voxpupuli · liamjbennett · May 23, 2015 · May 22, 2015 · wcooley · Jun 2, 2015
diff --git a/README.md b/README.md
@@ -109,6 +109,21 @@ A hash of the rundeck security configuration.
 #####`manage_yum_repo`
 Whether to manage the YUM repository containing the Rundeck rpm. Defaults to true.
 
+####Define: `aclpolicyfile`
+A definition for creating custom acl policy files
+
+#####`acl_policies`
+An array containing acl policies. See rundeck::params::acl_policies / rundeck::params::api_policies as an example.
+
+#####`owner`
+The user that rundeck is installed as.
+
+#####`group`
+The group permission that rundeck is installed as.
+
+#####`properties_dir`
+The rundeck configuration directory.
+
 ####Define: `rundeck::plugin`
 A definition for installing rundeck plugins
 
@@ -226,6 +241,7 @@ The group permission that rundeck is installed as.
 
 ###Defines
 ####Public Defines
+* [`rundeck::config::aclpolicyfile`](#define-aclpolicyfile): Manages a acl policy file
 * [`rundeck::config::plugin`](#define-rundeckplugin): Manages the installation of rundeck plugins
 * [`rundeck::config::project`](#define-rundeckproject): Manages the configuration of rundeck projects
 * [`rundeck::config::resource_source`](#define-resourcesource): Manages resource sources for each project

diff --git a/manifests/config.pp b/manifests/config.pp
@@ -82,20 +82,12 @@
     require => File[$properties_dir]
   }
 
-  file { "${properties_dir}/admin.aclpolicy":
-    owner   => $user,
-    group   => $group,
-    mode    => '0640',
-    content => template($rundeck::acl_template),
-    require => File[$properties_dir]
+  rundeck::config::aclpolicyfile { 'admin':
+    acl_policies => $acl_policies,
   }
 
-  file { "${properties_dir}/apitoken.aclpolicy":
-    owner   => $user,
-    group   => $group,
-    mode    => '0640',
-    content => template('rundeck/apitoken.aclpolicy.erb'),
-    require => File[$properties_dir]
+  rundeck::config::aclpolicyfile { 'apitoken':
+    acl_policies => $api_policies,
   }
 
   file { "${properties_dir}/profile":

diff --git a/manifests/config/aclpolicyfile.pp b/manifests/config/aclpolicyfile.pp
@@ -0,0 +1,81 @@
+# Author::    Johannes Graf (mailto:graf@synyx.de)
+# Copyright:: Copyright (c) 2015 synyx GmbH & Co. KG
+# License::   MIT
+
+# == Define rundeck::config::aclpolicyfile
+#
+# Use this define to create a custom acl policy file
+#
+# === Parameters
+#
+# [*acl_policies*]
+#  An array containing acl policies. See rundeck::params::acl_policies / rundeck::params::api_policies as an example.
+#
+# [*$owner*]
+#  The user that rundeck is installed as.
+#
+# [*$group*]
+#  The group permission that rundeck is installed as.
+#
+# [*$properties_dir*]
+#  The rundeck configuration directory.
+#
+# === Examples
+#
+# Create the admin.aclpolicy file:
+#
+# rundeck::config::aclpolicyfile { 'myPolicyFile':
+#   acl_policies => [
+#     {
+#       'description' => 'Admin, all access',
+#       'context' => {
+#         'type' => 'project',
+#         'rule' => '.*'
+#       },
+#       'resource_types' => [
+#         { 'type'  => 'resource', 'rules' => [{ 'name' => 'allow','rule' => '*' }] },
+#         { 'type'  => 'adhoc', 'rules' => [{ 'name' => 'allow','rule' => '*' }] },
+#         { 'type'  => 'job', 'rules' => [{ 'name' => 'allow','rule' => '*' }] },
+#         { 'type'  => 'node', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }
+#       ],
+#       'by' => {
+#         'groups'    => ['admin'],
+#         'usernames' => undef
+#       }
+#     },
+#     {
+#       'description' => 'Admin, all access',
+#       'context' => {
+#         'type' => 'application',
+#         'rule' => 'rundeck'
+#       },
+#       'resource_types' => [
+#         { 'type'  => 'resource', 'rules' => [{ 'name' => 'allow','rule' => '*' }] },
+#         { 'type'  => 'project', 'rules' => [{ 'name' => 'allow','rule' => '*' }] },
+#         { 'type'  => 'storage', 'rules' => [{ 'name' => 'allow','rule' => '*' }] },
+#       ],
+#       'by' => {
+#         'groups'    => ['admin'],
+#         'usernames' => undef
+#       }
+#     }
+#   ],
+# }
+#
+define rundeck::config::aclpolicyfile(
+  $acl_policies,
+  $owner          = $rundeck::user,
+  $group          = $rundeck::group,
+  $properties_dir = $rundeck::framework_config['framework.etc.dir'],
+) {
+
+  validate_array($acl_policies)
+
+  file { "${properties_dir}/${name}.aclpolicy":
+    owner   => $owner,
+    group   => $group,
+    mode    => '0640',
+    content => template("${module_name}/aclpolicy.erb"),
+    require => File[$properties_dir],
+  }
+}
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -65,8 +65,8 @@
   $auth_users = {}
   $auth_template = 'rundeck/jaas-auth.conf.erb'
 
