add initial per instance ssl configuration

These params have been addded to the port389::instance define * ssl_server_port * ssl_cert * ssl_key * ssl_ca_certs
Contargo · Jan 31, 2014 · b5f5e99 · b5f5e99
1 parent dbb1c5e
commit b5f5e99
Show file tree

Hide file tree

Showing 12 changed files with 540 additions and 2 deletions.
diff --git a/.fixtures.yml b/.fixtures.yml
@@ -5,5 +5,9 @@ fixtures:
       ref:  '4.0.0'
     limits: 'https://github.com/saz/puppet-limits.git'
     augeasproviders: 'https://github.com/hercules-team/augeasproviders.git'
+    openldap: 'https://github.com/mcanevet/puppet-openldap.git'
+    nssdb:
+      repo: 'https://github.com/jhoblitt/puppet-nssdb.git'
+      ref:  '1be003431c3f612483756a26eebf13cfa14d18a9'
   symlinks:
     port389: "#{source_dir}"
diff --git a/Gemfile b/Gemfile
@@ -12,6 +12,6 @@ gem 'puppet-lint',                    :require => false
 gem 'puppet-syntax',                  :require => false
 gem 'rspec-system',                   :require => false
 gem 'rspec-system-puppet',            :require => false
-gem 'rspec-puppet', '1.0.1', :git => 'https://github.com/maestrodev/rspec-puppet', :ref => '3cc8d86fd3a43c238f509515c62acd474a701579', :require => false
+gem 'rspec-puppet', '1.0.1', :git => 'https://github.com/jhoblitt/rspec-puppet', :ref => '2de529d5a4bc01f91a4f6061c957badc6844ac6f', :require => false
 gem 'rspec-system-serverspec', '>=2', :require => false
 gem 'serverspec',                     :require => false
diff --git a/Modulefile b/Modulefile
@@ -10,3 +10,4 @@ description 'Manage port 389 Directory Server'
 dependency 'puppetlabs/stdlib', '>= 4.0.0'
 dependency 'saz/limits', '>= 2.0.2'
 dependency 'domcleal/augeasproviders', '>= 1.0.2'
+dependency 'mcanevet/openldap', '>= 0.0.4'
diff --git a/files/addRSA.ldif b/files/addRSA.ldif
@@ -0,0 +1,8 @@
+dn: cn=RSA,cn=encryption,cn=config
+changetype: add
+objectclass: top
+objectclass: nsEncryptionModule
+cn: RSA
+nsSSLPersonalitySSL: Server-Cert
+nsSSLToken: internal (software)
+nsSSLActivation: on
diff --git a/files/ssl_enable.ldif b/files/ssl_enable.ldif
@@ -0,0 +1,18 @@
+dn: cn=encryption,cn=config
+changetype: modify
+replace: nsSSL3
+nsSSL3: on
+-
+replace: nsSSLClientAuth
+nsSSLClientAuth: allowed
+-
+replace: nsSSL3Ciphers
+nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,-rc4,-rc4export,-rc2,-rc2export,-des,-desede3
+
+dn: cn=config
+changetype: modify
+add: nsslapd-security
+nsslapd-security: on
+-
+replace: nsslapd-ssl-check-hostname
+nsslapd-ssl-check-hostname: off
diff --git a/lib/puppet/parser/functions/port389_nssdb_add_cert.rb b/lib/puppet/parser/functions/port389_nssdb_add_cert.rb
@@ -0,0 +1,62 @@
+module Puppet::Parser::Functions
+  newfunction(:port389_nssdb_add_cert, :doc => <<-EOS
