diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
index 8b466cfb..daceb642 100644
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -131,19 +131,29 @@ You can install all needed gems for spec tests into the modules directory by
 running:
 
 ```sh
-bundle install --path .vendor/ --without development system_tests release --jobs "$(nproc)"
+bundle config set --local path '.vendor/'
+bundle config set --local without 'development system_tests release'
+bundle install --jobs "$(nproc)"
 ```
 
 If you also want to run acceptance tests:
 
 ```sh
-bundle install --path .vendor/ --with system_tests --without development release --jobs "$(nproc)"
+bundle config set --local path '.vendor/'
+bundle config set --local without 'development release'
+bundle config set --local with 'system_tests'
+bundle install --jobs "$(nproc)"
 ```
 
 Our all in one solution if you don't know if you need to install or update gems:
 
 ```sh
-bundle install --path .vendor/ --with system_tests --without development release --jobs "$(nproc)"; bundle update; bundle clean
+bundle config set --local path '.vendor/'
+bundle config set --local without 'development release'
+bundle config set --local with 'system_tests'
+bundle install --jobs "$(nproc)"
+bundle update
+bundle clean
 ```
 
 As an alternative to the `--jobs "$(nproc)` parameter, you can set an
@@ -232,18 +242,29 @@ simple tests against it after applying the module.
 You can run this with:
 
 ```sh
-BEAKER_setfile=debian11-64 bundle exec rake beaker
+BEAKER_PUPPET_COLLECTION=puppet7 BEAKER_setfile=debian11-64 bundle exec rake beaker
 ```
 
-You can replace the string `debian10` with any common operating system.
+or
+
+```sh
+BEAKER_PUPPET_COLLECTION=none BEAKER_setfile=archlinux-64 bundle exec rake beaker
+```
+
+This latter example will use the distribution's own version of Puppet.
+
+You can replace the string `debian11` with any common operating system.
 The following strings are known to work:
 
-* ubuntu1804
 * ubuntu2004
-* debian10
+* ubuntu2204
 * debian11
-* centos7
-* centos8
+* debian12
+* centos9
+* archlinux
+* almalinux8
+* almalinux9
+* fedora36
 
 For more information and tips & tricks, see
 [voxpupuli-acceptance's documentation](https://github.com/voxpupuli/voxpupuli-acceptance#running-tests).
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
deleted file mode 100644
index cacadf22..00000000
--- a/.github/SECURITY.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Vox Pupuli Security Policy
-
-Our vulnerabilities reporting process is at https://voxpupuli.org/security/
diff --git a/.rspec b/.github/labeler.yml
similarity index 63%
rename from .rspec
rename to .github/labeler.yml
index f634583d..f2d08d6b 100644
--- a/.rspec
+++ b/.github/labeler.yml
@@ -1,5 +1,6 @@
+---
 # Managed by modulesync - DO NOT EDIT
 # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
 
---format documentation
---color
+skip-changelog:
+  - head-branch: ['^release-*', 'release']
diff --git a/.github/release.yml b/.github/release.yml
new file mode 100644
index 00000000..f5b5d7a9
--- /dev/null
+++ b/.github/release.yml
@@ -0,0 +1,42 @@
+---
+# Managed by modulesync - DO NOT EDIT
+# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
+
+# https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
+
+changelog:
+  exclude:
+    labels:
+      - duplicate
+      - invalid
+      - modulesync
+      - question
+      - skip-changelog
+      - wont-fix
+      - wontfix
+
+  categories:
+    - title: Breaking Changes 🛠
+      labels:
+        - backwards-incompatible
+
+    - title: New Features 🎉
+      labels:
+        - enhancement
+
+    - title: Bug Fixes 🐛
+      labels:
+        - bug
+
+    - title: Documentation Updates 📚
+      labels:
+        - documentation
+        - docs
+
+    - title: Dependency Updates ⬆️
+      labels:
+        - dependencies
+
+    - title: Other Changes
+      labels:
+        - "*"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9ac5f4a3..01e37028 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,97 +4,22 @@
 
 name: CI
 
-on: pull_request
+# yamllint disable-line rule:truthy
+on:
+  pull_request: {}
+  push:
+    branches:
+      - main
+      - master
 
 concurrency:
   group: ${{ github.ref_name }}
   cancel-in-progress: true
 
 jobs:
-  setup_matrix:
-    name: 'Setup Test Matrix'
-    runs-on: ubuntu-latest
-    timeout-minutes: 40
-    outputs:
-      beaker_setfiles: ${{ steps.get-outputs.outputs.beaker_setfiles }}
-      puppet_major_versions: ${{ steps.get-outputs.outputs.puppet_major_versions }}
-      puppet_unit_test_matrix: ${{ steps.get-outputs.outputs.puppet_unit_test_matrix }}
-    env:
-      BUNDLE_WITHOUT: development:system_tests:release
-    steps:
-      - uses: actions/checkout@v2
-      - name: Setup ruby
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '3.0'
-          bundler-cache: true
-      - name: Run static validations
-        run: bundle exec rake validate lint check
-      - name: Run rake rubocop
-        run: bundle exec rake rubocop
-      - name: Setup Test Matrix
-        id: get-outputs
-        run: bundle exec metadata2gha --use-fqdn --pidfile-workaround false
-
-  unit:
-    needs: setup_matrix
-    runs-on: ubuntu-latest
-    timeout-minutes: 40
-    strategy:
-      fail-fast: false
-      matrix:
-        include: ${{fromJson(needs.setup_matrix.outputs.puppet_unit_test_matrix)}}
-    env:
-      BUNDLE_WITHOUT: development:system_tests:release
-      PUPPET_VERSION: "~> ${{ matrix.puppet }}.0"
-    name: Puppet ${{ matrix.puppet }} (Ruby ${{ matrix.ruby }})
-    steps:
-      - uses: actions/checkout@v2
-      - name: Setup ruby
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: ${{ matrix.ruby }}
-          bundler-cache: true
-      - name: Run tests
-        run: bundle exec rake parallel_spec
-
-  acceptance:
-    needs: setup_matrix
-    runs-on: ubuntu-latest
-    env:
-      BUNDLE_WITHOUT: development:test:release
-    strategy:
-      fail-fast: false
-      matrix:
-        setfile:
-          - name: CentOS 8
-            value: centos8-64vpnserver.ma{hostname=vpnserver}-centos8-64vpnclienta.a{hostname=vpnclienta}
-          - name: Debian 11
-            value: debian11-64vpnserver.ma{hostname=vpnserver}-debian11-64vpnclienta.a{hostname=vpnclienta}
-          - name: Ubuntu 20.04
-            value: ubuntu2004-64vpnserver.ma{hostname=vpnserver}-ubuntu2004-64vpnclienta.a{hostname=vpnclienta}
-          - name: Ubuntu 22.04
-            value: ubuntu2204-64vpnserver.ma{hostname=vpnserver}-ubuntu2204-64vpnclienta.a{hostname=vpnclienta}
-        puppet: ${{fromJson(needs.setup_matrix.outputs.puppet_major_versions)}}
-    name: ${{ matrix.puppet.name }} - ${{ matrix.setfile.name }}
-    steps:
-      - uses: actions/checkout@v2
-      - name: Setup ruby
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '3.0'
-          bundler-cache: true
-      - name: Run tests
-        run: bundle exec rake beaker
-        env:
-          BEAKER_PUPPET_COLLECTION: ${{ matrix.puppet.collection }}
-          BEAKER_setfile: ${{ matrix.setfile.value }}
-
-  tests:
-    needs:
-      - unit
-      - acceptance
-    runs-on: ubuntu-latest
-    name: Test suite
-    steps:
-      - run: echo Test suite completed
+  puppet:
+    name: Puppet
+    uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v3
+    with:
+      beaker_hosts: 'vpnserver:ma;vpnclienta:a'
+      beaker_hypervisor: 'vagrant_libvirt'
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
new file mode 100644
index 00000000..73be88dc
--- /dev/null
+++ b/.github/workflows/labeler.yml
@@ -0,0 +1,18 @@
+---
+# Managed by modulesync - DO NOT EDIT
+# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
+
+name: "Pull Request Labeler"
+
+# yamllint disable-line rule:truthy
+on:
+  pull_request_target: {}
+
+jobs:
+  labeler:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/labeler@v5
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml
new file mode 100644
index 00000000..01efa1a8
--- /dev/null
+++ b/.github/workflows/prepare_release.yml
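Review bot: The new `puppet` job hands the repository's default `GITHUB_TOKEN` permissions to the reusable workflow because no `permissions:` block is declared, while the sibling `labeler.yml` added in this same commit does scope its token; since a called workflow can only narrow what the caller passes, a top-level `permissions:` / `  contents: read` in this file is the ceiling this repo actually controls. Whether `gha-puppet`'s `beaker.yml` restricts itself further is not visible here. The reusable workflow is also referenced by the mutable `@v3` tag rather than a commit SHA, so a moved or compromised tag in `voxpupuli/gha-puppet` runs in this repository's context on every PR and push to `main`/`master`; both are modulesync-managed choices, so the fix belongs in `modulesync_config` rather than a local edit.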
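Review bot: `labeler.yml` runs on `pull_request_target` with `pull-requests: write`, which is only safe as long as the job never checks out or executes code from the PR head — it currently does not, but nothing in the file records that invariant for the next person who adds a step. A comment above `steps:` such as `# pull_request_target runs with a write token on fork PRs: never add a checkout of the PR head or run PR-controlled code in this job` would make it explicit. Because the single step executes with that write-capable token on untrusted events, `actions/labeler@v5` should be pinned to a full commit SHA rather than a mutable major tag; as a modulesync-managed file that change goes upstream.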
@@ -0,0 +1,23 @@
+---
+# Managed by modulesync - DO NOT EDIT
+# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
+
+name: 'Prepare Release'
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Module version to be released. Must be a valid semver string without leading v. (1.2.3)'
+        required: false
+
+jobs:
+  release_prep:
+    uses: 'voxpupuli/gha-puppet/.github/workflows/prepare_release.yml@v3'
+    with:
+      version: ${{ github.event.inputs.version }}
+      allowed_owner: 'voxpupuli'
+    secrets:
+      # Configure secrets here:
+      # https://docs.github.com/en/actions/security-guides/encrypted-secrets
+      github_pat: '${{ secrets.PCCI_PAT_RELEASE_PREP }}'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 15f17213..3db60fbc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,7 @@
 
 name: Release
 
+# yamllint disable-line rule:truthy
 on:
   push:
     tags:
@@ -12,7 +13,7 @@ on:
 jobs:
   release:
     name: Release
-    uses: voxpupuli/gha-puppet/.github/workflows/release.yml@v1
+    uses: voxpupuli/gha-puppet/.github/workflows/release.yml@v3
     with:
       allowed_owner: 'voxpupuli'
     secrets:
diff --git a/.gitignore b/.gitignore
index 9b95224c..adea1b01 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,23 +1,25 @@
 # Managed by modulesync - DO NOT EDIT
 # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
 
-pkg/
-Gemfile.lock
-Gemfile.local
-vendor/
-.vendor/
-spec/fixtures/manifests/
-spec/fixtures/modules/
-.vagrant/
-.bundle/
-.ruby-version
-coverage/
-log/
-.idea/
-.dependencies/
-.librarian/
-Puppetfile.lock
+/pkg/
+/Gemfile.lock
+/Gemfile.local
+/vendor/
+/.vendor/
+/spec/fixtures/manifests/
+/spec/fixtures/modules/
+/.vagrant/
+/.bundle/
+/.ruby-version
+/coverage/
+/log/
+/.idea/
+/.dependencies/
+/.librarian/
+/Puppetfile.lock
 *.iml
 .*.sw?
-.yardoc/
-Guardfile
+/.yardoc/
+/Guardfile
+bolt-debug.log
+.rerun.json
diff --git a/.msync.yml b/.msync.yml
index 02353859..32df814c 100644
--- a/.msync.yml
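Review bot: The `version` input is described as a strict semver string, but nothing enforces that — GitHub does not validate `workflow_dispatch` inputs, so whatever a dispatcher types reaches `prepare_release.yml@v3` verbatim via `with:`. A `uses:` job cannot carry its own steps, so the check has to live in the called workflow; if that workflow interpolates the value into a `run:` line (not visible here) a crafted input becomes script injection for anyone with dispatch rights, which is limited in impact because they already hold write access, but cheap to close. Please either confirm `gha-puppet` rejects non-`^[0-9]+\.[0-9]+\.[0-9]+$` values or note in the `# Configure secrets here:` block that the caller relies on it doing so. `PCCI_PAT_RELEASE_PREP` is a long-lived PAT; recording its required scopes next to the secret reference would keep a future rotation from over-scoping it.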
+++ b/.msync.yml
@@ -2,4 +2,4 @@
 # Managed by modulesync - DO NOT EDIT
 # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
 
-modulesync_config_version: '5.3.0'
+modulesync_config_version: '9.5.0'
diff --git a/.overcommit.yml b/.overcommit.yml
index d367adae..4ed994cc 100644
--- a/.overcommit.yml
+++ b/.overcommit.yml
@@ -43,10 +43,12 @@ PreCommit:
     enabled: true
     description: 'Runs rubocop on modified files only'
     command: ['bundle', 'exec', 'rubocop']
-  PuppetLint:
+  RakeTarget:
     enabled: true
-    description: 'Runs puppet-lint on modified files only'
-    command: ['bundle', 'exec', 'puppet-lint']
+    description: 'Runs lint on modified files only'
+    targets:
+      - 'lint'
+    command: ['bundle', 'exec', 'rake']
   YamlSyntax:
     enabled: true
   JsonSyntax:
diff --git a/.pmtignore b/.pmtignore
index 65f50514..a9d37aa0 100644
--- a/.pmtignore
+++ b/.pmtignore
@@ -1,37 +1,39 @@
 # Managed by modulesync - DO NOT EDIT
 # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
 
-docs/
-pkg/
-Gemfile
-Gemfile.lock
-Gemfile.local
-vendor/
-.vendor/
-spec/
-Rakefile
-.vagrant/
-.bundle/
-.ruby-version
-coverage/
-log/
-.idea/
-.dependencies/
-.github/
-.librarian/
-Puppetfile.lock
+/docs/
+/pkg/
+/Gemfile
+/Gemfile.lock
+/Gemfile.local
+/vendor/
+/.vendor/
+/spec/
+/Rakefile
+/.vagrant/
+/.bundle/
+/.ruby-version
+/coverage/
+/log/
+/.idea/
+/.dependencies/
+/.github/
+/.librarian/
+/Puppetfile.lock
+/Puppetfile
 *.iml
-.editorconfig
-.fixtures.yml
-.gitignore
-.msync.yml
-.overcommit.yml
-.pmtignore
-.rspec
-.rspec_parallel
-.rubocop.yml
-.sync.yml
+/.editorconfig
+/.fixtures.yml
+/.gitignore
+/.msync.yml
+/.overcommit.yml
+/.pmtignore
+/.rspec
+/.rspec_parallel
+/.rubocop.yml
+/.sync.yml
 .*.sw?
-.yardoc/
-.yardopts
-Dockerfile
+/.yardoc/
+/.yardopts
+/Dockerfile
+/HISTORY.md
diff --git a/.puppet-lint.rc b/.puppet-lint.rc
index dd8272c7..05d28a26 100644
--- a/.puppet-lint.rc
+++ b/.puppet-lint.rc
@@ -1,3 +1,6 @@
+# Managed by modulesync - DO NOT EDIT
+# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
+
 --fail-on-warnings
 --no-parameter_documentation-check
 --no-parameter_types-check
diff --git a/.rspec_parallel b/.rspec_parallel
deleted file mode 100644
index a9a84f85..00000000
--- a/.rspec_parallel
+++ /dev/null
@@ -1,4 +0,0 @@
-# Managed by modulesync - DO NOT EDIT
-# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
-
---format progress
diff --git a/.sync.yml b/.sync.yml
index deb9d014..4c72f5db 100644
--- a/.sync.yml
+++ b/.sync.yml
@@ -1,3 +1,7 @@
 ---
-spec/spec_helper.rb:
-  hiera_config: "'spec/fixtures/hiera/hiera.yaml'"
+spec/spec_helper_acceptance.rb:
+  unmanaged: false
+.github/workflows/ci.yml:
+  with:
+    beaker_hosts: 'vpnserver:ma;vpnclienta:a'
+    beaker_hypervisor: 'vagrant_libvirt'
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 8dd82d63..00000000
--- a/Dockerfile
+++ /dev/null
@@ -1,24 +0,0 @@
-# MANAGED BY MODULESYNC
-# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/
-
-FROM ruby:2.7
-
-WORKDIR /opt/puppet
-
-# https://github.com/puppetlabs/puppet/blob/06ad255754a38f22fb3a22c7c4f1e2ce453d01cb/lib/puppet/provider/service/runit.rb#L39
-RUN mkdir -p /etc/sv
-
-ARG PUPPET_GEM_VERSION="~> 6.0"
-ARG PARALLEL_TEST_PROCESSORS=4
-
-# Cache gems
-COPY Gemfile .
-RUN bundle install --without system_tests development release --path=${BUNDLE_PATH:-vendor/bundle}
-
-COPY . .
-
-RUN bundle install
-RUN bundle exec rake release_checks
-
-# Container should not saved
-RUN exit 1
diff --git a/Gemfile b/Gemfile
index 07209b79..ea079b08 100644
--- a/Gemfile
+++ b/Gemfile
@@ -4,10 +4,10 @@
 source ENV['GEM_SOURCE'] || 'https://rubygems.org'
 
 group :test do
-  gem 'voxpupuli-test', '~> 5.4', :require => false
+  gem 'voxpupuli-test', '~> 9.0', :require => false
   gem 'coveralls', :require => false
   gem 'simplecov-console', :require => false
-  gem 'puppet_metadata', '~> 1.0', :require => false
+  gem 'puppet_metadata', '~> 5.0', :require => false
 end
 
 group :development do
@@ -16,19 +16,17 @@ group :development do
 end
 
 group :system_tests do
-  gem 'voxpupuli-acceptance', '~> 1.0', :require => false
+  gem 'voxpupuli-acceptance', '~> 3.5', :require => false
 end
 
 group :release do
-  gem 'github_changelog_generator', '>= 1.16.1', :require => false if RUBY_VERSION >= '2.5'
-  gem 'voxpupuli-release', '>= 1.2.0', :require => false
-  gem 'puppet-strings', '>= 2.2', :require => false
+  gem 'voxpupuli-release', '~> 3.0', :require => false
 end
 
 gem 'rake', :require => false
 gem 'facter', ENV['FACTER_GEM_VERSION'], :require => false, :groups => [:test]
 
-puppetversion = ENV['PUPPET_GEM_VERSION'] || '>= 6.0'
+puppetversion = ENV['PUPPET_GEM_VERSION'] || [">= 7.24", "< 9"]
 gem 'puppet', puppetversion, :require => false, :groups => [:test]
 
 # vim: syntax=ruby
diff --git a/Rakefile b/Rakefile
index f92f0516..8c9810a2 100644
--- a/Rakefile
+++ b/Rakefile
@@ -24,6 +24,10 @@ end
 begin
   require 'voxpupuli/release/rake_tasks'
 rescue LoadError
+  # voxpupuli-release not present
+else
+  GCGConfig.user = 'voxpupuli'
+  GCGConfig.project = 'puppet-openvpn'
 end
 
 desc "Run main 'test' task and report merged results to coveralls"
@@ -37,36 +41,4 @@
   end
 end
 
-desc 'Generate REFERENCE.md'
-task :reference, [:debug, :backtrace] do |t, args|
-  patterns = ''
-  Rake::Task['strings:generate:reference'].invoke(patterns, args[:debug], args[:backtrace])
-end
-
-begin
-  require 'github_changelog_generator/task'
-  require 'puppet_blacksmith'
-  GitHubChangelogGenerator::RakeTask.new :changelog do |config|
-    metadata = Blacksmith::Modulefile.new
-    config.future_release = "v#{metadata.version}" if metadata.version =~ /^\d+\.\d+.\d+$/
-    config.header = "# Changelog\n\nAll notable changes to this project will be documented in this file.\nEach new release typically also includes the latest modulesync defaults.\nThese should not affect the functionality of the module."
-    config.exclude_labels = %w{duplicate question invalid wontfix wont-fix modulesync skip-changelog}
-    config.user = 'voxpupuli'
-    config.project = metadata.metadata['name']
-  end
-
-  # Workaround for https://github.com/github-changelog-generator/github-changelog-generator/issues/715
-  require 'rbconfig'
-  if RbConfig::CONFIG['host_os'] =~ /linux/
-    task :changelog do
-      puts 'Fixing line endings...'
-      changelog_file = File.join(__dir__, 'CHANGELOG.md')
-      changelog_txt = File.read(changelog_file)
-      new_contents = changelog_txt.gsub(%r{\r\n}, "\n")
-      File.open(changelog_file, "w") {|file| file.puts new_contents }
-    end
-  end
-
-rescue LoadError
-end
 # vim: syntax=ruby
diff --git a/Vagrantfile b/Vagrantfile
deleted file mode 100644
index 332019c9..00000000
--- a/Vagrantfile
+++ /dev/null
@@ -1,39 +0,0 @@
-# rubocop:disable Style/FileName
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-def server_config(config)
-  config.vm.provision :puppet do |puppet|
-    puppet.manifests_path = 'vagrant'
-    puppet.manifest_file = 'server.pp'
-    puppet.temp_dir = '/tmp'
-    puppet.options = ['--modulepath=/tmp/modules']
-  end
-end
-
-def client_config(config)
-  config.vm.provision :puppet do |puppet|
-    puppet.manifests_path = 'vagrant'
-    puppet.manifest_file = 'client.pp'
-    puppet.temp_dir = '/tmp'
-    puppet.options = ['--modulepath=/tmp/modules']
-  end
-end
-
-Vagrant::Config.run(2) do |config|
-  config.vm.provision :shell, path: 'vagrant/provision_module.sh'
-
-  config.vm.define :server_ubuntu do |c|
-    c.vm.hostname = 'server'
-    c.vm.box = 'ubuntu/focal64'
-    server_config c
-    c.vm.network :private_network, ip: '192.168.61.10'
-  end
-
-  config.vm.define :client_ubuntu do |c|
-    c.vm.hostname = 'client'
-    c.vm.box = 'ubuntu/focal64'
-    client_config c
-    c.vm.network :private_network, ip: '192.168.61.20'
-  end
-end
diff --git a/data/defaults.yaml b/data/defaults.yaml
index b05c49b4..3c4cc15b 100644
--- a/data/defaults.yaml
+++ b/data/defaults.yaml
@@ -5,7 +5,7 @@ openvpn::group: 'nobody'
 openvpn::link_openssl_cnf: true
 openvpn::pam_module_path: ~
 openvpn::namespecific_rclink: false
-openvpn::default_easyrsa_ver: '2.0'
+openvpn::default_easyrsa_ver: '3.0'
 openvpn::easyrsa_source: '/usr/share/easy-rsa/'
 openvpn::additional_packages: ['easy-rsa']
 openvpn::ldap_auth_plugin_location: ~
diff --git a/data/family/Archlinux.yaml b/data/family/Archlinux.yaml
index 2735b275..916b3542 100644
--- a/data/family/Archlinux.yaml
+++ b/data/family/Archlinux.yaml
@@ -1,9 +1,10 @@
-openvpn::default_easyrsa_ver: '3.0'
 openvpn::etc_directory: '/etc'
 openvpn::additional_packages: ['easy-rsa']
-openvpn::easyrsa_source: '/usr/share/easy-rsa/'
-openvpn::group: 'nobody'
+openvpn::easyrsa_source: '/etc/easy-rsa/'
+openvpn::group: 'network'
 openvpn::ldap_auth_plugin_location: ~
-openvpn::pam_module_path: ~
-openvpn::link_openssl_cnf: true
+openvpn::pam_module_path: /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
+openvpn::link_openssl_cnf: false
 openvpn::namespecific_rclink: false
+openvpn::server_directory: '/etc/openvpn/server'
+openvpn::server_service_name: 'openvpn-server'
\ No newline at end of file
diff --git a/data/family/Debian.yaml b/data/family/Debian.yaml
index 4bf7af38..2fcf46cd 100644
--- a/data/family/Debian.yaml
+++ b/data/family/Debian.yaml
@@ -2,8 +2,9 @@ openvpn::etc_directory: '/etc'
 openvpn::group: 'nogroup'
 openvpn::link_openssl_cnf: true
 openvpn::namespecific_rclink: false
-openvpn::default_easyrsa_ver: '2.0'
 openvpn::additional_packages: ['easy-rsa','openvpn-auth-ldap']
 openvpn::easyrsa_source: '/usr/share/easy-rsa/'
 openvpn::ldap_auth_plugin_location: '/usr/lib/openvpn/openvpn-auth-ldap.so'
 openvpn::pam_module_path: '/usr/lib/openvpn/openvpn-plugin-auth-pam.so'
+openvpn::server_directory: '/etc/openvpn/server'
+openvpn::server_service_name: 'openvpn-server'
diff --git a/data/family/Debian/10.yaml b/data/family/Debian/10.yaml
deleted file mode 100644
index 9dc137e8..00000000
--- a/data/family/Debian/10.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
---
-
-openvpn::default_easyrsa_ver: '3.0'
diff --git a/data/family/Debian/11.yaml b/data/family/Debian/11.yaml
deleted file mode 100644
index e793d021..00000000
--- a/data/family/Debian/11.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
---
-openvpn::default_easyrsa_ver: '3.0'
diff --git a/data/family/Debian/20.04.yaml b/data/family/Debian/20.04.yaml
deleted file mode 100644
index e793d021..00000000
--- a/data/family/Debian/20.04.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
---
-openvpn::default_easyrsa_ver: '3.0'
diff --git a/data/family/Debian/22.04.yaml b/data/family/Debian/22.04.yaml
deleted file mode 100644
index e793d021..00000000
--- a/data/family/Debian/22.04.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
---
-openvpn::default_easyrsa_ver: '3.0'
diff --git a/data/family/FreeBSD.yaml b/data/family/FreeBSD.yaml
index f89f728a..73512d8d 100644
--- a/data/family/FreeBSD.yaml
+++ b/data/family/FreeBSD.yaml
@@ -2,8 +2,6 @@ openvpn::etc_directory: '/usr/local/etc'
 openvpn::group: 'nogroup'
 openvpn::link_openssl_cnf: true
 openvpn::pam_module_path: '/usr/local/lib/openvpn/openvpn-auth-pam.so'
-openvpn::additional_packages: ['easy-rsa2']
 openvpn::easyrsa_source: '/usr/local/share/easy-rsa'
-openvpn::default_easyrsa_ver: '2.0'
 openvpn::namespecific_rclink: true
 openvpn::server_directory: '/usr/local/etc/openvpn'
diff --git a/data/family/RedHat.yaml b/data/family/RedHat.yaml
index 45325fe3..f4256c0b 100644
--- a/data/family/RedHat.yaml
+++ b/data/family/RedHat.yaml
@@ -3,5 +3,6 @@ openvpn::group: 'nobody'
 openvpn::link_openssl_cnf: true
 openvpn::pam_module_path: '/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so'
 openvpn::namespecific_rclink: false
-openvpn::default_easyrsa_ver: '3.0'
-openvpn::easyrsa_source: '/usr/share/easy-rsa/3'
+openvpn::easyrsa_source: '/usr/share/easy-rsa/3/'
+openvpn::server_directory: '/etc/openvpn/server'
+openvpn::server_service_name: 'openvpn-server'
\ No newline at end of file
diff --git a/data/family/RedHat/7.yaml b/data/family/RedHat/7.yaml
deleted file mode 100644
index 293a1e56..00000000
--- a/data/family/RedHat/7.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-openvpn::additional_packages: ['easy-rsa']
-openvpn::ldap_auth_plugin_location: ~
diff --git a/data/family/RedHat/8.yaml b/data/family/RedHat/8.yaml
deleted file mode 100644
index 7d206819..00000000
--- a/data/family/RedHat/8.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-openvpn::server_directory: '/etc/openvpn/server'
-openvpn::server_service_name: 'openvpn-server'
diff --git a/data/family/Solaris.yaml b/data/family/Solaris.yaml
index 77c89686..b7d7eb5b 100644
--- a/data/family/Solaris.yaml
+++ b/data/family/Solaris.yaml
@@ -1,5 +1,4 @@
 openvpn::etc_directory: '/opt/local/etc'
 openvpn::server_directory: '/opt/local/etc/openvpn'
 openvpn::group: 'nogroup'
-openvpn::default_easyrsa_ver: '3.0'
 openvpn::easyrsa_source: '/opt/local/share/examples/easyrsa'
diff --git a/data/os/Rocky.yaml b/data/os/Rocky.yaml
new file mode 100644
index 00000000..a9f34ac3
--- /dev/null
+++ b/data/os/Rocky.yaml
@@ -0,0 +1 @@
+openvpn::pam_module_path: '/usr/lib64/openvpn/plugins/openvpn-auth-pam.so'
\ No newline at end of file
diff --git a/lib/facter/easyrsa.rb b/lib/facter/easyrsa.rb
index 744235b2..ed6c9537 100644
--- a/lib/facter/easyrsa.rb
+++ b/lib/facter/easyrsa.rb
@@ -9,12 +9,12 @@
     operatingsystemrelease = Facter.value(:operatingsystemrelease)
 
     case operatingsystem
-    when %r{RedHat|CentOS|Amazon}
+    when %r{RedHat|CentOS|Amazon|Rocky|AlmaLinux|OracleLinux}
       binaryv2 = '/usr/share/easy-rsa/2.0/pkitool'
       binaryv3 = '/usr/share/easy-rsa/3/easyrsa'
     when %r{Ubuntu|Debian}
       case operatingsystemrelease
-      when %r{9|10|11|18.04|20.04|22.04}
+      when %r{11|12|18.04|20.04|22.04|24.04}
         binaryv2 = '/usr/share/easy-rsa/pkitool'
         binaryv3 = '/usr/share/easy-rsa/easyrsa'
       else
@@ -29,7 +29,7 @@
     end
 
     if File.exist? binaryv3
-      data = Facter::Core::Execution.execute("#{binaryv3} --help")
+      data = Facter::Core::Execution.execute("#{binaryv3} help")
       version = '3.0' if data.gsub!(%r{Easy-RSA 3 usage}, '')
     elsif File.exist? binaryv2
       data = Facter::Core::Execution.execute("#{binaryv2} --help")
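Review bot: The `--help` → `help` switch on the `execute` line is undocumented, and the fact still derives the version by grepping `Easy-RSA 3 usage` out of that output, so any future wording change silently yields no `easyrsa` fact and the module falls back to `default_easyrsa_ver`. A one-line comment would save the next reader a bisect, e.g. `# EasyRSA 3.1 rejects '--help' as an unknown option; the 'help' subcommand works on 3.0 and 3.1` — presumably that is the motivation, please confirm. Note also that `Facter::Core::Execution.execute` raises on a non-zero exit by default rather than returning empty output, so a `help` invocation that fails makes the whole resolution error out instead of falling through to the `elsif` branches; if that is intended it is worth stating next to the call. The enclosing `setcode` block begins and ends outside this hunk.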
@@ -38,7 +38,7 @@
       data = Facter::Core::Execution.execute('pkitool --help')
       version = '2.0' if data.gsub!(%r{pkitool 2.0}, '')
     elsif Facter::Util::Resolution.which('easyrsa')
-      data = Facter::Core::Execution.execute('easyrsa --help')
+      data = Facter::Core::Execution.execute('easyrsa help')
       version = '3.0' if data.gsub!(%r{Easy-RSA 3 usage}, '')
     end
     version = nil if version.nil?
diff --git a/manifests/ca.pp b/manifests/ca.pp
index 80e58ea8..5d4709ac 100644
--- a/manifests/ca.pp
+++ b/manifests/ca.pp
@@ -60,6 +60,7 @@
 
   File {
     group => $group_to_set,
+    selinux_ignore_defaults => true,
   }
 
   $server_directory = $openvpn::server_directory
@@ -86,6 +87,14 @@
     require => File["${server_directory}/${name}/easy-rsa"],
   }
 
+  if $facts['os']['family'] == 'Archlinux' {
+    file { "${server_directory}/${name}/easy-rsa/easyrsa":
+      ensure  => link,
+      target  => '/bin/easyrsa',
+      require => File["${server_directory}/${name}/easy-rsa"],
+    }
+  }
+
   case $openvpn::easyrsa_version {
     '2.0': {
       if $ssl_key_algo != 'rsa' {
@@ -171,7 +180,7 @@
       if $openvpn::link_openssl_cnf {
         File["${server_directory}/${name}/easy-rsa/openssl.cnf"] {
           ensure => link,
-          target => "${server_directory}/${name}/easy-rsa/openssl-1.0.cnf",
+          target => "${server_directory}/${name}/easy-rsa/openssl-easyrsa.cnf",
           before => Exec["initca ${name}"],
         }
       }
@@ -182,7 +191,7 @@
       }
 
       exec { "initca ${name}":
-        command     => './easyrsa --batch init-pki && ./easyrsa --batch build-ca nopass',
+        command     => "./easyrsa --batch --pki-dir=${server_directory}/${name}/easy-rsa/keys init-pki && ./easyrsa --batch build-ca nopass",
         cwd         => "${server_directory}/${name}/easy-rsa",
         creates     => "${server_directory}/${name}/easy-rsa/keys/ca.crt",
         environment => $_initca_environment,
diff --git a/manifests/client.pp b/manifests/client.pp
index 69bff018..babb298a 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
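Review bot: In the `initca` exec, `--pki-dir=…/easy-rsa/keys` is passed only to `init-pki`, while the chained `build-ca nopass` is left to discover the PKI directory on its own through `vars` and `$_initca_environment`, both of which live outside this hunk. If those do not resolve to the same `keys` directory, `build-ca` writes to EasyRSA's default `pki/`, `creates => …/keys/ca.crt` never becomes true, and every agent run re-executes `--batch init-pki` — which in batch mode removes an existing PKI directory without prompting — followed by a brand-new CA that invalidates every certificate previously issued from this server. Passing the flag to both invocations removes the dependency: `command => "./easyrsa --batch --pki-dir=${server_directory}/${name}/easy-rsa/keys init-pki && ./easyrsa --batch --pki-dir=${server_directory}/${name}/easy-rsa/keys build-ca nopass",`. The exec's remaining attributes continue past the end of the hunk.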
@@ -139,7 +139,7 @@
       }
       '3.0': {
         exec { "generate certificate for ${name} in context of ${ca_name}":
-          command  => ". ./vars && ${env_expire} ./easyrsa --batch build-client-full ${name} nopass",
+          command  => "${env_expire} ./easyrsa --batch build-client-full ${name} nopass",
           cwd      => "${server_directory}/${ca_name}/easy-rsa",
           creates  => "${server_directory}/${ca_name}/easy-rsa/keys/issued/${name}.crt",
           provider => 'shell';
diff --git a/manifests/install.pp b/manifests/install.pp
index 242b983a..8b3e451f 100644
--- a/manifests/install.pp
+++ b/manifests/install.pp
@@ -4,9 +4,9 @@
 class openvpn::install {
   include openvpn
 
-  ensure_packages(['openvpn'])
+  stdlib::ensure_packages(['openvpn'])
 
   if $openvpn::additional_packages {
-    ensure_packages($openvpn::additional_packages)
+    stdlib::ensure_packages($openvpn::additional_packages)
   }
 
   file {
diff --git a/manifests/revoke.pp b/manifests/revoke.pp
index 5b9797a7..d1a787ef 100644
--- a/manifests/revoke.pp
+++ b/manifests/revoke.pp
@@ -26,12 +26,12 @@
 
   $revocation_command = $openvpn::easyrsa_version ? {
     '2.0' => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))'",
-    '3.0' => ". ./vars && ./easyrsa --batch revoke ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))'",
+    '3.0' => "./easyrsa --batch revoke ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))'",
   }
 
   $renew_command = $openvpn::easyrsa_version ? {
     '2.0' => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${server_directory}/${server}/crl.pem -config ${server_directory}/${server}/easy-rsa/openssl.cnf",
-    '3.0' => './easyrsa gen-crl',
+    '3.0' => './easyrsa --batch gen-crl',
     default => fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0."),
   }
 
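Review bot: `${name}` is interpolated unquoted into a `provider => 'shell'` command that runs as root, so a resource title containing whitespace or shell metacharacters — titles arrive from whatever manifests or Hiera data instantiate this define — is either executed or silently changes which certificate gets signed; removing `. ./vars &&` does not alter that, but this is the line being rewritten. The define's parameter block is outside the hunk; constraining the title there, for example `assert_type(Pattern[/\A[A-Za-z0-9._-]+\z/], $name)`, keeps both this command and the `creates` path well-formed with one check. The same unquoted interpolation exists in the `revocation_command` of `revoke.pp` in this commit.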
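Review bot: Dropping `. ./vars &&` from the `'3.0'` branches makes both commands depend on `./easyrsa` finding `vars` by itself; as far as I know EasyRSA 3 auto-sources a `vars` file next to the script it was invoked as (here `./vars` in `cwd`), which still holds on Archlinux where `./easyrsa` is now a symlink to `/bin/easyrsa` per `ca.pp`, but the assumption deserves a comment on the selector such as `# EasyRSA 3 auto-sources ./vars from the invoking directory; no explicit sourcing needed`. The `'2.0'` branches keep explicit sourcing, which is fine but makes the asymmetry look accidental. Independently, `${name}` is still interpolated unquoted into the revocation pipeline; wrapping it with stdlib's `shell_escape` (or asserting a `Pattern` on the title in the define header, outside this hunk) closes that for the `revoke` call the same way as for `client.pp`.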
@@ -56,7 +56,7 @@
   }
 
   if ($openvpn::easyrsa_version == '3.0') {
-    exec { "copy renewed crl.pem to ${name} keys directory because of revocation of ${name}":
+    exec { "copy renewed crl.pem to ${server} keys directory because of revocation of ${name}":
       command   => "cp ${server_directory}/${server}/easy-rsa/keys/crl.pem ${server_directory}/${server}/crl.pem",
       subscribe => Exec["renew crl.pem on ${server} because of revocation of ${name}"],
       provider  => 'shell',
diff --git a/manifests/server.pp b/manifests/server.pp
index 5a0a7a06..3e791daa 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -321,6 +321,7 @@
 
   File {
     group => $group_to_set,
+    selinux_ignore_defaults => true,
   }
 
   file { "${server_directory}/${name}":
diff --git a/metadata.json b/metadata.json
index d75dde4d..8d4eb986 100644
--- a/metadata.json
+++ b/metadata.json
@@ -13,32 +13,60 @@
       "operatingsystem": "Ubuntu",
       "operatingsystemrelease": [
         "20.04",
-        "22.04"
+        "22.04",
+        "24.04"
       ]
     },
     {
       "operatingsystem": "Debian",
       "operatingsystemrelease": [
-        "11"
+        "11",
+        "12"
       ]
     },
     {
       "operatingsystem": "RedHat",
       "operatingsystemrelease": [
-        "8"
+        "8",
+        "9"
       ]
     },
     {
       "operatingsystem": "CentOS",
       "operatingsystemrelease": [
-        "8"
+        "9"
+      ]
+    },
+    {
+      "operatingsystem": "AlmaLinux",
+      "operatingsystemrelease": [
+        "8",
+        "9"
+      ]
+    },
+    {
+      "operatingsystem": "Rocky",
+      "operatingsystemrelease": [
+        "8",
+        "9"
+      ]
+    },
+    {
+      "operatingsystem": "OracleLinux",
+      "operatingsystemrelease": [
+        "8",
+        "9"
       ]
     },
     {
       "operatingsystem": "Archlinux"
     },
     {
-      "operatingsystem": "FreeBSD"
+      "operatingsystem": "FreeBSD",
+      "operatingsystemrelease": [
+        "13",
+        "14"
+      ]
     },
     {
       "operatingsystem": "Solaris"
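Review bot: `selinux_ignore_defaults => true` as a `File` resource default for everything the server define manages is undocumented and has a security side effect on SELinux-enforcing hosts, i.e. the RedHat-family platforms this commit adds: Puppet stops asking the policy (`matchpathcon`) for the expected label, so a mislabelled key, CRL or config under `/etc/openvpn/server` is never repaired and `openvpn` can be denied access to it at start. If this was added to work around platforms that lack `matchpathcon` — Archlinux is the obvious candidate given the rest of the commit — say so and scope it, e.g. `selinux_ignore_defaults => $facts['os']['family'] != 'RedHat',`, or at minimum add `# do not consult matchpathcon for default labels; needed on <platform> because …` above the line. The identical default is introduced in `ca.pp` in this commit and the same reasoning applies there.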
@@ -47,17 +75,17 @@
   "requirements": [
     {
       "name": "puppet",
-      "version_requirement": ">= 7.0.0 < 8.0.0"
+      "version_requirement": ">= 7.0.0 < 9.0.0"
     }
   ],
   "dependencies": [
     {
       "name": "puppetlabs/concat",
-      "version_requirement": ">= 4.1.0 < 8.0.0"
+      "version_requirement": ">= 4.1.0 < 10.0.0"
     },
     {
       "name": "puppetlabs/stdlib",
-      "version_requirement": ">= 4.25.0 < 9.0.0"
+      "version_requirement": ">= 4.25.0 < 10.0.0"
     }
   ],
   "tags": [
diff --git a/spec/acceptance/openvpn_spec.rb b/spec/acceptance/openvpn_spec.rb
index 4c0ba2fd..8be4b075 100644
--- a/spec/acceptance/openvpn_spec.rb
+++ b/spec/acceptance/openvpn_spec.rb
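Review bot: The `puppetlabs/stdlib` requirement keeps its `>= 4.25.0` floor while `manifests/install.pp` in this same commit switches to the namespaced `stdlib::ensure_packages`, which to my knowledge only exists from stdlib 9.0.0, where the namespaced function set was introduced; a consumer pinning stdlib 8.x satisfies this metadata and then fails at catalog compile with an unknown-function error. Raise the floor so the Forge and r10k/librarian resolvers enforce what the code needs: `"version_requirement": ">= 9.0.0 < 10.0.0"`. The `concat` widening to `< 10.0.0` has no matching code change in view, so I cannot tell from the diff whether it was exercised.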
@@ -2,362 +2,122 @@ require 'spec_helper_acceptance' -case fact('osfamily') -when 'RedHat' - if fact('os.release.major') == '8' - server_directory = '/etc/openvpn/server' - client_directory = '/etc/openvpn/client' - client_service = 'openvpn-client' - else - server_directory = '/etc/openvpn' - client_directory = '/etc/openvpn' - client_service = 'openvpn' - end - server_crt = "#{server_directory}/test_openvpn_server/easy-rsa/keys/issued/server.crt" - key_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys/private" - crt_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys/issued" - index_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys" - easy_rsa_version = '3.0' - renew_crl_cmd = "cd #{server_directory}/test_openvpn_server/easy-rsa && . ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out #{server_directory}/test_openvpn_server/crl.pem -config #{server_directory}/test_openvpn_server/easy-rsa/openssl.cnf" -when 'Debian' - server_directory = '/etc/openvpn' - client_directory = '/etc/openvpn' - client_service = 'openvpn' - if fact('os.release.major') =~ %r{10|11|20.04|22.04} - server_crt = "#{server_directory}/test_openvpn_server/easy-rsa/keys/issued/server.crt" - key_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys/private" - crt_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys/issued" - easy_rsa_version = '3.0' - renew_crl_cmd = "cd #{server_directory}/test_openvpn_server/easy-rsa && . 
./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out #{server_directory}/test_openvpn_server/crl.pem -config #{server_directory}/test_openvpn_server/easy-rsa/openssl.cnf" - else - server_crt = "#{server_directory}/test_openvpn_server/easy-rsa/keys/server.crt" - key_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys" - crt_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys" - easy_rsa_version = '2.0' - renew_crl_cmd = "cd #{server_directory}/test_openvpn_server/easy-rsa && . ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out #{server_directory}/test_openvpn_server/crl.pem -config #{server_directory}/test_openvpn_server/easy-rsa/openssl.cnf" - end - index_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys" -else - raise "Unknown OS family #{fact('osfamily')}" -end - -# All-terrain tls ciphers are used to be able to work with all supported OSes. -# Default value is with ciphers too recent for old OSes like ubuntu 14.04. 
-describe 'server defined type' do - context 'with basics parameters' do - it 'installs openvpn server idempotently' do - pp = %( - openvpn::server { 'test_openvpn_server': - country => 'CO', - province => 'ST', - city => 'A city', - organization => 'FOO', - email => 'bar@foo.org', - server => '10.0.0.0 255.255.255.0', - local => '', - management => true, - tls_cipher => 'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA', - } - ) - apply_manifest_on(hosts_as('vpnserver'), pp, catch_failures: true) - apply_manifest_on(hosts_as('vpnserver'), pp, catch_changes: true) - end - - it 'creates openvpn client certificate idempotently' do - pp = %( - openvpn::server { 'test_openvpn_server': - country => 'CO', - province => 'ST', - city => 'A city', - organization => 'FOO', - email => 'bar@foo.org', - server => '10.0.0.0 255.255.255.0', - local => '', - management => true, - tls_cipher => 'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA', - } - - openvpn::client { 'vpnclienta' : - server => 'test_openvpn_server', - require => Openvpn::Server['test_openvpn_server'], - remote_host => $facts['networking']['ip'], - tls_cipher => 'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA', - } - ) - apply_manifest_on(hosts_as('vpnserver'), pp, catch_failures: true) - apply_manifest_on(hosts_as('vpnserver'), pp, catch_changes: true) - end - - it 'revokes openvpn client certificate' do - pp = %( - openvpn::server { 'test_openvpn_server': - country => 'CO', - province => 'ST', - city => 'A city', - organization => 'FOO', - email => 'bar@foo.org', - server => '10.0.0.0 255.255.255.0', - local => '', - management => true, - tls_cipher => 'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA', - } - - openvpn::client { 'vpnclientb' : - server => 'test_openvpn_server', - require => Openvpn::Server['test_openvpn_server'], - remote_host => $facts['networking']['ip'], - tls_cipher => 
'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA', - } - - openvpn::revoke { 'vpnclientb': - server => 'test_openvpn_server', - } - ) - apply_manifest_on(hosts_as('vpnserver'), pp, catch_failures: true) - apply_manifest_on(hosts_as('vpnserver'), pp, catch_changes: false) - end - - describe file("#{server_directory}/test_openvpn_server/easy-rsa/revoked/vpnclientb"), :revokedFile do - it { is_expected.to be_file } - end - - describe file("#{server_directory}/test_openvpn_server/easy-rsa/keys") do - it { is_expected.to be_directory } - end - - describe file("#{server_directory}/test_openvpn_server/easy-rsa/vars") do - it { is_expected.to be_file } - it { is_expected.to contain "export EASY_RSA=\"#{server_directory}/test_openvpn_server/easy-rsa\"" } - it { is_expected.to contain '_COUNTRY="CO"' } - it { is_expected.to contain '_PROVINCE="ST"' } - it { is_expected.to contain '_CITY="A city"' } - it { is_expected.to contain '_ORG="FOO"' } - it { is_expected.to contain '_EMAIL="bar@foo.org"' } - end - - describe file(server_crt.to_s), :crtFile do - it { is_expected.to be_file } - it { is_expected.to contain 'Issuer: C=CO, ST=ST, L=A city, O=FOO, ' } - end - - describe process('openvpn') do - it { is_expected.to be_running } - end - - describe port(1194) do - it { is_expected.to be_listening.with('tcp') } - end - - describe command('ip link show tun0') do - its(:stdout) { is_expected.to match %r{.* tun0: .*} } - its(:exit_status) { is_expected.to eq 0 } - end - - describe file("#{key_path}/vpnclienta.key") do - it { is_expected.to be_file } - end - - describe file("#{crt_path}/vpnclienta.crt") do - it { is_expected.to be_file } - it { is_expected.to contain 'Issuer: C=CO, ST=ST, L=A city, O=FOO, ' } - end - - describe file("#{index_path}/index.txt") do - it { is_expected.to be_file } - it { is_expected.to contain 'CN=vpnclienta' } - end - - describe file("#{server_directory}/test_openvpn_server/download-configs/vpnclienta.tar.gz") do - it { 
is_expected.to be_file } - its(:size) { is_expected.to be > 500 } - end - - it 'permits to setup a vpn client' do - scp_from(hosts_as('vpnserver'), "#{server_directory}/test_openvpn_server/download-configs/vpnclienta.tar.gz", '.') - scp_to(hosts_as('vpnclienta'), 'vpnclienta.tar.gz', '/tmp') - on(hosts_as('vpnclienta'), "tar xvfz /tmp/vpnclienta.tar.gz -C #{client_directory}") - on(hosts_as('vpnclienta'), "cp -a #{client_directory}/vpnclienta/* #{client_directory}/") - on(hosts_as('vpnclienta'), "systemctl enable #{client_service}@vpnclienta") - on(hosts_as('vpnclienta'), "systemctl restart #{client_service}@vpnclienta") - end - - describe command('echo status |nc -w 1 localhost 7505') do - its(:stdout) { is_expected.to match %r{.*vpnclienta.*} } - its(:exit_status) { is_expected.to eq 0 } - end - - describe command(renew_crl_cmd.to_s) do - its(:exit_status) { is_expected.to eq 0 } - end - end -end - -if easy_rsa_version == '3.0' - describe 'server defined type w/ easy-rsa 3.0' do - dev = 'tun1' - server_name = 'test_openvpn_server_ec_dn_mode' - port = 1195 - management_port = 7506 - - context 'with basics parameters' do - it 'installs openvpn server idempotently' do - pp = %( - openvpn::server { '#{server_name}': - dev => '#{dev}', - dn_mode => 'cn_only', - ssl_key_algo => 'ec', - ssl_key_curve => 'secp521r1', - ecdh_curve => 'secp521r1', - digest => 'sha256', - common_name => 'openvpn-server', - server => '10.1.0.0 255.255.255.0', - port => '#{port}', - management => true, - management_port => #{management_port}, - tls_cipher => 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384', - } - ) - apply_manifest_on(hosts_as('vpnserver'), pp, catch_failures: true) - apply_manifest_on(hosts_as('vpnserver'), pp, catch_changes: true) - end - - it 'creates openvpn client certificate idempotently' do - pp = %( - openvpn::server { '#{server_name}': - dev => '#{dev}', - dn_mode => 'cn_only', - ssl_key_algo => 'ec', - ssl_key_curve => 'secp521r1', - ecdh_curve => 'secp521r1', - digest => 
'sha256', - common_name => 'openvpn-server', - server => '10.1.0.0 255.255.255.0', - port => '#{port}', - management => true, - management_port => #{management_port}, - tls_cipher => 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384', - } - - openvpn::client { '#{server_name}-vpnclienta' : - server => '#{server_name}', - port => '#{port}', - require => Openvpn::Server['#{server_name}'], - remote_host => $facts['networking']['ip'], - tls_cipher => 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384', - } - ) - apply_manifest_on(hosts_as('vpnserver'), pp, catch_failures: true) - apply_manifest_on(hosts_as('vpnserver'), pp, catch_changes: true) - end - - it 'revokes openvpn client certificate' do - pp = %( - openvpn::server { '#{server_name}': - dev => '#{dev}', - dn_mode => 'cn_only', - ssl_key_algo => 'ec', - ssl_key_curve => 'secp521r1', - ecdh_curve => 'secp521r1', - digest => 'sha256', - common_name => 'openvpn-server', - server => '10.1.0.0 255.255.255.0', - port => '#{port}', - management => true, - management_port => #{management_port}, - tls_cipher => 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384', - } - - openvpn::client { '#{server_name}-vpnclientb' : - server => '#{server_name}', - port => '#{port}', - require => Openvpn::Server['#{server_name}'], - remote_host => $facts['networking']['ip'], - tls_cipher => 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384', - } - - openvpn::revoke { '#{server_name}-vpnclientb': - server => '#{server_name}', - } - ) - apply_manifest_on(hosts_as('vpnserver'), pp, catch_failures: true) - apply_manifest_on(hosts_as('vpnserver'), pp, catch_changes: false) - end - - describe file("#{server_directory}/#{server_name}/easy-rsa/revoked/#{server_name}-vpnclientb"), :revokedFile do - it { is_expected.to be_file } - end - - describe file("#{server_directory}/#{server_name}/easy-rsa/keys") do - it { is_expected.to be_directory } - end - - describe file("#{server_directory}/#{server_name}/easy-rsa/vars") do - it { is_expected.to be_file } - it { is_expected.to contain 
'export EASYRSA_ALGO=ec' } - it { is_expected.to contain 'export EASYRSA_CURVE=secp521r1' } - it { is_expected.to contain 'export EASYRSA_DIGEST=sha256' } - it { is_expected.to contain 'export EASYRSA_DN="cn_only"' } - end - - describe file(server_crt.to_s), :crtFile do +describe 'openvpn', order: :defined do + describe 'openvpn::server', order: :defined do + describe 'with minimal parameters' do + it_behaves_like 'an idempotent resource', 'master' do + let(:manifest) do + <<-PUPPET + openvpn::server { 'test_openvpn_server': + country => 'CO', + province => 'ST', + city => 'A city', + organization => 'FOO', + email => 'bar@foo.org', + server => '10.0.0.0 255.255.255.0', + } + PUPPET + end + end + + ['/etc/openvpn/server/test_openvpn_server', + '/etc/openvpn/server/test_openvpn_server/keys'].each do |dir| + describe file(dir) do + it { is_expected.to be_directory } + end + end + + describe file('/etc/openvpn/server/test_openvpn_server.conf') do it { is_expected.to be_file } - it { is_expected.to contain 'Issuer: C=CO, ST=ST, L=A city, O=FOO, ' } end - describe process('openvpn') do + describe service('openvpn-server@test_openvpn_server') do + it { is_expected.to be_enabled } it { is_expected.to be_running } end - describe port(port) do - it { is_expected.to be_listening.with('tcp') } - end - - describe command("ip link show #{dev}") do - its(:stdout) { is_expected.to match %r{.* #{dev}: .*} } - its(:exit_status) { is_expected.to eq 0 } - end - - describe file("#{server_directory}/#{server_name}/easy-rsa/keys/private/#{server_name}-vpnclienta.key") do - it { is_expected.to be_file } + describe port(1194) do + it { is_expected.to be_listening } end - describe file("#{server_directory}/#{server_name}/easy-rsa/keys/issued/#{server_name}-vpnclienta.crt") do + describe file('/etc/openvpn/server/test_openvpn_server/easy-rsa/vars') do it { is_expected.to be_file } - it { is_expected.to contain 'Issuer: CN=openvpn-server CA' } - end - - describe 
file("#{server_directory}/#{server_name}/easy-rsa/keys/index.txt") do - it { is_expected.to be_file } - it { is_expected.to contain "CN=#{server_name}-vpnclienta" } + its(:content) { is_expected.to contain(%r{EASYRSA_REQ_COUNTRY "CO"}) } + its(:content) { is_expected.to contain(%r{EASYRSA_REQ_PROVINCE "ST"}) } + its(:content) { is_expected.to contain(%r{EASYRSA_REQ_CITY "A city"}) } + its(:content) { is_expected.to contain(%r{EASYRSA_REQ_ORG "FOO"}) } end + end + end - describe file("#{server_directory}/#{server_name}/download-configs/#{server_name}-vpnclienta.tar.gz") do + describe 'openvpn::client', order: :defined do + it_behaves_like 'an idempotent resource', 'master' do + let(:manifest) do + <<-PUPPET + openvpn::server { 'test_openvpn_server': + country => 'CO', + province => 'ST', + city => 'A city', + organization => 'FOO', + email => 'bar@foo.org', + server => '10.0.0.0 255.255.255.0', + } + openvpn::client { ['vpnclienta','vpnclientb'] : + server => 'test_openvpn_server', + require => Openvpn::Server['test_openvpn_server'], + } + PUPPET + end + end + + ['/etc/openvpn/server/test_openvpn_server/download-configs/vpnclienta.ovpn', + '/etc/openvpn/server/test_openvpn_server/download-configs/vpnclientb.ovpn', + '/etc/openvpn/server/test_openvpn_server/keys/private/vpnclienta.key', + '/etc/openvpn/server/test_openvpn_server/keys/private/vpnclientb.key', + '/etc/openvpn/server/test_openvpn_server/keys/issued/vpnclienta.crt', + '/etc/openvpn/server/test_openvpn_server/keys/issued/vpnclientb.crt'].each do |path| + describe file(path) do it { is_expected.to be_file } - its(:size) { is_expected.to be > 500 } - end - - it 'permits to setup a vpn client' do - scp_from(hosts_as('vpnserver'), "#{server_directory}/#{server_name}/download-configs/#{server_name}-vpnclienta.tar.gz", '.') - scp_to(hosts_as('vpnclienta'), "#{server_name}-vpnclienta.tar.gz", '/tmp') - on(hosts_as('vpnclienta'), "tar xvfz /tmp/#{server_name}-vpnclienta.tar.gz -C #{client_directory}") - 
on(hosts_as('vpnclienta'), "cp -a #{client_directory}/#{server_name}-vpnclienta/* #{client_directory}/") - on(hosts_as('vpnclienta'), "systemctl enable #{client_service}@#{server_name}-vpnclienta") - on(hosts_as('vpnclienta'), "systemctl restart #{client_service}@#{server_name}-vpnclienta") - end - - it 'logs (in case of an error)' do - on(hosts_as('vpnserver'), "journalctl -lu #{client_service}@#{server_name}") - on(hosts_as('vpnclienta'), "journalctl -lu #{client_service}@#{server_name}-vpnclienta") end + end + end - describe command("echo status |nc -w 1 localhost #{management_port}") do - its(:stdout) { is_expected.to match %r{.*#{server_name}-vpnclienta.*} } - its(:exit_status) { is_expected.to eq 0 } - end + describe 'openvpn::revoke', order: :defined do + it 'revoke a client certificate' do + pp = <<-PUPPET + openvpn::server { 'test_openvpn_server': + country => 'CO', + province => 'ST', + city => 'A city', + organization => 'FOO', + email => 'bar@foo.org', + server => '10.0.0.0 255.255.255.0', + } + openvpn::client { ['vpnclienta','vpnclientb'] : + server => 'test_openvpn_server', + require => Openvpn::Server['test_openvpn_server'], + } + openvpn::revoke { 'vpnclientb': + server => 'test_openvpn_server', + } + PUPPET + # Apply the manifest to revoke the client certificate + apply_manifest_on(hosts_as('master'), pp, catch_failures: true) + end + + describe file('/etc/openvpn/server/test_openvpn_server/easy-rsa/revoked/vpnclientb') do + it { is_expected.to be_file } + end + end - describe command(renew_crl_cmd.to_s) do - its(:exit_status) { is_expected.to eq 0 } - end + describe 'remote client', order: :defined do + it 'connects to vpnserver' do + scp_from(hosts_as('master'), '/etc/openvpn/server/test_openvpn_server/download-configs/vpnclienta.tar.gz', '.') + scp_to(hosts_as('agent'), 'vpnclienta.tar.gz', '/tmp') + on(hosts_as('agent'), 'tar xvfz /tmp/vpnclienta.tar.gz -C /etc/openvpn/client') + on(hosts_as('agent'), 'cp -a /etc/openvpn/client/vpnclienta/* 
/etc/openvpn/client/') + on(hosts_as('agent'), 'systemctl enable openvpn-client@vpnclienta') + on(hosts_as('agent'), 'systemctl restart openvpn-client@vpnclienta') end end end diff --git a/spec/classes/openvpn_config_spec.rb b/spec/classes/openvpn_config_spec.rb index d3302ebb..36319db1 100644 --- a/spec/classes/openvpn_config_spec.rb +++ b/spec/classes/openvpn_config_spec.rb 
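Review bot: The `openvpn::revoke` example only asserts that the marker file `easy-rsa/revoked/vpnclientb` exists; the removed code also ran `renew_crl_cmd` and inspected `index.txt`, so a regression where the marker is written but `crl.pem` is not regenerated now passes unnoticed. Add a check on the CRL itself, e.g. `describe command('openssl crl -noout -text -in /etc/openvpn/server/test_openvpn_server/crl.pem') do` / `its(:stdout) { is_expected.to match %r{Revoked Certificates:} }` / `end`. The 'remote client' example is named 'connects to vpnserver' but only runs `systemctl enable`/`restart` on the agent, and `on()` fails only on a non-zero exit, so a client that never brings the tunnel up still passes; the removed `echo status | nc` management check, or a `describe service('openvpn-client@vpnclienta')` run against the agent host, would restore that. Every path and unit name is now hard-coded to the `/etc/openvpn/server` and `openvpn-server@`/`openvpn-client@` systemd layout while metadata.json in this commit also lists FreeBSD and Solaris, so a one-line comment at the top of the file stating that the acceptance suite targets the systemd layout only would save the next reader the inference.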
@@ -2,40 +2,35 @@
 require 'spec_helper'
-describe 'openvpn::config', type: :class do
- on_supported_os.each do |os, facts|
+describe 'openvpn::config' do
+ on_supported_os.each do |os, os_facts|
 context "on #{os}" do
 let(:facts) do
- facts
+ os_facts.merge(
+ easyrsa: '3.0'
+ )
 end
+ let(:pre_condition) { 'include openvpn' } if os_facts[:os]['family'] == 'Debian'
+ it { is_expected.to compile.with_all_deps }
- case facts[:os]['family']
+ case os_facts[:os]['family']
 when 'Debian'
- context 'on Debian based machines' do
- it { is_expected.to contain_concat('/etc/default/openvpn') }
- it { is_expected.to contain_concat__fragment('openvpn.default.header') }
-
- context 'enabled autostart_all' do
- let(:pre_condition) { 'class { "openvpn": autostart_all => true }' }
-
- it {
- is_expected.to contain_concat__fragment('openvpn.default.header').with(
- 'content' => %r{^AUTOSTART="all"}
- )
- }
- end
-
- context 'disabled autostart_all' do
- let(:pre_condition) { 'class { "openvpn": autostart_all => false }' }
-
- it {
- is_expected.to contain_concat__fragment('openvpn.default.header').with(
- 'content' => %r{^AUTOSTART=""}
- )
- }
- end
+ it { is_expected.to contain_concat('/etc/default/openvpn') }
+
+ it { is_expected.to contain_concat__fragment('openvpn.default.header') }
+
+ context 'enabled autostart_all' do
+ let(:pre_condition) { 'class { "openvpn": autostart_all => true }' }
+
+ it { is_expected.to contain_concat__fragment('openvpn.default.header').with_content(%r{^AUTOSTART="all"}) }
+ end
+
+ context 'disabled autostart_all' do
+ let(:pre_condition) { 'class { "openvpn": autostart_all => false }' }
+
+ it { is_expected.to contain_concat__fragment('openvpn.default.header').with_content(%r{^AUTOSTART=""}) }
 end
 end
 end
diff --git a/spec/classes/openvpn_init_hiera_spec.rb b/spec/classes/openvpn_init_hiera_spec.rb
deleted file mode 100644
index ae6a640a..00000000
--- a/spec/classes/openvpn_init_hiera_spec.rb
+++ /dev/null
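Review bot: `let(:pre_condition) { 'include openvpn' } if os_facts[:os]['family'] == 'Debian'` leaves `openvpn::config` to compile without its parent class on every non-Debian OS, which is inconsistent with openvpn_install_spec.rb and openvpn_service_spec.rb in this same commit, where the identical `let` is unconditional. If `openvpn::config` reads `$openvpn::` parameters, the non-Debian `compile.with_all_deps` example only passes because Puppet tolerates the unset class variables; if it does not read them, the condition buys nothing. Either way `let(:pre_condition) { 'include openvpn' }` with the trailing `if` dropped is the clearer form, and the two Debian-only contexts already override it with their own `class { "openvpn": ... }` declarations.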
@@ -1,89 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'openvpn', type: :class do - on_supported_os.each do |os, facts| - context "on #{os}" do - let(:pre_condition) { 'class { "openvpn" : manage_service => true }' } - let(:facts) do - facts - end - let(:title) { 'test openvpn hiera lookups' } - - it { is_expected.to create_class('openvpn') } - - it do - is_expected.to contain_openvpn__server('winterthur').with( - 'country' => 'CH', - 'province' => 'ZH', - 'city' => 'Winterthur', - 'organization' => 'example.org', - 'email' => 'root@example.org', - 'server' => '10.200.200.0 255.255.255.0' - ) - end - - it do - is_expected.to contain_openvpn__server('uster').with( - 'country' => 'CH', - 'province' => 'ZH', - 'city' => 'Uster', - 'organization' => 'example.com', - 'email' => 'root@example.com', - 'server' => '10.100.100.0 255.255.255.0' - ) - end - - it do - is_expected.to contain_openvpn__client('winti-client1').with( - 'server' => 'winterthur' - ) - end - - it do - is_expected.to contain_openvpn__client('winti-client2').with( - 'server' => 'winterthur' - ) - end - - it do - is_expected.to contain_openvpn__client('uster-client1').with( - 'server' => 'uster' - ) - end - - it do - is_expected.to contain_openvpn__client('uster-client2').with( - 'server' => 'uster' - ) - end - - it do - is_expected.to contain_openvpn__client_specific_config('winti-client1').with( - 'server' => 'winterthur', - 'ifconfig' => '10.200.200.50 10.200.200.51' - ) - end - - it do - is_expected.to contain_openvpn__client_specific_config('uster-client1').with( - 'server' => 'uster', - 'ifconfig' => '10.100.100.50 10.100.100.51' - ) - end - - it do - is_expected.to contain_openvpn__revoke('winti-client2').with( - 'server' => 'winterthur' - ) - end - - it do - is_expected.to contain_openvpn__revoke('uster-client2').with( - 'server' => 'uster' - ) - end - end - end -end 
diff --git a/spec/classes/openvpn_init_spec.rb b/spec/classes/openvpn_init_spec.rb
index 832f6154..05e06561 100644
--- a/spec/classes/openvpn_init_spec.rb
+++ b/spec/classes/openvpn_init_spec.rb
@@ -2,35 +2,30 @@
 require 'spec_helper'
-describe 'openvpn', type: :class do
- on_supported_os.each do |os, facts|
+describe 'openvpn' do
+ on_supported_os.each do |os, os_facts|
 context "on #{os}" do
- let(:pre_condition) { 'class { "openvpn" : manage_service => true }' }
+ let(:facts) do
+ os_facts.merge(
+ easyrsa: '3.0'
+ )
+ end
 it { is_expected.to compile.with_all_deps }
- os_name = facts[:os]['name']
- os_release = facts[:os]['release']['major']
- case "#{os_name}-#{os_release}"
- when %r{FreeBSD}
- let(:facts) do
- facts
- end
+ it { is_expected.to create_class('openvpn') }
+ it { is_expected.to contain_class('openvpn::install') }
+ it { is_expected.to contain_class('openvpn::config') }
- context 'system without systemd' do
+ if os_facts[:service_provider] == 'systemd'
+ context 'system with systemd' do
 it { is_expected.to create_class('openvpn') }
- it { is_expected.to contain_class('openvpn::service') }
+ it { is_expected.not_to contain_class('openvpn::service') }
 end
 else
- let(:facts) do
- facts.merge(
- service_provider: 'systemd'
- )
- end
-
- context 'system with systemd' do
+ context 'system without systemd' do
 it { is_expected.to create_class('openvpn') }
- it { is_expected.not_to contain_class('openvpn::service') }
+ it { is_expected.to contain_class('openvpn::service') }
 end
 end
 end
diff --git a/spec/classes/openvpn_install_spec.rb b/spec/classes/openvpn_install_spec.rb
index b81bbf08..2e03f78c 100644
--- a/spec/classes/openvpn_install_spec.rb
+++ b/spec/classes/openvpn_install_spec.rb
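Review bot: The branch at `if os_facts[:service_provider] == 'systemd'` derives the expected presence of `openvpn::service` from a fact that is not part of core Facter (it is shipped by puppetlabs-stdlib), and the removed code set it explicitly via `facts.merge(service_provider: 'systemd')`; if a facterdb fact set lacks `service_provider`, every OS in it silently falls into the 'system without systemd' branch and the suite asserts the opposite of what the class presumably does on a systemd host. A guard such as `raise "service_provider fact missing for #{os}" unless os_facts.key?(:service_provider)` before the `if` turns that gap into a visible error instead of a passing wrong-way assertion. The `it { is_expected.to create_class('openvpn') }` repeated inside both contexts duplicates the outer example and can be dropped.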
@@ -2,47 +2,43 @@
 require 'spec_helper'
-describe 'openvpn::install', type: :class do
- on_supported_os.each do |os, facts|
+describe 'openvpn::install' do
+ on_supported_os.each do |os, os_facts|
 context "on #{os}" do
- let(:pre_condition) do
- 'include openvpn'
- end
 let(:facts) do
- facts
+ os_facts.merge(
+ easyrsa: '3.0'
+ )
 end
+ let(:pre_condition) { 'include openvpn' }
+
+ etc_directory = case os_facts[:os]['family']
+ when 'Solaris'
+ '/opt/local/etc'
+ when 'FreeBSD'
+ '/usr/local/etc'
+ else
+ '/etc'
+ end
 it { is_expected.to compile.with_all_deps }
 it { is_expected.to create_class('openvpn::install') }
+ it { is_expected.to contain_package('openvpn') }
- it { is_expected.to contain_file('/etc/openvpn').with('ensure' => 'directory') }
- it { is_expected.to contain_file('/etc/openvpn/keys').with('ensure' => 'directory') }
- it { is_expected.to contain_file('/var/log/openvpn').with('ensure' => 'directory') }
+ it { is_expected.to contain_file("#{etc_directory}/openvpn").with_ensure('directory') }
+
+ it { is_expected.to contain_file("#{etc_directory}/openvpn/keys").with_ensure('directory') }
+
+ it { is_expected.to contain_file('/var/log/openvpn').with_ensure('directory') }
 it { is_expected.to contain_package('easy-rsa') }
- case facts[:os]['family']
- when 'Debian'
- context 'debian' do
- it { is_expected.to contain_package('openvpn-auth-ldap') }
- end
- when 'RedHat'
- case facts[:os]['release']['major']
- when '6'
- context 'redhat/centos 6' do
- it { is_expected.to contain_package('openvpn-auth-ldap') }
- end
- when '7'
- context 'redhat/centos 7' do
- it { is_expected.not_to contain_package('openvpn-auth-ldap') }
- end
- end
- when 'Archlinux'
- context 'Archlinux' do
- it { is_expected.not_to contain_package('openvpn-auth-ldap') }
- end
+ if os_facts[:os]['family'] == 'Debian'
+ it { is_expected.to contain_package('openvpn-auth-ldap') }
+ else
+ it { is_expected.not_to contain_package('openvpn-auth-ldap') }
 end
 end
 end
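Review bot: The `etc_directory = case os_facts[:os]['family']` table introduced here is the second per-family path table in this commit — openvpn_ca_spec.rb builds its own `server_directory` with a different set of branches — and the copies have already drifted: the ca spec's `if os_facts[:os]['family'] == %r{'RedHat'|'Solaris'|'FreeBSD'}` compares a String to a Regexp with `==`, which is always false in Ruby, so its `with_group('nobody')` example never runs on any OS. Move the family-to-directory mapping into a single helper in spec_helper (e.g. `def openvpn_etc_dir(os_facts)`) and use `%w[RedHat Solaris FreeBSD].include?(os_facts[:os]['family'])` for membership tests so both files share one definition. The unconditional `contain_package('easy-rsa')` and the hard-coded `/var/log/openvpn` on Solaris and FreeBSD look intentional but deserve a one-line comment confirming the module manages them on those platforms.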
diff --git a/spec/classes/openvpn_service_spec.rb b/spec/classes/openvpn_service_spec.rb
index 2fafaa2b..f7bc6e14 100644
--- a/spec/classes/openvpn_service_spec.rb
+++ b/spec/classes/openvpn_service_spec.rb
@@ -2,24 +2,56 @@
 require 'spec_helper'
-describe 'openvpn::service', type: :class do
- on_supported_os.each do |os, facts|
+describe 'openvpn::service' do
+ on_supported_os.each do |os, os_facts|
 context "on #{os}" do
- let(:pre_condition) { 'class { "openvpn": manage_service => true }' }
 let(:facts) do
- facts
+ os_facts.merge(
+ easyrsa: '3.0'
+ )
 end
+ let(:pre_condition) { 'include openvpn' }
 it { is_expected.to compile.with_all_deps }
- it { is_expected.to create_class('openvpn::service') }
+ context 'enabled manage_service and disabled namespecific_rclink' do
+ let(:pre_condition) do
+ 'class { "openvpn":
+ manage_service => true,
+ namespecific_rclink => false
+ }'
+ end
- it {
- is_expected.to contain_service('openvpn').with(
- 'ensure' => 'running',
- 'enable' => true
- )
- }
+ it { is_expected.to create_class('openvpn::service') }
+
+ it { is_expected.to contain_service('openvpn').with_ensure('running').with_enable(true) }
+ end
+
+ context 'disabled manage_service and disabled namespecific_rclink' do
+ let(:pre_condition) do
+ 'class { "openvpn":
+ manage_service => false,
+ namespecific_rclink => false
+ }'
+ end
+
+ it { is_expected.to create_class('openvpn::service') }
+
+ it { is_expected.not_to contain_service('openvpn') }
+ end
+
+ context 'disabled manage_service and enabled namespecific_rclink' do
+ let(:pre_condition) do
+ 'class { "openvpn":
+ manage_service => false,
+ namespecific_rclink => true
+ }'
+ end
+
+ it { is_expected.to create_class('openvpn::service') }
+
+ it { is_expected.not_to contain_service('openvpn') }
+ end
 end
 end
 end
diff --git a/spec/defines/openvpn_ca_spec.rb b/spec/defines/openvpn_ca_spec.rb
index a578c3c1..c5ae27c1 100644
--- a/spec/defines/openvpn_ca_spec.rb
+++ b/spec/defines/openvpn_ca_spec.rb
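Review bot: The three contexts cover every combination of `manage_service` and `namespecific_rclink` except `manage_service => true, namespecific_rclink => true`, and the two contexts with `manage_service => false` assert the identical outcome (`not_to contain_service('openvpn')`) regardless of `namespecific_rclink`, so nothing here shows what that flag actually changes in the catalog. If the fourth combination is valid, add a context for it asserting the per-server service resources it is meant to produce; if the two flags are mutually exclusive, the class should reject the combination and an `is_expected.to compile.and_raise_error(...)` example should pin that. The multi-line Puppet snippets embedded in single-quoted `let(:pre_condition)` strings would read better as `<<~PUPPET` heredocs, matching the style the acceptance spec in this commit already uses.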
@@ -2,216 +2,113 @@ require 'spec_helper' -describe 'openvpn::ca', type: :define do - on_supported_os.each do |os, facts| +describe 'openvpn::ca' do + on_supported_os.each do |os, os_facts| context "on #{os}" do let(:facts) do - facts + os_facts.merge( + easyrsa: '3.0' + ) end let(:title) { 'test_server' } - case facts[:os]['family'] - when 'RedHat' - server_directory = if facts[:os]['release']['major'] == '8' - '/etc/openvpn/server' - else - '/etc/openvpn' - end - - context 'creating a server with the minimum parameters' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org' - } - end - - it { is_expected.to contain_package('easy-rsa').with('ensure' => 'installed') } - - it { - is_expected.to contain_file("#{server_directory}/test_server/crl.pem").with( - 'mode' => '0640', - 'group' => 'nobody' - ) + server_directory = case os_facts[:os]['family'] + when 'Archlinux', 'Debian', 'RedHat' + '/etc/openvpn/server' + when 'Solaris' + '/opt/local/etc/openvpn' + when 'FreeBSD' + '/usr/local/etc/openvpn' + else + '/etc/openvpn' + end + + context 'with default parameters' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'admin@example.org' } + end - # Files associated with a server config + it { is_expected.to contain_class('openvpn') } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with(mode: '0550') } + it { is_expected.to contain_file("#{server_directory}/test_server").with_ensure('directory') } - it { - is_expected.to contain_file("#{server_directory}/test_server/keys"). 
- with(ensure: 'link', target: "#{server_directory}/test_server/easy-rsa/keys") - } + it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa").with_ensure('directory') } - # Execs to working with certificates + it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/revoked").with_ensure('directory') } - it { is_expected.to contain_exec('generate dh param test_server').with_creates("#{server_directory}/test_server/easy-rsa/keys/dh.pem") } - it { is_expected.to contain_exec('initca test_server') } - it { is_expected.to contain_exec('generate server cert test_server') } - it { is_expected.to contain_exec('create crl.pem on test_server') } - it { is_expected.not_to contain_exec('update crl.pem on test_server') } + it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/easyrsa").with_ensure('link') } if os_facts[:os]['family'] == 'Archlinux' - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_CA_EXPIRE=3650$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_CERT_EXPIRE=3650$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{EASYRSA_REQ_CN}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{EASYRSA_REQ_OU}) } - end + it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_mode('0550') } - context 'creating a ca setting all parameters' do - let(:params) do - { - 'dn_mode' => 'cn_only', - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'group' => 'someone', - 'ssl_key_size' => 2048, - 'common_name' => 'mylittlepony', - 'ca_expire' => 365, - 'digest' => 'sha256', - 'key_expire' => 365, - 'key_cn' => 'yolo', - 'key_name' => 'burp', - 'key_ou' => 'NSA' 
- } - end - - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_DN="cn_only"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_CA_EXPIRE=365$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_CERT_EXPIRE=365$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_REQ_CN="yolo"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_REQ_OU="NSA"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_DIGEST=sha256$}) } - - it { is_expected.to contain_exec('generate dh param test_server').with_creates("#{server_directory}/test_server/easy-rsa/keys/dh.pem") } - end - when 'Debian' - server_directory = '/etc/openvpn' - - context 'creating a server with the minimum parameters' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org' - } - end - - # Files associated with a server config - - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with(mode: '0550') } - - it { - is_expected.to contain_file("#{server_directory}/test_server/keys"). - with(ensure: 'link', target: "#{server_directory}/test_server/easy-rsa/keys") - } + it { + is_expected.to contain_file("#{server_directory}/test_server/keys"). 
+ with(ensure: 'link', target: "#{server_directory}/test_server/easy-rsa/keys") + } - # Execs to working with certificates - - if facts[:os]['release']['major'] =~ %r{10|11|20.04|22.04} - it { is_expected.to contain_exec('generate dh param test_server').with_creates("#{server_directory}/test_server/easy-rsa/keys/dh.pem") } - else - it { is_expected.to contain_exec('generate dh param test_server').with_creates("#{server_directory}/test_server/easy-rsa/keys/dh2048.pem") } - end - it { is_expected.to contain_exec('initca test_server') } - it { is_expected.to contain_exec('generate server cert test_server') } - it { is_expected.to contain_exec('create crl.pem on test_server') } - it { is_expected.not_to contain_exec('update crl.pem on test_server') } - - if facts[:os]['release']['major'] =~ %r{10|11|20.04|22.04} - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_CA_EXPIRE=3650$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_CERT_EXPIRE=3650$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_REQ_CN"$}) } - # Missing key_name - it { is_expected.not_to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_REQ_OU"$}) } - else - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export CA_EXPIRE=3650$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export KEY_EXPIRE=3650$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{KEY_CN}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{KEY_NAME}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{KEY_OU}) } - end - 
end + it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/openssl.cnf") } - context 'creating a ca setting all parameters' do - let(:params) do - { - 'dn_mode' => 'cn_only', - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'group' => 'someone', - 'ssl_key_size' => 2048, - 'common_name' => 'mylittlepony', - 'ca_expire' => 365, - 'key_expire' => 365, - 'key_cn' => 'yolo', - 'key_name' => 'burp', - 'key_ou' => 'NSA' - } - end - - if facts[:os]['release']['major'] =~ %r{10|11|20.04|22.04} - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_DN="cn_only"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_CA_EXPIRE=365$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_CERT_EXPIRE=365$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_REQ_CN="yolo"$}) } - # Missing key_name - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_REQ_OU="NSA"$}) } - else - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export CA_EXPIRE=365$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export KEY_EXPIRE=365$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export KEY_CN="yolo"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export KEY_NAME="burp"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export KEY_OU="NSA"$}) } - end - - if facts[:os]['release']['major'] =~ 
%r{10|11|20.04|22.04} - it { is_expected.to contain_exec('generate dh param test_server').with_creates("#{server_directory}/test_server/easy-rsa/keys/dh.pem") } - else - it { is_expected.to contain_exec('generate dh param test_server').with_creates("#{server_directory}/test_server/easy-rsa/keys/dh2048.pem") } - end - end + it { is_expected.to contain_file("#{server_directory}/test_server/crl.pem").with_mode('0640') } + + it { is_expected.to contain_file("#{server_directory}/test_server/crl.pem").with_group('nobody') } if os_facts[:os]['family'] == %r{'RedHat'|'Solaris'|'FreeBSD'} - context 'when Debian based machine' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org' - } - end - - if facts[:os]['release']['major'] =~ %r{10|11|20.04|22.04} - it { - is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/openssl.cnf").with( - 'ensure' => 'link', - 'target' => "#{server_directory}/test_server/easy-rsa/openssl-1.0.cnf", - 'recurse' => nil, - 'group' => 'nogroup' - ) - } - end - - it { - is_expected.to contain_file("#{server_directory}/test_server/crl.pem").with( - 'mode' => '0640', - 'group' => 'nogroup' - ) + it { is_expected.to contain_file("#{server_directory}/test_server/crl.pem").with_group('nogroup') } if os_facts[:os]['family'] == 'Debian' + + it { is_expected.to contain_file("#{server_directory}/test_server/crl.pem").with_group('network') } if os_facts[:os]['family'] == 'Archlinux' + + it { is_expected.to contain_exec('initca test_server').with_command("./easyrsa --batch --pki-dir=#{server_directory}/test_server/easy-rsa/keys init-pki && ./easyrsa --batch build-ca nopass") } + + it { is_expected.to contain_exec('generate dh param test_server').with_command('./easyrsa --batch gen-dh') } + it { is_expected.to contain_exec('generate server cert test_server').with_command("./easyrsa build-server-full 'server' nopass") } + it { 
is_expected.to contain_exec('create crl.pem on test_server').with_command('./easyrsa gen-crl') } + it { is_expected.to contain_exec('copy created crl.pem to test_server keys directory').with_command("cp #{server_directory}/test_server/easy-rsa/keys/crl.pem #{server_directory}/test_server/crl.pem") } + + it { + is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars"). + with_content(%r{set_var EASYRSA_REQ_COUNTRY "CO"$}). + with_content(%r{set_var EASYRSA_REQ_PROVINCE "ST"$}). + with_content(%r{set_var EASYRSA_REQ_CITY "Some City"$}). + with_content(%r{set_var EASYRSA_REQ_ORG "example.org"$}). + with_content(%r{set_var EASYRSA_REQ_EMAIL "admin@example.org"$}) + } + end + + context 'with all parameters' do + let(:params) do + { + 'dn_mode' => 'cn_only', + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'testemail@example.org', + 'group' => 'someone', + 'ssl_key_size' => 2048, + 'common_name' => 'mylittlepony', + 'ca_expire' => 365, + 'digest' => 'sha256', + 'key_expire' => 365, + 'key_cn' => 'yolo', + 'key_name' => 'burp', + 'key_ou' => 'NSA' } end + + it { + is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars"). + with_content(%r{set_var EASYRSA_DN "cn_only"$}). + with_content(%r{set_var EASYRSA_CA_EXPIRE 365$}). + with_content(%r{set_var EASYRSA_CERT_EXPIRE 365$}). + with_content(%r{set_var EASYRSA_REQ_CN "yolo"$}). + with_content(%r{set_var EASYRSA_REQ_OU "NSA"$}). + with_content(%r{set_var EASYRSA_DIGEST sha256$}). + with_content(%r{set_var EASYRSA_KEY_SIZE 2048$}) + } end end end diff --git a/spec/defines/openvpn_client_spec.rb b/spec/defines/openvpn_client_spec.rb index 99e6d731..decff53e 100644 --- a/spec/defines/openvpn_client_spec.rb +++ b/spec/defines/openvpn_client_spec.rb 
@@ -1,10 +1,15 @@
-# rubocop:disable Style/FrozenStringLiteralComment
+# frozen_string_literal: true
 
 require 'spec_helper'
 
-describe 'openvpn::client', type: :define do
- on_supported_os.each do |os, facts|
+describe 'openvpn::client' do
+ on_supported_os.each do |os, os_facts|
 context "on #{os}" do
+ let(:facts) do
+ os_facts.merge(
+ easyrsa: '3.0'
+ )
+ end
 let(:pre_condition) do
 'openvpn::server { "test_server":
 country => "CO",
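Review bot: The added `let(:facts)` merges `easyrsa: '3.0'` into every OS's facts, so every context in this spec now exercises only the easy-rsa 3 layout; if the module still supports another easyrsa version (the hunk does not show either way), that coverage is removed rather than moved. A short comment above the merge would make the intent explicit, e.g. `# pin the easyrsa fact so all contexts below assert the easy-rsa 3 layout`. The `let(:pre_condition)` block opened here ends outside the hunk.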
@@ -14,132 +19,166 @@ email => "testemail@example.org" }' end - let(:facts) do - facts - end let(:title) { 'test_client' } - let(:params) { { server: 'test_server' } } - - server_directory = case facts[:os]['family'] - when 'CentOS', 'RedHat' - if facts[:os]['release']['major'] == '8' - '/etc/openvpn/server' - else - '/etc/openvpn' - end + + server_directory = case os_facts[:os]['family'] + when 'Archlinux', 'Debian', 'RedHat' + '/etc/openvpn/server' + when 'Solaris' + '/opt/local/etc/openvpn' + when 'FreeBSD' + '/usr/local/etc/openvpn' else '/etc/openvpn' end + context 'with default parameters' do + let(:params) { { server: 'test_server' } } - it { is_expected.to compile.with_all_deps } + it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_exec('generate certificate for test_client in context of test_server') } + it { is_expected.to contain_class('openvpn') } - ['test_client', 'test_client/keys/test_client'].each do |directory| - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/#{directory}") } - end + it { is_expected.to contain_exec('generate certificate for test_client in context of test_server') } - case facts[:os]['family'] - when 'Ubuntu', 'Debian' - if facts[:os]['release']['major'] =~ %r{10|11|20.04|22.04} - context 'system with easyrsa3' do - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/test_client.crt").with( - 'ensure' => 'link', - 'target' => "#{server_directory}/test_server/easy-rsa/keys/issued/test_client.crt" - ) - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/test_client.key").with( - 'ensure' => 'link', - 'target' => "#{server_directory}/test_server/easy-rsa/keys/private/test_client.key" - ) - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/ca.crt").with( - 'ensure' => 'link', - 
'target' => "#{server_directory}/test_server/easy-rsa/keys/ca.crt" - ) - } - end - else - context 'system with easyrsa2' do - ['test_client.crt', 'test_client.key', 'ca.crt'].each do |file| - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/#{file}").with( - 'ensure' => 'link', - 'target' => "#{server_directory}/test_server/easy-rsa/keys/#{file}" - ) - } - end - end + ['test_client', 'test_client/keys/test_client'].each do |directory| + it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/#{directory}") } end - when 'CentOS', 'RedHat', %r{Archlinux}, %r{FreeBSD} - context 'system with easyrsa3' do - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/test_client.crt").with( - 'ensure' => 'link', - 'target' => "#{server_directory}/test_server/easy-rsa/keys/issued/test_client.crt" - ) - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/test_client.key").with( - 'ensure' => 'link', - 'target' => "#{server_directory}/test_server/easy-rsa/keys/private/test_client.key" - ) - } + it { + is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf"). + with_content(%r{^client$}). + with_content(%r{^dev\s+tun$}). + with_content(%r{^proto\s+tcp$}). + with_content(%r{^remote\s+.+\s+1194$}). + with_content(%r{^nobind$}). + with_content(%r{^persist-key$}). + with_content(%r{^persist-tun$}). + with_content(%r{^cipher\s+AES-256-GCM$}). + with_content(%r{^tls-cipher\s+TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256$}). + with_content(%r{^mute-replay-warnings$}). + with_content(%r{^remote-cert-tls\s+server$}). + with_content(%r{^verb\s+3$}). + with_content(%r{^mute\s+20$}). 
+ with_content(%r{^ca\s+keys/test_client/ca\.crt$}). + with_content(%r{^cert\s+keys/test_client/test_client.crt$}). + with_content(%r{^key\s+keys/test_client/test_client\.key$}). + without_content(%r{^pull$}). + without_content(%r{^sndbuf}). + without_content(%r{^rcvbuf}). + without_content(%r{^auth-user-pass}). + without_content(%r{^setnev}). + without_content(%r{^setnev-safe}). + without_content(%r{^script-security\s+2$}). + without_content(%r{^up}). + without_content(%r{^down}). + without_content(%r{^x509-verify-name}) + } + + it { + is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/test_client.crt").with( + 'ensure' => 'link', + 'target' => "#{server_directory}/test_server/easy-rsa/keys/issued/test_client.crt" + ) + } + + it { + is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/test_client.key").with( + 'ensure' => 'link', + 'target' => "#{server_directory}/test_server/easy-rsa/keys/private/test_client.key" + ) + } + + it { + is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/ca.crt").with( + 'ensure' => 'link', + 'target' => "#{server_directory}/test_server/easy-rsa/keys/ca.crt" + ) + } + end - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/ca.crt").with( - 'ensure' => 'link', - 'target' => "#{server_directory}/test_server/easy-rsa/keys/ca.crt" - ) + context 'with remote_host' do + let(:params) do + { + 'server' => 'test_server', + 'remote_host' => 'foo.example.com' } end + + it { + is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf"). + with_content(%r{^client$}). + with_content(%r{^dev\s+tun$}). + with_content(%r{^proto\s+tcp$}). 
+ with_content(%r{^remote\s+foo.example.com\s+1194$}) + } + + it { + is_expected.not_to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf"). + with_content(%r{^tls-client$}). + with_content(%r{^verify-x509-name}). + with_content(%r{^sndbuf}). + with_content(%r{^rcvbuf}). + with_content(%r{^pull}) + } end - it { - is_expected.to contain_exec('tar the thing test_server with test_client').with( - 'cwd' => "#{server_directory}/test_server/download-configs/", - 'command' => '/bin/rm test_client.tar.gz; tar --exclude=\*.conf.d -chzvf test_client.tar.gz test_client test_client.tblk' - ) - } + context 'with tls_crypt true' do + let(:params) { { 'server' => 'test_server', 'tls_crypt' => true } } + + it { + is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf"). + with_content(%r{^tls-crypt\s+keys/test_client/ta\.key$}) + } + end + + context 'with tls_auth true' do + let(:params) { { 'server' => 'test_server', 'tls_auth' => true } } + + it { + is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf"). + with_content(%r{^tls-client$}). + with_content(%r{^tls-auth\s+keys/test_client/ta\.key\s+1$}) + } + end + + context 'with tls_auth and tls_crypt true' do + let(:params) { { 'server' => 'test_server', 'tls_auth' => true, 'tls_crypt' => true } } + + it { is_expected.to compile.and_raise_error(%r{tls_auth and tls_crypt are mutually exclusive}) } + end + + context 'with authuserpass true' do + let(:params) { { 'server' => 'test_server', 'authuserpass' => true } } + + it { + is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf"). 
+ with_content(%r{^auth-user-pass$}) + } + end + + context 'with pam true' do + let(:params) { { 'server' => 'test_server', 'pam' => true } } - context 'setting the minimum parameters' do + it { + is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf"). + with_content(%r{^auth-user-pass$}) + } + end + + context 'custom options' do let(:params) do { 'server' => 'test_server', - 'remote_host' => 'foo.example.com' + 'custom_options' => { 'this' => 'that' } } end - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^client$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^ca\s+keys/test_client/ca\.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^cert\s+keys/test_client/test_client.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^key\s+keys/test_client/test_client\.key$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^dev\s+tun$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^proto\s+tcp$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^remote\s+foo.example.com\s+1194$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^resolv-retry\s+infinite$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^nobind$}) } - it { is_expected.to 
contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^persist-key$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^persist-tun$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^mute-replay-warnings$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^remote-cert-tls\s+server$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^verb\s+3$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^mute\s+20$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^auth-retry\s+none$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^tls-client$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^verify-x509-name}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^sndbuf}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^rcvbuf}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^pull}) } + it { + is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf"). 
+ with_content(%r{^this that$}) + } end - context 'setting all of the parameters' do + context 'with all parameters' do let(:params) do { 'server' => 'test_server', 
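Review bot: In the `with remote_host` context the negative assertion chains five `with_content` matchers under one `is_expected.not_to contain_file(...)`, which passes as soon as any single pattern is absent (or the file is missing), so it no longer proves that `tls-client`, `verify-x509-name`, `sndbuf`, `rcvbuf` and `pull` are all absent the way the removed per-line `not_to` examples did. Writing it as a positive expectation with `without_content` per pattern, as the `with default parameters` context already does, restores the conjunction. In that default-parameters chain, `without_content(%r{^setnev})` and `without_content(%r{^setnev-safe})` misspell the directives that the all-parameters context checks as `setenv` and `setenv_safe`, so both pass vacuously; `without_content(%r{^setenv\s})` and `without_content(%r{^setenv_safe\s})` would check what was intended.
```ruby
it {
  is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").
    without_content(%r{^tls-client$}).
    without_content(%r{^verify-x509-name}).
    without_content(%r{^sndbuf}).
    without_content(%r{^rcvbuf}).
    without_content(%r{^pull})
}
```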
@@ -170,54 +209,40 @@ } end - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^client$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^ca\s+keys/test_client/ca\.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^cert\s+keys/test_client/test_client.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^key\s+keys/test_client/test_client\.key$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^dev\s+tap$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^proto\s+udp$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^remote\s+somewhere\s+123$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^remote\s+galaxy\s+123$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^compress lz4$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^resolv-retry\s+2m$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^verb\s+1$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^mute\s+10$}) } - it { is_expected.to 
contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^auth-retry\s+interact$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^setenv\s+CLIENT_CERT\s+0$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^setenv_safe\s+FORWARD_COMPATIBLE\s+1$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^cipher\s+AES-256-GCM$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^tls-cipher\s+TLS-DHE-RSA-WITH-AES-256-CBC-SHA$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^tls-client$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^verify-x509-name\s+"test_server"\s+name$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^sndbuf\s+393216$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^rcvbuf\s+393215$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/README").with_content(%r{^readme text$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^pull$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^remote-cert-tls\s+server$}) } - end + it { + is_expected.to 
contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf"). + with_content(%r{^client$}). + with_content(%r{^ca\s+keys/test_client/ca\.crt$}). + with_content(%r{^cert\s+keys/test_client/test_client.crt$}). + with_content(%r{^key\s+keys/test_client/test_client\.key$}). + with_content(%r{^dev\s+tap$}). + with_content(%r{^proto\s+udp$}). + with_content(%r{^remote\s+somewhere\s+123$}). + with_content(%r{^remote\s+galaxy\s+123$}). + with_content(%r{^compress lz4$}). + with_content(%r{^resolv-retry\s+2m$}). + with_content(%r{^verb\s+1$}). + with_content(%r{^mute\s+10$}). + with_content(%r{^auth-retry\s+interact$}). + with_content(%r{^setenv\s+CLIENT_CERT\s+0$}). + with_content(%r{^setenv_safe\s+FORWARD_COMPATIBLE\s+1$}). + with_content(%r{^cipher\s+AES-256-GCM$}). + with_content(%r{^tls-cipher\s+TLS-DHE-RSA-WITH-AES-256-CBC-SHA$}). + with_content(%r{^tls-client$}). + with_content(%r{^verify-x509-name\s+"test_server"\s+name$}). + with_content(%r{^sndbuf\s+393216$}). + with_content(%r{^rcvbuf\s+393215$}). 
+ with_content(%r{^pull$}) + } - context 'test tls_crypt' do - let(:params) { { 'server' => 'test_server', 'tls_crypt' => true } } - - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^tls-crypt keys/test_client/ta\.key$}) } - end - - context 'omitting the cipher key' do - let(:params) { { 'server' => 'test_server' } } + it { is_expected.not_to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^remote-cert-tls\s+server$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^cipher AES-256-GCM$}) } + it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/README").with_content(%r{^readme text$}) } end - context 'should fail if specifying an openvpn::server with extca_enabled=true' do - let(:params) do - { - 'server' => 'test_server_extca' - } - end - - before do - pre_condition << ' - openvpn::server { "text_server_extca": + context 'with extca' do + let(:pre_condition) do + 'openvpn::server { "text_server_extca": tls_auth => true, extca_enabled => true, extca_ca_cert_file => "/etc/ipa/ca.crt", 
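Review bot: `is_expected.not_to contain_file(...).with_content(%r{^remote-cert-tls\s+server$})` in the `with all parameters` context is also satisfied when the config file is not generated at all, because a negated `contain_file` passes on a missing resource; the preceding example happens to cover existence, but `is_expected.to contain_file(...).without_content(%r{^remote-cert-tls\s+server$})` states the intent directly and matches the `without_content` style used in the default-parameters context. The `let(:params)` block for this context starts outside the hunk.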
@@ -226,128 +251,80 @@ extca_server_key_file => "/etc/pki/tls/private/localhost.key", extca_dh_file => "/etc/ipa/dh.pem", extca_tls_auth_key_file => "/etc/openvpn/keys/ta.key", - } - ' + }' end + let(:params) { { 'server' => 'text_server_extca' } } - it { expect { is_expected.to contain_file('test') }.to raise_error(Puppet::Error) } + it { is_expected.to compile.and_raise_error(%r{extca_enabled}) } end - context 'when using shared ca' do - let(:params) do - { - 'server' => 'test_server', - 'shared_ca' => 'my_already_existing_ca' + context 'with shared_ca' do + let(:pre_condition) do + 'openvpn::server { "test_server": + country => "CO", + province => "ST", + city => "Some City", + organization => "example.org", + email => "testemail@example.org" } + openvpn::server { "my_shared_ca": + country => "CO", + province => "ST", + city => "Some City", + organization => "example.org", + email => "testemail@example.org" + }' end - - before do - pre_condition << ' - openvpn::server { "my_already_existing_ca": - country => "CO", - province => "ST", - city => "Some City", - organization => "example.org", - email => "testemail@example.org" - } - ' - end - - it { is_expected.to contain_openvpn__ca('my_already_existing_ca') } - - it { is_expected.to contain_exec('generate certificate for test_client in context of my_already_existing_ca') } - - # Check that certificate files point to the provided CA - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^client$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^ca\s+keys/test_client/ca\.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^cert\s+keys/test_client/test_client.crt$}) } - it { is_expected.to 
contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^key\s+keys/test_client/test_client\.key$}) } - - case facts[:os]['family'] - when 'Ubuntu', 'Debian' - if facts[:os]['release']['major'] =~ %r{10|11|20.04|22.04} - context 'system with easyrsa3' do - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/test_client.crt").with( - 'ensure' => 'link', - 'target' => "#{server_directory}/my_already_existing_ca/easy-rsa/keys/issued/test_client.crt" - ) - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/test_client.key").with( - 'ensure' => 'link', - 'target' => "#{server_directory}/my_already_existing_ca/easy-rsa/keys/private/test_client.key" - ) - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/ca.crt").with( - 'ensure' => 'link', - 'target' => "#{server_directory}/my_already_existing_ca/easy-rsa/keys/ca.crt" - ) - } - end - else - context 'system with easyrsa2' do - ['test_client.crt', 'test_client.key', 'ca.crt'].each do |file| - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/#{file}").with( - 'ensure' => 'link', - 'target' => "#{server_directory}/my_already_existing_ca/easy-rsa/keys/#{file}" - ) - } - end - end - end - when 'CentOS', 'RedHat', %r{Archlinux}, %r{FreeBSD} - context 'system with easyrsa3' do - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/test_client.crt").with( - 'ensure' => 'link', - 'target' => "#{server_directory}/my_already_existing_ca/easy-rsa/keys/issued/test_client.crt" - ) - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/test_client.key").with( - 'ensure' => 'link', - 'target' => 
"#{server_directory}/my_already_existing_ca/easy-rsa/keys/private/test_client.key" - ) - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/ca.crt").with( - 'ensure' => 'link', - 'target' => "#{server_directory}/my_already_existing_ca/easy-rsa/keys/ca.crt" - ) - } - end - end - end - - context 'when using not existed shared ca' do let(:params) do { 'server' => 'test_server', - 'shared_ca' => 'my_already_existing_ca' + 'shared_ca' => 'my_shared_ca' } end - it { expect { is_expected.to contain_file('test') }.to raise_error(Puppet::Error) } + it { is_expected.to contain_openvpn__ca('my_shared_ca') } + it { is_expected.to contain_exec('generate certificate for test_client in context of my_shared_ca') } + + it { + is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf"). + with_content(%r{^client$}). + with_content(%r{^ca\s+keys/test_client/ca\.crt$}). + with_content(%r{^cert\s+keys/test_client/test_client\.crt$}). 
+ with_content(%r{^key\s+keys/test_client/test_client\.key$}) + } + + it { + is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/test_client.crt").with( + 'ensure' => 'link', + 'target' => "#{server_directory}/my_shared_ca/easy-rsa/keys/issued/test_client.crt" + ) + } + + it { + is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/test_client.key").with( + 'ensure' => 'link', + 'target' => "#{server_directory}/my_shared_ca/easy-rsa/keys/private/test_client.key" + ) + } + + it { + is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/keys/test_client/ca.crt").with( + 'ensure' => 'link', + 'target' => "#{server_directory}/my_shared_ca/easy-rsa/keys/ca.crt" + ) + } end - context 'custom options' do + context 'with not existed shared_ca' do let(:params) do { 'server' => 'test_server', - 'custom_options' => { 'this' => 'that' } + 'shared_ca' => 'my_shared_ca' } end - it { is_expected.to contain_file("#{server_directory}/test_server/download-configs/test_client/test_client.conf").with_content(%r{^this that$}) } + it { is_expected.to compile.and_raise_error(%r{Could not find resource}) } end end end end -# rubocop:enable Style/FrozenStringLiteralComment diff --git a/spec/defines/openvpn_client_specific_config_spec.rb b/spec/defines/openvpn_client_specific_config_spec.rb index 93ea09e1..45f51db6 100644 --- a/spec/defines/openvpn_client_specific_config_spec.rb +++ b/spec/defines/openvpn_client_specific_config_spec.rb 
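Review bot: The `with shared_ca` context re-declares the `test_server` resource verbatim rather than extending the outer `let(:pre_condition)`; RSpec `let` supports `super()`, so `super() + 'openvpn::server { "my_shared_ca": ... }'` would keep a single definition of `test_server` (worth confirming the concatenated string still parses as the outer one does). The `with extca` context keeps the title `text_server_extca` in both the pre_condition and the params; it works because the two agree, but it reads as a typo of `test_server_extca`. The last context title, `with not existed shared_ca`, would read better as `with a non-existent shared_ca`.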
@@ -2,53 +2,51 @@ require 'spec_helper' -describe 'openvpn::client_specific_config', type: :define do - on_supported_os.each do |os, facts| +describe 'openvpn::client_specific_config' do + on_supported_os.each do |os, os_facts| context "on #{os}" do - let(:pre_condition) do - [ - 'openvpn::server { "test_server": - country => "CO", - province => "ST", - city => "Some City", - organization => "example.org", - email => "testemail@example.org" - }', - 'openvpn::client { "test_client": - server => "test_server" - }' - ].join - end let(:facts) do - facts + os_facts.merge( + easyrsa: '3.0' + ) end - let(:title) { 'test_client' } - let(:params) do - { - server: 'test_server' + let(:pre_condition) do + 'openvpn::server { "test_server": + country => "CO", + province => "ST", + city => "Some City", + organization => "example.org", + email => "testemail@example.org" } + openvpn::client { "test_client": + server => "test_server" + }' end - server_directory = case facts[:os]['family'] - when 'CentOS', 'RedHat' - if facts[:os]['release']['major'] == '8' - '/etc/openvpn/server' - else - '/etc/openvpn' - end + let(:title) { 'test_client' } + + server_directory = case os_facts[:os]['family'] + when 'Archlinux', 'Debian', 'RedHat' + '/etc/openvpn/server' + when 'Solaris' + '/opt/local/etc/openvpn' + when 'FreeBSD' + '/usr/local/etc/openvpn' else '/etc/openvpn' end - it { is_expected.to compile.with_all_deps } + context 'with the minimum parameters' do + let(:params) { { server: 'test_server' } } - it { is_expected.to contain_file("#{server_directory}/test_server/client-configs/test_client") } + it { is_expected.to compile.with_all_deps } - describe 'setting no paramter at all' do - it { is_expected.to contain_file("#{server_directory}/test_server/client-configs/test_client").with_content(%r{\A\n\z}) } + it { + is_expected.to contain_file("#{server_directory}/test_server/client-configs/test_client") + } end - describe 'setting all parameters' do + context 'with all parameters' do 
let(:params) do { server: 'test_server', @@ -63,14 +61,19 @@ } end - it { is_expected.to contain_file("#{server_directory}/test_server/client-configs/test_client").with_content(%r{^iroute 10.0.1.0 255.255.255.0$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/client-configs/test_client").with_content(%r{^iroute-ipv6 2001:db8:1234::/64$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/client-configs/test_client").with_content(%r{^ifconfig-push 10.10.10.2 255.255.255.0$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/client-configs/test_client").with_content(%r{^ifconfig-ipv6-push 2001:db8:0:123::2/64 2001:db8:0:123::1$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/client-configs/test_client").with_content(%r{^push "dhcp-option DNS 8.8.8.8"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/client-configs/test_client").with_content(%r{^push "redirect-gateway def1"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/client-configs/test_client").with_content(%r{^push "route 10.200.100.0 255.255.255.0 10.10.10.1"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/client-configs/test_client").with_content(%r{^this that$}) } + it { is_expected.to compile.with_all_deps } + + it { + is_expected.to contain_file("#{server_directory}/test_server/client-configs/test_client"). + with_content(%r{iroute 10.0.1.0 255.255.255.0}). + with_content(%r{iroute-ipv6 2001:db8:1234::/64}). + with_content(%r{ifconfig-push 10.10.10.2 255.255.255.0}). + with_content(%r{ifconfig-ipv6-push 2001:db8:0:123::2/64 2001:db8:0:123::1}). + with_content(%r{route 10.200.100.0 255.255.255.0 10.10.10.1}). + with_content(%r{dhcp-option DNS 8.8.8.8}). + with_content(%r{this that}). + with_content(%r{redirect-gateway}) + } end end end 
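Review bot: The new 'with the minimum parameters' context only asserts that the client-config file exists, while the removed 'setting no paramter at all' example also pinned its content to a single newline with `%r{\A\n\z}`; that check caught a template rendering stray directives for an unconfigured client, and nothing in the new context replaces it. If the template still renders only a newline when no options are set, keep the assertion as `it { is_expected.to contain_file("#{server_directory}/test_server/client-configs/test_client").with_content(%r{\A\n\z}) }`. The 'with all parameters' context opened at the end of this hunk continues in the next hunk.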
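Review bot: The rewritten `with_content` chain in 'with all parameters' drops the `^...$` anchors and the `push "..."` wrapping that the removed examples had, so for instance `%r{redirect-gateway}` now also matches a commented-out line or a value embedded in some other directive, and `%r{dhcp-option DNS 8.8.8.8}` no longer checks that it is emitted as a `push` statement. Restoring the anchored forms keeps the stricter check, e.g. `with_content(%r{^iroute 10\.0\.1\.0 255\.255\.255\.0$})` and `with_content(%r{^push "redirect-gateway def1"$})`, with the dots escaped since these are regexes. The enclosing `context 'with all parameters'` starts in the previous hunk.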
diff --git a/spec/defines/openvpn_revoke_spec.rb b/spec/defines/openvpn_revoke_spec.rb
index 2b9edb95..9e4236f6 100644
--- a/spec/defines/openvpn_revoke_spec.rb
+++ b/spec/defines/openvpn_revoke_spec.rb
@@ -2,70 +2,65 @@ require 'spec_helper' -describe 'openvpn::revoke', type: :define do - on_supported_os.each do |os, facts| - context "on #{os} with easyrsa version 2.0" do - let(:pre_condition) do - [ - 'openvpn::server { "test_server": - country => "CO", - province => "ST", - city => "Some City", - organization => "example.org", - email => "testemail@example.org" - }', - 'openvpn::client { "test_client": - server => "test_server" - }' - ].join - end +describe 'openvpn::revoke' do + on_supported_os.each do |os, os_facts| + context "on #{os}" do let(:facts) do - facts.merge( - easyrsa: '2.0' + os_facts.merge( + easyrsa: '3.0' ) end - let(:title) { 'test_client' } - let(:params) { { 'server' => 'test_server' } } - - it { is_expected.to compile.with_all_deps } - - it { - is_expected.to contain_exec('revoke certificate for test_client in context of test_server').with( - 'command' => ". ./vars && ./revoke-full test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))'" - ) - } - end - context "on #{os} with easyrsa version 3.0" do - let(:pre_condition) do - [ - 'openvpn::server { "test_server": + server_directory = case os_facts[:os]['family'] + when 'Archlinux', 'Debian', 'RedHat' + '/etc/openvpn/server' + when 'Solaris' + '/opt/local/etc/openvpn' + when 'FreeBSD' + '/usr/local/etc/openvpn' + else + '/etc/openvpn' + end + context 'with default parameters' do + let(:pre_condition) do + [ + 'openvpn::server { "test_server": country => "CO", province => "ST", city => "Some City", organization => "example.org", email => "testemail@example.org" }', - 'openvpn::client { "test_client3": + 'openvpn::client { "test_client": server => "test_server" }' - ].join - end - let(:facts) do - facts.merge( - easyrsa: '3.0' - ) - end - let(:title) { 'test_client3' } - let(:params) { { 'server' => 'test_server' } } + ].join + end + let(:title) { 'test_client' } + let(:params) { { 'server' => 'test_server' } } - it { is_expected.to compile.with_all_deps } + it { is_expected.to 
compile.with_all_deps } - it { - is_expected.to contain_exec('revoke certificate for test_client3 in context of test_server').with( - 'command' => ". ./vars && ./easyrsa --batch revoke test_client3; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))'" - ) - } + it { + is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/revoked/test_client"). + with_ensure('file') + } + + it { + is_expected.to contain_exec('revoke certificate for test_client in context of test_server'). + with_command("./easyrsa --batch revoke test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))'") + } + + it { + is_expected.to contain_exec('renew crl.pem on test_server because of revocation of test_client'). + with_command('./easyrsa --batch gen-crl') + } + + it { + is_expected.to contain_exec('copy renewed crl.pem to test_server keys directory because of revocation of test_client'). + with_command("cp #{server_directory}/test_server/easy-rsa/keys/crl.pem #{server_directory}/test_server/crl.pem") + } + end end end end diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb index a7fcc539..b849ab66 100644 --- a/spec/defines/openvpn_server_spec.rb +++ b/spec/defines/openvpn_server_spec.rb 
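Review bot: The three exec expectations in 'with default parameters' check each command in isolation but not that `renew crl.pem on test_server ...` runs after the revoke and that the copy to the keys directory runs after the renewal; if either link is missing in the manifest, the served crl.pem stays stale and a revoked client certificate keeps authenticating, and this spec would still pass. If the module chains them with notify/subscribe or require, assert it here, e.g. `.that_subscribes_to('Exec[revoke certificate for test_client in context of test_server]')` on the gen-crl exec and `.that_subscribes_to('Exec[renew crl.pem on test_server because of revocation of test_client]')` on the copy exec. The easyrsa 2.0 context is removed and `easyrsa: '3.0'` is now pinned for every OS; if 2.0 is no longer supported by the module, a one-line comment above `let(:facts)` saying so would explain the narrowed matrix.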
@@ -3,160 +3,188 @@ require 'spec_helper' describe 'openvpn::server' do - on_supported_os.each do |os, facts| + on_supported_os.each do |os, os_facts| context "on #{os}" do let(:facts) do - facts + os_facts.merge( + easyrsa: '3.0' + ) end + let(:title) { 'test_server' } - server_directory = case facts[:os]['family'] - when 'CentOS', 'RedHat' - if facts[:os]['release']['major'] == '8' - '/etc/openvpn/server' - else - '/etc/openvpn' - end - when %r{FreeBSD} + server_directory = case os_facts[:os]['family'] + when 'Archlinux', 'Debian', 'RedHat' + '/etc/openvpn/server' + when 'Solaris' + '/opt/local/etc/openvpn' + when 'FreeBSD' '/usr/local/etc/openvpn' else '/etc/openvpn' end - server_directory_regex = server_directory.gsub('/', '\/') - - # common tests for any easyrsa version - context 'creating a server without any parameter' do + pam_module_path = case os_facts[:os]['family'] + when 'RedHat' + case os_facts[:os]['name'] + when 'Rocky' + '/usr/lib64/openvpn/plugins/openvpn-auth-pam.so' + else + '/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so' + end + when 'Debian' + '/usr/lib/openvpn/openvpn-plugin-auth-pam.so' + when 'FreeBSD' + '/usr/local/lib/openvpn/openvpn-auth-pam.so' + when 'Archlinux' + '/usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so' + else + '~' + end + context 'with default parameters' do let(:params) { {} } - it { expect { is_expected.to contain_file("#{server_directory}/test_server") }.to raise_error(Puppet::PreformattedError) } - end - - context 'creating a server partial parameters: country' do - let(:params) { { 'country' => 'CO' } } - - it { expect { is_expected.to contain_file("#{server_directory}/test_server") }.to raise_error(Puppet::PreformattedError) } + it { is_expected.to compile.and_raise_error(%r{Evaluation Error}) } end - context 'creating a server partial parameters: country, province' do + context 'with country' do let(:params) do { - 'country' => 'CO', - 'province' => 'ST' + 'country' => 'CO' } end - it { expect { 
is_expected.to contain_file("#{server_directory}/test_server") }.to raise_error(Puppet::PreformattedError) } - end + it { is_expected.to compile.and_raise_error(%r{Evaluation Error}) } - context 'creating a server partial parameters: country, province, city' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City' - } - end + context 'with province' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST' + } + end - it { expect { is_expected.to contain_file("#{server_directory}/test_server") }.to raise_error(Puppet::PreformattedError) } - end + it { is_expected.to compile.and_raise_error(%r{Evaluation Error}) } - context 'creating a server partial parameters: country, province, city, organization' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org' - } - end + context 'with city' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City' + } + end - it { expect { is_expected.to contain_file("#{server_directory}/test_server") }.to raise_error(Puppet::PreformattedError) } - end + it { is_expected.to compile.and_raise_error(%r{Evaluation Error}) } - context 'when using not existed shared ca' do - let(:params) do - { - 'shared_ca' => 'my_already_existing_ca' - } - end + context 'with organization' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org' + } + end + + it { is_expected.to compile.and_raise_error(%r{Evaluation Error}) } - it { expect { is_expected.to contain_file("#{server_directory}/test_server") }.to raise_error(Puppet::PreformattedError) } + context 'with email' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'user@example.com' + } + end + + it { is_expected.to compile.with_all_deps } + end + end + end + end end - context 'should fail if 
setting extca_enabled=true without specifying any other extca_* options' do + context 'with extca_enabled' do let(:params) do { 'extca_enabled' => true } end - it { expect { is_expected.to contain_file("#{server_directory}/test_server") }.to raise_error(Puppet::PreformattedError) } - end + it { is_expected.to compile.and_raise_error(%r{Evaluation Error}) } - context 'should fail if setting extca_enabled=true and tls_auth=true without providing extca_tls_auth_key_file' do - let(:params) do - { - 'tls_auth' => true, - 'extca_enabled' => true, - 'extca_ca_cert_file' => '/etc/ipa/ca.crt', - 'extca_ca_crl_file' => '/etc/ipa/ca_crl.pem', - 'extca_server_cert_file' => '/etc/pki/tls/certs/localhost.crt', - 'extca_server_key_file' => '/etc/pki/tls/private/localhost.key', - 'extca_dh_file' => '/etc/ipa/dh.pem' - } - end + context 'with extca parameters' do + let(:params) do + { + 'extca_enabled' => true, + 'extca_ca_cert_file' => '/etc/ipa/ca.crt', + 'extca_ca_crl_file' => '/etc/ipa/ca_crl.pem', + 'extca_server_cert_file' => '/etc/pki/tls/certs/localhost.crt', + 'extca_server_key_file' => '/etc/pki/tls/private/localhost.key', + 'extca_dh_file' => '/etc/ipa/dh.pem' + } + end - it { expect { is_expected.to contain_file("#{server_directory}/test_server") }.to raise_error(Puppet::PreformattedError) } - end + it { is_expected.to compile.with_all_deps } - context 'when altering send and receive buffers' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'sndbuf' => 393_216, - 'rcvbuf' => 393_215 + it { + is_expected.to contain_file("#{server_directory}/test_server.conf"). + with_content(%r{^ca\s+/etc/ipa/ca\.crt$}). + with_content(%r{^crl-verify\s+/etc/ipa/ca_crl\.pem$}). + with_content(%r{^cert\s+/etc/pki/tls/certs/localhost\.crt$}). + with_content(%r{^key\s+/etc/pki/tls/private/localhost\.key$}). 
+ with_content(%r{^dh\s+/etc/ipa/dh\.pem$}) } end - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^sndbuf\s+393216$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^rcvbuf\s+393215$}) } - end + context 'with tls_auth=true' do + let(:params) do + { + 'tls_auth' => true, + 'extca_enabled' => true, + 'extca_ca_cert_file' => '/etc/ipa/ca.crt', + 'extca_ca_crl_file' => '/etc/ipa/ca_crl.pem', + 'extca_server_cert_file' => '/etc/pki/tls/certs/localhost.crt', + 'extca_server_key_file' => '/etc/pki/tls/private/localhost.key', + 'extca_dh_file' => '/etc/ipa/dh.pem' + } + end - context 'when using udp4' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'proto' => 'udp4' - } - end + it { is_expected.to compile.and_raise_error(%r{Evaluation Error}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^proto\s+udp4$}) } - end + context 'with extca_tls_auth_key_file' do + let(:params) do + { + 'tls_auth' => true, + 'extca_tls_auth_key_file' => '/etc/openvpn/ta.key', + 'extca_enabled' => true, + 'extca_ca_cert_file' => '/etc/ipa/ca.crt', + 'extca_ca_crl_file' => '/etc/ipa/ca_crl.pem', + 'extca_server_cert_file' => '/etc/pki/tls/certs/localhost.crt', + 'extca_server_key_file' => '/etc/pki/tls/private/localhost.key', + 'extca_dh_file' => '/etc/ipa/dh.pem' + } + end - context 'when using udp6' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'proto' => 'udp6' - } - end + it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^proto\s+udp6$}) } + it { + is_expected.to contain_file("#{server_directory}/test_server.conf"). 
+ with_content(%r{^ca\s+/etc/ipa/ca\.crt$}). + with_content(%r{^crl-verify\s+/etc/ipa/ca_crl\.pem$}). + with_content(%r{^cert\s+/etc/pki/tls/certs/localhost\.crt$}). + with_content(%r{^key\s+/etc/pki/tls/private/localhost\.key$}). + with_content(%r{^dh\s+/etc/ipa/dh\.pem$}). + with_content(%r{^tls-auth\s+/etc/openvpn/ta\.key$}). + with_content(%r{^key-direction\s+0$}) + } + end + end end - context 'when using tcp4' do + context 'with sndbuf and rcvbuf' do let(:params) do { 'country' => 'CO', 
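Review bot: `pam_module_path` falls back to the string `'~'` for any other OS family, which reads like a placeholder; the variable is not referenced inside this hunk, so if a later expectation interpolates it into a regex, an unexpected family would match a literal `~` instead of failing clearly. Consider `raise "no pam plugin path for #{os_facts[:os]['family']}"` in the `else` branch, or a comment stating that `'~'` is intentional. The nested `with country` → `with province` → `with city` → `with organization` → `with email` contexts each restate the whole params hash; `let(:params) { super().merge('province' => 'ST') }` at each level would show only what that level adds and keep the chain in sync if the base hash changes.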
@@ -164,29 +192,43 @@ 'city' => 'Some City', 'organization' => 'example.org', 'email' => 'testemail@example.org', - 'proto' => 'tcp4' + 'sndbuf' => 393_216, + 'rcvbuf' => 393_215 } end - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^proto\s+tcp4-server$}) } + it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^sndbuf\s+393216$}) } + it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^rcvbuf\s+393215$}) } end - context 'when using tcp6' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'proto' => 'tcp6' + %w[udp tcp udp4 tcp4 udp6 tcp6].each do |proto| + context "with proto=#{proto}" do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'testemail@example.org', + 'proto' => proto + } + end + + it { is_expected.to compile.with_all_deps } + + it { + if proto.include?('tcp') + is_expected.to contain_file("#{server_directory}/test_server.conf"). + with_content(%r{^proto\s+#{proto}-server$}) + else + is_expected.to contain_file("#{server_directory}/test_server.conf"). + with_content(%r{^proto\s+#{proto}$}) + end } end - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^proto\s+tcp6-server$}) } end - context 'when using invalid value for proto' do + context 'with invalid proto' do let(:params) do { 'country' => 'CO', 
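Review bot: The `it` block in the `%w[udp tcp udp4 tcp4 udp6 tcp6].each` loop branches on `proto.include?('tcp')` inside the example, so a failure message shows only the generic matcher and a reader has to re-derive which expectation applied; the condition is about test data, not behaviour under test. Computing the expected value next to the `context` line and keeping the example to a single expectation reads better: `expected_proto = proto.include?('tcp') ? "#{proto}-server" : proto` followed by `it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^proto\s+#{expected_proto}$}) }`. The 'with invalid proto' context opened at the end of this hunk continues in the next one.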
@@ -194,174 +236,164 @@ 'city' => 'Some City', 'organization' => 'example.org', 'email' => 'testemail@example.org', - 'proto' => 'tcp5' + 'proto' => 'invalid' } end - it { expect { is_expected.to contain_file("#{server_directory}/test_server") }.to raise_error(Puppet::PreformattedError) } + it { is_expected.to compile.and_raise_error(%r{Evaluation Error}) } end - context 'creating a server in client mode' do + context 'with remote' do let(:title) { 'test_client' } - let(:nobind) { false } let(:params) do { - 'remote' => ['vpn.example.com 12345'], 'server_poll_timeout' => 1, 'ping_timer_rem' => true, 'tls_auth' => true, 'tls_client' => true, - 'nobind' => nobind + 'remote' => ['vpn.example.com 1194'] } end - context 'nobind is true' do - let(:nobind) { true } - - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^nobind$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_client.conf").with_content(%r{port\s+\d+}) } - end - - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^client$}) } + it { is_expected.to compile.with_all_deps } it { is_expected.to contain_file("#{server_directory}/test_client.conf"). - with_content(%r{^remote\s+vpn.example.com\s+12345$}) + with_content(%r{^remote\s+vpn\.example\.com\s+1194$}). + with_content(%r{^client$}). + with_content(%r{^server-poll-timeout\s+1$}). + with_content(%r{^remote-cert-tls server}). + with_content(%r{^ping-timer-rem$}). + with_content(%r{^tls-client$}). + with_content(%r{^key-direction\s+1$}). + with_content(%r{^port\s+\d+$}). + without_content(%r{^mode\s+server$}). + without_content(%r{^nobind$}). + without_content(%r{^client-config-dir}). + without_content(%r{^dh}). + without_content(%r{^remote-random-hostname$}). 
+ without_content(%r{^remote-random$}) } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^server-poll-timeout\s+1$}) } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^ping-timer-rem$}) } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^remote-cert-tls server}) } - it { is_expected.not_to contain_file("#{server_directory}/test_client.conf").with_content(%r{^mode\s+server$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_client.conf").with_content(%r{^client-config-dir}) } - it { is_expected.not_to contain_file("#{server_directory}/test_client.conf").with_content(%r{^dh}) } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^tls-client$}) } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^key-direction 1$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_client.conf").with_content(%r{nobind}) } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^port\s+\d+$}) } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").without_content(%r{^remote-random-hostname$}) } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").without_content(%r{^remote-random$}) } + context 'with nobind' do + let(:params) do + { + 'server_poll_timeout' => 1, + 'ping_timer_rem' => true, + 'tls_auth' => true, + 'tls_client' => true, + 'nobind' => true, + 'remote' => ['vpn.example.com 1194'] + } + end - it { is_expected.not_to contain_openvpn__ca('test_client') } + it { is_expected.to compile.with_all_deps } - case facts[:os]['family'] - when 'RedHat' it { - is_expected.to contain_file("#{server_directory}/test_client/keys"). - with(ensure: 'directory', mode: '0750', group: 'nobody') + is_expected.to contain_file("#{server_directory}/test_client.conf"). 
+ with_content(%r{^nobind$}). + without_content(%r{^port\s+\d+$}) } end - end - context 'creating a server in client mode with multiple remotes and random' do - let(:title) { 'test_client' } - let(:nobind) { false } - let(:params) do - { - 'remote' => ['vpn1.example.com 12345', 'vpn2.example.com 23456'], - 'remote_random_hostname' => true, - 'remote_random' => true, - 'server_poll_timeout' => 1, - 'ping_timer_rem' => true, - 'tls_auth' => true, - 'tls_client' => true, - 'nobind' => nobind - } - end + it { is_expected.not_to contain_openvpn__ca('test_client') } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^client$}) } + it { is_expected.to contain_file("#{server_directory}/test_client/keys").with(mode: '0750', ensure: 'directory') } - it { - is_expected.to contain_file("#{server_directory}/test_client.conf"). - with_content(%r{^remote\s+vpn1.example.com\s+12345$}) - } + it { is_expected.to contain_file("#{server_directory}/test_client/keys").with_group('nobody') } if os_facts[:os]['family'] == %r{'RedHat'|'Solaris'|'FreeBSD'} - it { - is_expected.to contain_file("#{server_directory}/test_client.conf"). 
- with_content(%r{^remote\s+vpn2.example.com\s+23456$}) - } + it { is_expected.to contain_file("#{server_directory}/test_client/keys").with_group('nogroup') } if os_facts[:os]['family'] == 'Debian' - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^remote-random-hostname$}) } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^remote-random$}) } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^server-poll-timeout\s+1$}) } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^ping-timer-rem$}) } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^remote-cert-tls server}) } - it { is_expected.not_to contain_file("#{server_directory}/test_client.conf").with_content(%r{^mode\s+server$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_client.conf").with_content(%r{^client-config-dir}) } - it { is_expected.not_to contain_file("#{server_directory}/test_client.conf").with_content(%r{^dh}) } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^tls-client$}) } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^key-direction 1$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_client.conf").with_content(%r{nobind}) } - it { is_expected.to contain_file("#{server_directory}/test_client.conf").with_content(%r{^port\s+\d+$}) } + it { is_expected.to contain_file("#{server_directory}/test_client/keys").with_group('network') } if os_facts[:os]['family'] == 'Archlinux' - it { is_expected.not_to contain_openvpn__ca('test_client') } + context 'with multiple remotes' do + let(:params) do + { + 'server_poll_timeout' => 1, + 'ping_timer_rem' => true, + 'tls_auth' => true, + 'tls_client' => true, + 'remote' => ['vpn.example.com 1194', 'vpn2.example.com 1194'] + } + end + + it 
{ is_expected.to compile.with_all_deps } - case facts[:os]['family'] - when 'RedHat' it { - is_expected.to contain_file("#{server_directory}/test_client/keys"). - with(ensure: 'directory', mode: '0750', group: 'nobody') + is_expected.to contain_file("#{server_directory}/test_client.conf"). + with_content(%r{^remote\s+vpn\.example\.com\s+1194$}). + with_content(%r{^remote\s+vpn2\.example\.com\s+1194$}). + with_content(%r{^client$}). + with_content(%r{^server-poll-timeout\s+1$}). + with_content(%r{^remote-cert-tls server}). + with_content(%r{^ping-timer-rem$}). + with_content(%r{^tls-client$}). + with_content(%r{^key-direction\s+1$}). + with_content(%r{^port\s+\d+$}). + without_content(%r{^mode\s+server$}). + without_content(%r{^nobind$}). + without_content(%r{^client-config-dir}). + without_content(%r{^dh}). + without_content(%r{^remote-random-hostname$}). + without_content(%r{^remote-random$}) } - end - end - case facts[:os]['family'] - when 'Debian' - # ldap auth needs the ldap package and that is only defined for a few OSes (including debian) - context 'debian' do - context 'creating a server with ldap authentication enabled' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'ldap_enabled' => true, - 'ldap_binddn' => 'dn=foo,ou=foo,ou=com', - 'ldap_bindpass' => 'ldappass123', - 'ldap_tls_enable' => true, - 'ldap_tls_ca_cert_file' => '/etc/ldap/ca.pem', - 'ldap_tls_ca_cert_dir' => '/etc/ldap/certs' - } - end + it { is_expected.not_to contain_openvpn__ca('test_client') } + it { is_expected.to contain_file("#{server_directory}/test_client/keys").with(mode: '0750', ensure: 'directory') } - it { is_expected.to contain_file("#{server_directory}/test_server/auth/ldap.conf").with_content(%r{^\s+TLSEnable\s+yes$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/auth/ldap.conf").with_content(%r{^\s+TLSCACertFile\s+/etc/ldap/ca.pem$}) } 
- it { is_expected.to contain_file("#{server_directory}/test_server/auth/ldap.conf").with_content(%r{^\s+TLSCACertDir\s+/etc/ldap/certs$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/auth/ldap.conf").without_content(%r{^\s+TLSCertFile.*$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/auth/ldap.conf").without_content(%r{^\s+TLSKeyFile.*$}) } - end + it { is_expected.to contain_file("#{server_directory}/test_client/keys").with_group('nobody') } if os_facts[:os]['family'] == %r{'RedHat'|'Solaris'|'FreeBSD'} + + it { is_expected.to contain_file("#{server_directory}/test_client/keys").with_group('nogroup') } if os_facts[:os]['family'] == 'Debian' + + it { is_expected.to contain_file("#{server_directory}/test_client/keys").with_group('network') } if os_facts[:os]['family'] == 'Archlinux' - context 'creating a server with ldap authentication enabled and using ldap client certificates' do + context 'with remote_random' do let(:params) do { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'ldap_enabled' => true, - 'ldap_binddn' => 'dn=foo,ou=foo,ou=com', - 'ldap_bindpass' => 'ldappass123', - 'ldap_tls_enable' => true, - 'ldap_tls_ca_cert_file' => '/etc/ldap/ca.pem', - 'ldap_tls_ca_cert_dir' => '/etc/ldap/certs', - 'ldap_tls_client_cert_file' => '/etc/ldap/client-cert.pem', - 'ldap_tls_client_key_file' => '/etc/ldap/client-key.pem' + 'server_poll_timeout' => 1, + 'ping_timer_rem' => true, + 'tls_auth' => true, + 'tls_client' => true, + 'remote_random' => true, + 'remote_random_hostname' => true, + 'remote' => ['vpn.example.com 1194', 'vpn2.example.com 1194'] } end - it { is_expected.to contain_file("#{server_directory}/test_server/auth/ldap.conf").with_content(%r{^\s+TLSEnable\s+yes$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/auth/ldap.conf").with_content(%r{^\s+TLSCACertFile\s+/etc/ldap/ca.pem$}) } - it 
{ is_expected.to contain_file("#{server_directory}/test_server/auth/ldap.conf").with_content(%r{^\s+TLSCACertDir\s+/etc/ldap/certs$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/auth/ldap.conf").with_content(%r{^\s+TLSCertFile\s+/etc/ldap/client-cert.pem$}) } - it { is_expected.to contain_file("#{server_directory}/test_server/auth/ldap.conf").with_content(%r{^\s+TLSKeyFile\s+/etc/ldap/client-key.pem$}) } + it { is_expected.to compile.with_all_deps } + + it { + is_expected.to contain_file("#{server_directory}/test_client.conf"). + with_content(%r{^remote\s+vpn\.example\.com\s+1194$}). + with_content(%r{^remote\s+vpn2\.example\.com\s+1194$}). + with_content(%r{^client$}). + with_content(%r{^server-poll-timeout\s+1$}). + with_content(%r{^remote-cert-tls server}). + with_content(%r{^ping-timer-rem$}). + with_content(%r{^tls-client$}). + with_content(%r{^key-direction\s+1$}). + with_content(%r{^port\s+\d+$}). + with_content(%r{^remote-random$}). + with_content(%r{^remote-random-hostname$}). + without_content(%r{^mode\s+server$}). + without_content(%r{^nobind$}). + without_content(%r{^client-config-dir}). + without_content(%r{^dh}) + } + + it { is_expected.not_to contain_openvpn__ca('test_client') } + it { is_expected.to contain_file("#{server_directory}/test_client/keys").with(mode: '0750', ensure: 'directory') } + + it { is_expected.to contain_file("#{server_directory}/test_client/keys").with_group('nobody') } if os_facts[:os]['family'] == %r{'RedHat'|'Solaris'|'FreeBSD'} + + it { is_expected.to contain_file("#{server_directory}/test_client/keys").with_group('nogroup') } if os_facts[:os]['family'] == 'Debian' + + it { is_expected.to contain_file("#{server_directory}/test_client/keys").with_group('network') } if os_facts[:os]['family'] == 'Archlinux' end end end - context 'creating a server setting all parameters' do + context 'with all parameters' do let(:params) do { 'country' => 'CO', 
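Review bot: `if os_facts[:os]['family'] == %r{'RedHat'|'Solaris'|'FreeBSD'}` compares a String to a Regexp with `==`, which is always false in Ruby, so the `with_group('nobody')` expectation in the 'with remote' context and in its 'with multiple remotes' and 'with remote_random' sub-contexts never runs on any platform (the single quotes inside the pattern would also never match a bare family name even with `=~`). Replace the guard with `if %w[RedHat Solaris FreeBSD].include?(os_facts[:os]['family'])` in all three places so the group ownership of the keys directory is actually checked. The Debian-only ldap contexts (TLSEnable, TLSCACertFile, TLSCACertDir and the TLSCertFile/TLSKeyFile presence checks on auth/ldap.conf) are removed in this hunk; if they are not re-added later in the file, coverage of the LDAP TLS settings is lost and should be restored.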
@@ -422,59 +454,65 @@ } end - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^mode\s+server$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^client-config-dir\s+#{server_directory}/test_server/client-configs$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^ca\s+#{server_directory}/test_server/keys/ca.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^proto\s+udp$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^proto\s+tls-server$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^port\s+123$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^compress lz4$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^group\s+someone$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^user\s+someone$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^log-append\s+/var/log/openvpn/server1/test_server\.log$}) } - it { is_expected.to contain_file('/var/log/openvpn/server1').with('ensure' => 'directory', 'owner' => 'someone', 'group' => 'someone') } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^status\s+/tmp/test_server_status\.log$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dev\s+tun1$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^local\s+2\.3\.4\.5$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^server\s+2\.3\.4\.0\s+255\.255\.0\.0$}) } - it { is_expected.to 
contain_file("#{server_directory}/test_server.conf").with_content(%r{^server-ipv6\s+fe80:1337:1337:1337::/64$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^push\s+"dhcp-option\s+DNS\s+172\.31\.0\.30"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^push\s+"route\s+172\.31\.0\.0\s+255\.255\.0\.0"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^route\s+192.168.30.0\s+255.255.255.0$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^route\s+192.168.35.0\s+255.255.0.0$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^route-ipv6\s+2001:db8:1234::/64$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^route-ipv6\s+2001:db8:abcd::/64$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^keepalive\s+10\s+120$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^topology\s+subnet$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^management\s+1.3.3.7 1337$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^verb mute$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^cipher DES-CBC$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^tls-cipher\s+TLS-DHE-RSA-WITH-AES-256-CBC-SHA$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^persist-key$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^persist-tun$}) } - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^up "/tmp/up"$}) } - it { is_expected.to 
contain_file("#{server_directory}/test_server.conf").with_content(%r{^down "/tmp/down"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^client-connect "/tmp/connect"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^client-disconnect "/tmp/disconnect"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^script-security 2$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^duplicate-cn$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^tls-server$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^tls-auth\s+#{server_directory}/test_server/keys/ta.key$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^key-direction 0$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^this that$}) } - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^fragment 1412$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^port-share 127.0.0.1 8443$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^secret #{server_directory}/test_server/keys/pre-shared.secret$}) } - - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^server-poll-timeout}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^ping-timer-rem}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^sndbuf}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^rcvbuf}) } - it { is_expected.not_to 
contain_file("#{server_directory}/test_server.conf").with_content(%r{^remote-cert-tls server$}) } - - it { is_expected.to contain_file("#{server_directory}/test_server/keys/pre-shared.secret").with_content(%r{^secretsecret1234$}).with(ensure: 'present') } + it { + is_expected.to contain_file("#{server_directory}/test_server.conf"). + with_content(%r{^mode\s+server$}). + with_content(%r{^client-config-dir\s+#{server_directory}/test_server/client-configs$}). + with_content(%r{^ca\s+#{server_directory}/test_server/keys/ca.crt$}). + with_content(%r{^proto\s+udp$}). + with_content(%r{^port\s+123$}). + with_content(%r{^compress lz4$}). + with_content(%r{^group\s+someone$}). + with_content(%r{^user\s+someone$}). + with_content(%r{^log-append\s+/var/log/openvpn/server1/test_server\.log$}). + with_content(%r{^status\s+/tmp/test_server_status\.log$}). + with_content(%r{^dev\s+tun1$}). + with_content(%r{^local\s+2\.3\.4\.5$}). + with_content(%r{^server\s+2\.3\.4\.0\s+255\.255\.0\.0$}). + with_content(%r{^server-ipv6\s+fe80:1337:1337:1337::/64$}). + with_content(%r{^push\s+"dhcp-option\s+DNS\s+172\.31\.0\.30"$}). + with_content(%r{^push\s+"route\s+172\.31\.0\.0\s+255\.255\.0\.0"$}). + with_content(%r{^route\s+192.168.30.0\s+255.255.255.0$}). + with_content(%r{^route\s+192.168.35.0\s+255.255.0.0$}). + with_content(%r{^route-ipv6\s+2001:db8:1234::/64$}). + with_content(%r{^route-ipv6\s+2001:db8:abcd::/64$}). + with_content(%r{^keepalive\s+10\s+120$}). + with_content(%r{^topology\s+subnet$}). + with_content(%r{^management\s+1.3.3.7 1337$}). + with_content(%r{^verb mute$}). + with_content(%r{^cipher DES-CBC$}). + with_content(%r{^tls-cipher\s+TLS-DHE-RSA-WITH-AES-256-CBC-SHA$}). + with_content(%r{^persist-key$}). + with_content(%r{^persist-tun$}). + with_content(%r{^up "/tmp/up"$}). + with_content(%r{^down "/tmp/down"$}). + with_content(%r{^client-connect "/tmp/connect"$}). + with_content(%r{^client-disconnect "/tmp/disconnect"$}). + with_content(%r{^script-security 2$}). 
+ with_content(%r{^duplicate-cn$}). + with_content(%r{^tls-server$}). + with_content(%r{^tls-auth\s+#{server_directory}/test_server/keys/ta.key$}). + with_content(%r{^key-direction 0$}). + with_content(%r{^this that$}). + with_content(%r{^fragment 1412$}). + with_content(%r{^port-share 127.0.0.1 8443$}). + with_content(%r{^secret #{server_directory}/test_server/keys/pre-shared.secret$}). + without_content(%r{^proto\s+tls-server$}). + without_content(%r{^server-poll-timeout}). + without_content(%r{^ping-timer-rem}). + without_content(%r{^sndbuf}). + without_content(%r{^rcvbuf}). + without_content(%r{^remote-cert-tls server$}) + } + + it { is_expected.to contain_file('/var/log/openvpn/server1').with(ensure: 'directory', owner: 'someone', group: 'someone') } + + it { + is_expected.to contain_file("#{server_directory}/test_server/keys/pre-shared.secret"). + with_content(%r{^secretsecret1234$}). + with_ensure('present') + } + it { is_expected.to contain_schedule('renew crl.pem schedule on test_server') } it { is_expected.to contain_exec('renew crl.pem on test_server') } 
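Review bot: Several of the rewritten `with_content` patterns in the `with all parameters` block leave dots unescaped — `^route\s+192.168.30.0\s+255.255.255.0$`, `^route\s+192.168.35.0\s+255.255.0.0$`, `^management\s+1.3.3.7 1337$`, `^port-share 127.0.0.1 8443$` — while neighbouring patterns in the same chain escape them (`^local\s+2\.3\.4\.5$`), so `.` matches any character and a mangled address would still pass; writing them as `with_content(%r{^route\s+192\.168\.30\.0\s+255\.255\.255\.0$})` and likewise for the other three keeps the assertions exact. The fixture also pins `cipher DES-CBC` and `tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA`, which are clearly chosen as non-default sentinel values to prove parameter pass-through rather than as a recommended cipher set; a one-line comment above `with_content(%r{^cipher DES-CBC$})` such as `# sentinel values for pass-through only, not a recommended cipher configuration` would stop them being copied out of the test into a real configuration. The `let(:params)` block this `it` depends on starts before the hunk.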
@@ -500,373 +538,70 @@ } end - context 'creating a server setting all parameters including tls_crypt' do + context 'with pam' do let(:params) do { 'country' => 'CO', 'province' => 'ST', 'city' => 'Some City', 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'proto' => 'tcp6', - 'tls_crypt' => true + 'email' => 'testmail@example.org', + 'pam' => true } end - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^tls-crypt\s+#{server_directory}/test_server/keys/ta.key$}) } - - # OpenVPN easy-rsa CA - it { is_expected.to contain_openvpn__ca('test_server').with(tls_static_key: true) } - end + it { is_expected.to compile.with_all_deps } - # tests dedicated to easyrsa version 2 - context 'with easyrsa 2.0' do - let(:facts) do - facts.merge( - easyrsa: '2.0' - ) - end + it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^plugin #{pam_module_path} "?login"?$}) } - context 'creating a server setting all parameters' do + context 'with pam_module_arguments' do let(:params) do { 'country' => 'CO', 'province' => 'ST', 'city' => 'Some City', 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'compression' => 'compress lz4', - 'port' => '123', - 'proto' => 'udp', - 'group' => 'someone', - 'user' => 'someone', - 'logfile' => '/var/log/openvpn/test_server.log', - 'status_log' => '/tmp/test_server_status.log', - 'dev' => 'tun1', - 'up' => '/tmp/up', - 'down' => '/tmp/down', - 'local' => '2.3.4.5', - 'ipp' => true, - 'server' => '2.3.4.0 255.255.0.0', - 'server_ipv6' => 'fe80:1337:1337:1337::/64', - 'push' => ['dhcp-option DNS 172.31.0.30', 'route 172.31.0.0 255.255.0.0'], - 'route' => ['192.168.30.0 255.255.255.0', '192.168.35.0 255.255.0.0'], - 'route_ipv6' => ['2001:db8:1234::/64', '2001:db8:abcd::/64'], - 'keepalive' => '10 120', - 'topology' => 'subnet', - 'ssl_key_size' => 2048, - 'management' => true, - 'management_ip' => '1.3.3.7', - 'management_port' => 
1337, - 'common_name' => 'mylittlepony', - 'ca_expire' => 365, - 'crl_auto_renew' => true, - 'key_expire' => 365, - 'crl_days' => 20, - 'key_cn' => 'yolo', - 'key_name' => 'burp', - 'key_ou' => 'NSA', - 'verb' => 'mute', - 'cipher' => 'DES-CBC', - 'tls_cipher' => 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA', - 'persist_key' => true, - 'persist_tun' => true, - 'duplicate_cn' => true, - 'tls_auth' => true, - 'tls_server' => true, - 'fragment' => 1412, - 'custom_options' => { 'this' => 'that' }, - 'portshare' => '127.0.0.1 8443', - 'secret' => 'secretsecret1234', - 'remote_cert_tls' => true + 'email' => 'testmail@example.org', + 'pam' => true, + 'pam_module_arguments' => 'openvpn login USERNAME password PASSWORD' } end - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^cert\s+#{server_directory}/test_server/keys/mylittlepony.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^key\s+#{server_directory}/test_server/keys/mylittlepony.key$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dh\s+#{server_directory}/test_server/keys/dh2048.pem$}) } - it { is_expected.to contain_exec('renew crl.pem on test_server').with('command' => ". 
./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out #{server_directory}/test_server/crl.pem -config #{server_directory}/test_server/easy-rsa/openssl.cnf") } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^plugin #{pam_module_path} "openvpn login USERNAME password PASSWORD"$}) } end + end - context 'creating a server in client mode' do - let(:title) { 'test_client' } - let(:nobind) { false } + if os_facts[:os]['family'] == 'Debian' + context 'with ldap authentication' do let(:params) do { - 'remote' => ['vpn.example.com 12345'], - 'server_poll_timeout' => 1, - 'ping_timer_rem' => true, - 'tls_auth' => true, - 'tls_client' => true, - 'nobind' => nobind + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'testemail@example.org', + 'ldap_enabled' => true, + 'ldap_binddn' => 'dn=foo,ou=foo,ou=com', + 'ldap_bindpass' => 'ldappass123', + 'ldap_tls_enable' => true, + 'ldap_tls_ca_cert_file' => '/etc/ldap/ca.pem', + 'ldap_tls_ca_cert_dir' => '/etc/ldap/certs' } end - it { - is_expected.to contain_file("#{server_directory}/test_client.conf"). - with_content(%r{^ca #{server_directory}/test_client/keys/ca.crt$}) - } - - it { - is_expected.to contain_file("#{server_directory}/test_client.conf"). - with_content(%r{^cert #{server_directory}/test_client/keys/test_client.crt$}) - } + it { is_expected.to compile.with_all_deps } it { - is_expected.to contain_file("#{server_directory}/test_client.conf"). - with_content(%r{^key #{server_directory}/test_client/keys/test_client.key$}) + is_expected.to contain_file("#{server_directory}/test_server/auth/ldap.conf"). + with_content(%r{^\s+TLSEnable\s+yes$}). + with_content(%r{^\s+TLSCACertFile\s+/etc/ldap/ca.pem$}). + with_content(%r{^\s+TLSCACertDir\s+/etc/ldap/certs$}). + without_content(%r{^\s+TLSCertFile.*$}). 
+ without_content(%r{^\s+TLSKeyFile.*$}) } - end - - context 'when using shared ca' do - let(:params) do - { - 'shared_ca' => 'my_already_existing_ca' - } - end - let(:pre_condition) do - ' - openvpn::ca{ "my_already_existing_ca": - common_name => "custom_common_name", - country => "CO", - province => "ST", - city => "Some City", - organization => "example.org", - email => "testemail@example.org" - }' - end - it { is_expected.to contain_openvpn__ca('my_already_existing_ca') } - - # Check that certificate files point to the provide CA - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^mode\s+server$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^client-config-dir\s+#{server_directory_regex}/test_server/client-configs$}) } - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^ca\s+#{server_directory_regex}/my_already_existing_ca/keys/ca.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^cert\s+#{server_directory_regex}/my_already_existing_ca/keys/custom_common_name.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^key\s+#{server_directory_regex}/my_already_existing_ca/keys/custom_common_name.key$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dh\s+#{server_directory_regex}/my_already_existing_ca/keys/dh2048.pem$}) } - end - - context 'creating a server with the minimum parameters' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org' - } - end - - # OpenVPN easy-rsa CA - it { is_expected.to contain_openvpn__ca('test_server').with(params) } - - # VPN server config file itself - - it { is_expected.to 
contain_file("#{server_directory}/test_server.conf").with_content(%r{^mode\s+server$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^client-config-dir\s+#{server_directory_regex}/test_server/client-configs$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^ca\s+#{server_directory_regex}/test_server/keys/ca.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^cert\s+#{server_directory_regex}/test_server/keys/server.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^key\s+#{server_directory_regex}/test_server/keys/server.key$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dh\s+#{server_directory_regex}/test_server/keys/dh2048.pem$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^proto\s+tcp-server$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^tls-server$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^port\s+1194$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^comp-lzo$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^log-append\s+test_server/openvpn\.log$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^status\s+/var/log/openvpn/test_server-status\.log$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dev\s+tun0$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^local\s+10\.0\.2\.15$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^ifconfig-pool-persist}) } - it { is_expected.to 
contain_file("#{server_directory}/test_server.conf").with_content(%r{^crl-verify\s+#{server_directory_regex}/test_server/crl.pem$}) } - it { is_expected.not_to contain_schedule('renew crl.pem schedule on test_server') } - it { is_expected.not_to contain_exec('renew crl.pem on test_server') } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^secret}) } - - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{verb}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{cipher AES-256-GCM}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{persist-key}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{persist-tun}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^duplicate-cn$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^remote-cert-tls server}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^tls-auth}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^fragment}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^port-share}) } - - it { is_expected.to contain_file("#{server_directory}/test_server/keys/pre-shared.secret").with(ensure: 'absent') } - end - - context 'when pushing scripts' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'up' => 'up.sh', - 'down' => 'down.sh', - 'client_connect' => 'connect.sh', - 'client_disconnect' => 'disconnect.sh', - 'scripts' => { - 'add-tap-to-bridge.sh' => { - 'ensure' => 'present' - } - } - } - end - - it { is_expected.to 
contain_file("#{server_directory}/test_server/scripts/add-tap-to-bridge.sh").with(ensure: 'present') } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^up\s+"#{server_directory}/test_server/scripts/up\.sh"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^down\s+"#{server_directory}/test_server/scripts/down\.sh"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^client-connect\s+"#{server_directory}/test_server/scripts/connect\.sh"$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^client-disconnect\s+"#{server_directory}/test_server/scripts/disconnect\.sh"$}) } - end - - context 'when not using status log' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'status_log' => '' - } - end - - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^status}) } - end - - context 'when not using scripts' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org' - } - end - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").without_content(%r{^script-security\s+}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").without_content(%r{^up\s+}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").without_content(%r{^down\s+}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").without_content(%r{^client-connect\s+}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").without_content(%r{^client-disconnect\s+}) } - end - - case facts[:os]['family'] - when %r{FreeBSD} - context 'when FreeBSD based machine' do - 
let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'pam' => true - } - end - - it { is_expected.to contain_file('/etc/rc.conf.d/openvpn_test_server') } - it { is_expected.to contain_service('openvpn_test_server') } - it { is_expected.to contain_file("#{server_directory}/test_server") } - it { is_expected.to contain_file('/usr/local/etc/rc.d/openvpn_test_server') } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{/usr/local/etc}) } - end - - context 'creating a server with the minimum parameters' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org' - } - end - - # Files associated with a server config - it { - is_expected.to contain_file("#{server_directory}/test_server"). - with(ensure: 'directory', mode: '0750', group: 'nogroup') - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/client-configs"). - with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs"). - with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/auth"). - with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/scripts"). 
- with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') - } - - # VPN server config file itself - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^group\s+nogroup$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^user\s+nobody$}) } - end - - when 'Debian' - context 'creating a server with the minimum parameters' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org' - } - end - - # Files associated with a server config - it { - is_expected.to contain_file("#{server_directory}/test_server"). - with(ensure: 'directory', mode: '0750', group: 'nogroup') - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/client-configs"). - with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs"). - with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/auth"). - with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/scripts"). - with(ensure: 'directory', mode: '0750', recurse: true, group: 'nogroup') - } - - # VPN server config file itself - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^group\s+nogroup$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^user\s+nobody$}) } - end - - context 'when Debian based machine' do + context 'with ldap_tls_cert_file and ldap_tls_key_file' do let(:params) do { 'country' => 'CO', 
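Review bot: The new `with ldap authentication` context passes `ldap_bindpass` but only asserts the TLS directives of `auth/ldap.conf`; since that file will carry the bind password, the context should also pin the file's ownership and mode, e.g. `it { is_expected.to contain_file("#{server_directory}/test_server/auth/ldap.conf").with(mode: '<expected mode>') }` filled in with the value the module actually sets (not visible in this hunk). The removed per-OS `creating a server with the minimum parameters` contexts asserted `mode: '0750'` on the `auth` directory and I cannot see an equivalent assertion for the server contexts elsewhere in this diff, so that may be lost coverage rather than a relocation. Separately, in the `with pam` contexts `#{pam_module_path}` is interpolated unescaped into the `plugin` regexes; as a filesystem path it contains `.`, so `%r{^plugin #{Regexp.escape(pam_module_path)} "?login"?$}` keeps the match exact. The `with ldap_tls_cert_file and ldap_tls_key_file` context opened at the end of this hunk continues into the next one.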
@@ -874,331 +609,25 @@ 'city' => 'Some City', 'organization' => 'example.org', 'email' => 'testemail@example.org', - 'pam' => true - } - end - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^group\s+nogroup$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "login"$}) } - - context 'enabled autostart_all' do - let(:pre_condition) { 'class { "openvpn": autostart_all => true }' } - - it { is_expected.not_to contain_concat__fragment('openvpn.default.autostart.test_server') } - end - - context 'disabled autostart_all' do - let(:pre_condition) { 'class { "openvpn": autostart_all => false }' } - - it { is_expected.not_to contain_concat__fragment('openvpn.default.autostart.test_server') } - - context 'but machine has autostart' do - before { params['autostart'] = true } - - it { - is_expected.to contain_concat__fragment('openvpn.default.autostart.test_server').with( - 'content' => "AUTOSTART=\"$AUTOSTART test_server\"\n", - 'target' => '/etc/default/openvpn' - ) - } - end - end - end - end - end - - # tests with easyrsa version 3 - context 'with easyrsa 3.0' do - let(:facts) do - facts.merge( - easyrsa: '3.0' - ) - end - - context 'creating a server setting all parameters' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'compression' => 'compress lz4', - 'port' => '123', - 'proto' => 'udp', - 'group' => 'someone', - 'user' => 'someone', - 'logfile' => '/var/log/openvpn/test_server.log', - 'status_log' => '/tmp/test_server_status.log', - 'dev' => 'tun1', - 'up' => '/tmp/up', - 'down' => '/tmp/down', - 'local' => '2.3.4.5', - 'ipp' => true, - 'server' => '2.3.4.0 255.255.0.0', - 'server_ipv6' => 'fe80:1337:1337:1337::/64', - 'push' => ['dhcp-option DNS 172.31.0.30', 'route 172.31.0.0 255.255.0.0'], - 'route' => 
['192.168.30.0 255.255.255.0', '192.168.35.0 255.255.0.0'], - 'route_ipv6' => ['2001:db8:1234::/64', '2001:db8:abcd::/64'], - 'keepalive' => '10 120', - 'topology' => 'subnet', - 'ssl_key_size' => 2048, - 'management' => true, - 'management_ip' => '1.3.3.7', - 'management_port' => 1337, - 'common_name' => 'mylittlepony', - 'ca_expire' => 365, - 'crl_auto_renew' => true, - 'key_expire' => 365, - 'crl_days' => 20, - 'key_cn' => 'yolo', - 'key_name' => 'burp', - 'key_ou' => 'NSA', - 'verb' => 'mute', - 'cipher' => 'DES-CBC', - 'tls_cipher' => 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA', - 'persist_key' => true, - 'persist_tun' => true, - 'duplicate_cn' => true, - 'tls_auth' => true, - 'tls_server' => true, - 'fragment' => 1412, - 'custom_options' => { 'this' => 'that' }, - 'portshare' => '127.0.0.1 8443', - 'secret' => 'secretsecret1234', - 'remote_cert_tls' => true - } - end - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^cert\s+#{server_directory}/test_server/keys/issued/mylittlepony.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^key\s+#{server_directory}/test_server/keys/private/mylittlepony.key$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dh\s+#{server_directory}/test_server/keys/dh.pem$}) } - it { is_expected.to contain_exec('renew crl.pem on test_server').with('command' => "./easyrsa gen-crl && cp ./keys/crl.pem #{server_directory}/test_server/crl.pem") } - end - - context 'creating a server in dn_mode cn_only' do - let(:params) do - { - 'dn_mode' => 'cn_only', - } - end - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^cert\s+#{server_directory}/test_server/keys/issued/server.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^key\s+#{server_directory}/test_server/keys/private/server.key$}) } - it { is_expected.to 
contain_file("#{server_directory}/test_server.conf").with_content(%r{^dh\s+#{server_directory}/test_server/keys/dh.pem$}) } - end - - context 'creating a server in client mode' do - let(:title) { 'test_client' } - let(:nobind) { false } - let(:params) do - { - 'remote' => ['vpn.example.com 12345'], - 'server_poll_timeout' => 1, - 'ping_timer_rem' => true, - 'tls_auth' => true, - 'tls_client' => true, - 'nobind' => nobind - } - end - - it { - is_expected.to contain_file("#{server_directory}/test_client.conf"). - with_content(%r{^ca #{server_directory}/test_client/keys/ca.crt$}) - } - - it { - is_expected.to contain_file("#{server_directory}/test_client.conf"). - with_content(%r{^cert #{server_directory}/test_client/keys/issued/test_client.crt$}) - } - - it { - is_expected.to contain_file("#{server_directory}/test_client.conf"). - with_content(%r{^key #{server_directory}/test_client/keys/private/test_client.key$}) - } - end - - context 'when using shared ca' do - let(:params) do - { - 'shared_ca' => 'my_already_existing_ca' - } - end - let(:pre_condition) do - ' - openvpn::ca{ "my_already_existing_ca": - common_name => "custom_common_name", - country => "CO", - province => "ST", - city => "Some City", - organization => "example.org", - email => "testemail@example.org" - }' - end - - it { is_expected.to contain_openvpn__ca('my_already_existing_ca') } - - # Check that certificate files point to the provide CA - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^mode\s+server$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^client-config-dir\s+#{server_directory_regex}/test_server/client-configs$}) } - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^ca\s+#{server_directory_regex}/my_already_existing_ca/keys/ca.crt$}) } - it { is_expected.to 
contain_file("#{server_directory}/test_server.conf").with_content(%r{^cert\s+#{server_directory_regex}/my_already_existing_ca/keys/issued/custom_common_name.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^key\s+#{server_directory_regex}/my_already_existing_ca/keys/private/custom_common_name.key$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dh\s+#{server_directory_regex}/my_already_existing_ca/keys/dh.pem$}) } - end - - context 'creating a server with ec keys' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'ssl_key_algo' => 'ec', - } - end - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^cert\s+#{server_directory}/test_server/keys/issued/server.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^key\s+#{server_directory}/test_server/keys/private/server.key$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dh\s+#{server_directory}/test_server/keys/dh.pem$}) } - end - - case facts[:os]['family'] - when 'RedHat' - context 'creating a server with the minimum parameters' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org' + 'ldap_enabled' => true, + 'ldap_binddn' => 'dn=foo,ou=foo,ou=com', + 'ldap_bindpass' => 'ldappass123', + 'ldap_tls_enable' => true, + 'ldap_tls_ca_cert_file' => '/etc/ldap/ca.pem', + 'ldap_tls_ca_cert_dir' => '/etc/ldap/certs', + 'ldap_tls_client_cert_file' => '/etc/ldap/client-cert.pem', + 'ldap_tls_client_key_file' => '/etc/ldap/client-key.pem' } end - # Files associated with a server config - it { - is_expected.to contain_file("#{server_directory}/test_server"). 
- with(ensure: 'directory', mode: '0750', group: 'nobody') - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/client-configs"). - with(ensure: 'directory', mode: '0750', recurse: true, group: 'nobody') - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/download-configs"). - with(ensure: 'directory', mode: '0750', recurse: true, group: 'nobody') - } - - it { - is_expected.to contain_file("#{server_directory}/test_server/auth"). - with(ensure: 'directory', mode: '0750', recurse: true, group: 'nobody') - } - it { - is_expected.to contain_file("#{server_directory}/test_server/scripts"). - with(ensure: 'directory', mode: '0750', recurse: true, group: 'nobody') + is_expected.to contain_file("#{server_directory}/test_server/auth/ldap.conf"). + with_content(%r{^\s+TLSEnable\s+yes$}). + with_content(%r{^\s+TLSCACertFile\s+/etc/ldap/ca.pem$}). + with_content(%r{^\s+TLSCACertDir\s+/etc/ldap/certs$}). + with_content(%r{^\s+TLSCertFile\s+/etc/ldap/client-cert.pem$}). 
+ with_content(%r{^\s+TLSKeyFile\s+/etc/ldap/client-key.pem$}) } - - # VPN server config file itself - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^group\s+nobody$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^user\s+nobody$}) } - end - - context 'RedHat using an external CA and enabling tls-auth' do - let(:params) do - { - 'tls_auth' => true, - 'extca_enabled' => true, - 'extca_ca_cert_file' => '/etc/ipa/ca.crt', - 'extca_ca_crl_file' => '/etc/ipa/ca_crl.pem', - 'extca_server_cert_file' => '/etc/pki/tls/certs/localhost.crt', - 'extca_server_key_file' => '/etc/pki/tls/private/localhost.key', - 'extca_dh_file' => '/etc/ipa/dh.pem', - 'extca_tls_auth_key_file' => '/etc/openvpn/keys/ta.key' - } - end - - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^ca\s+#{server_directory_regex}/test_server/keys/ca.crt$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^crl-verify\s+#{server_directory_regex}/test_server/crl.pem$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^cert\s+#{server_directory_regex}/test_server/keys/server.crt$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^key\s+#{server_directory_regex}/test_server/keys/server.key$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dh\s+#{server_directory_regex}/test_server/keys/dh2048.pem$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^tls-auth\s+#{server_directory_regex}/test_server/keys/ta.key$}) } - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^ca\s+/etc/ipa/ca.crt$}) } - it { is_expected.to 
contain_file("#{server_directory}/test_server.conf").with_content(%r{^crl-verify\s+/etc/ipa/ca_crl.pem$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^cert\s+/etc/pki/tls/certs/localhost.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^key\s+/etc/pki/tls/private/localhost.key$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dh\s+/etc/ipa/dh.pem$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^tls-auth\s+/etc/openvpn/keys/ta.key$}) } - end - - context 'RedHat using an external CA and without tls-auth' do - let(:params) do - { - 'extca_enabled' => true, - 'extca_ca_cert_file' => '/etc/ipa/ca.crt', - 'extca_ca_crl_file' => '/etc/ipa/ca_crl.pem', - 'extca_server_cert_file' => '/etc/pki/tls/certs/localhost.crt', - 'extca_server_key_file' => '/etc/pki/tls/private/localhost.key', - 'extca_dh_file' => '/etc/ipa/dh.pem', - 'extca_tls_auth_key_file' => '/etc/openvpn/keys/ta.key' - } - end - - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^ca\s+#{server_directory}/test_server/keys}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^crl-verify\s+#{server_directory}/test_server}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^cert\s+#{server_directory}/test_server/keys}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^key\s+#{server_directory}/test_server/keys}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dh\s+#{server_directory}/test_server/keys}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^tls-auth}) } - - it { is_expected.to 
contain_file("#{server_directory}/test_server.conf").with_content(%r{^ca\s+/etc/ipa/ca.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^crl-verify\s+/etc/ipa/ca_crl.pem$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^cert\s+/etc/pki/tls/certs/localhost.crt$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^key\s+/etc/pki/tls/private/localhost.key$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dh\s+/etc/ipa/dh.pem$}) } - end - - context 'when RedHat based machine with different pam_module_arguments and crl_verify disabled' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'pam' => true, - 'pam_module_arguments' => 'openvpn login USERNAME password PASSWORD', - 'crl_verify' => false - } - end - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so "openvpn login USERNAME password PASSWORD"$}) } - it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^crl-verify}) } - end - - context 'when RedHat based machine' do - let(:params) do - { - 'country' => 'CO', - 'province' => 'ST', - 'city' => 'Some City', - 'organization' => 'example.org', - 'email' => 'testemail@example.org', - 'pam' => true - } - end - - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^group\s+nobody$}) } - it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so "?login"?$}) } end end end diff --git a/spec/fixtures/hiera/hiera.yaml b/spec/fixtures/hiera/hiera.yaml deleted file mode 100644 index 58f410e3..00000000 
--- a/spec/fixtures/hiera/hiera.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-:backends:
- - yaml
-:hierarchy:
- - test
-:yaml:
- :datadir: 'spec/fixtures/hiera'
diff --git a/spec/fixtures/hiera/test.yaml b/spec/fixtures/hiera/test.yaml
deleted file mode 100644
index 5d963fb1..00000000
--- a/spec/fixtures/hiera/test.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-classes:
- - openvpn
-
-openvpn::server_defaults:
- country: 'CH'
- province: 'ZH'
- city: 'Winterthur'
- organization: 'example.org'
-openvpn::servers:
- 'winterthur':
- email: 'root@example.org'
- server: '10.200.200.0 255.255.255.0'
- 'uster':
- city: 'Uster'
- email: 'root@example.com'
- organization: 'example.com'
- server: '10.100.100.0 255.255.255.0'
-
-openvpn::client_defaults:
- server: 'winterthur'
-openvpn::clients:
- 'winti-client1': {}
- 'winti-client2': {}
- 'uster-client1':
- server: 'uster'
- 'uster-client2':
- server: 'uster'
-
-openvpn::client_specific_config_defaults:
- server: 'winterthur'
-openvpn::client_specific_configs:
- 'winti-client1':
- ifconfig: '10.200.200.50 10.200.200.51'
- 'uster-client1':
- server: 'uster'
- ifconfig: '10.100.100.50 10.100.100.51'
-
-openvpn::revoke_defaults:
- server: 'winterthur'
-openvpn::revokes:
- 'winti-client2': {}
- 'uster-client2':
- server: 'uster'
diff --git a/spec/setup_acceptance_node.pp b/spec/setup_acceptance_node.pp
new file mode 100644
index 00000000..03bc708d
--- /dev/null
+++ b/spec/setup_acceptance_node.pp
@@ -0,0 +1,30 @@
+if $facts['os']['family'] == 'RedHat' {
+ package { 'epel-release':
+ ensure => present,
+ }
+}
+
+$netcat_package_name = $facts['os']['family'] ? {
+ 'Debian' => 'netcat-openbsd',
+ 'RedHat' => 'nc',
+ 'Archlinux' => 'gnu-netcat',
+ default => 'netcat',
+}
+
+node /vpnserver/ {
+ package { $netcat_package_name:
+ ensure => present,
+ }
+}
+
+node /vpnclient/ {
+ package { ['tar','openvpn']:
+ ensure => present,
+ }
+}
+
+node default {
+ package { $netcat_package_name:
+ ensure => present,
+ }
+}
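Review bot: The `epel-release` package at the top of the new spec/setup_acceptance_node.pp is now installed for the whole `RedHat` family, whereas the inline manifest removed from spec_helper_acceptance.rb limited it to `os.name == 'CentOS'`; on a family member that does not ship that package (Fedora, presumably) the setup manifest would fail before any acceptance test runs. Narrowing the guard keeps the old behaviour, e.g. `if $facts['os']['family'] == 'RedHat' and $facts['os']['name'] != 'Fedora' {`. The node regexes `/vpnserver/` and `/vpnclient/` are also unanchored where the old ones were `/^vpnserver\./`; that is probably intentional for the new setfiles, but a one-line comment naming the hostnames they are meant to match would save the next reader the guesswork.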
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index fe09954d..58c9b66a 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -10,7 +10,7 @@ require 'voxpupuli/test/spec_helper' RSpec.configure do |c| - c.hiera_config = 'spec/fixtures/hiera/hiera.yaml' + c.facterdb_string_keys = false end add_mocked_facts! @@ -21,3 +21,4 @@ add_custom_fact name.to_sym, value end end +Dir['./spec/support/spec/**/*.rb'].sort.each { |f| require f } diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index 254f1b61..d3a6e23c 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -1,40 +1,10 @@ # frozen_string_literal: true -require 'voxpupuli/acceptance/spec_helper_acceptance' - -configure_beaker do |host| - manifest = <<-PUPPET - if $facts['os']['name'] == 'CentOS' { - package { 'epel-release': - ensure => present, - } - } - - $netcat_package_name = $facts['os']['family'] ? { - 'Debian' => 'netcat-openbsd', - 'RedHat' => 'nc', - default => 'netcat', - } +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ - node /^vpnserver\./ { - package { $netcat_package_name: - ensure => present, - } - } - - node /^vpnclienta\./ { - package { ['tar','openvpn'] : - ensure => present, - } - } +require 'voxpupuli/acceptance/spec_helper_acceptance' - # CentOS 6 in docker doesn't get a hostname - install all packages - node /^localhost\./ { - package { ['tar', 'openvpn', $netcat_package_name]: - ensure => present, - } - } +configure_beaker - PUPPET - apply_manifest_on(host, manifest, catch_failures: true) -end +Dir['./spec/support/acceptance/**/*.rb'].sort.each { |f| require f } diff --git a/templates/vars-30.epp b/templates/vars-30.epp index 6c69fe71..e9e6c002 100644 --- a/templates/vars-30.epp +++ b/templates/vars-30.epp 
@@ -1,109 +1,256 @@ -# easy-rsa parameter settings +# Easy-RSA 3 parameter settings -# NOTE: If you installed from an RPM, -# don't edit this file in place in -# /usr/share/openvpn/easy-rsa -- -# instead, you should copy the whole -# easy-rsa directory to another location -# (such as /etc/openvpn) so that your -# edits will not be wiped out by a future -# OpenVPN package upgrade. +# NOTE: If you installed Easy-RSA from your package manager, do not edit +# this file in place -- instead, you should copy the entire easy-rsa directory +# to another location so future upgrades do not wipe out your changes. -# This variable should point to -# the top level of the easy-rsa -# tree. -export EASY_RSA="<%= $server_directory -%>/<%= $openvpn_server %>/easy-rsa" +# HOW TO USE THIS FILE +# +# vars.example contains built-in examples to Easy-RSA settings. You MUST name +# this file "vars" if you want it to be used as a configuration file. If you +# do not, it WILL NOT be automatically read when you call easyrsa commands. +# +# It is not necessary to use this config file unless you wish to change +# operational defaults. These defaults should be fine for many uses without +# the need to copy and edit the "vars" file. +# +# All of the editable settings are shown commented and start with the command +# "set_var" -- this means any set_var command that is uncommented has been +# modified by the user. If you are happy with a default, there is no need to +# define the value to its default. +# NOTES FOR WINDOWS USERS # -# This variable should point to -# the requested executables +# Paths for Windows *MUST* use forward slashes, or optionally double-escaped +# backslashes (single forward slashes are recommended.) 
This means your path +# to the openssl binary might look like this: +# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + +# A little housekeeping: DO NOT EDIT THIS SECTION # -export EASYRSA_OPENSSL="openssl" -export PKCS11TOOL="pkcs11-tool" -export GREP="grep" +# Easy-RSA 3.x does not source into the environment directly. +# Complain if a user tries to do this: +if [ -z "$EASYRSA_CALLER" ]; then + echo "You appear to be sourcing an Easy-RSA *vars* file. This is" >&2 + echo "no longer necessary and is disallowed. See the section called" >&2 + echo "*How to use this file* near the top comments for more details." >&2 + return 1 +fi +# DO YOUR EDITS BELOW THIS POINT -# This variable should point to -# the openssl.cnf file included -# with easy-rsa. -export EASYRSA_SSL_CONF="$EASY_RSA/openssl-1.0.cnf" +# This variable is used as the base location of configuration files needed by +# easyrsa. More specific variables for specific files (eg: EASYRSA_SSL_CONF) +# may override this default. +# +# The default value of this variable is the location of the easyrsa script +# itself, which is also where the configuration files are located in the +# easy-rsa tree. +# +set_var EASYRSA "<%= $server_directory -%>/<%= $openvpn_server %>/easy-rsa" -# Edit this variable to point to -# your soon-to-be-created key -# directory. +set_var EASYRSA_PKI "$EASYRSA/keys" + +# If your OpenSSL command is not in the system PATH, you will need to define +# the path here. Normally this means a full path to the executable, otherwise +# you could have left it undefined here and the shown default would be used. +# +# Windows users, remember to use paths with forward-slashes (or escaped +# back-slashes.) Windows users should declare the full path to the openssl +# binary here if it is not in their system PATH. +# +set_var EASYRSA_OPENSSL "openssl" # -# WARNING: clean-all will do -# a rm -rf on this directory -# so make sure you define -# it correctly! 
-export EASYRSA_PKI="$EASY_RSA/keys" +# This sample is in Windows syntax -- edit it for your path if not using PATH: +#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" -# Issue rm -rf warning -echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $EASYRSA_PKI +# Define X509 DN mode. +# +# This is used to adjust which elements are included in the Subject field +# as the DN ("Distinguished Name"). Note that in 'cn_only' mode the +# Organizational fields, listed further below, are not used. +# +# Choices are: +# cn_only - Use just a commonName value. +# org - Use the "traditional" format: +# Country/Province/City/Org/Org.Unit/email/commonName +# +set_var EASYRSA_DN "<%= $dn_mode %>" -# PKCS11 fixes -export PKCS11_MODULE_PATH="dummy" -export PKCS11_PIN="dummy" +# Organizational fields (used with "org" mode and ignored in "cn_only" mode). +# These are the default values for fields which will be placed in the +# certificate. Do not leave any of these fields blank, although interactively +# you may omit any specific field by typing the "." symbol (not valid for +# email). 
+# +# NOTE: The following characters are not supported +# in these "Organizational fields" by Easy-RSA: +# back-tick (`) +# +<% if $country { -%> +set_var EASYRSA_REQ_COUNTRY "<%= $country %>" +<% } -%> +<% if $province { -%> +set_var EASYRSA_REQ_PROVINCE "<%= $province %>" +<% } -%> +<% if $city { -%> +set_var EASYRSA_REQ_CITY "<%= $city %>" +<% } -%> +<% if $organization { -%> +set_var EASYRSA_REQ_ORG "<%= $organization %>" +<% } -%> +<% if $email { -%> +set_var EASYRSA_REQ_EMAIL "<%= $email %>" +<% } -%> +<% if $key_cn { -%> +set_var EASYRSA_REQ_CN "<%= $key_cn %>" +<% } -%> +<% if $key_ou { -%> +set_var EASYRSA_REQ_OU "<%= $key_ou %>" +<% } -%> + +# Preserve the Distinguished Name field order +# of the certificate signing request +# *Only* effective in --dn-mode=org +# +#set_var EASYRSA_PRESERVE_DN 1 + +# Set no password mode - This will create the entire PKI without passwords. +# This can be better managed by choosing which entity private keys should be +# encrypted with the following command line options: +# Global option '--no-pass' or command option 'nopass'. +# +#set_var EASYRSA_NO_PASS 1 -# Increase this to 2048 if you -# are paranoid. This will slow -# down TLS negotiation performance -# as well as the one-time DH parms -# generation process. -export EASYRSA_KEY_SIZE=<%= $ssl_key_size %> +# Choose a size in bits for your keypairs. The recommended value is 2048. +# Using 2048-bit keys is considered more than sufficient for many years into +# the future. Larger keysizes will slow down TLS negotiation and make key/DH +# param generation take much longer. Values up to 4096 should be accepted by +# most software. Only used when the crypto alg is rsa, see below. +# +set_var EASYRSA_KEY_SIZE <%= $ssl_key_size %> # The default crypto mode is rsa; ec can enable elliptic curve support. # Note that not all software supports ECC, so use care when enabling it. 
# Choices for crypto alg are: (each in lower-case) # * rsa # * ec - +# * ed +# <% if $ssl_key_algo { -%> -export EASYRSA_ALGO=<%= $ssl_key_algo %> +set_var EASYRSA_ALGO <%= $ssl_key_algo %> <% } -%> -# Define the named curve, used in ec mode only: +# Define the named curve, used in ec & ed modes: +# <% if $ssl_key_curve { -%> -export EASYRSA_CURVE=<%= $ssl_key_curve %> +set_var EASYRSA_CURVE <%= $ssl_key_curve %> <% } -%> # In how many days should the root CA key expire? -export EASYRSA_CA_EXPIRE=<%= $ca_expire %> +# +set_var EASYRSA_CA_EXPIRE <%= $ca_expire %> # In how many days should certificates expire? -export EASYRSA_CERT_EXPIRE=<%= $key_expire %> +# +set_var EASYRSA_CERT_EXPIRE <%= $key_expire %> -export EASYRSA_CRL_DAYS=<%= $crl_days %> +# How many days until the Certificate Revokation List will expire. +# +# IMPORTANT: When the CRL expires, an OpenVPN Server which uses a +# CRL will reject ALL new connections, until the CRL is replaced. +# +set_var EASYRSA_CRL_DAYS <%= $crl_days %> + +# Random serial numbers by default. +# Set to 'no' for the old incremental serial numbers. +# +#set_var EASYRSA_RAND_SN "yes" + +# Cut-off window for checking expiring certificates. +# +#set_var EASYRSA_PRE_EXPIRY_WINDOW 90 + +# Generate automatic subjectAltName for certificates +# +#set_var EASYRSA_AUTO_SAN 1 + +# Add critical attribute to X509 fields: basicConstraints (BC), +# keyUsage (KU), extendedKeyUsage (EKU) or SAN +# +#set_var EASYRSA_BC_CRIT 1 +#set_var EASYRSA_KU_CRIT 1 +#set_var EASYRSA_EKU_CRIT 1 +#set_var EASYRSA_SAN_CRIT 1 + +# Disable automatic inline files +# +#set_var EASYRSA_DISABLE_INLINE 1 + +# Support deprecated "Netscape" extensions? (choices "yes" or "no"). +# The default is "no", to discourage use of deprecated extensions. +# If you require this feature to use with --ns-cert-type, set this to "yes". +# This support should be replaced with the more modern --remote-cert-tls +# feature. 
If you do not use --ns-cert-type in your configs, it is safe, +# and recommended, to leave this defined to "no". +# When set to "yes", server-signed certs get the nsCertType=server attribute +# and also get any NS_COMMENT defined below in the nsComment field. +# +#set_var EASYRSA_NS_SUPPORT "no" + +# When NS_SUPPORT is set to "yes", this field is added as the nsComment field. +# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored. +# +#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" + +# !! +# NOTE: ADVANCED OPTIONS BELOW THIS POINT +# PLAY WITH THEM AT YOUR OWN RISK +# !! + +# Broken shell command aliases: If you have a largely broken shell that is +# missing any of these POSIX-required commands used by Easy-RSA, you will need +# to define an alias to the proper path for the command. The symptom will be +# some form of a "command not found" error from your shell. This means your +# shell is BROKEN, but you can hack around it here if you really need. These +# shown values are not defaults: it is up to you to know what you are doing if +# you touch these. +# +#alias awk="/alt/bin/awk" +#alias cat="/alt/bin/cat" + +# X509 extensions directory: +# If you want to customize the X509 extensions used, set the directory to look +# for extensions here. Each cert type you sign must have a matching filename, +# and an optional file named "COMMON" is included first when present. Note that +# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then +# fallback to $EASYRSA for the "x509-types" dir. You may override this +# detection with an explicit dir here. +# +#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" + +# Non-functional +# If you want to generate KDC certificates, you need to set the realm here. +# +#set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM" + +# OpenSSL config file: +# If you need to use a specific openssl config file, you can reference it here. 
+# Normally this file is auto-detected from a file named openssl-easyrsa.cnf +# from the EASYRSA_PKI or EASYRSA dir, in that order. NOTE that this file is +# Easy-RSA specific and you cannot just use a standard config file, so this is +# an advanced feature. +# +#set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf" # Cryptographic digest to use. # Do not change this default unless you understand the security implications. # Valid choices include: md5, sha1, sha256, sha224, sha384, sha512 +# +set_var EASYRSA_DIGEST <%= $digest %> -export EASYRSA_DIGEST=<%= $digest %> - -export EASYRSA_DN="<%= $dn_mode %>" - -# These are the default values for fields -# which will be placed in the certificate. -# Don't leave any of these fields blank. -<% if $country { -%> -export EASYRSA_REQ_COUNTRY="<%= $country %>" -<% } -%> -<% if $province { -%> -export EASYRSA_REQ_PROVINCE="<%= $province %>" -<% } -%> -<% if $city { -%> -export EASYRSA_REQ_CITY="<%= $city %>" -<% } -%> -<% if $organization { -%> -export EASYRSA_REQ_ORG="<%= $organization %>" -<% } -%> -<% if $email { -%> -export EASYRSA_REQ_EMAIL="<%= $email %>" -<% } -%> -<% if $key_cn { -%> -export EASYRSA_REQ_CN="<%= $key_cn %>" -<% } -%> -<% if $key_ou { -%> -export EASYRSA_REQ_OU="<%= $key_ou %>" -<% } -%> +# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly +# in batch mode without any user input, confirmation on dangerous operations, +# or most output. Setting this to any non-blank string enables batch mode. +# +set_var EASYRSA_BATCH "1" diff --git a/vagrant/Puppetfile b/vagrant/Puppetfile deleted file mode 100644 index 3b980201..00000000 --- a/vagrant/Puppetfile +++ /dev/null @@ -1,2 +0,0 @@ -# rubocop:disable Style/FileName -mod 'luxflux-openvpn', path: '/vagrant' diff --git a/vagrant/client.pp b/vagrant/client.pp deleted file mode 100644 index 9faa4895..00000000 --- a/vagrant/client.pp +++ /dev/null @@ -1,3 +0,0 @@ -node default { - package { 'openvpn': ensure => installed; } -} 
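Review bot: `set_var EASYRSA_BATCH "1"` at the end of the hunk enables batch mode unconditionally, directly under a comment that tells the reader to leave it disabled because it removes confirmation on dangerous operations; the comment should say why it is on here, e.g. `# Enabled on purpose: Puppet runs easyrsa non-interactively, so prompts cannot be answered and are auto-confirmed.` Separately, the seven `EASYRSA_REQ_*` lines interpolate module parameters inside double quotes in a file that the easyrsa script sources as shell (and passes through `set_var`), so a value containing `"`, `$` or a back-tick is interpreted by the shell rather than used literally, while the comment above them only warns about the back-tick. Since the values are user-supplied parameters, validating them at the defined-type boundary (the parameter declarations are outside this hunk) is the robust fix; at minimum the comment should list `"` and `$` as unsupported characters. Minor: the CRL comment misspells "Revocation".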
diff --git a/vagrant/provision_module.sh b/vagrant/provision_module.sh deleted file mode 100644 index d9cb057d..00000000 --- a/vagrant/provision_module.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash - -set -e - -if [ ! -f /module-installed ]; then - wget https://apt.puppet.com/puppet7-release-focal.deb - dpkg -i puppet7-release-focal.deb - - apt-get update - apt-get install -y ruby-dev git puppet-agent - - export PATH=$PATH:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/bin - - gem install librarian-puppet --no-document - - cp /vagrant/vagrant/Puppetfile /tmp - cd /tmp && librarian-puppet install --verbose - - touch /module-installed -fi diff --git a/vagrant/server.pp b/vagrant/server.pp deleted file mode 100644 index 29112b17..00000000 --- a/vagrant/server.pp +++ /dev/null @@ -1,35 +0,0 @@ -node default { - openvpn::server { 'winterthur': - country => 'CH', - province => 'ZH', - city => 'Winterthur', - organization => 'example.org', - email => 'root@example.org', - local => '192.168.61.10', - server => '10.200.200.0 255.255.255.0', - } - - openvpn::client { 'client1': - server => 'winterthur', - remote_host => '192.168.61.10', - } - - openvpn::client_specific_config { 'client1': - server => 'winterthur', - ifconfig => '10.200.200.100 255.255.255.0', - } - - openvpn::client { 'client2': - server => 'winterthur', - remote_host => '192.168.61.10', - } - - openvpn::client { 'client3': - server => 'winterthur', - remote_host => '192.168.61.10', - } - - openvpn::revoke { 'client3': - server => 'winterthur', - } -}