Revert "Send passwords via environment variables"

This broke several things and needs some fixes. This reverts commit 25df787.
ekohl · Sep 30, 2024 · 41513a9 · 41513a9
1 parent a38c6ad
commit 41513a9
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 58 deletions.
diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb
@@ -57,8 +57,6 @@ def exists?
   end
 
   def create
-    env = {}
-
     if resource[:csr]
       options = [
         'x509',
@@ -94,12 +92,9 @@ def create
 
     password = resource[:cakey_password] || resource[:password]
 
-    if password
-      options << ['-passin', 'env:CERTIFICATE_PASSIN']
-      env['CERTIFICATE_PASSIN'] = password
-    end
+    options << ['-passin', "pass:#{password}"] if password
     options << ['-extensions', 'v3_req'] if resource[:req_ext] != :false
-    openssl options, environment: env
+    openssl options
   end
 
   def destroy

diff --git a/lib/puppet/provider/x509_request/openssl.rb b/lib/puppet/provider/x509_request/openssl.rb
@@ -28,21 +28,17 @@ def exists?
   end
 
   def create
-    env = {}
     options = [
       'req', '-new',
       '-key', resource[:private_key],
       '-config', resource[:template],
       '-out', resource[:path]
     ]
 
-    if resource[:password]
-      options << ['-passin', 'env:CERTIFICATE_PASSIN']
-      env['CERTIFICATE_PASSIN'] = resource[:password]
-    end
+    options << ['-passin', "pass:#{resource[:password]}"] if resource[:password]
     options << ['-nodes'] unless resource[:encrypted]
 
-    openssl options, environment: env
+    openssl options
   end
 
   def destroy

diff --git a/manifests/export/pem_cert.pp b/manifests/export/pem_cert.pp
@@ -44,12 +44,9 @@
     $in_cert    = $pfx_cert
   }
 
-  if $in_pass {
-    $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
-    $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
-  } else {
-    $passin_opt = []
-    $passin_env = []
+  $passin_opt = $in_pass ? {
+    undef   => [],
+    default => ['-nokeys', '-passin', "pass:${in_pass}"],
   }
 
   if $ensure == 'present' {
@@ -65,10 +62,9 @@
     }
 
     exec { "Export ${in_cert} to ${pem_cert}":
-      command     => $cmd,
-      environment => $passin_env
-      path        => $facts['path'],
-      *           => $exec_params,
+      command => $cmd,
+      path    => $facts['path'],
+      *       => $exec_params,
     }
   } else {
     file { $pem_cert:

diff --git a/manifests/export/pem_key.pp b/manifests/export/pem_key.pp
@@ -25,20 +25,14 @@
   Optional[String]           $out_pass  = undef,
 ) {
   if $ensure == 'present' {
-    if $in_pass {
-      $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
-      $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
-    } else {
-      $passin_opt = []
-      $passin_env = []
+    $passin_opt = $in_pass ? {
+      undef   => [],
+      default => ['-passin', "pass:${in_pass}"],
     }
 
-    if $out_pass {
-      $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
-      $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
-    } else {
-      $passout_opt = []
-      $passout_env = []
+    $passout_opt = $out_pass ? {
+      undef   => ['-nodes'],
+      default => ['-passout', "pass:${out_pass}"],
     }
 
     $cmd = [
@@ -58,10 +52,9 @@
     }
 
     exec { "Export ${pfx_cert} to ${pem_key}":
-      command     => $cmd,
-      environment => $passin_env + $passout_env,
-      path        => $facts['path'],
-      *           => $exec_params,
+      command => $cmd,
+      path    => $facts['path'],
+      *       => $exec_params,
     }
   } else {
     file { $pem_key:

diff --git a/manifests/export/pkcs12.pp b/manifests/export/pkcs12.pp
@@ -33,20 +33,14 @@
   $full_path = "${basedir}/${name}.p12"
 
   if $ensure == 'present' {
-    if $in_pass {
-      $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
-      $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
-    } else {
-      $passin_opt = []
-      $passin_env = []
+    $pass_opt = $in_pass ? {
+      undef   => [],
+      default => ['-passin', "pass:${in_pass}"],
     }
 
-    if $out_pass {
-      $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
-      $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
-    } else {
-      $passout_opt = []
-      $passout_env = []
+    $passout_opt = $out_pass ? {
+      undef   => [],
+      default => ['-passout', "pass:${out_pass}"],
     }
 
     $chain_opt = $chaincert ? {
@@ -61,7 +55,7 @@
       '-out', $full_path,
       '-name', $name,
       '-nodes', '-noiter',
-    ] + $chain_opt + $passin_opt + $passout_opt
+    ] + $chain_opt + $pass_opt + $passout_opt
 
     if $dynamic {
       $exec_params = {
@@ -73,10 +67,9 @@
     }
 
     exec { "Export ${name} to ${full_path}":
-      command     => $cmd,
-      environment => $passin_env + $passout_env,
-      path        => $facts['path'],
-      *           => $exec_params,
+      command => $cmd,
+      path    => $facts['path'],
+      *       => $exec_params,
     }
   } else {
     file { $full_path:

diff --git a/spec/defines/openssl_export_pem_cert_spec.rb b/spec/defines/openssl_export_pem_cert_spec.rb
@@ -79,8 +79,7 @@
 
     it {
       is_expected.to contain_exec('Export /etc/ssl/certs/foo.pfx to /etc/ssl/certs/foo.pem').with(
-        command: ['openssl', 'pkcs12', '-in', '/etc/ssl/certs/foo.pfx', '-out', '/etc/ssl/certs/foo.pem', '-nokeys', '-passin', 'env:CERTIFICATE_PASSIN'],
-        environment: ['CERTIFICATE_PASSIN=5r$}^'],
+        command: ['openssl', 'pkcs12', '-in', '/etc/ssl/certs/foo.pfx', '-out', '/etc/ssl/certs/foo.pem', '-nokeys', '-passin', 'pass:5r$}^'],
         creates: '/etc/ssl/certs/foo.pem',
         path: '/usr/bin:/bin:/usr/sbin:/sbin'
       )