Katello · komidore64 · Dec 16, 2014 · Dec 16, 2014
diff --git a/.gitignore b/.gitignore
@@ -7,3 +7,8 @@ update_submodules_scratch
 .librarian
 .tmp
 .rpm
+
+# rvm
+.rvmrc
+.ruby-version
+.ruby-gemset
diff --git a/Puppetfile b/Puppetfile
@@ -29,6 +29,7 @@ mod 'theforeman/puppet', :git => 'https://github.com/theforeman/puppet-puppet'
 # Katello specific modules
 mod 'katello/common', :git => 'https://github.com/Katello/puppet-common'
 mod 'katello-candlepin', :git => 'https://github.com/Katello/puppet-candlepin'
+mod 'katello-gutterball', :git => 'https://github.com/Katello/puppet-gutterball'
 mod 'katello-capsule', :git => 'https://github.com/Katello/puppet-capsule'
 mod 'katello-certs', :git => 'https://github.com/Katello/puppet-certs'
 mod 'katello-elasticsearch', :git => 'https://github.com/Katello/puppet-elasticsearch'

diff --git a/Puppetfile.lock b/Puppetfile.lock
@@ -36,7 +36,7 @@ GIT
 GIT
   remote: https://github.com/Katello/puppet-certs
   ref: master
-  sha: b6e31c25d629ea2300564a522259b51c4ca9f6a7
+  sha: a3b80e8b16e774b0e88222ebb5be8aed234a813f
   specs:
     katello-certs (0.1.0)
       katello-common (>= 0.0.1)
@@ -68,17 +68,30 @@ GIT
   specs:
     katello-elasticsearch (0.0.1)
 
+GIT
+  remote: https://github.com/Katello/puppet-gutterball
+  ref: master
+  sha: 34c9ad7a26443c7df65e0de7f68203c03c45cf8b
+  specs:
+    katello-gutterball (0.1.0)
+      puppetlabs-concat (>= 1.1.1)
+      puppetlabs-postgresql (>= 3.0.0)
+      puppetlabs-stdlib (>= 1.0.0)
+      theforeman-concat_native (>= 1.3.0)
+      theforeman-foreman (>= 1.5.0)
+
 GIT
   remote: https://github.com/Katello/puppet-katello
   ref: master
-  sha: d9680917c0611fe5b51af4e77774987ce211d4fe
+  sha: 317f4fdfa1e884dc1d44a6b5204feda901ee443e
   specs:
     katello-katello (0.1.0)
       katello-candlepin (>= 0.1.0)
       katello-certs (>= 0.1.0)
       katello-common (>= 0.0.1)
       katello-crane (>= 0.1.0)
       katello-elasticsearch (>= 0.0.1)
+      katello-gutterball (>= 0.1.0)
       katello-pulp (>= 0.1.0)
       katello-qpid (>= 0.1.0)
       puppetlabs-apache (< 2.0.0, >= 1.0.0)
@@ -258,6 +271,7 @@ DEPENDENCIES
   katello-common (>= 0)
   katello-crane (>= 0)
   katello-elasticsearch (>= 0)
+  katello-gutterball (>= 0)
   katello-katello (>= 0)
   katello-katello_devel (>= 0)
   katello-pulp (>= 0)

diff --git a/modules/certs/.gitignore b/modules/certs/.gitignore
@@ -1,6 +1,7 @@
 .vagrant
 *.swp
 *.swo
+.*.sw?
 
 .bundle
 vendor/
@@ -12,5 +13,6 @@ Gemfile.lock
 .rbenv*
 .rvmrc*
 .ruby-version
+.ruby-gemset
 
