Certificate workflow overhaul (legacy workflow preserved + default)

.fixtures.yml

@@ -4,3 +4,15 @@ fixtures:
     stdlib:
       repo: "puppetlabs/stdlib"
       ref: "5.0.0"
+    inifile:
+      repo: "puppetlabs/inifile"
+      ref: "6.1.1"
+    concat:
+      repo: "puppetlabs/concat"
+      ref: "7.0.0"
+    apt:
+      repo: "puppetlabs/apt"
+      ref: "8.0.0"
+    openssl:
+      repo: "puppet/openssl"
+      ref: "4.2.0"

.gitignore

@@ -4,6 +4,7 @@
 .yardoc
 .yardwarns
 *.iml
+.vendor/
 /.bundle/
 /.idea/
 /.vagrant/

manifests/activeresponse.pp

@@ -1,6 +1,6 @@
 # Copyright (C) 2015, Wazuh Inc.
-#Define for a specific ossec active-response
-define wazuh::activeresponse(
+# @summary Define for a specific ossec active-response
+define wazuh::activeresponse (
   $active_response_name               = 'Rendering active-response template',
   $active_response_disabled           = undef,
   $active_response_linux_ca_store     = undef,
@@ -21,6 +21,6 @@
     target  => $target_arg,
     order   => $order_arg,
     before  => $before_arg,
-    content => template($content_arg)
+    content => template($content_arg),
   }
 }

manifests/addlog.pp

@@ -1,6 +1,6 @@
 # Copyright (C) 2015, Wazuh Inc.
-#Define a log-file to add to ossec
-define wazuh::addlog(
+# @summary Define a log-file to add to ossec
+define wazuh::addlog (
   $logfile      = undef,
   $logtype      = 'syslog',
   $logcommand   = undef,
@@ -15,5 +15,4 @@
     content => template('wazuh/fragments/_localfile_generation.erb'),
     order   => 21,
   }
-
 }

manifests/audit.pp

@@ -1,24 +1,23 @@
 # Copyright (C) 2015, Wazuh Inc.
-# Define an ossec command
+# @summary Define an ossec command
 class wazuh::audit (
   $audit_manage_rules = false,
   $audit_buffer_bytes = '8192',
   $audit_backlog_wait_time = '0',
   $audit_rules = [],
   $audit_package_title = 'Installing Audit..',
 ) {
-
-  case $::kernel {
+  case $facts['kernel'] {
     'Linux': {
-      case $::operatingsystem {
+      case $facts['os']['name'] {
         'Debian', 'debian', 'Ubuntu', 'ubuntu': {
           package { $audit_package_title:
             name => 'auditd',
           }
         }
         default: {
           package { $audit_package_title:
-            name => 'audit'
+            name => 'audit',
           }
         }
       }
@@ -31,21 +30,21 @@
 
       if $audit_manage_rules == true {
         file { '/etc/audit/rules.d/audit.rules':
-          ensure  => present,
+          ensure  => file,
           require => Service['auditd'],
         }
 
         $audit_rules.each |String $rule| {
           file_line { "Append rule ${rule} to /etc/audit/rules.d/audit.rules":
             path    => '/etc/audit/rules.d/audit.rules',
             line    => $rule,
-            require => File['/etc/audit/rules.d/audit.rules']
+            require => File['/etc/audit/rules.d/audit.rules'],
           }
         }
       }
     }
     default: {
-      fail("Module Audit not supported on ${::operatingsystem}")
+      fail("Module Audit not supported on ${facts['os']['name']}")
     }
   }
 }

manifests/certificates.pp

@@ -1,46 +1,80 @@
 # Copyright (C) 2015, Wazuh Inc.
-# Wazuh repository installation
+# @summary Wazuh certificate generation
+# If using legacy workflow, this generates all certificates using the
+# `wazuh-certs-tool.sh` script and dumps them into Puppet server's code directory.
+# (This is less than ideal.)
+# If `$use_legacy_workflow` is false, it will use the openssl module and the Puppet CA 
+# to generate certificates.
+# @param use_legacy_workflow
+#   If true, use the legacy workflow to generate certificates. Use Puppet CA otherwise.
+
 class wazuh::certificates (
-  $wazuh_repository = 'packages.wazuh.com',
-  $wazuh_version = '5.0',
+  Boolean $use_legacy_workflow = true,
+  String $puppet_code_path = "/etc/puppetlabs/code/environments/${server_facts['environment']}/modules/archive/files",
+  String $wazuh_repository = 'packages.wazuh.com',
+  String $wazuh_version = '5.0',
   $indexer_certs = [],
   $manager_certs = [],
   $manager_master_certs = [],
   $manager_worker_certs = [],
-  $dashboard_certs = []
+  $dashboard_certs = [],
+  Boolean $manage_certs = true,
+  Optional[Stdlib::Absolutepath] $ca_cert_path = $settings::cacert,
+  Optional[Stdlib::Absolutepath] $ca_key_path = $settings::cakey,
+  String $bucket_name = 'wazuh',
+  Optional[Stdlib::Absolutepath] $filebucket_path = "${settings::confdir}/filebucket",
+  Optional[Stdlib::Absolutepath] $fileserver_conf = "${settings::confdir}/fileserver.conf",
 ) {
-  file { 'Configure Wazuh Certificates config.yml':
-    owner   => 'root',
-    path    => '/tmp/config.yml',
-    group   => 'root',
-    mode    => '0640',
-    content => template('wazuh/wazuh_config_yml.erb'),
-  }
+  if $use_legacy_workflow {
+    file { 'Configure Wazuh Certificates config.yml':
+      owner   => 'root',
+      path    => '/tmp/config.yml',
+      group   => 'root',
+      mode    => '0640',
+      content => template('wazuh/wazuh_config_yml.erb'),
+    }
 
