.github/workflows/ci.yml

@@ -77,3 +77,6 @@ jobs:
         env:
           BEAKER_PUPPET_COLLECTION: ${{ matrix.puppet.collection }}
           BEAKER_setfile: ${{ matrix.setfile.value }}
+          # In Puppet 7 the locale ends up being C.UTF-8 if it isn't passed.
+          # This locale doesn't exist in EL7 and won't be supported either.
+          LANG: en_US.UTF-8

CHANGELOG.md

@@ -1,5 +1,51 @@
 # Changelog
 
+## [18.0.0](https://github.com/theforeman/puppet-foreman/tree/18.0.0) (2021-07-26)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman/compare/17.0.0...18.0.0)
+
+**Breaking changes:**
+
+- Fixes [\#33106](https://projects.theforeman.org/issues/33106) - Move user, app\_root, rails\_env & vhost\_prio to globals [\#975](https://github.com/theforeman/puppet-foreman/pull/975) ([ekohl](https://github.com/ekohl))
+- Fixes [\#33089](https://projects.theforeman.org/issues/33089) - move \(hammer\_\)plugin\_prefix to globals [\#974](https://github.com/theforeman/puppet-foreman/pull/974) ([evgeni](https://github.com/evgeni))
+- Drop Puppet 5 support [\#958](https://github.com/theforeman/puppet-foreman/pull/958) ([ehelms](https://github.com/ehelms))
+
+**Implemented enhancements:**
+
+- Match Foreman user to what packaging creates [\#971](https://github.com/theforeman/puppet-foreman/pull/971) ([ekohl](https://github.com/ekohl))
+- Fixes [\#32947](https://projects.theforeman.org/issues/32947) - Use Apache module variables [\#968](https://github.com/theforeman/puppet-foreman/pull/968) ([ekohl](https://github.com/ekohl))
+- Fixes [\#32352](https://projects.theforeman.org/issues/32352) - use mod\_auth\_gssapi instead of mod\_auth\_kerb [\#967](https://github.com/theforeman/puppet-foreman/pull/967) ([evgeni](https://github.com/evgeni))
+- Autorequire provider in smartproxy type [\#966](https://github.com/theforeman/puppet-foreman/pull/966) ([ekohl](https://github.com/ekohl))
+- Use to\_symbolized\_yaml instead of a template for supervisory [\#964](https://github.com/theforeman/puppet-foreman/pull/964) ([ekohl](https://github.com/ekohl))
+- Use EPP instead of ERB for some templates [\#962](https://github.com/theforeman/puppet-foreman/pull/962) ([cocker-cc](https://github.com/cocker-cc))
+- Fixes [\#32827](https://projects.theforeman.org/issues/32827) - Add sendmail config options [\#961](https://github.com/theforeman/puppet-foreman/pull/961) ([ekohl](https://github.com/ekohl))
+- Add ACD plugin [\#957](https://github.com/theforeman/puppet-foreman/pull/957) ([sbernhard](https://github.com/sbernhard))
+- Mark compatible with camptocamp/systemd 3.x [\#956](https://github.com/theforeman/puppet-foreman/pull/956) ([ekohl](https://github.com/ekohl))
+- Allow puppet/redis 7.x [\#955](https://github.com/theforeman/puppet-foreman/pull/955) ([ekohl](https://github.com/ekohl))
+- Allow customising ProxyAddHeaders [\#953](https://github.com/theforeman/puppet-foreman/pull/953) ([nbarrientos](https://github.com/nbarrientos))
+- Support setting the priority of the Yum repositories [\#950](https://github.com/theforeman/puppet-foreman/pull/950) ([nbarrientos](https://github.com/nbarrientos))
+- Allow Puppet 7 compatible versions of mods [\#947](https://github.com/theforeman/puppet-foreman/pull/947) ([ekohl](https://github.com/ekohl))
+- Allow customising the list of HTTP headers to unset [\#944](https://github.com/theforeman/puppet-foreman/pull/944) ([nbarrientos](https://github.com/nbarrientos))
+- Customisable Yum repository base URL and GPG key path [\#943](https://github.com/theforeman/puppet-foreman/pull/943) ([nbarrientos](https://github.com/nbarrientos))
+- Refs [\#32885](https://projects.theforeman.org/issues/32885): Add puppet user to user\_groups only if server or client certificate contains puppet path [\#938](https://github.com/theforeman/puppet-foreman/pull/938) ([ehelms](https://github.com/ehelms))
+- Fixes [\#29649](https://projects.theforeman.org/issues/29649) - Drop default\_server argument in IPA [\#935](https://github.com/theforeman/puppet-foreman/pull/935) ([ekohl](https://github.com/ekohl))
+- Support Puppet 7 [\#921](https://github.com/theforeman/puppet-foreman/pull/921) ([ekohl](https://github.com/ekohl))
+- Configurable: email\_reply\_address, email\_subject\_prefix [\#913](https://github.com/theforeman/puppet-foreman/pull/913) ([knorx](https://github.com/knorx))
+- added foreman\_datacenter [\#868](https://github.com/theforeman/puppet-foreman/pull/868) ([Zenya](https://github.com/Zenya))
+- Let Function to\_symbolized\_yaml handle Datatype Sensitive [\#972](https://github.com/theforeman/puppet-foreman/pull/972) ([cocker-cc](https://github.com/cocker-cc))
+- Handle duplicate file declaration for foreman::app\_root [\#969](https://github.com/theforeman/puppet-foreman/pull/969) ([chr1s692](https://github.com/chr1s692))
+
+**Fixed bugs:**
+
+- Remove unused suburi template [\#970](https://github.com/theforeman/puppet-foreman/pull/970) ([ekohl](https://github.com/ekohl))
+- Make database.yml and settings.yaml have consistent headers [\#945](https://github.com/theforeman/puppet-foreman/pull/945) ([gcoxmoz](https://github.com/gcoxmoz))
+
+**Closed issues:**
+
+- Allow customising ProxyAddHeaders [\#952](https://github.com/theforeman/puppet-foreman/issues/952)
+- Allow configuring the priority of the Yum repositories [\#949](https://github.com/theforeman/puppet-foreman/issues/949)
+- foreman-report\_v2 disappeared from master branch ? [\#939](https://github.com/theforeman/puppet-foreman/issues/939)
+
 ## [17.0.0](https://github.com/theforeman/puppet-foreman/tree/17.0.0) (2021-04-26)
 
