diff --git a/manifests/client.pp b/manifests/client.pp
index f0dc4136..4d3b264c 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -215,6 +215,9 @@
 Openvpn::Server[$server] -> Openvpn::Client[$name]
+ $extca_enabled = getparam(Openvpn::Server[$server], 'extca_enabled')
+ if $extca_enabled { fail('cannot currently create client configs when corresponding openvpn::server is extca_enabled') }
+
 $ca_name = pick($shared_ca, $server)
 Openvpn::Ca[$ca_name] -> Openvpn::Client[$name]
diff --git a/manifests/init.pp b/manifests/init.pp
index 81e385d8..5f8d94e5 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -6,7 +6,7 @@
 # === Parameters
 #
 # [*autostart_all*]
-# Boolean. Wether the openvpn instances should be started automatically on boot.
+# Boolean. Whether openvpn instances should be started automatically on boot.
 # Default: true
 # [*manage_service*]
 # Boolean. Wether the openvpn service should be managed by puppet.
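Review bot: The new `getparam(Openvpn::Server[$server], 'extca_enabled')` guard only works if `Openvpn::Server[$server]` has already been evaluated when this client is compiled; the `->` chain on the line above orders application, not evaluation, and as far as I recall stdlib's getparam returns an empty string for a resource that is not yet in the catalog, so a client declared before its server in manifest order would pass the check silently. The shared_ca branch of openvpn::server already handles this kind of situation with `if !defined(Openvpn::Ca[$shared_ca]) { fail(...) }`; the same pattern here, `if !defined(Openvpn::Server[$server]) { fail("Openvpn::Server[${server}] must be declared before Openvpn::Client[${name}]") }` placed before the getparam call, turns the ordering dependency into an explicit compile error. The body of openvpn::client continues outside the hunk.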
@@ -68,17 +68,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-class openvpn(
- $autostart_all = true,
- $manage_service = true,
- $client_defaults = hiera_hash('openvpn::client_defaults', {}),
- $clients = hiera_hash('openvpn::clients', {}),
+class openvpn (
+ $autostart_all = true,
+ $manage_service = true,
+ $client_defaults = hiera_hash('openvpn::client_defaults', {}),
+ $clients = hiera_hash('openvpn::clients', {}),
 $client_specific_config_defaults = hiera_hash('openvpn::client_specific_config_defaults', {}),
- $client_specific_configs = hiera_hash('openvpn::client_specific_configs', {}),
- $revoke_defaults = hiera_hash('openvpn::revoke_defaults', {}),
- $revokes = hiera_hash('openvpn::revokes', {}),
- $server_defaults = hiera_hash('openvpn::server_defaults', {}),
- $servers = hiera_hash('openvpn::servers', {}),
+ $client_specific_configs = hiera_hash('openvpn::client_specific_configs', {}),
+ $revoke_defaults = hiera_hash('openvpn::revoke_defaults', {}),
+ $revokes = hiera_hash('openvpn::revokes', {}),
+ $server_defaults = hiera_hash('openvpn::server_defaults', {}),
+ $servers = hiera_hash('openvpn::servers', {}),
 ) {
 validate_hash($client_defaults)
@@ -105,7 +105,8 @@
 }
 create_resources('openvpn::client', $clients, $client_defaults)
- create_resources('openvpn::client_specific_config', $client_specific_configs, $client_specific_config_defaults)
+ create_resources('openvpn::client_specific_config', $client_specific_configs,
+ $client_specific_config_defaults)
 create_resources('openvpn::revoke', $revokes, $revoke_defaults)
 create_resources('openvpn::server', $servers, $server_defaults)
diff --git a/manifests/install.pp b/manifests/install.pp
index 7a5f583a..7e8386b3 100644
--- a/manifests/install.pp
+++ b/manifests/install.pp
@@ -31,7 +31,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-class openvpn::install inherits ::openvpn::params {
+class openvpn::install inherits openvpn::params {
 ensure_packages(['openvpn'])
 if $::openvpn::params::additional_packages != undef {
diff --git a/manifests/params.pp b/manifests/params.pp
index 9ff69a7a..3b239221 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -22,9 +22,9 @@
 $root_group = 'root'
 $group = 'nobody'
 $link_openssl_cnf = true
- $pam_module_path = '/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so'
+ $pam_module_path = '/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so'
 $additional_packages = ['easy-rsa']
- $easyrsa_source = '/usr/share/easy-rsa/2.0'
+ $easyrsa_source = '/usr/share/easy-rsa/2.0'
 # Redhat/Centos >= 7.0
 if(versioncmp($::operatingsystemrelease, '7.0') >= 0) {
@@ -47,41 +47,47 @@
 'Debian': {
 # Version > 8.0, jessie
 if(versioncmp($::operatingsystemrelease, '8.0') >= 0) {
- $additional_packages = ['easy-rsa', 'openvpn-auth-ldap']
- $easyrsa_source = '/usr/share/easy-rsa/'
+ $additional_packages = ['easy-rsa','openvpn-auth-ldap']
+ $easyrsa_source = '/usr/share/easy-rsa/'
 $ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so'
- $systemd = true
+ $systemd = true
 # Version > 7.0, wheezy
 } elsif(versioncmp($::operatingsystemrelease, '7.0') >= 0) {
- $additional_packages = ['openvpn-auth-ldap']
- $easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0'
+ $additional_packages = ['openvpn-auth-ldap']
+ $easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0'
 $ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so'
- $systemd = false
+ $systemd = false
 } else {
+ $additional_packages = undef
 $easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0'
+ $ldap_auth_plugin_location = undef
+ $systemd = false
 }
 }
 'Ubuntu': {
 # Version > 15.04, vivid
 if(versioncmp($::operatingsystemrelease, '15.04') >= 0){
- $additional_packages = ['easy-rsa', 'openvpn-auth-ldap']
- $easyrsa_source = '/usr/share/easy-rsa/'
+ $additional_packages = ['easy-rsa','openvpn-auth-ldap']
+ $easyrsa_source = '/usr/share/easy-rsa/'
 $ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so'
- $systemd = true
+ $systemd = true
 # Version > 13.10, saucy
 } elsif(versioncmp($::operatingsystemrelease, '13.10') >= 0) {
- $additional_packages = ['easy-rsa', 'openvpn-auth-ldap']
- $easyrsa_source = '/usr/share/easy-rsa/'
+ $additional_packages = ['easy-rsa','openvpn-auth-ldap']
+ $easyrsa_source = '/usr/share/easy-rsa/'
 $ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so'
- $systemd = false
+ $systemd = false
 } else {
+ $additional_packages = undef
 $easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0'
+ $ldap_auth_plugin_location = undef
+ $systemd = false
 }
 }
 default: {
- fail("Not supported OS / Distribution: ${::osfamily}/${::operatingsystem}")
+ fail("Unsupported OS/Distribution ${::osfamily}/${::operatingsystem}")
 }
 }
 }
@@ -92,8 +98,8 @@
 $easyrsa_source = '/usr/share/easy-rsa/'
 $group = 'nobody'
 $ldap_auth_plugin_location = undef # unsupported
- $link_openssl_cnf = true
- $systemd = true
+ $link_openssl_cnf = true
+ $systemd = true
 }
 'Linux': {
 case $::operatingsystem {
@@ -102,13 +108,14 @@
 $root_group = 'root'
 $group = 'nobody'
 $additional_packages = ['easy-rsa']
- $easyrsa_source = '/usr/share/easy-rsa/2.0'
- $systemd = false
- $link_openssl_cnf = true
- $pam_module_path = '/usr/lib/openvpn/openvpn-auth-pam.so'
+ $easyrsa_source = '/usr/share/easy-rsa/2.0'
+ $ldap_auth_plugin_location = undef
+ $systemd = false
+ $link_openssl_cnf = true
+ $pam_module_path = '/usr/lib/openvpn/openvpn-auth-pam.so'
 }
 default: {
- fail("Not supported OS / Distribution: ${::osfamily}/${::operatingsystem}")
+ fail("Unsupported OS/Distribution ${::osfamily}/${::operatingsystem}")
 }
 }
 }
diff --git a/manifests/server.pp b/manifests/server.pp
index 24a70486..1bd840cc 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -1,15 +1,18 @@
 # == Define: openvpn::server
 #
-# This define creates the openvpn server instance which can run in server or client mode.
+# This define creates the openvpn server instance which can run in server or
+# client mode.
 #
 # === Parameters
 #
 # [*country*]
-# String. Country to be used for the SSL certificate, mandatory for server mode.
+# String. Country to be used for the SSL certificate,
+# mandatory for server mode.
 # Default: undef
 #
 # [*province*]
-# String. Province to be used for the SSL certificate, mandatory for server mode.
+# String. Province to be used for the SSL certificate,
+# mandatory for server mode.
 # Default: undef
 #
 # [*city*]
@@ -17,11 +20,13 @@
 # Default: undef
 #
 # [*organization*]
-# String. Organization to be used for the SSL certificate, mandatory for server mode.
+# String. Organization to be used for the SSL certificate,
+# mandatory for server mode.
 # Default: undef
 #
 # [*email*]
-# String. Email address to be used for the SSL certificate, mandatory for server mode.
+# String. Email address to be used for the SSL certificate,
+# mandatory for server mode.
 # Default: undef
 #
 # [*remote*]
@@ -84,7 +89,8 @@
 # Default: "/var/log/openvpn/${name}-status.log"
 #
 # [*status_version*]
-# Integer. Choose the status file format version number. Can be 1, 2 or 3 and defaults to 1
+# Integer. Choose the status file format version number.
+# Can be 1, 2 or 3 and defaults to 1
 # Default: None (=1)
 #
 # [*server*]
@@ -143,6 +149,12 @@
 # Boolean, Enable/Disable.
 # Default: false
 #
+# [*pam_module_arguments*]
+# String. Arguments to pass to the PAM module. For FreeIPA, set this to
+# "openvpn login USERNAME password PASSWORD" and create HBAC Service
+# "openvpn".
+# Default: login
+#
 # [*management*]
 # Boolean. Enable management interface
 # Default: false
@@ -309,13 +321,54 @@
 # String. Name of a openssl::ca resource to use config with
 # Default: undef
 #
+# [*crl_verify*]
+# Boolean. Enable CRL checking. Disabling this is not recommended.
+# Default: true
+#
+# [*extca_enabled*]
+# Boolean. Turn this on if you are using an external CA solution, like FreeIPA.
+# Once enabled, you must configure the remaining extca_* parameters.
+# Default: false
+#
+# [*extca_ca_cert_file*]
+# String. External CA: Path to the CA certificate.
+# Default: undef
+#
+# [*extca_ca_crl_file*]
+# String. External CA: Path to the CA's CRL file.
+# For FreeIPA-based CAs, CRLs expire every four hours, which means you
+# may need your own solution for maintaining a local copy of your CA's CRL.
+# Otherwise, you can set crl_verify to false (not recommended).
+# Default: undef
+#
+# [*extca_server_cert_file*]
+# String. External CA: Path to the external CA issued OpenVPN server certificate.
+# Default: undef
+#
+# [*extca_server_key_file*]
+# String. External CA: Path to the key file that corresponds to $extca_server_cert_file
+# Default: undef
+#
+# [*extca_dh_file*]
+# String. External CA: Path to your Dillie-Hellman parameter file. You will need to create one yourself.
+# Make sure key-size matches the public key size of your CA-issued server certificate.
+# Like this: openssl dhparam -out /path/to/dh.pem 2048
+# Note: This is only required if you are enabling $tls_server.
+# Default: undef
+#
+# [*extca_tls_auth_key_file*]
+# String. External CA: If you are enabling $extca_enabled and $tls_auth, you will also need to create
+# the tls-auth key file and specify its location here.
+# The file can be created like this: openvpn --genkey --secret /path/to/ta.key
+# Note: you will need to distribute this file to your clients as well.
+#
 # [*autostart*]
-# Boolean. Enable autostart for this server if openvpn::autostart_all is false.
+# Boolean. Enable autostart for server if openvpn::autostart_all is false.
 # Default: undef
 #
 # [*ns_cert_type*]
-# Boolean. Enable or disable use of ns-cert-type for the session. Generally used
-# with client configuration
+# Boolean. Enable or disable use of ns-cert-type for the session. Generally
+# used with client configuration
 # Default: true
 #
 # [*nobind*]
@@ -323,7 +376,7 @@
 # Default: false
 #
 # [*custom_options*]
-# Hash of additional options that you want to append to the configuration file.
+# Hash of additional options to append to the configuration file.
 #
 # === Examples
 #
@@ -393,6 +446,7 @@
 $tcp_nodelay = false,
 $ccd_exclusive = false,
 $pam = false,
+ $pam_module_arguments = 'login',
 $management = false,
 $management_ip = 'localhost',
 $management_port = 7505,
@@ -433,6 +487,14 @@
 $sndbuf = undef,
 $rcvbuf = undef,
 $shared_ca = undef,
+ $crl_verify = true,
+ $extca_enabled = false,
+ $extca_ca_cert_file = undef,
+ $extca_ca_crl_file = undef,
+ $extca_server_cert_file = undef,
+ $extca_server_key_file = undef,
+ $extca_dh_file = undef,
+ $extca_tls_auth_key_file = undef,
 $autostart = undef,
 $ns_cert_type = true,
 $nobind = false,
@@ -464,13 +526,15 @@
 # Selection block to enable or disable tls-server flag
 # Check if we want to run as a client or not
 if !$tls_client {
- if $tls_server {
+ if $tls_server and !$extca_enabled {
 $real_tls_server = $tls_server
- } else {
+ } elsif ($extca_enabled and $extca_dh_file) or (!$extca_enabled) {
 $real_tls_server = $proto ? {
 /tcp/ => true,
 default => false
 }
+ } else {
+ $real_tls_server = false
 }
 }
@@ -485,7 +549,7 @@
 if $shared_ca {
 $ca_name = $shared_ca
- } else {
+ } elsif !$extca_enabled {
 $ca_name = $name
 }
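Review bot: The `[*extca_dh_file*]` entry misspells the algorithm, `Dillie-Hellman` should read `Diffie-Hellman`, and `[*extca_tls_auth_key_file*]` is the only new parameter without a `Default:` line; add `# Default: undef` before the blank `#` that precedes `[*autostart*]`. The `[*crl_verify*]` text would be more useful if it said what disabling it means in practice, e.g. `# Boolean. Enable CRL checking. When false, certificates the CA has since revoked are still accepted; not recommended.` The `[*extca_enabled*]` entry could also state that client configs (openvpn::client) are currently refused for an extca server, since that restriction is enforced in client.pp but documented nowhere.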
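Review bot: In the `$real_tls_server` selection an explicit `tls_server => true` is ignored whenever `$extca_enabled` is set: the first branch requires `!$extca_enabled`, so an external-CA server on UDP that asked for tls_server falls into the `elsif` and ends up with `$real_tls_server = false`, even though the validation added further down (`if $extca_dh_file == undef and !$remote and $tls_server { fail(...) }`) clearly expects the combination to be supported. Suggested conditions: `if $tls_server and (!$extca_enabled or $extca_dh_file) {` for the first branch and `} elsif !$extca_enabled or $extca_dh_file {` for the second, which keeps the proto-based fallback and the `false` default for an extca server without a DH file. A spec with `extca_enabled => true`, `tls_server => true` and `proto => 'udp'` asserting `^tls-server` would pin this.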
@@ -499,13 +563,29 @@
 notify => $lnotify,
 }
+ if $extca_enabled {
+ # VPN Server or Client with external CA
+ if $extca_ca_cert_file == undef { fail('extca_ca_cert_file has to be specified in extca mode') }
+ if $extca_ca_crl_file == undef and $crl_verify and !$remote { fail('extca_ca_crl_file has to be specified in extca mode if crl_verify is enabled') }
+ if $extca_server_cert_file == undef { fail('extca_server_cert_file has to be specified in extca mode') }
+ if $extca_server_key_file == undef { fail('extca_server_key_file has to be specified in extca mode') }
+ if $extca_dh_file == undef and !$remote and $tls_server { fail('cant enable tls_server: missing extca_dh_file') }
+ if $extca_tls_auth_key_file == undef and !$remote and $tls_auth { fail('cant enable tls_auth: missing extca_tls_auth_key_file') }
+ }
+
 if !$remote {
- if !$shared_ca {
+ if !$shared_ca and !$extca_enabled {
 # VPN Server Mode
- if $country == undef { fail('country has to be specified in server mode') }
- if $province == undef { fail('province has to be specified in server mode') }
+ if $country == undef {
+ fail('country has to be specified in server mode')
+ }
+ if $province == undef {
+ fail('province has to be specified in server mode')
+ }
 if $city == undef { fail('city has to be specified in server mode') }
- if $organization == undef { fail('organization has to be specified in server mode') }
+ if $organization == undef {
+ fail('organization has to be specified in server mode')
+ }
 if $email == undef { fail('email has to be specified in server mode') }
 $ca_common_name = $common_name
@@ -525,11 +605,13 @@
 key_ou => $key_ou,
 tls_auth => $tls_auth,
 }
- } else {
+ } elsif !$extca_enabled {
 if !defined(Openvpn::Ca[$shared_ca]) {
 fail("Openvpn::ca[${name}] is not defined for shared_ca")
 }
 $ca_common_name = getparam(Openvpn::Ca[$shared_ca], 'common_name')
+ } else {
+ $ca_common_name = undef
 }
 file {
@@ -582,7 +664,10 @@
 ensure => running,
 enable => true,
 provider => 'systemd',
- require => [ File["${etc_directory}/openvpn/${name}.conf"], Openvpn::Ca[$ca_name] ]
+ require => File["${etc_directory}/openvpn/${name}.conf"],
+ }
+ if !$extca_enabled {
+ Openvpn::Ca[$ca_name] -> Service["openvpn@${name}"]
 }
 }
 }
@@ -604,7 +689,10 @@
 service { "openvpn_${name}":
 ensure => running,
 enable => true,
- require => [ File["${etc_directory}/openvpn/${name}.conf"], Openvpn::Ca[$ca_name] ]
+ require => File["${etc_directory}/openvpn/${name}.conf"],
+ }
+ if !extca_enabled {
+ Openvpn::Ca[$ca_name] -> Service["openvpn_${name}"]
 }
 }
 }
diff --git a/spec/defines/openvpn_client_spec.rb b/spec/defines/openvpn_client_spec.rb
index 24afc7c6..730b33cd 100644
--- a/spec/defines/openvpn_client_spec.rb
+++ b/spec/defines/openvpn_client_spec.rb
@@ -38,6 +38,7 @@
 'command' => '/bin/rm test_client.tar.gz; tar --exclude=\*.conf.d -chzvf test_client.tar.gz test_client test_client.tblk'
 ) }
+
 context "setting the minimum parameters" do
 let(:params) { { 'server' => 'test_server' } }
@@ -126,6 +127,27 @@
 it { should_not contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^cipher/) }
 end
+ context "should fail if specifying an openvpn::server with extca_enabled=true" do
+ let(:params) { {
+ 'server' => "test_server_extca",
+ } }
+ before do
+ pre_condition << '
+ openvpn::server { "text_server_extca":
+ tls_auth => true,
+ extca_enabled => true,
+ extca_ca_cert_file => "/etc/ipa/ca.crt",
+ extca_ca_crl_file => "/etc/ipa/ca_crl.pem",
+ extca_server_cert_file => "/etc/pki/tls/certs/localhost.crt",
+ extca_server_key_file => "/etc/pki/tls/private/localhost.key",
+ extca_dh_file => "/etc/ipa/dh.pem",
+ extca_tls_auth_key_file => "/etc/openvpn/keys/ta.key",
+ }
+ '
+ end
+ it { expect { should compile }.to raise_error }
+ end
+
 context "when using shared ca" do
 let(:params) { {
 'server' => 'test_server',
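Review bot: `if !extca_enabled {` in the non-systemd service branch is missing the `$` sigil; a bare word in Puppet is a string literal and a non-empty string is truthy, so the condition is always false and the `Openvpn::Ca[$ca_name] -> Service["openvpn_${name}"]` ordering is never applied, which silently drops the relationship the old `require => [..., Openvpn::Ca[$ca_name]]` expressed. The systemd branch in the preceding hunk spells it correctly as `if !$extca_enabled {`; the same one-character fix belongs here. Neither puppet-lint nor the existing specs would catch this, so a spec asserting that `Service["openvpn_test_server"]` still depends on `Openvpn::Ca["test_server"]` for a non-systemd, internal-CA server would be worth adding alongside the fix.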
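Review bot: The pre_condition declares `openvpn::server { "text_server_extca":` while the client under test points at `'server' => "test_server_extca"`, so the catalog fails because `Openvpn::Server[test_server_extca]` does not exist at all, not because of the new extca guard, and the bare `raise_error` with no message matcher hides that. Fix the title to `"test_server_extca"` and assert the guard's own message, e.g. `it { should compile.and_raise_error(/extca_enabled/) }`. The two failing-compile contexts added to openvpn_server_spec.rb use the same unqualified `raise_error` and set no facts, so unless spec_helper supplies defaults they may be failing in params.pp's unsupported-OS branch rather than in the extca validation; matching on the respective fail() messages there would make them meaningful.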
@@ -154,6 +176,7 @@
 )}
 end
+ # Check that certificate files point to the provided CA
 it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^client$/)}
 it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^ca\s+keys\/test_client\/ca\.crt$/)}
diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb
index 2c9d7b77..465299cc 100644
--- a/spec/defines/openvpn_server_spec.rb
+++ b/spec/defines/openvpn_server_spec.rb
@@ -346,7 +346,26 @@
 :concat_basedir => '/var/lib/puppet/concat' } }
 it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^group\s+nobody$}) }
- it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so login$}) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so "?login"?$}) }
+ end
+
+ context "when RedHat based machine with different pam_module_arguments and crl_verify disabled" do
+ let(:params) { {
+ 'country' => 'CO',
+ 'province' => 'ST',
+ 'city' => 'Some City',
+ 'organization' => 'example.org',
+ 'email' => 'testemail@example.org',
+ 'pam' => true,
+ 'pam_module_arguments' => 'openvpn login USERNAME password PASSWORD',
+ 'crl_verify' => false,
+ } }
+
+ let(:facts) { { :osfamily => 'RedHat',
+ :concat_basedir => '/var/lib/puppet/concat' } }
+
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so "openvpn login USERNAME password PASSWORD"$}) }
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^crl-verify/) }
 end
 context "when Debian based machine" do
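Review bot: The new "crl_verify disabled" context expects no `^crl-verify` line for a server that uses the module's own CA, but `crl_verify` is only consulted in the `@extca_enabled` branch of templates/server.erb; the internal-CA branch in that template still emits `crl-verify .../crl.pem` under a plain `<% unless @remote -%>`, so as far as I can see this assertion cannot pass as the template stands. Either drop the assertion, or make the internal-CA branch honour the parameter with `<% unless @remote or !@crl_verify -%>` and update the `[*crl_verify*]` docs to say it applies to both modes. If the second option is taken it deserves a loud doc note: the internal CA's CRL is presumably what makes `openvpn::revoke` take effect, so a server with `crl_verify => false` keeps accepting certificates that have been revoked through the module.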
@@ -362,7 +381,7 @@
 let(:facts) { { :osfamily => 'Debian', :operatingsystem => 'Debian', :concat_basedir => '/var/lib/puppet/concat' } }
 it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^group\s+nogroup$/) }
- it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^plugin /usr/lib/openvpn/openvpn-auth-pam.so login$}) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^plugin /usr/lib/openvpn/openvpn-auth-pam.so "?login"?$}) }
 context 'enabled autostart_all' do
 let(:pre_condition) { 'class { "openvpn": autostart_all => true }' }
@@ -468,6 +487,86 @@
 end
+ context "RedHat using an external CA and without tls-auth" do
+ let(:params) { {
+ 'extca_enabled' => true,
+ 'extca_ca_cert_file' => '/etc/ipa/ca.crt',
+ 'extca_ca_crl_file' => '/etc/ipa/ca_crl.pem',
+ 'extca_server_cert_file' => '/etc/pki/tls/certs/localhost.crt',
+ 'extca_server_key_file' => '/etc/pki/tls/private/localhost.key',
+ 'extca_dh_file' => '/etc/ipa/dh.pem',
+ 'extca_tls_auth_key_file' => '/etc/openvpn/keys/ta.key',
+ } }
+
+ let(:facts) { { :osfamily => 'RedHat',
+ :concat_basedir => '/var/lib/puppet/concat' } }
+
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^ca\s+\/etc\/openvpn\/test_server\/keys/) }
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^crl-verify\s+\/etc\/openvpn\/test_server/) }
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^cert\s+\/etc\/openvpn\/test_server\/keys/) }
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^key\s+\/etc\/openvpn\/test_server\/keys/) }
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^dh\s+\/etc\/openvpn\/test_server\/keys/) }
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^tls-auth/) }
+
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^ca\s+\/etc\/ipa\/ca.crt$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^crl-verify\s+\/etc\/ipa\/ca_crl.pem$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^cert\s+\/etc\/pki\/tls\/certs\/localhost.crt$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^key\s+\/etc\/pki\/tls\/private\/localhost.key$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^dh\s+\/etc\/ipa\/dh.pem$/) }
+
+ end
+
+ context "RedHat using an external CA and enabling tls-auth" do
+ let(:params) { {
+ 'tls_auth' => true,
+ 'extca_enabled' => true,
+ 'extca_ca_cert_file' => '/etc/ipa/ca.crt',
+ 'extca_ca_crl_file' => '/etc/ipa/ca_crl.pem',
+ 'extca_server_cert_file' => '/etc/pki/tls/certs/localhost.crt',
+ 'extca_server_key_file' => '/etc/pki/tls/private/localhost.key',
+ 'extca_dh_file' => '/etc/ipa/dh.pem',
+ 'extca_tls_auth_key_file' => '/etc/openvpn/keys/ta.key',
+ } }
+
+ let(:facts) { { :osfamily => 'RedHat',
+ :concat_basedir => '/var/lib/puppet/concat' } }
+
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^ca\s+\/etc\/openvpn\/test_server\/keys\/ca.crt$/) }
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^crl-verify\s+\/etc\/openvpn\/test_server\/crl.pem$/) }
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^cert\s+\/etc\/openvpn\/test_server\/keys\/server.crt$/) }
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^key\s+\/etc\/openvpn\/test_server\/keys\/server.key$/) }
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^dh\s+\/etc\/openvpn\/test_server\/keys\/dh1024.pem$/) }
+ it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^tls-auth\s+\/etc\/openvpn\/test_server\/keys\/ta.key$/) }
+
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^ca\s+\/etc\/ipa\/ca.crt$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^crl-verify\s+\/etc\/ipa\/ca_crl.pem$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^cert\s+\/etc\/pki\/tls\/certs\/localhost.crt$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^key\s+\/etc\/pki\/tls\/private\/localhost.key$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^dh\s+\/etc\/ipa\/dh.pem$/) }
+ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^tls-auth\s+\/etc\/openvpn\/keys\/ta.key$/) }
+
+ end
+
+ context "should fail if setting extca_enabled=true without specifying any other extca_* options" do
+ let(:params) { {
+ 'extca_enabled' => true,
+ } }
+ it { expect { should compile }.to raise_error }
+ end
+
+ context "should fail if setting extca_enabled=true and tls_auth=true without providing extca_tls_auth_key_file" do
+ let(:params) { {
+ 'tls_auth' => true,
+ 'extca_enabled' => true,
+ 'extca_ca_cert_file' => '/etc/ipa/ca.crt',
+ 'extca_ca_crl_file' => '/etc/ipa/ca_crl.pem',
+ 'extca_server_cert_file' => '/etc/pki/tls/certs/localhost.crt',
+ 'extca_server_key_file' => '/etc/pki/tls/private/localhost.key',
+ 'extca_dh_file' => '/etc/ipa/dh.pem',
+ } }
+ it { expect { should compile }.to raise_error }
+ end
+
 context 'systemd enabled RedHat' do
 let(:pre_condition) { "class { 'openvpn': manage_service => #{manage_service} }" }
 let(:facts) do
diff --git a/templates/server.erb b/templates/server.erb
index 715570d4..6f548650 100644
--- a/templates/server.erb
+++ b/templates/server.erb
@@ -13,6 +13,17 @@ remote <%= rem %>
 server-poll-timeout <%= @server_poll_timeout %>
 <% end -%>
 <% end -%>
+<% if @extca_enabled -%>
+ca <%= @extca_ca_cert_file %>
+cert <%= @extca_server_cert_file %>
+key <%= @extca_server_key_file %>
+<% unless @remote or !@extca_dh_file -%>
+dh <%= @extca_dh_file %>
+<% end -%>
+<% unless @remote or !@crl_verify or !@extca_ca_crl_file -%>
+crl-verify <%= @extca_ca_crl_file %>
+<% end -%>
+<% else -%>
 ca <%= @etc_directory -%>/openvpn/<%= @ca_name %>/keys/ca.crt
 cert <%= @etc_directory -%>/openvpn/<%= @ca_name %>/keys/<%= @ca_common_name %>.crt
 key <%= @etc_directory -%>/openvpn/<%= @ca_name %>/keys/<%= @ca_common_name %>.key
@@ -21,6 +32,7 @@ dh <%= @etc_directory -%>/openvpn/<%= @ca_name %>/keys/dh<%= @ssl_key_size %>.pe
 <% end -%>
 <% unless @remote -%>
 crl-verify <%= @etc_directory -%>/openvpn/<%= @ca_name %>/crl.pem
+<% end -%>
 <% end -%>
 <% if @proto == 'tcp' -%>
 proto <%= @proto %>-server
@@ -112,7 +124,7 @@ tcp-nodelay
 ccd-exclusive
 <% end -%>
 <% if @pam -%>
-plugin <%= @pam_module_path %> login
+plugin <%= @pam_module_path %> "<%= @pam_module_arguments %>"
 <% end -%>
 <% if @management -%>
 management <%= @management_ip %> <%= @management_port %>
@@ -142,13 +154,18 @@ duplicate-cn
 ping-timer-rem
 <% end -%>
 <% if @tls_auth -%>
+<% if @extca_enabled and @extca_tls_auth_key_file -%>
+# tls authentification
+tls-auth <%= @extca_tls_auth_key_file %>
+<% elsif !@extca_enabled -%>
 # tls authentification
 tls-auth <%= @etc_directory -%>/openvpn/<%= @name %>/keys/ta.key
-<% unless @remote -%>
+<% end -%>
+<% unless @remote -%>
 key-direction 0
-<% else -%>
+<% else -%>
 key-direction 1
-<% end -%>
+<% end -%>
 <% end -%>
 <% if @fragment != false -%>
 fragment <%= @fragment %>
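Review bot: `plugin <%= @pam_module_path %> "<%= @pam_module_arguments %>"` interpolates the parameter inside double quotes, so a `pam_module_arguments` value containing `"` or a newline yields a malformed `plugin` line that OpenVPN will refuse, and server.pp validates nothing about this parameter. A `validate_re($pam_module_arguments, '^[^"]*$', 'pam_module_arguments must not contain double quotes')` next to the other validations in server.pp would keep the rendered directive well-formed. The spec's new `"?login"?` regex accepts both the quoted and unquoted form, so a test that pins the exact quoted output for the default would also be worthwhile.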
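Review bot: In the tls-auth block, `key-direction 1` is still emitted for a client (`@remote` set) that has `tls_auth` and `extca_enabled` but no `extca_tls_auth_key_file`, because server.pp only fails on the missing key file when `!$remote`, and both template branches skip the `tls-auth` line in that case. A `key-direction` without a matching `tls-auth` is, as far as I recall, rejected by OpenVPN as an options error, and at best it is ignored; either way the client silently ends up without the HMAC protection it asked for. Wrapping the key-direction block in `<% if !@extca_enabled or @extca_tls_auth_key_file -%>` … `<% end -%>`, or dropping the `!$remote` condition from the `extca_tls_auth_key_file` check in server.pp so compilation fails instead, closes the gap.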