add support for require ldap-group

manifests/apache/conf.pp

@@ -51,6 +51,14 @@
 #   (string) Determines if other authentication providers are used when a user can be mapped to a DN but the server cannot bind with the credentials
 #   No default ($::puppetboard::params::ldap_bind_authoritative)
 #
+# [*ldap_require_group]
+#   (bool) LDAP group to require on login
+#   Default to False ($::puppetboard::params::ldap_require_group)
+#
+# [*$ldap_require_group_dn]
+#   (string) LDAP group DN for LDAP group
+#   No default
+#
 # === Notes:
 #
 # Make sure you have purge_configs set to false in your apache class!
@@ -69,7 +77,9 @@
   Optional[String] $ldap_bind_dn            = undef,
   Optional[String] $ldap_bind_password      = undef,
   Optional[String] $ldap_url                = undef,
-  Optional[String] $ldap_bind_authoritative = undef
+  Optional[String] $ldap_bind_authoritative = undef,
+  Boolean $ldap_require_group               = $::puppetboard::params::ldap_require_group,
+  Optional[String] $ldap_require_group_dn   = undef,
 ) inherits ::puppetboard::params {
 
   $docroot = "${basedir}/puppetboard"

manifests/apache/vhost.pp

@@ -71,6 +71,14 @@
 #   (string) Determines if other authentication providers are used 
 #            when a user can be mapped to a DN but the server cannot bind with the credentials
 #   No default ($::puppetboard::params::ldap_bind_authoritative)
+#
+# [*ldap_require_group]
+#   (bool) LDAP group to require on login
+#   Default to False ($::puppetboard::params::ldap_require_group)
+#
+# [*$ldap_require_group_dn]
+#   (string) LDAP group DN for LDAP group
+#   No default
 class puppetboard::apache::vhost (
   String $vhost_name,
   String $wsgi_alias                        = '/',
@@ -88,6 +96,8 @@
   Optional[String] $ldap_bind_password      = undef,
   Optional[String] $ldap_url                = undef,
   Optional[String] $ldap_bind_authoritative = undef,
+  Boolean $ldap_require_group               = $::puppetboard::params::ldap_require_group,
+  Optional[String] $ldap_require_group_dn   = undef,
   Hash $custom_apache_parameters            = {},
 ) inherits ::puppetboard::params {
 

manifests/params.pp

@@ -59,4 +59,5 @@
   $default_environment = 'production'
   $extra_settings = {}
   $enable_ldap_auth = false
+  $ldap_require_group = false
 }

spec/acceptance/class_spec.rb

@@ -126,6 +126,8 @@ class { 'puppetboard::apache::conf':
         ldap_bind_dn => 'cn=user,dc=puppet,dc=example,dc=com',
         ldap_bind_password => 'password',
         ldap_url     => 'ldap://puppet.example.com',
+        ldap_require_group => true,
+        ldap_require_group_dn => 'cn=admins,=cn=groups,dc=puppet,dc=example,dc=com',
       }
       EOS
 
@@ -138,6 +140,7 @@ class { 'puppetboard::apache::conf':
       it { is_expected.to contain 'AuthBasicProvider ldap' }
       it { is_expected.to contain 'AuthLDAPBindDN "cn=user,dc=puppet,dc=example,dc=com"' }
       it { is_expected.to contain 'AuthLDAPURL "ldap://puppet.example.com"' }
+      it { is_expected.to contain 'Require ldap-group "cn=admins,=cn=groups,dc=puppet,dc=example,dc=com"' }
     end
     describe file('/srv/puppetboard/puppetboard/settings.py') do
       it { is_expected.to contain "PUPPETDB_KEY = '/var/lib/puppet/ssl/private_keys/test.networkninjas.net.pem'" }

templates/apache/conf.erb

@@ -32,6 +32,10 @@ WSGIScriptAlias <%= @wsgi_alias -%> <%= @docroot -%>/wsgi.py
    <%- if @ldap_bind_authoritative -%>
    AuthLDAPBindAuthoritative <%= @ldap_bind_authoritative -%>
    <%- end -%>
+   <% if @ldap_require_group -%>
+   Require ldap-group "<%= @ldap_require_group_dn -%>"
+   <% else %>
    Require valid-user
+   <% end %>
 </LocationMatch>
 <% end -%>

templates/apache/ldap.erb

@@ -17,5 +17,10 @@
    <%- if @ldap_bind_authoritative -%>
    AuthLDAPBindAuthoritative <%= @ldap_bind_authoritative -%>
    <%- end -%>
+   <% if @ldap_require_group -%>
+   Require ldap-group "<%= ldap_require_group_dn -%>"
+   <% else %>
    Require valid-user
+   <% end %>
+
 </LocationMatch>