voxpupuli · bastelfreak · Jul 11, 2016 · Jul 5, 2016 · Jul 5, 2016 · Jul 11, 2016
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,6 +16,7 @@
 - Add param to configure service state [\#223](https://github.com/voxpupuli/puppet-rundeck/pull/223) ([danifr](https://github.com/danifr))
 - Do not write non-existent mail configuration [\#234](https://github.com/voxpupuli/puppet-rundeck/pull/234) ([ak0ska](https://github.com/ak0ska))
 - Added option to template : 'forceBindingLoginUseRootContextForRoles' [\#228](https://github.com/voxpupuli/puppet-rundeck/pull/228) ([zlanyi](https://github.com/zlanyi))
+- Add support for more security role in web.xml [\#250](https://github.com/voxpupuli/puppet-rundeck/pull/250) ([zlanyi](https://github.com/zlanyi))
 
 #### Bugfixes
 - Fix\(validate\_rd\_policy\) expand relative path for require [\#201](https://github.com/voxpupuli/puppet-rundeck/pull/201) ([igalic](https://github.com/igalic))

diff --git a/README.md b/README.md
@@ -119,6 +119,12 @@ A hash of the rundeck security configuration.
 #####`security_role`
 The name of the role that is required for all users to be allowed access.
 
+#####`security_roles_array_enabled`
+Boolean value if set to true enables security_roles_array.
+
+#####`security_roles_array`
+Array value if you want to have more role in web.xml
+
 #####`manage_yum_repo`
 Whether to manage the YUM repository containing the Rundeck rpm. Defaults to true.
 

