# Puppet type `java_ks`: declares the parameters, composite namevars and the
# cross-parameter validation for one keystore entry. The actual keystore
# changes are delegated to the provider (see the provider.* calls below).
Puppet::Type.newtype(:java_ks) do
@doc = 'Manages the entries in a java keystore, and uses composite namevars to
accomplish the same alias spread across multiple target keystores.'
ensurable do
  desc 'Has three states: present, absent, and latest. Latest
will compare the on disk MD5 fingerprint of the certificate and to that
in keytool to determine if insync? returns true or false. We redefine
insync? for this paramerter to accomplish this.'

  newvalue(:present) { provider.create }

  newvalue(:absent) { provider.destroy }

  # :latest refreshes an entry that already exists and creates it otherwise.
  newvalue(:latest) do
    provider.exists? ? provider.update : provider.create
  end

  # In sync when any desired state matches the current one. For :latest the
  # provider's latest/current comparison decides, and an absent entry is never
  # in sync with :latest (the provider is not consulted in that case).
  def insync?(is)
    @should.any? do |want|
      case want
      when :present then is == :present
      when :absent then is == :absent
      when :latest then is != :absent && provider.latest == provider.current
      else false
      end
    end
  end

  defaultto :present
end
newparam(:name) do
  isnamevar
  desc 'The alias that is used to identify the entry in the keystore. This will be
converted to lowercase.'
  # The desc promises a lowercase alias; munge enforces it on every value.
  munge(&:downcase)
end
newparam(:target) do
  # Second half of the composite namevar (see title_patterns below).
  isnamevar
  desc 'Destination file for the keystore. This will autorequire the parent directory of the file.'
end
newparam(:certificate) do
  # Mandatory: every entry, including private-key entries, carries a certificate.
  isrequired
  desc 'An already signed certificate that we can place in the keystore. This will autorequire the specified file.'
end
newparam(:storetype) do
  # Only :jceks is accepted; any other value fails parameter validation.
  newvalues(:jceks)
  desc 'Optional storetype
Valid options: <jceks>'
end
# Path to the private key file; no validation here beyond what the desc states.
newparam(:private_key) do
  desc 'If you want an application to be a server and encrypt traffic,
you will need a private key. Private key entries in a keystore must be
accompanied by a signed certificate for the keytool provider. This will autorequire the specified file.'
end
# Path to a bundle of intermediate CA certificates, autorequired as a file.
newparam(:chain) do
  desc 'Some java applications do not properly send
intermediary certificate authorities, in this case you can bundle them
with the server certificate using chain. This will autorequire the specified file.'
end
# NOTE(review): nothing in this file marks this value as sensitive; confirm
# how it is treated in catalogs, reports and logs before relying on it for
# production stores (password_file is the alternative input).
newparam(:password) do
  desc 'The password used to protect the keystore. If private keys are
subsequently also protected this password will be used to attempt
unlocking. Must be six or more characters in length. Cannot be used
together with :password_file, but you must pass at least one of these parameters.'
  # Minimum length check only; keytool itself rejects passwords shorter than 6.
  validate do |value|
    if value.length < 6
      raise Puppet::Error, "password is #{value.length} characters long; must be 6 characters or greater in length"
    end
  end
end
# Alternative to :password; the file's existence/permissions are not checked here.
newparam(:password_file) do
  desc 'The path to a file containing the password used to protect the
keystore. This cannot be used together with :password, but you must pass at least one of these parameters.'
end
newparam(:destkeypass) do
  desc 'The password used to protect the key in keystore.'
  # Same minimum as :password; the key password is independent of the store password.
  validate do |value|
    if value.length < 6
      raise Puppet::Error, "destkeypass is #{value.length} characters long; must be of length 6 or greater"
    end
  end
end
newparam(:trustcacerts) do
  # Opt-in: trusting a CA extends trust to everything it signs, so the
  # default is :false and only the two boolean symbols are accepted.
  newvalues(:true, :false)
  defaultto :false
  desc "Certificate authorities aren't by default trusted so if you are adding a CA you need to set this to true.
Defaults to :false."
end
newparam(:path) do
  desc "The search path used for command (keytool, openssl) execution.
Paths can be specified as an array or as a '#{File::PATH_SEPARATOR}' separated list."
  # Accept an Array of directories, a single PATH_SEPARATOR-joined string, or a
  # mix of both; the stored value is always a flat Array of directory strings.
  def value=(*values)
    @value = values.flatten.flat_map { |entry| entry.split(File::PATH_SEPARATOR) }
  end
end
# Autorequire every file this entry reads from, plus the directory that must
# exist before the target keystore can be written.
autorequire(:file) do
  file_params = %i[private_key certificate chain]
  deps = file_params.select { |param| @parameters.include?(param) }
                    .map { |param| @parameters[param].value }
  if @parameters.include?(:target)
    deps << ::File.dirname(@parameters[:target].value)
  end
  deps
end
# Maps a resource title onto the composite namevars (:name, :target).
# Patterns are tried in order: a bare alias, "alias:<drive>:\path" (so the
# colon after a Windows drive letter stays inside :target), then "alias:<path>".
# Note that ^ and $ are line anchors in Ruby regexes, not whole-string anchors.
def self.title_patterns
  identity = ->(x) { x }
  [
    [/^([^:]+)$/, [[:name, identity]]],
    [/^(.*):([a-z]:(\/|\\).*)$/i, [[:name, identity], [:target, identity]]],
    [/^(.*):(.*)$/, [[:name, identity], [:target, identity]]]
  ]
end
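# Resource-level validation: exactly one of password / password_file must be
# given. A per-parameter validate block cannot see the other parameter, so the
# cross-parameter rule lives here. Uses && / || rather than and / or, which
# have surprising precedence in Ruby.
validate do
  has_password = value(:password)
  has_password_file = value(:password_file)
  # Both given: ambiguous which secret protects the store.
  self.fail "You must pass either 'password' or 'password_file', not both." if has_password && has_password_file
  # Neither given: there is nothing to unlock the keystore with.
  self.fail "You must pass one of 'password' or 'password_file'." unless has_password || has_password_file
end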
end