Update and expand spec tests, including code fixes to match expected…

… behaviour.
redhat-openstack · Sep 29, 2014 · 207d316 · 207d316
1 parent 92f8b48
commit 207d316
Show file tree

Hide file tree

Showing 11 changed files with 822 additions and 174 deletions.
diff --git a/README.mod_shib.md b/README.mod_shib.md
@@ -171,7 +171,7 @@ The `apache::mod::shib` module provides the following classes and resource defin
 
 # Registration
 
-Manual resgistration of the Service Provider is still required. By default, the file `/etc/shibboleth/sp-key.pem` contains the public key of the back-end certificate used for secure comminucation within the Shibboleth Federation.
+Manual resgistration of the Service Provider is still required. By default, the file `/etc/shibboleth/sp-cert.pem` contains the public key of the back-end certificate used for secure comminucation within the Shibboleth Federation.
 
 # Attribution
 

diff --git a/manifests/mod/shib.pp b/manifests/mod/shib.pp
@@ -1,60 +1,86 @@
 class apache::mod::shib(
-	$shib_admin			= $apache::serveradmin,
-	$shib_hostname	= $fqdn,
-	$logoLocation		= "/shibboleth-sp/logo.jpg",
-	$styleSheet			= "/shibboleth-sp/main.css",
-	$shib_conf_dir	= '/etc/shibboleth',
-	$shib_conf_file	= 'shibboleth2.xml',
-	$shib_sp_cert		= 'sp-cert.pem',
-	$shib_bin_dir		= '/usr/sbin',
-	$handlerSSL			= 'true'
+  $shib_admin         = $apache::serveradmin,
+  $shib_hostname      = $::fqdn,
+  $logoLocation       = '/shibboleth-sp/logo.jpg',
+  $styleSheet         = '/shibboleth-sp/main.css',
+  $shib_conf_dir      = '/etc/shibboleth',
+  $shib_conf_file     = 'shibboleth2.xml',
+  $shib_sp_cert       = 'sp-cert.pem',
+  $shib_bin_dir       = '/usr/sbin',
+  $handlerSSL         = true,
+  $consistent_address = true
 ){
 
