voxpupuli · jyaworski · Nov 7, 2016 · Feb 22, 2016 · Feb 22, 2016 · Mar 24, 2016
diff --git a/manifests/resource/mailhost.pp b/manifests/resource/mailhost.pp
@@ -3,28 +3,54 @@
 # This definition creates a virtual host
 #
 # Parameters:
-#   [*ensure*]              - Enables or disables the specified mailhost (present|absent)
-#   [*listen_ip*]           - Default IP Address for NGINX to listen with this vHost on. Defaults to all interfaces (*)
-#   [*listen_port*]         - Default IP Port for NGINX to listen with this vHost on. Defaults to TCP 80
-#   [*listen_options*]      - Extra options for listen directive like 'default' to catchall. Undef by default.
-#   [*ipv6_enable*]         - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6
-#                             support exists on your system before enabling.
-#   [*ipv6_listen_ip*]      - Default IPv6 Address for NGINX to listen with this vHost on. Defaults to all interfaces (::)
-#   [*ipv6_listen_port*]    - Default IPv6 Port for NGINX to listen with this vHost on. Defaults to TCP 80
-#   [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on.
-#                             While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'.
-#   [*index_files*]         - Default index files for NGINX to read when traversing a directory
-#   [*ssl*]                 - Indicates whether to setup SSL bindings for this mailhost.
-#   [*ssl_cert*]            - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
-#   [*ssl_protocols*]       - SSL protocols enabled. Defaults to nginx::config::ssl_protocols
-#   [*ssl_ciphers*]         - Override default SSL ciphers (defaults to nginx::config::ssl_ciphers)
-#   [*ssl_key*]             - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
-#   [*ssl_port*]            - Default IP Port for NGINX to listen with this SSL vHost on. Defaults to TCP 443
-#   [*starttls*]            - Enable STARTTLS support: (on|off|only)
-#   [*protocol*]            - Mail protocol to use: (imap|pop3|smtp)
-#   [*auth_http*]           - With this directive you can set the URL to the external HTTP-like server for authorization.
-#   [*xclient*]             - Whether to use xclient for smtp (on|off)
-#   [*server_name*]         - List of mailhostnames for which this mailhost will respond. Default [$name].
+#   [*ensure*]                   - Enables or disables the specified mailhost (present|absent)
+#   [*listen_ip*]                - Default IP Address for NGINX to listen with this vHost on. Defaults to all interfaces (*)
+#   [*listen_port*]              - Default IP Port for NGINX to listen with this vHost on. Defaults to TCP 80
+#   [*listen_options*]           - Extra options for listen directive like 'default' to catchall. Undef by default.
+#   [*ipv6_enable*]              - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6
+#                                  support exists on your system before enabling.
+#   [*ipv6_listen_ip*]           - Default IPv6 Address for NGINX to listen with this vHost on. Defaults to all interfaces (::)
+#   [*ipv6_listen_port*]         - Default IPv6 Port for NGINX to listen with this vHost on. Defaults to TCP 80
+#   [*ipv6_listen_options*]      - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on.
+#                                  While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'.
+#   [*index_files*]              - Default index files for NGINX to read when traversing a directory
+#   [*ssl*]                      - Indicates whether to setup SSL bindings for this mailhost.
+#   [*ssl_cert*]                 - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
+#   [*ssl_ciphers*]              - Override default SSL ciphers (defaults to nginx::config::ssl_ciphers)
+#   [*ssl_client_cert*]          - Pre-generated SSL Certificate file to reference for client verify SSL Support. This is not generated by this module.
+#   [*ssl_crl*]                  - String: Specifies CRL path in file system
+#   [*ssl_dhparam*]              - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
+#                                  format, utilized for exchanging session keys between server and client.
+#   [*ssl_ecdh_curve*]           - This directive specifies a curve for ECDHE ciphers.
+#   [*ssl_key*]                  - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
+#   [*ssl_password_file*]        - This directive specifies a file containing passphrases for secret keys.
+#   [*ssl_port*]                 - Default IP Port for NGINX to listen with this SSL vHost on. Defaults to TCP 443
+#   [*ssl_protocols*]            - SSL protocols enabled. Defaults to nginx::config::ssl_protocols
+#   [*ssl_session_cache*]        - Sets the type and size of the session cache.
+#   [*ssl_session_ticket_key*]   - This directive specifies a file containing secret key used to encrypt and decrypt TLS session tickets.
