Merge pull request #157 from duritong/set-file-dir-mode-to-what-rpm-has

Align filemode on RedHat to distro default
voxpupuli · Jan 7, 2023 · 069c9fd · 069c9fd
2 parents 0e7fe75 + 0b7bcb5
commit 069c9fd
Show file tree

Hide file tree

Showing 15 changed files with 115 additions and 48 deletions.
diff --git a/data/common.yaml b/data/common.yaml
@@ -1,3 +1,3 @@
 ---
-
+nftables::default_config_mode: '0640'
 nftables::configuration_path: '/etc/sysconfig/nftables.conf'
diff --git a/data/os/RedHat.yaml b/data/os/RedHat.yaml
@@ -1,3 +1,4 @@
 ---
 nftables::nft_path: /usr/sbin/nft
 nftables::echo: /usr/bin/echo
+nftables::default_config_mode: '0600'
diff --git a/manifests/chain.pp b/manifests/chain.pp
@@ -15,7 +15,7 @@
       path           => "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft",
       owner          => root,
       group          => root,
-      mode           => '0640',
+      mode           => $nftables::default_config_mode,
       ensure_newline => true,
       require        => Package['nftables'],
   } ~> Exec['nft validate'] -> file {
@@ -24,7 +24,7 @@
       source => "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft",
       owner  => root,
       group  => root,
-      mode   => '0640',
+      mode   => $nftables::default_config_mode,
   } ~> Service['nftables']
 
   concat::fragment {

diff --git a/manifests/config.pp b/manifests/config.pp
@@ -19,14 +19,14 @@
       ensure_newline => true,
       owner          => root,
       group          => root,
-      mode           => '0640',
+      mode           => $nftables::default_config_mode,
   } ~> Exec['nft validate'] -> file {
     "/etc/nftables/puppet/${prefix}${name}.nft":
       ensure => file,
       source => "/etc/nftables/puppet-preflight/${prefix}${name}.nft",
       owner  => root,
       group  => root,
-      mode   => '0640',
+      mode   => $nftables::default_config_mode,
   } ~> Service['nftables']
 
   $data = split($name, '-')

diff --git a/manifests/file.pp b/manifests/file.pp
@@ -30,14 +30,14 @@
     ensure  => file,
     owner   => root,
     group   => root,
-    mode    => '0640',
+    mode    => $nftables::default_config_mode,
     content => $content,
     source  => $source,
   } ~> Exec['nft validate'] -> file { "/etc/nftables/puppet/${prefix}${label}.nft":
     ensure  => file,
     owner   => root,
     group   => root,
-    mode    => '0640',
+    mode    => $nftables::default_config_mode,
     content => $content,
     source  => $source,
   } ~> Service['nftables']

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -96,6 +96,10 @@
 # @param echo
 #   Path to the echo binary
 #
+# @param default_config_mode
+#   The default file & dir mode for configuration files and directories. The
+#   default varies depending on the system, and is set in the module's data.
+#
 class nftables (
   Boolean $in_ssh = true,
   Boolean $in_icmp = true,
@@ -120,6 +124,7 @@
   Stdlib::Unixpath $echo,
   Stdlib::Unixpath $configuration_path,
   Stdlib::Unixpath $nft_path,
+  Stdlib::Filemode $default_config_mode,
 ) {
   package { 'nftables':
     ensure => installed,
@@ -132,13 +137,13 @@
     default:
       owner => 'root',
       group => 'root',
-      mode  => '0640';
+      mode  => $default_config_mode;
     '/etc/nftables':
       ensure => directory,
-      mode   => '0750';
+      mode   => $default_config_mode;
     '/etc/nftables/puppet-preflight':
       ensure  => directory,
-      mode    => '0750',
+      mode    => $default_config_mode,
       purge   => true,
       force   => true,
       recurse => true;
@@ -158,7 +163,7 @@
     default:
       owner => 'root',
       group => 'root',
-      mode  => '0640';
+      mode  => $default_config_mode;
     '/etc/nftables/puppet.nft':
       ensure  => file,
       content => epp('nftables/config/puppet.nft.epp', {
@@ -169,7 +174,7 @@
       );
     '/etc/nftables/puppet':
       ensure  => directory,
-      mode    => '0750',
+      mode    => $default_config_mode,
       purge   => true,
       force   => true,
       recurse => true;

