ungleich-public
/
cdist
6
3
Fork 8
Code Issues 55 Pull Requests 10 Projects Releases Wiki Activity
Browse Source

Merge branch '__snakeoil_cert' into 'master' 

new type: __snakeoil_cert

See merge request ungleich-public/cdist!1002
ander/__rsync
poljakowski 2 years ago
parent
44eeb4bbfc 30ba796d06
commit
d8da298cdf
8 changed files with 172 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      cdist/conf/type/__snakeoil_cert/explorer/ssl-cert-group
  2. 24
      cdist/conf/type/__snakeoil_cert/explorer/state
  3. 73
      cdist/conf/type/__snakeoil_cert/gencode-remote
  4. 60
      cdist/conf/type/__snakeoil_cert/man.rst
  5. 1
      cdist/conf/type/__snakeoil_cert/parameter/default/cert-path
  6. 1
      cdist/conf/type/__snakeoil_cert/parameter/default/key-path
  7. 1
      cdist/conf/type/__snakeoil_cert/parameter/default/key-type
  8. 4
      cdist/conf/type/__snakeoil_cert/parameter/optional

8
cdist/conf/type/__snakeoil_cert/explorer/ssl-cert-group vendored
Unescape View File

@ -0,0 +1,8 @@
#!/bin/sh -e
if grep -Eq '^ssl-cert:' /etc/group
then
echo 'present'
else
echo 'absent'
fi

24
cdist/conf/type/__snakeoil_cert/explorer/state vendored
Unescape View File

@ -0,0 +1,24 @@
#!/bin/sh -e
key_path="$( cat "$__object/parameter/key-path" )"
if echo "$key_path" | grep -Fq '%s'
then
# shellcheck disable=SC2059
key_path="$( printf "$key_path" "$__object_id" )"
fi
cert_path="$( cat "$__object/parameter/cert-path" )"
if echo "$cert_path" | grep -Fq '%s'
then
# shellcheck disable=SC2059
cert_path="$( printf "$cert_path" "$__object_id" )"
fi
if [ ! -f "$key_path" ] || [ ! -f "$cert_path" ]
then
echo 'absent'
else
echo 'present'
fi

73
cdist/conf/type/__snakeoil_cert/gencode-remote vendored
Unescape View File

@ -0,0 +1,73 @@
#!/bin/sh -e
state="$( cat "$__object/explorer/state" )"
if [ "$state" = 'present' ]
then
exit 0
fi
if [ -f "$__object/parameter/common-name" ]
then
common_name="$( cat "$__object/parameter/common-name" )"
else
common_name="$__object_id"
fi
key_path="$( cat "$__object/parameter/key-path" )"
if echo "$key_path" | grep -Fq '%s'
then
# shellcheck disable=SC2059
key_path="$( printf "$key_path" "$__object_id" )"
fi
cert_path="$( cat "$__object/parameter/cert-path" )"
if echo "$cert_path" | grep -Fq '%s'
then
# shellcheck disable=SC2059
cert_path="$( printf "$cert_path" "$__object_id" )"
fi
key_type="$( cat "$__object/parameter/key-type" )"
key_type_arg="$( echo "$key_type" | cut -d : -f 2 )"
case "$key_type" in
rsa:*)
echo "openssl genrsa -out '$key_path' $key_type_arg"
;;
ec:*)
echo "openssl ecparam -name $key_type_arg -genkey -noout -out '$key_path'"
;;
esac
# shellcheck disable=SC2016
echo 'csr_path="$( mktemp )"'
echo "openssl req -new -subj '/CN=$common_name' -key '$key_path' -out \"\$csr_path\""
echo "openssl x509 -req -sha256 -days 3650 -in \"\$csr_path\" -signkey '$key_path' -out '$cert_path'"
# shellcheck disable=SC2016
echo 'rm -f "$csr_path"'
if [ "$( cat "$__object/explorer/ssl-cert-group" )" = 'present' ]
then
key_group='ssl-cert'
else
key_group='root'
fi
echo "chmod 640 '$key_path'"
echo "chown root '$key_path'"
echo "chgrp $key_group '$key_path'"
echo "chmod 644 '$cert_path'"
echo "chown root '$cert_path'"
echo "chgrp root '$cert_path'"

60
cdist/conf/type/__snakeoil_cert/man.rst vendored
Unescape View File

@ -0,0 +1,60 @@
cdist-type__snakeoil_cert(7)
============================
NAME
----
cdist-type__snakeoil_cert - Generate self-signed certificate
DESCRIPTION
-----------
The purpose of this type is to generate **self-signed** certificate and private key
for **testing purposes**. Certificate will expire in 3650 days.
Certificate's and key's access bits will be ``644`` and ``640`` respectively.
If target system has ``ssl-cert`` group, then it will be used as key's group.
Use ``require='__snakeoil_cert/...' __file ...`` to override.
OPTIONAL PARAMETERS
-------------------
common-name
Defaults to ``$__object_id``.
key-path
``%s`` in path will be replaced with ``$__object_id``.
Defaults to ``/etc/ssl/private/%s.pem``.
key-type
Possible values are ``rsa:$bits`` and ``ec:$name``.
For possible EC names see ``openssl ecparam -list_curves``.
Defaults to ``rsa:2048``.
cert-path
``%s`` in path will be replaced with ``$__object_id``.
Defaults to ``/etc/ssl/certs/%s.pem``.
EXAMPLES
--------
.. code-block:: sh
__snakeoil_cert localhost-rsa \
--common-name localhost \
--key-type rsa:4096
__snakeoil_cert localhost-ec \
--common-name localhost \
--key-type ec:prime256v1
AUTHORS
-------
Ander Punnar <ander-at-kvlt-dot-ee>
COPYING
-------
Copyright \(C) 2021 Ander Punnar. You can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the Free
Software Foundation, either version 3 of the License, or (at your option)
any later version.

1
cdist/conf/type/__snakeoil_cert/parameter/default/cert-path vendored
Unescape View File

@ -0,0 +1 @@
/etc/ssl/certs/%s.pem

1
cdist/conf/type/__snakeoil_cert/parameter/default/key-path vendored
Unescape View File

@ -0,0 +1 @@
/etc/ssl/private/%s.pem

1
cdist/conf/type/__snakeoil_cert/parameter/default/key-type vendored
Unescape View File

@ -0,0 +1 @@
rsa:2048

4
cdist/conf/type/__snakeoil_cert/parameter/optional vendored
Unescape View File

@ -0,0 +1,4 @@
common-name
key-path
key-type
cert-path
Write Preview
Loading…
Cancel
Save