From 5e1032519189f3b6fa793cec81833a781a91d8f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Sun, 18 Jun 2023 20:35:48 +0200
Subject: Rewrote almost everything.
---
manifests/auth/ldap.pp | 131 +++++++++++++++++++++++++++++++++++++-----------
manifests/auth/local.pp | 80 +++++++++++------------------
2 files changed, 132 insertions(+), 79 deletions(-)
(limited to 'manifests/auth')
diff --git a/manifests/auth/ldap.pp b/manifests/auth/ldap.pp
index 7e4472b..70df4a8 100644
--- a/manifests/auth/ldap.pp
+++ b/manifests/auth/ldap.pp
@@ -1,47 +1,122 @@
-# @summary Concourse local authentication
-# @param users
-# List of local users.
-# @param main_team_users
-# List of users which should be added to the "main" team.
+# @summary Concourse LDAP authentication
+# Most attributes maps directly to concourse's options, but with
+# `CONCOURSE_LDAP_` prefixed.
+#
+# @param host
+# LDAP host to bind to, e.x. ldap.example.com
+# @param bind_dn
+# Distinguished name used when binding to the ldap server.
+# e.x. `cn=read-only-admin,dc=example,dc=com`
+# @param bind_pw
+# Password used when binding to the ldap server.
+# @param user_search_base_dn
+# Base distinguished name when searching for user, together with
+# `user_search_username` creates the query:
+# `${user_search_username}=%,${user_search_base_dn}`.
+#
+# Should be something along the lines of `cn=users,dc=example,dc=com`.
+# @param user_search_username
+# See `user_search_base_dn`.
+#
+# Should probably be `uid` or `cn`.
+# @param display_name
+# Fancy name to display for this authentication method.
+# @param user_search_filter
+# LDAP filter to limit which users are queried
+# @param user_search_id_attr
+# LDAP attribute used to specify the users id
+# @param user_search_email_attr
+# LDAP attribute used to specify the users email address
+# @param user_search_name_attr
+# LDAP attribute used to specify the users name.
+# @param ca_cert
+# Path to a CA CERT used when connecting to the LDAP server.
+# Probably mutually exclusive with `insecure_no_ssl`.
+# @param insecure_no_ssl
+# Allow unencrypted connections to the ldap server.
+# @param group_search_base_dn
+# Base for LDAP search for groups. If this is set then LDAP groups
+# are mapped to teams in Concourse.
+#
+# e.x. `cn=group,dc=example,dc=com`
+# @param group_search_name_attr
+# LDAP attribute to use as key when searching for groups under
+# `group_search_base_dn`.
+# @param group_search_user_attr
+# LDAP attribute used to get the "name" of a given user.
+# Should match with what is used in `group_search_group_attr`.
+# @param group_search_group_attr
+# LDAP attribute used to determine which users are part of which group.
+# Should match with what is used in `group_search_user_attr`
+# @param group_search_filter
+# LDAP filter to limit which users are returned when searching
+# for who is part of which group
+# @param main_team_user
# @param main_team_group
-# Ignored, but here to keep the same "API" with the other auth modules.
-class concourse::auth::local (
- Array[Struct[{
- 'name' => String,
- 'password' => Variant[String, Sensitive[String]],
- }]] $users,
- Optional[Array[String]] $main_team_user,
- Optional[Array[String]] $main_team_group, # ignored
- Enum['absent', 'present'] $ensure = 'present',
+# @param ensure
+class concourse::auth::ldap (
+ String $host,
+ String $bind_dn,
+ Variant[String, Sensitive[String]] $bind_pw,
+ String $user_search_base_dn,
+ String $user_search_username = 'uid',
+ Optional[String] $display_name = undef,
+ Optional[String] $user_search_filter = undef,
+ Optional[String] $user_search_id_attr = undef,
+ Optional[String] $user_search_email_attr = undef,
+ Optional[String] $user_search_name_attr = undef,
+ Optional[Stdlib::Absolutepath] $ca_cert = undef,
+ Boolean $insecure_no_ssl = false,
+ Optional[String] $group_search_base_dn = undef,
+ String $group_search_name_attr = 'ou',
+ String $group_search_user_attr = 'uid',
+ String $group_search_group_attr = 'members',
+ Optional[String] $group_search_filter = undef,
+ Optional[Array[String]] $main_team_user = undef,
+ Optional[Array[String]] $main_team_group = undef,
+ Enum['absent', 'present'] $ensure = 'present',
) {
- $env_file = "${concourse::web::conf_dir}/auth-local"
+ $env_file = "${concourse::web::conf_dir}/auth-ldap"
$environment = {
- 'CONCOURSE_ADD_LOCAL_USER' => $users.map |$user| {
- $name = $user['name']
- $pass = $user['password'] ?
{
- String => $user['password'],
- default => $user['password'].unwrap,
- }
- "${name}:${pass}"
- }.join(','),
- 'CONCOURSE_MAIN_TEAM_LOCAL_USER' => $main_team_group ? {
- Array => $main_team_group.join(','),
+ 'CONCOURSE_LDAP_HOST' => $host,
+ 'CONCOURSE_LDAP_BIND_DN' => $bind_dn,
+ 'CONCOURSE_LDAP_BIND_PW' => $bind_pw,
+ 'CONCOURSE_LDAP_USER_SEARCH_BASE_DN' => $user_search_base_dn,
+ 'CONCOURSE_LDAP_USER_SEARCH_USERNAME' => $user_search_username,
+ 'CONCOURSE_LDAP_DISPLAY_NAME' => $display_name,
+ 'CONCOURSE_LDAP_USER_SEARCH_FILTER' => $user_search_filter,
+ 'CONCOURSE_LDAP_USER_SEARCH_ID_ATTR' => $user_search_id_attr,
+ 'CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR' => $user_search_email_attr,
+ 'CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR' => $user_search_name_attr,
+ 'CONCOURSE_LDAP_CA_CERT' => $ca_cert,
+ 'CONCOURSE_LDAP_INSECURE_NO_SSL' => $insecure_no_ssl,
+ 'CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN' => $group_search_base_dn,
+ 'CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR' => $group_search_name_attr,
+ 'CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR' => $group_search_user_attr,
+ 'CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR' => $group_search_group_attr,
+ 'CONCOURSE_LDAP_GROUP_SEARCH_FILTER' => $group_search_filter,
+ 'CONCOURSE_LDAP_MAIN_TEAM_LDAP_USER' => $main_team_user ? {
+ Array => $main_team_user.join(','),
+ default => undef,
+ },
+ 'CONCOURSE_LDAP_MAIN_TEAM_LDAP_GROUP' => $main_team_group ? {
+ Array => $main_team_user.join(','),
default => undef,
},
}
file { $env_file:
ensure => $ensure,
- content => epp("${module_name}/env.epp", $environment),
+ content => epp("${module_name}/env.epp", { 'entries' => $environment }),
# To not show new password
show_diff => false,
mode => '0600',
}
- systemd::manage_dropin { 'concourse-local-auth':
+ systemd::manage_dropin { 'concourse-ldap-auth':
ensure => $ensure,
- unit => $concourse::web::service,
+ unit => $concourse::web::service_unit,
service_entry => {
'EnvironmentFile' => $env_file,
},
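Review bot: `CONCOURSE_LDAP_MAIN_TEAM_LDAP_GROUP` is built from the wrong variable: its selector tests `$main_team_group` but joins `$main_team_user`, so the main team's LDAP group list ends up holding the configured user names instead of group names, and the intended group-to-main-team mapping silently never takes effect. The fix is `Array => $main_team_group.join(','),`. Separately, `$bind_pw` is typed `Variant[String, Sensitive[String]]` but is placed into `$environment` as-is, whereas the local-user password handling in local.pp unwraps Sensitive values before rendering; if a Sensitive value is passed here the env file presumably receives Puppet's redaction placeholder rather than the password, so apply the same `$bind_pw ? { String => $bind_pw, default => $bind_pw.unwrap }` pattern just before it is written into the 0600 file. The class body continues past the end of the hunk.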
diff --git a/manifests/auth/local.pp b/manifests/auth/local.pp
index 289ce15..bc15dad 100644
--- a/manifests/auth/local.pp
+++ b/manifests/auth/local.pp
@@ -1,70 +1,48 @@
-# @summary Concourse LDAP authentication
-# Most attributes maps directly to concourse's options, but with
-# `CONCOURSE_LDAP_` prefixed.
-class concourse::auth::ldap (
- String $host,
- String $bind_dn,
- Variant[String, Sensitive[String]] $bind_pw,
- String $user_search_base_dn,
- String $user_search_username = 'uid',
- Optional[String] $display_name = undef,
- Optional[String] $user_search_filter = undef,
- Optioal[String] $user_search_id_attr = undef,
- Optional[String] $user_search_email_attr = undef,
- Optional[String] $user_search_name_attr = undef,
- Optional[Stdlib::Absolutepath] $ca_cert = undef,
- Boolean $insecure_no_ssl = false,
- Optional[String] $group_search_base_dn = undef,
- String $group_search_name_attr = 'ou',
- String $group_search_user_attr = 'uid',
- String $group_search_group_attr = 'members',
- Optional[String] $group_search_filter = undef,
- Optional[Array[String]] $main_team_user,
- Optional[Array[String]] $main_team_group,
-
+# @summary Concourse local authentication
+# @param users
+# List of local users.
+# @param main_team_user
+# List of users which should be added to the "main" team.
+# @param main_team_group
+# Ignored, but here to keep the same "API" with the other auth modules.
+# @param ensure
+class concourse::auth::local (
+ Array[Struct[{
+ 'name' => String,
+ 'password' => Variant[String, Sensitive[String]],
+ }]] $users,
+ Optional[Array[String]] $main_team_user = undef,
+ Optional[Array[String]] $main_team_group = undef, # ignored
Enum['absent', 'present'] $ensure = 'present',
) {
- $env_file = "${concourse::web::conf_dir}/auth-ldap"
+ $env_file = "${concourse::web::conf_dir}/auth-local"
$environment = {
- 'CONCOURSE_LDAP_HOST' => $host,
- 'CONCOURSE_LDAP_BIND_DN' => $bind_dn,
- 'CONCOURSE_LDAP_BIND_PW' => $bind_pw,
- 'CONCOURSE_LDAP_USER_SEARCH_BASE_DN' => $user_search_base_dn,
- 'CONCOURSE_LDAP_USER_SEARCH_USERNAME' => $user_search_username,
- 'CONCOURSE_LDAP_DISPLAY_NAME' => $display_name,
- 'CONCOURSE_LDAP_USER_SEARCH_FILTER' => $user_search_filter,
- 'CONCOURSE_LDAP_USER_SEARCH_ID_ATTR' => $user_search_id_attr,
- 'CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR' => $user_search_email_attr,
- 'CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR' => $user_search_name_attr,
- 'CONCOURSE_LDAP_CA_CERT' => $ca_cert,
- 'CONCOURSE_LDAP_INSECURE_NO_SSL' => $insecure_no_ssl,
- 'CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN' => $group_search_base_dn,
- 'CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR' => $group_search_name_attr,
- 'CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR' => $group_search_user_attr,
- 'CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR' => $group_search_group_attr,
- 'CONCOURSE_LDAP_GROUP_SEARCH_FILTER' => $group_search_filter,
- 'CONCOURSE_LDAP_MAIN_TEAM_LDAP_USER' => $main_team_user ? {
- Array => $main_team_user.join(','),
- default => undef,
- },
- 'CONCOURSE_LDAP_MAIN_TEAM_LDAP_GROUP' => $main_team_group ? {
- Array => $main_team_user.join(','),
+ 'CONCOURSE_ADD_LOCAL_USER' => $users.map |$user| {
+ $name = $user['name']
+ $pass = $user['password'] ? {
+ String => $user['password'],
+ default => $user['password'].unwrap,
+ }
+ "${name}:${pass}"
+ }.join(','),
+ 'CONCOURSE_MAIN_TEAM_LOCAL_USER' => $main_team_group ?
{
+ Array => $main_team_group.join(','),
default => undef,
},
}
file { $env_file:
ensure => $ensure,
- content => epp("${module_name}/env.epp", $environment),
+ content => epp("${module_name}/env.epp", { 'entries' => $environment }),
# To not show new password
show_diff => false,
mode => '0600',
}
- systemd::manage_dropin { 'concourse-ldap-auth':
+ systemd::manage_dropin { 'concourse-local-auth':
ensure => $ensure,
- unit => $concourse::web::service,
+ unit => $concourse::web::service_unit,
service_entry => {
'EnvironmentFile' => $env_file,
},
-- cgit v1.2.3
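Review bot: `CONCOURSE_MAIN_TEAM_LOCAL_USER` is derived from `$main_team_group`, which the new doc comment at the top of the hunk declares "Ignored", while `$main_team_user`, documented as the list of users added to the "main" team, is never read. As written, a caller passing `main_team_user` gets no main-team members, and a caller passing `main_team_group` (expecting it to be ignored) unintentionally grants those names main-team membership, which is the opposite of what the parameter documentation promises. The selector should read `'CONCOURSE_MAIN_TEAM_LOCAL_USER' => $main_team_user ? {` followed by `Array => $main_team_user.join(','),`. The class body continues past the end of the hunk.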