Added easyrsa DN mode

jkroepke · jkroepke · commit 34e99e269a4e · 2022-04-22T13:55:32.000+02:00
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -237,6 +237,7 @@ openvpn::ca {
 
 The following parameters are available in the `openvpn::ca` defined type:
 
+* [`dn_mode`](#dn_mode)
 * [`country`](#country)
 * [`province`](#province)
 * [`city`](#city)
@@ -257,6 +258,14 @@ The following parameters are available in the `openvpn::ca` defined type:
 * [`tls_static_key`](#tls_static_key)
 * [`crl_days`](#crl_days)
 
+##### <a name="dn_mode"></a>`dn_mode`
+
+Data type: `Enum['org','cn_only']`
+
+EasyRSA X509 DN mode.
+
+Default value: `'org'`
+
 ##### <a name="country"></a>`country`
 
 Data type: `Optional[String]`
@@ -933,6 +942,7 @@ openvpn::server { 'zurich':
 
 The following parameters are available in the `openvpn::server` defined type:
 
+* [`dn_mode`](#dn_mode)
 * [`country`](#country)
 * [`province`](#province)
 * [`city`](#city)
@@ -1039,6 +1049,14 @@ The following parameters are available in the `openvpn::server` defined type:
 * [`custom_options`](#custom_options)
 * [`fragment`](#fragment)
 
+##### <a name="dn_mode"></a>`dn_mode`
+
+Data type: `Enum['org','cn_only']`
+
+EasyRSA X509 DN mode.
+
+Default value: `'org'`
+
 ##### <a name="country"></a>`country`
 
 Data type: `Optional[String[1]]`
diff --git a/manifests/ca.pp b/manifests/ca.pp
@@ -1,5 +1,6 @@
 # @summary This define creates the openvpn ca and ssl certificates
 #
+# @param dn_mode EasyRSA X509 DN mode.
 # @param country Country to be used for the SSL certificate
 # @param province Province to be used for the SSL certificate
 # @param city City to be used for the SSL certificate
@@ -26,6 +27,7 @@
 #    }
 #
 define openvpn::ca (
+  Enum['org','cn_only'] $dn_mode                                 = 'org',
   Optional[String] $country                                      = undef,
   Optional[String] $province                                     = undef,
   Optional[String] $city                                         = undef,
@@ -152,6 +154,7 @@
             'ca_expire'        => $ca_expire,
             'key_expire'       => $key_expire,
             'crl_days'         => $crl_days,
+            'dn_mode'          => $dn_mode,
             'digest'           => $digest,
             'country'          => $country,
             'province'         => $province,
@@ -173,12 +176,18 @@
         }
       }
 
+      $_initca_environment = $dn_mode ? {
+        'cn_only' => ["EASYRSA_REQ_CN=${common_name} CA"],
+        default   => [],
+      }
+
       exec { "initca ${name}":
-        command  => './easyrsa --batch init-pki && ./easyrsa --batch build-ca nopass',
-        cwd      => "${server_directory}/${name}/easy-rsa",
-        creates  => "${server_directory}/${name}/easy-rsa/keys/ca.crt",
-        provider => 'shell',
-        require  => File["${server_directory}/${name}/easy-rsa/vars"],
+        command     => './easyrsa --batch init-pki && ./easyrsa --batch build-ca nopass',
+        cwd         => "${server_directory}/${name}/easy-rsa",
+        creates     => "${server_directory}/${name}/easy-rsa/keys/ca.crt",
+        environment => $_initca_environment,
+        provider    => 'shell',
+        require     => File["${server_directory}/${name}/easy-rsa/vars"],
       }
 
       if ($ssl_key_algo == 'rsa') {
@@ -193,7 +202,7 @@
       }
 
       exec { "generate server cert ${name}":
-        command  => "./easyrsa build-server-full ${common_name} nopass",
+        command  => "./easyrsa build-server-full '${common_name}' nopass",
         cwd      => "${server_directory}/${name}/easy-rsa",
         creates  => "${server_directory}/${name}/easy-rsa/keys/private/${common_name}.key",
         provider => 'shell',
@@ -206,13 +215,17 @@
       }
 