+#   [*ssl_session_tickets*]      - Wheter to enable or disable session resumption through TLS session tickets.
+#   [*ssl_session_timeout*]      - String: Specifies a time during which a client may reuse the session parameters stored in a cache.
+#                                  Defaults to 5m.
+#   [*ssl_trusted_cert*]         - String: Specifies a file with trusted CA certificates in the PEM format used to verify client
+#                                  certificates and OCSP responses if ssl_stapling is enabled.
+#   [*ssl_verify_depth*]         - Sets the verification depth in the client certificates chain.
+#   [*starttls*]                 - Enable STARTTLS support: (on|off|only)
+#   [*protocol*]                 - Mail protocol to use: (imap|pop3|smtp)
+#   [*auth_http*]                - With this directive you can set the URL to the external HTTP-like server for authorization.
+#   [*xclient*]                  - Whether to use xclient for smtp (on|off)
+#   [*imap_auth*]                - Sets permitted methods of authentication for IMAP clients.
+#   [*imap_capabilities*]        - Sets the IMAP protocol extensions list that is passed to the client in response to the CAPABILITY command.
+#   [*imap_client_buffer*]       - Sets the IMAP commands read buffer size.
+#   [*pop3_auth*]                - Sets permitted methods of authentication for POP3 clients.
+#   [*pop3_capabilities*]        - Sets the POP3 protocol extensions list that is passed to the client in response to the CAPA command.
+#   [*smtp_auth*]                - Sets permitted methods of SASL authentication for SMTP clients.
+#   [*smtp_capabilities*]        - Sets the SMTP protocol extensions list that is passed to the client in response to the EHLO command.
+#   [*proxy_pass_error_message*] - Indicates whether to pass the error message obtained during the authentication on the backend to the client.
+#   [*server_name*]              - List of mailhostnames for which this mailhost will respond. Default [$name].
+#   [*raw_prepend*]              - A single string, or an array of strings to prepend to the server directive (after mailhost_cfg_prepend directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
+#   [*raw_append*]               - A single string, or an array of strings to append to the server directive (after mailhost_cfg_append directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
+#   [*mailhost_cfg_append*]      - It expects a hash with custom directives to put after everything else inside vhost
+#   [*mailhost_cfg_prepend*]     - It expects a hash with custom directives to put before everything else inside vhost
 #
 # Actions:
 #
@@ -45,25 +71,48 @@
 #  }
 define nginx::resource::mailhost (
   $listen_port,
-  $ensure              = 'present',
-  $listen_ip           = '*',
-  $listen_options      = undef,
-  $ipv6_enable         = false,
-  $ipv6_listen_ip      = '::',
-  $ipv6_listen_port    = 80,
-  $ipv6_listen_options = 'default ipv6only=on',
-  $ssl                 = false,
-  $ssl_cert            = undef,
-  $ssl_protocols       = $::nginx::config::ssl_protocols,
-  $ssl_ciphers         = $::nginx::config::ssl_ciphers,
-  $ssl_key             = undef,
-  $ssl_port            = undef,
-  $starttls            = 'off',
-  $protocol            = undef,
-  $auth_http           = undef,
-  $auth_http_header    = undef,
-  $xclient             = 'on',
-  $server_name         = [$name]
+  $ensure                   = 'present',
+  $listen_ip                = '*',
+  $listen_options           = undef,
+  $ipv6_enable              = false,
+  $ipv6_listen_ip           = '::',
+  $ipv6_listen_port         = 80,
+  $ipv6_listen_options      = 'default ipv6only=on',
+  $ssl                      = false,
+  $ssl_cert                 = undef,
+  $ssl_ciphers              = $::nginx::config::ssl_ciphers,
+  $ssl_client_cert          = undef,
+  $ssl_crl                  = undef,
+  $ssl_dhparam              = undef,
+  $ssl_ecdh_curve           = undef,
+  $ssl_key                  = undef,
+  $ssl_password_file        = undef,
+  $ssl_port                 = undef,
+  $ssl_protocols            = $::nginx::config::ssl_protocols,
+  $ssl_session_cache        = undef,
+  $ssl_session_ticket_key   = undef,
+  $ssl_session_tickets      = undef,
+  $ssl_session_timeout      = '5m',
+  $ssl_trusted_cert         = undef,
+  $ssl_verify_depth         = undef,
+  $starttls                 = 'off',
+  $protocol                 = undef,
+  $auth_http                = undef,
+  $auth_http_header         = undef,
+  $xclient                  = 'on',
+  $imap_auth                = undef,
+  $imap_capabilities        = undef,
+  $imap_client_buffer       = undef,
+  $pop3_auth                = undef,
+  $pop3_capabilities        = undef,
+  $smtp_auth                = undef,
+  $smtp_capabilities        = undef,
+  $raw_prepend              = undef,
+  $raw_append               = undef,
+  $mailhost_cfg_prepend     = undef,
+  $mailhost_cfg_append      = undef,
+  $proxy_pass_error_message = 'off',
+  $server_name              = [$name]
 ) {
 
   $root_group = $::nginx::config::root_group
@@ -104,7 +153,6 @@
     validate_string($ssl_cert)
   }
   validate_string($ssl_protocols)
-  validate_string($ssl_ciphers)
   if ($ssl_key != undef) {
     validate_string($ssl_key)
   }
@@ -113,9 +161,42 @@
       warning('DEPRECATION: String $ssl_port must be converted to an integer. Integer string support will be removed in a future release.')
