Merge pull request #7586 from chef/openssl_updates

 Add openssl_x509_crl resource and fix default modes in x509_certificate / x509_request 

7 files changed, 209 insertions, 16 deletions

diff --git a/lib/chef/resource/openssl_x509_certificate.rb b/lib/chef/resource/openssl_x509_certificate.rb
index 04641e877b..00058f65d0 100644
--- a/lib/chef/resource/openssl_x509_certificate.rb
+++ b/lib/chef/resource/openssl_x509_certificate.rb
@@ -44,8 +44,7 @@ class Chef
                default: 365
 
       property :mode, [Integer, String],
-               description: "The permission mode of all files created by the resource.",
-               default: "0644"
+               description: "The permission mode of all files created by the resource."
 
       property :country, String,
                description: "Value for the C ssl field."
@@ -116,9 +115,9 @@ class Chef
           converge_by("Create #{@new_resource}") do
             file new_resource.path do
               action :create_if_missing
-              mode new_resource.mode
               owner new_resource.owner unless new_resource.owner.nil?
               group new_resource.group unless new_resource.group.nil?
+              mode new_resource.mode unless new_resource.mode.nil?
               sensitive true
               content cert.to_pem
             end
@@ -126,9 +125,9 @@ class Chef
             if new_resource.csr_file.nil?
               file new_resource.key_file do
                 action :create_if_missing
-                mode new_resource.mode
                 owner new_resource.owner unless new_resource.owner.nil?
                 group new_resource.group unless new_resource.group.nil?
+                mode new_resource.mode unless new_resource.mode.nil?
                 sensitive true
                 content key.to_pem
               end
diff --git a/lib/chef/resource/openssl_x509_crl.rb b/lib/chef/resource/openssl_x509_crl.rb
new file mode 100644
index 0000000000..06c591ac18
--- /dev/null
+++ b/lib/chef/resource/openssl_x509_crl.rb
@@ -0,0 +1,130 @@
+#
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "chef/resource"
+
+class Chef
+  class Resource
+    class OpensslX509Crl < Chef::Resource
+      require "chef/mixin/openssl_helper"
+      include Chef::Mixin::OpenSSLHelper
+
+      preview_resource true
+      resource_name :openssl_x509_crl
+
+      description "Use the openssl_x509_crl resource to generate PEM-formatted x509 CRL files."
+      introduced "14.4"
+
+      property :path, String,
+               description: "Optional path to write the file to if you'd like to specify it here instead of in the resource name.",
+               name_property: true
+
+      property :serial_to_revoke, [Integer, String],
+               description: "Serial of the X509 Certificate to revoke."
+
+      property :revocation_reason, Integer,
+               description: "Reason for the revokation.",
+               default: 0
+
+      property :expire, Integer,
+               description: "Value representing the number of days from now through which the issued CRL will remain valid. The CRL will expire after this period.",
+               default: 8
+
+      property :renewal_threshold, Integer,
+               description: "Number of days before the expiration. It this threshold is reached, the CRL will be renewed.",
+               default: 1
+
+      property :ca_cert_file, String,
+               description: "The path to the CA X509 Certificate on the filesystem. If the ca_cert_file attribute is specified, the ca_key_file attribute must also be specified, the CRL will be signed with them.",
+               required: true
+
+      property :ca_key_file, String,
+               description: "The path to the CA private key on the filesystem. If the ca_key_file property is specified, the ca_cert_file property must also be specified, the CRL will be signed with them.",
+               required: true
+
+      property :ca_key_pass, String,
+               description: "The passphrase for CA private key's passphrase."
+
+      property :owner, String,
+               description: "The owner permission for the CRL file."
+
+      property :group, String,
+               description: "The group permission for the CRL file."
+
+      property :mode, [Integer, String],
+               description: "The permission mode of the CRL file."
+
+      action :create do
+        description "Create the CRL file."
+
+        file new_resource.path do
+          owner new_resource.owner unless new_resource.owner.nil?
+          group new_resource.group unless new_resource.group.nil?
+          mode new_resource.mode unless new_resource.mode.nil?
+          content crl.to_pem
+          action :create
+        end
+      end
+
+      action_class do
+        def crl_info
+          # Will contain issuer & expiration
+          crl_info = {}
+
+          crl_info["issuer"] = ::OpenSSL::X509::Certificate.new ::File.read(new_resource.ca_cert_file)
+          crl_info["validity"] = new_resource.expire
+
+          crl_info
+        end
+
+        def revoke_info
+          # Will contain Serial to revoke & reason
+          revoke_info = {}
+
+          revoke_info["serial"] = new_resource.serial_to_revoke
+          revoke_info["reason"] = new_resource.revocation_reason
+
+          revoke_info
+        end
+
+        def ca_private_key
+          ca_private_key = ::OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
+          ca_private_key
+        end
+
+        def crl
+          if crl_file_valid?(new_resource.path)
+            crl = ::OpenSSL::X509::CRL.new ::File.read(new_resource.path)
+          else
+            log "Creating a CRL #{new_resource.path} for CA #{new_resource.ca_cert_file}"
+            crl = gen_x509_crl(ca_private_key, crl_info)
+          end
+
+          if !new_resource.serial_to_revoke.nil? && serial_revoked?(crl, new_resource.serial_to_revoke) == false
+            log "Revoking serial #{new_resource.serial_to_revoke} in CRL #{new_resource.path}"
+            crl = revoke_x509_crl(revoke_info, crl, ca_private_key, crl_info)
+          elsif crl.next_update <= Time.now + 3600 * 24 * new_resource.renewal_threshold
+            log "Renewing CRL for CA #{new_resource.ca_cert_file}"
+            crl = renew_x509_crl(crl, ca_private_key, crl_info)
+          end
+
+          crl
+        end
+      end
+
+    end
+  end
+end
diff --git a/lib/chef/resource/openssl_x509_request.rb b/lib/chef/resource/openssl_x509_request.rb
index a7b989d96d..071978a961 100644
--- a/lib/chef/resource/openssl_x509_request.rb
+++ b/lib/chef/resource/openssl_x509_request.rb
@@ -37,8 +37,8 @@ class Chef
       property :group, String,
                description: "The group of all files created by the resource."
 
