From 33aa22a8f3284172fbe706b209539638fdb96dab Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 28 Nov 2023 12:08:27 +0100 Subject: [PATCH] Update specs reference and config templates --- .fixtures.yml | 2 - REFERENCE.md | 8 +- manifests/config/jaas_auth.pp | 5 +- manifests/init.pp | 8 +- manifests/install.pp | 1 - spec/classes/config/aclpolicyfile_spec.rb | 55 ---- spec/classes/config/framework_spec.rb | 48 ++- spec/classes/config/jaas_auth_spec.rb | 310 ++++++++++-------- spec/classes/config/ssl_spec.rb | 63 ++-- spec/classes/config_spec.rb | 18 +- spec/classes/install_spec.rb | 23 +- spec/classes/rundeck_spec.rb | 73 ++--- spec/classes/service_spec.rb | 2 +- spec/defines/config/aclpolicyfile_spec.rb | 113 +++++-- spec/defines/config/plugin_spec.rb | 4 +- templates/framework.properties.epp | 4 +- ...uth.conf.epp => jaas-loginmodule.conf.epp} | 0 templates/rundeck-config.properties.epp | 4 +- 18 files changed, 369 insertions(+), 372 deletions(-) delete mode 100644 spec/classes/config/aclpolicyfile_spec.rb rename templates/{jaas-auth.conf.epp => jaas-loginmodule.conf.epp} (100%) diff --git a/.fixtures.yml b/.fixtures.yml index 9e4fdca72..586cb448a 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -1,9 +1,7 @@ fixtures: repositories: stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib.git" - inifile: "https://github.com/puppetlabs/puppetlabs-inifile.git" archive: "https://github.com/puppet-community/puppet-archive.git" - dirtree: "https://github.com/puppetlabs/pltraining-dirtree.git" java_ks: "https://github.com/puppetlabs/puppetlabs-java_ks.git" apt: "https://github.com/puppetlabs/puppetlabs-apt.git" yumrepo_core: diff --git a/REFERENCE.md b/REFERENCE.md index a7e228fda..91750578d 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -326,14 +326,14 @@ Default value: ```puppet { 'file' => { - 'auth_flag' => 'required', - 'jaas_config' => { + 'auth_flag' => 'required', + 'jaas_config' => { 'file' => '/etc/rundeck/realm.properties', }, 'realm_config' => { 'admin_user' => 'admin', 'admin_password' => 'admin', - 'auth_users' => {}, + 'auth_users' => [], }, }, } @@ -352,7 +352,7 @@ Default value: `{ 'url' => 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' }` Data type: `Hash` Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) -This hash will be merged some [defaults](https://github.com/voxpupuli/puppet-rundeck/blob/ffcc77ea943f2ee52257004ec6385ab3a3aa6f91/manifests/config.pp#L8C12-L8C12) # TODO: Update ref +This hash will be merged with the [Rundeck defaults](https://github.com/voxpupuli/puppet-rundeck/blob/4eb3f4158f49cd1176090897aa88098f1e4507ab/manifests/config.pp#L8-L20) # TODO: Update ref Default value: `{}` diff --git a/manifests/config/jaas_auth.pp b/manifests/config/jaas_auth.pp index 667be732b..7185242cd 100644 --- a/manifests/config/jaas_auth.pp +++ b/manifests/config/jaas_auth.pp @@ -28,7 +28,10 @@ file { "${rundeck::config::properties_dir}/jaas-loginmodule.conf": ensure => file, - content => Sensitive(epp('rundeck/jaas-auth.conf.epp', { _auth_config => $_auth_config, _ldap_login_module => $_ldap_login_module })), + content => Sensitive(epp('rundeck/jaas-loginmodule.conf.epp', { + '_auth_config' => $_auth_config, + '_ldap_login_module' => $_ldap_login_module + })), mode => '0400', } } diff --git a/manifests/init.pp b/manifests/init.pp index 0be53d1ed..2fc3c1f4a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
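Review bot: The `file` resource for `jaas-loginmodule.conf` sets `mode => '0400'` but neither `owner` nor `group` appears in the hunk, and the spec in this same patch expects the rendered content to carry LDAP `bindDn`/`bindPassword` values, so owner-only read is the right choice only if the owner resolves to the account rundeckd runs as. If no resource default in this scope supplies it, the file is root-owned and the service cannot read its own login module; add `owner => $rundeck::user,` and `group => $rundeck::group,` next to `mode` (names inferred from the module's `user`/`group` parameters, verify). Wrapping the content in `Sensitive(...)` already keeps the bind password out of agent reports and diffs, so nothing further is needed there.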
@@ -47,7 +47,7 @@ # Hash of properties for configuring the [Rundeck Database](https://docs.rundeck.com/docs/administration/configuration/database) # @param framework_config # Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) -# This hash will be merged some [defaults](https://github.com/voxpupuli/puppet-rundeck/blob/ffcc77ea943f2ee52257004ec6385ab3a3aa6f91/manifests/config.pp#L8C12-L8C12) # TODO: Update ref +# This hash will be merged with the [Rundeck defaults](https://github.com/voxpupuli/puppet-rundeck/blob/4eb3f4158f49cd1176090897aa88098f1e4507ab/manifests/config.pp#L8-L20) # TODO: Update ref # @param gui_config # Hash of properties for customizing the [Rundeck GUI](https://docs.rundeck.com/docs/administration/configuration/gui-customization.html) # @param mail_config @@ -179,14 +179,14 @@ Integer $quartz_job_threadcount = 10, Rundeck::Auth_config $auth_config = { 'file' => { - 'auth_flag' => 'required', - 'jaas_config' => { + 'auth_flag' => 'required', + 'jaas_config' => { 'file' => '/etc/rundeck/realm.properties', }, 'realm_config' => { 'admin_user' => 'admin', 'admin_password' => 'admin', - 'auth_users' => {}, + 'auth_users' => [], }, }, }, diff --git a/manifests/install.pp b/manifests/install.pp index 2fce99f77..1d50ea650 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -26,7 +26,6 @@ uid => $rundeck::user_id, gid => $rundeck::group_id, system => true, - before => File['/var/rundeck'], } if $rundeck::user != 'rundeck' { diff --git a/spec/classes/config/aclpolicyfile_spec.rb b/spec/classes/config/aclpolicyfile_spec.rb deleted file mode 100644 index 87436ed81..000000000 --- a/spec/classes/config/aclpolicyfile_spec.rb +++ /dev/null 
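Review bot: The `@param framework_config` doc line still ends in `# TODO: Update ref` although this commit replaces the reference with a pinned link to `config.pp#L8-L20`, so the marker now describes work that was just done. Either drop the trailing `# TODO: Update ref` from the new line or reword it to say what remains (for example that the link must be re-pinned whenever `config.pp` moves), since a stale TODO beside a fresh link will be read as the link being wrong.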
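Review bot: The re-indented default for `auth_config` still ships `'admin_user' => 'admin'` with `'admin_password' => 'admin'`, and the jaas_auth spec in this patch confirms that pair is written straight into `/etc/rundeck/realm.properties` as `admin:admin,...`, i.e. a working well-known credential with the full admin role set on every node that takes the defaults. The commit only fixes the `auth_users` type, so at minimum the `@param auth_config` documentation (outside this hunk) should carry a comment such as `# WARNING: the default file realm ships the well-known credential admin/admin; override admin_password (a Jetty MD5:/CRYPT:/OBF: hash is accepted) before exposing the service.` Whether the default should instead be made non-functional, or `admin_password` typed as `Sensitive`, is a larger change and is only noted here.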
@@ -1,55 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck' do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - describe "rundeck::config::aclpolicyfile class without any parameters on #{os}" do - let(:params) { {} } - - default_acl = <<~CONFIG.gsub(%r{[^\S\n]{10}}, '') - description: Admin, all access - context: - project: '.*' - for: - resource: - - allow: '*' - adhoc: - - allow: '*' - job: - - allow: '*' - node: - - allow: '*' - by: - group: - - 'admin' - - --- - - description: Admin, all access - context: - application: 'rundeck' - for: - resource: - - allow: '*' - project: - - allow: '*' - storage: - - allow: '*' - by: - group: - - 'admin' - CONFIG - - it do - is_expected.to contain_file('/etc/rundeck/admin.aclpolicy').with_content(default_acl) - end - end - end - end -end diff --git a/spec/classes/config/framework_spec.rb b/spec/classes/config/framework_spec.rb index 1e5684740..bca688bb7 100644 --- a/spec/classes/config/framework_spec.rb +++ b/spec/classes/config/framework_spec.rb @@ -3,22 +3,18 @@ require 'spec_helper' describe 'rundeck' do - on_supported_os.each do |os, facts| + on_supported_os.each do |os, os_facts| context "on #{os}" do - let :facts do - facts - end + let(:facts) { os_facts } - describe "rundeck::config::framework class without any parameters on #{os}" do + context 'without any parameters test rundeck::config::framework' do let(:params) { {} } framework_details = { 'framework.server.name' => 'foo.example.com', - 'framework.server.hostname' => 'foo.example.com', + 'framework.server.hostname' => 'foo', 'framework.server.port' => '4440', 'framework.server.url' => 'http://foo.example.com:4440', - 'framework.server.username' => 'admin', - 'framework.server.password' => 'admin', 'framework.etc.dir' => '/etc/rundeck', 'framework.libext.dir' => '/var/lib/rundeck/libext', 'framework.ssh.keypath' => '/var/lib/rundeck/.ssh/id_rsa', 
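Review bot: The removal of the `framework.server.username`/`framework.server.password` entries from `framework_details` means nothing in this spec now asserts those keys are absent, so a template regression that reintroduces the `admin`/`admin` pair into `framework.properties` would still pass. Add a negative expectation alongside the existing content checks, e.g. `expect(content).not_to include('framework.server.password')`, in the `it` that iterates `framework_details` (that block runs past the end of the hunk). This pins the intent of the change rather than just deleting the old expectation.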
@@ -36,30 +32,28 @@ end end - context 'add plugin configuration' do - describe 'add plugin configuration for the logstash plugin' do - let(:params) do - { - framework_config: { - 'framework.plugin.StreamingLogWriter.LogstashPlugin.port' => '9700' - } + context 'add plugin configuration for the logstash plugin' do + let(:params) do + { + framework_config: { + 'framework.plugin.StreamingLogWriter.LogstashPlugin.port' => '9700' } - end + } + end - it 'generates valid content for framework.properties' do - content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] - expect(content).to include('framework.server.name = foo.example.com') - expect(content).to include('framework.plugin.StreamingLogWriter.LogstashPlugin.port = 9700') - end + it 'generates valid content for framework.properties' do + content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] + expect(content).to include('framework.server.name = foo.example.com') + expect(content).to include('framework.plugin.StreamingLogWriter.LogstashPlugin.port = 9700') end end - context 'setting framework.server.{port,url}' do - describe 'with non-default framework.server.hostname' do + context 'setting framework.server.{name,url}' do + context 'with non-default framework.server.hostname' do let(:params) do { framework_config: { - 'framework.server.hostname' => 'rundeck.example.com' + 'framework.server.url' => 'rundeck.example.com' } } end @@ -71,7 +65,7 @@ end end - describe 'ssl_enabled with non-default SSL port' do + context 'ssl_enabled with non-default SSL port' do let(:params) do { ssl_enabled: true, @@ -86,13 +80,13 @@ end end - describe 'ssl_enabled with non-default framework.server.hostname' do + context 'ssl_enabled with non-default framework.server.hostname' do let(:params) do { ssl_enabled: true, ssl_port: 443, framework_config: { - 'framework.server.hostname' => 'rundeck.example.com' + 'framework.server.name' => 'rundeck.example.com' } } end 
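Review bot: The context renamed to `'with non-default framework.server.hostname'` now sets `'framework.server.url' => 'rundeck.example.com'`, so the description and the fixture disagree, and the value has no scheme even though the key is a URL; whichever expectation follows (it lies outside the hunk) will be hard to read when it fails. Either rename the context to `'with non-default framework.server.url'` and pass a complete URL such as `'https://rundeck.example.com'`, or keep the name and set `'framework.server.hostname'` as it says. The enclosing `context 'setting framework.server.{name,url}'` block continues beyond this hunk.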
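Review bot: In the last hunk the context is still titled `'ssl_enabled with non-default framework.server.hostname'` while the fixture now sets `'framework.server.name' => 'rundeck.example.com'`, so the title names a key the test no longer touches. Rename it to `'ssl_enabled with non-default framework.server.name'` so a failure points at the property actually under test; the expectations of this context sit outside the hunk.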
diff --git a/spec/classes/config/jaas_auth_spec.rb b/spec/classes/config/jaas_auth_spec.rb index b2375d100..e3a676a3b 100644 --- a/spec/classes/config/jaas_auth_spec.rb +++ b/spec/classes/config/jaas_auth_spec.rb @@ -3,37 +3,44 @@ require 'spec_helper' describe 'rundeck' do - let(:login_module) { 'org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient' } - on_supported_os.each do |os, facts| context "on #{os}" do let :facts do facts end - describe 'with empty params' do + context 'with empty auth config test rundeck::config::jaas_auth' do let(:params) do - {} + { + auth_config: {} + } end - it 'generates valid content for realm.properties' do - content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] - expect(content).to include('admin:admin,user,admin,architect,deploy,build') - end + it { is_expected.to contain_file('/etc/rundeck/realm.properties').with(ensure: 'absent') } - it 'contains PropertyFileLoginModule and be sufficient' do + it 'jaas-loginmodule.conf contains no auth classes' do jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] - expect(jaas_auth).to include(login_module) + expect(jaas_auth).not_to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule') + expect(jaas_auth).not_to include('com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule') + expect(jaas_auth).not_to include('com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule') + expect(jaas_auth).not_to include('org.rundeck.jaas.jetty.JettyPamLoginModule') end end - describe 'with empty auth users array' do + context 'file auth with empty auth users array' do let(:params) do { auth_config: { 'file' => { - 'auth_users' => [] - } + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [], + }, + }, } } end 
@@ -43,30 +50,31 @@ expect(content).to include('admin:admin,user,admin,architect,deploy,build') end - it 'contains PropertyFileLoginModule and be sufficient' do + it 'contains PropertyFileLoginModule and default auth_flag' do jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] - expect(jaas_auth).to include(login_module) + expect(jaas_auth).to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required') end end - describe 'with auth users array' do + context 'file auth with single auth user without roles' do let(:params) do { auth_config: { 'file' => { - 'auth_users' => [ - { - 'username' => 'testuser', - 'password' => 'password', - 'roles' => %w[user deploy] - }, - { - 'username' => 'anotheruser', - 'password' => 'anotherpassword', - 'roles' => ['user'] - } - ] - } + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [ + { + 'username' => 'testuser', + 'password' => 'password' + } + ] + }, + }, } } end 
@@ -74,54 +82,35 @@ it 'generates valid content for realm.properties' do content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] expect(content).to include('admin:admin,user,admin,architect,deploy,build') - expect(content).to include('testuser:password,user,deploy') - expect(content).to include('anotheruser:anotherpassword,user') + expect(content).to include('testuser:password') end it 'contains PropertyFileLoginModule and be sufficient' do jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] - expect(jaas_auth).to include(login_module) + expect(jaas_auth).to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required') end end - describe 'with multiauth ldap and file auth users array' do + context 'file auth with single auth user and roles' do let(:params) do { auth_config: { 'file' => { - 'auth_users' => [ - { - 'username' => 'testuser', - 'password' => 'password', - 'roles' => %w[user deploy] - }, - { - 'username' => 'anotheruser', - 'password' => 'anotherpassword', - 'roles' => ['user'] - } - ] + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [ + { + 'username' => 'testuser', + 'password' => 'password', + 'roles' => %w[user deploy] + } + ] + }, }, - - 'ldap' => { - 'debug' => 'true', - 'url' => 'localhost:389', - 'force_binding' => 'true', - 'force_binding_use_root' => 'true', - 'bind_dn' => 'test_rundeck', - 'bind_password' => 'abc123', - 'user_base_dn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', - 'user_rdn_attribute' => 'sAMAccountName', - 'user_id_attribute' => 'sAMAccountName', - 'user_password_attribute' => 'unicodePwd', - 'user_object_class' => 'user', - 'role_base_dn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'member', - 'role_object_class' => 'group', - 'supplemental_roles' => 
'user', - 'nested_groups' => 'true' - } } } end 
@@ -130,63 +119,40 @@ content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] expect(content).to include('admin:admin,user,admin,architect,deploy,build') expect(content).to include('testuser:password,user,deploy') - expect(content).to include('anotheruser:anotherpassword,user') - end - end - - describe 'with ldap using ldap_sync' do - let(:params) do - { - auth_config: { - 'ldap' => { - 'debug' => 'true', - 'url' => 'localhost:389', - 'force_binding' => 'true', - 'force_binding_use_root' => 'true', - 'bind_dn' => 'test_rundeck', - 'bind_password' => 'abc123', - 'user_base_dn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', - 'user_rdn_attribute' => 'sAMAccountName', - 'user_id_attribute' => 'sAMAccountName', - 'user_password_attribute' => 'unicodePwd', - 'user_object_class' => 'user', - 'role_base_dn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'member', - 'role_object_class' => 'group', - 'supplemental_roles' => 'user', - 'nested_groups' => 'true', - 'sync_first_name_attribute' => 'givenName', - 'sync_last_name_attribute' => 'sn', - 'sync_email_attribute' => 'mail' - } - }, - security_config: { - 'syncLdapUser' => true - } - } end - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] - expect(content).to include('userFirstNameAttribute="givenName"') - expect(content).to include('userLastNameAttribute="sn"') - expect(content).to include('userEmailAttribute="mail"') + it 'contains PropertyFileLoginModule and be sufficient' do + jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] + expect(jaas_auth).to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required') end end - describe 'with auth user without roles' do + context 'file auth with auth users array and auth_flag' do let(:params) do { auth_config: { 'file' => { - 'auth_users' 
=> [ - { - 'username' => 'testuser', - 'password' => 'password' - } - ] - } + 'auth_flag' => 'sufficient', + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [ + { + 'username' => 'testuser', + 'password' => 'password', + 'roles' => %w[user deploy] + }, + { + 'username' => 'anotheruser', + 'password' => 'anotherpassword', + 'roles' => ['user'] + }, + ], + }, + }, } } end 
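Review bot: Every `realm.properties` fixture here uses a plaintext password, so nothing checks that a pre-hashed credential reaches the file untouched, which is the form an operator should actually deploy. Jetty's PropertyFileLoginModule accepts `MD5:`, `CRYPT:` and `OBF:` prefixed values, so add a user such as `{ 'username' => 'hashed', 'password' => 'MD5:5f4dcc3b5aa765d61d8327deb882cf99', 'roles' => ['user'] }` to the `auth_users` array and assert `expect(content).to include('hashed:MD5:5f4dcc3b5aa765d61d8327deb882cf99,user')`, assuming the template writes the value verbatim (the template is not in this hunk). This would catch any quoting or escaping of the `:` in the hash prefix.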
@@ -194,57 +160,135 @@ it 'generates valid content for realm.properties' do content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] expect(content).to include('admin:admin,user,admin,architect,deploy,build') - expect(content).to include('testuser:password') + expect(content).to include('testuser:password,user,deploy') + expect(content).to include('anotheruser:anotherpassword,user') end it 'contains PropertyFileLoginModule and be sufficient' do jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] - expect(jaas_auth).to include(login_module) + expect(jaas_auth).to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient') end end - describe 'backward compatibility (no array of users)' do + context 'with ldap auth using ldap_sync' do let(:params) do { auth_config: { - 'file' => { - 'auth_users' => { - 'username' => 'testuser', - 'password' => 'password', - 'roles' => %w[user deploy] + 'ldap' => { + 'jaas_config' => { + 'debug' => 'true', + 'providerUrl' => 'ldap://server:389', + 'bindDn' => 'cn=Manager,dc=example,dc=com', + 'bindPassword' => 'secret', + 'authenticationMethod' => 'simple', + 'forceBindingLogin' => 'false', + 'userBaseDn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', + 'userRdnAttribute' => 'sAMAccountName', + 'userIdAttribute' => 'sAMAccountName', + 'userPasswordAttribute' => 'unicodePwd', + 'userObjectClass' => 'user', + 'roleBaseDn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', + 'roleNameAttribute' => 'cn', + 'roleMemberAttribute' => 'member', + 'roleObjectClass' => 'group' } } + }, + security_config: { + 'syncLdapUser' => true } } end - it 'generates valid content for realm.properties' do - content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] - expect(content).to include('admin:admin,user,admin,architect,deploy,build') - expect(content).to include('testuser:password,user,deploy') + it 'generates valid content for 
rundeck-config.properties' do + content = catalogue.resource('file', '/etc/rundeck/rundeck-config.properties')[:content] + expect(content).to include('rundeck.security.syncLdapUser = true') end - it 'contains PropertyFileLoginModule and be sufficient' do - jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] - expect(jaas_auth).to include(login_module) + it 'generates valid content for jaas-loginmodule.conf' do + content = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] + expect(content).to include('com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required') + expect(content).to include('debug="true"') + expect(content).to include('providerUrl="ldap://server:389"') + expect(content).to include('bindDn="cn=Manager,dc=example,dc=com"') + expect(content).to include('bindPassword="secret"') + expect(content).to include('authenticationMethod="simple"') + expect(content).to include('userBaseDn="ou=users,ou=accounts,ou=corp,dc=xyz,dc=com"') + expect(content).to include('roleBaseDn="ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com"') + expect(content).to include('roleObjectClass="group";') end end - describe 'ldap with rolePrefix' do + context 'with multiauth ldap and file with auth users array' do let(:params) do { auth_config: { + 'file' => { + 'auth_flag' => 'sufficient', + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [ + { + 'username' => 'testuser', + 'password' => 'password', + 'roles' => %w[user deploy] + }, + { + 'username' => 'anotheruser', + 'password' => 'anotherpassword', + 'roles' => ['user'] + }, + ], + }, + }, 'ldap' => { - 'url' => 'localhost:389', - 'role_prefix' => 'rundeck_' + 'jaas_config' => { + 'debug' => 'true', + 'providerUrl' => 'ldap://server:389', + 'bindDn' => 'cn=Manager,dc=example,dc=com', + 'bindPassword' => 'secret', + 'authenticationMethod' 
=> 'simple', + 'forceBindingLogin' => 'false', + 'userBaseDn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', + 'userRdnAttribute' => 'sAMAccountName', + 'userIdAttribute' => 'sAMAccountName', + 'userPasswordAttribute' => 'unicodePwd', + 'userObjectClass' => 'user', + 'roleBaseDn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', + 'roleNameAttribute' => 'cn', + 'roleMemberAttribute' => 'member', + 'roleObjectClass' => 'group', + 'nestedGroups' => 'true' + }, } } } end - it 'generates valid content for jaas-auth.conf' do + it 'generates valid content for realm.properties' do + content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] + expect(content).to include('admin:admin,user,admin,architect,deploy,build') + expect(content).to include('testuser:password,user,deploy') + expect(content).to include('anotheruser:anotherpassword,user') + end + + it 'generates valid content for jaas-loginmodule.conf' do content = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] - expect(content).to include('rolePrefix="rundeck_"') + expect(content).to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient') + expect(content).to include('file="/etc/rundeck/realm.properties";') + expect(content).to include('com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required') + expect(content).to include('debug="true"') + expect(content).to include('providerUrl="ldap://server:389"') + expect(content).to include('bindDn="cn=Manager,dc=example,dc=com"') + expect(content).to include('bindPassword="secret"') + expect(content).to include('authenticationMethod="simple"') + expect(content).to include('userBaseDn="ou=users,ou=accounts,ou=corp,dc=xyz,dc=com"') + expect(content).to include('roleBaseDn="ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com"') + expect(content).to include('nestedGroups="true";') end end end 
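Review bot: The LDAP `jaas_config` fixture is duplicated verbatim between the `'with ldap auth using ldap_sync'` and `'with multiauth ldap and file with auth users array'` contexts, so the two cases will drift the next time an attribute is added; hoist it into a `let(:ldap_jaas_config)` at the `describe 'rundeck'` level and reference it from both `auth_config` hashes. Separately, `jaas-loginmodule.conf` is rendered with `Sensitive(...)` in `rundeck::config::jaas_auth` in this same patch, so reading it through `catalogue.resource(...)[:content]` and calling `include` relies on rspec-puppet unwrapping the value for you; `is_expected.to contain_file('/etc/rundeck/jaas-loginmodule.conf').with_content(%r{bindPassword="secret"})` states that intent explicitly and survives a change in how Sensitive parameters are surfaced.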
diff --git a/spec/classes/config/ssl_spec.rb b/spec/classes/config/ssl_spec.rb index 14edcec0c..05258dfe0 100644 --- a/spec/classes/config/ssl_spec.rb +++ b/spec/classes/config/ssl_spec.rb 
@@ -3,35 +3,48 @@ require 'spec_helper' describe 'rundeck' do - on_supported_os.each do |os, os_facts| + on_supported_os.each do |os, facts| context "on #{os}" do - let(:params) do - { - ssl_enabled: true - } + let :facts do + facts end - let(:facts) do - os_facts + + context 'with ssl_enabled => true' do + let(:params) do + { + ssl_enabled: true + } + end + + ssl_details = { + 'keystore' => '/etc/rundeck/ssl/keystore', + 'keystore.password' => 'adminadmin', + 'truststore' => '/etc/rundeck/ssl/truststore', + 'truststore.password' => 'adminadmin' + } + + it { is_expected.to contain_file('/etc/rundeck/ssl').with('ensure' => 'directory') } + it { is_expected.to contain_file('/etc/rundeck/ssl/ssl.properties') } + + ssl_details.each do |key, value| + it 'generates valid content for ssl.properties' do + content = catalogue.resource('file', '/etc/rundeck/ssl/ssl.properties')[:content] + expect(content).to include("#{key}=#{value}") + end + end end - ssl_details = { - 'keystore' => '/etc/rundeck/ssl/keystore', - 'keystore.password' => 'adminadmin', - 'key.password' => 'adminadmin', - 'truststore' => '/etc/rundeck/ssl/truststore', - 'truststore.password' => 'adminadmin' - } - - it { is_expected.to contain_file('/etc/rundeck/ssl').with('ensure' => 'directory') } - it { is_expected.to contain_file('/etc/rundeck/ssl/ssl.properties') } - - ssl_details.each do |key, value| - it do - is_expected.to contain_ini_setting(key).with( - 'path' => '/etc/rundeck/ssl/ssl.properties', - 'setting' => key, - 'value' => value - ) + context 'with ssl_enabled => true and key_password => verysecure' do + let(:params) do + { + ssl_enabled: true, + key_password: 'verysecure' + } + end + + it 'generates valid content for ssl.properties' do + content = catalogue.resource('file', '/etc/rundeck/ssl/ssl.properties')[:content] + expect(content).to include('key.password=verysecure') end end end diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb index 7f3ed976f..fadf9470f 100644 
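Review bot: The rewritten default context drops `'key.password' => 'adminadmin'` from `ssl_details`, so the default case no longer asserts anything about `key.password` in `ssl.properties`; only the second context, which passes `key_password: 'verysecure'`, checks the key at all. If the template falls back to the keystore password when `key_password` is unset, re-add `'key.password' => 'adminadmin'` to `ssl_details`; if the line is meant to be omitted, assert `expect(content).not_to include('key.password=')` so the fallback behaviour is pinned either way. The `adminadmin` values this spec locks in are the documented Rundeck defaults, which is fine for a test but worth a comment such as `# module defaults mirror the upstream sample keystore password; real deployments must override` above the hash.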
--- a/spec/classes/config_spec.rb +++ b/spec/classes/config_spec.rb @@ -12,7 +12,7 @@ facts end - describe "rundeck::config class without any parameters on #{os}" do + context 'without any parameters test rundeck::config' do it { is_expected.to contain_file('/var/lib/rundeck').with('ensure' => 'directory') } it { is_expected.to contain_file('/var/lib/rundeck/libext').with('ensure' => 'directory') } it { is_expected.to contain_file('/etc/rundeck').with('ensure' => 'directory') } @@ -31,10 +31,10 @@ it 'generates valid content for the profile overrides file' do content = catalogue.resource('file', overrides)[:content] - expect(content).to include('RDECK_BASE=/var/lib/rundeck') - expect(content).to include('RDECK_CONFIG=/etc/rundeck') - expect(content).to include('RDECK_CONFIG_FILE=$RDECK_CONFIG/rundeck-config.properties') - expect(content).to include('RDECK_INSTALL=$RDECK_BASE') + expect(content).to include('RDECK_BASE="/var/lib/rundeck"') + expect(content).to include('RDECK_CONFIG="/etc/rundeck"') + expect(content).to include('RDECK_CONFIG_FILE="$RDECK_CONFIG/rundeck-config.properties"') + expect(content).to include('RDECK_INSTALL="$RDECK_BASE"') expect(content).to include('LOGIN_MODULE=authentication') expect(content).to include('RDECK_JVM_SETTINGS="-Xmx1024m -Xms256m -server"') expect(content).to include('RDECK_HTTP_PORT=4440') 
@@ -43,8 +43,8 @@ it { is_expected.to contain_class('rundeck::config::jaas_auth') } it { is_expected.to contain_class('rundeck::config::framework') } - it { is_expected.to contain_file('/etc/project.properties').with('ensure' => 'absent') } - it { is_expected.to contain_file('/etc/rundeck-config.properties').with('ensure' => 'file') } + it { is_expected.to contain_file('/etc/rundeck/project.properties').with('ensure' => 'absent') } + it { is_expected.to contain_file('/etc/rundeck/rundeck-config.properties').with('ensure' => 'file') } it 'generates valid content for rundeck-config.properties' do content = catalogue.resource('file', '/etc/rundeck/rundeck-config.properties')[:content] @@ -60,7 +60,7 @@ end end - describe 'rundeck::config with override_template set' do + context 'with override_template set' do template = 'rundeck/../spec/fixtures/files/override.template' let(:params) { { override_template: template } } @@ -72,7 +72,7 @@ end end - describe 'rundeck::config with jvm_args set' do + context 'with jvm_args set' do jvm_args = '-Dserver.http.port=8008 -Xms2048m -Xmx2048m -server' let(:params) { { jvm_args: jvm_args } } diff --git a/spec/classes/install_spec.rb b/spec/classes/install_spec.rb index bfe0bd42b..af3295747 100644 --- a/spec/classes/install_spec.rb +++ b/spec/classes/install_spec.rb 
@@ -9,28 +9,21 @@ facts end - describe "rundeck class without any parameters on #{os}" do + context 'without any parameters test rundeck::install' do let(:params) { {} } it { is_expected.not_to contain_user('rundeck') } - it do - is_expected.to contain_file('/var/rundeck').with( - ensure: 'directory', - owner: 'rundeck', - group: 'rundeck', - recurse: true - ) - end - case facts[:os]['family'] when 'RedHat' it do is_expected.to contain_yumrepo('rundeck').with( baseurl: 'https://packagecloud.io/pagerduty/rundeck/rpm_any/rpm_any/$basearch', - gpgcheck: 0, - repo_gpgcheck: 1, - gpgkey: 'https://packagecloud.io/pagerduty/rundeck/gpgkey' + descr: 'Rundeck repository', + enabled: 1, + gpgcheck: 1, + gpgkey: 'https://packagecloud.io/pagerduty/rundeck/gpgkey', + repo_gpgcheck: 1 ).that_comes_before('Package[rundeck]') end when 'Debian' @@ -40,7 +33,7 @@ end end - describe 'different user and group' do + context 'with different user and group' do let(:params) do { manage_user: true, @@ -59,7 +52,7 @@ it { is_expected.to contain_user('rundeck').with('ensure' => 'absent') } end - describe 'different user and group with ids' do + context 'different user and group with ids' do let(:params) do { manage_user: true, diff --git a/spec/classes/rundeck_spec.rb b/spec/classes/rundeck_spec.rb index f00901a14..3628e6365 100644 --- a/spec/classes/rundeck_spec.rb +++ b/spec/classes/rundeck_spec.rb 
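Review bot: The RedHat expectation now requires `gpgcheck: 1` together with `repo_gpgcheck: 1`, closing the gap where package signatures from packagecloud were not verified, and the ordering `that_comes_before('Package[rundeck]')` is kept. The `when 'Debian'` branch starts in this hunk but its body is outside it; the apt side should get the equivalent guarantee, i.e. its `apt::source` expectation should pin the packagecloud signing key (`key` or `keyring`, depending on the module version) so both platforms verify what they install. If that assertion already exists beyond the hunk, nothing further is needed.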
@@ -9,73 +9,40 @@ facts end - describe "rundeck class without any parameters on #{os}" do + context 'rundeck class without any parameters' do let(:params) { {} } it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('rundeck::params') } it { is_expected.to contain_class('rundeck::install').that_comes_before('Class[rundeck::config]') } it { is_expected.to contain_class('rundeck::config').that_notifies('Class[rundeck::service]') } it { is_expected.to contain_class('rundeck::service') } + it { is_expected.to contain_class('rundeck::config::jaas_auth') } + it { is_expected.to contain_class('rundeck::config::framework') } + it { is_expected.not_to contain_class('rundeck::config::ssl') } end - context 'non-platform-specific config parameters' do - # auth_config cannot be passed as a parameter to rundeck::config :-( - # so we have to test it here - describe 'setting auth_config ldap roleUsernameMemberAttribute' do - let(:params) do - { - auth_config: { - 'ldap' => { - 'role_username_member_attribute' => 'memberUid' - } - } - } - end - - it { is_expected.to contain_file('/etc/rundeck/jaas-auth.conf') } - - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(content).to include('roleUsernameMemberAttribute="memberUid"') - expect(content).not_to include('roleMemberAttribute') - end + context 'rundeck class with ssl_enabled => true' do + let(:params) do + { + ssl_enabled: true + } end - describe 'setting auth_config ldap url' do - let(:params) do - { - auth_config: { - 'ldap' => { - 'url' => 'ldaps://myrealldap.example.com', - 'server' => 'fakeldap', - 'port' => '983' - } - } - } - end - - it { is_expected.to contain_file('/etc/rundeck/jaas-auth.conf') } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('rundeck::config::ssl') } + end - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', 
'/etc/rundeck/jaas-auth.conf')[:content] - expect(content).to include('providerUrl="ldaps://myrealldap.example.com"') - expect(content).not_to include('providerUrl="ldap://fakeldap:983"') - end + context 'override server uuid' do + let :facts do + # uuid is ac7c2cbd-14fa-5ba3-b3f2-d436e9b8a3b0 + override_facts(super(), networking: { fqdn: 'rundeck.example.com' }) end - describe 'uuid setting' do - let :facts do - # uuid is ac7c2cbd-14fa-5ba3-b3f2-d436e9b8a3b0 - override_facts(super(), networking: { fqdn: 'rundeck.example.com' }) - end - - it { is_expected.to contain_file('/etc/rundeck/framework.properties') } + it { is_expected.to contain_file('/etc/rundeck/framework.properties') } - it 'uses fqdn fact for \'rundeck.server.uuid\'' do - content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] - expect(content).to include('rundeck.server.uuid = ac7c2cbd-14fa-5ba3-b3f2-d436e9b8a3b0') - end + it 'uses fqdn fact for \'rundeck.server.uuid\'' do + content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] + expect(content).to include('rundeck.server.uuid = ac7c2cbd-14fa-5ba3-b3f2-d436e9b8a3b0') end end end diff --git a/spec/classes/service_spec.rb b/spec/classes/service_spec.rb index 37899f0b5..23428d89e 100644 --- a/spec/classes/service_spec.rb +++ b/spec/classes/service_spec.rb @@ -9,7 +9,7 @@ facts end - describe "rundeck class without any parameters on #{os}" do + context 'without any parameters test rundeck::service' do let(:params) { {} } it { is_expected.to contain_service('rundeckd') } diff --git a/spec/defines/config/aclpolicyfile_spec.rb b/spec/defines/config/aclpolicyfile_spec.rb index f1a3c4e31..dc43c48c6 100644 --- a/spec/defines/config/aclpolicyfile_spec.rb +++ b/spec/defines/config/aclpolicyfile_spec.rb @@ -3,7 +3,7 @@ require 'spec_helper' describe 'rundeck::config::aclpolicyfile', type: :define do - test_policies = [ + admin_policy = [ { 'description' => 'Admin, all access', 'context' => { 
@@ -11,36 +11,37 @@
 },
 'for' => {
 'resource' => [
- { 'equals' => { 'kind' => 'job' }, 'allow' => ['create'] }
- ]
+ { 'allow' => '*' }
+ ],
+ 'adhoc' => [
+ { 'allow' => '*' }
+ ],
+ 'job' => [
+ { 'allow' => '*' }
+ ],
+ 'node' => [
+ { 'allow' => '*' }
+ ],
 },
 'by' => [
 { 'group' => ['admin'] }
- ]
+ ],
 },
 {
 'description' => 'Admin, all access',
 'context' => {
 'application' => 'rundeck'
 },
- 'for' => {
- 'resource' => [
- { 'equals' => { 'kind' => 'project' }, 'allow' => ['create'] }
- ]
- },
- 'by' => [
- { 'group' => ['admin'] }
- ]
- },
- {
- 'description' => 'System-level read access to a specific project',
- 'context' => {
- 'application' => 'rundeck'
- },
 'for' => {
 'project' => [
- { 'equals' => { 'name' => 'project' }, 'allow' => ['read'] }
- ]
+ { 'allow' => '*' }
+ ],
+ 'resource' => [
+ { 'allow' => '*' }
+ ],
+ 'storage' => [
+ { 'allow' => '*' }
+ ],
 },
 'by' => [
 { 'group' => ['admin'] }
@@ -48,36 +49,76 @@
 }
 ]
- context 'default parameters' do
- let(:title) { 'defaultPolicy' }
+ admin_acl = <<~CONFIG.gsub(%r{[^\S\n]{10}}, '')
+ description: Admin, all access
+ context:
+ project: '.*'
+ for:
+ resource:
+ - allow: '*'
+ adhoc:
+ - allow: '*'
+ job:
+ - allow: '*'
+ node:
+ - allow: '*'
+ by:
+ group:
+ - 'admin'
+
+ ---
+
+ description: Admin, all access
+ context:
+ application: 'rundeck'
+ for:
+ project:
+ - allow: '*'
+ resource:
+ - allow: '*'
+ storage:
+ - allow: '*'
+ by:
+ group:
+ - 'admin'
+ CONFIG
+
+ context 'with admin acl and default parameters' do
+ let(:title) { 'admin' }
 let(:params) do
 {
- acl_policies: test_policies
+ acl_policies: admin_policy,
 }
 end
- it do
- is_expected.to contain_file('/etc/rundeck/defaultPolicy.aclpolicy').with('owner' => 'rundeck',
- 'group' => 'rundeck',
- 'mode' => '0640')
- end
+ it {
+ is_expected.to contain_file('/etc/rundeck/admin.aclpolicy').with(
+ owner: 'rundeck',
+ group: 'rundeck',
+ mode: '0644',
+ content: admin_acl
+ )
+ }
 end
- context 'custom parameters' do
- let(:title) { 'myPolicy' }
+ context 'with admin acl and custom parameters' do
+ let(:title) { 'admin' }
 let(:params) do
 {
- acl_policies: test_policies,
+ acl_policies: admin_policy,
 properties_dir: '/etc/rundeck-acl',
 owner: 'myUser',
 group: 'myGroup'
 }
 end
- it do
- is_expected.to contain_file('/etc/rundeck-acl/myPolicy.aclpolicy').with('owner' => 'myUser',
- 'group' => 'myGroup',
- 'mode' => '0640')
- end
+ it {
+ is_expected.to contain_file('/etc/rundeck-acl/admin.aclpolicy').with(
+ owner: 'myUser',
+ group: 'myGroup',
+ mode: '0644',
+ content: admin_acl
+ )
+ }
 end
 end
diff --git a/spec/defines/config/plugin_spec.rb b/spec/defines/config/plugin_spec.rb
index 288d91f89..04705a3cb 100644
--- a/spec/defines/config/plugin_spec.rb
+++ b/spec/defines/config/plugin_spec.rb
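Review bot: The expected file mode moves from `'0640'` to `'0644'` in both contexts, so the spec now pins the ACL policy file as world-readable; `manifests/config/aclpolicyfile.pp` is not in the diffstat, so presumably the define already emits 0644 and the old expectation was stale, but it is worth confirming which side is right. A policy file enumerates which groups hold `allow: '*'` on every context and any local account could then read it, so if the define's default is still open to change, `mode: '0640'` with `group: 'rundeck'` is the safer expectation to lock in. Separately, `<<~CONFIG.gsub(%r{[^\S\n]{10}}, '')` deletes runs of exactly ten horizontal spaces after the squiggly heredoc has already stripped the common indent, which couples the fixture to the template's exact indentation and breaks silently if a line has nine or eleven. Comparing `YAML.load_stream` of the rendered content (taken via `catalogue.resource('file', ...)[:content]` as `rundeck_spec.rb` does) against `admin_policy` would test the structure instead of the whitespace.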
@@ -9,7 +9,7 @@
 facts
 end
- describe "rundeck::config::plugin definition without any parameters on #{os}" do
+ context 'install rundeck hipchat plugin' do
 name = 'rundeck-hipchat-plugin-1.0.0.jar'
 source = 'http://search.maven.org/remotecontent?filepath=com/hbakkum/rundeck/plugins/rundeck-hipchat-plugin/1.0.0/rundeck-hipchat-plugin-1.0.0.jar'
 plugin_dir = '/var/lib/rundeck/libext'
@@ -36,7 +36,7 @@
 end
 end
- describe "rundeck::config::plugin definition with ensure set to absent on #{os}" do
+ context 'make rundeck hipchat plugin absent' do
 name = 'rundeck-hipchat-plugin-1.0.0.jar'
 source = 'http://search.maven.org/remotecontent?filepath=com/hbakkum/rundeck/plugins/rundeck-hipchat-plugin/1.0.0/rundeck-hipchat-plugin-1.0.0.jar'
 plugin_dir = '/var/lib/rundeck/libext'
diff --git a/templates/framework.properties.epp b/templates/framework.properties.epp
index 188aa4caa..f4241c085 100644
--- a/templates/framework.properties.epp
+++ b/templates/framework.properties.epp
@@ -1,3 +1,3 @@
-<%- $_framework_config.keys.unique.sort.each |$k| { -%>
-<%= $k %> = <%= $_framework_config[$k] %>
+<%- $_framework_config.each |$_k, $_v| { -%>
+<%= $_k %> = <%= $_v %>
 <%- } -%>
diff --git a/templates/jaas-auth.conf.epp b/templates/jaas-loginmodule.conf.epp
similarity index 100%
rename from templates/jaas-auth.conf.epp
rename to templates/jaas-loginmodule.conf.epp
diff --git a/templates/rundeck-config.properties.epp b/templates/rundeck-config.properties.epp
index 651f56230..0736c6ddc 100644
--- a/templates/rundeck-config.properties.epp
+++ b/templates/rundeck-config.properties.epp
@@ -46,7 +46,7 @@ grails.mail.<%= $_k %> = <%= $_v %>
 <%- } -%>
 <%- $rundeck::security_config.each |$_k, $_v| {-%>
-<%= $k %> = <%= $rundeck::security_config[$k] %>
+rundeck.security.<%= $_k %> = <%= $_v %>
 <%- } -%>
 <%- $rundeck::preauthenticated_config.each |$_k, $_v| { -%>
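Review bot: Dropping `.keys.unique.sort` in `framework.properties.epp` changes the rendered order from sorted keys to the insertion order of `$_framework_config`, which is built by a merge outside this hunk; Puppet hash iteration is deterministic, but the first run after this change rewrites every managed `framework.properties` and, since `rundeck::config` notifies `rundeck::service`, restarts Rundeck once for a purely cosmetic reordering. If stable output is preferred, `<%- $_framework_config.keys.sort.each |$_k| { -%>` with `<%= $_k %> = <%= $_framework_config[$_k] %>` keeps the old ordering while still removing the redundant `unique`.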
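Review bot: Prefixing `rundeck.security.` (and `rundeck.gui.` in the `@@ -54,5 +54,5 @@` hunk that follows) onto every key is a silent contract change for `rundeck::security_config` and `rundeck::gui_config`: a caller who already passes fully qualified keys now gets `rundeck.security.rundeck.security.<key>`, which Rundeck will not recognise, so a hardening option the operator believes is set quietly stays at its default. The old line referenced `$k`, which is not the block parameter, so it was already broken and this is a fix; but the parameter docs in `REFERENCE.md` (touched by this commit, though the relevant entries are not visible here) should state that keys are given relative to the prefix. Alternatively make the template tolerant of both forms: `rundeck.security.<%= regsubst($_k, '^rundeck\.security\.', '') %> = <%= $_v %>`.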
@@ -54,5 +54,5 @@ rundeck.security.authorization.preauthenticated.<%= $_k %> = <%= $_v %>
 <%- } -%>
 <%- $rundeck::gui_config.each |$_k, $_v| {-%>
-<%= $_k %> = <%= $_v %>
+rundeck.gui.<%= $_k %> = <%= $_v %>
 <%- } -%>