authorSteffen Zieger <me@saz.sh>2013-12-26 04:12:19 -0800
committerSteffen Zieger <me@saz.sh>2013-12-26 04:12:19 -0800
commitacf2755cda80e2ecd107ed8de4d275c383db0487 (patch)
tree8a31bba5306311dd81ec90bf443c501304c24320
parentf8a05e0e6dd7a40fe53329a20ff81227b23bb398 (diff)
parentfb924446a69b9ce07ea898d5d301ccca8de72b2f (diff)
Merge pull request #40 from raphink/dev/ssl
SSL support
-rw-r--r--manifests/client.pp14
-rw-r--r--manifests/init.pp4
-rw-r--r--manifests/install.pp6
-rw-r--r--manifests/params.pp6
-rw-r--r--manifests/server.pp10
-rw-r--r--manifests/snippet.pp2
-rw-r--r--spec/defines/rsyslog_snippet_spec.rb6
-rw-r--r--templates/client.conf.erb13
-rw-r--r--templates/server/_default-header.conf.erb13
9 files changed, 66 insertions, 8 deletions
diff --git a/manifests/client.pp b/manifests/client.pp
index 624dfe8..37be590 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -14,6 +14,7 @@
# [*custom_params*]
# [*server*]
# [*port*]
+# [*ssl_ca*]
#
# === Variables
#
@@ -30,7 +31,8 @@ class rsyslog::client (
$custom_config = undef,
$custom_params = undef,
$server = 'log',
- $port = '514'
+ $port = '514',
+ $ssl_ca = undef,
) inherits rsyslog {
$content_real = $custom_config ? {
@@ -41,6 +43,14 @@ class rsyslog::client (
rsyslog::snippet {'client':
ensure => present,
content => $content_real,
- }
+ }
+
+ if $rsyslog::ssl and $ssl_ca == undef {
+ fail('You need to define $ssl_ca in order to use SSL.')
+ }
+
+ if $rsyslog::ssl and $remote_type != 'tcp' {
+ fail('You need to enable tcp in order to use SSL.')
+ }
}
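Review bot: The two new `fail()` guards are placed after the `rsyslog::snippet {'client': ...}` declaration they are meant to protect; compilation aborts either way, but a reader meets the resource before its precondition. Moving both `if $rsyslog::ssl and ...` blocks above the snippet declaration makes the SSL requirements read as preconditions of the class, and a one-line comment on the first guard such as `# TLS transport requires a CA file and a TCP remote` states why they exist. The class `rsyslog::client` begins outside this hunk.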
diff --git a/manifests/init.pp b/manifests/init.pp
index 05b9943..7064c65 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -15,6 +15,7 @@ class rsyslog (
$relp_package_name = $rsyslog::params::relp_package_name,
$mysql_package_name = $rsyslog::params::mysql_package_name,
$pgsql_package_name = $rsyslog::params::pgsql_package_name,
+ $gnutls_package_name = $rsyslog::params::gnutls_package_name,
$package_status = $rsyslog::params::package_status,
$rsyslog_d = $rsyslog::params::rsyslog_d,
$purge_rsyslog_d = $rsyslog::params::purge_rsyslog_d,
@@ -30,7 +31,8 @@ class rsyslog (
$spool_dir = $rsyslog::params::spool_dir,
$service_name = $rsyslog::params::service_name,
$client_conf = $rsyslog::params::client_conf,
- $server_conf = $rsyslog::params::server_conf
+ $server_conf = $rsyslog::params::server_conf,
+ $ssl = $rsyslog::params::ssl,
) inherits rsyslog::params {
class { 'rsyslog::install': }
class { 'rsyslog::config': }
diff --git a/manifests/install.pp b/manifests/install.pp
index 3e9ad1a..9798b3f 100644
--- a/manifests/install.pp
+++ b/manifests/install.pp
@@ -23,4 +23,10 @@ class rsyslog::install {
}
}
+ if $rsyslog::gnutls_package_name != false {
+ package { $rsyslog::gnutls_package_name:
+ ensure => $rsyslog::package_status
+ }
+ }
+
}
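Review bot: The new `package { $rsyslog::gnutls_package_name: }` resource is applied whenever a gnutls package name is set, which in this commit is every supported platform, so the package and its GnuTLS dependency land on hosts that never enable TLS. Gating on the feature flag keeps non-TLS hosts minimal: `if $rsyslog::ssl and $rsyslog::gnutls_package_name != false {`. The enclosing class `rsyslog::install` starts outside this hunk.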
diff --git a/manifests/params.pp b/manifests/params.pp
index 1ca23d5..8f9b639 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -18,6 +18,7 @@ class rsyslog::params {
$relp_package_name = 'rsyslog-relp'
$mysql_package_name = 'rsyslog-mysql'
$pgsql_package_name = 'rsyslog-pgsql'
+ $gnutls_package_name = 'rsyslog-gnutls'
$package_status = 'latest'
$rsyslog_d = '/etc/rsyslog.d/'
$purge_rsyslog_d = false
@@ -34,6 +35,7 @@ class rsyslog::params {
$service_name = 'rsyslog'
$client_conf = "${rsyslog_d}client.conf"
$server_conf = "${rsyslog_d}server.conf"
+ $ssl = false
}
redhat: {
$rsyslog_package_name = 'rsyslog'
@@ -44,6 +46,7 @@ class rsyslog::params {
}
$mysql_package_name = 'rsyslog-mysql'
$pgsql_package_name = 'rsyslog-pgsql'
+ $gnutls_package_name = 'rsyslog-gnutls'
$package_status = 'latest'
$rsyslog_d = '/etc/rsyslog.d/'
$rsyslog_conf = '/etc/rsyslog.conf'
@@ -59,12 +62,14 @@ class rsyslog::params {
$service_name = 'rsyslog'
$client_conf = "${rsyslog_d}client.conf"
$server_conf = "${rsyslog_d}server.conf"
+ $ssl = false
}
freebsd: {
$rsyslog_package_name = 'sysutils/rsyslog5'
$relp_package_name = 'sysutils/rsyslog5-relp'
$mysql_package_name = 'sysutils/rsyslog5-mysql'
$pgsql_package_name = 'sysutils/rsyslog5-pgsql'
+ $gnutls_package_name = 'sysutils/rsyslog5-gnutls'
$package_status = 'present'
$rsyslog_d = '/etc/syslog.d/'
$rsyslog_conf = '/etc/syslog.conf'
@@ -80,6 +85,7 @@ class rsyslog::params {
$service_name = 'syslogd'
$client_conf = "${rsyslog_d}client.conf"
$server_conf = "${rsyslog_d}server.conf"
+ $ssl = false
}
default: {
case $::operatingsystem {
diff --git a/manifests/server.pp b/manifests/server.pp
index 0cb7de8..36ee898 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -10,6 +10,9 @@
# [*server_dir*]
# [*custom_config*]
# [*high_precision_timestamps*]
+# [*ssl_ca*]
+# [*ssl_cert*]
+# [*ssl_key*]
#
# === Variables
#
@@ -33,6 +36,9 @@ class rsyslog::server (
$custom_config = undef,
$port = '514',
$high_precision_timestamps = false,
+ $ssl_ca = undef,
+ $ssl_cert = undef,
+ $ssl_key = undef,
) inherits rsyslog {
$real_content = $custom_config ? {
@@ -44,4 +50,8 @@ class rsyslog::server (
ensure => present,
content => $real_content,
}
+
+ if $rsyslog::ssl and (!$enable_tcp or $ssl_ca == undef or $ssl_cert == undef or $ssl_key == undef) {
+ fail('You need to define all the ssl options and enable tcp in order to use SSL.')
+ }
}
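Review bot: `$ssl_key` names a private key that rsyslog will read, but neither the parameter header nor the class says who must be able to read it, and the module does not manage the file itself. A short comment in the parameter header would spare an operator a world-readable key: `# [*ssl_key*] path to the server's private key; must exist and be readable only by the rsyslog account (presumably $rsyslog::run_user) - this module does not manage the file or its mode`. The combined condition `if $rsyslog::ssl and (!$enable_tcp or $ssl_ca == undef or $ssl_cert == undef or $ssl_key == undef)` reports one generic message for four distinct causes; separate `fail()` calls naming the missing option would make a misconfigured node easier to diagnose. The class `rsyslog::server` begins outside this hunk.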
diff --git a/manifests/snippet.pp b/manifests/snippet.pp
index 26cfa76..bb0468e 100644
--- a/manifests/snippet.pp
+++ b/manifests/snippet.pp
@@ -26,7 +26,7 @@ define rsyslog::snippet(
ensure => $ensure,
owner => $rsyslog::run_user,
group => $rsyslog::run_group,
- content => "${content}\n",
+ content => "# file managed by puppet\n${content}\n",
require => Class['rsyslog::config'],
notify => Class['rsyslog::service'],
}
diff --git a/spec/defines/rsyslog_snippet_spec.rb b/spec/defines/rsyslog_snippet_spec.rb
index 91d75c1..a8f2575 100644
--- a/spec/defines/rsyslog_snippet_spec.rb
+++ b/spec/defines/rsyslog_snippet_spec.rb
@@ -19,7 +19,7 @@ describe 'rsyslog::snippet', :type => :define do
let(:title) { 'rsyslog-snippet-basic' }
it 'should compile' do
- should contain_file('/etc/rsyslog.d/rsyslog-snippet-basic.conf').with_content("Random Content\n")
+ should contain_file('/etc/rsyslog.d/rsyslog-snippet-basic.conf').with_content("# file managed by puppet\nRandom Content\n")
end
end
end
@@ -41,7 +41,7 @@ describe 'rsyslog::snippet', :type => :define do
let(:title) { 'rsyslog-snippet-basic' }
it 'should compile' do
- should contain_file('/etc/rsyslog.d/rsyslog-snippet-basic.conf').with_content("Random Content\n")
+ should contain_file('/etc/rsyslog.d/rsyslog-snippet-basic.conf').with_content("# file managed by puppet\nRandom Content\n")
end
end
end
@@ -63,7 +63,7 @@ describe 'rsyslog::snippet', :type => :define do
let(:title) { 'rsyslog-snippet-basic' }
it 'should compile' do
- should contain_file('/etc/syslog.d/rsyslog-snippet-basic.conf').with_content("Random Content\n")
+ should contain_file('/etc/syslog.d/rsyslog-snippet-basic.conf').with_content("# file managed by puppet\nRandom Content\n")
end
end
end
diff --git a/templates/client.conf.erb b/templates/client.conf.erb
index e5dfb8c..d86a271 100644
--- a/templates/client.conf.erb
+++ b/templates/client.conf.erb
@@ -8,6 +8,17 @@ $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinety retries if host is down
+<% if scope.lookupvar('rsyslog::client::ssl') -%>
+# Setup SSL connection.
+# CA/Cert
+$DefaultNetStreamDriverCAFile <%= scope.lookupvar('rsyslog::client::ssl_ca') %>
+
+# Connection settings.
+$DefaultNetstreamDriver gtls
+$ActionSendStreamDriverMode 1
+$ActionSendStreamDriverAuthMode anon
+<% end -%>
+
<% if scope.lookupvar('rsyslog::client::log_remote') -%>
# Log to remote syslog server using <%= scope.lookupvar('rsyslog::client::remote_type') %>
<% if scope.lookupvar('rsyslog::client::remote_type') == 'tcp' -%>
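Review bot: `$ActionSendStreamDriverAuthMode anon` disables peer authentication, so the client never checks the server's certificate against `$DefaultNetStreamDriverCAFile`; the session is encrypted, but an on-path attacker who can redirect traffic for `server` can present any certificate and receive the logs. Requiring `$ssl_ca` in client.pp only makes sense if it is used, so the send action should authenticate the server, e.g. `$ActionSendStreamDriverAuthMode x509/name` together with `$ActionSendStreamDriverPermittedPeer <%= scope.lookupvar('rsyslog::client::server') %>` (the server certificate must then carry that name), or `x509/certvalid` if only CA validation is wanted. If `anon` is kept deliberately, the block should say so in its comment instead of labelling the CA line `CA/Cert`, so nobody assumes the server is verified.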
@@ -79,7 +90,7 @@ news.notice -/var/log/news/news.notice
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
-#
+#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
diff --git a/templates/server/_default-header.conf.erb b/templates/server/_default-header.conf.erb
index 19eb173..95391ce 100644
--- a/templates/server/_default-header.conf.erb
+++ b/templates/server/_default-header.conf.erb
@@ -16,5 +16,18 @@ $ModLoad imtcp
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
<% end -%>
+<% if scope.lookupvar('rsyslog::server::ssl') -%>
+# Server side SSL.
+$DefaultNetstreamDriver gtls
+
+# Cert files.
+$DefaultNetstreamDriverCAFile <%= scope.lookupvar('rsyslog::server::ssl_ca') %>
+$DefaultNetstreamDriverCertFile <%= scope.lookupvar('rsyslog::server::ssl_cert') %>
+$DefaultNetstreamDriverKeyFile <%= scope.lookupvar('rsyslog::server::ssl_key') %>
+
+$InputTCPServerStreamDriverMode 1
+$InputTCPServerStreamDriverAuthMode anon
+<% end -%>
+
# Switch to remote ruleset
$RuleSet remote
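Review bot: `$InputTCPServerStreamDriverAuthMode anon` on the listener means any host that can reach the TCP port can open a TLS session and inject log records; TLS here protects confidentiality in transit but does not restrict who may write to the log server. If client certificates are operationally acceptable, `$InputTCPServerStreamDriverAuthMode x509/name` with a `$InputTCPServerStreamDriverPermittedPeer` pattern for the client domain limits senders to certificates signed by `$ssl_ca`. Otherwise a comment stating that clients are not authenticated and that the port must be restricted by the network would set expectations for whoever reviews this listener later. The template continues past the hunk (`$RuleSet remote`).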