Merge branch 'master' of bitbucket.org:tmakinen/puppet

cups/files/cupsd.conf

@@ -1,88 +0,0 @@
-#
-# "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $"
-#
-#   Sample configuration file for the Common UNIX Printing System (CUPS)
-#   scheduler.  See "man cupsd.conf" for a complete description of this
-#   file.
-#
-MaxLogSize 2000000000
-
-# Log general information in error_log - change "info" to "debug" for
-# troubleshooting...
-LogLevel info
-
-# Administrator user group...
-SystemGroup sys root sysadm
-
-# Disable preserving jobs
-PreserveJobFiles Off
-PreserveJobHistory Off
-
-# Only listen for connections from the local machine.
-Listen *:631
-Listen /var/run/cups/cups.sock
-
-# Show shared printers on the local network.
-Browsing On
-BrowseOrder allow,deny
-# (Change '@LOCAL' to 'ALL' if using directed broadcasts from another subnet.)
-BrowseAllow @LOCAL
-
-# Default authentication type, when authentication is required...
-DefaultAuthType Basic
-
-# Restrict access to the server...
-<Location />
-  Order allow,deny
-  Allow @LOCAL
-</Location>
-
-# Restrict access to the admin pages...
-<Location /admin>
-  Encryption Required
-  Order allow,deny
-</Location>
-
-# Restrict access to configuration files...
-<Location /admin/conf>
-  AuthType Default
-  Require user @SYSTEM
-  Order allow,deny
-</Location>
-
-# Set the default printer/job policies...
-<Policy default>
-  # Job-related operations must be done by the owner or an administrator...
-  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
-    Require user @OWNER @SYSTEM
-    Order deny,allow
-  </Limit>
-
-  # All administration operations require an administrator to authenticate...
-  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
-    AuthType Default
-    Require user @SYSTEM
-    Order deny,allow
-  </Limit>
-
-  # All printer operations require a printer operator to authenticate...
-  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
-    AuthType Default
-    Require user @SYSTEM
-    Order deny,allow
-  </Limit>
-
-  # Only the owner or an administrator can cancel or authenticate a job...
-  <Limit Cancel-Job CUPS-Authenticate-Job>
-    Require user @OWNER @SYSTEM
-    Order deny,allow
-  </Limit>
-
-  <Limit All>
-    Order deny,allow
-  </Limit>
-</Policy>
-
-#
-# End of "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $".
-#

cups/manifests/init.pp

@@ -55,20 +55,56 @@ class cups::client {
 
 # Install cups server
 #
-class cups::server inherits cups::client {
+# === Parameters:
+#
+#     $admin_group:
+#         Group name which is allowed to modify printers.
+#
+#     $manager_group:
+#         Group name which is allowed to remove jobs from print
+#         queues.
+#
+#     $ssl_cert:
+#         Path to SSL certificate. Defaults to auto generated
+#         certificate.
+#
+#     $ssl_key:
+#         Path to SSL key. Defaults to auto generated key.
+#
+class cups::server($admin_group=undef, $manager_group=undef,
+                   $ssl_cert=undef, $ssl_key=undef) inherits cups::client {
+
+    require ssl
 
     package { [ "ghostscript", "system-config-printer" ]:
         ensure => installed,
     }
 
+    if $ssl_key and $ssl_cert {
+        file { "${ssl::private}/cups.key":
+            ensure => present,
+            source => $ssl_key,
+            mode   => "0600",
+            owner  => "root",
+            group  => "root",
+            notify => Service["cups"],
+        }
+        file { "${ssl::certs}/cups.crt":
+            ensure => present,
+            source => $ssl_cert,
+            mode   => "0644",
+            owner  => "root",
+            group  => "root",
+            notify => Service["cups"],
+        }
+    }
+
     file { "/etc/cups/cupsd.conf":
         ensure  => present,
-        source  => [ "puppet:///files/cups/cupsd.conf.${::homename}",
+        content => template("cups/cupsd.conf.erb"),
-                     "puppet:///files/cups/cupsd.conf",
-                     "puppet:///modules/cups/cupsd.conf", ],
         mode    => "0640",
-        owner   => root,
+        owner   => "root",
-        group   => lp,
+        group   => "lp",
         require => Package["cups"],
         notify  => Service["cups"],
     }

