2 changes: 2 additions & 0 deletions .gitignore
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,3 +5,5 @@ spec/fixtures/
.vagrant/
.bundle/
coverage/
.idea/
*.iml
9 changes: 8 additions & 1 deletion .sync.yml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,13 @@
---
.travis.yml:
extras:
- rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 2.7.0" FACTER_GEM_VERSION="~> 1.6.0"
- rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 2.7.0" FACTER_GEM_VERSION="~> 1.7.0"
Gemfile:
optional:
- gem: mocha
':development, :unit_tests':
- gem: mocha
spec/spec_helper.rb:
unmanaged: true
21 changes: 16 additions & 5 deletions .travis.yml
View file
Original file line number Diff line number Diff line change
@@ -1,17 +1,28 @@
---
sudo: false
language: ruby
bundler_args: --without development
bundler_args: --without system_tests
script: "bundle exec rake validate && bundle exec rake lint && bundle exec rake spec SPEC_OPTS='--format documentation'"
matrix:
fast_finish: true
include:
- rvm: 1.9.3
env: PUPPET_GEM_VERSION="~> 3.4.0"
- rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 2.7.0" FACTER_GEM_VERSION="~> 1.6.0"
- rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 2.7.0" FACTER_GEM_VERSION="~> 1.7.0"
env: PUPPET_GEM_VERSION="~> 3.0"
- rvm: 1.9.3
env: PUPPET_GEM_VERSION="~> 3.0"
- rvm: 2.0.0
- rvm: 1.9.3
env: PUPPET_GEM_VERSION="~> 3.0" FUTURE_PARSER="yes"
- rvm: 2.1.5
env: PUPPET_GEM_VERSION="~> 3.0"
- rvm: 2.1.5
env: PUPPET_GEM_VERSION="~> 3.4.0"
- rvm: 2.1.5
env: PUPPET_GEM_VERSION="~> 3.0" FUTURE_PARSER="yes"
- rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 2.7.0" FACTER_GEM_VERSION="~> 1.6.0"
- rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 2.7.0" FACTER_GEM_VERSION="~> 1.7.0"
notifications:
email: false
7 changes: 7 additions & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
##2015-04-14 - Supported Release 1.3.0
###Summary
Remove openssl command line tool from requirements

####Features
- Add Windows support and tests

##2014-11-11 - Supported Release 1.2.6
###Summary

Expand Down
22 changes: 4 additions & 18 deletions CONTRIBUTING.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,11 +41,9 @@ Checklist (and a short version for the impatient)

* Pre-requisites:

- Sign the [Contributor License Agreement](https://cla.puppetlabs.com/)

- Make sure you have a [GitHub account](https://github.com/join)

- [Create a ticket](http://projects.puppetlabs.com/projects/modules/issues/new), or [watch the ticket](http://projects.puppetlabs.com/projects/modules/issues) you are patching for.
- [Create a ticket](https://tickets.puppetlabs.com/secure/CreateIssue!default.jspa), or [watch the ticket](https://tickets.puppetlabs.com/browse/) you are patching for.

* Preferred method:

Expand Down Expand Up @@ -94,17 +92,7 @@ The long version
whitespace or other "whitespace errors". You can do this by
running "git diff --check" on your changes before you commit.

2. Sign the Contributor License Agreement

Before we can accept your changes, we do need a signed Puppet
Labs Contributor License Agreement (CLA).

You can access the CLA via the [Contributor License Agreement link](https://cla.puppetlabs.com/)

If you have any questions about the CLA, please feel free to
contact Puppet Labs via email at cla-submissions@puppetlabs.com.

3. Sending your patches
2. Sending your patches

To submit your changes via a GitHub pull request, we _highly_
recommend that you have them on a topic branch, instead of
Expand All @@ -124,7 +112,7 @@ The long version
in order to open a pull request.