-      property :mode, [Integer, String], default: "0644",
-               description: ""
+      property :mode, [Integer, String],
+               description: "The permission mode of all files created by the resource."
 
       property :country, String,
                description: "Value for the C ssl field."
@@ -90,15 +90,15 @@ class Chef
             file new_resource.name do
               owner new_resource.owner unless new_resource.owner.nil?
               group new_resource.group unless new_resource.group.nil?
-              mode new_resource.mode
+              mode new_resource.mode unless new_resource.mode.nil?
               content csr.to_pem
               action :create
             end
 
             file new_resource.key_file do
-              mode new_resource.mode
               owner new_resource.owner unless new_resource.owner.nil?
               group new_resource.group unless new_resource.group.nil?
+              mode new_resource.mode unless new_resource.mode.nil?
               content key.to_pem
               sensitive true
               action :create_if_missing
diff --git a/lib/chef/resources.rb b/lib/chef/resources.rb
index 3a4822e8f4..614ef74ade 100644
--- a/lib/chef/resources.rb
+++ b/lib/chef/resources.rb
@@ -71,6 +71,7 @@ require "chef/resource/openssl_ec_public_key"
 require "chef/resource/openssl_rsa_private_key"
 require "chef/resource/openssl_rsa_public_key"
 require "chef/resource/openssl_x509_certificate"
+require "chef/resource/openssl_x509_crl"
 require "chef/resource/openssl_x509_request"
 require "chef/resource/package"
 require "chef/resource/pacman_package"
diff --git a/spec/unit/resource/openssl_openssl_x509_certificate_spec.rb b/spec/unit/resource/openssl_x509_certificate_spec.rb
index b8e49db164..795987f569 100644
--- a/spec/unit/resource/openssl_openssl_x509_certificate_spec.rb
+++ b/spec/unit/resource/openssl_x509_certificate_spec.rb
@@ -41,10 +41,6 @@ describe Chef::Resource::OpensslX509Certificate do
     expect(resource.expire).to eql(365)
   end
 
