diff --git a/manifests/ca.pp b/manifests/ca.pp
index 8d41ef0..c56618e 100644
--- a/manifests/ca.pp
+++ b/manifests/ca.pp
@@ -22,6 +22,10 @@
 # source. (defaults to true)
 # [*checksum*]
 # The md5sum of the file. (defaults to undef)
+# [*ca_file_mode*]
+# The installed CA certificate's POSIX filesystem permissions. This uses
+# the same syntax as Puppet's native file resource's "mode" parameter.
+# (defaults to '0444', i.e. world-readable)
 #
 # === Examples
 #
@@ -35,6 +39,7 @@
 $ensure = 'trusted',
 $verify_https_cert = true,
 $checksum = undef,
+ $ca_file_mode = $ca_cert::params::ca_file_mode,
 ) {
 include ::ca_cert::params
@@ -91,6 +96,7 @@
 path => $ca_cert,
 owner => 'root',
 group => 'root',
+ mode => $ca_file_mode,
 require => Package[$ca_cert::params::package_name],
 notify => Class['::ca_cert::update'],
 }
@@ -114,6 +120,7 @@
 path => $ca_cert,
 owner => 'root',
 group => 'root',
+ mode => $ca_file_mode,
 require => Package[$ca_cert::params::package_name],
 notify => Class['::ca_cert::update'],
 }
@@ -125,6 +132,7 @@
 path => $ca_cert,
 owner => 'root',
 group => 'root',
+ mode => $ca_file_mode,
 require => Package[$ca_cert::params::package_name],
 notify => Class['::ca_cert::update'],
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index c376537..47af1da 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -58,13 +58,15 @@
 }
 $trusted_cert_dir = $ca_cert::params::trusted_cert_dir
- $cert_dir_group = $ca_cert::params::cert_dir_group
+ $cert_dir_group = $ca_cert::params::cert_dir_group
+ $cert_dir_mode = $ca_cert::params::cert_dir_mode
 file { 'trusted_certs':
 ensure => directory,
 path => $trusted_cert_dir,
 owner => 'root',
 group => $cert_dir_group,
+ mode => $cert_dir_mode,
 purge => $purge_unmanaged_CAs,
 recurse => $purge_unmanaged_CAs,
 notify => Exec['ca_cert_update'],
diff --git a/manifests/params.pp b/manifests/params.pp
index 9bab99a..c857be9 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
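Review bot: The added doc line `# (defaults to '0444', i.e. world-readable)` documents a literal default, while the parameter added in the next hunk actually defaults to `$ca_cert::params::ca_file_mode`; the two agree today only because every osfamily branch in params.pp sets '0444', and the comment will go stale silently if one branch changes. Consider `# (defaults to $ca_cert::params::ca_file_mode, which is '0444', i.e. world-readable, on every supported platform)`. The header this comment block documents starts outside the hunk.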
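Review bot: The new default `$ca_file_mode = $ca_cert::params::ca_file_mode,` is bound when the parameter list is evaluated, which happens before the `include ::ca_cert::params` two lines below; if this defined type is declared before class `ca_cert::params` has been evaluated (the in-body include suggests that ordering is not guaranteed), the lookup yields undef, or a compile error under strict_variables, and the three `mode => $ca_file_mode,` lines in the following hunks then leave the installed certificate's permissions unmanaged instead of read-only. One way to keep the interface is to default the parameter to `undef` and resolve it after the include: `$_ca_file_mode = $ca_file_mode ? { undef => $ca_cert::params::ca_file_mode, default => $ca_file_mode }`, then use `$_ca_file_mode` in the three file resources. The defined type's header is outside the hunk, so whether it already carries an ordering guarantee cannot be checked here.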
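Review bot: `$cert_dir_mode` is read straight from `$ca_cert::params::cert_dir_mode` as a local variable rather than exposed as a class parameter, unlike the `$ca_file_mode` parameter this commit adds to `ca_cert::ca`, so an operator who needs a different mode on the trust-anchor directory (for instance a stricter one than the group-writable Debian value in params.pp) has no supported override. For consistency, add a class parameter `$cert_dir_mode = $ca_cert::params::cert_dir_mode,` documented like `ca_file_mode` and drop the local assignment; the `-`/`+` pair on `$cert_dir_group` changes only alignment and need not be touched. The class header is outside the hunk, so whether it inherits `ca_cert::params` (which such a default would rely on) could not be confirmed.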
@@ -5,14 +5,28 @@
 $trusted_cert_dir = '/usr/local/share/ca-certificates'
 $update_cmd = 'update-ca-certificates'
 $cert_dir_group = 'staff'
+ $ca_file_mode = '0444'
 $ca_file_extension = 'crt'
 $package_name = 'ca-certificates'
+ case $::operatingsystem {
+ 'Ubuntu': {
+ $cert_dir_mode = '0755'
+ }
+ 'Debian': {
+ $cert_dir_mode = '2665'
+ }
+ default: {
+ fail("Unsupported operatingsystem (${::operatingsystem})")
+ }
+ }
 }
 'RedHat': {
 $trusted_cert_dir = '/etc/pki/ca-trust/source/anchors'
 $distrusted_cert_dir = '/etc/pki/ca-trust/source/blacklist'
 $update_cmd = 'update-ca-trust extract'
 $cert_dir_group = 'root'
+ $cert_dir_mode = '0555'
+ $ca_file_mode = '0444'
 $ca_file_extension = 'crt'
 $package_name = 'ca-certificates'
 }
@@ -21,6 +35,8 @@
 $distrusted_cert_dir = '/etc/ca-certificates/trust-source/blacklist'
 $update_cmd = 'trust extract-compat'
 $cert_dir_group = 'root'
+ $cert_dir_mode = '0555'
+ $ca_file_mode = '0444'
 $ca_file_extension = 'crt'
 $package_name = 'ca-certificates'
 }
@@ -39,6 +55,8 @@
 $package_name = 'ca-certificates'
 }
 $cert_dir_group = 'root'
+ $cert_dir_mode = '0555'
+ $ca_file_mode = '0444'
 }
 default: {
 fail("Unsupported osfamily (${::osfamily})")
diff --git a/spec/classes/ca_cert_spec.rb b/spec/classes/ca_cert_spec.rb
index 20bb3a0..eff7d21 100644
--- a/spec/classes/ca_cert_spec.rb
+++ b/spec/classes/ca_cert_spec.rb
@@ -11,6 +11,7 @@
 let :facts do
 {
 :osfamily => 'Debian',
+ :operatingsystem => 'Ubuntu',
 }
 end
diff --git a/spec/classes/update_spec.rb b/spec/classes/update_spec.rb
index 49b5c79..26dc47f 100644
--- a/spec/classes/update_spec.rb
+++ b/spec/classes/update_spec.rb
@@ -11,6 +11,7 @@
 let :facts do
 {
 :osfamily => 'Debian',
+ :operatingsystem => 'Ubuntu'
 }
 end
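Review bot: `$cert_dir_mode = '2665'` in the new `'Debian'` branch sets setgid and grants owner and group read/write but withholds the search (execute) bit from both while giving it to others; on a directory that means non-root members of `staff` (the `$cert_dir_group` set a few lines above) cannot enter it at all, so the group-write bit is ineffective, and the value looks like a slip rather than a policy. If the intent is to mirror Debian's default for `/usr/local` subtrees, `'2775'` is presumably what was meant, and that choice deserves a comment in the manifest: group write on the trusted-CA source directory lets any `staff` member place a certificate that `update-ca-certificates` then installs as a system-wide trust anchor, a deliberately wider surface than the `'0755'` chosen for Ubuntu. Separately, the `default: { fail(...) }` branch turns every other Debian-family `operatingsystem` value (derivatives that compiled before this commit) into a catalog failure; falling back to a Debian-like mode in `default:` instead of failing would avoid that regression. The enclosing osfamily `case` starts and ends outside the hunk.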
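Review bot: `$ca_file_mode = '0444'` is assigned with the identical value in every branch of the osfamily `case` (the preceding Debian/RedHat hunk, this hunk and the next one), so its per-platform placement implies a difference that does not exist. Hoisting a single `$ca_file_mode = '0444'` above the `case` keeps one source of truth and makes it obvious that only `$cert_dir_mode` is platform-specific. The enclosing `case` statement starts and ends outside the hunk.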
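Review bot: The spec only gains `:operatingsystem => 'Ubuntu',`, so neither the new `'Debian'` branch (mode '2665') nor the `fail` default introduced in params.pp is exercised; the same applies to the update_spec.rb hunk. Add a context with `:operatingsystem => 'Debian'` asserting `contain_file('trusted_certs').with_mode('2665')`, and one with an unrecognised value expecting compilation to fail with /Unsupported operatingsystem/, so that a later change to the permissions of the system trust-anchor directory is caught by CI. The enclosing `describe` block is outside the hunk.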