From cae52d9634d0acd9cb4009a9e1315b4ba69c0df5 Mon Sep 17 00:00:00 2001 From: Trevor Vaughan Date: Mon, 28 Mar 2022 11:58:48 -0400 Subject: [PATCH] Support Amazon Linux 2 (#121) Closes #120 --- .gitignore | 7 +++- .gitlab-ci.yml | 6 +++ CHANGELOG | 3 ++ Gemfile | 2 +- REFERENCE.md | 40 +++++++++++++++++++ metadata.json | 8 +++- spec/acceptance/nodesets/amzn2.yml | 23 +++++++++++ .../suites/default/00_default_spec.rb | 3 +- .../security_modules/nodesets/amzn2.yml | 27 +++++++++++++ spec/spec_helper_acceptance.rb | 13 ++++-- 10 files changed, 124 insertions(+), 8 deletions(-) create mode 100644 spec/acceptance/nodesets/amzn2.yml create mode 100644 spec/acceptance/suites/security_modules/nodesets/amzn2.yml diff --git a/.gitignore b/.gitignore index 9d5658a..706aeb6 100644 --- a/.gitignore +++ b/.gitignore @@ -9,7 +9,12 @@ .idea/ dist /pkg -/spec/fixtures +# Read everything in fixtures +/spec/fixtures/* +# Un-ignore hieradata +!/spec/fixtures/hieradata/* +# Except this one, which is auto-generated +/spec/fixtures/hieradata/hiera.yaml /spec/rp_env /.rspec_system /.vagrant diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 45184b2..34dbf79 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -357,6 +357,12 @@ pup6.pe-oel: script: - 'bundle exec rake beaker:suites[default,oel]' +pup6.pe-amzn2: + <<: *pup_6_pe + <<: *acceptance_base + script: + - 'bundle exec rake beaker:suites[default,amzn2]' + pup6.pe-oel-fips: <<: *pup_6_pe <<: *acceptance_base diff --git a/CHANGELOG b/CHANGELOG index 6f9a329..cb1f35e 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,6 @@ +* Sun Mar 20 2022 Trevor Vaughan - 6.10.1 +- Support Amazon Linux 2 + * Thu Aug 26 2021 Kendall Moore - 6.10.0 - Add pre section content for auth files - Add extra content for su diff --git a/Gemfile b/Gemfile index 4ed1bf9..028bcfd 100644 --- a/Gemfile +++ b/Gemfile 
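Review bot: The negation `!/spec/fixtures/hieradata/*` in the .gitignore hunk probably never takes effect, because `/spec/fixtures/*` already excludes the `hieradata` directory itself and git does not re-include files whose parent directory is excluded. Adding `!/spec/fixtures/hieradata/` on its own line before that negation re-includes the directory first, after which the `hiera.yaml` exclusion still applies. The first new comment should also read `# Ignore everything in fixtures` rather than "Read", since the pattern below it is an ignore rule.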
@@ -38,7 +38,7 @@ end group :system_tests do gem 'beaker' gem 'beaker-rspec' - gem 'simp-beaker-helpers', ENV['SIMP_BEAKER_HELPERS_VERSION'] || ['>= 1.23.2', '< 2'] + gem 'simp-beaker-helpers', ENV['SIMP_BEAKER_HELPERS_VERSION'] || ['>= 1.24.2', '< 2'] end # Evaluate extra gemfiles if they exist diff --git a/REFERENCE.md b/REFERENCE.md index bf418c2..3305dfb 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -85,9 +85,11 @@ The following parameters are available in the `pam` class: * [`use_openshift`](#use_openshift) * [`sssd`](#sssd) * [`tty_audit_users`](#tty_audit_users) +* [`su_content_extra`](#su_content_extra) * [`su_content`](#su_content) * [`other_content`](#other_content) * [`auth_sections`](#auth_sections) +* [`auth_content_pre`](#auth_content_pre) * [`fingerprint_auth_content`](#fingerprint_auth_content) * [`system_auth_content`](#system_auth_content) * [`password_auth_content`](#password_auth_content) @@ -506,6 +508,15 @@ The users for which TTY auditing is enabled Default value: `[ 'root' ]` +##### `su_content_extra` + +Data type: `Optional[Array[String]]` + +User-specified content to be added to ``/etc/pam.d/su`` in addition to +the rest of the templated content + +Default value: ``undef`` + ##### `su_content` Data type: `Optional[String]` @@ -534,6 +545,16 @@ The PAM ``*-auth`` files to manage Default value: `[ 'fingerprint', 'system', 'password', 'smartcard' ]` +##### `auth_content_pre` + +Data type: `Optional[Array[String]]` + +Content to prepend to the auth configs in addition to templated content + +* Set to an empty Array to not prepend any default content + +Default value: ``undef`` + ##### `fingerprint_auth_content` Data type: `Optional[String]` @@ -745,6 +766,7 @@ The following parameters are available in the `pam::wheel` class: * [`wheel_group`](#wheel_group) * [`root_only`](#root_only) * [`use_openshift`](#use_openshift) +* [`su_content_extra`](#su_content_extra) * [`content`](#content) ##### `wheel_group` 
@@ -772,6 +794,15 @@ puppet code is compatible Default value: `$pam::use_openshift` +##### `su_content_extra` + +Data type: `Optional[Array[String]]` + +User-specified content added after rootok but before further templated +content + +Default value: `$pam::su_content_extra` + ##### `content` Data type: `Optional[String[1]]` @@ -918,6 +949,7 @@ The following parameters are available in the `pam::auth` defined type: * [`password_check_backend`](#password_check_backend) * [`locale_file`](#locale_file) +* [`auth_content_pre`](#auth_content_pre) * [`cracklib_enforce_for_root`](#cracklib_enforce_for_root) * [`cracklib_reject_username`](#cracklib_reject_username) * [`cracklib_difok`](#cracklib_difok) @@ -972,6 +1004,14 @@ Data type: `Optional[Stdlib::Absolutepath]` Default value: `$pam::locale_file` +##### `auth_content_pre` + +Data type: `Optional[Array[String]]` + + + +Default value: `$pam::auth_content_pre` + ##### `cracklib_enforce_for_root` Data type: `Boolean` diff --git a/metadata.json b/metadata.json index b73d054..9d957f0 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "simp-pam", - "version": "6.10.0", + "version": "6.10.1", "author": "SIMP Team", "summary": "A SIMP puppet module for managing pam", "license": "Apache-2.0", @@ -38,6 +38,12 @@ ] }, "operatingsystem_support": [ + { + "operatingsystem": "Amazon", + "operatingsystemrelease": [ + "2" + ] + }, { "operatingsystem": "CentOS", "operatingsystemrelease": [ diff --git a/spec/acceptance/nodesets/amzn2.yml b/spec/acceptance/nodesets/amzn2.yml new file mode 100644 index 0000000..1368180 --- /dev/null +++ b/spec/acceptance/nodesets/amzn2.yml 
@@ -0,0 +1,23 @@ +<% + if ENV['BEAKER_HYPERVISOR'] + hypervisor = ENV['BEAKER_HYPERVISOR'] + else + hypervisor = 'vagrant' + end +-%> +HOSTS: + amzn2: + roles: + - default + platform: el-7-x86_64 + box: gbailey/amzn2 + hypervisor: <%= hypervisor %> + +CONFIG: + log_level: verbose + synced_folder : disabled + type: aio + vagrant_memsize: 512 +<% if ENV['BEAKER_PUPPET_COLLECTION'] -%> + puppet_collection: <%= ENV['BEAKER_PUPPET_COLLECTION'] %> +<% end -%> diff --git a/spec/acceptance/suites/default/00_default_spec.rb b/spec/acceptance/suites/default/00_default_spec.rb index 835ab9a..3a90583 100644 --- a/spec/acceptance/suites/default/00_default_spec.rb +++ b/spec/acceptance/suites/default/00_default_spec.rb @@ -22,7 +22,8 @@ os_major = fact_on(host, 'operatingsystemmajrelease') - if os_major == '7' + # Total hack to support Amazon without a bunch of logic + if ['7','2'].include?(os_major) it 'should replace authconfig and authconfi-tui links' do result = on(host, 'ls -l /usr/sbin/authconfig') expect(result.stdout).to match(/authconfig -> \/usr\/local\/sbin\/simp_authconfig.sh/) diff --git a/spec/acceptance/suites/security_modules/nodesets/amzn2.yml b/spec/acceptance/suites/security_modules/nodesets/amzn2.yml new file mode 100644 index 0000000..b182fd1 --- /dev/null +++ b/spec/acceptance/suites/security_modules/nodesets/amzn2.yml @@ -0,0 +1,27 @@ +<% + if ENV['BEAKER_HYPERVISOR'] + hypervisor = ENV['BEAKER_HYPERVISOR'] + else + hypervisor = 'vagrant' + end +-%> +HOSTS: + amzn2-server: + roles: + - default + platform: el-7-x86_64 + box: gbailey/amzn2 + hypervisor: <%= hypervisor %> + + amzn2-client: + platform: el-7-x86_64 + box: gbailey/amzn2 + hypervisor: <%= hypervisor %> + +CONFIG: + log_level: verbose + type: aio + vagrant_memsize: 512 +<% if ENV['BEAKER_PUPPET_COLLECTION'] -%> + puppet_collection: <%= ENV['BEAKER_PUPPET_COLLECTION'] %> +<% end -%> diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index f14e11e..9631ed6 100644 
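Review bot: `box: gbailey/amzn2` in the new nodeset pulls what appears to be a community-published Vagrant box with no version pin, so every acceptance run trusts whatever image is currently published under that name. The same line appears twice in `spec/acceptance/suites/security_modules/nodesets/amzn2.yml`. Pinning it under each host, e.g. `box_version: '<PINNED_BOX_VERSION>'`, makes runs reproducible and keeps a changed upstream image from silently entering CI. A short comment above `platform: el-7-x86_64` noting that Amazon Linux 2 is deliberately treated as EL7 would also help, since the platform string does not match the box name.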
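Review bot: The new guard `if ['7','2'].include?(os_major)` in 00_default_spec.rb keys on the major release alone, so any nodeset whose OS reports major release `2` would take the authconfig path whether or not it is Amazon Linux. Checking the OS name as well keeps the intent explicit: `os_name = fact_on(host, 'operatingsystem')` followed by `if os_major == '7' || (os_name == 'Amazon' && os_major == '2')`. The comment could then say why Amazon Linux 2 shares the EL7 checks instead of "Total hack". The block this condition opens continues outside the hunk.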
--- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -12,9 +12,6 @@ else install_puppet end - # Install git, it's a dependency for inspec profiles - # Found this when experiencing https://github.com/chef/inspec/issues/1270 - install_package(host, 'git') end end @@ -35,12 +32,20 @@ begin # Install modules and dependencies from spec/fixtures/modules copy_fixture_modules_to( hosts ) + begin + server = only_host_with_role(hosts, 'server') + rescue ArgumentError =>e + server = only_host_with_role(hosts, 'default') + end # Generate and install PKI certificates on each SUT Dir.mktmpdir do |cert_dir| - run_fake_pki_ca_on( default, hosts, cert_dir ) + run_fake_pki_ca_on(server, hosts, cert_dir ) hosts.each{ |sut| copy_pki_to( sut, cert_dir, '/etc/pki/simp-testing' )} end + + # add PKI keys + copy_keydist_to(server) rescue StandardError, ScriptError => e if ENV['PRY'] require 'pry'; binding.pry
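Review bot: The inner `rescue ArgumentError =>e` in the second hunk binds `e` without using it, and it falls back to the `default` role for any ArgumentError from `only_host_with_role`. That presumably includes a nodeset with more than one `server` host, not only a nodeset with none. Dropping the binding and stating the intent would make this clearer: `rescue ArgumentError` with a comment such as `# No single 'server' host in this nodeset; use the 'default' host as the CA`. `copy_keydist_to(server)` deserves more than `# add PKI keys`: the comment should say which host receives the keydist tree and that these look like test-only certificates from the fake CA. The enclosing `begin … rescue StandardError, ScriptError` block continues past the end of the hunk.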