       exec { "create crl.pem on ${name}":
-        command  => ". ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out ${server_directory}/${name}/crl.pem -config ${server_directory}/${name}/easy-rsa/openssl.cnf",
+        command  => './easyrsa gen-crl',
         cwd      => "${server_directory}/${name}/easy-rsa",
-        creates  => "${server_directory}/${name}/crl.pem",
-        group    => $group_to_set,
+        creates  => "${server_directory}/${name}/easy-rsa/keys/crl.pem",
         provider => 'shell',
         require  => Exec["generate server cert ${name}"],
       }
+      -> exec { "copy created crl.pem to ${name} keys directory":
+        command  => "cp ${server_directory}/${name}/easy-rsa/keys/crl.pem ${server_directory}/${name}/crl.pem",
+        creates  => "${server_directory}/${name}/crl.pem",
+        provider => 'shell',
+      }
     }
     default: {
       fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.")
@@ -244,10 +257,4 @@
       require  => Exec["generate server cert ${name}"],
     }
   }
-
-  file { "${server_directory}/${name}/easy-rsa/keys/crl.pem":
-    ensure  => link,
-    target  => "${server_directory}/${name}/crl.pem",
-    require => Exec["create crl.pem on ${name}"],
-  }
 }
diff --git a/manifests/revoke.pp b/manifests/revoke.pp
@@ -31,7 +31,7 @@
 
   $renew_command = $openvpn::easyrsa_version ? {
     '2.0'   => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out ${server_directory}/${server}/crl.pem -config ${server_directory}/${server}/easy-rsa/openssl.cnf",
-    '3.0'   => ". ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out ${server_directory}/${server}/crl.pem -config ${server_directory}/${server}/easy-rsa/openssl.cnf",
+    '3.0'   => './easyrsa gen-crl',
     default => fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0."),
   }
 
@@ -54,4 +54,13 @@
     provider    => 'shell',
     refreshonly => true,
   }
+
+  if ($openvpn::easyrsa_version == '3.0') {
+    exec { "copy renewed crl.pem to ${name} keys directory because of revocation of ${name}":
+      command     => "cp ${server_directory}/${server}/easy-rsa/keys/crl.pem ${server_directory}/${server}/crl.pem",
+      subscribe   => Exec["renew crl.pem on ${server} because of revocation of ${name}"],
+      provider    => 'shell',
+      refreshonly => true,
+    }
+  }
 }
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -1,6 +1,7 @@
 #
 # @summary This define creates the openvpn server instance which can run in server or client mode.
 #
+# @param dn_mode EasyRSA X509 DN mode.
 # @param country Country to be used for the SSL certificate, mandatory for server mode.
 # @param province Province to be used for the SSL certificate, mandatory for server mode.
 # @param city City to be used for the SSL certificate, mandatory for server mode.
@@ -146,6 +147,7 @@
 #   }
 #
 define openvpn::server (
+  Enum['org','cn_only'] $dn_mode                                    = 'org',
   Optional[String[1]] $country                                      = undef,
   Optional[String[1]] $province                                     = undef,
   Optional[String[1]] $city                                         = undef,
@@ -351,21 +353,24 @@
 
   if !$remote {
     if !$shared_ca and !$extca_enabled {
-      # VPN Server Mode
-      if $country == undef {
-        fail('country has to be specified in server mode')
-      }
-      if $province == undef {
-        fail('province has to be specified in server mode')
-      }
-      if $city == undef { fail('city has to be specified in server mode') }
-      if $organization == undef {
-        fail('organization has to be specified in server mode')
+      if $dn_mode == 'org' or $openvpn::easyrsa_version == '2.0' {
+        # VPN Server Mode
+        if $country == undef {
+          fail('country has to be specified in server mode')
+        }
+        if $province == undef {
+          fail('province has to be specified in server mode')
+        }
+        if $city == undef { fail('city has to be specified in server mode') }
+        if $organization == undef {
+          fail('organization has to be specified in server mode')
+        }
+        if $email == undef { fail('email has to be specified in server mode') }
       }
-      if $email == undef { fail('email has to be specified in server mode') }
 
