update crl if validity is less than 1 week

add parameters: crl_auto_renew, crl_renew_schedule_period, crl_renew_schedule_repeat fix spec-tests
voxpupuli · Jan 5, 2018 · c7759f3 · c7759f3
1 parent 43cf1b1
commit c7759f3
Show file tree

Hide file tree

Showing 6 changed files with 54 additions and 4 deletions.
diff --git a/manifests/ca.pp b/manifests/ca.pp
@@ -119,6 +119,11 @@
 
   $etc_directory = $::openvpn::params::etc_directory
 
+  ensure_resource('file', "${etc_directory}/openvpn/${name}", {
+    ensure => directory,
+    mode   => '0750'
+  })
+
   exec { "copy easy-rsa to openvpn config folder ${name}":
     command => "/bin/cp -r ${openvpn::params::easyrsa_source} ${etc_directory}/openvpn/${name}/easy-rsa",
     creates => "${etc_directory}/openvpn/${name}/easy-rsa",

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -52,7 +52,7 @@
 
       case $::operatingsystem {
         'Debian': {
-          # Version > 8.0, jessie
+          # Version > 8.0, jessie, stretch
           if(versioncmp($::operatingsystemrelease, '8.0') >= 0) {
             $additional_packages       = ['easy-rsa','openvpn-auth-ldap']
             $easyrsa_source            = '/usr/share/easy-rsa/'

diff --git a/manifests/server.pp b/manifests/server.pp
@@ -329,6 +329,20 @@
 #   Boolean. Enable CRL checking. Disabling this is not recommended.
 #   Default: true
 #
+# [*crl_auto_renew*]
+#   Boolen. Enables automatic renewing of crl.pem.
+#   Default: false
+#
+# [*crl_renew_schedule_period*]
+#   String. Sets the "period" Parameter of the schedule for renewing the CRL.
+#           Since changing the expiry of 30 days is not possible with easy-rsa2, twice a month should be good
+#   Default: 'monthly'
+#
+# [*crl_renew_schedule_repeat*]
+#   Integer. Sets the "repeat" Parameter of the schedule for renewing the CRL.
+#            Since changing the expiry of 30 days is not possible with easy-rsa2, twice a month should be good
+#   Default: 2
+#
 # [*extca_enabled*]
 #   Boolean. Turn this on if you are using an external CA solution, like FreeIPA.
 #            Once enabled, you must configure the remaining extca_* parameters.
@@ -497,6 +511,9 @@
   Optional[Integer] $rcvbuf                 = undef,
   Optional[String] $shared_ca               = undef,
   Boolean $crl_verify                       = true,
+  Boolean $crl_auto_renew                   = false,
+  String $crl_renew_schedule_period         = 'monthly',
+  Integer $crl_renew_schedule_repeat        = 2,
   Boolean $extca_enabled                    = false,
   Optional[String] $extca_ca_cert_file      = undef,
   Optional[String] $extca_ca_crl_file       = undef,
@@ -621,6 +638,21 @@
         key_ou       => $key_ou,
         tls_auth     => $tls_auth,
       }
+
+      ## Renewal of crl.pem
+      if ($crl_auto_renew) {
+        schedule { "renew crl.pem schedule on ${name}":
+          range  => '1 - 4',
+          period => $crl_renew_schedule_period,
+          repeat => $crl_renew_schedule_repeat,
+        }
+        exec { "renew crl.pem on ${name}":
+          command  => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${::openvpn::params::etc_directory}/openvpn/${name}/crl.pem -config ${::openvpn::params::etc_directory}/openvpn/${name}/easy-rsa/openssl.cnf",
+          cwd      => "${::openvpn::params::etc_directory}/openvpn/${name}/easy-rsa",
+          provider => 'shell',
+          schedule => "renew crl.pem schedule on ${name}",
+        }
+      }
     } elsif !$extca_enabled {
       if !defined(Openvpn::Ca[$shared_ca]) {
         fail("Openvpn::ca[${name}] is not defined for shared_ca")

diff --git a/spec/classes/openvpn_install_spec.rb b/spec/classes/openvpn_install_spec.rb
@@ -41,7 +41,14 @@
       end
 
       context 'jessie' do
-        let(:operatingsystemrelease) { '8.0.0' }
+        let(:operatingsystemrelease) { '8.0' }
+
+        it { is_expected.to contain_package('openvpn-auth-ldap') }
+        it { is_expected.to contain_package('easy-rsa') }
+      end
+
+      context 'stretch' do
+        let(:operatingsystemrelease) { '9.0' }
 
         it { is_expected.to contain_package('openvpn-auth-ldap') }
         it { is_expected.to contain_package('easy-rsa') }

diff --git a/spec/defines/openvpn_ca_spec.rb b/spec/defines/openvpn_ca_spec.rb
@@ -1,7 +1,6 @@
 require 'spec_helper'
 
 describe 'openvpn::ca', type: :define do
-  let(:pre_condition) { "file { '/etc/openvpn/#{title}': ensure => directory }" }
   let(:title) { 'test_server' }
 
   let(:facts) do
@@ -57,6 +56,7 @@
     it { is_expected.to contain_exec('initca test_server') }
     it { is_expected.to contain_exec('generate server cert test_server') }
     it { is_expected.to contain_exec('create crl.pem on test_server') }
+    it { is_expected.not_to contain_exec('update crl.pem on test_server') }
 
     it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export CA_EXPIRE=3650$}) }
     it { is_expected.to contain_file('/etc/openvpn/test_server/easy-rsa/vars').with_content(%r{^export KEY_EXPIRE=3650$}) }
@@ -177,7 +177,7 @@
         )
       }
     end
-    context 'when jessie/sid' do
+    context 'when jessie/stretch/sid' do
       before do
         facts[:operatingsystem] = 'Debian'
         facts[:operatingsystemrelease] = '8.0.1'

diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb
@@ -115,7 +115,10 @@
     it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^local\s+1\.2\.3\.4$}) }
     it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^ifconfig-pool-persist}) }
     it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^crl-verify\s+\/etc\/openvpn\/test_server\/crl.pem$}) }
+    it { is_expected.not_to contain_schedule('renew crl.pem schedule on test_server') }
+    it { is_expected.not_to contain_exec('renew crl.pem on test_server') }
     it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^secret}) }
+
     it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{verb}) }
     it { is_expected.to contain_file('/etc/openvpn/test_server.conf').with_content(%r{cipher AES-256-CBC}) }
     it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{persist-key}) }
@@ -162,6 +165,7 @@
         'management_port' => 1337,
         'common_name'     => 'mylittlepony',
         'ca_expire'       => 365,
+        'crl_auto_renew'  => true,
         'key_expire'      => 365,
         'key_cn'          => 'yolo',
         'key_name'        => 'burp',
@@ -245,6 +249,8 @@
     it { is_expected.not_to contain_file('/etc/openvpn/test_server.conf').with_content(%r{^rcvbuf}) }
 
     it { is_expected.to contain_file('/etc/openvpn/test_server/keys/pre-shared.secret').with_content(%r{^secretsecret1234$}).with(ensure: 'present') }
+    it { is_expected.to contain_schedule('renew crl.pem schedule on test_server') }
+    it { is_expected.to contain_exec('renew crl.pem on test_server') }
 
     # OpenVPN easy-rsa CA
     it {