authorJulien Huon <julien@huon.email>2019-12-25 15:08:10 +0100
committerJulien Huon <julien@huon.email>2019-12-25 15:08:10 +0100
commitafc883e252f6e158323e55892525fd4f7cb15bcc (patch)
tree3d68bea83aa44037c9e42ba0bac6050db456a232 /lib
parentf5f618321ff524cfe5c8cafdf3bdaca55485cd9b (diff)
Add the capability to automatically renew a certificate with x509_certificate resource
Signed-off-by: Julien Huon <julien@huon.email>
Diffstat (limited to 'lib')
-rw-r--r--lib/chef/mixin/openssl_helper.rb24
-rw-r--r--lib/chef/resource/openssl_x509_certificate.rb8
2 files changed, 30 insertions, 2 deletions
diff --git a/lib/chef/mixin/openssl_helper.rb b/lib/chef/mixin/openssl_helper.rb
index 5a4bd6077a..28388453c5 100644
--- a/lib/chef/mixin/openssl_helper.rb
+++ b/lib/chef/mixin/openssl_helper.rb
@@ -401,6 +401,30 @@ class Chef
crl.sign(ca_private_key, ::OpenSSL::Digest::SHA256.new)
crl
end
+
+ # Return true if a certificate need to be renewed (or doesn't exist) according to the number
+ # of days before expiration given
+ # @param [string] cert_file path of the cert file or cert content
+ # @param [integer] renew_before_expiry number of days before expiration
+ # @return [true, false]
+ def cert_need_renewall?(cert_file, renew_before_expiry)
+ raise TypeError, 'cert_file must be a String object' unless cert_file.is_a?(String)
+ raise TypeError, 'renew_before_expiry must be a Integer object' unless renew_before_expiry.is_a?(Integer)
+
+ resp = true
+ cert_content = ::File.exist?(cert_file) ? File.read(cert_file) : cert_file
+ begin
+ cert = OpenSSL::X509::Certificate.new cert_content
+ rescue ::OpenSSL::X509::CertificateError
+ return resp
+ end
+
+ unless cert.not_after <= Time.now + 3600 * 24 * renew_before_expiry
+ resp = false
+ end
+
+ resp
+ end
end
end
end
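Review bot: Any value that fails to parse in `cert_need_renewall?` — a corrupt file, or a non-existent path that the ternary on the `cert_content` line then hands to `OpenSSL::X509::Certificate.new` as PEM text — returns true, and the calling resource regenerates and overwrites the file; that is a defensible default, but it should be stated in the doc comment, e.g. `# Content that cannot be parsed as a certificate (including a non-existent path) is treated as needing renewal.` A negative `renew_before_expiry` passes the Integer check and silently inverts the meaning of the comparison (renew only once the certificate has already been expired for N days), so add `raise ArgumentError, "renew_before_expiry must be >= 0" if renew_before_expiry.negative?` after the type checks. The `resp` flag and the trailing `unless` can collapse into the predicate itself: replace the last five lines of the body with `cert.not_after <= Time.now + 3600 * 24 * renew_before_expiry` and make the early exit in the `rescue` `return true`. The YARD tags should read `[String]` and `[Integer]`, and the method name (`renewall`) is misspelled, which is worth fixing before it becomes part of the mixin's public surface.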
diff --git a/lib/chef/resource/openssl_x509_certificate.rb b/lib/chef/resource/openssl_x509_certificate.rb
index 20cf998239..354c8c0dab 100644
--- a/lib/chef/resource/openssl_x509_certificate.rb
+++ b/lib/chef/resource/openssl_x509_certificate.rb
@@ -109,13 +109,17 @@ class Chef
property :ca_key_pass, String,
description: "The passphrase for CA private key's passphrase."
+ property :renew_before_expiry, Integer,
+ description: "The number of days before the expiry. The certificate will be automaticaly renewed when the value is reached.",
+ default: 5
+
action :create do
description "Generate a certificate"
- unless ::File.exist? new_resource.path
+ if cert_need_renewall?(new_resource.path, new_resource.renew_before_expiry)
converge_by("Create #{@new_resource}") do
file new_resource.path do
- action :create_if_missing
+ action :create
owner new_resource.owner unless new_resource.owner.nil?
group new_resource.group unless new_resource.group.nil?
mode new_resource.mode unless new_resource.mode.nil?