diff --git a/.fixtures.yml b/.fixtures.yml index c65734b30c..c7abf0e1ab 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -1,10 +1,13 @@ fixtures: repositories: - stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib.git" - concat: "git://github.com/puppetlabs/puppetlabs-concat.git" - portage: "git://github.com/gentoo/puppet-portage.git" + concat: "https://github.com/puppetlabs/puppetlabs-concat.git" + facts: 'https://github.com/puppetlabs/puppetlabs-facts.git' + portage: "https://github.com/gentoo/puppet-portage.git" + provision: 'https://github.com/puppetlabs/provision.git' + puppet_agent: 'https://github.com/puppetlabs/puppetlabs-puppet_agent.git' + stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib.git" yumrepo_core: - repo: "git://github.com/puppetlabs/puppetlabs-yumrepo_core.git" + repo: "https://github.com/puppetlabs/puppetlabs-yumrepo_core.git" puppet_version: '>= 6.0.0' symlinks: apache: "#{source_dir}" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000000..35162951ee --- /dev/null +++ b/.github/workflows/release.yml 
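Review bot: The three fixtures added in the .fixtures.yml hunk (`facts`, `provision`, `puppet_agent`) are given as bare URLs, so every test run clones whatever is at the tip of each repository's default branch. The move from `git://` to `https://` protects the transport but not the content: a bad or compromised upstream commit would be pulled into CI and developer machines unnoticed. The `yumrepo_core` entry already uses the mapping form, so each new fixture could follow it and add a pin, e.g. `repo: 'https://github.com/puppetlabs/provision.git'` plus `ref: '<tag-or-commit-placeholder>'`. The pre-existing `concat`, `portage` and `stdlib` entries have the same gap.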
@@ -0,0 +1,54 @@
+name: "release"
+
+on:
+ push:
+ branches:
+ - 'release'
+
+jobs:
+ LitmusAcceptance:
+ env:
+ HONEYCOMB_WRITEKEY: 7f3c63a70eecc61d635917de46bea4e6
+ HONEYCOMB_DATASET: litmus tests
+ runs-on: self-hosted
+
+ strategy:
+ matrix:
+ ruby_version: [2.5.x]
+ puppet_gem_version: [~> 6.0]
+ platform: [release_checks]
+ agent_family: ['puppet5', 'puppet6']
+
+ steps:
+ - uses: actions/checkout@v1
+
+ - name: Litmus Parallel
+ uses: puppetlabs/action-litmus_parallel@master
+ with:
+ platform: ${{ matrix.platform }}
+ agent_family: ${{ matrix.agent_family }}
+
+ Spec:
+ runs-on: self-hosted
+
+ strategy:
+ matrix:
+ check: [parallel_spec, 'syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop']
+ ruby_version: [2.4.x, 2.5.x]
+ puppet_gem_version: [~> 5.0, ~> 6.0]
+ exclude:
+ - puppet_gem_version: ~> 5.0
+ check: 'syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop'
+ - ruby_version: 2.4.x
+ puppet_gem_version: ~> 6.0
+ - ruby_version: 2.5.x
+ puppet_gem_version: ~> 5.0
+
+ steps:
+ - uses: actions/checkout@v1
+
+ - name: Spec Tests
+ uses: puppetlabs/action-litmus_spec@master
+ with:
+ puppet_gem_versionm: ${{ matrix.puppet_gem_version }}
+ check: ${{ matrix.check }}
diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
new file mode 100644
index 0000000000..8b621bca8f
--- /dev/null
+++ b/.github/workflows/weekly.yml
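Review bot: `HONEYCOMB_WRITEKEY` is committed as a literal value in the `env:` block of the `LitmusAcceptance` job in release.yml, so anyone who can read the repository can write events into that Honeycomb dataset, and rotating the key means editing every file that carries it. The same literal appears in weekly.yml and in the `.sync.yml` and `.travis.yml` hunks of this commit. Reading it from the repository's encrypted secrets, `HONEYCOMB_WRITEKEY: ${{ secrets.HONEYCOMB_WRITEKEY }}`, keeps future values out of history; the value already pushed should be treated as exposed and rotated. Separately, the `Spec` job passes `puppet_gem_versionm:` to action-litmus_spec where weekly.yml passes `puppet_gem_version:`, so the matrix value probably never reaches the action here.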
@@ -0,0 +1,45 @@ +name: "weekly" + +on: + schedule: + - cron: '0 4 * * 1' + +jobs: + LitmusAcceptance: + env: + HONEYCOMB_WRITEKEY: 7f3c63a70eecc61d635917de46bea4e6 + HONEYCOMB_DATASET: litmus tests + runs-on: self-hosted + strategy: + matrix: + ruby_version: [2.5.x] + puppet_gem_version: [~> 6.0] + platform: [release_checks] + agent_family: ['puppet5', 'puppet6'] + + steps: + - uses: actions/checkout@v1 + - name: Litmus Parallel + uses: puppetlabs/action-litmus_parallel@master + with: + platform: ${{ matrix.platform }} + agent_family: ${{ matrix.agent_family }} + Spec: + runs-on: self-hosted + strategy: + matrix: + check: [parallel_spec, 'syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop'] + ruby_version: [2.5.x] + puppet_gem_version: [~> 5.0, ~> 6.0] + exclude: + - puppet_gem_version: ~> 5.0 + check: 'syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop' + - ruby_version: 2.5.x + puppet_gem_version: ~> 5.0 + steps: + - uses: actions/checkout@v1 + - name: Spec Tests + uses: puppetlabs/action-litmus_spec@master + with: + puppet_gem_version: ${{ matrix.puppet_gem_version }} + check: ${{ matrix.check }} diff --git a/.gitignore b/.gitignore index 3f4e2e8494..2767022cd6 100644 --- a/.gitignore +++ b/.gitignore @@ -22,5 +22,6 @@ /convert_report.txt /update_report.txt .DS_Store +.project .envrc /inventory.yaml diff --git a/.pdkignore b/.pdkignore index 54d2cda3ab..e6215cd0cb 100644 --- a/.pdkignore +++ b/.pdkignore @@ -22,6 +22,7 @@ /convert_report.txt /update_report.txt .DS_Store +.project .envrc /inventory.yaml /appveyor.yml diff --git a/.project b/.project deleted file mode 100644 index 51770ab1ca..0000000000 --- a/.project +++ /dev/null 
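Review bot: Both jobs in weekly.yml take their main step from a moving branch, `uses: puppetlabs/action-litmus_parallel@master` and `uses: puppetlabs/action-litmus_spec@master`, and run on `runs-on: self-hosted`. Any commit that lands on those branches therefore executes on the runner host at the next scheduled run, without a change being reviewed in this repository. Pinning each action to a full commit SHA, e.g. `uses: puppetlabs/action-litmus_parallel@<full-commit-sha-placeholder>`, makes an upgrade an explicit, reviewable edit; release.yml carries the same two references. Whether the self-hosted runners are ephemeral is not visible from this diff, but if they persist between jobs the pin matters more, since anything one run leaves behind is available to the next.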
@@ -1,23 +0,0 @@ - - - puppetlabs-apache - - - - - - com.puppetlabs.geppetto.pp.dsl.ui.modulefileBuilder - - - - - org.eclipse.xtext.ui.shared.xtextBuilder - - - - - - com.puppetlabs.geppetto.pp.dsl.ui.puppetNature - org.eclipse.xtext.ui.shared.xtextNature - - diff --git a/.rubocop.yml b/.rubocop.yml index b349606f1a..33688a79ec 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -1,5 +1,7 @@ --- -require: rubocop-rspec +require: +- rubocop-rspec +- rubocop-i18n AllCops: DisplayCopNames: true TargetRubyVersion: '2.1' @@ -19,10 +21,13 @@ AllCops: Metrics/LineLength: Description: People have wide screens, use them. Max: 200 +GetText: + Enabled: false GetText/DecorateString: Description: We don't want to decorate test output. Exclude: - - spec/* + - spec/**/* + Enabled: false RSpec/BeforeAfterAll: Description: Beware of using after(:all) as it may cause state to leak between tests. A necessary evil in acceptance testing. @@ -85,6 +90,12 @@ Style/MethodCalledOnDoEndBlock: Enabled: true Style/StringMethods: Enabled: true +GetText/DecorateFunctionMessage: + Enabled: false +GetText/DecorateStringFormattingUsingInterpolation: + Enabled: false +GetText/DecorateStringFormattingUsingPercent: + Enabled: false Layout/EndOfLine: Enabled: false Layout/IndentHeredoc: diff --git a/.sync.yml b/.sync.yml index 7c941ee542..a36572bd9b 100644 --- a/.sync.yml +++ b/.sync.yml 
@@ -1,51 +1,40 @@ --- -.gitlab-ci.yml: - unmanaged: true - -.gitignore: - required: - - ---.project - -.travis.yml: - global_env: - - PARALLEL_TEST_PROCESSORS=16 - docker_sets: - - set: docker/centos-7 - - set: docker/ubuntu-14.04 - docker_defaults: - bundler_args: "" - secure: "" +".gitlab-ci.yml": + delete: true +".rubocop.yml": + default_configs: + inherit_from: ".rubocop_todo.yml" +".travis.yml": + global_env: + - HONEYCOMB_WRITEKEY="7f3c63a70eecc61d635917de46bea4e6",HONEYCOMB_DATASET="litmus tests" + deploy_to_forge: + enabled: false + secure: '' branches: - - release - + - release + use_litmus: true + litmus: + provision_list: + - travis_deb + - travis_ub + - travis_el7 + - ---travis_el + simplecov: true + notifications: + slack: + secure: MrXQwGIUO7WNmLbe7iiWgURiZPUgyvDLkKe3d9S58ohE6gdN6pqlsjP8YgodK8JmIBV1zp5Wj/0cXUmY3xvCtnDmII0DCEk2Y1Cs/W1drKZtS/0BsUpJkj0rDP2fSlKsY5ifESdEta/y8+NkjRnqadbl7SQPYeek4IjAfxjjuig= +appveyor.yml: + delete: true Gemfile: - required: - ':system_tests': - - gem: 'puppet-module-posix-system-r#{minor_version}' - platforms: ruby - - gem: 'puppet-module-win-system-r#{minor_version}' - platforms: - - mswin - - mingw - - x64_mingw optional: - ':development': - - gem: 'github_changelog_generator' - git: 'https://github.com/skywinder/github-changelog-generator' - ref: '20ee04ba1234e9e83eb2ffb5056e23d641c7a018' - condition: "Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.2.2')" - + ":development": + - gem: github_changelog_generator + git: https://github.com/skywinder/github-changelog-generator + ref: 20ee04ba1234e9e83eb2ffb5056e23d641c7a018 + condition: Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.2.2') Rakefile: requires: - - puppet-lint/tasks/puppet-lint - -appveyor.yml: - delete: true - -.rubocop.yml: - default_configs: - inherit_from: .rubocop_todo.yml - + - puppet-lint/tasks/puppet-lint spec/spec_helper.rb: - mock_with: ':rspec' - coverage_report: true \ No newline at end of file + mock_with: ":rspec" + 
coverage_report: true diff --git a/.travis.yml b/.travis.yml index 485a2d84b5..434c282060 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -1,48 +1,98 @@ --- +os: linux +dist: xenial language: ruby cache: bundler before_install: - bundle -v - rm -f Gemfile.lock - - gem update --system $RUBYGEMS_VERSION + - "# Update system gems if requested. This is useful to temporarily workaround troubles in the test runner" + - "# See https://github.com/puppetlabs/pdk-templates/commit/705154d5c437796b821691b707156e1b056d244f for an example of how this was used" + - "# Ignore exit code of SIGPIPE'd yes to not fail with shell's pipefail set" + - '[ -z "$RUBYGEMS_VERSION" ] || (yes || true) | gem update --system $RUBYGEMS_VERSION' - gem --version - bundle -v script: - - 'bundle exec rake $CHECK' + - 'SIMPLECOV=yes bundle exec rake $CHECK' bundler_args: --without system_tests rvm: - - 2.5.3 + - 2.5.7 env: global: - - PARALLEL_TEST_PROCESSORS=16 + - HONEYCOMB_WRITEKEY="7f3c63a70eecc61d635917de46bea4e6",HONEYCOMB_DATASET="litmus tests" stages: - static - spec - acceptance - - - if: tag =~ ^v\d - name: deploy -matrix: +jobs: fast_finish: true include: - - bundler_args: - dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_debug=true BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_set=docker/centos-7 BEAKER_TESTMODE=apply - rvm: 2.5.3 - script: bundle exec rake beaker + before_script: + - "bundle exec rake 'litmus:provision_list[travis_deb]'" + - "bundle exec rake 'litmus:install_agent[puppet5]'" + - "bundle exec rake litmus:install_module" + bundler_args: + env: PLATFORMS=travis_deb_puppet5 + rvm: 2.5.7 + script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"] services: docker stage: acceptance - sudo: required - - bundler_args: - dist: trusty - env: PUPPET_INSTALL_TYPE=agent BEAKER_debug=true BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_set=docker/ubuntu-14.04 BEAKER_TESTMODE=apply - rvm: 2.5.3 - script: bundle exec rake beaker + before_script: + - "bundle exec rake 'litmus:provision_list[travis_ub]'" + - "bundle exec rake 'litmus:install_agent[puppet5]'" + - "bundle exec rake litmus:install_module" + bundler_args: 
+ env: PLATFORMS=travis_ub_puppet5 + rvm: 2.5.7 + script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"] + services: docker + stage: acceptance + - + before_script: + - "bundle exec rake 'litmus:provision_list[travis_el7]'" + - "bundle exec rake 'litmus:install_agent[puppet5]'" + - "bundle exec rake litmus:install_module" + bundler_args: + env: PLATFORMS=travis_el7_puppet5 + rvm: 2.5.7 + script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"] + services: docker + stage: acceptance + - + before_script: + - "bundle exec rake 'litmus:provision_list[travis_deb]'" + - "bundle exec rake 'litmus:install_agent[puppet6]'" + - "bundle exec rake litmus:install_module" + bundler_args: + env: PLATFORMS=travis_deb_puppet6 + rvm: 2.5.7 + script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"] + services: docker + stage: acceptance + - + before_script: + - "bundle exec rake 'litmus:provision_list[travis_ub]'" + - "bundle exec rake 'litmus:install_agent[puppet6]'" + - "bundle exec rake litmus:install_module" + bundler_args: + env: PLATFORMS=travis_ub_puppet6 + rvm: 2.5.7 + script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"] + services: docker + stage: acceptance + - + before_script: + - "bundle exec rake 'litmus:provision_list[travis_el7]'" + - "bundle exec rake 'litmus:install_agent[puppet6]'" + - "bundle exec rake litmus:install_module" + bundler_args: + env: PLATFORMS=travis_el7_puppet6 + rvm: 2.5.7 + script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"] services: docker stage: acceptance - sudo: required - env: CHECK="check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop syntax lint metadata_lint" stage: static @@ -52,11 +102,8 @@ matrix: stage: spec - env: PUPPET_GEM_VERSION="~> 6.0" CHECK=parallel_spec - rvm: 2.5.3 + rvm: 2.5.7 stage: spec - - - env: DEPLOY_TO_FORGE=yes - stage: deploy branches: only: - master 
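Review bot: In the first .travis.yml hunk, the new `env.global` entry joins two assignments with a comma rather than a space (`HONEYCOMB_WRITEKEY="…",HONEYCOMB_DATASET="litmus tests"`). That looks like it would be read as a single variable whose value swallows the rest of the string, leaving `HONEYCOMB_DATASET` unset. A separate list item, `- HONEYCOMB_DATASET="litmus tests"`, avoids the ambiguity, and the write key is better supplied as an encrypted `secure:` entry or a repository setting than as a literal. The line is generated from `global_env` in `.sync.yml`, which has the same comma-joined string, so the fix belongs there first. The `jobs.include` list continues past the end of this hunk.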
@@ -64,12 +111,5 @@ branches: - release notifications: email: false -deploy: - provider: puppetforge - user: puppet - password: - secure: "" - on: - tags: true - all_branches: true - condition: "$DEPLOY_TO_FORGE = yes" + slack: + secure: MrXQwGIUO7WNmLbe7iiWgURiZPUgyvDLkKe3d9S58ohE6gdN6pqlsjP8YgodK8JmIBV1zp5Wj/0cXUmY3xvCtnDmII0DCEk2Y1Cs/W1drKZtS/0BsUpJkj0rDP2fSlKsY5ifESdEta/y8+NkjRnqadbl7SQPYeek4IjAfxjjuig= diff --git a/.vscode/extensions.json b/.vscode/extensions.json new file mode 100644 index 0000000000..6177782746 --- /dev/null +++ b/.vscode/extensions.json @@ -0,0 +1,6 @@ +{ + "recommendations": [ + "jpogran.puppet-vscode", + "rebornix.Ruby" + ] +} diff --git a/CHANGELOG.md b/CHANGELOG.md index 5528df9bdd..a32c71f436 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,72 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org). +## [v5.4.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.4.0) (2020-01-21) + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v5.3.0...v5.4.0) + +### Added + +- Add an apache::vhost::fragment define [\#1980](https://github.com/puppetlabs/puppetlabs-apache/pull/1980) ([ekohl](https://github.com/ekohl)) + +### Fixed + +- \(MODULES-10391\) ssl\_protocol includes SSLv2 and SSLv3 on all platforms [\#1990](https://github.com/puppetlabs/puppetlabs-apache/pull/1990) ([legooolas](https://github.com/legooolas)) + +## [v5.3.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.3.0) (2019-12-11) + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v5.2.0...v5.3.0) + +### Added + +- \(FM-8672\) - Addition of Support for CentOS 8 [\#1977](https://github.com/puppetlabs/puppetlabs-apache/pull/1977) ([david22swan](https://github.com/david22swan)) +- \(MODULES-9948\) Allow switching of thread modules [\#1961](https://github.com/puppetlabs/puppetlabs-apache/pull/1961) ([tuxmea](https://github.com/tuxmea)) + +### Fixed + +- Fix newline being added before proxy params [\#1984](https://github.com/puppetlabs/puppetlabs-apache/pull/1984) ([oxc](https://github.com/oxc)) +- When using mod jk, we expect the libapache2-mod-jk package to be installed [\#1979](https://github.com/puppetlabs/puppetlabs-apache/pull/1979) ([tuxmea](https://github.com/tuxmea)) +- move unless into manage\_security\_corerules [\#1976](https://github.com/puppetlabs/puppetlabs-apache/pull/1976) ([SimonHoenscheid](https://github.com/SimonHoenscheid)) +- Change mod\_proxy's ProxyTimeout to follow Apache's global timeout [\#1975](https://github.com/puppetlabs/puppetlabs-apache/pull/1975) ([gcoxmoz](https://github.com/gcoxmoz)) 
+- \(FM-8721\) fix php version and ssl error on redhat8 [\#1973](https://github.com/puppetlabs/puppetlabs-apache/pull/1973) ([sheenaajay](https://github.com/sheenaajay)) + +## [v5.2.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.2.0) (2019-11-01) + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v5.1.0...v5.2.0) + +### Added + +- Add parameter version for mod security [\#1953](https://github.com/puppetlabs/puppetlabs-apache/pull/1953) ([tuxmea](https://github.com/tuxmea)) +- add possibility to define variables inside VirtualHost definition [\#1947](https://github.com/puppetlabs/puppetlabs-apache/pull/1947) ([trefzer](https://github.com/trefzer)) + +### Fixed + +- \(FM-8662\) Correct in manifests/mod/ssl.pp for SLES 11 [\#1963](https://github.com/puppetlabs/puppetlabs-apache/pull/1963) ([cmccrisken-puppet](https://github.com/cmccrisken-puppet)) +- always quote ExpiresDefault in vhost::directories [\#1958](https://github.com/puppetlabs/puppetlabs-apache/pull/1958) ([evgeni](https://github.com/evgeni)) +- MODULES-9904 Fix lbmethod module load order [\#1956](https://github.com/puppetlabs/puppetlabs-apache/pull/1956) ([optiz0r](https://github.com/optiz0r)) +- Add owner, group, file\_mode and show\_diff to apache::custom\_config [\#1942](https://github.com/puppetlabs/puppetlabs-apache/pull/1942) ([treydock](https://github.com/treydock)) +- Add shibboleth support for Debian 10 [\#1939](https://github.com/puppetlabs/puppetlabs-apache/pull/1939) ([fabbks](https://github.com/fabbks)) + +## [v5.1.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.1.0) (2019-09-13) + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v5.0.0...v5.1.0) + +### Added + +- \(FM-8393\) add support on Debian 10 [\#1945](https://github.com/puppetlabs/puppetlabs-apache/pull/1945) ([ThoughtCrhyme](https://github.com/ThoughtCrhyme)) +- FM-8140 Add Redhat 8 support [\#1941](https://github.com/puppetlabs/puppetlabs-apache/pull/1941) 
([sheenaajay](https://github.com/sheenaajay)) +- \(FM-8214\) converted to use litmus [\#1938](https://github.com/puppetlabs/puppetlabs-apache/pull/1938) ([tphoney](https://github.com/tphoney)) +- \(MODULES-9668 \) Please make ProxyRequests setting in vhost.pp configurable [\#1935](https://github.com/puppetlabs/puppetlabs-apache/pull/1935) ([aukesj](https://github.com/aukesj)) +- Added unmanaged\_path and custom\_fragment options to userdir [\#1931](https://github.com/puppetlabs/puppetlabs-apache/pull/1931) ([GeorgeCox](https://github.com/GeorgeCox)) +- Add LDAP parameters to httpd.conf [\#1930](https://github.com/puppetlabs/puppetlabs-apache/pull/1930) ([daveseff](https://github.com/daveseff)) +- Add LDAPReferrals configuration parameter [\#1928](https://github.com/puppetlabs/puppetlabs-apache/pull/1928) ([HT43-bqxFqB](https://github.com/HT43-bqxFqB)) + +### Fixed + +- \(MODULES-9104\) Add file\_mode to config files. [\#1922](https://github.com/puppetlabs/puppetlabs-apache/pull/1922) ([stevegarn](https://github.com/stevegarn)) +- \(bugfix\) Add default package name for mod\_ldap [\#1913](https://github.com/puppetlabs/puppetlabs-apache/pull/1913) ([turnopil](https://github.com/turnopil)) +- Remove event mpm when using prefork, worker or itk [\#1905](https://github.com/puppetlabs/puppetlabs-apache/pull/1905) ([tuxmea](https://github.com/tuxmea)) + ## [v5.0.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.0.0) (2019-05-20) [Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/4.1.0...v5.0.0) @@ -808,6 +874,7 @@ This release features many improvements and bugfixes, including several new defi - passenger_ruby - passenger_start_timeout - proxy_preserve_host + - proxy_requests - redirectmatch_dest - ssl_crl_check - wsgi_chunked_request diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000000..a5d109e998 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1,2 @@ +# Setting ownership to the modules team +* @puppetlabs/modules 
diff --git a/Gemfile b/Gemfile index b7d80c3e53..4f6e33b02d 100644 --- a/Gemfile +++ b/Gemfile 
@@ -17,21 +17,18 @@ ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments minor_version = ruby_version_segments[0..1].join('.') group :development do - gem "fast_gettext", '1.1.0', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0') - gem "fast_gettext", require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0') - gem "json_pure", '<= 2.0.1', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0') - gem "json", '= 1.8.1', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9') - gem "json", '= 2.0.4', require: false if Gem::Requirement.create('~> 2.4.2').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) - gem "puppet-module-posix-default-r#{minor_version}", require: false, platforms: [:ruby] - gem "puppet-module-posix-dev-r#{minor_version}", require: false, platforms: [:ruby] - gem "puppet-module-win-default-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw] - gem "puppet-module-win-dev-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw] - gem "github_changelog_generator", require: false, git: 'https://github.com/skywinder/github-changelog-generator', ref: '20ee04ba1234e9e83eb2ffb5056e23d641c7a018' if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.2.2') -end -group :system_tests do - gem "puppet-module-posix-system-r#{minor_version}", require: false, platforms: [:ruby] - gem "puppet-module-win-system-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw] + gem "fast_gettext", '1.1.0', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0') + gem "fast_gettext", require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0') + gem "json_pure", '<= 2.0.1', require: false if 
Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0') + gem "json", '= 1.8.1', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9') + gem "json", '= 2.0.4', require: false if Gem::Requirement.create('~> 2.4.2').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "rb-readline", '= 0.5.5', require: false, platforms: [:mswin, :mingw, :x64_mingw] + gem "puppet-module-posix-default-r#{minor_version}", '~> 0.4', require: false, platforms: [:ruby] + gem "puppet-module-posix-dev-r#{minor_version}", '~> 0.4', require: false, platforms: [:ruby] + gem "puppet-module-win-default-r#{minor_version}", '~> 0.4', require: false, platforms: [:mswin, :mingw, :x64_mingw] + gem "puppet-module-win-dev-r#{minor_version}", '~> 0.4', require: false, platforms: [:mswin, :mingw, :x64_mingw] + gem "github_changelog_generator", require: false, git: 'https://github.com/skywinder/github-changelog-generator', ref: '20ee04ba1234e9e83eb2ffb5056e23d641c7a018' if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.2.2') end puppet_version = ENV['PUPPET_GEM_VERSION'] diff --git a/HISTORY.md b/HISTORY.md index 90e65f6584..3d6897f091 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -698,6 +698,7 @@ This release features many improvements and bugfixes, including several new defi - passenger_ruby - passenger_start_timeout - proxy_preserve_host + - proxy_requests - redirectmatch_dest - ssl_crl_check - wsgi_chunked_request diff --git a/MAINTAINERS.md b/MAINTAINERS.md deleted file mode 100644 index 18a33881e0..0000000000 --- a/MAINTAINERS.md +++ /dev/null @@ -1,6 +0,0 @@ -## Maintenance - -Maintainers: - - Puppet Forge Modules Team `forge-modules |at| puppet |dot| com` - -Tickets: https://tickets.puppet.com/browse/MODULES. Make sure to set component to `apache`. 
diff --git a/README.md b/README.md index 505a9420e7..38b973a3ff 100755 --- a/README.md +++ b/README.md @@ -720,6 +720,28 @@ There are several optional parameters you can specify when defining Apache modul ### Configuring FastCGI servers to handle PHP files +#### FastCGI on Ubuntu 18.04 + +On Ubuntu 18.04, `mod_fastcgi` is no longer supported. So considering: + +* an Apache Vhost with docroot set to `/var/www/html` +* a FastCGI server listening on `127.0.0.1:9000` + +you can then use the [`custom_fragment`][] parameter to configure the virtual host to have the FastCGI server handle the specified file type: + +``` puppet +apache::vhost { 'www': + ... + docroot => '/var/www/html/', + custom_fragment => 'ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/var/www/html/$1', + ... +} +``` + +Please note you have to adjust the second ProxyPassMatch parameter to you docroot value (here `/var/www/html/`). + +#### Other OSes + Add the [`apache::fastcgi::server`][] defined type to allow [FastCGI][] servers to handle requests for specific files. For example, the following defines a FastCGI server at 127.0.0.1 (localhost) on port 9000 to handle PHP requests: ``` puppet @@ -893,8 +915,6 @@ The [`apache::mod::suphp`][] class is untested since repositories are missing co ### Testing -Due to the difficult and specialised nature of acceptance testing mods in apache IE (high OS specificity), we have replaced acceptance tests with unit tests. - To run the unit tests, install the necessary gems: ``` 
@@ -913,10 +933,19 @@ To check the code coverage, run: COVERAGE=yes bundle exec rake parallel_spec ``` -### Contributing +## Development + +Acceptance tests for this module leverage [puppet_litmus](https://github.com/puppetlabs/puppet_litmus). +To run the acceptance tests follow the instructions [here](https://github.com/puppetlabs/puppet_litmus/wiki/Tutorial:-use-Litmus-to-execute-acceptance-tests-with-a-sample-module-(MoTD)#install-the-necessary-gems-for-the-module). +You can also find a tutorial and walkthrough of using Litmus and the PDK on [YouTube](https://www.youtube.com/watch?v=FYfR7ZEGHoE). -[Puppet][] modules on the [Puppet Forge][] are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad hardware, software, and deployment configurations that Puppet is intended to serve. +If you run into an issue with this module, or if you would like to request a feature, please [file a ticket](https://tickets.puppetlabs.com/browse/MODULES/). +Every Monday the Puppet IA Content Team has [office hours](https://puppet.com/community/office-hours) in the [Puppet Community Slack](http://slack.puppet.com/), alternating between an EMEA friendly time (1300 UTC) and an Americas friendly time (0900 Pacific, 1700 UTC). -We want to make it as easy as possible to contribute changes so our modules work in your environment, but we also need contributors to follow a few guidelines to help us maintain and improve the modules' quality. +If you have problems getting this module up and running, please [contact Support](http://puppetlabs.com/services/customer-support). -For more information, please read the complete [module contribution guide][] and check out [CONTRIBUTING.md][]. \ No newline at end of file +If you submit a change to this module, be sure to regenerate the reference documentation as follows: + +```bash +puppet strings generate --format markdown --out REFERENCE.md +``` 
diff --git a/REFERENCE.md b/REFERENCE.md index b22046568e..d82e2d8564 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -94,6 +94,9 @@ _Public Classes_ * [`apache::mod::worker`](#apachemodworker): Installs and manages the MPM `worker`. * [`apache::mod::wsgi`](#apachemodwsgi): Installs and configures `mod_wsgi`. * [`apache::mod::xsendfile`](#apachemodxsendfile): Installs `mod_xsendfile`. +* [`apache::mpm::disable_mpm_event`](#apachempmdisable_mpm_event): +* [`apache::mpm::disable_mpm_prefork`](#apachempmdisable_mpm_prefork): +* [`apache::mpm::disable_mpm_worker`](#apachempmdisable_mpm_worker): * [`apache::vhosts`](#apachevhosts): Creates `apache::vhost` defined types. _Private Classes_ @@ -128,6 +131,7 @@ Apache server's or a virtual host's listening address and port. * [`apache::vhost`](#apachevhost): Allows specialised configurations for virtual hosts that possess requirements outside of the defaults. * [`apache::vhost::custom`](#apachevhostcustom): A wrapper around the `apache::custom_config` defined type. +* [`apache::vhost::fragment`](#apachevhostfragment): Define a fragment within a vhost _Private Defined types_ @@ -165,6 +169,8 @@ When this class is declared with the default options, Puppet: - Creates a document root directory determined by your operating system, typically `/var/www`. - Starts the Apache service. +If an ldaps:// URL is specified, the mode becomes SSL and the setting of LDAPTrustedMode is ignored. + #### Examples ##### @@ -480,6 +486,30 @@ CGIs/SSIs in REMOTE_HOST.
Default value: $::apache::params::hostname_lookups +##### `ldap_trusted_mode` + +Data type: `Any` + +The following modes are supported: + + NONE - no encryption + SSL - ldaps:// encryption on default port 636 + TLS - STARTTLS encryption on default port 389 +Not all LDAP toolkits support all the above modes. An error message will be logged at +runtime if a mode is not supported, and the connection to the LDAP server will fail. + +Default value: `undef` + +##### `ldap_verify_server_cert` + +Data type: `Any` + +Specifies whether to force the verification of a server certificate when establishing an SSL +connection to the LDAP server. +On|Off + +Default value: `undef` + ##### `lib_path` Data type: `Any` @@ -3179,6 +3209,14 @@ Specifies the SSL/TLS mode to be used when connecting to an LDAP server. Default value: `undef` +##### `ldap_path` + +Data type: `String` + +The server location of the ldap status page. + +Default value: '/ldap-status' + ### apache::mod::lookup_identity Installs `mod_lookup_identity` @@ -4701,7 +4739,7 @@ Data type: `Any` Network timeout for proxied requests. -Default value: '60' +Default value: `undef` ### apache::mod::proxy_ajp @@ -5031,6 +5069,14 @@ for additional documentation. The following parameters are available in the `apache::mod::security` class. +##### `version` + +Data type: `Any` + +Manage mod_security or mod_security2 + +Default value: $::apache::params::modsec_version + ##### `logroot` Data type: `Any` @@ -5338,15 +5384,6 @@ Enable compression on the SSL level. Default value: `false` -##### `ssl_sessiontickets` - -Data type: `Optional[Boolean]` - -Enable the use of TLS session tickets (RFC 5077). -Available since Apache 2.4.11. - -Default: `undef`. - ##### `ssl_cryptodevice` Data type: `Any` 
@@ -5416,8 +5453,11 @@ Default value: `true` Data type: `Any` Configure usable SSL/TLS protocol versions. +Default based on the OS: +- RedHat 8: [ 'all' ]. +- Other Platforms: [ 'all', '-SSLv2', '-SSLv3' ]. -Default value: [ 'all', '-SSLv2', '-SSLv3' ] +Default value: $::apache::params::ssl_protocol ##### `ssl_proxy_protocol` @@ -5475,20 +5515,6 @@ Pass stapling related OCSP errors on to client. Default value: `undef` -##### `stapling_cache` - -Data type: `String` - -Configures the storage type of the global/inter-process SSL Stapling Cache. -Only cache type 'shmcb' is supported. -Default based on the OS: -- Debian/Ubuntu: '${APACHE_RUN_DIR}/ocsp(32768)'. -- RedHat: '/run/httpd/ssl_stapling(32768)'. -- FreeBSD/Gentoo: '/var/run/ssl_stapling(32768)'. -- Suse: '/var/lib/apache2/ssl_stapling(32768)'. - -Default value: `undef` - ##### `ssl_mutex` Data type: `Any` @@ -5516,6 +5542,22 @@ Data type: `Any` Name of ssl package to install. +Default value: `undef` + +##### `ssl_sessiontickets` + +Data type: `Optional[Boolean]` + + + +Default value: `undef` + +##### `stapling_cache` + +Data type: `Optional[String]` + + + Default value: `undef` ### apache::mod::status @@ -5679,6 +5721,22 @@ Configures what features are available in a particular directory. Default value: [ 'MultiViews', 'Indexes', 'SymLinksIfOwnerMatch', 'IncludesNoExec' ] +##### `unmanaged_path` + +Data type: `Any` + +Toggles whether to manage path in userdir.conf + +Default value: `false` + +##### `custom_fragment` + +Data type: `Any` + +Custom configuration to be added to userdir.conf + +Default value: `undef` + ### apache::mod::version Installs `mod_version`. 
@@ -5892,6 +5950,18 @@ Installs `mod_xsendfile`. https://tn123.org/mod_xsendfile/ for additional documentation. +### apache::mpm::disable_mpm_event + +The apache::mpm::disable_mpm_event class. + +### apache::mpm::disable_mpm_prefork + +The apache::mpm::disable_mpm_prefork class. + +### apache::mpm::disable_mpm_worker + +The apache::mpm::disable_mpm_worker class. + ### apache::vhosts host parameters or Configuring virtual hosts in the README section. @@ -6141,6 +6211,38 @@ Specifies whether to validate the configuration file before notifying the Apache Default value: `true` +##### `owner` + +Data type: `Any` + +File owner of configuration file + +Default value: `undef` + +##### `group` + +Data type: `Any` + +File group of configuration file + +Default value: `undef` + +##### `file_mode` + +Data type: `Any` + +File mode of configuration file + +Default value: `undef` + +##### `show_diff` + +Data type: `Boolean` + +show_diff property for configuration file resource + +Default value: `true` + ### apache::fastcgi::server Defines one or more external FastCGI servers to handle specific file types. Use this @@ -9074,6 +9176,23 @@ which allows you to configure how the server determines it's own name and port. Default value: `undef` +##### `define` + +Data type: `Hash` + +this lets you define configuration variables inside a vhost using [`Define`](https://httpd.apache.org/docs/2.4/mod/core.html#define), +these can then be used to replace configuration values. All Defines are Undefined at the end of the VirtualHost. + +Default value: {} + +##### `proxy_requests` + +Data type: `Boolean` + + + +Default value: `false` + ### apache::vhost::custom The `apache::vhost::custom` defined type is a thin wrapper around the `apache::custom_config` defined type, and simply overrides some of its default settings specific to the virtual host directory in Apache. 
@@ -9112,6 +9231,99 @@ Specifies whether to validate the configuration file before notifying the Apache Default value: `true` +### apache::vhost::fragment + +Define a fragment within a vhost + +#### Examples + +##### With a vhost without priority + +```puppet +include apache +apache::vhost { 'myvhost': +} +apache::vhost::fragment { 'myfragment': + vhost => 'myvhost', + content => '# Foo', +} +``` + +##### With a vhost with priority + +```puppet +include apache +apache::vhost { 'myvhost': + priority => '42', +} +apache::vhost::fragment { 'myfragment': + vhost => 'myvhost', + priority => '42', + content => '# Foo', +} +``` + +##### With a vhost with default vhost + +```puppet +include apache +apache::vhost { 'myvhost': + default_vhost => true, +} +apache::vhost::fragment { 'myfragment': + vhost => 'myvhost', + priority => '10', # default_vhost implies priority 10 + content => '# Foo', +} +``` + +##### Adding a fragment to the built in default vhost + +```puppet +include apache +apache::vhost::fragment { 'myfragment': + vhost => 'default', + priority => '15', + content => '# Foo', +} +``` + +#### Parameters + +The following parameters are available in the `apache::vhost::fragment` defined type. + +##### `vhost` + +Data type: `String[1]` + +The title of the vhost resource to append to + +##### `priority` + +Data type: `Any` + +Set the priority to match the one `apache::vhost` sets. This must match the +one `apache::vhost` sets or else the concat fragment won't be found. + +Default value: `undef` + +##### `content` + +Data type: `Optional[String]` + +The content to put in the fragment. Only when it's non-empty the actual +fragment will be created. + +Default value: `undef` + +##### `order` + +Data type: `Integer[0]` + +The order to insert the fragment at + +Default value: 900 + ## Resource types ### a2mod diff --git a/Rakefile b/Rakefile index a1d0de1226..c21ec57741 100644 --- a/Rakefile +++ b/Rakefile 
@@ -1,3 +1,6 @@ +# frozen_string_literal: true + +require 'puppet_litmus/rake_tasks' if Bundler.rubygems.find_name('puppet_litmus').any? require 'puppetlabs_spec_helper/rake_tasks' require 'puppet-syntax/tasks/puppet-syntax' require 'puppet_blacksmith/rake_tasks' if Bundler.rubygems.find_name('puppet-blacksmith').any? @@ -15,8 +18,17 @@ end def changelog_project return unless Rake.application.top_level_tasks.include? "changelog" - returnVal = nil || JSON.load(File.read('metadata.json'))['name'] - raise "unable to find the changelog_project in .sync.yml or the name in metadata.json" if returnVal.nil? + + returnVal = nil + returnVal ||= begin + metadata_source = JSON.load(File.read('metadata.json'))['source'] + metadata_source_match = metadata_source && metadata_source.match(%r{.*\/([^\/]*?)(?:\.git)?\Z}) + + metadata_source_match && metadata_source_match[1] + end + + raise "unable to find the changelog_project in .sync.yml or calculate it from the source in metadata.json" if returnVal.nil? + puts "GitHubChangelogGenerator project:#{returnVal}" returnVal end diff --git a/manifests/balancer.pp b/manifests/balancer.pp index ee1f6c3fc3..0bd8af95f7 100644 --- a/manifests/balancer.pp +++ b/manifests/balancer.pp @@ -55,7 +55,9 @@ undef => 'byrequests', default => $proxy_set['lbmethod'], } - ensure_resource('apache::mod', "lbmethod_${lbmethod}") + ensure_resource('apache::mod', "lbmethod_${lbmethod}", { + 'loadfile_name' => "proxy_balancer_lbmethod_${lbmethod}.load" + }) } if $target { diff --git a/manifests/custom_config.pp b/manifests/custom_config.pp index e0cea82b55..8a13163e57 100644 --- a/manifests/custom_config.pp +++ b/manifests/custom_config.pp 
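Review bot: In `changelog_project` (Rakefile, hunk `@@ -15,8 +18,17 @@`) the regex captures whatever follows the last slash of `source`, so a URL ending in `/` yields an empty string rather than nil and the `raise` is skipped; `raise "..." if returnVal.nil? || returnVal.empty?` would catch that. The new block also still reads metadata.json with `JSON.load`, which rubocop's Security/JSONLoad cop flags; `JSON.parse(File.read('metadata.json'))['source']` is the safer idiom for plain data. The `returnVal = nil` followed by `returnVal ||= begin` is redundant and can be a single `returnVal = begin ... end`.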
@@ -36,6 +36,18 @@ # @param verify_config # Specifies whether to validate the configuration file before notifying the Apache service. # +# @param owner +# File owner of configuration file +# +# @param group +# File group of configuration file +# +# @param file_mode +# File mode of configuration file +# +# @param show_diff +# show_diff property for configuration file resource +# define apache::custom_config ( Enum['absent', 'present'] $ensure = 'present', $confdir = $::apache::confd_dir, @@ -45,6 +57,10 @@ $verify_command = $::apache::params::verify_command, Boolean $verify_config = true, $filename = undef, + $owner = undef, + $group = undef, + $file_mode = undef, + Boolean $show_diff = true, ) { if $content and $source { @@ -75,13 +91,19 @@ $notifies = undef } + $_file_mode = pick($file_mode, $::apache::file_mode) + file { "apache_${name}": - ensure => $ensure, - path => "${confdir}/${_filename}", - content => $content, - source => $source, - require => Package['httpd'], - notify => $notifies, + ensure => $ensure, + path => "${confdir}/${_filename}", + owner => $owner, + group => $group, + mode => $_file_mode, + content => $content, + source => $source, + show_diff => $show_diff, + require => Package['httpd'], + notify => $notifies, } if $ensure == 'present' and $verify_config { diff --git a/manifests/init.pp b/manifests/init.pp index 6846e21d37..1f230e82ac 100755 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -174,6 +174,22 @@ # CGIs/SSIs in REMOTE_HOST.
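Review bot: The new `$owner`, `$group` and `$file_mode` parameters of `apache::custom_config` (hunk `@@ -45,6 +57,10 @@`) are untyped, so a malformed mode is only noticed when the file resource is applied. Since the manifest already relies on stdlib (`pick`), `Optional[Stdlib::Filemode] $file_mode = undef` would reject bad values at compile time, and `$owner`/`$group` could be `Optional[Variant[String, Integer]]`. `show_diff` defaults to `true`, so the `@param show_diff` text should say to set it to `false` when `content` or `source` carries credentials, because the diff ends up in agent logs and reports. The define's body continues outside these hunks.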
# > **Note**: If enabled, it impacts performance significantly. # +# @param ldap_trusted_mode +# The following modes are supported: +# +# NONE - no encryption +# SSL - ldaps:// encryption on default port 636 +# TLS - STARTTLS encryption on default port 389 +# Not all LDAP toolkits support all the above modes. An error message will be logged at +# runtime if a mode is not supported, and the connection to the LDAP server will fail. +# +#If an ldaps:// URL is specified, the mode becomes SSL and the setting of LDAPTrustedMode is ignored. +# +# @param ldap_verify_server_cert +# Specifies whether to force the verification of a server certificate when establishing an SSL +# connection to the LDAP server. +# On|Off +# # @param lib_path # Specifies the location whereApache module files are stored.
# > **Note**: Do not configure this parameter manually without special reason. @@ -468,6 +484,8 @@ $purge_vdir = false, $serveradmin = 'root@localhost', Enum['On', 'Off', 'on', 'off'] $sendfile = 'On', + $ldap_verify_server_cert = undef, + $ldap_trusted_mode = undef, $error_documents = false, $timeout = '60', $httpd_dir = $::apache::params::httpd_dir, @@ -776,6 +794,7 @@ # - $root_directory_secured file { "${::apache::conf_dir}/${::apache::params::conf_file}": ensure => file, + mode => $::apache::file_mode, content => template($conf_template), notify => Class['Apache::Service'], require => [Package['httpd'], Concat[$ports_file]], diff --git a/manifests/mod/auth_openidc.pp b/manifests/mod/auth_openidc.pp new file mode 100644 index 0000000000..36337fd3c4 --- /dev/null +++ b/manifests/mod/auth_openidc.pp @@ -0,0 +1,13 @@ +# @summary +# Installs and configures `mod_auth_openidc`. +# +# @see https://github.com/zmartzone/mod_auth_openidc for additional documentation. +# +class apache::mod::auth_openidc ( +) inherits ::apache::params { + + include ::apache + include ::apache::mod::authz_user + apache::mod { 'auth_openidc': } + +} diff --git a/manifests/mod/autoindex.pp b/manifests/mod/autoindex.pp index 65b0354426..c22d0a00a4 100644 --- a/manifests/mod/autoindex.pp +++ b/manifests/mod/autoindex.pp @@ -6,7 +6,17 @@ class apache::mod::autoindex { include ::apache ::apache::mod { 'autoindex': } - # Template uses no variables + + # Determine icon filename suffix for autoindex.conf.erb + case $::operatingsystem { + 'Debian', 'Ubuntu': { + $icon_suffix = '-20x22' + } + default: { + $icon_suffix = '' + } + } + file { 'autoindex.conf': ensure => file, path => "${::apache::mod_dir}/autoindex.conf", diff --git a/manifests/mod/proxy.pp b/manifests/mod/proxy.pp index b5c7a381a4..154898acbe 100644 --- a/manifests/mod/proxy.pp +++ b/manifests/mod/proxy.pp 
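Review bot: `$ldap_verify_server_cert` and `$ldap_trusted_mode` are added to the class parameters (hunk `@@ -468,6 +484,8 @@` of manifests/init.pp) without data types, although their `@param` text restricts them to On|Off and NONE/SSL/TLS and the neighbouring `$sendfile` is declared as an `Enum`. `Optional[Enum['On', 'Off']] $ldap_verify_server_cert = undef` and `Optional[Enum['NONE', 'SSL', 'TLS']] $ldap_trusted_mode = undef` would catch a mistyped value at catalog compilation instead of at Apache start-up. The `@param ldap_trusted_mode` text could also state that NONE leaves the connection to the LDAP server, including the bind, unencrypted. The class body continues outside the hunk.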
@@ -27,9 +27,10 @@ $apache_version = undef, $package_name = undef, $proxy_via = 'On', - $proxy_timeout = '60', + $proxy_timeout = undef, ) { include ::apache + $_proxy_timeout = $apache::timeout $_apache_version = pick($apache_version, $apache::apache_version) ::apache::mod { 'proxy': package => $package_name, diff --git a/manifests/mod/proxy_html.pp b/manifests/mod/proxy_html.pp index 7cf4695446..730940a4f5 100644 --- a/manifests/mod/proxy_html.pp +++ b/manifests/mod/proxy_html.pp @@ -19,15 +19,28 @@ 'i686' => 'i386', default => $::hardwaremodel, } - $loadfiles = $::apache::params::distrelease ? { - '6' => ['/usr/lib/libxml2.so.2'], - '10' => ['/usr/lib/libxml2.so.2'], - default => ["/usr/lib/${gnu_path}-linux-gnu/libxml2.so.2"], + case $::operatingsystem { + 'Ubuntu': { + $loadfiles = $::apache::params::distrelease ? { + '10' => ['/usr/lib/libxml2.so.2'], + default => ["/usr/lib/${gnu_path}-linux-gnu/libxml2.so.2"], + } + } + 'Debian': { + $loadfiles = $::apache::params::distrelease ? { + '6' => ['/usr/lib/libxml2.so.2'], + default => ["/usr/lib/${gnu_path}-linux-gnu/libxml2.so.2"], + } + } + default: { + $loadfiles = ["/usr/lib/${gnu_path}-linux-gnu/libxml2.so.2"] + } } if versioncmp($::apache::apache_version, '2.4') >= 0 { ::apache::mod { 'xml2enc': } } } + default: { } } ::apache::mod { 'proxy_html': diff --git a/manifests/mod/reqtimeout.pp b/manifests/mod/reqtimeout.pp index 8b4dbed3e0..31587207b4 100644 --- a/manifests/mod/reqtimeout.pp +++ b/manifests/mod/reqtimeout.pp @@ -15,6 +15,7 @@ file { 'reqtimeout.conf': ensure => file, path => "${::apache::mod_dir}/reqtimeout.conf", + mode => $::apache::file_mode, content => template('apache/mod/reqtimeout.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index f7bef39c1d..1bc3edfd83 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp 
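Review bot: In manifests/mod/proxy.pp, `$_proxy_timeout = $apache::timeout` never consults the `$proxy_timeout` parameter, whose default this same hunk changes to `undef`. Unless the template (not visible here) checks `$proxy_timeout` itself, an explicitly passed value is ignored. Following the `pick` pattern used on the next line, `$_proxy_timeout = pick($proxy_timeout, $apache::timeout)` would keep the fallback in one place. The class body continues outside the hunk.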
@@ -2,6 +2,9 @@ # @summary # Installs and configures `mod_security`. # +# @param version +# Manage mod_security or mod_security2 +# # @param logroot # Configures the location of audit and debug logs. # @@ -24,6 +27,12 @@ # Defines which parts of each transaction are going to be recorded in the audit log. Each part is assigned a single letter; when a # letter appears in the list then the equivalent part will be recorded. # +# @param audit_log_type +# Defines the type of audit logging mechanism to be used. +# +# @param audit_log_storage_dir +# Defines the directory where concurrent audit log entries are to be stored. This directive is only needed when concurrent audit logging is used. +# # @param secpcrematchlimit # Sets the match limit in the PCRE library. # @@ -86,12 +95,15 @@ # class apache::mod::security ( $logroot = $::apache::params::logroot, + $version = $::apache::params::modsec_version, $crs_package = $::apache::params::modsec_crs_package, $activated_rules = $::apache::params::modsec_default_rules, $modsec_dir = $::apache::params::modsec_dir, $modsec_secruleengine = $::apache::params::modsec_secruleengine, $audit_log_relevant_status = '^(?:5|4(?!04))', $audit_log_parts = $::apache::params::modsec_audit_log_parts, + $audit_log_type = $::apache::params::modsec_audit_log_type, + $audit_log_storage_dir = undef, $secpcrematchlimit = $::apache::params::secpcrematchlimit, $secpcrematchlimitrecursion = $::apache::params::secpcrematchlimitrecursion, $allowed_methods = 'GET HEAD POST OPTIONS', @@ -127,7 +139,20 @@ fail('SLES 10 is not currently supported.') } - ::apache::mod { 'security': + case $version { + 1: { + $mod_name = 'security' + $mod_conf_name = 'security.conf' + } + 2: { + $mod_name = 'security2' + $mod_conf_name = 'security2.conf' + } + default: { + fail('Unsuported version for mod security') + } + } + ::apache::mod { $mod_name: id => 'security2_module', lib => 'mod_security2.so', } 
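Review bot: The `case $version` added in hunk `@@ -127,7 +139,20 @@` of manifests/mod/security.pp matches only the integers `1` and `2`, while `$version` is declared untyped in the parameter hunk before it, so a string such as `'2'` supplied through Hiera falls through to `fail`. Declaring `Integer[1, 2] $version = $::apache::params::modsec_version` gives a clearer compile-time error. The failure message also has a typo and should read `fail('Unsupported version for mod security')`. `$audit_log_storage_dir` is a directory path and could be `Optional[Stdlib::Absolutepath]`. The class body continues outside these hunks.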
@@ -152,6 +177,8 @@ # - logroot # - $modsec_dir # - $audit_log_parts + # - $audit_log_type + # - $audit_log_storage_dir # - secpcrematchlimit # - secpcrematchlimitrecursion # - secrequestbodylimit @@ -161,7 +188,7 @@ ensure => file, content => template('apache/mod/security.conf.erb'), mode => $::apache::file_mode, - path => "${::apache::mod_dir}/security.conf", + path => "${::apache::mod_dir}/${mod_conf_name}", owner => $::apache::params::user, group => $::apache::params::group, require => Exec["mkdir ${::apache::mod_dir}"], @@ -212,10 +239,10 @@ require => File[$modsec_dir], notify => Class['apache::service'], } - } - # Debian 9 has a different rule setup - unless $::operatingsystem == 'SLES' or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0) or ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '18.04') >= 0) { - apache::security::rule_link { $activated_rules: } + # Debian 9 has a different rule setup + unless $::operatingsystem == 'SLES' or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0) or ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '18.04') >= 0) { + apache::security::rule_link { $activated_rules: } + } } } diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp index 1867a55305..ccfc74eaf1 100644 --- a/manifests/mod/ssl.pp +++ b/manifests/mod/ssl.pp @@ -30,6 +30,9 @@ # # @param ssl_protocol # Configure usable SSL/TLS protocol versions. +# Default based on the OS: +# - RedHat 8: [ 'all' ]. +# - Other Platforms: [ 'all', '-SSLv2', '-SSLv3' ]. # # @param ssl_proxy_protocol # Configure usable SSL protocol flavors for proxy usage. 
@@ -85,7 +88,7 @@ $ssl_ca = undef, $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES', Variant[Boolean, Enum['on', 'off']] $ssl_honorcipherorder = true, - $ssl_protocol = [ 'all', '-SSLv2', '-SSLv3' ], + $ssl_protocol = $::apache::params::ssl_protocol, Array $ssl_proxy_protocol = [], $ssl_pass_phrase_dialog = 'builtin', $ssl_random_seed_bytes = '512', @@ -159,7 +162,7 @@ if defined(Class['::apache::mod::worker']){ $suse_path = '/usr/lib64/apache2-worker' } else { - $suse_path = '/usr/lib64/apache2-worker' + $suse_path = '/usr/lib64/apache2-prefork' } ::apache::mod { 'ssl': package => $package_name, diff --git a/manifests/mod/userdir.pp b/manifests/mod/userdir.pp index cd0359e820..d564e07fbf 100644 --- a/manifests/mod/userdir.pp +++ b/manifests/mod/userdir.pp @@ -21,6 +21,12 @@ # # @param options # Configures what features are available in a particular directory. +# +# @param unmanaged_path +# Toggles whether to manage path in userdir.conf +# +# @param custom_fragment +# Custom configuration to be added to userdir.conf # # @see https://httpd.apache.org/docs/current/mod/mod_userdir.html for additional documentation. # @@ -32,6 +38,8 @@ $path = '/home/*/public_html', $overrides = [ 'FileInfo', 'AuthConfig', 'Limit', 'Indexes' ], $options = [ 'MultiViews', 'Indexes', 'SymLinksIfOwnerMatch', 'IncludesNoExec' ], + $unmanaged_path = false, + $custom_fragment = undef, ) { include ::apache $_apache_version = pick($apache_version, $apache::apache_version) diff --git a/manifests/mpm.pp b/manifests/mpm.pp index 270c89b54e..d988b36238 100644 --- a/manifests/mpm.pp +++ b/manifests/mpm.pp 
@@ -84,13 +84,10 @@ } } + if $mpm == 'itk' { if ( ( $::operatingsystem == 'Ubuntu' ) or ( ($::operatingsystem == 'Debian') and ( versioncmp($::operatingsystemrelease, '8.0.0') >= 0 ) ) ) { - ensure_resource('exec', '/usr/sbin/a2dismod mpm_event', { - onlyif => "/usr/bin/test -e ${apache::mod_enable_dir}/mpm_event.load", - require => Package['httpd'], - before => Class['apache::service'], - }) + include apache::mpm::disable_mpm_event } package { 'libapache2-mpm-itk': @@ -104,11 +101,15 @@ if $mpm == 'prefork' { if ( ( $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease,'18.04') >= 0 ) or ( $::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9.0.0') >= 0 ) ) { - ensure_resource('exec', '/usr/sbin/a2dismod mpm_event', { - onlyif => "/usr/bin/test -e ${apache::mod_enable_dir}/mpm_event.load", - require => Package['httpd'], - before => Class['apache::service'], - }) + include apache::mpm::disable_mpm_event + include apache::mpm::disable_mpm_worker + } + } + + if $mpm == 'worker' { + if ( ( $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease,'18.04') >= 0 ) or ( $::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8.0.0') >= 0 ) ) { + include apache::mpm::disable_mpm_event + include apache::mpm::disable_mpm_prefork } } diff --git a/manifests/mpm/disable_mpm_event.pp b/manifests/mpm/disable_mpm_event.pp new file mode 100644 index 0000000000..10d22412db --- /dev/null +++ b/manifests/mpm/disable_mpm_event.pp @@ -0,0 +1,8 @@ +class apache::mpm::disable_mpm_event { + exec { '/usr/sbin/a2dismod event': + onlyif => "/usr/bin/test -e ${apache::mod_enable_dir}/event.load", + require => Package['httpd'], + before => Class['apache::service'], + } + +} diff --git a/manifests/mpm/disable_mpm_prefork.pp b/manifests/mpm/disable_mpm_prefork.pp new file mode 100644 index 0000000000..d7ff8aade6 --- /dev/null +++ b/manifests/mpm/disable_mpm_prefork.pp 
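Review bot: The new `apache::mpm::disable_mpm_event` class runs `/usr/sbin/a2dismod event` guarded by `test -e ${apache::mod_enable_dir}/event.load`, whereas the exec it replaces in manifests/mpm.pp ran `a2dismod mpm_event` and tested `mpm_event.load`. If the distribution package enables the MPM under the `mpm_event` name, the guard never matches and the event MPM stays enabled next to the selected one; please confirm which file name exists on the targeted Debian/Ubuntu releases, or keep the `mpm_` prefix. The same naming is used by the `disable_mpm_prefork` and `disable_mpm_worker` classes added right after. All three read `${apache::mod_enable_dir}` without `include apache` and have no `@summary`, which is why REFERENCE.md only gets a placeholder description for them.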
@@ -0,0 +1,8 @@ +class apache::mpm::disable_mpm_prefork { + exec { '/usr/sbin/a2dismod prefork': + onlyif => "/usr/bin/test -e ${apache::mod_enable_dir}/prefork.load", + require => Package['httpd'], + before => Class['apache::service'], + } + +} diff --git a/manifests/mpm/disable_mpm_worker.pp b/manifests/mpm/disable_mpm_worker.pp new file mode 100644 index 0000000000..414e7f58dc --- /dev/null +++ b/manifests/mpm/disable_mpm_worker.pp @@ -0,0 +1,8 @@ +class apache::mpm::disable_mpm_worker { + exec { '/usr/sbin/a2dismod worker': + onlyif => "/usr/bin/test -e ${apache::mod_enable_dir}/worker.load", + require => Package['httpd'], + before => Class['apache::service'], + } + +} diff --git a/manifests/params.pp b/manifests/params.pp index 147f9bed53..76a732e592 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -35,6 +35,7 @@ $vhost_include_pattern = '*' $modsec_audit_log_parts = 'ABIJDEFHZ' + $modsec_audit_log_type = 'Serial' # no client certs should be trusted for auth by default. $ssl_certs_dir = undef @@ -120,6 +121,7 @@ $mellon_lock_file = '/run/mod_auth_mellon/lock' $mellon_cache_size = 100 $mellon_post_directory = undef + $modsec_version = 1 $modsec_crs_package = 'mod_security_crs' $modsec_crs_path = '/usr/lib/modsecurity.d' $modsec_dir = '/etc/httpd/modsecurity.d' @@ -194,13 +196,17 @@ $suphp_addhandler = 'php5-script' $suphp_engine = 'off' $suphp_configpath = undef - $php_version = '5' + $php_version = $facts['operatingsystemmajrelease'] ? { + '8' => '7', # RedHat8 + default => '5', # RedHat5, RedHat6, RedHat7 + } $mod_packages = { # NOTE: The auth_cas module isn't available on RH/CentOS without providing dependency packages provided by EPEL. 'auth_cas' => 'mod_auth_cas', 'auth_kerb' => 'mod_auth_kerb', 'auth_gssapi' => 'mod_auth_gssapi', 'auth_mellon' => 'mod_auth_mellon', + 'auth_openidc' => 'mod_auth_openidc', 'authnz_ldap' => $::apache::version::distrelease ? { '7' => 'mod_ldap', default => 'mod_authz_ldap', 
@@ -214,10 +220,7 @@ 'fcgid' => 'mod_fcgid', 'geoip' => 'mod_geoip', 'intercept_form_submit' => 'mod_intercept_form_submit', - 'ldap' => $::apache::version::distrelease ? { - '7' => 'mod_ldap', - default => undef, - }, + 'ldap' => 'mod_ldap', 'lookup_identity' => 'mod_lookup_identity', 'pagespeed' => 'mod-pagespeed-stable', # NOTE: The passenger module isn't available on RH/CentOS without @@ -275,6 +278,7 @@ $mellon_lock_file = '/run/mod_auth_mellon/lock' $mellon_cache_size = 100 $mellon_post_directory = undef + $modsec_version = 1 $modsec_crs_package = 'mod_security_crs' $modsec_crs_path = '/usr/lib/modsecurity.d' $modsec_dir = '/etc/httpd/modsecurity.d' @@ -341,6 +345,7 @@ $mod_packages = { 'auth_cas' => 'libapache2-mod-auth-cas', 'auth_kerb' => 'libapache2-mod-auth-kerb', + 'auth_openidc' => 'libapache2-mod-auth-openidc', 'auth_gssapi' => 'libapache2-mod-auth-gssapi', 'auth_mellon' => 'libapache2-mod-auth-mellon', 'authnz_pam' => 'libapache2-mod-authnz-pam', @@ -349,6 +354,7 @@ 'fcgid' => 'libapache2-mod-fcgid', 'geoip' => 'libapache2-mod-geoip', 'intercept_form_submit' => 'libapache2-mod-intercept-form-submit', + 'jk' => 'libapache2-mod-jk', 'lookup_identity' => 'libapache2-mod-lookup-identity', 'nss' => 'libapache2-mod-nss', 'pagespeed' => 'mod-pagespeed-stable', 
@@ -364,12 +370,16 @@ 'wsgi' => 'libapache2-mod-wsgi', 'xsendfile' => 'libapache2-mod-xsendfile', } - } elsif ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0) { - # Debian stretch uses a different dav_svn from Ubuntu Xenial - $php_version = '7.0' + } elsif ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0) or ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '18.04') >= 0) { + $php_version = $facts['operatingsystemmajrelease'] ? { + '9' => '7.0', # Debian Stretch + '10' => '7.3', # Debian Buster + default => '7.2', # Ubuntu Bionic, Cosmic and Disco + } $mod_packages = { 'auth_cas' => 'libapache2-mod-auth-cas', 'auth_kerb' => 'libapache2-mod-auth-kerb', + 'auth_openidc' => 'libapache2-mod-auth-openidc', 'auth_gssapi' => 'libapache2-mod-auth-gssapi', 'auth_mellon' => 'libapache2-mod-auth-mellon', 'authnz_pam' => 'libapache2-mod-authnz-pam', 
@@ -378,34 +388,7 @@ 'fcgid' => 'libapache2-mod-fcgid', 'geoip' => 'libapache2-mod-geoip', 'intercept_form_submit' => 'libapache2-mod-intercept-form-submit', - 'lookup_identity' => 'libapache2-mod-lookup-identity', - 'nss' => 'libapache2-mod-nss', - 'pagespeed' => 'mod-pagespeed-stable', - 'passenger' => 'libapache2-mod-passenger', - 'perl' => 'libapache2-mod-perl2', - 'phpXXX' => 'libapache2-mod-phpXXX', - 'python' => 'libapache2-mod-python', - 'rpaf' => 'libapache2-mod-rpaf', - 'security' => 'libapache2-mod-security2', - 'shib2' => 'libapache2-mod-shib2', - 'suphp' => 'libapache2-mod-suphp', - 'wsgi' => 'libapache2-mod-wsgi', - 'xsendfile' => 'libapache2-mod-xsendfile', - } - } elsif ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '18.04') >= 0) { - # major.minor version used since Debian stretch and Ubuntu Xenial - $php_version = '7.2' # different to Ubuntu 16.04 - # fastcgi and suphp got removed from #mod_packages, they aren't supported anymore - $mod_packages = { - 'auth_cas' => 'libapache2-mod-auth-cas', - 'auth_kerb' => 'libapache2-mod-auth-kerb', - 'auth_gssapi' => 'libapache2-mod-auth-gssapi', - 'auth_mellon' => 'libapache2-mod-auth-mellon', - 'authnz_pam' => 'libapache2-mod-authnz-pam', - 'dav_svn' => 'libapache2-mod-svn', # different to Ubuntu16.04 - 'fcgid' => 'libapache2-mod-fcgid', - 'geoip' => 'libapache2-mod-geoip', - 'intercept_form_submit' => 'libapache2-mod-intercept-form-submit', + 'jk' => 'libapache2-mod-jk', 'lookup_identity' => 'libapache2-mod-lookup-identity', 'nss' => 'libapache2-mod-nss', 'pagespeed' => 'mod-pagespeed-stable', 
@@ -420,11 +403,12 @@ 'xsendfile' => 'libapache2-mod-xsendfile', } } else { - # major.minor version used since Debian stretch and Ubuntu Xenial + # Ubuntu Xenial $php_version = '7.0' $mod_packages = { 'auth_cas' => 'libapache2-mod-auth-cas', 'auth_kerb' => 'libapache2-mod-auth-kerb', + 'auth_openidc' => 'libapache2-mod-auth-openidc', 'auth_gssapi' => 'libapache2-mod-auth-gssapi', 'auth_mellon' => 'libapache2-mod-auth-mellon', 'authnz_pam' => 'libapache2-mod-authnz-pam', @@ -433,6 +417,7 @@ 'fcgid' => 'libapache2-mod-fcgid', 'geoip' => 'libapache2-mod-geoip', 'intercept_form_submit' => 'libapache2-mod-intercept-form-submit', + 'jk' => 'libapache2-mod-jk', 'lookup_identity' => 'libapache2-mod-lookup-identity', 'nss' => 'libapache2-mod-nss', 'pagespeed' => 'mod-pagespeed-stable', @@ -453,8 +438,10 @@ $access_log_file = 'access.log' if $::osfamily == 'Debian' and versioncmp($::operatingsystemrelease, '8') < 0 { $shib2_lib = 'mod_shib_22.so' - } else { + } elsif ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '19.04') < 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '10') < 0) { $shib2_lib = 'mod_shib2.so' + } else { + $shib2_lib = 'mod_shib.so' } $mod_libs = { 'shib2' => $shib2_lib, @@ -476,6 +463,7 @@ $mellon_lock_file = undef $mellon_cache_size = undef $mellon_post_directory = '/var/cache/apache2/mod_auth_mellon/' + $modsec_version = 1 $modsec_crs_package = 'modsecurity-crs' $modsec_crs_path = '/usr/share/modsecurity-crs' $modsec_dir = '/etc/modsecurity' @@ -596,6 +584,7 @@ # NOTE: not sure where the shibboleth should come from 'auth_kerb' => 'www/mod_auth_kerb2', 'auth_gssapi' => 'www/mod_auth_gssapi', + 'auth_openidc'=> 'www/mod_auth_openidc', 'fcgid' => 'www/mod_fcgid', 'passenger' => 'www/rubygem-passenger', 'perl' => 'www/mod_perl2', 
@@ -772,6 +761,7 @@ $alias_icons_path = '/usr/share/apache2/icons' $error_documents_path = '/usr/share/apache2/error' $dev_packages = ['libapr-util1-devel', 'libapr1-devel', 'libcurl-devel'] + $modsec_version = 1 $modsec_crs_package = undef $modsec_crs_path = undef $modsec_default_rules = undef @@ -808,4 +798,10 @@ } else { $verify_command = '/usr/sbin/apachectl -t' } + + if $::osfamily == 'RedHat' and versioncmp($::operatingsystemrelease, '8.0') >= 0 { + $ssl_protocol = ['all'] # Implementations of the SSLv2 and SSLv3 protocol versions have been removed from OpenSSL (and hence mod_ssl) because these are no longer considered secure. For additional documentation https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/setting-apache-web-server_deploying-different-types-of-servers + } else { + $ssl_protocol = [ 'all', '-SSLv2', '-SSLv3' ] + } } diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 5323fd87e9..ceda18073c 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp 
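Review bot: The condition `$::osfamily == 'RedHat' and versioncmp($::operatingsystemrelease, '8.0') >= 0` at the end of manifests/params.pp is wider than the "RedHat 8" named in the documentation: it is true for every RedHat-family system whose release string compares at or above 8.0, which presumably includes Fedora and distributions with date-style releases. On those systems the explicit `-SSLv2`/`-SSLv3` exclusions are dropped, and whether SSLv3 stays disabled then depends on how their OpenSSL was built. Restricting the test to the distributions known to ship OpenSSL without SSLv3, for example by also checking `$::operatingsystem`, keeps the explicit exclusions everywhere else. The long trailing comment would read better as comment lines above the assignment. The class body starts outside the hunk.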
@@ -216,6 +216,23 @@ # parameters has a value. If none of these parameters has a value, given a virtual host # `example.com`, Puppet defaults to `$logroot/example.com_error_ssl.log` for SSL virtual # hosts and `$logroot/example.com_error.log` for non-SSL virtual hosts. +# +# @param error_log_format +# Sets the [ErrorLogFormat](https://httpd.apache.org/docs/current/mod/core.html#errorlogformat) +# format specification for error log entries inside virtual host +# For example: +# ``` puppet +# apache::vhost { 'site.name.fdqn': +# ... +# error_log_format => [ +# '[%{uc}t] [%-m:%-l] [R:%L] [C:%{C}L] %7F: %E: %M', +# { '[%{uc}t] [R:%L] Request %k on C:%{c}L pid:%P tid:%T' => 'request' }, +# { "[%{uc}t] [R:%L] UA:'%+{User-Agent}i'" => 'request' }, +# { "[%{uc}t] [R:%L] Referer:'%+{Referer}i'" => 'request' }, +# { '[%{uc}t] [C:%{c}L] local\ %a remote\ %A' => 'connection' }, +# ], +# } +# ``` # # @param error_documents # A list of hashes which can be used to override the 
@@ -1622,6 +1639,46 @@ # Specifies whether to use the [`UseCanonicalName directive`](https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname), # which allows you to configure how the server determines it's own name and port. # +# @param define +# this lets you define configuration variables inside a vhost using [`Define`](https://httpd.apache.org/docs/2.4/mod/core.html#define), +# these can then be used to replace configuration values. All Defines are Undefined at the end of the VirtualHost. +# +# @param auth_oidc +# Enable `mod_auth_openidc` parameters for OpenID Connect authentication. +# +# @param oidc_settings +# An Apache::OIDCSettings Struct containing (mod_auth_openidc settings)[https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf]. +# +# @param limitreqfields +# The `limitreqfields` parameter sets the maximum number of request header fields in +# an HTTP request. This directive gives the server administrator greater control over +# abnormal client request behavior, which may be useful for avoiding some forms of +# denial-of-service attacks. The value should be increased if normal clients see an error +# response from the server that indicates too many fields were sent in the request. +# +# @param limitreqfieldsize +# The `limitreqfieldsize` parameter sets the maximum ammount of _bytes_ that will +# be allowed within a request header. +# +# @param limitreqline +# Limit the size of the HTTP request line that will be accepted from the client +# This directive sets the number of bytes that will be allowed on the HTTP +# request-line. The LimitRequestLine directive allows the server administrator +# to set the limit on the allowed size of a client's HTTP request-line. Since +# the request-line consists of the HTTP method, URI, and protocol version, the +# LimitRequestLine directive places a restriction on the length of a request-URI +# allowed for a request on the server. 
A server needs this value to be large +# enough to hold any of its resource names, including any information that might +# be passed in the query part of a GET request. +# +# @param limitreqbody +# Restricts the total size of the HTTP request body sent from the client +# The LimitRequestBody directive allows the user to set a limit on the allowed +# size of an HTTP request message body within the context in which the +# directive is given (server, per-directory, per-file or per-location). If the +# client request exceeds that limit, the server will return an error response +# instead of servicing the request. +# define apache::vhost( Variant[Boolean,String] $docroot, $manage_docroot = true, @@ -1692,6 +1749,14 @@ $error_log_file = undef, $error_log_pipe = undef, $error_log_syslog = undef, + Optional[ + Array[ + Variant[ + String, + Hash[String, Enum['connection', 'request']] + ] + ] + ] $error_log_format = undef, Optional[Pattern[/^((Strict|Unsafe)?\s*(\b(Registered|Lenient)Methods)?\s*(\b(Allow0\.9|Require1\.0))?)$/]] $http_protocol_options = undef, $modsec_audit_log = undef, $modsec_audit_log_file = undef, @@ -1700,11 +1765,16 @@ Optional[Variant[Stdlib::Absolutepath, Enum['disabled']]] $fallbackresource = undef, $scriptalias = undef, $scriptaliases = [], + Optional[Integer] $limitreqfieldsize = undef, + Optional[Integer] $limitreqfields = undef, + Optional[Integer] $limitreqline = undef, + Optional[Integer] $limitreqbody = undef, $proxy_dest = undef, $proxy_dest_match = undef, $proxy_dest_reverse_match = undef, $proxy_pass = undef, $proxy_pass_match = undef, + Boolean $proxy_requests = false, $suphp_addhandler = $::apache::params::suphp_addhandler, Enum['on', 'off'] $suphp_engine = $::apache::params::suphp_engine, $suphp_configpath = $::apache::params::suphp_configpath, 
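Review bot: `Boolean $proxy_requests = false` is added to `apache::vhost` (hunk `@@ -1700,11 +1765,16 @@` of manifests/vhost.pp) without a matching `@param` entry, so its generated REFERENCE.md section is empty. The parameter presumably maps to the ProxyRequests directive, which turns the vhost into a forward proxy, so the doc should say that and point at access control: `# @param proxy_requests` followed by `#   Whether to enable forward proxy requests. Leave false unless access to the proxy is restricted.` The new `limitreq*` parameters could be `Optional[Integer[0]]` so negative values are rejected at compile time. The define continues outside these hunks.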
@@ -1849,6 +1919,9 @@ Optional[String] $shib_compat_valid_user = undef, Optional[Enum['On', 'on', 'Off', 'off', 'DNS', 'dns']] $use_canonical_name = undef, Optional[Variant[String,Array[String]]] $comment = undef, + Hash $define = {}, + Boolean $auth_oidc = false, + Optional[Apache::OIDCSettings] $oidc_settings = undef, ) { # The base class must be included first because it is used by parameter defaults @@ -1895,6 +1968,10 @@ include ::apache::mod::auth_kerb } + if $auth_oidc and $ensure == 'present' { + include ::apache::mod::auth_openidc + } + if $virtual_docroot { include ::apache::mod::vhost_alias } @@ -1988,6 +2065,13 @@ } } + if versioncmp($apache_version, '2.4') >= 0 { + $error_log_format24 = $error_log_format + } + else { + $error_log_format24 = undef + } + if $modsec_audit_log == false { $modsec_audit_log_destination = undef } elsif $modsec_audit_log_file { @@ -2275,6 +2359,7 @@ # Template uses: # - $error_log + # - $error_log_format24 # - $log_level # - $error_log_destination # - $log_level @@ -2359,6 +2444,24 @@ } } + # Template uses: + # - $ssl_proxyengine + # - $ssl_proxy_verify + # - $ssl_proxy_verify_depth + # - $ssl_proxy_ca_cert + # - $ssl_proxy_check_peer_cn + # - $ssl_proxy_check_peer_name + # - $ssl_proxy_check_peer_expire + # - $ssl_proxy_machine_cert + # - $ssl_proxy_protocol + if $ssl_proxyengine { + concat::fragment { "${name}-sslproxy": + target => "${priority_real}${filename}.conf", + order => 160, + content => template('apache/vhost/_sslproxy.erb'), + } + } + # Template uses: # - $proxy_dest # - $proxy_pass @@ -2369,7 +2472,7 @@ if $proxy_dest or $proxy_pass or $proxy_pass_match or $proxy_dest_match or $proxy_preserve_host { concat::fragment { "${name}-proxy": target => "${priority_real}${filename}.conf", - order => 160, + order => 170, content => template('apache/vhost/_proxy.erb'), } } 
@@ -2468,24 +2571,6 @@ } } - # Template uses: - # - $ssl_proxyengine - # - $ssl_proxy_verify - # - $ssl_proxy_verify_depth - # - $ssl_proxy_ca_cert - # - $ssl_proxy_check_peer_cn - # - $ssl_proxy_check_peer_name - # - $ssl_proxy_check_peer_expire - # - $ssl_proxy_machine_cert - # - $ssl_proxy_protocol - if $ssl_proxyengine { - concat::fragment { "${name}-sslproxy": - target => "${priority_real}${filename}.conf", - order => 230, - content => template('apache/vhost/_sslproxy.erb'), - } - } - # Template uses: # - $auth_kerb # - $krb_method_negotiate @@ -2699,6 +2784,17 @@ } } + # Template uses: + # - $auth_oidc + # - $oidc_settings + if $auth_oidc { + concat::fragment { "${name}-auth_oidc": + target => "${priority_real}${filename}.conf", + order => 360, + content => template('apache/vhost/_auth_oidc.erb'), + } + } + # Template uses: # - $shib_compat_valid_user if $shibboleth_enabled { diff --git a/manifests/vhost/fragment.pp b/manifests/vhost/fragment.pp new file mode 100644 index 0000000000..e5b33184b0 --- /dev/null +++ b/manifests/vhost/fragment.pp 
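Review bot: The `if $auth_oidc` block added to `apache::vhost` at `@@ -2699,6 +2784,17 @@` emits the `_auth_oidc.erb` fragment even when `$oidc_settings` is left at its default of `undef`, so a vhost can be declared with OIDC enabled and no settings supplied. The template is not shown here, so what it renders in that case is unclear, but failing at compile time is safer than writing an authentication fragment with nothing in it. A guard before the fragment would do it: `if $auth_oidc and !$oidc_settings { fail("apache::vhost ${name}: auth_oidc requires oidc_settings") }`. The body of the define continues outside the hunk.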
@@ -0,0 +1,80 @@ +# @summary Define a fragment within a vhost +# +# @param vhost +# The title of the vhost resource to append to +# +# @param priority +# Set the priority to match the one `apache::vhost` sets. This must match the +# one `apache::vhost` sets or else the concat fragment won't be found. +# +# @param content +# The content to put in the fragment. Only when it's non-empty the actual +# fragment will be created. +# +# @param order +# The order to insert the fragment at +# +# @example With a vhost without priority +# include apache +# apache::vhost { 'myvhost': +# } +# apache::vhost::fragment { 'myfragment': +# vhost => 'myvhost', +# content => '# Foo', +# } +# +# @example With a vhost with priority +# include apache +# apache::vhost { 'myvhost': +# priority => '42', +# } +# apache::vhost::fragment { 'myfragment': +# vhost => 'myvhost', +# priority => '42', +# content => '# Foo', +# } +# +# @example With a vhost with default vhost +# include apache +# apache::vhost { 'myvhost': +# default_vhost => true, +# } +# apache::vhost::fragment { 'myfragment': +# vhost => 'myvhost', +# priority => '10', # default_vhost implies priority 10 +# content => '# Foo', +# } +# +# @example Adding a fragment to the built in default vhost +# include apache +# apache::vhost::fragment { 'myfragment': +# vhost => 'default', +# priority => '15', +# content => '# Foo', +# } +# +define apache::vhost::fragment( + String[1] $vhost, + $priority = undef, + Optional[String] $content = undef, + Integer[0] $order = 900, +) { + # This copies the logic from apache::vhost + if $priority { + $priority_real = "${priority}-" + } elsif $priority == false { + $priority_real = '' + } else { + $priority_real = '25-' + } + + $filename = regsubst($vhost, ' ', '_', 'G') + + if $content =~ String[1] { + concat::fragment { "${vhost}-${title}": + target => "${priority_real}${filename}.conf", + order => $order, + content => $content, + } + } +} 
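Review bot: `$priority` in `apache::vhost::fragment` has no data type, although the body only distinguishes a truthy value, `false` and unset. An array or hash would be interpolated into the concat target name and produce a target that matches no vhost file. Declaring it as `Optional[Variant[Boolean, Integer, String]] $priority = undef,` (or whatever `apache::vhost` accepts, which is not visible here) rejects that at compile time. The `@param content` text should also state that the string is written into the vhost configuration verbatim, with no validation or escaping, so any data source feeding it needs the same trust as the manifest itself. Since the priority logic is a copy of the one in `apache::vhost`, the comment `# This copies the logic from apache::vhost` should say that the two must be changed together.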
diff --git a/metadata.json b/metadata.json index ba17c5f933..62dbdab48b 100644 --- a/metadata.json +++ b/metadata.json @@ -1,10 +1,10 @@ { "name": "puppetlabs-apache", - "version": "5.0.0", + "version": "5.4.0", "author": "puppetlabs", "summary": "Installs, configures, and manages Apache virtual hosts, web services, and modules.", "license": "Apache-2.0", - "source": "git://github.com/puppetlabs/puppetlabs-apache.git", + "source": "https://github.com/puppetlabs/puppetlabs-apache", "project_page": "https://github.com/puppetlabs/puppetlabs-apache", "issues_url": "https://tickets.puppetlabs.com/browse/MODULES", "dependencies": [ @@ -23,7 +23,8 @@ "operatingsystemrelease": [ "5", "6", - "7" + "7", + "8" ] }, { @@ -31,7 +32,8 @@ "operatingsystemrelease": [ "5", "6", - "7" + "7", + "8" ] }, { @@ -52,7 +54,8 @@ "operatingsystem": "Debian", "operatingsystemrelease": [ "8", - "9" + "9", + "10" ] }, { @@ -79,7 +82,7 @@ } ], "description": "Module for Apache configuration", - "pdk-version": "1.10.0", + "pdk-version": "1.17.0", "template-url": "https://github.com/puppetlabs/pdk-templates#master", - "template-ref": "heads/master-0-gf778803" + "template-ref": "1.17.0-0-gd3a4319" } diff --git a/provision.yaml b/provision.yaml new file mode 100644 index 0000000000..7ba151cf0f --- /dev/null +++ b/provision.yaml 
@@ -0,0 +1,22 @@ +--- +default: + provisioner: docker + images: ['litmusimage/debian:8'] +vagrant: + provisioner: vagrant + images: ['centos/7', 'generic/ubuntu1804'] +travis_deb: + provisioner: docker + images: ['litmusimage/debian:8', 'litmusimage/debian:9', 'litmusimage/debian:10'] +travis_ub: + provisioner: docker + images: ['litmusimage/ubuntu:14.04', 'litmusimage/ubuntu:16.04', 'litmusimage/ubuntu:18.04'] +travis_el6: + provisioner: docker + images: [] +travis_el7: + provisioner: docker + images: ['litmusimage/centos:7', 'litmusimage/oraclelinux:7', 'litmusimage/scientificlinux:7'] +release_checks: + provisioner: vmpooler + images: ['redhat-5-x86_64', 'redhat-6-x86_64', 'redhat-7-x86_64', 'redhat-8-x86_64', 'centos-5-x86_64', 'centos-6-x86_64', 'centos-7-x86_64', 'centos-8-x86_64', 'oracle-6-x86_64', 'oracle-7-x86_64', 'scientific-6-x86_64', 'scientific-7-x86_64', 'debian-8-x86_64', 'debian-9-x86_64', 'debian-10-x86_64', 'ubuntu-1404-x86_64', 'ubuntu-1604-x86_64', 'ubuntu-1804-x86_64', 'sles-11-x86_64', 'sles-12-x86_64', 'sles-15-x86_64'] diff --git a/spec/acceptance/apache_parameters_spec.rb b/spec/acceptance/apache_parameters_spec.rb old mode 100755 new mode 100644 index 98c7dd2ee4..345e359776 --- a/spec/acceptance/apache_parameters_spec.rb +++ b/spec/acceptance/apache_parameters_spec.rb @@ -1,6 +1,5 @@ require 'spec_helper_acceptance' -require_relative './version.rb' - +apache_hash = apache_settings_hash describe 'apache parameters' do # Currently this test only does something on FreeBSD. describe 'default_confd_files => false' do @@ -9,8 +8,8 @@ apply_manifest(pp, catch_failures: true) end - if host_inventory['facter']['os']['family'] == 'FreeBSD' - describe file("#{$confd_dir}/no-accf.conf.erb") do + if os[:family] == 'freebsd' + describe file("#{apache_hash['confd_dir']}/no-accf.conf.erb") do it { is_expected.not_to be_file } end end 
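Review bot: Every entry under `images:` in provision.yaml is a mutable tag or box name (`'litmusimage/debian:8'`, `'centos/7'`), so what the acceptance jobs boot can change without any change in this repository. If the provisioner accepts digest references, pinning the Docker images in the form `'litmusimage/debian@sha256:<digest>'` makes runs reproducible and limits exposure to a replaced upstream image. Where pinning is not possible, a comment at the top of the file should record that the images are unpinned by choice. `travis_el6` is declared with `images: []`; a comment saying why the set is empty would keep it from being read as an omission.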
@@ -21,8 +20,8 @@ apply_manifest(pp, catch_failures: true) end - if host_inventory['facter']['os']['family'] == 'FreeBSD' - describe file("#{$confd_dir}/no-accf.conf.erb") do + if os[:family] == 'freebsd' + describe file("#{apache_hash['confd_dir']}/no-accf.conf.erb") do it { is_expected.to be_file } end end @@ -34,7 +33,7 @@ apply_manifest(pp, catch_failures: true) end - describe file($ports_file) do + describe file(apache_hash['ports_file']) do it { is_expected.to be_file } it { is_expected.to contain 'Listen 10.1.1.1' } end @@ -52,15 +51,9 @@ class { 'apache': apply_manifest(pp, catch_failures: true) end - describe service($service_name) do + describe service(apache_hash['service_name']), skip: 'FM-8483' do it { is_expected.to be_running } - if host_inventory['facter']['os']['name'] == 'debian' && os[:release][0] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif host_inventory['facter']['os']['name'] == 'sles' && os[:release][0..1] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + it { is_expected.to be_enabled } end end @@ -75,15 +68,9 @@ class { 'apache': apply_manifest(pp, catch_failures: true) end - describe service($service_name) do + describe service(apache_hash['service_name']), skip: 'FM-8483' do it { is_expected.not_to be_running } - if host_inventory['facter']['os']['name'] == 'debian' && os[:release][0] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif host_inventory['facter']['os']['name'] == 'sles' && os[:release][0..1] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.not_to be_enabled } - end + it { is_expected.not_to be_enabled } end end 
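Review bot: Tagging the whole `describe service(...)` block with `skip: 'FM-8483'` at `@@ -52,15 +51,9 @@` switches off the `be_running` assertion as well as `be_enabled`, on every platform. The removed code only marked `be_enabled` pending on Debian 8 and SLES 15, so these blocks no longer verify anything about the service state after the manifest is applied. The same tag is added to the other service blocks in this file and in class_spec.rb, default_mods_spec.rb and itk_spec.rb. If only the enabled check is unreliable, put the tag on that example alone, `it('is enabled', skip: 'FM-8483') { is_expected.to be_enabled }`, and add a comment saying what FM-8483 tracks so the skip can be lifted.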
@@ -99,19 +86,13 @@ class { 'apache': apply_manifest(pp, catch_failures: true) end - describe service($service_name) do + describe service(apache_hash['service_name']), skip: 'FM-8483' do it { is_expected.not_to be_running } - if host_inventory['facter']['os']['name'] == 'debian' && os[:release][0] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif host_inventory['facter']['os']['name'] == 'sles' && os[:release][0..1] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.not_to be_enabled } - end + it { is_expected.not_to be_enabled } end end - if host_inventory['facter']['os']['family'] == 'Debian' + if os[:family] == 'debian' describe 'conf_enabled => /etc/apache2/conf-enabled' do pp = <<-MANIFEST class { 'apache': @@ -120,7 +101,7 @@ class { 'apache': } MANIFEST it 'applies cleanly' do - shell('touch /etc/apache2/conf-enabled/test.conf') + run_shell('touch /etc/apache2/conf-enabled/test.conf') apply_manifest(pp, catch_failures: true) end 
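Review bot: `if os[:family] == 'debian'` at `@@ -99,19 +86,13 @@` is not equivalent to the facter check it replaces. Other specs in this change treat `'ubuntu'` as its own family value (`when 'debian', 'ubuntu'` in itk_spec.rb, `os[:family] == 'ubuntu'` in mod_php_spec.rb), whereas the old `['os']['family'] == 'Debian'` test was presumably true on Ubuntu as well. If so, the `conf_enabled` block stops running on Ubuntu, and the `if os[:family] != 'debian'` guard in the following hunk (`@@ -141,44 +122,44 @@`) starts running the purge test there. If the Debian-family meaning is intended, use `if %w[debian ubuntu].include?(os[:family])` here and `unless %w[debian ubuntu].include?(os[:family])` in the purge block.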
@@ -141,44 +122,44 @@ class { 'apache': class { 'apache': purge_configs => false, purge_vhost_dir => false, - vhost_dir => "#{$confd_dir}.vhosts" + vhost_dir => "#{apache_hash['confd_dir']}.vhosts" } MANIFEST it 'applies cleanly' do - shell("touch #{$confd_dir}/test.conf") - shell("mkdir -p #{$confd_dir}.vhosts && touch #{$confd_dir}.vhosts/test.conf") + run_shell("touch #{apache_hash['confd_dir']}/test.conf") + run_shell("mkdir -p #{apache_hash['confd_dir']}.vhosts && touch #{apache_hash['confd_dir']}.vhosts/test.conf") apply_manifest(pp, catch_failures: true) end # Ensure the files didn't disappear. - describe file("#{$confd_dir}/test.conf") do + describe file("#{apache_hash['confd_dir']}/test.conf") do it { is_expected.to be_file } end - describe file("#{$confd_dir}.vhosts/test.conf") do + describe file("#{apache_hash['confd_dir']}.vhosts/test.conf") do it { is_expected.to be_file } end end - if host_inventory['facter']['os']['family'] != 'Debian' + if os[:family] != 'debian' describe 'purge parameters => true' do pp = <<-MANIFEST class { 'apache': purge_configs => true, purge_vhost_dir => true, - vhost_dir => "#{$confd_dir}.vhosts" + vhost_dir => "#{apache_hash['confd_dir']}.vhosts" } MANIFEST it 'applies cleanly' do - shell("touch #{$confd_dir}/test.conf") - shell("mkdir -p #{$confd_dir}.vhosts && touch #{$confd_dir}.vhosts/test.conf") + run_shell("touch #{apache_hash['confd_dir']}/test.conf") + run_shell("mkdir -p #{apache_hash['confd_dir']}.vhosts && touch #{apache_hash['confd_dir']}.vhosts/test.conf") apply_manifest(pp, catch_failures: true) end # File should be gone - describe file("#{$confd_dir}/test.conf") do + describe file("#{apache_hash['confd_dir']}/test.conf") do it { is_expected.not_to be_file } end - describe file("#{$confd_dir}.vhosts/test.conf") do + describe file("#{apache_hash['confd_dir']}.vhosts/test.conf") do it { is_expected.not_to be_file } end end 
@@ -190,7 +171,7 @@ class { 'apache': apply_manifest(pp, catch_failures: true) end - describe file($vhost) do + describe file(apache_hash['vhost']) do it { is_expected.to be_file } it { is_expected.to contain 'ServerAdmin test@example.com' } end @@ -204,7 +185,7 @@ class { 'apache': end end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'EnableSendfile On' } end @@ -216,7 +197,7 @@ class { 'apache': end end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'Sendfile Off' } end @@ -230,7 +211,7 @@ class { 'apache': end end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'Alias /error/' } end @@ -244,7 +225,7 @@ class { 'apache': end end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'Timeout 1234' } end @@ -261,7 +242,7 @@ class { 'apache': httpd_dir => '/tmp', service_ensure => stopped } end end - describe file("#{$mod_dir}/mime.conf") do + describe file("#{apache_hash['mod_dir']}/mime.conf") do it { is_expected.to be_file } it { is_expected.to contain 'AddLanguage eo .eo' } end @@ -271,7 +252,7 @@ class { 'apache': httpd_dir => '/tmp', service_ensure => stopped } # Actually >= 2.4.24, but the minor version is not provided # https://bugs.launchpad.net/ubuntu/+source/apache2/2.4.7-1ubuntu4.15 # basically versions of the ubuntu or sles apache package cause issue - if $apache_version >= '2.4' && host_inventory['facter']['os']['name'] !~ %r{Ubuntu|SLES} + if apache_hash['version'] >= '2.4' && os[:family] !~ %r{ubuntu|sles} describe 'setup' do it 'applies cleanly' do pp = "class { 'apache': http_protocol_options => 'Unsafe RegisteredMethods Require1.0'}" 
@@ -279,7 +260,7 @@ class { 'apache': httpd_dir => '/tmp', service_ensure => stopped } end end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'HttpProtocolOptions Unsafe RegisteredMethods Require1.0' } end @@ -294,7 +275,7 @@ class { 'apache': httpd_dir => '/tmp', service_ensure => stopped } end end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'ServerRoot "/tmp/root"' } end @@ -308,13 +289,13 @@ class { 'apache': httpd_dir => '/tmp', service_ensure => stopped } end end - if $apache_version == '2.4' - describe file($conf_file) do + if apache_hash['version'] == '2.4' + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'IncludeOptional "/tmp/root/*.conf"' } end else - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'Include "/tmp/root/*.conf"' } end @@ -325,13 +306,13 @@ class { 'apache': httpd_dir => '/tmp', service_ensure => stopped } describe 'setup' do it 'applies cleanly' do pp = "class { 'apache': conf_template => 'another/test.conf.erb', service_ensure => stopped }" - shell("mkdir -p #{default['distmoduledir']}/another/templates") - shell("echo 'testcontent' >> #{default['distmoduledir']}/another/templates/test.conf.erb") + run_shell('mkdir -p /etc/puppetlabs/code/environments/production/modules/another/templates') + run_shell("echo 'testcontent' >> /etc/puppetlabs/code/environments/production/modules/another/templates/test.conf.erb") apply_manifest(pp, catch_failures: true) end end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'testcontent' } end 
@@ -345,7 +326,7 @@ class { 'apache': httpd_dir => '/tmp', service_ensure => stopped } end end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'ServerName "test.server"' } end @@ -391,7 +372,7 @@ class { 'apache': end end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common' } it { is_expected.to contain 'LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined' } @@ -406,7 +387,7 @@ class { 'apache': end end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'KeepAlive Off' } it { is_expected.to contain 'KeepAliveTimeout 30' } @@ -422,7 +403,7 @@ class { 'apache': end end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'LimitRequestFieldSize 16830' } end @@ -436,7 +417,7 @@ class { 'apache': end end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'LimitRequestFields 120' } end @@ -472,7 +453,7 @@ class { 'apache': logroot => '/apache_spec' } end end - describe file("/apache_spec/#{$error_log}") do + describe file("/apache_spec/#{apache_hash['error_log']}") do it { is_expected.to be_file } end end @@ -506,7 +487,7 @@ class { 'apache': apply_manifest(pp, catch_failures: true) end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'ServerTokens Minor' } end 
@@ -523,7 +504,7 @@ class { 'apache': apply_manifest(pp, catch_failures: true) end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'ServerSignature testsig' } end @@ -537,7 +518,7 @@ class { 'apache': end end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'HostnameLookups On' } end @@ -549,7 +530,7 @@ class { 'apache': end end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'HostnameLookups Off' } end @@ -561,7 +542,7 @@ class { 'apache': end end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'HostnameLookups Double' } end @@ -577,7 +558,7 @@ class { 'apache': apply_manifest(pp, catch_failures: true) end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'TraceEnable Off' } end @@ -593,7 +574,7 @@ class { 'apache': apply_manifest(pp, catch_failures: true) end - describe file($conf_file) do + describe file(apache_hash['conf_file']) do it { is_expected.to be_file } it { is_expected.to contain 'FileETag None' } end @@ -609,7 +590,7 @@ class { 'apache': apply_manifest(pp, catch_failures: true) end - describe package($package_name) do + describe package(apache_hash['package_name']) do it { is_expected.to be_installed } end end diff --git a/spec/acceptance/apache_ssl_spec.rb b/spec/acceptance/apache_ssl_spec.rb index 63a44e7ea8..a02e4dd6ef 100644 --- a/spec/acceptance/apache_ssl_spec.rb +++ b/spec/acceptance/apache_ssl_spec.rb @@ -1,6 +1,5 @@ require 'spec_helper_acceptance' -require_relative './version.rb' - +apache_hash = apache_settings_hash describe 'apache ssl' do describe 'ssl parameters' do pp = <<-MANIFEST 
@@ -17,11 +16,19 @@ class { 'apache': } MANIFEST it 'runs without error' do - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: true) + idempotent_apply(pp) + end + + describe file("#{apache_hash['mod_ssl_dir']}/ssl.conf") do + it { is_expected.to be_file } + if os[:family] =~ %r{redhat} && os[:release].to_i == 8 + it { is_expected.to contain 'SSLProtocol all' } + else + it { is_expected.to contain 'SSLProtocol all -SSLv2 -SSLv3' } + end end - describe file("#{$vhost_dir}/15-default-ssl.conf") do + describe file("#{apache_hash['vhost_dir']}/15-default-ssl.conf") do it { is_expected.to be_file } it { is_expected.to contain 'SSLCertificateFile "/tmp/ssl_cert"' } it { is_expected.to contain 'SSLCertificateKeyFile "/tmp/ssl_key"' } @@ -29,7 +36,7 @@ class { 'apache': it { is_expected.not_to contain 'SSLCACertificateFile "/tmp/ssl_ca"' } it { is_expected.not_to contain 'SSLCARevocationPath "/tmp/ssl_crl_path"' } it { is_expected.not_to contain 'SSLCARevocationFile "/tmp/ssl_crl"' } - if $apache_version == '2.4' + if apache_hash['version'] == '2.4' it { is_expected.not_to contain 'SSLCARevocationCheck "chain"' } else it { is_expected.not_to contain 'SSLCARevocationCheck' } @@ -52,7 +59,7 @@ class { 'apache': ssl_ca => '/tmp/ssl_ca', ssl_crl_path => '/tmp/ssl_crl_path', ssl_crl => '/tmp/ssl_crl', - ssl_crl_check => 'chain', + ssl_crl_check => 'chain flag', ssl_certs_dir => '/tmp', ssl_protocol => 'test', ssl_cipher => 'test', @@ -65,11 +72,10 @@ class { 'apache': } MANIFEST it 'runs without error' do - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: true) + idempotent_apply(pp) end - describe file("#{$vhost_dir}/25-test_ssl.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test_ssl.conf") do it { is_expected.to be_file } it { is_expected.to contain 'SSLCertificateFile "/tmp/ssl_cert"' } it { is_expected.to contain 'SSLCertificateKeyFile "/tmp/ssl_key"' } 
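Review bot: The Red Hat 8 branch added at `@@ -17,11 +16,19 @@` asserts `contain 'SSLProtocol all'`, which is a prefix of the string checked in the `else` branch. It therefore passes whether or not the rendered ssl.conf carries the `-SSLv2 -SSLv3` exclusions. If the intent is that no exclusions are written on that platform, add the negative check `it { is_expected.not_to contain 'SSLProtocol all -SSLv2' }` next to it. A comment explaining why the expectation differs on Red Hat 8 (presumably protocol selection is left to the system policy there) would keep the looser value from being copied to other platforms.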
@@ -85,8 +91,8 @@ class { 'apache': it { is_expected.to contain 'SSLVerifyClient test' } it { is_expected.to contain 'SSLVerifyDepth test' } it { is_expected.to contain 'SSLOptions test test1' } - if $apache_version == '2.4' - it { is_expected.to contain 'SSLCARevocationCheck "chain"' } + if apache_hash['version'] == '2.4' + it { is_expected.to contain 'SSLCARevocationCheck chain flag' } else it { is_expected.not_to contain 'SSLCARevocationCheck' } end @@ -109,11 +115,10 @@ class { 'apache': } MANIFEST it 'runs without error' do - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: true) + idempotent_apply(pp) end - describe file("#{$vhost_dir}/25-test_ssl_ca_only.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test_ssl_ca_only.conf") do it { is_expected.to be_file } it { is_expected.to contain 'SSLCertificateFile "/tmp/ssl_cert"' } it { is_expected.to contain 'SSLCertificateKeyFile "/tmp/ssl_key"' } @@ -138,11 +143,10 @@ class { 'apache': } MANIFEST it 'runs without error' do - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: true) + idempotent_apply(pp) end - describe file("#{$vhost_dir}/25-test_ssl_certs_dir_only.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test_ssl_certs_dir_only.conf") do it { is_expected.to be_file } it { is_expected.to contain 'SSLCertificateFile "/tmp/ssl_cert"' } it { is_expected.to contain 'SSLCertificateKeyFile "/tmp/ssl_key"' } diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb index d86a8dfdf5..67248b8771 100644 --- a/spec/acceptance/class_spec.rb +++ b/spec/acceptance/class_spec.rb 
@@ -1,11 +1,12 @@ require 'spec_helper_acceptance' -require_relative './version.rb' - +apache_hash = apache_settings_hash describe 'apache class' do context 'default parameters' do let(:pp) { "class { 'apache': }" } - it_behaves_like 'a idempotent resource' + it 'behaves idempotently' do + idempotent_apply(pp) + end describe 'apache_version fact' do let(:result) do @@ -17,22 +18,16 @@ end it { - expect(result.output).to match(%r{apache_version = >#{$apache_version}.*<}) + expect(result.stdout).to match(%r{apache_version = >#{apache_hash['version']}.*<}) } end - describe package($package_name) do + describe package(apache_hash['package_name']) do it { is_expected.to be_installed } end - describe service($service_name) do - if host_inventory['facter']['os']['name'] == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif host_inventory['facter']['os']['name'] == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + describe service(apache_hash['service_name']), skip: 'FM-8483' do + it { is_expected.to be_enabled } it { is_expected.to be_running } end @@ -42,7 +37,6 @@ end context 'custom site/mod dir parameters' do - # Using puppet_apply as a helper let(:pp) do <<-MANIFEST if $::osfamily == 'RedHat' and "$::selinux" == "true" { 
@@ -76,17 +70,12 @@ class { 'apache': MANIFEST end - # Run it twice and test for idempotency - it_behaves_like 'a idempotent resource' + it 'behaves idempotently' do + idempotent_apply(pp) + end - describe service($service_name) do - if host_inventory['facter']['os']['name'] == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif host_inventory['facter']['os']['name'] == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + describe service(apache_hash['service_name']), skip: 'FM-8483' do + it { is_expected.to be_enabled } it { is_expected.to be_running } end end diff --git a/spec/acceptance/custom_config_spec.rb b/spec/acceptance/custom_config_spec.rb index 799fdc1646..52b58fe136 100644 --- a/spec/acceptance/custom_config_spec.rb +++ b/spec/acceptance/custom_config_spec.rb @@ -1,6 +1,5 @@ require 'spec_helper_acceptance' -require_relative './version.rb' - +apache_hash = apache_settings_hash describe 'apache::custom_config define' do context 'invalid config' do pp = <<-MANIFEST @@ -13,7 +12,7 @@ class { 'apache': } apply_manifest(pp, expect_failures: true) end - describe file("#{$confd_dir}/25-acceptance_test.conf") do + describe file("#{apache_hash['confd_dir']}/25-acceptance_test.conf") do it { expect(file).not_to exist } end end @@ -29,7 +28,7 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe file("#{$confd_dir}/25-acceptance_test.conf") do + describe file("#{apache_hash['confd_dir']}/25-acceptance_test.conf") do it { is_expected.to contain '# just a comment' } end end 
@@ -46,7 +45,7 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe file("#{$confd_dir}/custom_filename") do + describe file("#{apache_hash['confd_dir']}/custom_filename") do it { is_expected.to contain '# just another comment' } end end @@ -63,7 +62,7 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe file("#{$confd_dir}/prefix_test.conf") do + describe file("#{apache_hash['confd_dir']}/prefix_test.conf") do it { is_expected.to be_file } end end @@ -78,13 +77,13 @@ class { 'apache': } # Try to wedge the apache::custom_config call between when httpd.conf is written and # ports.conf is written. This should trigger a dependency cycle - File["#{$conf_file}"] -> Apache::Custom_config['ordering_test'] -> Concat["#{$ports_file}"] + File["#{apache_hash['conf_file']}"] -> Apache::Custom_config['ordering_test'] -> Concat["#{apache_hash['ports_file']}"] MANIFEST it 'applies in the right order' do expect(apply_manifest(pp, expect_failures: true).stderr).to match(%r{Found 1 dependency cycle}i) end - describe file("#{$confd_dir}/25-ordering_test.conf") do + describe file("#{apache_hash['confd_dir']}/25-ordering_test.conf") do it { is_expected.not_to be_file } end end diff --git a/spec/acceptance/default_mods_spec.rb b/spec/acceptance/default_mods_spec.rb index e14dca7fef..4093ec0b1a 100644 --- a/spec/acceptance/default_mods_spec.rb +++ b/spec/acceptance/default_mods_spec.rb @@ -1,6 +1,5 @@ require 'spec_helper_acceptance' -require_relative './version.rb' - +apache_hash = apache_settings_hash describe 'apache::default_mods class' do describe 'no default mods' do # Using puppet_apply as a helper 
@@ -12,14 +11,16 @@ class { 'apache': MANIFEST end - # Run it twice and test for idempotency - it_behaves_like 'a idempotent resource' - describe service($service_name) do + it 'behaves idempotently' do + idempotent_apply(pp) + end + + describe service(apache_hash['service_name']), skip: 'FM-8483' do it { is_expected.to be_running } end end - unless host_inventory['facter']['os']['name'] == 'SLES' && os[:release].to_i >= 12 + unless os[:family] == 'sles' && os[:release].to_i >= 12 describe 'no default mods and failing' do before :all do pp = <<-PP @@ -34,14 +35,14 @@ class { 'apache': default_mods => false, } apache::vhost { 'defaults.example.com': - docroot => '#{$doc_root}/defaults', + docroot => '#{apache_hash['doc_root']}/defaults', aliases => { alias => '/css', - path => '#{$doc_root}/css', + path => '#{apache_hash['doc_root']}/css', }, directories => [ { - 'path' => "#{$doc_root}/admin", + 'path' => "#{apache_hash['doc_root']}/admin", 'auth_basic_fake' => 'demo demopass', } ], @@ -53,7 +54,7 @@ class { 'apache': end end - describe service($service_name) do + describe service(apache_hash['service_name']), skip: 'FM-8483' do it { is_expected.not_to be_running } end end @@ -72,19 +73,21 @@ class { 'apache': ], } apache::vhost { 'defaults.example.com': - docroot => '#{$doc_root}/defaults', + docroot => '#{apache_hash['doc_root']}/defaults', aliases => { alias => '/css', - path => '#{$doc_root}/css', + path => '#{apache_hash['doc_root']}/css', }, setenv => 'TEST1 one', } MANIFEST end - it_behaves_like 'a idempotent resource' + it 'behaves idempotently' do + idempotent_apply(pp) + end - describe service($service_name) do + describe service(apache_hash['service_name']), skip: 'FM-8483' do it { is_expected.to be_running } end end 
@@ -99,13 +102,15 @@ class { 'apache': default_mods => false } MANIFEST end - # Run it twice and test for idempotency - it_behaves_like 'a idempotent resource' - describe service($service_name) do + it 'behaves idempotently' do + idempotent_apply(pp) + end + + describe service(apache_hash['service_name']), skip: 'FM-8483' do it { is_expected.to be_running } end - describe file("#{$mod_dir}/zz_auth_basic.load") do + describe file("#{apache_hash['mod_dir']}/zz_auth_basic.load") do it { is_expected.to be_file } end end diff --git a/spec/acceptance/init_task_spec.rb b/spec/acceptance/init_task_spec.rb index 4c074e1dc4..3405c62d4c 100644 --- a/spec/acceptance/init_task_spec.rb +++ b/spec/acceptance/init_task_spec.rb @@ -1,7 +1,6 @@ -# run a test task require 'spec_helper_acceptance' -describe 'apache tasks', if: puppet_version =~ %r{(5\.\d+\.\d+)} && host_inventory['facter']['os']['name'] != 'SLES' do +describe 'apache tasks' do describe 'reload' do pp = <<-MANIFEST class { 'apache': @@ -12,8 +11,8 @@ class { 'apache': it 'execute reload' do apply_manifest(pp, catch_failures: true) - result = run_task(task_name: 'apache', params: 'action=reload') - expect_multiple_regexes(result: result, regexes: [%r{reload successful}, %r{Job completed. 1/1 nodes succeeded|Ran on 1 node}]) + result = run_bolt_task('apache', 'action' => 'reload') + expect(result.stdout).to contain(%(reload successful)) end end end diff --git a/spec/acceptance/itk_spec.rb b/spec/acceptance/itk_spec.rb index 4376b00d0a..5e4c67e095 100644 --- a/spec/acceptance/itk_spec.rb +++ b/spec/acceptance/itk_spec.rb 
@@ -1,22 +1,21 @@ require 'spec_helper_acceptance' -case host_inventory['facter']['os']['family'] -when 'Debian' +case os[:family] +when 'debian', 'ubuntu' service_name = 'apache2' variant = :prefork -when 'RedHat' - unless host_inventory['facter']['os']['release']['major'] == '5' +when 'redhat' + unless os[:release] =~ %r{^5} variant = (os[:release].to_i >= 7) ? :prefork : :itk_only service_name = 'httpd' end -when 'FreeBSD' +when 'freebsd' service_name = 'apache24' variant = :prefork end describe 'apache::mod::itk class', if: service_name do describe 'running puppet code' do - # Using puppet_apply as a helper let(:pp) do case variant when :prefork @@ -35,18 +34,13 @@ class { 'apache': end end - # Run it twice and test for idempotency - it_behaves_like 'a idempotent resource' + it 'behaves idempotently' do + idempotent_apply(pp) + end end - describe service(service_name) do + describe service(service_name), skip: 'FM-8483' do it { is_expected.to be_running } - if host_inventory['facter']['os']['name'] == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif host_inventory['facter']['os']['name'] == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + it { is_expected.to be_enabled } end end diff --git a/spec/acceptance/mod_php_spec.rb b/spec/acceptance/mod_php_spec.rb index e05290b9a1..778c1be1f6 100644 --- a/spec/acceptance/mod_php_spec.rb +++ b/spec/acceptance/mod_php_spec.rb 
@@ -1,7 +1,6 @@ require 'spec_helper_acceptance' -require_relative './version.rb' - -unless host_inventory['facter']['os']['name'] == 'SLES' && os[:release].to_i >= 12 +apache_hash = apache_settings_hash +unless os[:family] == 'sles' && os[:release].to_i >= 12 describe 'apache::mod::php class' do context 'default php config' do pp = <<-MANIFEST @@ -11,10 +10,10 @@ class { 'apache': class { 'apache::mod::php': } apache::vhost { 'php.example.com': port => '80', - docroot => '#{$doc_root}/php', + docroot => '#{apache_hash['doc_root']}/php', } host { 'php.example.com': ip => '127.0.0.1', } - file { '#{$doc_root}/php/index.php': + file { '#{apache_hash['doc_root']}/php/index.php': ensure => file, content => "\\n", } 
@@ -23,17 +22,25 @@ class { 'apache::mod::php': } apply_manifest(pp, catch_failures: true) end - if (host_inventory['facter']['os']['name'] == 'Ubuntu' && host_inventory['facter']['os']['release']['full'] == '16.04') || - (host_inventory['facter']['os']['name'] == 'Debian' && os[:release].to_i == 9) - describe file("#{$mod_dir}/php7.0.conf") do + if (os[:family] == 'ubuntu' && os[:release] == '16.04') || + (os[:family] == 'debian' && os[:release] =~ %r{9}) + describe file("#{apache_hash['mod_dir']}/php7.0.conf") do + it { is_expected.to contain 'DirectoryIndex index.php' } + end + elsif os[:family] == 'debian' && os[:release] =~ %r{10} + describe file("#{apache_hash['mod_dir']}/php7.3.conf") do + it { is_expected.to contain 'DirectoryIndex index.php' } + end + elsif os[:family] == 'ubuntu' && os[:release] == '18.04' + describe file("#{apache_hash['mod_dir']}/php7.2.conf") do it { is_expected.to contain 'DirectoryIndex index.php' } end - elsif host_inventory['facter']['os']['name'] == 'Ubuntu' && host_inventory['facter']['os']['release']['full'] == '18.04' - describe file("#{$mod_dir}/php7.2.conf") do + elsif os[:family] == 'redhat' && os[:release] =~ %r{^8} + describe file("#{apache_hash['mod_dir']}/php7.conf") do it { is_expected.to contain 'DirectoryIndex index.php' } end else - describe file("#{$mod_dir}/php5.conf") do + describe file("#{apache_hash['mod_dir']}/php5.conf") do it { is_expected.to contain 'DirectoryIndex index.php' } end end 
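Review bot: The Debian checks `os[:release] =~ %r{9}` and `os[:release] =~ %r{10}` are unanchored, so the first branch matches any release string that merely contains a 9. A Debian 10 point release reported as `10.9`, for example, would be checked against `php7.0.conf` instead of `php7.3.conf`. The removed code compared `os[:release].to_i == 9`, and the RedHat branch in this same hunk already anchors with `%r{^8}`. Use `%r{^9}` and `%r{^10}`, or keep the `.to_i` comparison. The exact format of `os[:release]` is not visible here, and the surrounding context block starts outside the hunk.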
@@ -50,14 +57,14 @@ class { 'apache::mod::php': apache::vhost { 'php.example.com': port => '80', - docroot => '#{$doc_root}/php', + docroot => '#{apache_hash['doc_root']}/php', php_values => { 'include_path' => '.:/usr/share/pear:/usr/bin/php', }, php_flags => { 'display_errors' => 'on', }, php_admin_values => { 'open_basedir' => '/var/www/php/:/usr/share/pear/', }, php_admin_flags => { 'engine' => 'on', }, } host { 'php.example.com': ip => '127.0.0.1', } - file { '#{$doc_root}/php/index.php5': + file { '#{apache_hash['doc_root']}/php/index.php5': ensure => file, content => "\\n", } @@ -66,7 +73,7 @@ class { 'apache::mod::php': apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/25-php.example.com.conf") do + describe file("#{apache_hash['vhost_dir']}/25-php.example.com.conf") do it { is_expected.to contain ' php_flag display_errors on' } it { is_expected.to contain ' php_value include_path ".:/usr/share/pear:/usr/bin/php"' } it { is_expected.to contain ' php_admin_flag engine on' } diff --git a/spec/acceptance/nodesets/centos-7-x64.yml b/spec/acceptance/nodesets/centos-7-x64.yml deleted file mode 100644 index 5eebdefbfa..0000000000 --- a/spec/acceptance/nodesets/centos-7-x64.yml +++ /dev/null @@ -1,10 +0,0 @@ -HOSTS: - centos-7-x64: - roles: - - agent - - default - platform: el-7-x86_64 - hypervisor: vagrant - box: puppetlabs/centos-7.2-64-nocm -CONFIG: - type: foss diff --git a/spec/acceptance/nodesets/debian-8-x64.yml b/spec/acceptance/nodesets/debian-8-x64.yml deleted file mode 100644 index fef6e63ca5..0000000000 --- a/spec/acceptance/nodesets/debian-8-x64.yml +++ /dev/null @@ -1,10 +0,0 @@ -HOSTS: - debian-8-x64: - roles: - - agent - - default - platform: debian-8-amd64 - hypervisor: vagrant - box: puppetlabs/debian-8.2-64-nocm -CONFIG: - type: foss diff --git a/spec/acceptance/nodesets/default.yml b/spec/acceptance/nodesets/default.yml deleted file mode 100644 index dba339c46a..0000000000 
--- a/spec/acceptance/nodesets/default.yml +++ /dev/null @@ -1,10 +0,0 @@ -HOSTS: - ubuntu-1404-x64: - roles: - - agent - - default - platform: ubuntu-14.04-amd64 - hypervisor: vagrant - box: puppetlabs/ubuntu-14.04-64-nocm -CONFIG: - type: foss diff --git a/spec/acceptance/nodesets/docker/centos-7.yml b/spec/acceptance/nodesets/docker/centos-7.yml deleted file mode 100644 index a3333aac53..0000000000 --- a/spec/acceptance/nodesets/docker/centos-7.yml +++ /dev/null @@ -1,12 +0,0 @@ -HOSTS: - centos-7-x64: - platform: el-7-x86_64 - hypervisor: docker - image: centos:7 - docker_preserve_image: true - docker_cmd: '["/usr/sbin/init"]' - # install various tools required to get the image up to usable levels - docker_image_commands: - - 'yum install -y crontabs tar wget openssl sysvinit-tools iproute which initscripts' -CONFIG: - trace_limit: 200 diff --git a/spec/acceptance/nodesets/docker/debian-8.yml b/spec/acceptance/nodesets/docker/debian-8.yml deleted file mode 100644 index df5c31944f..0000000000 --- a/spec/acceptance/nodesets/docker/debian-8.yml +++ /dev/null @@ -1,11 +0,0 @@ -HOSTS: - debian-8-x64: - platform: debian-8-amd64 - hypervisor: docker - image: debian:8 - docker_preserve_image: true - docker_cmd: '["/sbin/init"]' - docker_image_commands: - - 'apt-get update && apt-get install -y net-tools wget locales strace lsof && echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen' -CONFIG: - trace_limit: 200 diff --git a/spec/acceptance/nodesets/docker/ubuntu-14.04.yml b/spec/acceptance/nodesets/docker/ubuntu-14.04.yml deleted file mode 100644 index b1efa58390..0000000000 --- a/spec/acceptance/nodesets/docker/ubuntu-14.04.yml +++ /dev/null 
@@ -1,12 +0,0 @@ -HOSTS: - ubuntu-1404-x64: - platform: ubuntu-14.04-amd64 - hypervisor: docker - image: ubuntu:14.04 - docker_preserve_image: true - docker_cmd: '["/sbin/init"]' - docker_image_commands: - # ensure that upstart is booting correctly in the container - - 'rm /usr/sbin/policy-rc.d && rm /sbin/initctl && dpkg-divert --rename --remove /sbin/initctl && apt-get update && apt-get install -y net-tools wget && locale-gen en_US.UTF-8' -CONFIG: - trace_limit: 200 diff --git a/spec/acceptance/nodesets/suse.yml b/spec/acceptance/nodesets/suse.yml deleted file mode 100644 index ac04926992..0000000000 --- a/spec/acceptance/nodesets/suse.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -HOSTS: - sles-11-x86_64-agent: - roles: - - agent - - default - platform: sles-11-x86_64 - template: sles-11-x86_64 - hypervisor: virtualbox - redhat-7-x86_64-master: - roles: - - master - - dashboard - - database - - agent - platform: el-7-x86_64 - template: redhat-7-x86_64 - hypervisor: virtualbox -CONFIG: - nfs_server: none - consoleport: 443 - datastore: instance0 - folder: Delivery/Quality Assurance/Enterprise/Dynamic - resourcepool: delivery/Quality Assurance/Enterprise/Dynamic - pooling_api: http://vcloud.delivery.puppetlabs.net/ diff --git a/spec/acceptance/prefork_worker_spec.rb b/spec/acceptance/prefork_worker_spec.rb index 6ff8651661..31d7e38e05 100644 --- a/spec/acceptance/prefork_worker_spec.rb +++ b/spec/acceptance/prefork_worker_spec.rb 
@@ -1,40 +1,29 @@ require 'spec_helper_acceptance' -require_relative './version.rb' - -describe 'prefork_worker_spec.rb' do - case host_inventory['facter']['os']['family'] - when 'FreeBSD' - describe 'apache::mod::event class' do - describe 'running puppet code' do - # Using puppet_apply as a helper - pp = <<-MANIFEEST +apache_hash = apache_settings_hash +describe 'prefork_worker_spec.rb', unless: (os[:family] =~ %r{sles}) do + describe 'apache::mod::event class' do + describe 'running puppet code' do + let(:pp) do + <<-MANIFEEST class { 'apache': mpm_module => 'event', } MANIFEEST - it 'works with no errors' do - # Run it twice and test for idempotency - apply_manifest(pp, catch_failures: true) - expect(apply_manifest(pp, catch_failures: true).exit_code).to be_zero - end end - describe service($service_name) do - it { is_expected.to be_running } - if host_inventory['facter']['os']['name'] == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif host_inventory['facter']['os']['name'] == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + it 'behaves idempotently' do + idempotent_apply(pp) end end + + describe service(apache_hash['service_name']), skip: 'FM-8483' do + it { is_expected.to be_running } + it { is_expected.to be_enabled } + end end describe 'apache::mod::worker class' do describe 'running puppet code' do - # Using puppet_apply as a helper let(:pp) do <<-MANIFEEST class { 'apache': 
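Review bot: Removing the `case host_inventory['facter']['os']['family']` / `when 'FreeBSD'` wrapper means the `apache::mod::event class` group now runs on every non-SLES target rather than on FreeBSD only. That is a behaviour change beyond the helper migration. If the widening is intended, say so in a comment above the group, e.g. `# event MPM is now exercised on all supported platforms except SLES`; if not, keep a FreeBSD guard on that group. The new guard `unless: (os[:family] =~ %r{sles})` is also a substring match, whereas mod_php_spec.rb in this diff uses the stricter `os[:family] == 'sles'`. The outer describe block continues past this hunk.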
@@ -43,19 +32,14 @@ class { 'apache': MANIFEEST end - # Run it twice and test for idempotency - it_behaves_like 'a idempotent resource' + it 'behaves idempotently' do + idempotent_apply(pp) + end end - describe service($service_name) do + describe service(apache_hash['service_name']), skip: 'FM-8483' do it { is_expected.to be_running } - if host_inventory['facter']['os']['name'] == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif host_inventory['facter']['os']['name'] == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + it { is_expected.to be_enabled } end end @@ -70,19 +54,14 @@ class { 'apache': MANIFEEST end - # Run it twice and test for idempotency - it_behaves_like 'a idempotent resource' + it 'behaves idempotently' do + idempotent_apply(pp) + end end - describe service($service_name) do + describe service(apache_hash['service_name']), skip: 'FM-8483' do it { is_expected.to be_running } - if host_inventory['facter']['os']['name'] == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif host_inventory['facter']['os']['name'] == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + it { is_expected.to be_enabled } end end end diff --git a/spec/acceptance/service_spec.rb b/spec/acceptance/service_spec.rb index ee6aa0b2a1..bcb204c520 100644 --- a/spec/acceptance/service_spec.rb +++ b/spec/acceptance/service_spec.rb 
@@ -12,7 +12,8 @@ class { 'apache': } MANIFEST end - # Run it twice and test for idempotency - it_behaves_like 'a idempotent resource' + it 'behaves idempotently' do + idempotent_apply(pp) + end end end diff --git a/spec/acceptance/version.rb b/spec/acceptance/version.rb deleted file mode 100644 index 6aefcec6e2..0000000000 --- a/spec/acceptance/version.rb +++ /dev/null 
@@ -1,93 +0,0 @@ -@osfamily = fact('osfamily') -@operatingsystem = fact('operatingsystem') -@operatingsystemrelease = fact('operatingsystemrelease').to_f - -case @osfamily -when 'RedHat' - $confd_dir = '/etc/httpd/conf.d' - $conf_file = '/etc/httpd/conf/httpd.conf' - $ports_file = '/etc/httpd/conf/ports.conf' - $vhost_dir = '/etc/httpd/conf.d' - $vhost = '/etc/httpd/conf.d/15-default.conf' - $run_dir = '/var/run/httpd' - $doc_root = '/var/www' - $service_name = 'httpd' - $package_name = 'httpd' - $error_log = 'error_log' - $suphp_handler = 'php5-script' - $suphp_configpath = 'undef' - - if (@operatingsystem == 'Fedora' && @operatingsystemrelease >= 18) || (@operatingsystem != 'Fedora' && @operatingsystemrelease >= 7) - $apache_version = '2.4' - $mod_dir = '/etc/httpd/conf.modules.d' - else - $apache_version = '2.2' - $mod_dir = '/etc/httpd/conf.d' - end -when 'Debian' - $confd_dir = '/etc/apache2/conf.d' - $mod_dir = '/etc/apache2/mods-available' - $conf_file = '/etc/apache2/apache2.conf' - $ports_file = '/etc/apache2/ports.conf' - $vhost = '/etc/apache2/sites-available/15-default.conf' - $vhost_dir = '/etc/apache2/sites-enabled' - $run_dir = '/var/run/apache2' - $doc_root = '/var/www' - $service_name = 'apache2' - $package_name = 'apache2' - $error_log = 'error.log' - $suphp_handler = 'x-httpd-php' - $suphp_configpath = '/etc/php5/apache2' - $apache_version = if @operatingsystem == 'Ubuntu' && @operatingsystemrelease >= 13.10 - '2.4' - elsif @operatingsystem == 'Debian' && @operatingsystemrelease >= 8.0 - '2.4' - else - '2.2' - end -when 'FreeBSD' - $confd_dir = '/usr/local/etc/apache24/Includes' - $mod_dir = '/usr/local/etc/apache24/Modules' - $conf_file = '/usr/local/etc/apache24/httpd.conf' - $ports_file = '/usr/local/etc/apache24/Includes/ports.conf' - $vhost = '/usr/local/etc/apache24/Vhosts/15-default.conf' - $vhost_dir = '/usr/local/etc/apache24/Vhosts' - $run_dir = '/var/run/apache24' - $doc_root = '/var/www' - $service_name = 'apache24' - $package_name = 
'apache24' - $error_log = 'http-error.log' - $apache_version = '2.2' -when 'Gentoo' - $confd_dir = '/etc/apache2/conf.d' - $mod_dir = '/etc/apache2/modules.d' - $conf_file = '/etc/apache2/httpd.conf' - $ports_file = '/etc/apache2/ports.conf' - $vhost = '/etc/apache2/vhosts.d/15-default.conf' - $vhost_dir = '/etc/apache2/vhosts.d' - $run_dir = '/var/run/apache2' - $doc_root = '/var/www' - $service_name = 'apache2' - $package_name = 'www-servers/apache' - $error_log = 'http-error.log' - $apache_version = '2.4' -when 'Suse' - $confd_dir = '/etc/apache2/conf.d' - $mod_dir = '/etc/apache2/mods-available' - $conf_file = '/etc/apache2/httpd.conf' - $ports_file = '/etc/apache2/ports.conf' - $vhost = '/etc/apache2/sites-available/15-default.conf' - $vhost_dir = '/etc/apache2/sites-available' - $run_dir = '/var/run/apache2' - $doc_root = '/srv/www' - $service_name = 'apache2' - $package_name = 'apache2' - $error_log = 'error.log' - $apache_version = if @operatingsystemrelease < 12 - '2.2' - else - '2.4' - end -else - $apache_version = '0' -end diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index 434c59df43..d1b9db21c0 100644 --- a/spec/acceptance/vhost_spec.rb +++ b/spec/acceptance/vhost_spec.rb @@ -1,6 +1,5 @@ require 'spec_helper_acceptance' -require_relative './version.rb' - +apache_hash = apache_settings_hash describe 'apache::vhost define' do context 'no default vhosts' do pp = <<-MANIFEST @@ -24,11 +23,11 @@ class { 'apache': apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/15-default.conf") do + describe file("#{apache_hash['vhost_dir']}/15-default.conf") do it { is_expected.not_to be_file } end - describe file("#{$vhost_dir}/15-default-ssl.conf") do + describe file("#{apache_hash['vhost_dir']}/15-default-ssl.conf") do it { is_expected.not_to be_file } end end 
@@ -41,36 +40,36 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/15-default.conf") do + describe file("#{apache_hash['vhost_dir']}/15-default.conf") do it { is_expected.to contain '' } end - describe file("#{$vhost_dir}/15-default-ssl.conf") do + describe file("#{apache_hash['vhost_dir']}/15-default-ssl.conf") do it { is_expected.not_to be_file } end end - context 'default vhost with ssl' do + context 'default vhost with ssl', unless: (os[:family] =~ %r{redhat} && os[:release].to_i == 8) do pp = <<-MANIFEST - file { '#{$run_dir}': + file { '#{apache_hash['run_dir']}': ensure => 'directory', recurse => true, } class { 'apache': default_ssl_vhost => true, - require => File['#{$run_dir}'], + require => File['#{apache_hash['run_dir']}'], } MANIFEST it 'creates default vhost configs' do apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/15-default.conf") do + describe file("#{apache_hash['vhost_dir']}/15-default.conf") do it { is_expected.to contain '' } end - describe file("#{$vhost_dir}/15-default-ssl.conf") do + describe file("#{apache_hash['vhost_dir']}/15-default-ssl.conf") do it { is_expected.to contain '' } it { is_expected.to contain 'SSLEngine on' } end @@ -94,7 +93,7 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/25-first.example.com.conf") do + describe file("#{apache_hash['vhost_dir']}/25-first.example.com.conf") do it { is_expected.to contain '' } it { is_expected.to contain 'ServerName first.example.com' } end @@ -117,7 +116,7 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/25-proxy.example.com.conf") do + describe file("#{apache_hash['vhost_dir']}/25-proxy.example.com.conf") do it { is_expected.to contain '' } it { is_expected.to contain 'ServerName proxy.example.com' } it { is_expected.to contain 'ProxyPass' } 
@@ -133,7 +132,7 @@ class { 'apache': } class { 'apache': } apache::vhost { 'proxy.example.com': port => '80', - docroot => '#{$docroot}/proxy', + docroot => '#{apache_hash['doc_root']}/proxy', proxy_pass_match => [ { 'path' => '/foo', 'url' => 'http://backend-foo/'}, ], @@ -145,7 +144,7 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/25-proxy.example.com.conf") do + describe file("#{apache_hash['vhost_dir']}/25-proxy.example.com.conf") do it { is_expected.to contain '' } it { is_expected.to contain 'ServerName proxy.example.com' } it { is_expected.to contain 'ProxyPassMatch /foo http://backend-foo/' } 
@@ -156,173 +155,6 @@ class { 'apache': } end end - context 'new vhost on port 80' do - pp = <<-MANIFEST - class { 'apache': } - apache::vhost { 'first.example.com': - port => '80', - docroot => '/var/www/first', - } - host { 'first.example.com': ip => '127.0.0.1', } - file { '/var/www/first/index.html': - ensure => file, - content => "Hello from first\\n", - } - apache::vhost { 'second.example.com': - port => '80', - docroot => '/var/www/second', - } - host { 'second.example.com': ip => '127.0.0.1', } - file { '/var/www/second/index.html': - ensure => file, - content => "Hello from second\\n", - } - MANIFEST - it 'configures two apache vhosts' do - apply_manifest(pp, catch_failures: true) - end - - describe service($service_name) do - if fact('operatingsystem') == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif fact('operatingsystem') == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end - it { is_expected.to be_running } - end - - it 'answers to first.example.com' do - shell('/usr/bin/curl first.example.com:80', acceptable_exit_codes: 0) do |r| - expect(r.stdout).to eq("Hello from first\n") - end - end - - it 'answers to second.example.com' do - shell('/usr/bin/curl second.example.com:80', acceptable_exit_codes: 0) do |r| - expect(r.stdout).to eq("Hello from second\n") - end - end - end - - context 'new vhost with multiple IP addresses on port 80' do - pp = <<-MANIFEST - class { 'apache': - default_vhost => false, - } - apache::vhost { 'example.com': - port => '80', - ip => ['127.0.0.1','127.0.0.2'], - ip_based => true, - docroot => '/var/www/html', - } - host { 'host1.example.com': ip => '127.0.0.1', } - host { 'host2.example.com': ip => '127.0.0.2', } - file { '/var/www/html/index.html': - ensure => 
file, - content => "Hello from vhost\\n", - } - MANIFEST - it 'configures one apache vhost with 2 ip addresses' do - apply_manifest(pp, catch_failures: true) - end - - describe service($service_name) do - if fact('operatingsystem') == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif fact('operatingsystem') == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end - it { is_expected.to be_running } - end - - describe file("#{$vhost_dir}/25-example.com.conf") do - it { is_expected.to contain '' } - it { is_expected.to contain 'ServerName example.com' } - end - - describe file($ports_file) do - it { is_expected.to be_file } - it { is_expected.to contain 'Listen 127.0.0.1:80' } - it { is_expected.to contain 'Listen 127.0.0.2:80' } - it { is_expected.not_to contain 'NameVirtualHost 127.0.0.1:80' } - it { is_expected.not_to contain 'NameVirtualHost 127.0.0.2:80' } - end - - it 'answers to host1.example.com' do - shell('/usr/bin/curl host1.example.com:80', acceptable_exit_codes: 0) do |r| - expect(r.stdout).to eq("Hello from vhost\n") - end - end - - it 'answers to host2.example.com' do - shell('/usr/bin/curl host2.example.com:80', acceptable_exit_codes: 0) do |r| - expect(r.stdout).to eq("Hello from vhost\n") - end - end - end - - context 'new vhost with multiple ports on 1 IP address' do - pp = <<-MANIFEST - class { 'apache': - default_vhost => false, - } - apache::vhost { 'example.com': - port => ['80','8080'], - ip => '127.0.0.1', - ip_based => true, - docroot => '/var/www/html', - } - host { 'host1.example.com': ip => '127.0.0.1', } - file { '/var/www/html/index.html': - ensure => file, - content => "Hello from vhost\\n", - } - MANIFEST - it 'configures one apache vhost with 2 ports' do - apply_manifest(pp, 
catch_failures: true) - end - - describe service($service_name) do - if fact('operatingsystem') == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif fact('operatingsystem') == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end - it { is_expected.to be_running } - end - - describe file("#{$vhost_dir}/25-example.com.conf") do - it { is_expected.to contain '' } - it { is_expected.to contain 'ServerName example.com' } - end - - describe file($ports_file) do - it { is_expected.to be_file } - it { is_expected.to contain 'Listen 127.0.0.1:80' } - it { is_expected.to contain 'Listen 127.0.0.1:8080' } - it { is_expected.not_to contain 'NameVirtualHost 127.0.0.1:80' } - it { is_expected.not_to contain 'NameVirtualHost 127.0.0.1:8080' } - end - - it 'answers to host1.example.com port 80' do - shell('/usr/bin/curl host1.example.com:80', acceptable_exit_codes: 0) do |r| - expect(r.stdout).to eq("Hello from vhost\n") - end - end - - it 'answers to host1.example.com port 8080' do - shell('/usr/bin/curl host1.example.com:8080', acceptable_exit_codes: 0) do |r| - expect(r.stdout).to eq("Hello from vhost\n") - end - end - end - context 'new vhost with multiple IP addresses on multiple ports' do pp = <<-MANIFEST class { 'apache': 
@@ -345,23 +177,17 @@ class { 'apache': apply_manifest(pp, catch_failures: true) end - describe service($service_name) do - if fact('operatingsystem') == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif fact('operatingsystem') == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + describe service(apache_hash['service_name']), skip: 'FM-8483' do + it { is_expected.to be_enabled } it { is_expected.to be_running } end - describe file("#{$vhost_dir}/25-example.com.conf") do + describe file("#{apache_hash['vhost_dir']}/25-example.com.conf") do it { is_expected.to contain '' } it { is_expected.to contain 'ServerName example.com' } end - describe file($ports_file) do + describe file(apache_hash['ports_file']) do it { is_expected.to be_file } it { is_expected.to contain 'Listen 127.0.0.1:80' } it { is_expected.to contain 'Listen 127.0.0.1:8080' } 
@@ -374,25 +200,25 @@ class { 'apache': end it 'answers to host1.example.com port 80' do - shell('/usr/bin/curl host1.example.com:80', acceptable_exit_codes: 0) do |r| + run_shell('/usr/bin/curl host1.example.com:80', acceptable_exit_codes: 0) do |r| expect(r.stdout).to eq("Hello from vhost\n") end end it 'answers to host1.example.com port 8080' do - shell('/usr/bin/curl host1.example.com:8080', acceptable_exit_codes: 0) do |r| + run_shell('/usr/bin/curl host1.example.com:8080', acceptable_exit_codes: 0) do |r| expect(r.stdout).to eq("Hello from vhost\n") end end it 'answers to host2.example.com port 80' do - shell('/usr/bin/curl host2.example.com:80', acceptable_exit_codes: 0) do |r| + run_shell('/usr/bin/curl host2.example.com:80', acceptable_exit_codes: 0) do |r| expect(r.stdout).to eq("Hello from vhost\n") end end it 'answers to host2.example.com port 8080' do - shell('/usr/bin/curl host2.example.com:8080', acceptable_exit_codes: 0) do |r| + run_shell('/usr/bin/curl host2.example.com:8080', acceptable_exit_codes: 0) do |r| expect(r.stdout).to eq("Hello from vhost\n") end end 
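Review bot: The four `run_shell('/usr/bin/curl ...', acceptable_exit_codes: 0)` calls keep an option carried over from the old `shell` helper, and nothing visible here shows that `run_shell` acts on it. Elsewhere in this file the commit replaces `acceptable_exit_codes: 22` with `expect_failures: true` plus an explicit `expect(result.exit_code).to eq 22`. For consistency, drop the option and assert the status inside the block, e.g. `expect(r.exit_code).to eq 0`. The same leftover appears in the `ipv6.example.com` example of the next hunk. The enclosing context starts outside this hunk.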
@@ -419,85 +245,78 @@ class { 'apache': apply_manifest(pp, catch_failures: true) end - describe service($service_name) do - if fact('operatingsystem') == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif fact('operatingsystem') == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + describe service(apache_hash['service_name']), skip: 'FM-8483' do + it { is_expected.to be_enabled } it { is_expected.to be_running } end - describe file("#{$vhost_dir}/25-example.com.conf") do + describe file("#{apache_hash['vhost_dir']}/25-example.com.conf") do it { is_expected.to contain '' } it { is_expected.to contain 'ServerName example.com' } end - describe file($ports_file) do + describe file(apache_hash['ports_file']) do it { is_expected.to be_file } it { is_expected.to contain 'Listen [::1]:80' } it { is_expected.not_to contain 'NameVirtualHost [::1]:80' } end it 'answers to ipv6.example.com' do - shell('/usr/bin/curl ipv6.example.com:80', acceptable_exit_codes: 0) do |r| + run_shell('/usr/bin/curl ipv6.example.com:80', acceptable_exit_codes: 0) do |r| expect(r.stdout).to eq("Hello from vhost\n") end end end context 'apache_directories' do - describe 'readme example, adapted' do - pp = <<-MANIFEST - class { 'apache': } + let(:pp) do + <<-MANIFEST + class { 'apache': } - if versioncmp($apache_version, '2.4') >= 0 { - $_files_match_directory = { 'path' => '(\.swp|\.bak|~)$', 'provider' => 'filesmatch', 'require' => 'all denied', } - } else { - $_files_match_directory = { 'path' => '(\.swp|\.bak|~)$', 'provider' => 'filesmatch', 'deny' => 'from all', } - } + if versioncmp('#{apache_hash['version']}', '2.4') >= 0 { + $_files_match_directory = { 'path' => '(\.swp|\.bak|~)$', 'provider' => 'filesmatch', 'require' => 'all 
denied', } + } else { + $_files_match_directory = { 'path' => '(\.swp|\.bak|~)$', 'provider' => 'filesmatch', 'deny' => 'from all', } + } - $_directories = [ - { 'path' => '/var/www/files', }, - $_files_match_directory, - ] + $_directories = [ + { 'path' => '/var/www/files', }, + $_files_match_directory, + ] - apache::vhost { 'files.example.net': - docroot => '/var/www/files', - directories => $_directories, - } - file { '/var/www/files/index.html': - ensure => file, - content => "Hello World\\n", - } - file { '/var/www/files/index.html.bak': - ensure => file, - content => "Hello World\\n", - } - host { 'files.example.net': ip => '127.0.0.1', } - MANIFEST + apache::vhost { 'files.example.net': + docroot => '/var/www/files', + directories => $_directories, + } + file { '/var/www/files/index.html': + ensure => file, + content => "Hello World\\n", + } + file { '/var/www/files/index.html.bak': + ensure => file, + content => "Hello World\\n", + } + host { 'files.example.net': ip => '127.0.0.1', } + MANIFEST + end + + describe 'readme example, adapted' do it 'configures a vhost with Files' do apply_manifest(pp, catch_failures: true) end - describe service($service_name) do - if fact('operatingsystem') == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif fact('operatingsystem') == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + describe service(apache_hash['service_name']), skip: 'FM-8483' do + it { is_expected.to be_enabled } it { is_expected.to be_running } end it 'answers to files.example.net #stdout' do - expect(shell('/usr/bin/curl -sSf files.example.net:80/index.html').stdout).to eq("Hello World\n") + expect(run_shell('/usr/bin/curl -sSf files.example.net:80/index.html').stdout).to eq("Hello World\n") end 
it 'answers to files.example.net #stderr' do - expect(shell('/usr/bin/curl -sSf files.example.net:80/index.html.bak', acceptable_exit_codes: 22).stderr).to match(%r{curl: \(22\) The requested URL returned error: 403}) + result = run_shell('/usr/bin/curl -sSf files.example.net:80/index.html.bak', expect_failures: true) + expect(result.stderr).to match(%r{curl: \(22\) The requested URL returned error: 403}) + expect(result.exit_code).to eq 22 end end 
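Review bot: In the `apache_directories` manifest the FilesMatch path `'(\.swp|\.bak|~)$'` sits inside an interpolating `<<-MANIFEST` heredoc, where Ruby consumes the backslashes, so Puppet presumably receives `(.swp|.bak|~)$` with an unescaped dot. The same manifest already doubles the backslash in `content => "Hello World\\n"` for that reason. The access rule therefore matches more file names than written, and the `index.html.bak` 403 test passes either way. Write `'path' => '(\\.swp|\\.bak|~)$'` in both branches of the `versioncmp` conditional.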
@@ -548,28 +367,24 @@ class { 'apache': } apply_manifest(pp_one, catch_failures: true) end - describe service($service_name) do - if fact('operatingsystem') == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif fact('operatingsystem') == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + describe service(apache_hash['service_name']), skip: 'FM-8483' do + it { is_expected.to be_enabled } it { is_expected.to be_running } end it 'answers to files.example.net #stdout' do - expect(shell('/usr/bin/curl -sSf files.example.net:80/').stdout).to eq("Hello World\n") + expect(run_shell('/usr/bin/curl -sSf files.example.net:80/').stdout).to eq("Hello World\n") end it 'answers to files.example.net #stdout foo' do - expect(shell('/usr/bin/curl -sSf files.example.net:80/foo/').stdout).to eq("Hello Foo\n") + expect(run_shell('/usr/bin/curl -sSf files.example.net:80/foo/').stdout).to eq("Hello Foo\n") end it 'answers to files.example.net #stderr' do - expect(shell('/usr/bin/curl -sSf files.example.net:80/private.html', acceptable_exit_codes: 22).stderr).to match(%r{curl: \(22\) The requested URL returned error: 403}) + result = run_shell('/usr/bin/curl -sSf files.example.net:80/private.html', expect_failures: true) + expect(result.stderr).to match(%r{curl: \(22\) The requested URL returned error: 403}) + expect(result.exit_code).to eq 22 end it 'answers to files.example.net #stdout bar' do - expect(shell('/usr/bin/curl -sSf files.example.net:80/bar/bar.html').stdout).to eq("Hello Bar\n") + expect(run_shell('/usr/bin/curl -sSf files.example.net:80/bar/bar.html').stdout).to eq("Hello Bar\n") end end 
@@ -594,26 +409,20 @@ class { 'apache': } apply_manifest(pp_two, catch_failures: true) end - describe service($service_name) do - if fact('operatingsystem') == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif fact('operatingsystem') == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + describe service(apache_hash['service_name']), skip: 'FM-8483' do + it { is_expected.to be_enabled } it { is_expected.to be_running } end it 'answers to files.example.net #stdout' do - expect(shell('/usr/bin/curl -sSf files.example.net:80/index.html').stdout).to eq("Hello World\n") + expect(run_shell('/usr/bin/curl -sSf files.example.net:80/index.html').stdout).to eq("Hello World\n") end it 'answers to files.example.net #stdout regex' do - expect(shell('/usr/bin/curl -sSf files.example.net:80/server-status?auto').stdout).to match(%r{Scoreboard: }) + expect(run_shell('/usr/bin/curl -sSf files.example.net:80/server-status?auto').stdout).to match(%r{Scoreboard: }) end end - describe 'Satisfy and Auth directive', unless: $apache_version == '2.4' do + describe 'Satisfy and Auth directive', unless: apache_hash['version'] == '2.4' do pp_two = <<-MANIFEST class { 'apache': } host { 'files.example.net': ip => '127.0.0.1', } 
@@ -676,63 +485,21 @@ class { 'apache': } apply_manifest(pp_two, catch_failures: true) end - describe service($service_name) do - if fact('operatingsystem') == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif fact('operatingsystem') == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + describe service(apache_hash['service_name']), skip: 'FM-8483' do + it { is_expected.to be_enabled } it { is_expected.to be_running } it 'answers to files.example.net' do - shell('/usr/bin/curl -sSf files.example.net:80/foo/index.html', acceptable_exit_codes: 22).stderr.should match(%r{curl: \(22\) The requested URL returned error: 401}) - shell('/usr/bin/curl -sSf -u login:password files.example.net:80/foo/index.html').stdout.should eq("Hello World\n") - shell('/usr/bin/curl -sSf files.example.net:80/bar/index.html').stdout.should eq("Hello World\n") - shell('/usr/bin/curl -sSf -u login:password files.example.net:80/bar/index.html').stdout.should eq("Hello World\n") - shell('/usr/bin/curl -sSf files.example.net:80/baz/index.html', acceptable_exit_codes: 22).stderr.should match(%r{curl: \(22\) The requested URL returned error: 401}) - shell('/usr/bin/curl -sSf -u login:password files.example.net:80/baz/index.html').stdout.should eq("Hello World\n") - end - end - end - end - - unless host_inventory['facter']['os']['distro'].nil? 
- case host_inventory['facter']['os']['distro']['codename'] - when 'precise', 'wheezy' - context 'vhost FallbackResource example' do - pp = <<-MANIFEST - class { 'apache': } - apache::vhost { 'fallback.example.net': - docroot => '/var/www/fallback', - fallbackresource => '/index.html' - } - file { '/var/www/fallback/index.html': - ensure => file, - content => "Hello World\\n", - } - host { 'fallback.example.net': ip => '127.0.0.1', } - MANIFEST - it 'configures a vhost with FallbackResource' do - apply_manifest(pp, catch_failures: true) - end - - describe service($service_name) do - if host_inventory['facter']['os']['name'] == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif host_inventory['facter']['os']['name'] == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end - it { is_expected.to be_running } - end - - it 'answers to fallback.example.net' do - shell('/usr/bin/curl fallback.example.net:80/Does/Not/Exist') do |r| - expect(r.stdout).to eq("Hello World\n") - end + result = run_shell('/usr/bin/curl -sSf files.example.net:80/foo/index.html', expect_failures: true) + expect(result.stderr).to match(%r{curl: \(22\) The requested URL returned error: 401}) + expect(result.exit_code).to eq 22 + expect(run_shell('/usr/bin/curl -sSf -u login:password files.example.net:80/foo/index.html').stdout).to eq("Hello World\n") + expect(run_shell('/usr/bin/curl -sSf files.example.net:80/bar/index.html').stdout).to eq("Hello World\n") + expect(run_shell('/usr/bin/curl -sSf -u login:password files.example.net:80/bar/index.html').stdout).to eq("Hello World\n") + result = run_shell('/usr/bin/curl -sSf files.example.net:80/baz/index.html', expect_failures: true) + expect(result.stderr).to match(%r{curl: \(22\) The requested URL 
returned error: 401}) + expect(result.exit_code).to eq 22 + expect(run_shell('/usr/bin/curl -sSf -u login:password files.example.net:80/baz/index.html').stdout).to eq("Hello World\n") end end end @@ -759,25 +526,19 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe service($service_name) do - if host_inventory['facter']['os']['name'] == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif host_inventory['facter']['os']['name'] == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + describe service(apache_hash['service_name']), skip: 'FM-8483' do + it { is_expected.to be_enabled } it { is_expected.to be_running } end it 'answers to a.virt.example.com' do - shell('/usr/bin/curl a.virt.example.com:80', acceptable_exit_codes: 0) do |r| + run_shell('/usr/bin/curl a.virt.example.com:80', acceptable_exit_codes: 0) do |r| expect(r.stdout).to eq("Hello from a.virt\n") end end it 'answers to b.virt.example.com' do - shell('/usr/bin/curl b.virt.example.com:80', acceptable_exit_codes: 0) do |r| + run_shell('/usr/bin/curl b.virt.example.com:80', acceptable_exit_codes: 0) do |r| expect(r.stdout).to eq("Hello from b.virt\n") end end 
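Review bot: The `it 'answers to files.example.net'` example appears to sit inside the `describe service(...), skip: 'FM-8483'` group (there is no `end` between `be_running` and it), so the skip also turns off the curl assertions that an unauthenticated request to `/foo/` and `/baz/` returns 401 and that `-u login:password` is accepted. Those are the access-control checks for the 'Satisfy and Auth directive' case and should not depend on a service-enabled ticket. I would close the service group right after `it { is_expected.to be_running }` and leave the curl example directly under the outer describe. That outer describe opens outside this hunk.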
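Review bot: `run_shell('/usr/bin/curl a.virt.example.com:80', acceptable_exit_codes: 0) do |r|` keeps the Beaker-style option and block form that the rest of this commit replaces with `expect_failures: true` and an explicit `expect(result.exit_code)`. It is worth confirming that `run_shell` honours `acceptable_exit_codes` and yields to the block, because if it does neither these examples assert nothing. Independently, both calls here (and the `proxy.example.com` calls in the -811 and -862 hunks) run curl without `-f`, so an HTTP error response still exits 0. I would write them like the converted examples: `expect(run_shell('/usr/bin/curl -sSf a.virt.example.com:80').stdout).to eq("Hello from a.virt\n")`.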
@@ -811,24 +572,18 @@ class { 'apache': default_vhost => false, } ), catch_failures: true) end - describe service($service_name) do - if host_inventory['facter']['os']['name'] == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif host_inventory['facter']['os']['name'] == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + describe service(apache_hash['service_name']), skip: 'FM-8483' do + it { is_expected.to be_enabled } it { is_expected.to be_running } end it 'gets a response from the back end #stdout' do - shell('/usr/bin/curl --max-redirs 0 proxy.example.com:80') do |r| + run_shell('/usr/bin/curl --max-redirs 0 proxy.example.com:80') do |r| expect(r.stdout).to eq("Hello from localhost\n") end end it 'gets a response from the back end #exit_code' do - shell('/usr/bin/curl --max-redirs 0 proxy.example.com:80') do |r| + run_shell('/usr/bin/curl --max-redirs 0 proxy.example.com:80') do |r| expect(r.exit_code).to eq(0) end end 
@@ -862,24 +617,18 @@ class { 'apache': default_vhost => false, } ), catch_failures: true) end - describe service($service_name) do - if host_inventory['facter']['os']['name'] == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' - pending 'Should be enabled - Bug 760616 on Debian 8' - elsif host_inventory['facter']['os']['name'] == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pending 'Should be enabled - MODULES-8379 `be_enabled` check does not currently work for apache2 on SLES 15' - else - it { is_expected.to be_enabled } - end + describe service(apache_hash['service_name']), skip: 'FM-8483' do + it { is_expected.to be_enabled } it { is_expected.to be_running } end it 'gets a response from the back end #stdout' do - shell('/usr/bin/curl --max-redirs 0 proxy.example.com:80') do |r| + run_shell('/usr/bin/curl --max-redirs 0 proxy.example.com:80') do |r| expect(r.stdout).to eq("Hello from localhost\n") end end it 'gets a response from the back end #exit_code' do - shell('/usr/bin/curl --max-redirs 0 proxy.example.com:80') do |r| + run_shell('/usr/bin/curl --max-redirs 0 proxy.example.com:80') do |r| expect(r.exit_code).to eq(0) end end @@ -899,11 +648,11 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe file($ports_file) do + describe file(apache_hash['ports_file']) do it { is_expected.to be_file } it { is_expected.not_to contain 'NameVirtualHost test.server' } end - describe file("#{$vhost_dir}/25-test.server.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do it { is_expected.to be_file } it { is_expected.to contain 'ServerName test.server' } end 
@@ -923,11 +672,11 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe file($ports_file) do + describe file(apache_hash['ports_file']) do it { is_expected.to be_file } it { is_expected.not_to contain 'NameVirtualHost test.server' } end - describe file("#{$vhost_dir}/25-test.server.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do it { is_expected.to be_file } it { is_expected.not_to contain 'ServerName' } end @@ -949,7 +698,7 @@ class { 'apache': default_vhost => false } apply_manifest(pp, catch_failures: true) end - describe file($ports_file) do + describe file(apache_hash['ports_file']) do it { is_expected.to be_file } it { is_expected.not_to contain 'Listen 80' } it { is_expected.to contain 'Listen 81' } 
@@ -994,77 +743,209 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe file($ports_file) do + describe file(apache_hash['ports_file']) do it { is_expected.to be_file } - if fact('osfamily') == 'RedHat' && host_inventory['facter']['os']['release']['major'] == '7' || - fact('osfamily') == 'Debian' || - host_inventory['facter']['os']['name'] == 'SLES' && fact('operatingsystemrelease') >= '12' - it { is_expected.not_to contain 'NameVirtualHost test.server' } - else - it { is_expected.to contain 'NameVirtualHost test.server' } - end end - describe file("#{$vhost_dir}/10-test.server.conf") do + describe file("#{apache_hash['vhost_dir']}/10-test.server.conf") do it { is_expected.to be_file } end end - describe 'options' do + describe 'parameter tests', unless: (os[:family] =~ %r{redhat} && os[:release].to_i == 8) do pp = <<-MANIFEST class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - options => ['Indexes','FollowSymLinks', 'ExecCGI'], + host { 'test.itk': ip => '127.0.0.1' } + apache::vhost { 'test.itk': + docroot => '/tmp', + itk => { user => 'nobody', group => 'nobody' } } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'Options Indexes FollowSymLinks ExecCGI' } - end - end - - describe 'override' do - pp = <<-MANIFEST - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': + host { 'test.custom_fragment': ip => '127.0.0.1' } + apache::vhost { 'test.custom_fragment': + docroot => '/tmp', + custom_fragment => inline_template('#weird test string'), + } + apache::vhost { 'test.without_priority_prefix': + priority => false, + docroot => '/tmp' + } + apache::vhost { 'test.ssl_protool': + docroot => '/tmp', + ssl => true, + ssl_protocol => ['All', '-SSLv2'], + } + apache::vhost { 
'test.block': + docroot => '/tmp', + block => 'scm', + } + apache::vhost { 'test.setenv_setenvif': + docroot => '/tmp', + setenv => ['TEST /test'], + setenvif => ['Request_URI "\.gif$" object_is_image=gif'] + } + apache::vhost { 'test.rewrite': + docroot => '/tmp', + rewrites => [ + { comment => 'test', + rewrite_cond => '%{HTTP_USER_AGENT} ^Lynx/ [OR]', + rewrite_rule => ['^index\.html$ welcome.html'], + rewrite_map => ['lc int:tolower'], + } + ], + } + apache::vhost { 'test.request_headers': + docroot => '/tmp', + request_headers => ['append MirrorID "mirror 12"'], + } + apache::vhost { 'test.redirect': + docroot => '/tmp', + redirect_source => ['/images'], + redirect_dest => ['http://test.server/'], + redirect_status => ['permanent'], + } + apache::vhost { 'test.no_proxy_uris': + docroot => '/tmp', + proxy_dest => 'http://test2', + no_proxy_uris => [ 'http://test2/test' ], + } + apache::vhost { 'test.proxy': docroot => '/tmp', - override => ['All'], + proxy_dest => 'http://testproxy', } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'AllowOverride All' } - end - end - - describe 'logroot' do - pp = <<-MANIFEST - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': + apache::vhost { 'test.scriptaliases': docroot => '/tmp', - logroot => '/tmp', + scriptaliases => [{ alias => '/myscript', path => '/usr/share/myscript', }], } - MANIFEST - it 'applies cleanly' do + apache::vhost { 'test.aliases': + docroot => '/tmp', + aliases => [ + { alias => '/image' , path => '/ftp/pub/image' } , + { scriptalias => '/myscript' , path => '/usr/share/myscript' } + ], + } + apache::vhost { 'test.access_logs': + docroot => '/tmp', + logroot => '/tmp', + access_logs => [ + {'file' => 'log1'}, + {'file' => 'log2', 'env' => 'admin' }, + {'file' => '/var/tmp/log3', 'format' => '%h %l'}, + 
{'syslog' => 'syslog' } + ] + } + apache::vhost { 'test.access_log_env_var': + docroot => '/tmp', + logroot => '/tmp', + access_log_syslog => 'syslog', + access_log_env_var => 'admin', + } + apache::vhost { 'test.access_log_format': + docroot => '/tmp', + logroot => '/tmp', + access_log_syslog => 'syslog', + access_log_format => '%h %l', + } + apache::vhost { 'test.logroot': + docroot => '/tmp', + logroot => '/tmp', + } + apache::vhost { 'test.override': + docroot => '/tmp', + override => ['All'], + } + apache::vhost { 'test.options': + docroot => '/tmp', + options => ['Indexes','FollowSymLinks', 'ExecCGI'], + } + MANIFEST + it 'applies cleanly' do apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/25-test.server.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test.itk.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'AssignUserId nobody nobody' } + end + describe file("#{apache_hash['vhost_dir']}/25-test.custom_fragment.conf") do + it { is_expected.to be_file } + it { is_expected.to contain '#weird test string' } + end + describe file("#{apache_hash['vhost_dir']}/test.without_priority_prefix.conf") do + it { is_expected.to be_file } + end + describe file("#{apache_hash['vhost_dir']}/25-test.ssl_protool.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'SSLProtocol *All -SSLv2' } + end + describe file("#{apache_hash['vhost_dir']}/25-test.block.conf") do + it { is_expected.to be_file } + it { is_expected.to contain '' } + end + describe file("#{apache_hash['vhost_dir']}/25-test.setenv_setenvif.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'SetEnv TEST /test' } + it { is_expected.to contain 'SetEnvIf Request_URI "\.gif$" object_is_image=gif' } + end + describe file("#{apache_hash['vhost_dir']}/25-test.rewrite.conf") do + it { is_expected.to be_file } + it { is_expected.to contain '#test' } + it { is_expected.to contain 'RewriteCond %{HTTP_USER_AGENT} ^Lynx/ [OR]' 
} + it { is_expected.to contain 'RewriteRule ^index.html$ welcome.html' } + it { is_expected.to contain 'RewriteMap lc int:tolower' } + end + describe file("#{apache_hash['vhost_dir']}/25-test.request_headers.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'append MirrorID "mirror 12"' } + end + describe file("#{apache_hash['vhost_dir']}/25-test.redirect.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'Redirect permanent /images http://test.server/' } + end + describe file("#{apache_hash['vhost_dir']}/25-test.no_proxy_uris.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'ProxyPass http://test2/test !' } + it { is_expected.to contain 'ProxyPass / http://test2/' } + end + describe file("#{apache_hash['vhost_dir']}/25-test.proxy.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'ProxyPass / http://testproxy/' } + end + describe file("#{apache_hash['vhost_dir']}/25-test.scriptaliases.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'ScriptAlias /myscript "/usr/share/myscript"' } + end + describe file("#{apache_hash['vhost_dir']}/25-test.aliases.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'Alias /image "/ftp/pub/image"' } + it { is_expected.to contain 'ScriptAlias /myscript "/usr/share/myscript"' } + end + describe file("#{apache_hash['vhost_dir']}/25-test.access_logs.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'CustomLog "/tmp/log1" combined' } + it { is_expected.to contain 'CustomLog "/tmp/log2" combined env=admin' } + it { is_expected.to contain 'CustomLog "/var/tmp/log3" "%h %l"' } + it { is_expected.to contain 'CustomLog "syslog" combined' } + end + describe file("#{apache_hash['vhost_dir']}/25-test.access_log_env_var.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'CustomLog "syslog" combined env=admin' } + end + describe 
file("#{apache_hash['vhost_dir']}/25-test.access_log_format.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'CustomLog "syslog" "%h %l"' } + end + describe file("#{apache_hash['vhost_dir']}/25-test.logroot.conf") do it { is_expected.to be_file } it { is_expected.to contain ' CustomLog "/tmp' } end + describe file("#{apache_hash['vhost_dir']}/25-test.override.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'AllowOverride All' } + end + describe file("#{apache_hash['vhost_dir']}/25-test.options.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'Options Indexes FollowSymLinks ExecCGI' } + end end ['access', 'error'].each do |logtype| @@ -1089,7 +970,7 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/25-test.server.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do it { is_expected.to be_file } it { is_expected.not_to contain " #{logname} \"/tmp" } end @@ -1109,7 +990,7 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/25-test.server.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do it { is_expected.to be_file } it { is_expected.to contain " #{logname} \"|/bin/sh" } end 
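Review bot: The guard `unless: (os[:family] =~ %r{redhat} && os[:release].to_i == 8)` now covers the whole 'parameter tests' group, so on RedHat 8 none of the vhost parameters merged into this manifest is exercised, although the removed `options`, `override` and `logroot` groups had no such guard. If only one parameter (presumably `itk`) is unavailable there, keep that vhost in its own guarded group and leave the rest unconditional. The merge also loses the string form `ssl_protocol => 'All -SSLv2'` that the 'SSLProtocol directive' test removed in the -1698 hunk used to cover; a second vhost with that value would keep both input types tested. The vhost name `test.ssl_protool` looks like a typo for `test.ssl_protocol`.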
@@ -1129,144 +1010,13 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/25-test.server.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do it { is_expected.to be_file } it { is_expected.to contain " #{logname} \"syslog\"" } end end end - describe 'access_log_format' do - pp = <<-MANIFEST - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - logroot => '/tmp', - access_log_syslog => 'syslog', - access_log_format => '%h %l', - } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'CustomLog "syslog" "%h %l"' } - end - end - - describe 'access_log_env_var' do - pp = <<-MANIFEST - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - logroot => '/tmp', - access_log_syslog => 'syslog', - access_log_env_var => 'admin', - } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'CustomLog "syslog" combined env=admin' } - end - end - - describe 'multiple access_logs' do - pp = <<-MANIFEST - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - logroot => '/tmp', - access_logs => [ - {'file' => 'log1'}, - {'file' => 'log2', 'env' => 'admin' }, - {'file' => '/var/tmp/log3', 'format' => '%h %l'}, - {'syslog' => 'syslog' } - ] - } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'CustomLog "/tmp/log1" combined' } - it { is_expected.to contain 
'CustomLog "/tmp/log2" combined env=admin' } - it { is_expected.to contain 'CustomLog "/var/tmp/log3" "%h %l"' } - it { is_expected.to contain 'CustomLog "syslog" combined' } - end - end - - describe 'aliases' do - pp = <<-MANIFEST - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - aliases => [ - { alias => '/image' , path => '/ftp/pub/image' } , - { scriptalias => '/myscript' , path => '/usr/share/myscript' } - ], - } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'Alias /image "/ftp/pub/image"' } - it { is_expected.to contain 'ScriptAlias /myscript "/usr/share/myscript"' } - end - end - - describe 'scriptaliases' do - pp = <<-MANIFEST - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - scriptaliases => [{ alias => '/myscript', path => '/usr/share/myscript', }], - } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'ScriptAlias /myscript "/usr/share/myscript"' } - end - end - - describe 'proxy' do - pp = <<-MANIFEST - class { 'apache': service_ensure => stopped, } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - proxy_dest => 'test2', - } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'ProxyPass / test2/' } - end - end - describe 'actions' do pp = <<-MANIFEST class { 'apache': } 
@@ -1277,11 +1027,11 @@ class { 'apache': } } MANIFEST it 'applies cleanly' do - pp += "\nclass { 'apache::mod::actions': }" if fact('osfamily') == 'Debian' || fact('osfamily') == 'Suse' + pp += "\nclass { 'apache::mod::actions': }" if os[:family] =~ %r{debian|suse|ubuntu|sles} apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/25-test.server.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do it { is_expected.to be_file } it { is_expected.to contain 'Action php-fastcgi /cgi-bin virtual' } end 
@@ -1293,128 +1043,20 @@ class { 'apache': service_ensure => stopped, } host { 'test.server': ip => '127.0.0.1' } apache::vhost { 'test.server': docroot => '/tmp', - suphp_addhandler => '#{$suphp_handler}', + suphp_addhandler => '#{apache_hash['suphp_handler']}', suphp_engine => 'on', - suphp_configpath => '#{$suphp_configpath}', + suphp_configpath => '#{apache_hash['suphp_configpath']}', } MANIFEST it 'applies cleanly' do apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/25-test.server.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do it { is_expected.to be_file } - it { is_expected.to contain "suPHP_AddHandler #{$suphp_handler}" } + it { is_expected.to contain "suPHP_AddHandler #{apache_hash['suphp_handler']}" } it { is_expected.to contain 'suPHP_Engine on' } - it { is_expected.to contain "suPHP_ConfigPath \"#{$suphp_configpath}\"" } - end - end - - describe 'rack_base_uris' do - unless fact('osfamily') == 'RedHat' || host_inventory['facter']['os']['name'] == 'SLES' - test = -> do - pp = <<-MANIFEST - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - rack_base_uris => ['/test'], - } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - test.call - end - end - end - - describe 'no_proxy_uris' do - pp = <<-MANIFEST - class { 'apache': service_ensure => stopped, } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - proxy_dest => 'http://test2', - no_proxy_uris => [ 'http://test2/test' ], - } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'ProxyPass http://test2/test !' 
} - it { is_expected.to contain 'ProxyPass / http://test2/' } - end - end - - describe 'redirect' do - pp = <<-MANIFEST - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - redirect_source => ['/images'], - redirect_dest => ['http://test.server/'], - redirect_status => ['permanent'], - } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'Redirect permanent /images http://test.server/' } - end - end - - describe 'request_headers' do - pp = <<-MANIFEST - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - request_headers => ['append MirrorID "mirror 12"'], - } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'append MirrorID "mirror 12"' } - end - end - - describe 'rewrite rules' do - pp = <<-MANIFEST - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - rewrites => [ - { comment => 'test', - rewrite_cond => '%{HTTP_USER_AGENT} ^Lynx/ [OR]', - rewrite_rule => ['^index\.html$ welcome.html'], - rewrite_map => ['lc int:tolower'], - } - ], - } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain '#test' } - it { is_expected.to contain 'RewriteCond %{HTTP_USER_AGENT} ^Lynx/ [OR]' } - it { is_expected.to contain 'RewriteRule ^index.html$ welcome.html' } - it { is_expected.to contain 'RewriteMap lc int:tolower' } + it { is_expected.to contain "suPHP_ConfigPath \"#{apache_hash['suphp_configpath']}\"" } end end 
@@ -1448,7 +1090,7 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/25-test.server.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do it { is_expected.to be_file } it { is_expected.to contain '#Permalink Rewrites' } it { is_expected.to contain 'RewriteEngine On' } 
@@ -1460,207 +1102,39 @@ class { 'apache': } end end - describe 'setenv/setenvif' do - pp = <<-MANIFEST - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - setenv => ['TEST /test'], - setenvif => ['Request_URI "\.gif$" object_is_image=gif'] - } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'SetEnv TEST /test' } - it { is_expected.to contain 'SetEnvIf Request_URI "\.gif$" object_is_image=gif' } - end - end - - describe 'block' do - pp = <<-MANIFEST - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - block => 'scm', - } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain '' } - end - end - describe 'wsgi' do - unless host_inventory['facter']['os']['distro'].nil? 
- context 'on lucid', if: host_inventory['facter']['os']['distro']['codename'] == 'lucid' do - pp = <<-MANIFEST - class { 'apache': } - class { 'apache::mod::wsgi': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - wsgi_application_group => '%{GLOBAL}', - wsgi_daemon_process => { 'foo' => { 'python-home' => '/usr' }, 'bar' => {} }, - wsgi_daemon_process_options => {processes => '2'}, - wsgi_process_group => 'nobody', - wsgi_script_aliases => { '/test' => '/test1' }, - wsgi_script_aliases_match => { '/test/([^/*])' => '/test1' }, - wsgi_pass_authorization => 'On', - } - MANIFEST - it 'import_script applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - end - - context 'on everything but lucid', unless: (host_inventory['facter']['os']['distro']['codename'] == 'lucid' || host_inventory['facter']['os']['name'] == 'SLES') do - pp = <<-MANIFEST - class { 'apache': } - class { 'apache::mod::wsgi': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - wsgi_application_group => '%{GLOBAL}', - wsgi_daemon_process => { 'wsgi' => { 'python-home' => '/usr' }, 'foo' => {} }, - wsgi_daemon_process_options => {processes => '2'}, - wsgi_import_script => '/test1', - wsgi_import_script_options => { application-group => '%{GLOBAL}', process-group => 'wsgi' }, - wsgi_process_group => 'nobody', - wsgi_script_aliases => { '/test' => '/test1' }, - wsgi_script_aliases_match => { '/test/([^/*])' => '/test1' }, - wsgi_pass_authorization => 'On', - wsgi_chunked_request => 'On', - } - MANIFEST - it 'import_script applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'WSGIApplicationGroup %{GLOBAL}' } - it { is_expected.to contain 'WSGIDaemonProcess foo' } - it { is_expected.to contain 'WSGIDaemonProcess wsgi python-home=/usr' } - it { 
is_expected.to contain 'WSGIImportScript /test1 application-group=%{GLOBAL} process-group=wsgi' } - it { is_expected.to contain 'WSGIProcessGroup nobody' } - it { is_expected.to contain 'WSGIScriptAlias /test "/test1"' } - it { is_expected.to contain 'WSGIPassAuthorization On' } - it { is_expected.to contain 'WSGIChunkedRequest On' } - end - end - end - end - - describe 'custom_fragment' do - pp = <<-MANIFEST - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - custom_fragment => inline_template('#weird test string'), - } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain '#weird test string' } - end - end - - describe 'itk' do - pp = <<-MANIFEST + context 'filter on OS', unless: (os[:family] =~ %r{sles|redhat}) do + pp = <<-MANIFEST class { 'apache': } + class { 'apache::mod::wsgi': } host { 'test.server': ip => '127.0.0.1' } apache::vhost { 'test.server': - docroot => '/tmp', - itk => { user => 'nobody', group => 'nobody' } + docroot => '/tmp', + wsgi_application_group => '%{GLOBAL}', + wsgi_daemon_process => { 'wsgi' => { 'python-home' => '/usr' }, 'foo' => {} }, + wsgi_daemon_process_options => {processes => '2'}, + wsgi_import_script => '/test1', + wsgi_import_script_options => { application-group => '%{GLOBAL}', process-group => 'wsgi' }, + wsgi_process_group => 'nobody', + wsgi_script_aliases => { '/test' => '/test1' }, + wsgi_script_aliases_match => { '/test/([^/*])' => '/test1' }, + wsgi_pass_authorization => 'On', + wsgi_chunked_request => 'On', } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'AssignUserId nobody nobody' } - end - end - - # Limit testing to Debian, since Centos 
does not have fastcgi package. - # In addition Debian 9/Ubuntu 18.04 no longer support this fastcgi - if fact('osfamily') == 'Debian' && !['9', '18.04'].include?(host_inventory['facter']['os']['release']['major']) - describe 'fastcgi' do - pp_one = <<-MANIFEST - $_os = $::operatingsystem - - if $_os == 'Ubuntu' { - $_location = "http://archive.ubuntu.com/ubuntu/" - $_security_location = "http://archive.ubuntu.com/ubuntu/" - $_release = $::lsbdistcodename - $_release_security = "${_release}-security" - $_repos = "main universe multiverse" - } else { - $_location = "http://httpredir.debian.org/debian/" - $_security_location = "http://security.debian.org/" - $_release = $::lsbdistcodename - $_release_security = "${_release}/updates" - $_repos = "main contrib non-free" - } - - include ::apt - apt::source { "${_os}_${_release}": - location => $_location, - release => $_release, - repos => $_repos, - } - - apt::source { "${_os}_${_release}-updates": - location => $_location, - release => "${_release}-updates", - repos => $_repos, - } - - apt::source { "${_os}_${_release}-security": - location => $_security_location, - release => $_release_security, - repos => $_repos, - } - MANIFEST - pp_two = <<-MANIFEST - class { 'apache': } - class { 'apache::mod::fastcgi': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - fastcgi_server => 'localhost', - fastcgi_socket => '/tmp/fast/1234', - fastcgi_dir => '/tmp/fast', - } MANIFEST - it 'applies cleanly' do - # apt-get update may not run clean here. Should be OK. 
- apply_manifest(pp_one, catch_failures: false) - - apply_manifest(pp_two, catch_failures: true, acceptable_exit_codes: [0, 2]) + it 'import_script applies cleanly' do + apply_manifest(pp, catch_failures: true) end - - describe file("#{$vhost_dir}/25-test.server.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do it { is_expected.to be_file } - it { is_expected.to contain 'FastCgiExternalServer localhost -socket /tmp/fast/1234' } - it { is_expected.to contain '' } + it { is_expected.to contain 'WSGIApplicationGroup %{GLOBAL}' } + it { is_expected.to contain 'WSGIDaemonProcess foo' } + it { is_expected.to contain 'WSGIDaemonProcess wsgi python-home=/usr' } + it { is_expected.to contain 'WSGIImportScript /test1 application-group=%{GLOBAL} process-group=wsgi' } + it { is_expected.to contain 'WSGIProcessGroup nobody' } + it { is_expected.to contain 'WSGIScriptAlias /test "/test1"' } + it { is_expected.to contain 'WSGIPassAuthorization On' } + it { is_expected.to contain 'WSGIChunkedRequest On' } end end end 
@@ -1698,75 +1172,62 @@ class { 'apache': } apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/25-test.server.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do it { is_expected.to be_file } it { is_expected.to contain 'Include "/apache_spec/include"' } end end - describe 'virtualhost without priority prefix' do - pp = <<-MANIFEST - class { 'apache': } - apache::vhost { 'test.server': - priority => false, - docroot => '/tmp' - } - MANIFEST - it 'applies cleanly' do - apply_manifest(pp, catch_failures: true) - end - - describe file("#{$vhost_dir}/test.server.conf") do - it { is_expected.to be_file } - end - end - - describe 'SSLProtocol directive' do + describe 'shibboleth parameters', if: (os[:family] == 'debian' && os[:release] != '7') do + # Debian 7 is too old for ShibCompatValidUser pp = <<-MANIFEST class { 'apache': } + class { 'apache::mod::shib': } apache::vhost { 'test.server': - docroot => '/tmp', - ssl => true, - ssl_protocol => ['All', '-SSLv2'], - } - apache::vhost { 'test2.server': - docroot => '/tmp', - ssl => true, - ssl_protocol => 'All -SSLv2', + port => '80', + docroot => '/var/www/html', + shib_compat_valid_user => 'On' } MANIFEST it 'applies cleanly' do apply_manifest(pp, catch_failures: true) end - - describe file("#{$vhost_dir}/25-test.server.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do it { is_expected.to be_file } - it { is_expected.to contain 'SSLProtocol *All -SSLv2' } - end - - describe file("#{$vhost_dir}/25-test2.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'SSLProtocol *All -SSLv2' } + it { is_expected.to contain 'ShibCompatValidUser On' } end end - describe 'shibboleth parameters', if: (fact('osfamily') == 'Debian' && host_inventory['facter']['os']['release']['major'] != '7') do - # Debian 7 is too old for ShibCompatValidUser + describe 'auth_oidc', unless: (os[:family] == 'ubuntu' && os[:release].to_f == 14.04) 
do pp = <<-MANIFEST - class { 'apache': } - class { 'apache::mod::shib': } - apache::vhost { 'test.server': - port => '80', - docroot => '/var/www/html', - shib_compat_valid_user => 'On' - } + class { 'apache': } + apache::vhost { 'test.server': + port => '80', + docroot => '/var/www/html', + auth_oidc => true, + oidc_settings => { + 'ProviderMetadataURL' => 'https://login.example.com/.well-known/openid-configuration', + 'ClientID' => 'test', + 'RedirectURI' => 'https://login.example.com/redirect_uri', + 'ProviderTokenEndpointAuth' => 'client_secret_basic', + 'RemoteUserClaim' => 'sub', + 'ClientSecret' => 'aae053a9-4abf-4824-8956-e94b2af335c8', + 'CryptoPassphrase' => '4ad1bb46-9979-450e-ae58-c696967df3cd' + } + } MANIFEST - it 'applies cleanly' do + it 'applys cleanly' do apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/25-test.server.conf") do + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do it { is_expected.to be_file } - it { is_expected.to contain 'ShibCompatValidUser On' } + it { is_expected.to contain 'OIDCProviderMetadataURL https://login.example.com/.well-known/openid-configuration' } + it { is_expected.to contain 'OIDCClientID test' } + it { is_expected.to contain 'OIDCRedirectURI https://login.example.com/redirect_uri' } + it { is_expected.to contain 'OIDCProviderTokenEndpointAuth client_secret_basic' } + it { is_expected.to contain 'OIDCRemoteUserClaim sub' } + it { is_expected.to contain 'OIDCClientSecret aae053a9-4abf-4824-8956-e94b2af335c8' } + it { is_expected.to contain 'OIDCCryptoPassphrase 4ad1bb46-9979-450e-ae58-c696967df3cd' } end end end diff --git a/spec/acceptance/vhosts_spec.rb b/spec/acceptance/vhosts_spec.rb index 9c49c5b173..3051700352 100644 --- a/spec/acceptance/vhosts_spec.rb +++ b/spec/acceptance/vhosts_spec.rb 
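Review bot: The new `auth_oidc` acceptance test leaves the permissions of `25-test.server.conf` unchecked, although it confirms that `OIDCClientSecret` and `OIDCCryptoPassphrase` are written to that file in clear text; `be_file` is the only property asserted on the file itself. Whether the module sets a restrictive mode on vhost files is not visible in this hunk; if it does, pin it here with `it { is_expected.not_to be_readable.by('others') }`. The example name `'applys cleanly'` should read `'applies cleanly'`, as the other examples in this file do.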
@@ -1,6 +1,5 @@ require 'spec_helper_acceptance' -require_relative './version.rb' - +apache_hash = apache_settings_hash describe 'apache::vhosts class' do context 'custom vhosts defined via class apache::vhosts' do pp = <<-MANIFEST @@ -21,11 +20,11 @@ class { 'apache::vhosts': apply_manifest(pp, catch_failures: true) end - describe file("#{$vhost_dir}/25-custom_vhost_1.conf") do + describe file("#{apache_hash['vhost_dir']}/25-custom_vhost_1.conf") do it { is_expected.to contain '' } end - describe file("#{$vhost_dir}/25-custom_vhost_2.conf") do + describe file("#{apache_hash['vhost_dir']}/25-custom_vhost_2.conf") do it { is_expected.to contain '' } end end diff --git a/spec/classes/apache_spec.rb b/spec/classes/apache_spec.rb index ad4f8dcc62..a9a6952685 100644 --- a/spec/classes/apache_spec.rb +++ b/spec/classes/apache_spec.rb @@ -247,7 +247,7 @@ context '8' do let :facts do super().merge(lsbdistcodename: 'jessie', - operatingsystemrelease: '8') + operatingsystemrelease: '8.0.0') end it { @@ -255,7 +255,16 @@ 'ensure' => 'directory', ) } + describe 'Alternate mpm_modules when declaring mpm_module => prefork' do + let :params do + { mpm_module: 'worker' } + end + + it { is_expected.to contain_exec('/usr/sbin/a2dismod event') } + it { is_expected.to contain_exec('/usr/sbin/a2dismod prefork') } + end end + context 'on Ubuntu 14.04' do let :facts do super().merge(operatingsystem: 'Ubuntu', diff --git a/spec/classes/mod/auth_openidc_spec.rb b/spec/classes/mod/auth_openidc_spec.rb new file mode 100644 index 0000000000..3f1d640cc8 --- /dev/null +++ b/spec/classes/mod/auth_openidc_spec.rb 
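Review bot: The example group added to apache_spec.rb is titled `'Alternate mpm_modules when declaring mpm_module => prefork'`, but its params set `mpm_module: 'worker'` and the expectations are that `event` and `prefork` get disabled. The title should name the value under test: `describe 'Alternate mpm_modules when declaring mpm_module => worker' do`. The enclosing `context '8'` block starts outside the hunk.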
@@ -0,0 +1,89 @@ +require 'spec_helper' + +describe 'apache::mod::auth_openidc', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with parameters' do + context 'on a Debian OS', :compile do + let :facts do + { + id: 'root', + kernel: 'Linux', + lsbdistcodename: 'jessie', + osfamily: 'Debian', + operatingsystem: 'Debian', + operatingsystemrelease: '8', + path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + is_pe: false, + } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('auth_openidc') } + it { is_expected.to contain_package('libapache2-mod-auth-openidc') } + end + context 'on a RedHat OS', :compile do + let :facts do + { + id: 'root', + kernel: 'Linux', + osfamily: 'RedHat', + operatingsystem: 'RedHat', + operatingsystemrelease: '6', + path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + is_pe: false, + } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('auth_openidc') } + it { is_expected.to contain_package('mod_auth_openidc') } + end + context 'on a FreeBSD OS', :compile do + let :facts do + { + id: 'root', + kernel: 'FreeBSD', + osfamily: 'FreeBSD', + operatingsystem: 'FreeBSD', + operatingsystemrelease: '9', + path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + is_pe: false, + } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('auth_openidc') } + it { is_expected.to contain_package('www/mod_auth_openidc') } + end + end + context 'overriding mod_packages' do + context 'on a RedHat OS', :compile do + let :facts do + { + id: 'root', + kernel: 'Linux', + osfamily: 'RedHat', + operatingsystem: 'RedHat', + operatingsystemrelease: '6', + path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + is_pe: false, + } + end + let :pre_condition do + <<-MANIFEST + include 
apache::params + class { 'apache': + mod_packages => merge($::apache::params::mod_packages, { + 'auth_openidc' => 'httpd24-mod_auth_openidc', + }) + } + MANIFEST + end + + it { is_expected.to contain_apache__mod('auth_openidc') } + it { is_expected.to contain_package('httpd24-mod_auth_openidc') } + it { is_expected.not_to contain_package('mod_auth_openidc') } + end + end +end diff --git a/spec/classes/mod/jk_spec.rb b/spec/classes/mod/jk_spec.rb index d253c2f984..a8a4d5b9e2 100644 --- a/spec/classes/mod/jk_spec.rb +++ b/spec/classes/mod/jk_spec.rb @@ -114,6 +114,7 @@ it_behaves_like 'minimal resources', mod_dir it_behaves_like 'specific workers_file', mod_dir it { is_expected.to contain_apache__listen("#{default_ip}:#{default_port}") } + it { is_expected.to contain_package('libapache2-mod-jk') } it { verify_contents(catalogue, 'jk.conf', ['', '']) } diff --git a/spec/classes/mod/passenger_spec.rb b/spec/classes/mod/passenger_spec.rb index 2bcd0ac879..e8c37a67d8 100644 --- a/spec/classes/mod/passenger_spec.rb +++ b/spec/classes/mod/passenger_spec.rb @@ -424,6 +424,16 @@ is_expected.to contain_file('zpassenger.load').with('path' => '/etc/httpd/conf.modules.d/zpassenger.load') } end + when '8' + + context 'on EL8' do + it { + is_expected.to contain_file('passenger_package.conf').with('path' => '/etc/httpd/conf.d/passenger.conf') + } + it { + is_expected.to contain_file('zpassenger.load').with('path' => '/etc/httpd/conf.d/zpassenger.load') + } + end end end when 'FreeBSD' diff --git a/spec/classes/mod/php_spec.rb b/spec/classes/mod/php_spec.rb index e4a654ff31..fa557f24f0 100644 --- a/spec/classes/mod/php_spec.rb +++ b/spec/classes/mod/php_spec.rb 
@@ -86,13 +86,10 @@ end it { is_expected.to contain_class('apache::params') } - it { is_expected.to contain_apache__mod('php5') } + it { is_expected.to contain_apache__mod('php5') } if facts[:os]['release']['major'].to_i < 8 it { is_expected.to contain_package('php') } if facts[:os]['release']['major'].to_i > 5 - it { - is_expected.to contain_file('php5.load').with( - content: "LoadModule php5_module modules/libphp5.so\n", - ) - } + it { is_expected.to contain_file('php5.load').with(content: "LoadModule php5_module modules/libphp5.so\n") } if facts[:os]['release']['major'].to_i < 8 + it { is_expected.to contain_file('php7.load').with(content: "LoadModule php7_module modules/libphp7.so\n") } if facts[:os]['release']['major'].to_i >= 8 end context 'with alternative package name' do let :pre_condition do @@ -112,11 +109,8 @@ { path: 'alternative-path' } end - it { - is_expected.to contain_file('php5.load').with( - content: "LoadModule php5_module alternative-path\n", - ) - } + it { is_expected.to contain_file('php5.load').with(content: "LoadModule php5_module alternative-path\n") } if facts[:os]['release']['major'].to_i < 8 + it { is_expected.to contain_file('php7.load').with(content: "LoadModule php7_module alternative-path\n") } if facts[:os]['release']['major'].to_i >= 8 end context 'with alternative extensions' do let :pre_condition do @@ -128,7 +122,7 @@ } end - it { is_expected.to contain_file('php5.conf').with_content(Regexp.new(Regexp.escape(''))) } + it { is_expected.to contain_file('php5.conf').with_content(Regexp.new(Regexp.escape(''))) } if facts[:os]['release']['major'].to_i < 8 end if facts[:os]['release']['major'].to_i > 5 context 'with specific version' do 
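Review bot: In the 'with alternative extensions' hunk the `php5.conf` expectation is now skipped for major release 8 and later, and nothing replaces it, so the extensions parameter is untested on those platforms. The neighbouring hunks pair every guarded `php5.load` check with a `php7.load` one guarded by `if facts[:os]['release']['major'].to_i >= 8`; the same pairing is missing here. A matching expectation on the PHP 7 config file would restore the coverage; its file name is not shown in this diff and has to be taken from the module. The enclosing context begins outside the hunk.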
@@ -149,13 +143,10 @@ context 'with mpm_module => prefork' do it { is_expected.to contain_class('apache::params') } it { is_expected.to contain_class('apache::mod::prefork') } - it { is_expected.to contain_apache__mod('php5') } + it { is_expected.to contain_apache__mod('php5') } if facts[:os]['release']['major'].to_i < 8 it { is_expected.to contain_package('php') } if facts[:os]['release']['major'].to_i > 5 - it { - is_expected.to contain_file('php5.load').with( - content: "LoadModule php5_module modules/libphp5.so\n", - ) - } + it { is_expected.to contain_file('php5.load').with(content: "LoadModule php5_module modules/libphp5.so\n") } if facts[:os]['release']['major'].to_i < 8 + it { is_expected.to contain_file('php7.load').with(content: "LoadModule php7_module modules/libphp7.so\n") } if facts[:os]['release']['major'].to_i >= 8 end context 'with mpm_module => itk' do let :pre_condition do @@ -164,13 +155,10 @@ it { is_expected.to contain_class('apache::params') } it { is_expected.to contain_class('apache::mod::itk') } - it { is_expected.to contain_apache__mod('php5') } + it { is_expected.to contain_apache__mod('php5') } if facts[:os]['release']['major'].to_i < 8 it { is_expected.to contain_package('php') } if facts[:os]['release']['major'].to_i > 5 - it { - is_expected.to contain_file('php5.load').with( - content: "LoadModule php5_module modules/libphp5.so\n", - ) - } + it { is_expected.to contain_file('php5.load').with(content: "LoadModule php5_module modules/libphp5.so\n") } if facts[:os]['release']['major'].to_i < 8 + it { is_expected.to contain_file('php7.load').with(content: "LoadModule php7_module modules/libphp7.so\n") } if facts[:os]['release']['major'].to_i >= 8 end end when 'FreeBSD' 
@@ -215,9 +203,10 @@ end end - # all the following tests are for legacy php/apache versions. They don't work on modern ubuntu + # all the following tests are for legacy php/apache versions. They don't work on modern ubuntu and redhat 8 next if (facts[:os]['release']['major'].to_i > 15 && facts[:os]['name'] == 'Ubuntu') || - (facts[:os]['release']['major'].to_i >= 9 && facts[:os]['name'] == 'Debian') + (facts[:os]['release']['major'].to_i >= 9 && facts[:os]['name'] == 'Debian') || + (facts[:os]['release']['major'].to_i >= 8 && (facts[:os]['name'] == 'RedHat' || facts[:os]['name'] == 'CentOS')) describe 'OS independent tests' do context 'with content param' do diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb index 570d9af606..ad7d9644a1 100644 --- a/spec/classes/mod/security_spec.rb +++ b/spec/classes/mod/security_spec.rb @@ -24,17 +24,25 @@ ) } it { is_expected.to contain_package('mod_security_crs') } - if facts[:os]['release']['major'].to_i > 6 + if facts[:os]['release']['major'].to_i > 6 && facts[:os]['release']['major'].to_i <= 7 it { is_expected.to contain_file('security.conf').with( path: '/etc/httpd/conf.modules.d/security.conf', ) } end + if facts[:os]['release']['major'].to_i >= 8 + it { + is_expected.to contain_file('security.conf').with( + path: '/etc/httpd/conf.d/security.conf', + ) + } + end it { is_expected.to contain_file('security.conf') .with_content(%r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!04\)\)"$}) .with_content(%r{^\s+SecAuditLogParts ABIJDEFHZ$}) + .with_content(%r{^\s+SecAuditLogType Serial$}) .with_content(%r{^\s+SecDebugLog /var/log/httpd/modsec_debug.log$}) .with_content(%r{^\s+SecAuditLog /var/log/httpd/modsec_audit.log$}) } 
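Review bot: The guard `facts[:os]['release']['major'].to_i > 6 && facts[:os]['release']['major'].to_i <= 7` in the security_spec.rb hunk is true only for major release 7 and reads more directly as `if facts[:os]['release']['major'].to_i == 7`. The `>= 8` block added right after it checks the same file resource with a different path, so an `if`/`elsif` pair on one local holding the major release would also remove the three repeated fact lookups. The surrounding context starts outside the hunk.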
@@ -71,12 +79,16 @@ ], audit_log_relevant_status: '^(?:5|4(?!01|04))', audit_log_parts: 'ABCDZ', + audit_log_type: 'Concurrent', + audit_log_storage_dir: '/var/log/httpd/audit', secdefaultaction: 'deny,status:406,nolog,auditlog', } end it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!01\|04\)\)"$} } it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABCDZ$} } + it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogType Concurrent$} } + it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogStorageDir /var/log/httpd/audit$} } it { is_expected.to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content %r{^\s*SecDefaultAction "phase:2,deny,status:406,nolog,auditlog"$} } it { is_expected.to contain_file('bar.conf').with( @@ -119,6 +131,7 @@ is_expected.to contain_file('security.conf') .with_content(%r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!04\)\)"$}) .with_content(%r{^\s+SecAuditLogParts ABIJDEFHZ$}) + .with_content(%r{^\s+SecAuditLogType Serial$}) .with_content(%r{^\s+SecDebugLog /var/log/apache2/modsec_debug.log$}) .with_content(%r{^\s+SecAuditLog /var/log/apache2/modsec_audit.log$}) } @@ -158,6 +171,8 @@ ], audit_log_relevant_status: '^(?:5|4(?!01|04))', audit_log_parts: 'ABCDZ', + audit_log_type: 'Concurrent', + audit_log_storage_dir: '/var/log/httpd/audit', secdefaultaction: 'deny,status:406,nolog,auditlog', } end 
@@ -166,6 +181,7 @@ (facts[:os]['release']['major'].to_i < 9 && facts[:os]['name'] == 'Debian') it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!01\|04\)\)"$} } it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABCDZ$} } + it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogStorageDir /var/log/httpd/audit$} } it { is_expected.to contain_file('/etc/modsecurity/security_crs.conf').with_content %r{^\s*SecDefaultAction "phase:2,deny,status:406,nolog,auditlog"$} } it { is_expected.to contain_file('bar.conf').with( @@ -175,6 +191,21 @@ } end end + + describe 'with mod security version' do + let :params do + { + version: 2, + } + end + + it { is_expected.to contain_apache__mod('security2') } + it { + is_expected.to contain_file('security.conf').with( + path: '/etc/apache2/mods-available/security2.conf', + ) + } + end end end end diff --git a/spec/classes/mod/ssl_spec.rb b/spec/classes/mod/ssl_spec.rb index 700079ad8a..1fe0955a8e 100644 --- a/spec/classes/mod/ssl_spec.rb +++ b/spec/classes/mod/ssl_spec.rb 
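Review bot: The Debian-family branch gains a check for `SecAuditLogStorageDir /var/log/httpd/audit` but none for `SecAuditLogType Concurrent`, although the params hunk just before it sets `audit_log_type: 'Concurrent'` and the RedHat branch asserts both lines. As written, a regression that leaves the type at `Serial` while a storage directory is configured would still pass here. Adding `it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogType Concurrent$} }` next to the storage-dir check closes that gap. The enclosing conditional starts outside the hunk.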
@@ -36,6 +36,26 @@ it { is_expected.to contain_apache__mod('ssl') } it { is_expected.to contain_package('mod_ssl') } it { is_expected.to contain_file('ssl.conf').with_path('/etc/httpd/conf.d/ssl.conf') } + it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProtocol all -SSLv2 -SSLv3}) } + end + context '8 OS' do + let :facts do + { + osfamily: 'RedHat', + operatingsystemrelease: '8', + operatingsystem: 'RedHat', + id: 'root', + kernel: 'Linux', + path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + is_pe: false, + } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('ssl') } + it { is_expected.to contain_package('mod_ssl') } + it { is_expected.to contain_file('ssl.conf').with_path('/etc/httpd/conf.d/ssl.conf') } + it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProtocol all}) } end context '6 OS with a custom package_name parameter' do let :facts do @@ -104,8 +124,8 @@ it { is_expected.to contain_class('apache::params') } it { is_expected.to contain_apache__mod('ssl') } it { is_expected.not_to contain_package('libapache2-mod-ssl') } + it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProtocol all -SSLv2 -SSLv3}) } end - context 'on a FreeBSD OS' do let :facts do { diff --git a/spec/classes/mod/userdir_spec.rb b/spec/classes/mod/userdir_spec.rb index f33920a262..9ce731d53d 100644 --- a/spec/classes/mod/userdir_spec.rb +++ b/spec/classes/mod/userdir_spec.rb 
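Review bot: The expectation `with_content(%r{SSLProtocol all})` in the new '8 OS' context is unanchored, so it also matches `SSLProtocol all -SSLv2 -SSLv3` and cannot tell the two rendered values apart. If the intent is that this platform renders the bare value, anchor the pattern: `with_content(%r{^\s*SSLProtocol all$})`. The two added `%r{SSLProtocol all -SSLv2 -SSLv3}` checks would likewise be tighter with a trailing `$`, so that an extra protocol token appended to the line is caught.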
@@ -55,5 +55,24 @@ it { is_expected.to contain_file('userdir.conf').with_content(%r{^\s*UserDir\s+public_html /usr/web http://www\.example\.com/$}) } it { is_expected.to contain_file('userdir.conf').with_content(%r{^\s*\$}) } end + context 'with unmanaged_path set to true' do + let :params do + { + unmanaged_path: true, + } + end + + it { is_expected.to contain_file('userdir.conf').with_content(%r{^\s*UserDir\s+/home/\*/public_html$}) } + it { is_expected.not_to contain_file('userdir.conf').with_content(%r{^\s*\ false' do + let(:params) { super().merge(priority: false) } + let(:pre_condition) do + <<-PUPPET + include apache + apache::vhost { 'custom': + docroot => '/path/to/docroot', + priority => false, + } + PUPPET + end + + it 'creates a vhost concat fragment' do + is_expected.to compile.with_all_deps + is_expected.to contain_concat('custom.conf') + is_expected.to create_concat__fragment('custom-myfragment') + .with_target('custom.conf') + .with_order(900) + .with_content('# Foo') + end + end + + context 'with priority => 42' do + let(:params) { super().merge(priority: '42') } + let(:pre_condition) do + <<-PUPPET + include apache + apache::vhost { 'custom': + docroot => '/path/to/docroot', + priority => '42', + } + PUPPET + end + + it 'creates a vhost concat fragment' do + is_expected.to compile.with_all_deps + is_expected.to contain_concat('42-custom.conf') + is_expected.to create_concat__fragment('custom-myfragment') + .with_target('42-custom.conf') + .with_order(900) + .with_content('# Foo') + end + end + + context 'with default priority' do + let(:pre_condition) do + <<-PUPPET + include apache + apache::vhost { 'custom': + docroot => '/path/to/docroot', + } + PUPPET + end + + it 'creates a vhost concat fragment' do + is_expected.to compile.with_all_deps + is_expected.to contain_concat('25-custom.conf') + is_expected.to create_concat__fragment('custom-myfragment') + .with_target('25-custom.conf') + .with_order(900) + .with_content('# Foo') + end + end + end + 
end + end +end diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index dcefbd1ba0..9832f328ed 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -3,9 +3,9 @@ describe 'apache::vhost', type: :define do describe 'os-independent items' do on_supported_os.each do |os, facts| - # this setup uses fastcgi wich isn't available on RHEL 7 / Ubuntu 18.04 + # this setup uses fastcgi wich isn't available on RHEL 7 / RHEL 8 / Ubuntu 18.04 next if facts[:os]['release']['major'] == '18.04' - next if facts[:os]['release']['major'] == '7' && facts[:os]['family']['RedHat'] + next if (facts[:os]['release']['major'] == '7' || facts[:os]['release']['major'] == '8') && facts[:os]['family']['RedHat'] # next if facts[:os]['name'] == 'SLES' apache_name = case facts[:os]['family'] @@ -44,7 +44,7 @@ it { is_expected.to contain_class('apache::params') } it { is_expected.to contain_apache__listen(params[:port]) } # namebased virualhost is only created on apache 2.2 and older - if (facts[:os]['family'] == 'RedHat' && facts[:os]['release']['major'].to_i < 7) || + if (facts[:os]['family'] == 'RedHat' && facts[:os]['release']['major'].to_i < 8) || (facts[:os]['name'] == 'Amazon') || (facts[:os]['name'] == 'SLES' && facts[:os]['release']['major'].to_i < 12) it { is_expected.to contain_apache__namevirtualhost("*:#{params[:port]}") } @@ -159,6 +159,8 @@ 'index_style_sheet' => '/styles/style.css' }, { 'path' => '/var/www/files/output_filtered', 'set_output_filter' => 'output_filter' }, + { 'path' => '/var/www/files/input_filtered', + 'set_input_filter' => 'input_filter' }, { 'path' => '/var/www/files', 'provider' => 'location', 'limit' => [ 
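Review bot: The skip condition ends in `facts[:os]['family']['RedHat']`, which is a substring lookup on the family string rather than a comparison. It works because `String#[]` returns nil when the substring is absent, but the intent is clearer as `&& facts[:os]['family'] == 'RedHat'`. The comment above it also has a typo, `wich` for `which`.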
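Review bot: The comment `# namebased virualhost is only created on apache 2.2 and older` no longer matches the condition under it, whose RedHat bound is now `< 8` and therefore includes RedHat 7. RedHat 7 ships Apache 2.4, so either the comment or the bound looks off. Which one depends on how the module derives the Apache version from these facts, and that is not visible in the hunk. If the new bound is correct, the comment should state the actual rule; `virualhost` should also read `virtualhost`.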
@@ -183,6 +185,25 @@ '/foo.js', ], }, + { + 'path' => '/', + 'provider' => 'location', + 'auth_ldap_referrals' => 'off', + }, + { + 'path' => '/proxy', + 'provider' => 'location', + 'proxy_pass' => [ + { + 'url' => 'http://backend-b/', + 'keywords' => ['noquery', 'interpolate'], + 'params' => { + 'retry' => '0', + 'timeout' => '5', + }, + }, + ], + }, { 'path' => '/var/www/node-app/public', 'passenger_enabled' => true, @@ -227,6 +248,7 @@ 'error_log' => false, 'error_log_file' => 'httpd_error_log', 'error_log_syslog' => true, + 'error_log_format' => ['[%t] [%l] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i'], 'error_documents' => 'true', 'fallbackresource' => '/index.php', 'scriptalias' => '/usr/lib/cgi-bin', @@ -240,6 +262,10 @@ 'path' => '/usr/share/fooscripts$1', }, ], + 'limitreqfieldsize' => 8190, + 'limitreqfields' => 100, + 'limitreqline' => 8190, + 'limitreqbody' => 0, 'proxy_dest' => '/', 'proxy_pass' => [ { @@ -279,6 +305,7 @@ 'setenv' => ['proxy-nokeepalive 1', 'force-proxy-request-1.0 1'], }, ], + 'proxy_requests' => false, 'suphp_addhandler' => 'foo', 'suphp_engine' => 'on', 'suphp_configpath' => '/var/www/html', @@ -438,6 +465,14 @@ 'max_keepalive_requests' => '1000', 'protocols' => ['h2', 'http/1.1'], 'protocols_honor_order' => true, + 'auth_oidc' => true, + 'oidc_settings' => { 'ProviderMetadataURL' => 'https://login.example.com/.well-known/openid-configuration', + 'ClientID' => 'test', + 'RedirectURI' => 'https://login.example.com/redirect_uri', + 'ProviderTokenEndpointAuth' => 'client_secret_basic', + 'RemoteUserClaim' => 'sub', + 'ClientSecret' => 'aae053a9-4abf-4824-8956-e94b2af335c8', + 'CryptoPassphrase' => '4ad1bb46-9979-450e-ae58-c696967df3cd' }, } end 
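Review bot: `'proxy_requests' => false` is added to the params, but none of the hunks visible in this diff adds an expectation for the rendered `ProxyRequests` directive, whereas the `limitreq*` and `oidc_settings` additions each get one. Forward proxying being off is what keeps a vhost from acting as an open proxy, so the rendered value is worth pinning. An expectation on the fragment that carries the proxy settings, matching `%r{^\s+ProxyRequests Off$}`, would do it. The fragment name is not shown here and should be taken from the template.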
@@ -490,6 +525,26 @@ } end it { is_expected.to contain_concat__fragment('rspec.example.com-apache-header') } + it { + is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with( + content: %r{^\s+LimitRequestFieldSize 8190$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with( + content: %r{^\s+LimitRequestFields 100$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with( + content: %r{^\s+LimitRequestLine 8190$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with( + content: %r{^\s+LimitRequestBody 0$}, + ) + } it { is_expected.to contain_concat__fragment('rspec.example.com-docroot') } it { is_expected.to contain_concat__fragment('rspec.example.com-aliases') } it { is_expected.to contain_concat__fragment('rspec.example.com-itk') } @@ -600,6 +655,16 @@ content: %r{^\s+Require any-valid2$}, ) } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+LDAPReferrals off$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+ProxyPass http://backend-b/ retry=0 timeout=5 noquery interpolate$}, + ) + } it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( content: %r{^\s+Options\sIndexes\sFollowSymLinks\sMultiViews$}, @@ -625,6 +690,11 @@ content: %r{^\s+SetOutputFilter\soutput_filter$}, ) } + it { + is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+SetInputFilter\sinput_filter$}, + ) + } it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( content: %r{^\s+$}, 
@@ -847,6 +917,10 @@ } it { is_expected.to contain_concat__fragment('rspec.example.com-additional_includes') } it { is_expected.to contain_concat__fragment('rspec.example.com-logging') } + it { + is_expected.to contain_concat__fragment('rspec.example.com-logging') + .with_content(%r{^\s+ErrorLogFormat "\[%t\] \[%l\] %7F: %E: \[client\\ %a\] %M% ,\\ referer\\ %\{Referer\}i"$}) + } it { is_expected.to contain_concat__fragment('rspec.example.com-serversignature') } it { is_expected.not_to contain_concat__fragment('rspec.example.com-access_log') } it { is_expected.to contain_concat__fragment('rspec.example.com-action') } @@ -1348,6 +1422,41 @@ content: %r{^\s+PassengerLveMinUid\s500$}, ) } + it { + is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with( + content: %r{^\s+OIDCProviderMetadataURL\shttps:\/\/login.example.com\/\.well-known\/openid-configuration$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with( + content: %r{^\s+OIDCClientID\stest$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with( + content: %r{^\s+OIDCRedirectURI\shttps:\/\/login\.example.com\/redirect_uri$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with( + content: %r{^\s+OIDCProviderTokenEndpointAuth\sclient_secret_basic$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with( + content: %r{^\s+OIDCRemoteUserClaim\ssub$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with( + content: %r{^\s+OIDCClientSecret\saae053a9-4abf-4824-8956-e94b2af335c8$}, + ) + } + it { + is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with( + content: %r{^\s+OIDCCryptoPassphrase\s4ad1bb46-9979-450e-ae58-c696967df3cd$}, + ) + } end context 'vhost with multiple ip addresses' do let :params do 
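Review bot: The OIDC URL patterns escape dots inconsistently: `login.example.com` is left unescaped in the `OIDCProviderMetadataURL` pattern and only half escaped (`login\.example.com`) in the `OIDCRedirectURI` one, so each bare `.` matches any character. Escaping every literal dot makes the assertions exact, and inside `%r{}` the `\/` escapes are unnecessary: `%r{^\s+OIDCRedirectURI\shttps://login\.example\.com/redirect_uri$}`. The same applies to the metadata URL pattern.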
@@ -1873,6 +1982,84 @@ } end end # access logs + describe 'error logs format' do + context 'on Apache 2.2' do + let(:params) do + { + 'docroot' => '/rspec/docroot', + 'apache_version' => '2.2', + 'error_log_format' => ['[%t] [%l] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i'], + } + end + + it { + is_expected.to contain_concat__fragment('rspec.example.com-logging') + .without_content(%r{ErrorLogFormat}) + } + end + + context 'single log format directive as a string' do + let(:params) do + { + 'docroot' => '/rspec/docroot', + 'apache_version' => '2.4', + 'error_log_format' => ['[%t] [%l] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i'], + } + end + + it { + is_expected.to contain_concat__fragment('rspec.example.com-logging').with( + content: %r{^\s+ErrorLogFormat "\[%t\] \[%l\] %7F: %E: \[client\\ %a\] %M% ,\\ referer\\ %\{Referer\}i"$}, + ) + } + end + + context 'multiple log format directives' do + let(:params) do + { + 'docroot' => '/rspec/docroot', + 'apache_version' => '2.4', + 'error_log_format' => [ + '[%{uc}t] [%-m:%-l] [R:%L] [C:%{C}L] %7F: %E: %M', + { '[%{uc}t] [R:%L] Request %k on C:%{c}L pid:%P tid:%T' => 'request' }, + { "[%{uc}t] [R:%L] UA:'%+{User-Agent}i'" => 'request' }, + { "[%{uc}t] [R:%L] Referer:'%+{Referer}i'" => 'request' }, + { '[%{uc}t] [C:%{c}L] local\ %a remote\ %A' => 'connection' }, + ], + } + end + + it { + is_expected.to contain_concat__fragment('rspec.example.com-logging').with( + content: %r{^\s+ErrorLogFormat "\[%\{uc\}t\] \[%-m:%-l\] \[R:%L\] \[C:%\{C\}L\] %7F: %E: %M"$}, + ) + } + + it { + is_expected.to contain_concat__fragment('rspec.example.com-logging').with( + content: %r{^\s+ErrorLogFormat request "\[%\{uc\}t\] \[R:%L\] Request %k on C:%\{c\}L pid:%P tid:%T"$}, + ) + } + + it { + is_expected.to contain_concat__fragment('rspec.example.com-logging').with( + content: %r{^\s+ErrorLogFormat request "\[%\{uc\}t\] \[R:%L\] UA:'%\+\{User-Agent\}i'"$}, + ) + } + + it { + is_expected.to 
contain_concat__fragment('rspec.example.com-logging').with( + content: %r{^\s+ErrorLogFormat request "\[%\{uc\}t\] \[R:%L\] Referer:'%\+\{Referer\}i'"$}, + ) + } + + it { + is_expected.to contain_concat__fragment('rspec.example.com-logging').with( + content: %r{^\s+ErrorLogFormat connection "\[%\{uc\}t\] \[C:%\{c\}L\] local\\ %a remote\\ %A"$}, + ) + } + end + end # error logs format describe 'validation' do context 'bad ensure' do let :params do @@ -2054,6 +2241,18 @@ it { is_expected.to raise_error(Puppet::Error) } end + context 'bad error_log_format flag' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'error_log_format' => [ + { 'some format' => 'bogus' }, + ], + } + end + + it { is_expected.to raise_error(Puppet::Error) } + end context 'access_log_file and access_log_pipe' do let :params do { diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 1f8b6b4bcb..bc023f51af 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + RSpec.configure do |c| c.mock_with :rspec end @@ -29,6 +31,11 @@ end end +# read default_facts and merge them over what is provided by facterdb +default_facts.each do |fact, value| + add_custom_fact fact, value +end + RSpec.configure do |c| c.default_facts = default_facts c.before :each do @@ -42,6 +49,8 @@ end end +# Ensures that a module is defined +# @param module_name Name of the module def ensure_module_defined(module_name) module_name.split('::').reduce(Object) do |last_module, next_module| last_module.const_set(next_module, Module.new) unless last_module.const_defined?(next_module, false) diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index e98ad28ebb..aabeb0b80d 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb 
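Review bot: The context 'single log format directive as a string' passes `'error_log_format'` as a one-element array, the same value the 'on Apache 2.2' context uses, so the string form named in the title is never exercised. If the parameter accepts a bare string, pass the format without the surrounding brackets; otherwise retitle the context, `context 'single log format directive' do`. Whether a bare string is accepted is not visible in this hunk.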
@@ -1,102 +1,82 @@ -require 'beaker-pe' -require 'beaker-puppet' -require 'puppet' -require 'beaker-rspec/spec_helper' -require 'beaker-rspec/helpers/serverspec' -require 'beaker/puppet_install_helper' -require 'beaker/module_install_helper' -require 'beaker-task_helper' +# frozen_string_literal: true -run_puppet_install_helper -configure_type_defaults_on(hosts) -install_bolt_on(hosts) unless pe_install? -install_module_on(hosts) -install_module_dependencies_on(hosts) +require 'serverspec' +require 'puppet_litmus' +require 'spec_helper_acceptance_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_acceptance_local.rb')) +include PuppetLitmus -RSpec.configure do |c| - c.filter_run focus: true - c.run_all_when_everything_filtered = true - # IPv6 is not enabled by default in the new travis-ci Trusty environment (see https://github.com/travis-ci/travis-ci/issues/8891 ) - if fact('network6_lo') != '::1' - c.filter_run_excluding ipv6: true +if ENV['TARGET_HOST'].nil? || ENV['TARGET_HOST'] == 'localhost' + puts 'Running tests against this machine !' + if Gem.win_platform? + set :backend, :cmd + else + set :backend, :exec end +else + # load inventory + inventory_hash = inventory_hash_from_inventory_file + node_config = config_from_node(inventory_hash, ENV['TARGET_HOST']) - # Readable test descriptions - c.formatter = :documentation + if target_in_group(inventory_hash, ENV['TARGET_HOST'], 'docker_nodes') + host = ENV['TARGET_HOST'] + set :backend, :docker + set :docker_container, host + elsif target_in_group(inventory_hash, ENV['TARGET_HOST'], 'ssh_nodes') + set :backend, :ssh + options = Net::SSH::Config.for(host) + options[:user] = node_config.dig('ssh', 'user') unless node_config.dig('ssh', 'user').nil? + options[:port] = node_config.dig('ssh', 'port') unless node_config.dig('ssh', 'port').nil? + options[:keys] = node_config.dig('ssh', 'private-key') unless node_config.dig('ssh', 'private-key').nil? 
+ options[:password] = node_config.dig('ssh', 'password') unless node_config.dig('ssh', 'password').nil? + # Support both net-ssh 4 and 5. + # rubocop:disable Metrics/BlockNesting + options[:verify_host_key] = if node_config.dig('ssh', 'host-key-check').nil? + # Fall back to SSH behavior. This variable will only be set in net-ssh 5.3+. + if @strict_host_key_checking.nil? || @strict_host_key_checking + Net::SSH::Verifiers::Always.new + else + # SSH's behavior with StrictHostKeyChecking=no: adds new keys to known_hosts. + # If known_hosts points to /dev/null, then equivalent to :never where it + # accepts any key beacuse they're all new. + Net::SSH::Verifiers::AcceptNewOrLocalTunnel.new + end + elsif node_config.dig('ssh', 'host-key-check') + if defined?(Net::SSH::Verifiers::Always) + Net::SSH::Verifiers::Always.new + else + Net::SSH::Verifiers::Secure.new + end + elsif defined?(Net::SSH::Verifiers::Never) + Net::SSH::Verifiers::Never.new + else + Net::SSH::Verifiers::Null.new + end + # rubocop:enable Metrics/BlockNesting + host = if ENV['TARGET_HOST'].include?(':') + ENV['TARGET_HOST'].split(':').first + else + ENV['TARGET_HOST'] + end + set :host, options[:host_name] || host + set :ssh_options, options + set :request_pty, true + elsif target_in_group(inventory_hash, ENV['TARGET_HOST'], 'winrm_nodes') + require 'winrm' - # detect the situation where PUP-5016 is triggered and skip the idempotency tests in that case - # also note how fact('puppetversion') is not available because of PUP-4359 - if host_inventory['facter']['os']['family'] == 'Debian' && host_inventory['facter']['os']['release']['major'] == '8' && shell('puppet --version').stdout =~ %r{^4\.2} - c.filter_run_excluding skip_pup_5016: true - end - - # Configure all nodes in nodeset - c.before :suite do - run_puppet_access_login(user: 'admin') if pe_install? 
&& (Gem::Version.new(puppet_version) >= Gem::Version.new('5.0.0')) - # net-tools required for netstat utility being used by be_listening - if (host_inventory['facter']['os']['family'] == 'RedHat' && host_inventory['facter']['os']['release']['major'] == '7') || - (host_inventory['facter']['os']['family'] == 'Debian' && host_inventory['facter']['os']['release']['major'] == '9') || - (host_inventory['facter']['os']['name'] == 'Ubuntu' && host_inventory['facter']['os']['release']['full'] == '18.04') - pp = <<-EOS - package { 'net-tools': ensure => installed } - EOS - - apply_manifest_on(agents, pp, catch_failures: false) - elsif host_inventory['facter']['os']['name'] == 'SLES' && host_inventory['facter']['os']['release']['major'] == '15' - pp = <<-EOS - package { 'net-tools-deprecated': ensure => installed } - EOS - - apply_manifest_on(agents, pp, catch_failures: false) - end - - if host_inventory['facter']['os']['family'] == 'Debian' - # Make sure snake-oil certs are installed. - shell 'apt-get install -y ssl-cert' - end - - # Install module and dependencies - hosts.each do |host| - # Required for mod_passenger tests. - if host_inventory['facter']['os']['family'] == 'RedHat' - on host, puppet('module', 'install', 'stahnma/epel') - on host, puppet('module', 'install', 'puppetlabs/inifile') - # We need epel installed, so we can get plugins, wsgi, mime ... 
- # The osmirror is required as epel no longer supports el5 - pp = <<-PUPPETCODE - if $::osfamily == 'RedHat' { - if $::operatingsystemmajrelease == '5' or ($::operatingsystem == 'OracleLinux' and $::operatingsystemmajrelease == '6'){ - class { 'epel': - epel_baseurl => "http://osmirror.delivery.puppetlabs.net/epel${::operatingsystemmajrelease}-\\$basearch/RPMS.all", - epel_mirrorlist => "http://osmirror.delivery.puppetlabs.net/epel${::operatingsystemmajrelease}-\\$basearch/RPMS.all", - } - } else { - class { 'epel': } - } - } - PUPPETCODE + set :backend, :winrm + set :os, family: 'windows' + user = node_config.dig('winrm', 'user') unless node_config.dig('winrm', 'user').nil? + pass = node_config.dig('winrm', 'password') unless node_config.dig('winrm', 'password').nil? + endpoint = "http://#{ENV['TARGET_HOST']}:5985/wsman" - apply_manifest_on(host, pp, catch_failures: true) - end - - # Required for manifest to make mod_pagespeed repository available - if host_inventory['facter']['os']['family'] == 'Debian' - on host, puppet('module', 'install', 'puppetlabs-apt') - end - - # Make sure selinux is disabled so the tests work. - on host, puppet('apply', '-e', - %("exec { 'setenforce 0': path => '/bin:/sbin:/usr/bin:/usr/sbin', onlyif => 'which setenforce && getenforce | grep Enforcing', }")) - end - end -end - -shared_examples 'a idempotent resource' do - it 'applies with no errors' do - apply_manifest(pp, catch_failures: true) - end + opts = { + user: user, + password: pass, + endpoint: endpoint, + operation_timeout: 300, + } - it 'applies a second time without changes', :skip_pup_5016 do - apply_manifest(pp, catch_changes: true) + winrm = WinRM::Connection.new opts + Specinfra.configuration.winrm = winrm end end diff --git a/spec/spec_helper_acceptance_local.rb b/spec/spec_helper_acceptance_local.rb new file mode 100644 index 0000000000..b6eca89aa0 --- /dev/null +++ b/spec/spec_helper_acceptance_local.rb 
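Review bot: In the `ssh_nodes` branch `Net::SSH::Config.for(host)` runs before `host` is assigned; up to that point `host` is only set in the `docker_nodes` branch, so it is nil here and the per-host entries of the SSH client configuration are presumably not looked up for the real target. Move the `host = if ENV['TARGET_HOST'].include?(':') ...` assignment above the `options = Net::SSH::Config.for(host)` line. Separately, when the inventory sets `host-key-check` to false the code selects `Net::SSH::Verifiers::Never` (or `Null`), which accepts any host key while `options[:password]` may carry a credential; a comment such as `# host key verification disabled by inventory: disposable test targets only` would make that trade-off explicit.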
@@ -0,0 +1,158 @@ +# frozen_string_literal: true + +RSpec.configure do |c| + # IPv6 is not enabled by default in the new travis-ci Trusty environment (see https://github.com/travis-ci/travis-ci/issues/8891 ) + if ENV['CI'] == 'true' + c.filter_run_excluding ipv6: true + end + c.before :suite do + run_shell('puppet module install stahnma/epel') + pp = <<-PUPPETCODE + # needed by tests + package { 'curl': + ensure => 'latest', + } + # needed for netstat, for serverspec checks + if $::osfamily == 'SLES' or $::osfamily == 'SUSE' { + package { 'net-tools-deprecated': + ensure => 'latest', + } + } + # needed for ss, for serverspec checks + if $::operatingsystem == 'Ubuntu' and $::operatingsystemmajrelease !~ /14.04|16.04/ { + package { 'iproute2': + ensure => 'latest', + } + } + if $::osfamily == 'RedHat' { + if $::operatingsystemmajrelease == '5' or $::operatingsystemmajrelease == '6'{ + class { 'epel': + epel_baseurl => "http://osmirror.delivery.puppetlabs.net/epel${::operatingsystemmajrelease}-\\$basearch/RPMS.all", + epel_mirrorlist => "http://osmirror.delivery.puppetlabs.net/epel${::operatingsystemmajrelease}-\\$basearch/RPMS.all", + } + } elsif $::operatingsystemmajrelease == '8' { + class { 'epel': + os_maj_release => "7", + epel_baseurl => "http://osmirror.delivery.puppetlabs.net/epel7-\\$basearch/RPMS.all", + epel_mirrorlist => "http://osmirror.delivery.puppetlabs.net/epel7-\\$basearch/RPMS.all", + } + } else { + class { 'epel': } + } + } + PUPPETCODE + apply_manifest(pp) + + # Make sure selinux is disabled so the tests work. 
+ run_shell('setenforce 0', expect_failures: true) if os[:family] =~ %r{redhat|oracle} + end +end + +def apache_settings_hash + osfamily = os[:family] + operatingsystemrelease = os[:release].to_f + apache = {} + case osfamily + when 'redhat', 'oracle' + apache['confd_dir'] = '/etc/httpd/conf.d' + apache['conf_file'] = '/etc/httpd/conf/httpd.conf' + apache['ports_file'] = '/etc/httpd/conf/ports.conf' + apache['vhost_dir'] = '/etc/httpd/conf.d' + apache['vhost'] = '/etc/httpd/conf.d/15-default.conf' + apache['run_dir'] = '/var/run/httpd' + apache['doc_root'] = '/var/www' + apache['service_name'] = 'httpd' + apache['package_name'] = 'httpd' + apache['error_log'] = 'error_log' + apache['suphp_handler'] = 'php5-script' + apache['suphp_configpath'] = 'undef' + if (operatingsystemrelease >= 7 && operatingsystemrelease < 8) && (osfamily == 'redhat') + apache['version'] = '2.4' + apache['mod_dir'] = '/etc/httpd/conf.modules.d' + apache['mod_ssl_dir'] = apache['confd_dir'] + elsif operatingsystemrelease >= 8 && osfamily == 'redhat' + apache['version'] = '2.4' + apache['mod_dir'] = '/etc/httpd/conf.d' + apache['mod_ssl_dir'] = apache['mod_dir'] + elsif operatingsystemrelease >= 7 && osfamily == 'oracle' + apache['version'] = '2.4' + apache['mod_dir'] = '/etc/httpd/conf.modules.d' + apache['mod_ssl_dir'] = apache['confd_dir'] + else + apache['version'] = '2.2' + apache['mod_dir'] = '/etc/httpd/conf.d' + apache['mod_ssl_dir'] = apache['mod_dir'] + end + when 'debian', 'ubuntu' + apache['confd_dir'] = '/etc/apache2/conf.d' + apache['mod_dir'] = '/etc/apache2/mods-available' + apache['conf_file'] = '/etc/apache2/apache2.conf' + apache['ports_file'] = '/etc/apache2/ports.conf' + apache['vhost'] = '/etc/apache2/sites-available/15-default.conf' + apache['vhost_dir'] = '/etc/apache2/sites-enabled' + apache['run_dir'] = '/var/run/apache2' + apache['doc_root'] = '/var/www' + apache['service_name'] = 'apache2' + apache['package_name'] = 'apache2' + apache['error_log'] = 'error.log' + 
apache['suphp_handler'] = 'x-httpd-php' + apache['suphp_configpath'] = '/etc/php5/apache2' + apache['version'] = if osfamily == 'ubuntu' && operatingsystemrelease >= 13.10 + '2.4' + elsif osfamily == 'debian' && operatingsystemrelease >= 8.0 + '2.4' + else + '2.2' + end + apache['mod_ssl_dir'] = apache['mod_dir'] + when 'freebsd' + apache['confd_dir'] = '/usr/local/etc/apache24/Includes' + apache['mod_dir'] = '/usr/local/etc/apache24/Modules' + apache['conf_file'] = '/usr/local/etc/apache24/httpd.conf' + apache['ports_file'] = '/usr/local/etc/apache24/Includes/ports.conf' + apache['vhost'] = '/usr/local/etc/apache24/Vhosts/15-default.conf' + apache['vhost_dir'] = '/usr/local/etc/apache24/Vhosts' + apache['run_dir'] = '/var/run/apache24' + apache['doc_root'] = '/var/www' + apache['service_name'] = 'apache24' + apache['package_name'] = 'apache24' + apache['error_log'] = 'http-error.log' + apache['version'] = '2.2' + apache['mod_ssl_dir'] = apache['mod_dir'] + when 'gentoo' + apache['confd_dir'] = '/etc/apache2/conf.d' + apache['mod_dir'] = '/etc/apache2/modules.d' + apache['conf_file'] = '/etc/apache2/httpd.conf' + apache['ports_file'] = '/etc/apache2/ports.conf' + apache['vhost'] = '/etc/apache2/vhosts.d/15-default.conf' + apache['vhost_dir'] = '/etc/apache2/vhosts.d' + apache['run_dir'] = '/var/run/apache2' + apache['doc_root'] = '/var/www' + apache['service_name'] = 'apache2' + apache['package_name'] = 'www-servers/apache' + apache['error_log'] = 'http-error.log' + apache['version'] = '2.4' + apache['mod_ssl_dir'] = apache['mod_dir'] + when 'suse', 'sles' + apache['confd_dir'] = '/etc/apache2/conf.d' + apache['mod_dir'] = '/etc/apache2/mods-available' + apache['conf_file'] = '/etc/apache2/httpd.conf' + apache['ports_file'] = '/etc/apache2/ports.conf' + apache['vhost'] = '/etc/apache2/sites-available/15-default.conf' + apache['vhost_dir'] = '/etc/apache2/sites-available' + apache['run_dir'] = '/var/run/apache2' + apache['doc_root'] = '/srv/www' + 
apache['service_name'] = 'apache2' + apache['package_name'] = 'apache2' + apache['error_log'] = 'error.log' + apache['version'] = if operatingsystemrelease < 12 + '2.2' + else + '2.4' + end + apache['mod_ssl_dir'] = apache['mod_dir'] + else + raise 'unable to figure out what apache version' + end + apache +end diff --git a/templates/httpd.conf.erb b/templates/httpd.conf.erb index 5393cb8bbc..b19d8da813 100755 --- a/templates/httpd.conf.erb +++ b/templates/httpd.conf.erb @@ -134,6 +134,12 @@ IncludeOptional "<%= @vhost_load_dir %>/<%= @vhost_include_pattern %>" Include "<%= @vhost_load_dir %>/<%= @vhost_include_pattern %>" <%- end -%> <% end -%> +<% if @ldap_verify_server_cert -%> +LDAPVerifyServerCert <%= @ldap_verify_server_cert %> +<% end -%> +<% if @ldap_trusted_mode -%> +LDAPTrustedMode <%= @ldap_trusted_mode %> +<% end -%> <% if @error_documents -%> # /usr/share/apache2/error on debian diff --git a/templates/mod/autoindex.conf.erb b/templates/mod/autoindex.conf.erb index ef6bbebea6..ac4103a7ba 100644 --- a/templates/mod/autoindex.conf.erb +++ b/templates/mod/autoindex.conf.erb 
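Review bot: The `before :suite` block installs `stahnma/epel` without a version and points `epel_baseurl`/`epel_mirrorlist` at `http://osmirror.delivery.puppetlabs.net/...`, so what is provisioned on the test node depends on whatever the Forge and a cleartext mirror serve at run time. Pin the module, e.g. `run_shell('puppet module install stahnma/epel --version <PINNED_VERSION>')`, and use an HTTPS mirror URL if that host offers one, which cannot be confirmed from this hunk. Whether GPG checking stays enabled in the `epel` class is also not visible here. The new `$::operatingsystemmajrelease == '8'` branch configures the EPEL 7 repository on an EL8 node and should carry a comment stating why that is intended.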
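Review bot: `LDAPVerifyServerCert <%= @ldap_verify_server_cert %>` and `LDAPTrustedMode <%= @ldap_trusted_mode %>` write the parameter values verbatim. Because of the `if` guard, a Boolean `false` emits nothing and leaves Apache's default in place, while a Boolean `true` would render the literal `true`, which is not a valid argument for the directive. The parameter types are not visible in this hunk; if they are not already restricted, constrain them in the class, e.g. `Optional[Enum['On', 'Off']] $ldap_verify_server_cert = undef`. The parameter documentation should state that `Off` turns off certificate verification for LDAP connections.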
@@ -30,24 +30,24 @@ AddIcon /icons/hand.right.gif README AddIcon /icons/folder.gif ^^DIRECTORY^^ AddIcon /icons/blank.gif ^^BLANKICON^^ -AddIcon /icons/odf6odt-20x22.png .odt -AddIcon /icons/odf6ods-20x22.png .ods -AddIcon /icons/odf6odp-20x22.png .odp -AddIcon /icons/odf6odg-20x22.png .odg -AddIcon /icons/odf6odc-20x22.png .odc -AddIcon /icons/odf6odf-20x22.png .odf -AddIcon /icons/odf6odb-20x22.png .odb -AddIcon /icons/odf6odi-20x22.png .odi -AddIcon /icons/odf6odm-20x22.png .odm +AddIcon /icons/odf6odt<%= @icon_suffix %>.png .odt +AddIcon /icons/odf6ods<%= @icon_suffix %>.png .ods +AddIcon /icons/odf6odp<%= @icon_suffix %>.png .odp +AddIcon /icons/odf6odg<%= @icon_suffix %>.png .odg +AddIcon /icons/odf6odc<%= @icon_suffix %>.png .odc +AddIcon /icons/odf6odf<%= @icon_suffix %>.png .odf +AddIcon /icons/odf6odb<%= @icon_suffix %>.png .odb +AddIcon /icons/odf6odi<%= @icon_suffix %>.png .odi +AddIcon /icons/odf6odm<%= @icon_suffix %>.png .odm -AddIcon /icons/odf6ott-20x22.png .ott -AddIcon /icons/odf6ots-20x22.png .ots -AddIcon /icons/odf6otp-20x22.png .otp -AddIcon /icons/odf6otg-20x22.png .otg -AddIcon /icons/odf6otc-20x22.png .otc -AddIcon /icons/odf6otf-20x22.png .otf -AddIcon /icons/odf6oti-20x22.png .oti -AddIcon /icons/odf6oth-20x22.png .oth +AddIcon /icons/odf6ott<%= @icon_suffix %>.png .ott +AddIcon /icons/odf6ots<%= @icon_suffix %>.png .ots +AddIcon /icons/odf6otp<%= @icon_suffix %>.png .otp +AddIcon /icons/odf6otg<%= @icon_suffix %>.png .otg +AddIcon /icons/odf6otc<%= @icon_suffix %>.png .otc +AddIcon /icons/odf6otf<%= @icon_suffix %>.png .otf +AddIcon /icons/odf6oti<%= @icon_suffix %>.png .oti +AddIcon /icons/odf6oth<%= @icon_suffix %>.png .oth DefaultIcon /icons/unknown.gif ReadmeName README.html diff --git a/templates/mod/proxy.conf.erb b/templates/mod/proxy.conf.erb index f3114fdb55..f9dee733f9 100644 --- a/templates/mod/proxy.conf.erb +++ b/templates/mod/proxy.conf.erb 
@@ -25,5 +25,7 @@ # Set to one of: Off | On | Full | Block ProxyVia <%= @proxy_via %> + <%- if @proxy_timeout -%> ProxyTimeout <%= @proxy_timeout %> + <%- end -%> diff --git a/templates/mod/security.conf.erb b/templates/mod/security.conf.erb index 638332e52e..5392bae3a5 100644 --- a/templates/mod/security.conf.erb +++ b/templates/mod/security.conf.erb @@ -45,7 +45,10 @@ SecAuditEngine RelevantOnly SecAuditLogRelevantStatus "<%= @audit_log_relevant_status %>" SecAuditLogParts <%= @audit_log_parts %> - SecAuditLogType Serial + SecAuditLogType <%= @audit_log_type %> + <%- if @audit_log_storage_dir -%> + SecAuditLogStorageDir <%= @audit_log_storage_dir %> + <%- end -%> SecArgumentSeparator & SecCookieFormat 0 <%- if scope.lookupvar('::osfamily') == 'Debian' -%> diff --git a/templates/mod/userdir.conf.erb b/templates/mod/userdir.conf.erb index edf994c502..c28081131e 100644 --- a/templates/mod/userdir.conf.erb +++ b/templates/mod/userdir.conf.erb @@ -4,6 +4,7 @@ <% end -%> UserDir <%= @_path %> +<%- if ! @unmanaged_path -%> "> AllowOverride <%= @overrides.join(' ') %> Options <%= @options.join(' ') %> @@ -24,4 +25,8 @@ <%- end -%> +<%- end -%> +<%- if @custom_fragment -%> +<%= @custom_fragment %> +<%- end -%> diff --git a/templates/vhost/_auth_oidc.erb b/templates/vhost/_auth_oidc.erb new file mode 100644 index 0000000000..dd0faa429c --- /dev/null +++ b/templates/vhost/_auth_oidc.erb @@ -0,0 +1,5 @@ +<% if @auth_oidc -%> +<% @oidc_settings.each do |key, value| %> + OIDC<%= key %> <%= value -%> +<% end %> +<% end -%> diff --git a/templates/vhost/_directories.erb b/templates/vhost/_directories.erb index 8d92afbde7..97056de893 100644 --- a/templates/vhost/_directories.erb +++ b/templates/vhost/_directories.erb 
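Review bot: `SecAuditLogType <%= @audit_log_type %>` now takes a caller-supplied value, but `SecAuditLogStorageDir` is emitted only when `@audit_log_storage_dir` is set, and nothing in this hunk ties the two together. ModSecurity needs a storage directory for the `Concurrent` type, so a host configured with `Concurrent` and no directory would presumably end up without usable audit logs. Unless the manifest already enforces this (not visible here), validate the type against the values the module supports and fail when `Concurrent` is chosen without `audit_log_storage_dir`.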
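Review bot: `OIDC<%= key %> <%= value -%>` writes each value unquoted and unescaped, while many settings in `Apache::OIDCSettings` (for example `CryptoPassphrase`, `ClientSecret`, `RedisCachePassword`) are plain `String`. A value containing whitespace would be parsed by Apache as several arguments, and one containing a line break would start a new configuration line. Since some settings legitimately take several space-separated arguments, blanket quoting is not the fix; quote the single-argument string settings and have the type reject line breaks, e.g. `Pattern[/\A[^\r\n]+\z/]` instead of bare `String`. These secrets also end up in clear text in the rendered vhost file, so its owner and mode are worth stating in the parameter documentation.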
@@ -290,6 +290,9 @@ <%- if directory['auth_merging'] -%> AuthMerging <%= directory['auth_merging'] %> <%- end -%> + <%- if directory['auth_ldap_referrals'] -%> + LDAPReferrals <%= directory['auth_ldap_referrals'] %> + <%- end -%> <%- if directory['auth_ldap_url'] -%> AuthLDAPURL <%= directory['auth_ldap_url'] %> <%- end -%> @@ -317,7 +320,7 @@ ExpiresActive <%= directory['expires_active'] %> <%- end -%> <%- if directory['expires_default'] -%> - ExpiresDefault <%= directory['expires_default'] %> + ExpiresDefault "<%= directory['expires_default'] %>" <%- end -%> <%- if directory['expires_by_type'] -%> <%- Array(directory['expires_by_type']).each do |rule| -%> @@ -374,6 +377,9 @@ <%- if directory['set_output_filter'] -%> SetOutputFilter <%= directory['set_output_filter'] %> <%- end -%> + <%- if directory['set_input_filter'] -%> + SetInputFilter <%= directory['set_input_filter'] %> + <%- end -%> <%- if @shibboleth_enabled -%> <%- if directory['shib_require_session'] and ! directory['shib_require_session'].empty? -%> ShibRequireSession <%= directory['shib_require_session'] %> @@ -457,7 +463,7 @@ <%- end -%> <%- if directory['proxy_pass'] and directory['provider'] and directory['provider'].match('location') -%> <%- directory['proxy_pass'].flatten.compact.each do |proxy| -%> - ProxyPass <%= proxy['url'] %> + ProxyPass <%= proxy['url'] -%> <%- if proxy['params'] -%> <%- proxy['params'].keys.sort.each do |key| -%> <%= key %>=<%= proxy['params'][key] -%> <%- end -%> diff --git a/templates/vhost/_file_footer.erb b/templates/vhost/_file_footer.erb index f8108e5c3f..d42a1bdbe6 100644 --- a/templates/vhost/_file_footer.erb +++ b/templates/vhost/_file_footer.erb @@ -1,3 +1,6 @@ +<% @define.each do | k, v| -%> + Undefine <%= k %> +<% end -%> <% if @passenger_pre_start -%> <%- [@passenger_pre_start].flatten.compact.each do |passenger_pre_start| -%> diff --git a/templates/vhost/_file_header.erb b/templates/vhost/_file_header.erb index 9ff4aff3d8..ac119ae01e 100644 
--- a/templates/vhost/_file_header.erb +++ b/templates/vhost/_file_header.erb @@ -5,6 +5,9 @@ <%= [@comment].flatten.collect{|c| "# #{c}"}.join("\n") -%> > +<% @define.each do | k, v| -%> + Define <%= k %> <%= v %> +<% end -%> <% if @servername and not @servername.empty? -%> ServerName <%= @servername %> <% end -%> @@ -20,3 +23,15 @@ ProtocolsHonorOrder <%= scope.call_function('apache::bool2httpd', [@protocols_honor_order]) %> <%- end -%> <% end -%> +<% if @limitreqfieldsize -%> + LimitRequestFieldSize <%= @limitreqfieldsize %> +<% end -%> +<% if @limitreqfields -%> + LimitRequestFields <%= @limitreqfields %> +<% end -%> +<% if @limitreqline -%> + LimitRequestLine <%= @limitreqline %> +<% end -%> +<% if @limitreqbody -%> + LimitRequestBody <%= @limitreqbody %> +<% end -%> \ No newline at end of file diff --git a/templates/vhost/_logging.erb b/templates/vhost/_logging.erb index 35a924d29b..b41c85cc5b 100644 --- a/templates/vhost/_logging.erb +++ b/templates/vhost/_logging.erb @@ -8,3 +8,14 @@ <% if @log_level -%> LogLevel <%= @log_level %> <% end -%> +<% if @error_log_format24 -%> + <%- @error_log_format24.each do |lfmt| -%> + <%- if lfmt.is_a?(Hash) -%> + <%- lfmt.each do |fmt, flag| -%> + ErrorLogFormat <%= flag %> "<%= fmt %>" + <%- end -%> + <%- else -%> + ErrorLogFormat "<%= lfmt %>" + <%- end -%> + <%- end -%> +<% end -%> diff --git a/templates/vhost/_proxy.erb b/templates/vhost/_proxy.erb index 6cbe43ae76..b47c98bd8d 100644 --- a/templates/vhost/_proxy.erb +++ b/templates/vhost/_proxy.erb @@ -1,8 +1,12 @@ <% if @proxy_dest or @proxy_pass or @proxy_pass_match or @proxy_dest_match -%> ## Proxy rules +<% if @proxy_requests -%> + ProxyRequests On +<% else -%> ProxyRequests Off <%- end -%> +<%- end -%> <% if @proxy_preserve_host -%> ProxyPreserveHost On <% else -%> diff --git a/templates/vhost/_ssl.erb b/templates/vhost/_ssl.erb index 7f5767c4cb..4200f78590 100644 --- a/templates/vhost/_ssl.erb +++ b/templates/vhost/_ssl.erb 
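Review bot: `ErrorLogFormat "<%= fmt %>"` places the format between double quotes without escaping, so a format string that itself contains `"` ends the argument early and the remainder is read as further arguments. The flag half of a Hash entry appears to be validated (the spec expects `Puppet::Error` for a bogus flag), but nothing in this hunk constrains the format text. Either escape the quote when rendering, e.g. `"<%= fmt.gsub('"') { '\"' } %>"`, or reject formats containing an unescaped double quote or a line break in the parameter validation.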
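Review bot: With `@proxy_requests` true the vhost now renders `ProxyRequests On`, which makes the virtual host a forward proxy, and nothing in this hunk emits or requires an accompanying access restriction. Apache's documentation advises securing the server before enabling this, because an open forward proxy is usable by anyone who can reach it. Document on the parameter that it must be combined with a `<Proxy>` block limiting clients (for instance `Require ip <ALLOWED_NETWORK>`), and consider failing the catalog when it is enabled without one. The enclosing `if @proxy_dest ...` block continues outside the hunk.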
@@ -34,7 +34,7 @@ SSLVerifyDepth <%= @ssl_verify_depth %> <%- end -%> <%- if @ssl_crl_check && scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> - SSLCARevocationCheck "<%= @ssl_crl_check %>" + SSLCARevocationCheck <%= @ssl_crl_check %> <%- end -%> <%- end -%> <%- if @ssl_options -%> diff --git a/types/oidcsettings.pp b/types/oidcsettings.pp new file mode 100644 index 0000000000..bc3ce5c7da --- /dev/null +++ b/types/oidcsettings.pp 
@@ -0,0 +1,112 @@ +# https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf +type Apache::OIDCSettings = Struct[ + { + Optional['RedirectURI'] => Variant[Stdlib::HTTPSUrl,Stdlib::HttpUrl], + Optional['CryptoPassphrase'] => String, + Optional['MetadataDir'] => String, + Optional['ProviderMetadataURL'] => Stdlib::HTTPSUrl, + Optional['ProviderIssuer'] => String, + Optional['ProviderAuthorizationEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderJwksUri'] => Stdlib::HTTPSUrl, + Optional['ProviderTokenEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderTokenEndpointAuth'] => Enum['client_secret_basic','client_secret_post','client_secret_jwt','private_key_jwt','none'], + Optional['ProviderTokenEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['ProviderUserInfoEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderCheckSessionIFrame'] => Stdlib::HTTPSUrl, + Optional['ProviderEndSessionEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderRevocationEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderBackChannelLogoutSupported'] => Enum['On','Off'], + Optional['ProviderRegistrationEndpointJson'] => String, + Optional['Scope'] => Pattern[/^[A-Za-z0-9\-\._\s]+$/], + Optional['AuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['SSLValidateServer'] => Enum['On','Off'], + Optional['UserInfoRefreshInterval'] => Integer, + Optional['JWKSRefreshInterval'] => Integer, + Optional['UserInfoTokenMethod'] => Enum['authz_header','post_param'], + Optional['ProviderAuthRequestMethod'] => Enum['GET','POST'], + Optional['PublicKeyFiles'] => String, + Optional['ResponseType'] => Enum['code','id_token','id_token token','code id_token','code token','code id_token token'], + Optional['ResponseMode'] => Enum['fragment','query','form_post'], + Optional['ClientID'] => String, + Optional['ClientSecret'] => String, + 
Optional['ClientTokenEndpointCert'] => String, + Optional['ClientTokenEndpointKey'] => String, + Optional['ClientName'] => String, + Optional['ClientContact'] => String, + Optional['PKCDMethod'] => Enum['plain','S256','referred_tb'], + Optional['TokenBindingPolicy'] => Enum['disabled','optional','required','enforced'], + Optional['ClientJwksUri'] => Stdlib::HTTPSUrl, + Optional['IDTokenSignedResponseAlg'] => Enum['RS256','RS384','RS512','PS256','PS384','PS512','HS256','HS384','HS512','ES256','ES384','ES512'], + Optional['IDTokenEncryptedResponseAlg'] => Enum['RSA1_5','A128KW','A256KW','RSA-OAEP'], + Optional['IDTokenEncryptedResponseAlg'] => Enum['A128CBC-HS256','A256CBC-HS512','A256GCM'], + Optional['UserInfoSignedResposeAlg'] => Enum['RS256','RS384','RS512','PS256','PS384','PS512','HS256','HS384','HS512','ES256','ES384','ES512'], + Optional['UserInfoEncryptedResponseAlg'] => Enum['RSA1_5','A128KW','A256KW','RSA-OAEP'], + Optional['UserInfoEncryptedResponseEnc'] => Enum['A128CBC-HS256','A256CBC-HS512','A256GCM'], + Optional['OAuthServerMetadataURL'] => Stdlib::HTTPSUrl, + Optional['AuthIntrospectionEndpoint'] => Stdlib::HTTPSUrl, + Optional['OAuthClientID'] => String, + Optional['OAuthClientSecret'] => String, + Optional['OAuthIntrospectionEndpointAuth'] => Enum['client_secret_basic','client_secret_post','client_secret_jwt','private_key_jwt','bearer_access_token','none'], + Optional['OAuthIntrospectionClientAuthBearerToken'] => String, + Optional['OAuthIntrospectionEndpointCert'] => String, + Optional['OAuthIntrospectionEndpointKey'] => String, + Optional['OAuthIntrospectionEndpointMethod'] => Enum['POST','GET'], + Optional['OAuthIntrospectionEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['OAuthIntrospectionTokenParamName'] => String, + Optional['OAuthTokenExpiryClaim'] => Pattern[/^[A-Za-z0-9\-\._]+\s(absolute|relative)\s(mandatory|optional)$/], + Optional['OAuthSSLValidateServer'] => 
Enum['On','Off'], + Optional['OAuthVerifySharedKeys'] => String, + Optional['OAuthVerifyCertFiles'] => String, + Optional['OAuthVerifyJwksUri'] => Stdlib::HTTPSUrl, + Optional['OAuthRemoteUserClaim'] => String, + Optional['OAuthAcceptTokenAs'] => Pattern[/^((header|post|query|cookie\:[A-Za-z0-9\-\._]+|basic)\s?)+$/], + Optional['OAuthAccessTokenBindingPolicy'] => Enum['disabled','optional','required','enforced'], + Optional['Cookie'] => String, + Optional['SessionCookieChunkSize'] => Integer, + Optional['CookieHTTPOnly'] => Enum['On','Off'], + Optional['CookieSameSite'] => Enum['On','Off'], + Optional['PassCookies'] => String, + Optional['StripCookies'] => String, + Optional['StateMaxNumberOfCookies'] => Pattern[/^[0-9]+\s(false|true)$/], + Optional['SessionInactivityTimeout'] => Integer, + Optional['SessionMaxDuration'] => Integer, + Optional['SessionType'] => Pattern[/^(server-cache(:persistent)?|client-cookie(:persistent)?)$/], + Optional['SessionCacheFallbackToCookie'] => Enum['On','Off'], + Optional['CacheType'] => Enum['shm','memcache','file','redis'], + Optional['CacheEncrypt'] => Enum['On','Off'], + Optional['CacheShmMax'] => Integer, + Optional['CacheShmEntrySizeMax'] => Integer, + Optional['CacheFileCleanInterval'] => Integer, + Optional['MemCacheServers'] => String, + Optional['RedisCacheServer'] => String, + Optional['RedisCachePassword'] => String, + Optional['DiscoverURL'] => Variant[Stdlib::HTTPSUrl,Stdlib::HttpUrl], + Optional['HTMLErrorTemplate'] => String, + Optional['DefaultURL'] => Variant[Stdlib::HTTPSUrl,Stdlib::HttpUrl], + Optional['PathScope'] => Pattern[/^[A-Za-z0-9\-\._\s]+$/], + Optional['PathAuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['IDTokenIatSlack'] => Integer, + Optional['ClaimPrefix'] => String, + Optional['ClaimDelimiter'] => Pattern[/^.$/], + Optional['RemoteUserClaim'] => String, + Optional['PassIDTokenAs'] => 
Pattern[/^((claims|payload|serialized)\s?)+$/], + Optional['PassUserInfoAs'] => Pattern[/^((claims|json|jwt)\s?)+$/], + Optional['PassClaimsAs'] => Enum['none','headers','environment','both'], + Optional['AuthNHeader'] => String, + Optional['HTTPTimeoutLong'] => Integer, + Optional['HTTPTimeoutShort'] => Integer, + Optional['StateTimeout'] => Integer, + Optional['ScrubRequestHeaders'] => Enum['On','Off'], + Optional['OutgoingProxy'] => String, + Optional['UnAuthAction'] => Enum['auth','pass','401','410'], + Optional['UnAuthzAction'] => Enum['401','403','auth'], + Optional['PreservePost'] => Enum['On','Off'], + Optional['PassRefreshToken'] => Enum['On','Off'], + Optional['RequestObject'] => String, + Optional['ProviderMetadataRefreshInterval'] => Integer, + Optional['InfoHook'] => Pattern[/^((iat|access_token|access_token_expires|id_token|userinfo|refresh_token|session)\s?)+$/], + Optional['BlackListedClaims'] => String, + Optional['WhiteListedClaims'] => String, + Optional['RefreshAccessTokenBeforeExpiry'] => Pattern[/^[0-9]+(\slogout_on_error)?$/], + } +]
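Review bot: `Optional['IDTokenEncryptedResponseAlg']` appears twice in the Struct, the second time with the content-encryption values (`A128CBC-HS256`, ...); the second entry was presumably meant to be `Optional['IDTokenEncryptedResponseEnc']`, matching the `UserInfoEncryptedResponseAlg`/`UserInfoEncryptedResponseEnc` pair below it. `UserInfoSignedResposeAlg` is misspelled (`UserInfoSignedResponseAlg`) and `PKCDMethod` looks like a typo for `PKCEMethod`; since the vhost template in this commit renders each key as `OIDC<key>`, a misspelled key produces a directive name the module will not recognise. A comment is also warranted on `SSLValidateServer` and `OAuthSSLValidateServer`, which accept `Off` and so allow TLS certificate validation toward the provider to be disabled, and on `RedirectURI`, `DiscoverURL` and `DefaultURL`, which accept plain-HTTP URLs.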