 [Full Changelog](https://github.com/theforeman/puppet-foreman/compare/16.1.0...17.0.0)

Gemfile

@@ -17,8 +17,7 @@ gem 'voxpupuli-test', '~> 1.4'
 gem 'github_changelog_generator', '>= 1.15.0', {"groups"=>["development"]}
 gem 'puppet_metadata', '~> 0.3'
 gem 'puppet-blacksmith', '>= 6.0.0', {"groups"=>["development"]}
-gem 'voxpupuli-acceptance', '~> 0.3', {"groups"=>["system_tests"]}
-gem 'beaker-hiera', {"git"=>"https://github.com/ekohl/beaker-hiera", "branch"=>"fix", "groups"=>["system_tests"]}
+gem 'voxpupuli-acceptance', '~> 1.0', {"groups"=>["system_tests"]}
 gem 'webmock', '~> 2.0'
 gem 'oauth'
 

lib/facter/sssd.rb

@@ -1,19 +1,6 @@
 require 'facter/util/sssd'
 
 if defined? Facter::Util::Sssd
-  # == Fact: foreman_ipa
-  Facter.add(:foreman_ipa, :type => :aggregate) do
-    {
-      :default_realm => 'global/realm',
-      :default_server => 'global/server',
-    }.each do |key, path|
-      chunk(key) do
-        val = Facter::Util::Sssd.ipa_value(path)
-        {key => val} if val
-      end
-    end
-  end
-
   # == Fact: foreman_sssd
   Facter.add(:foreman_sssd, :type => :aggregate) do
     {

