whether or not the CA certificate should be on a system or not.
+- `present`/`absent` is used to manage local/none default CAs.
+- `trusted`/`distrusted` is used to manage system CAs.
 
-Default value: `undef`
+Default value: `'present'`
 
-##### <a name="-ca_cert--ca--source"></a>`source`
+##### <a name="-ca_cert--ca--content"></a>`content`
 
-Data type: `String`
+Data type: `Optional[String[1]]`
 
-Where the CA certificate should be retrieved from. text, http, https, ftp,
-file, and puppet protocols/sources are supported. If text, then the ca_text parameter
-is also required. Defaults to text.
+PEM formatted certificate content
+This attribute is mutually exclusive with `source`
 
-Default value: `'text'`
+Default value: `undef`
 
-##### <a name="-ca_cert--ca--ensure"></a>`ensure`
+##### <a name="-ca_cert--ca--source"></a>`source`
 
-Data type: `Enum['present', 'trusted', 'distrusted', 'absent']`
+Data type: `Optional[String[1]]`
 
-Whether or not the CA certificate should be on a system or not. Valid
-values are trusted, present, distrusted, and absent. Note: untrusted is
-not supported on Debian based systems - using it will log a warning
-and treat it the same as absent. (defaults to trusted)
+A source certificate, which will be copied into place on the local system.
+This attribute is mutually exclusive with `content`
+Uri support, see puppet-archive.
 
-Default value: `'trusted'`
+Default value: `undef`
 
-##### <a name="-ca_cert--ca--verify_https_cert"></a>`verify_https_cert`
+##### <a name="-ca_cert--ca--allow_insecure_source"></a>`allow_insecure_source`
 
 Data type: `Boolean`
 
-When retrieving a certificate whether or not to validate the CA of the
-source. (defaults to true)
+Wether to allow insecure download or not.
 
-Default value: `true`
+Default value: `false`
 
 ##### <a name="-ca_cert--ca--checksum"></a>`checksum`
 
-Data type: `Optional[String]`
+Data type: `Optional[String[1]]`
 
 The checksum of the file. (defaults to undef)
 

data/Archlinux-family.yaml

@@ -1,4 +1,4 @@
 ---
 ca_cert::update_cmd:          'trust extract-compat'
-ca_cert::trusted_cert_dir:    '/etc/ca-certificates/trust-source/anchors/'
-ca_cert::distrusted_cert_dir: '/etc/ca-certificates/trust-source/blacklist'
+ca_cert::trusted_cert_dir:    '/etc/ca-certificates/trust-source/anchors'
+ca_cert::distrusted_cert_dir: '/etc/ca-certificates/trust-source/blocklist'

data/Debian-family.yaml

@@ -1,3 +1,4 @@
 ---
-ca_cert::update_cmd:          'update-ca-certificates'
-ca_cert::trusted_cert_dir:    '/usr/local/share/ca-certificates'
+ca_cert::update_cmd:           'update-ca-certificates'
+ca_cert::trusted_cert_dir:     '/usr/local/share/ca-certificates'
+ca_cert::ca_certificates_conf: '/etc/ca-certificates.conf'

data/RedHat-family-9.yaml

@@ -0,0 +1,2 @@
+---
+ca_cert::distrusted_cert_dir: '/etc/pki/ca-trust/source/blocklist'

