Merge pull request #1183 from traylenator/kerb

(MODULES-2419) - Add mod_auth_kerb parameters to vhost
xbezdick · Sep 14, 2015 · 3e1f0c5 · 3e1f0c5
2 parents ec5c0e5 + bf948c0
commit 3e1f0c5
Show file tree

Hide file tree

Showing 4 changed files with 113 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -1964,6 +1964,51 @@ Usage typically looks like:
     }
 ~~~
 
+##### `auth_kerb`
+
+Enable mod_auth_kerb parameters for a virtual host. Valid values are 'true' or 'false'. Defaults to 'false'.
+
+Usage typically looks like:
+
+~~~ puppet
+    apache::vhost {'sample.example.net':
+      auth_kerb              => true,
+      krb_method_negotiate   => 'on',
+      krb_auth_realms        => ['EXAMPLE.ORG'],
+      krb_local_user_mapping => 'on',
+      directories            => { 
+        path         => '/var/www/html',
+        auth_name    => 'Kerberos Login',
+        auth_type    => 'Kerberos',
+        auth_require => 'valid-user',
+      }
+    }
+~~~
+
+##### `krb_method_negotiate`
+
+To enable or disable the use of the Negotiate method. Defaults is 'on'
+
+##### `krb_method_k5passwd`
+
+To enable or disable the use of password based authentication for Kerberos v5. Default is 'on'
+
+##### `krb_authoritative`
+
+If set to off this directive allow authentication controls to be pass on to another modules.  Default is 'on'
+
+##### `krb_auth_realms`
+
+Specifies an array Kerberos realm(s) to be used for authentication. Default is []
+
+##### `krb_5keytab`
+
+Location of the Kerberos V5 keytab file. Not set by default.
+
+##### `krb_local_user_mapping`
+
+Strips @REALM from username for further use. Not set by default.
+
 ##### `logroot`
 
 Specifies the location of the virtual host's logfiles. Defaults to '/var/log/<apache log location>/'.

diff --git a/manifests/vhost.pp b/manifests/vhost.pp
@@ -123,6 +123,13 @@
   $modsec_disable_ids          = undef,
   $modsec_disable_ips          = undef,
   $modsec_body_limit           = undef,
+  $auth_kerb                   = false,
+  $krb_method_negotiate        = 'on',
+  $krb_method_k5passwd         = 'on',
+  $krb_authoritative           = 'on',
+  $krb_auth_realms             = [],
+  $krb_5keytab                 = undef,
+  $krb_local_user_mapping      = undef,
 ) {
   # The base class must be included first because it is used by parameter defaults
   if ! defined(Class['apache']) {
@@ -213,6 +220,7 @@
     validate_re($allow_encoded_slashes, '(^on$|^off$|^nodecode$)', "${allow_encoded_slashes} is not permitted for allow_encoded_slashes. Allowed values are 'on', 'off' or 'nodecode'.")
   }
 
+  validate_bool($auth_kerb)
   # Input validation ends
 
   if $ssl and $ensure == 'present' {
@@ -221,6 +229,10 @@
     include ::apache::mod::mime
   }
 
+  if $auth_kerb and $ensure == 'present' {
+    include ::apache::mod::auth_kerb
+  }
+
   if $virtual_docroot {
     include ::apache::mod::vhost_alias
   }
@@ -751,6 +763,22 @@
     }
   }
 
+  # Template uses:
+  # - $auth_kerb
+  # - $krb_method_negotiate
+  # - $krb_method_k5passwd
+  # - $krb_authoritative
+  # - $krb_auth_realms
+  # - $krb_5keytab 
+  # - $krb_local_user_mapping
+  if $auth_kerb {
+    concat::fragment { "${name}-auth_kerb":
+      target  => "${priority_real}${filename}.conf",
+      order   => 210,
+      content => template('apache/vhost/_auth_kerb.erb'),
+    }
+  }
+
   # Template uses:
   # - $suphp_engine
   # - $suphp_addhandler

diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
@@ -313,6 +313,13 @@
           'passenger_start_timeout'     => '600',
           'passenger_pre_start'         => 'http://localhost/myapp',
           'add_default_charset'         => 'UTF-8',
+          'auth_kerb'                   => true,
+          'krb_method_negotiate'        => 'off',
+          'krb_method_k5passwd'         => 'off',
+          'krb_authoritative'           => 'off',
+          'krb_auth_realms'             => ['EXAMPLE.ORG','EXAMPLE.NET'],
+          'krb_5keytab'                 => '/tmp/keytab5',
+          'krb_local_user_mapping'      => 'off',
         }
       end
       let :facts do
@@ -432,6 +439,16 @@
       it { is_expected.to contain_concat__fragment('rspec.example.com-passenger') }
       it { is_expected.to contain_concat__fragment('rspec.example.com-charsets') }
       it { is_expected.to contain_concat__fragment('rspec.example.com-file_footer') }
+      it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with(
+        :content => /^\s+KrbMethodNegotiate\soff$/)}
+      it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with(
+        :content => /^\s+KrbAuthoritative\soff$/)}
+      it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with(
+        :content => /^\s+KrbAuthRealms\sEXAMPLE.ORG\sEXAMPLE.NET$/)}
+      it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with(
+        :content => /^\s+Krb5Keytab\s\/tmp\/keytab5$/)}
+      it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with(
+        :content => /^\s+KrbLocalUserMapping\soff$/)}
     end
     context 'set only aliases' do
       let :params do

diff --git a/templates/vhost/_auth_kerb.erb b/templates/vhost/_auth_kerb.erb
@@ -0,0 +1,23 @@
+<% if @auth_kerb -%>
+
+  ## Kerberos directives
+  <%- if @krb_method_negotiate -%>
+  KrbMethodNegotiate <%= @krb_method_negotiate %>
+  <%- end -%>
+  <%- if @krb_method_k5passwd -%>
+  KrbMethodK5Passwd <%= @krb_method_k5passwd %>
+  <%- end -%>
+  <%- if @krb_authoritative -%>
+  KrbAuthoritative <%= @krb_authoritative %>
+  <%- end -%>
+  <%- if @krb_auth_realms and @krb_auth_realms.length >= 1 -%>
+  KrbAuthRealms <%= @krb_auth_realms.join(' ') %>
+  <%- end -%>
+  <%- if @krb_5keytab -%>
+  Krb5Keytab <%= @krb_5keytab %>
+  <%- end -%>
+  <%- if @krb_local_user_mapping -%>
+  KrbLocalUserMapping <%= @krb_local_user_mapping -%>
+  <%- end -%>
+
+<% end -%>