lib/facter/util/sssd.rb

@@ -11,10 +11,6 @@ def self.aug_value(lens, file, path)
       end
     end
 
-    def self.ipa_value(path)
-      aug_value('Puppet.lns', '/etc/ipa/default.conf', path)
-    end
-
     def self.sssd_value(path)
       val = aug_value('Sssd.lns', '/etc/sssd/sssd.conf', path)
       val.split(',').map(&:strip) if val

lib/puppet/functions/foreman/enc.rb

@@ -45,14 +45,6 @@ def enc(url, certname)
     ssl_context = use_ssl ? Puppet.lookup(:ssl_context) : nil
     conn = Puppet::Network::HttpPool.connection(uri.host, uri.port, use_ssl: use_ssl, ssl_context: ssl_context)
 
-    # Puppetserver doesn't implement HTTP auth on get requests
-    # https://tickets.puppetlabs.com/browse/SERVER-2597
-    if defined?(Puppet::Server::HttpClient) && conn.is_a?(Puppet::Server::HttpClient) && options[:basic_auth]
-      require 'base64'
-      encoded = Base64.strict_encode64("#{options[:basic_auth][:user]}:#{options[:basic_auth][:password]}")
-      headers["Authorization"] = "Basic #{encoded}"
-    end
-
     path = uri.path
     path += "?#{uri.query}" if uri.query
     response = conn.get(path, headers, options)

lib/puppet/functions/foreman/to_symbolized_yaml.rb

@@ -6,6 +6,8 @@
 #
 # In Foreman often YAML files have symbols as keys. Since it's hard to do that
 # from Puppet, this function does it for you.
+# If the Input contains any sensitive Data, the returned YAML-String
+# will be also of Datatype Sensitive.
 #
 # @example How to output YAML
 #   # output yaml to a file
@@ -22,17 +24,32 @@
   # @param data
   # @param options
   #
-  # @return [String]
+  # @return [Variant[String, Sensitive[String]]]
   dispatch :to_symbolized_yaml do
     param 'Any', :data
     optional_param 'Hash', :options
   end
 
   def to_symbolized_yaml(data, options = {})
+    return_sensitive = false
+    if data.respond_to?(:unwrap)
+      data = data.unwrap
+      return_sensitive = true
+    end
     if data.is_a?(Hash)
-      data = Hash[data.map { |k, v| [k.to_sym, v] }]
+      data = data.map do |k, v|
+        if v.respond_to?(:unwrap)
+          v = v.unwrap
+          return_sensitive = true
+        end
+        [k.to_sym, v]
+      end.to_h
     end
 
-    data.to_yaml(options)
+    if return_sensitive
+      Puppet::Pops::Types::PSensitiveType::Sensitive.new(data.to_yaml(options))
+    else
+      data.to_yaml(options)
+    end
   end
 end

lib/puppet/type/foreman_smartproxy.rb

@@ -68,6 +68,10 @@ def is_to_s(value)
     defaultto 500
   end
 
+  autorequire(:anchor) do
+    ['foreman::providers::oauth']
+  end
+
   def refresh
     if @parameters[:ensure].retrieve == :present
       provider.refresh_features! if provider.respond_to?(:refresh_features!)