-	$shib_conf = "${shib_conf_dir}/${shib_conf_file}"
-	$mod_shib = 'shib2'
-
-	apache::mod {$mod_shib: }
-
-	file{$shib_conf_dir:
-		ensure	=> directory,
-		require => Apache::Mod[$mod_shib]
-	}
-
-	file{$shib_conf:
-		ensure	=> file,
-		replace	=> false,
-		require => [Apache::Mod[$mod_shib],File[$shib_conf_dir]],
-	}
-
-	augeas{"shib_SPconfig_errors":
-		lens		=> 'Xml.lns',
-		incl		=> $shib_conf,
-		context => "/files${shib_conf}/SPConfig/ApplicationDefaults",
-		changes => [
-			"set Errors/#attribute/supportContact ${shib_admin}",
-			"set Errors/#attribute/logoLocation ${logoLocation}",
-			"set Errors/#attribute/styleSheet ${styleSheet}",
-		],
-		notify	=> Service['httpd'],
-	}
-
-	augeas{"shib_SPconfig_hostname":
-		lens		=> 'Xml.lns',
-		incl		=> $shib_conf,
-		context => "/files${shib_conf}/SPConfig/ApplicationDefaults",
-		changes => [
-			"set #attribute/entityID https://${shib_hostname}/shibboleth",
-			"set Sessions/#attribute/handlerURL https://${shib_hostname}/Shibboleth.sso",
-		],
-		notify	=> Service['httpd'],
-	}
-
-	augeas{"shib_SPconfig_handlerSSL":
-		lens		=> 'Xml.lns',
-		incl		=> $shib_conf,
-		context => "/files${shib_conf}/SPConfig/ApplicationDefaults",
-		changes => ["set Sessions/#attribute/handlerSSL ${handlerSSL}",],
-		notify	=> Service['httpd'],
-	}
+  $shib_conf = "${shib_conf_dir}/${shib_conf_file}"
+  $mod_shib = 'shib2'
+
+  apache::mod {$mod_shib:
+    id => 'mod_shib',
+  }
+
+  # by requiring the Apache::Mod, this should wait for the package
+  # to create the directory and not need to manage it
+  file{$shib_conf_dir:
+    ensure  => 'directory',
+    require => Apache::Mod[$mod_shib]
+  }
+
+  # by requiring the Apache::Mod, this will just define the file
+  # created when installing the package.
+  file{$shib_conf:
+    ensure  => 'file',
+    replace => false,
+    require => [Apache::Mod[$mod_shib],File[$shib_conf_dir]],
+  }
+
+  # augeas should auto-require the file $shib_conf
+  augeas{'shib_SPconfig_errors':
+    lens    => 'Xml.lns',
+    incl    => $shib_conf,
+    context => "/files${shib_conf}/SPConfig/ApplicationDefaults",
+    changes => [
+      "set Errors/#attribute/supportContact ${shib_admin}",
+      "set Errors/#attribute/logoLocation ${logoLocation}",
+      "set Errors/#attribute/styleSheet ${styleSheet}",
+    ],
+    notify  => Service['httpd','shibd'],
+  }
+
+  augeas{'shib_SPconfig_consistent_address':
+    lens    => 'Xml.lns',
+    incl    => $shib_conf,
+    context => "/files${shib_conf}/SPConfig/ApplicationDefaults",
+    changes => [
+      "set Sessions/#attribute/consistentAddress ${consistent_address}",
+    ],
+    notify  => Service['httpd','shibd'],
+  }
+
+  augeas{'shib_SPconfig_hostname':
+    lens    => 'Xml.lns',
+    incl    => $shib_conf,
+    context => "/files${shib_conf}/SPConfig/ApplicationDefaults",
+    changes => [
+      "set #attribute/entityID https://${shib_hostname}/shibboleth",
+      "set Sessions/#attribute/handlerURL https://${shib_hostname}/Shibboleth.sso",
+    ],
+    notify  => Service['httpd','shibd'],
+  }
+
+  augeas{'shib_SPconfig_handlerSSL':
+    lens    => 'Xml.lns',
+    incl    => $shib_conf,
+    context => "/files${shib_conf}/SPConfig/ApplicationDefaults",
+    changes => ["set Sessions/#attribute/handlerSSL ${handlerSSL}",],
+    notify  => Service['httpd','shibd'],
+  }
+
+  service{'shibd':
+    ensure      => 'running',
+    enable      => true,
+    hasrestart  => true,
+    hasstatus   => true,
+    require     => Apache::Mod[$mod_shib],
+  }
 
 }
diff --git a/manifests/mod/shib/attribute_map.pp b/manifests/mod/shib/attribute_map.pp
@@ -1,32 +1,32 @@
+# parameter setup allows an attribute_map to bedownloaded with one name
+# and saved locally by another.
 define apache::mod::shib::attribute_map(
-	$attribute_map_uri,
-	$attribute_map_dir 	= $apache::mod::shib::shib_conf_dir,
-	$attribute_map_name = inline_template("<%= attribute_map_uri.split('/').last  %>"),
-	$max_age	= '21'
+  $attribute_map_uri,
+  $attribute_map_dir  = $::apache::mod::shib::shib_conf_dir,
+  $attribute_map_name = inline_template("<%= attribute_map_uri.split('/').last  %>"),
+  $max_age  = '21'
 ){
 
-	require apache::mod::shib
+  $attribute_map = "${attribute_map_dir}/${attribute_map_name}"
 
-	$attribute_map = "${attribute_map_dir}/${attribute_map_name}"
+  # Download the attribute map, refresh after $max_age days
+  exec{"get_${name}_attribute_map":
+    path    => ['/usr/bin'],
+    command => "wget ${attribute_map_uri} -O ${attribute_map}",
+    unless  => "test `find ${attribute_map} -mtime +${max_age}`",
+    notify  => Service['httpd','shibd'],
+  }
 
