.gitattributes

@@ -1,5 +1,5 @@
 #This file is generated by ModuleSync, do not edit.
-*.rb  eol=lf
+*.rb eol=lf
 *.erb eol=lf
-*.pp  eol=lf
-*.sh  eol=lf
+*.pp eol=lf
+*.sh eol=lf

CHANGELOG.md

@@ -1,3 +1,10 @@
+## Supported Release 1.6.0
+### Summary
+The keytool would hang on occasion for unexplained reasons, so keytool executions are wrapped in a timeout that defaults to 120 seconds and is configurable by the `keytool_timeout` parameter.
+
+### Added
+- New parameter: `keytool_timeout`
+
 ## Supported Release 1.5.0
 ### Summary
 This release contains some small features and one bugfix which makes the module environment safe.

Gemfile

@@ -29,38 +29,27 @@ end
 
 # Used for gem conditionals
 supports_windows = false
+ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments
+minor_version = "#{ruby_version_segments[0]}.#{ruby_version_segments[1]}"
 
 group :development do
-  gem 'puppet-lint',                        :require => false
-  gem 'metadata-json-lint',                 :require => false, :platforms => 'ruby'
-  gem 'puppet_facts',                       :require => false
-  gem 'puppet-blacksmith', '>= 3.4.0',      :require => false, :platforms => 'ruby'
-  gem 'puppetlabs_spec_helper', '>= 1.2.1', :require => false
-  gem 'rspec-puppet', '>= 2.3.2',           :require => false
-  gem 'rspec-puppet-facts',                 :require => false, :platforms => 'ruby'
-  gem 'mocha', '< 1.2.0',                   :require => false
-  gem 'simplecov',                          :require => false, :platforms => 'ruby'
-  gem 'parallel_tests', '< 2.10.0',         :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
-  gem 'parallel_tests',                     :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.0.0')
-  gem 'rubocop', '0.41.2',                  :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
-  gem 'rubocop',                            :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.0.0')
-  gem 'rubocop-rspec', '~> 1.6',            :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0')
-  gem 'pry',                                :require => false
-  gem 'json_pure', '<= 2.0.1',              :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
-  gem 'fast_gettext', '1.1.0',              :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0')
-  gem 'fast_gettext',                       :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0')
-  gem 'rainbow', '< 2.2.0',                 :require => false
+  gem "puppet-module-posix-default-r#{minor_version}", :require => false, :platforms => "ruby"
+  gem "puppet-module-win-default-r#{minor_version}",   :require => false, :platforms => ["mswin", "mingw", "x64_mingw"]
+  gem "puppet-module-posix-dev-r#{minor_version}",     :require => false, :platforms => "ruby"
+  gem "puppet-module-win-dev-r#{minor_version}",       :require => false, :platforms => ["mswin", "mingw", "x64_mingw"]
+  gem "json_pure", '<= 2.0.1',                         :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
+  gem "fast_gettext", '1.1.0',                         :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0')
+  gem "fast_gettext",                                  :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0')
 end
 
 group :system_tests do
-  gem 'beaker', *location_for(ENV['BEAKER_VERSION'] || '>= 3')                  
-  gem 'beaker-pe',                                                               :require => false
-  gem 'beaker-rspec', *location_for(ENV['BEAKER_RSPEC_VERSION'])                
-  gem 'beaker-puppet_install_helper',                                            :require => false
-  gem 'beaker-module_install_helper',                                            :require => false
-  gem 'master_manipulator',                                                      :require => false
-  gem 'beaker-hostgenerator', *location_for(ENV['BEAKER_HOSTGENERATOR_VERSION'])
-  gem 'beaker-abs', *location_for(ENV['BEAKER_ABS_VERSION'] || '~> 0.1')        
+  gem "puppet-module-posix-system-r#{minor_version}",                            :require => false, :platforms => "ruby"
+  gem "puppet-module-win-system-r#{minor_version}",                              :require => false, :platforms => ["mswin", "mingw", "x64_mingw"]
+  gem "beaker", *location_for(ENV['BEAKER_VERSION'] || '>= 3')                  
+  gem "beaker-pe",                                                               :require => false
+  gem "beaker-rspec", *location_for(ENV['BEAKER_RSPEC_VERSION'])                
+  gem "beaker-hostgenerator", *location_for(ENV['BEAKER_HOSTGENERATOR_VERSION'])
+  gem "beaker-abs", *location_for(ENV['BEAKER_ABS_VERSION'] || '~> 0.1')        
 end
 
