Add ldap support

README.md

@@ -268,7 +268,6 @@ class { 'puppetboard':
   puppetdb_host     => 'puppetdb.example.com',
   puppetdb_port     => '8081',
   puppetdb_key      => "${ssl_dir}/private_keys/${puppetboard_certname}.pem",
-  puppetdb_ssl      => "${ssl_dir}/certs/ca.pem",
   puppetdb_cert     => "${ssl_dir}/certs/${puppetboard_certname}.pem",
 }
 ```

manifests/apache/conf.pp

@@ -31,6 +31,26 @@
 #   (string) Base directory where to build puppetboard vcsrepo and python virtualenv.
 #   Defaults to '/srv/puppetboard' ($::puppetboard::params::basedir)
 #
+# [*enable_ldap_auth]
+#   (bool) Whether to enable LDAP auth
+#   Defaults to False ($::puppetboard::params::enable_ldap_auth)
+#
+# [*ldap_bind_dn]
+#   (string) LDAP Bind DN
+#   No default ($::puppetboard::params::ldap_bind_dn)
+#
+# [*ldap_bind_password]
+#   (string) LDAP password
+#   No default ($::puppetboard::params::ldap_bind_password)
+#
+# [*ldap_url]
+#   (string) LDAP connection string
+#   No default ($::puppetboard::params::ldap_url)
+#
+# [*ldap_bind_authoritative]
+#   (string) Determines if other authentication providers are used when a user can be mapped to a DN but the server cannot bind with the credentials
+#   No default ($::puppetboard::params::ldap_bind_authoritative)
+#
 # === Notes:
 #
 # Make sure you have purge_configs set to false in your apache class!
@@ -39,12 +59,18 @@
 # a WSGIApplicationGroup of %{GLOBAL}.
 #
 class puppetboard::apache::conf (
-  $wsgi_alias = '/puppetboard',
-  $threads    = 5,
-  $max_reqs   = 0,
-  $user       = $::puppetboard::params::user,
-  $group      = $::puppetboard::params::group,
-  $basedir    = $::puppetboard::params::basedir,
+  $wsgi_alias               = '/puppetboard',
+  $threads                  = 5,
+  $max_reqs                 = 0,
+  $user                     = $::puppetboard::params::user,
+  $group                    = $::puppetboard::params::group,
+  $basedir                  = $::puppetboard::params::basedir,
+  $enable_ldap_auth         = $::puppetboard::params::enable_ldap_auth,
+  $ldap_bind_dn             = $::puppetboard::params::ldap_bind_dn,
+  $ldap_bind_password       = $::puppetboard::params::ldap_bind_password,
+  $ldap_url                 = $::puppetboard::params::ldap_url,
+  $ldap_bind_authoritative  = $::puppetboard::params::ldap_bind_authoritative
+
 ) inherits ::puppetboard::params {
 
   $docroot = "${basedir}/puppetboard"

manifests/apache/vhost.pp

@@ -51,18 +51,44 @@
 #   (string) Sets the Apache AllowOverride value
 #   Defaults to 'None' ($::puppetboard::params::apache_override)
 #
+# [*enable_ldap_auth]
+#   (bool) Whether to enable LDAP auth
+#   Defaults to False ($::puppetboard::params::enable_ldap_auth)
+#
+# [*ldap_bind_dn]
+#   (string) LDAP Bind DN
+#   No default ($::puppetboard::params::ldap_bind_dn)
+#
+# [*ldap_bind_password]
+#   (string) LDAP password
+#   No default ($::puppetboard::params::ldap_bind_password)
+#
+# [*ldap_url]
+#   (string) LDAP connection string
+#   No default ($::puppetboard::params::ldap_url)
+#
+# [*ldap_bind_authoritative]
+#   (string) Determines if other authentication providers are used 
+#            when a user can be mapped to a DN but the server cannot bind with the credentials
+#   No default ($::puppetboard::params::ldap_bind_authoritative)
 class puppetboard::apache::vhost (
   $vhost_name,
-  $wsgi_alias  = '/',
-  $port        = 5000,