 spec/fixtures/
diff --git a/modules/certs/manifests/gutterball.pp b/modules/certs/manifests/gutterball.pp
@@ -0,0 +1,100 @@
+# Constains certs specific configurations for gutterball
+class certs::gutterball(
+
+  $hostname               = $::certs::node_fqdn,
+  $generate               = $::certs::generate,
+  $regenerate             = $::certs::regenerate,
+  $deploy                 = $::certs::deploy,
+  $pki_dir                = $::certs::pki_dir,
+  $password_file          = $::certs::gutterball_keystore_password_file,
+  $amqp_truststore        = $::certs::gutterball_amqp_truststore,
+  $amqp_keystore          = $::certs::gutterball_amqp_keystore,
+  $amqp_store_dir         = $::certs::gutterball_amqp_store_dir,
+
+) inherits certs::params {
+  $keystore_alias = 'gutterball'
+  $ca_key = $::certs::ca_key
+  $ca = $::certs::ca_cert_stripped
+  $key = "${pki_dir}/gutterball.key"
+  $cert = "${pki_dir}/gutterball.crt"
+
+  $gutterball_keystore_password = cache_data('gutterball_keystore_password', random_password(32))
+
+  $keypair= 'gutterball-certs'
+
+  cert { $keypair:
+    ensure        => present,
+    hostname      => $hostname,
+    country       => $::certs::country,
+    state         => $::certs::state,
+    city          => $::certs::sity,
+    org           => 'gutterball',
+    org_unit      => $::certs::org_unit,
+    expiration    => $::certs::expiration,
+    ca            => $::certs::default_ca,
+    generate      => $generate,
+    regenerate    => $regenerate,
+    deploy        => $deploy,
+    password_file => $certs::ca_key_password_file,
+  }
+  if $deploy {
+    file { $certs::gutterball_certs_dir:
+      ensure => directory,
+      owner  => 'tomcat',
+      group  => $::certs::group,
+      mode   => '0755',
+    } ->
+    Cert[$keypair] ~>
+    privkey { $key:
+      key_pair => Cert[$keypair]
+    } ~>
+    pubkey { $cert:
+      key_pair => Cert[$keypair]
+    } ->
+    file { $password_file:
+      ensure  => file,
+      content => $gutterball_keystore_password,
+      owner   => $certs::user,
+      group   => $certs::group,
+      mode    => '0440',
+    } ->
+    certs::ssltools::certutil{ 'guterball-amqp-client':
+      nss_db_dir  => $::certs::nss_db_dir,
+      client_cert => $cert,
+    } ->
+    file { $amqp_store_dir:
+      ensure => directory,
+      owner  => 'tomcat',
+      group  => $::certs::group,
+      mode   => '0750',
+    } ->
+    file { "${certs::gutterball_certs_dir}/gutterball.key":
+      ensure => 'link',
+      target => $key,
+    } ->
+    file { "${certs::gutterball_certs_dir}/gutterball.crt":
+      ensure => 'link',
+      target => $cert,
+    } ->
+    certs::ssltools::keytool::import_ca { 'import CA into gutterball truststore':
+      keystore       => $amqp_truststore,
+      password       => $gutterball_keystore_password,
+      keystore_alias => $keystore_alias,
+      file           => $ca
+    } ~>
+    certs::ssltools::keytool::import_keypair{ 'import client certificate into gutterball keystore':
+      keystore_alias    => $keystore_alias,
+      keystore          => $amqp_keystore,
+      keystore_password => $gutterball_keystore_password,
+      cert              => $cert,
+      key               => $key,
+      tmp_password_file => $password_file
+    } ~>
+    file { $amqp_keystore:
+      ensure => file,
+      owner  => 'tomcat',
+      group  => $::certs::group,
+      mode   => '0640',
+    }
+  }
+}
diff --git a/modules/certs/manifests/params.pp b/modules/certs/manifests/params.pp
@@ -20,7 +20,6 @@
   $custom_repo = false
 
   $ca_common_name = $::fqdn  # we need fqdn as CA common name as candlepin uses it as a ssl cert
-
   $generate      = true
   $regenerate    = false
   $regenerate_ca = false
@@ -72,6 +71,12 @@
   $candlepin_amqp_keystore          = "${candlepin_amqp_store_dir}/candlepin.jks"
   $candlepin_qpid_exchange          = 'event'
 