diff --git a/manifests/config.pp b/manifests/config.pp
@@ -7,50 +7,52 @@
 # This private class is called from `rundeck` to manage the configuration
 #
 class rundeck::config(
-  $acl_policies                = $rundeck::acl_policies,
-  $acl_template                = $rundeck::acl_template,
-  $api_policies                = $rundeck::api_policies,
-  $api_template                = $rundeck::api_template,
-  $auth_template               = $rundeck::auth_template,
-  $auth_types                  = $rundeck::auth_types,
-  $clustermode_enabled         = $rundeck::clustermode_enabled,
-  $database_config             = $rundeck::database_config,
-  $file_keystorage_dir         = $rundeck::file_keystorage_dir,
-  $file_keystorage_keys        = $rundeck::file_keystorage_keys,
-  $grails_server_url           = $rundeck::grails_server_url,
-  $group                       = $rundeck::group,
-  $gui_config                  = $rundeck::gui_config,
-  $java_home                   = $rundeck::java_home,
-  $jvm_args                    = $rundeck::jvm_args,
-  $kerberos_realms             = $rundeck::kerberos_realms,
-  $key_password                = $rundeck::key_password,
-  $key_storage_type            = $rundeck::key_storage_type,
-  $keystore                    = $rundeck::keystore,
-  $keystore_password           = $rundeck::keystore_password,
-  $mail_config                 = $rundeck::mail_config,
-  $manage_default_admin_policy = $rundeck::manage_default_admin_policy,
-  $manage_default_api_policy   = $rundeck::manage_default_api_policy,
-  $preauthenticated_config     = $rundeck::preauthenticated_config,
-  $projects                    = $rundeck::projects,
-  $projects_description        = $rundeck::projects_default_desc,
-  $projects_organization       = $rundeck::projects_default_org,
-  $projects_storage_type       = $rundeck::projects_storage_type,
-  $rd_loglevel                 = $rundeck::rd_loglevel,
-  $rdeck_config_template       = $rundeck::rdeck_config_template,
-  $rdeck_profile_template      = $rundeck::rdeck_profile_template,
-  $realm_template              = $rundeck::realm_template,
-  $rss_enabled                 = $rundeck::rss_enabled,
-  $security_config             = $rundeck::security_config,
-  $security_role               = $rundeck::security_role,
-  $server_web_context          = $rundeck::server_web_context,
-  $service_logs_dir            = $rundeck::service_logs_dir,
-  $service_name                = $rundeck::service_name,
-  $session_timeout             = $rundeck::session_timeout,
-  $ssl_enabled                 = $rundeck::ssl_enabled,
-  $ssl_port                    = $rundeck::ssl_port,
-  $truststore                  = $rundeck::truststore,
-  $truststore_password         = $rundeck::truststore_password,
-  $user                        = $rundeck::user,
+  $acl_policies                 = $rundeck::acl_policies,
+  $acl_template                 = $rundeck::acl_template,
+  $api_policies                 = $rundeck::api_policies,
+  $api_template                 = $rundeck::api_template,
+  $auth_template                = $rundeck::auth_template,
+  $auth_types                   = $rundeck::auth_types,
+  $clustermode_enabled          = $rundeck::clustermode_enabled,
+  $database_config              = $rundeck::database_config,
+  $file_keystorage_dir          = $rundeck::file_keystorage_dir,
+  $file_keystorage_keys         = $rundeck::file_keystorage_keys,
+  $grails_server_url            = $rundeck::grails_server_url,
+  $group                        = $rundeck::group,
+  $gui_config                   = $rundeck::gui_config,
+  $java_home                    = $rundeck::java_home,
+  $jvm_args                     = $rundeck::jvm_args,
+  $kerberos_realms              = $rundeck::kerberos_realms,
+  $key_password                 = $rundeck::key_password,
+  $key_storage_type             = $rundeck::key_storage_type,
+  $keystore                     = $rundeck::keystore,
+  $keystore_password            = $rundeck::keystore_password,
+  $mail_config                  = $rundeck::mail_config,
+  $manage_default_admin_policy  = $rundeck::manage_default_admin_policy,
+  $manage_default_api_policy    = $rundeck::manage_default_api_policy,
+  $preauthenticated_config      = $rundeck::preauthenticated_config,
+  $projects                     = $rundeck::projects,
+  $projects_description         = $rundeck::projects_default_desc,
+  $projects_organization        = $rundeck::projects_default_org,
+  $projects_storage_type        = $rundeck::projects_storage_type,
+  $rd_loglevel                  = $rundeck::rd_loglevel,
+  $rdeck_config_template        = $rundeck::rdeck_config_template,
+  $rdeck_profile_template       = $rundeck::rdeck_profile_template,
+  $realm_template               = $rundeck::realm_template,
+  $rss_enabled                  = $rundeck::rss_enabled,
+  $security_config              = $rundeck::security_config,
+  $security_role                = $rundeck::security_role,
+  $server_web_context           = $rundeck::server_web_context,
+  $service_logs_dir             = $rundeck::service_logs_dir,
+  $service_name                 = $rundeck::service_name,
+  $session_timeout              = $rundeck::session_timeout,
+  $ssl_enabled                  = $rundeck::ssl_enabled,
+  $ssl_port                     = $rundeck::ssl_port,
+  $truststore                   = $rundeck::truststore,
+  $truststore_password          = $rundeck::truststore_password,
+  $user                         = $rundeck::user,
+  $security_roles_array_enabled = $rundeck::security_roles_array_enabled,
+  $security_roles_array         = $rundeck::security_roles_array,
 ) inherits rundeck::params {
 
   File {
@@ -170,9 +172,11 @@
   create_resources(rundeck::config::project, $projects)
 
   class { '::rundeck::config::global::web':
-    security_role   => $security_role,
-    session_timeout => $session_timeout,
-    notify          => Service[$service_name],
+    security_role                => $security_role,
+    session_timeout              => $session_timeout,
+    security_roles_array_enabled => $security_roles_array_enabled,
+    security_roles_array         => $security_roles_array,
+    notify                       => Service[$service_name],
   }
 
   if !empty($kerberos_realms) {

diff --git a/manifests/config/global/web.pp b/manifests/config/global/web.pp
@@ -17,15 +17,28 @@
 # [*session_timeout*]
 #   Session timeout is an expired time limit for a logged in Rundeck GUI user which as been inactive for a period of time.
 #
+# [*security_roles_array_enabled*]
+# Boolen value if you want to have more roles in web.xml
+#
+# [*security_roles_array*]
+# Array value if you set the value 'security_roles_array_enabled' to true.
+#
 class rundeck::config::global::web (
-  $security_role   = $rundeck::params::security_role,
-  $session_timeout = $rundeck::params::session_timeout,
+  $security_role                = $rundeck::params::security_role,
+  $session_timeout              = $rundeck::params::session_timeout,
+  $security_roles_array_enabled = $rundeck::params::security_roles_array_enabled,
+  $security_roles_array         = $rundeck::params::security_roles_array,
 ) inherits rundeck::params {
 
