(SIMP-4442) Enable additional config options (#112)

* Added pre-content for auth * Added extra content for su * Added comments to identify user content vs module content SIMP-4442 #close Co-authored-by: Kendall Moore <kendall.moore@onyxpoint.com>
simp · Sep 14, 2021 · 60fedd3 · 60fedd3
1 parent 249b45f
commit 60fedd3
Show file tree

Hide file tree

Showing 54 changed files with 367 additions and 11 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,7 @@
+* Thu Aug 26 2021 Kendall Moore <kendall.moore@onyxpoint.com> - 6.10.0
+- Add pre section content for auth files
+- Add extra content for su
+
 * Wed Aug 04 2021 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.9.1
 - Silence unnecessary TTY messages
 

diff --git a/manifests/auth.pp b/manifests/auth.pp
@@ -8,6 +8,7 @@
 #
 # @param password_check_backend
 # @param locale_file
+# @param auth_content_pre
 # @param cracklib_enforce_for_root
 # @param cracklib_reject_username
 # @param cracklib_difok
@@ -51,6 +52,7 @@
 define pam::auth (
   Pam::PasswordBackends          $password_check_backend    = $pam::password_check_backend,
   Optional[Stdlib::Absolutepath] $locale_file               = $pam::locale_file,
+  Optional[Array[String]]        $auth_content_pre          = $pam::auth_content_pre,
   Boolean                        $cracklib_enforce_for_root = $pam::cracklib_enforce_for_root,
   Boolean                        $cracklib_reject_username  = $pam::cracklib_reject_username,
   Optional[Integer[0]]           $cracklib_difok            = $pam::cracklib_difok,
@@ -129,6 +131,7 @@
         name                      => $name,
         password_check_backend    => $password_check_backend,
         locale_file               => $locale_file,
+        auth_content_pre          => $auth_content_pre,
         cracklib_enforce_for_root => $cracklib_enforce_for_root,
         cracklib_reject_username  => $cracklib_reject_username,
         cracklib_difok            => $cracklib_difok,

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -203,6 +203,10 @@
 #
 #   * Set to an empty Array to not audit TTY actions for any user
 #
+# @param su_content_extra
+#   User-specified content to be added to ``/etc/pam.d/su`` in addition to
+#   the rest of the templated content
+#
 # @param su_content
 #   The content that should be used to fill ``/etc/pam.d/su`` instead of the
 #   templated content
@@ -216,6 +220,11 @@
 #
 #   * Set to an empty Array to not manage any sections
 #
+# @param auth_content_pre
+#   Content to prepend to the auth configs in addition to templated content
+#
+#   * Set to an empty Array to not prepend any default content
+#
 # @param fingerprint_auth_content
 #   The content that should be used to fill ``/etc/pam.d/fingerprint_auth``
 #   instead of the templated content
@@ -304,6 +313,8 @@
   String[0]                      $separator                 = ',',
   Array[String[0]]               $tty_audit_users           = [ 'root' ],
   Pam::AuthSections              $auth_sections             = [ 'fingerprint', 'system', 'password', 'smartcard' ],
+  Optional[Array[String]]        $auth_content_pre          = undef,
+  Optional[Array[String]]        $su_content_extra          = undef,
   Optional[String]               $su_content                = undef,
   Optional[String]               $other_content             = undef,
   Optional[String]               $fingerprint_auth_content  = undef,

diff --git a/manifests/wheel.pp b/manifests/wheel.pp
@@ -12,25 +12,31 @@
 #    Whether or not to configure things in such a way that the ``openshift``
 #    puppet code is compatible
 #
+# @param su_content_extra
+#    User-specified content added after rootok but before further templated
+#    content
+#
 # @param content
 #   Optional custom content for file
 #
 # @author https://github.com/simp/pupmod-simp-pam/graphs/contributors
 #
 class pam::wheel (
-  String[1]           $wheel_group   = 'wheel',
-  Boolean             $root_only     = false,
-  Boolean             $use_openshift = $pam::use_openshift,
-  Optional[String[1]] $content       = $pam::su_content
+  String[1]               $wheel_group      = 'wheel',
+  Boolean                 $root_only        = false,
+  Boolean                 $use_openshift    = $pam::use_openshift,
+  Optional[Array[String]] $su_content_extra = $pam::su_content_extra,
+  Optional[String[1]]     $content          = $pam::su_content,
 ) inherits pam {
   if $content {
     $_content = $content
   }
   else {
     $_content = epp("${module_name}/etc/pam.d/su.epp", {
-      wheel_group   => $wheel_group,
-      root_only     => $root_only,
-      use_openshift => $use_openshift
+      wheel_group      => $wheel_group,
+      root_only        => $root_only,
+      use_openshift    => $use_openshift,
+      su_content_extra => $su_content_extra,
     })
   }
 

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "simp-pam",
-  "version": "6.9.1",
+  "version": "6.10.0",
   "author": "SIMP Team",
   "summary": "A SIMP puppet module for managing pam",
   "license": "Apache-2.0",

diff --git a/spec/classes/wheel_spec.rb b/spec/classes/wheel_spec.rb
@@ -38,6 +38,13 @@
           it { is_expected.to create_file('/etc/pam.d/su').with_content(/oo-trap/) }
         end
 