diff --git a/spec/classes/dnat4_spec.rb b/spec/classes/dnat4_spec.rb
@@ -9,6 +9,13 @@
     context "on #{os}" do
       let(:facts) { os_facts }
 
+      nft_mode = case os_facts[:os]['family']
+                 when 'RedHat'
+                   '0600'
+                 else
+                   '0640'
+                 end
+
       context 'with dnat' do
         let(:pre_condition) do
           '
@@ -57,7 +64,7 @@
             path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',
             owner: 'root',
             group: 'root',
-            mode: '0640',
+            mode: nft_mode,
             ensure_newline: true
           )
         }
@@ -139,7 +146,7 @@
             path: '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
             owner: 'root',
             group: 'root',
-            mode: '0640',
+            mode: nft_mode,
             ensure_newline: true
           )
         }

diff --git a/spec/classes/inet_filter_spec.rb b/spec/classes/inet_filter_spec.rb
@@ -9,15 +9,20 @@
     context "on #{os}" do
       let(:facts) { os_facts }
 
-      it { is_expected.to compile }
+      nft_mode = case os_facts[:os]['family']
+                 when 'RedHat'
+                   '0600'
+                 else
+                   '0640'
+                 end
 
       it {
         expect(subject).to contain_concat('nftables-inet-filter').with(
           path: '/etc/nftables/puppet-preflight/inet-filter.nft',
           ensure: 'present',
           owner: 'root',
           group: 'root',
-          mode: '0640'
+          mode: nft_mode
         )
       }
 
@@ -50,7 +55,7 @@
             path: '/etc/nftables/puppet-preflight/inet-filter-chain-INPUT.nft',
             owner: 'root',
             group: 'root',
-            mode: '0640',
+            mode: nft_mode,
             ensure_newline: true
           )
         }
@@ -132,7 +137,7 @@
             path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_in.nft',
             owner: 'root',
             group: 'root',
-            mode: '0640',
+            mode: nft_mode,
             ensure_newline: true
           )
         }
@@ -172,7 +177,7 @@
             path: '/etc/nftables/puppet-preflight/inet-filter-chain-OUTPUT.nft',
             owner: 'root',
             group: 'root',
-            mode: '0640',
+            mode: nft_mode,
             ensure_newline: true
           )
         }
@@ -254,7 +259,7 @@
             path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_out.nft',
             owner: 'root',
             group: 'root',
-            mode: '0640',
+            mode: nft_mode,
             ensure_newline: true
           )
         }
@@ -326,7 +331,7 @@
             path: '/etc/nftables/puppet-preflight/inet-filter-chain-FORWARD.nft',
             owner: 'root',
             group: 'root',
-            mode: '0640',
+            mode: nft_mode,
             ensure_newline: true
           )
         }
@@ -404,7 +409,7 @@
             path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',
             owner: 'root',
             group: 'root',
-            mode: '0640',
+            mode: nft_mode,
             ensure_newline: true
           )
         }
@@ -432,7 +437,7 @@
             path: '/etc/nftables/puppet-preflight/inet-filter-chain-global.nft',
             owner: 'root',
             group: 'root',
-            mode: '0640',
+            mode: nft_mode,
             ensure_newline: true
           )
         }

diff --git a/spec/classes/ip_nat_spec.rb b/spec/classes/ip_nat_spec.rb
@@ -9,6 +9,13 @@
     context "on #{os}" do
       let(:facts) { os_facts }
 