4. Update the related GitHub issue.
3. Update the related GitHub issue.

If there is a GitHub issue associated with the change you
submitted, then you should update the ticket to include the
Expand Down Expand Up @@ -220,14 +208,12 @@ review.
Additional Resources
====================

* [Getting additional help](http://projects.puppetlabs.com/projects/puppet/wiki/Getting_Help)
* [Getting additional help](http://puppetlabs.com/community/get-help)

* [Writing tests](http://projects.puppetlabs.com/projects/puppet/wiki/Development_Writing_Tests)

* [Patchwork](https://patchwork.puppetlabs.com)

* [Contributor License Agreement](https://projects.puppetlabs.com/contributor_licenses/sign)

* [General GitHub documentation](http://help.github.com/)

* [GitHub pull request documentation](http://help.github.com/send-pull-requests/)
Expand Down
37 changes: 28 additions & 9 deletions Gemfile
View file
Original file line number Diff line number Diff line change
@@ -1,16 +1,35 @@
source ENV['GEM_SOURCE'] || "https://rubygems.org"

group :development, :test do
gem 'rake', :require => false
gem 'rspec-puppet', :require => false
def location_for(place, fake_version = nil)
if place =~ /^(git:[^#]*)#(.*)/
[fake_version, { :git => $1, :branch => $2, :require => false }].compact
elsif place =~ /^file:\/\/(.*)/
['>= 0', { :path => File.expand_path($1), :require => false }]
else
[place, { :require => false }]
end
end

group :development, :unit_tests do
gem 'rspec-core', '3.1.7', :require => false
gem 'puppetlabs_spec_helper', :require => false
gem 'serverspec', :require => false
gem 'puppet-lint', :require => false
gem 'beaker', :require => false
gem 'beaker-rspec', :require => false
gem 'pry', :require => false
gem 'simplecov', :require => false
gem 'mocha', :require => false
gem 'puppet_facts', :require => false
gem 'json', :require => false
end

beaker_version = ENV['BEAKER_VERSION']
beaker_rspec_version = ENV['BEAKER_RSPEC_VERSION']
group :system_tests do
if beaker_version
gem 'beaker', *location_for(beaker_version)
end
if beaker_rspec_version
gem 'beaker-rspec', *location_for(beaker_rspec_version)
else
gem 'beaker-rspec', :require => false
end
gem 'serverspec', :require => false
end

if facterversion = ENV['FACTER_GEM_VERSION']
Expand Down
160 changes: 72 additions & 88 deletions README.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
java_ks
=======
#java_ks

[![Build Status](https://travis-ci.org/puppetlabs/puppetlabs-java_ks.png?branch=master)](https://travis-ci.org/puppetlabs/puppetlabs-java_ks)

Expand All @@ -9,138 +8,123 @@ java_ks
2. [Module Description - What does the module do?](#module-description)
3. [Setup - The basics of getting started with java_ks](#setup)
4. [Usage - The parameters available for configuration](#usage)
5. [Implementation - An under-the-hood peek at what the module is doing](#implementation)
5. [Reference - An under-the-hood peek at what the module is doing](#reference)
6. [Limitations - OS compatibility, etc.](#limitations)
7. [Development - Guide for contributing to the module](#development)
8. [Release Notes - Notes on the most recent updates to the module](#release-notes)

Overview
--------
##Overview

The java_ks module uses a combination of keytool and openssl to manage entries in a Java keystore.

Module Description
------------------
##Module Description

The java_ks module contains a type called 'java_ks' and a single provider named 'keytool'. Their purpose is to enable importation of arbitrary, already generated and signed certificates into a java keystore for use by various applications.
The java_ks module contains a type called `java_ks` and a single provider named `keytool`. Their purpose is to enable importation of arbitrary, already generated and signed certificates into a Java keystore for use by various applications.

Setup
-----

**What java_ks affects:**

* keystore repositories
##Setup

### Beginning with java_ks

To use the java_ks module's functionality, declare each java_ks resource you need

java_ks { 'puppetca:truststore':
ensure => latest,
certificate => '/etc/puppet/ssl/certs/ca.pem',
target => '/etc/activemq/broker.ts',
password => 'puppet',
trustcacerts => true,
}

java_ks { 'puppetca:keystore':
ensure => latest,
certificate => '/etc/puppet/ssl/certs/ca.pem',
target => '/etc/activemq/broker.ks',
password => 'puppet',
trustcacerts => true,
}

java_ks { 'broker.example.com:/etc/activemq/broker.ks':
ensure => latest,
certificate => '/etc/puppet/ssl/certs/broker.example.com.pe-internal-broker.pem',
private_key => '/etc/puppet/ssl/private_keys/broker.example.com.pe-internal-broker.pem',
password => 'puppet',
}

Usage
-----

### java_ks

This resource manages the entries in a java keystore, and uses composite namevars to accomplish the same alias spread across multiple target keystores.
To get started with java_ks, declare each `java_ks` resource you need.

