From 2dc5e7d802e2a11e35bd1e34d28cce05195040ce Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Wed, 20 May 2020 14:15:51 +0200
Subject: [PATCH] Fixes #29892 - Use server certs for websockets
Prior to this the user needed to specify the certs both for the server and websockets. In practice these are pretty much always the same files. By using undef + pick() the option to specify these is maintained, but the defaults are better.
---
 manifests/config.pp | 4 ++++
 manifests/init.pp | 4 ++--
 manifests/params.pp | 4 ++--
 spec/classes/foreman_spec.rb | 12 ++++++++++--
 templates/settings.yaml.erb | 4 ++--
 5 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/manifests/config.pp b/manifests/config.pp
index 86364b5f5..845773d16 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -19,6 +19,10 @@
 }
 }
+ # Used in the settings template
+ $websockets_ssl_cert = pick($foreman::websockets_ssl_cert, $foreman::server_ssl_cert)
+ $websockets_ssl_key = pick($foreman::websockets_ssl_key, $foreman::server_ssl_key)
+
 concat::fragment {'foreman_settings+01-header.yaml':
 target => '/etc/foreman/settings.yaml',
 content => template('foreman/settings.yaml.erb'),
diff --git a/manifests/init.pp b/manifests/init.pp
index 3136b253b..2d7a9f568 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
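Review bot: The comment `# Used in the settings template` above the two new `pick()` lines says where the values go but not why the fallback exists, which is the piece a reader arriving from `init.pp` (where the parameters are now `Optional`) needs. Suggest `# Websockets cert/key default to the server cert/key; set foreman::websockets_ssl_* only when websockets must present a different certificate (consumed by templates/settings.yaml.erb).` Note that `pick()` aborts catalog compilation when every argument is undef, so the fallback relies on `$foreman::server_ssl_cert`/`$foreman::server_ssl_key` never being undef, which this hunk cannot show; if they are mandatory parameters that is fine, but it is worth stating in the comment so nobody later makes them optional without revisiting this.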
@@ -273,8 +273,8 @@
 String $pam_service = $foreman::params::pam_service,
 Boolean $ipa_manage_sssd = $foreman::params::ipa_manage_sssd,
 Boolean $websockets_encrypt = $foreman::params::websockets_encrypt,
- Stdlib::Absolutepath $websockets_ssl_key = $foreman::params::websockets_ssl_key,
- Stdlib::Absolutepath $websockets_ssl_cert = $foreman::params::websockets_ssl_cert,
+ Optional[Stdlib::Absolutepath] $websockets_ssl_key = $foreman::params::websockets_ssl_key,
+ Optional[Stdlib::Absolutepath] $websockets_ssl_cert = $foreman::params::websockets_ssl_cert,
 Enum['debug', 'info', 'warn', 'error', 'fatal'] $logging_level = $foreman::params::logging_level,
 Enum['file', 'syslog', 'journald'] $logging_type = $foreman::params::logging_type,
 Enum['pattern', 'multiline_pattern', 'json'] $logging_layout = $foreman::params::logging_layout,
diff --git a/manifests/params.pp b/manifests/params.pp
index 96c440791..781affdd2 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -183,8 +183,8 @@
 # Websockets
 $websockets_encrypt = true
- $websockets_ssl_key = $server_ssl_key
- $websockets_ssl_cert = $server_ssl_cert
+ $websockets_ssl_key = undef
+ $websockets_ssl_cert = undef
 # Application logging
 $logging_level = 'info'
diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb
index c00a42667..5e5a910c6 100644
--- a/spec/classes/foreman_spec.rb
+++ b/spec/classes/foreman_spec.rb
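Review bot: Widening `$websockets_ssl_key` and `$websockets_ssl_cert` to `Optional[Stdlib::Absolutepath]` makes `undef` a meaningful value, but neither this hunk nor the `params.pp` hunk below records what `undef` means. If the class header documents these parameters (it is outside this hunk, as is the rest of the `class foreman (` parameter list), it should now say that `undef` falls back to `server_ssl_key`/`server_ssl_cert`. In `params.pp` the `# Websockets` block now reads as if there were no default at all; suggest `# undef: fall back to server_ssl_key/server_ssl_cert (resolved in foreman::config)` above the two `undef` lines, since the resolution no longer lives in this file.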
@@ -31,6 +31,8 @@
 .with_content(/^:oauth_consumer_key:\s*\w+$/)
 .with_content(/^:oauth_consumer_secret:\s*\w+$/)
 .with_content(/^:websockets_encrypt:\s*true$/)
+ .with_content(%r{^:websockets_ssl_key:\s*/etc/puppetlabs/puppet/ssl/private_keys/foo\.example\.com\.pem$})
+ .with_content(%r{^:websockets_ssl_cert:\s*/etc/puppetlabs/puppet/ssl/certs/foo\.example\.com\.pem$})
 .with_content(%r{^:ssl_certificate:\s*/etc/puppetlabs/puppet/ssl/certs/foo\.example\.com\.pem$})
 .with_content(%r{^:ssl_ca_file:\s*/etc/puppetlabs/puppet/ssl/certs/ca.pem$})
 .with_content(%r{^:ssl_priv_key:\s*/etc/puppetlabs/puppet/ssl/private_keys/foo\.example\.com\.pem$})
@@ -236,8 +238,8 @@
 pam_service: 'foreman',
 ipa_manage_sssd: true,
 websockets_encrypt: true,
- websockets_ssl_key: '/etc/ssl/private/snakeoil.pem',
- websockets_ssl_cert: '/etc/ssl/certs/snakeoil.pem',
+ websockets_ssl_key: '/etc/ssl/private/snakeoil-ws.pem',
+ websockets_ssl_cert: '/etc/ssl/certs/snakeoil-ws.pem',
 logging_level: 'info',
 loggers: {},
 email_delivery_method: 'sendmail',
@@ -260,6 +262,12 @@
 .with_keycloak_app_name('cloak-app')
 .with_keycloak_realm('myrealm')
 end
+
+ it 'should configure certificates in settings.yaml' do
+ is_expected.to contain_concat__fragment('foreman_settings+01-header.yaml')
+ .with_content(%r{^:websockets_ssl_key: /etc/ssl/private/snakeoil-ws\.pem$})
+ .with_content(%r{^:websockets_ssl_cert: /etc/ssl/certs/snakeoil-ws\.pem$})
+ end
 end
 context 'with journald logging' do
diff --git a/templates/settings.yaml.erb b/templates/settings.yaml.erb
index 61d0969f5..383b490e5 100644
--- a/templates/settings.yaml.erb
+++ b/templates/settings.yaml.erb
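Review bot: The new `it 'should configure certificates in settings.yaml'` example in the third hunk only pins the explicit-override path, and the fallback this change introduces (websockets parameters left unset while `server_ssl_key`/`server_ssl_cert` are overridden) is not exercised in any hunk shown: the example at line 31 checks the fallback only against the Puppet-default paths and would also pass if the template resolved to those defaults directly instead of to the server parameters. A context that sets the two `server_ssl_*` parameters to non-default paths, omits the `websockets_ssl_*` parameters and asserts that the `:websockets_ssl_*:` lines follow the server paths would close that gap; the enclosing `describe`/`context` of these examples starts outside the hunk, so where exactly it belongs I cannot tell from here. Minor style point: the two new regexes use a literal single space after the colon while the ones in the first hunk use `\s*`; aligning on `\s*` keeps them robust to formatting changes in the template.

```ruby
# … unchanged: existing examples …
context 'with server certificates overridden and websockets certificates left unset' do
  # constructed sample paths; only the server parameters are set here
  let(:params) { { server_ssl_key: '/etc/example/server.key', server_ssl_cert: '/etc/example/server.crt' } }

  it 'falls back to the server certificate and key for websockets' do
    is_expected.to contain_concat__fragment('foreman_settings+01-header.yaml')
      .with_content(%r{^:websockets_ssl_key:\s*/etc/example/server\.key$})
      .with_content(%r{^:websockets_ssl_cert:\s*/etc/example/server\.crt$})
  end
end
```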
@@ -17,8 +17,8 @@
 # Websockets
 :websockets_encrypt: <%= scope.lookupvar("foreman::websockets_encrypt") %>
-:websockets_ssl_key: <%= scope.lookupvar("foreman::websockets_ssl_key") %>
-:websockets_ssl_cert: <%= scope.lookupvar("foreman::websockets_ssl_cert") %>
+:websockets_ssl_key: <%= @websockets_ssl_key %>
+:websockets_ssl_cert: <%= @websockets_ssl_cert %>
 # SSL-settings
 :ssl_certificate: <%= scope.lookupvar("foreman::client_ssl_cert") %>
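Review bot: `@websockets_ssl_key` and `@websockets_ssl_cert` are no longer class parameters read via `scope.lookupvar` but variables of whichever scope renders the template, so these two lines now only work when the template is evaluated from `foreman::config`, where the `pick()` fallback defines them, and nothing in the template says so while every neighbouring line still uses the explicit `foreman::` lookup. Suggest an ERB comment above the two lines: `<%# @websockets_ssl_* are set in foreman::config: explicit foreman::websockets_ssl_* or, by default, the server cert/key %>`. Should one of the variables ever reach this template as nil, `<%= %>` renders it as an empty string and the key silently becomes an empty YAML scalar rather than an error, which is a further reason to keep the resolution in that one documented place.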