From 628da428ee06a8069ce0ce54b56a2b7d5d08990c Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Tue, 19 Feb 2019 19:05:12 +0100
Subject: [PATCH] [WIP] Add puppet http api support

---
 manifests/config.pp | 9 +++++++--
 templates/puppetca.yml.erb | 10 ++++++++--
 templates/puppetca_http_api.yml.erb | 8 ++++++++
 templates/puppetca_puppet_cert.yml.erb | 4 ++++
 templates/sudo.erb | 4 ++--
 templates/sudo_augeas.erb | 4 ++--
 6 files changed, 31 insertions(+), 8 deletions(-)
 create mode 100644 templates/puppetca_http_api.yml.erb
 create mode 100644 templates/puppetca_puppet_cert.yml.erb

diff --git a/manifests/config.pp b/manifests/config.pp
index f54812ce3..b95f52336 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -80,6 +80,8 @@
 'puppet_proxy_salt',
 'puppet_proxy_ssh',
 'puppetca_hostname_whitelisting',
+ 'puppetca_http_api',
+ 'puppetca_puppet_cert',
 'puppetca_token_whitelisting',
 ]:
 module => false,
@@ -113,14 +115,17 @@
 listen_on => $::foreman_proxy::logs_listen_on,
 }
 
- if $foreman_proxy::puppetca or $foreman_proxy::puppet {
+ if $foreman_proxy::puppet or $foreman_proxy::puppetca {
+ $puppetca_sudo = $foreman_proxy::puppetca and versioncmp($facts['puppetversion'], '6.0') < 0
+ $puppetrun_sudo = $foreman_proxy::puppet and $foreman_proxy::puppetrun_provider == 'puppetrun'
+
 if $foreman_proxy::use_sudoersd {
 if $foreman_proxy::manage_sudoersd {
 ensure_resource('file', "${::foreman_proxy::sudoers}.d", {'ensure' => 'directory'})
 }
 
 file { "${::foreman_proxy::sudoers}.d/foreman-proxy":
- ensure => file,
+ ensure => bool2str($puppetrun_sudo or $puppetca_sudo, 'file', 'absent'),
 owner => 'root',
 group => 0,
 mode => '0440',
diff --git a/templates/puppetca.yml.erb b/templates/puppetca.yml.erb
index 9a46de134..4ffd9f1b2 100644
--- a/templates/puppetca.yml.erb
+++ b/templates/puppetca.yml.erb
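Review bot: The new `$puppetca_sudo = $foreman_proxy::puppetca and versioncmp($facts['puppetversion'], '6.0') < 0` line hard-codes a 6.0 cutoff with no explanation, so a reader cannot tell whether `< 0` is the intended direction or why the version matters; add a why-comment above it, e.g. `# Only Puppet < 6 still uses the puppet cert CLI (and therefore sudo); newer versions are expected to use the CA HTTP API`, which is presumably the intent given the new puppetca_http_api template. Since `bool2str($puppetrun_sudo or $puppetca_sudo, 'file', 'absent')` now removes the sudoers drop-in when neither rule is needed, the `else` branch of `use_sudoersd` (the augeas path, outside this hunk) should make the same decision, otherwise a stale NOPASSWD entry survives in the non-sudoersd case. The enclosing `if` block continues past the end of the hunk.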
@@ -1,5 +1,11 @@
 ---
-# PuppetCA management
+# Can be true, false, or http/https to enable just one of the protocols
 :enabled: <%= @module_enabled %>
-:ssldir: <%= scope.lookupvar("foreman_proxy::ssldir") %>
+
+# valid providers:
+# - puppetca_hostname_whitelisting (verify CSRs based on a hostname whitelist)
+# - puppetca_token_whitelisting (verify CSRs based on a token whitelist)
 :use_provider: <%= scope.lookupvar("foreman_proxy::puppetca_provider") %>
+
+# Puppet version used
+:puppet_version: <%= @puppetversion %>
diff --git a/templates/puppetca_http_api.yml.erb b/templates/puppetca_http_api.yml.erb
new file mode 100644
index 000000000..9170f6c12
--- /dev/null
+++ b/templates/puppetca_http_api.yml.erb
@@ -0,0 +1,8 @@
+---
+# URL of the puppet master itself for API requests.
+:puppet_url: <%= scope.lookupvar("foreman_proxy::puppet_url") %>
+#
+# SSL certificates used to access the CA API.
+:puppet_ssl_ca: <%= scope.lookupvar("foreman_proxy::puppet_ssl_ca") %>
+:puppet_ssl_cert: <%= scope.lookupvar("foreman_proxy::puppet_ssl_cert") %>
+:puppet_ssl_key: <%= scope.lookupvar("foreman_proxy::puppet_ssl_key") %>
diff --git a/templates/puppetca_puppet_cert.yml.erb b/templates/puppetca_puppet_cert.yml.erb
new file mode 100644
index 000000000..957a762a8
--- /dev/null
+++ b/templates/puppetca_puppet_cert.yml.erb
@@ -0,0 +1,4 @@
+---
+:ssldir: <%= scope.lookupvar("foreman_proxy::ssldir") %>
+#:puppetca_use_sudo: true
+#:sudo_command: /usr/bin/sudo
diff --git a/templates/sudo.erb b/templates/sudo.erb
index 835075aae..d8ddaa610 100644
--- a/templates/sudo.erb
+++ b/templates/sudo.erb
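Review bot: `:puppet_version: <%= @puppetversion %>` is emitted unquoted, so a two-component version such as 5.5 or 6.0 is loaded by YAML as a Float (and 6.10 becomes 6.1) instead of the version string the proxy presumably compares against; quote it: `:puppet_version: '<%= @puppetversion %>'`. The same fact is compared in config.pp via `$facts['puppetversion']`, so the two places should at least agree on reading the same value, which a one-line comment here (`# Same fact config.pp uses to decide whether sudo is needed`) would make clear.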
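Review bot: The new puppetca_http_api.yml.erb names the client certificate and key the proxy will present to the CA API but says nothing about what that identity must be allowed to do; if the proxy signs or revokes certificates through this endpoint, the certname in `puppet_ssl_cert` has to be authorised for the certificate-status rule in puppetserver's auth.conf, which an operator reading this file would not learn. A comment such as `# The certname of puppet_ssl_cert must be authorised for the CA certificate_status endpoints in puppetserver's auth.conf` would document that, and the bare `#` separator line would read better as a blank line.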
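Review bot: In puppetca_puppet_cert.yml.erb, `#:puppetca_use_sudo: true` and `#:sudo_command: /usr/bin/sudo` are commented out without saying whether they are the plugin's defaults or placeholders, while config.pp decides separately via `$puppetca_sudo` whether a sudoers rule exists at all; if the proxy defaults to using sudo, it will invoke sudo on hosts where this commit has made the sudoers drop-in absent. Either render the setting from the same decision, `:puppetca_use_sudo: <%= @puppetca_sudo %>` (assuming the template is evaluated in the scope where that variable is set), or add a comment stating that the commented lines show the plugin defaults.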
@@ -1,7 +1,7 @@
-<% if scope.lookupvar("foreman_proxy::puppetca") -%>
+<% if @puppetca_sudo -%>
 <%= scope.lookupvar("foreman_proxy::user") %> ALL = (root) NOPASSWD : <%= scope.lookupvar("foreman_proxy::puppetca_cmd") %> *
 <% end -%>
-<% if scope.lookupvar("foreman_proxy::puppet") and scope.lookupvar("foreman_proxy::puppetrun_provider") == 'puppetrun' -%>
+<% if @puppetrun_sudo -%>
 <%= scope.lookupvar("foreman_proxy::user") %> ALL = (<%= scope.lookupvar("foreman_proxy::puppet_user") %>) NOPASSWD : <%= scope.lookupvar("foreman_proxy::puppetrun_cmd") %> *
 <% end -%>
 Defaults:<%= scope.lookupvar("foreman_proxy::user") %> !requiretty
diff --git a/templates/sudo_augeas.erb b/templates/sudo_augeas.erb
index 23328c0fd..4d4e0a921 100644
--- a/templates/sudo_augeas.erb
+++ b/templates/sudo_augeas.erb
@@ -2,7 +2,7 @@
 user = scope.lookupvar('foreman_proxy::user')
 index = 0
 -%>
-<% if scope.lookupvar('foreman_proxy::puppetca')
+<% if @puppetca_sudo
 index += 1
 -%>
 set spec[user = '<%= user %>'][<%=index%>]/user <%= user %>
@@ -12,7 +12,7 @@ set spec[user = '<%= user %>'][<%=index%>]/host_group/command/runas_user root
 set spec[user = '<%= user %>'][<%=index%>]/host_group/command/tag NOPASSWD
 rm spec[user = '<%= user %>'][<%=index%>]/host_group/command[position() > 1]<%# delete any other command in the rule %>
 <% end -%>
-<% if scope.lookupvar("foreman_proxy::puppet") and scope.lookupvar("foreman_proxy::puppetrun_provider") == 'puppetrun'
+<% if @puppetca_sudo
 index += 1
 -%>
 set spec[user = '<%= user %>'][<%=index%>]/user <%= user %>
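Review bot: sudo.erb now relies on `@puppetca_sudo` and `@puppetrun_sudo` being local variables of the scope that renders it, whereas the replaced `scope.lookupvar(...)` calls worked from any scope; if the template is ever rendered outside the block in foreman_proxy::config that sets them, ERB sees nil and silently drops both rules, which fails closed but is hard to diagnose. A header comment naming the dependency would help the next reader, e.g. `<%# @puppetca_sudo / @puppetrun_sudo are set in foreman_proxy::config; unset means "no rule" -%>`.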
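Review bot: The second `if` in sudo_augeas.erb (hunk `@@ -12,7 +12,7 @@`) now tests `@puppetca_sudo`, but the condition it replaces was the puppetrun one (`puppet` and `puppetrun_provider == 'puppetrun'`) and sudo.erb guards the same rule with `@puppetrun_sudo`; change it to `<% if @puppetrun_sudo`. As written the puppetrun NOPASSWD entry is written whenever the puppetca rule is and omitted when only puppetrun is enabled, so one configuration gets a sudo grant it does not need and the other loses one it does. The guarded block continues beyond the end of the hunk.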