Add support for cert_file on Windows #126

Merged
merged 1 commit into from
Jul 14, 2020
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

## [Unreleased]
### Added
- Added support for `cert_file` on Windows and to the `conjur` class.
[cyberark/conjur-puppet#113](https://github.com/cyberark/conjur-puppet/issues/113)
- Added support for v6 servers by using v5- and v6-compatible APIs for token decryption
[cyberark/conjur-puppet#91](https://github.com/org/repo/issues/91)
- Added support for v6 agents (v6 server is still not supported) by using v5- and
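Review bot: the issue link on the `#91` entry points at `https://github.com/org/repo/issues/91`, a placeholder organization and repository, while the new entry just above it correctly links to `https://github.com/cyberark/conjur-puppet/issues/113`; since this hunk is already touching the section, the `#91` link should be corrected to the same `cyberark/conjur-puppet` path.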
30 changes: 24 additions & 6 deletions README.md
Expand Up @@ -70,7 +70,7 @@ returns `app1.example.com` and a Conjur variable named `domains/app1.example.com
exists, the SSL certificate can be retrieved and written to a file like so:

```puppet
file { '/etc/ssl/cert.pem':
file { '/abslute/path/to/cert.pem':
ensure => file,
content => conjur::secret("domains/%{hiera('domain')}/ssl-cert"),
show_diff => false # only required for Puppet < 4.6
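Review bot: `/abslute/path/to/cert.pem` misspells "absolute"; the whole point of replacing `/etc/ssl/cert.pem` is to show readers that the path must be absolute, so the example should read `/absolute/path/to/cert.pem`. The same misspelling recurs in the later README hunks of this PR and should be fixed everywhere in one pass.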
Expand Down Expand Up @@ -122,7 +122,7 @@ class { 'conjur':
appliance_url => 'https://conjur.mycompany.com/',
authn_login => 'host/redis001',
authn_api_key => Sensitive('f9yykd2r0dajz398rh32xz2fxp1tws1qq2baw4112n4am9x3ncqbk3'),
ssl_certificate => file('/conjur-ca.pem')
ssl_certificate => file('/abslute/path/to/conjur-ca.pem')
}
```
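Review bot: same spelling error here, `file('/abslute/path/to/conjur-ca.pem')` should be `file('/absolute/path/to/conjur-ca.pem')`.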

Expand All @@ -136,7 +136,8 @@ values available to set are:
|-|-|-|
| Account | REG_SZ | Conjur account specified during Conjur setup. |
| ApplianceUrl | REG_SZ | Conjur API endpoint. |
| SslCertificate | REG_SZ | public Conjur SSL cert. |
| CertFile | REG_SZ | File path to public Conjur SSL cert. Takes precedence over `SslCertificate`. |
| SslCertificate | REG_SZ | Public Conjur SSL cert. Overwritten by the contents read from `CertFile` when it is present. |
| Version | REG_DWORD | Conjur API version. Defaults to `5`. |

These may be set using Powershell:
Expand All @@ -150,6 +151,8 @@ The operation completed successfully.
The operation completed successfully.
> reg ADD HKLM\Software\CyberArk\Conjur /v SslCertificate /t REG_SZ /d "-----BEGIN CERTIFICATE-----..."
The operation completed successfully.
> reg ADD HKLM\Software\CyberArk\Conjur /v CertFile /t REG_SZ /d "C:\Absolute\Path\To\SslCertificate"
The operation completed successfully.
```

Credentials for Conjur are stored in the Windows Credential Manager. The credential
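Review bot: the precedence documented in the table ("`CertFile` ... Takes precedence over `SslCertificate`") is the opposite of what `lib/conjur/puppet_module/config.rb` in this PR does: `c['ssl_certificate'] ||= File.read c['cert_file'] if c['cert_file']` only reads the file when `SslCertificate` is absent, so a populated `SslCertificate` wins. Either the Ruby assignment should be unconditional or both table rows should say that `SslCertificate` takes precedence; as written, an operator who sets both values and expects the file to be used will silently get the stale inline certificate. The new `reg ADD ... /v CertFile` line is fine; it would help to add that the value must be an absolute path, matching the wording used for the Puppet parameter.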
Expand Down Expand Up @@ -189,7 +192,7 @@ class { 'conjur':
appliance_url => 'https://conjur.mycompany.com/',
authn_login => 'host/redis001',
host_factory_token => Sensitive('3zt94bb200p69nanj64v9sdn1e15rjqqt12kf68x1d6gb7z33vfskx'),
ssl_certificate => file('/etc/conjur.pem')
cert_file => file('/abslute/path/to/conjur.pem')
}
```
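Review bot: `cert_file => file('/abslute/path/to/conjur.pem')` passes the certificate contents rather than a path. `cert_file` is documented in this PR as a file path, and `manifests/init.pp` calls `file($cert_file)` on it, so with this example `file()` would be asked to open a file named after the PEM text. Drop the `file()` wrapper, as the later example `cert_file => '/abslute/path/to/conjur-ca.pem'` does, and fix the spelling of "absolute".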

Expand Down Expand Up @@ -261,9 +264,14 @@ User username or host name (prefixed with `host/`).
##### `authn_api_key`
API key for a user or host. Must be `Sensitive` if supported.

##### `cert_file`
File path to X509 certificate of the root CA of Conjur, PEM formatted. Takes precedence
over `ssl_certificte`.

##### `ssl_certificate`
Content of the X509 certificate of the root CA of Conjur, PEM formatted.
When using Puppet's `file` function, the path to the cert must be absolute.
Overwritten by the contents read from `cert_file` when it is present.

##### `host_factory_token`
You can use a host factory token to obtain a host identity. Must be `Sensitive`.
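Review bot: `ssl_certificte` in the `cert_file` description should be `ssl_certificate`. The precedence sentence also has to agree with the Ruby side of this PR, where `||=` makes the registry `CertFile` apply only when `SslCertificate` is unset, so the two code paths currently behave differently for the same documented rule. It would also be worth stating where `cert_file` is resolved: Puppet's `file()` runs during catalog compilation, so in an agent/server setup the path must exist on the Puppet server, not on the node being configured, which is a common source of "file not found" confusion for certificate parameters.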
Expand All @@ -287,7 +295,7 @@ class { 'conjur':
appliance_url => 'https://conjur.mycompany.com/',
authn_login => 'host/redis001',
host_factory_token => Sensitive('f9yykd2r0dajz398rh32xz2fxp1tws1qq2baw4112n4am9x3ncqbk3'),
ssl_certificate => file('conjur-ca.pem'),
ssl_certificate => file('/absolute/path/to/conjur-ca.pem'),
version => 5
}

Expand All @@ -304,7 +312,17 @@ class { 'conjur':
appliance_url => 'https://conjur.mycompany.com/',
authn_login => 'host/redis001',
authn_api_key => Sensitive('f9yykd2r0dajz398rh32xz2fxp1tws1qq2baw4112n4am9x3ncqbk3'),
ssl_certificate => file('conjur-ca.pem'),
ssl_certificate => file('/abslute/path/to/conjur-ca.pem'),
version => 5
}

# same, but 'cert_file' is used instead of 'ssl_certificate'
class { 'conjur':
account => 'mycompany',
appliance_url => 'https://conjur.mycompany.com/',
authn_login => 'host/redis001',
authn_api_key => Sensitive('f9yykd2r0dajz398rh32xz2fxp1tws1qq2baw4112n4am9x3ncqbk3'),
cert_file => '/abslute/path/to/conjur-ca.pem',
version => 5
}
```
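Review bot: both new lines in this hunk, `ssl_certificate => file('/abslute/path/to/conjur-ca.pem')` and `cert_file => '/abslute/path/to/conjur-ca.pem'`, carry the "abslute" misspelling, while the host-factory example in the previous hunk correctly uses `/absolute/path/to/conjur-ca.pem`; these should match.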
4 changes: 3 additions & 1 deletion lib/conjur/puppet_module/config.rb
Expand Up @@ -27,11 +27,13 @@ def from_registry
unless Puppet.features.microsoft_windows?

require 'win32/registry'
Win32::Registry::HKEY_LOCAL_MACHINE.open(REG_KEY_NAME) do |reg|
c = Win32::Registry::HKEY_LOCAL_MACHINE.open(REG_KEY_NAME) do |reg|
# Convert registry value names from camel case to underscores
# e.g. ApplianceUrl => appliance_url
reg.map { |name, _type, data| [name.gsub(/(.)([A-Z])/, '\1_\2').downcase, data] }.to_h
end
c['ssl_certificate'] ||= File.read c['cert_file'] if c['cert_file']
c
end
end
end
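Review bot: `c['ssl_certificate'] ||= File.read c['cert_file'] if c['cert_file']` gives `SslCertificate` precedence over `CertFile`, because `||=` assigns only when the left side is nil or false; that contradicts the README in this PR, which says `CertFile` wins. If the file is meant to take precedence, use `c['ssl_certificate'] = File.read(c['cert_file']) if c['cert_file']`. Two smaller points on the same line: a missing or unreadable file surfaces as a bare `Errno::ENOENT`/`Errno::EACCES` from inside config loading, so rescuing it and raising a `Puppet::Error` that names the registry value and the path would make misconfiguration much easier to diagnose; and certificates saved by Windows editors can carry a UTF-8 BOM, which OpenSSL will not accept at the start of a PEM block, so stripping a leading BOM (or documenting the requirement) avoids a confusing TLS failure later.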
4 changes: 4 additions & 0 deletions manifests/init.pp
Expand Up @@ -2,6 +2,7 @@
String $appliance_url = $conjur::params::appliance_url,
Optional[String] $authn_login = $conjur::params::authn_login,
Optional[String] $ssl_certificate = $conjur::params::ssl_certificate,
Optional[String] $cert_file = undef,

Optional[String] $account = $conjur::params::account,
Integer $version = $conjur::params::version,
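Review bot: `$cert_file` is the only parameter in this list without a `$conjur::params::` default; if that is deliberate (no registry or params lookup for it), a one-line comment would spare the next reader from wondering. Since the README requires the value to be an absolute path, a stricter type than `Optional[String]` (a `Pattern` for an absolute path, or the stdlib absolute-path type if the module already depends on stdlib) would reject relative paths at compile time instead of letting `file()` fail later.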
Expand All @@ -10,6 +11,9 @@
Optional[Sensitive] $authn_token = $conjur::params::authn_token,
Optional[Sensitive] $host_factory_token = $conjur::params::host_factory_token,
) inherits conjur::params {
if $cert_file {
$ssl_certificate = file($cert_file)
}
$client = conjur::client($appliance_url, $version, $ssl_certificate)

if $authn_token {
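Review bot: `$ssl_certificate = file($cert_file)` reassigns a class parameter. Puppet binds each variable, parameters included, only once per scope, so this is expected to fail at compile time with "Cannot reassign variable '$ssl_certificate'" whenever `cert_file` is set, which is exactly the case the PR adds. Bind the result to a fresh variable and pass that on instead, e.g. `$_ssl_certificate = if $cert_file { file($cert_file) } else { $ssl_certificate }` followed by `$client = conjur::client($appliance_url, $version, $_ssl_certificate)`. This branch also gives `cert_file` precedence over `ssl_certificate`, which is what the README says, whereas the Ruby registry path in `config.rb` does the reverse with `||=`; the two should be aligned before merge.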