From f0b2ab58cf3303fb6316fcdefbe35872db1e06d1 Mon Sep 17 00:00:00 2001 From: "James R. Carr" Date: Mon, 23 Mar 2015 13:59:30 -0500 Subject: [PATCH 1/4] provides ssl_client_verify support --- manifests/resource/vhost.pp | 12 ++++++++++++ templates/vhost/vhost_ssl_header.erb | 4 ++++ 2 files changed, 16 insertions(+) diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index ab2cd217e..a593533e6 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp @@ -44,6 +44,8 @@ # vhost. # [*ssl_cert*] - Pre-generated SSL Certificate file to reference # for SSL Support. This is not generated by this module. +# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference +# for client verify SSL Support. This is not generated by this module. # [*ssl_dhparam*] - This directive specifies a file containing # Diffie-Hellman key agreement protocol cryptographic parameters, in PEM # format, utilized for exchanging session keys between server and client. @@ -162,6 +164,7 @@ $ssl = false, $ssl_listen_option = true, $ssl_cert = undef, + $ssl_client_cert = undef, $ssl_dhparam = undef, $ssl_key = undef, $ssl_port = '443', @@ -262,6 +265,9 @@ if ($ssl_cert != undef) { validate_string($ssl_cert) } + if ($ssl_client_cert != undef) { + validate_string($ssl_cert) + } validate_bool($ssl_listen_option) if ($ssl_dhparam != undef) { validate_string($ssl_dhparam) @@ -605,6 +611,12 @@ mode => '0444', source => $ssl_cert, }) + + ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.client.crt", { + owner => $::nginx::config::daemon_user, + mode => '0444', + source => $ssl_client_cert, + }) ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.key", { owner => $::nginx::config::daemon_user, mode => '0440', diff --git a/templates/vhost/vhost_ssl_header.erb b/templates/vhost/vhost_ssl_header.erb index 09c8aa16e..a59317b9f 100644 --- a/templates/vhost/vhost_ssl_header.erb +++ b/templates/vhost/vhost_ssl_header.erb 
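Review bot: The new `[*ssl_client_cert*]` doc line describes the file as a client certificate, but the template feeds it to nginx's `ssl_client_certificate`, which takes the PEM bundle of CA certificate(s) that issued the client certificates to be trusted, so a reader following this wording may install a leaf certificate and have every client rejected. Suggest `# [*ssl_client_cert*] - PEM file of CA certificate(s) used to verify client certificates (nginx ssl_client_certificate); setting it turns on mandatory client verification for this vhost. This is not generated by this module.`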
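Review bot: The `ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.client.crt", ...)` block runs for every SSL vhost, so a vhost that leaves `ssl_client_cert` undef still declares a file resource with `source => undef`, while the template only emits the directive when the variable is set; the two sides should agree. Guard the declaration like the validation above it: `if ($ssl_client_cert != undef) {` before the call and `}` after it. The `mode => '0444'` is appropriate since the file holds only public CA certificates. The conditional that encloses this hunk starts outside it.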
@@ -46,6 +46,10 @@ server { ssl_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt; ssl_certificate_key <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.key; +<% if defined? @ssl_client_cert -%> + ssl_client_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.client.crt; + ssl_verify_client on; +<% end -%> <% if defined? @ssl_dhparam -%> ssl_dhparam <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem; <% end -%> From 1104e6f0dccdce146bafec43a0b71ae7e056d83f Mon Sep 17 00:00:00 2001 From: "James R. Carr" Date: Mon, 23 Mar 2015 14:14:15 -0500 Subject: [PATCH 2/4] Copy and pasta error. --- manifests/resource/vhost.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index a593533e6..34af267f7 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp @@ -266,7 +266,7 @@ validate_string($ssl_cert) } if ($ssl_client_cert != undef) { - validate_string($ssl_cert) + validate_string($ssl_client_cert) } validate_bool($ssl_listen_option) if ($ssl_dhparam != undef) { From 505ccf10d5ab62cb495183e359ec55d451a22bcb Mon Sep 17 00:00:00 2001 From: "James R. Carr" Date: Mon, 23 Mar 2015 14:40:13 -0500 Subject: [PATCH 3/4] added tests --- spec/defines/resource_vhost_spec.rb | 18 ++++++++++++++++++ tests/vhost_ssl.pp | 17 +++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/spec/defines/resource_vhost_spec.rb b/spec/defines/resource_vhost_spec.rb index eb2f23973..ab3b89444 100644 --- a/spec/defines/resource_vhost_spec.rb +++ b/spec/defines/resource_vhost_spec.rb 
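Review bot: `ssl_verify_client on;` is emitted with no accompanying `ssl_verify_depth` or `ssl_crl`, so client certificates issued through an intermediate CA fail under nginx's default depth of 1, and a revoked client certificate keeps being accepted because nothing points nginx at a CRL. Consider optional `ssl_verify_depth` and `ssl_crl` parameters rendered inside this same guard, e.g. `ssl_verify_depth <%= @ssl_verify_depth %>;` and `ssl_crl <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.crl;`. The `defined? @ssl_client_cert` check mirrors the existing `@ssl_dhparam` guard; if this module also runs on a Puppet version where an undef parameter still appears as a nil instance variable, `defined?` would be true and the directive would reference a file that was never sourced, so a truthiness test (`if @ssl_client_cert`) may be the safer form — worth confirming against the supported Puppet versions.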
@@ -812,6 +812,24 @@ it { is_expected.to contain_file("/etc/nginx/#{title}.key") } end + context 'when ssl_client_cert is set' do + let :params do default_params.merge({ + :ssl => true, + :listen_port => 80, + :ssl_port => 80, + :ssl_key => 'dummy.key', + :ssl_cert => 'dummy.cert', + :ssl_client_cert => 'client.cert', + }) end + + it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) } + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) } + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) } + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{client_verify on;}) } + it { is_expected.to contain_file("/etc/nginx/#{title}.crt") } + it { is_expected.to contain_file("/etc/nginx/#{title}.client.crt") } + it { is_expected.to contain_file("/etc/nginx/#{title}.key") } + end context 'when passenger_cgi_param is set' do let :params do default_params.merge({ :passenger_cgi_param => { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' } diff --git a/tests/vhost_ssl.pp b/tests/vhost_ssl.pp index 0eff758d2..2973273d8 100644 --- a/tests/vhost_ssl.pp +++ b/tests/vhost_ssl.pp @@ -1,5 +1,14 @@ include nginx +nginx::resource::vhost { 'test3.local test3': + ensure => present, + www_root => '/var/www/nginx-default', + ssl => true, + ssl_cert => 'puppet:///modules/sslkey/whildcard_mydomain.crt', + ssl_client_cert => 'puppet:///modules/sslkey/whildcard_mydomain.crt', + ssl_key => 'puppet:///modules/sslkey/whildcard_mydomain.key' +} + nginx::resource::vhost { 'test2.local test2': ensure => present, www_root => '/var/www/nginx-default', 
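Review bot: The new `when ssl_client_cert is set` context never asserts that the `ssl_client_certificate` directive is rendered with the expected path, so a regression in that template line would pass the suite; add `it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_client_certificate\s+/etc/nginx/#{title}\.client\.crt;}) }`. A negative case in the plain SSL context, e.g. `it { is_expected.not_to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client}) }`, would also pin the template guard so verification cannot silently switch on for vhosts that did not ask for it.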
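Review bot: The example sets `ssl_client_cert` to the server's own `whildcard_mydomain.crt`, which is misleading because nginx uses that file as the set of CA certificates that must have issued the client certificates, not as the server's leaf; with this value only certificates signed by the wildcard key would verify. Point the example at a separate CA bundle, e.g. `ssl_client_cert => 'puppet:///modules/sslkey/client_ca.crt',`, so readers copying it get a working mutual-TLS setup.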
@@ -15,3 +24,11 @@ vhost => 'test2.local test2', } +nginx::resource::location { 'test3.local-bob': + ensure => present, + www_root => '/var/www/bob', + location => '/bob', + vhost => 'test3.local test3', +} + + From f9ea135affebbf296b5ceacdb29730d176e8d8e8 Mon Sep 17 00:00:00 2001 From: "James R. Carr" Date: Mon, 23 Mar 2015 14:50:28 -0500 Subject: [PATCH 4/4] spec matched against the wrong thing --- spec/defines/resource_vhost_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/defines/resource_vhost_spec.rb b/spec/defines/resource_vhost_spec.rb index ab3b89444..f1a55f01e 100644 --- a/spec/defines/resource_vhost_spec.rb +++ b/spec/defines/resource_vhost_spec.rb @@ -825,7 +825,7 @@ it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) } - it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{client_verify on;}) } + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client on;}) } it { is_expected.to contain_file("/etc/nginx/#{title}.crt") } it { is_expected.to contain_file("/etc/nginx/#{title}.client.crt") } it { is_expected.to contain_file("/etc/nginx/#{title}.key") }