Fixes #374 - Revocation command update and crl renew

An issue was raised informing that the revocation command is incorrect. This was diagnosed to indeed be the case. As the `$name` variable in context of `revoke.pp` does not evalute to `server name` but instead `client name`. The exec for the crl renew was updated to clarify which server it's done for and to prevent duplicate `exec` resource names.
voxpupuli · Mar 14, 2020 · 3bfa748 · 3bfa748
1 parent 73725c6
commit 3bfa748
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 8 deletions.
diff --git a/manifests/revoke.pp b/manifests/revoke.pp
@@ -27,12 +27,12 @@
 
   $revocation_command = $openvpn::easyrsa_version ? {
     '2.0' => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}",
-    '3.0' => ". ./vars && ./easyrsa revoke --batch ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}",
+    '3.0' => ". ./vars && ./easyrsa --batch revoke ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}",
   }
 
   $renew_command = $openvpn::easyrsa_version ? {
-    '2.0'   => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${openvpn::server_directory}/${name}/crl.pem -config ${openvpn::server_directory}/${name}/easy-rsa/openssl.cnf",
-    '3.0'   => ". ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out ${server_directory}/${name}/crl.pem -config ${server_directory}/${name}/easy-rsa/openssl.cnf",
+    '2.0'   => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${server_directory}/${server}/crl.pem -config ${server_directory}/${server}/easy-rsa/openssl.cnf",
+    '3.0'   => ". ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out ${server_directory}/${server}/crl.pem -config ${server_directory}/${server}/easy-rsa/openssl.cnf",
     default => fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0."),
   }
 
@@ -41,13 +41,12 @@
     cwd      => "${server_directory}/${server}/easy-rsa",
     creates  => "${server_directory}/${server}/easy-rsa/revoked/${name}",
     provider => 'shell',
-    notify   => Exec["renew crl.pem on ${name}"],
+    notify   => Exec["renew crl.pem on ${server} because of revocation of ${name}"],
   }
 
-  exec { "renew crl.pem on ${name}":
+  exec { "renew crl.pem on ${server} because of revocation of ${name}":
     command  => $renew_command,
-    cwd      => "${openvpn::server_directory}/${name}/easy-rsa",
+    cwd      => "${server_directory}/${server}/easy-rsa",
     provider => 'shell',
-    schedule => "renew crl.pem schedule on ${name}",
   }
 }
diff --git a/spec/defines/openvpn_revoke_spec.rb b/spec/defines/openvpn_revoke_spec.rb
@@ -60,7 +60,7 @@
 
       it {
         is_expected.to contain_exec('revoke certificate for test_client3 in context of test_server').with(
-          'command' => ". ./vars && ./easyrsa revoke --batch test_client3; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client3"
+          'command' => ". ./vars && ./easyrsa --batch revoke test_client3; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client3"
         )
       }
     end
-Original file line number
+Diff line change
@@ Expand Up / @@ -60,7 +60,7 @@ @@
           it {
             is_expected.to contain_exec('revoke certificate for test_client3 in context of test_server').with(
-              'command' => ". ./vars && ./easyrsa revoke --batch test_client3; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client3"
+              'command' => ". ./vars && ./easyrsa --batch revoke test_client3; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client3"
             )
           }
         end
@@ Expand Down @@