-  file { '/tmp/wazuh-certs-tool.sh':
-    ensure => file,
-    source => "https://${wazuh_repository}/${wazuh_version}/wazuh-certs-tool.sh",
-    owner  => 'root',
-    group  => 'root',
-    mode   => '0740',
-  }
+    file { '/tmp/wazuh-certs-tool.sh':
+      ensure => file,
+      source => "https://${wazuh_repository}/${wazuh_version}/wazuh-certs-tool.sh",
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0740',
+    }
 
-  exec { 'Create Wazuh Certificates':
-    path    => '/usr/bin:/bin',
-    command => 'bash /tmp/wazuh-certs-tool.sh --all',
-    creates => '/tmp/wazuh-certificates',
-    require => [
-      File['/tmp/wazuh-certs-tool.sh'],
-      File['/tmp/config.yml'],
-    ],
+    exec { 'Create Wazuh Certificates':
+      path    => '/usr/bin:/bin',
+      command => 'bash /tmp/wazuh-certs-tool.sh --all',
+      creates => '/tmp/wazuh-certificates',
+      require => [
+        File['/tmp/wazuh-certs-tool.sh'],
+        File['/tmp/config.yml'],
+      ],
+    }
+    file { 'Copy all certificates into module':
+      ensure  => 'directory',
+      source  => '/tmp/wazuh-certificates/',
+      recurse => 'remote',
+      path    => $puppet_code_path,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0755',
+    }
   }
-  file { 'Copy all certificates into module':
-    ensure => 'directory',
-    source => '/tmp/wazuh-certificates/',
-    recurse => 'remote',
-    path => '/etc/puppetlabs/code/environments/production/modules/archive/files/',
-    owner => 'root',
-    group => 'root',
-    mode  => '0755',
+  else {
+    contain wazuh::certificates::mountpoint
+    if $manage_certs {
+      Wazuh::Certificates::Certificate <<| tag == 'wazuh' |>> {
+        ensure       => present,
+        country      => 'US',
+        locality     => 'California',
+        organization => 'Wazuh',
+        unit         => 'Wazuh',
+        keyusage     => ['digitalSignature', 'nonRepudiation', 'keyEncipherment', 'dataEncipherment'],
+        base_dir     => "${filebucket_path}/${bucket_name}",
+        ca           => $ca_cert_path,
+        cakey        => $ca_key_path,
+      }
+    }
   }
 }

