Fix of deprecation warning

[amorphina]

Pull Request (PR) description

Fix of deprecation warning:
Warning: The source_permissions parameter is deprecated. Explicitly set owner, group, and mode.
(file: .../manifests/ca.pp, line: 127)

This Pull Request (PR) fixes the following issues

Replaced:
source_permissions => 'use',
With:
owner => 'root',
mode => '0755',

This is tested on puppet-agent 5.5.7-1 on Ubuntu Xenial, puppetserver 5.3.6-1 Ubuntu Xenial.

[alexjfisher]

Thanks for the PR. Is this the correct mode to use? This directory resource has recurse => true, so I think this mode would make all the files under the directory executable. (But maybe that's what's needed? Could you confirm?)

Puppet automatically sets directory browse permissions, so maybe 0644 would be better?
https://puppet.com/docs/puppet/5.5/types/file.html#file-attribute-mode

When specifying numeric permissions for directories, Puppet sets the search permission wherever the read permission is set.

[alexjfisher]

One of the test failures is due to the now excessive indentation of the parameters in this resource. The acceptance test failures seem to be related to the new modes.

[alexjfisher]

Notice: /Stage[main]/Main/Openvpn::Server[test_openvpn_server]/Openvpn::Ca[test_openvpn_server]/File[/etc/openvpn/test_openvpn_server/easy-rsa/keys/vpnclienta.key]/mode: mode changed '0600' to '0755'
https://travis-ci.org/voxpupuli/puppet-openvpn/jobs/458818494#L1619

[alexjfisher]

There are key files that had a very restrictive mode 0600 now being set to 0755. These files should not be executable, but more of a problem is that they're now world readable.

At this stage, I'm not too sure what the best solution is. I wonder why puppet deprecated source_permissions. It looked quite useful here.

[alexjfisher]

Notice: /Stage[main]/Main/Openvpn::Server[test_openvpn_server]/Openvpn::Ca[test_openvpn_server]/File[/etc/openvpn/test_openvpn_server/easy-rsa/keys/vpnclienta.key]/mode: mode changed '0600' to '0755'
https://travis-ci.org/voxpupuli/puppet-openvpn/jobs/458818494#L1619

[Dan33l]

Hi @amorphina thank you for the PR.
There is a bunch of failing tests because proposed code is not idempotent.

[alexjfisher]

There is a bunch of failing tests because proposed code is not idempotent.

@Dan33l Do you know why though? Does the service automatically chmod some files when it starts or something?

[Dan33l]

@Dan33l Do you know why though? Does the service automatically chmod some files when it starts or something?

@alexjfisher This PR force mode => '0755', and the client key is created by easyrsa with mode 0600 and changed during the second run to 0755.
More than idempotency issue, it is safe that a private key use mode 0600 and not 0755.

@amorphina are you yet interested by this PR ?

[amorphina]

@Dan33l I am still interested by it.
Can we create a separate file resource to manage the keys directory, something like:

file { "${etc_directory}/openvpn/${name}/easy-rsa/keys" :
  ensure => directory,
  mode   => '0600',
}

This way we will change the mode for all files/dirs to 755 without the keys directory.

Also by default puppet pushes the mode for directories from 6(rw) to 7(rwx), thus the directory ${etc_directory}/openvpn/${name}/easy-rsa/keys will automatically be set to 700, while the files inside it should remain with 600.

[Dan33l]

The source_permissions parameter will be undeprecated :
https://tickets.puppetlabs.com/browse/PUP-10253

[alexjfisher]

The source_permissions parameter will be undeprecated :
https://tickets.puppetlabs.com/browse/PUP-10253

Has that been agreed?

[Dan33l]

Since status is ACCEPTED, i supposed yes.

And also the comment on ticket i opened :
https://tickets.puppetlabs.com/browse/PUP-9332?focusedCommentId=724011&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-724011