diff --git a/manifests/apache/conf.pp b/manifests/apache/conf.pp
index 2533abe4..ad353b84 100644
--- a/manifests/apache/conf.pp
+++ b/manifests/apache/conf.pp
@@ -51,6 +51,14 @@
 # (string) Determines if other authentication providers are used when a user can be mapped to a DN but the server cannot bind with the credentials
 # No default ($::puppetboard::params::ldap_bind_authoritative)
 #
+# [*ldap_require_group]
+# (bool) LDAP group to require on login
+# Default to False ($::puppetboard::params::ldap_require_group)
+#
+# [*$ldap_require_group_dn]
+# (string) LDAP group DN for LDAP group
+# No default
+#
 # === Notes:
 #
 # Make sure you have purge_configs set to false in your apache class!
@@ -62,14 +70,16 @@
 String $wsgi_alias = '/puppetboard',
 Integer $threads = 5,
 Integer $max_reqs = 0,
- String $user = $::puppetboard::params::user,
- String $group = $::puppetboard::params::group,
- Stdlib::AbsolutePath $basedir = $::puppetboard::params::basedir,
- Boolean $enable_ldap_auth = $::puppetboard::params::enable_ldap_auth,
+ String $user = $puppetboard::params::user,
+ String $group = $puppetboard::params::group,
+ Stdlib::AbsolutePath $basedir = $puppetboard::params::basedir,
+ Boolean $enable_ldap_auth = $puppetboard::params::enable_ldap_auth,
 Optional[String] $ldap_bind_dn = undef,
 Optional[String] $ldap_bind_password = undef,
 Optional[String] $ldap_url = undef,
- Optional[String] $ldap_bind_authoritative = undef
+ Optional[String] $ldap_bind_authoritative = undef,
+ Boolean $ldap_require_group = $puppetboard::params::ldap_require_group,
+ Optional[String] $ldap_require_group_dn = undef,
 ) inherits ::puppetboard::params {
 $docroot = "${basedir}/puppetboard"
diff --git a/manifests/apache/vhost.pp b/manifests/apache/vhost.pp
index 2a73ac19..4ba2b2bb 100644
--- a/manifests/apache/vhost.pp
+++ b/manifests/apache/vhost.pp
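Review bot: The new doc entries in the first hunk carry two markup slips and a misleading description: `[*ldap_require_group]` lacks the closing `*` every other entry uses, and `[*$ldap_require_group_dn]` has a stray `$` before the name. `(bool) LDAP group to require on login` describes a toggle as if it were a group. I would write `# (bool) When true, require membership of ldap_require_group_dn instead of any valid user` for the first and `# (string) Full DN of the LDAP group to require; must be set when ldap_require_group is true` for the second, since the dependency between the two is the one thing a caller needs to know.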
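Review bot: The parameter list in the second hunk accepts `ldap_require_group => true` together with `ldap_require_group_dn => undef`, and nothing rejects the combination; `Optional[String]` cannot express the dependency, and the body of `puppetboard::apache::conf` that could check it continues outside the hunk. A guard right after the parameter list, `if $ldap_require_group and !$ldap_require_group_dn { fail('puppetboard::apache::conf: ldap_require_group_dn is required when ldap_require_group is true') }`, turns a mis-rendered `Require ldap-group` directive into a compile-time error instead of a runtime authorization surprise. The same check belongs in `puppetboard::apache::vhost`, which gains the identical pair of parameters in this commit.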
@@ -71,6 +71,14 @@
 # (string) Determines if other authentication providers are used
 # when a user can be mapped to a DN but the server cannot bind with the credentials
 # No default ($::puppetboard::params::ldap_bind_authoritative)
+#
+# [*ldap_require_group]
+# (bool) LDAP group to require on login
+# Default to False ($::puppetboard::params::ldap_require_group)
+#
+# [*$ldap_require_group_dn]
+# (string) LDAP group DN for LDAP group
+# No default
 class puppetboard::apache::vhost (
 String $vhost_name,
 String $wsgi_alias = '/',
@@ -79,15 +87,17 @@
 Optional[Stdlib::AbsolutePath] $ssl_cert = undef,
 Optional[Stdlib::AbsolutePath] $ssl_key = undef,
 Integer $threads = 5,
- String $user = $::puppetboard::params::user,
- String $group = $::puppetboard::params::group,
- Stdlib::AbsolutePath $basedir = $::puppetboard::params::basedir,
- String $override = $::puppetboard::params::apache_override,
- Boolean $enable_ldap_auth = $::puppetboard::params::enable_ldap_auth,
+ String $user = $puppetboard::params::user,
+ String $group = $puppetboard::params::group,
+ Stdlib::AbsolutePath $basedir = $puppetboard::params::basedir,
+ String $override = $puppetboard::params::apache_override,
+ Boolean $enable_ldap_auth = $puppetboard::params::enable_ldap_auth,
 Optional[String] $ldap_bind_dn = undef,
 Optional[String] $ldap_bind_password = undef,
 Optional[String] $ldap_url = undef,
 Optional[String] $ldap_bind_authoritative = undef,
+ Boolean $ldap_require_group = $puppetboard::params::ldap_require_group,
+ Optional[String] $ldap_require_group_dn = undef,
 Hash $custom_apache_parameters = {},
 ) inherits ::puppetboard::params {
diff --git a/manifests/params.pp b/manifests/params.pp
index cee39cd0..c8386d97 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -59,4 +59,5 @@
 $default_environment = 'production'
 $extra_settings = {}
 $enable_ldap_auth = false
+ $ldap_require_group = false
 }
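Review bot: `puppetboard::apache::vhost` now takes the same `ldap_require_group`/`ldap_require_group_dn` pair as the conf class, but the second hunk's parameter list still admits `ldap_require_group => true` with the DN left at `undef`, and the class body where that could be refused continues beyond the hunk. Add `if $ldap_require_group and !$ldap_require_group_dn { fail('puppetboard::apache::vhost: ldap_require_group_dn is required when ldap_require_group is true') }` after the parameter list so the misconfiguration fails at catalog compile rather than producing an empty group DN in the vhost. The doc block in the first hunk repeats the conf.pp markup slips: `[*ldap_require_group]` is missing its closing `*` and `[*$ldap_require_group_dn]` has a stray `$`; `# (bool) When true, require membership of ldap_require_group_dn instead of any valid user` says what the toggle actually does.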
diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb
index cf1ed9ec..41aa3c70 100644
--- a/spec/acceptance/class_spec.rb
+++ b/spec/acceptance/class_spec.rb
@@ -144,4 +144,49 @@ class { 'puppetboard::apache::conf':
 it { is_expected.to contain "PUPPETDB_CERT = '/var/lib/puppet/ssl/certs/test.networkninjas.net.pem'" }
 end
 end
+
+ context 'AUTH ldap-group' do
+ it 'works with no errors' do
+ pp = <<-EOS
+ if $facts['os']['family'] == 'RedHat' {
+ include epel
+ }
+ # Configure Apache on this server
+ class { 'apache': }
+ class { 'apache::mod::wsgi': }
+ class { 'apache::mod::authnz_ldap': }
+ -> class { 'puppetboard':
+ manage_virtualenv => true,
+ puppetdb_host => 'puppet.example.com',
+ puppetdb_port => 8081,
+ puppetdb_key => "/var/lib/puppet/ssl/private_keys/test.networkninjas.net.pem",
+ puppetdb_ssl_verify => true,
+ puppetdb_cert => "/var/lib/puppet/ssl/certs/test.networkninjas.net.pem",
+ }
+ class { 'puppetboard::apache::conf':
+ enable_ldap_auth => true,
+ ldap_bind_dn => 'cn=user,dc=puppet,dc=example,dc=com',
+ ldap_bind_password => 'password',
+ ldap_url => 'ldap://puppet.example.com',
+ ldap_require_group => true,
+ ldap_require_group_dn => 'cn=admins,=cn=groups,dc=puppet,dc=example,dc=com',
+ }
+ EOS
+
+ # Run it twice and test for idempotency
+ apply_manifest(pp, catch_failures: true)
+ apply_manifest(pp, catch_failures: true)
+ end
+
+ describe file(apache_conf_file) do
+ it { is_expected.to contain 'AuthBasicProvider ldap' }
+ it { is_expected.to contain 'AuthLDAPBindDN "cn=user,dc=puppet,dc=example,dc=com"' }
+ it { is_expected.to contain 'AuthLDAPURL "ldap://puppet.example.com"' }
+ it { is_expected.to contain 'Require ldap-group "cn=admins,=cn=groups,dc=puppet,dc=example,dc=com"' }
+ end
+ describe file('/srv/puppetboard/puppetboard/settings.py') do
+ it { is_expected.to contain "PUPPETDB_KEY = '/var/lib/puppet/ssl/private_keys/test.networkninjas.net.pem'" }
+ it { is_expected.to contain "PUPPETDB_CERT = '/var/lib/puppet/ssl/certs/test.networkninjas.net.pem'" }
+ end
+ end
 end
diff --git a/templates/apache/conf.erb b/templates/apache/conf.erb
index 69a2f90a..427f1431 100644
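Review bot: The fixture DN `cn=admins,=cn=groups,dc=puppet,dc=example,dc=com` is not a well-formed DN (the `=cn=groups` RDN has an empty attribute type), and because the `describe file(apache_conf_file)` block only greps the same string back out of the rendered conf, the case passes while asserting a `Require ldap-group` directive a directory would presumably reject as malformed. Use `cn=admins,cn=groups,dc=puppet,dc=example,dc=com` in both the manifest and the expectation so the test documents a directive that can actually match. The case also exercises only `puppetboard::apache::conf`; `puppetboard::apache::vhost` gains the same `ldap_require_group` parameters in this commit and renders a different template, yet has no ldap-group acceptance case, so a rendering error on that path would go unnoticed here.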
--- a/templates/apache/conf.erb
+++ b/templates/apache/conf.erb
@@ -32,6 +32,10 @@ WSGIScriptAlias <%= @wsgi_alias -%> <%= @docroot -%>/wsgi.py
 <%- if @ldap_bind_authoritative -%>
 AuthLDAPBindAuthoritative <%= @ldap_bind_authoritative -%>
 <%- end -%>
+ <% if @ldap_require_group -%>
+ Require ldap-group "<%= @ldap_require_group_dn -%>"
+ <% else %>
 Require valid-user
+ <% end %>
 <% end -%>
diff --git a/templates/apache/ldap.erb b/templates/apache/ldap.erb
index 9d07be17..7c8ed22b 100644
--- a/templates/apache/ldap.erb
+++ b/templates/apache/ldap.erb
@@ -17,5 +17,10 @@
 <%- if @ldap_bind_authoritative -%>
 AuthLDAPBindAuthoritative <%= @ldap_bind_authoritative -%>
 <%- end -%>
+ <% if @ldap_require_group -%>
+ Require ldap-group "<%= ldap_require_group_dn -%>"
+ <% else %>
 Require valid-user
+ <% end %>
+
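Review bot: With `@ldap_require_group` true and `@ldap_require_group_dn` unset, the new branch in conf.erb renders `Require ldap-group ""` — the conf class declares the DN as `Optional[String] ... = undef`, so nothing prevents that — and the outcome is whatever mod_authnz_ldap makes of an empty group DN, most likely every user denied, surfacing as a locked-out dashboard rather than a clear error. Do not paper over it by falling back to `Require valid-user` in the template, since that would silently widen access from one group to any bound user; the manifest should `fail()` when the DN is missing, and the template can keep the simple branch. Separately, `<% else %>` and `<% end %>` are the only tags in the hunk without the `-%>` trailing-newline trim, so the rendered block gains stray blank lines; `<% else -%>` and `<% end -%>` match the neighbouring lines. The block closed by the trailing `<% end -%>` opens above the hunk.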
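Review bot: `<%= ldap_require_group_dn -%>` on the new `Require ldap-group` line in ldap.erb is missing the `@` sigil; Puppet exposes class parameters to ERB as instance variables, so the bare name is resolved as a Ruby local or method and the template should raise an undefined-name error as soon as `puppetboard::apache::vhost` is used with `ldap_require_group => true`, a path no acceptance case in this commit exercises. The line should read `Require ldap-group "<%= @ldap_require_group_dn -%>"`, matching conf.erb. As in conf.erb, `<% else %>` and `<% end %>` lack the `-%>` trim used on the surrounding tags, and the same empty-DN rendering applies when the vhost class is given `ldap_require_group => true` without a DN.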