
Removed the maxdays and mindate fields, which are not suitable for GPG keys. The key-generation (batch) file can now also be generated.

master
Aaron Hicks 6 years ago
parent
commit
a18453466b
4 changed files with 49 additions and 33 deletions
  1. 7
    9
      manifests/key.pp
  2. 21
    23
      manifests/keymaster/setup.pp
  3. 1
    1
      manifests/params.pp
  4. 20
    0
      templates/keygen.txt.erb

+ 7
- 9
manifests/key.pp View File

@@ -1,17 +1,16 @@
define gpg::key (
$ensure = 'present',
$force = false,
$keytype = 'rsa',
$keylength = 4096,
$keytype = 'default',
$keylength = undef,
$expiry = 0,
$maxdays = undef,
$mindate = undef,
$warn_expiry = 21,
$subkeytype = 'rsa',
$subkeylength = '4096',
$subkeytype = 'default',
$subkeylength = undef,
$email = 'puppet@localhost',
$realname = 'not given',
$password = '',
$armour = true,
$armour = true
){

include gpg::params
@@ -36,11 +35,10 @@ define gpg::key (
subkeytype => $subkeytype,
subkeylength => $subkeylength,
email => $email,
realname => $realname,
password => $password,
armour => $armour,
expiry => $expiry,
mindate => $mindate,
maxdays => $maxdays,
warn_expiry => $warn_expiry
}
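Review bot: Replacing the explicit `$keylength = 4096` / `$subkeylength = '4096'` defaults with `undef` means a caller who sets `keytype => 'rsa'` without a length now gets gpg's built-in RSA length (2048 on older GnuPG releases, as far as I recall) instead of the 4096 the module used to pin, and nothing in the define documents that. The `'default'` key type is, if I remember correctly, only understood by GnuPG 2.1+ batch mode, so the define should state what it requires. I would add a header comment above `define gpg::key (` along the lines of `# keytype/subkeytype 'default' delegates the algorithm choice to gpg (needs GnuPG >= 2.1); when naming an algorithm explicitly, also set keylength/subkeylength, otherwise gpg's own (possibly shorter) default length is used.` Also `$expiry = 0` produces a never-expiring key, which makes `$warn_expiry = 21` moot unless expiry is set; worth one line in that comment too.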


+ 21
- 23
manifests/keymaster/setup.pp View File

@@ -10,11 +10,10 @@ define gpg::keymaster::setup(
$subkeytype,
$subkeylength,
$email,
$realname,
$password,
$armour,
$expiry,
$maxdays,
$mindate,
$warn_expiry
){
include gpg::params
@@ -32,33 +31,32 @@ define gpg::keymaster::setup(
$secret_file = "${key_dir}/${title}_secret.gpg"
$public_file = "${key_dir}/${title}_public.gpg"

if $ensure = 'present' {
# Remove existing key pair, if;
# $force is true, or
# $maxdays or $mindate criteria isn't met (if set)
$secret_content = file($secret_file,'/dev/null')
if $secret_content {
if $ensure = 'present' {
# Remove existing key pair, if;
# $force is true

if $force {
$reason = 'force is true'
}
if $force {
$reason = 'force is true'
}

if !$reason and $mindate and generate("/usr/bin/find", $secret_file, "!", "-newermt", "${mindate}") {
$reason = "created before ${mindate}"
}
if $reason {
Exec{"Revoke previous GPG key ${title}: ${reason}":
command => "rm ${secret_file} ${public_file} ${keygen_file}",
before => Exec["Create GPG keygen file for ${title}","Create GPG key pair for ${title}"]
}
}

if !$reason and $maxdays and generate("/usr/bin/find", $secret_file, "-mtime", "+${maxdays}") {
$reason = "older than ${maxdays} days"
}
$comment = "$keytype $keylength $subkeytype $subkeylength"

if $reason {
Exec{"Revoke previous GPG key ${title}: ${reason}":
command => "rm ${secret_file} ${public_file} ${keygen_file}",
before => Exec["Create GPG keygen file for ${title}","Create GPG key pair for ${title}"]
}
}
# Create the GPG key gen file for using gpg in batch mode
$keygen_content = template('gpg/keygen.txt.erb')

# Create the GPG key gen file for using gpg in batch mode
# Create the GPG key pair

# Create the GPG key pair
}
# Check certificate expiry

}
}
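Review bot: The new side still tests `if $ensure = 'present' {` — a single `=` is assignment in Puppet, so depending on the parser this is either a parse error or an always-true assignment; it should be `if $ensure == 'present' {`. The `Exec` titled "Revoke previous GPG key ${title}" only runs `rm` on the key files and never produces or publishes a revocation certificate, so an already-distributed public key stays valid; either rename it to "Remove previous GPG key ..." or generate a revocation certificate before the secret key is deleted. That `rm` also has no `path` set and interpolates `${title}` unquoted into a shell command, whereas `file { [$secret_file, $public_file, $keygen_file]: ensure => absent }` needs no shell at all. Its `before => Exec["Create GPG keygen file for ${title}","Create GPG key pair for ${title}"]` names two resources that are not declared anywhere visible here, and `$keygen_content` is computed but never handed to a `file` resource in this hunk; if the define really ends at the closing braces shown, catalog compilation will fail on the dangling dependency, and the keygen file (which carries the passphrase in clear text) should get `mode => '0600'` when it is eventually written.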

+ 1
- 1
manifests/params.pp View File

@@ -7,7 +7,7 @@ case $::osfamily {
$gpgme_provider = 'gem'
$ring_dir = '/var/lib/puppet-keymaster/gpg'
$ring_file = "${keymaster_ring_dir}/gpg_keyring.pgp"
}s
}
default: {
fail("The operating system family ${::osfamily} is not supported by the puppet-gpg module on ${::fqdn}")
}

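--- /dev/null
+++ b/templates/keygen.txt.erb
@@ -0,0 +1,20 @@
+# This GPG key generation file is generated by Puppet
+%echo Generating <%= title %> GPG key
+Key-Type: <%= keytype %>
+<% if keylength -%>
+Key-Length: <%= keylength %>
+<% end -%>
+Subkey-Type: <%= subkeytype %>
+<% if subkeylength -%>
+Subkey-Length: <%= subkeylength %>
+<% end -%>
+Name-Real: <%= realname %>
+Name-Comment: <%= comment %>
+Name-Email: <%= email %>
+Expire-Date: <%= expiry %>
+Passphrase: <%= password %>
+%pubring <%= public_file %>
+%secring <%= secret_file %>
+%no-protection
+%commit
+%echo Done.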
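Review bot: `%no-protection` is emitted unconditionally a few lines after `Passphrase: <%= password %>`, so on GnuPG releases that honour `%no-protection` (2.1+, I believe) the secret key is written without any passphrase even when `$password` is non-empty, and on older releases the passphrase is still left in clear text in this file — either way the `$password` parameter does not buy what a caller expects. The two directives should be mutually exclusive, as in the excerpt below. Bare `<%= keytype %>`-style variable access only works on Puppet 3 through a deprecated fallback and fails on Puppet 4+, where template variables are `@keytype`; every variable in this template is affected. `%pubring`/`%secring` are, if I recall correctly, ignored by GnuPG 2.1+ (the key lands in the default keyring), so the `$secret_file`/`$public_file` paths that setup.pp checks for existence would never be populated there; a header comment naming the GnuPG version this template targets would save the next person that debugging session.
```erb
<%# … unchanged: %echo, Key-Type … Expire-Date lines … %>
<% if password.to_s.empty? -%>
%no-protection
<% else -%>
Passphrase: <%= password %>
<% end -%>
%pubring <%= public_file %>
<%# … unchanged: %secring, %commit, %echo Done. … %>
```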
