From fc52cbcc9681bc5f18de3e81ef41bdf44693acaf Mon Sep 17 00:00:00 2001
From: "Eric D. Helms"
Date: Tue, 16 Feb 2021 15:33:57 -0500
Subject: [PATCH] Refs #31878 - Split qpid router server and client certificates
---
manifests/foreman_proxy_content.pp | 17 +++---
.../{qpid_router.pp => qpid_router/client.pp} | 45 ++-------------
manifests/qpid_router/server.pp | 57 +++++++++++++++++++
spec/classes/certs_qpid_router_client_spec.rb | 13 +++++
spec/classes/certs_qpid_router_server_spec.rb | 13 +++++
spec/classes/certs_qpid_router_spec.rb | 15 -----
6 files changed, 97 insertions(+), 63 deletions(-)
rename manifests/{qpid_router.pp => qpid_router/client.pp} (55%)
create mode 100644 manifests/qpid_router/server.pp
create mode 100644 spec/classes/certs_qpid_router_client_spec.rb
create mode 100644 spec/classes/certs_qpid_router_server_spec.rb
delete mode 100644 spec/classes/certs_qpid_router_spec.rb
diff --git a/manifests/foreman_proxy_content.pp b/manifests/foreman_proxy_content.pp
index cbba959f..d7a5e0c6 100644
--- a/manifests/foreman_proxy_content.pp
+++ b/manifests/foreman_proxy_content.pp
@@ -24,15 +24,16 @@
fail('The hostname is the same as the provided hostname for the foreman-proxy')
}
- class { 'certs::puppet': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
- class { 'certs::foreman': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
- class { 'certs::foreman_proxy': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
- class { 'certs::apache': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
- class { 'certs::qpid': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
- class { 'certs::qpid_router': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
- class { 'certs::qpid_client': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+ class { 'certs::puppet': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+ class { 'certs::foreman': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+ class { 'certs::foreman_proxy': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+ class { 'certs::apache': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+ class { 'certs::qpid': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+ class { 'certs::qpid_router::server': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+ class { 'certs::qpid_router::client': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+ class { 'certs::qpid_client': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
certs::tar_create { $certs_tar:
- subscribe => Class['certs::puppet', 'certs::foreman', 'certs::foreman_proxy', 'certs::qpid', 'certs::qpid_router', 'certs::apache', 'certs::qpid_client'],
+ subscribe => Class['certs::puppet', 'certs::foreman', 'certs::foreman_proxy', 'certs::qpid', 'certs::qpid_router::server', 'certs::qpid_router::client', 'certs::apache', 'certs::qpid_client'],
}
}
diff --git a/manifests/qpid_router.pp b/manifests/qpid_router/client.pp
similarity index 55%
rename from manifests/qpid_router.pp
rename to manifests/qpid_router/client.pp
index 7b221b77..587934f1 100644
--- a/manifests/qpid_router.pp
+++ b/manifests/qpid_router/client.pp
@@ -1,14 +1,12 @@
# Constains certs specific configurations for qpid dispatch router
-class certs::qpid_router (
+class certs::qpid_router::client (
$hostname = $certs::node_fqdn,
$cname = $certs::cname,
$generate = $certs::generate,
$regenerate = $certs::regenerate,
$deploy = $certs::deploy,
- $server_cert = $certs::qpid_router_server_cert,
- $client_cert = $certs::qpid_router_client_cert,
- $server_key = $certs::qpid_router_server_key,
- $client_key = $certs::qpid_router_client_key,
+ $cert = $certs::qpid_router_client_cert,
+ $key = $certs::qpid_router_client_key,
$owner = 'qdrouterd',
$group = 'root',
@@ -21,27 +19,8 @@
$ca_key_password_file = $certs::ca_key_password_file,
) inherits certs {
- $server_keypair = "${hostname}-qpid-router-server"
$client_keypair = "${hostname}-qpid-router-client"
- cert { $server_keypair:
- ensure => present,
- hostname => $hostname,
- cname => $cname,
- country => $country,
- state => $state,
- city => $city,
- org => 'dispatch server',
- org_unit => $org_unit,
- expiration => $expiration,
- ca => $default_ca,
- generate => $generate,
- regenerate => $regenerate,
- deploy => $deploy,
- purpose => 'server',
- password_file => $ca_key_password_file,
- }
-
cert { $client_keypair:
ensure => present,
hostname => $hostname,
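Review bot: The header comment `# Constains certs specific configurations for qpid dispatch router` is kept verbatim on the renamed `certs::qpid_router::client` class although the class now manages only the client certificate, and the new `manifests/qpid_router/server.pp` hunk carries the same comment with the same typo. Since the two classes look alike apart from the certificate they manage, the comment is what tells a reader which is which; I'd change it to `# Contains the certs configuration for the qpid dispatch router client certificate` here and the matching server wording in server.pp. The parameter list of the class continues past the end of this hunk.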
@@ -61,28 +40,14 @@
}
if $deploy {
- certs::keypair { 'qpid_router_server':
- key_pair => Cert[$server_keypair],
- key_file => $server_key,
- manage_key => true,
- key_owner => $owner,
- key_group => $group,
- key_mode => '0640',
- cert_file => $server_cert,
- manage_cert => true,
- cert_owner => $owner,
- cert_group => $group,
- cert_mode => '0640',
- }
-
certs::keypair { 'qpid_router_client':
key_pair => Cert[$client_keypair],
- key_file => $client_key,
+ key_file => $key,
manage_key => true,
key_owner => $owner,
key_group => $group,
key_mode => '0640',
- cert_file => $client_cert,
+ cert_file => $cert,
manage_cert => true,
cert_owner => $owner,
cert_group => $group,
diff --git a/manifests/qpid_router/server.pp b/manifests/qpid_router/server.pp
new file mode 100644
index 00000000..20ef26b1
--- /dev/null
+++ b/manifests/qpid_router/server.pp
@@ -0,0 +1,57 @@
+# Constains certs specific configurations for qpid dispatch router
+class certs::qpid_router::server (
+ $hostname = $certs::node_fqdn,
+ $cname = $certs::cname,
+ $generate = $certs::generate,
+ $regenerate = $certs::regenerate,
+ $deploy = $certs::deploy,
+ $cert = $certs::qpid_router_server_cert,
+ $key = $certs::qpid_router_server_key,
+ $owner = 'qdrouterd',
+ $group = 'root',
+
+ $country = $certs::country,
+ $state = $certs::state,
+ $city = $certs::city,
+ $org_unit = $certs::org_unit,
+ $expiration = $certs::expiration,
+ $default_ca = $certs::default_ca,
+ $ca_key_password_file = $certs::ca_key_password_file,
+) inherits certs {
+
+ $server_keypair = "${hostname}-qpid-router-server"
+
+ cert { $server_keypair:
+ ensure => present,
+ hostname => $hostname,
+ cname => $cname,
+ country => $country,
+ state => $state,
+ city => $city,
+ org => 'dispatch server',
+ org_unit => $org_unit,
+ expiration => $expiration,
+ ca => $default_ca,
+ generate => $generate,
+ regenerate => $regenerate,
+ deploy => $deploy,
+ purpose => 'server',
+ password_file => $ca_key_password_file,
+ }
+
+ if $deploy {
+ certs::keypair { 'qpid_dispatch_server':
+ key_pair => Cert[$server_keypair],
+ key_file => $key,
+ manage_key => true,
+ key_owner => $owner,
+ key_group => $group,
+ key_mode => '0640',
+ cert_file => $cert,
+ manage_cert => true,
+ cert_owner => $owner,
+ cert_group => $group,
+ cert_mode => '0640',
+ }
+ }
+}
diff --git a/spec/classes/certs_qpid_router_client_spec.rb b/spec/classes/certs_qpid_router_client_spec.rb
new file mode 100644
index 00000000..2db543d5
--- /dev/null
+++ b/spec/classes/certs_qpid_router_client_spec.rb
@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe 'certs::qpid_router::client' do
+ on_supported_os.each do |os, os_facts|
+ let :facts do
+ os_facts
+ end
+
+ describe 'with default parameters' do
+ it { should compile.with_all_deps }
+ end
+ end
+end
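Review bot: The keypair resource title `certs::keypair { 'qpid_dispatch_server':` departs from the naming used everywhere else in this patch: the block removed from client.pp was titled `'qpid_router_server'`, the client keypair keeps `'qpid_router_client'`, and the class itself is `certs::qpid_router::server`. Any manifest that referenced the old title, for instance via `Certs::Keypair['qpid_router_server']`, would stop resolving after this change; no such reference is visible in the patch, so this may be harmless, but the rename looks unintended. I'd keep `certs::keypair { 'qpid_router_server':` so the title matches the class and the client counterpart.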
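Review bot: `let :facts do` sits directly inside the `on_supported_os.each` loop, so each iteration appears to redefine the same `let` on the single enclosing example group, and the identically named `describe 'with default parameters'` groups would then all compile against the facts of the last OS only. The deleted `spec/classes/certs_qpid_router_spec.rb` wrapped each iteration in a per-OS context, which this new file drops; I'd restore that by placing `context "on #{os}" do` around the `let` and the inner `describe`, closed by a matching `end`. The same applies to `spec/classes/certs_qpid_router_server_spec.rb` in the next hunk.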
diff --git a/spec/classes/certs_qpid_router_server_spec.rb b/spec/classes/certs_qpid_router_server_spec.rb
new file mode 100644
index 00000000..5655973d
--- /dev/null
+++ b/spec/classes/certs_qpid_router_server_spec.rb
@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe 'certs::qpid_router::server' do
+ on_supported_os.each do |os, os_facts|
+ let :facts do
+ os_facts
+ end
+
+ describe 'with default parameters' do
+ it { should compile.with_all_deps }
+ end
+ end
+end
diff --git a/spec/classes/certs_qpid_router_spec.rb b/spec/classes/certs_qpid_router_spec.rb
deleted file mode 100644
index 8acf2f54..00000000
--- a/spec/classes/certs_qpid_router_spec.rb
+++ /dev/null
@@ -1,15 +0,0 @@
-require 'spec_helper'
-
-describe 'certs::qpid_router' do
- on_supported_os.each do |os, os_facts|
- context "on #{os}", if: os_facts[:operatingsystemmajrelease] == '7' do
- let :facts do
- os_facts
- end
-
- describe 'with default parameters' do
- it { should compile.with_all_deps }
- end
- end
- end
-end