Merge pull request #582 from jamescarr/support-ssl-client-verify

Support ssl client verify
2015-03-23 15:05:39 -05:00 · 2015-03-23 15:05:39 -05:00 · acaa4e99ee
commit acaa4e99ee
parent 13b2e4493d 1c5b453d76
4 changed files with 51 additions and 0 deletions
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
@ -44,6 +44,8 @@
 #     vhost.
 #   [*ssl_cert*]            - Pre-generated SSL Certificate file to reference
 #     for SSL Support. This is not generated by this module.
+#   [*ssl_client_cert*]     - Pre-generated SSL Certificate file to reference
+#     for client verify SSL Support. This is not generated by this module.
 #   [*ssl_dhparam*]         - This directive specifies a file containing
 #     Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
 #     format, utilized for exchanging session keys between server and client.
@ -162,6 +164,7 @@ define nginx::resource::vhost (
  $ssl                          = false,
  $ssl_listen_option            = true,
  $ssl_cert                     = undef,
+  $ssl_client_cert              = undef,
  $ssl_dhparam                  = undef,
  $ssl_key                      = undef,
  $ssl_port                     = '443',
@ -262,6 +265,9 @@ define nginx::resource::vhost (
  if ($ssl_cert != undef) {
    validate_string($ssl_cert)
  }
+  if ($ssl_client_cert != undef) {
+    validate_string($ssl_client_cert)
+  }
  validate_bool($ssl_listen_option)
  if ($ssl_dhparam != undef) {
    validate_string($ssl_dhparam)
@ -605,6 +611,12 @@ define nginx::resource::vhost (
      mode   => '0444',
      source => $ssl_cert,
    })
+
+    ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.client.crt", {
+      owner  => $::nginx::config::daemon_user,
+      mode   => '0444',
+      source => $ssl_client_cert,
+    })
    ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.key", {
      owner  => $::nginx::config::daemon_user,
      mode   => '0440',
--- a/spec/defines/resource_vhost_spec.rb
+++ b/spec/defines/resource_vhost_spec.rb
@ -812,6 +812,24 @@ describe 'nginx::resource::vhost' do
        it { is_expected.to contain_file("/etc/nginx/#{title}.key") }
      end

+      context 'when ssl_client_cert is set' do
+        let :params do default_params.merge({
+          :ssl                => true,
+          :listen_port        => 80,
+          :ssl_port           => 80,
+          :ssl_key            => 'dummy.key',
+          :ssl_cert           => 'dummy.cert',
+          :ssl_client_cert    => 'client.cert',
+        }) end
+
+        it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) }
+        it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) }
+        it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) }
+        it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client on;}) }
+        it { is_expected.to contain_file("/etc/nginx/#{title}.crt") }
+        it { is_expected.to contain_file("/etc/nginx/#{title}.client.crt") }
+        it { is_expected.to contain_file("/etc/nginx/#{title}.key") }
+      end
      context 'when passenger_cgi_param is set' do
        let :params do default_params.merge({
          :passenger_cgi_param => { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' }
--- a/templates/vhost/vhost_ssl_header.erb
+++ b/templates/vhost/vhost_ssl_header.erb
@ -46,6 +46,10 @@ server {

  ssl_certificate           <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt;
  ssl_certificate_key       <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.key;
+<% if defined? @ssl_client_cert -%>
+  ssl_client_certificate    <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.client.crt;
+  ssl_verify_client on;
+<% end -%>
 <% if defined? @ssl_dhparam -%>
  ssl_dhparam               <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem;
 <% end -%>
--- a/tests/vhost_ssl.pp
+++ b/tests/vhost_ssl.pp
@ -1,5 +1,14 @@
 include nginx

+nginx::resource::vhost { 'test3.local test3':
+  ensure          => present,
+  www_root        => '/var/www/nginx-default',
+  ssl             => true,
+  ssl_cert        => 'puppet:///modules/sslkey/whildcard_mydomain.crt',
+  ssl_client_cert => 'puppet:///modules/sslkey/whildcard_mydomain.crt',
+  ssl_key         => 'puppet:///modules/sslkey/whildcard_mydomain.key'
+}
+
 nginx::resource::vhost { 'test2.local test2':
  ensure   => present,
  www_root => '/var/www/nginx-default',
@ -15,3 +24,11 @@ nginx::resource::location { 'test2.local-bob':
  vhost    => 'test2.local test2',
 }

+nginx::resource::location { 'test3.local-bob':
+  ensure   => present,
+  www_root => '/var/www/bob',
+  location => '/bob',
+  vhost    => 'test3.local test3',
+}
+
+