Hashar has uploaded a new change for review. https://gerrit.wikimedia.org/r/104743
Change subject: certs.pp puppet lint fixes ...................................................................... certs.pp puppet lint fixes * double quoted string containing no variables * unquoted file mode * string containing only a variable * indentation of => is not properly aligned * Made statements and titles on the same line, reindenting block * ensure found on line but it's not the first attribute. Thus add to remove trailing semicolon and replace them with commas * exploded some oneline arrays to have each member on each own line, also made sure we have trailing commas for such arrays. Change-Id: I2e1a13dc497a7d52da729fc5f8b90abf12329dbb --- M manifests/certs.pp 1 file changed, 158 insertions(+), 155 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/43/104743/1 diff --git a/manifests/certs.pp b/manifests/certs.pp index 6a0f646..5eb25fe 100644 --- a/manifests/certs.pp +++ b/manifests/certs.pp 
@@ -1,188 +1,199 @@ -define create_pkcs12( $certname="$name", $cert_alias="", $password="", $user="root", $group="ssl-cert", $location="/etc/ssl/private" ) { +define create_pkcs12( $certname=$name, $cert_alias='', $password='', $user='root', $group='ssl-cert', $location='/etc/ssl/private' ) { include passwords::certs - if ( $cert_alias == "" ) { + if ( $cert_alias == '' ) { $certalias = $certname } else { $certalias = $cert_alias } - if ( $password == "" ) { + if ( $password == '' ) { $defaultpassword = $passwords::certs::certs_default_pass } else { $defaultpassword = $password } - exec { - # pkcs12 file, used by things like opendj, nss, and tomcat - "${name}_create_pkcs12": - creates => "${location}/${certname}.p12", - command => "/usr/bin/openssl pkcs12 -export -name \"${certalias}\" -passout pass:${defaultpassword} -in /etc/ssl/certs/${certname}.pem -inkey /etc/ssl/private/${certname}.key -out ${location}/${certname}.p12", - onlyif => "/usr/bin/test -s /etc/ssl/private/${certname}.key", - require => [Package["openssl"], File["/etc/ssl/private/${certname}.key", "/etc/ssl/certs/${certname}.pem"]]; + # pkcs12 file, used by things like opendj, nss, and tomcat + exec { "${name}_create_pkcs12": + creates => "${location}/${certname}.p12", + command => "/usr/bin/openssl pkcs12 -export -name \"${certalias}\" -passout pass:${defaultpassword} -in /etc/ssl/certs/${certname}.pem -inkey /etc/ssl/private/${certname}.key -out ${location}/${certname}.p12", + onlyif => "/usr/bin/test -s /etc/ssl/private/${certname}.key", + require => [ + Package['openssl'], + File["/etc/ssl/private/${certname}.key"], + File["/etc/ssl/certs/${certname}.pem"], + ], } - file { - # Fix permissions on the p12 file, and make it available as - # a puppet resource - "${location}/${certname}.p12": - mode => 0440, - owner => $user, - group => $group, - require => Exec["${name}_create_pkcs12"], - ensure => file; + # Fix permissions on the p12 file, and make it available as + # a puppet resource + file { 
"${location}/${certname}.p12": + ensure => file, + mode => '0440', + owner => $user, + group => $group, + require => Exec["${name}_create_pkcs12"], } } -define create_chained_cert( $certname="$name", $ca, $user="root", $group="ssl-cert", $location="/etc/ssl/certs" ) { - exec { - # chained cert, used when needing to provide an entire certificate chain to a client - "${name}_create_chained_cert": - creates => "${location}/${certname}.chained.pem", - command => "/bin/cat ${certname}.pem ${ca} > ${location}/${certname}.chained.pem", - cwd => "/etc/ssl/certs", - require => [Package["openssl"], File["/etc/ssl/certs/${certname}.pem"]]; +define create_chained_cert( $certname=$name, $ca, $user='root', $group='ssl-cert', $location='/etc/ssl/certs' ) { + # chained cert, used when needing to provide an entire certificate chain to + # a client. + exec { "${name}_create_chained_cert": + creates => "${location}/${certname}.chained.pem", + command => "/bin/cat ${certname}.pem ${ca} > ${location}/${certname}.chained.pem", + cwd => '/etc/ssl/certs', + require => [ + Package['openssl'], + File["/etc/ssl/certs/${certname}.pem"], + ], } - file { - # Fix permissions on the chained file, and make it available as - # a puppet resource - "${location}/${certname}.chained.pem": - mode => 0444, - owner => $user, - group => $group, - require => Exec["${name}_create_chained_cert"], - ensure => file; + # Fix permissions on the chained file, and make it available as a puppet + # resource. 
+ file { "${location}/${certname}.chained.pem": + ensure => file, + mode => '0444', + owner => $user, + group => $group, + require => Exec["${name}_create_chained_cert"], } } -define create_combined_cert( $certname="$name", $user="root", $group="ssl-cert", $location="/etc/ssl/private" ) { +define create_combined_cert( $certname=$name, $user='root', $group='ssl-cert', $location='/etc/ssl/private' ) { - exec { - # combined cert, used by things like lighttp and nginx - "${name}_create_combined_cert": - creates => "${location}/${certname}.pem", - command => "/bin/cat /etc/ssl/certs/${certname}.pem /etc/ssl/private/${certname}.key > ${location}/${certname}.pem", - require => [Package["openssl"], File["/etc/ssl/private/${certname}.key", "/etc/ssl/certs/${certname}.pem"]]; + # Combined cert, used by things like lighttp and nginx + exec { "${name}_create_combined_cert": + creates => "${location}/${certname}.pem", + command => "/bin/cat /etc/ssl/certs/${certname}.pem /etc/ssl/private/${certname}.key > ${location}/${certname}.pem", + require => [ + Package['openssl'], + File["/etc/ssl/private/${certname}.key"], + File["/etc/ssl/certs/${certname}.pem"], + ], } - file { - # Fix permissions on the combined file, and make it available as - # a puppet resource - "${location}/${certname}.pem": - mode => 0440, - owner => $user, - group => $group, - require => Exec["${name}_create_combined_cert"], - ensure => file; + # Fix permissions on the combined file, and make it available as a puppet + # resource. 
+ file { "${location}/${certname}.pem": + ensure => file, + mode => '0440', + owner => $user, + group => $group, + require => Exec["${name}_create_combined_cert"], } } -define install_certificate( $group="ssl-cert", $ca="", $privatekey=true ) { +define install_certificate( $group='ssl-cert', $ca='', $privatekey=true ) { require certificates::packages, certificates::rapidssl_ca, certificates::digicert_ca, certificates::wmf_ca - file { - # Public key - "/etc/ssl/certs/${name}.pem": - owner => root, - group => $group, - mode => 0444, - source => "puppet:///files/ssl/${name}.pem"; + # Public key + file { "/etc/ssl/certs/${name}.pem": + owner => root, + group => $group, + mode => '0444', + source => "puppet:///files/ssl/${name}.pem", } if ( $privatekey == true ) { - file { - # Private key - "/etc/ssl/private/${name}.key": - owner => root, - group => $group, - mode => 0440, - source => "puppet:///private/ssl/${name}.key"; + # Private key + file { "/etc/ssl/private/${name}.key": + owner => root, + group => $group, + mode => '0440', + source => "puppet:///private/ssl/${name}.key"; } } else { - file { - # empty Private key - "/etc/ssl/private/${name}.key": - ensure => present; + # empty Private key + file { "/etc/ssl/private/${name}.key": + ensure => present, } } - exec { - # Many services require certificates to be found by a hash in - # the certs directory - "${name}_create_hash": - unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/${name}.pem).0\" ]", - command => "/bin/ln -sf /etc/ssl/certs/${name}.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/${name}.pem).0", - require => [Package["openssl"], File["/etc/ssl/certs/${name}.pem"]]; + # Many services require certificates to be found by a hash in the certs + # directory. 
+ exec { "${name}_create_hash": + unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/${name}.pem).0\" ]", + command => "/bin/ln -sf /etc/ssl/certs/${name}.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/${name}.pem).0", + require => [ + Package['openssl'], + File["/etc/ssl/certs/${name}.pem"], + ], } - create_pkcs12{ "${name}": } - create_combined_cert{ "${name}": } + create_pkcs12{ $name: } + create_combined_cert{ $name: } + if ( $ca ) { $cas = $ca } else { - # PEM files should be listed in order: intermediate -> intermediate -> ... -> root - # If this is out of order either servers will fail to start, or will not properly - # have SSL enabled. + # PEM files should be listed in order: + # + # intermediate -> intermediate -> ... -> root + # + # If this is out of order either servers will fail to start, or will + # not properly have SSL enabled. $cas = $name ? { - "unified.wikimedia.org" => "DigiCertHighAssuranceCA-3.pem", - "star.wikimedia.org" => "Equifax_Secure_CA.pem", - "star.wikipedia.org" => "DigiCertHighAssuranceCA-3.pem DigiCert_High_Assurance_EV_Root_CA.pem", - "star.wiktionary.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.wikiquote.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.wikibooks.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.wikisource.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.wikinews.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.wikiversity.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.mediawiki.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.wikimediafoundation.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.wmflabs.org" => "wmf-labs.pem", - "star.wmflabs" => "wmf-labs.pem", - "star.planet.wikimedia.org" => "DigiCertHighAssuranceCA-3.pem DigiCert_High_Assurance_EV_Root_CA.pem", - default => "wmf-ca.pem", + 'unified.wikimedia.org' => 'DigiCertHighAssuranceCA-3.pem', + 
'star.wikimedia.org' => 'Equifax_Secure_CA.pem', + 'star.wikipedia.org' => 'DigiCertHighAssuranceCA-3.pem DigiCert_High_Assurance_EV_Root_CA.pem', + 'star.wiktionary.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.wikiquote.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.wikibooks.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.wikisource.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.wikinews.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.wikiversity.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.mediawiki.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.wikimediafoundation.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.wmflabs.org' => 'wmf-labs.pem', + 'star.wmflabs' => 'wmf-labs.pem', + 'star.planet.wikimedia.org' => 'DigiCertHighAssuranceCA-3.pem DigiCert_High_Assurance_EV_Root_CA.pem', + default => 'wmf-ca.pem', } } - create_chained_cert{ "${name}": ca => $cas } + create_chained_cert{ $name: ca => $cas } } -define install_additional_key( $key_loc="", $owner="root", $group="ssl-cert", $mode="0440" ) { +define install_additional_key( $key_loc='', $owner='root', $group='ssl-cert', $mode='0440' ) { if ( $key_loc ) { - file { - "${key_loc}/${name}.key": - owner => $owner, - group => $group, - mode => $mode, - source => "puppet:///private/ssl/${name}.key", - require => Package["openssl"]; + file { "${key_loc}/${name}.key": + owner => $owner, + group => $group, + mode => $mode, + source => "puppet:///private/ssl/${name}.key", + require => Package['openssl'], } } } class certificates::packages { - package { [ "openssl", "ca-certificates", "ssl-cert" ]: - ensure => latest; + package { [ + 'openssl', + 'ca-certificates', + 'ssl-cert', + ]: ensure => latest; } } class certificates::star_wmflabs_org { - install_certificate{ "star.wmflabs.org": } + install_certificate{ 'star.wmflabs.org': } } class certificates::star_wmflabs { - install_certificate{ "star.wmflabs": } + install_certificate{ 
'star.wmflabs': }
 }
@@ -190,19 +201,17 @@ include certificates::packages
- file {
- "/etc/ssl/certs/wmf-ca.pem":
- owner => root,
- group => root,
- mode => 0444,
- source => "puppet:///files/ssl/wmf-ca.pem",
- require => Package["openssl"];
+ file { '/etc/ssl/certs/wmf-ca.pem':
+ owner => root,
+ group => root,
+ mode => '0444',
+ source => 'puppet:///files/ssl/wmf-ca.pem',
+ require => Package['openssl'],
 }
- exec {
- '/bin/ln -s /etc/ssl/certs/wmf-ca.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-ca.pem).0':
- unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-ca.pem).0\" ]",
- require => File["/etc/ssl/certs/wmf-ca.pem"];
+ exec { '/bin/ln -s /etc/ssl/certs/wmf-ca.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-ca.pem).0':
+ unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-ca.pem).0\" ]",
+ require => File['/etc/ssl/certs/wmf-ca.pem'],
 }
 }
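Review bot: In create_pkcs12 the PKCS#12 export password is still handed to openssl on the command line via `-passout pass:${defaultpassword}`, so it is visible to every local user in the process list while the export runs and is quoted verbatim in Puppet's failure report if the exec returns non-zero. Since this lint pass leaves the command untouched anyway, a two-line follow-up keeps it out of argv: change the option to `-passout env:PKCS12_PASS` and add `environment => "PKCS12_PASS=${defaultpassword}",` to the exec. Separately, the private-key resource in install_certificate still ends with `source => "puppet:///private/ssl/${name}.key";` and certificates::packages with `ensure => latest;`, the trailing semicolons this change set out to replace with commas. Note also that the `.p12` and the combined `.pem` are created by openssl and the shell redirect under the agent's umask and only tightened to 0440 by the following file resource; inside /etc/ssl/private the directory mode presumably masks that window, but for a non-default `$location` a comment such as `# NOTE: output is created with the agent umask until the file resource below fixes it` would warn the next caller.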
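Review bot: The hash-link exec in this hunk still uses `/bin/ln -s` without `-f`, whereas the RapidSSL and DigiCert classes later in the file use `ln -sf`; because the `unless` guard is `[ -f … ]`, a dangling `<hash>.0` symlink makes the guard false and the un-forced `ln` then fails with "File exists" on every agent run. Changing the title to `'/bin/ln -sf /etc/ssl/certs/wmf-ca.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-ca.pem).0'` brings it in line with the other CA classes (the wmf-labs hunk that follows has the same form). The guard also only checks that some `<hash>.0` exists, so if another certificate with the same subject hash already owns that slot this CA silently never gets a link; that is pre-existing, but a one-line comment on the exec, `# only links <hash>.0; a colliding subject hash is silently skipped`, would save a debugging session.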
@@ -211,19 +220,17 @@ include certificates::packages
- file {
- "/etc/ssl/certs/wmf-labs.pem":
- owner => root,
- group => root,
- mode => 0444,
- source => "puppet:///files/ssl/wmf-labs.pem",
- require => Package["openssl"];
+ file { '/etc/ssl/certs/wmf-labs.pem':
+ owner => root,
+ group => root,
+ mode => '0444',
+ source => 'puppet:///files/ssl/wmf-labs.pem',
+ require => Package['openssl'],
 }
- exec {
- '/bin/ln -s /etc/ssl/certs/wmf-labs.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-labs.pem).0':
- unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-labs.pem).0\" ]",
- require => File["/etc/ssl/certs/wmf-labs.pem"];
+ exec { '/bin/ln -s /etc/ssl/certs/wmf-labs.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-labs.pem).0':
+ unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-labs.pem).0\" ]",
+ require => File['/etc/ssl/certs/wmf-labs.pem'],
 }
 }
@@ -232,19 +239,17 @@ include certificates::packages
- file {
- "/etc/ssl/certs/RapidSSL_CA.pem":
- owner => root,
- group => root,
- mode => 0444,
- source => "puppet:///files/ssl/RapidSSL_CA.pem",
- require => Package["openssl"];
+ file { '/etc/ssl/certs/RapidSSL_CA.pem':
+ owner => root,
+ group => root,
+ mode => '0444',
+ source => 'puppet:///files/ssl/RapidSSL_CA.pem',
+ require => Package['openssl'];
 }
- exec {
- '/bin/ln -sf /etc/ssl/certs/RapidSSL_CA.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/RapidSSL_CA.pem).0':
- unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/RapidSSL_CA.pem).0\" ]",
- require => File["/etc/ssl/certs/RapidSSL_CA.pem"];
+ exec { '/bin/ln -sf /etc/ssl/certs/RapidSSL_CA.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/RapidSSL_CA.pem).0':
+ unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/RapidSSL_CA.pem).0\" ]",
+ require => File['/etc/ssl/certs/RapidSSL_CA.pem'],
 }
 }
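Review bot: The new file resource in this hunk keeps `require => Package['openssl'];` with a trailing semicolon, while the commit message says trailing semicolons are being replaced with commas and every sibling class in this change uses `require => Package['openssl'],`. Changing it to the comma form keeps the four CA classes identical apart from their certificate name and avoids puppet-lint flagging the line again.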
@@ -253,18 +258,16 @@ include certificates::packages
- file {
- "/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem":
- owner => root,
- group => root,
- mode => 0444,
- source => "puppet:///files/ssl/DigiCertHighAssuranceCA-3.pem",
- require => Package["openssl"];
+ file { '/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem':
+ owner => root,
+ group => root,
+ mode => '0444',
+ source => 'puppet:///files/ssl/DigiCertHighAssuranceCA-3.pem',
+ require => Package['openssl'],
 }
- exec {
- '/bin/ln -sf /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0':
- unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0\" ]",
- require => File["/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem"];
+ exec { '/bin/ln -sf /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0':
+ unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0\" ]",
+ require => File['/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem'],
 }
 }
--
To view, visit https://gerrit.wikimedia.org/r/104743 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I2e1a13dc497a7d52da729fc5f8b90abf12329dbb Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Hashar <has...@free.fr> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits