.gitignore

@@ -5,5 +5,6 @@ spec/fixtures/
 .vagrant/
 .bundle/
 coverage/
+log/
 .idea/
 *.iml

.rspec

@@ -0,0 +1,2 @@
+--color
+--format documentation

.travis.yml

@@ -1,24 +1,19 @@
 ---
 sudo: false
 language: ruby
+cache: bundler
 bundler_args: --without system_tests
-script: "bundle exec rake validate && bundle exec rake lint && bundle exec rake spec SPEC_OPTS='--format documentation'"
+script: "bundle exec rake validate lint spec"
 matrix:
   fast_finish: true
   include:
-  - rvm: 1.8.7
+  - rvm: 2.1.6
+    env: PUPPET_GEM_VERSION="~> 4.0" STRICT_VARIABLES="yes"
+  - rvm: 2.1.5
+    env: PUPPET_GEM_VERSION="~> 3.0" FUTURE_PARSER="yes"
+  - rvm: 2.1.5
     env: PUPPET_GEM_VERSION="~> 3.0"
   - rvm: 1.9.3
     env: PUPPET_GEM_VERSION="~> 3.0"
-  - rvm: 2.1.5
-    env: PUPPET_GEM_VERSION="~> 3.0"
-  - rvm: 2.1.5
-    env: PUPPET_GEM_VERSION="~> 3.0" FUTURE_PARSER="yes"
-  - rvm: 2.1.6
-    env: PUPPET_GEM_VERSION="~> 4.0" STRICT_VARIABLES="yes"
-  - rvm: 1.8.7
-    env: PUPPET_GEM_VERSION="~> 2.7.0" FACTER_GEM_VERSION="~> 1.6.0"
-  - rvm: 1.8.7
-    env: PUPPET_GEM_VERSION="~> 2.7.0" FACTER_GEM_VERSION="~> 1.7.0"
 notifications:
   email: false

CHANGELOG.md

@@ -1,103 +1,115 @@
-##Supported Release 1.4.0
-###Summary
+## Supported Release 1.4.1
+### Summary
+This release contains bugfixes around certificate chains and other testing improvements.
+
+#### Bugfixes
+- Dont expose keystore content when keystore initally empty.
+- Support certificate chains in certificate file.
+- Support multiple intermediate certificates in chain.
+- Improve cert chain acceptance tests.
+- Update to current msync configs.
+- Debian 8 support.
+
+## Supported Release 1.4.0
+### Summary
 This release contains a new option to provide destkeypass. Also contains 
 bugfixes and a metadata update to support Puppet Enterprise 2015.3.x.
 
-####Features
+#### Features
 - Adds `destkeypass` option to pass in password when importing into the keystore.
 - Adds feature support for JCEKS format and extensions.
 
-####Bugfixes
+#### Bugfixes
 - Fixes composite title patterns in provider to improve support for Windows.
 
-####Test Improvements
+#### Test Improvements
 - Improves Windows testing.
 
-##2015-07-20 - Supported Release 1.3.1
-###Summary
+## 2015-07-20 - Supported Release 1.3.1
+### Summary
 This release updates the metadata for the upcoming release of PE as well as an additional bugfix.
 
-####Bugfixes
+#### Bugfixes
 - Fixes Puppet.newtype deprecation warning
 
-##2015-04-14 - Supported Release 1.3.0
-###Summary
+## 2015-04-14 - Supported Release 1.3.0
+### Summary
 Remove openssl command line tool from requirements
 
-####Features
+#### Features
 - Add Windows support and tests
 
-##2014-11-11 - Supported Release 1.2.6
-###Summary
+## 2014-11-11 - Supported Release 1.2.6
+### Summary
 
 This release has test fixes and files synced from modulesync.
 
-##2014-07-10 - Supported Release 1.2.5
-###Summary
+## 2014-07-10 - Supported Release 1.2.5
+### Summary
 
 This release has bugfixes and test improvements.
 
-####Features
+#### Features
 - Update tests to use RSpec 2.99 syntax
 
-####Bugfixes
+#### Bugfixes
 - Remove broken support for puppet:// files.
 - Remove incorrect statment of windows support from metadata.json.
 - Fix path issue for openssl on solaris 11.
 
