add possibility to manage permissions for x509_cert

trefzer · trefzer · commit 1ccd6e6cfb61 · 2025-02-07T17:56:38.000+01:00
diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb
@@ -1,7 +1,11 @@
 # frozen_string_literal: true
 
 require 'pathname'
-Puppet::Type.type(:x509_cert).provide(:openssl) do
+require File.join(File.dirname(__FILE__), '..', '..', '..', 'puppet/provider/openssl')
+Puppet::Type.type(:x509_cert).provide(
+  :openssl,
+  parent: Puppet::Provider::Openssl,
+) do
   desc 'Manages certificates with OpenSSL'
 
   commands openssl: 'openssl'
@@ -103,6 +107,7 @@ def create
     # openssl(options) doesn't work because it's impossible to pass an env
     # https://github.com/puppetlabs/puppet/issues/9493
     execute([command('openssl')] + options, { failonfail: true, combine: true, custom_environment: env })
+    set_file_perm(resource[:path], resource[:owner], resource[:group], resource[:mode])
   end
 
   def destroy
diff --git a/lib/puppet/type/x509_cert.rb b/lib/puppet/type/x509_cert.rb
@@ -76,6 +76,33 @@
     desc 'The optional CA key password'
   end
 
+  newproperty(:owner) do
+    desc 'owner of the file'
+    validate do |value|
+      unless value =~ %r{^\w+}
+        raise ArgumentError, '%s is not a valid user name' % value
+      end
+    end
+  end
+
+  newproperty(:group) do
+    desc 'group of the file'
+    validate do |value|
+      unless value =~ %r{^\w+}
+        raise ArgumentError, '%s is not a valid group name' % value
+      end
+    end
+  end
+
+  newproperty(:mode) do
+    desc 'mode of the file'
+    validate do |value|
+      unless value =~ %r{^0\d\d\d$}
+        raise ArgumentError, '%s is not a valid file mode' % value
+      end
+    end
+  end
+
   autorequire(:file) do
     self[:template]
   end
diff --git a/spec/unit/puppet/type/x509_cert_spec.rb b/spec/unit/puppet/type/x509_cert_spec.rb
@@ -69,4 +69,20 @@
     resource[:csr] = '/tmp/foo.csr'
     expect(resource[:csr]).to eq('/tmp/foo.csr')
   end
+
+  it 'accepts mode' do
+    resource[:mode] = '0700'
+    expect(resource[:mode]).to eq('0700')
+  end
+
+  it 'accepts owner' do
+    resource[:owner] = 'someone'
+    expect(resource[:owner]).to eq('someone')
+  end
+
+  it 'accepts group' do
+    resource[:group] = 'party'
+    expect(resource[:group]).to eq('party')
+  end
+
 end
