Commit f91d4312 authored by Fabien Combernous

Merge branch '19-use-puppet-datatype-fully' into 'master'

Resolve "use puppet datatype fully"

Closes #19

See merge request adullact/puppet-freeipa!23
parents 3eb9883e 1043f869
......@@ -17,7 +17,6 @@
* [`freeipa::install::server::master`](#freeipainstallservermaster): Installs freeipa server as master
* [`freeipa::install::server::replica`](#freeipainstallserverreplica): Installs freeipa server as replica
* [`freeipa::install::sssd`](#freeipainstallsssd): A short summary of the purpose of this class
* [`freeipa::validate_params`](#freeipavalidate_params): Validates input configs from init.pp.
**Defined types**
......@@ -54,36 +53,28 @@ The following parameters are available in the `freeipa` class.
##### `domain`
Data type: `String`
Data type: `Stdlib::Fqdn`
The name of the IPA domain to create or join.
Default value: 'default'
##### `ipa_role`
Data type: `String`
Data type: `Enum['master','replica','client']`
What role the node will be. Options are 'master', 'replica', and 'client'.
Default value: 'default'
##### `admin_password`
Data type: `String`
Data type: `String[8]`
Password which will be assigned to the IPA account named 'admin'.
Default value: ''
##### `directory_services_password`
Data type: `String`
Data type: `String[8]`
Password which will be passed into the ipa setup's parameter named "--ds-password".
Default value: ''
##### `autofs_package_name`
Data type: `String`
......@@ -124,21 +115,21 @@ Each element in this array is prefixed with '--forwarder' and passed to the IPA
Default value: []
##### `domain_join_principal`
##### `principal_usedto_joindomain`
Data type: `String`
The principal (usually username) used to join a client or replica to the IPA domain.
Default value: ''
Default value: 'admin'
##### `domain_join_password`
##### `password_usedto_joindomain`
Data type: `String`
The password for the domain_join_principal.
Default value: ''
Default value: $directory_services_password
##### `enable_hostname`
......@@ -166,7 +157,7 @@ Default value: `false`
##### `idstart`
Data type: `Integer`
Data type: `Integer[10000]`
From the IPA man pages: "The starting user and group id number".
......@@ -210,7 +201,7 @@ Data type: `String`
Name of the IPA client package.
Default value: $::osfamily
Default value: $facts['os']['family']
##### `ipa_server_package_name`
......@@ -246,19 +237,17 @@ Default value: `true`
##### `ip_address`
Data type: `String`
Data type: `Stdlib::IP::Address::V4`
IP address to pass to the IPA installer.
Default value: ''
##### `ipa_server_fqdn`
Data type: `String`
Data type: `Stdlib::Fqdn`
Actual fqdn of the IPA server or client.
Default value: $::fqdn
Default value: $facts['fqdn']
##### `kstart_package_name`
......@@ -274,16 +263,14 @@ Data type: `String`
Name of the ldaputils package.
Default value: $::osfamily
Default value: $facts['os']['family']
##### `ipa_master_fqdn`
Data type: `String`
Data type: `Stdlib::Fqdn`
FQDN of the server to use for a client or replica domain join.
Default value: ''
##### `manage_host_entry`
Data type: `Boolean`
......@@ -310,11 +297,11 @@ Default value: `false`
##### `realm`
Data type: `String`
Data type: `Stdlib::Fqdn`
The name of the IPA realm to create or join.
Default value: ''
Default value: $domain
##### `server_install_ldaputils`
......@@ -366,7 +353,7 @@ Default value: `false`
##### `webui_proxy_external_fqdn`
Data type: `String`
Data type: `Stdlib::Fqdn`
The public or external FQDN used to access the IPA Web UI behind the reverse proxy.
......@@ -521,19 +508,6 @@ Install sssd package
include freeipa::install::sssd
```
### freeipa::validate_params
A description of what this class does
Validates input configs from init.pp.
#### Examples
#####
```puppet
include freeipa::validate_params
```
## Defined types
### freeipa::helpers::flushcache
......
......@@ -51,7 +51,7 @@ class freeipa::config::admin_user {
exec { 'configure_admin_keytab':
command => $configure_admin_keytab_cmd,
cwd => $home_dir_path,
unless => shellquote('/usr/bin/kvno','-k',"${home_dir_path}/admin.keytab","admin@${freeipa::final_realm}"),
unless => shellquote('/usr/bin/kvno','-k',"${home_dir_path}/admin.keytab","admin@${freeipa::realm}"),
notify => Exec['chown_admin_keytab'],
refreshonly => true,
require => Cron['k5start_admin'],
......@@ -67,7 +67,7 @@ class freeipa::config::admin_user {
}
$k5start_admin_keytab_cmd = "/sbin/runuser -l admin -c \"/usr/bin/k5start -f ${home_dir_path}/admin.keytab -U\""
$k5start_admin_keytab_cmd_unless = "/sbin/runuser -l admin -c /usr/bin/klist | grep -i krbtgt\\/${freeipa::final_realm}\\@"
$k5start_admin_keytab_cmd_unless = "/sbin/runuser -l admin -c /usr/bin/klist | grep -i krbtgt\\/${freeipa::realm}\\@"
exec { 'k5start_admin_keytab':
command => $k5start_admin_keytab_cmd,
cwd => $home_dir_path,
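Review bot: The `unless` guard rebuilt on L129 only greps `klist` output for a `krbtgt/REALM@` entry, and MIT `klist` lists expired tickets too, so if this exec is meant to (re)establish the admin TGT it is skipped as long as a stale entry sits in the cache. `klist -s` exits non-zero when the cache holds no unexpired TGT, so prepending it keeps the realm check while rejecting expired credentials: `$k5start_admin_keytab_cmd_unless = "/sbin/runuser -l admin -c '/usr/bin/klist -s' && /sbin/runuser -l admin -c /usr/bin/klist | grep -i krbtgt\\/${freeipa::realm}\\@"`. Since `$freeipa::realm` is now `Stdlib::Fqdn`-typed the unquoted interpolation into the pipeline is limited to `[A-Za-z0-9.-]`, which is fine for a shell word, though the unescaped `.` still acts as a regex wildcard in the grep pattern. The `k5start_admin_keytab` exec resource starting on L130 continues past the end of the hunk.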
......
......@@ -17,8 +17,8 @@
# Also, triggers the install of the required dns server packages.
# @param configure_ntp If false, then the parameter '--no-ntp' is passed to the IPA server installer.
# @param custom_dns_forwarders Each element in this array is prefixed with '--forwarder' and passed to the IPA server installer.
# @param domain_join_principal The principal (usually username) used to join a client or replica to the IPA domain.
# @param domain_join_password The password for the domain_join_principal.
# @param principal_usedto_joindomain The principal (usually username) used to join a client or replica to the IPA domain.
# @param password_usedto_joindomain The password for the domain_join_principal.
# @param enable_hostname If true, then the parameter '--hostname' is populated with the parameter 'ipa_server_fqdn'
# and passed to the IPA installer.
# @param enable_ip_address If true, then the parameter '--ip-address' is populated with the parameter 'ip_address'
......@@ -58,93 +58,74 @@
#
#
class freeipa (
String $domain = 'default',
String $ipa_role = 'default',
String $admin_password = '',
String $directory_services_password = '',
String $autofs_package_name = 'autofs',
Boolean $client_install_ldaputils = false,
Boolean $configure_dns_server = true,
Boolean $configure_ntp = true,
Array[String] $custom_dns_forwarders = [],
String $domain_join_principal = '',
String $domain_join_password = '',
Boolean $enable_hostname = true,
Boolean $enable_ip_address = false,
Boolean $fixed_primary = false,
Integer $idstart = 10000,
Boolean $install_autofs = false,
Boolean $install_epel = true,
Boolean $install_kstart = true,
Boolean $install_sssdtools = true,
String $ipa_client_package_name = $::osfamily ? {
Stdlib::Fqdn $domain,
Enum['master','replica','client'] $ipa_role,
String[8] $admin_password,
String[8] $directory_services_password,
Stdlib::IP::Address::V4 $ip_address,
Stdlib::Fqdn $ipa_master_fqdn,
Stdlib::Fqdn $realm = upcase($domain),
String $autofs_package_name = 'autofs',
Boolean $client_install_ldaputils = false,
Boolean $configure_dns_server = true,
Boolean $configure_ntp = true,
Array[String] $custom_dns_forwarders = [],
String $principal_usedto_joindomain = 'admin',
String $password_usedto_joindomain = $directory_services_password,
Boolean $enable_hostname = true,
Boolean $enable_ip_address = false,
Boolean $fixed_primary = false,
Integer[10000] $idstart = 10000,
Boolean $install_autofs = false,
Boolean $install_epel = true,
Boolean $install_kstart = true,
Boolean $install_sssdtools = true,
String $ipa_client_package_name = $facts['os']['family'] ? {
'Debian' => 'freeipa-client',
default => 'ipa-client',
},
String $ipa_server_package_name = 'ipa-server',
Boolean $install_ipa_client = true,
Boolean $install_ipa_server = true,
Boolean $install_sssd = true,
String $ip_address = '',
String $ipa_server_fqdn = $::fqdn,
String $kstart_package_name = 'kstart',
String $ldaputils_package_name = $::osfamily ? {
String $ipa_server_package_name = 'ipa-server',
Boolean $install_ipa_client = true,
Boolean $install_ipa_server = true,
Boolean $install_sssd = true,
Stdlib::Fqdn $ipa_server_fqdn = $facts['fqdn'],
String $kstart_package_name = 'kstart',
String $ldaputils_package_name = $facts['os']['family'] ? {
'Debian' => 'ldap-utils',
default => 'openldap-clients',
},
String $ipa_master_fqdn = '',
Boolean $manage_host_entry = false,
Boolean $mkhomedir = true,
Boolean $no_ui_redirect = false,
String $realm = '',
Boolean $server_install_ldaputils = true,
String $sssd_package_name = 'sssd-common',
String $sssdtools_package_name = 'sssd-tools',
Boolean $webui_disable_kerberos = false,
Boolean $webui_enable_proxy = false,
Boolean $webui_force_https = false,
String $webui_proxy_external_fqdn = 'localhost',
String $webui_proxy_https_port = '8440',
Boolean $manage_host_entry = false,
Boolean $mkhomedir = true,
Boolean $no_ui_redirect = false,
Boolean $server_install_ldaputils = true,
String $sssd_package_name = 'sssd-common',
String $sssdtools_package_name = 'sssd-tools',
Boolean $webui_disable_kerberos = false,
Boolean $webui_enable_proxy = false,
Boolean $webui_force_https = false,
Stdlib::Fqdn $webui_proxy_external_fqdn = 'localhost',
String $webui_proxy_https_port = '8440',
) {
if $facts['kernel'] != 'Linux' or $facts['osfamily'] == 'Windows' {
fail('This module is only supported on Linux.')
}
if $realm != '' {
$final_realm = $realm
} else {
$final_realm = upcase($domain)
}
$master_principals = suffix(
prefix(
[$ipa_server_fqdn],
'host/'
),
"@${final_realm}"
"@${realm}"
)
if $domain_join_principal != '' {
$final_domain_join_principal = $domain_join_principal
} else {
$final_domain_join_principal = 'admin'
}
if $domain_join_password != '' {
$final_domain_join_password = $domain_join_password
} else {
$final_domain_join_password = $directory_services_password
}
if $ipa_role == 'client' {
$final_configure_dns_server = false
} else {
$final_configure_dns_server = $configure_dns_server
}
class {'::freeipa::validate_params':}
-> class {'::freeipa::install':}
class {'::freeipa::install':}
}
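Review bot: `admin_password` and `directory_services_password` (L171-L172) are now mandatory `String[8]` for every role, whereas the deleted `freeipa::validate_params` only required them when `ipa_role == 'master'`, so a client or replica catalog must now carry the Directory Manager and admin passwords it never uses (the client specs in this commit show exactly that), spreading those secrets to every enrolled node's catalog, reports and wherever those are stored. Least privilege is kept by declaring both as `Optional[String[8]] … = undef` and failing inside the class only for the master role; `password_usedto_joindomain` then becomes `Optional[String[8]]` with its own check for client/replica, because its default can no longer rely on the DS password being set. Independently, Puppet's `Sensitive[String[8]]` type would redact these values from logs and reports, at the cost of calling `.unwrap` where the install classes build their commands. The doc comment on L141 still names the removed parameter; it should read `# @param password_usedto_joindomain The password for principal_usedto_joindomain.`
```puppet
class freeipa (
  Stdlib::Fqdn                        $domain,
  Enum['master','replica','client']   $ipa_role,
  Optional[String[8]]                 $admin_password              = undef,
  Optional[String[8]]                 $directory_services_password = undef,
  # … unchanged: ip_address, ipa_master_fqdn, realm and the package/boolean parameters …
  String                              $principal_usedto_joindomain = 'admin',
  Optional[String[8]]                 $password_usedto_joindomain  = $directory_services_password,
  # … unchanged: remaining parameters …
) {
  # … unchanged: Linux-only guard …

  # Secrets are only required by the role that consumes them, so a client or
  # replica catalog never has to carry the master's Directory Manager password.
  if $ipa_role == 'master' and ($admin_password =~ Undef or $directory_services_password =~ Undef) {
    fail('When ipa_role is master, admin_password and directory_services_password are mandatory.')
  }
  if $ipa_role != 'master' and $password_usedto_joindomain =~ Undef {
    fail("When ipa_role is ${ipa_role}, password_usedto_joindomain is mandatory.")
  }
  # … unchanged: master_principals, final_configure_dns_server, include of freeipa::install …
}
```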
......@@ -41,10 +41,10 @@ class freeipa::install::client {
$client_install_cmd = "/usr/sbin/ipa-client-install \
--server=${freeipa::ipa_master_fqdn} \
--realm=${freeipa::final_realm} \
--realm=${freeipa::realm} \
--domain=${freeipa::domain} \
--principal='${freeipa::final_domain_join_principal}' \
--password='${freeipa::final_domain_join_password}' \
--principal='${freeipa::principal_usedto_joindomain}' \
--password='${freeipa::password_usedto_joindomain}' \
${client_install_cmd_opts_mkhomedir} \
${client_install_cmd_opts_fixed_primary} \
${client_install_cmd_opts_no_ntp} \
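Review bot: `--principal='${freeipa::principal_usedto_joindomain}'` and `--password='${freeipa::password_usedto_joindomain}'` (L281-L282) splice unconstrained `String` values into single-quoted shell words, so a principal or password containing `'` ends the quoting and the remainder is parsed as shell syntax when Puppet's exec hands the command to `/bin/sh`; the type work in this commit does not cover these two parameters. The module already uses `shellquote` for the kvno command in `freeipa::config::admin_user`, so the same helper fits here: `--principal=${shellquote($freeipa::principal_usedto_joindomain)} \` and `--password=${shellquote($freeipa::password_usedto_joindomain)} \`. Separately, a password passed as an argv element is readable in the process listing for the duration of ipa-client-install and would surface in agent debug output or a failing exec's logged command — presumably accepted for this module, but worth a one-line comment above the assignment. The `$client_install_cmd` assignment starts at L274 and continues past the end of the hunk.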
......
......@@ -9,7 +9,7 @@ class freeipa::install::server::master {
$server_install_cmd = "\
/usr/sbin/ipa-server-install \
${freeipa::install::server::server_install_cmd_opts_hostname} \
--realm=${freeipa::final_realm} \
--realm=${freeipa::realm} \
--domain=${freeipa::domain} \
--admin-password='${freeipa::admin_password}' \
--ds-password='${freeipa::directory_services_password}' \
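Review bot: The `--admin-password='${freeipa::admin_password}'` and `--ds-password='${freeipa::directory_services_password}'` arguments on L294-L295 are still interpolated into single-quoted shell words while the new `String[8]` type only constrains length, so an admin or Directory Manager password containing `'` (a realistic case for a generated secret) terminates the quoting and the rest of the value is interpreted by the shell. Using the `shellquote` helper this module already relies on in `freeipa::config::admin_user` closes that: `--admin-password=${shellquote($freeipa::admin_password)} \` and `--ds-password=${shellquote($freeipa::directory_services_password)} \`. The `$server_install_cmd` assignment starts at L288 and runs past the end of the hunk.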
......
......@@ -6,10 +6,10 @@
# include freeipa::install::server::replica
class freeipa::install::server::replica {
$replica_install_cmd = "/usr/sbin/ipa-replica-install \
--principal=${freeipa::final_domain_join_principal} \
--admin-password='${freeipa::final_domain_join_password}' \
--principal=${freeipa::principal_usedto_joindomain} \
--admin-password='${freeipa::password_usedto_joindomain}' \
${freeipa::install::server::server_install_cmd_opts_hostname} \
--realm=${freeipa::final_realm} \
--realm=${freeipa::realm} \
--domain=${freeipa::domain} \
--server=${freeipa::ipa_master_fqdn} \
${freeipa::install::server::server_install_cmd_opts_setup_dns} \
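Review bot: `--principal=${freeipa::principal_usedto_joindomain}` on L303 is interpolated with no quoting at all, unlike `--admin-password='…'` on the next line, so a principal containing whitespace or shell metacharacters is split or interpreted by the shell, and the single-quoted password on L304 still breaks on an embedded `'`; neither value is constrained by the new types. Quote both with the `shellquote` helper already used in `freeipa::config::admin_user`: `--principal=${shellquote($freeipa::principal_usedto_joindomain)} \` and `--admin-password=${shellquote($freeipa::password_usedto_joindomain)} \`. Note also that `ipa-replica-install --admin-password` expects the IPA admin's Kerberos password, while `password_usedto_joindomain` defaults to `$directory_services_password` in init.pp, which presumably only works when both are set to the same value as the specs do — worth a comment on the parameter. The `$replica_install_cmd` assignment starts at L300 and continues past the end of the hunk.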
......
# A description of what this class does
# Validates input configs from init.pp.
#
# @summary Validates input configs from init.pp.
#
# @example
# include freeipa::validate_params
class freeipa::validate_params {
case $freeipa::ipa_role {
'client': {}
'master': {}
'replica': {}
default: {fail('The parameter ipa_role must be set to client, master, or replica.')}
}
if $freeipa::ip_address != '' {
# TODO: validate_legacy
if !is_ipv4_address($freeipa::ip_address) {
fail('The parameter ip_address must pass validation as an IPv4 address.')
}
}
if $freeipa::manage_host_entry {
if $freeipa::ip_address == '' {
fail('When using the parameter manage_host_entry, the parameter ip_address is mandatory.')
}
}
if $freeipa::idstart < 10000 {
fail('Parameter "idstart" must be an integer greater than 10000.')
}
# TODO: validate_legacy
if ! is_domain_name($freeipa::domain) {
fail('The parameter \'domain\' must pass validation as a domain name.')
}
# TODO: validate_legacy
if ! is_domain_name($freeipa::final_realm) {
fail('The parameter \'realm\' must pass validation as a domain name.')
}
if $freeipa::ipa_role == 'master' {
if length($freeipa::admin_password) < 8 {
fail('When ipa_role is set to master, the parameter admin_password must be populated and at least of length 8.')
}
if length($freeipa::directory_services_password) < 8 {
fail("\
When ipa_role is set to master, the parameter directory_services_password \
must be populated and at least of length 8."
)
}
}
if $freeipa::ipa_role != 'master' { # if replica or client
# TODO: validate_legacy
if $freeipa::ipa_master_fqdn == ''{
fail("When creating a ${freeipa::ipa_role} the parameter named ipa_master_fqdn cannot be empty.")
} elsif !is_domain_name($freeipa::ipa_master_fqdn) {
fail('The parameter \'ipa_master_fqdn\' must pass validation as a domain name.')
}
if $freeipa::final_domain_join_password == '' {
fail("When creating a ${freeipa::ipa_role} the parameter named domain_join_password cannot be empty.")
}
}
}
......@@ -24,7 +24,8 @@ describe 'freeipa class' do
install_epel => true,
webui_disable_kerberos => true,
webui_enable_proxy => true,
webui_force_https => true
webui_force_https => true,
ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan',
}
EOS
......@@ -49,7 +50,9 @@ describe 'freeipa class' do
ipa_role => 'replica',
domain => 'vagrant.example.lan',
ipa_server_fqdn => 'ipa-server-2.vagrant.example.lan',
domain_join_password => 'vagrant123',
admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
password_usedto_joindomain => 'vagrant123',
install_ipa_server => true,
ip_address => '192.168.44.36',
enable_ip_address => true,
......@@ -80,7 +83,10 @@ describe 'freeipa class' do
class {'freeipa':
ipa_role => 'client',
domain => 'vagrant.example.lan',
domain_join_password => 'vagrant123',
admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
password_usedto_joindomain => 'vagrant123',
ip_address => '192.168.44.37',
install_epel => true,
ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan'
}
......@@ -111,7 +117,7 @@ describe 'freeipa class' do
end
it 'adds the public key in freeipa to toto' do
on(master, 'key=`cat /root/.ssh/id_rsa.pub`; ipa user-mod toto --sshpubkey=\"$key\"')
on(master, 'key=`cat /root/.ssh/id_rsa.pub`; ipa user-mod toto --sshpubkey="$key"')
end
# Add HBAC Rule to give all ipa users access to ipa-client-centos
......
......@@ -11,9 +11,11 @@ describe 'freeipa::config::admin_user' do
ipa_role => 'master',
ipa_master_fqdn => 'master.example.com',
ipa_server_fqdn => 'foo.example.com',
domain_join_password => 'foobartest',
domain => 'vagrant.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '192.168.44.35',
}
EOS
manifest
......
......@@ -11,9 +11,11 @@ describe 'freeipa::config::webui' do
ipa_role => 'master',
ipa_master_fqdn => 'master.example.com',
ipa_server_fqdn => 'foo.example.com',
domain_join_password => 'foobartest',
domain => 'vagrant.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '192.168.44.35',
}
EOS
manifest
......
......@@ -10,7 +10,11 @@ describe 'freeipa' do
{
ipa_role: 'client',
ipa_master_fqdn: 'foo.example.com',
domain_join_password: 'foobartest'
domain: 'vagrant.lan',
password_usedto_joindomain: 'foobartest',
admin_password: 'vagrant123',
directory_services_password: 'vagrant123',
ip_address: '192.168.44.35'
}
end
......
......@@ -5,20 +5,22 @@ require 'spec_helper'
describe 'freeipa::install::autofs' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts }
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'master',
ipa_master_fqdn => 'master.example.com',
ipa_server_fqdn => 'foo.example.com',
domain_join_password => 'foobartest',
domain => 'vagrant.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '192.168.44.35',
}
EOS
manifest
end
let(:facts) { os_facts }
it { is_expected.to compile }
end
......
......@@ -5,19 +5,22 @@ require 'spec_helper'
describe 'freeipa::install::client' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts }
let(:pre_condition) do
manifest = <<-EOS
class{'freeipa':
ipa_role => 'client',
ipa_master_fqdn => 'foo.example.com',
domain_join_password => 'foobartest',
install_ipa_client => true,
install_ipa_server => false
class{ 'freeipa' :
ipa_role => 'client',
ipa_master_fqdn => 'master.example.com',
ipa_server_fqdn => 'foo.example.com',
domain => 'vagrant.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '192.168.44.35',
}
EOS
manifest
end
let(:facts) { os_facts }
it { is_expected.to compile }
end
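Review bot: The client pre_condition no longer sets `install_ipa_server => false` (removed at L490), so this spec now compiles a client catalog with the class default `install_ipa_server => true` and nothing in the visible specs still covers the client-without-server combination the previous version exercised. Restoring `install_ipa_server => false,` in the manifest keeps that coverage and matches what a real client node should receive. The spec now also passes `admin_password` and `directory_services_password` to a client, which only reflects the new mandatory parameters in init.pp rather than anything a client needs.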
......
......@@ -11,14 +11,15 @@ describe 'freeipa::install::server::master' do
ipa_role => 'master',
ipa_master_fqdn => 'master.example.com',
ipa_server_fqdn => 'foo.example.com',
domain_join_password => 'foobartest',
domain => 'vagrant.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '192.168.44.35',
}
EOS
manifest
end
let(:facts) { os_facts }
it { is_expected.to compile }
......
......@@ -11,9 +11,11 @@ describe 'freeipa::install::server::replica' do
ipa_role => 'replica',
ipa_master_fqdn => 'master.example.com',
ipa_server_fqdn => 'foo.example.com',
domain_join_password => 'foobartest',
domain => 'vagrant.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '192.168.44.35',
}
EOS
manifest
......
......@@ -5,20 +5,22 @@ require 'spec_helper'
describe 'freeipa::install::server' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts }
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'replica',
ipa_role => 'master',
ipa_master_fqdn => 'master.example.com',
ipa_server_fqdn => 'foo.example.com',
domain_join_password => 'foobartest',
domain => 'vagrant.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '192.168.44.35',
}
EOS
manifest
end
let(:facts) { os_facts }
it { is_expected.to compile }
end
......
......@@ -5,22 +5,23 @@ require 'spec_helper'
describe 'freeipa::install::sssd' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts }
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'master',
ipa_master_fqdn => 'master.example.com',
ipa_server_fqdn => 'foo.example.com',