+      nft_mode = case os_facts[:os]['family']
+                 when 'RedHat'
+                   '0600'
+                 else
+                   '0640'
+                 end
+
       it { is_expected.to compile }
 
       it {
@@ -17,7 +24,7 @@
           ensure: 'present',
           owner: 'root',
           group: 'root',
-          mode: '0640'
+          mode: nft_mode
         )
       }
 
@@ -51,7 +58,7 @@
           ensure: 'present',
           owner: 'root',
           group: 'root',
-          mode: '0640'
+          mode: nft_mode
         )
       }
 
@@ -85,7 +92,7 @@
             path: '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
             owner: 'root',
             group: 'root',
-            mode: '0640',
+            mode: nft_mode,
             ensure_newline: true
           )
         }
@@ -129,7 +136,7 @@
             path: '/etc/nftables/puppet-preflight/ip-nat-chain-POSTROUTING.nft',
             owner: 'root',
             group: 'root',
-            mode: '0640',
+            mode: nft_mode,
             ensure_newline: true
           )
         }
@@ -173,7 +180,7 @@
             path: '/etc/nftables/puppet-preflight/ip6-nat-chain-PREROUTING6.nft',
             owner: 'root',
             group: 'root',
-            mode: '0640',
+            mode: nft_mode,
             ensure_newline: true
           )
         }
@@ -217,7 +224,7 @@
             path: '/etc/nftables/puppet-preflight/ip6-nat-chain-POSTROUTING6.nft',
             owner: 'root',
             group: 'root',
-            mode: '0640',
+            mode: nft_mode,
             ensure_newline: true
           )
         }
@@ -270,7 +277,7 @@
             ensure: 'present',
             owner: 'root',
             group: 'root',
-            mode: '0640'
+            mode: nft_mode
           )
         }
       end

diff --git a/spec/classes/masquerade_spec.rb b/spec/classes/masquerade_spec.rb
@@ -9,6 +9,13 @@
     context "on #{os}" do
       let(:facts) { os_facts }
 
+      nft_mode = case os_facts[:os]['family']
+                 when 'RedHat'
+                   '0600'
+                 else
+                   '0640'
+                 end
+
       context 'with masquerade' do
         let(:pre_condition) do
           '
@@ -41,7 +48,7 @@
             path: '/etc/nftables/puppet-preflight/ip-nat-chain-POSTROUTING.nft',
             owner: 'root',
             group: 'root',
-            mode: '0640',
+            mode: nft_mode,
             ensure_newline: true
           )
         }

diff --git a/spec/classes/nftables_spec.rb b/spec/classes/nftables_spec.rb
@@ -22,6 +22,13 @@
                      '/etc/nftables.conf'
                    end
 
+      nft_mode = case os_facts[:os]['family']
+                 when 'RedHat'
+                   '0600'
+                 else
+                   '0640'
+                 end
+
       it { is_expected.to compile.with_all_deps }
 
       it { is_expected.to contain_package('nftables') }
@@ -31,7 +38,7 @@
           ensure: 'directory',
           owner: 'root',
           group: 'root',
-          mode: '0750'
+          mode: nft_mode
         )
       }
 
@@ -40,7 +47,7 @@
           ensure: 'file',
           owner: 'root',
           group: 'root',
-          mode: '0640',
+          mode: nft_mode,
           content: %r{flush ruleset}
         )
       }
@@ -56,7 +63,7 @@
           ensure: 'directory',
           owner: 'root',
           group: 'root',
-          mode: '0750',
+          mode: nft_mode,
           purge: true,
           force: true,
           recurse: true
@@ -68,7 +75,7 @@
           ensure: 'file',
           owner: 'root',
           group: 'root',
-          mode: '0640',
+          mode: nft_mode,
           content: %r{flush ruleset}
         )
       }
@@ -84,7 +91,7 @@
           ensure: 'directory',
           owner: 'root',
           group: 'root',
-          mode: '0750',
+          mode: nft_mode,
           purge: true,
           force: true,
           recurse: true