Allow specifying owner/group/mode/show_diff (#94)

Some systemd files could contain sensitive information like .netdev files associated with wireguard devices that contain private keys and potentially pre-shared keys.
voxpupuli · Dec 11, 2018 · 629a8fb · 629a8fb
1 parent f6929de
commit 629a8fb
Show file tree

Hide file tree

Showing 4 changed files with 132 additions and 55 deletions.
diff --git a/manifests/dropin_file.pp b/manifests/dropin_file.pp
@@ -27,14 +27,30 @@
 #
 #   * Mutually exclusive with both ``$source`` and ``$content``
 #
+# @attr owner
+#   The owner to set on the dropin file
+#
+# @attr group
+#   The group to set on the dropin file
+#
+# @attr mode
+#   The mode to set on the dropin file
+#
+# @attr show_diff
+#   Whether to show the diff when updating dropin file
+#
 define systemd::dropin_file(
   Systemd::Unit                     $unit,
-  Systemd::Dropin                   $filename = $name,
-  Enum['present', 'absent', 'file'] $ensure   = 'present',
-  Stdlib::Absolutepath              $path     = '/etc/systemd/system',
-  Optional[String]                  $content  = undef,
-  Optional[String]                  $source   = undef,
-  Optional[Stdlib::Absolutepath]    $target   = undef,
+  Systemd::Dropin                   $filename  = $name,
+  Enum['present', 'absent', 'file'] $ensure    = 'present',
+  Stdlib::Absolutepath              $path      = '/etc/systemd/system',
+  Optional[String]                  $content   = undef,
+  Optional[String]                  $source    = undef,
+  Optional[Stdlib::Absolutepath]    $target    = undef,
+  String                            $owner     = 'root',
+  String                            $group     = 'root',
+  String                            $mode      = '0444',
+  Boolean                           $show_diff = true,
 ) {
   include systemd
 
@@ -58,13 +74,14 @@
   }
 
   file { "${path}/${unit}.d/${filename}":
-    ensure  => $_ensure,
-    content => $content,
-    source  => $source,
-    target  => $target,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0444',
-    notify  => Class['systemd::systemctl::daemon_reload'],
+    ensure    => $_ensure,
+    content   => $content,
+    source    => $source,
+    target    => $target,
+    owner     => $owner,
+    group     => $group,
+    mode      => $mode,
+    show_diff => $show_diff,
+    notify    => Class['systemd::systemctl::daemon_reload'],
   }
 }
diff --git a/manifests/network.pp b/manifests/network.pp
@@ -1,12 +1,16 @@
 # -- Define: systemd::network
 # Creates network config for systemd-networkd
 define systemd::network (
-  Enum['file', 'absent'] $ensure         = file,
-  Stdlib::Absolutepath $path             = '/etc/systemd/network',
-  Optional[String] $content              = undef,
-  Optional[String] $source               = undef,
-  Optional[Stdlib::Absolutepath] $target = undef,
-  Boolean $restart_service               = true,
+  Enum['file', 'absent']         $ensure          = file,
+  Stdlib::Absolutepath           $path            = '/etc/systemd/network',
+  Optional[String]               $content         = undef,
+  Optional[String]               $source          = undef,
+  Optional[Stdlib::Absolutepath] $target          = undef,
+  String                         $owner           = 'root',
+  String                         $group           = 'root',
+  String                         $mode            = '0444',
+  Boolean                        $show_diff       = true,
+  Boolean                        $restart_service = true,
 ){
 
