Fix config template issues and add some improvements

[rtib]

Pull Request (PR) description

Some bugfixes and improving refactoring.

This Pull Request (PR) fixes the following issues

Fixes config template issue which partly Fixes #178
Improves transparency of default values of openssl::certificate::x509
Makes DN attributes optional moving the API towards RFC5280

[rtib]

This PR, also embracing #177, is fixing only the first part of #178, but leaves the second part open and still producing the issue

Info: /Stage[main]/Roles_test::Cert/Openssl::Certificate::X509[hostcert]/X509_request[/etc/ssl/certs/hostcert.csr]: Scheduling refresh of X509_cert[/etc/ssl/certs/hostcert.crt]
Error: Execution of '/usr/bin/openssl x509 -req -days 365 -in /etc/ssl/certs/hostcert.csr -out /etc/ssl/certs/hostcert.crt -extfile /etc/ssl/certs/hostcert.cnf' returned 1: Error Loading extension section default
139636029801792:error:22097082:X509 V3 routines:do_ext_nconf:unknown extension name:../crypto/x509v3/v3_conf.c:78:
139636029801792:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=HOME, value=.
Error: /Stage[main]/Roles_test::Cert/Openssl::Certificate::X509[hostcert]/X509_cert[/etc/ssl/certs/hostcert.crt]/ensure: change from 'absent' to 'present' failed: Execution of '/usr/bin/openssl x509 -req -days 365 -in /etc/ssl/certs/hostcert.csr -out /etc/ssl/certs/hostcert.crt -extfile /etc/ssl/certs/hostcert.cnf' returned 1: Error Loading extension section default
139636029801792:error:22097082:X509 V3 routines:do_ext_nconf:unknown extension name:../crypto/x509v3/v3_conf.c:78:
139636029801792:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=HOME, value=. (corrective)
Error: /Stage[main]/Roles_test::Cert/Openssl::Certificate::X509[hostcert]/X509_cert[/etc/ssl/certs/hostcert.crt]: Failed to call refresh: Execution of '/usr/bin/openssl x509 -req -days 365 -in /etc/ssl/certs/hostcert.csr -out /etc/ssl/certs/hostcert.crt -extfile /etc/ssl/certs/hostcert.cnf' returned 1: Error Loading extension section default
140650929960256:error:22097082:X509 V3 routines:do_ext_nconf:unknown extension name:../crypto/x509v3/v3_conf.c:78:
140650929960256:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=HOME, value=.
Error: /Stage[main]/Roles_test::Cert/Openssl::Certificate::X509[hostcert]/X509_cert[/etc/ssl/certs/hostcert.crt]: Execution of '/usr/bin/openssl x509 -req -days 365 -in /etc/ssl/certs/hostcert.csr -out /etc/ssl/certs/hostcert.crt -extfile /etc/ssl/certs/hostcert.cnf' returned 1: Error Loading extension section default
140650929960256:error:22097082:X509 V3 routines:do_ext_nconf:unknown extension name:../crypto/x509v3/v3_conf.c:78:
140650929960256:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=HOME, value=.
Notice: /Stage[main]/Roles_test::Cert/Openssl::Certificate::X509[hostcert]/File[/etc/ssl/certs/hostcert.crt]: Dependency X509_cert[/etc/ssl/certs/hostcert.crt] has failures: true

I'd suggest to address this in a separate PR.

[fmichea]

@zilchms @rtib This condition seems to prevent altnames from being used. The condition used to be !empty($altnames + $extkeyusage) so either would trigger req_ext to be set and therefore the openssl command to be given the necessary option for the certificate to have the extension (this is done in lib/puppet/provider/x509_cert/openssl.rb line 103). This became a and condition which now requires both lists to be non-empty. I wasnt able to get certs with SANs to generate until I changed this locally to a or condition. I'll look into making a contribution shortly but I am commenting here just to have you take a look if you agree and maybe do the change if it's easy on your end.

[rtib]

You're right, my mistake. AFAIK, I tested extkeyusage, which should work, but that can't work either. Unfortunately, the module lacks appropriate tests, which is a shame considering the importance of its functionality. I can file a PR, I broke it I fix it.

[fmichea]

Thanks for the quick answer! This is the basic change with a test (that fails with main branch but passes with change), but I'll let you decide if there is more is needed. I didnt see a test for the actual function generating the openssl command for instance but only did a quick glance.

diff --git a/manifests/certificate/x509.pp b/manifests/certificate/x509.pp
index 7543d7e..2aae7c4 100644
--- a/manifests/certificate/x509.pp
+++ b/manifests/certificate/x509.pp
@@ -184,7 +184,7 @@ define openssl::certificate::x509 (
     csr      => $csr,
     days     => $days,
     password => $password,
-    req_ext  => !empty($altnames) and !empty($extkeyusage),
+    req_ext  => !empty($altnames) or !empty($extkeyusage),
     force    => $force,
     ca       => $ca,
     cakey    => $cakey,
diff --git a/spec/defines/openssl_certificate_x509_spec.rb b/spec/defines/openssl_certificate_x509_spec.rb
index e2df33d..57facfe 100644
--- a/spec/defines/openssl_certificate_x509_spec.rb
+++ b/spec/defines/openssl_certificate_x509_spec.rb
@@ -422,6 +422,26 @@ describe 'openssl::certificate::x509' do
     }
   end

+  context 'when passing altnames, extension is enabled' do
+    let(:params) do
+      {
+        country: 'com',
+        organization: 'bar',
+        commonname: 'foo.example.com',
+        altnames: ['bar.example.com'],
+      }
+    end
+
+    it {
+      is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
+        ensure: 'present',
+        template: '/etc/ssl/certs/foo.cnf',
+        csr: '/etc/ssl/certs/foo.csr',
+        req_ext: true
+      )
+    }
+  end
+
   context 'when passing all parameters' do
     let(:params) do
       {

[zilchms]

Thanks @rtib , i will look at getting some tests up and running in the near future. This module really needs those....
and thanks @fmichea for reporting this :)

[rtib]

Thanks @fmichea , took that, extended it with some more cases. @zilchms , #195 is ready for review.