Fixes to TLS ODL keystore provider

File exist checks were done in in the odl_keystore type.  Checks within
a type are done before puppet is applied.  Therefore the file has to
exist before puppet is ran, which excludes another puppet resource from
being able to create the files at run time.

The JKS provider for the keystore was incorrectly passing the CA
certificate as a file to create the p12 keystore, instead of as a X509
certificate object.

Changes Include:
 - Checks to ensure key files, ca cert, and public cert are moved from
   the type into the jks provider.
 - CA cert is now correctly created as and OpenSSL:X509 object before
   being passed into the p12 keystore create.

Change-Id: Iaf3e66fa44dee3987817177e2210230ee2d3325c
Signed-off-by: Tim Rozet <trozet@redhat.com>

diff --git a/lib/puppet/provider/odl_keystore/jks.rb b/lib/puppet/provider/odl_keystore/jks.rb
index 4338cc28b893f8ac184681e1f0b47095038f49df..779d85573291d8e9fd2bf41a334d2d649f753bf8 100644 (file)
--- a/lib/puppet/provider/odl_keystore/jks.rb
+++ b/lib/puppet/provider/odl_keystore/jks.rb
@@ -18,12 +18,23 @@ Puppet::Type.type(:odl_keystore).provide(:jks) do
       FileUtils.chown('odl', 'odl', keystore_dir)
     end
     # create p12 keystore
+    unless File.file?(@resource[:key_file])
+      raise Puppet::Error, "Key file not found: #{@resource[:key_file]}"
+    end
     key = OpenSSL::PKey::RSA.new File.read(@resource[:key_file])
+    unless File.file?(@resource[:cert_file])
+      raise Puppet::Error, "Certificate file not found: #{@resource[:cert_file]}"
+    end
     raw_cert = File.read(@resource[:cert_file])
     certificate = OpenSSL::X509::Certificate.new(raw_cert)
     if @resource[:ca_file]
+      unless File.file?(@resource[:ca_file])
+        raise Puppet::Error, "CA cert file not found: #{@resource[:ca_file]}"
+      end
+      raw_ca = File.read(@resource[:ca_file])
+      ca_cert = OpenSSL::X509::Certificate.new(raw_ca)
       p12_ks = OpenSSL::PKCS12.create(@resource[:password], @resource[:name], \
-                                      key, certificate, [@resource[:ca_file]])
+                                      key, certificate, [ca_cert])
     else
       p12_ks = OpenSSL::PKCS12.create(@resource[:password], @resource[:name], \
                                       key, certificate)

diff --git a/lib/puppet/type/odl_keystore.rb b/lib/puppet/type/odl_keystore.rb
index b0e2568a8edf63886208c8e0097110c0021b7b2f..2a8a010751410c68e3bbf1fb6b385386a12402a1 100644 (file)
--- a/lib/puppet/type/odl_keystore.rb
+++ b/lib/puppet/type/odl_keystore.rb
@@ -14,9 +14,6 @@ Puppet::Type.newtype(:odl_keystore) do
         if !value.is_a?(String)
           raise ArgumentError, "CA cert file path must be a string"
         end
-        unless File.file?(value)
-          raise ArgumentError, "CA cert file not found: #{value}"
-        end
       end
     end
   end
@@ -39,14 +36,11 @@ Puppet::Type.newtype(:odl_keystore) do
   end
 
   newproperty(:cert_file) do
-    desc "Certificate filepath"
+    desc "Certificate file path"
     validate do |value|
       if !value.is_a?(String)
         raise ArgumentError, "Certificate file path must be a string"
       end
-      unless File.file?(value)
-        raise ArgumentError, "Certificate file not found: #{value}"
-      end
     end
   end
 
@@ -56,9 +50,6 @@ Puppet::Type.newtype(:odl_keystore) do
       if !value.is_a?(String)
         raise ArgumentError, "Key file path must be a string"
       end
-      unless File.file?(value)
-        raise ArgumentError, "Key file not found: #{value}"
-      end
     end
   end