+        context 'with extra content' do
+          let(:params){{
+            :su_content_extra => ['auth sufficient pam_centrifydc.so enable_dzpamgate']
+          }}
+          it { is_expected.to create_file('/etc/pam.d/su').with_content(/auth\s+sufficient\s+pam_centrifydc\.so\s+enable_dzpamgate/) }
+        end
+
         context 'with custom content' do
           let(:params) {{
             :content    => 'this is valid pam su configuration, I promise'

diff --git a/spec/defines/auth_spec.rb b/spec/defines/auth_spec.rb
@@ -216,6 +216,32 @@ def get_expected(filename)
           end
         end
 
+        context 'Generate file using auth_content_pre params for Centrify' do
+          let(:params) {{
+            :sssd             => true,
+            :auth_content_pre => [
+              'auth     sufficient pam_centrifydc.so',
+              'auth     requisite  pam_centrifydc.so deny',
+              'account  sufficient pam_centrifydc.so',
+              'account  requisite  pam_centrifydc.so deny',
+              'session  required   pam_centrifydc.so homedir',
+              'password sufficient pam_centrifydc.so try_first_pass',
+              'password requisite  pam_centrifydc.so deny',
+            ]
+          }}
+          ['fingerprint', 'password', 'smartcard', 'system'].each do |auth_type|
+            context "auth type '#{auth_type}'" do
+              let(:pw_backend) { 'pwquality' }
+              let(:title){ auth_type }
+              let(:filename){ "/etc/pam.d/#{auth_type}-auth" }
+              let(:file_content) { get_expected("#{pw_backend}-#{auth_type}-auth_sssd_user_specified_centrify") }
+
+              it_should_behave_like "a pam.d config file generator"
+              it { is_expected.to contain_file(filename).with_content(file_content) }
+            end
+          end
+        end
+
         context 'Generate file with varying list separators when list_separator == true' do
           ['!', ',', '@'].each_with_index do |separator, index|
             context "auth type separator = '#{separator}'" do

diff --git a/spec/expected/auth_spec/cracklib-fingerprint-auth_default_params b/spec/expected/auth_spec/cracklib-fingerprint-auth_default_params
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/cracklib-fingerprint-auth_sssd_no_tty_audit b/spec/expected/auth_spec/cracklib-fingerprint-auth_sssd_no_tty_audit
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     sufficient    pam_fprintd.so

diff --git a/spec/expected/auth_spec/cracklib-fingerprint-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/cracklib-fingerprint-auth_sssd_openshift_multi_tty_audit
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/cracklib-fingerprint-auth_unlock_time_never b/spec/expected/auth_spec/cracklib-fingerprint-auth_unlock_time_never
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=never fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/cracklib-password-auth_default_params b/spec/expected/auth_spec/cracklib-password-auth_default_params
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/cracklib-password-auth_sssd_no_tty_audit b/spec/expected/auth_spec/cracklib-password-auth_sssd_no_tty_audit
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     sufficient    pam_sss.so forward_pass

diff --git a/spec/expected/auth_spec/cracklib-password-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/cracklib-password-auth_sssd_openshift_multi_tty_audit
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/cracklib-password-separator-0 b/spec/expected/auth_spec/cracklib-password-separator-0
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/cracklib-password-separator-1 b/spec/expected/auth_spec/cracklib-password-separator-1
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/cracklib-password-separator-2 b/spec/expected/auth_spec/cracklib-password-separator-2
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/cracklib-password-separator-false b/spec/expected/auth_spec/cracklib-password-separator-false
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/cracklib-smartcard-auth_default_params b/spec/expected/auth_spec/cracklib-smartcard-auth_default_params
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/cracklib-smartcard-auth_sssd_no_tty_audit b/spec/expected/auth_spec/cracklib-smartcard-auth_sssd_no_tty_audit
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only

diff --git a/spec/expected/auth_spec/cracklib-smartcard-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/cracklib-smartcard-auth_sssd_openshift_multi_tty_audit
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/cracklib-smartcard-auth_unlock_time_never b/spec/expected/auth_spec/cracklib-smartcard-auth_unlock_time_never
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=never fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/cracklib-system-auth_default_params b/spec/expected/auth_spec/cracklib-system-auth_default_params
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/cracklib-system-auth_oath_enabled b/spec/expected/auth_spec/cracklib-system-auth_oath_enabled
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/cracklib-system-auth_sssd_no_tty_audit b/spec/expected/auth_spec/cracklib-system-auth_sssd_no_tty_audit
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     sufficient    pam_sss.so forward_pass

diff --git a/spec/expected/auth_spec/cracklib-system-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/cracklib-system-auth_sssd_openshift_multi_tty_audit
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/cracklib-system-auth_unlock_time_never b/spec/expected/auth_spec/cracklib-system-auth_unlock_time_never
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=never fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/pwquality-fingerprint-auth_default_params b/spec/expected/auth_spec/pwquality-fingerprint-auth_default_params
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60

diff --git a/spec/expected/auth_spec/pwquality-fingerprint-auth_sssd_no_tty_audit b/spec/expected/auth_spec/pwquality-fingerprint-auth_sssd_no_tty_audit
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     sufficient    pam_fprintd.so

diff --git a/spec/expected/auth_spec/pwquality-fingerprint-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/pwquality-fingerprint-auth_sssd_openshift_multi_tty_audit
@@ -1,6 +1,8 @@
 #%PAM-1.0
 # This file managed by Puppet
 # User changes will be lost!
+
+# SIMP defined auth content
 auth     optional      pam_faildelay.so
 auth     required      pam_env.so
 auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60