cups/templates/cupsd.conf.erb

@@ -0,0 +1,135 @@
+MaxLogSize 0
+#
+# "$Id: cupsd.conf.in 8805 2009-08-31 16:34:06Z mike $"
+#
+# Sample configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
+# complete description of this file.
+#
+
+<% if @ssl_cert and @ssl_key -%>
+# SSL support
+ServerCertificate <%= scope.lookupvar('ssl::certs') %>/cups.crt
+ServerKey <%= scope.lookupvar('ssl::private') %>/cups.key
+
+<% end -%>
+# Do not preserve history
+PreserveJobFiles Off
+PreserveJobHistory Off
+
+# Log general information in error_log - change "warn" to "debug"
+# for troubleshooting...
+LogLevel info
+AccessLog syslog
+ErrorLog syslog
+
+# Administrator user group...
+SystemGroup sys root <% if @admin_group %><%= @admin_group %><% end %>
+
+# Listen all interfaces for connections.
+ServerAlias *
+Listen *:631
+Listen /var/run/cups/cups.sock
+
+# Show shared printers on the local network.
+Browsing On
+BrowseOrder allow,deny
+BrowseAllow @LOCAL
+BrowseLocalProtocols CUPS dnssd
+
+# Default authentication type, when authentication is required...
+DefaultAuthType Basic
+
+# Restrict access to the server...
+<Location />
+  Order allow,deny
+  Allow from @LOCAL
+</Location>
+
+# Restrict access to the admin pages...
+<Location /admin>
+  Order allow,deny
+</Location>
+
+# Restrict access to configuration files...
+<Location /admin/conf>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+</Location>
+
+# Set the default printer/job policies...
+<Policy default>
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job CUPS-Get-Document>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    Require user @OWNER @SYSTEM <% if @manager_group %>@<%= @manager_group %><% end %>
+    Order deny,allow
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+
+# Set the authenticated printer/job policies...
+<Policy authenticated>
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Create-Job Print-Job Print-URI>
+    AuthType Default
+    Order deny,allow
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Default
+    Require user @OWNER @SYSTEM <% if @manager_group %>@<%= @manager_group %><% end %>
+    Order deny,allow
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+
+#
+# End of "$Id: cupsd.conf.in 8805 2009-08-31 16:34:06Z mike $".
+#

kerberos/lib/puppet/parser/functions/keytab_generate.rb

@@ -0,0 +1,66 @@
+
+require 'base64'
+require 'expect'
+require 'tempfile'
+
+
+module Puppet::Parser::Functions
+  newfunction(:keytab_generate) do |args|
+      name = args[0]
+      principals = args[1]
+
+      # get output file name
+      outfile = File.join('/srv/puppet/files/generated',
+                          lookupvar('homename'), Base64.encode64(name)).strip
+      begin
+        Dir.mkdir(File.dirname(outfile))
+      rescue
+        nil
+      end
+
+      # check if we have cached keytab up to date
+      cached = true
+      if File.exists?(outfile)
+        if not check_keytab(outfile, principals)
+          cached = false
+          File.unlink(outfile)
+        end
+      else
+        cached = false
+      end
+
+      # create new keytab if cache is not up to date
+      if not cached
+        cmd = sprintf('kadmin -p %s -k -t /etc/puppet/puppet.keytab -q "ktadd -k %s %s" 1>&2',
+                      lookupvar('kerberos_user'), outfile, principals.join(' '))
+        output = ''
+        IO.popen(cmd, mode='r') { |f|
+          output = f.read
+        }
+        if not File.exists?(outfile)
+          raise 'Failed to create keytab ' + name + ' error was: ' + output
+        elsif not check_keytab(outfile, principals)
+          raise 'Invalid keytab ' + name + ' created'
+        end
+      end
+  end
+
+end
+
+
+# function to check if keytab contains required principals
+def check_keytab(keytab, principals)
+  entries = []
+  IO.popen(sprintf('klist -k %s', keytab), mode='r') { |f|
+    f.readlines.each do |l|
+      next unless l =~ /[ ]+\d+ .*/
+      entries << l.split()[1]
+    end
+  }
+  principals.each do |p|
+    if not entries.include?(p)
+      return false
+    end
+  end
+  return true
+end

kerberos/manifests/init.pp

@@ -244,7 +244,8 @@ class kerberos::server::ldap inherits kerberos::server {
 #     principals => [ "host/testhost.foo.sh@FOO.SH" ],
 # }
 #
-define kerberos::keytab($principals = [], $ensure = present, $owner = "root", $group = "", $mode = "0600") {
+define kerberos::keytab($principals=[], $ensure=present, $owner="root",
+                           $group="", $mode="0600") {
 
     case $group {
         "": {
@@ -258,12 +259,15 @@ define kerberos::keytab($principals = [], $ensure = present, $owner = "root", $g
         }
     }
 