     }
     elsif !is_integer($ssl_port) {
-      fail('$ssl_port must be an integer.')
+    fail('$ssl_port must be an integer.')
     }
   }
+  validate_string($ssl_ciphers)
+  if ($ssl_client_cert != undef) {
+    validate_string($ssl_client_cert)
+  }
+  if ($ssl_crl != undef) {
+    validate_string($ssl_crl)
+  }
+  if ($ssl_dhparam != undef) {
+    validate_string($ssl_dhparam)
+  }
+  if ($ssl_ecdh_curve != undef) {
+    validate_string($ssl_ecdh_curve)
+  }
+  validate_string($ssl_protocols)
+  if ($ssl_session_cache != undef) {
+    validate_string($ssl_session_cache)
+  }
+  if ($ssl_session_ticket_key != undef) {
+    validate_string($ssl_session_ticket_key)
+  }
+  if ($ssl_session_tickets != undef) {
+    validate_string($ssl_session_tickets)
+  }
+  validate_string($ssl_session_timeout)
+  if ($ssl_password_file != undef) {
+    validate_string($ssl_password_file)
+  }
+  if ($ssl_trusted_cert != undef) {
+    validate_string($ssl_trusted_cert)
+  }
+  if ($ssl_verify_depth != undef) and (!is_integer($ssl_verify_depth)) {
+    fail('$ssl_verify_depth must be an integer.')
+  }
   validate_re($starttls, '^(on|only|off)$',
     "${starttls} is not supported for starttls. Allowed values are 'on', 'only' and 'off'.")
   if ($protocol != undef) {
@@ -128,6 +209,48 @@
     validate_string($auth_http_header)
   }
   validate_string($xclient)
+  if ($imap_auth != undef) {
+    validate_string($imap_auth)
+  }
+  if ($imap_capabilities != undef) {
+    validate_array($imap_capabilities)
+  }
+  if ($imap_client_buffer != undef) {
+    validate_string($imap_client_buffer)
+  }
+  if ($pop3_auth != undef) {
+    validate_string($pop3_auth)
+  }
+  if ($pop3_capabilities != undef) {
+    validate_array($pop3_capabilities)
+  }
+  if ($smtp_auth != undef) {
+    validate_string($smtp_auth)
+  }
+  if ($smtp_capabilities != undef) {
+    validate_array($smtp_capabilities)
+  }
+  if ($raw_prepend != undef) {
+    if (is_array($raw_prepend)) {
+      validate_array($raw_prepend)
+    } else {
+      validate_string($raw_prepend)
+    }
+  }
+  if ($raw_append != undef) {
+    if (is_array($raw_append)) {
+      validate_array($raw_append)
+    } else {
+      validate_string($raw_append)
+    }
+  }
+  if ($mailhost_cfg_prepend != undef) {
+    validate_hash($mailhost_cfg_prepend)
+  }
+  if ($mailhost_cfg_append != undef) {
+    validate_hash($mailhost_cfg_append)
+  }
+  validate_string($proxy_pass_error_message)
   validate_array($server_name)
 
   $config_file = "${::nginx::config::conf_dir}/conf.mail.d/${name}.conf"