Alexandros Kosiaris has submitted this change and it was merged. Change subject: certs: lint ......................................................................
certs: lint Change-Id: I317fcc1b8a5722759f9830f617830a1004dcf4e4 --- M manifests/certs.pp 1 file changed, 185 insertions(+), 173 deletions(-) Approvals: RobH: Looks good to me, but someone else must approve Alexandros Kosiaris: Looks good to me, approved jenkins-bot: Verified
diff --git a/manifests/certs.pp b/manifests/certs.pp
index 1321448..66335a6 100644
--- a/manifests/certs.pp
+++ b/manifests/certs.pp
@@ -1,188 +1,210 @@ -define create_pkcs12( $certname="$name", $cert_alias="", $password="", $user="root", $group="ssl-cert", $location="/etc/ssl/private" ) { +define create_pkcs12( + $certname = $name, + $cert_alias = '', + $password = '', + $user = 'root', + $group = 'ssl-cert', + $location = '/etc/ssl/private', +) { include passwords::certs - if ( $cert_alias == "" ) { + if ( $cert_alias == '' ) { $certalias = $certname } else { $certalias = $cert_alias } - if ( $password == "" ) { + if ( $password == '' ) { $defaultpassword = $passwords::certs::certs_default_pass } else { $defaultpassword = $password } - - exec { - # pkcs12 file, used by things like opendj, nss, and tomcat - "${name}_create_pkcs12": - creates => "${location}/${certname}.p12", - command => "/usr/bin/openssl pkcs12 -export -name \"${certalias}\" -passout pass:${defaultpassword} -in /etc/ssl/certs/${certname}.pem -inkey /etc/ssl/private/${certname}.key -out ${location}/${certname}.p12", - onlyif => "/usr/bin/test -s /etc/ssl/private/${certname}.key", - require => [Package["openssl"], File["/etc/ssl/private/${certname}.key", "/etc/ssl/certs/${certname}.pem"]]; + # pkcs12 file, used by things like opendj, nss, and tomcat + exec { "${name}_create_pkcs12": + creates => "${location}/${certname}.p12", + command => "/usr/bin/openssl pkcs12 -export -name \"${certalias}\" -passout pass:${defaultpassword} -in /etc/ssl/certs/${certname}.pem -inkey /etc/ssl/private/${certname}.key -out ${location}/${certname}.p12", + onlyif => "/usr/bin/test -s /etc/ssl/private/${certname}.key", + require => [Package['openssl'], + File["/etc/ssl/private/${certname}.key"], + File["/etc/ssl/certs/${certname}.pem"], + ], } - - file { - # Fix permissions on the p12 file, and make it available as - # a puppet resource - "${location}/${certname}.p12": - mode => 0440, - owner => $user, - group => $group, - require => Exec["${name}_create_pkcs12"], - ensure => file; + # Fix permissions on the p12 file, and make it available as + # a 
puppet resource + file { "${location}/${certname}.p12": + ensure => 'file', + mode => '0440', + owner => $user, + group => $group, + require => Exec["${name}_create_pkcs12"], } } -define create_chained_cert( $certname="$name", $ca, $user="root", $group="ssl-cert", $location="/etc/ssl/certs" ) { - exec { - # chained cert, used when needing to provide an entire certificate chain to a client - "${name}_create_chained_cert": - creates => "${location}/${certname}.chained.pem", - command => "/bin/cat ${certname}.pem ${ca} > ${location}/${certname}.chained.pem", - cwd => "/etc/ssl/certs", - require => [Package["openssl"], File["/etc/ssl/certs/${certname}.pem"]]; +define create_chained_cert( + $ca, + $certname = $name, + $user = 'root', + $group = 'ssl-cert', + $location = '/etc/ssl/certs', +) { + # chained cert, used when needing to provide + # an entire certificate chain to a client + exec { "${name}_create_chained_cert": + creates => "${location}/${certname}.chained.pem", + command => "/bin/cat ${certname}.pem ${ca} > ${location}/${certname}.chained.pem", + cwd => '/etc/ssl/certs', + require => [Package['openssl'], + File["/etc/ssl/certs/${certname}.pem"], + ], } - - file { - # Fix permissions on the chained file, and make it available as - # a puppet resource - "${location}/${certname}.chained.pem": - mode => 0444, - owner => $user, - group => $group, - require => Exec["${name}_create_chained_cert"], - ensure => file; + # Fix permissions on the chained file, and make it available as + file { "${location}/${certname}.chained.pem": + ensure => 'file', + mode => '0444', + owner => $user, + group => $group, + require => Exec["${name}_create_chained_cert"], } } -define create_combined_cert( $certname="$name", $user="root", $group="ssl-cert", $location="/etc/ssl/private" ) { - - exec { - # combined cert, used by things like lighttp and nginx - "${name}_create_combined_cert": - creates => "${location}/${certname}.pem", - command => "/bin/cat /etc/ssl/certs/${certname}.pem 
/etc/ssl/private/${certname}.key > ${location}/${certname}.pem", - require => [Package["openssl"], File["/etc/ssl/private/${certname}.key", "/etc/ssl/certs/${certname}.pem"]]; +define create_combined_cert( + $certname = $name, + $user = 'root', + $group = 'ssl-cert', + $location = '/etc/ssl/private', +) { + # combined cert, used by things like lighttp and nginx + exec { "${name}_create_combined_cert": + creates => "${location}/${certname}.pem", + command => "/bin/cat /etc/ssl/certs/${certname}.pem /etc/ssl/private/${certname}.key > ${location}/${certname}.pem", + require => [Package['openssl'], + File["/etc/ssl/private/${certname}.key"], + File["/etc/ssl/certs/${certname}.pem"], + ]; } - - file { - # Fix permissions on the combined file, and make it available as - # a puppet resource - "${location}/${certname}.pem": - mode => 0440, - owner => $user, - group => $group, - require => Exec["${name}_create_combined_cert"], - ensure => file; + # Fix permissions on the combined file, and make it available as + # a puppet resource + file { "${location}/${certname}.pem": + ensure => 'file', + mode => '0440', + owner => $user, + group => $group, + require => Exec["${name}_create_combined_cert"], } } -define install_certificate( $group="ssl-cert", $ca="", $privatekey=true ) { +define install_certificate( + $group = 'ssl-cert', + $ca = '', + $privatekey=true, +) { require certificates::packages, certificates::rapidssl_ca, certificates::rapidssl_ca_2, certificates::digicert_ca, certificates::wmf_ca - - file { - # Public key - "/etc/ssl/certs/${name}.pem": - owner => root, - group => $group, - mode => 0444, - source => "puppet:///files/ssl/${name}.pem"; + # Public key + file { "/etc/ssl/certs/${name}.pem": + owner => 'root', + group => $group, + mode => '0444', + source => "puppet:///files/ssl/${name}.pem", } if ( $privatekey == true ) { - file { - # Private key - "/etc/ssl/private/${name}.key": - owner => root, - group => $group, - mode => 0440, - source => 
"puppet:///private/ssl/${name}.key"; + # Private key + file { "/etc/ssl/private/${name}.key": + owner => 'root', + group => $group, + mode => '0440', + source => "puppet:///private/ssl/${name}.key", } } else { - file { - # empty Private key - "/etc/ssl/private/${name}.key": - ensure => present; + # empty Private key + file { "/etc/ssl/private/${name}.key": + ensure => 'present', } } - - exec { - # Many services require certificates to be found by a hash in - # the certs directory - "${name}_create_hash": - unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/${name}.pem).0\" ]", - command => "/bin/ln -sf /etc/ssl/certs/${name}.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/${name}.pem).0", - require => [Package["openssl"], File["/etc/ssl/certs/${name}.pem"]]; + # Many services require certificates to be found by a hash in + # the certs directory + exec { "${name}_create_hash": + unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/${name}.pem).0\" ]", + command => "/bin/ln -sf /etc/ssl/certs/${name}.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/${name}.pem).0", + require => [Package['openssl'], + File["/etc/ssl/certs/${name}.pem"], + ], } - create_pkcs12{ "${name}": } - create_combined_cert{ "${name}": } + create_pkcs12{ $name: } + create_combined_cert{ $name: } if ( $ca ) { $cas = $ca } else { - # PEM files should be listed in order: intermediate -> intermediate -> ... -> root - # If this is out of order either servers will fail to start, or will not properly - # have SSL enabled. + # PEM files should be listed in order: + # intermediate -> intermediate -> ... -> root + # If this is out of order either servers will fail to start, + # or will not properly have SSL enabled. $cas = $name ? 
{ - "unified.wikimedia.org" => "DigiCertHighAssuranceCA-3.pem", - "star.wikimedia.org" => "RapidSSL_CA.pem RapidSSL_CA_2.pem GeoTrust_Global_CA.pem", - "star.wikipedia.org" => "DigiCertHighAssuranceCA-3.pem DigiCert_High_Assurance_EV_Root_CA.pem", - "star.wiktionary.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.wikiquote.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.wikibooks.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.wikisource.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.wikinews.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.wikiversity.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.mediawiki.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.wikimediafoundation.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", - "star.wmflabs.org" => "wmf-labs.pem", - "star.wmflabs" => "wmf-labs.pem", - "star.planet.wikimedia.org" => "DigiCertHighAssuranceCA-3.pem DigiCert_High_Assurance_EV_Root_CA.pem", - default => "wmf-ca.pem", + 'unified.wikimedia.org' => 'DigiCertHighAssuranceCA-3.pem', + 'star.wikimedia.org' => 'RapidSSL_CA.pem RapidSSL_CA_2.pem GeoTrust_Global_CA.pem', + 'star.wikipedia.org' => 'DigiCertHighAssuranceCA-3.pem DigiCert_High_Assurance_EV_Root_CA.pem', + 'star.wiktionary.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.wikiquote.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.wikibooks.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.wikisource.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.wikinews.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.wikiversity.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.mediawiki.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.wikimediafoundation.org' => 'RapidSSL_CA.pem GeoTrust_Global_CA.pem', + 'star.wmflabs.org' => 'wmf-labs.pem', + 'star.wmflabs' => 'wmf-labs.pem', + 'star.planet.wikimedia.org' => 'DigiCertHighAssuranceCA-3.pem DigiCert_High_Assurance_EV_Root_CA.pem', + 
default => 'wmf-ca.pem', } } - create_chained_cert{ "${name}": ca => $cas } + create_chained_cert{ $name: + ca => $cas, + } } -define install_additional_key( $key_loc="", $owner="root", $group="ssl-cert", $mode="0440" ) { +define install_additional_key( + $key_loc = '', + $owner = 'root', + $group = 'ssl-cert', + $mode = '0440', +) { if ( $key_loc ) { - file { - "${key_loc}/${name}.key": - owner => $owner, - group => $group, - mode => $mode, - source => "puppet:///private/ssl/${name}.key", - require => Package["openssl"]; + file { "${key_loc}/${name}.key": + owner => $owner, + group => $group, + mode => $mode, + source => "puppet:///private/ssl/${name}.key", + require => Package['openssl'], } } } class certificates::packages { - package { [ "openssl", "ca-certificates", "ssl-cert" ]: - ensure => latest; + package { [ 'openssl', 'ca-certificates', 'ssl-cert' ]: + ensure => 'latest', } } class certificates::star_wmflabs_org { - install_certificate{ "star.wmflabs.org": } + install_certificate{ 'star.wmflabs.org': } } class certificates::star_wmflabs { - install_certificate{ "star.wmflabs": } + install_certificate{ 'star.wmflabs': } } 
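Review bot: In create_pkcs12 the PKCS#12 export password is still handed to openssl on the command line via `-passout pass:${defaultpassword}`, so it is readable by any local user in the process list while the exec runs and may be reproduced in Puppet's failure output together with the command. Since the lint pass already rewrites this exec, it would be a small addition to pass the password through the environment instead, e.g. `environment => "P12PASS=${defaultpassword}"` on the exec and `-passout env:P12PASS` in the command. Three smaller inconsistencies remain in the same hunk: the `require => [...]` in create_combined_cert ends with `];` where the other defines use `],`; `$privatekey=true,` in install_certificate lacks the spaces around `=` that the other parameters gained; and the comment above the chained.pem file resource in create_chained_cert lost its second line, `# a puppet resource`, in the rewrite.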
@@ -190,19 +212,17 @@ include certificates::packages
- file {
- "/etc/ssl/certs/wmf-ca.pem":
- owner => root,
- group => root,
- mode => 0444,
- source => "puppet:///files/ssl/wmf-ca.pem",
- require => Package["openssl"];
+ file { '/etc/ssl/certs/wmf-ca.pem':
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ source => 'puppet:///files/ssl/wmf-ca.pem',
+ require => Package['openssl'],
 }
- exec {
- '/bin/ln -s /etc/ssl/certs/wmf-ca.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-ca.pem).0':
- unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-ca.pem).0\" ]",
- require => File["/etc/ssl/certs/wmf-ca.pem"];
+ exec { '/bin/ln -s /etc/ssl/certs/wmf-ca.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-ca.pem).0':
+ unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-ca.pem).0\" ]",
+ require => File['/etc/ssl/certs/wmf-ca.pem'],
 }
 }
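Review bot: The hash-symlink exec kept in this hunk still runs `ln -s` without `-f`, while the equivalent execs for RapidSSL_CA, RapidSSL_CA_2 and DigiCertHighAssuranceCA-3 in the later hunks use `ln -sf`; if the hash path already exists as a stale or dangling link, the `unless` test (`-f`) treats it as missing and the un-forced `ln` then fails on every run. The same applies to the wmf-labs hunk that follows. Changing the command to `/bin/ln -sf /etc/ssl/certs/wmf-ca.pem ...` would make all five classes behave the same; note the command doubles as the resource title, so the title changes with it. The opening line of the enclosing class is not visible in the hunk as shown.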
@@ -211,19 +231,17 @@ include certificates::packages
- file {
- "/etc/ssl/certs/wmf-labs.pem":
- owner => root,
- group => root,
- mode => 0444,
- source => "puppet:///files/ssl/wmf-labs.pem",
- require => Package["openssl"];
+ file { '/etc/ssl/certs/wmf-labs.pem':
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ source => 'puppet:///files/ssl/wmf-labs.pem',
+ require => Package['openssl'],
 }
- exec {
- '/bin/ln -s /etc/ssl/certs/wmf-labs.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-labs.pem).0':
- unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-labs.pem).0\" ]",
- require => File["/etc/ssl/certs/wmf-labs.pem"];
+ exec { '/bin/ln -s /etc/ssl/certs/wmf-labs.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-labs.pem).0':
+ unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/wmf-labs.pem).0\" ]",
+ require => File['/etc/ssl/certs/wmf-labs.pem'],
 }
 }
@@ -232,19 +250,17 @@ include certificates::packages
- file {
- "/etc/ssl/certs/RapidSSL_CA.pem":
- owner => root,
- group => root,
- mode => 0444,
- source => "puppet:///files/ssl/RapidSSL_CA.pem",
- require => Package["openssl"];
+ file { '/etc/ssl/certs/RapidSSL_CA.pem':
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ source => 'puppet:///files/ssl/RapidSSL_CA.pem',
+ require => Package['openssl'],
 }
- exec {
- '/bin/ln -sf /etc/ssl/certs/RapidSSL_CA.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/RapidSSL_CA.pem).0':
- unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/RapidSSL_CA.pem).0\" ]",
- require => File["/etc/ssl/certs/RapidSSL_CA.pem"];
+ exec { '/bin/ln -sf /etc/ssl/certs/RapidSSL_CA.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/RapidSSL_CA.pem).0':
+ unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/RapidSSL_CA.pem).0\" ]",
+ require => File['/etc/ssl/certs/RapidSSL_CA.pem'],
 }
 }
@@ -253,19 +269,17 @@ include certificates::packages
- file {
- "/etc/ssl/certs/RapidSSL_CA_2.pem":
- owner => root,
- group => root,
- mode => 0444,
- source => "puppet:///files/ssl/RapidSSL_CA_2.pem",
- require => Package["openssl"];
+ file { '/etc/ssl/certs/RapidSSL_CA_2.pem':
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ source => 'puppet:///files/ssl/RapidSSL_CA_2.pem',
+ require => Package['openssl'],
 }
- exec {
- '/bin/ln -sf /etc/ssl/certs/RapidSSL_CA_2.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/RapidSSL_CA_2.pem).0':
- unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/RapidSSL_CA_2.pem).0\" ]",
- require => File["/etc/ssl/certs/RapidSSL_CA_2.pem"];
+ exec { '/bin/ln -sf /etc/ssl/certs/RapidSSL_CA_2.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/RapidSSL_CA_2.pem).0':
+ unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/RapidSSL_CA_2.pem).0\" ]",
+ require => File['/etc/ssl/certs/RapidSSL_CA_2.pem'],
 }
 }
@@ -274,18 +288,16 @@ include certificates::packages
- file {
- "/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem":
- owner => root,
- group => root,
- mode => 0444,
- source => "puppet:///files/ssl/DigiCertHighAssuranceCA-3.pem",
- require => Package["openssl"];
+ file { '/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem':
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ source => 'puppet:///files/ssl/DigiCertHighAssuranceCA-3.pem',
+ require => Package['openssl'],
 }
- exec {
- '/bin/ln -sf /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0':
- unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0\" ]",
- require => File["/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem"];
+ exec { '/bin/ln -sf /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem /etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0':
+ unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0\" ]",
+ require => File['/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem'],
 }
 }
-- To view, visit https://gerrit.wikimedia.org/r/110366 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I317fcc1b8a5722759f9830f617830a1004dcf4e4 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Matanya <mata...@foss.co.il> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org> Gerrit-Reviewer: Dzahn <dz...@wikimedia.org> Gerrit-Reviewer: Ori.livneh <o...@wikimedia.org> Gerrit-Reviewer: RobH <r...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org