       $ca_common_name = $common_name
       ::openvpn::ca { $name:
+        dn_mode        => $dn_mode,
         country        => $country,
         province       => $province,
         city           => $city,
@@ -404,11 +409,16 @@
           }
           '3.0': {
             exec { "renew crl.pem on ${name}":
-              command  => ". ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out ${server_directory}/${name}/crl.pem -config ${server_directory}/${name}/easy-rsa/openssl.cnf",
+              command  => "./easyrsa gen-crl && cp ./keys/crl.pem ${server_directory}/${server}/crl.pem",
               cwd      => "${server_directory}/${name}/easy-rsa",
               provider => 'shell',
               schedule => "renew crl.pem schedule on ${name}",
             }
+            ~> exec { "copy renewed crl.pem to ${name} keys directory":
+              command     => "cp ${server_directory}/${name}/easy-rsa/keys/crl.pem ${server_directory}/${name}/crl.pem",
+              refreshonly => true,
+              provider    => 'shell',
+            }
           }
           default: {
             fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.")
diff --git a/spec/acceptance/openvpn_spec.rb b/spec/acceptance/openvpn_spec.rb
@@ -195,7 +195,7 @@
 if easy_rsa_version == '3.0'
   describe 'server defined type w/ easy-rsa 3.0' do
     dev = 'tun1'
-    server_name = 'test_openvpn_server_ec'
+    server_name = 'test_openvpn_server_ec_dn_mode'
     port = 1195
     management_port = 7506
 
@@ -204,11 +204,7 @@
         pp = %(
         openvpn::server { '#{server_name}':
           dev             => '#{dev}',
-          country         => 'CO',
-          province        => 'ST',
-          city            => 'A city',
-          organization    => 'FOO',
-          email           => 'bar@foo.org',
+          dn_mode         => 'cn_only',
           ssl_key_algo    => 'ec',
           ssl_key_curve   => 'secp521r1',
           ecdh_curve      => 'secp521r1',
@@ -229,11 +225,7 @@
         pp = %(
         openvpn::server { '#{server_name}':
           dev             => '#{dev}',
-          country         => 'CO',
-          province        => 'ST',
-          city            => 'A city',
-          organization    => 'FOO',
-          email           => 'bar@foo.org',
+          dn_mode         => 'cn_only',
           ssl_key_algo    => 'ec',
           ssl_key_curve   => 'secp521r1',
           ecdh_curve      => 'secp521r1',
@@ -262,11 +254,7 @@
         pp = %(
         openvpn::server { '#{server_name}':
           dev             => '#{dev}',
-          country         => 'CO',
-          province        => 'ST',
-          city            => 'A city',
-          organization    => 'FOO',
-          email           => 'bar@foo.org',
+          dn_mode         => 'cn_only',
           ssl_key_algo    => 'ec',
           ssl_key_curve   => 'secp521r1',
           ecdh_curve      => 'secp521r1',
@@ -308,6 +296,7 @@
         it { is_expected.to contain 'export EASYRSA_ALGO=ec' }
         it { is_expected.to contain 'export EASYRSA_CURVE=secp521r1' }
         it { is_expected.to contain 'export EASYRSA_DIGEST=sha256' }
+        it { is_expected.to contain 'export EASYRSA_DN="cn_only"' }
       end
 
       describe file(server_crt.to_s), :crtFile do
@@ -334,7 +323,7 @@
 
       describe file("#{server_directory}/#{server_name}/easy-rsa/keys/issued/#{server_name}-vpnclienta.crt") do
         it { is_expected.to be_file }
-        it { is_expected.to contain 'Issuer: C=CO, ST=ST, L=A city, O=FOO, ' }
+        it { is_expected.to contain 'Issuer: CN=openvpn-server CA' }
       end
 
