Fix external ca support (#192)
* fix (some) puppet-lint errors and apply puppet style guide

* openvpn::install should inherit openvpn::params - reverting

* openvpn::server: can now pass arguments to pam plugin

* openvpn::server: pam_module_arguments: fix spec tests

* openvpn::server: can now disable crl-verify if necessary

* openvpn::server: now with external CA support

* openvpn::server: added spec tests for external CA feature

* openvpn::client: fail if using an openvpn::server with extca_enabled

* openvpn::server and openvpn::client: more spec tests for external CA

* openvpn::server: fix syntax error in spec test

* openvpn::server: fix typo in server.erb template

* Removing comments as per request in #170.

* Fix conditional CA requirement. ExtCA changes.

* Adjust extca conditional for name specific rclink

* fix test issues
axier authored and luxflux committed May 3, 2016
1 parent 2be9c8b commit 8d46086
Showing 8 changed files with 302 additions and 64 deletions.
3 changes: 3 additions & 0 deletions manifests/client.pp
Expand Up @@ -215,6 +215,9 @@
Openvpn::Server[$server] ->
Openvpn::Client[$name]

$extca_enabled = getparam(Openvpn::Server[$server], 'extca_enabled')
if $extca_enabled { fail('cannot currently create client configs when corresponding openvpn::server is extca_enabled') }

$ca_name = pick($shared_ca, $server)
Openvpn::Ca[$ca_name] ->
Openvpn::Client[$name]
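Review bot: The extca guard at the `getparam(Openvpn::Server[$server], 'extca_enabled')` line is parse-order dependent: stdlib's getparam can only read a parameter of a resource that has already been evaluated, so if an openvpn::client is declared before its Openvpn::Server the value comes back empty, the fail() is skipped, and a client config is generated against a server whose CA material this module does not manage. Consider a comment such as `# getparam only sees servers evaluated earlier in the catalog; declare openvpn::server before its clients` and a spec test that declares the client first to pin the behaviour. The one-line `if $extca_enabled { fail(...) }` also differs from the multi-line block style the same commit applies in params.pp. The enclosing openvpn::client define starts and ends outside this hunk.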
25 changes: 13 additions & 12 deletions manifests/init.pp
Expand Up @@ -6,7 +6,7 @@
# === Parameters
#
# [*autostart_all*]
# Boolean. Wether the openvpn instances should be started automatically on boot.
# Boolean. Whether openvpn instances should be started automatically on boot.
# Default: true
# [*manage_service*]
# Boolean. Wether the openvpn service should be managed by puppet.
Expand Down Expand Up @@ -68,17 +68,17 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
class openvpn(
$autostart_all = true,
$manage_service = true,
$client_defaults = hiera_hash('openvpn::client_defaults', {}),
$clients = hiera_hash('openvpn::clients', {}),
class openvpn (
$autostart_all = true,
$manage_service = true,
$client_defaults = hiera_hash('openvpn::client_defaults', {}),
$clients = hiera_hash('openvpn::clients', {}),
$client_specific_config_defaults = hiera_hash('openvpn::client_specific_config_defaults', {}),
$client_specific_configs = hiera_hash('openvpn::client_specific_configs', {}),
$revoke_defaults = hiera_hash('openvpn::revoke_defaults', {}),
$revokes = hiera_hash('openvpn::revokes', {}),
$server_defaults = hiera_hash('openvpn::server_defaults', {}),
$servers = hiera_hash('openvpn::servers', {}),
$client_specific_configs = hiera_hash('openvpn::client_specific_configs', {}),
$revoke_defaults = hiera_hash('openvpn::revoke_defaults', {}),
$revokes = hiera_hash('openvpn::revokes', {}),
$server_defaults = hiera_hash('openvpn::server_defaults', {}),
$servers = hiera_hash('openvpn::servers', {}),
) {

validate_hash($client_defaults)
Expand All @@ -105,7 +105,8 @@
}

create_resources('openvpn::client', $clients, $client_defaults)
create_resources('openvpn::client_specific_config', $client_specific_configs, $client_specific_config_defaults)
create_resources('openvpn::client_specific_config', $client_specific_configs,
$client_specific_config_defaults)
create_resources('openvpn::revoke', $revokes, $revoke_defaults)
create_resources('openvpn::server', $servers, $server_defaults)

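Review bot: The `Wether` → `Whether` fix on the autostart_all comment leaves the same misspelling one line below on the manage_service entry, which is unchanged context in this hunk (`# Boolean. Wether the openvpn service should be managed by puppet.`); change it to `# Boolean. Whether the openvpn service should be managed by puppet.` in the same pass. The remaining hunks in this section are parameter alignment and a line wrap of the create_resources call.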
2 changes: 1 addition & 1 deletion manifests/install.pp
Expand Up @@ -31,7 +31,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
class openvpn::install inherits ::openvpn::params {
class openvpn::install inherits openvpn::params {

ensure_packages(['openvpn'])
if $::openvpn::params::additional_packages != undef {
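Review bot: Dropping the leading `::` on `inherits openvpn::params` is inconsistent with the fully qualified `$::openvpn::params::additional_packages` on the line just below it; on Puppet 3 a relative class name in `inherits` is resolved through the current namespace first, so the two spellings are not strictly equivalent. Either keep `class openvpn::install inherits ::openvpn::params {` or record in a comment why the relative form is needed here. The class body continues past the hunk.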
51 changes: 29 additions & 22 deletions manifests/params.pp
Expand Up @@ -22,9 +22,9 @@
$root_group = 'root'
$group = 'nobody'
$link_openssl_cnf = true
$pam_module_path = '/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so'
$pam_module_path = '/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so'
$additional_packages = ['easy-rsa']
$easyrsa_source = '/usr/share/easy-rsa/2.0'
$easyrsa_source = '/usr/share/easy-rsa/2.0'

# Redhat/Centos >= 7.0
if(versioncmp($::operatingsystemrelease, '7.0') >= 0) {
Expand All @@ -47,41 +47,47 @@
'Debian': {
# Version > 8.0, jessie
if(versioncmp($::operatingsystemrelease, '8.0') >= 0) {
$additional_packages = ['easy-rsa', 'openvpn-auth-ldap']
$easyrsa_source = '/usr/share/easy-rsa/'
$additional_packages = ['easy-rsa','openvpn-auth-ldap']
$easyrsa_source = '/usr/share/easy-rsa/'
$ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so'
$systemd = true
$systemd = true

# Version > 7.0, wheezy
} elsif(versioncmp($::operatingsystemrelease, '7.0') >= 0) {
$additional_packages = ['openvpn-auth-ldap']
$easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0'
$additional_packages = ['openvpn-auth-ldap']
$easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0'
$ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so'
$systemd = false
$systemd = false
} else {
$additional_packages = undef
$easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0'
$ldap_auth_plugin_location = undef
$systemd = false
}
}
'Ubuntu': {
# Version > 15.04, vivid
if(versioncmp($::operatingsystemrelease, '15.04') >= 0){
$additional_packages = ['easy-rsa', 'openvpn-auth-ldap']
$easyrsa_source = '/usr/share/easy-rsa/'
$additional_packages = ['easy-rsa','openvpn-auth-ldap']
$easyrsa_source = '/usr/share/easy-rsa/'
$ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so'
$systemd = true
$systemd = true

# Version > 13.10, saucy
} elsif(versioncmp($::operatingsystemrelease, '13.10') >= 0) {
$additional_packages = ['easy-rsa', 'openvpn-auth-ldap']
$easyrsa_source = '/usr/share/easy-rsa/'
$additional_packages = ['easy-rsa','openvpn-auth-ldap']
$easyrsa_source = '/usr/share/easy-rsa/'
$ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so'
$systemd = false
$systemd = false
} else {
$additional_packages = undef
$easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0'
$ldap_auth_plugin_location = undef
$systemd = false
}
}
default: {
fail("Not supported OS / Distribution: ${::osfamily}/${::operatingsystem}")
fail("Unsupported OS/Distribution ${::osfamily}/${::operatingsystem}")
}
}
}
Expand All @@ -92,8 +98,8 @@
$easyrsa_source = '/usr/share/easy-rsa/'
$group = 'nobody'
$ldap_auth_plugin_location = undef # unsupported
$link_openssl_cnf = true
$systemd = true
$link_openssl_cnf = true
$systemd = true
}
'Linux': {
case $::operatingsystem {
Expand All @@ -102,13 +108,14 @@
$root_group = 'root'
$group = 'nobody'
$additional_packages = ['easy-rsa']
$easyrsa_source = '/usr/share/easy-rsa/2.0'
$systemd = false
$link_openssl_cnf = true
$pam_module_path = '/usr/lib/openvpn/openvpn-auth-pam.so'
$easyrsa_source = '/usr/share/easy-rsa/2.0'
$ldap_auth_plugin_location = undef
$systemd = false
$link_openssl_cnf = true
$pam_module_path = '/usr/lib/openvpn/openvpn-auth-pam.so'
}
default: {
fail("Not supported OS / Distribution: ${::osfamily}/${::operatingsystem}")
fail("Unsupported OS/Distribution ${::osfamily}/${::operatingsystem}")
}
}
}
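Review bot: The new `else` branches for Debian older than 7.0 and Ubuntu older than 13.10 quietly configure the module (`$additional_packages = undef`, easy-rsa taken from the openvpn examples directory, `$ldap_auth_plugin_location = undef`) instead of rejecting the release, whereas the `default:` arm of the same case still calls fail() for unknown distributions; a release the module has not been tested on is safer reported than silently approximated. Consider `fail("Unsupported ${::operatingsystem} release ${::operatingsystemrelease}")` in those branches, or at least a comment stating that these paths are untested fallbacks. The Debian >= 8.0, Ubuntu >= 15.04 and Ubuntu >= 13.10 blocks now carry identical values except for `$systemd` and could share one assignment. The enclosing case statement starts before the first hunk of this section.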
