From 954ece86422df9ea1d2c6167280129196920049c Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Thu, 8 Oct 2015 20:42:07 +0000
Subject: [PATCH] Use SNI/SAN on static.openstack.org
A new cert bundle and key have been obtained for static.openstack.org with SubjectAltNames for most of its relevant vhosts. Switch it into place and generalize the current HTTPS configuration for security.openstack.org in preparation for adding HTTPS support to the remaining vhosts in subsequent commits. Also add sane snakeoil fallback behavior for undefined certificate/key files.
Change-Id: I65b7dbc3b5ad8735c158a1ac0b41b848ad5d2077
---
 manifests/site.pp | 20 +--
 modules/openstack_project/manifests/static.pp | 148 +++++++++++++-----
 .../templates/security.vhost.erb | 8 +-
 3 files changed, 122 insertions(+), 54 deletions(-)
diff --git a/manifests/site.pp b/manifests/site.pp
index be2c61b130..94cdecdba9 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -549,16 +549,16 @@ node 'static.openstack.org' {
 sysadmins => hiera('sysadmins', []),
 }
 class { 'openstack_project::static':
- project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
- swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/',
- swift_user => 'infra-files-ro',
- swift_key => hiera('infra_files_ro_password', 'XXX'),
- swift_tenant_name => hiera('infra_files_tenant_name', 'tenantname'),
- swift_region_name => 'DFW',
- swift_default_container => 'infra-files',
- security_ssl_cert_file_contents => hiera('security_ssl_cert_file_contents', 'XXX'),
- security_ssl_key_file_contents => hiera('security_ssl_key_file_contents', 'XXX'),
- security_ssl_chain_file_contents => hiera('security_ssl_chain_file_contents', 'XXX'),
+ project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
+ swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/',
+ swift_user => 'infra-files-ro',
+ swift_key => hiera('infra_files_ro_password', 'XXX'),
+ swift_tenant_name => hiera('infra_files_tenant_name', 'tenantname'),
+ swift_region_name => 'DFW',
+ swift_default_container => 'infra-files',
+ ssl_cert_file_contents => hiera('static_ssl_cert_file_contents', 'XXX'),
+ ssl_key_file_contents => hiera('static_ssl_key_file_contents', 'XXX'),
+ ssl_chain_file_contents => hiera('static_ssl_chain_file_contents', 'XXX'),
 }
 }
diff --git a/modules/openstack_project/manifests/static.pp b/modules/openstack_project/manifests/static.pp
index 35c791df62..f1567eba7b 100644
--- a/modules/openstack_project/manifests/static.pp
+++ b/modules/openstack_project/manifests/static.pp
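Review bot: The `hiera(..., 'XXX')` defaults on the three new `ssl_*_file_contents` lines mean the contents are never the empty string, so the snakeoil fallback the commit message describes cannot engage on this node: the class will write the literal `XXX` into `/etc/ssl/private/${::fqdn}.key` and the matching cert and chain paths, and Apache will fail to load them. Because the hiera keys are also renamed from `security_ssl_*` to `static_ssl_*`, a deployment whose hiera data still carries the old names silently takes that same path. If falling back to snakeoil is the intended behaviour for missing data, use `hiera('static_ssl_cert_file_contents', '')` (likewise for key and chain); if a hard failure is preferred, a short comment stating that the `XXX` default is a deliberate fail-closed value would make that explicit. The `node 'static.openstack.org'` block begins before this hunk.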
@@ -8,9 +8,12 @@ class openstack_project::static (
 $swift_region_name = '',
 $swift_default_container = '',
 $project_config_repo = '',
- $security_ssl_cert_file_contents = '',
- $security_ssl_key_file_contents = '',
- $security_ssl_chain_file_contents = '',
+ $ssl_cert_file = '',
+ $ssl_cert_file_contents = '',
+ $ssl_key_file = '',
+ $ssl_key_file_contents = '',
+ $ssl_chain_file = '',
+ $ssl_chain_file_contents = '',
 $jenkins_gitfullname = 'OpenStack Jenkins',
 $jenkins_gitemail = 'jenkins@openstack.org',
 ) {
@@ -44,6 +47,98 @@ class openstack_project::static (
 }
 }
+ file { '/etc/ssl/certs':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+
+ file { '/etc/ssl/private':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0700',
+ }
+
+ # To use the standard ssl-certs package snakeoil certificate, leave both
+ $ssl_cert_file and $ssl_cert_file_contents empty. To use an existing
+ certificate, specify its path for $ssl_cert_file and leave
+ $ssl_cert_file_contents empty. To manage the certificate with puppet,
+ provide $ssl_cert_file_contents and optionally specify the path to use for
+ it in $ssl_cert_file.
+ if ($ssl_cert_file == '') and ($ssl_cert_file_contents == '') {
+ $cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ } else {
+ if $ssl_cert_file == '' {
+ $cert_file = "/etc/ssl/certs/${::fqdn}.pem"
+ } else {
+ $cert_file = $ssl_cert_file
+ }
+ if $ssl_cert_file_contents != '' {
+ file { $cert_file:
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $ssl_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ }
+ }
+ }
+
+ # To use the standard ssl-certs package snakeoil key, leave both
+ $ssl_key_file and $ssl_key_file_contents empty. To use an existing key,
+ specify its path for $ssl_key_file and leave $ssl_key_file_contents empty.
+ To manage the key with puppet, provide $ssl_key_file_contents and
+ optionally specify the path to use for it in $ssl_key_file.
+ if ($ssl_key_file == '') and ($ssl_key_file_contents == '') {
+ $key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
+ } else {
+ if $ssl_key_file == '' {
+ $key_file = "/etc/ssl/private/${::fqdn}.key"
+ } else {
+ $key_file = $ssl_key_file
+ }
+ if $ssl_key_file_contents != '' {
+ file { $key_file:
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $ssl_key_file_contents,
+ require => File['/etc/ssl/private'],
+ }
+ }
+ }
+
+ # To avoid using an intermediate certificate chain, leave both
+ $ssl_chain_file and $ssl_chain_file_contents empty. To use an existing
+ chain, specify its path for $ssl_chain_file and leave
+ $ssl_chain_file_contents empty. To manage the chain with puppet, provide
+ $ssl_chain_file_contents and optionally specify the path to use for it in
+ $ssl_chain_file.
+ if ($ssl_chain_file == '') and ($ssl_chain_file_contents == '') {
+ $chain_file = ''
+ } else {
+ if $ssl_chain_file == '' {
+ $chain_file = "/etc/ssl/certs/${::fqdn}_intermediate.pem"
+ } else {
+ $chain_file = $ssl_chain_file
+ }
+ if $ssl_chain_file_contents != '' {
+ file { $chain_file:
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $ssl_chain_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => File[$cert_file],
+ }
+ }
+ }
+
 ###########################################################
 # Tarballs
@@ -120,7 +215,11 @@ class openstack_project::static (
 ssl => true,
 template => 'openstack_project/security.vhost.erb',
 vhost_name => 'security.openstack.org',
- require => File['/srv/static/security'],
+ require => [
+ File['/srv/static/security'],
+ File[$cert_file],
+ File[$key_file],
+ ],
 }
 file { '/srv/static/security':
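Review bot: `before => File[$cert_file]` in the chain block, and the vhost's new `require => [ ..., File[$cert_file], File[$key_file] ]` in the following `@@ -120,7 +215,11 @@` hunk, reference File resources that this class only declares when the matching `*_file_contents` parameter is non-empty; in the snakeoil mode (`/etc/ssl/certs/ssl-cert-snakeoil.pem`, `/etc/ssl/private/ssl-cert-snakeoil.key`) and in the existing-path mode nothing here declares them, so unless another manifest does, catalog compilation fails on a missing dependency and the fallback the comments describe is unusable. Either declare a File resource for `$cert_file` and `$key_file` in the non-managed branches as well (without `content`, `owner` or `mode`, so package-provided or pre-existing files are left untouched), or store the dependencies in variables that are only populated in the managed-content branches and pass those to `before`/`require`. The snakeoil paths also presume the `ssl-certs` package named in the comment is installed; it is not ensured in this hunk, so if that happens elsewhere a comment pointing to it would help. Separately, `file { $key_file:` writes private-key material via `content`, which puppet prints as a diff in logs and reports whenever it changes; adding `show_diff => false,` to that resource keeps the key out of them, provided the puppet version in use supports that file parameter. The `openstack_project::static` class body continues outside this hunk.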
@@ -130,48 +229,15 @@ class openstack_project::static (
 require => User['jenkins'],
 }
- file { '/etc/ssl/certs':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0755',
- }
-
- file { '/etc/ssl/private':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0700',
- }
-
+ #TODO(fungi) this cleanup can be removed once puppet has deleted them
 file { '/etc/ssl/certs/security.openstack.org.pem':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => $security_ssl_cert_file_contents,
- require => File['/etc/ssl/certs'],
- before => Httpd::Vhost['security.openstack.org'],
+ ensure => absent,
 }
-
 file { '/etc/ssl/private/security.openstack.org.key':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0600',
- content => $security_ssl_key_file_contents,
- require => File['/etc/ssl/private'],
- before => Httpd::Vhost['security.openstack.org'],
+ ensure => absent,
 }
-
 file { '/etc/ssl/certs/security.openstack.org_intermediate.pem':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => $security_ssl_chain_file_contents,
- require => File['/etc/ssl/certs'],
- before => Httpd::Vhost['security.openstack.org'],
+ ensure => absent,
 }
 ###########################################################
diff --git a/modules/openstack_project/templates/security.vhost.erb b/modules/openstack_project/templates/security.vhost.erb
index 79464e450c..4b66589324 100644
--- a/modules/openstack_project/templates/security.vhost.erb
+++ b/modules/openstack_project/templates/security.vhost.erb
@@ -23,9 +23,11 @@
 # only is guarenteed.
 SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
 SSLHonorCipherOrder on
- SSLCertificateFile /etc/ssl/certs/<%= @vhost_name %>.pem
- SSLCertificateKeyFile /etc/ssl/private/<%= @vhost_name %>.key
- SSLCertificateChainFile /etc/ssl/certs/<%= @vhost_name %>_intermediate.pem
+ SSLCertificateFile <%= scope['openstack_project::static::cert_file'] %>
+ SSLCertificateKeyFile <%= scope['openstack_project::static::key_file'] %>
+<% if scope['openstack_project::static::chain_file'] != '' %>
+ SSLCertificateChainFile <%= scope['openstack_project::static::chain_file'] %>
+<% end %>
 >
 Allow from all
 Satisfy Any
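Review bot: The `<% if scope['openstack_project::static::chain_file'] != '' %>` test is only safe when `openstack_project::static` has actually set `$chain_file`; if the lookup returns nil (template rendered from another class, or the variable renamed later) `nil != ''` is true and Apache is handed a bare `SSLCertificateChainFile` directive with no argument, which it rejects at config check. Comparing the stringified value, `<% if scope['openstack_project::static::chain_file'].to_s != '' %>`, covers both the nil and the empty-string case. The three `scope[...]` lookups also tie this template to internal variable names of that class instead of to `@vhost_name` as before; a comment such as `# cert/key/chain paths are computed in openstack_project::static` above `SSLCertificateFile` would make that dependency visible to the next editor. The enclosing virtual-host block starts and ends outside this hunk.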