Only output ldap_tls_client_cert_file and ldap_tls_client_key_file wh…

…en set TLSCertFile and TLSKeyFile are not always required, especially if no client certificates are used (also see the docs linked below). If they are set to empty values, the plugin throws an exception/parser error. Thus, only put them in the config file when they are actually used. References: https://github.com/threerings/openvpn-auth-ldap/wiki/Configuration Signed-off-by: Florian Pritz <[email protected]>
voxpupuli · Jul 3, 2019 · 80485e5 · 80485e5
1 parent 433ba31
commit 80485e5
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 2 deletions.
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -175,8 +175,8 @@
   Boolean $ldap_tls_enable                                          = false,
   String $ldap_tls_ca_cert_file                                     = '',
   String $ldap_tls_ca_cert_dir                                      = '',
-  String $ldap_tls_client_cert_file                                 = '',
-  String $ldap_tls_client_key_file                                  = '',
+  Optional[Stdlib::Absolutepath] $ldap_tls_client_cert_file         = undef,
+  Optional[Stdlib::Absolutepath] $ldap_tls_client_key_file          = undef,
   Integer $ca_expire                                                = 3650,
   Integer $key_expire                                               = 3650,
   String $key_cn                                                    = '',

diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb
@@ -233,6 +233,62 @@
         end
       end
 
+      case facts[:os]['family']
+      when 'Debian'
+        # ldap auth needs the ldap package and that is only defined for a few OSes (including debian)
+        context 'debian' do
+          context 'creating a server with ldap authentication enabled' do
+            let(:params) do
+              {
+                'country'               => 'CO',
+                'province'              => 'ST',
+                'city'                  => 'Some City',
+                'organization'          => 'example.org',
+                'email'                 => '[email protected]',
+                'ldap_enabled'          => true,
+                'ldap_binddn'           => 'dn=foo,ou=foo,ou=com',
+                'ldap_bindpass'         => 'ldappass123',
+                'ldap_tls_enable'       => true,
+                'ldap_tls_ca_cert_file' => '/etc/ldap/ca.pem',
+                'ldap_tls_ca_cert_dir'  => '/etc/ldap/certs'
+              }
+            end
+
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSEnable\s+yes$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCACertFile\s+/etc/ldap/ca.pem$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCACertDir\s+/etc/ldap/certs$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').without_content(%r{^\s+TLSCertFile.*$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').without_content(%r{^\s+TLSKeyFile.*$}) }
+          end
+
+          context 'creating a server with ldap authentication enabled and using ldap client certificates' do
+            let(:params) do
+              {
+                'country'                   => 'CO',
+                'province'                  => 'ST',
+                'city'                      => 'Some City',
+                'organization'              => 'example.org',
+                'email'                     => '[email protected]',
+                'ldap_enabled'              => true,
+                'ldap_binddn'               => 'dn=foo,ou=foo,ou=com',
+                'ldap_bindpass'             => 'ldappass123',
+                'ldap_tls_enable'           => true,
+                'ldap_tls_ca_cert_file'     => '/etc/ldap/ca.pem',
+                'ldap_tls_ca_cert_dir'      => '/etc/ldap/certs',
+                'ldap_tls_client_cert_file' => '/etc/ldap/client-cert.pem',
+                'ldap_tls_client_key_file'  => '/etc/ldap/client-key.pem'
+              }
+            end
+
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSEnable\s+yes$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCACertFile\s+/etc/ldap/ca.pem$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCACertDir\s+/etc/ldap/certs$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCertFile\s+/etc/ldap/client-cert.pem$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSKeyFile\s+/etc/ldap/client-key.pem$}) }
+          end
+        end
+      end
+
       context 'creating a server setting all parameters' do
         let(:params) do
           {

diff --git a/templates/ldap.erb b/templates/ldap.erb
@@ -11,8 +11,10 @@
   TLSEnable yes
   TLSCACertFile <%= @ldap_tls_ca_cert_file %>
   TLSCACertDir <%= @ldap_tls_ca_cert_dir %>
+<% if @ldap_tls_client_cert_file or @ldap_tls_client_key_file -%>
   TLSCertFile <%= @ldap_tls_client_cert_file %>
   TLSKeyFile <%= @ldap_tls_client_key_file %>
+<% end -%>
 <% else %>
   TLSEnable no
 <% end -%>