+  $gutterball_certs_dir              = '/etc/gutterball/certs'
+  $gutterball_amqp_store_dir         = "${gutterball_certs_dir}/amqp/"
+  $gutterball_amqp_truststore        = "${gutterball_amqp_store_dir}/gutterball.truststore"
+  $gutterball_amqp_keystore          = "${gutterball_amqp_store_dir}/gutterball.jks"
+  $gutterball_keystore_password_file = "${pki_dir}/keystore_password-file-gutterball"
+
   $certs_tar              = undef
   # Settings for uploading packages to Katello
   $katello_user           = undef

diff --git a/modules/certs/manifests/ssltools/certutil.pp b/modules/certs/manifests/ssltools/certutil.pp
@@ -0,0 +1,15 @@
+# type to append cert to nssdb
+define certs::ssltools::certutil($nss_db_dir, $client_cert, $cert_name=$title, $refreshonly = true) {
+  exec { "delete ${cert_name}":
+    path        => ['/bin', '/usr/bin'],
+    unless      => "certutil -D -d ${nss_db_dir} -n '${cert_name}'",
+    onlyif      => "certutil -L -d ${nss_db_dir} | grep '${cert_name}'",
+    refreshonly => $refreshonly,
+  } ->
+  exec { $cert_name:
+    path        => ['/bin', '/usr/bin'],
+    command     => "certutil -A -d '${nss_db_dir}' -n '${cert_name}' -t ',,' -a -i '${client_cert}'",
+    unless      => "certutil -L -d ${nss_db_dir} | grep '${cert_name}'",
+    refreshonly => $refreshonly,
+  }
+}
diff --git a/modules/certs/manifests/ssltools/keytool/convert_pkcs12_to_jks.pp b/modules/certs/manifests/ssltools/keytool/convert_pkcs12_to_jks.pp
@@ -0,0 +1,8 @@
+# Convert a pkcs12 key pair to a java keystore
+define certs::ssltools::keytool::convert_pkcs12_to_jks( $keystore_alias, $dest_keystore, $src_keystore, $keystore_password, $src_keystore_password, $refreshonly = false){
+  exec { $title:
+    command     => "keytool -importkeystore -destkeystore ${dest_keystore} -srckeystore ${src_keystore} -srcstoretype pkcs12 -alias ${keystore_alias} -storepass ${keystore_password} -srcstorepass ${src_keystore_password} -noprompt",
+    path        => ['/bin/', '/usr/bin'],
+    refreshonly => $refreshonly,
+  }
+}
diff --git a/modules/certs/manifests/ssltools/keytool/import_ca.pp b/modules/certs/manifests/ssltools/keytool/import_ca.pp
@@ -0,0 +1,8 @@
+# Imports a ca into a keystore
+define certs::ssltools::keytool::import_ca($keystore, $password, $keystore_alias, $file){
+  exec { $title:
+    command => "keytool -import -v -keystore ${keystore} -storepass ${password} -alias ${keystore_alias} -file ${file} -noprompt",
+    creates => $keystore,
+    path    => ['/bin/', '/usr/bin']
+  }
+}
diff --git a/modules/certs/manifests/ssltools/keytool/import_keypair.pp b/modules/certs/manifests/ssltools/keytool/import_keypair.pp
@@ -0,0 +1,30 @@
+# import a x509 keypair into a jks
+define certs::ssltools::keytool::import_keypair($keystore_alias, $keystore, $keystore_password, $cert, $key, $tmp_password_file){
+  # Stupid keytool doesn't allow you to import a keypair.  You can only import a cert.  Hence, we have to
+  # create the store as an PKCS12 and convert to JKS.  See http://stackoverflow.com/a/8224863
+
+  $tmpkeystore = "/tmp/${keystore_alias}keystore.p12"
+  exec{ "[${title}] signal import if pair has not been imported":
+    command => 'echo importing keypair',
+    unless  => "keytool -list -keystore ${keystore} -storepass ${keystore_password} -alias ${keystore_alias}",
+    path    => ['/bin/', '/usr/bin'],
+  } ~>
+  certs::ssltools::openssl::pkcs12{ "[${title}] convert x509 cert and key to pkcs12":
+    cert_name    => $keystore_alias,
+    ca_cert      => $cert,
+    ca_name      => 'root',
+    ca_key       => $key,