-  augeas { 'rundeck/web.xml/security-role/role-name':
-    lens    => 'Xml.lns',
-    incl    => $rundeck::params::web_xml,
-    changes => [ "set web-app/security-role/role-name/#text '${security_role}'" ],
+  if $security_roles_array_enabled {
+    rundeck::config::securityroles { $security_roles_array: }
+  }
+  else {
+    augeas { 'rundeck/web.xml/security-role/role-name':
+      lens    => 'Xml.lns',
+      incl    => $rundeck::params::web_xml,
+      changes => [ "set web-app/security-role/role-name/#text '${security_role}'" ],
+    }
   }
 
   augeas { 'rundeck/web.xml/session-config/session-timeout':

diff --git a/manifests/config/securityroles.pp b/manifests/config/securityroles.pp
@@ -0,0 +1,14 @@
+#
+# Author: Zoltan Lanyi <[email protected]>
+# Date  : 03.06.2016
+# 
+
+define rundeck::config::securityroles {
+
+  augeas { "rundeck/web.xml/security-role/role-name/${name}":
+    lens    => 'Xml.lns',
+    incl    => $rundeck::params::web_xml,
+    onlyif  => "match web-app/security-role/role-name[#text = '${name}'] size == 0",
+    changes => [ "set web-app/security-role/#text[last()] '\t\t'", "set web-app/security-role/role-name[last()+1]/#text '${name}'", "set web-app/security-role/#text[last()+1] '\t'" ],
+  }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -141,7 +141,23 @@
 #
 # [*user*]
 #  The user that rundeck is installed as.
-#.
+#
+# [*security_roles_array_enabled*]
+#  Boolean value if you need more roles. false or true (default is false).
+#
+# [*security_roles_array*]
+#  Array value if you need more roles and you set true the "security_roles_array_enabled" value.
+#  Example: my.hiera.yaml:
+#  ...
+#  rundeck::config::global::web::security_roles_array_enabled: true
+#  rundeck::config::global::web::security_roles_array:
+#    - DevOps
+#    - roots_ito
+#  ...
+#  In your class:
+#  $security_roles_array_enabled = hiera('rundeck::config::global::web::security_roles_array_enabled', true),
+#  $security_roles_array         = hiera('rundeck::config::global::web::security_roles_array', []),
+#
 class rundeck (
   $acl_policies                 = $rundeck::params::acl_policies,
   $acl_template                 = $rundeck::params::acl_template,
@@ -199,6 +215,8 @@
   $truststore                   = $rundeck::params::truststore,
   $truststore_password          = $rundeck::params::truststore_password,
   $user                         = $rundeck::params::user,
+  $security_roles_array_enabled = $rundeck::params::security_roles_array_enabled,
+  $security_roles_array         = $rundeck::params::security_roles_array,
 ) inherits rundeck::params {
 
   validate_array($auth_types)
@@ -234,6 +252,8 @@
   validate_hash($file_keystorage_keys)
   validate_bool($manage_default_admin_policy)
   validate_bool($manage_default_api_policy)
+  validate_bool($security_roles_array_enabled)
+  validate_array($security_roles_array)
 
   class { '::rundeck::install': } ->
   class { '::rundeck::config': } ~>

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -301,4 +301,7 @@
   $manage_default_admin_policy = true
   $manage_default_api_policy   = true
 
+  $security_roles_array_enabled = false
+  $security_roles_array         = []
+
 }
diff --git a/spec/defines/config/securityroles_spec.rb b/spec/defines/config/securityroles_spec.rb
@@ -0,0 +1,32 @@
+require 'spec_helper'
+
+describe 'rundeck::config::securityroles', type: :define do
+  context 'supported operating systems' do
+    %w(Debian RedHat).each do |osfamily|
+      describe "rundeck::config::securityroles definition with array parameters on #{osfamily}" do
+        let(:title) { 'source one' }
+        let(:params) do
+          {
+            'security_roles_array_enabled' => true
+          }
+        end
+        let(:facts) do
+          {
+            osfamily: osfamily,
+            serialnumber: 0,
+            rundeck_version: '',
+            puppetversion: Puppet.version
+          }
+        end
+
+        security_roles_array = %w(devops roots)
+
+        security_roles_array.each do |roles|
+          it "augeas with param: #{roles}" do
+            contain_augeas('rundeck/web.xml/security-role/role-name') .with_changes(["set web-app/security-role/role-name/#text '#{roles}'"])
+          end
+        end
+      end
+    end
+  end
+end