Merge pull request #923 from pcfens/add_auth_cas

Add support for mod_auth_cas module configuration

README.md

@@ -520,6 +520,7 @@ There are many `apache::mod::[name]` classes within this module that can be decl
 * `actions`
 * `alias`
 * `auth_basic`
+* `auth_cas`* (see [`apache::mod::auth_cas`](#class-apachemodauthcas) below)
 * `auth_kerb`
 * `authnz_ldap`*
 * `autoindex`
@@ -578,7 +579,7 @@ Modules noted with a * indicate that the module has settings and, thus, a templa
 
 The modules mentioned above, and other Apache modules that have templates, cause template files to be dropped along with the mod install. The module will not work without the template. Any module without a template installs the package but drops no files.
 
-####Class:  `apache::mod::event
+####Class:  `apache::mod::event`
 
 Installs and manages mpm_event module.
 
@@ -592,6 +593,11 @@ To configure the event thread limit:
   }
 ```
 
+####Class: `apache::mod::auth_cas`
+
+Installs and manages mod_auth_cas. The parameters `cas_login_url` and `cas_validate_url` are required.
+
+Full documentation on mod_auth_cas is available from [JASIG](https://github.com/Jasig/mod_auth_cas).
 
 ####Class: `apache::mod::info`
 

manifests/mod/auth_cas.pp

@@ -0,0 +1,48 @@
+class apache::mod::auth_cas (
+  $cas_login_url,
+  $cas_validate_url,
+  $cas_cookie_path          = $::apache::params::cas_cookie_path,
+  $cas_version              = 2,
+  $cas_debug                = 'Off',
+  $cas_validate_depth       = undef,
+  $cas_certificate_path     = undef,
+  $cas_proxy_validate_url   = undef,
+  $cas_root_proxied_as      = undef,
+  $cas_cookie_entropy       = undef,
+  $cas_timeout              = undef,
+  $cas_idle_timeout         = undef,
+  $cas_cache_clean_interval = undef,
+  $cas_cookie_domain        = undef,
+  $cas_cookie_http_only     = undef,
+  $cas_authoritative        = undef,
+  $suppress_warning         = false,
+) {
+
+  validate_string($cas_login_url, $cas_validate_url, $cas_cookie_path)
+
+  if $::osfamily == 'RedHat' and ! $suppress_warning {
+    warning('RedHat distributions do not have Apache mod_auth_cas in their default package repositories.')
+  }
+
+  ::apache::mod { 'auth_cas': }
+
+  file { $cas_cookie_path:
+    ensure => directory,
+    before => File['auth_cas.conf'],
+    mode   => '0750',
+    owner  => $apache::user,
+    group  => $apache::group,
+  }
+
+  # Template uses
+  # - All variables beginning with cas_
+  file { 'auth_cas.conf':
+    ensure  => file,
+    path    => "${::apache::mod_dir}/auth_cas.conf",
+    content => template('apache/mod/auth_cas.conf.erb'),
+    require => [ Exec["mkdir ${::apache::mod_dir}"], ],
+    before  => File[$::apache::mod_dir],
+    notify  => Service['httpd'],
+  }
+
+}

manifests/params.pp

@@ -67,7 +67,9 @@
     $suphp_engine         = 'off'
     $suphp_configpath     = undef
     # NOTE: The module for Shibboleth is not available to RH/CentOS without an additional repository. http://wiki.aaf.edu.au/tech-info/sp-install-guide
+    # NOTE: The auth_cas module isn't available to RH/CentOS without enabling EPEL.
     $mod_packages         = {
+      'auth_cas'    => 'mod_auth_cas',
       'auth_kerb'   => 'mod_auth_kerb',
       'authnz_ldap' => $::apache::version::distrelease ? {
         '7'     => 'mod_ldap',
@@ -110,11 +112,12 @@
       '7'     => '/usr/share/httpd/error',
       default => '/var/www/error'
     }
-    if $::osfamily == "RedHat" {
+    if $::osfamily == 'RedHat' {
       $wsgi_socket_prefix = '/var/run/wsgi'
     } else {
       $wsgi_socket_prefix = undef
     }
+    $cas_cookie_path      = '/var/cache/mod_auth_cas/'
     $modsec_crs_package   = 'mod_security_crs'
     $modsec_crs_path      = '/usr/lib/modsecurity.d'
     $modsec_dir           = '/etc/httpd/modsecurity.d'
@@ -169,6 +172,7 @@
     $suphp_engine        = 'off'
     $suphp_configpath    = '/etc/php5/apache2'
     $mod_packages        = {