-  $ssl         = false,
-  $ssl_cert    = undef,
-  $ssl_key     = undef,
-  $threads     = 5,
-  $user        = $::puppetboard::params::user,
-  $group       = $::puppetboard::params::group,
-  $basedir     = $::puppetboard::params::basedir,
-  $override    = $::puppetboard::params::apache_override
+  $wsgi_alias               = '/',
+  $port                     = 5000,
+  $ssl                      = false,
+  $ssl_cert                 = undef,
+  $ssl_key                  = undef,
+  $threads                  = 5,
+  $user                     = $::puppetboard::params::user,
+  $group                    = $::puppetboard::params::group,
+  $basedir                  = $::puppetboard::params::basedir,
+  $override                 = $::puppetboard::params::apache_override,
+  $enable_ldap_auth         = $::puppetboard::params::enable_ldap_auth,
+  $ldap_bind_dn             = $::puppetboard::params::ldap_bind_dn,
+  $ldap_bind_password       = $::puppetboard::params::ldap_bind_password,
+  $ldap_url                 = $::puppetboard::params::ldap_url,
+  $ldap_bind_authoritative  = $::puppetboard::params::ldap_bind_authoritative
+
 ) inherits ::puppetboard::params {
 
   $docroot = "${basedir}/puppetboard"
@@ -91,18 +117,35 @@
     ],
   }
 
+  if $enable_ldap_auth {
+    $ldap_additional_includes = [ "${::puppetboard::params::apache_confd}/puppetboard-ldap.conf" ]
+    $ldap_require = File["${::puppetboard::params::apache_confd}/puppetboard-ldap.conf"]
+    file { "${::puppetboard::params::apache_confd}/puppetboard-ldap.conf":
+      ensure  => present,
+      owner   => 'root',
+      group   => 'root',
+      content => template('puppetboard/apache/ldap.erb'),
+      require => File["${docroot}/wsgi.py"],
+      notify  => Service[$::puppetboard::params::apache_service],
+    }
+  }
+  else {
+    $ldap_additional_includes = undef
+    $ldap_require = undef
+  }
   ::apache::vhost { $vhost_name:
     port                        => $port,
     docroot                     => $docroot,
     ssl                         => $ssl,
     ssl_cert                    => $ssl_cert,
     ssl_key                     => $ssl_key,
+    additional_includes         => $ldap_additional_includes,
     wsgi_daemon_process         => $user,
     wsgi_process_group          => $group,
     wsgi_script_aliases         => $wsgi_script_aliases,
     wsgi_daemon_process_options => $wsgi_daemon_process_options,
     override                    => $override,
-    require                     => File["${docroot}/wsgi.py"],
+    require                     => [ File["${docroot}/wsgi.py"], $ldap_require ],
     notify                      => Service[$::puppetboard::params::apache_service],
   }
 

manifests/params.pp

@@ -36,7 +36,6 @@
   $groups = undef
   $basedir = '/srv/puppetboard'
   $git_source = 'https://github.com/voxpupuli/puppetboard'
-
   $puppetdb_host = 'localhost'
   $puppetdb_port = 8080
   $puppetdb_key = undef
@@ -60,4 +59,9 @@
   $apache_override = 'None'
   $default_environment = 'production'
   $extra_settings = {}
+  $enable_ldap_auth = false
+  $ldap_bind_dn = undef
+  $ldap_bind_password = undef
+  $ldap_url = undef
+  $ldap_bind_authoritative = undef
 }

spec/acceptance/class_spec.rb

@@ -117,4 +117,50 @@ class { 'puppetboard':
       it { should contain "PUPPETDB_CERT = '/var/lib/puppet/ssl/certs/test.networkninjas.net.pem'" }
     end
   end
+
