2 files changed, 77 insertions, 0 deletions
diff --git a/lib/puppet/parser/functions/clamp.rb b/lib/puppet/parser/functions/clamp.rb
new file mode 100644
index 0000000..432c7c1
--- /dev/null
+++ b/lib/puppet/parser/functions/clamp.rb
@@ -0,0 +1,30 @@
+#
+# clamp.rb
+#
+
+module Puppet::Parser::Functions
+  newfunction(:clamp, :type => :rvalue, :arity => -2, :doc => <<-EOS
+    Clamps value to a range.
+    EOS
+  ) do |args|
+
+    args.flatten!
+
+    raise(Puppet::ParseError, 'clamp(): Wrong number of arguments, ' +
+          'need three to clamp') if args.size != 3
+
+    # check values out
+    args.each do |value|
+      case [value.class]
+        when [String]
+          raise(Puppet::ParseError, "clamp(): Required explicit numeric (#{value}:String)") unless value =~ /^\d+$/
+        when [Hash]
+          raise(Puppet::ParseError, "clamp(): The Hash type is not allowed (#{value})")
+      end
+    end
+
+    # convert to numeric each element
+    # then sort them and get a middle value
+    args.map{ |n| n.to_i }.sort[1]
+  end
+end
diff --git a/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb b/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb
new file mode 100644
index 0000000..fc9f23f
--- /dev/null
+++ b/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb
@@ -0,0 +1,47 @@
+module Puppet::Parser::Functions
+
+  newfunction(:validate_x509_rsa_key_pair, :doc => <<-ENDHEREDOC
+    Validates a PEM-formatted X.509 certificate and RSA private key using
+    OpenSSL. Verifies that the certficate's signature was created from the
+    supplied key.
+
+    Fail compilation if any value fails this check.
+
+    validate_x509_rsa_key_pair($cert, $key)
+
+    ENDHEREDOC
+  ) do |args|
+
+    require 'openssl'
+
+    NUM_ARGS = 2 unless defined? NUM_ARGS
+
+    unless args.length == NUM_ARGS then
+      raise Puppet::ParseError,
+        ("validate_x509_rsa_key_pair(): wrong number of arguments (#{args.length}; must be #{NUM_ARGS})")
+    end
+
+    args.each do |arg|
+      unless arg.is_a?(String)
+        raise Puppet::ParseError, "#{arg.inspect} is not a string."
+      end
+    end
+
+    begin
+      cert = OpenSSL::X509::Certificate.new(args[0])
+    rescue OpenSSL::X509::CertificateError => e
+      raise Puppet::ParseError, "Not a valid x509 certificate: #{e}"
+    end
+
+    begin
+      key = OpenSSL::PKey::RSA.new(args[1])
+    rescue OpenSSL::PKey::RSAError => e
+      raise Puppet::ParseError, "Not a valid RSA key: #{e}"
+    end
+
+    unless cert.verify(key)
+      raise Puppet::ParseError, "Certificate signature does not match supplied key"
+    end
+  end
+
+end