From be49eb7767ae79c850354b76928c085b184a30cd Mon Sep 17 00:00:00 2001 From: OKUMURA Takahiro Date: Fri, 3 Jun 2016 18:29:15 +0900 Subject: [PATCH 1/6] Support sudo for stns client --- manifests/client.pp | 20 ++++++++++++++++++++ manifests/server.pp | 12 ++++++++---- spec/acceptance/client_spec.rb | 6 ++++++ spec/acceptance/server_spec.rb | 4 ++++ templates/sudoers.conf.erb | 4 ++++ 5 files changed, 42 insertions(+), 4 deletions(-) create mode 100644 templates/sudoers.conf.erb diff --git a/manifests/client.pp b/manifests/client.pp index b933d58..6ab9a06 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -15,6 +15,8 @@ $handle_nsswitch = false, $handle_sshd_config = false, + $handle_sudo_config = false, + $sudoers_name = undef, ) { validate_string($user) @@ -77,4 +79,22 @@ } } + if $handle_sudo_config { + validate_string($sudoers_name) + + $line = $sudoers_name ? { + undef => 'auth sufficient libpam_stns.so', + default => "auth sufficient libpam_stns.so sudo ${sudoers_name}", + } + + file_line { 'pam_sudo_stns': + ensure => present, + path => '/etc/pam.d/sudo', + line => $line, + match => '^auth\s+sufficient\s+libpam_stns.so\s+sudo\s+example$', + after => '^#%PAM-1.0$', + match_for_absence => true, + } + } + } diff --git a/manifests/server.pp b/manifests/server.pp index d874a13..7c43bca 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -4,16 +4,20 @@ # stns::server is to install and configure stns. class stns::server ( - $port = 1104, - $user = undef, - $password = undef, - $package_ensure = present, + $port = 1104, + $user = undef, + $password = undef, + $package_ensure = present, + $sudoers_password = undef, + $sudoers_hash_type = undef, ) { validate_integer($port) validate_string($user) validate_string($password) validate_string($package_ensure) + validate_string($sudoers_password) + validate_string($sudoers_hash_type) require stns::repo 
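Review bot: The two new parameters `$handle_sudo_config` and `$sudoers_name` are not described in the class header comment, which sits above this hunk, and a reader cannot tell from the parameter list that the first one edits `/etc/pam.d/sudo` or that the second becomes a module argument. Add something like `# $handle_sudo_config: manage /etc/pam.d/sudo (inserts an 'auth sufficient libpam_stns.so' entry)` and `# $sudoers_name: STNS sudoers entry name appended to that entry as 'sudo <name>'; leave unset for the bare module line` to the header. `validate_string($sudoers_name)` accepts the `undef` default, so the check itself is fine as written. The class body continues outside the hunk.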
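Review bot: The `match` pattern hard-codes `example` instead of the configured name, so a previously managed entry for a different `sudoers_name` (or the bare line without a name) is never matched and a second line is appended rather than replaced; interpolate `${sudoers_name}` into `match` and escape the dot in `libpam_stns\.so`. `match_for_absence` only takes effect with `ensure => absent`, so it does nothing here. When the `#%PAM-1.0` header is missing, `file_line` appends at the end of the file as far as I recall, and a `sufficient` entry placed after the distribution's `auth include`/`@include common-auth` line cannot rescue the stack once a `required` module has failed, so either assert the header is present or insert relative to the first `auth` line. The enclosing class begins outside the hunk.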
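Review bot: `$sudoers_password` and `$sudoers_hash_type` are added and validated as strings, but nothing in this commit reads them, and nothing states that the value is a digest rather than a plaintext password — the acceptance spec's 64-character hex fixture and the `hash_type` parameter suggest it is. Document both in the class header (outside this hunk), e.g. `# $sudoers_password: hex digest of the sudo password, computed with $sudoers_hash_type (never the plaintext)`, and replace the plain string check with `if $sudoers_password != undef { validate_re($sudoers_password, '\A[0-9a-f]+\z', 'sudoers_password must be a hex digest') }` so a plaintext value is rejected at compile time instead of being written into stns.conf; the `undef` guard is needed because `validate_re` rejects an unset value, as the fourth patch in this series works around for `sudoers_hash_type`. The class body continues outside the hunk.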
diff --git a/spec/acceptance/client_spec.rb b/spec/acceptance/client_spec.rb index 9b5cfdc..93fb603 100644 --- a/spec/acceptance/client_spec.rb +++ b/spec/acceptance/client_spec.rb @@ -30,6 +30,8 @@ class { '::stns::client': http_proxy => 'http://proxy.example.com:1104', handle_nsswitch => true, handle_sshd_config => true, + handle_sudo_config => true, + sudoers_name => 'example_user', } EOS end @@ -76,4 +78,8 @@ class { '::stns::client': its(:content) { should match %r{^\s*AuthorizedKeysCommand\s+/usr/local/bin/stns-key-wrapper$} } its(:content) { should match /^\s*AuthorizedKeysCommand(User|RunAs)\s+root$/ } end + + describe file('/etc/pam.d/sudo') do + its(:content) { should match /^#%PAM-1.0\nauth\s+sufficient\s+libpam_stns.so\s+sudo\s+example_user$/ } + end end diff --git a/spec/acceptance/server_spec.rb b/spec/acceptance/server_spec.rb index fe045fe..5f07c15 100644 --- a/spec/acceptance/server_spec.rb +++ b/spec/acceptance/server_spec.rb @@ -62,6 +62,10 @@ class { '::stns::server': its(:content) { should match /^\[groups.sandbox\]$/ } its(:content) { should match /^id = 1001$/ } its(:content) { should match /^users = \["sandbox"\]$/ } + + its(:content) { should match /^\[sudoers.sandbox\]$/ } + its(:content) { should match /^password = "[a-z0-9]{64}"$/ } + its(:content) { should match /^hash_type = "sha256"$/ } end describe service('stns') do diff --git a/templates/sudoers.conf.erb b/templates/sudoers.conf.erb new file mode 100644 index 0000000..bb908f9 --- /dev/null +++ b/templates/sudoers.conf.erb @@ -0,0 +1,4 @@ +[sudoers.<%= @sudoers_name %>] +password = "<%= @password %>" +hash_type = "<%= @hash_type %>" + From b34f9accabe842dc6dda0c0e656c6074bbbd1e48 Mon Sep 17 00:00:00 2001 From: OKUMURA Takahiro Date: Sun, 5 Jun 2016 01:29:34 +0900 Subject: [PATCH 2/6] Use augeas instead of file_line --- manifests/client.pp | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) 
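Review bot: The new template reads `@password` and `@hash_type`, but the parameters this commit introduces are `sudoers_password` and `sudoers_hash_type`, and no fragment renders the template yet. When it is later rendered from `stns::server::config`, `@password` resolves to the `$password = $stns::server::password` copied into that class, which appears to be the API credential, so the HTTP password would land in the `[sudoers.*]` section. Use `@sudoers_password` and `@sudoers_hash_type` (the third patch in this series does so). The server acceptance spec in this commit already expects the `[sudoers.sandbox]` block, so it cannot pass until a fragment exists.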
diff --git a/manifests/client.pp b/manifests/client.pp index 6ab9a06..5985771 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -82,18 +82,21 @@ if $handle_sudo_config { validate_string($sudoers_name) - $line = $sudoers_name ? { - undef => 'auth sufficient libpam_stns.so', - default => "auth sufficient libpam_stns.so sudo ${sudoers_name}", - } - - file_line { 'pam_sudo_stns': - ensure => present, - path => '/etc/pam.d/sudo', - line => $line, - match => '^auth\s+sufficient\s+libpam_stns.so\s+sudo\s+example$', - after => '^#%PAM-1.0$', - match_for_absence => true, + augeas {'sudo pam with stns': + context => '/files/etc/pam.d/sudo', + changes => [ + 'ins "01" after #comment', + 'set 01/type auth', + 'set 01/control sufficient', + 'set 01/module libpam_stns.so', + 'set 01/argument[1] sudo', + "set 01/argument[2] ${sudoers_name}", + ], + onlyif => [ + "values *[type = 'auth']/module not_include libpam_stns.so", + "match *[module = 'libpam_stns.so']/argument size < 2", + "match *[module = 'libpam_stns.so']/argument != ['sudo', ${sudoers_name}]", + ], } } From d6a1b6ee973db8e5b86fd8d398b62567207a5594 Mon Sep 17 00:00:00 2001 From: OKUMURA Takahiro Date: Sun, 12 Jun 2016 09:15:10 +0900 Subject: [PATCH 3/6] wip --- manifests/server.pp | 4 +++- manifests/server/config.pp | 21 ++++++++++++++++----- spec/acceptance/server_spec.rb | 8 +++++--- templates/sudoers.conf.erb | 4 ++-- 4 files changed, 26 insertions(+), 11 deletions(-) diff --git a/manifests/server.pp b/manifests/server.pp index 7c43bca..fddd3ac 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -8,6 +8,7 @@ $user = undef, $password = undef, $package_ensure = present, + $sudoers_name = undef, $sudoers_password = undef, $sudoers_hash_type = undef, ) { 
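Review bot: `${sudoers_name}` is spliced unquoted into the augeas expressions, and the list comparison `!= ['sudo', ${sudoers_name}]` needs a quoted string to parse; more importantly the first `onlyif` condition is already false whenever any `libpam_stns.so` auth entry exists, so an entry carrying a stale name is never corrected and the other two conditions are dead. `ins "01" after #comment` also requires the path to match exactly one node, so a file with more than one comment would error; `#comment[1]` is safer. Because the name ends up both as a PAM module argument and inside an augeas predicate, restrict it to a safe character set before use. The same points apply to the sixth patch's rewrite of this block; the enclosing class starts outside the hunk.
```puppet
if $handle_sudo_config {
  # spliced into a PAM argument and an augeas path expression: keep it to a safe set
  validate_re($sudoers_name, '\A[A-Za-z0-9_.-]+\z',
    'sudoers_name may contain only letters, digits, "_", "." and "-".')

  augeas {'sudo pam with stns':
    context => '/files/etc/pam.d/sudo',
    changes => [
      "rm *[module = 'libpam_stns.so']",
      'ins "01" after #comment[1]',
      # … unchanged: set 01/type, 01/control, 01/module, 01/argument[1] …
      "set 01/argument[2] ${sudoers_name}",
    ],
    # run only when the exact desired entry is absent; the rm above drops a stale one first
    onlyif  => "match *[module = 'libpam_stns.so'][argument[1] = 'sudo'][argument[2] = '${sudoers_name}'] size == 0",
  }
}
```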
@@ -16,8 +17,9 @@ validate_string($user) validate_string($password) validate_string($package_ensure) + validate_string($sudoers_name) validate_string($sudoers_password) - validate_string($sudoers_hash_type) + validate_re($sudoers_hash_type, '\Asha(256|512)\z', 'sudoers_hash_type supports sha256 or sha512.') require stns::repo diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 99d9a38..ced7dbc 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -5,11 +5,14 @@ class stns::server::config { - $port = $stns::server::port - $user = $stns::server::user - $password = $stns::server::password - $users = $stns::server::users - $groups = $stns::server::groups + $port = $stns::server::port + $user = $stns::server::user + $password = $stns::server::password + $users = $stns::server::users + $groups = $stns::server::groups + $sudoers_name = $stns::server::sudoers_name + $sudoers_password = $stns::server::sudoers_password + $sudoers_hash_type = $stns::server::sudoers_hash_type concat { '/etc/stns/stns.conf': ensure => present, @@ -41,4 +44,12 @@ order => '60'; } + if $sudoers_name != undef { + concat::fragment { 'sudoers_config_in_stns': + target => '/etc/stns/stns.conf', + content => template('stns/sudoers.conf.erb'), + order => '25', + } + } + } diff --git a/spec/acceptance/server_spec.rb b/spec/acceptance/server_spec.rb index 5f07c15..be17d8c 100644 --- a/spec/acceptance/server_spec.rb +++ b/spec/acceptance/server_spec.rb @@ -4,9 +4,11 @@ let(:manifest) do <<-EOS class { '::stns::server': - port => 1104, - user => 'sample', - password => 's@mp1e', + port => 1104, + user => 'sample', + password => 's@mp1e', + sudoers_name => 'sandbox', + sudoers_password => 'b7ad567477c83756aab9a542b2be04f77dbae25115d85f22070d74d8cc4779dc', } ::stns::server::users { 'sandbox': diff --git a/templates/sudoers.conf.erb b/templates/sudoers.conf.erb index bb908f9..c8366e6 100644 --- a/templates/sudoers.conf.erb +++ b/templates/sudoers.conf.erb 
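Review bot: The fragment is emitted whenever `$sudoers_name` is set, even if `$sudoers_password` is still `undef`, so stns.conf gains a `[sudoers.<name>]` section with `password = ""`; what the stns server does with an empty digest is not visible here, and failing at compile time is the safer behaviour. Add the check inside the same condition, `validate_re($sudoers_password, '\A[0-9a-f]+\z', 'sudoers_password must be a hex digest when sudoers_name is set')` — `validate_re` rejects an unset value, which is exactly what is wanted at this point. The digest is written into `/etc/stns/stns.conf`; the `concat` target's `mode` is declared outside this hunk, so confirm the file is not world-readable. The class body continues outside the hunk.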
@@ -1,4 +1,4 @@ [sudoers.<%= @sudoers_name %>] -password = "<%= @password %>" -hash_type = "<%= @hash_type %>" +password = "<%= @sudoers_password %>" +hash_type = "<%= @sudoers_hash_type || 'sha256' %>" From 4e58d3b0af1f93b3d27cfae5afbeb6b5d355e83d Mon Sep 17 00:00:00 2001 From: OKUMURA Takahiro Date: Sun, 12 Jun 2016 16:06:10 +0900 Subject: [PATCH 4/6] fix --- manifests/server.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/manifests/server.pp b/manifests/server.pp index fddd3ac..e916192 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -19,7 +19,9 @@ validate_string($package_ensure) validate_string($sudoers_name) validate_string($sudoers_password) - validate_re($sudoers_hash_type, '\Asha(256|512)\z', 'sudoers_hash_type supports sha256 or sha512.') + if $sudoers_hash_type != undef { + validate_re($sudoers_hash_type, '\Asha(256|512)\z', 'sudoers_hash_type supports sha256 or sha512.') + } require stns::repo From fc28379f297a350c4f892d92ad4a5b43a0e7eda5 Mon Sep 17 00:00:00 2001 From: OKUMURA Takahiro Date: Sun, 12 Jun 2016 16:07:19 +0900 Subject: [PATCH 5/6] fix --- manifests/server.pp | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/manifests/server.pp b/manifests/server.pp index e916192..930d894 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -10,7 +10,7 @@ $package_ensure = present, $sudoers_name = undef, $sudoers_password = undef, - $sudoers_hash_type = undef, + $sudoers_hash_type = 'sha256', ) { validate_integer($port) @@ -19,9 +19,7 @@ validate_string($package_ensure) validate_string($sudoers_name) validate_string($sudoers_password) - if $sudoers_hash_type != undef { - validate_re($sudoers_hash_type, '\Asha(256|512)\z', 'sudoers_hash_type supports sha256 or sha512.') - } + validate_re($sudoers_hash_type, '\Asha(256|512)\z', 'sudoers_hash_type supports sha256 or sha512.') require stns::repo From 4f52f4b8fc633a3d4687729710c525fedbf6c722 Mon Sep 17 00:00:00 2001 
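Review bot: With `$sudoers_hash_type` now defaulting to `'sha256'` and validated unconditionally, the `|| 'sha256'` fallback that the third patch put into `templates/sudoers.conf.erb` is unreachable; keep the default in one place by reducing that template line to `hash_type = "<%= @sudoers_hash_type %>"`. The validation also admits `sha512`, but the acceptance spec only exercises `sha256`, so the 128-character digest path is untested. The class body continues outside the hunk.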
From: OKUMURA Takahiro Date: Sun, 12 Jun 2016 16:52:17 +0900 Subject: [PATCH 6/6] add --- manifests/client.pp | 48 ++++++++++++++++++++++------------ spec/acceptance/client_spec.rb | 3 +-- 2 files changed, 33 insertions(+), 18 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index 5985771..625a6ea 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -80,23 +80,39 @@ } if $handle_sudo_config { - validate_string($sudoers_name) + if $sudoers_name { + validate_string($sudoers_name) - augeas {'sudo pam with stns': - context => '/files/etc/pam.d/sudo', - changes => [ - 'ins "01" after #comment', - 'set 01/type auth', - 'set 01/control sufficient', - 'set 01/module libpam_stns.so', - 'set 01/argument[1] sudo', - "set 01/argument[2] ${sudoers_name}", - ], - onlyif => [ - "values *[type = 'auth']/module not_include libpam_stns.so", - "match *[module = 'libpam_stns.so']/argument size < 2", - "match *[module = 'libpam_stns.so']/argument != ['sudo', ${sudoers_name}]", - ], + augeas {'sudo pam with stns': + context => '/files/etc/pam.d/sudo', + changes => [ + 'ins "01" after #comment', + 'set 01/type auth', + 'set 01/control sufficient', + 'set 01/module libpam_stns.so', + 'set 01/argument[1] sudo', + "set 01/argument[2] ${sudoers_name}", + ], + onlyif => [ + "values *[type = 'auth']/module not_include libpam_stns.so", + "match *[module = 'libpam_stns.so']/argument size < 2", + "match *[module = 'libpam_stns.so']/argument != ['sudo', ${sudoers_name}]", + ], + } + } else { + augeas {'sudo pam with stns': + context => '/files/etc/pam.d/sudo', + changes => [ + 'ins "01" after #comment', + 'set 01/type auth', + 'set 01/control sufficient', + 'set 01/module libpam_stns.so', + ], + onlyif => [ + "values *[type = 'auth']/module not_include libpam_stns.so", + "match *[module = 'libpam_stns.so']/argument size == 0", + ], + } } } diff --git a/spec/acceptance/client_spec.rb b/spec/acceptance/client_spec.rb index 93fb603..b09bb0c 100644 
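Review bot: The two branches declare the same `augeas` resource with identical `context` and `changes` apart from the two `argument` entries, so any future change to the module line has to be made twice; build the extra `set` entries from a selector and declare the resource once. `if $sudoers_name` also makes the choice depend on string truthiness, which as far as I know differs between Puppet 3 and 4 for `''` — match on `undef` explicitly. The `else` branch's second `onlyif` is redundant, because the first condition is already false whenever a `libpam_stns.so` entry exists. The quoting and convergence issues raised on the second patch still apply to the named branch; the enclosing class starts outside the hunk.
```puppet
if $handle_sudo_config {
  validate_string($sudoers_name)

  $name_args = $sudoers_name ? {
    undef   => [],
    default => ['set 01/argument[1] sudo', "set 01/argument[2] ${sudoers_name}"],
  }

  augeas {'sudo pam with stns':
    context => '/files/etc/pam.d/sudo',
    changes => concat([
      'ins "01" after #comment',
      'set 01/type auth',
      'set 01/control sufficient',
      'set 01/module libpam_stns.so',
    ], $name_args),
    # only add the entry when no libpam_stns.so auth line exists yet
    onlyif  => "values *[type = 'auth']/module not_include libpam_stns.so",
  }
}
```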
--- a/spec/acceptance/client_spec.rb +++ b/spec/acceptance/client_spec.rb @@ -31,7 +31,6 @@ class { '::stns::client': handle_nsswitch => true, handle_sshd_config => true, handle_sudo_config => true, - sudoers_name => 'example_user', } EOS end @@ -80,6 +79,6 @@ class { '::stns::client': end describe file('/etc/pam.d/sudo') do - its(:content) { should match /^#%PAM-1.0\nauth\s+sufficient\s+libpam_stns.so\s+sudo\s+example_user$/ } + its(:content) { should match /^#%PAM-1.0\nauth\s+sufficient\s+libpam_stns.so$/ } end end
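Review bot: Dropping `sudoers_name` from the manifest means the named branch — the one whose augeas `changes` and `onlyif` interpolate the name — no longer has an acceptance test; keep a second example with `sudoers_name => 'example_user'` and the previous expectation alongside the new bare-line one. The regex also leaves the dot in `libpam_stns.so` unescaped; `libpam_stns\.so` is what is meant. The enclosing `describe` block starts outside the hunk.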