-####Known Bugs
+#### Known Bugs
 * No known bugs
 
-##2014-06-04 - Release 1.2.4
-###Summary
+## 2014-06-04 - Release 1.2.4
+### Summary
 
 This is a compatibility release. No functional changes to this module were made
 in this release, just testing infrastructure changes to extend tests to RHEL7
 and Ubuntu 14.04
 
-####Features
+#### Features
 
-####Bugfixes
+#### Bugfixes
 
-####Known Bugs
+#### Known Bugs
 * No known bugs
 
-##2014-03-04 - Supported Release 1.2.3
-###Summary
+## 2014-03-04 - Supported Release 1.2.3
+### Summary
 
 This is a supported release.  This release removes a testing symlink that can
 cause trouble on systems where /var is on a seperate filesystem from the
 modulepath.
 
-####Features
+#### Features
 
-####Bugfixes
+#### Bugfixes
 
-####Known Bugs
+#### Known Bugs
 * No known bugs
 
-##2014-03-04 - Supported Release 1.2.2
-###Summary
+## 2014-03-04 - Supported Release 1.2.2
+### Summary
 
 This is a supported release.  Only tests and documentation were changed.
 
-####Features
+#### Features
 - Test changes.
 - Documentation changes.
 
-####Bugfixes
+#### Bugfixes
 
-####Known Bugs
+#### Known Bugs
 * No known bugs
 
 
-##2014-02-12 - Release 1.2.1
+## 2014-02-12 - Release 1.2.1
 
 #### Bugfixes
 - Updating specs
 
 
-##2013-09-18 - Release 1.2.0
+## 2013-09-18 - Release 1.2.0
 
 ### Summary
 This release adds `puppet://` URI support, a few bugfixes, and lots of tests.
@@ -111,7 +123,7 @@ This release adds `puppet://` URI support, a few bugfixes, and lots of tests.
 - More acceptance tests, unit tests, and rspec-puppet tests.
 
 
-##1.1.0
+## 1.1.0
 
 This minor feature provides a number of new features:
 
@@ -132,7 +144,7 @@ Travis-CI support has also been added to improve testing.
 
 ---------------------------------------
 
-##0.0.6
+## 0.0.6
 
 
 Fixes an issue with ibm java handling input from stdin on SLES

CONTRIBUTING.md

@@ -159,7 +159,7 @@ If you already have those gems installed, make sure they are up-to-date:
 With all dependencies in place and up-to-date we can now run the tests:
 
 ```shell
-% rake spec
+% bundle exec rake spec
 ```
 
 This will execute all the [rspec tests](http://rspec-puppet.com/) tests
@@ -178,8 +178,8 @@ installed on your system.
 You can run them by issuing the following command
 
 ```shell
-% rake spec_clean
-% rspec spec/acceptance
+% bundle exec rake spec_clean
+% bundle exec rspec spec/acceptance
 ```
 
 This will now download a pre-fabricated image configured in the [default node-set](./spec/acceptance/nodesets/default.yml),

Gemfile

@@ -1,7 +1,7 @@
 source ENV['GEM_SOURCE'] || "https://rubygems.org"
 
 def location_for(place, fake_version = nil)
-  if place =~ /^(git:[^#]*)#(.*)/
+  if place =~ /^(git[:@][^#]*)#(.*)/
     [fake_version, { :git => $1, :branch => $2, :require => false }].compact
   elsif place =~ /^file:\/\/(.*)/
     ['>= 0', { :path => File.expand_path($1), :require => false }]
@@ -11,14 +11,16 @@ def location_for(place, fake_version = nil)
 end
 
 group :development, :unit_tests do
-  gem 'rspec-core', '3.1.7',     :require => false
-  gem 'puppetlabs_spec_helper',  :require => false
-  gem 'simplecov',               :require => false
-  gem 'puppet_facts',            :require => false
-  gem 'json',                    :require => false
+  gem 'json',                      :require => false
+  gem 'metadata-json-lint',        :require => false
+  gem 'puppet_facts',              :require => false
+  gem 'puppet-blacksmith',         :require => false
+  gem 'puppetlabs_spec_helper',    :require => false
+  gem 'rspec-puppet', '>= 2.3.2',  :require => false
+  gem 'simplecov',                 :require => false
 end
-
 group :system_tests do
+  gem 'beaker-puppet_install_helper',  :require => false
   if beaker_version = ENV['BEAKER_VERSION']
     gem 'beaker', *location_for(beaker_version)
   end
@@ -27,12 +29,10 @@ group :system_tests do
   else
     gem 'beaker-rspec',  :require => false
   end
-  gem 'serverspec',    :require => false
-  gem 'beaker-puppet_install_helper', '~> 0.3', :require => false
+  gem 'master_manipulator',            :require => false
+  gem 'serverspec',                    :require => false
 end
 
-
-
 if facterversion = ENV['FACTER_GEM_VERSION']
   gem 'facter', facterversion, :require => false
 else
@@ -45,8 +45,4 @@ else
   gem 'puppet', :require => false
 end
 
-if File.exists? "#{__FILE__}.local"
-  eval(File.read("#{__FILE__}.local"), binding)
-end
-
 # vim:ft=ruby

README.md

@@ -82,10 +82,10 @@ broker.ks keystore with the alias of broker.example.com.
 All parameters, except where specified, are optional.
 
