diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 8654831f65..ad0c312146 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -1463,10 +1463,37 @@
 # directories => [
 # { path => '/path/to/different/dir',
 # gssapi => {
-# basicauth => 'On',
-# credstore => 'keytab:/foo/bar.keytab',
-# localname => 'Off',
-# sslonly => 'On',
+# acceptor_name => '{HOSTNAME}',
+# allowed_mech => ['krb5', 'iakerb', 'ntlmssp'],
+# basic_auth => true,
+# basic_auth_mech => ['krb5', 'iakerb', 'ntlmssp'],
+# basic_ticket_timeout => 300,
+# connection_bound => true,
+# cred_store => {
+# ccache => ['/path/to/directory'],
+# client_keytab => ['/path/to/example.keytab'],
+# keytab => ['/path/to/example.keytab'],
+# },
+# deleg_ccache_dir => '/path/to/directory',
+# deleg_ccache_env_var => 'KRB5CCNAME',
+# deleg_ccache_perms => {
+# mode => '0600',
+# uid => 'example-user',
+# gid => 'example-group',
+# },
+# deleg_ccache_unique => true,
+# impersonate => true,
+# local_name => true,
+# name_attributes => 'json',
+# negotiate_once => true,
+# publish_errors => true,
+# publish_mech => true,
+# required_name_attributes => 'auth-indicators=high',
+# session_key => 'file:/path/to/example.key',
+# signal_persistent_auth => true,
+# ssl_only => true,
+# use_s4u2_proxy => true,
+# use_sessions => true,
 # }
 # },
 # ],
diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
index 9493398684..f79fb4065e 100644
--- a/spec/defines/vhost_spec.rb
+++ b/spec/defines/vhost_spec.rb
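Review bot: The example shows the new `gssapi` keys but nothing in the comment says that `basicauth`, `credstore`, `sslonly` and `localname` with their `'On'`/`'Off'` string values are gone; assuming the hash is handed straight to the template as its parameter set (the one-to-one key mapping suggests so), an existing `gssapi => { basicauth => 'On' }` will now fail catalog compilation with an unknown-parameter error instead of being ignored, which is a breaking change worth stating next to the example and in the changelog: `# Note: the former basicauth/credstore/sslonly/localname keys and their 'On'/'Off' values are no longer accepted; use the Boolean and structured keys below.` The `ccache => ['/path/to/directory']` entry is also misleading, because the template renders each ccache entry as `ccache:FILE:<path>`, i.e. a file credential cache, so a name such as `/path/to/example.ccache` would match what is actually emitted.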
@@ -267,10 +267,37 @@
 'passenger_app_log_file' => '/tmp/app.log',
 'passenger_debugger' => false,
 'gssapi' => {
- 'basicauth' => 'On',
- 'credstore' => 'keytab:/foo/bar.keytab',
- 'localname' => 'On',
- 'sslonly' => 'Off',
+ 'acceptor_name' => '{HOSTNAME}',
+ 'allowed_mech' => ['krb5', 'iakerb', 'ntlmssp'],
+ 'basic_auth' => true,
+ 'basic_auth_mech' => ['krb5', 'iakerb', 'ntlmssp'],
+ 'basic_ticket_timeout' => 300,
+ 'connection_bound' => true,
+ 'cred_store' => {
+ 'ccache' => ['/path/to/directory'],
+ 'client_keytab' => ['/path/to/example.keytab'],
+ 'keytab' => ['/path/to/example.keytab'],
+ },
+ 'deleg_ccache_dir' => '/path/to/directory',
+ 'deleg_ccache_env_var' => 'KRB5CCNAME',
+ 'deleg_ccache_perms' => {
+ 'mode' => '0600',
+ 'uid' => 'example-user',
+ 'gid' => 'example-group',
+ },
+ 'deleg_ccache_unique' => true,
+ 'impersonate' => true,
+ 'local_name' => true,
+ 'name_attributes' => 'json',
+ 'negotiate_once' => true,
+ 'publish_errors' => true,
+ 'publish_mech' => true,
+ 'required_name_attributes' => 'auth-indicators=high',
+ 'session_key' => 'file:/path/to/example.key',
+ 'signal_persistent_auth' => true,
+ 'ssl_only' => true,
+ 'use_s4u2_proxy' => true,
+ 'use_sessions' => true,
 },
 },
 {
@@ -971,6 +998,26 @@
 content: %r{^\s+PassengerDebugger\sOff$},
 )
 }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiAcceptorName\s{HOSTNAME}$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiAllowedMech\skrb5$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiAllowedMech\siakerb$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiAllowedMech\sntlmssp$},
+ )
+ }
 it {
 is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
 content: %r{^\s+GssapiBasicAuth\sOn$},
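Review bot: The new `gssapi` fixture exercises only the everything-enabled path: every Boolean is `true` and every key is present, so none of the template's "absent or false → no directive" branches gets an assertion, and in particular the `use_s4u2_proxy` guard that also requires `deleg_ccache_dir` is never tested in its dropping case. A second directory entry with `'use_s4u2_proxy' => true` and no `'deleg_ccache_dir'`, paired with `is_expected.not_to contain_concat__fragment('rspec.example.com-directories').with(content: %r{GssapiUseS4U2Proxy})`, would pin that behaviour; the same shape with `'basic_auth' => false` would pin that a false Boolean renders nothing rather than `Off`. This is inferred from the template hunk further down, not from anything visible in this hunk.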
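Review bot: `%r{^\s+GssapiAcceptorName\s{HOSTNAME}$}` matches only because Onigmo treats a `{…}` that is not a valid interval quantifier as literal text; the intent is clearer, and independent of that leniency, written as `content: %r{^\s+GssapiAcceptorName\s\{HOSTNAME\}$},`. The other three examples in this hunk are fine as written.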
@@ -978,12 +1025,67 @@
 }
 it {
 is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
- content: %r{^\s+GssapiCredStore\skeytab:/foo/bar.keytab$},
+ content: %r{^\s+GssapiBasicAuthMech\skrb5$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiBasicAuthMech\siakerb$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiBasicAuthMech\sntlmssp$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiBasicTicketTimeout\s300$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiConnectionBound\sOn$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiCredStore\sccache:FILE:/path/to/directory$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiCredStore\sclient_keytab:/path/to/example\.keytab$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiCredStore\skeytab:/path/to/example\.keytab$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiDelegCcacheDir\s/path/to/directory$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiDelegCcacheEnvVar\sKRB5CCNAME$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiDelegCcachePerms\smode:0600\suid:example-user\sgid:example-group$},
 )
 }
 it {
 is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
- content: %r{^\s+GssapiSSLonly\sOff$},
+ content: %r{^\s+GssapiDelegCcacheUnique\sOn$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiImpersonate\sOn$},
 )
 }
 it {
@@ -991,6 +1093,56 @@
 content: %r{^\s+GssapiLocalName\sOn$},
 )
 }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiNameAttributes\sjson$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiNegotiateOnce\sOn$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiPublishErrors\sOn$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiPublishMech\sOn$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiRequiredNameAttributes\s"auth-indicators=high"$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiSessionKey\sfile:/path/to/example\.key$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiSignalPersistentAuth\sOn$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiSSLonly\sOn$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiUseS4U2Proxy\sOn$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
+ content: %r{^\s+GssapiUseSessions\sOn$},
+ )
+ }
 it {
 is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
 content: %r{^\s+SSLVerifyClient\soptional$},
diff --git a/templates/vhost/_gssapi.epp b/templates/vhost/_gssapi.epp
index 789e90595b..87a755a6b9 100644
--- a/templates/vhost/_gssapi.epp
+++ b/templates/vhost/_gssapi.epp
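Review bot: This hunk and the one at `@@ -978,12 +1025,67 @@` add around twenty examples that differ only in the directive name and value inside the regex, which is a point of style rather than correctness: a single directive/value table iterated with `each` keeps the per-directive assertions while making a missing or misspelt directive a one-line fix, and `Regexp.escape` on the value removes the need to hand-escape dots and quotes as the `example\.key` and `"auth-indicators=high"` patterns currently do. The sketch below covers the ten examples of this hunk; the same table can absorb the earlier hunk's examples. Note that the `describe`/`context` block these examples live in starts and ends outside the hunk.
```ruby
# … unchanged: preceding examples …
{
  'GssapiNameAttributes' => 'json',
  'GssapiNegotiateOnce' => 'On',
  'GssapiPublishErrors' => 'On',
  # … remaining directive/value pairs from this hunk …
  'GssapiUseSessions' => 'On',
}.each do |directive, value|
  it {
    is_expected.to contain_concat__fragment('rspec.example.com-directories').with(
      content: %r{^\s+#{directive}\s#{Regexp.escape(value)}$},
    )
  }
end
# … unchanged: SSLVerifyClient example …
```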
@@ -1,20 +1,123 @@
-<%|
+<%- |
 # https://github.com/gssapi/mod_auth_gssapi
- Optional[Enum['On','Off']] $basicauth = undef,
- Optional[String[1]] $credstore = undef,
- Optional[Enum['On','Off']] $sslonly = undef,
- Optional[Enum['On','Off']] $localname = undef,
-|%>
+ Optional[Variant[String[1], Enum['{HOSTNAME}']]] $acceptor_name = undef,
+ Optional[Array[Enum['krb5','iakerb','ntlmssp']]] $allowed_mech = undef,
+ Optional[Boolean] $basic_auth = undef,
+ Optional[Array[Enum['krb5','iakerb','ntlmssp']]] $basic_auth_mech = undef,
+ Optional[[Integer[1]]] $basic_ticket_timeout = undef,
+ Optional[Boolean] $connection_bound = undef,
+ Optional[Struct[{
+ Optional['ccache'] => Array[Stdlib::Unixpath],
+ Optional['client_keytab'] => Array[Stdlib::Unixpath],
+ Optional['keytab'] => Array[Stdlib::Unixpath],
+ }]] $cred_store = undef,
+ Optional[Stdlib::Unixpath] $deleg_ccache_dir = undef,
+ Optional[[String[1]]] $deleg_ccache_env_var = undef,
+ Optional[Struct[{
+ 'mode' => Stdlib::Filemode,
+ 'uid' => Variant[Integer[1], String[1]],
+ 'gid' => Variant[Integer[1], String[1]],
+ }]] $deleg_ccache_perms = undef,
+ Optional[Boolean] $deleg_ccache_unique = undef,
+ Optional[Boolean] $impersonate = undef,
+ Optional[Boolean] $local_name = undef,
+ Optional[Variant[String[1], Enum['json']]] $name_attributes = undef,
+ Optional[Boolean] $negotiate_once = undef,
+ Optional[Boolean] $publish_errors = undef,
+ Optional[Boolean] $publish_mech = undef,
+ Optional[[String[1]]] $required_name_attributes = undef,
+ Optional[[String[1]]] $session_key = undef,
+ Optional[Boolean] $signal_persistent_auth = undef,
+ Optional[Boolean] $ssl_only = undef,
+ Optional[Boolean] $use_s4u2_proxy = undef,
+ Optional[Boolean] $use_sessions = undef,
+| -%>
+
 # mod_auth_gssapi configuration
-<% if $basicauth { -%>
- GssapiBasicAuth <%= $basicauth %>
-<% } -%>
-<% if $sslonly { -%>
- GssapiSSLonly <%= $sslonly %>
-<% } -%>
-<% if $localname { -%>
- GssapiLocalName <%= $localname %>
-<% } -%>
-<% if $credstore { -%>
- GssapiCredStore <%= $credstore %>
-<% } -%>
+<%- if $acceptor_name { -%>
+ GssapiAcceptorName <%= $acceptor_name %>
+<%- } -%>
+<%- if $allowed_mech { -%>
+ <%- $allowed_mech.each |$mech| { -%>
+ GssapiAllowedMech <%= $mech %>
+ <%- } -%>
+<%- } -%>
+<%- if $basic_auth { -%>
+ GssapiBasicAuth On
+<%- } -%>
+<%- if $basic_auth_mech { -%>
+<%- $basic_auth_mech.each |$mech| { -%>
+ GssapiBasicAuthMech <%= $mech %>
+<%- } -%>
+<%- } -%>
+<%- if $basic_ticket_timeout { -%>
+ GssapiBasicTicketTimeout <%= $basic_ticket_timeout %>
+<%- } -%>
+<%- if $connection_bound { -%>
+ GssapiConnectionBound On
+<%- } -%>
+<%- if $cred_store { -%>
+ <%- if $cred_store[ccache] { -%>
+ <%- $cred_store[ccache].each |$path| { -%>
+ GssapiCredStore ccache:FILE:<%= $path %>
+ <%- } -%>
+ <%- } -%>
+ <%- if $cred_store[client_keytab] { -%>
+ <%- $cred_store[client_keytab].each |$path| { -%>
+ GssapiCredStore client_keytab:<%= $path %>
+ <%- } -%>
+ <%- } -%>
+ <%- if $cred_store[keytab] { -%>
+ <%- $cred_store[keytab].each |$path| { -%>
+ GssapiCredStore keytab:<%= $path %>
+ <%- } -%>
+ <%- } -%>
+<%- } -%>
+<%- if $deleg_ccache_dir { -%>
+ GssapiDelegCcacheDir <%= $deleg_ccache_dir %>
+<%- } -%>
+<%- if $deleg_ccache_env_var { -%>
+ GssapiDelegCcacheEnvVar <%= $deleg_ccache_env_var %>
+<%- } -%>
+<%- if $deleg_ccache_perms { -%>
+ GssapiDelegCcachePerms mode:<%= $deleg_ccache_perms[mode] %> uid:<%= $deleg_ccache_perms[uid] %> gid:<%= $deleg_ccache_perms[gid] %>
+<%- } -%>
+<%- if $deleg_ccache_unique { -%>
+ GssapiDelegCcacheUnique On
+<%- } -%>
+<%- if $impersonate { -%>
+ GssapiImpersonate On
+<%- } -%>
+<%- if $local_name { -%>
+ GssapiLocalName On
+<%- } -%>
+<%- if $name_attributes { -%>
+ GssapiNameAttributes <%= $name_attributes %>
+<%- } -%>
+<%- if $negotiate_once { -%>
+ GssapiNegotiateOnce On
+<%- } -%>
+<%- if $publish_errors { -%>
+ GssapiPublishErrors On
+<%- } -%>
+<%- if $publish_mech { -%>
+ GssapiPublishMech On
+<%- } -%>
+<%- if $required_name_attributes { -%>
+ GssapiRequiredNameAttributes "<%= $required_name_attributes %>"
+<%- } -%>
+<%- if $session_key { -%>
+ GssapiSessionKey <%= $session_key %>
+<%- } -%>
+<%- if $signal_persistent_auth { -%>
+ GssapiSignalPersistentAuth On
+<%- } -%>
+<%- if $ssl_only { -%>
+ GssapiSSLonly On
+<%- } -%>
+<%- if $use_s4u2_proxy and $deleg_ccache_dir { -%>
+ GssapiUseS4U2Proxy On
+<%- } -%>
+<%- if $use_sessions { -%>
+ GssapiUseSessions On
+<%- } -%>
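Review bot: The Boolean parameters (`basic_auth`, `ssl_only`, `local_name`, `connection_bound`, …) can only ever render `On`: a caller passing `false` gets no directive at all, whereas the old `Enum['On','Off']` interface let a directory emit `GssapiSSLonly Off` explicitly, so if mod_auth_gssapi merges per-directory config with an enclosing context that override is now unreachable — rendering both states whenever the value is defined, e.g. `<%- if $ssl_only =~ NotUndef { -%>` / ` GssapiSSLonly <%= bool2str($ssl_only, 'On', 'Off') %>`, keeps the Boolean interface without that loss (stdlib is already a dependency via `Stdlib::Unixpath`). The types `Optional[[Integer[1]]]` and `Optional[[String[1]]]` on `basic_ticket_timeout`, `deleg_ccache_env_var`, `required_name_attributes` and `session_key` carry an extra pair of brackets the other parameters do not; I can't confirm from here how Puppet's type parser treats the inner `[…]`, but `Optional[Integer[1]]` / `Optional[String[1]]` is the documented form and removes the doubt. `ccache:FILE:` is hard-coded for every `cred_store` ccache entry, which rules out the other ccache types and contradicts the `/path/to/directory` example in the manifest comment; either accept the full `TYPE:residual` string or document that only FILE ccaches are supported. `use_s4u2_proxy` is silently dropped when `deleg_ccache_dir` is unset; a `fail()` in the manifest, or at least a `<%# GssapiUseS4U2Proxy is only emitted together with GssapiDelegCcacheDir %>` comment on the guard, would make the dependency visible instead of producing a config that quietly lacks the directive. Since Basic Auth carries the user's password in the request, a `warning()` in the manifest when `basic_auth` is true and `ssl_only` is not would also be worth adding.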