+      'auth_cas'    => 'libapache2-mod-auth-cas',
       'auth_kerb'   => 'libapache2-mod-auth-kerb',
       'dav_svn'     => 'libapache2-svn',
       'fastcgi'     => 'libapache2-mod-fastcgi',
@@ -198,6 +202,7 @@
     $mime_support_package = 'mime-support'
     $mime_types_config    = '/etc/mime.types'
     $docroot              = '/var/www'
+    $cas_cookie_path      = '/var/cache/apache2/mod_auth_cas/'
     $modsec_crs_package   = 'modsecurity-crs'
     $modsec_crs_path      = '/usr/share/modsecurity-crs'
     $modsec_dir           = '/etc/modsecurity'

spec/classes/mod/auth_cas_spec.rb

@@ -0,0 +1,54 @@
+require 'spec_helper'
+
+describe 'apache::mod::auth_cas', :type => :class do
+  let :params do
+    {
+      :cas_login_url    => 'https://cas.example.com/login',
+      :cas_validate_url => 'https://cas.example.com/validate',
+    }
+  end
+
+  let :pre_condition do
+    'include ::apache'
+  end
+
+  context "on a Debian OS", :compile do
+    let :facts do
+      {
+        :id                     => 'root',
+        :kernel                 => 'Linux',
+        :lsbdistcodename        => 'squeeze',
+        :osfamily               => 'Debian',
+        :operatingsystem        => 'Debian',
+        :operatingsystemrelease => '6',
+        :path                   => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+        :concat_basedir         => '/dne',
+        :is_pe                  => false,
+      }
+    end
+    it { is_expected.to contain_class("apache::params") }
+    it { is_expected.to contain_apache__mod("auth_cas") }
+    it { is_expected.to contain_package("libapache2-mod-auth-cas") }
+    it { is_expected.to contain_file("auth_cas.conf").with_path('/etc/apache2/mods-available/auth_cas.conf') }
+    it { is_expected.to contain_file("/var/cache/apache2/mod_auth_cas/").with_owner('www-data') }
+  end
+  context "on a RedHat OS", :compile do
+    let :facts do
+      {
+        :id                     => 'root',
+        :kernel                 => 'Linux',
+        :osfamily               => 'RedHat',
+        :operatingsystem        => 'RedHat',
+        :operatingsystemrelease => '6',
+        :path                   => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+        :concat_basedir         => '/dne',
+        :is_pe                  => false,
+      }
+    end
+    it { is_expected.to contain_class("apache::params") }
+    it { is_expected.to contain_apache__mod("auth_cas") }
+    it { is_expected.to contain_package("mod_auth_cas") }
+    it { is_expected.to contain_file("auth_cas.conf").with_path('/etc/httpd/conf.d/auth_cas.conf') }
+    it { is_expected.to contain_file("/var/cache/mod_auth_cas/").with_owner('apache') }
+  end
+end

templates/mod/auth_cas.conf.erb

@@ -0,0 +1,40 @@
+CASCookiePath <%= @cas_cookie_path %>
+CASLoginURL <%= @cas_login_url %>
+CASValidateURL <%= @cas_validate_url %>
+
+CASVersion <%= @cas_version %>
+CASDebug <%= @cas_debug %>
+
+<% if @cas_certificate_path -%>
+CASCertificatePath <%= @cas_certificate_path %>
+<% end -%>
+<% if @cas_proxy_validate_url -%>
+CASProxyValidateURL <%= @cas_proxy_validate_url %>
+<% end -%>
+<% if @cas_validate_depth -%>
+CASValidateDepth <%= @cas_validate_depth %>
+<% end -%>
+<% if @cas_root_proxied_as -%>
+CASRootProxiedAs <%= @cas_root_proxied_as %>
+<% end -%>
+<% if @cas_cookie_entropy -%>
+CASCookieEntropy <%= @cas_cookie_entropy %>
+<% end -%>
+<% if @cas_timeout -%>
+CASTimeout <%= @cas_timeout %>
+<% end -%>
+<% if @cas_idle_timeout -%>
+CASIdleTimeout <%= @cas_idle_timeout %>
+<% end -%>
+<% if @cas_cache_clean_interval -%>
+CASCacheCleanInterval <%= @cas_cache_clean_interval %>
+<% end -%>
+<% if @cas_cookie_domain -%>
+CASCookieDomain <%= @cas_cookie_domain %>
+<% end -%>
+<% if @cas_cookie_http_only -%>
+CASCookieHttpOnly <%= @cas_cookie_http_only %>
+<% end -%>
+<% if @cas_authoritative -%>
+CASAuthoritative <%= @cas_authoritative %>
+<% end -%>