Support setting ssl_verify_depth in nginx::resource::server

This adds support for specifying the `ssl_verify_depth` option in server sections.
voxpupuli · Apr 25, 2018 · 82d7b30 · 82d7b30
1 parent 6103b40
commit 82d7b30
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 0 deletions.
diff --git a/manifests/resource/server.pp b/manifests/resource/server.pp
@@ -66,6 +66,7 @@
 #   [*ssl_session_tickets*]        - String: Enables or disables session resumption through TLS session tickets.
 #   [*ssl_session_ticket_key*]     - String: Sets a file with the secret key used to encrypt and decrypt TLS session tickets.
 #   [*ssl_trusted_cert*]           - String: Specifies a file with trusted CA certificates in the PEM format used to verify client
+#   [*ssl_verify_depth*]           - Integer: Sets the verification depth in the client certificates chain. 
 #     certificates and OCSP responses if ssl_stapling is enabled.
 #   [*spdy*]                       - Toggles SPDY protocol.
 #   [*http2*]                      - Toggles HTTP/2 protocol.
@@ -179,6 +180,7 @@
   Optional[String] $ssl_session_tickets                                          = undef,
   Optional[String] $ssl_session_ticket_key                                       = undef,
   Optional[String] $ssl_trusted_cert                                             = undef,
+  Optional[Integer] $ssl_verify_depth                                            = undef,
   String $spdy                                                                   = $::nginx::spdy,
   $http2                                                                         = $::nginx::http2,
   Optional[String] $proxy                                                        = undef,

diff --git a/spec/defines/resource_server_spec.rb b/spec/defines/resource_server_spec.rb
@@ -578,6 +578,12 @@
               value: '/tmp/trusted_certificate',
               match: %r{\s+ssl_trusted_certificate\s+/tmp/trusted_certificate;}
             },
+            {
+              title: 'should set ssl_verify_depth',
+              attr: 'ssl_verify_depth',
+              value: 2,
+              match: %r{^\s+ssl_verify_depth\s+2;}
+            },
             {
               title: 'should set the SSL cache',
               attr: 'ssl_cache',

diff --git a/templates/server/server_ssl_settings.erb b/templates/server/server_ssl_settings.erb
@@ -49,4 +49,7 @@
   <%- if defined? @ssl_trusted_cert -%>
   ssl_trusted_certificate   <%= @ssl_trusted_cert %>;
   <%- end -%>
+  <%- if @ssl_verify_depth -%>
+  ssl_verify_depth          <%= @ssl_verify_depth %>;
+  <%- end -%>
 <% end -%>