Merge branch '__snakeoil_cert' into 'master'

new type: __snakeoil_cert See merge request ungleich-public/cdist!1002
2021-07-05 08:59:59 +02:00 · 2021-07-05 08:59:59 +02:00 · d8da298cdf
commit d8da298cdf
parent 44eeb4bbfc 30ba796d06
8 changed files with 172 additions and 0 deletions
--- a/cdist/conf/type/__snakeoil_cert/explorer/ssl-cert-group
+++ b/cdist/conf/type/__snakeoil_cert/explorer/ssl-cert-group
@ -0,0 +1,8 @@
 #!/bin/sh -e
 if grep -Eq '^ssl-cert:' /etc/group
 then
    echo 'present'
 else
    echo 'absent'
 fi
--- a/cdist/conf/type/__snakeoil_cert/explorer/state
+++ b/cdist/conf/type/__snakeoil_cert/explorer/state
@ -0,0 +1,24 @@
 #!/bin/sh -e
 key_path="$( cat "$__object/parameter/key-path" )"
 if echo "$key_path" | grep -Fq '%s'
 then
    # shellcheck disable=SC2059
    key_path="$( printf "$key_path" "$__object_id" )"
 fi
 cert_path="$( cat "$__object/parameter/cert-path" )"
 if echo "$cert_path" | grep -Fq '%s'
 then
    # shellcheck disable=SC2059
    cert_path="$( printf "$cert_path" "$__object_id" )"
 fi
 if [ ! -f "$key_path" ] || [ ! -f "$cert_path" ]
 then
    echo 'absent'
 else
    echo 'present'
 fi
--- a/cdist/conf/type/__snakeoil_cert/gencode-remote
+++ b/cdist/conf/type/__snakeoil_cert/gencode-remote
@ -0,0 +1,73 @@
 #!/bin/sh -e
 state="$( cat "$__object/explorer/state" )"
 if [ "$state" = 'present' ]
 then
    exit 0
 fi
 if [ -f "$__object/parameter/common-name" ]
 then
    common_name="$( cat "$__object/parameter/common-name" )"
 else
    common_name="$__object_id"
 fi
 key_path="$( cat "$__object/parameter/key-path" )"
 if echo "$key_path" | grep -Fq '%s'
 then
    # shellcheck disable=SC2059
    key_path="$( printf "$key_path" "$__object_id" )"
 fi
 cert_path="$( cat "$__object/parameter/cert-path" )"
 if echo "$cert_path" | grep -Fq '%s'
 then
    # shellcheck disable=SC2059
    cert_path="$( printf "$cert_path" "$__object_id" )"
 fi
 key_type="$( cat "$__object/parameter/key-type" )"
 key_type_arg="$( echo "$key_type" | cut -d : -f 2 )"
 case "$key_type" in
    rsa:*)
        echo "openssl genrsa -out '$key_path' $key_type_arg"
    ;;
    ec:*)
        echo "openssl ecparam -name $key_type_arg -genkey -noout -out '$key_path'"
    ;;
 esac
 # shellcheck disable=SC2016
 echo 'csr_path="$( mktemp )"'
 echo "openssl req -new -subj '/CN=$common_name' -key '$key_path' -out \"\$csr_path\""
 echo "openssl x509 -req -sha256 -days 3650 -in \"\$csr_path\" -signkey '$key_path' -out '$cert_path'"
 # shellcheck disable=SC2016
 echo 'rm -f "$csr_path"'
 if [ "$( cat "$__object/explorer/ssl-cert-group" )" = 'present' ]
 then
    key_group='ssl-cert'
 else
    key_group='root'
 fi
 echo "chmod 640 '$key_path'"
 echo "chown root '$key_path'"
 echo "chgrp $key_group '$key_path'"
 echo "chmod 644 '$cert_path'"
 echo "chown root '$cert_path'"
 echo "chgrp root '$cert_path'"
--- a/cdist/conf/type/__snakeoil_cert/man.rst
+++ b/cdist/conf/type/__snakeoil_cert/man.rst
@ -0,0 +1,60 @@
 cdist-type__snakeoil_cert(7)
 ============================
 NAME
 ----
 cdist-type__snakeoil_cert - Generate self-signed certificate
 DESCRIPTION
 -----------
 The purpose of this type is to generate **self-signed** certificate and private key
 for **testing purposes**. Certificate will expire in 3650 days.
 Certificate's and key's access bits will be ``644`` and ``640`` respectively.
 If target system has ``ssl-cert`` group, then it will be used as key's group.
 Use ``require='__snakeoil_cert/...' __file ...`` to override.
 OPTIONAL PARAMETERS
 -------------------
 common-name
   Defaults to ``$__object_id``.
 key-path
   ``%s`` in path will be replaced with ``$__object_id``.
   Defaults to ``/etc/ssl/private/%s.pem``.
 key-type
   Possible values are ``rsa:$bits`` and ``ec:$name``.
   For possible EC names see ``openssl ecparam -list_curves``.
   Defaults to ``rsa:2048``.
 cert-path
   ``%s`` in path will be replaced with ``$__object_id``.
   Defaults to ``/etc/ssl/certs/%s.pem``.
 EXAMPLES
 --------
 .. code-block:: sh
 	__snakeoil_cert localhost-rsa \
 	    --common-name localhost \
 	    --key-type rsa:4096
 	__snakeoil_cert localhost-ec \
 	    --common-name localhost \
 	    --key-type ec:prime256v1
 AUTHORS
 -------
 Ander Punnar <ander-at-kvlt-dot-ee>
 COPYING
 -------
 Copyright \(C) 2021 Ander Punnar. You can redistribute it and/or modify it
 under the terms of the GNU General Public License as published by the Free
 Software Foundation, either version 3 of the License, or (at your option)
 any later version.
--- a/cdist/conf/type/__snakeoil_cert/parameter/default/cert-path
+++ b/cdist/conf/type/__snakeoil_cert/parameter/default/cert-path
@ -0,0 +1 @@
 /etc/ssl/certs/%s.pem
--- a/cdist/conf/type/__snakeoil_cert/parameter/default/key-path
+++ b/cdist/conf/type/__snakeoil_cert/parameter/default/key-path
@ -0,0 +1 @@
 /etc/ssl/private/%s.pem
--- a/cdist/conf/type/__snakeoil_cert/parameter/default/key-type
+++ b/cdist/conf/type/__snakeoil_cert/parameter/default/key-type
@ -0,0 +1 @@
 rsa:2048
--- a/cdist/conf/type/__snakeoil_cert/parameter/optional
+++ b/cdist/conf/type/__snakeoil_cert/parameter/optional
@ -0,0 +1,4 @@
 common-name
 key-path
 key-type
 cert-path