manifests/certificates/certificate.pp

@@ -0,0 +1,104 @@
+# @summary Wraps openssl::certificate::x509 to additionally convert to pkcs8 key (necessary for OpenSearch admin)
+#
+# @param export_pkcs8
+#   Whether to export the private key in PKCS8 format, necessary for OpenSearch admin
+# @param pkcs8_extension
+#   The file extension for the PKCS8 key
+# @param algo
+#   The encryption algorithm to use for the PKCS8 key, for use in Java
+#
+define wazuh::certificates::certificate (
+  # All necessary params for openssl::certificate::x509
+  Enum['present', 'absent']      $ensure = present,
+  Optional[String]               $country = undef,
+  Optional[String]               $organization = undef,
+  Optional[String]               $unit = undef,
+  Optional[String]               $state = undef,
+  Optional[String]               $commonname = undef,
+  Optional[String]               $locality = undef,
+  Array                          $altnames = [],
+  Array                          $keyusage = [],
+  Array                          $extkeyusage = [],
+  Optional[String]               $email = undef,
+  Integer                        $days = 365,
+  Stdlib::Absolutepath           $base_dir = '/etc/ssl/certs',
+  Stdlib::Absolutepath           $cnf_dir = $base_dir,
+  Stdlib::Absolutepath           $crt_dir = $base_dir,
+  Stdlib::Absolutepath           $csr_dir = $base_dir,
+  Stdlib::Absolutepath           $key_dir = $base_dir,
+  Stdlib::Absolutepath           $cnf = "${cnf_dir}/${name}.cnf",
+  Stdlib::Absolutepath           $crt = "${crt_dir}/${name}.crt",
+  Stdlib::Absolutepath           $csr = "${csr_dir}/${name}.csr",
+  Stdlib::Absolutepath           $key = "${key_dir}/${name}.key",
+  Integer                        $key_size = 3072,
+  Variant[String, Integer]       $owner = 'puppet',
+  Variant[String, Integer]       $group = 'puppet',
+  Variant[String, Integer]       $key_owner = $owner,
+  Variant[String, Integer]       $key_group = $group,
+  Stdlib::Filemode               $key_mode = '0600',
+  Optional[String]               $password = undef,
+  Boolean                        $force = true,
+  Boolean                        $encrypted = true,
+  Optional[Stdlib::Absolutepath] $ca = undef,
+  Optional[Stdlib::Absolutepath] $cakey = undef,
+  Optional[Variant[Sensitive[String[1]], String[1]]] $cakey_password = undef,
+  # Params specific to this module
+  Boolean $export_pkcs8     = false,
+  String  $pkcs8_extension  = 'pk8',
+  String  $algo             = 'PBE-SHA1-3DES',
+
+) {
+  openssl::certificate::x509 { $name:
+    ensure         => $ensure,
+    country        => $country,
+    organization   => $organization,
+    unit           => $unit,
+    state          => $state,
+    commonname     => $commonname,
+    locality       => $locality,
+    altnames       => $altnames,
+    keyusage       => $keyusage,
+    extkeyusage    => $extkeyusage,
+    email          => $email,
+    days           => $days,
+    base_dir       => $base_dir,
+    cnf_dir        => $cnf_dir,
+    crt_dir        => $crt_dir,
+    csr_dir        => $csr_dir,
+    key_dir        => $key_dir,
+    cnf            => $cnf,
+    crt            => $crt,
+    csr            => $csr,
+    key            => $key,
+    key_size       => $key_size,
+    owner          => $owner,
+    group          => $group,
+    key_owner      => $key_owner,
+    key_group      => $key_group,
+    key_mode       => $key_mode,
+    password       => $password,
+    force          => $force,
+    encrypted      => $encrypted,
+    ca             => $ca,
+    cakey          => $cakey,
+    cakey_password => $cakey_password,
+  }
+  if $export_pkcs8 {
+    $_cmd = [
+      'openssl', 'pkcs8', '-topk8',
+      '-inform', 'PEM',
+      '-outform', 'PEM',
+      '-in', $key,
+      '-out', "${key}.${pkcs8_extension}",
+      '-v1', $algo,
+      '-nocrypt',
+    ]
+    exec { "export ${name} key to pkcs8":
+      command     => $_cmd,
+      user        => $owner,
+      path        => $facts['path'],
+      subscribe   => OpenSSL::Certificate::X509[$name],
+      refreshonly => true,
+    }
+  }
+}

manifests/certificates/mountpoint.pp

@@ -0,0 +1,55 @@
+# @summary Creates a puppet file mountpoint for generated certificates
+# on the Puppet server. If you have separate CAs and compilers, you'll
+# need to implement syncing of some sort (a network share, rsync, etc)
+# and include this class on all compilers as well as the CA.
+# Potential improvements: 
+# - Restrict access to the mountpoint with entries in auth.conf
+class wazuh::certificates::mountpoint (
+  Stdlib::Absolutepath $filebucket_path = $wazuh::certificates::filebucket_path,
+  Stdlib::Absolutepath $fileserver_conf = $wazuh::certificates::fileserver_conf,
+  Boolean $manage_fileserver_conf = true,
+  Boolean $manage_bucket_dir = true,
+  String $bucket_name = $wazuh::certificates::bucket_name,
+  String $owner = 'puppet',
+  String $group = 'puppet',
+) {
+  assert_private()
+  $_dirs = $manage_bucket_dir ? {
+    true => [
+      $filebucket_path,
+      "${filebucket_path}/${bucket_name}",
+    ],
+    default => ["${filebucket_path}/${bucket_name}"],
+  }
+  file { $_dirs:
+    ensure => directory,
+    owner  => $owner,
+    group  => $group,
+    mode   => '0750',
+  }
+
+  if $manage_fileserver_conf {
+    file { $fileserver_conf:
+      ensure => file,
+      owner  => $owner,
+      group  => $group,
+      mode   => '0640',
+    }
+  }
+
+  $_tonotify = defined(Service['puppetserver']) ? {
+    true    => Service['puppetserver'],
+    default => undef,
+  }
+
+  ini_setting { 'wazuh certificates mountpoint':
+    ensure            => present,
+    path              => $fileserver_conf,
+    section           => $bucket_name,
+    setting           => 'path',
+    value             => "${filebucket_path}/${bucket_name}",
+    indent_width      => 4,
+    key_val_separator => ' ',
+    notify            => $_tonotify,
+  }
+}

manifests/command.pp

@@ -1,6 +1,6 @@
 # Copyright (C) 2015, Wazuh Inc.
-# Define an ossec command
-define wazuh::command(
+# @summary Define an ossec command
+define wazuh::command (
   $command_name,
   $command_executable,
   $command_expect  = 'srcip',