+  context 'default parameters' do
+    hosts.each do |host|
+      if fact('osfamily') == 'RedHat'
+        if fact('architecture') == 'amd64'
+          on host, 'wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm; rpm -ivh epel-release-6-8.noarch.rpm'
+        else
+          on host, 'wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm; rpm -ivh epel-release-6-8.noarch.rpm'
+        end
+      end
+      on host, 'puppet module install puppetlabs/apache'
+      install_package host, 'python-virtualenv'
+      install_package host, 'git'
+    end
+
+    it 'works with no errors' do
+      pp = <<-EOS
+      class { 'puppetboard':
+        manage_virtualenv => true,
+        puppetdb_host => 'puppet.example.com',
+        puppetdb_port => '8081',
+        puppetdb_key  => "/var/lib/puppet/ssl/private_keys/test.networkninjas.net.pem",
+        puppetdb_ssl_verify => 'True',
+        puppetdb_cert => "/var/lib/puppet/ssl/certs/test.networkninjas.net.pem",
+        enable_ldap_auth => true,
+        ldap_bind_dn => 'cn=user,dc=puppet,dc=example,dc=com',
+        ldap_bind_password => 'password',
+        ldap_url     => 'ldap://puppet.example.com',
+      }
+      EOS
+
+      # Run it twice and test for idempotency
+      apply_manifest(pp, catch_failures: true)
+      apply_manifest(pp, catch_failures: true)
+    end
+
+    describe file('/etc/httpd/conf.d/puppetboard-ldap.conf') do
+      it { should contain 'AuthBasicProvider ldap' }
+      it { should contain 'AuthLDAPBindDN "cn=user,dc=puppet,dc=example,dc=com"' }
+      it { should contain 'AuthLDAPURL "ldap://puppet.example.com"' }
+    end
+    describe file('/srv/puppetboard/puppetboard/settings.py') do
+      it { should contain "PUPPETDB_KEY = '/var/lib/puppet/ssl/private_keys/test.networkninjas.net.pem'" }
+      it { should contain "PUPPETDB_CERT = '/var/lib/puppet/ssl/certs/test.networkninjas.net.pem'" }
+    end
+  end
 end

templates/apache/conf.erb

@@ -7,3 +7,27 @@ WSGIScriptAlias <%= @wsgi_alias -%> <%= @docroot -%>/wsgi.py
     Order deny,allow
     Allow from all
 </Directory>
+## Puppet data <%= @ldap_bind_dn -%>
+<% if @enable_ldap_auth != false %> 
+<LocationMatch ^/puppetboard>
+   AuthType Basic
+   AuthName "Login to puppetboard"
+   Order Allow,Deny
+   Allow from All
+
+   AuthBasicProvider ldap
+   <% if @ldap_bind_dn != false %> 
+   AuthLDAPBindDN <%= @ldap_bind_dn -%>
+   <% end %>
+   <% if @ldap_bind_password != false %> 
+   AuthLDAPBindPassword <%= @ldap_bind_password -%>
+   <% end %>
+   <% if @ldap_url != false %> 
+   AuthLDAPURL <%= @ldap_url -%>
+   <% end %>
+   <% if @ldap_bind_authoritative != false %> 
+   AuthLDAPBindAuthoritative <%= @ldap_bind_authoritative -%>
+   <% end %>
+   Require valid-user
+</LocationMatch>
+<% end %>

templates/apache/ldap.erb

@@ -0,0 +1,21 @@
+<LocationMatch ^/>
+   AuthType Basic
+   AuthName "Login to puppetboard"
+   Order Allow,Deny
+   Allow from All
+
+   AuthBasicProvider ldap
+   <% if @ldap_bind_dn != false %> 
+   AuthLDAPBindDN <%= @ldap_bind_dn -%>
+   <% end %>
+   <% if @ldap_bind_password != false %> 
+   AuthLDAPBindPassword <%= @ldap_bind_password -%>
+   <% end %>
+   <% if @ldap_url != false %> 
+   AuthLDAPURL <%= @ldap_url -%>
+   <% end %>
+   <% if @ldap_bind_authoritative != false %> 
+   AuthLDAPBindAuthoritative <%= @ldap_bind_authoritative -%>
+   <% end %>
+   Require valid-user
+</LocationMatch>