+Iterates over a hash of cert nickname/path pairs (key/value) and creates
+nssdb::add_cert resources.
+
+*Example:*
+
+  port389_nssdb_add_cert(
+    '/etc/dirsrv/slapd-ldap1',
+    {
+      'AlphaSSL CA'        => '/tmp/alphassl_intermediate.pem',
+      'GlobalSign Root CA' => '/tmp/globalsign_root.pem',
+    }
+  )
+
+Would effectively define these resources:
+
+  nssdb::add_cert { 'AlphaSSL CA':
+    certdir  => '/etc/dirsrv/slapd-ldap1',
+    nickname => 'AlphaSSL CA',
+    cert     => '/tmp/alphassl_intermediate.pem',
+  }
+
+  nssdb::add_cert { 'GlobalSign Root CA':
+    certdir  => '/etc/dirsrv/slapd-ldap1',
+    nickname => 'GlobalSign Root CA',
+    cert     => '/tmp/globalsign_root.pem',
+  }
+
+  EOS
+  ) do |args|
+    unless args.size == 2
+      raise(Puppet::ParseError, ":port389_nssdb_add_cert(): " +
+        "Wrong number of arguments given #{args.size} for 2")
+    end
+
+    certdir = args[0]
+    certs   = args[1]
+
+    unless certdir.is_a?(String)
+      raise(Puppet::ParseError, ":port389_nssdb_add_cert(): " +
+        "First argument must be a string")
+    end
+
+    unless certs.is_a?(Hash)
+      raise(Puppet::ParseError, ":port389_nssdb_add_cert(): " +
+        "Second argument must be a hash")
+    end
+
+    # we need to managle the resource name so multiple instances (and/or the
+    # admin server) can reuse the same certs
+    certs.each_pair do |nickname, cert|
+      function_create_resources(['nssdb::add_cert', {
+        "#{certdir}-#{nickname}" => {
+          'certdir'  => certdir,
+          'nickname' => nickname,
+          'cert'     => cert,
+        }
+      }])
+    end    
+  end
+end
diff --git a/manifests/instance.pp b/manifests/instance.pp
@@ -8,6 +8,11 @@
   $server_port                = $::port389::server_port,
   $suffix                     = port389_domain2dn($::port389::admin_domain),
   $schema_file                = undef,
+  $enable_ssl                 = false,
+  $ssl_server_port            = '636',
+  $ssl_cert                   = undef,
+  $ssl_key                    = undef,
+  $ssl_ca_certs               = {},
 ) {
   # follow the same server identifier validation rules as setup-ds-admin.pl
   validate_re($title, '^[\w#%:@-]*$', "The ServerIdentifier '${title}' contains invalid characters.  It must contain only alphanumeric characters and the following: #%:@_-")
@@ -19,6 +24,15 @@
   validate_string($root_dn_pwd)
   validate_string($server_port)
   validate_string($suffix)
+  # ssl
+  validate_bool($enable_ssl)
+  # don't validate ssl_* params unless $enable_ssl == true
+  if $enable_ssl {
+    validate_string($ssl_server_port)
+    validate_absolute_path($ssl_cert)
+    validate_absolute_path($ssl_key)
+    validate_hash($ssl_ca_certs)
+  }
 
