diff --git a/.travis.yml b/.travis.yml
index 66126e2..bc29249 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -5,11 +5,12 @@ rvm:
- 1.9.3
- 2.0.0
- 2.1
+ - 2.4
env:
- - PUPPET_GEM_VERSION=2.7.14
- - PUPPET_GEM_VERSION=3.8.5
- - PUPPET_GEM_VERSION=4.6.2
- - PUPPET_GEM_VERSION=4.10.4
+ - PUPPET_GEM_VERSION=2.7.14 RSPEC_PUPPET_VERSION=2.5.0
+ - PUPPET_GEM_VERSION=3.8.5 RSPEC_PUPPET_VERSION=2.5.0
+ - PUPPET_GEM_VERSION=4.8.2
+ - PUPPET_GEM_VERSION=5.0.0
matrix:
fast_finish: true
notifications:
@@ -17,14 +18,22 @@ notifications:
matrix:
exclude:
- rvm: 1.8.7
- env: PUPPET_GEM_VERSION=4.6.2
+ env: PUPPET_GEM_VERSION=4.8.2
- rvm: 1.8.7
- env: PUPPET_GEM_VERSION=4.10.4
+ env: PUPPET_GEM_VERSION=5.0.0
- rvm: 1.9.3
- env: PUPPET_GEM_VERSION=4.10.4
+ env: PUPPET_GEM_VERSION=4.8.2
+ - rvm: 1.9.3
+ env: PUPPET_GEM_VERSION=5.0.0
- rvm: 2.0.0
- env: PUPPET_GEM_VERSION=2.7.14
+ env: PUPPET_GEM_VERSION=2.7.14 RSPEC_PUPPET_VERSION=2.5.0
- rvm: 2.0.0
- env: PUPPET_GEM_VERSION=4.10.4
+ env: PUPPET_GEM_VERSION=5.0.0
+ - rvm: 2.1
+ env: PUPPET_GEM_VERSION=2.7.14 RSPEC_PUPPET_VERSION=2.5.0
- rvm: 2.1
- env: PUPPET_GEM_VERSION=2.7.14
+ env: PUPPET_GEM_VERSION=5.0.0
+ - rvm: 2.4
+ env: PUPPET_GEM_VERSION=2.7.14 RSPEC_PUPPET_VERSION=2.5.0
+ - rvm: 2.4
+ env: PUPPET_GEM_VERSION=3.8.5 RSPEC_PUPPET_VERSION=2.5.0
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bedb6b7..8d74204 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,12 @@
+### 3.3.0
+
+- Added requireclientcert
+- Successfully verified compatibility with Puppet 5.0.0 (Ruby 2.4) through Travis
+
+### 3.2.0
+
+- Added support for Windows
+
### 3.1.3
- Fixed typo in ds_intermediate parameter (Issue #11)
diff --git a/Gemfile b/Gemfile
index 75b8adc..56e4ef6 100644
--- a/Gemfile
+++ b/Gemfile
@@ -6,6 +6,11 @@ else
gem 'puppet', '3.7.5'
end
+if rspecpuppetversion = ENV['RSPEC_PUPPET_VERSION']
+ gem 'rspec-puppet', rspecpuppetversion, :require => false
+else
+ gem 'rspec-puppet', '2.5.0'
+end
# rspec must be v2 for ruby 1.8.7
if RUBY_VERSION >= '1.8.7' and RUBY_VERSION < '1.9'
diff --git a/README.md b/README.md
index 5d802d5..d1d1389 100644
--- a/README.md
+++ b/README.md
@@ -764,7 +764,7 @@ node 'splunk-idx2.internal.corp.tld',
#### `shclustering`
- Optional. Used to configure Splunk search head clustering. This is a hash with 4 members:
+ Optional. Used to configure Splunk search head clustering. This is a hash with 3 members:
- `mode` (can be one of `searchhead`,`deployer`)
- `replication_factor`
@@ -800,6 +800,28 @@ node 'splunk-idx2.internal.corp.tld',
- `ldap_groupnameattribute`
- `ldap_realnameattribute`
+#### `requireClientCert`
+
+ Optional. Used on a server to require clients to present an SSL certificate.
+ Can be an array with:
+
+ - `inputs`: require clients to present a certificate when sending data to Splunk
+ - `splunkd`: require deployment clients and search peers to present a certificate when
+
+
+ For example require both splunkd and inputs connections to present a certificate:
+
+ ```
+ requireclientcert => ['splunkd','inputs'],
+ ```
+
+ Or only require forwarders to present a certificate when sending data;
+
+ ```
+ requireclientcert => 'inputs',
+ ```
+
+
#### `rolemap`
Optional. Specifies the role mapping for SAML and LDAP
diff --git a/TEST_COVERAGE.md b/TEST_COVERAGE.md
index 975bf4d..be0abe6 100644
--- a/TEST_COVERAGE.md
+++ b/TEST_COVERAGE.md
@@ -6,13 +6,14 @@
|---------|--------|-------|
| v3.1.3 | 22 | 40 |
| v3.2.0 | 23 | 42 |
+| v3.2.0 | 24 | 43 |
## By operating system:
| os | tested | total |
|---------|--------|-------|
-| linux | 23 | 42 |
-| windows | 0 | 42 |
+| linux | 24 | 43 |
+| windows | 0 | 43 |
## By parameter:
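Review bot: The two branches of the new rspec-puppet declaration are not equivalent — the `RSPEC_PUPPET_VERSION` branch passes `:require => false`, the `'2.5.0'` fallback does not — so `Bundler.require` auto-loads rspec-puppet on a developer machine but not in the Travis rows that set the variable, and since those rows pin the same 2.5.0 as the fallback, today the branch changes nothing but the require flag. Collapse it to one declaration so both paths behave the same: `gem 'rspec-puppet', (ENV['RSPEC_PUPPET_VERSION'] || '2.5.0'), :require => false`. Whether `:require => false` is wanted at all I can't tell from this hunk; the `gem 'puppet', '3.7.5'` fallback in the context lines omits it, so the choice should be made deliberately and applied consistently to both gems.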
@@ -42,6 +43,7 @@
| `phonehomeintervalinsec` | no |
| `replication_port`| Y |
| `repositorylocation`| Y |
+| `requireclientcert`| Y |
| `reuse_puppet_certs`| Y |
| `rolemap` | no |
| `searchpeers`| Y |
diff --git a/manifests/init.pp b/manifests/init.pp
index 8dfc363..f46966d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -22,6 +22,7 @@
$sslversions_intermediate = $splunk::params::sslversions_intermediate,
$dhparamsize_intermediate = $splunk::params::dhparamsize_intermediate,
$ecdhcurvename_intermediate = $splunk::params::ecdhcurvename_intermediate,
+ $requireclientcert = $splunk::params::requireclientcert,
$reuse_puppet_certs = $splunk::params::reuse_puppet_certs,
$sslcertpath = $splunk::params::sslcertpath,
$sslrootcapath = $splunk::params::sslrootcapath,
diff --git a/manifests/inputs.pp b/manifests/inputs.pp
index 1923529..9a601ab 100644
--- a/manifests/inputs.pp
+++ b/manifests/inputs.pp
@@ -4,6 +4,7 @@
$ciphersuite = $splunk::ciphersuite,
$sslversions = $splunk::sslversions,
$ecdhcurvename = $splunk::ecdhcurvename,
+ $requireclientcert = $splunk::requireclientcert,
$splunk_home = $splunk::splunk_home,
$splunk_app_precedence_dir = $splunk::splunk_app_precedence_dir,
$splunk_app_replace = $splunk::splunk_app_replace,
diff --git a/manifests/params.pp b/manifests/params.pp
index d0f614d..746237c 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
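Review bot: `$requireclientcert` is added to the `splunk` class signature with no documentation of its accepted values and no visible validation; the class body, where any check would sit, is outside this hunk. The templates in this commit only test for the literal tokens `'inputs'` and `'splunkd'`, so a misspelt or wrongly-cased value (`'Inputs'`, `'splunkd '`) is silently ignored and the listener keeps accepting clients without a certificate — a fail-open for a security control. Add a parameter comment such as `# Optional: 'inputs', 'splunkd', or an array of both; any other value fails the catalog` and reject other values in the class body (stdlib `validate_re`/`member` if puppetlabs-stdlib is already a dependency — the dependency list is not in this diff — otherwise a plain `if`/`fail()`).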
@@ -20,6 +20,7 @@
$ciphersuite_intermediate = 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
$dhparamsize_intermediate = 2048
$ecdhcurvename_intermediate = 'secp384r1'
+ $requireclientcert = undef
$reuse_puppet_certs = true
$sslcertpath = 'certs/s2s.pem'
$sslrootcapath = 'certs/ca.crt'
diff --git a/manifests/server/ssl.pp b/manifests/server/ssl.pp
index bdaa9b6..c3bc734 100644
--- a/manifests/server/ssl.pp
+++ b/manifests/server/ssl.pp
@@ -8,6 +8,7 @@
$ciphersuite = $splunk::ciphersuite,
$sslversions = $splunk::sslversions,
$ecdhcurvename = $splunk::ecdhcurvename,
+ $requireclientcert = $splunk::requireclientcert,
$splunk_app_precedence_dir = $splunk::splunk_app_precedence_dir,
$splunk_app_replace = $splunk::splunk_app_replace,
$splunk_home = $splunk::splunk_home,
diff --git a/metadata.json b/metadata.json
index fb81a33..1a451ff 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
{
"name": "jorritfolmer-splunk",
- "version": "3.2.0",
+ "version": "3.3.0",
"author": "Jorrit Folmer",
"summary": "Deploy Splunk indexers, search heads and universal forwarders into any imaginable topology, distributed or (multisite) clustered.",
"license": "MIT",
@@ -34,7 +34,7 @@
],
"requirements": [
{
- "version_requirement": ">= 2.7.14 < 5.0.0",
+ "version_requirement": ">= 2.7.14 < 6.0.0",
"name": "puppet"
}
],
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 07dcd74..cf1c8be 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -56,6 +56,7 @@
it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_outputs/local/outputs.conf').with_content(/useACK = true/) }
end
+
context 'with tcpout as string and revert to default splunk cert instead of puppet cert reuse' do
let(:params) {
{
@@ -203,6 +204,45 @@
it { should contain_file('/opt/splunk/etc/apps/puppet_common_kvstore_disabled/local/server.conf').with_content(/disabled = true/) }
end
+ context 'with requireclientcert inputs ' do
+ let(:params) {
+ {
+ :inputport => 9997,
+ :requireclientcert => 'inputs',
+ :admin => { 'hash' => 'zzzz', 'fn' => 'yyyy', 'email' => 'wwww', },
+ }
+ }
+ it { should contain_class('splunk::installed') }
+ it { should contain_package('splunk') }
+ it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_inputs/local/inputs.conf').with_content(/requireClientCert = true/) }
+ end
+
+ context 'with requireclientcert splunkd ' do
+ let(:params) {
+ {
+ :requireclientcert => 'splunkd',
+ :admin => { 'hash' => 'zzzz', 'fn' => 'yyyy', 'email' => 'wwww', },
+ }
+ }
+ it { should contain_class('splunk::installed') }
+ it { should contain_package('splunk') }
+ it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_base/local/server.conf').with_content(/requireClientCert = true/) }
+ end
+
+ context 'with requireclientcert splunkd and inputs' do
+ let(:params) {
+ {
+ :inputport => 9997,
+ :requireclientcert => ['splunkd','inputs'],
+ :admin => { 'hash' => 'zzzz', 'fn' => 'yyyy', 'email' => 'wwww', },
+ }
+ }
+ it { should contain_class('splunk::installed') }
+ it { should contain_package('splunk') }
+ it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_base/local/server.conf').with_content(/requireClientCert = true/) }
+ it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_inputs/local/inputs.conf').with_content(/requireClientCert = true/) }
+ end
+
context 'with saml auth' do
let(:params) {
{
diff --git a/templates/puppet_common_ssl_base/local/server.conf b/templates/puppet_common_ssl_base/local/server.conf
index 948908b..081e070 100644
--- a/templates/puppet_common_ssl_base/local/server.conf
+++ b/templates/puppet_common_ssl_base/local/server.conf
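Review bot: None of the three new contexts asserts the negative case — the `'inputs'` context never checks that `puppet_common_ssl_base/local/server.conf` is left without `requireClientCert`, the `'splunkd'` context never checks `puppet_common_ssl_inputs/local/inputs.conf`, and there is no context for the default (parameter unset) at all. Because both templates gate the key on `include?`, a regression that turns mutual TLS on for the wrong listener, or for both, would still pass this suite. Add to the `'inputs'` context `it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_base/local/server.conf').without_content(/requireClientCert/) }`, the mirror-image assertion to the `'splunkd'` context, and a default context asserting both files lack the key (rspec-puppet's `without_content` takes a regex like `with_content`, as far as I recall). The trailing space in the context names `'with requireclientcert inputs '` and `'with requireclientcert splunkd '` looks unintended.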
@@ -12,3 +12,8 @@ enableSplunkdSSL=true
<% if @ecdhcurvename != nil %>
ecdhCurveName = <%= @ecdhcurvename %>
<% end %>
+<% if @requireclientcert != nil %>
+<% if @requireclientcert.include? 'splunkd' %>
+requireClientCert = true
+<% end %>
+<% end %>
diff --git a/templates/puppet_common_ssl_inputs/local/inputs.conf b/templates/puppet_common_ssl_inputs/local/inputs.conf
index 1be564b..30f79bd 100644
--- a/templates/puppet_common_ssl_inputs/local/inputs.conf
+++ b/templates/puppet_common_ssl_inputs/local/inputs.conf
@@ -21,4 +21,8 @@ ecdhCurveName = <%= @ecdhcurvename %>
# moved to server.conf/[sslConfig]/
serverCert = <%= @splunk_home %>/etc/auth/<%= @sslcertpath %>
sslVersions = <%= @sslversions %>
-
+<% if @requireclientcert != nil %>
+<% if @requireclientcert.include? 'inputs' %>
+requireClientCert = true
+<% end %>
+<% end %>
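Review bot: `@requireclientcert.include? 'splunkd'` is `String#include?` whenever the parameter is passed as a string, which the README in this commit documents (`requireclientcert => 'inputs'`), so it matches by substring rather than by value: `'not-splunkd'` or `'inputs splunkd'` enables the setting, and any unrecognised value is silently dropped so splunkd keeps accepting unauthenticated peers. Normalise to an array before the membership test, which also makes the outer `!= nil` guard redundant: `<% if [@requireclientcert].flatten.include?('splunkd') %>` / `requireClientCert = true` / `<% end %>`. The same construct is used in the inputs.conf template below and should change with it. Unrelated to the code, the README bullet for `splunkd` ends mid-sentence ("... present a certificate when") and the heading says `requireClientCert` while the parameter is `requireclientcert`, so the user-facing description of what this flag enforces is incomplete.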
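Review bot: The new block emits only the positive form — when `'inputs'` is not requested the key is simply absent from this app's inputs.conf, so the effective value is whatever Splunk resolves from other apps or its built-in default rather than a setting this module controls. If the module is meant to be authoritative for the listener, write the key in both states by adding `<% else %>` / `requireClientCert = false` before the closing `<% end %>`, so that turning the parameter off also turns the enforcement off explicitly; I'd confirm the intended precedence against the Splunk configuration-file documentation before relying on it. As in server.conf, `@requireclientcert.include? 'inputs'` is a substring test when the value is a string, and `[@requireclientcert].flatten.include?('inputs')` handles string, array and nil uniformly.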