add openvpn::deploy::(export/client)

fix linting, add credit, add tests
fixes voxpupuli#231

lib/facter/openvpn.rb

@@ -0,0 +1,62 @@
+require 'facter'
+
+module Openvpn
+  def self.etc_path
+    case Facter.value(:osfamily)
+    when 'FreeBSD'
+      '/usr/local/etc/openvpn'
+    when 'RedHat'
+      '/etc/openvpn'
+    when 'Debian'
+      '/etc/openvpn'
+    when 'Archlinux'
+      '/etc/openvpn'
+    when 'Linux'
+      '/etc/openvpn'
+    else
+      ''
+    end
+  end
+
+  def self.client_certs
+    path = etc_path
+    clients = {}
+    if File.directory?(path)
+      Dir.entries(path).each do |server|
+        next unless File.directory?("#{path}/#{server}/download-configs")
+        clients[server.to_s] = {}
+
+        Dir.entries("#{path}/#{server}/download-configs").each do |client|
+          next unless File.directory?("#{path}/#{server}/download-configs/#{client}") && client !~ %r{^\.\.?$} && client !~ %r{\.tblk$}
+
+          clients[server.to_s][client.to_s] = {}
+          clients[server.to_s][client.to_s]['conf'] = File.open("#{path}/#{server}/download-configs/#{client}/#{client}.conf", 'r').read
+          clients[server.to_s][client.to_s]['ca'] = File.open("#{path}/#{server}/download-configs/#{client}/keys/#{client}/ca.crt", 'r').read
+          clients[server.to_s][client.to_s]['crt'] = File.open("#{path}/#{server}/download-configs/#{client}/keys/#{client}/#{client}.crt", 'r').read
+          clients[server.to_s][client.to_s]['key'] = File.open("#{path}/#{server}/download-configs/#{client}/keys/#{client}/#{client}.key", 'r').read
+          if File.exist?("#{path}/#{server}/download-configs/#{client}/keys/#{client}/ta.key")
+            clients[server.to_s][client.to_s]['ta'] = File.open("#{path}/#{server}/download-configs/#{client}/keys/#{client}/ta.key", 'r').read
+          end
+        end
+      end
+    end
+    clients
+  end
+
+  # Method to call the Facter DSL and dynamically add facts at runtime.
+  #
+  # This method is necessary to add reasonable RSpec coverage for the custom
+  # fact
+  #
+  # @return [NilClass]
+  def self.add_facts
+    certs = client_certs
+    Facter.add('openvpn::client_configs') do
+      setcode do
+        certs
+      end
+    end
+  end
+end
+
+Openvpn.add_facts

manifests/deploy/client.pp

@@ -0,0 +1,58 @@
+# == Define: openvpn::deploy::client
+#
+# Collect the exported configs for an Host and ensure a running Openvpn Service
+#
+# === Parameters
+#
+# $server   which Openvpn::Server[$server] does the config belong to?
+# String
+#
+# $manage_etc should the /etc/openvpn directory be managed? (warning, all unmanaged files will be purged!)
+#
+# === Variables
+#
+# None
+#
+# === Examples
+#
+#  openvpn::deploy::client { 'test-client':
+#    server => 'test_server',
+#  }
+#
+# === Authors
+#
+# Phil Bayfield https://bitbucket.org/Philio/
+#
+
+define openvpn::deploy::client (
+  String $server,
+  Boolean $manage_etc = true,
+) {
+
+  include openvpn::deploy::prepare
+
+  Class['openvpn::deploy::install']
+  -> Openvpn::Deploy::Client[$name]
+  ~> Class['openvpn::deploy::service']
+
+
+  if $manage_etc {
+    file { [
+      "${::openvpn::params::etc_directory}/openvpn",
+      "${::openvpn::params::etc_directory}/openvpn/keys",
+      "${::openvpn::params::etc_directory}/openvpn/keys/${name}",
+    ]:
+      ensure  => directory,
+      require => Package['openvpn'];
+    }
+  } else {
+    file { "${::openvpn::params::etc_directory}/openvpn/keys/${name}":
+      ensure  => directory,
+      require => Package['openvpn'];
+    }
+  }
+
+  File <<| tag == "${server}-${name}" |>>
+  ~> Class['openvpn::deploy::service']
+
+}

manifests/deploy/export.pp

@@ -0,0 +1,96 @@
+# == Define: openvpn::deploy::export
+#
+# Prepare all Openvpn-Client-Configs to be exported
+#
+# === Parameters
+#
+# $server   which Openvpn::Server[$server] does the config belong to?
+# String
+#
+# $tls_auth should the ta* files be exported too?
+#
+# === Variables
+#
+# None
+#
+# === Examples
+#
+#  openvpn::deploy::export { 'test-client':
+#    server => 'test_server',
+#  }
+#
+# === Authors
+#
+# Tobias Knipping https://github.com/to-kn
+# Phil Bayfield https://bitbucket.org/Philio/
+#
+
+define openvpn::deploy::export (
+  String $server,
+  Boolean $tls_auth = false,
+) {
+
+  Openvpn::Server[$server]
+  -> Openvpn::Client[$name]
+  -> Openvpn::Deploy::Export[$name]
+
+  if $::openvpn::client_configs {
+    if $::openvpn::client_configs[$server][$name] {
+      $data = $::openvpn::client_configs[$server][$name]
+
+      @@file { "exported-${server}-${name}-config":
+        ensure  => file,
+        path    => "${::openvpn::params::etc_directory}/openvpn/${name}.conf",
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0600',
+        content => $data['conf'],
+        tag     => "${server}-${name}",
+      }
+
+      @@file { "exported-${server}-${name}-ca":
+        ensure  => file,
+        path    => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/ca.crt",
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0600',
+        content => $data['ca'],
+        tag     => "${server}-${name}",
+      }
+
+      @@file { "exported-${server}-${name}-crt":
+        ensure  => file,
+        path    => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/${name}.crt",
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0600',
+        content => $data['crt'],
+        tag     => "${server}-${name}",
+      }
+
+      @@file { "exported-${server}-${name}-key":
+        ensure  => file,
+        path    => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/${name}.key",
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0600',
+        content => $data['key'],
+        tag     => "${server}-${name}",
+      }
+
+      if $tls_auth {
+        @@file { "exported-${server}-${name}-ta":
+          ensure  => file,
+          path    => "${::openvpn::params::etc_directory}/openvpn/keys/${name}/ta.key",
+          owner   => 'root',
+          group   => 'root',
+          mode    => '0600',
+          content => $data['ta'],
+          tag     => "${server}-${name}",
+        }
+      }
+    }
+  } else {
+    fail('openvpn::client_configs not defined, is pluginsync enabled?')
+  }
+}

