From 5e1032519189f3b6fa793cec81833a781a91d8f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Sun, 18 Jun 2023 20:35:48 +0200
Subject: Rewrote almost everything.

---
 manifests/auth/local.pp | 80 ++++++++++++++++++-------------------------
 1 file changed, 29 insertions(+), 51 deletions(-) (limited to 'manifests/auth/local.pp')

diff --git a/manifests/auth/local.pp b/manifests/auth/local.pp
index 289ce15..bc15dad 100644
--- a/manifests/auth/local.pp
+++ b/manifests/auth/local.pp
@@ -1,70 +1,48 @@
-# @summary Concourse LDAP authentication
-# Most attributes maps directly to concourse's options, but with
-# `CONCOURSE_LDAP_` prefixed.
-class concourse::auth::ldap (
- String $host,
- String $bind_dn,
- Variant[String, Sensitive[String]] $bind_pw,
- String $user_search_base_dn,
- String $user_search_username = 'uid',
- Optional[String] $display_name = undef,
- Optional[String] $user_search_filter = undef,
- Optioal[String] $user_search_id_attr = undef,
- Optional[String] $user_search_email_attr = undef,
- Optional[String] $user_search_name_attr = undef,
- Optional[Stdlib::Absolutepath] $ca_cert = undef,
- Boolean $insecure_no_ssl = false,
- Optional[String] $group_search_base_dn = undef,
- String $group_search_name_attr = 'ou',
- String $group_search_user_attr = 'uid',
- String $group_search_group_attr = 'members',
- Optional[String] $group_search_filter = undef,
- Optional[Array[String]] $main_team_user,
- Optional[Array[String]] $main_team_group,
-
+# @summary Concourse local authentication
+# @param users
+# List of local users.
+# @param main_team_user
+# List of users which should be added to the "main" team.
+# @param main_team_group
+# Ignored, but here to keep the same "API" with the other auth modules.
+# @param ensure
+class concourse::auth::local (
+ Array[Struct[{
+ 'name' => String,
+ 'password' => Variant[String, Sensitive[String]],
+ }]] $users,
+ Optional[Array[String]] $main_team_user = undef,
+ Optional[Array[String]] $main_team_group = undef, # ignored
 Enum['absent', 'present'] $ensure = 'present',
 ) {
- $env_file = "${concourse::web::conf_dir}/auth-ldap"
+ $env_file = "${concourse::web::conf_dir}/auth-local"
 $environment = {
- 'CONCOURSE_LDAP_HOST' => $host,
- 'CONCOURSE_LDAP_BIND_DN' => $bind_dn,
- 'CONCOURSE_LDAP_BIND_PW' => $bind_pw,
- 'CONCOURSE_LDAP_USER_SEARCH_BASE_DN' => $user_search_base_dn,
- 'CONCOURSE_LDAP_USER_SEARCH_USERNAME' => $user_search_username,
- 'CONCOURSE_LDAP_DISPLAY_NAME' => $display_name,
- 'CONCOURSE_LDAP_USER_SEARCH_FILTER' => $user_search_filter,
- 'CONCOURSE_LDAP_USER_SEARCH_ID_ATTR' => $user_search_id_attr,
- 'CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR' => $user_search_email_attr,
- 'CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR' => $user_search_name_attr,
- 'CONCOURSE_LDAP_CA_CERT' => $ca_cert,
- 'CONCOURSE_LDAP_INSECURE_NO_SSL' => $insecure_no_ssl,
- 'CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN' => $group_search_base_dn,
- 'CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR' => $group_search_name_attr,
- 'CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR' => $group_search_user_attr,
- 'CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR' => $group_search_group_attr,
- 'CONCOURSE_LDAP_GROUP_SEARCH_FILTER' => $group_search_filter,
- 'CONCOURSE_LDAP_MAIN_TEAM_LDAP_USER' => $main_team_user ? {
- Array => $main_team_user.join(','),
- default => undef,
- },
- 'CONCOURSE_LDAP_MAIN_TEAM_LDAP_GROUP' => $main_team_group ? {
- Array => $main_team_user.join(','),
+ 'CONCOURSE_ADD_LOCAL_USER' => $users.map |$user| {
+ $name = $user['name']
+ $pass = $user['password'] ? {
+ String => $user['password'],
+ default => $user['password'].unwrap,
+ }
+ "${name}:${pass}"
+ }.join(','),
+ 'CONCOURSE_MAIN_TEAM_LOCAL_USER' => $main_team_group ?
{
+ Array => $main_team_group.join(','),
 default => undef,
 },
 }
 file { $env_file:
 ensure => $ensure,
- content => epp("${module_name}/env.epp", $environment),
+ content => epp("${module_name}/env.epp", { 'entries' => $environment }),
 # To not show new password
 show_diff => false,
 mode => '0600',
 }
- systemd::manage_dropin { 'concourse-ldap-auth':
+ systemd::manage_dropin { 'concourse-local-auth':
 ensure => $ensure,
- unit => $concourse::web::service,
+ unit => $concourse::web::service_unit,
 service_entry => {
 'EnvironmentFile' => $env_file,
 },
-- cgit v1.2.3
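Review bot: `CONCOURSE_MAIN_TEAM_LOCAL_USER` is built from `$main_team_group`, which the new header documents as ignored, while `$main_team_user` — documented as the list of users to add to the "main" team — is never read, so main-team membership is silently taken from the wrong parameter; the selector and its `Array` arm should read `'CONCOURSE_MAIN_TEAM_LOCAL_USER' => $main_team_user ? {` and `Array => $main_team_user.join(','),` (the removed LDAP `MAIN_TEAM_LDAP_GROUP` arm had the same mixed-up variable, so this looks inherited rather than intended). Separately, `default => $user['password'].unwrap` turns a `Sensitive` password into a plain string before it reaches the `file` resource, so the rendered env file content is handled and reported as an ordinary string even though `show_diff => false` keeps it out of the change diff; wrapping the rendered content, `content => Sensitive(epp("${module_name}/env.epp", { 'entries' => $environment })),` keeps the redaction end to end. A comment on the `map` block is also warranted, e.g. `# A name or password containing ':' or ',' cannot be represented in the joined USER:PASS,... form and is not rejected here.` The closing braces of the `systemd::manage_dropin` resource and of the class appear to fall after the last visible hunk line.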