Allow Setting Ca file mode (#33)

manifests/ca.pp

@@ -22,6 +22,10 @@
 #   source. (defaults to true)
 # [*checksum*]
 #   The md5sum of the file. (defaults to undef)
+# [*ca_file_mode*]
+#   The installed CA certificate's POSIX filesystem permissions. This uses
+#   the same syntax as Puppet's native file resource's "mode" parameter.
+#   (defaults to '0444', i.e. world-readable)
 #
 # === Examples
 #
@@ -35,6 +39,7 @@
   $ensure            = 'trusted',
   $verify_https_cert = true,
   $checksum          = undef,
+  $ca_file_mode      = $ca_cert::params::ca_file_mode,
 ) {
 
   include ::ca_cert::params
@@ -91,6 +96,7 @@
             path    => $ca_cert,
             owner   => 'root',
             group   => 'root',
+            mode    => $ca_file_mode,
             require => Package[$ca_cert::params::package_name],
             notify  => Class['::ca_cert::update'],
           }
@@ -114,6 +120,7 @@
             path    => $ca_cert,
             owner   => 'root',
             group   => 'root',
+            mode    => $ca_file_mode,
             require => Package[$ca_cert::params::package_name],
             notify  => Class['::ca_cert::update'],
           }
@@ -125,6 +132,7 @@
             path    => $ca_cert,
             owner   => 'root',
             group   => 'root',
+            mode    => $ca_file_mode,
             require => Package[$ca_cert::params::package_name],
             notify  => Class['::ca_cert::update'],
           }

manifests/init.pp

@@ -58,13 +58,15 @@
   }
 
   $trusted_cert_dir = $ca_cert::params::trusted_cert_dir
-  $cert_dir_group = $ca_cert::params::cert_dir_group
+  $cert_dir_group   = $ca_cert::params::cert_dir_group
+  $cert_dir_mode    = $ca_cert::params::cert_dir_mode
 
   file { 'trusted_certs':
     ensure  => directory,
     path    => $trusted_cert_dir,
     owner   => 'root',
     group   => $cert_dir_group,
+    mode    => $cert_dir_mode,
     purge   => $purge_unmanaged_CAs,
     recurse => $purge_unmanaged_CAs,
     notify  => Exec['ca_cert_update'],

manifests/params.pp

@@ -5,14 +5,28 @@
       $trusted_cert_dir  = '/usr/local/share/ca-certificates'
       $update_cmd        = 'update-ca-certificates'
       $cert_dir_group    = 'staff'
+      $ca_file_mode      = '0444'
       $ca_file_extension = 'crt'
       $package_name      = 'ca-certificates'
+      case $::operatingsystem {
+        'Ubuntu': {
+          $cert_dir_mode     = '0755'
+        }
+        'Debian': {
+          $cert_dir_mode     = '2665'
+        }
+        default: {
+          fail("Unsupported operatingsystem (${::operatingsystem})")
+        }
+      }
     }
     'RedHat': {
       $trusted_cert_dir    = '/etc/pki/ca-trust/source/anchors'
       $distrusted_cert_dir = '/etc/pki/ca-trust/source/blacklist'
       $update_cmd          = 'update-ca-trust extract'
       $cert_dir_group      = 'root'
+      $cert_dir_mode       = '0555'
+      $ca_file_mode        = '0444'
       $ca_file_extension   = 'crt'
       $package_name        = 'ca-certificates'
     }
@@ -21,6 +35,8 @@
       $distrusted_cert_dir = '/etc/ca-certificates/trust-source/blacklist'
       $update_cmd          = 'trust extract-compat'
       $cert_dir_group      = 'root'
+      $cert_dir_mode       = '0555'
+      $ca_file_mode        = '0444'
       $ca_file_extension   = 'crt'
       $package_name        = 'ca-certificates'
     }
@@ -39,6 +55,8 @@
         $package_name        = 'ca-certificates'
       }
       $cert_dir_group        = 'root'
+      $cert_dir_mode         = '0555'
+      $ca_file_mode          = '0444'
     }
     default: {
       fail("Unsupported osfamily (${::osfamily})")

spec/classes/ca_cert_spec.rb

@@ -11,6 +11,7 @@
     let :facts do
       {
         :osfamily => 'Debian',
+        :operatingsystem => 'Ubuntu',
       }
     end
 

spec/classes/update_spec.rb

@@ -11,6 +11,7 @@
     let :facts do
       {
         :osfamily => 'Debian',
+        :operatingsystem => 'Ubuntu'
       }
     end