Ldap group (#1)
* add support for require ldap-group

* add tests for require ldap-group
swenske authored Dec 12, 2018
1 parent 8070c10 commit d769cb7
Showing 6 changed files with 85 additions and 10 deletions.
20 changes: 15 additions & 5 deletions manifests/apache/conf.pp
Expand Up @@ -51,6 +51,14 @@
# (string) Determines if other authentication providers are used when a user can be mapped to a DN but the server cannot bind with the credentials
# No default ($::puppetboard::params::ldap_bind_authoritative)
#
# [*ldap_require_group]
# (bool) LDAP group to require on login
# Default to False ($::puppetboard::params::ldap_require_group)
#
# [*$ldap_require_group_dn]
# (string) LDAP group DN for LDAP group
# No default
#
# === Notes:
#
# Make sure you have purge_configs set to false in your apache class!
Expand All @@ -62,14 +70,16 @@
String $wsgi_alias = '/puppetboard',
Integer $threads = 5,
Integer $max_reqs = 0,
String $user = $::puppetboard::params::user,
String $group = $::puppetboard::params::group,
Stdlib::AbsolutePath $basedir = $::puppetboard::params::basedir,
Boolean $enable_ldap_auth = $::puppetboard::params::enable_ldap_auth,
String $user = $puppetboard::params::user,
String $group = $puppetboard::params::group,
Stdlib::AbsolutePath $basedir = $puppetboard::params::basedir,
Boolean $enable_ldap_auth = $puppetboard::params::enable_ldap_auth,
Optional[String] $ldap_bind_dn = undef,
Optional[String] $ldap_bind_password = undef,
Optional[String] $ldap_url = undef,
Optional[String] $ldap_bind_authoritative = undef
Optional[String] $ldap_bind_authoritative = undef,
Boolean $ldap_require_group = $puppetboard::params::ldap_require_group,
Optional[String] $ldap_require_group_dn = undef,
) inherits ::puppetboard::params {

$docroot = "${basedir}/puppetboard"
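Review bot: Nothing stops `ldap_require_group => true` from being combined with the default `ldap_require_group_dn => undef`, and the template this commit adds then renders `Require ldap-group ""` instead of either a group restriction or `Require valid-user`. The class body lies outside this hunk, but a guard after the parameter list such as `if $ldap_require_group and !$ldap_require_group_dn { fail('ldap_require_group_dn must be set when ldap_require_group is true') }` would turn that misconfiguration into a catalog compile error; the same applies to puppetboard::apache::vhost in manifests/apache/vhost.pp. The parameter doc for `ldap_require_group` also describes a string ("LDAP group to require on login") although the type is Boolean; `# (bool) Whether to restrict access to members of the group named by ldap_require_group_dn instead of any valid user` would match what the template does. The `[*$ldap_require_group_dn]` heading carries a stray `$` that the other parameter entries do not.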
20 changes: 15 additions & 5 deletions manifests/apache/vhost.pp
Expand Up @@ -71,6 +71,14 @@
# (string) Determines if other authentication providers are used
# when a user can be mapped to a DN but the server cannot bind with the credentials
# No default ($::puppetboard::params::ldap_bind_authoritative)
#
# [*ldap_require_group]
# (bool) LDAP group to require on login
# Default to False ($::puppetboard::params::ldap_require_group)
#
# [*$ldap_require_group_dn]
# (string) LDAP group DN for LDAP group
# No default
class puppetboard::apache::vhost (
String $vhost_name,
String $wsgi_alias = '/',
Expand All @@ -79,15 +87,17 @@
Optional[Stdlib::AbsolutePath] $ssl_cert = undef,
Optional[Stdlib::AbsolutePath] $ssl_key = undef,
Integer $threads = 5,
String $user = $::puppetboard::params::user,
String $group = $::puppetboard::params::group,
Stdlib::AbsolutePath $basedir = $::puppetboard::params::basedir,
String $override = $::puppetboard::params::apache_override,
Boolean $enable_ldap_auth = $::puppetboard::params::enable_ldap_auth,
String $user = $puppetboard::params::user,
String $group = $puppetboard::params::group,
Stdlib::AbsolutePath $basedir = $puppetboard::params::basedir,
String $override = $puppetboard::params::apache_override,
Boolean $enable_ldap_auth = $puppetboard::params::enable_ldap_auth,
Optional[String] $ldap_bind_dn = undef,
Optional[String] $ldap_bind_password = undef,
Optional[String] $ldap_url = undef,
Optional[String] $ldap_bind_authoritative = undef,
Boolean $ldap_require_group = $puppetboard::params::ldap_require_group,
Optional[String] $ldap_require_group_dn = undef,
Hash $custom_apache_parameters = {},
) inherits ::puppetboard::params {

1 change: 1 addition & 0 deletions manifests/params.pp
Expand Up @@ -59,4 +59,5 @@
$default_environment = 'production'
$extra_settings = {}
$enable_ldap_auth = false
$ldap_require_group = false
}
45 changes: 45 additions & 0 deletions spec/acceptance/class_spec.rb
Expand Up @@ -144,4 +144,49 @@ class { 'puppetboard::apache::conf':
it { is_expected.to contain "PUPPETDB_CERT = '/var/lib/puppet/ssl/certs/test.networkninjas.net.pem'" }
end
end

context 'AUTH ldap-group' do
it 'works with no errors' do
pp = <<-EOS
if $facts['os']['family'] == 'RedHat' {
include epel
}
# Configure Apache on this server
class { 'apache': }
class { 'apache::mod::wsgi': }
class { 'apache::mod::authnz_ldap': }
-> class { 'puppetboard':
manage_virtualenv => true,
puppetdb_host => 'puppet.example.com',
puppetdb_port => 8081,
puppetdb_key => "/var/lib/puppet/ssl/private_keys/test.networkninjas.net.pem",
puppetdb_ssl_verify => true,
puppetdb_cert => "/var/lib/puppet/ssl/certs/test.networkninjas.net.pem",
}
class { 'puppetboard::apache::conf':
enable_ldap_auth => true,
ldap_bind_dn => 'cn=user,dc=puppet,dc=example,dc=com',
ldap_bind_password => 'password',
ldap_url => 'ldap://puppet.example.com',
ldap_require_group => true,
ldap_require_group_dn => 'cn=admins,=cn=groups,dc=puppet,dc=example,dc=com',
}
EOS

# Run it twice and test for idempotency
apply_manifest(pp, catch_failures: true)
apply_manifest(pp, catch_failures: true)
end

describe file(apache_conf_file) do
it { is_expected.to contain 'AuthBasicProvider ldap' }
it { is_expected.to contain 'AuthLDAPBindDN "cn=user,dc=puppet,dc=example,dc=com"' }
it { is_expected.to contain 'AuthLDAPURL "ldap://puppet.example.com"' }
it { is_expected.to contain 'Require ldap-group "cn=admins,=cn=groups,dc=puppet,dc=example,dc=com"' }
end
describe file('/srv/puppetboard/puppetboard/settings.py') do
it { is_expected.to contain "PUPPETDB_KEY = '/var/lib/puppet/ssl/private_keys/test.networkninjas.net.pem'" }
it { is_expected.to contain "PUPPETDB_CERT = '/var/lib/puppet/ssl/certs/test.networkninjas.net.pem'" }
end
end
end
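Review bot: The group DN at `ldap_require_group_dn => 'cn=admins,=cn=groups,dc=puppet,dc=example,dc=com'` contains a malformed RDN (`=cn=groups`), and the `Require ldap-group` assertion repeats it, so the test pins a value no directory would accept. It still passes because the acceptance run only checks that the literal appears in the Apache config; changing both occurrences to `cn=admins,cn=groups,dc=puppet,dc=example,dc=com` keeps the example meaningful. This context also exercises only puppetboard::apache::conf, so the ldap-group branch added to templates/apache/ldap.erb for the vhost class has no coverage, and a sibling context applying puppetboard::apache::vhost with `ldap_require_group => true` would catch rendering errors in that template.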
4 changes: 4 additions & 0 deletions templates/apache/conf.erb
Expand Up @@ -32,6 +32,10 @@ WSGIScriptAlias <%= @wsgi_alias -%> <%= @docroot -%>/wsgi.py
<%- if @ldap_bind_authoritative -%>
AuthLDAPBindAuthoritative <%= @ldap_bind_authoritative -%>
<%- end -%>
<% if @ldap_require_group -%>
Require ldap-group "<%= @ldap_require_group_dn -%>"
<% else %>
Require valid-user
<% end %>
</LocationMatch>
<% end -%>
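Review bot: The new tags use `<% if`, `<% else %>` and `<% end %>` while the surrounding block consistently uses `<%- … -%>`, and the two closing tags without `-%>` each leave an empty line in the rendered config; `<%- if @ldap_require_group -%>`, `<%- else -%>` and `<%- end -%>` would match the file's style and avoid the stray newlines. With `@ldap_require_group` true and `@ldap_require_group_dn` unset the branch also emits `Require ldap-group ""`, which is neither a group restriction nor `Require valid-user`; rejecting that combination belongs in the manifest, so it is worth confirming the classes do so.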
5 changes: 5 additions & 0 deletions templates/apache/ldap.erb
Expand Up @@ -17,5 +17,10 @@
<%- if @ldap_bind_authoritative -%>
AuthLDAPBindAuthoritative <%= @ldap_bind_authoritative -%>
<%- end -%>
<% if @ldap_require_group -%>
Require ldap-group "<%= ldap_require_group_dn -%>"
<% else %>
Require valid-user
<% end %>

</LocationMatch>
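Review bot: `Require ldap-group "<%= ldap_require_group_dn -%>"` references the variable without the `@` prefix, unlike every other variable in this template (`@ldap_bind_authoritative` two lines above); Puppet exposes class parameters to ERB as instance variables, so this is likely to fail with an undefined local variable error as soon as `ldap_require_group` is true, and it should read `Require ldap-group "<%= @ldap_require_group_dn -%>"`. The acceptance test added in this commit only covers the conf.pp path, which is why this goes unnoticed. As in templates/apache/conf.erb, the `<% else %>` and `<% end %>` tags lack the `-%>` the rest of the template uses and will add blank lines to the output.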
