Showing with 114 additions and 6 deletions.

+12 −3 README.md

+25 −2 manifests/service.pp

+1 −1 metadata.json

+71 −0 spec/defines/service_spec.rb

+5 −0 templates/service.erb
diff --git a/README.md b/README.md
@@ -423,7 +423,7 @@ Array of lines to add to the fragment file
 ===
 
 # pam::service
-Manage PAM file for specific service
+Manage PAM file for specific service. The `pam::service` resource is reversible, so that any service that Puppet has locked using PAM can be unlocked by setting the resource ensure to absent and waiting for the next puppet run.
 
 ## Usage
 you can specify a hash for to manage the services in Hiera
@@ -433,7 +433,12 @@ pam::services:
     content : "auth     required       pam_unix2.so"
 </pre>
 
-## Paramteters for `pam::service`
+## Parameters for `pam::service`
+
+ensure
+------
+
+Specifies if a PAM service file should (`present`) or should not (`absent`) exist. The default is set to 'present'
 
 pam_config_dir
 --------------
@@ -443,7 +448,11 @@ Path to PAM files
 
 content
 -------
-Content of the PAM file for the service
+Content of the PAM file for the service. The `content` and `lines` parameters are mutually exclusive. Not setting either of these parameters will result in an empty service definition file.
+
+lines
+-----
+Provides content for the PAM service file as an array of lines. The `content` and `lines` parameters are mutually exclusive. Not setting either of these parameters will result in an empty service definition file.
 
 ===
 

diff --git a/manifests/service.pp b/manifests/service.pp
@@ -3,16 +3,39 @@
 # Manage PAM file for a specifc service
 #
 define pam::service (
+  $ensure         = 'present',
   $pam_config_dir = '/etc/pam.d',
   $content        = undef,
+  $lines          = undef
 ) {
 
   include pam
 
+  validate_re($ensure, ['^present$', '^absent$'] )
+
+  case $ensure {
+    'present': {
+      $file_ensure = 'file'
+    }
+    default: {
+      $file_ensure = 'absent'
+    }
+  }
+
+  if $content and $lines {
+    fail('pam::service expects one of the lines or contents parameters to be provided, but not both')
+  } elsif $content {
+    $my_content = $content
+  } elsif $lines {
+    $my_content = template('pam/service.erb')
+  } else {
+    $my_content = undef
+  }
+
   file { "pam.d-service-${name}":
-    ensure  => file,
+    ensure  => $file_ensure,
     path    => "${pam_config_dir}/${name}",
-    content => $content,
+    content => $my_content,
     owner   => 'root',
     group   => 'root',
     mode    => '0644',

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-pam",
-  "version": "2.17.0",
+  "version": "2.18.0",
   "author": "ghoneycutt",
   "summary": "Manage PAM",
   "license": "Apache-2.0",

diff --git a/spec/defines/service_spec.rb b/spec/defines/service_spec.rb
@@ -0,0 +1,71 @@
+require 'spec_helper'
+describe 'pam::service', :type => :define do
+  context 'on a RedHat OS' do
+    let(:facts) {
+      {
+        :osfamily                   => 'RedHat',
+        :operatingsystemmajrelease  => '5',
+      }
+    }
+
+    context 'with no parameters' do
+      let(:title) { 'test' }
+
+      it { should contain_class('pam') }
+
+      it {
+        should contain_file('pam.d-service-test').with({
+          'ensure'  => 'file',
+          'owner'   => 'root',
+          'group'   => 'root',
+          'mode'    => '0644',
+          'content' => nil,
+        })
+      }
+    end
+
+    context 'when absent' do
+      let(:title) { 'test' }
+      let(:params) { { :ensure => 'absent' } }
+
+      it {
+        should contain_file('pam.d-service-test').with({
+          'ensure'  => 'absent',
+        })
+      }
+    end
+
+    context 'when given content' do
+      let(:title) { 'test' }
+      let(:params) { { :content => 'session required pam_permit.so' } }
+
+      it { should contain_file('pam.d-service-test').with_content(
+        %{session required pam_permit.so}
+      ) }
+    end
+
+    context 'when given an array of lines' do
+      let(:title) { 'test' }
+      let(:params) do
+        {
+          :lines  => [
+            '@include common-auth',
+            '@include common-account',
+            'session required pam_permit.so',
+            'session required pam_limits.so',
+          ],
+        }
+      end
+
+      it { should contain_file('pam.d-service-test').with_content(
+        %{# This file is being maintained by Puppet.
+# DO NOT EDIT
+@include common-auth
+@include common-account
+session required pam_permit.so
+session required pam_limits.so
+}
+      ) }
+    end
+  end
+end
diff --git a/templates/service.erb b/templates/service.erb
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+<% @lines.each do |line| -%>
+<%= line %>
+<% end -%>