**Parameters within java_ks**
~~~
java_ks { 'puppetca:truststore':
ensure => latest,
certificate => '/etc/puppet/ssl/certs/ca.pem',
target => '/etc/activemq/broker.ts',
password => 'puppet',
trustcacerts => true,
}
~~~

#### `certificate`

An already-signed certificate to place in the keystore. This file must be present on the node before java_ks{} is run.
##Usage

To have a java application server use a specific certificate for incoming connections, you will need to simultaneously import the private key accompanying the signed certificate you want to use. As long as you provide the path to the key and the certificate, the provider will do the conversion for you.
You must specify a target in some way. You can specify `target` after the colon in the title or by using the target attribute in the resource. If you declare both, it will prefer the attribute.

#### `chain`
~~~
java_ks { 'puppetca:keystore':
ensure => latest,
certificate => '/etc/puppet/ssl/certs/ca.pem',
target => '/etc/activemq/broker.ks',
password => 'puppet',
trustcacerts => true,
}
Some java applications do not properly send intermediary certificate authorities. In these cases, you can bundle them with the server certificate using this chain parameter. This file must be present on the node before java_ks{} is run.
java_ks { 'broker.example.com:/etc/activemq/broker.ks':
ensure => latest,
certificate => '/etc/puppet/ssl/certs/broker.example.com.pe-internal-broker.pem',
private_key => '/etc/puppet/ssl/private_keys/broker.example.com.pe-internal-broker.pem',
password => 'puppet',
}
~~~

java_ks { 'broker.example.com:/etc/activemq/broker.jks':
ensure => latest,
certificate => '/etc/ssl/certs/broker.example.com.pem',
private_key => '/etc/ssl/private/broker.example.com.key',
chain => '/etc/ssl/certs/GlobalSign_Intermediate_CA.pem
password => 'puppet',
}
### Certificates
To have a Java application server use a specific certificate for incoming connections, use the certificate parameter. You will need to simultaneously import the private key accompanying the signed certificate you want to use. As long as you provide the path to the key and the certificate, the provider will do the conversion for you.

#### `ensure`

The `ensure` parameter accepts three attributes: absent, present, and latest. Latest verifies md5 certificate fingerprints for the stored certificate and the source file.

#### `password`
### Namevars

The password used to protect the keystore. If private keys are also protected, this password will be used to attempt to unlock them.
The java_ks module supports multiple certificates with different keystores but the same alias by implementing Puppet's composite namevar functionality. Titles map to namevars via `$alias:$target` (alias of certificate, colon, on-disk path to the keystore). If you create dependencies on these resources you need to remember to use the same title syntax outlined for generating the composite namevars.

#### `password_file`
*Note about composite namevars:*
The way composite namevars currently work, you must have the colon in the title. This is true *even if you define name and target parameters.* The title can be `foo:bar`, but the name and target parameters must be `broker.example.com` and `/etc/activemq/broker.ks`. If you follow convention, it will do as you expect and correctly create an entry in the
broker.ks keystore with the alias of broker.example.com.

Used as an alternative to `password` here you can specify a plaintext file where the password is stored.
##Reference

#### `path`
###Public Types
* `java_ks`: This resource manages the entries in a Java keystore, and uses composite namevars to allow the same alias across multiple target keystores.

The search path used for command (keytool, openssl) execution. Paths can be specified as an array or as a file path seperated list (for example : in linux).
###Public Providers
* `keytool`: Manages Java keystores by using a combination of the `openssl` and `keytool` commands.

#### `private_key`
####Parameters
All parameters, except where specified, are optional.

If you want an application to be a server and encrypt traffic, you will need a private key. Private key entries in a keystore must be accompanied by a signed certificate for the keytool provider. This file must be present on the node before java_ks{} is run.
#####`certificate`
*Required.* Places an already-signed certificate in the keystore. This autorequires the specified file and must be present on the node before java_ks{} is run. Valid options: string. Default: undef.