 gem 'puppet', *location_for(ENV['PUPPET_GEM_VERSION'])

README.md

@@ -1,8 +1,8 @@
-#java_ks
+# java_ks
 
 [![Build Status](https://travis-ci.org/puppetlabs/puppetlabs-java_ks.png?branch=master)](https://travis-ci.org/puppetlabs/puppetlabs-java_ks)
 
-####Table of Contents
+#### Table of Contents
 
 1. [Overview - What is the java_ks module?](#overview)
 2. [Module Description - What does the module do?](#module-description)
@@ -12,36 +12,36 @@
 6. [Limitations - OS compatibility, etc.](#limitations)
 7. [Development - Guide for contributing to the module](#development)
 
-##Overview
+## Overview
 
 The java_ks module uses a combination of keytool and openssl to manage entries in a Java keystore.
 
-##Module Description
+## Module Description
 
 The java_ks module contains a type called `java_ks` and a single provider named `keytool`.  Their purpose is to enable importation of arbitrary, already generated and signed certificates into a Java keystore for use by various applications.
 
-##Setup
+## Setup
 
 ### Beginning with java_ks
 
 To get started with java_ks, declare each `java_ks` resource you need.
 
-~~~
+```puppet
 java_ks { 'puppetca:truststore':
   ensure       => latest,
   certificate  => '/etc/puppet/ssl/certs/ca.pem',
   target       => '/etc/activemq/broker.ts',
   password     => 'puppet',
   trustcacerts => true,
 }
-~~~
+```
 
 
-##Usage
+## Usage
 
 You must specify a target in some way. You can specify `target` after the colon in the title or by using the target attribute in the resource. If you declare both, it will prefer the attribute.
 
-~~~
+```puppet
 java_ks { 'puppetca:keystore':
   ensure       => latest,
   certificate  => '/etc/puppet/ssl/certs/ca.pem',
@@ -56,18 +56,18 @@ java_ks { 'broker.example.com:/etc/activemq/broker.ks':
   private_key => '/etc/puppet/ssl/private_keys/broker.example.com.pe-internal-broker.pem',
   password    => 'puppet',
 }
-~~~
+```
 
 You can also use Hiera by passing params to the java_ks::config class:
 
-~~~
+```yaml
 java_ks::config::params:
   'broker.example.com:/etc/activemq/broker.ks':
     ensure: latest
     certificate: '/etc/puppet/ssl/certs/broker.example.com.pe-internal-broker.pem'
     private_key: '/etc/puppet/ssl/private_keys/broker.example.com.pe-internal-broker.pem'
     password: true
-~~~
+```
 
 ### Certificates
 To have a Java application server use a specific certificate for incoming connections, use the certificate parameter. You will need to simultaneously import the private key accompanying the signed certificate you want to use. As long as you provide the path to the key and the certificate, the provider will do the conversion for you.
@@ -81,78 +81,80 @@ The java_ks module supports multiple certificates with different keystores but t
 The way composite namevars currently work, you must have the colon in the title. This is true *even if you define name and target parameters.*  The title can be `foo:bar`, but the name and target parameters must be `broker.example.com` and `/etc/activemq/broker.ks`. If you follow convention, it will do as you expect and correctly create an entry in the
 broker.ks keystore with the alias of broker.example.com.
 
