Changes for PAM support needed on RHEL7/Centos7 #227

Closed
wants to merge 14 commits into from
17 changes: 10 additions & 7 deletions Gemfile
@@ -1,25 +1,28 @@
source 'https://rubygems.org'
source ENV['GEM_SOURCE'] || "https://rubygems.org"

group :unit_tests do
gem 'rake', :require => false
gem 'rspec-puppet', :require => false
gem 'puppetlabs_spec_helper', :require => false
gem 'puppet-lint', '1.0.1', :require => false
gem 'puppet-lint', :require => false
gem 'puppet-syntax', :require => false
gem 'metadata-json-lint', :require => false
gem 'rspec-puppet-facts', :require => false
end

group :development do
gem 'simplecov', :require => false
gem 'guard-rake', :require => false
# gem 'guard-rake', :require => false
end

if facterversion = ENV['FACTER_GEM_VERSION']
gem 'facter', facterversion, :require => false
else
gem 'facter', :require => false
end

if puppetversion = ENV['PUPPET_GEM_VERSION']
gem 'puppet', puppetversion, :require => false
if puppetversion == "~> 2.7.0"
gem 'hiera-puppet', :require => false
gem 'hiera', :require => false
end
else
gem 'puppet', :require => false
end
20 changes: 7 additions & 13 deletions Rakefile
Expand Up @@ -8,28 +8,22 @@ exclude_paths = [
"spec/**/*",
]

PuppetLint.configuration.relative = true
PuppetLint.configuration.fail_on_warnings
PuppetLint.configuration.ignore_paths = exclude_paths
PuppetLint.configuration.log_format = "%{path}:%{linenumber}:%{check}:%{KIND}:%{message}"
PuppetLint.configuration.send('relative')
PuppetLint.configuration.send('disable_80chars')
PuppetLint.configuration.send('disable_class_inherits_from_params_class')
PuppetSyntax.exclude_paths = exclude_paths
Rake::Task[:lint].clear
PuppetLint::RakeTask.new :lint do |config|
config.ignore_paths = exclude_paths
config.disable_checks = ['140chars']
config.fail_on_warnings = true
end

desc "Run acceptance tests"
RSpec::Core::RakeTask.new(:acceptance) do |t|
t.pattern = 'spec/acceptance'
end

task :metadata do
sh "metadata-json-lint metadata.json"
end

desc "Run syntax, lint, and spec tests."
task :test => [
:syntax,
:lint,
:metadata,
:metadata_lint,
:spec,
]
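Review bot: `task :test` now lists `:metadata_lint`, but this Rakefile no longer defines it — the `task :metadata` that ran `metadata-json-lint` was removed — so the name must come from the rake tasks required above this hunk (presumably puppetlabs_spec_helper); if the bundled helper version predates that task, `rake test` aborts with an unknown-task error rather than linting the metadata. A comment in the dependency list, `:metadata_lint, # provided by puppetlabs_spec_helper/rake_tasks`, would record where it comes from. The Rakefile's `require` lines are above the hunk and not visible here.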
8 changes: 4 additions & 4 deletions manifests/ca.pp
Expand Up @@ -100,13 +100,13 @@
$ssl_key_size = 1024,
$ca_expire = 3650,
$key_expire = 3650,
$key_cn = '',
$key_name = '',
$key_ou = '',
$key_cn = undef,
$key_name = undef,
$key_ou = undef,
I like this change

$tls_auth = false,
) {

include openvpn
include ::openvpn
With puppet4+, the absolute path check is no longer needed, and in fact, include foo is preferred over include ::foo


$group_to_set = $group ? {
false => $openvpn::params::group,
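Review bot: Switching the `$key_cn`, `$key_name` and `$key_ou` defaults from `''` to `undef` changes what the ERB templates receive (nil instead of an empty string), so any template guard written as `if @key_cn != ''` would now emit the directive with an empty value; the templates are not in this diff, so this is an assumption to confirm, and the same applies to the `''` to `undef` switches in the client.pp and server.pp hunks. The hunk also leaves `$ssl_key_size = 1024` as the CA's default; 1024-bit RSA is below current minimum recommendations for a certificate authority, so consider `$ssl_key_size = 2048,` as the default. The enclosing define's header and the rest of its body are outside the hunk.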
32 changes: 16 additions & 16 deletions manifests/client.pp
Expand Up @@ -205,8 +205,8 @@
$authuserpass = false,
$setenv = {},
$setenv_safe = {},
$up = '',
$down = '',
$up = undef,
$down = undef,
$tls_auth = false,
$x509_name = undef,
$sndbuf = undef,
Expand Down Expand Up @@ -242,7 +242,7 @@
warning("Custom expiry time ignored: only integer is accepted but ${expire} is given.")
}
} else {
$env_expire = ''
$env_expire = undef
}

exec { "generate certificate for ${name} in context of ${ca_name}":
Expand Down Expand Up @@ -349,80 +349,80 @@
concat::fragment { "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn/client_config":
target => "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn",
content => template('openvpn/client.erb'),
order => '01'
order => '01',
}

concat::fragment { "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn/ca_open_tag":
target => "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn",
content => "# Authentication \n<ca>\n",
order => '02'
order => '02',
}

concat::fragment { "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn/ca":
target => "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn",
source => "${etc_directory}/openvpn/${server}/download-configs/${name}/keys/${name}/ca.crt",
order => '03'
order => '03',
}

concat::fragment { "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn/ca_close_tag":
target => "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn",
content => "</ca>\n",
order => '04'
order => '04',
}

concat::fragment { "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn/key_open_tag":
target => "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn",
content => "<key>\n",
order => '05'
order => '05',
}

concat::fragment { "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn/key":
target => "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn",
source => "${etc_directory}/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.key",
order => '06'
order => '06',
These should now be updated w/ the switch to Vox

}

concat::fragment { "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn/key_close_tag":
target => "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn",
content => "</key>\n",
order => '07'
order => '07',
}

concat::fragment { "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn/cert_open_tag":
target => "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn",
content => "<cert>\n",
order => '08'
order => '08',
}

concat::fragment { "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn/cert":
target => "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn",
source => "${etc_directory}/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.crt",
order => '09'
order => '09',
}

concat::fragment { "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn/cert_close_tag":
target => "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn",
content => "</cert>\n",
order => '10'
order => '10',
}

if $tls_auth {
concat::fragment { "/etc/openvpn/${server}/download-configs/${name}.ovpn/tls_auth_open_tag":
target => "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn",
content => "<tls-auth>\n",
order => '11'
order => '11',
}

concat::fragment { "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn/tls_auth":
target => "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn",
source => "${etc_directory}/openvpn/${server}/download-configs/${name}/keys/${name}/ta.key",
order => '12'
order => '12',
}

concat::fragment { "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn/tls_auth_close_tag":
target => "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn",
content => "</tls-auth>\nkey-direction 1\n",
order => '13'
order => '13',
}
}
}
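Review bot: The `tls_auth_open_tag` fragment title inside the `if $tls_auth` block hardcodes `/etc/openvpn/${server}/...` while every other fragment in this hunk builds its title from `${etc_directory}`; the title stays unique on platforms where `etc_directory` is not `/etc`, but it reads like a path and diverges from its siblings, so use `concat::fragment { "${etc_directory}/openvpn/${server}/download-configs/${name}.ovpn/tls_auth_open_tag":`. Separately, the assembled `.ovpn` inlines `${name}.key` and `ta.key`, so the `concat` target's owner and mode (declared outside this hunk) are what protect that key material; worth confirming they are restrictive.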
2 changes: 1 addition & 1 deletion manifests/client_specific_config.pp
Expand Up @@ -93,7 +93,7 @@

file { "${::openvpn::params::etc_directory}/openvpn/${server}/client-configs/${name}":
ensure => $ensure,
content => template('openvpn/client_specific_config.erb')
content => template('openvpn/client_specific_config.erb'),
}

}
12 changes: 6 additions & 6 deletions manifests/init.pp
Expand Up @@ -15,7 +15,7 @@
# Hash of defaults for clients passed to openvpn::client defined type.
# Default: {} (hiera_hash)
# [*clients*]
# Hash of clients passed to openvpn::client defined type.
# Hash of clients passed to openvpn::client defined type.
# Default: {} (hiera_hash)
# [*client_specific_config_defaults*]
# Hash of defaults for client specific configurations passed to
Expand Down Expand Up @@ -90,13 +90,13 @@
validate_hash($server_defaults)
validate_hash($servers)

class { 'openvpn::params': } ->
class { 'openvpn::install': } ->
class { 'openvpn::config': } ->
Class['openvpn']
class { '::openvpn::params': } ->
class { '::openvpn::install': } ->
class { '::openvpn::config': } ->
Class['::openvpn']

if ! $::openvpn::params::systemd {
class { 'openvpn::service':
class { '::openvpn::service':
subscribe => [Class['openvpn::config'], Class['openvpn::install'] ],
}
if empty($servers) {
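Review bot: The `subscribe` list under `class { '::openvpn::service':` still uses `Class['openvpn::config']` and `Class['openvpn::install']` while the declarations above it and `Class['::openvpn']` were switched to the `::`-prefixed form; both spellings resolve to the same class, so this is purely a consistency point, but mixing them in one block invites a reader to suspect a difference. Use `subscribe => [Class['::openvpn::config'], Class['::openvpn::install']],`, which also drops the stray space before `]`. The enclosing class continues outside the hunk.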
6 changes: 4 additions & 2 deletions manifests/params.pp
Expand Up @@ -22,7 +22,6 @@
$root_group = 'root'
$group = 'nobody'
$link_openssl_cnf = true
$pam_module_path = '/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so'
$easyrsa_source = '/usr/share/easy-rsa/2.0'
$namespecific_rclink = false

Expand All @@ -31,16 +30,19 @@
$additional_packages = ['easy-rsa']
$ldap_auth_plugin_location = undef
$systemd = true
$pam_module_path = '/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so'
# Redhat/Centos == 6.0
} elsif(versioncmp($::operatingsystemrelease, '6.0') >= 0) and $::operatingsystem != 'Amazon' {
$additional_packages = ['easy-rsa','openvpn-auth-ldap']
$additional_packages = ['easy-rsa', 'openvpn-auth-ldap']
$ldap_auth_plugin_location = '/usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so'
$systemd = false
$pam_module_path = '/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so'
# Redhat/Centos < 6.0
} else {
$additional_packages = ['easy-rsa']
$ldap_auth_plugin_location = undef
$systemd = false
$pam_module_path = '/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so'
}
}
'Debian': { # Debian/Ubuntu
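Review bot: `$pam_module_path` moves out of the shared block earlier in the file into the three RedHat release branches, so every consumer of `$::openvpn::params::pam_module_path` now depends on each branch of the enclosing `case` assigning it; the `'Debian'` branch begins on the last line of this hunk and is not visible, so whether it (and any default branch) sets the variable cannot be confirmed from here, and an unset branch yields undef where a plugin path is expected. A short why-comment on the new RHEL7 line would help the next maintainer, e.g. `# RHEL/CentOS 7 ships the PAM plugin under plugins/ as openvpn-plugin-auth-pam.so`. All three paths remain `lib64`-specific, as the removed line was.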
56 changes: 29 additions & 27 deletions manifests/server.pp
Expand Up @@ -439,15 +439,15 @@
$port = '1194',
$portshare = undef,
$proto = 'tcp',
$status_version = '',
$status_version = undef,
$status_log = "/var/log/openvpn/${name}-status.log",
$server = '',
$server_ipv6 = '',
$server_bridge = '',
$server = undef,
$server_ipv6 = undef,
$server_bridge = undef,
$push = [],
$route = [],
$route_ipv6 = [],
$keepalive = '',
$keepalive = undef,
$fragment = false,
$ssl_key_size = 1024,
$topology = 'net30',
Expand All @@ -459,32 +459,32 @@
$management = false,
$management_ip = 'localhost',
$management_port = 7505,
$up = '',
$down = '',
$up = undef,
$down = undef,
$username_as_common_name = false,
$client_cert_not_required = false,
$ldap_enabled = false,
$ldap_server = '',
$ldap_binddn = '',
$ldap_bindpass = '',
$ldap_u_basedn = '',
$ldap_g_basedn = '',
$ldap_server = undef,
$ldap_binddn = undef,
$ldap_bindpass = undef,
$ldap_u_basedn = undef,
$ldap_g_basedn = undef,
$ldap_gmember = false,
$ldap_u_filter = '',
$ldap_g_filter = '',
$ldap_memberatr = '',
$ldap_u_filter = undef,
$ldap_g_filter = undef,
$ldap_memberatr = undef,
$ldap_tls_enable = false,
$ldap_tls_ca_cert_file = '',
$ldap_tls_ca_cert_dir = '',
$ldap_tls_client_cert_file = '',
$ldap_tls_client_key_file = '',
$ldap_tls_ca_cert_file = undef,
$ldap_tls_ca_cert_dir = undef,
$ldap_tls_client_cert_file = undef,
$ldap_tls_client_key_file = undef,
$ca_expire = 3650,
$key_expire = 3650,
$key_cn = '',
$key_name = '',
$key_ou = '',
$verb = '',
$cipher = '',
$key_cn = undef,
$key_name = undef,
$key_ou = undef,
$verb = undef,
$cipher = undef,
$tls_cipher = undef,
$persist_key = false,
$persist_tun = false,
Expand All @@ -511,8 +511,8 @@
$custom_options = {},
) {

include openvpn
Class['openvpn::install'] ->
include ::openvpn
Class['::openvpn::install'] ->
Openvpn::Server[$name]

if $::openvpn::params::systemd and $::openvpn::params::namespecific_rclink {
Expand Down Expand Up @@ -679,9 +679,11 @@
}

if $ldap_enabled == true {
validate_string($ldap_server)

file {
"${etc_directory}/openvpn/${name}/auth/ldap.conf":
ensure => present,
ensure => file,
owner => root,
mode => '0400',
content => template('openvpn/ldap.erb'),
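Review bot: The added `validate_string($ldap_server)` does not enforce that an LDAP server is configured when `$ldap_enabled` is true: with the parameter's default now `undef`, puppetlabs-stdlib's `validate_string` accepts undef, so the catalog compiles and ldap.erb is rendered with no server. A guard such as `if ! $ldap_server { fail('openvpn::server: ldap_server is required when ldap_enabled is true') }` rejects both undef and an empty string. The switch to `ensure => file` with `mode => '0400'` is appropriate for a file that presumably carries `$ldap_bindpass` (the template is not in this diff). The enclosing define starts before this hunk.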