Revoke command missing on easy-rsa 3.0 #331 #332

40 changes: 35 additions & 5 deletions manifests/revoke.pp
Expand Up @@ -25,10 +25,40 @@

$etc_directory = $openvpn::etc_directory

exec { "revoke certificate for ${name} in context of ${server}":
command => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}",
cwd => "${etc_directory}/openvpn/${server}/easy-rsa",
creates => "${etc_directory}/openvpn/${server}/easy-rsa/revoked/${name}",
provider => 'shell',
case $openvpn::easyrsa_version {
'2.0': {
exec { "revoke certificate for ${name} in context of ${server}":
command => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}",
Member

A bit annoying that this is so ugly to automate :(

Author

I agree 100%!!!!!! I was not very happy to find that.

Member

This is why acceptance tests are mandatory IMO. This will permit checking whether it is not too fragile.

cwd => "${etc_directory}/openvpn/${server}/easy-rsa",
creates => "${etc_directory}/openvpn/${server}/easy-rsa/revoked/${name}",
provider => 'shell',
}
}
'3.0': {
if $openvpn::manage_service {
if $facts['service_provider'] == 'systemd' {
$lnotify = Service["openvpn@${server}"]
} elsif $openvpn::namespecific_rclink {
$lnotify = Service["openvpn_${server}"]
} else {
$lnotify = Service['openvpn']
Openvpn::Server[$server] -> Service['openvpn']
}
}
else {
$lnotify = undef
}

exec { "revoke certificate for ${name} in context of ${server}":
command => ". ./vars && echo yes | ./easyrsa revoke ${name} 2>&1 | grep -E 'Already revoked|was successful|not a valid certificate' && ./easyrsa gen-crl && /bin/cp -f keys/crl.pem ../crl.pem && touch revoked/${name}",

May I ask why you are using 'echo yes' instead of the --batch switch on easyrsa?

I just hacked together a 'revoke-full' temp fix and found this to be simpler.
./easyrsa --batch revoke ${name}

Cheers,
Jan

Author

No reason, just missed that flag.

cwd => "/etc/openvpn/${server}/easy-rsa",
creates => "/etc/openvpn/${server}/easy-rsa/revoked/${name}",
provider => 'shell',
notify => $lnotify,
}
}
default: {
fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.")
}
}
}
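Review bot: the '3.0' branch hardcodes `/etc/openvpn/${server}/easy-rsa` for `cwd` and `creates`, while the '2.0' branch and the `$etc_directory` variable assigned at the top of this hunk use `${etc_directory}`; use `"${etc_directory}/openvpn/${server}/easy-rsa"` in both branches so a non-default `etc_directory` keeps working. Two smaller points on the '3.0' command: `echo yes | ./easyrsa revoke ${name}` can be replaced by `./easyrsa --batch revoke ${name}` as already suggested in the thread, and because the grep accepts 'not a valid certificate' as a match, a mistyped `${name}` still runs `gen-crl`, copies the CRL and creates the `revoked/${name}` marker without anything having been revoked; matching only 'Already revoked|was successful' keeps the marker honest. Also fix the typo 'unexepected' in the `fail()` message.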
23 changes: 18 additions & 5 deletions spec/defines/openvpn_revoke_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,24 @@

it { is_expected.to compile.with_all_deps }

it {
is_expected.to contain_exec('revoke certificate for test_client in context of test_server').with(
'command' => ". ./vars && ./revoke-full test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client"
)
}
case facts[:os]['family']
when 'Ubuntu', 'Debian'
context 'system with easyrsa2' do
it {
is_expected.to contain_exec('revoke certificate for test_client in context of test_server').with(
'command' => ". ./vars && ./revoke-full test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client"
)
}
end
when 'CentOS', 'RedHat', %r{Archlinux}, %r{FreeBSD}
context 'system with easyrsa3' do
it {
is_expected.to contain_exec('revoke certificate for test_client in context of test_server').with(
'command' => ". ./vars && echo yes | ./easyrsa revoke test_client 2>&1 | grep -E 'Already revoked|was successful|not a valid certificate' && ./easyrsa gen-crl && /bin/cp -f keys/crl.pem ../crl.pem && touch revoked/test_client"
)
}
end
end
end
end
end
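Review bot: the spec picks the easyrsa2 or easyrsa3 expectation from `facts[:os]['family']`, but the manifest branches on `$openvpn::easyrsa_version`, so these examples only pass while the module's default for that parameter happens to match the OS-family mapping assumed here; set `easyrsa_version` explicitly (via the class parameters in a pre-condition) in each context instead of inferring it from the OS. OS families outside the two `when` lists currently get no command assertion at all, and the `default:` branch is untested; a context that sets an unsupported version and checks `is_expected.to compile.and_raise_error(%r{EasyRSA version})` would cover the `fail()` path.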