From b3d8007217bd32ac8c4e2b5d405b9d677cddec77 Mon Sep 17 00:00:00 2001
From: Raffael Schmid
Date: Mon, 8 Sep 2014 15:55:43 +0200
Subject: [PATCH] fix a lot of the linting warnings
---
 manifests/client.pp | 107 +++++++++++----------
 manifests/params.pp | 14 ++-
 manifests/revoke.pp | 21 ++---
 manifests/server.pp | 140 ++++++++++++++--------------
 spec/defines/openvpn_server_spec.rb | 2 +
 5 files changed, 148 insertions(+), 136 deletions(-)
diff --git a/manifests/client.pp b/manifests/client.pp
index 1e67de0d..e63972df 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -66,9 +66,9 @@
 # Options: Integer or infinite
 #
 # [*auth_retry*]
-# String. Controls how OpenVPN responds to username/password verification errors such
-# as the client-side response to an AUTH_FAILED message from the server or verification
-# failure of the private key password.
+# String. Controls how OpenVPN responds to username/password verification
+# errors such as the client-side response to an AUTH_FAILED message from
+# the server or verification failure of the private key password.
 # Default: none
 # Options: 'none' or 'nointeract' or 'interact'
 #
@@ -88,10 +88,11 @@
 # Default: {}
 #
 # [*setenv_safe*]
-# Hash. Set a custom environmental variable OPENVPN_name=value to pass to script.
-# This directive is designed to be pushed by the server to clients, and the prepending
-# of "OPENVPN_" to the environmental variable is a safety precaution to prevent a LD_PRELOAD
-# style attack from a malicious or compromised server.
+# Hash. Set a custom environmental variable OPENVPN_name=value to pass to
+# script. This directive is designed to be pushed by the server to clients,
+# and the prepending of "OPENVPN_" to the environmental variable is a
+# safety precaution to prevent a LD_PRELOAD style attack from a malicious
+# or compromised server.
 # Default: {}
 #
 # [*up*]
@@ -173,57 +174,63 @@ provider => 'shell'; } - file { - [ "/etc/openvpn/${server}/download-configs/${name}", - "/etc/openvpn/${server}/download-configs/${name}/keys"]: - ensure => directory; + file { "/etc/openvpn/${server}/download-configs/${name}": + ensure => directory, + } + + file { "/etc/openvpn/${server}/download-configs/${name}/keys": + ensure => directory, + } - "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt": - ensure => link, - target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt", - require => Exec["generate certificate for ${name} in context of ${server}"]; + file { "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt": + ensure => link, + target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.crt", + require => Exec["generate certificate for ${name} in context of ${server}"], + } - "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key": - ensure => link, - target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.key", - require => Exec["generate certificate for ${name} in context of ${server}"]; + file { "/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key": + ensure => link, + target => "/etc/openvpn/${server}/easy-rsa/keys/${name}.key", + require => Exec["generate certificate for ${name} in context of ${server}"], + } - "/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt": - ensure => link, - target => "/etc/openvpn/${server}/easy-rsa/keys/ca.crt", - require => Exec["generate certificate for ${name} in context of ${server}"]; + file { "/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt": + ensure => link, + target => "/etc/openvpn/${server}/easy-rsa/keys/ca.crt", + require => Exec["generate certificate for ${name} in context of ${server}"], + } - "/etc/openvpn/${server}/download-configs/${name}/${name}.conf": - owner => root, - group => root, - mode => '0444', - content => template('openvpn/client.erb'), - notify => Exec["tar the thing ${server} with ${name}"]; + file 
{ "/etc/openvpn/${server}/download-configs/${name}/${name}.conf": + owner => root, + group => root, + mode => '0444', + content => template('openvpn/client.erb'), + notify => Exec["tar the thing ${server} with ${name}"], } - exec { - "tar the thing ${server} with ${name}": - cwd => "/etc/openvpn/${server}/download-configs/", - command => "/bin/rm ${name}.tar.gz; tar --exclude=\\*.conf.d -chzvf ${name}.tar.gz ${name}", - refreshonly => true, - require => [ File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"], - File["/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt"], - File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key"], - File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt"] - ], - notify => Exec["generate ${name}.ovpn in ${server}"]; + exec { "tar the thing ${server} with ${name}": + cwd => "/etc/openvpn/${server}/download-configs/", + command => "/bin/rm ${name}.tar.gz; tar --exclude=\\*.conf.d -chzvf ${name}.tar.gz ${name}", + refreshonly => true, + require => [ + File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"], + File["/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt"], + File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key"], + File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt"] + ], + notify => Exec["generate ${name}.ovpn in ${server}"], } - exec { - "generate ${name}.ovpn in ${server}": - cwd => "/etc/openvpn/${server}/download-configs/", - command => "/bin/rm ${name}.ovpn; cat ${name}/${name}.conf|perl -lne 'if(m|^ca keys/ca.crt|){ chomp(\$ca=`cat ${name}/keys/ca.crt`); print \"\n\$ca\n\"} elsif(m|^cert keys/${name}.crt|) { chomp(\$crt=`cat ${name}/keys/${name}.crt`); print \"\n\$crt\n\"} elsif(m|^key keys/${name}.key|){ chomp(\$key=`cat ${name}/keys/${name}.key`); print \"\n\$key\n\"} else { print} ' > ${name}.ovpn", - refreshonly => true, - require => [ 
File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"], - File["/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt"], - File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key"], - File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt"], - ], + exec { "generate ${name}.ovpn in ${server}": + cwd => "/etc/openvpn/${server}/download-configs/", + command => "/bin/rm ${name}.ovpn; cat ${name}/${name}.conf | perl -lne 'if(m|^ca keys/ca.crt|){ chomp(\$ca=`cat ${name}/keys/ca.crt`); print \"\n\$ca\n\"} elsif(m|^cert keys/${name}.crt|) { chomp(\$crt=`cat ${name}/keys/${name}.crt`); print \"\n\$crt\n\"} elsif(m|^key keys/${name}.key|){ chomp(\$key=`cat ${name}/keys/${name}.key`); print \"\n\$key\n\"} else { print} ' > ${name}.ovpn", + refreshonly => true, + require => [ + File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"], + File["/etc/openvpn/${server}/download-configs/${name}/keys/ca.crt"], + File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.key"], + File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}.crt"], + ], } file { "/etc/openvpn/${server}/download-configs/${name}.ovpn": diff --git a/manifests/params.pp b/manifests/params.pp index 946d00d5..c7d62d81 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -23,7 +23,8 @@ case $::osfamily { 'RedHat': { - if($::operatingsystemmajrelease >= 6) { # Redhat/Centos >= 6 + # Redhat/Centos >= 6 + if($::operatingsystemmajrelease >= 6) { # http://docs.puppetlabs.com/references/latest/function.html#versioncmp if(versioncmp($::operatingsystemrelease, '6.4') < 0) { # Version < 6.4 $easyrsa_source = '/usr/share/openvpn/easy-rsa/2.0' 
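Review bot: The new `file { "/etc/openvpn/${server}/download-configs/${name}/keys": ensure => directory, }` sets no `mode`, so the directory that exposes the client's `${name}.key` link is created with the agent's default permissions, whereas the server-side directories in this same patch get `mode => '0750'`; adding `mode => '0750',` here keeps the key material from being listed by other local users. The two rewritten `exec` resources run `tar`, `cat` and `perl` through a shell without `provider => 'shell'` or a `path`, unlike the resource whose `provider => 'shell'` closes at the top of the hunk, so command resolution depends on whatever environment the agent inherits; a `path => ['/bin', '/usr/bin'],` would make that explicit. The `${name}.conf` keeps `mode => '0444'`, which is acceptable only as long as it references the keys by path rather than embedding them. The enclosing define starts before this hunk.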
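Review bot: `if($::operatingsystemmajrelease >= 6) {` on the new side compares a fact that Facter delivers as a string with the Integer 6; Puppet 3 coerces numeric strings, but the future parser and Puppet 4 reject String-vs-Integer comparisons, so this line will fail there while the `versioncmp($::operatingsystemrelease, '6.4')` call two lines below survives. `if versioncmp($::operatingsystemmajrelease, '6') >= 0 {` keeps the same meaning and matches the style the block already uses. The `case $::osfamily` statement continues outside the hunk.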
@@ -39,7 +40,8 @@ 'Debian': { # Debian/Ubuntu case $::lsbdistid { 'Debian': { - if(versioncmp($::lsbdistrelease, '8.0.0') >= 0) { # Version > 8.0.0, jessie + # Version > 8.0.0, jessie + if(versioncmp($::lsbdistrelease, '8.0.0') >= 0) { $additional_packages = ['easy-rsa', 'openvpn-auth-ldap'] $easyrsa_source = '/usr/share/easy-rsa/' $ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so' @@ -48,7 +50,8 @@ } } 'Ubuntu': { - if(versioncmp($::lsbdistrelease, '13.10') >= 0) { # Version > 13.10, saucy + # Version > 13.10, saucy + if(versioncmp($::lsbdistrelease, '13.10') >= 0) { $additional_packages = ['easy-rsa', 'openvpn-auth-ldap'] $easyrsa_source = '/usr/share/easy-rsa/' $ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so' @@ -56,10 +59,13 @@ $easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0' } } + default: { + fail("Not supported OS / Distribution: ${::osfamily}/${::lsbdistid}") + } } } default: { - fail("Not supported OS family ${osfamily}") + fail("Not supported OS family ${::osfamily}") } } diff --git a/manifests/revoke.pp b/manifests/revoke.pp index ad2a69a4..e4b7d1a0 100644 --- a/manifests/revoke.pp +++ b/manifests/revoke.pp @@ -1,6 +1,7 @@ # == Define: openvpn::revoke # -# This define creates a revocation on a certificate for a specified openvpn server. +# This define creates a revocation on a certificate for a specified openvpn +# server. # # === Parameters # @@ -11,7 +12,8 @@ # === Note # # In order for a certificate to be revoked, it must exist first. -# You cannot declare a revoked certificate that has not been created by the module. +# You cannot declare a revoked certificate that has not been created by the +# module. # # === Examples # @@ -45,9 +47,7 @@ # See the License for the specific language governing permissions and # limitations under the License. # -define openvpn::revoke( - $server -) { +define openvpn::revoke($server) { Openvpn::Server[$server] -> Openvpn::Revoke[$name] 
@@ -55,11 +55,10 @@ Openvpn::Client[$name] -> Openvpn::Revoke[$name] - exec { - "revoke certificate for ${name} in context of ${server}": - command => ". ./vars && ./revoke-full ${name} ; test $? -eq 2 && touch revoked/${name}", - cwd => "/etc/openvpn/${server}/easy-rsa", - creates => "/etc/openvpn/${server}/easy-rsa/revoked/${name}", - provider => 'shell'; + exec { "revoke certificate for ${name} in context of ${server}": + command => ". ./vars && ./revoke-full ${name} ; test $? -eq 2 && touch revoked/${name}", + cwd => "/etc/openvpn/${server}/easy-rsa", + creates => "/etc/openvpn/${server}/easy-rsa/revoked/${name}", + provider => 'shell'; } } diff --git a/manifests/server.pp b/manifests/server.pp index 68c6baad..8bb7e806 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -239,15 +239,18 @@ # Default: 3650 # # [*key_name*] -# String. Value for name_default variable in openssl.cnf (and KEY_NAME in vars) +# String. Value for name_default variable in openssl.cnf and +# KEY_NAME in vars # Default: None # # [*key_ou*] -# String. Value for organizationalUnitName_default variable in openssl.cnf (and KEY_OU in vars) +# String. Value for organizationalUnitName_default variable in openssl.cnf +# and KEY_OU in vars # Default: None # # [*key_cn*] -# String. Value for commonName_default variable in openssl.cnf (and KEY_CN in vars) +# String. Value for commonName_default variable in openssl.cnf +# and KEY_CN in vars # Default: None # # === Examples 
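Review bot: `provider => 'shell';` keeps the `;` terminator that this patch replaces with `,` in every other single-resource body, so the lint warning it targets should still fire here; the same leftover sits on `content => template('openvpn/server.erb');` in the `/etc/openvpn/${name}.conf` resource of server.pp. A short comment above `command` explaining why exit status 2 is treated as success — presumably easy-rsa's revoke-full ending in an `openssl verify -crl_check` that reports the certificate as revoked, which should be confirmed — would save readers a trip into easy-rsa, e.g. `# revoke-full exits 2 once verify confirms the revocation; only then record it`. The `define openvpn::revoke` header is in the previous hunk, outside this one.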
@@ -372,41 +375,36 @@ "/etc/openvpn/${name}/auth", "/etc/openvpn/${name}/client-configs", "/etc/openvpn/${name}/download-configs" ]: + ensure => directory, mode => '0750', - ensure => directory; } - exec { - "copy easy-rsa to openvpn config folder ${name}": - command => "/bin/cp -r ${openvpn::params::easyrsa_source} /etc/openvpn/${name}/easy-rsa", - creates => "/etc/openvpn/${name}/easy-rsa", - notify => Exec["fix_easyrsa_file_permissions_${name}"], - require => File["/etc/openvpn/${name}"]; + exec { "copy easy-rsa to openvpn config folder ${name}": + command => "/bin/cp -r ${openvpn::params::easyrsa_source} /etc/openvpn/${name}/easy-rsa", + creates => "/etc/openvpn/${name}/easy-rsa", + notify => Exec["fix_easyrsa_file_permissions_${name}"], + require => File["/etc/openvpn/${name}"], } - exec { - "fix_easyrsa_file_permissions_${name}": - refreshonly => true, - command => "/bin/chmod 755 /etc/openvpn/${name}/easy-rsa/*"; + exec { "fix_easyrsa_file_permissions_${name}": + refreshonly => true, + command => "/bin/chmod 755 /etc/openvpn/${name}/easy-rsa/*", } - file { - "/etc/openvpn/${name}/easy-rsa/revoked": - mode => '0750', - ensure => directory, - require => Exec["copy easy-rsa to openvpn config folder ${name}"]; + file { "/etc/openvpn/${name}/easy-rsa/revoked": + ensure => directory, + mode => '0750', + require => Exec["copy easy-rsa to openvpn config folder ${name}"], } - file { - "/etc/openvpn/${name}/easy-rsa/vars": - ensure => present, - content => template('openvpn/vars.erb'), - require => Exec["copy easy-rsa to openvpn config folder ${name}"]; + file { "/etc/openvpn/${name}/easy-rsa/vars": + ensure => present, + content => template('openvpn/vars.erb'), + require => Exec["copy easy-rsa to openvpn config folder ${name}"], } - file { - "/etc/openvpn/${name}/easy-rsa/openssl.cnf": - require => Exec["copy easy-rsa to openvpn config folder ${name}"]; + file { "/etc/openvpn/${name}/easy-rsa/openssl.cnf": + require => Exec["copy easy-rsa to openvpn config folder 
${name}"], } if $openvpn::params::link_openssl_cnf == true { 
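Review bot: `exec { "copy easy-rsa to openvpn config folder ${name}":` is guarded by `creates => "/etc/openvpn/${name}/easy-rsa"`, so the copied scripts and openssl.cnf are never refreshed once that directory exists; after a distribution upgrade moves `easyrsa_source` (this patch's params.pp adds exactly such version-dependent paths) the node keeps its old copy, and the `chmod 755` exec it notifies likewise runs only on that first copy. That is probably intended, since `keys/` lives inside the tree and a re-copy would not be harmless, but it deserves a comment such as `# copied once: keys/ lives inside this tree, so never re-run cp over an existing copy`. The `file` list whose entries receive `mode => '0750'` and the enclosing define both begin before the hunk.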
@@ -416,51 +414,51 @@ } } - exec { - "generate dh param ${name}": - command => '. ./vars && ./clean-all && ./build-dh', - cwd => "/etc/openvpn/${name}/easy-rsa", - creates => "/etc/openvpn/${name}/easy-rsa/keys/dh${ssl_key_size}.pem", - provider => 'shell', - require => File["/etc/openvpn/${name}/easy-rsa/vars"]; + exec { "generate dh param ${name}": + command => '. ./vars && ./clean-all && ./build-dh', + cwd => "/etc/openvpn/${name}/easy-rsa", + creates => "/etc/openvpn/${name}/easy-rsa/keys/dh${ssl_key_size}.pem", + provider => 'shell', + require => File["/etc/openvpn/${name}/easy-rsa/vars"], + } - "initca ${name}": - command => '. ./vars && ./pkitool --initca', - cwd => "/etc/openvpn/${name}/easy-rsa", - creates => "/etc/openvpn/${name}/easy-rsa/keys/ca.key", - provider => 'shell', - require => [ Exec["generate dh param ${name}"], - File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"] ]; + exec { "initca ${name}": + command => '. ./vars && ./pkitool --initca', + cwd => "/etc/openvpn/${name}/easy-rsa", + creates => "/etc/openvpn/${name}/easy-rsa/keys/ca.key", + provider => 'shell', + require => [ + Exec["generate dh param ${name}"], + File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"] + ], + } - "generate server cert ${name}": - command => ". ./vars && ./pkitool --server ${common_name}", - cwd => "/etc/openvpn/${name}/easy-rsa", - creates => "/etc/openvpn/${name}/easy-rsa/keys/${common_name}.key", - provider => 'shell', - require => Exec["initca ${name}"]; + exec { "generate server cert ${name}": + command => ". 
./vars && ./pkitool --server ${common_name}", + cwd => "/etc/openvpn/${name}/easy-rsa", + creates => "/etc/openvpn/${name}/easy-rsa/keys/${common_name}.key", + provider => 'shell', + require => Exec["initca ${name}"], } - file { - "/etc/openvpn/${name}/keys": - ensure => link, - target => "/etc/openvpn/${name}/easy-rsa/keys", - require => Exec["copy easy-rsa to openvpn config folder ${name}"]; + file { "/etc/openvpn/${name}/keys": + ensure => link, + target => "/etc/openvpn/${name}/easy-rsa/keys", + require => Exec["copy easy-rsa to openvpn config folder ${name}"], } - exec { - "create crl.pem on ${name}": - command => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out /etc/openvpn/${name}/crl.pem -config /etc/openvpn/${name}/easy-rsa/openssl.cnf", - cwd => "/etc/openvpn/${name}/easy-rsa", - creates => "/etc/openvpn/${name}/crl.pem", - provider => 'shell', - require => Exec["generate server cert ${name}"]; + exec { "create crl.pem on ${name}": + command => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out /etc/openvpn/${name}/crl.pem -config /etc/openvpn/${name}/easy-rsa/openssl.cnf", + cwd => "/etc/openvpn/${name}/easy-rsa", + creates => "/etc/openvpn/${name}/crl.pem", + provider => 'shell', + require => Exec["generate server cert ${name}"], } - file { - "/etc/openvpn/${name}/easy-rsa/keys/crl.pem": - ensure => link, - target => "/etc/openvpn/${name}/crl.pem", - require => Exec["create crl.pem on ${name}"]; + file { "/etc/openvpn/${name}/easy-rsa/keys/crl.pem": + ensure => link, + target => "/etc/openvpn/${name}/crl.pem", + require => Exec["create crl.pem on ${name}"], } if $::osfamily == 'Debian' { 
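Review bot: `exec { "generate dh param ${name}":` runs `./clean-all` and is guarded only by `creates => "/etc/openvpn/${name}/easy-rsa/keys/dh${ssl_key_size}.pem"`, so changing `ssl_key_size` on an already deployed server re-triggers it, `clean-all` empties `keys/` (CA key, server certificate, every issued client certificate), and the following execs with `creates` on `ca.key` and `${common_name}.key` then build a fresh CA that existing clients no longer trust. This predates the patch, but the rewritten resource is the right place for `# WARNING: clean-all wipes keys/; ssl_key_size must not change after the first run`, or an equivalent note in the parameter docs. Separately, `exec { "create crl.pem on ${name}":` with `creates => "/etc/openvpn/${name}/crl.pem"` generates the CRL once and never again, so its nextUpdate date eventually lapses; how the running server treats an expired CRL depends on the OpenVPN version, so that also merits a comment. The enclosing define begins before the hunk.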
@@ -472,19 +470,19 @@ } } - file { - "/etc/openvpn/${name}.conf": - owner => root, - group => root, - mode => '0444', - content => template('openvpn/server.erb'); + file { "/etc/openvpn/${name}.conf": + owner => root, + group => root, + mode => '0444', + content => template('openvpn/server.erb'); } + if $ldap_enabled == true { file { "/etc/openvpn/${name}/auth/ldap.conf": ensure => present, content => template('openvpn/ldap.erb'), - require => Package["openvpn-auth-ldap"], + require => Package['openvpn-auth-ldap'], } } } diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb index e94eaea7..d9d77baa 100644 --- a/spec/defines/openvpn_server_spec.rb +++ b/spec/defines/openvpn_server_spec.rb @@ -131,6 +131,8 @@ :netmask_eth0 => '255.255.255.0', :concat_basedir => '/var/lib/puppet/concat', :osfamily => 'Debian', + :lsbdistid => 'Ubuntu', + :lsbdistrelease => '12.04', } } it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^mode\s+server$/) }
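Review bot: `file { "/etc/openvpn/${name}/auth/ldap.conf":` sets `ensure` and `content` but no `owner`, `group` or `mode`, so the rendered file lands with the agent's default permissions; if `ldap.erb` writes an LDAP bind password — not visible in this hunk — every local user can read it. The neighbouring `${name}.conf` resource shows the file's own convention (`owner => root, group => root, mode => '0444'`), so `owner => root, group => root, mode => '0600',` on ldap.conf keeps a credential private, with the exact mode checked against the user the openvpn-auth-ldap plugin reads the file as. The `define openvpn::server` header lies before the hunk.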