diff --git a/REFERENCE.md b/REFERENCE.md
index 671e00463c3208ddf121b994b0b1f4dd450b1934..1389ab5b2e0973ca3774e1756bf4aa14004c3dcf 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -80,6 +80,7 @@ The following parameters are available in the `cfssl` class:
 * [`version`](#version)
 * [`downloadchecksum`](#downloadchecksum)
 * [`checksum_type`](#checksum_type)
+* [`sysuser_manage`](#sysuser_manage)
 * [`sysuser`](#sysuser)
 * [`sysgroup`](#sysgroup)
 * [`binding_ip`](#binding_ip)
@@ -134,6 +135,14 @@ Type of checksum used
 
 Default value: `'sha256'`
 
+##### <a name="sysuser_manage"></a>`sysuser_manage`
+
+Data type: `Boolean`
+
+To enable/disable the creation of sysuser and sysgroup. To permit manage users by external process.
+
+Default value: ``true``
+
 ##### <a name="sysuser"></a>`sysuser`
 
 Data type: `String[1]`
diff --git a/manifests/goose.pp b/manifests/goose.pp
index 8dd68a08e0c889b09a4c7f9e9dcc8799d3b1374d..a02092c79d4b3782ecdf14aecc4aa7643b31c9e0 100644
--- a/manifests/goose.pp
+++ b/manifests/goose.pp
@@ -18,10 +18,9 @@ class cfssl::goose {
 checksum => $cfssl::params::goose_checksum,
 }
 -> file { "${cfssl::binpath}/goose" :
- ensure => file,
- mode => '0700',
- owner => $cfssl::sysuser,
- group => $cfssl::sysgroup,
- require => User[$cfssl::sysuser],
+ ensure => file,
+ mode => '0700',
+ owner => $cfssl::sysuser,
+ group => $cfssl::sysgroup,
 }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 1e0f537db2a9346c1ebbe140899c30461f6c6ce0..7fa2c54580adf4749f70ddb4349a459ae60329d0 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -29,6 +29,7 @@
 # @param version Downloaded version of CFSSL binary
 # @param downloadchecksum Checksum of CFSSL binary
 # @param checksum_type Type of checksum used
+# @param sysuser_manage To enable/disable the creation of sysuser and sysgroup. To permit manage users by external process.
 # @param sysuser Operating system user account owner of CFSSL files
 # @param sysgroup Operating system group owner of CFSSL files
 # @param binding_ip IP adresse binded by CFSSL serve process.
@@ -56,6 +57,7 @@ class cfssl (
 String[1] $version = '1.6.3',
 String[1] $downloadchecksum = '16b42bfc592dc4d0ba1e51304f466cae7257edec13743384caf4106195ab6047',
 Enum['md5', 'sha1', 'sha2','sha256', 'sha384', 'sha512'] $checksum_type = 'sha256',
+ Boolean $sysuser_manage = true,
 String[1] $sysuser = 'cfssl',
 String[1] $sysgroup = 'cfssl',
 Stdlib::IP::Address $binding_ip = '127.0.0.1',
@@ -88,14 +90,25 @@ class cfssl (
 $dbpassword
 }
 
- group { $sysgroup :
- ensure => present,
- }
- -> user { $sysuser :
- ensure => present,
- managehome => true,
- shell => '/bin/bash',
- gid => $sysgroup,
+ if $sysuser_manage {
+ group { $sysgroup :
+ ensure => present,
+ }
+ -> user { $sysuser :
+ ensure => present,
+ managehome => true,
+ shell => '/bin/bash',
+ gid => $sysgroup,
+ before => [
+ File["${binpath}/cfssl", $confdir, "${confdir}/ca", $logdir],
+ File["${confdir}/${cfssl::params::db_config_json}"],
+ File["${confdir}/${cfssl::params::serve_config_json}"],
+ Vcsrepo[$_goose_cfssldbmigrate_path],
+ Exec['goose pg up'],
+ File["${cfssl::binpath}/goose"],
+ Class['cfssl::ca::root'],
+ ],
+ }
 }
 
 archive { "${binpath}/cfssl" :
@@ -106,11 +119,10 @@ class cfssl (
 checksum => $downloadchecksum,
 }
 -> file { "${binpath}/cfssl" :
- ensure => file,
- mode => '0700',
- owner => $sysuser,
- group => $sysgroup,
- require => User[$sysuser],
+ ensure => file,
+ mode => '0700',
+ owner => $sysuser,
+ group => $sysgroup,
 }
 
 $cfssl::params::binaries.each | String $_bin | {
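Review bot: The new `@param sysuser_manage` line does not state the contract the rest of this change depends on: when it is false, `$sysuser` and `$sysgroup` must already exist before this class is applied, because every file resource still sets `owner`/`group` to them and the module no longer declares any relationship to an externally managed `User` resource. A wording such as `# @param sysuser_manage Whether this class creates the sysuser and sysgroup. Set to false when they are managed elsewhere; they must then exist before this class is applied, since files are chowned to them.` also repairs the grammar of the current sentence. The same text appears in REFERENCE.md and should be updated together.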
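Review bot: The `before` list on `user { $sysuser }` does not include `File[$crldir]`, yet hunk @@ -127 removes the `require => User[$sysuser]` that the `$crldir_manage` file resource carried, so with both `sysuser_manage` and `crldir_manage` true nothing declares that the user exists before that directory is chowned; Puppet's default manifest ordering likely masks this in practice, but the dependency is gone from the catalog. The smallest fix is in the `$crldir` block: `require => $sysuser_manage ? { true => User[$sysuser], default => undef },`. More generally this `before` array is now the single place that has to be updated whenever another resource owned by `$sysuser` is added, where each resource used to carry its own `require`; a comment above it, `# Every resource chowned to $sysuser/$sysgroup must be listed here, since those resources no longer require the user themselves`, would make that maintenance rule visible. The enclosing class body continues outside the hunk.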
@@ -127,25 +139,23 @@ class cfssl (
 mode => '0700',
 owner => $sysuser,
 group => $sysgroup,
- require => User[$sysuser],
+ require => File["${binpath}/cfssl"],
 }
 }
 
 file { [$confdir, "${confdir}/ca", $logdir]:
- ensure => directory,
- mode => '0700',
- owner => $sysuser,
- group => $sysgroup,
- require => User[$sysuser],
+ ensure => directory,
+ mode => '0700',
+ owner => $sysuser,
+ group => $sysgroup,
 }
 
 if $crldir_manage {
 file { $crldir:
- ensure => directory,
- mode => '0700',
- owner => $sysuser,
- group => $sysgroup,
- require => User[$sysuser],
+ ensure => directory,
+ mode => '0700',
+ owner => $sysuser,
+ group => $sysgroup,
 }
 }
 
@@ -187,7 +197,6 @@ class cfssl (
 cwd => "${_goose_cfssldbmigrate_path}/certdb/pg/migrations",
 onlyif => "${binpath}/goose postgres \"host=localhost user=${cfssl::dbuser} password='\$DBPASSWORD' dbname=${cfssl::dbname} sslmode=disable\" status 2>&1 | grep -q 'Pending'",
 require => [
- User[$sysuser],
 Vcsrepo[$_goose_cfssldbmigrate_path],
 Postgresql::Server::Db[$dbname],
 Class[cfssl::goose],
diff --git a/spec/acceptance/cfssl_spec.rb b/spec/acceptance/cfssl_spec.rb
index 4d2305f2f67ea838294a07e89ada1bbe0d58089c..f2d13961426be6a47b1d8e96f3f4682c739a4824 100644
--- a/spec/acceptance/cfssl_spec.rb
+++ b/spec/acceptance/cfssl_spec.rb
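Review bot: `require => File["${binpath}/cfssl"]` on the per-binary file resource expresses the user dependency only indirectly (the user resource's `before` list names that file), so a reader sees one binary depending on an unrelated binary with no explanation. Either add a comment on that line, `# ordered after the cfssl binary, which User[$sysuser] is declared before when sysuser_manage is true`, or express the intent directly with `require => $sysuser_manage ? { true => User[$sysuser], default => undef },`. The enclosing `each` block and its file resource title start before this hunk.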
@@ -1,7 +1,31 @@
 require 'spec_helper_acceptance'
 
 describe 'cfssl' do
- context 'with defaults' do
+ context 'with defaults and sysuser_manage to false' do
+ pp = %(
+ class { 'cfssl':
+ sysuser_manage => false,
+ }
+ )
+
+ it 'applies without error' do
+ apply_manifest(pp, catch_failures: true)
+ end
+ it 'applies idempotently' do
+ apply_manifest(pp, catch_changes: true)
+ end
+
+ describe command('openssl x509 -in /etc/cfssl/ca/EXEMPLEROOTCA.pem -text -noout') do
+ # rubocop:disable RSpec/RepeatedDescription
+ its(:stdout) { is_expected.to match %r{Certificate:} }
+ its(:stdout) { is_expected.to match %r{Issuer: C = FR, L = MONTPELLIER, O = EXEMPLE ORG, CN = EXEMPLE ROOT CA} }
+ its(:stdout) { is_expected.to match %r{Subject: C = FR, L = MONTPELLIER, O = EXEMPLE ORG, CN = EXEMPLE ROOT CA} }
+ its(:stdout) { is_expected.to match %r{CA:TRUE} }
+ # rubocop:enable RSpec/RepeatedDescription
+ end
+ end
+
+ context 'with defaults and sysuser_manage to true' do
 pp = %(
 include cfssl
 )
diff --git a/spec/classes/cfssl_spec.rb b/spec/classes/cfssl_spec.rb
index ad53d0c1e66b4af8bd56abc550285b4ab1b637e7..04b64b8bc0b3ddbb0e13e81023a2dc29f5494eea 100644
--- a/spec/classes/cfssl_spec.rb
+++ b/spec/classes/cfssl_spec.rb
@@ -12,6 +12,16 @@ describe 'cfssl' do
 let(:facts) { os_facts.merge(service_provider: 'systemd') }
 
 it { is_expected.to compile }
+
+ context 'with sysuser_manage to false' do
+ let(:params) do
+ {
+ sysuser_manage: false,
+ }
+ end
+
+ it { is_expected.to compile }
+ end
 end
 end
 end
diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
index 1064aeb3769eb223c6b634aba31938ba93cfa159..00338bbf16f997392d94d4e71f9e436b1e26caca 100644
--- a/spec/spec_helper_acceptance.rb
+++ b/spec/spec_helper_acceptance.rb
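Review bot: The new `sysuser_manage => false` context only passes because the hunk in spec/spec_helper_acceptance.rb now pre-creates the `cfssl` group and user on the SUT for every example, which also means the following `sysuser_manage to true` context applies against a user that already exists, so the module's own user-creation path is no longer exercised end to end. If the `true` context ran first, the module itself would create the user and the `false` context could reuse it without any helper-side provisioning; that relies on example ordering, which should be checked against the spec_helper's RSpec configuration before reordering. The `rubocop:disable RSpec/RepeatedDescription` pair could also be dropped by chaining the matchers, e.g. `its(:stdout) { is_expected.to match(%r{Certificate:}).and match(%r{CA:TRUE}) }`.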
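Review bot: The new `with sysuser_manage to false` context only asserts that the catalog compiles, so it would still pass if the parameter were ignored; it should pin the behaviour with `it { is_expected.not_to contain_user('cfssl') }` and `it { is_expected.not_to contain_group('cfssl') }`, with the matching positive `contain_user('cfssl')` expectation beside the default-case `compile` check above. The `describe` and `on_supported_os` blocks these examples sit in start outside the hunk.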
@@ -14,6 +14,15 @@ RSpec.configure do |c|
 # curl is used during tests to interact with CA
 pp_prepare_sut = %(
 package { ['git','curl']: ensure => present }
+ group { 'cfssl' :
+ ensure => present,
+ }
+ -> user { 'cfssl' :
+ ensure => present,
+ managehome => true,
+ shell => '/bin/bash',
+ gid => 'cfssl',
+ }
 )
 apply_manifest(pp_prepare_sut, catch_failures: true)
 end