-  it "has a default mode of '0644'" do
-    expect(resource.mode).to eql("0644")
-  end
-
   it "has a default key_type of 'rsa'" do
     expect(resource.key_type).to eql("rsa")
   end
@@ -68,4 +64,9 @@ describe Chef::Resource::OpensslX509Certificate do
   it "only accepts valid key_curve values" do
     expect { resource.key_curve "fako" }.to raise_error(ArgumentError)
   end
+
+  it "mode accepts both String and Integer values" do
+    expect { resource.mode "644" }.not_to raise_error
+    expect { resource.mode 644 }.not_to raise_error
+  end
 end
diff --git a/spec/unit/resource/openssl_x509_crl_spec.rb b/spec/unit/resource/openssl_x509_crl_spec.rb
new file mode 100644
index 0000000000..4f852be0c2
--- /dev/null
+++ b/spec/unit/resource/openssl_x509_crl_spec.rb
@@ -0,0 +1,61 @@
+#
+# Copyright:: Copyright 2018, Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::OpensslX509Crl do
+
+  let(:resource) { Chef::Resource::OpensslX509Crl.new("fakey_fakerton") }
+
+  it "has a resource name of :openssl_x509_crl" do
+    expect(resource.resource_name).to eql(:openssl_x509_crl)
+  end
+
+  it "the path property is the name_property" do
+    expect(resource.path).to eql("fakey_fakerton")
+  end
+
+  it "sets the default action as :create" do
+    expect(resource.action).to eql([:create])
+  end
+
+  it "supports :create action" do
+    expect { resource.action :create }.not_to raise_error
+  end
+
+  it "has a default revocation_reason of 0" do
+    expect(resource.revocation_reason).to eql(0)
+  end
+
+  it "has a default expiration of 8" do
+    expect(resource.expire).to eql(8)
+  end
+
+  it "has a default renewal_threshold of 1" do
+    expect(resource.renewal_threshold).to eql(1)
+  end
+
+  it "serial_to_revoke accepts both String and Integer values" do
+    expect { resource.serial_to_revoke "123" }.not_to raise_error
+    expect { resource.serial_to_revoke 123 }.not_to raise_error
+  end
+
+  it "mode accepts both String and Integer values" do
+    expect { resource.mode "644" }.not_to raise_error
+    expect { resource.mode 644 }.not_to raise_error
+  end
+end
diff --git a/spec/unit/resource/openssl_openssl_x509_request.rb b/spec/unit/resource/openssl_x509_request.rb
index 59abdc666e..28ca4f7345 100644
--- a/spec/unit/resource/openssl_openssl_x509_request.rb
+++ b/spec/unit/resource/openssl_x509_request.rb
@@ -37,10 +37,6 @@ describe Chef::Resource::OpensslX509Request do
     expect { resource.action :create }.not_to raise_error
   end
 
-  it "has a default mode of '0644'" do
-    expect(resource.mode).to eql("0644")
-  end
-
   it "has a default key_type of 'ec'" do
     expect(resource.key_type).to eql("ec")
   end
@@ -64,4 +60,9 @@ describe Chef::Resource::OpensslX509Request do
   it "only accepts valid key_curve values" do
     expect { resource.key_curve "fako" }.to raise_error(ArgumentError)
   end
+
+  it "mode accepts both String and Integer values" do
+    expect { resource.mode "644" }.not_to raise_error
+    expect { resource.mode 644 }.not_to raise_error
+  end
 end