From: Peter Palfrader
Date: Sat, 24 Sep 2016 09:05:22 +0000 (+0000)
Subject: change pin thing
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=c2f13d4cf63d9d2143ebe02109eb5f157e4eea73;p=mirror%2Fdsa-puppet.git

change pin thing
---
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index a3db477e5..373b8fe18 100644
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
@@ -163,19 +163,8 @@ class apache2 {
 require => Package['apache2'],
 }
- concat { '/etc/apache2/conf-available/puppet-ssl-key-pins.conf':
- owner => root,
- group => root,
- mode => '0644',
- require => Package['apache2'],
- notify => Exec['service apache2 reload'],
- }
- concat::fragment { 'puppet-ssl-key-pins-header':
- target => '/etc/apache2/conf-available/puppet-ssl-key-pins.conf',
- content => '',
- order => 00,
- }
 apache2::config { 'puppet-ssl-key-pins':
- nocontentok => true,
+ content => template('apache2/ssl-key-pins.erb'),
+ notify => Exec['service apache2 reload'],
 }
 }
diff --git a/modules/apache2/manifests/pin.pp b/modules/apache2/manifests/pin.pp
deleted file mode 100644
index 020f221d5..000000000
--- a/modules/apache2/manifests/pin.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-define apache2::pin () {
- $snippet = gen_hpkp_pin($name)
-
- concat::fragment { "puppet-ssl-key-pins-header-${name}":
- target => '/etc/apache2/conf-available/puppet-ssl-key-pins.conf',
- content => $snippet,
- }
-}
diff --git a/modules/apache2/templates/ssl-key-pins.erb b/modules/apache2/templates/ssl-key-pins.erb
new file mode 100644
index 000000000..273cc69e3
--- /dev/null
+++ b/modules/apache2/templates/ssl-key-pins.erb
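Review bot: The new `apache2::config { 'puppet-ssl-key-pins': … }` carries no `require => Package['apache2']`, while the removed concat resource and the resource just above it in the context lines both declare one; unless apache2::config adds that dependency itself (its define is outside this diff), `require => Package['apache2'],` belongs next to the `notify`. The template is presumably evaluated on the puppetmaster and, judging from the erb hunk further down, emits a macro for every `*.pin` file it finds, so this file's content and the resulting apache reload now follow every site's pin files on every host that includes `class apache2`, whereas the removed `apache2::pin` was declared per role. If that is intended, a one-line comment above the resource saying so, e.g. `# content is built on the master from all *.pin files, so every apache2 host gets every site's pin macro`, would save the next reader the question. `class apache2` begins before this hunk.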
@@ -0,0 +1,43 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+<%=
+ $cert_dir_le = '/srv/puppet.debian.org/from-letsencrypt'
+ $cert_dir_backup = '/srv/puppet.debian.org/backup-keys'
+
+ def make_pin_macro(site)
+ pin_info = []
+ pinfiles = [ "#{$cert_dir_le}/#{site}.pin",
+ "#{$cert_dir_backup}/#{site}.pin" ]
+ pinfiles.each do |fn|
+ if File.exist?(fn)
+ pin_info << File.read(fn).chomp()
+ end
+ end
+
+ res = []
+ res << ""
+ if pin_info.size >= 2 then
+ pin_info = pin_info.map{ |x| x.gsub('"', '\"') }
+ pin_info << "max-age=300"
+ pin_str = pin_info.join("; ")
+ res << " Header always set Public-Key-Pins \"#{pin_str}\""
+ else
+ res << " # mod macro does not like empty macros, so here's some content:"
+ res << " "
+ res << " "
+ end
+ res << ""
+ res << ""
+ return res.join("\n")
+ end
+
+ macros = []
+ Dir.glob("#{$cert_dir_le}/*.pin") do |pinfile|
+ site = File.basename(pinfile, '.pin')
+ macros << make_pin_macro(site)
+ end
+ macros.join("\n")
+-%>
diff --git a/modules/puppetmaster/lib/puppet/parser/functions/gen_hpkp_pin.rb b/modules/puppetmaster/lib/puppet/parser/functions/gen_hpkp_pin.rb
deleted file mode 100644
index 913bdf3f5..000000000
--- a/modules/puppetmaster/lib/puppet/parser/functions/gen_hpkp_pin.rb
+++ /dev/null
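Review bot: `if pin_info.size >= 2 then` in make_pin_macro counts pin files, not distinct pins, so a backup pin file that holds the same value as the Let's Encrypt one (a copy mistake is enough) still produces a Public-Key-Pins header, now with a single effective pin and no backup; `if pin_info.uniq.size >= 2 then` keeps the guarantee the check is there for. Each pin value is only `chomp`ed and has `"` escaped, so extra whitespace or a second line inside a pin file lands verbatim in the Header directive; assuming each file holds one `pin-sha256="…"` directive, `File.read(fn).strip` plus a check that the value matches `/\Apin-sha256="[A-Za-z0-9+\/=]+"\z/`, raising otherwise, would make a malformed file fail at catalog compile time instead of shipping a broken config to every apache host. The `res << ""` and `res << " "` lines appear to have lost their content in this rendering (the adjoining comment refers to a mod_macro definition but no Macro directive is visible), so the wrapper they emit cannot be reviewed here. As a matter of style, `$cert_dir_le`/`$cert_dir_backup` are process-wide globals and `def make_pin_macro` defines a method on whatever object evaluates the template, both of which outlive this catalog compile; plain locals and `make_pin_macro = lambda do |site| … end` keep the template self-contained.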
@@ -1,30 +0,0 @@
-module Puppet::Parser::Functions
- newfunction(:gen_hpkp_pin, :type => :rvalue) do |args|
- site = args.shift()
-
- pin_info = []
- pinfiles = [ "/srv/puppet.debian.org/from-letsencrypt/#{site}.pin",
- "/srv/puppet.debian.org/backup-keys/#{site}.pin" ]
- pinfiles.each do |fn|
- if File.exist?(fn)
- pin_info << File.read(fn).chomp()
- end
- end
-
- res = []
- res << ""
- if pin_info.size >= 2 then
- pin_info = pin_info.map{ |x| x.gsub('"', '\"') }
- pin_info << "max-age=300"
- pin_str = pin_info.join("; ")
- res << " Header always set Public-Key-Pins \"#{pin_str}\""
- else
- res << " # mod macro does not like empty macros, so here's some content:"
- res << " "
- res << " "
- end
- res << ""
- res << ""
- return res.join("\n")
- end
-end
diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index e7369d450..1d7282435 100644
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -91,7 +91,6 @@ class roles {
 if has_role('people') {
 ssl::service { 'people.debian.org': notify => Exec['service apache2 reload'], key => true, }
 onion::service { 'people.debian.org': port => 80, target_address => 'people.debian.org', target_port => 80, direct => true }
- apache2::pin { 'people.debian.org': }
 }
 if has_role('security_master') {