-##Reference
+## Reference
 
-###Public Types
+### Public Types
 * `java_ks`: This resource manages the entries in a Java keystore, and uses composite namevars to allow the same alias across multiple target keystores.
 
-###Public Providers
+### Public Providers
 * `keytool`: Manages Java keystores by using a combination of the `openssl` and `keytool` commands.
 
-####Parameters
+#### Parameters
 All parameters, except where specified, are optional.
 
-#####`certificate`
+##### `certificate`
 *Required.* A server certificate, followed by zero or more intermediate certificate authorities. Places the certificates in the keystore. This autorequires the specified file and must be present on the node before java_ks{} is run. Valid options: string. Default: undef.
 
-#####`chain`
+##### `chain`
 Takes intermediate certificate authorities from a separate file from the server certificate. This autorequires the file of the same path and must be present on the node before java_ks{} is run. Valid options: string. Default: undef.
 
-#####`ensure`
+##### `ensure`
 Valid options: absent, present, latest. Latest verifies sha1 certificate fingerprints for the stored certificate and the source file. Default: present.
 
-#####`name`
+##### `name`
 *Required.* Identifies the entry in the keystore. This will be converted to lowercase. Valid options: string. Default: undef.
 
-#####`password`
+##### `password`
 This password is used to protect the keystore. If private keys are also protected, this password will be used to attempt to unlock them. Valid options: String. Must be 6 or more characters. This cannot be used together with `password_file`, but *you must pass at least one of these parameters.* Default: undef.
 
-#####`password_file`
+##### `password_file`
 Sets a plaintext file where the password is stored. Used as an alternative to `password`. This cannot be used together with `password`, but *you must pass at least one of these parameters.* Valid options: String to the plaintext file. Default: undef.
 
-#####`destkeypass`
+##### `destkeypass`
 The password you want to set to protect the key in the keystore.
 
-#####`path`
+##### `path`
 Used for command (keytool, openssl) execution. Valid options: array or file path separated list (for example : in linux). Default: undef.
 
-#####`private_key`
+##### `private_key`
 Sets a private key that encrypts traffic to a server application. Must be accompanied by a signed certificate for the keytool provider. This autorequires the specified file and must be present on the node before java_ks{} is run. Valid options: string. Default: undef.
 
-#####`private_key_type`
+##### `private_key_type`
 
 Sets the type of the private key. Usually this is RSA but Elliptic Curve (EC) keys are also supported. Valid options: `rsa` and `ec`. Default: `rsa`.
 
-#####`target`
+##### `target`
 *Required.* Specifies a destination file for the keystore. Autorequires the parent directory of the file. Valid options: string. Default: undef.
 
-#####`trustcacerts`
+##### `trustcacerts`
 Certificate authorities input into a keystore aren’t trusted by default, so if you are adding a CA you need to set this parameter to 'true'. Valid options: 'true' or 'false'. Default: 'false'.
 
+##### `keytool_timeout`
+Timeout in seconds for all keytool commands. Can be disabled by passing 0. Default: 120
+
 ##### `storetype`
 
 The storetype parameter allows you to use 'jceks' format if desired.
 
-    java_ks { 'puppetca:/opt/puppet/truststore.jceks':
-      ensure       => latest,
-      storetype    => 'jceks',
-      certificate  => '/etc/puppet/ssl/certs/ca.pem',
-      password     => 'puppet',
-      trustcacerts => true,
-    }
-
+```puppet
+java_ks { 'puppetca:/opt/puppet/truststore.jceks':
+  ensure       => latest,
+  storetype    => 'jceks',
+  certificate  => '/etc/puppet/ssl/certs/ca.pem',
+  password     => 'puppet',
+  trustcacerts => true,
+}
+```
 
-Limitations
-------------
+## Limitations
 
 The java_ks module uses the `keytool` and `openssl` commands. It should work on all systems with these commands.
 
 Java 7 is supported as of 1.0.0.
 