#### `target`
#####`chain`
Bundles intermediary certificate authorities with certificate authorities. This autorequires the file of the same path and must be present on the node before java_ks{} is run. Valid options: string. Default: undef.

Destination file for the keystore. We autorequire the parent directory for convenience.
#####`ensure`
Valid options: absent, present, latest. Latest verifies md5 certificate fingerprints for the stored certificate and the source file. Default: present.

#### `trustcacerts`
#####`name`
*Required.* Identifies the entry in the keystore. This will be converted to lowercase. Valid options: string. Default: undef.

Certificate authorities input into a keystore aren’t trusted by default, so if you are adding a CA you need to set this parameter to true.
#####`password`
This password is used to protect the keystore. If private keys are also protected, this password will be used to attempt to unlock them. Valid options: String. Must be 6 or more characters. This cannot be used together with `password_file`, but *you must pass at least one of these parameters.* Default: undef.

### Namevars
#####`password_file`
Sets a plaintext file where the password is stored. Used as an alternative to `password`. This cannot be used together with `password`, but *you must pass at least one of these parameters.* Valid options: String to the plaintext file. Default: undef.

Java_ks supports multiple certificates with different keystores but the same alias by implementing Puppet's composite namevar functionality. Titles map to namevars via `$alias:$target` (alias of certificate, colon, on-disk path to the keystore). If you create dependencies on these resources you need to remember to use the same title syntax outlined for generating the composite namevars.
#####`path`
Used for command (keytool, openssl) execution. Valid options: array or file path separated list (for example : in linux). Default: undef.

*Note about composite namevars:*
The way composite namevars currently work, you must have the colon in the title. This is true *even if you define name and target parameters.* The title can be `foo:bar`, but the name and target parameters must be `broker.example.com` and `/etc/activemq/broker.ks`. If you follow convention, it will do as you expect and correctly create an entry in the broker.ks keystore with the alias of broker.example.com.
#####`private_key`
Sets a private key that encrypts traffic to a server application. Must be accompanied by a signed certificate for the keytool provider. This autorequires the specified file and must be present on the node before java_ks{} is run. Valid options: string. Default: undef.

Implementation
--------------
#####`target`
*Required.* Specifies a destination file for the keystore. Autorequires the parent directory of the file. Valid options: string. Default: undef.

### keytool
#####`trustcacerts`
Certificate authorities input into a keystore aren’t trusted by default, so if you are adding a CA you need to set this parameter to 'true'. Valid options: 'true' or 'false'. Default: 'false'.

Keytool is a provider that uses a combination of the binaries openssl and keytool to manage Java keystores

Limitations
------------

The java_ks module uses the `keytool` and `openssl` commands. It should work on all systems with these commands.

At the moment, Java 7 isn't fully supported, and `ensure => latest` will fail.
Java 7 is supported as of 1.0.0.

Only validated against IBM Java 6 on AIX. Other versions may be unsupported.
Developed against IBM Java 6 on AIX. Other versions may be unsupported.

Development
-----------

Puppet Labs modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad of hardware, software, and deployment configurations that Puppet is intended to serve.

We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things.
Puppet Labs modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad hardware, software, and deployment configurations that Puppet is intended to serve.

You can read the complete module contribution guide [on the Puppet Labs wiki.](http://projects.puppetlabs.com/projects/module-site/wiki/Module_contributing)
We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things. For more information, see our [module contribution guide.](https://docs.puppetlabs.com/forge/contributing.html)

4 changes: 2 additions & 2 deletions Rakefile
View file
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-lint/tasks/puppet-lint'

PuppetLint.configuration.fail_on_warnings
PuppetLint.configuration.fail_on_warnings = true
PuppetLint.configuration.send('relative')
PuppetLint.configuration.send('disable_80chars')
PuppetLint.configuration.send('disable_class_inherits_from_params_class')
PuppetLint.configuration.send('disable_class_parameter_defaults')
PuppetLint.configuration.send('disable_documentation')
PuppetLint.configuration.send('disable_single_quote_string_with_variables')
PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"]
Loading