Fixes #24012 - Add PuppetCA providers settings

theforeman · Jun 27, 2018 · 270fb4f · 270fb4f
1 parent 210c5ad
commit 270fb4f
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 1 deletion.
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -90,6 +90,7 @@
   if $::foreman_proxy::puppetca_modular {
     foreman_proxy::settings_file { [
         'puppetca_hostname_whitelisting',
+        'puppetca_token_whitelisting',
       ]:
         module => false,
     }

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -83,6 +83,8 @@
 #
 # $autosignfile::               Hostname-Whitelisting only: Location of puppets autosign.conf
 #
+# $puppetca_tokens_file::       Token-Whitelisting only: Location of the tokens.yaml
+#
 # $manage_puppet_group::        Whether to ensure the $puppet_group exists.  Also ensures group owner of ssl keys and certs is $puppet_group
 #                               Not applicable when ssl is false.
 #
@@ -295,6 +297,8 @@
 #
 # $puppetca_provider::          Whether to use puppetca_hostname_whitelisting or puppetca_token_whitelisting
 #
+# $puppetca_sign_all::          Token-whitelisting only: Whether to sign all CSRs without checking their token
+#
 class foreman_proxy (
   String $repo = $::foreman_proxy::params::repo,
   Boolean $gpgcheck = $::foreman_proxy::params::gpgcheck,
@@ -335,6 +339,8 @@
   Boolean $puppetca_modular = $::foreman_proxy::params::puppetca_modular,
   String $puppetca_provider = $::foreman_proxy::params::puppetca_provider,
   Stdlib::Absolutepath $autosignfile = $::foreman_proxy::params::autosignfile,
+  Boolean $puppetca_sign_all = $::foreman_proxy::params::puppetca_sign_all,
+  Stdlib::Absolutepath $puppetca_tokens_file = $::foreman_proxy::params::puppetca_tokens_file,
   Boolean $manage_puppet_group = $::foreman_proxy::params::manage_puppet_group,
   Boolean $puppet = $::foreman_proxy::params::puppet,
   Foreman_proxy::ListenOn $puppet_listen_on = $::foreman_proxy::params::puppet_listen_on,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -244,6 +244,8 @@
   $puppetca_cmd          = "${puppet_cmd} cert"
   $puppet_group          = 'puppet'
   $autosignfile          = "${puppetdir}/autosign.conf"
+  $puppetca_sign_all     = false
+  $puppetca_tokens_file  = '/var/lib/foreman-proxy/tokens.yml'
 
   # The puppet-agent package, (puppet 4 AIO) doesn't create a puppet group
   $manage_puppet_group = versioncmp($::puppetversion, '4.0') > 0

diff --git a/spec/classes/foreman_proxy__config__spec.rb b/spec/classes/foreman_proxy__config__spec.rb
@@ -83,7 +83,7 @@
             'settings.d/dns_libvirt.yml', 'settings.d/dhcp.yml', 'settings.d/dhcp_isc.yml',
             'settings.d/dhcp_libvirt.yml', 'settings.d/logs.yml', 'settings.d/puppet.yml',
             'settings.d/puppetca.yml', 'settings.d/puppetca_hostname_whitelisting.yml',
-            'settings.d/puppet_proxy_customrun.yml',
+            'settings.d/puppetca_token_whitelisting.yml', 'settings.d/puppet_proxy_customrun.yml',
             'settings.d/puppet_proxy_legacy.yml', 'settings.d/puppet_proxy_mcollective.yml',
             'settings.d/puppet_proxy_puppet_api.yml', 'settings.d/puppet_proxy_puppetrun.yml',
             'settings.d/puppet_proxy_salt.yml', 'settings.d/puppet_proxy_ssh.yml',
@@ -265,6 +265,14 @@
           ])
         end
 
+        it 'should generate correct puppetca_token_whitelisting.yml' do
+          verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_token_whitelisting.yml", [
+            '---',
+            ':tokens_file: /var/lib/foreman-proxy/tokens.yml',
+            ':sign_all: false'
+          ])
+        end
+
         tftp_root = case facts[:osfamily]
                     when 'Debian'
                       case facts[:operatingsystem]
@@ -803,6 +811,45 @@
         it 'should not generate a puppetca_hostname_whitelisting' do
           should_not contain_file("#{etc_dir}/foreman-proxy/settings.d/puppet_hostname_whitelisting")
         end
+
+        it 'should not generate a puppetca_hostname_whitelisting' do
+          should_not contain_file("#{etc_dir}/foreman-proxy/settings.d/puppet_token_whitelisting")
+        end
+      end
+
+      context 'with custom puppetca params' do
+        let :pre_condition do
+          'class { "foreman_proxy":
+            puppetca_provider => "puppetca_token_whitelisting",
+            puppetca_sign_all => true,
+            puppetca_tokens_file => "/foo/bar.yml",
+            autosignfile => "/bar/baz.conf",
+          }'
+        end
+
+        it 'should generate correct puppetca.yml' do
+          verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca.yml", [
+            '---',
+            ':enabled: https',
+            ':use_provider: puppetca_token_whitelisting',
+            ":ssldir: #{ssl_dir}",
+          ])
+        end
+
+        it 'should generate correct puppetca_hostname_whitelisting.yml' do
+          verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_hostname_whitelisting.yml", [
+            '---',
+            ":autosignfile: /bar/baz.conf",
+          ])
+        end
+
+        it 'should generate correct puppetca_token_whitelisting.yml' do
+          verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_token_whitelisting.yml", [
+            '---',
+            ':tokens_file: /foo/bar.yml',
+            ':sign_all: true'
+          ])
+        end
       end
 
       context 'when puppetrun_provider and puppetrun_cmd set' do

diff --git a/templates/puppetca_token_whitelisting.yml.erb b/templates/puppetca_token_whitelisting.yml.erb
@@ -0,0 +1,7 @@
+---
+#
+# Configuration of the PuppetCA token_whitelisting provider
+#
+
+:sign_all: <%= scope.lookupvar('foreman_proxy::puppetca_sign_all') %>
+:tokens_file: <%= scope.lookupvar('foreman_proxy::puppetca_tokens_file') %>