-	# Download the attribute map, refresh after $max_age days
-	exec{"get_${name}_attribute_map":
-		path	=> ['/usr/bin'],
-		command => "wget ${attribute_map_uri} -O ${attribute_map}",
-		unless	=> "test `find ${attribute_map} -mtime +${max_age}`",
-		notify	=> Service['httpd'],
-	}
-
-	# Make sure the shibboleth config is pointing at the attribute map
-	augeas{"shib_${name}_attribute_map":
-		lens		=> 'Xml.lns',
-		incl		=> $apache::mod::shib::shib_conf,
-		context => "/files${apache::mod::shib::shib_conf}/SPConfig/ApplicationDefaults",
-		changes => [
-			"set AttributeExtractor/#attribute/path ${attribute_map_name}",
-		],
-		notify	=> Service['httpd'],
-		require => Exec["get_${name}_attribute_map"],
-	}
+  # Make sure the shibboleth config is pointing at the attribute map
+  augeas{"shib_${name}_attribute_map":
+    lens    => 'Xml.lns',
+    incl    => $::apache::mod::shib::shib_conf,
+    context => "/files${::apache::mod::shib::shib_conf}/SPConfig/ApplicationDefaults",
+    changes => [
+      "set AttributeExtractor/#attribute/path ${attribute_map_name}",
+    ],
+    notify  => Service['httpd','shibd'],
+    require => Exec["get_${name}_attribute_map"],
+  }
 
 }
diff --git a/manifests/mod/shib/backend_cert.pp b/manifests/mod/shib/backend_cert.pp
@@ -1,14 +1,18 @@
+# This generates a self signed x509 certificate used to secure connections
+# with a Shibboleth Federation registry. If the key is ever lost or overwritten
+# the certificate will have to be re-registered.
+# Alternativly, the certificate could be deployed from the puppetmaster
 class apache::mod::shib::backend_cert(
-	$sp_hostname		= $apache::mod::shib::shib_hostname
-){
+  $sp_hostname    = $apache::mod::shib::shib_hostname
+) {
 
-	require apache::mod::shib
+  require apache::mod::shib
 
-	$sp_cert = "${apache::mod::shib::shib_conf_dir}/${apache::mod::shib::shib_sp_cert}"
+  $sp_cert = "${::apache::mod::shib::shib_conf_dir}/${::apache::mod::shib::shib_sp_cert}"
 
-	exec{"shib_keygen_${sp_hostname}":
-		path 		=> [$apache::mod::shib::shib_bin_dir,'/usr/bin','/bin'],
-		command	=> "shib-keygen -h ${sp_hostname} -e https://${sp_hostname}/shibbloeth",
-		unless	=> "openssl x509 -noout -in ${sp_cert} -issuer|grep ${sp_hostname}",
-	}
+  exec{"shib_keygen_${sp_hostname}":
+    path    => [$::apache::mod::shib::shib_bin_dir,'/usr/bin','/bin'],
+    command => "shib-keygen -f -h ${sp_hostname} -e https://${sp_hostname}/shibbloeth",
+    unless  => "openssl x509 -noout -in ${sp_cert} -issuer|grep ${sp_hostname}",
+  }
 }
diff --git a/manifests/mod/shib/metadata.pp b/manifests/mod/shib/metadata.pp
@@ -1,60 +1,58 @@
 # Currently this can only create a _single_ metadata provider
 # it will need to be modified to permit multiple metadata providers
 define apache::mod::shib::metadata(
-	$provider_uri,
-	$cert_uri,
-	$backing_file_dir 				= $apache::mod::shib::shib_conf_dir,
-	$backing_file_name 				= inline_template("<%= provider_uri.split('/').last  %>"),
-	$cert_dir									= $apache::mod::shib::shib_conf_dir,
-	$cert_file_name						= inline_template("<%= cert_uri.split('/').last  %>"),
-	$provider_type						= 'XML',
-	$provider_reload_interval	= "7200",
-	$metadata_filter_max_validity_interval	= "2419200"	
+  $provider_uri,
+  $cert_uri,
+  $backing_file_dir         = $::apache::mod::shib::shib_conf_dir,
+  $backing_file_name        = inline_template("<%= provider_uri.split('/').last  %>"),
+  $cert_dir                 = $::apache::mod::shib::shib_conf_dir,
+  $cert_file_name           = inline_template("<%= cert_uri.split('/').last  %>"),
+  $provider_type            = 'XML',
+  $provider_reload_interval = '7200',
+  $metadata_filter_max_validity_interval  = '2419200'
 ){
 
-	require apache::mod::shib
+  $backing_file = "${backing_file_dir}/${backing_file_name}"
+  $cert_file    = "${cert_dir}/${cert_file_name}"
 