manifests/ca.pp

@@ -1,30 +1,27 @@
 # @summary
-#   Manage a user defined CA Certificate on a system.
-#   On OSes that support distrusting pre-installed CAs this can be managed as well.
+#   Manage a CA Certificate in the the shared system-wide truststore.
 #
 # @example
 #   ca_cert::ca { 'globalsign_org_intermediate':
 #     source => 'http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt',
 #   }
 #
-# @param ca_text
-#   The text of the CA certificate to install. Required if text is the source
-#   (default). If a different source is specified this parameter is ignored.
+# @param ensure
+#   Whether or not the CA certificate should be on a system or not.
+#   - `present`/`absent` is used to manage local/none default CAs.
+#   - `trusted`/`distrusted` is used to manage system CAs.
 #
-# @param source
-#   Where the CA certificate should be retrieved from. text, http, https, ftp,
-#   file, and puppet protocols/sources are supported. If text, then the ca_text parameter
-#   is also required. Defaults to text.
+# @param content
+#   PEM formatted certificate content
+#   This attribute is mutually exclusive with `source`
 #
-# @param ensure
-#   Whether or not the CA certificate should be on a system or not. Valid
-#   values are trusted, present, distrusted, and absent. Note: untrusted is
-#   not supported on Debian based systems - using it will log a warning
-#   and treat it the same as absent. (defaults to trusted)
+# @param source
+#   A source certificate, which will be copied into place on the local system.
+#   This attribute is mutually exclusive with `content`
+#   Uri support, see puppet-archive.
 #
-# @param verify_https_cert
-#   When retrieving a certificate whether or not to validate the CA of the
-#   source. (defaults to true)
+# @param allow_insecure_source
+#   Wether to allow insecure download or not.
 #
 # @param checksum
 #   The checksum of the file. (defaults to undef)
@@ -33,99 +30,85 @@
 #   The type of file checksum. (defauts to undef)
 #
 define ca_cert::ca (
-  Enum['present', 'trusted', 'distrusted', 'absent'] $ensure = 'trusted',
-  String $source = 'text',
-  Boolean $verify_https_cert = true,
-  Optional[String] $ca_text = undef,
-  Optional[String] $checksum = undef,
+  Enum['present', 'absent', 'trusted', 'distrusted'] $ensure = 'present',
+  Boolean $allow_insecure_source = false,
+  Optional[String[1]] $source = undef,
+  Optional[String[1]] $content = undef,
+  Optional[String[1]] $checksum = undef,
   Optional[String[1]] $checksum_type = undef,
 ) {
   include ca_cert
 
-  if ($ensure == 'trusted' or $ensure == 'distrusted') and $source == 'text' and !$ca_text {
-    fail('ca_text is required if source is set to text')
-  }
-
-  # Since Debian based OSes don't have explicit distrust directories
-  if $facts['os']['family'] == 'Debian' and $ensure == 'distrusted' {
-    warning("Cannot explicitly set CA distrust on ${facts['os']['name']}.")
-    warning("Ensuring that ${name} CA is absent from the trusted list.")
-    $adjusted_ensure = 'absent'
-  }
-  else {
-    $adjusted_ensure = $ensure
-  }
-
   # Determine Full Resource Name
   $resource_name = "${name}.${ca_cert::ca_file_extension}"
 
-  $ca_cert = $adjusted_ensure ? {
-    'distrusted' => "${ca_cert::distrusted_cert_dir}/${resource_name}",
-    default      => "${ca_cert::trusted_cert_dir}/${resource_name}",
+  case $ensure {
+    'present', 'absent': {
+      $ca_cert = "${ca_cert::trusted_cert_dir}/${resource_name}"
+    }
+    'trusted', 'distrusted': {
+      $ca_cert = "${ca_cert::distrusted_cert_dir}/${resource_name}"
+    }
+    default: {}
   }
 
