From fdc206eb9a23725343f87b53ea0794c4c01762e2 Mon Sep 17 00:00:00 2001
From: Lennart Betz
Date: Wed, 6 Sep 2017 10:54:31 +0200
Subject: [PATCH] fix #325, ticket_salt ist stored to api.conf only if pki = none|ca
---
 README.md | 3 ++-
 examples/init_master.pp | 5 +++--
 manifests/feature/api.pp | 14 ++++++++++++--
 manifests/pki/ca.pp | 4 ++--
 spec/classes/api_spec.rb | 12 +++++-------
 5 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index 3b0ac1a02..2a732eb70 100644
--- a/README.md
+++ b/README.md
@@ -1224,7 +1224,8 @@ This host will be connected to request the certificate. Set this if you use the
 Port of the 'ca_host'. Defaults to `5665`
 ##### `ticket_salt`
-Salt to use for ticket generation. Defaults to icinga2 constant `TicketSalt`.
+Salt to use for ticket generation. The salt is stored to api.conf if `none` or `ca` is chosen for `pki`.
+Defaults to constant `TicketSalt`.
 ##### `endpoints`
 Hash to configure endpoint objects. Defaults to `{ 'NodeName' => {} }`. `NodeName` is a Icinga 2 constant.
diff --git a/examples/init_master.pp b/examples/init_master.pp
index 3b5f13415..f522c3ccb 100644
--- a/examples/init_master.pp
+++ b/examples/init_master.pp
@@ -7,8 +7,6 @@
 }
 }
-class { '::icinga2::pki::ca': }
-
 class { '::icinga2::feature::api':
 pki => 'none',
 zones => {
@@ -17,3 +15,6 @@
 },
 }
 }
+
+class { '::icinga2::pki::ca': }
+
diff --git a/manifests/feature/api.pp b/manifests/feature/api.pp
index f4c166652..ce3cfab04 100644
--- a/manifests/feature/api.pp
+++ b/manifests/feature/api.pp
@@ -66,7 +66,8 @@
 # Port of the 'ca_host'. Defaults to 5665
 #
 # [*ticket_salt*]
-# Salt to use for ticket generation. Defaults to icinga2 constant TicketSalt.
+# Salt to use for ticket generation. The salt is stored to api.conf if none or ca is chosen for pki.
+# Defaults to constant TicketSalt.
 #
 # [*endpoints*]
 # Hash to configure endpoint objects. Defaults to { 'NodeName' => {} }.
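Review bot: The new doc line says when the salt is written but not what happens in the other two modes, where the value is discarded (the `$_ticket_salt = undef` assignments in the 'puppet' and 'icinga2' branches further down in this file). Suggest a third line after `#   Defaults to constant TicketSalt.`: `#   Ignored (not written to api.conf) when pki is puppet or icinga2.` The README hunk above would want the same sentence.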
@@ -242,6 +243,8 @@
 # handle the certificate's stuff
 case $pki {
 'puppet': {
+ $_ticket_salt = undef
+
 file { $_ssl_key_path:
 ensure => file,
 mode => $_ssl_key_mode,
@@ -263,6 +266,10 @@
 } # puppet
 'none': {
+ # non means you manage the CA on your own and so
+ # the salt has to be stored in api.conf
+ $_ticket_salt = $ticket_salt
+
 if $ssl_key {
 $_ssl_key = $::osfamily ? {
 'windows' => regsubst($ssl_key, '\n', "\r\n", 'EMG'),
@@ -305,6 +312,8 @@
 } # none
 'icinga2': {
+ $_ticket_salt = undef
+
 validate_string($ca_host)
 validate_integer($ca_port)
@@ -333,6 +342,7 @@
 } # icinga2
 'ca': {
+ $_ticket_salt = $ticket_salt
 class { '::icinga2::pki::ca': }
 warning('This parameter is deprecated and will be removed in future versions! Please use ::icinga2::pki::ca instead')
@@ -346,7 +356,7 @@
 ca_path => $_ssl_cacert_path,
 accept_commands => $accept_commands,
 accept_config => $accept_config,
- ticket_salt => $ticket_salt,
+ ticket_salt => $_ticket_salt,
 tls_protocolmin => $ssl_protocolmin,
 cipher_list => $ssl_cipher_list,
 bind_host => $bind_host,
diff --git a/manifests/pki/ca.pp b/manifests/pki/ca.pp
index 215a0a7f9..cf4c3f498 100644
--- a/manifests/pki/ca.pp
+++ b/manifests/pki/ca.pp
@@ -64,6 +64,7 @@
 include ::icinga2::params
 require ::icinga2::config
+ $bin_dir = $::icinga2::params::bin_dir
 $ca_dir = $::icinga2::params::ca_dir
 $pki_dir = $::icinga2::params::pki_dir
 $user = $::icinga2::params::user
@@ -76,8 +77,7 @@
 }
 Exec {
- user => 'root',
- path => $::path,
+ path => $bin_dir,
 }
 if $ssl_key_path {
diff --git a/spec/classes/api_spec.rb b/spec/classes/api_spec.rb
index 3a243ec28..55fc3661d 100644
--- a/spec/classes/api_spec.rb
+++ b/spec/classes/api_spec.rb
@@ -46,7 +46,6 @@
 .with({ 'target' => '/etc/icinga2/features-available/api.conf' })
 .with_content(/accept_config = false/)
 .with_content(/accept_commands = false/)
- .with_content(/ticket_salt = TicketSalt/)
 .without_content(/bind_\w+ =/) }
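Review bot: `$_ticket_salt = undef` in the 'puppet' branch discards a ticket_salt the caller set explicitly, with no feedback; the 'icinga2' branch at -305 does the same. A one-line warning at that point would make the misconfiguration visible, e.g. `if $ticket_salt != 'TicketSalt' { warning('ticket_salt is ignored unless pki is none or ca') }`, assuming the parameter's default is the literal string 'TicketSalt' as the dropped spec assertion suggests; if the default is something else, compare against that instead. The case statement and the enclosing class both begin and end outside this hunk.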
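Review bot: The new comment in the 'none' branch reads `# non means you manage the CA on your own and so`; `non` should be `none` to match the case label it explains. Since this is the branch that now writes the salt into api.conf, the secret's exposure depends on that file's mode, which is set wherever the concat target is declared (outside this hunk); worth confirming it is not group- or world-readable, because the README describes the salt as the input to ticket generation and it should be handled as a secret. The 'ca' branch at -333 writes the salt the same way and has the same dependency.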
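Review bot: With `path => $bin_dir` as the Exec default, any exec in this class that invokes something not living in `$bin_dir` will no longer resolve it; the exec resources themselves are outside both hunks, so confirm each command is the icinga2 binary or uses an absolute path. Dropping `user => 'root'` means the CA commands now run as the agent's account, presumably to make the class work on Windows; if ownership of the generated CA material matters on Unix, the file resources should pin owner and group rather than inheriting whatever the exec produced — I cannot see from here whether they do. The enclosing class starts before the first hunk and continues past the second.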
@@ -228,8 +227,8 @@ end
- context "#{os} with ticket_salt => foo" do
- let(:params) { {:ticket_salt => 'foo'} }
+ context "#{os} with pki => none, ticket_salt => foo" do
+ let(:params) { {:pki => 'none', :ticket_salt => 'foo'} }
 it { is_expected.to contain_concat__fragment('icinga2::object::ApiListener::api')
 .with({ 'target' => '/etc/icinga2/features-available/api.conf' })
@@ -347,8 +346,7 @@
 it { is_expected.to contain_concat__fragment('icinga2::object::ApiListener::api')
 .with({ 'target' => 'C:/ProgramData/icinga2/etc/icinga2/features-available/api.conf' })
 .with_content(/accept_config = false/)
- .with_content(/accept_commands = false/)
- .with_content(/ticket_salt = TicketSalt/) }
+ .with_content(/accept_commands = false/) }
 it { is_expected.to contain_file('C:/ProgramData/icinga2/etc/icinga2/pki/host.example.org.key') }
 it { is_expected.to contain_file('C:/ProgramData/icinga2/etc/icinga2/pki/host.example.org.crt') }
@@ -498,8 +496,8 @@ end
- context "Windows 2012 R2 with ticket_salt => foo" do
- let(:params) { {:ticket_salt => 'foo'} }
+ context "Windows 2012 R2 with pki => none, ticket_salt => foo" do
+ let(:params) { {:pki => 'none', :ticket_salt => 'foo'} }
 it { is_expected.to contain_concat__fragment('icinga2::object::ApiListener::api')
 .with({ 'target' => 'C:/ProgramData/icinga2/etc/icinga2/features-available/api.conf' })
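Review bot: The renamed contexts only cover the branch that writes the salt; nothing now asserts the other half of the fix, that an explicit ticket_salt is omitted from api.conf when pki is left at its default. In the default-parameter examples the removed `.with_content(/ticket_salt = TicketSalt/)` (hunks -46 and -347) could become `.without_content(/ticket_salt =/)` instead of being dropped, provided the template omits undef attributes as the removal suggests. A dedicated context for the Linux loop, mirrored for the Windows block at -498, would pin the negative case directly:
```ruby
context "#{os} with pki => puppet, ticket_salt => foo" do
  let(:params) { {:pki => 'puppet', :ticket_salt => 'foo'} }

  it { is_expected.to contain_concat__fragment('icinga2::object::ApiListener::api')
    .without_content(/ticket_salt =/) }
end
```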