manifests/deploy/install.pp

@@ -0,0 +1,26 @@
+# == Class: openvpn::deploy::install
+#
+# Installs the Openvpn profile
+#
+# === Parameters
+#
+# None
+#
+# === Variables
+#
+# None
+#
+# === Examples
+#
+#  include openvpn::deploy::install
+#
+# === Authors
+#
+# Phil Bayfield https://bitbucket.org/Philio/
+#
+
+class openvpn::deploy::install {
+
+  ensure_packages(['openvpn'])
+
+}

manifests/deploy/prepare.pp

@@ -0,0 +1,29 @@
+# == Class: openvpn::deploy::prepare
+#
+# Base profile
+#
+# === Parameters
+#
+# None
+#
+# === Variables
+#
+# None
+#
+# === Examples
+#
+#  include openvpn::deploy::prepare
+#
+# === Authors
+#
+# Phil Bayfield https://bitbucket.org/Philio/
+#
+
+class openvpn::deploy::prepare {
+
+  class { 'openvpn::params': }
+
+  class { 'openvpn::deploy::install': }
+  ~> class { 'openvpn::deploy::service': }
+
+}

manifests/deploy/service.pp

@@ -0,0 +1,31 @@
+# == Class: openvpn::deploy::service
+#
+# Base profile
+#
+# === Parameters
+#
+# None
+#
+# === Variables
+#
+# None
+#
+# === Examples
+#
+#  include openvpn::deploy::service
+#
+# === Authors
+#
+# Phil Bayfield https://bitbucket.org/Philio/
+#
+
+class openvpn::deploy::service {
+
+  service { 'openvpn':
+    ensure     => running,
+    enable     => true,
+    hasrestart => true,
+    hasstatus  => true;
+  }
+
+}

spec/defines/openvpn_deploy_client_spec.rb

@@ -0,0 +1,33 @@
+require 'spec_helper'
+
+describe 'openvpn::deploy::client', type: :define do
+  let(:title) { 'test_client' }
+  let(:params) { { 'server' => 'test_server' } }
+  let(:facts) do
+    {
+      fqdn: 'somehost',
+      concat_basedir: '/var/lib/puppet/concat',
+      osfamily: 'Debian',
+      operatingsystem: 'Ubuntu',
+      operatingsystemrelease: '12.04'
+    }
+  end
+
+  it { is_expected.to contain_file('/etc/openvpn/keys/test_client') }
+
+  it { is_expected.to contain_package('openvpn') }
+  it {
+    is_expected.to contain_service('openvpn').with(
+      ensure: 'running',
+      enable: true
+    )
+  }
+
+  context 'with manage_etc' do
+    let(:params) { { 'server' => 'test_server', 'manage_etc' => true } }
+
+    it { is_expected.to contain_file('/etc/openvpn') }
+    it { is_expected.to contain_file('/etc/openvpn/keys') }
+    it { is_expected.to contain_file('/etc/openvpn/keys/test_client') }
+  end
+end

spec/defines/openvpn_deploy_export_spec.rb

@@ -0,0 +1,57 @@
+require 'spec_helper'
+
+describe 'openvpn::deploy::export', type: :define do
+  let(:title) { 'test_client' }
+  let(:params) { { 'server' => 'test_server' } }
+  let(:facts) do
+    {
+      fqdn: 'somehost',
+      concat_basedir: '/var/lib/puppet/concat',
+      osfamily: 'Debian',
+      operatingsystem: 'Ubuntu',
+      operatingsystemrelease: '12.04',
+      openvpn: {
+        client_configs: {
+          test_server: {
+            test_client: {
+              conf: 'config',
+              crt: 'crt',
+              ca: 'ca',
+              key: 'key',
+              ta: 'ta'
+            }
+          }
+        }
+      }
+    }
+  end
+  let(:pre_condition) do
+    [
+      'openvpn::server { "test_server":
+        country       => "CO",
+        province      => "ST",
+        city          => "Some City",
+        organization  => "example.org",
+        email         => "[email protected]"
+      }',
+      'openvpn::client { "test_client":
+        server => "test_server"
+      }'
+    ].join
+  end
+
+  context 'exported resources' do
+    subject { exported_resources }
+
+    it { is_expected.to contain_file('exported-test_server-test_client-config').with_content('config') }
+    it { is_expected.to contain_file('exported-test_server-test_client-ca').with_content('ca') }
+    it { is_expected.to contain_file('exported-test_server-test_client-crt').with_content('crt') }
+    it { is_expected.to contain_file('exported-test_server-test_client-key').with_content('key') }
+
+    context 'with tls_auth' do
+      let(:params) { { 'server' => 'test_server', 'tls_auth' => true } }
+
+      it { is_expected.to contain_file('exported-test_server-test_client-ta').with_content('ta') }
+    end
+  end
+end