-  $acl_template = 'rundeck/admin.aclpolicy.erb'
-  $api_template = 'rundeck/apitoken.aclpolicy.erb'
+  $acl_template = 'rundeck/aclpolicy.erb'
+  $api_template = 'rundeck/aclpolicy.erb'
 
   $acl_policies = [
     {

diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb
@@ -52,8 +52,8 @@
         end
 
 
-        it { should contain_file('/etc/rundeck/admin.aclpolicy') }
-        it { should contain_file('/etc/rundeck/apitoken.aclpolicy') }
+        it { should contain_rundeck__config__aclpolicyfile('admin') }
+        it { should contain_rundeck__config__aclpolicyfile('apitoken') }
 
       end
     end

diff --git a/spec/defines/config/aclpolicyfile_spec.rb b/spec/defines/config/aclpolicyfile_spec.rb
@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe 'rundeck::config::aclpolicyfile', :type => :define do
+
+    let(:title) {'myPolicy'}
+    let(:params) {{
+        :acl_policies   =>
+          [
+              {
+                'description' => 'Admin, all access',
+                'context' => {
+                  'type' => 'project',
+                  'rule' => '.*'
+                },
+                'resource_types' => [
+                  { 'type'  => 'resource', 'rules' => [{'name' => 'allow','rule' => '*'}] }
+                ],
+                'by' => {
+                  'groups'    => ['admin'],
+                }
+              },
+              {
+                'description' => 'Admin, all access',
+                'context' => {
+                  'type' => 'application',
+                  'rule' => 'rundeck'
+                },
+                'resource_types' => [
+                  { 'type'  => 'resource', 'rules' => [{'name' => 'allow','rule' => '*'}] }
+                ],
+                'by' => {
+                  'groups'    => ['admin'],
+                }
+              }
+          ],
+        :properties_dir => '/etc/rundeck',
+        :owner => 'myUser',
+        :group => 'myGroup',
+		}}
+
+    it { should contain_file('/etc/rundeck/myPolicy.aclpolicy').with(
+          {
+            'owner' => 'myUser',
+            'group' => 'myGroup',
+            'mode' => '0640',
+          }
+    )}
+
+end
+
diff --git a/templates/apitoken.aclpolicy.erb → templates/aclpolicy.erb b/templates/apitoken.aclpolicy.erb → templates/aclpolicy.erb
@@ -1,4 +1,4 @@
-<%- @api_policies.each_with_index do |policy, index| -%>
+<%- @acl_policies.each_with_index do |policy, index| -%>
 description: <%= policy['description'] %>
 context:
   <%= policy['context']['type'] %>: '<%= policy['context']['rule'] %>'
@@ -31,7 +31,7 @@ by:
    - '<%= username %>'
   <%- end -%>
 <%- end -%>
-<%- if index != (@api_policies.length-1) -%>
+<%- if index != (@acl_policies.length-1) -%>
 
 ---
 

diff --git a/templates/admin.aclpolicy.erb b/templates/admin.aclpolicy.erb