ignore changes to /etc/apache2/conf-available/puppet-ssl-key-pins.conf
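module Puppet::Parser::Functions
  # gen_hpkp_pin(site) -> String
  #
  # Builds an Apache mod_macro definition named "http-pkp-<site>" that sets a
  # Public-Key-Pins header for +site+.  The pins are read from
  #   /srv/puppet.debian.org/from-letsencrypt/<site>.pin
  #   /srv/puppet.debian.org/backup-keys/<site>.pin
  # (one pin per file).  Missing or empty pin files are skipped.  HPKP needs
  # a current pin plus a backup pin, so the header is only emitted when two
  # pins were found; otherwise the macro gets a harmless placeholder body,
  # because mod_macro rejects an empty macro.  Emitting no header at all is
  # the fail-safe choice: a header with a single or broken pin can lock
  # clients out of the site until max-age expires.
  #
  # NOTE(review): major browsers no longer honour Public-Key-Pins; confirm
  # this macro is still wanted for the sites that use it.
  #
  # @param args [Array] args[0] is the site name (String)
  # @return [String] the macro definition, newline-terminated
  # @raise [Puppet::ParseError] when no site is given, when +site+ contains
  #   characters that could escape the pin directories or the Apache config
  #   syntax, or when a pin file contains a line break (which would let the
  #   file contents inject further Apache directives)
  newfunction(:gen_hpkp_pin, :type => :rvalue) do |args|
    raise Puppet::ParseError, "gen_hpkp_pin(): requires a site argument" if args.empty?
    site = args.shift.to_s

    # +site+ is interpolated into filesystem paths and into the macro name,
    # so restrict it to hostname-like characters and refuse ".." outright
    # (no "/" is allowed by the character class, so no traversal is possible).
    unless site =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/ && !site.include?('..')
      raise Puppet::ParseError, "gen_hpkp_pin(): invalid site name #{site.inspect}"
    end

    pinfiles = [ "/srv/puppet.debian.org/from-letsencrypt/#{site}.pin",
                 "/srv/puppet.debian.org/backup-keys/#{site}.pin" ]
    pin_info = []
    pinfiles.each do |fn|
      next unless File.exist?(fn)
      pin = File.read(fn).chomp
      # A pin ends up inside a double-quoted Header argument; an embedded
      # line break would terminate the directive and inject whatever follows
      # on the next line into the Apache configuration.
      if pin =~ /[\r\n]/
        raise Puppet::ParseError, "gen_hpkp_pin(): #{fn} contains a line break"
      end
      # An empty pin file is treated like a missing one rather than counted
      # as a pin, so a blank file cannot produce a header with a bogus entry.
      pin_info << pin unless pin.empty?
    end

    res = []
    res << "<Macro http-pkp-#{site}>"
    if pin_info.size >= 2
      # The header value is a double-quoted Apache argument; escape embedded
      # quotes so a pin cannot close the argument early.
      directives = pin_info.map { |x| x.gsub('"', '\"') }
      directives << "max-age=300"
      res << "  Header always set Public-Key-Pins \"#{directives.join('; ')}\""
    else
      res << "  # mod macro does not like empty macros, so here's some content:"
      res << "  <Directory /non-existant>"
      res << "  </Directory>"
    end
    res << "</Macro>"
    res << ""
    res.join("\n")
  end
end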