manifests/cli.pp

@@ -22,8 +22,6 @@
 #
 # $ssl_ca_file::          Path to SSL certificate authority
 #
-# $hammer_plugin_prefix:: Hammer plugin package prefix based normally on platform
-#
 # $version::              foreman-cli package version, it's passed to ensure parameter of package resource
 #                         can be set to specific version number, 'latest', 'present' etc.
 #
@@ -37,7 +35,6 @@
   Boolean $refresh_cache = $foreman::cli::params::refresh_cache,
   Integer[-1] $request_timeout = $foreman::cli::params::request_timeout,
   Optional[Stdlib::Absolutepath] $ssl_ca_file = $foreman::cli::params::ssl_ca_file,
-  String $hammer_plugin_prefix = $foreman::cli::params::hammer_plugin_prefix,
 ) inherits foreman::cli::params {
   # Inherit URL & auth parameters from foreman class if possible
   if defined('$foreman::foreman_url') {
@@ -60,7 +57,16 @@
     owner   => 'root',
     group   => 'root',
     mode    => '0644',
-    content => template('foreman/hammer_etc.yml.erb'),
+    content => epp(
+      'foreman/hammer_etc.yml.epp',
+      {
+        host            => $foreman_url_real,
+        use_sessions    => $use_sessions,
+        refresh_cache   => $refresh_cache,
+        request_timeout => $request_timeout,
+        ssl_ca_file     => $ssl_ca_file_real,
+      }
+    ),
   }
 
   # Separate configuration for admin username/password
@@ -83,7 +89,13 @@
       group   => 'root',
       mode    => '0600',
       replace => false,
-      content => template('foreman/hammer_root.yml.erb'),
+      content => epp(
+        'foreman/hammer_root.yml.epp',
+        {
+          username => $username_real,
+          password => $password_real,
+        }
+      ),
     }
   }
 

manifests/cli/globals.pp

@@ -0,0 +1,9 @@
+# @summary Global overrides on parameters that hardly ever change
+#
+# @param hammer_plugin_prefix
+#   Hammer plugin package prefix based normally on platform
+#
+class foreman::cli::globals (
+  Optional[String] $hammer_plugin_prefix = undef,
+) {
+}

manifests/cli/params.pp

@@ -1,5 +1,5 @@
 # Parameters for Foreman CLI class
-class foreman::cli::params {
+class foreman::cli::params inherits foreman::cli::globals {
   $foreman_url = undef
   $version = 'installed'
   $manage_root_config = true
@@ -15,35 +15,36 @@
     'RedHat': {
       # We use system packages except on EL7
       if versioncmp($facts['os']['release']['major'], '8') >= 0 {
-        $hammer_plugin_prefix = 'rubygem-hammer_cli_'
+        $_hammer_plugin_prefix = 'rubygem-hammer_cli_'
       } else {
-        $hammer_plugin_prefix = 'tfm-rubygem-hammer_cli_'
+        $_hammer_plugin_prefix = 'tfm-rubygem-hammer_cli_'
       }
     }
     'Debian': {
-      $hammer_plugin_prefix = 'ruby-hammer-cli-'
+      $_hammer_plugin_prefix = 'ruby-hammer-cli-'
     }
     'Linux': {
       case $facts['os']['name'] {
         'Amazon': {
-          $hammer_plugin_prefix = 'tfm-rubygem-hammer_cli_'
+          $_hammer_plugin_prefix = 'tfm-rubygem-hammer_cli_'
         }
         default: {
           fail("${facts['networking']['hostname']}: This module does not support operatingsystem ${facts['os']['name']}")
         }
       }
     }
     /(ArchLinux|Suse)/: {
-      $hammer_plugin_prefix = undef
+      $_hammer_plugin_prefix = undef
     }
     /^(FreeBSD|DragonFly)$/: {
-      $hammer_plugin_prefix = undef
+      $_hammer_plugin_prefix = undef
     }
     'windows': {
-      $hammer_plugin_prefix = undef
+      $_hammer_plugin_prefix = undef
     }
     default: {
       fail("${facts['networking']['hostname']}: This module does not support osfamily ${facts['os']['family']}")
     }
   }
+  $hammer_plugin_prefix = pick($foreman::cli::globals::hammer_plugin_prefix, $_hammer_plugin_prefix)
 }

manifests/cli/plugin.pp

@@ -9,7 +9,7 @@
 # $version:: The package version to ensure
 #
 define foreman::cli::plugin (
-  String $package = "${foreman::cli::hammer_plugin_prefix}${title}",
+  String $package = "${foreman::cli::params::hammer_plugin_prefix}${title}",
   String $version = 'installed',
 ) {
   # Debian gem2deb converts underscores to hyphens

manifests/config.pp

@@ -50,8 +50,10 @@
     content  => template('foreman/foreman.service-overrides.erb'),
   }
 
