Make x509 altnames and extkeyusage optional #177
Conversation
treydock
force-pushed
the
optional-x509-params
branch
from
1e962ea to
8ebf7cf
Compare
| Array $altnames = [], | ||
| Array $extkeyusage = [], | ||
| Optional[Array] $altnames = undef, | ||
| Optional[Array] $extkeyusage = undef, | ||
| Optional[String] $email = undef, |
There was a problem hiding this comment.
This is not solving the problem. It still allows to set an empty array to those parameters which will lead to the same result.
| @@ -159,7 +159,7 @@ | |||
| $_csr = pick($csr, "${_csr_dir}/${name}.csr") | |||
| $_key = pick($key, "${_key_dir}/${name}.key") | |||
|
|
|||
| if !empty($altnames+$extkeyusage) { | |||
| if $altnames or $extkeyusage { | |||
There was a problem hiding this comment.
What's about $req_ext = !empty($altnames) or !empty($extkeyusage) instead of that if-else-spaghetti
There was a problem hiding this comment.
well, you have to detect if we actually have values in extkexusage and altnames in order to set the req_ext. You cant set it always as that would error out when generating a cert, when both arrays are empty (and not set in the config, assuming its fixed). I am working on memory here though, when i last worked on it. I could be wrong.
If we only allow non-empty arrays and undef the 'if $altnames or $extkeyusage' works just fine, no need for the empty check
There was a problem hiding this comment.
First: My suggesting is essentially to use
$boolean_variable = (expression)
over something like
if (expression) {
$boolean_variable = true
} else {
$boolean_variable = false
}
Second, the v3_req section of the config depends on a lot more parameters. The $req_ext is not passed to the template at all, it is referenced only at a single point, to pass it to x509_cert. Thus, you can drop this variable and replace the expression into the x509_cert to be passed to its req_ext parameter.
|
Sorry for the fly by comment, but you may have a look on 50317c2 which is fixing the config template too, I hope. |
treydock
force-pushed
the
optional-x509-params
branch
from
8ebf7cf to
e01db1f
Compare
|
@rtib What about the updated change to use |
The defaults of empty arrays are generating invalid openssl configs
treydock
force-pushed
the
optional-x509-params
branch
from
e01db1f to
c6481cb
Compare
|
The semantics of the empty() function is covering all you need. It is built-in with Puppet, so there is no additional dependency. Though notions like |
|
The root cause of the problem is lying in the template used to generate the config, not in type signature of the parameters. This is part of what rendered release 3.0.0 unusable (see #178). I'd prefer to not change the module API. |
|
I agree partly with both: we have to fix the template to only set the values (and corresponding keys) in the config, if they are present. Checking for undef is easy enough in a template, default boolean behaviour will take care of that (even without empty). |
Look at it: Now imagine you are new to this module, probably new to Puppet, you want to use the module trying to understand its parameters. Which one you'd prefer? |
|
From the software engineering point of view, the real difference between and is that the first one is using a hidden, implicit behaviour of the language, while the semantics of the later is fully explicit. |
|
I look at data types as a way to represent what's valid. If an empty array is not valid, it should not be allowed as a parameter irregardless of how it might look to someone new to Puppet. Data types should validate the inputs, if empty array is not a valid input, it shouldn't be allowed. Similar for empty strings. If empty strings are not a valid input, data types need to prevent them. I'd imagine a new Puppet user would rather be prevented from invalid inputs or unexpected behavior rather than having an easier time looking at the code. If they go to look at the code cause they passed empty array and it broke X509 cert creation, it will be a lot harder to debug (as I recently found out) than if they are prevented from that issue to begin with. |
|
But the real issue is the template, so fixing that via 50317c2 might be better or be good to do at same time. |
Which is completely fine. However, there are two perspectives: one is the public API of the module, intended to be understood and used by others; and two, all the internal variables defined as they are used. On the public API, a parameter called |
|
Correct, empty array is a valid default in these cases. @rtib Do you want to open PR with template fixes or do you want me to handle with this PR? |
I think this PR is the right place for that. But, we need to test that thoroughly, that commit is just a first take. |
|
I found some time to look deeper into this and did some refactoring:
|
|
Those look pretty good, would you like to provide them in a PR? :) |
|
Opened #179 |
The defaults of empty arrays are generating invalid openssl configs
Example of what's generated:
This throws all sorts of errors: