From 307c1feb50e7ae95829ff085a760cf3e1f51abc7 Mon Sep 17 00:00:00 2001
From: Andrew Bonney
Date: Tue, 8 Aug 2023 14:05:02 +0100
Subject: [PATCH] Add defaults for owner/group/mode on pki_install_host

Reverts the default user/group from I4a90479261b2721c08e9034fbae0d56de9308676
Adds global default options so user/group etc can be overridden on the setup host
Some cases of 'omit' for file modes are changed to a role-defined default which will override any system umask preferences.

Related-Bug: #2029253
Change-Id: Id999ccf5f42ee7f6b6b08db67276bb77bc9a21d8
---
 defaults/main.yml | 8 ++++++++
 tasks/main_ca.yml | 5 +++--
 tasks/main_certs.yml | 5 +++--
 tasks/standalone/create_ca.yml | 24 ++++++++++++------------
 vars/standalone_cert.yml | 8 ++++----
 5 files changed, 30 insertions(+), 20 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 2a5e1ea..fc63d59 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -155,3 +155,11 @@ pki_method: standalone
 pki_handler_ca_changed: "ca cert changed"
 pki_handler_cert_changed: "cert changed"
 pki_handler_cert_installed: "cert installed"
+
+# Default permissions used on pki_setup_host
+# pki_owner: "root"
+# pki_group: "root"
+pki_cert_mode: "0644"
+pki_cert_dir_mode: "0755"
+pki_key_mode: "0600"
+pki_key_dir_mode: "0700"
diff --git a/tasks/main_ca.yml b/tasks/main_ca.yml
index 4651122..f715cd8 100644
--- a/tasks/main_ca.yml
+++ b/tasks/main_ca.yml
@@ -21,8 +21,9 @@
 file:
 state: directory
 path: "{{ item.path }}"
- owner: "{{ item.owner | default(omit) }}"
- mode: "{{ item.mode | default(omit) }}"
+ owner: "{{ item.owner | default(pki_owner) | default(omit) }}"
+ group: "{{ item.group | default(pki_group) | default(omit) }}"
+ mode: "{{ item.mode | default('0755') }}"
 with_items:
 - "{{ pki_ca_dirs }}"
 delegate_to: "{{ pki_setup_host }}"
diff --git a/tasks/main_certs.yml b/tasks/main_certs.yml
index 57fa16a..2dbd56f 100644
--- a/tasks/main_certs.yml
+++ b/tasks/main_certs.yml
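Review bot: The new defaults block in defaults/main.yml should state what happens while `pki_owner`/`pki_group` stay commented out, because the consuming tasks chain `default(pki_owner) | default(omit)` and ownership of everything created on the setup host is then simply not managed by the role. Suggested replacement for the two header comment lines: `# Default ownership/permissions for files created on pki_setup_host.` followed by `# pki_owner/pki_group are unset by default; owner/group then fall through to 'omit' and are left unmanaged.` `pki_cert_mode` is defined here but no hunk in this patch references it; if the cert-install tasks outside this diff do not consume it either, it is an unused knob that should be wired in or dropped.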
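Review bot: The directory task in tasks/main_ca.yml still hard-codes its fallback as `mode: "{{ item.mode | default('0755') }}"`, so `pki_cert_dir_mode`, which this same patch introduces as the overridable directory default, is bypassed for every entry that carries no explicit mode. Using `mode: "{{ item.mode | default(pki_cert_dir_mode) }}"` gives a single source of truth and lets an operator tighten directory permissions on the setup host from one variable, which is the stated goal of the change. The same hard-coded `'0755'` appears in the matching hunks of tasks/main_certs.yml and tasks/standalone/create_ca.yml (the `@@ -24` hunk), where it matters most because that hunk also removes the explicit `0755` from the top-level `ca_dir` entry. The task's `- name:` line lies above the hunk in each file.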
@@ -21,8 +21,9 @@
 file:
 state: directory
 path: "{{ item.path }}"
- owner: "{{ item.owner | default(omit) }}"
- mode: "{{ item.mode | default(omit) }}"
+ owner: "{{ item.owner | default(pki_owner) | default(omit) }}"
+ group: "{{ item.group | default(pki_group) | default(omit) }}"
+ mode: "{{ item.mode | default('0755') }}"
 with_items:
 - "{{ pki_cert_dirs }}"
 when: pki_create_certificates | default(true)
diff --git a/tasks/standalone/create_ca.yml b/tasks/standalone/create_ca.yml
index c1620e1..bf47227 100644
--- a/tasks/standalone/create_ca.yml
+++ b/tasks/standalone/create_ca.yml
@@ -24,17 +24,17 @@
 file:
 state: directory
 path: "{{ item.path }}"
- owner: "{{ item.owner | default(omit) }}"
- mode: "{{ item.mode | default(omit) }}"
+ owner: "{{ item.owner | default(pki_owner) | default(omit) }}"
+ group: "{{ item.group | default(pki_group) | default(omit) }}"
+ mode: "{{ item.mode | default('0755') }}"
 with_items:
 - path: "{{ ca_dir }}"
- mode: "0755"
 - path: "{{ ca_dir ~ '/csr' }}"
- mode: "0700"
+ mode: "{{ pki_key_dir_mode }}"
 - path: "{{ ca_dir ~ '/private' }}"
- mode: "0700"
+ mode: "{{ pki_key_dir_mode }}"
 - path: "{{ ca_dir ~ '/certs' }}"
- mode: "0755"
+ mode: "{{ pki_cert_dir_mode }}"
 
 # NOTE(noonedeadpunk): Incorrect permissions lead to CA certs re-generation as
 # openssl_privatekey gets changed when harmonizing ownership/permissions
@@ -42,9 +42,9 @@
 file:
 state: file
 path: "{{ ca_dir ~ '/private/' ~ ca.name ~ '.key.pem' }}"
- mode: "{{ ca.key_mode | default('0600') }}"
- owner: "{{ ca.key_owner | default('root') }}"
- group: "{{ ca.key_group | default('root') }}"
+ mode: "{{ ca.key_mode | default(pki_key_mode) }}"
+ owner: "{{ ca.key_owner | default(pki_owner) | default(omit) }}"
+ group: "{{ ca.key_group | default(pki_group) | default(omit) }}"
 failed_when: false
 
 - name: Initialise the serial number for {{ ca.name }}
@@ -59,9 +59,9 @@
 passphrase: "{{ ca.key_passphrase | default(omit) }}"
 cipher: "{{ ('key_passphrase' in ca and ca.key_passphrase) | ternary('auto', omit) }}"
 backup: "{{ ca.backup | default(True) }}"
- mode: "{{ ca.key_mode | default('0600') }}"
- owner: "{{ ca.key_owner | default('root') }}"
- group: "{{ ca.key_group | default('root') }}"
+ mode: "{{ ca.key_mode | default(pki_key_mode) }}"
+ owner: "{{ ca.key_owner | default(pki_owner) | default(omit) }}"
+ group: "{{ ca.key_group | default(pki_group) | default(omit) }}"
 register: ca_privkey
 
 - name: Read the serial number for {{ ca.name }}
diff --git a/vars/standalone_cert.yml b/vars/standalone_cert.yml
index 4fa81b6..42a4d9f 100644
--- a/vars/standalone_cert.yml
+++ b/vars/standalone_cert.yml
@@ -17,10 +17,10 @@ _pki_cert_dirs:
 - path: "{{ pki_dir }}"
 - path: "{{ pki_dir ~ '/certs' }}"
- mode: "0755"
+ mode: "{{ pki_cert_dir_mode }}"
 - path: "{{ pki_dir ~ '/certs/csr' }}"
- mode: "0700"
+ mode: "{{ pki_key_dir_mode }}"
 - path: "{{ pki_dir ~ '/certs/private' }}"
- mode: "0700"
+ mode: "{{ pki_key_dir_mode }}"
 - path: "{{ pki_dir ~ '/certs/certs' }}"
- mode: "0755"
+ mode: "{{ pki_cert_dir_mode }}"
 