 Developed against IBM Java 6 on AIX. Other versions may be unsupported.
 
-Development
------------
+## Development
 
 Puppet modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad hardware, software, and deployment configurations that Puppet is intended to serve.
 

lib/puppet/provider/java_ks/keytool.rb

@@ -1,4 +1,5 @@
 require 'openssl'
+require 'timeout'
 require 'puppet/util/filetype'
 
 Puppet::Type.type(:java_ks).provide(:keytool) do
@@ -265,15 +266,22 @@ def run_command(cmd, target=false, stdinfile=false, env={})
 
     # Now run the command
     options = {:failonfail => true, :combine => true}
-    output = if stdinfile
-               withenv.call(env) do
-                 exec_method.call(cmd, options.merge(:stdinfile => stdinfile.path))
-               end
-             else
-               withenv.call(env) do
-                 exec_method.call(cmd, options)
-               end
-             end
+    output = nil
+    begin
+      Timeout::timeout(@resource[:keytool_timeout], Timeout::Error) do
+        output = if stdinfile
+                   withenv.call(env) do
+                     exec_method.call(cmd, options.merge(:stdinfile => stdinfile.path))
+                   end
+                 else
+                   withenv.call(env) do
+                     exec_method.call(cmd, options)
+                   end
+                 end
+      end
+    rescue Timeout::Error
+      raise Puppet::Error.new("Timed out waiting for '#{@resource[:name]}' to run keytool")
+    end
 
     # for previously empty files, restore the umask, mode, owner and group.
     # The funky double-take check is because on Suse defined? doesn't seem

lib/puppet/type/java_ks.rb

@@ -143,6 +143,12 @@ def value=(*values)
     end
   end
 
+  newparam(:keytool_timeout) do
+    desc "Timeout for the keytool command in seconds."
+
+    defaultto 120
+  end
+
   # Where we setup autorequires.
   autorequire(:file) do
     auto_requires = []

locales/config.yaml

@@ -0,0 +1,25 @@
+---
+# This is the project-specific configuration file for setting up
+# fast_gettext for your project.
+gettext:
+  # This is used for the name of the .pot and .po files; they will be
+  # called <project_name>.pot?
+  project_name: puppetlabs-java_ks
+  # This is used in comments in the .pot and .po files to indicate what
+  # project the files belong to and should bea little more desctiptive than
+  # <project_name>
+  package_name: puppetlabs-java_ks
+  # The locale that the default messages in the .pot file are in
+  default_locale: en
+  # The email used for sending bug reports.
+  bugs_address: docs@puppet.com
+  # The holder of the copyright.
+  copyright_holder: Puppet, Inc.
+  # This determines which comments in code should be eligible for translation.
+  # Any comments that start with this string will be externalized. (Leave
+  # empty to include all.)
+  comments_tag: TRANSLATOR
+  # Patterns for +Dir.glob+ used to find all files that might contain
+  # translatable content, relative to the project root directory
+  source_files:
+

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-java_ks",
-  "version": "1.5.0",
+  "version": "1.6.0",
   "author": "puppetlabs",
   "summary": "Manage arbitrary Java keystore files",
   "license": "Apache-2.0",
@@ -97,10 +97,6 @@
     }
   ],
   "requirements": [
-    {
-      "name": "pe",
-      "version_requirement": ">= 3.0.0 < 2015.4.0"
-    },
     {
       "name": "puppet",
       "version_requirement": ">= 3.0.0 < 5.0.0"

spec/spec_helper.rb

@@ -1,7 +1,7 @@
 #This file is generated by ModuleSync, do not edit.
 require 'puppetlabs_spec_helper/module_spec_helper'
 
-if Puppet.version.to_f >= 4.5
+if Puppet::Util::Package.versioncmp(Puppet.version, '4.5.0') >= 0
   RSpec.configure do |c|
     c.before :each do
       Puppet.settings[:strict] = :error