-	$backing_file = "${backing_file_dir}/${backing_file_name}"
-	$cert_file		= "${cert_dir}/${cert_file_name}"
+  # Get the Metadata signing certificate
+  exec{"get_${name}_metadata_cert":
+    path    => ['/usr/bin'],
+    command => "wget ${cert_uri} -O ${cert_file}",
+    creates => $cert_file,
+    notify  => Service['httpd','shibd'],
+  }
 
-	# Get the Metadata signing certificate
-	exec{"get_${name}_metadata_cert":
-		path	=> ['/usr/bin'],
-		command => "wget ${cert_uri} -O ${cert_file}",
-		creates => $cert_file,
-		notify	=> Service['httpd'],
-	}
+  # This puts the MetadataProvider entry in the 'right' place
+  augeas{"shib_${name}_create_metadata_provider":
+    lens    => 'Xml.lns',
+    incl    => $::apache::mod::shib::shib_conf,
+    context => "/files${::apache::mod::shib::shib_conf}/SPConfig/ApplicationDefaults",
+    changes => [
+      'ins MetadataProvider after Errors',
+    ],
+    onlyif  => 'match MetadataProvider/#attribute/uri size == 0',
+    notify  => Service['httpd','shibd'],
+    require => Exec["get_${name}_metadata_cert"],
+  }
 
-	# This puts the MetadataProvider entry in the 'right' place
-	augeas{"shib_${name}_create_metadata_provider":
-		lens		=> 'Xml.lns',
-		incl		=> $apache::mod::shib::shib_conf,
-		context => "/files${apache::mod::shib::shib_conf}/SPConfig/ApplicationDefaults",
-		changes => [
-			"ins MetadataProvider after Errors",
-		],
-		onlyif	=> 'match MetadataProvider/#attribute/uri size == 0',
-		notify	=> Service['httpd'],
-		require => Exec["get_${name}_metadata_cert"],
-	}
-
-	# This will update the attributes and child nodes if they change
-	augeas{"shib_${name}_metadata_provider":
-		lens		=> 'Xml.lns',
-		incl		=> $apache::mod::shib::shib_conf,
-		context => "/files${apache::mod::shib::shib_conf}/SPConfig/ApplicationDefaults",
-		changes => [
-			"set MetadataProvider/#attribute/type ${provider_type}",
-			"set MetadataProvider/#attribute/uri ${provider_uri}",
-			"set MetadataProvider/#attribute/backingFilePath ${backing_file}",
-			"set MetadataProvider/#attribute/reloadInterva ${provider_reload_interval}",
-			"set MetadataProvider/MetadataFilter[1]/#attribute/type RequireValidUntil",
-			"set MetadataProvider/MetadataFilter[1]/#attribute/maxValidityInterval ${metadata_filter_max_validity_interval}",
-			"set MetadataProvider/MetadataFilter[2]/#attribute/type Signature",
-			"set MetadataProvider/MetadataFilter[2]/#attribute/certificate ${cert_file}",
-		],
-		notify	=> Service['httpd'],
-		require => [Exec["get_${name}_metadata_cert"],Augeas["shib_${name}_create_metadata_provider"]],
-	}
+  # This will update the attributes and child nodes if they change
+  augeas{"shib_${name}_metadata_provider":
+    lens    => 'Xml.lns',
+    incl    => $::apache::mod::shib::shib_conf,
+    context => "/files${::apache::mod::shib::shib_conf}/SPConfig/ApplicationDefaults",
+    changes => [
+      "set MetadataProvider/#attribute/type ${provider_type}",
+      "set MetadataProvider/#attribute/uri ${provider_uri}",
+      "set MetadataProvider/#attribute/backingFilePath ${backing_file}",
+      "set MetadataProvider/#attribute/reloadInterval ${provider_reload_interval}",
+      'set MetadataProvider/MetadataFilter[1]/#attribute/type RequireValidUntil',
+      "set MetadataProvider/MetadataFilter[1]/#attribute/maxValidityInterval ${metadata_filter_max_validity_interval}",
+      'set MetadataProvider/MetadataFilter[2]/#attribute/type Signature',
+      "set MetadataProvider/MetadataFilter[2]/#attribute/certificate ${cert_file}",
+    ],
+    notify  => Service['httpd','shibd'],
+    require => [Exec["get_${name}_metadata_cert"],Augeas["shib_${name}_create_metadata_provider"]],
+  }
 
 }