Merge pull request #798 from rchicoli/ssl_verify_client

add ssl_verify_client parameter
2016-04-12 18:08:26 -04:00 · 2016-04-12 18:08:26 -04:00 · b4946b7574
commit b4946b7574
parent f13fdc02a0 e43d8dca86
3 changed files with 8 additions and 2 deletions
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
@ -53,6 +53,7 @@
 #     for SSL Support. This is not generated by this module.
 #   [*ssl_client_cert*]     - Pre-generated SSL Certificate file to reference
 #     for client verify SSL Support. This is not generated by this module.
+#   [*ssl_verify_client*]   - Enables verification of client certificates.
 #   [*ssl_crl*]             - String: Specifies CRL path in file system
 #   [*ssl_dhparam*]         - This directive specifies a file containing
 #     Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
@ -191,6 +192,7 @@ define nginx::resource::vhost (
  $ssl_listen_option            = true,
  $ssl_cert                     = undef,
  $ssl_client_cert              = undef,
+  $ssl_verify_client            = 'on',
  $ssl_dhparam                  = undef,
  $ssl_key                      = undef,
  $ssl_port                     = 443,
@ -322,6 +324,9 @@ define nginx::resource::vhost (
  if ($ssl_client_cert != undef) {
    validate_string($ssl_client_cert)
  }
+  if ($ssl_verify_client != undef) {
+    validate_string($ssl_verify_client)
+  }
  if ($ssl_crl != undef) {
    validate_string($ssl_crl)
  }
--- a/spec/defines/resource_vhost_spec.rb
+++ b/spec/defines/resource_vhost_spec.rb
@ -922,12 +922,13 @@ describe 'nginx::resource::vhost' do
          :ssl_key            => 'dummy.key',
          :ssl_cert           => 'dummy.cert',
          :ssl_client_cert    => 'client.cert',
+          :ssl_verify_client  => 'optional',
        }) end

        it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) }
        it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) }
        it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) }
-        it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client on;}) }
+        it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client\s+optional;}) }
      end
      context 'when passenger_cgi_param is set' do
        let :params do default_params.merge({
--- a/templates/vhost/vhost_ssl_settings.erb
+++ b/templates/vhost/vhost_ssl_settings.erb
@ -4,7 +4,7 @@
  ssl_certificate_key       <%= @ssl_key %>;
 <% if defined? @ssl_client_cert -%>
  ssl_client_certificate    <%= @ssl_client_cert %>;
-  ssl_verify_client on;
+  ssl_verify_client         <%= @ssl_verify_client %>;
 <% end -%>
 <% if defined? @ssl_dhparam -%>
  ssl_dhparam               <%= @ssl_dhparam %>;