From e43d8dca86f356c90e8a8a545c9dd51a666f5d2b Mon Sep 17 00:00:00 2001
From: Rafael Chicoli
Date: Mon, 11 Apr 2016 13:35:19 +0200
Subject: [PATCH] add ssl_verify_client parameter
---
 manifests/resource/vhost.pp | 5 +++++
 spec/defines/resource_vhost_spec.rb | 3 ++-
 templates/vhost/vhost_ssl_settings.erb | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp
index 8a2473d..69c71ef 100644
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
@@ -53,6 +53,7 @@
 # for SSL Support. This is not generated by this module.
 # [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference
 # for client verify SSL Support. This is not generated by this module.
+# [*ssl_verify_client*] - Enables verification of client certificates.
 # [*ssl_crl*] - String: Specifies CRL path in file system
 # [*ssl_dhparam*] - This directive specifies a file containing
 # Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
@@ -191,6 +192,7 @@ define nginx::resource::vhost (
 $ssl_listen_option = true,
 $ssl_cert = undef,
 $ssl_client_cert = undef,
+ $ssl_verify_client = 'on',
 $ssl_dhparam = undef,
 $ssl_key = undef,
 $ssl_port = 443,
@@ -322,6 +324,9 @@ define nginx::resource::vhost (
 if ($ssl_client_cert != undef) {
 validate_string($ssl_client_cert)
 }
+ if ($ssl_verify_client != undef) {
+ validate_string($ssl_verify_client)
+ }
 if ($ssl_crl != undef) {
 validate_string($ssl_crl)
 }
diff --git a/spec/defines/resource_vhost_spec.rb b/spec/defines/resource_vhost_spec.rb
index e7adec2..1294e24 100644
--- a/spec/defines/resource_vhost_spec.rb
+++ b/spec/defines/resource_vhost_spec.rb
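Review bot: The new `ssl_verify_client` doc line in the hunk at +53 does not say which values are accepted or what each one means for authentication. nginx accepts `on`, `off`, `optional` and `optional_no_ca`; with the two optional modes a client that presents no certificate is still served, so whatever sits behind the vhost has to check `$ssl_client_verify` itself. I would expand the comment to `# [*ssl_verify_client*] - String: 'on' (default), 'off', 'optional' or 'optional_no_ca'. Only 'on' requires every client to present a valid certificate.`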
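Review bot: `validate_string($ssl_verify_client)` in the hunk at +324 accepts any string, and the template hunk in templates/vhost/vhost_ssl_settings.erb writes that string into the nginx config unchanged. A typo is only caught when nginx reloads, and a value carrying `;` or a newline from Hiera or another data source would end up as extra directives in the server block. Since nginx accepts exactly four values, an allow-list is the tighter check: `validate_re($ssl_verify_client, '\A(on|off|optional|optional_no_ca)\z')`, anchored with `\A`/`\z` because `^`/`$` match per line in Ruby regexes. The enclosing define continues outside this hunk.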
@@ -922,12 +922,13 @@ describe 'nginx::resource::vhost' do :ssl_key => 'dummy.key', :ssl_cert => 'dummy.cert', :ssl_client_cert => 'client.cert', + :ssl_verify_client => 'optional', }) end it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) } - it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client on;}) } + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client\s+optional;}) } end context 'when passenger_cgi_param is set' do let :params do default_params.merge({
diff --git a/templates/vhost/vhost_ssl_settings.erb b/templates/vhost/vhost_ssl_settings.erb
index 36629a1..a5d1863 100644
--- a/templates/vhost/vhost_ssl_settings.erb
+++ b/templates/vhost/vhost_ssl_settings.erb
@@ -4,7 +4,7 @@
 ssl_certificate_key <%= @ssl_key %>;
 <% if defined? @ssl_client_cert -%>
 ssl_client_certificate <%= @ssl_client_cert %>;
- ssl_verify_client on;
+ ssl_verify_client <%= @ssl_verify_client %>;
 <% end -%>
 <% if defined? @ssl_dhparam -%>
 ssl_dhparam <%= @ssl_dhparam %>;
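Review bot: Passing `:ssl_verify_client => 'optional'` in this example and rewriting the last expectation removes the only assertion in the visible lines that the default still renders `ssl_verify_client on;`. If the default in manifests/resource/vhost.pp were later changed or dropped, client-certificate enforcement would weaken without any spec failing. I would keep the original case in a context that sets `:ssl_client_cert` but not `:ssl_verify_client`, with `it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client\s+on;}) }`, and add the `optional` case beside it. The example group edited here starts above the hunk.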
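Review bot: The `ssl_verify_client` line stays inside the `<% if defined? @ssl_client_cert -%>` guard, so the new parameter has no effect unless `ssl_client_cert` is also set. A vhost declared with `ssl_verify_client => 'on'` but without the CA file is rendered with no client verification and no error. I would state that dependency in the parameter documentation in manifests/resource/vhost.pp, for example `#   Only applied when ssl_client_cert is set.`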