Merge pull request #714 from Icinga/tls

Rewrite some feature classes
voxpupuli · Dec 16, 2022 · e725fe9 · e725fe9
2 parents aae419e + d46bb1a
commit e725fe9
Show file tree

Hide file tree

Showing 25 changed files with 622 additions and 851 deletions.
diff --git a/examples/init_elasticsearch.pp b/examples/init_elasticsearch.pp
@@ -1,5 +1,6 @@
 include icinga2
 
 class { 'icinga2::feature::elasticsearch':
-  password => Sensitive('super(secret'),
+#  password => Sensitive('super(secret'),
+  password => 'super(secret',
 }
diff --git a/examples/init_influxdb.pp b/examples/init_influxdb.pp
@@ -3,9 +3,11 @@
 }
 
 class { 'icinga2::feature::influxdb':
-  password   => Sensitive('super(secret'),
+#  password   => Sensitive('super(secret'),
+  password   => 'super(secret',
   basic_auth => {
     username => 'icinga2',
-    password => Sensitive('super(secret'),
+#    password => Sensitive('super(secret'),
+    password => 'super(secret',
   },
 }
diff --git a/examples/init_influxdb2.pp b/examples/init_influxdb2.pp
@@ -6,6 +6,6 @@
   ensure       => present,
   organization => 'ICINGA',
   bucket       => 'icinga2',
-#  auth_token   => 'super(secret',
-  auth_token   => Sensitive('super(secret'),
+  auth_token   => 'super(secret',
+#  auth_token   => Sensitive('super(secret'),
 }
diff --git a/functions/cert.pp b/functions/cert.pp
@@ -5,13 +5,13 @@
 #    Returned hash includes all paths and the key, cert and cacert.
 #
 function icinga2::cert(
-  String                               $name,
-  Optional[Stdlib::Absolutepath]       $key_file    = undef,
-  Optional[Stdlib::Absolutepath]       $cert_file   = undef,
-  Optional[Stdlib::Absolutepath]       $cacert_file = undef,
-  Optional[Variant[String, Sensitive]] $key         = undef,
-  Optional[String]                     $cert        = undef,
-  Optional[String]                     $cacert      = undef,
+  String                                       $name,
+  Optional[Stdlib::Absolutepath]               $key_file    = undef,
+  Optional[Stdlib::Absolutepath]               $cert_file   = undef,
+  Optional[Stdlib::Absolutepath]               $cacert_file = undef,
+  Optional[Variant[String, Sensitive[String]]] $key         = undef,
+  Optional[String]                             $cert        = undef,
+  Optional[String]                             $cacert      = undef,
 ) >> Hash {
   # @param name
   #   The base name of certicate, key and ca file.
@@ -40,7 +40,13 @@ function icinga2::cert(
   $default_dir = $icinga2::globals::cert_dir
 
   $result = {
-    'key'         => $key,
+    'key'         => if $key =~ Sensitive {
+      $key
+    } elsif $key =~ String {
+      Sensitive($key)
+    } else {
+      undef
+    },
     'key_file'    => if $key {
       if $key_file {
         $key_file