   include systemd
@@ -18,13 +22,14 @@
   }
 
   file { "${path}/${name}":
-    ensure  => $ensure,
-    content => $content,
-    source  => $source,
-    target  => $target,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0444',
-    notify  => $notify,
+    ensure    => $ensure,
+    content   => $content,
+    source    => $source,
+    target    => $target,
+    owner     => $owner,
+    group     => $group,
+    mode      => $mode,
+    show_diff => $show_diff,
+    notify    => $notify,
   }
 }
diff --git a/manifests/unit_file.pp b/manifests/unit_file.pp
@@ -27,20 +27,36 @@
 #
 #   * Mutually exclusive with both ``$source`` and ``$content``
 #
+# @attr owner
+#   The owner to set on the unit file
+#
+# @attr group
+#   The group to set on the unit file
+#
+# @attr mode
+#   The mode to set on the unit file
+#
+# @attr show_diff
+#   Whether to show the diff when updating unit file
+#
 # @attr enable
 #   If set, will manage the unit enablement status.
 #
 # @attr active
 #   If set, will manage the state of the unit.
 #
 define systemd::unit_file(
-  Enum['present', 'absent', 'file']        $ensure  = 'present',
-  Stdlib::Absolutepath                     $path    = '/etc/systemd/system',
-  Optional[String]                         $content = undef,
-  Optional[String]                         $source  = undef,
-  Optional[Stdlib::Absolutepath]           $target  = undef,
-  Optional[Variant[Boolean, Enum['mask']]] $enable  = undef,
-  Optional[Boolean]                        $active  = undef,
+  Enum['present', 'absent', 'file']        $ensure    = 'present',
+  Stdlib::Absolutepath                     $path      = '/etc/systemd/system',
+  Optional[String]                         $content   = undef,
+  Optional[String]                         $source    = undef,
+  Optional[Stdlib::Absolutepath]           $target    = undef,
+  String                                   $owner     = 'root',
+  String                                   $group     = 'root',
+  String                                   $mode      = '0444',
+  Boolean                                  $show_diff = true,
+  Optional[Variant[Boolean, Enum['mask']]] $enable    = undef,
+  Optional[Boolean]                        $active    = undef,
 ) {
   include systemd
 
@@ -56,14 +72,15 @@
   }
 
   file { "${path}/${name}":
-    ensure  => $_ensure,
-    content => $content,
-    source  => $source,
-    target  => $target,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0444',
-    notify  => Class['systemd::systemctl::daemon_reload'],
+    ensure    => $_ensure,
+    content   => $content,
+    source    => $source,
+    target    => $target,
+    owner     => $owner,
+    group     => $group,
+    mode      => $mode,
+    show_diff => $show_diff,
+    notify    => Class['systemd::systemctl::daemon_reload'],
   }
 
   if $enable != undef or $active != undef {

diff --git a/spec/defines/network_spec.rb b/spec/defines/network_spec.rb
@@ -1,21 +1,59 @@
 require 'spec_helper'
 
 describe 'systemd::network' do
-  let :params do
-    {
-      restart_service: true
-    }
-  end
+  context 'supported operating systems' do
+    on_supported_os.each do |os, facts|
+      context "on #{os}" do
+        # manage systemd-networkd service
+        let :pre_condition do
+          "class { 'systemd':
+            manage_networkd => true,
+          }"
+        end
 
-  let(:title) { 'eth0.network' }
+        let(:facts) { facts }
 
-  on_supported_os.each do |os, facts|
-    let :facts do
-      facts
-    end
+        let(:title) { 'eth0.network' }
+
+        let(:params) {{
+          :content         => 'random stuff',
+          :restart_service => true,
+        }}
+
+        it { is_expected.to compile.with_all_deps }
+
+        it { is_expected.to create_file("/etc/systemd/network/#{title}").with(
+          :ensure  => 'file',
+          :content => /#{params[:content]}/,
+          :mode    => '0444'
+        ) }
+
+        it { is_expected.to create_file("/etc/systemd/network/#{title}").that_notifies('Service[systemd-networkd]') }
+
+        context 'with group => systemd-network, mode => 0640 and show_diff => false' do
+          let(:title) { 'wg0.netdev' }
+
+          let(:params) {{
+            :content         => 'secret string',
+            :group           => 'systemd-network',
+            :mode            => '0640',
+            :show_diff       => false,
+            :restart_service => true,
+          }}
+
+          it { is_expected.to compile.with_all_deps }
+
+          it { is_expected.to create_file("/etc/systemd/network/#{title}").with(
+            :ensure    => 'file',
+            :content   => /#{params[:content]}/,
+            :group     => 'systemd-network',
+            :mode      => '0640',
+            :show_diff => false
+          ) }
 
-    context 'with all defaults' do
-      it { is_expected.to compile.with_all_deps }
+          it { is_expected.to create_file("/etc/systemd/network/#{title}").that_notifies('Service[systemd-networkd]') }
+        end
+      end
     end
   end
 end