-  case $adjusted_ensure {
-    'present', 'trusted', 'distrusted': {
-      $source_array = split($source, ':')
-      $protocol_type = $source_array[0]
-      case $protocol_type {
-        'puppet': {
-          file { $resource_name:
-            ensure => 'file',
-            source => $source,
-            path   => $ca_cert,
-            owner  => 'root',
-            group  => $ca_cert::ca_file_group,
-            mode   => $ca_cert::ca_file_mode,
-            notify => Exec['ca_cert_update'],
-          }
-        }
-        'ftp', 'https', 'http': {
+  # On Debian we trust/distrust Os provided CAs in config
+  if $facts['os']['family'] == 'Debian' and member(['trusted', 'distrusted'], $ensure) {
+    if $ensure == 'trusted' {
+      exec { "trust ca ${resource_name}":
+        command => "sed -ri \'s|!(.*)${resource_name}|\\1${resource_name}|\' ${ca_cert::ca_certificates_conf}",
+        onlyif  => "grep -q ${resource_name} ${ca_cert::ca_certificates_conf} && grep -q \'^!.*${resource_name}\' ${ca_cert::ca_certificates_conf}",
+        path    => ['/bin','/usr/bin'],
+        notify  => Exec['ca_cert_update'],
+      }
+    } else {
+      exec { "distrust ca ${resource_name}":
+        command => "sed -ri \'s|(.*)${resource_name}|!\\1${resource_name}|\' ${ca_cert::ca_certificates_conf}",
+        onlyif  => "grep -q ${resource_name} ${ca_cert::ca_certificates_conf} && grep -q \'^[^!].*${resource_name}\' ${ca_cert::ca_certificates_conf}",
+        path    => ['/bin','/usr/bin'],
+        notify  => Exec['ca_cert_update'],
+      }
+    }
+  }
+  else {
+    case $ensure {
+      'present', 'distrusted': {
+        if $source {
           archive { $ca_cert:
             ensure         => 'present',
             source         => $source,
             checksum       => $checksum,
             checksum_type  => $checksum_type,
-            allow_insecure => !$verify_https_cert,
+            allow_insecure => $allow_insecure_source,
             notify         => Exec['ca_cert_update'],
           }
-        }
-        'file': {
-          $source_path = $source_array[1]
-          file { $resource_name:
+          -> file { $ca_cert:
             ensure => 'file',
-            source => $source_path,
-            path   => $ca_cert,
             owner  => 'root',
             group  => $ca_cert::ca_file_group,
             mode   => $ca_cert::ca_file_mode,
             notify => Exec['ca_cert_update'],
           }
-        }
-        'text': {
-          file { $resource_name:
+        } elsif $content {
+          file { $ca_cert:
             ensure  => 'file',
-            content => $ca_text,
-            path    => $ca_cert,
+            content => $content,
             owner   => 'root',
             group   => $ca_cert::ca_file_group,
             mode    => $ca_cert::ca_file_mode,
             notify  => Exec['ca_cert_update'],
           }
-        }
-        default: {
-          fail('Protocol must be puppet, file, http, https, ftp, or text.')
+        } else {
+          fail('Either `source` or `content` is required')
         }
       }
-    }
-    'absent': {
-      file { $ca_cert:
-        ensure => absent,
-        notify => Exec['ca_cert_update'],
+      'absent', 'trusted': {
+        file { $ca_cert:
+          ensure => absent,
+          notify => Exec['ca_cert_update'],
+        }
       }
-    }
-    default: {
-      fail("Ca_cert::Ca[${name}] - ensure must be set to present, trusted, distrusted, or absent.")
+      default: {}
     }
   }
 }

manifests/init.pp

@@ -1,7 +1,5 @@
 # @summary
-#   This module manages the user defined certificate authority (CA)
-#   certificates on the server. On OSes that support a distrusted
-#   folder the module also manages distrusting system default CA certificates.
+#   This module manages the shared system-wide truststore.
 #
 # @example Basic usage
 #   class { 'ca_cert': }
@@ -34,6 +32,10 @@
 #   Absolute directory path to the folder containing distrusted certificates.
 #   Default provided by Hiera for supported Operating Systems.
 #
+# @param ca_certificates_conf
+#   Some distros use a configuration file to mark distrusted certificates.
+#   Default provided by Hiera for supported Operating Systems.
+#
 # @param install_package
 #   Whether or not this module should install the ca_certificates package.
 #   The package contains the system default (typically Mozilla) CA
@@ -82,6 +84,7 @@
   String[1] $update_cmd,
   Stdlib::Absolutepath $trusted_cert_dir,
   Optional[Stdlib::Absolutepath] $distrusted_cert_dir = undef,
+  Optional[Stdlib::Absolutepath] $ca_certificates_conf = undef,
   Boolean $install_package = true,
   Stdlib::Ensure::Package $package_ensure = 'installed',
   String[1] $package_name = 'ca-certificates',