diff --git a/functions/db/connect.pp b/functions/db/connect.pp
@@ -0,0 +1,89 @@
+# @summary
+#   This function returns a string to connect databases
+#   with or without TLS information.
+#
+# @return
+#   Connection string to connect database.
+#
+function icinga2::db::connect(
+  Struct[{
+      type     => Enum['pgsql','mysql','mariadb'],
+      host     => Stdlib::Host,
+      port     => Optional[Stdlib::Port],
+      database => String,
+      username => String,
+      password => Optional[Variant[String, Sensitive[String]]],
+  }]                   $db,
+  Hash[String, Any]    $tls,
+  Optional[Boolean]    $use_tls = undef,
+) >> String {
+  # @param db
+  #    Data hash with database information.
+  #
+  # @param tls
+  #   Data hash with TLS connection information.
+  #
+  # @param use_tls
+  #   Wether or not to use TLS encryption.
+  #
+  if $use_tls {
+    case $db['type'] {
+      'pgsql': {
+        $tls_options = regsubst(join(any2array(delete_undef_values({
+                  'sslmode='     => if $tls['noverify'] { 'require' } else { 'verify-full' },
+                  'sslcert='     => $tls['cert_file'],
+                  'sslkey='      => $tls['key_file'],
+                  'sslrootcert=' => $tls['cacert_file'],
+        })), ' '), '= ', '=', 'G')
+      }
+      'mariadb': {
+        $tls_options = join(any2array(delete_undef_values({
+                '--ssl'        => '',
+                '--ssl-ca'     => $tls['cacert_file'],
+                '--ssl-cert'   => $tls['cert_file'],
+                '--ssl-key'    => $tls['key_file'],
+                '--ssl-capath' => $tls['capath'],
+                '--ssl-cipher' => $tls['cipher'],
+        })), ' ')
+      }
+      'mysql': {
+        $tls_options = join(any2array(delete_undef_values({
+                '--ssl-mode'   => 'required',
+                '--ssl-ca'     => $tls['cacert_file'],
+                '--ssl-cert'   => $tls['cert_file'],
+                '--ssl-key'    => $tls['key_file'],
+                '--ssl-capath' => $tls['capath'],
+                '--ssl-cipher' => $tls['cipher'],
+        })), ' ')
+      }
+      default: {
+        fail('The database type you provided is not supported.')
+      }
+    }
+  } else {
+    $tls_options = ''
+  }
+
+  if $db['type'] == 'pgsql' {
+    $options = regsubst(join(any2array(delete_undef_values({
+              'host='        => $db['host'],
+              'user='        => $db['username'],
+              'port='        => $db['port'],
+              'dbname='      => $db['database'],
+    })), ' '), '= ', '=', 'G')
+  } else {
+    $_password = icinga2::unwrap($db['password'])
+    $options = join(any2array(delete_undef_values({
+            '-h'               => $db['host'] ? {
+              /localhost/  => undef,
+              default      => $db['host'],
+            },
+            '-P'               => $db['port'],
+            '-u'               => $db['username'],
+            "-p'${_password}'" => '',
+            '-D'               => $db['database'],
+    })), ' ')
+  }
+
+  "${options} ${tls_options}"
+}
diff --git a/functions/newline.pp b/functions/newline.pp
@@ -0,0 +1,25 @@
+# @summary
+#   Replace newlines for Windows systems.
+#
+# @return
+#    Text with correct newlines.
+#
+function icinga2::newline(
+  Optional[String] $text,
+) >> String {
+  # @param text
+  #   Text to replace the newlines.
+  #
+
+  if $text {
+    $result = if $facts['os']['family'] != 'windows' {
+      $text
+    } else {
+      regsubst($text, '\n', "\r\n", 'EMG')
+    }
+  } else {
+    $result = undef
+  }
+
+  return $result
+}
diff --git a/manifests/feature/api.pp b/manifests/feature/api.pp
@@ -249,43 +249,28 @@
       }
 
       if $ssl_key {
-        $_ssl_key = $facts['os']['family'] ? {
-          'windows' => regsubst($ssl_key, '\n', "\r\n", 'EMG'),
-          default   => $ssl_key,
-        }
-
         file { $_ssl_key_path:
           ensure    => file,
           mode      => $_ssl_key_mode,
-          content   => $_ssl_key,
+          content   => icinga2::newline($ssl_key),
           tag       => 'icinga2::config::file',
           show_diff => false,
           backup    => false,
         }
       }
 
       if $ssl_cert {
-        $_ssl_cert = $facts['os']['family'] ? {
-          'windows' => regsubst($ssl_cert, '\n', "\r\n", 'EMG'),
-          default   => $ssl_cert,
-        }
-
         file { $_ssl_cert_path:
           ensure  => file,
-          content => $_ssl_cert,
+          content => icinga2::newline($ssl_cert),
           tag     => 'icinga2::config::file',
         }
       }
 
       if $ssl_cacert {
-        $_ssl_cacert = $facts['os']['family'] ? {
-          'windows' => regsubst($ssl_cacert, '\n', "\r\n", 'EMG'),
-          default   => $ssl_cacert,
-        }
-
         file { $_ssl_cacert_path:
           ensure  => file,
-          content => $_ssl_cacert,
+          content => icinga2::newline($ssl_cacert),
           tag     => 'icinga2::config::file',
         }
       }