From 41513a9ac1c302033edd774fb1bd8f8af8c78f69 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Mon, 30 Sep 2024 17:33:12 +0200
Subject: [PATCH] Revert "Send passwords via environment variables"
This broke several things and needs some fixes.
This reverts commit 25df78714f2147735197322d322418f5b38c5fa4.
---
 lib/puppet/provider/x509_cert/openssl.rb | 9 ++-----
 lib/puppet/provider/x509_request/openssl.rb | 8 ++----
 manifests/export/pem_cert.pp | 16 +++++-------
 manifests/export/pem_key.pp | 25 +++++++-----------
 manifests/export/pkcs12.pp | 27 ++++++++------------
 spec/defines/openssl_export_pem_cert_spec.rb | 3 +--
 6 files changed, 30 insertions(+), 58 deletions(-)
diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb
index 05d146d..91793a1 100644
--- a/lib/puppet/provider/x509_cert/openssl.rb
+++ b/lib/puppet/provider/x509_cert/openssl.rb
@@ -57,8 +57,6 @@ def exists?
 end
 def create
- env = {}
- if resource[:csr] options = [ 'x509',
@@ -94,12 +92,9 @@ def create
 password = resource[:cakey_password] || resource[:password]
- if password
- options << ['-passin', 'env:CERTIFICATE_PASSIN']
- env['CERTIFICATE_PASSIN'] = password
- end
+ options << ['-passin', "pass:#{password}"] if password
 options << ['-extensions', 'v3_req'] if resource[:req_ext] != :false
- openssl options, environment: env
+ openssl options
 end
 def destroy
diff --git a/lib/puppet/provider/x509_request/openssl.rb b/lib/puppet/provider/x509_request/openssl.rb
index 131bf30..732330a 100644
--- a/lib/puppet/provider/x509_request/openssl.rb
+++ b/lib/puppet/provider/x509_request/openssl.rb
@@ -28,7 +28,6 @@ def exists?
 end
 def create
- env = {}
 options = [
 'req', '-new', '-key', resource[:private_key],
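Review bot: The restored `options << ['-passin', "pass:#{password}"] if password` line puts the CA key or certificate password on the openssl command line, where any local user can read it from the process table (`ps`, `/proc/<pid>/cmdline`) for as long as the command runs, and where Puppet's provider or exec logging may record it on failure. The same pattern is reintroduced in x509_request's `create` and in the `"pass:${in_pass}"`/`"pass:${out_pass}"` selectors of pem_cert.pp, pem_key.pp and pkcs12.pp. OpenSSL also accepts `-passin file:PATH`, `fd:N` and `stdin` pass-phrase sources, which keep the secret out of argv; if the revert is a stopgap, a follow-up for one of those (or for repairing the env-based path — the removed `environment => $passin_env` line in pem_cert.pp lacks its trailing comma, which plausibly is one of the breakages) would be worth referencing in the commit message. `create`'s body continues outside the hunk.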
@@ -36,13 +35,10 @@ def create
 '-out', resource[:path]
 ]
- if resource[:password]
- options << ['-passin', 'env:CERTIFICATE_PASSIN']
- env['CERTIFICATE_PASSIN'] = resource[:password]
- end
+ options << ['-passin', "pass:#{resource[:password]}"] if resource[:password]
 options << ['-nodes'] unless resource[:encrypted]
- openssl options, environment: env
+ openssl options
 end
 def destroy
diff --git a/manifests/export/pem_cert.pp b/manifests/export/pem_cert.pp
index fe5de3f..826fa44 100644
--- a/manifests/export/pem_cert.pp
+++ b/manifests/export/pem_cert.pp
@@ -44,12 +44,9 @@
 $in_cert = $pfx_cert
 }
- if $in_pass {
- $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
- $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
- } else {
- $passin_opt = []
- $passin_env = []
+ $passin_opt = $in_pass ? {
+ undef => [],
+ default => ['-nokeys', '-passin', "pass:${in_pass}"],
 }
 if $ensure == 'present' {
@@ -65,10 +62,9 @@
 }
 exec { "Export ${in_cert} to ${pem_cert}":
- command => $cmd,
- environment => $passin_env
- path => $facts['path'],
- * => $exec_params,
+ command => $cmd,
+ path => $facts['path'],
+ * => $exec_params,
 }
 } else {
 file { $pem_cert:
diff --git a/manifests/export/pem_key.pp b/manifests/export/pem_key.pp
index 390b8b1..efbb9e7 100644
--- a/manifests/export/pem_key.pp
+++ b/manifests/export/pem_key.pp
@@ -25,20 +25,14 @@
 Optional[String] $out_pass = undef,
 ) {
 if $ensure == 'present' {
- if $in_pass {
- $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
- $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
- } else {
- $passin_opt = []
- $passin_env = []
+ $passin_opt = $in_pass ? {
+ undef => [],
+ default => ['-passin', "pass:${in_pass}"],
 }
- if $out_pass {
- $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
- $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
- } else {
- $passout_opt = []
- $passout_env = []
+ $passout_opt = $out_pass ? {
+ undef => ['-nodes'],
+ default => ['-passout', "pass:${out_pass}"],
 }
 $cmd = [
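Review bot: In the restored `$passin_opt` selector of pem_cert.pp, `-nokeys` is emitted only together with `-passin`, so an export with `$in_pass` undef runs `openssl pkcs12` without `-nokeys`, which either writes the private key into `$pem_cert` next to the certificate or, with no `-nodes`/`-passout` given, leaves openssl waiting on a PEM pass-phrase prompt inside a non-interactive exec. That coupling predates this commit but the revert keeps it; `-nokeys` belongs in the unconditional part of `$cmd`, which is assembled outside this hunk, leaving the selector as `default => ['-passin', "pass:${in_pass}"],`. The `pass:` argv exposure raised on the x509_cert provider applies to this selector and to the pem_key.pp ones below as well.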
@@ -58,10 +52,9 @@
 }
 exec { "Export ${pfx_cert} to ${pem_key}":
- command => $cmd,
- environment => $passin_env + $passout_env,
- path => $facts['path'],
- * => $exec_params,
+ command => $cmd,
+ path => $facts['path'],
+ * => $exec_params,
 }
 } else {
 file { $pem_key:
diff --git a/manifests/export/pkcs12.pp b/manifests/export/pkcs12.pp
index ccef3f3..ea3bace 100644
--- a/manifests/export/pkcs12.pp
+++ b/manifests/export/pkcs12.pp
@@ -33,20 +33,14 @@
 $full_path = "${basedir}/${name}.p12"
 if $ensure == 'present' {
- if $in_pass {
- $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
- $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
- } else {
- $passin_opt = []
- $passin_env = []
+ $pass_opt = $in_pass ? {
+ undef => [],
+ default => ['-passin', "pass:${in_pass}"],
 }
- if $out_pass {
- $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
- $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
- } else {
- $passout_opt = []
- $passout_env = []
+ $passout_opt = $out_pass ? {
+ undef => [],
+ default => ['-passout', "pass:${out_pass}"],
 }
 $chain_opt = $chaincert ? {
@@ -61,7 +55,7 @@
 '-out', $full_path, '-name', $name, '-nodes', '-noiter',
- ] + $chain_opt + $passin_opt + $passout_opt
+ ] + $chain_opt + $pass_opt + $passout_opt
 if $dynamic {
 $exec_params = {
@@ -73,10 +67,9 @@
 }
 exec { "Export ${name} to ${full_path}":
- command => $cmd,
- environment => $passin_env + $passout_env,
- path => $facts['path'],
- * => $exec_params,
+ command => $cmd,
+ path => $facts['path'],
+ * => $exec_params,
 }
 } else {
 file { $full_path:
diff --git a/spec/defines/openssl_export_pem_cert_spec.rb b/spec/defines/openssl_export_pem_cert_spec.rb
index f04c649..d5cf277 100644
--- a/spec/defines/openssl_export_pem_cert_spec.rb
+++ b/spec/defines/openssl_export_pem_cert_spec.rb
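Review bot: The restored pkcs12.pp selector names the import pass-phrase options `$pass_opt`, while the sibling manifests pem_cert.pp and pem_key.pp use `$passin_opt` for the same thing and the variable is paired with `$passout_opt` a few lines below; renaming it, `$passin_opt = $in_pass ? {` here and `] + $chain_opt + $passin_opt + $passout_opt` in the later hunk, keeps the three manifests consistent. The `pass:${in_pass}`/`pass:${out_pass}` forms carry the same command-line exposure already raised on the x509_cert provider.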
@@ -79,8 +79,7 @@
 it {
 is_expected.to contain_exec('Export /etc/ssl/certs/foo.pfx to /etc/ssl/certs/foo.pem').with(
- command: ['openssl', 'pkcs12', '-in', '/etc/ssl/certs/foo.pfx', '-out', '/etc/ssl/certs/foo.pem', '-nokeys', '-passin', 'env:CERTIFICATE_PASSIN'],
- environment: ['CERTIFICATE_PASSIN=5r$}^'],
+ command: ['openssl', 'pkcs12', '-in', '/etc/ssl/certs/foo.pfx', '-out', '/etc/ssl/certs/foo.pem', '-nokeys', '-passin', 'pass:5r$}^'],
 creates: '/etc/ssl/certs/foo.pem',
 path: '/usr/bin:/bin:/usr/sbin:/sbin'
 )
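Review bot: The restored expectation only covers the password-present case, where `-nokeys` and `-passin pass:5r$}^` appear together in `command`, so it would not catch `-nokeys` disappearing when no pass-phrase is given, which the pem_cert.pp selector in this patch ties to `$in_pass`. A companion example in a context without `in_pass`, asserting that `command` still contains `'-nokeys'`, would pin the intended behaviour; whether such a context already exists elsewhere in this spec is outside the hunk.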