       describe file("#{server_directory}/#{server_name}/easy-rsa/keys/index.txt") do
diff --git a/spec/defines/openvpn_ca_spec.rb b/spec/defines/openvpn_ca_spec.rb
@@ -42,11 +42,6 @@
 
           it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with(mode: '0550') }
 
-          it {
-            is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/keys/crl.pem").
-              with(ensure: 'link', target: "#{server_directory}/test_server/crl.pem")
-          }
-
           it {
             is_expected.to contain_file("#{server_directory}/test_server/keys").
               with(ensure: 'link', target: "#{server_directory}/test_server/easy-rsa/keys")
@@ -69,6 +64,7 @@
         context 'creating a ca setting all parameters' do
           let(:params) do
             {
+              'dn_mode' => 'cn_only',
               'country' => 'CO',
               'province' => 'ST',
               'city' => 'Some City',
@@ -86,6 +82,7 @@
             }
           end
 
+          it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_DN="cn_only"$}) }
           it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_CA_EXPIRE=365$}) }
           it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_CERT_EXPIRE=365$}) }
           it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_REQ_CN="yolo"$}) }
@@ -112,11 +109,6 @@
 
           it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with(mode: '0550') }
 
-          it {
-            is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/keys/crl.pem").
-              with(ensure: 'link', target: "#{server_directory}/test_server/crl.pem")
-          }
-
           it {
             is_expected.to contain_file("#{server_directory}/test_server/keys").
               with(ensure: 'link', target: "#{server_directory}/test_server/easy-rsa/keys")
@@ -152,6 +144,7 @@
         context 'creating a ca setting all parameters' do
           let(:params) do
             {
+              'dn_mode' => 'cn_only',
               'country' => 'CO',
               'province' => 'ST',
               'city' => 'Some City',
@@ -169,6 +162,7 @@
           end
 
           if facts[:os]['release']['major'] =~ %r{10|11|20.04}
+            it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_DN="cn_only"$}) }
             it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_CA_EXPIRE=365$}) }
             it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_CERT_EXPIRE=365$}) }
             it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_REQ_CN="yolo"$}) }
diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb
@@ -974,6 +974,18 @@
           it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dh\s+#{server_directory}/test_server/keys/dh.pem$}) }
         end
 
+        context 'creating a server in dn_mode cn_only' do
+          let(:params) do
+            {
+              'dn_mode' => 'cn_only',
+            }
+          end
+
+          it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^cert\s+#{server_directory}/test_server/keys/issued/server.crt$}) }
+          it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^key\s+#{server_directory}/test_server/keys/private/server.key$}) }
+          it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dh\s+#{server_directory}/test_server/keys/dh.pem$}) }
+        end
+
         context 'creating a server in client mode' do
           let(:title) { 'test_client' }
           let(:nobind) { false }
diff --git a/templates/vars-30.epp b/templates/vars-30.epp
@@ -81,16 +81,26 @@ export EASYRSA_CRL_DAYS=<%= $crl_days %>
 
 export EASYRSA_DIGEST=<%= $digest %>
 
-export EASYRSA_DN="org"
+export EASYRSA_DN="<%= $dn_mode %>"
 
 # These are the default values for fields
 # which will be placed in the certificate.
 # Don't leave any of these fields blank.
+<% if $country { -%>
 export EASYRSA_REQ_COUNTRY="<%= $country %>"
+<% } -%>
+<% if $province { -%>
 export EASYRSA_REQ_PROVINCE="<%= $province %>"
+<% } -%>
+<% if $city { -%>
 export EASYRSA_REQ_CITY="<%= $city %>"
+<% } -%>
+<% if $organization { -%>
 export EASYRSA_REQ_ORG="<%= $organization %>"
+<% } -%>
+<% if $email { -%>
 export EASYRSA_REQ_EMAIL="<%= $email %>"
+<% } -%>
 <% if $key_cn { -%>
 export EASYRSA_REQ_CN="<%= $key_cn %>"
 <% } -%>
