mod_auth_gssapi: Add support for every configuration directive

canth1 · canth1 · commit 58217d98f9a9 · 2022-02-11T11:42:52.000-07:00
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
@@ -1509,9 +1509,37 @@
 #     directories => [
 #       { path   => '/path/to/different/dir',
 #         gssapi => {
-#           credstore => 'keytab:/foo/bar.keytab',
-#           localname => 'Off',
-#           sslonly   => 'On',
+#           acceptor_name            => '{HOSTNAME}',
+#           allowed_mech             => ['krb5', 'iakerb', 'ntlmssp'],
+#           basic_auth               => true,
+#           basic_auth_mech          => ['krb5', 'iakerb', 'ntlmssp'],
+#           basic_ticket_timeout     => 300,
+#           connection_bound         => true,
+#           cred_store               => {
+#             ccache        => ['/path/to/directory'],
+#             client_keytab => ['/path/to/example.keytab'],
+#             keytab        => ['/path/to/example.keytab'],
+#           },
+#           deleg_ccache_dir         => '/path/to/directory',
+#           deleg_ccache_env_var     => 'KRB5CCNAME',
+#           deleg_ccache_perms       => {
+#             mode => '0600',
+#             uid  => 'example-user',
+#             gid  => 'example-group',
+#           },
+#           deleg_ccache_unique      => true,
+#           impersonate              => true,
+#           local_name               => true,
+#           name_attributes          => 'json',
+#           negotiate_once           => true,
+#           publish_errors           => true,
+#           publish_mech             => true,
+#           required_name_attributes =>	'auth-indicators=high',
+#           session_key              => 'file:/path/to/example.key',
+#           signal_persistent_auth   => true,
+#           ssl_only                 => true,
+#           use_s4u2_proxy           => true,
+#           use_sessions             => true,
 #         }
 #       },
 #     ],
diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
@@ -252,9 +252,37 @@
                   'passenger_app_log_file'                              => '/tmp/app.log',
                   'passenger_debugger'                                  => false,
                   'gssapi'                                              => {
-                    'credstore' => 'keytab:/foo/bar.keytab',
-                    'localname' => 'On',
-                    'sslonly'   => 'Off',
+                    acceptor_name            => '{HOSTNAME}',
+                    allowed_mech             => ['krb5', 'iakerb', 'ntlmssp'],
+                    basic_auth               => true,
+                    basic_auth_mech          => ['krb5', 'iakerb', 'ntlmssp'],
+                    basic_ticket_timeout     => 300,
+                    connection_bound         => true,
+                    cred_store               => {
+                      ccache        => ['/path/to/directory'],
+                      client_keytab => ['/path/to/example.keytab'],
+                      keytab        => ['/path/to/example.keytab'],
+                    },
+                    deleg_ccache_dir         => '/path/to/directory',
+                    deleg_ccache_env_var     => 'KRB5CCNAME',
+                    deleg_ccache_perms       => {
+                      mode => '0600',
+                      uid  => 'example-user',
+                      gid  => 'example-group',
+                    },
+                    deleg_ccache_unique      => true,
+                    impersonate              => true,
+                    local_name               => true,
+                    name_attributes          => 'json',
+                    negotiate_once           => true,
+                    publish_errors           => true,
+                    publish_mech             => true,
+                    required_name_attributes =>	'auth-indicators=high',
+                    session_key              => 'file:/path/to/example.key',
+                    signal_persistent_auth   => true,
+                    ssl_only                 => true,
+                    use_s4u2_proxy           => true,
+                    use_sessions             => true,
