diff --git a/manifests/config.pp b/manifests/config.pp
index 2d74ba45..8fdf38f1 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -89,7 +89,11 @@
 contain foreman_proxy::module::puppetca
 foreman_proxy::provider { ['puppetca_hostname_whitelisting', 'puppetca_token_whitelisting']: }
- foreman_proxy::provider { ['puppetca_http_api', 'puppetca_puppet_cert']:
+ foreman_proxy::provider { 'puppetca_http_api':
+ }
+ # Foreman Proxy 3.4 dropped puppetca_puppet_cert
+ foreman_proxy::provider { 'puppetca_puppet_cert':
+ ensure => absent,
 }
 contain foreman_proxy::module::realm
@@ -104,29 +108,8 @@
 contain foreman_proxy::module::registration
- if $foreman_proxy::puppetca or $foreman_proxy::puppet {
- $uses_sudo = $foreman_proxy::puppetca and versioncmp($facts['puppetversion'], '6.0') < 0
-
- if $foreman_proxy::use_sudoersd {
- if $uses_sudo and $foreman_proxy::manage_sudoersd {
- ensure_resource('file', "${foreman_proxy::sudoers}.d", { 'ensure' => 'directory' })
- }
-
- file { "${foreman_proxy::sudoers}.d/foreman-proxy":
- ensure => bool2str($uses_sudo, 'file', 'absent'),
- owner => 'root',
- group => 0,
- mode => '0440',
- content => template('foreman_proxy/sudo.erb'),
- }
- } elsif $foreman_proxy::use_sudoers {
- augeas { 'sudo-foreman-proxy':
- context => "/files${foreman_proxy::sudoers}",
- changes => template('foreman_proxy/sudo_augeas.erb'),
- }
- }
- } else {
- # The puppet-agent (puppet 4 AIO package) doesn't create a puppet user and group
+ unless $foreman_proxy::puppetca or $foreman_proxy::puppet {
+ # The puppet-agent doesn't create a puppet user and group
 # but the foreman proxy still needs to be able to read the agent's private key
 if $foreman_proxy::manage_puppet_group and $foreman_proxy::ssl {
 if !defined(Group[$foreman_proxy::puppet_group]) {
diff --git a/manifests/init.pp b/manifests/init.pp
index 2fb20821..212e8d79 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
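Review bot: The comment on the new `puppetca_puppet_cert` resource says why the provider went away but not why the resource is kept with `ensure => absent`, which is the part a later maintainer will want to delete; I'd write it as `# Foreman Proxy 3.4 dropped puppetca_puppet_cert; kept as ensure => absent so upgraded hosts lose the stale settings file - remove once upgrades from older releases are no longer supported`. As a point of style, the now single-element `puppetca_http_api` declaration is spread over two lines while the whitelisting declaration just above uses the one-line form; `foreman_proxy::provider { 'puppetca_http_api': }` keeps the two consistent. The enclosing class body continues outside the hunk.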
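Review bot: Removing the `file { "${foreman_proxy::sudoers}.d/foreman-proxy": ... }` resource and the `augeas { 'sudo-foreman-proxy': ... }` branch outright leaves any sudo rule an earlier release installed in place and unmanaged: the deleted templates granted the proxy user `ALL = (root) NOPASSWD : <puppetca_cmd> *`, and on Puppet >= 6 hosts that rule was only revoked because the resource still existed with `ensure => bool2str($uses_sudo, 'file', 'absent')`, so a host last managed under Puppet < 6 that jumps straight to this release can keep a passwordless-root grant nobody revokes. I'd keep a cleanup resource for at least one release, `file { '/etc/sudoers.d/foreman-proxy': ensure => absent, }` (the `$foreman_proxy::sudoers` value the old path was built from is dropped in the params.pp hunk, so the path has to be spelled out or that parameter kept), and keep the `contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('absent')` assertion that the spec hunk at `@@ -321,27 +318,6 @@` deletes. Entries the augeas branch wrote into `/etc/sudoers` have no one-line equivalent; at minimum the release notes should tell operators to remove them. The `unless` block that replaces the old `else` branch continues past the end of the hunk.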
@@ -48,13 +48,6 @@ # # $trusted_hosts:: Only hosts listed will be permitted, empty array to disable authorization # -# $manage_sudoersd:: Whether to manage File['/etc/sudoers.d'] or not. When reusing this module, this may be -# disabled to let a dedicated sudo module manage it instead. -# -# $use_sudoersd:: Add a file to /etc/sudoers.d (true). -# -# $use_sudoers:: Add contents to /etc/sudoers (true). This is ignored if $use_sudoersd is true. -# # $puppetca:: Enable Puppet CA feature # # $puppetca_listen_on:: Protocols for the Puppet CA feature to listen on @@ -65,8 +58,6 @@ # # $puppetdir:: Puppet var directory # -# $puppetca_cmd:: Puppet CA command to be allowed in sudoers -# # $puppet_group:: Groups of Foreman proxy user # # $autosignfile:: Hostname-Whitelisting only: Location of puppets autosign.conf @@ -308,14 +299,10 @@ Array[String] $trusted_hosts = $foreman_proxy::params::trusted_hosts, Array[String] $ssl_disabled_ciphers = [], Array[String] $tls_disabled_versions = [], - Boolean $manage_sudoersd = true, - Boolean $use_sudoersd = true, - Boolean $use_sudoers = true, Boolean $puppetca = true, Foreman_proxy::ListenOn $puppetca_listen_on = 'https', Stdlib::Absolutepath $ssldir = $foreman_proxy::params::ssldir, Stdlib::Absolutepath $puppetdir = $foreman_proxy::params::puppetdir, - String $puppetca_cmd = $foreman_proxy::params::puppetca_cmd, String $puppet_group = 'puppet', String $puppetca_provider = 'puppetca_hostname_whitelisting', Stdlib::Absolutepath $autosignfile = $foreman_proxy::params::autosignfile, diff --git a/manifests/params.pp b/manifests/params.pp index fe4e16e0..430df520 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
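Review bot: Deleting `$manage_sudoersd`, `$use_sudoersd`, `$use_sudoers` and `$puppetca_cmd` from the parameter list in the `@@ -308,14 +299,10 @@` hunk is a breaking change to the class interface: an explicit `class { 'foreman_proxy': use_sudoersd => false }` declaration now fails compilation with an unknown-parameter error, while Hiera keys for the four names are silently ignored rather than rejected. Either call this out as a major-version change in the changelog and README, or keep the four names for one release as no-op parameters (`Optional[Boolean] $use_sudoersd = undef,` and likewise for the others) with a `warning()` when one is set, so users get a pointer instead of a compile failure. The parameter list starts and ends outside the hunk.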
@@ -130,13 +130,10 @@
 # Only hosts listed will be permitted, empty array to disable authorization
 $trusted_hosts = [$lower_fqdn]
- $sudoers = "${etc}/sudoers"
-
 # puppet settings
 $puppet_url = "https://${facts['networking']['fqdn']}:8140"
 # puppetca settings
- $puppetca_cmd = "${puppet_cmd} cert"
 $autosignfile = "${puppetdir}/autosign.conf"
 # Template settings
diff --git a/spec/classes/foreman_proxy__spec.rb b/spec/classes/foreman_proxy__spec.rb
index b7436c43..e54119ee 100644
--- a/spec/classes/foreman_proxy__spec.rb
+++ b/spec/classes/foreman_proxy__spec.rb
@@ -228,7 +228,7 @@
 '---',
 ':enabled: https',
 ':use_provider: puppetca_hostname_whitelisting',
- ":puppet_version: #{Puppet.version}",
+ ":puppet_version: '6.0'",
 ])
 end
@@ -242,11 +242,8 @@
 ])
 end
- it 'should generate correct puppetca_puppet_cert.yml' do
- verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_puppet_cert.yml", [
- '---',
- ":ssldir: #{ssl_dir}",
- ])
+ it 'should remove puppetca_puppet_cert.yml' do
+ is_expected.to contain_file("#{etc_dir}/foreman-proxy/settings.d/puppetca_puppet_cert.yml").with_ensure('absent')
 end
 it 'should generate correct puppetca_hostname_whitelisting.yml' do
@@ -321,27 +318,6 @@
 ])
 end
- it 'should set up sudo rules', if: Puppet.version < '6.0' do
- should contain_file("#{etc_dir}/sudoers.d").with_ensure('directory')
-
- should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with({
- :ensure => 'file',
- :owner => 'root',
- :group => 0,
- :mode => '0440',
- })
-
- verify_exact_contents(catalogue, "#{etc_dir}/sudoers.d/foreman-proxy", [
- "#{proxy_user_name} ALL = (root) NOPASSWD : #{puppetca_command}",
- "Defaults:#{proxy_user_name} !requiretty",
- ])
- end
-
- it 'should not set up sudo rules', if: Puppet.version >= '6.0' do
- should_not contain_file("#{etc_dir}/sudoers.d")
- should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('absent')
- end
-
 it "should not manage puppet group" do
 should_not contain_group('puppet')
 end
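Review bot: The replacement example in the `@@ -242,11 +242,8 @@` hunk uses `is_expected.to contain_file(...)` while the neighbouring examples, including `should_not contain_group('puppet')` a few lines down and the `should contain_file` calls in the block deleted below, use the `should` form, so the file now mixes the two RSpec syntaxes. For consistency within this change write `should contain_file("#{etc_dir}/foreman-proxy/settings.d/puppetca_puppet_cert.yml").with_ensure('absent')`, and migrate the whole file to `is_expected.to` in a separate commit if that is the direction wanted. The enclosing describe/context block starts and ends outside the hunk.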
@@ -736,17 +712,6 @@
 end
 end
- context 'when puppetca_cmd set', if: Puppet.version < '6.0' do
- let(:params) { super().merge(puppetca_cmd: 'pup cert') }
-
- it "should set puppetca_cmd" do
- verify_exact_contents(catalogue, "#{etc_dir}/sudoers.d/foreman-proxy", [
- "#{proxy_user_name} ALL = (root) NOPASSWD : pup cert *",
- "Defaults:#{proxy_user_name} !requiretty",
- ])
- end
- end
-
 context 'with custom puppetca params' do
 let(:params) do
 super().merge(
@@ -764,7 +729,7 @@
 '---',
 ':enabled: https',
 ':use_provider: puppetca_token_whitelisting',
- ":puppet_version: #{Puppet.version}",
+ ":puppet_version: '6.0'",
 ])
 end
diff --git a/templates/puppetca.yml.erb b/templates/puppetca.yml.erb
index 0890e322..7ff70fea 100644
--- a/templates/puppetca.yml.erb
+++ b/templates/puppetca.yml.erb
@@ -8,5 +8,5 @@
 # - puppetca_token_whitelisting (verify CSRs based on a token whitelist)
 :use_provider: <%= scope.lookupvar("foreman_proxy::puppetca_provider") %>
-# Puppet version used
-:puppet_version: <%= @puppetversion %>
+# Using 6.0 forces use of puppetca_http_api
+:puppet_version: '6.0'
diff --git a/templates/sudo.erb b/templates/sudo.erb
deleted file mode 100644
index 93c396d2..00000000
--- a/templates/sudo.erb
+++ /dev/null
@@ -1,2 +0,0 @@
-<%= scope.lookupvar("foreman_proxy::user") %> ALL = (root) NOPASSWD : <%= scope.lookupvar("foreman_proxy::puppetca_cmd") %> *
-Defaults:<%= scope.lookupvar("foreman_proxy::user") %> !requiretty
diff --git a/templates/sudo_augeas.erb b/templates/sudo_augeas.erb
deleted file mode 100644
index e0063c7f..00000000
--- a/templates/sudo_augeas.erb
+++ /dev/null
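Review bot: The new `:puppet_version: '6.0'` line in templates/puppetca.yml.erb needs a comment that explains the value rather than only its effect, because a reader will assume it still reports the agent's version as the replaced `<%= @puppetversion %>` did; the quotes also matter, since an unquoted `6.0` would be loaded by YAML as a Float rather than a version string, and nothing says so. I'd replace the comment with `# Fixed sentinel, not the agent's version: '6.0' makes the proxy pick puppetca_http_api; quoted so YAML keeps it a string`. Whether Foreman Proxy 3.4 still reads `:puppet_version` at all is not visible in the diff; if it no longer does, dropping the key would be cleaner than pinning a placeholder version.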
@@ -1,17 +0,0 @@
-<%-
- user = scope.lookupvar('foreman_proxy::user')
- index = 0
--%>
-<% if @puppetca_sudo
- index += 1
--%>
-set spec[user = '<%= user %>'][<%=index%>]/user <%= user %>
-set spec[user = '<%= user %>'][<%=index%>]/host_group/host ALL
-set spec[user = '<%= user %>'][<%=index%>]/host_group/command '<%= scope.lookupvar('foreman_proxy::puppetca_cmd') %> *'
-set spec[user = '<%= user %>'][<%=index%>]/host_group/command/runas_user root
-set spec[user = '<%= user %>'][<%=index%>]/host_group/command/tag NOPASSWD
-rm spec[user = '<%= user %>'][<%=index%>]/host_group/command[position() > 1]<%# delete any other command in the rule %>
-<% end -%>
-rm spec[user = '<%= user %>'][position() > <%= index %>]<%# delete any other rule for the user %>
-set Defaults[type = ':<%= user %>']/type :<%= user %>
-set Defaults[type = ':<%= user %>']/requiretty/negate ''