From 48b0785e3e57651485690fabb785feed50fb6d4a Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Fri, 24 May 2024 15:34:22 +0200
Subject: [PATCH] Support reading SSL credentials from default locations

When CREDENTIALS_DIRECTORY is present, it tries fixed locations for these values. This allows using systemd CREDENTIALS or other similar mechanism without having to specify the locations in the settings file.

Still TODO: The Puppet module can also use certificates as credentials. Should this also be exposed to plugins?
---
 lib/proxy/settings/global.rb | 35 +++++++++++++++++++++++++++++++++++
 test/global_settings_test.rb | 30 ++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+)

diff --git a/lib/proxy/settings/global.rb b/lib/proxy/settings/global.rb
index ccefcca4f..c30bdb9ae 100644
--- a/lib/proxy/settings/global.rb
+++ b/lib/proxy/settings/global.rb
@@ -47,5 +47,40 @@ def normalize_setting(key, value, how_to)
       return value unless how_to.has_key?(key)
       how_to[key].call(value)
     end
+
+    def ssl_private_key
+      credential(:ssl_private_key, 'server-key')
+    end
+
+    def ssl_certificate
+      credential(:ssl_certificate, 'server-certificate')
+    end
+
+    def ssl_ca_file
+      credential(:ssl_ca_file, 'server-client-ca')
+    end
+
+    def foreman_ssl_key
+      credential(:foreman_ssl_key, 'client-key')
+    end
+
+    def foreman_ssl_cert
+      credential(:foreman_ssl_cert, 'client-certificate')
+    end
+
+    def foreman_ssl_key
+      credential(:foreman_ssl_ca, 'client-ca')
+    end
+
+    private
+
+    def credential(setting, cred)
+      value = self[cred]
+      if !value && ENV.key?('CREDENTIALS_DIRECTORY')
+        path = File.join(ENV['CREDENTIALS_DIRECTORY'], cred)
+        value = path if File.exist?(path)
+      end
+      value
+    end
   end
 end
diff --git a/test/global_settings_test.rb b/test/global_settings_test.rb
index 7046eb29f..d374da396 100644
--- a/test/global_settings_test.rb
+++ b/test/global_settings_test.rb
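Review bot: The second `def foreman_ssl_key` (the one calling `credential(:foreman_ssl_ca, 'client-ca')`) redefines the accessor declared a few lines above it, so `foreman_ssl_key` ends up resolving the client CA credential and no `foreman_ssl_ca` method exists at all; it should read `def foreman_ssl_ca`. In `credential`, `value = self[cred]` consults the settings under the credential file name (`'server-key'`) rather than the setting name, which leaves the `setting` parameter unused and, as far as I can tell, means a configured `ssl_private_key` is never found — `value = self[setting]` looks like the intent and is what `test_ssl_private_key_with_value` expects. `File.exist?(path)` is also true for directories and for entries the process cannot read, so the fallback can hand the TLS layer a path it cannot open; `value = path if File.file?(path) && File.readable?(path)` is the safer check, and a debug log line naming which source won would help operators diagnose certificate problems. The enclosing class continues outside the hunk.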
@@ -26,4 +26,34 @@ def test_bind_host_is_normalized
     assert_equal ['127.0.0.1'], ::Proxy::Settings::Global.new(:bind_host => '127.0.0.1').bind_host
     assert_equal ['127.0.0.1'], ::Proxy::Settings::Global.new(:bind_host => ['127.0.0.1']).bind_host
   end
+
+  def test_ssl_private_key_default_without_credential
+    settings = ::Proxy::Settings::Global.new({})
+    Dir.mktmpdir do |tmpdir|
+      ENV['CREDENTIALS_DIRECTORY'] = tmpdir
+      assert_nil settings.ssl_private_key
+    end
+  end
+
+  def test_ssl_private_key_default_with_credential
+    settings = ::Proxy::Settings::Global.new({})
+    Dir.mktmpdir do |tmpdir|
+      ENV['CREDENTIALS_DIRECTORY'] = tmpdir
+      path = File.join(tmpdir, 'server-key')
+      FileUtils.touch(path)
+
+      assert_equal path, settings.ssl_private_key
+    end
+  end
+
+  def test_ssl_private_key_with_value
+    settings = ::Proxy::Settings::Global.new({ssl_private_key: 'mykey'})
+    Dir.mktmpdir do |tmpdir|
+      ENV['CREDENTIALS_DIRECTORY'] = tmpdir
+      path = File.join(tmpdir, 'server-key')
+      FileUtils.touch(path)
+
+      assert_equal 'mykey', settings.ssl_private_key
+    end
+  end
 end
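Review bot: Each of the three new tests assigns `ENV['CREDENTIALS_DIRECTORY']` and never restores it, so once they have run the variable points at an already-deleted tmpdir for every later test in the process and can change their behaviour; capture the previous value in `setup` and put it back (or delete the key) in `teardown`, or wrap each assignment in an `ensure`. The hunk never covers the case where the variable is absent and the configured value must be returned, nor any of the `foreman_*` accessors, which is why the duplicated `foreman_ssl_key` definition in the library hunk goes unnoticed — one assertion such as `assert_equal 'ca', ::Proxy::Settings::Global.new({foreman_ssl_ca: 'ca'}).foreman_ssl_ca` would catch it. `Dir.mktmpdir` and `FileUtils.touch` depend on `tmpdir` and `fileutils` being required; the top of the file is outside the hunk, so that may already be covered. The enclosing test class starts outside the hunk.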