Added requireclientcert

jorritfolmer · Jul 15, 2017 · 7cc18d0 · 7cc18d0
1 parent f5f2ff2
commit 7cc18d0
Show file tree

Hide file tree

Showing 13 changed files with 116 additions and 16 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -5,26 +5,35 @@ rvm:
   - 1.9.3
   - 2.0.0
   - 2.1
+  - 2.4
 env:
-  - PUPPET_GEM_VERSION=2.7.14
-  - PUPPET_GEM_VERSION=3.8.5
-  - PUPPET_GEM_VERSION=4.6.2
-  - PUPPET_GEM_VERSION=4.10.4
+  - PUPPET_GEM_VERSION=2.7.14 RSPEC_PUPPET_VERSION=2.5.0
+  - PUPPET_GEM_VERSION=3.8.5 RSPEC_PUPPET_VERSION=2.5.0
+  - PUPPET_GEM_VERSION=4.8.2
+  - PUPPET_GEM_VERSION=5.0.0
 matrix:
   fast_finish: true
 notifications:
   email: false
 matrix:
   exclude:
     - rvm: 1.8.7
-      env: PUPPET_GEM_VERSION=4.6.2
+      env: PUPPET_GEM_VERSION=4.8.2
     - rvm: 1.8.7
-      env: PUPPET_GEM_VERSION=4.10.4
+      env: PUPPET_GEM_VERSION=5.0.0
     - rvm: 1.9.3
-      env: PUPPET_GEM_VERSION=4.10.4
+      env: PUPPET_GEM_VERSION=4.8.2
+    - rvm: 1.9.3
+      env: PUPPET_GEM_VERSION=5.0.0
     - rvm: 2.0.0
-      env: PUPPET_GEM_VERSION=2.7.14
+      env: PUPPET_GEM_VERSION=2.7.14 RSPEC_PUPPET_VERSION=2.5.0
     - rvm: 2.0.0
-      env: PUPPET_GEM_VERSION=4.10.4
+      env: PUPPET_GEM_VERSION=5.0.0
+    - rvm: 2.1
+      env: PUPPET_GEM_VERSION=2.7.14 RSPEC_PUPPET_VERSION=2.5.0
     - rvm: 2.1
-      env: PUPPET_GEM_VERSION=2.7.14
+      env: PUPPET_GEM_VERSION=5.0.0
+    - rvm: 2.4
+      env: PUPPET_GEM_VERSION=2.7.14 RSPEC_PUPPET_VERSION=2.5.0
+    - rvm: 2.4
+      env: PUPPET_GEM_VERSION=3.8.5 RSPEC_PUPPET_VERSION=2.5.0
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,12 @@
+### 3.3.0
+
+- Added requireclientcert
+- Successfully verified compatibility with Puppet 5.0.0 (Ruby 2.4) through Travis
+
+### 3.2.0
+
+- Added support for Windows
+
 ### 3.1.3
 
 - Fixed typo in ds_intermediate parameter (Issue #11)

diff --git a/Gemfile b/Gemfile
@@ -6,6 +6,11 @@ else
   gem 'puppet', '3.7.5' 
 end
 
+if rspecpuppetversion = ENV['RSPEC_PUPPET_VERSION']
+  gem 'rspec-puppet', rspecpuppetversion, :require => false
+else
+  gem 'rspec-puppet', '2.5.0' 
+end
 
 # rspec must be v2 for ruby 1.8.7
 if RUBY_VERSION >= '1.8.7' and RUBY_VERSION < '1.9'

diff --git a/README.md b/README.md
@@ -764,7 +764,7 @@ node 'splunk-idx2.internal.corp.tld',
 
 #### `shclustering`
 
-  Optional. Used to configure Splunk search head clustering. This is a hash with 4 members:
+  Optional. Used to configure Splunk search head clustering. This is a hash with 3 members:
 
   - `mode` (can be one of `searchhead`,`deployer`)
   - `replication_factor`
@@ -800,6 +800,28 @@ node 'splunk-idx2.internal.corp.tld',
   - `ldap_groupnameattribute`
   - `ldap_realnameattribute`
 
+#### `requireClientCert`
+
+  Optional. Used on a server to require clients to present an SSL certificate.
+  Can be an array with:
+
+  - `inputs`: require clients to present a certificate when sending data to Splunk
+  - `splunkd`: require deployment clients and search peers to present a certificate when 
+
+
+  For example require both splunkd and inputs connections to present a certificate:
+
+  ```
+  requireclientcert => ['splunkd','inputs'],
+  ```
+
+  Or only require forwarders to present a certificate when sending data;
+
+  ```
+  requireclientcert => 'inputs',
+  ```
+
+
 #### `rolemap`
 
   Optional. Specifies the role mapping for SAML and LDAP

diff --git a/TEST_COVERAGE.md b/TEST_COVERAGE.md
@@ -6,13 +6,14 @@
 |---------|--------|-------|
 | v3.1.3  |   22   |  40   |
 | v3.2.0  |   23   |  42   |
+| v3.2.0  |   24   |  43   |
 
 ## By operating system:
 
 | os      | tested | total |
 |---------|--------|-------|
-| linux   |   23   |  42   |
-| windows |   0    |  42   |
+| linux   |   24   |  43   |
+| windows |   0    |  43   |
 
 ## By parameter:
 
@@ -42,6 +43,7 @@
 | `phonehomeintervalinsec` | no |
 | `replication_port`| Y |
 | `repositorylocation`| Y |
+| `requireclientcert`| Y |
 | `reuse_puppet_certs`| Y |
 | `rolemap` | no |
 | `searchpeers`| Y |