-  file { $foreman::app_root:
-    ensure  => directory,
+  if ! defined(File[$foreman::app_root]) {
+    file { $foreman::app_root:
+      ensure  => directory,
+    }
   }
 
   if $foreman::db_root_cert {
@@ -74,16 +76,24 @@
   }
 
   if $foreman::manage_user {
+    if $foreman::puppet_ssldir in $foreman::server_ssl_key or $foreman::puppet_ssldir in $foreman::client_ssl_key {
+      $_user_groups = $foreman::user_groups + ['puppet']
+    } else {
+      $_user_groups = $foreman::user_groups
+    }
+
     group { $foreman::group:
       ensure => 'present',
+      system => true,
     }
     user { $foreman::user:
       ensure  => 'present',
-      shell   => '/bin/false',
+      shell   => $foreman::user_shell,
       comment => 'Foreman',
       home    => $foreman::app_root,
       gid     => $foreman::group,
-      groups  => $foreman::user_groups,
+      groups  => unique($_user_groups),
+      system  => true,
     }
   }
 
@@ -120,10 +130,6 @@
     $foreman_socket_override = template('foreman/foreman.socket-overrides.erb')
 
     if $foreman::ipa_authentication {
-      unless fact('foreman_ipa.default_server') and fact('foreman_ipa.default_realm') {
-        fail("${facts['networking']['hostname']}: The system does not seem to be IPA-enrolled")
-      }
-
       if $facts['os']['selinux']['enabled'] {
         selboolean { ['allow_httpd_mod_auth_pam', 'httpd_dbus_sssd']:
           persistent => true,
@@ -147,14 +153,16 @@
         content => template('foreman/pam_service.erb'),
       }
 
+      $http_keytab = pick($foreman::http_keytab, "${apache::conf_dir}/http.keytab")
+
       exec { 'ipa-getkeytab':
         command => "/bin/echo Get keytab \
           && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k \
-          && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s ${facts['foreman_ipa']['default_server']} -k ${foreman::http_keytab} -p HTTP/${facts['networking']['fqdn']} \
+          && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -k ${http_keytab} -p HTTP/${facts['networking']['fqdn']} \
           && kdestroy -c KEYRING:session:get-http-service-keytab",
-        creates => $foreman::http_keytab,
+        creates => $http_keytab,
       }
-      -> file { $foreman::http_keytab:
+      -> file { $http_keytab:
         ensure => file,
         owner  => $apache::user,
         mode   => '0600',
@@ -168,16 +176,16 @@
         ssl_content => template('foreman/lookup_identity.conf.erb'),
       }
 
-      foreman::config::apache::fragment { 'auth_kerb':
-        ssl_content => template('foreman/auth_kerb.conf.erb'),
+      foreman::config::apache::fragment { 'auth_gssapi':
+        ssl_content => template('foreman/auth_gssapi.conf.erb'),
       }
 
 
       if $foreman::ipa_manage_sssd {
-        $sssd = $facts['foreman_sssd']
+        $sssd = pick(fact('foreman_sssd'), {})
         $sssd_services = join(unique(pick($sssd['services'], []) + ['ifp']), ', ')
         $sssd_ldap_user_extra_attrs = join(unique(pick($sssd['ldap_user_extra_attrs'], []) + ['email:mail', 'lastname:sn', 'firstname:givenname']), ', ')
-        $sssd_allowed_uids = join(unique(pick($sssd['allowed_uids'], []) + ['apache', 'root']), ', ')
+        $sssd_allowed_uids = join(unique(pick($sssd['allowed_uids'], []) + [$apache::user, 'root']), ', ')
         $sssd_user_attributes = join(unique(pick($sssd['user_attributes'], []) + ['+email', '+firstname', '+lastname']), ', ')
 
         augeas { 'sssd-ifp-extra-attributes':