Manager certificate permissions if manage_certificates true

ehelms · ehelms · commit 3dc3c6d461bc · 2025-03-21T10:53:03.000-04:00
Signed-off-by: Eric D. Helms &lt;ericdhelms@gmail.com&gt;
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -133,4 +133,60 @@
       }
     }
   }
+
+  if $foreman_proxy::manage_certificates {
+    file { "${foreman_proxy::config_dir}/ssl_ca.pem":
+      ensure => file,
+      source => $foreman_proxy::ssl_ca,
+      owner  => 'root',
+      group  => $foreman_proxy::group,
+      mode   => '0440',
+    }
+
+    file { "${foreman_proxy::config_dir}/ssl_cert.pem":
+      ensure => file,
+      source => $foreman_proxy::ssl_cert,
+      owner  => 'root',
+      group  => $foreman_proxy::group,
+      mode   => '0440',
+    }
+
+    file { "${foreman_proxy::config_dir}/ssl_key.pem":
+      ensure => file,
+      source => $foreman_proxy::ssl_key,
+      owner  => 'root',
+      group  => $foreman_proxy::group,
+      mode   => '0440',
+    }
+
+    if $foreman_proxy::foreman_ssl_ca {
+      file { "${foreman_proxy::config_dir}/foreman_ssl_ca.pem":
+        ensure => file,
+        source => $foreman_proxy::foreman_ssl_ca,
+        owner  => 'root',
+        group  => $foreman_proxy::group,
+        mode   => '0440',
+      }
+    }
+
+    if $foreman_proxy::foreman_ssl_cert {
+      file { "${foreman_proxy::config_dir}/foreman_ssl_cert.pem":
+        ensure => file,
+        source => $foreman_proxy::foreman_ssl_cert,
+        owner  => 'root',
+        group  => $foreman_proxy::group,
+        mode   => '0440',
+      }
+    }
+
+    if $foreman_proxy::foreman_ssl_key {
+      file { "${foreman_proxy::config_dir}/foreman_ssl_key.pem":
+        ensure => file,
+        source => $foreman_proxy::foreman_ssl_key,
+        owner  => 'root',
+        group  => $foreman_proxy::group,
+        mode   => '0440',
+      }
+    }
+  }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -282,6 +282,9 @@
 # $manage_service::             control the service, whether it should be started / enabled or not. useful, if the
 #                               service should be managed by a cluster software e.g. corosync / pacemaker
 #
+# $manage_certificates::        control the location, ownership and permissions of the certificates
+#
+#
 class foreman_proxy (
   String $version = 'present',
   Enum['latest', 'present', 'installed', 'absent'] $ensure_packages_version = 'installed',
@@ -420,6 +423,7 @@
   String $oauth_consumer_key = $foreman_proxy::params::oauth_consumer_key,
   String $oauth_consumer_secret = $foreman_proxy::params::oauth_consumer_secret,
   Optional[Stdlib::HTTPUrl] $registration_url = undef,
+  Boolean $manage_certificates = false,
 ) inherits foreman_proxy::params {
   if $bind_host =~ String {
     warning('foreman_proxy::bind_host should be changed to an array, support for string only is deprecated')
diff --git a/spec/classes/foreman_proxy__spec.rb b/spec/classes/foreman_proxy__spec.rb
@@ -1047,6 +1047,76 @@ class { 'foreman_proxy::globals':
 
         it { should contain_user("#{proxy_user_name}").with_shell('/dne/foo') }
       end
+
+      describe 'manage_certificates' do
+        let(:params) do
+          super().merge(
+            manage_certificates: true,
+          )
+        end
+
+        context 'when ssl_ca, ssl_cert and ssl_key are defined' do
+          it { should compile.with_all_deps }
+
+          it do
+            should contain_file('/etc/foreman-proxy/ssl_ca.pem')
+                    .with_owner('root')
+                    .with_group('foreman-proxy')
+                    .with_mode('0440')
+          end
+          it do
+            should contain_file('/etc/foreman-proxy/ssl_cert.pem')
+                    .with_owner('root')
+                    .with_group('foreman-proxy')
+                    .with_mode('0440')
+          end
+          it do
+            should contain_file('/etc/foreman-proxy/ssl_key.pem')
+                    .with_owner('root')
+                    .with_group('foreman-proxy')
+                    .with_mode('0440')
+          end
+
+          it { should_not contain_file('/etc/foreman-proxy/foreman_ssl_ca.pem') }
+          it { should_not contain_file('/etc/foreman-proxy/foreman_ssl_cert.pem') }
+          it { should_not contain_file('/etc/foreman-proxy/foreman_ssl_key.pem') }
+        end
+
+        context 'when foreman_ssl_ca, foreman_ssl_cert and foreman_ssl_key are defined' do
+          let(:params) do
+            super().merge(
+              manage_certificates: true,
+              foreman_ssl_ca: '/root/certificates/ca.pem',
+              foreman_ssl_cert: '/root/certificates/cert.pem',
+              foreman_ssl_key: '/root/certificates/key.pem',
+            )
+          end
+
+          it { should compile.with_all_deps }
+
+          it do
+            should contain_file('/etc/foreman-proxy/foreman_ssl_ca.pem')
+                    .with_source('/root/certificates/ca.pem')
+                    .with_owner('root')
+                    .with_group('foreman-proxy')
+                    .with_mode('0440')
+          end
+          it do
+            should contain_file('/etc/foreman-proxy/foreman_ssl_cert.pem')
+                    .with_source('/root/certificates/cert.pem')
+                    .with_owner('root')
+                    .with_group('foreman-proxy')
+                    .with_mode('0440')
+          end
+          it do
+            should contain_file('/etc/foreman-proxy/foreman_ssl_key.pem')
+                    .with_source('/root/certificates/key.pem')
+                    .with_owner('root')
+                    .with_group('foreman-proxy')
+                    .with_mode('0440')
+          end
+        end
+      end
     end
   end
 end