   $setup_inf_name = "setup_${title}.inf"
   $setup_inf_path = "${::port389::setup_dir}/${setup_inf_name}"
@@ -100,6 +114,19 @@
         unless    => "/usr/bin/test -e /etc/dirsrv/slapd-${title}",
         logoutput => true,
       }
+
+      if $enable_ssl {
+        Exec["setup-ds-admin.pl_${title}"] ->
+        port389::instance::ssl { $name:
+          root_dn         => $root_dn,
+          root_dn_pwd     => $root_dn_pwd,
+          server_port     => $server_port,
+          ssl_server_port => $ssl_server_port,
+          ssl_cert        => $ssl_cert,
+          ssl_key         => $ssl_key,
+          ssl_ca_certs    => $ssl_ca_certs,
+        }
+      }
     }
     default: {
       warning("it is meaningless to declare Port389::Instance[${name}] while Class[port389]{ ensure => 'absent|purged' }")

diff --git a/manifests/instance/ssl.pp b/manifests/instance/ssl.pp
@@ -0,0 +1,108 @@
+# private type
+define port389::instance::ssl (
+  $root_dn,
+  $root_dn_pwd,
+  $server_port,
+  $ssl_server_port,
+  $ssl_cert,
+  $ssl_key,
+  $ssl_ca_certs,
+) {
+  if $caller_module_name != $module_name {
+    fail("Use of private type ${name} by ${caller_module_name}")
+  }
+
+  # we need the openldap client tools to configure the 389 server for SSL
+  include openldap::client
+
+  # based on SSL setup instructions from:
+  # http://directory.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled
+  # and
+  # https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_SSL.html
+
+  # how to change default ssl port
+  # https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Configuring_LDAP_Parameters-Changing_DS_Port_Numbers.html#changing-ssl-ports
+
+  ensure_resource('file', 'ssl_enable.ldif', {
+    ensure => file,
+    path   => "${::port389::setup_dir}/ssl_enable.ldif",
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640',
+    source => "puppet:///modules/${module_name}/ssl_enable.ldif",
+    backup => false,
+  })
+
+  ensure_resource('file', 'addRSA.ldif', {
+    ensure => file,
+    path   => "${::port389::setup_dir}/addRSA.ldif",
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640',
+    source => "puppet:///modules/${module_name}/addRSA.ldif",
+    backup => false,
+  })
+
+  file { "set_secureport_${name}.ldif":
+    ensure  => file,
+    path    => "${::port389::setup_dir}/set_secureport_${name}.ldif",
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0640',
+    content => template("${module_name}/set_secureport.ldif.erb"),
+    backup  => false,
+  }
+
+  $ldap_connect = "-x -H \"ldap://localhost:${server_port}\" -D \"${root_dn}\" -w \"${root_dn_pwd}\""
+
+  exec { "ssl_enable.ldif-${name}":
+    path      => ['/bin', '/usr/bin'],
+    command   => "ldapmodify ${ldap_connect} -f ${::port389::setup_dir}/ssl_enable.ldif",
+    unless    => "ldapsearch ${ldap_connect} -b cn=encryption,cn=config \"nsSSL3=on\" nsSSL3 | grep \"nsSSL3: on\"",
+    logoutput => true,
+    require   => [Class['openldap::client'], File['ssl_enable.ldif']],
+  } ->
+  exec { "addRSA.ldif-${name}":
+    path      => ['/bin', '/usr/bin'],
+    command   => "ldapmodify ${ldap_connect} -f ${::port389::setup_dir}/addRSA.ldif",
+    unless    => "ldapsearch ${ldap_connect} -b cn=RSA,cn=encryption,cn=config \"nsSSLActivation=on\" nsSSLActivation | grep \"nsSSLActivation: on\"",
+    logoutput => true,
+    require   => [Class['openldap::client'], File['addRSA.ldif']],
+  } ->
+  exec { "set_secureport_${name}.ldif":
+    path      => ['/bin', '/usr/bin'],
+    command   => "ldapmodify ${ldap_connect} -f ${::port389::setup_dir}/set_secureport_${name}.ldif",
+    unless    => "ldapsearch ${ldap_connect} -b cn=config \"nsslapd-secureport=${ssl_server_port}\" nsslapd-secureport | grep \"nsslapd-secureport: ${ssl_server_port}\"",
+    logoutput => true,
+    require   => [Class['openldap::client'], File["set_secureport_${name}.ldif"]],
+  }
+
+  $certdir = "/etc/dirsrv/slapd-${name}"
+
+  file { "pin.txt-${name}":
+    ensure  => file,
+    path    => "${certdir}/pin.txt",
+    owner   => $::port389::user,
+    group   => $::port389::group,
+    mode    => '0400',
+    content => "Internal (Software) Token:${root_dn_pwd}",
+  }
+
+  nssdb::create { $certdir:
+    owner_id       => $::port389::user,
+    group_id       => $::port389::group,
+    mode           => '0660',
+    password       => $root_dn_pwd,
+    manage_certdir => false,
+  }
+
+  nssdb::add_cert_and_key { $certdir:
+    nickname => 'Server-Cert',
+    cert     => $ssl_cert,
+    key      => $ssl_key,
+  }
+
+  if size(keys($ssl_ca_certs)) > 0 {
+    port389_nssdb_add_cert("/etc/dirsrv/slapd-${name}", $ssl_ca_certs)
+  }
+}
diff --git a/spec/classes/port389_spec.rb b/spec/classes/port389_spec.rb
@@ -170,7 +170,7 @@
 
     it 'should fail' do
      expect { should compile }.
-        to raise_error(Puppet::Error, /not supported on Debian/)
+        to raise_error(/not supported on Debian/)
     end
   end # on an unsupported osfamily