+    keystore_out => $tmpkeystore,
+    password_out => $tmp_password_file,
+    password_in  => $keystore_password,
+    refreshonly  => true,
+  } ->
+  convert_pkcs12_to_jks{ "[${title}] convert tmp pkcs12 keystore to jks":
+    keystore_alias        => $keystore_alias,
+    dest_keystore         => $keystore,
+    src_keystore          => $tmpkeystore,
+    keystore_password     => $keystore_password,
+    src_keystore_password => $keystore_password,
+    refreshonly           => true,
+  }
+}
diff --git a/modules/certs/manifests/ssltools/openssl/pkcs12.pp b/modules/certs/manifests/ssltools/openssl/pkcs12.pp
@@ -0,0 +1,14 @@
+# type that coresponds the openssl pkcs12 subcommand
+define certs::ssltools::openssl::pkcs12 ( $cert_name, $ca_cert, $ca_key, $ca_name, $keystore_out, $password_out, $password_in = undef, $refreshonly = false) {
+  $password_in_options = $password_in ? {
+    undef   => '',
+    default => "-passin \"pass:${password_in}\"",
+  }
+  exec { $title:
+    command     => "openssl pkcs12 -export -in ${ca_cert} -inkey ${ca_key} -out ${keystore_out} -name ${cert_name} -CAfile ${ca_cert} -caname ${ca_name} -password \"file:${password_out}\" ${password_in_options}",
+    creates     => $keystore_out,
+    refreshonly => $refreshonly,
+    path        => ['/bin/', '/usr/bin'],
+    logoutput   => true,
+  }
+}
diff --git a/modules/firewall/spec/acceptance/nodesets/centos-64-x64.yml b/modules/firewall/spec/acceptance/nodesets/centos-64-x64.yml
diff --git a/modules/gutterball/.fixtures.yml b/modules/gutterball/.fixtures.yml
@@ -0,0 +1,9 @@
+fixtures:
+  repositories:
+    stdlib:  "git://github.com/puppetlabs/puppetlabs-stdlib.git"
+    foreman: "git://github.com/theforeman/puppet-foreman.git"
+    concat:
+      repo:        "git://github.com/ripienaar/puppet-concat.git"
+      ref:         "04356974f72b90a1d0f57346a00e95a717924e43"
+    concat_native: "git://github.com/theforeman/puppet-concat.git"
+    postgresql:    "git://github.com/puppetlabs/puppetlabs-postgresql.git"
diff --git a/modules/gutterball/.gitignore b/modules/gutterball/.gitignore
@@ -0,0 +1,19 @@
+.vagrant
+*.swp
+*.swo
+*.sw?
+
+.bundle
+vendor/
+
+pkg/
+
+Gemfile.lock
+
+.rbenv*
+.rvmrc*
+.ruby-version
+
+spec/fixtures/
+
+.project
diff --git a/modules/gutterball/.travis.yml b/modules/gutterball/.travis.yml
@@ -0,0 +1,31 @@
+---
+language: ruby
+bundler_args: --without development
+before_install: rm Gemfile.lock || true
+rvm:
+  - 1.8.7
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0
+script: bundle exec rake test
+env:
+  - PUPPET_VERSION="~> 2.7.0"
+  - PUPPET_VERSION="~> 3.2.0"
+  - PUPPET_VERSION="~> 3.3.0"
+  - PUPPET_VERSION="~> 3.4.0"
+  - PUPPET_VERSION="~> 3.5.0"
+  - PUPPET_VERSION="~> 3.6.0"
+matrix:
+  exclude:
+  - rvm: 1.9.3
+    env: PUPPET_VERSION="~> 2.7.0"
+  - rvm: 2.0.0
+    env: PUPPET_VERSION="~> 2.7.0"
+  - rvm: 2.1.0
+    env: PUPPET_VERSION="~> 2.7.0"
+  - rvm: 2.1.0
+    env: PUPPET_VERSION="~> 3.2.0"
+  - rvm: 2.1.0
+    env: PUPPET_VERSION="~> 3.3.0"
+  - rvm: 2.1.0
+    env: PUPPET_VERSION="~> 3.4.0"
diff --git a/modules/gutterball/Gemfile b/modules/gutterball/Gemfile
@@ -0,0 +1,20 @@
+source "https://rubygems.org"
+
+group :test do
+  gem "rake"
+  gem "puppet", ENV['PUPPET_VERSION'] || '~> 3.4.0'
+  gem "puppet-lint"
+  gem "rspec-puppet", :git => 'https://github.com/rodjek/rspec-puppet.git'
+  gem "puppet-syntax"
+  gem "puppetlabs_spec_helper"
+end
+
+group :development do
+  gem "travis"
+  gem "travis-lint"
+  gem "beaker"
+  gem "beaker-rspec"
+  gem "vagrant-wrapper"
+  gem "puppet-blacksmith"
+  gem "guard-rake"
+end