Merge pull request #1346 from joernott/feature_ssl_password_file

Add ssl_password_file directive to support encrypted ssl keys
voxpupuli · Sep 24, 2019 · 9ddae82 · 9ddae82
2 parents f3aaa06 + 2c8eccd
commit 9ddae82
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 0 deletions.
diff --git a/manifests/resource/server.pp b/manifests/resource/server.pp
@@ -71,6 +71,7 @@
 #   [*ssl_trusted_cert*]           - String: Specifies a file with trusted CA certificates in the PEM format used to verify client
 #     certificates and OCSP responses if ssl_stapling is enabled.
 #   [*ssl_verify_depth*]           - Integer: Sets the verification depth in the client certificates chain.
+#   [*ssl_password_file*]          - String: File containing the password for the SSL Key file.
 #   [*spdy*]                       - Toggles SPDY protocol.
 #   [*http2*]                      - Toggles HTTP/2 protocol.
 #   [*server_name*]                - List of servernames for which this server will respond. Default [$name].
@@ -187,6 +188,7 @@
   Optional[String] $ssl_session_ticket_key                                       = undef,
   Optional[String] $ssl_trusted_cert                                             = undef,
   Optional[Integer] $ssl_verify_depth                                            = undef,
+  Optional[Stdlib::Absolutepath] $ssl_password_file                              = undef,
   Enum['on', 'off'] $spdy                                                        = $nginx::spdy,
   Enum['on', 'off'] $http2                                                       = $nginx::http2,
   Optional[String] $proxy                                                        = undef,

diff --git a/spec/acceptance/nginx_server_spec.rb b/spec/acceptance/nginx_server_spec.rb
@@ -111,4 +111,52 @@ class { 'nginx': }
       end
     end
   end
+
+  context 'should run successfully with encrypted ssl key' do
+    it 'configures a nginx SSL server' do
+      pp = "
+      class { 'nginx': }
+      nginx::resource::server { 'www.puppetlabs.com':
+        ensure            => present,
+        ssl               => true,
+        ssl_cert          => '/etc/pki/tls/certs/crypted.cert',
+        ssl_key           => '/etc/pki/tls/private/crypted.key',
+        ssl_password_file => '/etc/pki/tls/private/crypted.pass',
+        www_root          => '/var/www/www.puppetlabs.com',
+      }
+      host { 'www.puppetlabs.com': ip => '127.0.0.1', }
+      file { ['/var/www','/var/www/www.puppetlabs.com']: ensure => directory }
+      file { '/var/www/www.puppetlabs.com/index.html': ensure  => file, content => 'Hello from www\n', }
+      "
+
+      apply_manifest(pp, catch_failures: true)
+    end
+
+    describe file('/etc/nginx/sites-available/www.puppetlabs.com.conf') do
+      it { is_expected.to be_file }
+      it { is_expected.to contain 'ssl_password_file         /etc/pki/tls/private/crypted.pass;' }
+    end
+
+    describe service('nginx') do
+      it { is_expected.to be_running }
+    end
+
+    describe port(443) do
+      it { is_expected.to be_listening }
+    end
+
+    it 'answers to https://www.puppetlabs.com with "Hello from www"' do
+      # use --insecure because it's a self-signed cert
+      shell('/usr/bin/curl --insecure https://www.puppetlabs.com:443') do |r|
+        expect(r.stdout).to eq("Hello from www\n")
+      end
+    end
+
+    it 'answers to https://www.puppetlabs.com without error' do
+      # use --insecure because it's a self-signed cert
+      shell('/usr/bin/curl --fail --insecure https://www.puppetlabs.com:443') do |r|
+        expect(r.exit_code).to eq(0)
+      end
+    end
+  end
 end
diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
@@ -67,7 +67,11 @@
 
       # put the keys in a directory with the correct SELinux context
       on host, 'cp /tmp/blah.cert /etc/pki/tls/certs/blah.cert'
+      on host, 'cp /tmp/blah.cert /etc/pki/tls/certs/crypted.cert'
       on host, 'cp /tmp/blah.key /etc/pki/tls/private/blah.key'
+      on host, 'openssl rsa -in /tmp/blah.key -out /etc/pki/tls/private/crypted.key -passout pass:Sup3r_S3cr3t_Passw0rd'
+      on host, 'echo Sup3r_S3cr3t_Passw0rd >/etc/pki/tls/private/crypted.pass'
+      on host, 'chmod 0600 /etc/pki/tls/private/crypted.pass'
     end
   end
 end
diff --git a/templates/server/server_ssl_settings.erb b/templates/server/server_ssl_settings.erb
@@ -53,4 +53,7 @@
   <%- if @ssl_verify_depth -%>
   ssl_verify_depth          <%= @ssl_verify_depth %>;
   <%- end -%>
+  <%- if @ssl_password_file -%>
+  ssl_password_file         <%= @ssl_password_file %>;
+  <%- end -%>
 <% end -%>