Showing with 123 additions and 14 deletions.
  1. +1 −1 .travis.yml
  2. +1 −1 Gemfile
  3. +1 −1 LICENSE
  4. +1 −1 Modulefile
  5. +45 −2 README.md
  6. +1 −1 Rakefile
  7. +1 −1 metadata.json
  8. +58 −1 spec/classes/accesslogin_spec.rb
  9. +14 −5 templates/access.conf.erb
2 changes: 1 addition & 1 deletion .travis.yml
Expand Up @@ -11,6 +11,6 @@ rvm:
- 1.9.3
- 2.0.0
language: ruby
before_script: "gem install --no-ri --no-rdoc bundler"
before_script: 'gem install --no-ri --no-rdoc bundler'
script: 'bundle exec rake validate && bundle exec rake lint && SPEC_OPTS="--format documentation" bundle exec rake spec'
gemfile: Gemfile
2 changes: 1 addition & 1 deletion Gemfile
Expand Up @@ -4,4 +4,4 @@ puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>=
gem 'puppet', puppetversion
gem 'puppetlabs_spec_helper', '>= 0.1.0'
gem 'puppet-lint', '>= 0.3.2'
gem 'facter', '>= 1.7.0', "< 1.8.0"
gem 'facter', '>= 1.7.0'
2 changes: 1 addition & 1 deletion LICENSE
@@ -1,4 +1,4 @@
Copyright (C) 2010-2013 Garrett Honeycutt <code@garretthoneycutt.com>
Copyright (C) 2010-2014 Garrett Honeycutt <code@garretthoneycutt.com>

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
2 changes: 1 addition & 1 deletion Modulefile
@@ -1,5 +1,5 @@
name 'ghoneycutt-pam'
version '2.6.1'
version '2.7.0'
source 'git://github.com/ghoneycutt/puppet-module-pam.git'
author 'ghoneycutt'
license 'Apache License, Version 2.0'
47 changes: 45 additions & 2 deletions README.md
Expand Up @@ -31,9 +31,52 @@ This module has been tested to work on the following systems using Puppet v3 wit

allowed_users
-------------
Array of users allowed to log in.
Array or Hash of strings and/or arrays to configure users and origins in access.conf. The default allows the root user/group from origin 'ALL'.

- *Default*: root
- *Default*: 'root'

# Hiera example for allowed_users
<pre>
# as an array where the origin for each is 'ALL'
pam::allowed_users:
- root
- ops
- devs
</pre>

This would create /etc/security/access.conf with the following content.
<pre>
# This file is being maintained by Puppet.
# DO NOT EDIT
#

#allow only the groups listed
+ : root : ALL
+ : ops : ALL
+ : devs : ALL
</pre>

<pre>
# as a hash where the user/group can optionally specify the origin
pam::allowed_users:
'username':
'username1':
- 'cron'
- 'tty0'
'username2': 'tty1'
</pre>

This would create /etc/security/access.conf with the following content.
<pre>
# This file is being maintained by Puppet.
# DO NOT EDIT
#

#allow only the groups listed
+ : username : ALL
+ : username1 : cron tty0
+ : username2 : tty1
</pre>

limits_fragments
----------------
2 changes: 1 addition & 1 deletion Rakefile
Expand Up @@ -3,7 +3,7 @@ require 'puppet-lint/tasks/puppet-lint'
PuppetLint.configuration.send('disable_80chars')
PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"]

desc "Run puppet in noop mode and check for syntax errors."
desc 'Run puppet in noop mode and check for syntax errors.'
task :validate do
Dir['manifests/**/*.pp'].each do |manifest|
sh "puppet parser validate --noop #{manifest}"
2 changes: 1 addition & 1 deletion metadata.json
@@ -1,6 +1,6 @@
{
"name": "ghoneycutt-pam",
"version": "2.6.1",
"version": "2.7.0",
"author": "ghoneycutt",
"summary": "Manage PAM",
"license": "Apache License, Version 2.0",
59 changes: 58 additions & 1 deletion spec/classes/accesslogin_spec.rb
Expand Up @@ -37,7 +37,7 @@
}
end

context 'with multiple users on supported platform' do
context 'with multiple users on supported platform expressed as an array' do
let(:facts) do
{
:osfamily => 'RedHat',
Expand Down Expand Up @@ -77,6 +77,63 @@
}
end

context 'with hash entry containing string values' do
let(:facts) do
{
:osfamily => 'RedHat',
:lsbmajdistrelease => '5',
}
end
let(:pre_condition) do
'class {"pam": allowed_users => {"username1" => "cron", "username2" => "tty0"} }'
end
it { should contain_file('access_conf').with_content(/^\+ : username1 : cron$/)}
it { should contain_file('access_conf').with_content(/^\+ : username2 : tty0$/)}
end

context 'with hash entry containing array of values' do
let(:facts) do
{
:osfamily => 'RedHat',
:lsbmajdistrelease => '5',
}
end
let(:pre_condition) do
'class {"pam": allowed_users => {"username" => ["cron", "tty0"]} }'
end
it { should contain_file('access_conf').with_content(/^\+ : username : cron tty0$/)}
end

context 'with hash entry containing no value should default to "ALL"' do
let(:facts) do
{
:osfamily => 'RedHat',
:lsbmajdistrelease => '5',
}
end
let(:pre_condition) do
'class {"pam": allowed_users => {"username" => {} }}'
end
it { should contain_file('access_conf').with_content(/^\+ : username : ALL$/)}
end

context 'with hash entries containing string, array and empty hash' do
let(:facts) do
{
:osfamily => 'RedHat',
:lsbmajdistrelease => '5',
}
end
let(:pre_condition) do
'class {"pam": allowed_users => {"username" => "tty5", "username1" => ["cron", "tty0"], "username2" => "cron", "username3" => "tty0", "username4" => {}}}'
end
it { should contain_file('access_conf').with_content(/^\+ : username : tty5$/)}
it { should contain_file('access_conf').with_content(/^\+ : username1 : cron tty0$/)}
it { should contain_file('access_conf').with_content(/^\+ : username2 : cron$/)}
it { should contain_file('access_conf').with_content(/^\+ : username3 : tty0$/)}
it { should contain_file('access_conf').with_content(/^\+ : username4 : ALL$/)}
end

context 'with custom values on supported platform' do
let(:facts) do
{
19 changes: 14 additions & 5 deletions templates/access.conf.erb
Expand Up @@ -3,12 +3,21 @@
#

# allow only the groups listed
<% if scope.lookupvar('pam::allowed_users').class == String -%>
+ : <%= scope.lookupvar('pam::allowed_users') %> : ALL
<% else -%>
<% scope.lookupvar('pam::allowed_users').each do |user| -%>
+ : <%= user %> : ALL
<%
entries = scope.lookupvar('pam::allowed_users')
-%>
<% if entries.is_a? Hash -%>
<% entries.each do |key, value| -%>
+ : <%= key %> : <% if value.is_a? Array -%><%= value.join(' ') %><% elsif value.is_a? String -%><%= value %><% else -%>ALL<% end %>
<% end -%>
<% elsif entries.is_a? Array -%>
<% entries.each do |key| -%>
+ : <%= key %> : ALL
<% end -%>
<% elsif entries.is_a? String -%>
+ : <%= entries %> : ALL
<% else -%>
+ : root : ALL
<% end -%>

# default deny
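Review bot: The trailing `<% else -%>ALL` on the `+ : <%= key %> :` line is fail-open: any origin value that is not an Array or String — the documented empty hash, but also a `nil`, boolean or integer left by a Hiera typo — is rendered as `ALL`, so a mistyped entry silently allows login from every origin. An allow-list should accept only the shapes it documents and abort catalog compilation for anything else. The type checks also let an empty Array or empty String through, which renders `+ : user : ` with no origin field; I would expect pam_access to either log that as a bad line or never match it, but either way it is not what was configured, so it too is better rejected at compile time. The loop body could become the following, which keeps the tested `{}` → ALL behaviour (and the README's nil case) while raising for everything else; the rest of the template, including the default-deny rule that follows this hunk, is unchanged:
```erb
<% entries.each do |key, value| -%>
<%
  origins = case value
            when Array     then value.join(' ')
            when String    then value
            when nil, Hash then 'ALL'
            else raise ArgumentError, "pam::allowed_users: unsupported origin type #{value.class} for #{key}"
            end
  raise ArgumentError, "pam::allowed_users: empty origin list for #{key}" if origins.strip.empty?
-%>
+ : <%= key %> : <%= origins %>
<% end -%>
```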