                   },
                 },
                 {
@@ -945,19 +973,149 @@
           }
           it {
             is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
-              content: %r{^\s+GssapiCredStore\skeytab:/foo/bar.keytab$},
+              content: %r{^\s+GssapiAcceptorName\s{HOSTNAME}$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiAllowedMech\skrb5$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiAllowedMech\siakerb$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiAllowedMech\sntlmssp$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiBasicAuth\sOn$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiBasicAuthMech\skrb5$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiBasicAuthMech\siakerb$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiBasicAuthMech\sntlmssp$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiBasicTicketTimeout\s300$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiConnectionBound\sOn$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiCredStore\sccache:FILE:/path/to/directory$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiCredStore\sclient_keytab:/path/to/example\.keytab$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiCredStore\skeytab:/path/to/example\.keytab$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiDelegCcacheDir\s/path/to/directory$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiDelegCcacheEnvVar\sKRB5CCNAME$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiDelegCcachePerms\smode:0600\suid:example-user\sgid:example-group$},
             )
           }
           it {
             is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
-              content: %r{^\s+GssapiSSLonly\sOff$},
+              content: %r{^\s+GssapiDelegCcacheUnique\sOn$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiImpersonate\sOn$},
             )
           }
           it {
             is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
               content: %r{^\s+GssapiLocalName\sOn$},
             )
           }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiNameAttributes\sjson$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiNegotiateOnce\sOn$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiPublishErrors\sOn$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiPublishMech\sOn$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiRequiredNameAttributes\s"auth-indicators=high"$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiSessionKey\sfile:/path/to/example\.key$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiSignalPersistentAuth\sOn$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiSSLonly\sOn$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiUseS4U2Proxy\sOn$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+              content: %r{^\s+GssapiUseSessions\sOn$},
+            )
+          }
           it {
             is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
               content: %r{^\s+SSLVerifyClient\soptional$},
diff --git a/templates/vhost/_gssapi.epp b/templates/vhost/_gssapi.epp
@@ -1,16 +1,123 @@
-<%|
+<%- |
   # https://github.com/gssapi/mod_auth_gssapi
-  Optional[String[1]]        $credstore = undef,
-  Optional[Enum['On','Off']] $sslonly   = undef,
-  Optional[Enum['On','Off']] $localname = undef,
-|%>
-# mod_auth_gssapi configuration
-<% if $sslonly { -%>
-    GssapiSSLonly <%= $sslonly %>
-<% } -%>
-<% if $localname { -%>
-    GssapiLocalName <%= $localname %>
-<% } -%>
-<% if $credstore { -%>
-    GssapiCredStore <%= $credstore %>
-<% } -%>
+  Optional[Variant[String[1], Enum['{HOSTNAME}']]]        $acceptor_name = undef,
+  Optional[Array[Enum['krb5','iakerb','ntlmssp']]]        $allowed_mech = undef,
+  Optional[Boolean]                                       $basic_auth = undef,
+  Optional[Array[Enum['krb5','iakerb','ntlmssp']]]        $basic_auth_mech = undef,
+  Optional[[Integer[1]]]                                  $basic_ticket_timeout = undef,
+  Optional[Boolean]                                       $connection_bound = undef,
+  Optional[Struct[{
+    Optional['ccache']        => Array[Stdlib::Unixpath],
