Hashar has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/104743


Change subject: certs.pp puppet lint fixes
......................................................................

certs.pp puppet lint fixes

* double quoted string containing no variables
* unquoted file mode
* string containing only a variable
* indentation of => is not properly aligned
* Made statements and titles on the same line, reindenting block
* ensure found on line but it's not the first attribute. Thus had to
  remove trailing semicolons and replace them with commas
* exploded some oneline arrays to have each member on its own line,
  also made sure we have trailing commas for such arrays.

Change-Id: I2e1a13dc497a7d52da729fc5f8b90abf12329dbb
---
M manifests/certs.pp
1 file changed, 158 insertions(+), 155 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/43/104743/1

diff --git a/manifests/certs.pp b/manifests/certs.pp
index 6a0f646..5eb25fe 100644
--- a/manifests/certs.pp
+++ b/manifests/certs.pp
@@ -1,188 +1,199 @@
-define create_pkcs12( $certname="$name", $cert_alias="", $password="", 
$user="root", $group="ssl-cert", $location="/etc/ssl/private" ) {
+define create_pkcs12( $certname=$name, $cert_alias='', $password='', 
$user='root', $group='ssl-cert', $location='/etc/ssl/private' ) {
 
     include passwords::certs
 
-    if ( $cert_alias == "" ) {
+    if ( $cert_alias == '' ) {
         $certalias = $certname
     } else {
         $certalias = $cert_alias
     }
 
-    if ( $password == "" ) {
+    if ( $password == '' ) {
         $defaultpassword = $passwords::certs::certs_default_pass
     } else {
         $defaultpassword = $password
     }
 
-    exec {
-        # pkcs12 file, used by things like opendj, nss, and tomcat
-        "${name}_create_pkcs12":
-            creates => "${location}/${certname}.p12",
-            command => "/usr/bin/openssl pkcs12 -export -name \"${certalias}\" 
-passout pass:${defaultpassword} -in /etc/ssl/certs/${certname}.pem -inkey 
/etc/ssl/private/${certname}.key -out ${location}/${certname}.p12",
-            onlyif  => "/usr/bin/test -s /etc/ssl/private/${certname}.key",
-            require => [Package["openssl"], 
File["/etc/ssl/private/${certname}.key", "/etc/ssl/certs/${certname}.pem"]];
+    # pkcs12 file, used by things like opendj, nss, and tomcat
+    exec { "${name}_create_pkcs12":
+        creates => "${location}/${certname}.p12",
+        command => "/usr/bin/openssl pkcs12 -export -name \"${certalias}\" 
-passout pass:${defaultpassword} -in /etc/ssl/certs/${certname}.pem -inkey 
/etc/ssl/private/${certname}.key -out ${location}/${certname}.p12",
+        onlyif  => "/usr/bin/test -s /etc/ssl/private/${certname}.key",
+        require => [
+            Package['openssl'],
+            File["/etc/ssl/private/${certname}.key"],
+            File["/etc/ssl/certs/${certname}.pem"],
+        ],
     }
 
-    file {
-        # Fix permissions on the p12 file, and make it available as
-        # a puppet resource
-        "${location}/${certname}.p12":
-            mode => 0440,
-            owner => $user,
-            group => $group,
-            require => Exec["${name}_create_pkcs12"],
-            ensure => file;
+    # Fix permissions on the p12 file, and make it available as
+    # a puppet resource
+    file { "${location}/${certname}.p12":
+        ensure  => file,
+        mode    => '0440',
+        owner   => $user,
+        group   => $group,
+        require => Exec["${name}_create_pkcs12"],
     }
 }
 
-define create_chained_cert( $certname="$name", $ca, $user="root", 
$group="ssl-cert", $location="/etc/ssl/certs" ) {
-    exec {
-        # chained cert, used when needing to provide an entire certificate 
chain to a client
-        "${name}_create_chained_cert":
-            creates => "${location}/${certname}.chained.pem",
-            command => "/bin/cat ${certname}.pem ${ca} > 
${location}/${certname}.chained.pem",
-            cwd => "/etc/ssl/certs",
-            require => [Package["openssl"], 
File["/etc/ssl/certs/${certname}.pem"]];
+define create_chained_cert( $certname=$name, $ca, $user='root', 
$group='ssl-cert', $location='/etc/ssl/certs' ) {
+    # chained cert, used when needing to provide an entire certificate chain to
+    # a client.
+    exec { "${name}_create_chained_cert":
+        creates => "${location}/${certname}.chained.pem",
+        command => "/bin/cat ${certname}.pem ${ca} > 
${location}/${certname}.chained.pem",
+        cwd     => '/etc/ssl/certs',
+        require => [
+            Package['openssl'],
+            File["/etc/ssl/certs/${certname}.pem"],
+        ],
     }
 
-    file {
-        # Fix permissions on the chained file, and make it available as
-        # a puppet resource
-        "${location}/${certname}.chained.pem":
-            mode => 0444,
-            owner => $user,
-            group => $group,
-            require => Exec["${name}_create_chained_cert"],
-            ensure => file;
+    # Fix permissions on the chained file, and make it available as a puppet
+    # resource.
+    file { "${location}/${certname}.chained.pem":
+        ensure  => file,
+        mode    => '0444',
+        owner   => $user,
+        group   => $group,
+        require => Exec["${name}_create_chained_cert"],
     }
 }
 
-define create_combined_cert( $certname="$name", $user="root", 
$group="ssl-cert", $location="/etc/ssl/private" ) {
+define create_combined_cert( $certname=$name, $user='root', $group='ssl-cert', 
$location='/etc/ssl/private' ) {
 
-    exec {
-        # combined cert, used by things like lighttp and nginx
-        "${name}_create_combined_cert":
-            creates => "${location}/${certname}.pem",
-            command => "/bin/cat /etc/ssl/certs/${certname}.pem 
/etc/ssl/private/${certname}.key > ${location}/${certname}.pem",
-            require => [Package["openssl"], 
File["/etc/ssl/private/${certname}.key", "/etc/ssl/certs/${certname}.pem"]];
+    # Combined cert, used by things like lighttp and nginx
+    exec { "${name}_create_combined_cert":
+        creates => "${location}/${certname}.pem",
+        command => "/bin/cat /etc/ssl/certs/${certname}.pem 
/etc/ssl/private/${certname}.key > ${location}/${certname}.pem",
+        require => [
+            Package['openssl'],
+            File["/etc/ssl/private/${certname}.key"],
+            File["/etc/ssl/certs/${certname}.pem"],
+        ],
     }
 
-    file {
-        # Fix permissions on the combined file, and make it available as
-        # a puppet resource
-        "${location}/${certname}.pem":
-            mode => 0440,
-            owner => $user,
-            group => $group,
-            require => Exec["${name}_create_combined_cert"],
-            ensure => file;
+    # Fix permissions on the combined file, and make it available as a puppet
+    # resource.
+    file { "${location}/${certname}.pem":
+        ensure  => file,
+        mode    => '0440',
+        owner   => $user,
+        group   => $group,
+        require => Exec["${name}_create_combined_cert"],
     }
 }
 
-define install_certificate( $group="ssl-cert", $ca="", $privatekey=true ) {
+define install_certificate( $group='ssl-cert', $ca='', $privatekey=true ) {
 
     require certificates::packages,
     certificates::rapidssl_ca,
     certificates::digicert_ca,
     certificates::wmf_ca
 
-    file {
-        # Public key
-        "/etc/ssl/certs/${name}.pem":
-            owner => root,
-            group => $group,
-            mode => 0444,
-            source => "puppet:///files/ssl/${name}.pem";
+    # Public key
+    file { "/etc/ssl/certs/${name}.pem":
+        owner  => root,
+        group  => $group,
+        mode   => '0444',
+        source => "puppet:///files/ssl/${name}.pem",
     }
 
 
     if ( $privatekey == true ) {
-        file {
-            # Private key
-            "/etc/ssl/private/${name}.key":
-                owner => root,
-                group => $group,
-                mode => 0440,
-                source => "puppet:///private/ssl/${name}.key";
+        # Private key
+        file { "/etc/ssl/private/${name}.key":
+            owner  => root,
+            group  => $group,
+            mode   => '0440',
+            source => "puppet:///private/ssl/${name}.key";
         }
     } else {
-        file {
-            # empty Private key
-            "/etc/ssl/private/${name}.key":
-                ensure => present;
+        # empty Private key
+        file { "/etc/ssl/private/${name}.key":
+            ensure => present,
         }
     }
 
-    exec {
-        # Many services require certificates to be found by a hash in
-        # the certs directory
-        "${name}_create_hash":
-            unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/${name}.pem).0\" ]",
-            command => "/bin/ln -sf /etc/ssl/certs/${name}.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/${name}.pem).0",
-            require => [Package["openssl"], 
File["/etc/ssl/certs/${name}.pem"]];
+    # Many services require certificates to be found by a hash in the certs
+    # directory.
+    exec { "${name}_create_hash":
+        unless  => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/${name}.pem).0\" ]",
+        command => "/bin/ln -sf /etc/ssl/certs/${name}.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/${name}.pem).0",
+        require => [
+            Package['openssl'],
+            File["/etc/ssl/certs/${name}.pem"],
+        ],
     }
 
-    create_pkcs12{ "${name}": }
-    create_combined_cert{ "${name}": }
+    create_pkcs12{ $name: }
+    create_combined_cert{ $name: }
+
     if ( $ca ) {
         $cas = $ca
     } else {
-        # PEM files should be listed in order: intermediate -> intermediate -> 
... -> root
-        # If this is out of order either servers will fail to start, or will 
not properly
-        # have SSL enabled.
+        # PEM files should be listed in order:
+        #
+        #   intermediate -> intermediate -> ... -> root
+        #
+        # If this is out of order either servers will fail to start, or will
+        # not properly have SSL enabled.
         $cas = $name ? {
-            "unified.wikimedia.org" => "DigiCertHighAssuranceCA-3.pem",
-            "star.wikimedia.org" => "Equifax_Secure_CA.pem",
-            "star.wikipedia.org" => "DigiCertHighAssuranceCA-3.pem 
DigiCert_High_Assurance_EV_Root_CA.pem",
-            "star.wiktionary.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem",
-            "star.wikiquote.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem",
-            "star.wikibooks.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem",
-            "star.wikisource.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem",
-            "star.wikinews.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem",
-            "star.wikiversity.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem",
-            "star.mediawiki.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem",
-            "star.wikimediafoundation.org" => "RapidSSL_CA.pem 
GeoTrust_Global_CA.pem",
-            "star.wmflabs.org" => "wmf-labs.pem",
-            "star.wmflabs" => "wmf-labs.pem",
-            "star.planet.wikimedia.org" => "DigiCertHighAssuranceCA-3.pem 
DigiCert_High_Assurance_EV_Root_CA.pem",
-            default => "wmf-ca.pem",
+            'unified.wikimedia.org'        => 'DigiCertHighAssuranceCA-3.pem',
+            'star.wikimedia.org'           => 'Equifax_Secure_CA.pem',
+            'star.wikipedia.org'           => 'DigiCertHighAssuranceCA-3.pem 
DigiCert_High_Assurance_EV_Root_CA.pem',
+            'star.wiktionary.org'          => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.wikiquote.org'           => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.wikibooks.org'           => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.wikisource.org'          => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.wikinews.org'            => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.wikiversity.org'         => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.mediawiki.org'           => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.wikimediafoundation.org' => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.wmflabs.org'             => 'wmf-labs.pem',
+            'star.wmflabs'                 => 'wmf-labs.pem',
+            'star.planet.wikimedia.org'    => 'DigiCertHighAssuranceCA-3.pem 
DigiCert_High_Assurance_EV_Root_CA.pem',
+            default                        => 'wmf-ca.pem',
         }
     }
-    create_chained_cert{ "${name}": ca => $cas }
+    create_chained_cert{ $name: ca => $cas }
 
 }
 
-define install_additional_key( $key_loc="", $owner="root", $group="ssl-cert", 
$mode="0440" ) {
+define install_additional_key( $key_loc='', $owner='root', $group='ssl-cert', 
$mode='0440' ) {
 
     if ( $key_loc ) {
-        file {
-            "${key_loc}/${name}.key":
-                owner => $owner,
-                group => $group,
-                mode => $mode,
-                source => "puppet:///private/ssl/${name}.key",
-                require => Package["openssl"];
+        file { "${key_loc}/${name}.key":
+            owner   => $owner,
+            group   => $group,
+            mode    => $mode,
+            source  => "puppet:///private/ssl/${name}.key",
+            require => Package['openssl'],
         }
     }
 }
 
 class certificates::packages {
 
-    package { [ "openssl", "ca-certificates", "ssl-cert" ]:
-        ensure => latest;
+    package { [
+        'openssl',
+        'ca-certificates',
+        'ssl-cert',
+        ]: ensure => latest;
     }
 
 }
 
 class certificates::star_wmflabs_org {
 
-    install_certificate{ "star.wmflabs.org": }
+    install_certificate{ 'star.wmflabs.org': }
 
 }
 
 class certificates::star_wmflabs {
 
-    install_certificate{ "star.wmflabs": }
+    install_certificate{ 'star.wmflabs': }
 
 }
 
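Review bot: The `${name}_create_pkcs12` exec still passes the keystore password as `-passout pass:${defaultpassword}`, so the secret sits in the openssl argument list, visible in the process table while the command runs, and in the exec's command string, which Puppet prints when the command fails. OpenSSL can read the passphrase from the environment instead: add `environment => "PKCS12_PASS=${defaultpassword}",` to the exec and change the option to `-passout env:PKCS12_PASS` (the variable name is a constructed example). The rest of the command line can stay as it is.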
@@ -190,19 +201,17 @@
 
     include certificates::packages
 
-    file {
-        "/etc/ssl/certs/wmf-ca.pem":
-            owner => root,
-            group => root,
-            mode => 0444,
-            source => "puppet:///files/ssl/wmf-ca.pem",
-            require => Package["openssl"];
+    file { '/etc/ssl/certs/wmf-ca.pem':
+        owner   => root,
+        group   => root,
+        mode    => '0444',
+        source  => 'puppet:///files/ssl/wmf-ca.pem',
+        require => Package['openssl'],
     }
 
-    exec {
-        '/bin/ln -s /etc/ssl/certs/wmf-ca.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/wmf-ca.pem).0':
-            unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/wmf-ca.pem).0\" ]",
-            require => File["/etc/ssl/certs/wmf-ca.pem"];
+    exec { '/bin/ln -s /etc/ssl/certs/wmf-ca.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/wmf-ca.pem).0':
+        unless  => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/wmf-ca.pem).0\" ]",
+        require => File['/etc/ssl/certs/wmf-ca.pem'],
     }
 
 }
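Review bot: The symlink exec for wmf-ca.pem runs `/bin/ln -s` without `-f`, while the RapidSSL and DigiCert execs later in this diff and `${name}_create_hash` use `-sf`; the wmf-labs hunk that follows has the same form. The `unless` guard tests only `[ -f … ]`, which is false when something other than a link to a regular file already sits at the hash path (a dangling link, for instance), and in that case `ln -s` would presumably fail on every run. Using `/bin/ln -sf /etc/ssl/certs/wmf-ca.pem …` in the exec title would keep these execs consistent. The enclosing class header is outside this hunk.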
@@ -211,19 +220,17 @@
 
     include certificates::packages
 
-    file {
-        "/etc/ssl/certs/wmf-labs.pem":
-            owner => root,
-            group => root,
-            mode => 0444,
-            source => "puppet:///files/ssl/wmf-labs.pem",
-            require => Package["openssl"];
+    file { '/etc/ssl/certs/wmf-labs.pem':
+        owner   => root,
+        group   => root,
+        mode    => '0444',
+        source  => 'puppet:///files/ssl/wmf-labs.pem',
+        require => Package['openssl'],
     }
 
-    exec {
-        '/bin/ln -s /etc/ssl/certs/wmf-labs.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/wmf-labs.pem).0':
-            unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/wmf-labs.pem).0\" ]",
-            require => File["/etc/ssl/certs/wmf-labs.pem"];
+    exec { '/bin/ln -s /etc/ssl/certs/wmf-labs.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/wmf-labs.pem).0':
+        unless  => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/wmf-labs.pem).0\" ]",
+        require => File['/etc/ssl/certs/wmf-labs.pem'],
     }
 
 }
@@ -232,19 +239,17 @@
 
     include certificates::packages
 
-    file {
-        "/etc/ssl/certs/RapidSSL_CA.pem":
-            owner => root,
-            group => root,
-            mode => 0444,
-            source => "puppet:///files/ssl/RapidSSL_CA.pem",
-            require => Package["openssl"];
+    file { '/etc/ssl/certs/RapidSSL_CA.pem':
+        owner   => root,
+        group   => root,
+        mode    => '0444',
+        source  => 'puppet:///files/ssl/RapidSSL_CA.pem',
+        require => Package['openssl'];
     }
 
-    exec {
-        '/bin/ln -sf /etc/ssl/certs/RapidSSL_CA.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/RapidSSL_CA.pem).0':
-            unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/RapidSSL_CA.pem).0\" ]",
-            require => File["/etc/ssl/certs/RapidSSL_CA.pem"];
+    exec { '/bin/ln -sf /etc/ssl/certs/RapidSSL_CA.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/RapidSSL_CA.pem).0':
+        unless  => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/RapidSSL_CA.pem).0\" ]",
+        require => File['/etc/ssl/certs/RapidSSL_CA.pem'],
     }
 
 }
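Review bot: `require => Package['openssl'];` in the RapidSSL_CA.pem file resource still ends with a semicolon, whereas the same attribute in the wmf-ca, wmf-labs and DigiCert hunks now ends with a comma as the commit message describes. Two more are left in the first hunk: `source => "puppet:///private/ssl/${name}.key";` in the private-key file resource and `]: ensure => latest;` in certificates::packages. Changing each to a trailing comma (`require => Package['openssl'],`) would make the file uniform; for the package resource, `ensure => latest,` on its own line after `]:` would also match the one-attribute-per-line layout used elsewhere. The enclosing class header is outside this hunk.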
@@ -253,18 +258,16 @@
 
     include certificates::packages
 
-    file {
-        "/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem":
-            owner => root,
-            group => root,
-            mode => 0444,
-            source => "puppet:///files/ssl/DigiCertHighAssuranceCA-3.pem",
-            require => Package["openssl"];
+    file { '/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem':
+        owner   => root,
+        group   => root,
+        mode    => '0444',
+        source  => 'puppet:///files/ssl/DigiCertHighAssuranceCA-3.pem',
+        require => Package['openssl'],
     }
 
-    exec {
-        '/bin/ln -sf /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0':
-            unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0\" ]",
-            require => File["/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem"];
+    exec { '/bin/ln -sf /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0':
+        unless  => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0\" ]",
+        require => File['/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem'],
     }
 }

-- 
To view, visit https://gerrit.wikimedia.org/r/104743

Gerrit-MessageType: newchange
Gerrit-Change-Id: I2e1a13dc497a7d52da729fc5f8b90abf12329dbb
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <has...@free.fr>