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -22,6 +22,7 @@
   $sslversions_intermediate   = $splunk::params::sslversions_intermediate,
   $dhparamsize_intermediate   = $splunk::params::dhparamsize_intermediate,
   $ecdhcurvename_intermediate = $splunk::params::ecdhcurvename_intermediate,
+  $requireclientcert          = $splunk::params::requireclientcert,
   $reuse_puppet_certs         = $splunk::params::reuse_puppet_certs,
   $sslcertpath                = $splunk::params::sslcertpath,
   $sslrootcapath              = $splunk::params::sslrootcapath,

diff --git a/manifests/inputs.pp b/manifests/inputs.pp
@@ -4,6 +4,7 @@
   $ciphersuite = $splunk::ciphersuite,
   $sslversions = $splunk::sslversions,
   $ecdhcurvename = $splunk::ecdhcurvename,
+  $requireclientcert = $splunk::requireclientcert,
   $splunk_home = $splunk::splunk_home,
   $splunk_app_precedence_dir = $splunk::splunk_app_precedence_dir,
   $splunk_app_replace = $splunk::splunk_app_replace,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -20,6 +20,7 @@
   $ciphersuite_intermediate = 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
   $dhparamsize_intermediate = 2048
   $ecdhcurvename_intermediate = 'secp384r1'
+  $requireclientcert = undef
   $reuse_puppet_certs = true
   $sslcertpath   = 'certs/s2s.pem'
   $sslrootcapath = 'certs/ca.crt'

diff --git a/manifests/server/ssl.pp b/manifests/server/ssl.pp
@@ -8,6 +8,7 @@
   $ciphersuite = $splunk::ciphersuite,
   $sslversions = $splunk::sslversions,
   $ecdhcurvename = $splunk::ecdhcurvename,
+  $requireclientcert = $splunk::requireclientcert,
   $splunk_app_precedence_dir = $splunk::splunk_app_precedence_dir,
   $splunk_app_replace = $splunk::splunk_app_replace,
   $splunk_home = $splunk::splunk_home,

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "jorritfolmer-splunk",
-  "version": "3.2.0",
+  "version": "3.3.0",
   "author": "Jorrit Folmer",
   "summary": "Deploy Splunk indexers, search heads and universal forwarders into any imaginable topology, distributed or (multisite) clustered.",
   "license": "MIT",
@@ -34,7 +34,7 @@
   ],
   "requirements": [
     {
-      "version_requirement": ">= 2.7.14 < 5.0.0",
+      "version_requirement": ">= 2.7.14 < 6.0.0",
       "name": "puppet"
     }
   ],

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -56,6 +56,7 @@
     it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_outputs/local/outputs.conf').with_content(/useACK = true/) }
   end
 
+
   context 'with tcpout as string and revert to default splunk cert instead of puppet cert reuse' do
     let(:params) { 
       {
@@ -203,6 +204,45 @@
     it { should contain_file('/opt/splunk/etc/apps/puppet_common_kvstore_disabled/local/server.conf').with_content(/disabled = true/) }
   end
 
+  context 'with requireclientcert inputs ' do
+    let(:params) { 
+      {
+        :inputport => 9997,
+        :requireclientcert => 'inputs',
+        :admin => { 'hash' => 'zzzz', 'fn' => 'yyyy', 'email' => 'wwww', },
+      }
+    }
+    it { should contain_class('splunk::installed') }
+    it { should contain_package('splunk') }
+    it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_inputs/local/inputs.conf').with_content(/requireClientCert = true/) }
+  end
+
+  context 'with requireclientcert splunkd ' do
+    let(:params) { 
+      {
+        :requireclientcert => 'splunkd',
+        :admin => { 'hash' => 'zzzz', 'fn' => 'yyyy', 'email' => 'wwww', },
+      }
+    }
+    it { should contain_class('splunk::installed') }
+    it { should contain_package('splunk') }
+    it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_base/local/server.conf').with_content(/requireClientCert = true/) }
+  end
+
+  context 'with requireclientcert splunkd and inputs' do
+    let(:params) { 
+      {
+        :inputport => 9997,
+        :requireclientcert => ['splunkd','inputs'],
+        :admin => { 'hash' => 'zzzz', 'fn' => 'yyyy', 'email' => 'wwww', },
+      }
+    }
+    it { should contain_class('splunk::installed') }
+    it { should contain_package('splunk') }
+    it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_base/local/server.conf').with_content(/requireClientCert = true/) }
+    it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_inputs/local/inputs.conf').with_content(/requireClientCert = true/) }
+  end
+
   context 'with saml auth' do
     let(:params) { 
       {

diff --git a/templates/puppet_common_ssl_base/local/server.conf b/templates/puppet_common_ssl_base/local/server.conf
@@ -12,3 +12,8 @@ enableSplunkdSSL=true
 <% if @ecdhcurvename != nil %>
 ecdhCurveName = <%= @ecdhcurvename %>
 <% end %>
+<% if @requireclientcert != nil %>
+<% if @requireclientcert.include? 'splunkd' %>
+requireClientCert = true
+<% end %>
+<% end %>
diff --git a/templates/puppet_common_ssl_inputs/local/inputs.conf b/templates/puppet_common_ssl_inputs/local/inputs.conf
@@ -21,4 +21,8 @@ ecdhCurveName = <%= @ecdhcurvename %>
 # moved to server.conf/[sslConfig]/
 serverCert = <%= @splunk_home %>/etc/auth/<%= @sslcertpath %>
 sslVersions = <%= @sslversions %>
-
+<% if @requireclientcert != nil %>
+<% if @requireclientcert.include? 'inputs' %>
+requireClientCert = true
+<% end %>
+<% end %>