 #####`certificate`
-*Required.* Places an already-signed certificate in the keystore. This autorequires the specified file and must be present on the node before java_ks{} is run. Valid options: string. Default: undef.
+*Required.* A server certificate, followed by zero or more intermediate certificate authorities. Places the certificates in the keystore. This autorequires the specified file and must be present on the node before java_ks{} is run. Valid options: string. Default: undef.
 
 #####`chain`
-Bundles intermediary certificate authorities with certificate authorities. This autorequires the file of the same path and must be present on the node before java_ks{} is run. Valid options: string. Default: undef.
+Takes intermediate certificate authorities from a separate file from the server certificate. This autorequires the file of the same path and must be present on the node before java_ks{} is run. Valid options: string. Default: undef.
 
 #####`ensure`
 Valid options: absent, present, latest. Latest verifies md5 certificate fingerprints for the stored certificate and the source file. Default: present.

Rakefile

@@ -1,5 +1,6 @@
-require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet_blacksmith/rake_tasks'
 require 'puppet-lint/tasks/puppet-lint'
+require 'puppetlabs_spec_helper/rake_tasks'
 
 PuppetLint.configuration.fail_on_warnings = true
 PuppetLint.configuration.send('relative')

lib/puppet/provider/java_ks/keytool.rb

@@ -12,11 +12,12 @@ def command_keytool
   # importing a keystore is used to add private_key and certifcate pairs.
   def to_pkcs12(path)
     pkey = OpenSSL::PKey::RSA.new File.read private_key
-    x509_cert = OpenSSL::X509::Certificate.new File.read certificate
     if chain
-      chain_certs = [(OpenSSL::X509::Certificate.new File.read chain)]
+      x509_cert = OpenSSL::X509::Certificate.new File.read certificate
+      chain_certs = get_chain(chain)
     else
-      chain_certs = []
+      chain_certs = get_chain(certificate)
+      x509_cert = chain_certs.shift
     end
     pkcs12 = OpenSSL::PKCS12.create(get_password, @resource[:name], pkey, x509_cert, chain_certs)
     File.open(path, "wb") { |f| f.print pkcs12.to_der }
@@ -29,6 +30,10 @@ def to_der(path)
     File.open(path, "wb") { |f| f.print x509_cert.to_der }
   end
 
+  def get_chain(path)
+    File.read(path).scan(/-----BEGIN [^\n]*CERTIFICATE.*?-----END [^\n]*CERTIFICATE-----/m).map {|cert| OpenSSL::X509::Certificate.new cert}
+  end
+
   def get_password
     if @resource[:password_file].nil?
       @resource[:password]
@@ -226,9 +231,10 @@ def run_command(cmd, target=false, stdinfile=false, env={})
 
     # the java keytool will not correctly deal with an empty target keystore
     # file. If we encounter an empty keystore target file, preserve the mode,
-    # owner and group, and delete the empty file.
+    # owner and group, temporarily raise the umask, and delete the empty file.
     if target and (File.exists?(target) and File.zero?(target))
       stat = File.stat(target)
+      umask = File.umask(0077)
       File.delete(target)
     end
 
@@ -259,12 +265,15 @@ def run_command(cmd, target=false, stdinfile=false, env={})
                end
              end
 
-    # for previously empty files, restore the mode, owner and group. The funky
-    # double-take check is because on Suse defined? doesn't seem to behave
-    # quite the same as on Debian, RedHat
+    # for previously empty files, restore the umask, mode, owner and group.
+    # The funky double-take check is because on Suse defined? doesn't seem
+    # to behave quite the same as on Debian, RedHat
     if target and (defined? stat and stat)
-      File.chmod(stat.mode, target)
+      File.umask(umask)
+      # Need to change group ownership before mode to prevent making the file
+      # accessible to the wrong group.
       File.chown(stat.uid, stat.gid, target)
+      File.chmod(stat.mode, target)
     end
 
     return output