+    keytab_generate($name, $principals)
+    $source = base64($name)
+
     file { $name:
-        ensure  => $ensure,
+        ensure => $ensure,
-        content => template("kerberos/keytab.erb"),
+        source => "puppet:///generated/${source}",
-        mode    => $mode,
+        mode   => $mode,
-        owner   => $owner,
+        owner  => $owner,
-        group   => $real_group,
+        group  => $real_group,
     }
 
 }

kerberos/templates/keytab.erb

@@ -1,62 +0,0 @@
-<%
-
-require 'digest/md5'
-require 'expect'
-require 'tempfile'
-
-
-config = {}
-config['cachedir'] = '/var/cache/puppet'
-config['kadmin'] = '/usr/bin/kadmin'
-config['klist'] = '/usr/bin/klist'
-
-
-# set global vars
-cachefile = File.join(config['cachedir'],
-		      homename + '.' + Digest::MD5.hexdigest(name))
-
-# function to check if keytab contains required principals
-def check_keytab(config, keytab, principals)
-  entries = []
-  IO.popen(sprintf('%s -k %s', config['klist'], keytab), mode='r') { |f|
-    f.readlines.each do |l|
-      next unless l =~ /[ ]+\d+ .*/
-      entries << l.split()[1]
-    end
-  }
-  principals.each do |p|
-    if not entries.include?(p)
-      return false
-    end
-  end
-  return true
-end
-
-
-# check if we have cached keytab up to date
-cached = true
-if File.exists?(cachefile)
-  if not check_keytab(config, cachefile, principals)
-    cached = false
-    File.unlink(cachefile)
-  end
-else
-  cached = false
-end
-
-# create new keytab if cache is not up to date
-if not cached
-  cmd = sprintf('%s -p %s -k -t /etc/puppet/puppet.keytab -q "ktadd -k %s %s"',
-      config['kadmin'], kerberos_user, cachefile, principals.join(' '))
-  output = `#{cmd} 2>&1`
-  if not File.exists?(cachefile)
-    raise 'Failed to create keytab ' + name + ' error was: ' + output
-  elsif not check_keytab(config, cachefile, principals)
-    raise 'Invalid keytab ' + name + ' created'
-  end
-end
-
-# read keytab into memory
-data = File.open(cachefile).read
-
--%><%= data -%>

puppet/files/fileserver.conf

@@ -5,3 +5,7 @@
 [private]
   path /srv/puppet/files/private/%H
   allow *
+
+[generated]
+  path /srv/puppet/files/generated/%H
+  allow *

puppet/manifests/init.pp

@@ -111,6 +111,20 @@ class puppet::client {
                 notify  => Service["puppet"],
             }
         }
+        "fedora": {
+            service { "puppet":
+                name      => $::operatingsystemrelease ? {
+                    /^1[0-8]/ => "puppet",
+                    default   => "puppetagent",
+                },
+                enable    => true,
+                restart   => $::puppetversion ? {
+                    /^[0-2]\./ => "pkill -HUP puppetd",
+                    default    => "pkill -HUP -f '/usr/bin/puppet agent'",
+                },
+                subscribe => File["/etc/puppet/puppet.conf"],
+            }
+        }
         default: {
             service { "puppet":
                 ensure    => running,
@@ -338,10 +352,14 @@ class puppet::server::common inherits puppet::client {
             seltype => "usr_t",
             require => File[$puppet_datadir],
         }
-        selinux::manage_fcontext { "/srv/puppet(/.*)?":
+        selinux::manage_fcontext { "/srv/puppet":
             type   => "usr_t",
             before => File["/srv/puppet"],
         }
+        selinux::manage_fcontext { "/srv/puppet/.*":
+            type   => $seltype,
+            before => File["/srv/puppet"],
+        }
     } else {
         file { "/srv/puppet":
             ensure  => directory,
@@ -361,13 +379,14 @@ class puppet::server::common inherits puppet::client {
     }
 
     file { [ "/srv/puppet/bucket",
-             "/srv/puppet/reports", ]:
+             "/srv/puppet/reports",
+             "/srv/puppet/files/generated", ]:
         ensure  => directory,
         mode    => "0750",
         owner   => $user,
         group   => $group,
         seltype => $seltype,
-        require => File["/srv/puppet"],
+        require => [ File["/srv/puppet"], File["/srv/puppet/files"], ],
     }
     file { [ "/srv/puppet/files",
              "/srv/puppet/files/common",

util/lib/puppet/parser/functions/base64.rb

@@ -3,6 +3,6 @@ require 'base64'
 
 module Puppet::Parser::Functions
     newfunction(:base64, :type => :rvalue) do |args|
-        Base64.encode64(args[0])
+        Base64.encode64(args[0]).strip
     end
 end