+    Optional['client_keytab'] => Array[Stdlib::Unixpath],
+    Optional['keytab']        => Array[Stdlib::Unixpath],
+  }]]                                                     $cred_store = undef,
+  Optional[Stdlib::Unixpath]                              $deleg_ccache_dir = undef,
+  Optional[[String[1]]]                                   $deleg_ccache_env_var = undef,
+  Optional[Struct[{
+    'mode' => Stdlib::Filemode,
+    'uid'  => Variant[Integer[1], String[1]],
+    'gid'  => Variant[Integer[1], String[1]],
+  }]]                                                     $deleg_ccache_perms = undef,
+  Optional[Boolean]                                       $deleg_ccache_unique = undef,
+  Optional[Boolean]                                       $impersonate = undef,
+  Optional[Boolean]                                       $local_name = undef,
+  Optional[Variant[String[1], Enum['json']]]              $name_attributes = undef,
+  Optional[Boolean]                                       $negotiate_once = undef,
+  Optional[Boolean]                                       $publish_errors = undef,
+  Optional[Boolean]                                       $publish_mech = undef,
+  Optional[[String[1]]]                                   $required_name_attributes = undef,
+  Optional[[String[1]]]                                   $session_key = undef,
+  Optional[Boolean]                                       $signal_persistent_auth = undef,
+  Optional[Boolean]                                       $ssl_only   = undef,
+  Optional[Boolean]                                       $use_s4u2_proxy = undef,
+  Optional[Boolean]                                       $use_sessions = undef,
+| -%>
+
+    # mod_auth_gssapi configuration
+<%- if $acceptor_name { -%>
+    GssapiAcceptorName <%= $acceptor_name %>
+<%- } -%>
+<%- if $allowed_mech { -%>
+  <%- $allowed_mech.each |$mech| { -%>
+    GssapiAllowedMech <%= $mech %>
+  <%- } -%>
+<%- } -%>
+<%- if $basic_auth { -%>
+    GssapiBasicAuth On
+<%- } -%>
+<%- if $basic_auth_mech { -%>
+<%- $basic_auth_mech.each |$mech| { -%>
+    GssapiBasicAuthMech <%= $mech %>
+<%- } -%>
+<%- } -%>
+<%- if $basic_ticket_timeout { -%>
+    GssapiBasicTicketTimeout <%= $basic_ticket_timeout %>
+<%- } -%>
+<%- if $connection_bound { -%>
+    GssapiConnectionBound On
+<%- } -%>
+<%- if $cred_store { -%>
+  <%- if $cred_store[ccache] { -%>
+    <%- $cred_store[ccache].each |$path| { -%>
+    GssapiCredStore ccache:FILE:<%= $path %>
+    <%- } -%>
+  <%- } -%>
+  <%- if $cred_store[client_keytab] { -%>
+    <%- $cred_store[client_keytab].each |$path| { -%>
+    GssapiCredStore client_keytab:<%= $path %>
+    <%- } -%>
+  <%- } -%>
+  <%- if $cred_store[keytab] { -%>
+    <%- $cred_store[keytab].each |$path| { -%>
+    GssapiCredStore keytab:<%= $path %>
+    <%- } -%>
+  <%- } -%>
+<%- } -%>
+<%- if $deleg_ccache_dir { -%>
+    GssapiDelegCcacheDir <%= $deleg_ccache_dir %>
+<%- } -%>
+<%- if $deleg_ccache_env_var { -%>
+    GssapiDelegCcacheEnvVar <%= $deleg_ccache_env_var %>
+<%- } -%>
+<%- if $deleg_ccache_perms { -%>
+    GssapiDelegCcachePerms mode:<%= $deleg_ccache_perms[mode] %> uid:<%= $deleg_ccache_perms[uid] %> gid:<%= $deleg_ccache_perms[gid] %>
+<%- } -%>
+<%- if $deleg_ccache_unique { -%>
+    GssapiDelegCcacheUnique On
+<%- } -%>
+<%- if $impersonate { -%>
+    GssapiImpersonate On
+<%- } -%>
+<%- if $local_name { -%>
+    GssapiLocalName On
+<%- } -%>
+<%- if $name_attributes { -%>
+    GssapiNameAttributes <%= $name_attributes %>
+<%- } -%>
+<%- if $negotiate_once { -%>
+    GssapiNegotiateOnce On
+<%- } -%>
+<%- if $publish_errors { -%>
+    GssapiPublishErrors On
+<%- } -%>
+<%- if $publish_mech { -%>
+    GssapiPublishMech On
+<%- } -%>
+<%- if $required_name_attributes { -%>
+    GssapiRequiredNameAttributes "<%= $required_name_attributes %>"
+<%- } -%>
+<%- if $session_key { -%>
+    GssapiSessionKey <%= $session_key %>
+<%- } -%>
+<%- if $signal_persistent_auth { -%>
+    GssapiSignalPersistentAuth On
+<%- } -%>
+<%- if $ssl_only { -%>
+    GssapiSSLonly On
+<%- } -%>
+<%- if $use_s4u2_proxy and $deleg_ccache_dir { -%>
+    GssapiUseS4U2Proxy On
+<%- } -%>
+<%- if $use_sessions { -%>
+    GssapiUseSessions On
+<%- } -%>
