Use validate_cmd to validate a CA before writing

manifests/ca.pp

@@ -40,6 +40,8 @@
 
   if $source and $content {
     fail('You must not specify both $source and $content for trusted_ca defined resources')
+  } elsif !$source and !$content {
+    fail('You must specify either $source or $content for trusted_ca defined resources')
   }
 
   if $name =~ Pattern["\\.${certfile_suffix}$"] {
@@ -48,35 +50,14 @@
     $_name = "${name}.${certfile_suffix}"
   }
 
-  if $source {
-    file { "${install_path}/${_name}":
-      ensure => 'file',
-      source => $source,
-      notify => Exec["validate ${install_path}/${_name}"],
-      mode   => '0644',
-      owner  => 'root',
-      group  => 'root',
-    }
-  } elsif $content {
-    file { "${install_path}/${_name}":
-      ensure  => 'file',
-      content => $content,
-      notify  => Exec["validate ${install_path}/${_name}"],
-      mode    => '0644',
-      owner   => 'root',
-      group   => 'root',
-    }
-  } else {
-    fail('You must specify either $source or $content for trusted_ca defined resources')
-  }
-
-  # This makes sure the certificate is valid
-  exec { "validate ${install_path}/${_name}":
-    command     => "openssl x509 -in ${install_path}/${_name} -noout",
-    logoutput   => on_failure,
-    path        => $trusted_ca::path,
-    notify      => Exec['update_system_certs'],
-    returns     => 0,
-    refreshonly => true,
+  file { "${install_path}/${_name}":
+    ensure       => 'file',
+    content      => $content,
+    source       => $source,
+    notify       => Exec['update_system_certs'],
+    mode         => '0644',
+    owner        => 'root',
+    group        => 'root',
+    validate_cmd => 'openssl x509 -in % -noout',
   }
 }

spec/acceptance/certs_spec.rb

@@ -53,8 +53,21 @@
     end
 
     describe command("cd /root && /usr/bin/java SSLPoke #{fact('fqdn')} 443") do
       its(:exit_status) { is_expected.to eq 0 }
     end
     # rubocop:enable RSpec/RepeatedExampleGroupBody
   end
+
+  context 'invalid certificate' do
+    it 'refuses to apply' do
+      pp = <<-EOS
+      include trusted_ca
+      trusted_ca::ca { 'test':
+        content => 'invalid',
+      }
+      EOS
+
+      apply_manifest(pp, expect_failures: true)
+    end
+  end
 end

spec/defines/trusted_ca_ca_spec.rb

@@ -34,34 +34,29 @@
           case facts[:os]['family']
           when 'RedHat'
             file = '/etc/pki/ca-trust/source/anchors/mycert.crt'
-            notify = 'Exec[validate /etc/pki/ca-trust/source/anchors/mycert.crt]'
             source = 'puppet:///data/mycert.crt'
           when 'Debian'
             file = '/usr/local/share/ca-certificates/mycert.crt'
-            notify = 'Exec[validate /usr/local/share/ca-certificates/mycert.crt]'
             source = 'puppet:///data/mycert.crt'
           when 'Suse'
             if facts[:operatingsystem] == 'SLES'
               if facts[:operatingsystemmajrelease] == '11'
                 file = '/etc/ssl/certs/mycert.pem'
-                notify = 'Exec[validate /etc/ssl/certs/mycert.pem]'
                 source = 'puppet:///data/mycert.pem'
               else
                 file = '/etc/pki/trust/anchors/mycert.crt'
-                notify = 'Exec[validate /etc/pki/trust/anchors/mycert.crt]'
                 source = 'puppet:///data/mycert.crt'
               end
             else
               file = '/etc/pki/trust/anchors/mycert.crt'
-              notify = 'Exec[validate /etc/pki/trust/anchors/mycert.crt]'
               source = 'puppet:///data/mycert.crt'
             end
           end
 
           let(:params) { { source: source } }
 
           it { is_expected.to compile.with_all_deps }
-          it { is_expected.to contain_file(file).that_notifies(notify) }
+          it { is_expected.to contain_file(file).that_notifies('Exec[update_system_certs]') }
         end
       end
     end