Only output ldap_tls_client_cert_file and ldap_tls_client_key_file when set

TLSCertFile and TLSKeyFile are not always required, especially if no
client certificates are used (also see the docs linked below). If they
are set to empty values, the plugin throws an exception/parser error.
Thus, only put them in the config file when they are actually used.

References:
https://github.com/threerings/openvpn-auth-ldap/wiki/Configuration

Signed-off-by: Florian Pritz <[email protected]>

Author: Bluewind

manifests/server.pp

@@ -175,8 +175,8 @@
   Boolean $ldap_tls_enable                                          = false,
   String $ldap_tls_ca_cert_file                                     = '',
   String $ldap_tls_ca_cert_dir                                      = '',
-  String $ldap_tls_client_cert_file                                 = '',
-  String $ldap_tls_client_key_file                                  = '',
+  Optional[Stdlib::Absolutepath] $ldap_tls_client_cert_file         = undef,
+  Optional[Stdlib::Absolutepath] $ldap_tls_client_key_file          = undef,
   Integer $ca_expire                                                = 3650,
   Integer $key_expire                                               = 3650,
   String $key_cn                                                    = '',

spec/defines/openvpn_server_spec.rb

@@ -233,6 +233,62 @@
         end
       end
 
+      case facts[:os]['family']
+      when 'Debian'
+        # ldap auth needs the ldap package and that is only defined for a few OSes (including debian)
+        context 'debian' do
+          context 'creating a server with ldap authentication enabled' do
+            let(:params) do
+              {
+                'country'               => 'CO',
+                'province'              => 'ST',
+                'city'                  => 'Some City',
+                'organization'          => 'example.org',
+                'email'                 => '[email protected]',
+                'ldap_enabled'          => true,
+                'ldap_binddn'           => 'dn=foo,ou=foo,ou=com',
+                'ldap_bindpass'         => 'ldappass123',
+                'ldap_tls_enable'       => true,
+                'ldap_tls_ca_cert_file' => '/etc/ldap/ca.pem',
+                'ldap_tls_ca_cert_dir'  => '/etc/ldap/certs'
+              }
+            end
+
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSEnable\s+yes$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCACertFile\s+/etc/ldap/ca.pem$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCACertDir\s+/etc/ldap/certs$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').without_content(%r{^\s+TLSCertFile.*$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').without_content(%r{^\s+TLSKeyFile.*$}) }
+          end
+
+          context 'creating a server with ldap authentication enabled and using ldap client certificates' do
+            let(:params) do
+              {
+                'country'                   => 'CO',
+                'province'                  => 'ST',
+                'city'                      => 'Some City',
+                'organization'              => 'example.org',
+                'email'                     => '[email protected]',
+                'ldap_enabled'              => true,
+                'ldap_binddn'               => 'dn=foo,ou=foo,ou=com',
+                'ldap_bindpass'             => 'ldappass123',
+                'ldap_tls_enable'           => true,
+                'ldap_tls_ca_cert_file'     => '/etc/ldap/ca.pem',
+                'ldap_tls_ca_cert_dir'      => '/etc/ldap/certs',
+                'ldap_tls_client_cert_file' => '/etc/ldap/client-cert.pem',
+                'ldap_tls_client_key_file'  => '/etc/ldap/client-key.pem'
+              }
+            end
+
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSEnable\s+yes$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCACertFile\s+/etc/ldap/ca.pem$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCACertDir\s+/etc/ldap/certs$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCertFile\s+/etc/ldap/client-cert.pem$}) }
+            it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSKeyFile\s+/etc/ldap/client-key.pem$}) }
+          end
+        end
+      end
+
       context 'creating a server setting all parameters' do
         let(:params) do
           {

templates/ldap.erb

@@ -11,8 +11,10 @@
   TLSEnable yes
   TLSCACertFile <%= @ldap_tls_ca_cert_file %>
   TLSCACertDir <%= @ldap_tls_ca_cert_dir %>
+<% if @ldap_tls_client_cert_file or @ldap_tls_client_key_file -%>
   TLSCertFile <%= @ldap_tls_client_cert_file %>
   TLSKeyFile <%= @ldap_tls_client_key_file %>
+<% end -%>
 <% else %>
   TLSEnable no
 <% end -%>