
ERB string interpolation and file_line matching

asked 2013-06-13 17:37:08 -0500 by Karunamon, updated 2013-06-13 18:05:14 -0500

I'm trying to (ab)use a file_line resource to ensure a block of text (my enterprise CA) always exists in my ca-certs bundle on CentOS hosts.

So far, what I've done is set a variable containing the newline-escaped version of my certificate's full info (what you'd get if you did openssl x509 -in (filename) -noout -text). I newline-escaped it by opening up IRB, opening double quotes, pasting the line in, and closing the quotes.

This looks like this in my manifest:

$cacert = "Certificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number:\n            10:d8 ...

2 Answers

answered 2013-06-14 19:26:25 -0500 by GregLarkin

After looking at the file_line source, I verified that it cannot handle multiline text, primarily because it uses very simple regexp matching.

In the end, I played around with using an exec to append the certificate text to the ca-bundle.crt file, but the trick is getting an onlyif condition to work correctly. I didn't have much luck there so far, but maybe an egrep regexp search command would do the trick.

The other option that you might explore is whether your CA cert has to be included in the ca-bundle.crt or not. Perhaps there's a way ...


Comments

Thanks for confirming this! I'll have to look around and see if there's another way to handle this.

Karunamon ( 2013-06-17 10:13:14 -0500 )

answered 2013-06-17 10:53:23 -0500 by Karunamon

For what it's worth, I ended up solving this with an exec:

class em_cacerts::centos inherits em_cacerts {
        exec { 'cent-ca-certificate':
                # Append the certificate text only when the bundle does not
                # already mention the CA. `unless` keys on grep's exit status,
                # which is what the original `test ! \`grep ...\`` form was
                # trying to express (that form breaks once grep prints a
                # multi-word line).
                command  => "/bin/echo '${centcacert}' >> '${cabundlepath}'",
                unless   => "/bin/grep -q '(redacted CA name)' '${cabundlepath}'",
                provider => 'shell',
        }
}

Yeah, it's escaping out to the shell, but I'm using basic bash stuff, so this should be relatively portable.

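Two things a practitioner would want checked before copying the exec above. First, what the question pastes into $cacert is the openssl x509 -text dump, which is informational; the bundle parser only reads the PEM blocks between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, so the string appended must be the PEM form (the same file without -noout -text). Second, grep-ing for a CA name is a weak idempotency test: it matches any certificate that mentions that name, and it cannot tell a complete block from a half-written one. The script below, added here as an example and not code from the thread or from Puppet, does the multi-line comparison file_line cannot: it extracts every PEM block, strips the whitespace from the base64 body so line wrapping is irrelevant, and compares whole bodies with grep -Fx. The file names, the paths in the comments and the two certificate bodies are assumptions constructed for the demo (placeholder base64, not real certificates). It runs under POSIX sh with awk and grep, which is the same footprint as the exec in the answer.

```shell
#!/bin/sh
# Idempotent "ensure this CA is in the bundle" step, added as an example
# for this page (not Puppet code, not from the thread). Meant to be
# installed as a script and driven by an exec, e.g. (assumed paths)
#   command => '/usr/local/sbin/ensure_ca /etc/pki/tls/certs/enterprise-ca.pem /etc/pki/tls/certs/ca-bundle.crt'
set -eu

# pem_bodies FILE: print one line per certificate block in FILE, each line
# being the base64 body with all whitespace removed. Line wrapping therefore
# no longer matters, and the comparison is on the certificate bytes rather
# than on a name that a different certificate could share.
pem_bodies() {
    awk '
        /^-----BEGIN CERTIFICATE-----[[:space:]]*$/ { inblock = 1; body = ""; next }
        /^-----END CERTIFICATE-----[[:space:]]*$/   { if (inblock) print body; inblock = 0; next }
        inblock { gsub(/[[:space:]]/, ""); body = body $0 }
    ' "$1"
}

# cert_in_bundle CERT BUNDLE: exit 0 if every certificate in CERT is already
# present in BUNDLE, 1 if at least one is missing, 2 if CERT holds no PEM
# block at all (for instance because it is the `openssl x509 -text` dump).
cert_in_bundle() {
    cert=$1
    bundle=$2
    wanted=$(pem_bodies "$cert")
    if [ -z "$wanted" ]; then
        echo "cert_in_bundle: no PEM certificate block in $cert" >&2
        return 2
    fi
    [ -f "$bundle" ] || return 1
    have=$(pem_bodies "$bundle")
    # Bodies contain no whitespace, so word splitting yields one body per word.
    for body in $wanted; do
        # -F literal, -x whole line: a body that is a prefix of another one,
        # or a partially written block, does not count as a match.
        printf '%s\n' "$have" | grep -Fxq -- "$body" || return 1
    done
    return 0
}

# ensure_cert_in_bundle CERT BUNDLE: append CERT to BUNDLE unless already there.
ensure_cert_in_bundle() {
    cert_in_bundle "$1" "$2" && return 0
    status=$?
    [ "$status" -eq 1 ] || return "$status"
    # Make sure the appended block starts on its own line.
    if [ -s "$2" ] && [ -n "$(tail -c1 "$2")" ]; then
        printf '\n' >> "$2"
    fi
    cat "$1" >> "$2"
}

# demo: build a constructed bundle and CA file in a temp dir, apply the
# ensure step twice, and print how many copies of the CA the bundle holds
# afterwards (1 when the step is idempotent).
demo() {
    dir=$(mktemp -d)
    # Constructed placeholder bodies (base64 of a short string), NOT real
    # certificates. The enterprise body deliberately starts with the same
    # text as the existing entry and is wrapped across two lines.
    cat > "$dir/ca-bundle.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
bm90IGEgcmVhbCBjZXJ0
-----END CERTIFICATE-----
EOF
    cat > "$dir/enterprise-ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
bm90IGEgcmVh
bCBjZXJ0IDI=
-----END CERTIFICATE-----
EOF
    ensure_cert_in_bundle "$dir/enterprise-ca.pem" "$dir/ca-bundle.crt"
    ensure_cert_in_bundle "$dir/enterprise-ca.pem" "$dir/ca-bundle.crt"
    pem_bodies "$dir/ca-bundle.crt" | grep -Fxc -- "$(pem_bodies "$dir/enterprise-ca.pem")"
    rm -rf "$dir"
}

demo
```

To use it as a tool rather than a demo, replace the final `demo` line with `ensure_cert_in_bundle "$@"` and point the exec's `unless` at a second invocation that runs `cert_in_bundle`, so Puppet reports no change once the block is present. One caveat on the whole approach, in line with GregLarkin's suggestion to check whether the bundle needs editing at all: on CentOS 7 and later RHEL-family releases (and on CentOS 6.5+ after `update-ca-trust enable`), /etc/pki/tls/certs/ca-bundle.crt is generated by update-ca-trust and a hand-appended block disappears on the next regeneration; the supported route there is to drop the PEM file into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust.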
