From f37be7ce3b7de05d789ad438ce5cc2d81dfcae03 Mon Sep 17 00:00:00 2001 From: Frank Brehm Date: Thu, 16 Jun 2022 14:09:29 +0200 Subject: [PATCH 01/43] Using name instead of shortname in client definition for filename, firewall rule and huntgroup to allow the same shortname for different clients --- manifests/client.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index 1bbf8727..86133be8 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -42,7 +42,7 @@ $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group - file { "${fr_basepath}/clients.d/${shortname}.conf": + file { "${fr_basepath}/clients.d/${name}.conf": ensure => $ensure, mode => '0640', owner => 'root', @@ -61,14 +61,14 @@ if $port { if $ip { - firewall { "100 ${shortname} ${port_description} v4": + firewall { "100 ${name} ${port_description} v4": proto => 'udp', dport => $port, action => 'accept', source => $ip, } } elsif $ip6 { - firewall { "100 ${shortname} ${port_description} v6": + firewall { "100 ${name} ${port_description} v6": proto => 'udp', dport => $port, action => 'accept', @@ -83,7 +83,7 @@ if $huntgroups { $huntgroups.each |$index, $huntgroup| { - freeradius::huntgroup { "huntgroup.client.${shortname}.${index}": + freeradius::huntgroup { "huntgroup.client.${name}.${index}": * => $huntgroup } } From 6fa9a86cc0cf31aac3067687f92d3a45d653ec53 Mon Sep 17 00:00:00 2001 From: Frank Brehm Date: Mon, 31 Oct 2022 12:57:47 +0100 Subject: [PATCH 02/43] Version bump to 3.9.2+dpx1 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 32f267e9..629fe5a8 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "jgazeley-freeradius", - "version": "3.9.2", + "version": "3.9.2+dpx1", "author": "jgazeley", "summary": "Install and configure FreeRADIUS", "license": "Apache-2.0", 
From 9e3216f63907f8af00f064685659e48d7e3b57d1 Mon Sep 17 00:00:00 2001 From: Frank Brehm Date: Wed, 4 Jan 2023 13:59:44 +0100 Subject: [PATCH 03/43] Version bump to 3.9.2+dpx2 and updating CHANGELOG.md --- CHANGELOG.md | 4 ++++ metadata.json | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c8d5eab3..ab2a96e9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ ## Changelog +### 3.9.2+dpx2 + * Bugfix: Using name instead of shortname in client definition for filename, firewall rule and + huntgroup to allow the same shortname for different clients + ### 3.9.2 * Bugfix: Restart FreeRADIUS after any huntgroups modification diff --git a/metadata.json b/metadata.json index 629fe5a8..a2e5c56d 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "jgazeley-freeradius", - "version": "3.9.2+dpx1", + "version": "3.9.2+dpx2", "author": "jgazeley", "summary": "Install and configure FreeRADIUS", "license": "Apache-2.0", From 27450036340175079a1fd807e22c6182d91f34a3 Mon Sep 17 00:00:00 2001 From: cruelsmith <92088441+cruelsmith@users.noreply.github.com> Date: Wed, 16 Aug 2023 11:59:33 +0200 Subject: [PATCH 04/43] Version bump to 3.9.2+dpx3 and updating CHANGELOG.md --- CHANGELOG.md | 4 ++++ metadata.json | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ab2a96e9..ff69b103 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ ## Changelog +### 3.9.2+dpx3 + * Bugfix: Fix spec test for client definition + * Merge Upstream changes from main for stdlib 9.x support + ### 3.9.2+dpx2 * Bugfix: Using name instead of shortname in client definition for filename, firewall rule and huntgroup to allow the same shortname for different clients diff --git a/metadata.json b/metadata.json index 2c4bcc48..f6cacf7f 100644 --- a/metadata.json +++ b/metadata.json 
@@ -1,6 +1,6 @@ { "name": "jgazeley-freeradius", - "version": "3.9.2+dpx2", + "version": "3.9.2+dpx3", "author": "jgazeley", "summary": "Install and configure FreeRADIUS", "license": "Apache-2.0", From ae121cf32fec2cc0665131f3f0b5417dd2490f71 Mon Sep 17 00:00:00 2001 
From: Nathan Ward Date: Fri, 7 Apr 2023 19:26:55 +1200 Subject: [PATCH 05/43] Change resource names to be generic Re-work manifests and tests to make resource names generic, so that we can more easily integrate other OSes in the future. --- manifests/attr.pp | 15 +- manifests/blank.pp | 19 +- manifests/cert.pp | 9 +- manifests/client.pp | 9 +- manifests/config.pp | 9 +- manifests/dictionary.pp | 13 +- manifests/home_server.pp | 4 +- manifests/home_server_pool.pp | 4 +- manifests/huntgroup.pp | 7 +- manifests/init.pp | 285 +++++++++++++++----------- manifests/instantiate.pp | 9 +- manifests/krb5.pp | 12 +- manifests/listen.pp | 11 +- manifests/module.pp | 21 +- manifests/module/ldap.pp | 6 +- manifests/policy.pp | 15 +- manifests/radsniff.pp | 3 +- manifests/realm.pp | 6 +- manifests/script.pp | 9 +- manifests/site.pp | 12 +- manifests/sql.pp | 12 +- manifests/statusclient.pp | 9 +- manifests/template.pp | 6 +- manifests/virtual_module.pp | 9 +- spec/classes/freeradius_spec.rb | 143 +++++++------ spec/classes/radsniff_spec.rb | 9 +- spec/defines/attr_spec.rb | 11 +- spec/defines/blank_spec.rb | 5 +- spec/defines/cert_spec.rb | 9 +- spec/defines/client_spec.rb | 7 +- spec/defines/config_spec.rb | 3 +- spec/defines/dictionary_spec.rb | 9 +- spec/defines/home_server_pool_spec.rb | 2 +- spec/defines/home_server_spec.rb | 2 +- spec/defines/instantiate_spec.rb | 3 +- spec/defines/krb5_spec.rb | 6 +- spec/defines/module/ldap_spec.rb | 12 +- spec/defines/module_spec.rb | 6 +- spec/defines/policy_spec.rb | 9 +- spec/defines/realm_spec.rb | 4 +- spec/defines/script_spec.rb | 5 +- spec/defines/site_spec.rb | 6 +- spec/defines/sql_spec.rb | 12 +- spec/defines/statusclient_spec.rb | 5 +- spec/spec_helper_local.rb | 12 +- 45 files changed, 430 insertions(+), 364 deletions(-) diff --git a/manifests/attr.pp b/manifests/attr.pp index f44c0856..cfceb69d 100644 --- a/manifests/attr.pp +++ b/manifests/attr.pp 
@@ -6,27 +6,24 @@ Optional[String] $prefix = 'filter', Optional[Freeradius::Boolean] $relaxed = undef, ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service - $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group $fr_moduleconfigpath = $::freeradius::params::fr_moduleconfigpath - $fr_modulepath = $::freeradius::params::fr_modulepath # Install the attribute filter snippet - file { "${fr_moduleconfigpath}/attr_filter/${name}": + file { "freeradius attr_filter/${name}": ensure => $ensure, + path => "${fr_moduleconfigpath}/attr_filter/${name}", mode => '0640', owner => 'root', group => $fr_group, source => $source, - require => [Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } # Reference all attribute snippets in one file - concat::fragment { "attr-${name}": - target => "${fr_basepath}/mods-available/attr_filter", + concat::fragment { "freeradius attr-${name}": + target => 'freeradius mods-available/attr_filter', content => template('freeradius/attr.erb'), order => 20, } diff --git a/manifests/blank.pp b/manifests/blank.pp index 408e1f02..b0eae925 100644 --- a/manifests/blank.pp +++ b/manifests/blank.pp 
@@ -1,21 +1,20 @@ # Blank unneeded config files to reduce complexity define freeradius::blank { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group - file { "${fr_basepath}/${name}": + file { "freeradius ${name}": + path => "${fr_basepath}/${name}", mode => '0644', owner => 'root', group => $fr_group, - require => [File[$fr_basepath], Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], + require => [File['freeradius raddb'], Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], content => @(BLANK/L), - # This file is intentionally left blank to reduce complexity. \ - Blanking it but leaving it present is safer than deleting it, \ - since the package manager will replace some files if they are \ - deleted, leading to unexpected behaviour! - |-BLANK + # This file is intentionally left blank to reduce complexity. \ + Blanking it but leaving it present is safer than deleting it, \ + since the package manager will replace some files if they are \ + deleted, leading to unexpected behaviour! + |-BLANK } } diff --git a/manifests/cert.pp b/manifests/cert.pp index 89c2764b..d334d1ff 100644 --- a/manifests/cert.pp +++ b/manifests/cert.pp @@ -5,8 +5,6 @@ Optional[String] $type = 'key', Freeradius::Ensure $ensure = present, ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group 
@@ -16,15 +14,16 @@ default => '0644', } - file { "${fr_basepath}/certs/${name}": + file { "freeradius certs/${name}": ensure => $ensure, + path => "${fr_basepath}/certs/${name}", mode => $permission, owner => 'root', group => $fr_group, source => $source, content => $content, show_diff => false, - require => [File["${fr_basepath}/certs"], Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], + require => [File['freeradius certs'], Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } } diff --git a/manifests/client.pp b/manifests/client.pp index 86133be8..f8fc7e4d 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -37,19 +37,18 @@ Variant[Array, Hash, String] $attributes = [], Optional[String] $huntgroups = undef, ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group - file { "${fr_basepath}/clients.d/${name}.conf": + file { "freeradius clients.d/${shortname}.conf": ensure => $ensure, + path => "${fr_basepath}/clients.d/${shortname}.conf", mode => '0640', owner => 'root', group => $fr_group, content => template('freeradius/client.conf.erb'), - require => [File["${fr_basepath}/clients.d"], Group[$fr_group]], - notify => Service[$fr_service], + require => [File['freeradius clients.d'], Group['radiusd']], + notify => Service['radiusd'], } if ($firewall and $ensure == 'present') { diff --git a/manifests/config.pp b/manifests/config.pp index 9492e9db..02bc67da 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
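Review bot: In the manifests/client.pp hunk the client config `file` resource is keyed on `${shortname}` again, both in its title and in the new `path`, which undoes PATCH 01/43 on this page where the filename was switched to `${name}` so that different clients may share a shortname. Two `freeradius::client` instances with the same shortname would then declare the same title and path, while the firewall rule and huntgroup titles changed in PATCH 01 still use `${name}`. I would keep the earlier behaviour with `file { "freeradius clients.d/${name}.conf":` and `path => "${fr_basepath}/clients.d/${name}.conf",`. The define's parameter list starts outside the hunk, so I cannot see whether `shortname` defaults to `$name`.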
@@ -4,19 +4,18 @@ Optional[String] $content = undef, Freeradius::Ensure $ensure = present, ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service $fr_group = $::freeradius::params::fr_group $fr_moduleconfigpath = $::freeradius::params::fr_moduleconfigpath - file { "${fr_moduleconfigpath}/${name}": + file { "freeradius mods-config/${name}": ensure => $ensure, + path => "${fr_moduleconfigpath}/${name}", mode => '0640', owner => 'root', group => $fr_group, source => $source, content => $content, - require => [Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } } diff --git a/manifests/dictionary.pp b/manifests/dictionary.pp index c18ca6cc..1b314051 100644 --- a/manifests/dictionary.pp +++ b/manifests/dictionary.pp @@ -5,8 +5,6 @@ Optional[Integer] $order = 50, Freeradius::Ensure $ensure = 'present', ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group @@ -15,15 +13,16 @@ } # Install dictionary in dictionary.d - file { "${fr_basepath}/dictionary.d/dictionary.${name}": + file { "freeradius dictionary.d/dictionary.${name}": ensure => $ensure, + path => "${fr_basepath}/dictionary.d/dictionary.${name}", mode => '0644', owner => 'root', group => $fr_group, source => $source, content => $content, - require => [File["${fr_basepath}/dictionary.d"], Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], + require => [File['freeradius dictionary.d'], Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } # Reference policy.d in the global includes file 
@@ -31,10 +30,10 @@ if ($ensure == 'present') { concat::fragment { "dictionary.${name}": - target => "${fr_basepath}/dictionary", + target => 'freeradius dictionary', content => "\$INCLUDE ${fr_basepath}/dictionary.d/dictionary.${name}", order => $order, - require => File["${fr_basepath}/dictionary.d/dictionary.${name}"], + require => File["freeradius dictionary.d/dictionary.${name}"], } } } diff --git a/manifests/home_server.pp b/manifests/home_server.pp index e3657952..dc431f9b 100644 --- a/manifests/home_server.pp +++ b/manifests/home_server.pp @@ -20,11 +20,9 @@ Optional[String] $virtual_server = undef, Optional[Integer] $zombie_period = undef, ) { - $fr_basepath = $::freeradius::params::fr_basepath - # Configure config fragment for this home server concat::fragment { "homeserver-${name}": - target => "${fr_basepath}/proxy.conf", + target => 'freeradius proxy.conf', content => template('freeradius/home_server.erb'), order => 10, } diff --git a/manifests/home_server_pool.pp b/manifests/home_server_pool.pp index bb3ae7d0..d45492e9 100644 --- a/manifests/home_server_pool.pp +++ b/manifests/home_server_pool.pp @@ -5,11 +5,9 @@ Optional[String] $virtual_server = undef, Optional[String] $fallback = undef, ) { - $fr_basepath = $::freeradius::params::fr_basepath - # Configure config fragment for this home server concat::fragment { "homeserverpool-${name}": - target => "${fr_basepath}/proxy.conf", + target => 'freeradius proxy.conf', content => template('freeradius/home_server_pool.erb'), order => 20, } diff --git a/manifests/huntgroup.pp b/manifests/huntgroup.pp index e137c11e..8827ca57 100644 --- a/manifests/huntgroup.pp +++ b/manifests/huntgroup.pp 
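Review bot: The `concat::fragment` title `"dictionary.${name}"` stays unprefixed although its `target` and `require` move to the `freeradius …` naming in this hunk. Fragment titles share one namespace across the whole catalog, so the generic names this commit aims for are only half applied. The same holds for `homeserver-${name}` and `homeserverpool-${name}` further along this line, `huntgroup.${title}` in huntgroup.pp, and `policy_header`, `policy_footer`, `template_header`, `template_footer`, `proxy_header` and `attr-default` in init.pp, whereas attr.pp and the dictionary and huntgroups headers are already renamed. Suggest `concat::fragment { "freeradius dictionary.${name}":` and the equivalent prefix on the others.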
@@ -5,13 +5,10 @@ Optional[Array[String]] $conditions = [], Optional[Variant[String, Integer]] $order = 50, ) { - $fr_basepath = $::freeradius::params::fr_basepath - $fr_service = $::freeradius::params::fr_service - concat::fragment { "huntgroup.${title}": - target => "${fr_basepath}/mods-config/preprocess/huntgroups", + target => 'freeradius mods-config/preprocess/huntgroups', content => template('freeradius/huntgroup.erb'), order => $order, - notify => Service[$fr_service], + notify => Service['radiusd'], } } diff --git a/manifests/init.pp b/manifests/init.pp index d0ad42cd..0c283fd9 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -47,62 +47,70 @@ # Always restart the service after every module operation Freeradius::Module { - notify => Service[$freeradius::fr_service] + notify => Service['radiusd'] } - file { 'radiusd.conf': + file { 'freeradius radiusd.conf': name => "${freeradius::fr_basepath}/radiusd.conf", mode => '0644', owner => 'root', group => $freeradius::fr_group, content => template('freeradius/radiusd.conf.erb'), require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], - notify => Service[$freeradius::fr_service], + notify => Service['radiusd'], } # Create various directories - file { [ - "${freeradius::fr_basepath}/statusclients.d", - $freeradius::fr_basepath, - "${freeradius::fr_basepath}/conf.d", - "${freeradius::fr_basepath}/attr.d", - "${freeradius::fr_basepath}/users.d", - "${freeradius::fr_basepath}/policy.d", - "${freeradius::fr_basepath}/dictionary.d", - "${freeradius::fr_basepath}/scripts", - "${freeradius::fr_basepath}/mods-config", - "${freeradius::fr_basepath}/mods-config/attr_filter", - "${freeradius::fr_basepath}/mods-config/preprocess", - "${freeradius::fr_basepath}/mods-config/sql", - "${freeradius::fr_basepath}/sites-available", - "${freeradius::fr_basepath}/mods-available", - ]: - ensure => directory, - mode => '0755', - owner => 'root', - group => $freeradius::fr_group, - require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], - notify => Service[$freeradius::fr_service], + $dirs = { + 'freeradius statusclients.d' => "${freeradius::fr_basepath}/statusclients.d", + 'freeradius raddb' => $freeradius::fr_basepath, + 'freeradius conf.d' => "${freeradius::fr_basepath}/conf.d", + 'freeradius attr.d' => "${freeradius::fr_basepath}/attr.d", + 'freeradius users.d' => "${freeradius::fr_basepath}/users.d", + 'freeradius policy.d' => "${freeradius::fr_basepath}/policy.d", + 'freeradius dictionary.d' => "${freeradius::fr_basepath}/dictionary.d", + 'freeradius scripts' => "${freeradius::fr_basepath}/scripts", + 'freeradius 
mods-config' => "${freeradius::fr_basepath}/mods-config", + 'freeradius mods-config/attr_filter' => "${freeradius::fr_basepath}/mods-config/attr_filter", + 'freeradius mods-config/preprocess' => "${freeradius::fr_basepath}/mods-config/preprocess", + 'freeradius mods-config/sql' => "${freeradius::fr_basepath}/mods-config/sql", + 'freeradius sites-available' => "${freeradius::fr_basepath}/sites-available", + 'freeradius mods-available' => "${freeradius::fr_basepath}/mods-available", + } + $dirs.each |$name, $path| { + file { $name: + ensure => directory, + path => $path, + mode => '0755', + owner => 'root', + group => $freeradius::fr_group, + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], + } } # Create these directories separately so we can set purge option # Anything in these dirs NOT managed by puppet will be removed! - file { [ - "${freeradius::fr_basepath}/certs", - "${freeradius::fr_basepath}/clients.d", - "${freeradius::fr_basepath}/listen.d", - "${freeradius::fr_basepath}/sites-enabled", - "${freeradius::fr_basepath}/mods-enabled", - "${freeradius::fr_basepath}/instantiate", - ]: - ensure => directory, - purge => true, - recurse => true, - mode => '0755', - owner => 'root', - group => $freeradius::fr_group, - require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], - notify => Service[$freeradius::fr_service], + $purged_dirs = { + 'freeradius certs' => "${freeradius::fr_basepath}/certs", + 'freeradius clients.d' => "${freeradius::fr_basepath}/clients.d", + 'freeradius listen.d' => "${freeradius::fr_basepath}/listen.d", + 'freeradius sites-enabled' => "${freeradius::fr_basepath}/sites-enabled", + 'freeradius mods-enabled' => "${freeradius::fr_basepath}/mods-enabled", + 'freeradius instantiate' => "${freeradius::fr_basepath}/instantiate", + } + $purged_dirs.each |$name, $path| { + file { $name: + ensure => directory, + path => $path, + purge => true, + recurse => true, + mode => '0755', + owner => 
'root', + group => $freeradius::fr_group, + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], + } } # Preserve some stock modules 
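Review bot: `file { 'freeradius radiusd.conf':` at the top of this hunk keeps `require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]]`, while every other resource converted here requires `Package['freeradius']` and `Group['radiusd']`. Later in this file the group is retitled `'radiusd'` with `name => $freeradius::fr_group`, so the old reference presumably resolves only through the namevar alias on platforms where the two values differ. Suggest `require => [Package['freeradius'], Group['radiusd']],` and, to match the other file resources in the commit, `path =>` instead of `name =>` for the file location.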
@@ -142,140 +150,152 @@ # Set up concat policy file, as there is only one global policy # We also add standard header and footer - concat { "${freeradius::fr_basepath}/policy.conf": + concat { 'freeradius policy.conf': + path => "${freeradius::fr_basepath}/policy.conf", owner => 'root', group => $freeradius::fr_group, mode => '0640', ensure_newline => true, - require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], - notify => Service[$freeradius::fr_service], + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } concat::fragment { 'policy_header': - target => "${freeradius::fr_basepath}/policy.conf", + target => 'freeradius policy.conf', content => 'policy {', order => 10, } concat::fragment { 'policy_footer': - target => "${freeradius::fr_basepath}/policy.conf", + target => 'freeradius policy.conf', content => '}', order => '99', } # Set up concat template file - concat { "${freeradius::fr_basepath}/templates.conf": + concat { 'freeradius templates.conf': + path => "${freeradius::fr_basepath}/templates.conf", owner => 'root', group => $freeradius::fr_group, mode => '0640', ensure_newline => true, - require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], - notify => Service[$freeradius::fr_service], + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } concat::fragment { 'template_header': - target => "${freeradius::fr_basepath}/templates.conf", + target => 'freeradius templates.conf', source => 'puppet:///modules/freeradius/template.header', order => '05', } concat::fragment { 'template_footer': - target => "${freeradius::fr_basepath}/templates.conf", + target => 'freeradius templates.conf', content => '}', order => '95', } # Set up concat proxy file - concat { "${freeradius::fr_basepath}/proxy.conf": + concat { 'freeradius proxy.conf': + path => "${freeradius::fr_basepath}/proxy.conf", owner => 'root', group => $freeradius::fr_group, mode => '0640', 
ensure_newline => true, - require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], - notify => Service[$freeradius::fr_service], + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } concat::fragment { 'proxy_header': - target => "${freeradius::fr_basepath}/proxy.conf", + target => 'freeradius proxy.conf', content => '# Proxy config', order => '05', } # Set up attribute filter file - concat { "${freeradius::fr_basepath}/mods-available/attr_filter": + concat { 'freeradius mods-available/attr_filter': + path => "${freeradius::fr_basepath}/mods-available/attr_filter", owner => 'root', group => $freeradius::fr_group, mode => '0640', ensure_newline => true, - require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], - notify => Service[$freeradius::fr_service], + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } - file { "${freeradius::fr_modulepath}/attr_filter": + file { 'freeradius mods-enabled/attr_filter': ensure => link, + path => "${freeradius::fr_modulepath}/attr_filter", target => '../mods-available/attr_filter', - notify => Service[$freeradius::fr_service], + notify => Service['radiusd'], } # Install default attribute filters concat::fragment { 'attr-default': - target => "${freeradius::fr_basepath}/mods-available/attr_filter", + target => 'freeradius mods-available/attr_filter', content => template('freeradius/attr_default.erb'), order => 10, } # Manage the file permissions for files defined in attr_filter - file { [ - "${freeradius::fr_basepath}/mods-config/attr_filter/access_challenge", - "${freeradius::fr_basepath}/mods-config/attr_filter/access_reject", - "${freeradius::fr_basepath}/mods-config/attr_filter/accounting_response", - "${freeradius::fr_basepath}/mods-config/attr_filter/post-proxy", - "${freeradius::fr_basepath}/mods-config/attr_filter/pre-proxy", - ]: - ensure => 'present', - mode => '0640', - owner => 'root', - group => 
$freeradius::fr_group, - require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], - notify => Service[$freeradius::fr_service], + $attr_filter_files = { + 'freeradius mods-config/attr_filter/access_challenge' => "${freeradius::fr_basepath}/mods-config/attr_filter/access_challenge", + 'freeradius mods-config/attr_filter/access_reject' => "${freeradius::fr_basepath}/mods-config/attr_filter/access_reject", + 'freeradius mods-config/attr_filter/accounting_response' => "${freeradius::fr_basepath}/mods-config/attr_filter/accounting_response", + 'freeradius mods-config/attr_filter/post-proxy' => "${freeradius::fr_basepath}/mods-config/attr_filter/post-proxy", + 'freeradius mods-config/attr_filter/pre-proxy' => "${freeradius::fr_basepath}/mods-config/attr_filter/pre-proxy", + } + $attr_filter_files.each |$name, $path| { + file { $name: + ensure => present, + path => $path, + mode => '0640', + owner => 'root', + group => $freeradius::fr_group, + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], + } } # Install a slightly tweaked stock dictionary that includes # our custom dictionaries - concat { "${freeradius::fr_basepath}/dictionary": + concat { 'freeradius dictionary': + path => "${freeradius::fr_basepath}/dictionary", owner => 'root', group => $freeradius::fr_group, mode => '0644', ensure_newline => true, - require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], + require => [Package['freeradius'], Group['radiusd']], } - concat::fragment { 'dictionary_header': - target => "${freeradius::fr_basepath}/dictionary", + concat::fragment { 'freeradius dictionary_header': + target => 'freeradius dictionary', source => 'puppet:///modules/freeradius/dictionary.header', order => 10, } - concat::fragment { 'dictionary_footer': - target => "${freeradius::fr_basepath}/dictionary", + concat::fragment { 'freeradius dictionary_footer': + target => 'freeradius dictionary', source => 
'puppet:///modules/freeradius/dictionary.footer', order => 90, } # Install a huntgroups file - concat { "${freeradius::fr_basepath}/mods-config/preprocess/huntgroups": + concat { 'freeradius mods-config/preprocess/huntgroups': + path => "${freeradius::fr_basepath}/mods-config/preprocess/huntgroups", owner => 'root', group => $freeradius::fr_group, mode => '0640', ensure_newline => true, - require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], - notify => Service[$freeradius::fr_service], + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } - concat::fragment { 'huntgroups_header': - target => "${freeradius::fr_basepath}/mods-config/preprocess/huntgroups", + concat::fragment { 'freeradius huntgroups_header': + target => 'freeradius mods-config/preprocess/huntgroups', source => 'puppet:///modules/freeradius/huntgroups.header', order => 10, } # Fix the permissions on the hints file - file { "${freeradius::fr_basepath}/mods-config/preprocess/hints": - ensure => 'present', + file { 'freeradius mods-config/preprocess/hints': + ensure => present, + path => "${freeradius::fr_basepath}/mods-config/preprocess/hints", mode => '0640', owner => 'root', group => $freeradius::fr_group, - require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], + require => [Package['freeradius'], Group['radiusd']], } # Install FreeRADIUS packages 
@@ -286,36 +306,43 @@ if $mysql_support { package { 'freeradius-mysql': ensure => $package_ensure, + name => 'freeradius-mysql', } } if $pgsql_support { package { 'freeradius-postgresql': ensure => $package_ensure, + name => 'freeradius-postgresql', } } if $perl_support { package { 'freeradius-perl': ensure => $package_ensure, + name => 'freeradius-perl', } } if $utils_support { package { 'freeradius-utils': ensure => $package_ensure, + name => 'freeradius-utils', } } if $ldap_support { package { 'freeradius-ldap': ensure => $package_ensure, + name => 'freeradius-ldap', } } if $dhcp_support { package { 'freeradius-dhcp': ensure => $package_ensure, + name => 'freeradius-dhcp', } } if $krb5_support { package { 'freeradius-krb5': ensure => $package_ensure, + name => 'freeradius-krb5', } } if $wpa_supplicant { @@ -327,10 +354,10 @@ # radiusd always tests its config before restarting the service, to avoid outage. If the config is not valid, the service # won't get restarted, and the puppet run will fail. - service { $freeradius::fr_service: + service { 'radiusd': ensure => running, name => $freeradius::fr_service, - require => [Exec['radiusd-config-test'], File['radiusd.conf'], User[$freeradius::fr_user], Package[$freeradius::fr_package],], + require => [Exec['radiusd-config-test'], File['freeradius radiusd.conf'], User['radiusd'], Package['freeradius'],], enable => true, hasstatus => $freeradius::fr_service_has_status, hasrestart => true, 
@@ -343,18 +370,20 @@ true => $freeradius::fr_wbpriv_user, default => undef, } - user { $freeradius::fr_user: + user { 'radiusd': ensure => present, + name => $freeradius::fr_user, groups => $fr_user_group, - require => Package[$freeradius::fr_package], + require => Package['freeradius'], } # We don't want to add the radiusd group but it must be defined # here so we can depend on it. WE depend on the FreeRADIUS # package to be sure that the group has been created. - group { $freeradius::fr_group: + group { 'radiusd': ensure => present, - require => Package[$freeradius::fr_package], + name => $freeradius::fr_group, + require => Package['freeradius'], } # Syslog rules @@ -366,21 +395,26 @@ if $manage_logpath { # Make the radius log dir traversable - file { [ - $freeradius::fr_logpath, - "${freeradius::fr_logpath}/radacct", - ]: - group => $freeradius::fr_group, - mode => '0750', - owner => $freeradius::fr_user, - require => Package[$freeradius::fr_package], + $logdirs = { + 'freeradius logdir' => $freeradius::fr_logpath, + 'freeradius logdir/radacct' => "${freeradius::fr_logpath}/radacct", + } + $logdirs.each |$name, $path| { + file { $name: + path => $path, + group => $freeradius::fr_group, + mode => '0750', + owner => $freeradius::fr_user, + require => Package['freeradius'], + } } - file { "${freeradius::fr_logpath}/radius.log": + file { 'freeradius radius.log': + path => "${freeradius::fr_logpath}/radius.log", owner => $freeradius::fr_user, group => $freeradius::fr_group, seltype => 'radiusd_log_t', - require => [Package[$freeradius::fr_package], User[$freeradius::fr_user], Group[$freeradius::fr_group]], + require => [Package['freeradius'], User['radiusd'], Group['radiusd']], } } 
@@ -419,24 +453,31 @@ # Placeholder resource for dh and random as they are dynamically generated, so they # exist in the catalogue and don't get purged - file { ["${freeradius::fr_basepath}/certs/dh", "${freeradius::fr_basepath}/certs/random"]: - require => Exec['dh', 'random'], + $cert_files = { + 'freeradius certs/dh' => "${freeradius::fr_basepath}/certs/dh", + 'freeradius certs/random' => "${freeradius::fr_basepath}/certs/random", + } + $cert_files.each |$name,$path| { + file { $name: + path => $path, + require => Exec['freeradius dh', 'freeradius random'], + } } # Generate global SSL parameters - exec { 'dh': + exec { 'freeradius dh': command => "openssl dhparam -out ${freeradius::fr_basepath}/certs/dh 1024", creates => "${freeradius::fr_basepath}/certs/dh", path => '/usr/bin', - require => File["${freeradius::fr_basepath}/certs"], + require => File['freeradius certs'], } # Generate global SSL parameters - exec { 'random': + exec { 'freeradius random': command => "dd if=/dev/urandom of=${freeradius::fr_basepath}/certs/random count=10 >/dev/null 2>&1", creates => "${freeradius::fr_basepath}/certs/random", path => '/bin', - require => File["${freeradius::fr_basepath}/certs"], + require => File['freeradius certs'], } # This exec tests the radius config and fails if it's bad 
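Review bot: The renamed `exec { 'freeradius dh':` still runs `openssl dhparam -out … 1024`, and 1024-bit Diffie-Hellman parameters are below what current guidance accepts for the TLS-based EAP methods that use this file. Suggest `command => "openssl dhparam -out ${freeradius::fr_basepath}/certs/dh 2048",`. Because of `creates`, hosts that already have a `certs/dh` file keep the old parameters until that file is removed, so the change needs a migration note. The placeholder `file` resources for `certs/dh` and `certs/random` also set no `owner`, `group` or `mode`, so they keep whatever the exec produced.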
@@ -451,16 +492,20 @@ # Blank a couple of default files that will break our config. This is more effective than deleting them # as they won't get overwritten when FR is upgraded from RPM, whereas missing files are replaced. - file { [ - "${freeradius::fr_basepath}/clients.conf", - "${freeradius::fr_basepath}/sql.conf", - ]: - content => '# FILE INTENTIONALLY BLANK', - mode => '0644', - owner => 'root', - group => $freeradius::fr_group, - require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], - notify => Service[$freeradius::fr_service], + $blank_files = { + 'freeradius clients.conf' => "${freeradius::fr_basepath}/clients.conf", + 'freeradius sql.conf' => "${freeradius::fr_basepath}/sql.conf", + } + $blank_files.each |$name, $path| { + file { $name: + path => $path, + content => '# FILE INTENTIONALLY BLANK', + mode => '0644', + owner => 'root', + group => $freeradius::fr_group, + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], + } } # Delete *.rpmnew and *.rpmsave files from the radius config dir because diff --git a/manifests/instantiate.pp b/manifests/instantiate.pp index fd3bc4bd..3109792d 100644 --- a/manifests/instantiate.pp +++ b/manifests/instantiate.pp @@ -2,18 +2,17 @@ define freeradius::instantiate ( Freeradius::Ensure $ensure = present, ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group - file { "${fr_basepath}/instantiate/${name}": + file { "freeradius instantiate/${name}": ensure => $ensure, + path => "${fr_basepath}/instantiate/${name}", mode => '0640', owner => 'root', group => $fr_group, content => $name, - require => [Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } } 
diff --git a/manifests/krb5.pp b/manifests/krb5.pp index a53c7720..919d1f34 100644 --- a/manifests/krb5.pp +++ b/manifests/krb5.pp @@ -8,24 +8,24 @@ Freeradius::Integer $spare = "\${thread[pool].max_spare_servers}", Freeradius::Ensure $ensure = 'present', ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service $fr_modulepath = $::freeradius::params::fr_modulepath $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group # Generate a module config - file { "${fr_basepath}/mods-available/${name}": + file { "freeradius mods-available/${name}": ensure => $ensure, + path => "${fr_basepath}/mods-available/${name}", mode => '0640', owner => 'root', group => $fr_group, content => template('freeradius/krb5.erb'), - require => [Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } - file { "${fr_modulepath}/${name}": + file { "freeradius mods-enabled/${name}": ensure => link, + path => "${fr_modulepath}/${name}", target => "../mods-available/${name}", } } diff --git a/manifests/listen.pp b/manifests/listen.pp index 4f177d9d..e73d2f25 100644 --- a/manifests/listen.pp +++ b/manifests/listen.pp @@ -13,8 +13,6 @@ Integer $lifetime = 0, Integer $idle_timeout = 30, ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group 
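Review bot: The `freeradius mods-enabled/${name}` link in krb5.pp is declared with a fixed `ensure => link`, so calling the define with `ensure => 'absent'` removes `mods-available/${name}` but leaves a dangling symlink in mods-enabled, which the server will most likely refuse to load. freeradius::module in this same patch uses `$ensure_link` for the link (its computation is outside the visible hunks); here I would write `ensure => $ensure ? { 'absent' => 'absent', default => 'link' },`. I would also add `require => File["freeradius mods-available/${name}"],` and `notify => Service['radiusd'],` so that the link is ordered after its target and a change to it restarts the daemon. The same fixed `ensure => link` without require/notify appears in manifests/module/ldap.pp and manifests/sql.pp.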
@@ -31,16 +29,17 @@ fail('Only one of ip or ip6 can be used') } - file { "${fr_basepath}/listen.d/${name}.conf": + file { "freeradius listen.d/${name}.conf": ensure => $ensure, + path => "${fr_basepath}/listen.d/${name}.conf", owner => 'root', group => $fr_group, mode => '0640', content => template('freeradius/listen.erb'), require => [ - File["${fr_basepath}/listen.d"], - Group[$fr_group], + File['freeradius listen.d'], + Group['radiusd'], ], - notify => Service[$fr_service], + notify => Service['radiusd'], } } diff --git a/manifests/module.pp b/manifests/module.pp index 17fbb142..2d273df1 100644 --- a/manifests/module.pp +++ b/manifests/module.pp @@ -5,8 +5,6 @@ Freeradius::Ensure $ensure = present, Boolean $preserve = false, ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service $fr_modulepath = $::freeradius::params::fr_modulepath $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group 
@@ -18,28 +16,31 @@ if ($preserve) { # Symlink to mods-available for stock modules - file { "${fr_modulepath}/${name}": + file { "freeradius mods-enabled/${name}": ensure => $ensure_link, + path => "${fr_modulepath}/${name}", target => "../mods-available/${name}", - notify => Service[$fr_service], + notify => Service['radiusd'], } } else { # Deploy actual module to mods-available, and link it to mods-enabled - file { "${fr_basepath}/mods-available/${name}": + file { "freeradius mods-available/${name}": ensure => $ensure, + path => "${fr_basepath}/mods-available/${name}", mode => '0640', owner => 'root', group => $fr_group, source => $source, content => $content, - require => [Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } - file { "${fr_modulepath}/${name}": + file { "freeradius mods-enabled/${name}": ensure => $ensure_link, + path => "${fr_modulepath}/${name}", target => "../mods-available/${name}", - require => File["${fr_basepath}/mods-available/${name}"], - notify => Service[$fr_service], + require => File["freeradius mods-available/${name}"], + notify => Service['radiusd'], } } } diff --git a/manifests/module/ldap.pp b/manifests/module/ldap.pp index 5120f2bb..279e3771 100644 --- a/manifests/module/ldap.pp +++ b/manifests/module/ldap.pp @@ -153,8 +153,9 @@ } # Generate a module config, based on ldap.conf - file { "${fr_basepath}/mods-available/${name}": + file { "freeradius mods-available/${name}": ensure => $ensure, + path => "${fr_basepath}/mods-available/${name}", mode => '0640', owner => 'root', group => $fr_group, @@ -162,8 +163,9 @@ require => [Package[$fr_package], Group[$fr_group]], notify => Service[$fr_service], } - file { "${fr_modulepath}/${name}": + file { "freeradius mods-enabled/${name}": ensure => link, + path => "${fr_modulepath}/${name}", target => "../mods-available/${name}", } } 
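Review bot: manifests/module/ldap.pp is the one define in this patch that keeps `require => [Package[$fr_package], Group[$fr_group]]` and `notify => Service[$fr_service]`, while every other define was switched to the fixed titles. These references presumably still resolve through the namevar alias on platforms where the name differs from the new title, but that relies on behaviour the rest of the patch deliberately moves away from. I would make it consistent: `require => [Package['freeradius'], Group['radiusd']],` and `notify => Service['radiusd'],`, and then drop the now unused `$fr_package` / `$fr_service` assignments, which are above the hunk.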
diff --git a/manifests/policy.pp b/manifests/policy.pp index d4896547..27226673 100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp @@ -4,30 +4,29 @@ Optional[Integer] $order = 50, Freeradius::Ensure $ensure = present, ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group # Install policy in policy.d - file { "${fr_basepath}/policy.d/${name}": + file { "freeradius policy.d/${name}": ensure => $ensure, + path => "${fr_basepath}/policy.d/${name}", mode => '0644', owner => 'root', group => $fr_group, source => $source, - require => [Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } # Reference policy.d in the global includes file # If no order priority is given, assume 50 if ($ensure == 'present') { - concat::fragment { "policy-${name}": - target => "${fr_basepath}/policy.conf", + concat::fragment { "freeradius policy-${name}": + target => 'freeradius policy.conf', content => "\t\$INCLUDE ${fr_basepath}/policy.d/${name}", order => $order, - require => File["${fr_basepath}/policy.d/${name}"], + require => File["freeradius policy.d/${name}"], } } } diff --git a/manifests/radsniff.pp b/manifests/radsniff.pp index 094629be..5ff9da1f 100644 --- a/manifests/radsniff.pp +++ b/manifests/radsniff.pp @@ -36,7 +36,8 @@ $escaped_cmd = $options.regsubst('"','\\\\"','G') - file { $final_envfile: + file { 'freeradius radsniff envfile': + path => $final_envfile, content => @("SYSCONFIG"), RADSNIFF_OPTIONS="${escaped_cmd}" | SYSCONFIG diff --git a/manifests/realm.pp b/manifests/realm.pp index 640215f3..dd2b1e04 100644 --- a/manifests/realm.pp +++ b/manifests/realm.pp 
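Review bot: In manifests/radsniff.pp, `$escaped_cmd = $options.regsubst('"','\\\\"','G')` escapes only double quotes before the value is written between quotes into the env file as `RADSNIFF_OPTIONS="${escaped_cmd}"`. A backslash, `$` or backtick in `$options` passes through unchanged, and a backslash directly before a quote ends up un-escaping it. How the file is consumed is outside the hunk; if it is sourced by a shell rather than read as a systemd EnvironmentFile, those characters would be interpreted. I would either escape backslashes first (before the quote substitution) or constrain the parameter with a `Pattern[...]` type that only admits the characters radsniff options need. The file resource continues past the hunk, so I cannot see whether `owner` and `mode` are set on it.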
@@ -7,11 +7,9 @@ Optional[Boolean] $nostrip = false, Optional[Integer] $order = 30, ) { - $fr_basepath = $::freeradius::params::fr_basepath - # Configure config fragment for this realm - concat::fragment { "realm-${name}": - target => "${fr_basepath}/proxy.conf", + concat::fragment { "freeradius realm-${name}": + target => 'freeradius proxy.conf', content => template('freeradius/realm.erb'), order => $order, } diff --git a/manifests/script.pp b/manifests/script.pp index 8202ea4d..50435bec 100644 --- a/manifests/script.pp +++ b/manifests/script.pp @@ -3,18 +3,17 @@ String $source, Freeradius::Ensure $ensure = present, ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group - file { "${fr_basepath}/scripts/${name}": + file { "freeradius scripts/${name}": + path => "${fr_basepath}/scripts/${name}", ensure => $ensure, mode => '0750', owner => 'root', group => $fr_group, source => $source, - require => [File["${fr_basepath}/scripts"], Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], + require => [File['freeradius scripts'], Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } } diff --git a/manifests/site.pp b/manifests/site.pp index ced5d737..b1b351a5 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -13,8 +13,6 @@ Array[String] $post_proxy = [], Array[Hash] $listen = [], ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group 
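Review bot: In manifests/script.pp the new `path =>` line was inserted above `ensure => $ensure`, whereas every other resource touched by this patch keeps `ensure` as the first attribute and `path` second. puppet-lint's ensure-first check will flag this; I would swap the two lines so that the block reads `ensure => $ensure,` then `path => "${fr_basepath}/scripts/${name}",`.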
@@ -31,18 +29,20 @@ default => 'link' } - file { "${fr_basepath}/sites-available/${name}": + file { "freeradius sites-available/${name}": ensure => $ensure, + path => "${fr_basepath}/sites-available/${name}", mode => '0640', owner => 'root', group => $fr_group, source => $source, content => $manage_content, - require => [Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } - file { "${fr_basepath}/sites-enabled/${name}": + file { "freeradius sites-enabled/${name}": ensure => $ensure_link, + path => "${fr_basepath}/sites-enabled/${name}", target => "${fr_basepath}/sites-available/${name}", } } diff --git a/manifests/sql.pp b/manifests/sql.pp index ded6d506..2d928708 100644 --- a/manifests/sql.pp +++ b/manifests/sql.pp @@ -33,8 +33,6 @@ Optional[Integer] $pool_idle_timeout = 60, Optional[Float] $pool_connect_timeout = undef, ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service $fr_basepath = $::freeradius::params::fr_basepath $fr_modulepath = $::freeradius::params::fr_modulepath $fr_group = $::freeradius::params::fr_group @@ -86,17 +84,19 @@ } # Generate a module config, based on sql.conf - file { "${fr_basepath}/mods-available/${name}": + file { "freeradius mods-available/${name}": ensure => $ensure, + path => "${fr_basepath}/mods-available/${name}", mode => '0640', owner => 'root', group => $fr_group, content => template('freeradius/sql.conf.erb'), - require => [Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } - file { "${fr_modulepath}/${name}": + file { "freeradius mods-enabled/${name}": ensure => link, + path => "${fr_modulepath}/${name}", target => "../mods-available/${name}", } diff --git a/manifests/statusclient.pp b/manifests/statusclient.pp index 3743ed95..d5396b52 100644 
--- a/manifests/statusclient.pp +++ b/manifests/statusclient.pp @@ -7,18 +7,17 @@ Optional[String] $shortname = $name, Freeradius::Ensure $ensure = present, ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group - file { "${fr_basepath}/statusclients.d/${name}.conf": + file { "freeradius statusclients.d/${name}.conf": ensure => $ensure, + path => "${fr_basepath}/statusclients.d/${name}.conf", mode => '0640', owner => 'root', group => $fr_group, content => template('freeradius/client.conf.erb'), - require => [File["${fr_basepath}/clients.d"], Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], + require => [File['freeradius clients.d'], Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } } diff --git a/manifests/template.pp b/manifests/template.pp index 9b33abe9..0dbf6285 100644 --- a/manifests/template.pp +++ b/manifests/template.pp @@ -3,11 +3,9 @@ Optional[String] $source = undef, Optional[String] $content = undef, ) { - $fr_basepath = $::freeradius::params::fr_basepath - # Configure config fragment for this template - concat::fragment { "template -${name}": - target => "${fr_basepath}/templates.conf", + concat::fragment { "freeradius template ${name}": + target => 'freeradius templates.conf', source => $source, content => $content, order => 10, diff --git a/manifests/virtual_module.pp b/manifests/virtual_module.pp index d043f9b2..ad5433bd 100644 --- a/manifests/virtual_module.pp +++ b/manifests/virtual_module.pp 
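Review bot: In manifests/statusclient.pp the file is written to `${fr_basepath}/statusclients.d/${name}.conf`, but its `require` still names `File['freeradius clients.d']`, a different directory. Puppet's parent-directory autorequire probably hides the ordering gap, but the explicit dependency is misleading and was carried over unchanged in the retitling. The class spec in this patch shows a directory resource titled 'freeradius statusclients.d', so I would write `require => [File['freeradius statusclients.d'], Package['freeradius'], Group['radiusd']],`.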
@@ -4,18 +4,17 @@ Freeradius::Ensure $ensure = present, Enum['redundant','load-balance','redundant-load-balance','group'] $type = 'redundant-load-balance', ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group - file { "${fr_basepath}/instantiate/${name}": + file { "freeradius instantiate/${name}": ensure => $ensure, + path => "${fr_basepath}/instantiate/${name}", mode => '0640', owner => 'root', group => $fr_group, content => template('freeradius/virtual_module.erb'), - require => [Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], + require => [Package['freeradius'], Group['radiusd']], + notify => Service['radiusd'], } } diff --git a/spec/classes/freeradius_spec.rb b/spec/classes/freeradius_spec.rb index a6b66900..8f409eff 100644 --- a/spec/classes/freeradius_spec.rb +++ b/spec/classes/freeradius_spec.rb @@ -11,7 +11,7 @@ let(:params) { {} } it do - is_expected.to contain_file('radiusd.conf') + is_expected.to contain_file('freeradius radiusd.conf') .with( 'group' => 'radiusd', 'mode' => '0644', 
@@ -24,23 +24,24 @@ end it do - [ - '/etc/raddb/statusclients.d', - '/etc/raddb', - '/etc/raddb/conf.d', - '/etc/raddb/attr.d', - '/etc/raddb/users.d', - '/etc/raddb/policy.d', - '/etc/raddb/dictionary.d', - '/etc/raddb/scripts', - '/etc/raddb/mods-config', - '/etc/raddb/mods-config/attr_filter', - '/etc/raddb/mods-config/preprocess', - '/etc/raddb/mods-config/sql', - '/etc/raddb/sites-available', - '/etc/raddb/mods-available', - ].each do |file| - is_expected.to contain_file(file) + { + 'freeradius statusclients.d': '/etc/raddb/statusclients.d', + 'freeradius raddb': '/etc/raddb', + 'freeradius conf.d': '/etc/raddb/conf.d', + 'freeradius attr.d': '/etc/raddb/attr.d', + 'freeradius users.d': '/etc/raddb/users.d', + 'freeradius policy.d': '/etc/raddb/policy.d', + 'freeradius dictionary.d': '/etc/raddb/dictionary.d', + 'freeradius scripts': '/etc/raddb/scripts', + 'freeradius mods-config': '/etc/raddb/mods-config', + 'freeradius mods-config/attr_filter': '/etc/raddb/mods-config/attr_filter', + 'freeradius mods-config/preprocess': '/etc/raddb/mods-config/preprocess', + 'freeradius mods-config/sql': '/etc/raddb/mods-config/sql', + 'freeradius sites-available': '/etc/raddb/sites-available', + 'freeradius mods-available': '/etc/raddb/mods-available', + }.each do |name, path| + is_expected.to contain_file(name) + .with_path(path) .with( 'ensure' => 'directory', 'group' => 'radiusd', 
@@ -54,14 +55,15 @@ end it do - [ - '/etc/raddb/certs', - '/etc/raddb/clients.d', - '/etc/raddb/listen.d', - '/etc/raddb/sites-enabled', - '/etc/raddb/instantiate', - ].each do |file| - is_expected.to contain_file(file) + { + 'freeradius certs': '/etc/raddb/certs', + 'freeradius clients.d': '/etc/raddb/clients.d', + 'freeradius listen.d': '/etc/raddb/listen.d', + 'freeradius sites-enabled': '/etc/raddb/sites-enabled', + 'freeradius instantiate': '/etc/raddb/instantiate', + }.each do |name, path| + is_expected.to contain_file(name) + .with_path(path) .with( 'ensure' => 'directory', 'group' => 'radiusd', @@ -77,7 +79,8 @@ end it do - is_expected.to contain_concat('/etc/raddb/policy.conf') + is_expected.to contain_concat('freeradius policy.conf') + .with_path('/etc/raddb/policy.conf') .with( 'group' => 'radiusd', 'mode' => '0640', @@ -94,7 +97,7 @@ .with( 'content' => 'policy {', 'order' => '10', - 'target' => '/etc/raddb/policy.conf', + 'target' => 'freeradius policy.conf', ) end @@ -103,12 +106,13 @@ .with( 'content' => '}', 'order' => '99', - 'target' => '/etc/raddb/policy.conf', + 'target' => 'freeradius policy.conf', ) end it do - is_expected.to contain_concat('/etc/raddb/proxy.conf') + is_expected.to contain_concat('freeradius proxy.conf') + .with_path('/etc/raddb/proxy.conf') .with( 'group' => 'radiusd', 'mode' => '0640', @@ -125,12 +129,13 @@ .with( 'content' => '# Proxy config', 'order' => '05', - 'target' => '/etc/raddb/proxy.conf', + 'target' => 'freeradius proxy.conf', ) end it do - is_expected.to contain_concat('/etc/raddb/mods-available/attr_filter') + is_expected.to contain_concat('freeradius mods-available/attr_filter') + .with_path('/etc/raddb/mods-available/attr_filter') .with( 'group' => 'radiusd', 'mode' => '0640', 
@@ -146,12 +151,13 @@ is_expected.to contain_concat__fragment('attr-default') .with( 'order' => '10', - 'target' => '/etc/raddb/mods-available/attr_filter', + 'target' => 'freeradius mods-available/attr_filter', ) end it do - is_expected.to contain_concat('/etc/raddb/dictionary') + is_expected.to contain_concat('freeradius dictionary') + .with_path('/etc/raddb/dictionary') .with( 'group' => 'radiusd', 'mode' => '0644', @@ -163,20 +169,20 @@ end it do - is_expected.to contain_concat__fragment('dictionary_header') + is_expected.to contain_concat__fragment('freeradius dictionary_header') .with( 'order' => '10', 'source' => 'puppet:///modules/freeradius/dictionary.header', - 'target' => '/etc/raddb/dictionary', + 'target' => 'freeradius dictionary', ) end it do - is_expected.to contain_concat__fragment('dictionary_footer') + is_expected.to contain_concat__fragment('freeradius dictionary_footer') .with( 'order' => '90', 'source' => 'puppet:///modules/freeradius/dictionary.footer', - 'target' => '/etc/raddb/dictionary', + 'target' => 'freeradius dictionary', ) end @@ -200,7 +206,7 @@ .that_requires('Package[freeradius]') .that_requires('User[radiusd]') .that_requires('Exec[radiusd-config-test]') - .that_requires('File[radiusd.conf]') + .that_requires('File[freeradius radiusd.conf]') end it do @@ -221,6 +227,7 @@ it do is_expected.to contain_user('radiusd') + .with_name('radiusd') .with( 'groups' => 'wbpriv', ) @@ -229,6 +236,7 @@ it do is_expected.to contain_group('radiusd') + .with_name('radiusd') .with( 'ensure' => 'present', ) @@ -251,11 +259,12 @@ end it do - [ - '/var/log/radius', - '/var/log/radius/radacct', - ].each do |file| - is_expected.to contain_file(file) + { + 'freeradius logdir': '/var/log/radius', + 'freeradius logdir/radacct': '/var/log/radius/radacct', + }.each do |name, path| + is_expected.to contain_file(name) + .with_path(path) .with( 'mode' => '0750', 'owner' => 'radiusd', 
@@ -266,7 +275,8 @@ end it do - is_expected.to contain_file('/var/log/radius/radius.log') + is_expected.to contain_file('freeradius radius.log') + .with_path('/var/log/radius/radius.log') .with( 'group' => 'radiusd', 'owner' => 'radiusd', @@ -320,34 +330,35 @@ end it do - [ - '/etc/raddb/certs/dh', - '/etc/raddb/certs/random', - ].each do |file| - is_expected.to contain_file(file) - .that_requires('Exec[dh]') - .that_requires('Exec[random]') + { + 'freeradius certs/dh': '/etc/raddb/certs/dh', + 'freeradius certs/random': '/etc/raddb/certs/random', + }.each do |name, path| + is_expected.to contain_file(name) + .with_path(path) + .that_requires('Exec[freeradius dh]') + .that_requires('Exec[freeradius random]') end end it do - is_expected.to contain_exec('dh') + is_expected.to contain_exec('freeradius dh') .with( 'command' => 'openssl dhparam -out /etc/raddb/certs/dh 1024', 'creates' => '/etc/raddb/certs/dh', 'path' => '/usr/bin', ) - .that_requires('File[/etc/raddb/certs]') + .that_requires('File[freeradius certs]') end it do - is_expected.to contain_exec('random') + is_expected.to contain_exec('freeradius random') .with( 'command' => 'dd if=/dev/urandom of=/etc/raddb/certs/random count=10 >/dev/null 2>&1', 'creates' => '/etc/raddb/certs/random', 'path' => '/bin', ) - .that_requires('File[/etc/raddb/certs]') + .that_requires('File[freeradius certs]') end it do @@ -362,11 +373,12 @@ end it do - [ - '/etc/raddb/clients.conf', - '/etc/raddb/sql.conf', - ].each do |file| - is_expected.to contain_file(file) + { + 'freeradius clients.conf': '/etc/raddb/clients.conf', + 'freeradius sql.conf': '/etc/raddb/sql.conf', + }.each do |name, path| + is_expected.to contain_file(name) + .with_path(path) .with( 'content' => '# FILE INTENTIONALLY BLANK', 'group' => 'radiusd', @@ -388,6 +400,7 @@ it do is_expected.to contain_package('freeradius-mysql') + .with_name('freeradius-mysql') .with( 'ensure' => 'installed', ) 
@@ -403,6 +416,7 @@ it do is_expected.to contain_package('freeradius-postgresql') + .with_name('freeradius-postgresql') .with( 'ensure' => 'installed', ) @@ -418,6 +432,7 @@ it do is_expected.to contain_package('freeradius-perl') + .with_name('freeradius-perl') .with( 'ensure' => 'installed', ) @@ -433,6 +448,7 @@ it do is_expected.to contain_package('freeradius-utils') + .with_name('freeradius-utils') .with( 'ensure' => 'installed', ) @@ -448,6 +464,7 @@ it do is_expected.to contain_package('freeradius-ldap') + .with_name('freeradius-ldap') .with( 'ensure' => 'installed', ) @@ -463,6 +480,7 @@ it do is_expected.to contain_package('freeradius-dhcp') + .with_name('freeradius-dhcp') .with( 'ensure' => 'installed', ) @@ -478,6 +496,7 @@ it do is_expected.to contain_package('freeradius-krb5') + .with_name('freeradius-krb5') .with( 'ensure' => 'installed', ) @@ -493,9 +512,9 @@ it do is_expected.to contain_package('wpa_supplicant') + .with_name('wpa_supplicant') .with( 'ensure' => 'installed', - 'name' => 'wpa_supplicant', ) end end diff --git a/spec/classes/radsniff_spec.rb b/spec/classes/radsniff_spec.rb index 4857ec6e..9eb3b067 100644 --- a/spec/classes/radsniff_spec.rb +++ b/spec/classes/radsniff_spec.rb @@ -52,7 +52,8 @@ case os_facts[:osfamily] when 'RedHat' it do - is_expected.to contain_file('/etc/sysconfig/radsniff') + is_expected.to contain_file('freeradius radsniff envfile') + .with_path('/etc/sysconfig/radsniff') .with_content(%r{RADSNIFF_OPTIONS="radsniff cmd \\"line\\" options"}) .that_notifies('Service[radsniff]') .that_requires('Package[freeradius-utils]') @@ -67,7 +68,8 @@ end when 'Debian' it do - is_expected.to contain_file('/etc/defaults/radsniff') + is_expected.to contain_file('freeradius radsniff envfile') + .with_path('/etc/defaults/radsniff') .with_content(%r{RADSNIFF_OPTIONS="radsniff cmd \\"line\\" options"}) .that_notifies('Service[radsniff]') .that_requires('Package[freeradius-utils]') 
@@ -104,7 +106,8 @@ end it do - is_expected.to contain_file('/test/env/file') + is_expected.to contain_file('freeradius radsniff envfile') + .with_path('/test/env/file') .with_content(%r{RADSNIFF_OPTIONS="radsniff cmd \\"line\\" options"}) .that_notifies('Service[radsniff]') .that_requires('Package[freeradius-utils]') diff --git a/spec/defines/attr_spec.rb b/spec/defines/attr_spec.rb index 82c21649..5afc56cc 100644 --- a/spec/defines/attr_spec.rb +++ b/spec/defines/attr_spec.rb @@ -12,7 +12,8 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-config/attr_filter/test') + is_expected.to contain_file('freeradius attr_filter/test') + .with_path('/etc/raddb/mods-config/attr_filter/test') .that_notifies('Service[radiusd]') .that_requires('Group[radiusd]') .that_requires('Package[freeradius]') @@ -24,11 +25,11 @@ end it do - is_expected.to contain_concat__fragment('attr-test') + is_expected.to contain_concat__fragment('freeradius attr-test') .with_content(%r{^attr_filter filter.test {\n\s+key = "\%{User-Name}"\n\s+filename = \${modconfdir}/\${\.:name}/test\n}}) .without_content(%r{^\s+relaxed\s+.*$}) .with_order('20') - .with_target('/etc/raddb/mods-available/attr_filter') + .with_target('freeradius mods-available/attr_filter') end context 'with relaxed = no' do @@ -37,7 +38,7 @@ end it do - is_expected.to contain_concat__fragment('attr-test') + is_expected.to contain_concat__fragment('freeradius attr-test') .with_content(%r{^\s+relaxed\s+=\s+no$}) end end @@ -48,7 +49,7 @@ end it do - is_expected.to contain_concat__fragment('attr-test') + is_expected.to contain_concat__fragment('freeradius attr-test') .with_content(%r{^\s+relaxed\s+=\s+yes$}) end end diff --git a/spec/defines/blank_spec.rb b/spec/defines/blank_spec.rb index 7e6e466f..19d0ac68 100644 --- a/spec/defines/blank_spec.rb +++ b/spec/defines/blank_spec.rb 
@@ -8,9 +8,10 @@ let(:params) { {} } it do - is_expected.to contain_file('/etc/raddb/test') + is_expected.to contain_file('freeradius test') + .with_path('/etc/raddb/test') .that_notifies('Service[radiusd]') - .that_requires('File[/etc/raddb]') + .that_requires('File[freeradius raddb]') .that_requires('Group[radiusd]') .that_requires('Package[freeradius]') .with_content(%r{^# This file is intentionally left blank .*}) diff --git a/spec/defines/cert_spec.rb b/spec/defines/cert_spec.rb index 54a202f8..47264e28 100644 --- a/spec/defines/cert_spec.rb +++ b/spec/defines/cert_spec.rb @@ -14,9 +14,10 @@ end it do - is_expected.to contain_file('/etc/raddb/certs/test') + is_expected.to contain_file('freeradius certs/test') + .with_path('/etc/raddb/certs/test') .that_notifies('Service[radiusd]') - .that_requires('File[/etc/raddb/certs]') + .that_requires('File[freeradius certs]') .that_requires('Group[radiusd]') .that_requires('Package[freeradius]') .with_content(%r{test data}) @@ -39,9 +40,9 @@ end it do - is_expected.to contain_file('/etc/raddb/certs/test') + is_expected.to contain_file('freeradius certs/test') .that_notifies('Service[radiusd]') - .that_requires('File[/etc/raddb/certs]') + .that_requires('File[freeradius certs]') .that_requires('Group[radiusd]') .that_requires('Package[freeradius]') .with_content(nil) diff --git a/spec/defines/client_spec.rb b/spec/defines/client_spec.rb index fe20c65b..fcf8c73f 100644 --- a/spec/defines/client_spec.rb +++ b/spec/defines/client_spec.rb 
@@ -14,14 +14,15 @@ end it do - is_expected.to contain_file('/etc/raddb/clients.d/test.conf') + is_expected.to contain_file('freeradius clients.d/test_short.conf') + .with_path('/etc/raddb/clients.d/test_short.conf') .with_content(%r{^client test_short {\n\s+ipaddr = 1.2.3.4\n\s+proto = \*\n\s+shortname = test_short\n\s+secret = "secret_value"\n\s+require_message_authenticator = no\n}\n}) .with_ensure('present') .with_group('radiusd') .with_mode('0640') .with_owner('root') .that_notifies('Service[radiusd]') - .that_requires('File[/etc/raddb/clients.d]') + .that_requires('File[freeradius clients.d]') .that_requires('Group[radiusd]') end @@ -57,7 +58,7 @@ end it do - is_expected.to contain_file('/etc/raddb/clients.d/test.conf') + is_expected.to contain_file('freeradius clients.d/test_short.conf') .with_content(%r{^\s+password = "foo bar"$}) end end diff --git a/spec/defines/config_spec.rb b/spec/defines/config_spec.rb index 34d52e24..beb3c1ff 100644 --- a/spec/defines/config_spec.rb +++ b/spec/defines/config_spec.rb @@ -12,7 +12,8 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-config/test') + is_expected.to contain_file('freeradius mods-config/test') + .with_path('/etc/raddb/mods-config/test') .with_content('test content') .with_ensure('present') .with_group('radiusd') diff --git a/spec/defines/dictionary_spec.rb b/spec/defines/dictionary_spec.rb index 8c6139ab..cc6830c1 100644 --- a/spec/defines/dictionary_spec.rb +++ b/spec/defines/dictionary_spec.rb 
@@ -12,14 +12,15 @@ end it do - is_expected.to contain_file('/etc/raddb/dictionary.d/dictionary.test') + is_expected.to contain_file('freeradius dictionary.d/dictionary.test') + .with_path('/etc/raddb/dictionary.d/dictionary.test') .with_ensure('present') .with_group('radiusd') .with_mode('0644') .with_owner('root') .with_source('puppet:///modules/test/path/to/dict') .that_notifies('Service[radiusd]') - .that_requires('File[/etc/raddb/dictionary.d]') + .that_requires('File[freeradius dictionary.d]') .that_requires('Package[freeradius]') .that_requires('Group[radiusd]') end @@ -28,7 +29,7 @@ is_expected.to contain_concat__fragment('dictionary.test') .with_content(%r{^\$INCLUDE /etc/raddb/dictionary\.d/dictionary\.test$}) .with_order('50') - .with_target('/etc/raddb/dictionary') - .that_requires('File[/etc/raddb/dictionary.d/dictionary.test]') + .with_target('freeradius dictionary') + .that_requires('File[freeradius dictionary.d/dictionary.test]') end end diff --git a/spec/defines/home_server_pool_spec.rb b/spec/defines/home_server_pool_spec.rb index bf1ac346..bbf4e2aa 100644 --- a/spec/defines/home_server_pool_spec.rb +++ b/spec/defines/home_server_pool_spec.rb @@ -18,6 +18,6 @@ is_expected.to contain_concat__fragment('homeserverpool-test') .with_content(%r{home_server_pool test {\n\s+type = fail-over\n\s+home_server = test_home_server_1\n\s+home_server = test_home_server_2\n}\n}) .with_order('20') - .with_target('/etc/raddb/proxy.conf') + .with_target('freeradius proxy.conf') end end diff --git a/spec/defines/home_server_spec.rb b/spec/defines/home_server_spec.rb index 23810cb6..b76ded79 100644 --- a/spec/defines/home_server_spec.rb +++ b/spec/defines/home_server_spec.rb 
@@ -16,7 +16,7 @@ is_expected.to contain_concat__fragment('homeserver-test') .with_content(%r{home_server test {\n\s+type = auth\n\s+ipaddr = 1.2.3.4\n\s+port = 1812\n\s+proto = udp\n\s+secret = "test_secret"\n\s+status_check = none\n}\n}) .with_order('10') - .with_target('/etc/raddb/proxy.conf') + .with_target('freeradius proxy.conf') end context 'with secret containing a newline' do diff --git a/spec/defines/instantiate_spec.rb b/spec/defines/instantiate_spec.rb index 33585863..6936b2b8 100644 --- a/spec/defines/instantiate_spec.rb +++ b/spec/defines/instantiate_spec.rb @@ -8,7 +8,8 @@ let(:params) { {} } it do - is_expected.to contain_file('/etc/raddb/instantiate/test') + is_expected.to contain_file('freeradius instantiate/test') + .with_path('/etc/raddb/instantiate/test') .with_content('test') .with_ensure('present') .with_group('radiusd') diff --git a/spec/defines/krb5_spec.rb b/spec/defines/krb5_spec.rb index c768373a..71762d88 100644 --- a/spec/defines/krb5_spec.rb +++ b/spec/defines/krb5_spec.rb @@ -13,7 +13,8 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-available/test') + is_expected.to contain_file('freeradius mods-available/test') + .with_path('/etc/raddb/mods-available/test') .with_content(%r{^\s+keytab = test_keytab$}) .with_content(%r{^\s+service_principal = test_principal$}) .with_ensure('present') @@ -26,7 +27,8 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-enabled/test') + is_expected.to contain_file('freeradius mods-enabled/test') + .with_path('/etc/raddb/mods-enabled/test') .with_ensure('link') .with_target('../mods-available/test') end diff --git a/spec/defines/module/ldap_spec.rb b/spec/defines/module/ldap_spec.rb index 04c04921..c1cc6730 100644 --- a/spec/defines/module/ldap_spec.rb +++ b/spec/defines/module/ldap_spec.rb 
@@ -27,7 +27,8 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-available/test') + is_expected.to contain_file('freeradius mods-available/test') + .with_path('/etc/raddb/mods-available/test') .with_content(%r{^ldap test \{\n}) .with_content(%r{^\s+server = 'localhost'\n}) .with_content(%r{^\s+identity = 'cn=root,dc=example,dc=com'\n}) @@ -45,7 +46,8 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-enabled/test') + is_expected.to contain_file('freeradius mods-enabled/test') + .with_path('/etc/raddb/mods-enabled/test') .with_ensure('link') .with_target('../mods-available/test') end @@ -64,7 +66,7 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-available/test') + is_expected.to contain_file('freeradius mods-available/test') .with_content(%r{^\s+connect_timeout = 3.0}) .with_content(%r{^\s+use_referral_credentials = no}) .without_content(%r{^\s+session_tracking = .*}) @@ -80,7 +82,7 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-available/test') + is_expected.to contain_file('freeradius mods-available/test') .with_content(%r{^\s+connect_timeout = 5.0}) .with_content(%r{^\s+use_referral_credentials = yes}) .with_content(%r{^\s+session_tracking = yes}) @@ -159,7 +161,7 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-available/test') + is_expected.to contain_file('freeradius mods-available/test') .with_content(%r{^\s+update \{\n\s+control:Password-With-Header \+= 'userPassword'\n\s+reply:Framed-IP-Address := 'radiusFramedIPAddress'\n\s+\}\n}) end end diff --git a/spec/defines/module_spec.rb b/spec/defines/module_spec.rb index 693cec53..4cb03485 100644 --- a/spec/defines/module_spec.rb +++ b/spec/defines/module_spec.rb @@ -12,7 +12,8 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-available/test') + is_expected.to contain_file('freeradius mods-available/test') + .with_path('/etc/raddb/mods-available/test') .with_content(nil) .with_ensure('present') .with_group('radiusd') 
@@ -25,7 +26,8 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-enabled/test') + is_expected.to contain_file('freeradius mods-enabled/test') + .with_path('/etc/raddb/mods-enabled/test') .with_ensure('link') .with_target('../mods-available/test') end diff --git a/spec/defines/policy_spec.rb b/spec/defines/policy_spec.rb index 74f177f2..3c328075 100644 --- a/spec/defines/policy_spec.rb +++ b/spec/defines/policy_spec.rb @@ -12,7 +12,8 @@ end it do - is_expected.to contain_file('/etc/raddb/policy.d/test') + is_expected.to contain_file('freeradius policy.d/test') + .with_path('/etc/raddb/policy.d/test') .with_ensure('present') .with_group('radiusd') .with_mode('0644') @@ -24,10 +25,10 @@ end it do - is_expected.to contain_concat__fragment('policy-test') + is_expected.to contain_concat__fragment('freeradius policy-test') .with_content(%r{\s+\$INCLUDE /etc/raddb/policy.d/test$}) .with_order('50') - .with_target('/etc/raddb/policy.conf') - .that_requires('File[/etc/raddb/policy.d/test]') + .with_target('freeradius policy.conf') + .that_requires('File[freeradius policy.d/test]') end end diff --git a/spec/defines/realm_spec.rb b/spec/defines/realm_spec.rb index 5b98b295..750466f5 100644 --- a/spec/defines/realm_spec.rb +++ b/spec/defines/realm_spec.rb @@ -13,9 +13,9 @@ end it do - is_expected.to contain_concat__fragment('realm-test') + is_expected.to contain_concat__fragment('freeradius realm-test') .with_content(%r{^realm test {\n\s+virtual_server = test_virtual_server\n\s+pool = test_pool\n}}) .with_order('30') - .with_target('/etc/raddb/proxy.conf') + .with_target('freeradius proxy.conf') end end diff --git a/spec/defines/script_spec.rb b/spec/defines/script_spec.rb index 231ee046..160e8986 100644 --- a/spec/defines/script_spec.rb +++ b/spec/defines/script_spec.rb 
@@ -12,7 +12,8 @@ end it do - is_expected.to contain_file('/etc/raddb/scripts/test') + is_expected.to contain_file('freeradius scripts/test') + .with_path('/etc/raddb/scripts/test') .with_ensure('present') .with_group('radiusd') .with_mode('0750') @@ -21,6 +22,6 @@ .that_notifies('Service[radiusd]') .that_requires('Package[freeradius]') .that_requires('Group[radiusd]') - .that_requires('File[/etc/raddb/scripts]') + .that_requires('File[freeradius scripts]') end end diff --git a/spec/defines/site_spec.rb b/spec/defines/site_spec.rb index 7a1e9dc4..0f08c415 100644 --- a/spec/defines/site_spec.rb +++ b/spec/defines/site_spec.rb @@ -12,7 +12,8 @@ end it do - is_expected.to contain_file('/etc/raddb/sites-available/test') + is_expected.to contain_file('freeradius sites-available/test') + .with_path('/etc/raddb/sites-available/test') .with_content(nil) .with_ensure('present') .with_group('radiusd') @@ -25,7 +26,8 @@ end it do - is_expected.to contain_file('/etc/raddb/sites-enabled/test') + is_expected.to contain_file('freeradius sites-enabled/test') + .with_path('/etc/raddb/sites-enabled/test') .with_ensure('link') .with_target('/etc/raddb/sites-available/test') end diff --git a/spec/defines/sql_spec.rb b/spec/defines/sql_spec.rb index e35ad5d0..85c3ae05 100644 --- a/spec/defines/sql_spec.rb +++ b/spec/defines/sql_spec.rb @@ -22,7 +22,8 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-available/test') + is_expected.to contain_file('freeradius mods-available/test') + .with_path('/etc/raddb/mods-available/test') .with_content(%r{^sql test \{\n}) .with_content(%r{^\s+dialect = "postgresql"$}) .with_content(%r{^\s+server = "localhost"$}) @@ -42,7 +43,8 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-enabled/test') + is_expected.to contain_file('freeradius mods-enabled/test') + .with_path('/etc/raddb/mods-enabled/test') .with_ensure('link') .with_target('../mods-available/test') end 
@@ -55,7 +57,7 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-available/test') + is_expected.to contain_file('freeradius mods-available/test') .with_content(%r{^\s+logfile = \${logdir}/sqllog.sql$}) end @@ -98,7 +100,7 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-available/test') + is_expected.to contain_file('freeradius mods-available/test') .with_content(%r{^\s+connect_timeout = 3.0}) end @@ -110,7 +112,7 @@ end it do - is_expected.to contain_file('/etc/raddb/mods-available/test') + is_expected.to contain_file('freeradius mods-available/test') .with_content(%r{^\s+connect_timeout = 5.0}) end diff --git a/spec/defines/statusclient_spec.rb b/spec/defines/statusclient_spec.rb index 315a260d..687b7339 100644 --- a/spec/defines/statusclient_spec.rb +++ b/spec/defines/statusclient_spec.rb @@ -13,7 +13,8 @@ end it do - is_expected.to contain_file('/etc/raddb/statusclients.d/test.conf') + is_expected.to contain_file('freeradius statusclients.d/test.conf') + .with_path('/etc/raddb/statusclients.d/test.conf') .with_content(%r{^client test {\n\s+ipaddr = 1.2.3.4\n\s+shortname = test\n\s+secret = "test_secret"\n}\n}) .with_ensure('present') .with_group('radiusd') @@ -22,7 +23,7 @@ .that_notifies('Service[radiusd]') .that_requires('Package[freeradius]') .that_requires('Group[radiusd]') - .that_requires('File[/etc/raddb/clients.d]') + .that_requires('File[freeradius clients.d]') end context 'with secret containing a newline' do diff --git a/spec/spec_helper_local.rb b/spec/spec_helper_local.rb index f66ce653..5cc4516d 100644 --- a/spec/spec_helper_local.rb +++ b/spec/spec_helper_local.rb 
@@ -75,12 +75,12 @@ "package { 'freeradius': }", "group { 'radiusd': }", "service { 'radiusd': }", - "file { '/etc/raddb': ensure => directory }", - "file { '/etc/raddb/certs': ensure => directory }", - "file { '/etc/raddb/clients.d': ensure => directory }", - "file { '/etc/raddb/dictionary.d': ensure => directory }", - "file { '/etc/raddb/mods-config': ensure => directory }", - "file { '/etc/raddb/scripts': ensure => directory }", + "file { 'freeradius raddb': ensure => directory, path => '/etc/raddb/raddb' }", + "file { 'freeradius certs': ensure => directory, path => '/etc/raddb/certs' }", + "file { 'freeradius clients.d': ensure => directory, path => '/etc/raddb/clients.d' }", + "file { 'freeradius dictionary.d': ensure => directory, path => '/etc/raddb/dictionary.d' }", + "file { 'freeradius mods-config': ensure => directory, path => '/etc/raddb/mods-config' }", + "file { 'freeradius scripts': ensure => directory, path => '/etc/raddb/scripts' }", ] end end From 2b3f232549545f260bf91413607c46f053515e9b Mon Sep 17 00:00:00 2001 From: Matthias Hensler Date: Fri, 18 Aug 2023 11:58:42 +0200 Subject: [PATCH 06/43] Bump minimum stdlib version to be 4.25.0 (#193) * bump version-requirement for stdlib to 4.25.0 (needed for Stdlib::IP::*) --------- Co-authored-by: Nathan Ward --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 7c4321d8..c1ad2642 100644 --- a/metadata.json +++ b/metadata.json @@ -10,7 +10,7 @@ "dependencies": [ { "name": "puppetlabs/stdlib", - "version_requirement": ">=4.0.0 <10.0.0" + "version_requirement": ">=4.25.0 <10.0.0" }, { "name": "puppetlabs/firewall", From 9eb32b679a398bf8343ab988203505c05d812cec Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Fri, 18 Aug 2023 11:19:26 +0100 Subject: [PATCH 07/43] Update to latest GitHub Actions --- .github/workflows/publish.yml | 6 +++--- .github/workflows/test.yml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) 
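Review bot: The first rewritten fixture in the `spec/spec_helper_local.rb` hunk declares `path => '/etc/raddb/raddb'`, while the line it replaces managed `/etc/raddb`. The other five entries keep their original paths, so this looks like a copy slip. I would change it to `"file { 'freeradius raddb': ensure => directory, path => '/etc/raddb' }",`. As written, the shared precondition stubs a directory at a path the old fixture never declared, so any spec that depends on the base directory would be checking against the wrong resource. The enclosing array starts and ends outside the hunk.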
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index e2808ab4..87601740 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -11,13 +11,13 @@ jobs: steps: - name: Get latest tag id: vars - run: echo ::set-output name=tag::${GITHUB_REF:10} + run: echo "{tag}=${GITHUB_REF:10}" >> $GITHUB_OUTPUT - name: Clone repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: ref: ${{ steps.vars.outputs.tag }} - name: Build and publish module - uses: barnumbirr/action-forge-publish@v2.8.0 + uses: barnumbirr/action-forge-publish@v2 env: FORGE_API_KEY: ${{ secrets.FORGE_API_KEY }} REPOSITORY_URL: https://forgeapi.puppet.com/v3/releases diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4b39db11..eeb6512e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Clone repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run unit tests uses: puppets-epic-show-theatre/action-pdk-test-unit@v1 @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Clone repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Run PDK validate uses: puppets-epic-show-theatre/action-pdk-validate@v1 From 97648be14a0c23f877591fdba9f546d0f50b2957 Mon Sep 17 00:00:00 2001 From: Mathew Winstone Date: Sun, 30 Oct 2022 20:28:55 -0400 Subject: [PATCH 08/43] Add drop-in to disable certificate bootstrap, and update systemd module requirement --- .fixtures.yml | 2 +- manifests/init.pp | 10 ++++++++++ metadata.json | 4 ++-- templates/systemd_dropin_rhel8.erb | 4 ++++ 4 files changed, 17 insertions(+), 3 deletions(-) create mode 100644 templates/systemd_dropin_rhel8.erb diff --git a/.fixtures.yml b/.fixtures.yml index 02c2eb77..de2f16d3 100644 --- a/.fixtures.yml +++ b/.fixtures.yml 
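Review bot: In the `publish.yml` hunk the new `run:` line writes an output named `{tag}` rather than `tag`, so `steps.vars.outputs.tag`, which the checkout step's `ref:` reads, will be empty. The line should be `run: echo "tag=${GITHUB_REF:10}" >> "$GITHUB_OUTPUT"`. The same hunk loosens `barnumbirr/action-forge-publish` from `@v2.8.0` to the moving `@v2` tag in the only job that receives `FORGE_API_KEY`. In a publishing job I would pin third-party actions to a full commit SHA (`barnumbirr/action-forge-publish@<full-commit-sha>`), so that a retagged release cannot run with that secret.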
@@ -5,4 +5,4 @@ fixtures: logrotate: "puppet/logrotate" rsyslog: "saz/rsyslog" stdlib: "puppetlabs/stdlib" - systemd: "camptocamp/systemd" + systemd: "puppet/systemd" diff --git a/manifests/init.pp b/manifests/init.pp index 0c283fd9..b855fe20 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -113,6 +113,16 @@ } } + # Add systemd unit to override default file on RHEL8 systems. + if ($facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '8') { + systemd::dropin_file { 'freeradius remove bootstrap': + ensure => present, + filename => 'remove_bootstrap.conf', + unit => 'radiusd.service', + content => template('freeradius/systemd_dropin_rhel8.erb'), + } + } + # Preserve some stock modules if ($preserve_mods) { freeradius::module { [ diff --git a/metadata.json b/metadata.json index c1ad2642..42ad3a67 100644 --- a/metadata.json +++ b/metadata.json @@ -29,8 +29,8 @@ "version_requirement": ">=1.0.0 <7.0.0" }, { - "name": "camptocamp/systemd", - "version_requirement": ">=2.0.0 <3.0.0" + "name": "puppet/systemd", + "version_requirement": ">=3.0.0 <5.0.0" } ], "operatingsystem_support": [ diff --git a/templates/systemd_dropin_rhel8.erb b/templates/systemd_dropin_rhel8.erb new file mode 100644 index 00000000..cd27a3c6 --- /dev/null +++ b/templates/systemd_dropin_rhel8.erb @@ -0,0 +1,4 @@ +[Service] +ExecStartPre= +ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd +ExecStartPre=/usr/sbin/radiusd -C From 564a7198e8788ee87c6a4965766b6ad25108f0f5 Mon Sep 17 00:00:00 2001 From: Nathan Ward Date: Fri, 18 Aug 2023 22:27:16 +1200 Subject: [PATCH 09/43] add tests for conditional definition of systemd dropin on different OSes --- spec/classes/freeradius_spec.rb | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/spec/classes/freeradius_spec.rb b/spec/classes/freeradius_spec.rb index 8f409eff..a1aaef34 100644 --- a/spec/classes/freeradius_spec.rb +++ b/spec/classes/freeradius_spec.rb 
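Review bot: The new `templates/systemd_dropin_rhel8.erb` hard-codes the owner as `radiusd.radiusd`, using the obsolete dot separator that current coreutils accepts only for compatibility; `ExecStartPre=-/bin/chown -R radiusd:radiusd /var/run/radiusd` is the safe spelling. The literal names also ignore the module's own `fr_group` setting, which other manifests in this series read, so an install with a different group would get the wrong ownership on the runtime directory. The leading `-` makes a failed chown non-fatal, which deserves a one-line comment in the template saying that this is intended. The drop-in resource in the `manifests/init.pp` hunk is gated on release major `'8'` only, and nothing visible there notifies `Service['radiusd']`; both are worth confirming against the rest of the class, which lies outside the hunk.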
@@ -391,6 +391,18 @@ end end + it do + if ['rocky-8-x86_64', 'centos-8-x86_64', 'redhat-8-x86_64', 'almalinux-8-x86_64'].include? os + is_expected.to contain_systemd__dropin_file('freeradius remove bootstrap') + .with_ensure('present') + .with_filename('remove_bootstrap.conf') + .with_unit('radiusd.service') + .with_content(%r{^ExecStartPre=$}) + else + is_expected.not_to contain_systemd__dropin_file('freeradius remove bootstrap') + end + end + context 'with mysql' do let(:params) do super().merge( From 473fd514737754d77b4c043ced550cbcdf3d6d99 Mon Sep 17 00:00:00 2001 From: Nathan Ward Date: Fri, 18 Aug 2023 22:40:34 +1200 Subject: [PATCH 10/43] Allow puppet 8, and update module dependencies to allow more modern versions --- metadata.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/metadata.json b/metadata.json index 42ad3a67..8025bcae 100644 --- a/metadata.json +++ b/metadata.json @@ -14,7 +14,7 @@ }, { "name": "puppetlabs/firewall", - "version_requirement": ">=1.0.0 <3.0.0" + "version_requirement": ">=1.0.0 <7.0.0" }, { "name": "saz/rsyslog", @@ -22,15 +22,15 @@ }, { "name": "puppet/logrotate", - "version_requirement": ">=1.4.0 <4.0.0" + "version_requirement": ">=1.4.0 <8.0.0" }, { "name": "puppetlabs/concat", - "version_requirement": ">=1.0.0 <7.0.0" + "version_requirement": ">=1.0.0 <10.0.0" }, { "name": "puppet/systemd", - "version_requirement": ">=3.0.0 <5.0.0" + "version_requirement": ">=3.0.0 <6.0.0" } ], "operatingsystem_support": [ @@ -92,7 +92,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">=4.0.0 <7.0.0" + "version_requirement": ">=7.0.0 <9.0.0" } ], "pdk-version": "3.0.0", From 72b165e72bd5789a3f00b5bf0574f5ed0786d580 Mon Sep 17 00:00:00 2001 
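Review bot: The last `metadata.json` hunk raises the lower bound of the `puppet` requirement from `>=4.0.0` to `>=7.0.0`, which removes Puppet 4 to 6 support rather than only allowing Puppet 8 as the commit subject says. If dropping the older agents is intended, it is a breaking change that needs a CHANGELOG entry and a matching version bump. If it is not intended, `"version_requirement": ">=4.0.0 <9.0.0"` keeps the previous floor. The widened upper bounds on `firewall`, `logrotate`, `concat` and `systemd` are presumably covered by the fixture versions in CI, but that is not visible here.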
From: =?UTF-8?q?=C3=81ngel=20L=2E=20Mateo?= Date: Mon, 25 Sep 2023 14:38:30 +0200 Subject: [PATCH 11/43] Fix locking in freeradius::module::detail The locking parameter is a Enum['no', 'yes'], so we can't check it as boolean. The assignment must be to the value of the parameter. --- templates/detail.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/detail.erb b/templates/detail.erb index 8e250682..2769dc76 100644 --- a/templates/detail.erb +++ b/templates/detail.erb @@ -87,7 +87,7 @@ detail <%= @name %> { # # locking = yes <%- if @locking -%> - locking = <%= @locking == true %> + locking = <%= @locking %> <%- end -%> # From 770ab904a4c3a5eb0bda87381ed207478d54d739 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 15:05:21 +0000 Subject: [PATCH 12/43] Adding trigger conf with test option --- templates/trigger.conf.erb | 288 +++++++++++++++++++++++++++++++++++++ 1 file changed, 288 insertions(+) create mode 100644 templates/trigger.conf.erb diff --git a/templates/trigger.conf.erb b/templates/trigger.conf.erb new file mode 100644 index 00000000..d000ad08 --- /dev/null +++ b/templates/trigger.conf.erb 
@@ -0,0 +1,288 @@ +# -*- text -*- +## +## trigger.conf -- Events in the server can trigger a hook to be executed. +## +## $Id: 413a182eec6a193ef8ffd284295e181962265395 $ + +# +# The triggers are named as "type.subtype.value". These names refer +# to subsections and then configuration items in the "trigger" +# section below. When an event occurs, the trigger is executed. The +# trigger is simply a program that is run, with optional arguments. +# +# The server does not wait when a trigger is executed. It is simply +# a "one-shot" event that is sent. +# +# The trigger names should be self-explanatory. +# + +# +# SNMP configuration. +# +# For now, this is only for SNMP traps. +# +# They are enabled by uncommenting (or adding) "$INCLUDE trigger.conf" +# in the main "radiusd.conf" file. +# +# The traps *REQUIRE* that the files in the "mibs" directory be copied +# to the global mibs directory, usually /usr/share/snmp/mibs/. +# If this is not done, the "snmptrap" program has no idea what information +# to send, and will not work. The MIB installation is *NOT* done as +# part of the default installation, so that step *MUST* be done manually. +# +# The global MIB directory can be found by running the following command: +# +# snmptranslate -Dinit_mib .1.3 2>&1 | grep MIBDIR | sed "s/' .*//;s/.* '//;s/.*://" +# +# Or maybe just: +# +# snmptranslate -Dinit_mib .1.3 2>&1 | grep MIBDIR +# +# If you have copied the MIBs to that directory, you can test the +# FreeRADIUS MIBs by running the following command: +# +# snmptranslate -m +FREERADIUS-NOTIFICATION-MIB -IR -On serverStart +# +# It should print out: +# +# .1.3.6.1.4.1.11344.4.1.1 +# +# As always, run the server in debugging mode after enabling the +# traps. You will see the "snmptrap" command being run, and it will +# print out any errors or issues that it encounters. Those need to +# be fixed before running the server in daemon mode. 
+# +# We also suggest running in debugging mode as the "radiusd" user, if +# you have "user/group" set in radiusd.conf. The "snmptrap" program +# may behave differently when run as "root" or as the "radiusd" user. +# +snmp { + # + # Configuration for SNMP traps / notifications + # + # To disable traps, edit "radiusd.conf", and delete the line + # which says "$INCUDE trigger.conf" + # + trap { + # + # Absolute path for the "snmptrap" command, and + # default command-line arguments. + # + # You can disable traps by changing the command to + # "/bin/echo". + # + <%- if @ensure = 'present' -%> + cmd = "/usr/bin/snmptrap -v2c" + <%- else -%> + cmd = "/bin/echo" + <%- end -%> + + # + # Community string + # + community = "<%= @trap_community %>" + + # + # Agent configuration. + # + agent = "<%= @trap_dest %> ''" + } +} + +# +# The "snmptrap" configuration defines the full command used to run the traps. +# +# This entry should not be edited. Instead, edit the "trap" section above. +# +snmptrap = "${snmp.trap.cmd} -c ${snmp.trap.community} ${snmp.trap.agent} FREERADIUS-NOTIFICATION-MIB" + +# +# The individual triggers are defined here. You can disable one by +# deleting it, or by commenting it out. You can disable an entire +# section of traps by deleting the section. +# +# The entries below should not be edited. For example, the double colons +# *must* immediately follow the ${snmptrap} reference. Adding a space +# before the double colons will break all SNMP traps. +# +# However... the traps are just programs which are run when +# particular events occur. If you want to replace a trap with +# another program, you can. Just edit the definitions below, so that +# they run a program of your choice. +# +# For example, you can leverage the "start/stop" triggers to run a +# program when the server starts, or when it stops. But that will +# prevent the start/stop SNMP traps from working, of course. 
+# +trigger { + # + # Events in the server core + # + server { + # the server has just started + <% unless @snmp_traps.include?('home_server_alive') %># <% end %> + start = "${snmptrap}::serverStart" + + + + # the server is about to stop + stop = "${snmptrap}::serverStop" + + # The "max_requests" condition has been reached. + # This will trigger only once per 60 seconds. + max_requests = "${snmptrap}::serverMaxRequests" + + # For events related to clients + client { + # Added a new dynamic client + add = "/path/to/file %{Packet-Src-IP-Address}" + + # There is no event for when dynamic clients expire + } + + # Events related to signals received. + signal { + # a HUP signal + hup = "${snmptrap}::signalHup" + + # a TERM signal + term = "${snmptrap}::signalTerm" + } + + + # Events related to the thread pool + thread { + # A new thread has been started + start = "${snmptrap}::threadStart" + + # an existing thread has been stopped + stop = "${snmptrap}::threadStop" + + # an existing thread is unresponsive + unresponsive = "${snmptrap}::threadUnresponsive" + + # the "max_threads" limit has been reached + max_threads = "${snmptrap}::threadMaxThreads" + } + } + + # When a home server changes state. + # These traps are edge triggered. + home_server { + # common arguments: IP, port, identifier + args = "radiusAuthServerAddress a %{proxy-request:Packet-Dst-IP-Address} radiusAuthClientServerPortNumber i %{proxy-request:Packet-Dst-Port} radiusAuthServIdent s '%{home_server:instance}'" + + # The home server has been marked "alive" + alive = "${snmptrap}::homeServerAlive ${args}" + + # The home server has been marked "zombie" + zombie = "${snmptrap}::homeServerZombie ${args}" + + # The home server has been marked "dead" + dead = "${snmptrap}::homeServerDead ${args}" + } + + # When a pool of home servers changes state. 
+ home_server_pool { + # common arguments + args = "radiusdConfigName s %{home_server:instance}" + + # It has reverted to "normal" mode, where at least one + # home server is alive. + normal = "${snmptrap}::homeServerPoolNormal ${args}" + + # It is in "fallback" mode, with all home servers "dead" + fallback = "${snmptrap}::homeServerPoolFallback ${args}" + } + + # Triggers for specific modules. These are NOT in the module + # configuration because they are global to all instances of the + # module. You can have module-specific triggers, by placing a + # "trigger" subsection in the module configuration. + modules { + # Common arguments + args = "radiusdModuleInstance s ''" + + # The files module + files { + # Common arguments + args = "radiusdModuleName s files ${..args}" + + # The module has been HUP'd via radmin + hup = "${snmptrap}::serverModuleHup ${args}" + + # Note that "hup" can be used for every module + # which can be HUP'd via radmin + } + + # The LDAP module + # If the server does "bind as user", it will open and close + # an LDAP connection ofr every "bind as user". Be aware that + # this will likely produce a lot of triggers. 
+ ldap { + # Common arguments + args = "radiusdModuleName s ldap ${..args}" + + # A new connection to the DB has been opened + open = "${snmptrap}::serverModuleConnectionUp ${args}" + + # A connection to the DB has been closed + close = "${snmptrap}::serverModuleConnectionDown ${args}" + + # The module has been HUP'd via radmin + hup = "${snmptrap}::serverModuleHup ${args}" + } + + # The SQL module + sql { + # Common arguments + args = "radiusdModuleName s sql ${..args}" + + # A new connection to the DB has been opened + open = "${snmptrap}::serverModuleConnectionUp ${args}" + + # A connection to the DB has been closed + close = "${snmptrap}::serverModuleConnectionDown ${args}" + + # Failed to open a new connection to the DB + fail = "${snmptrap}::serverModuleConnectionFail ${args}" + + # The module has been HUP'd via radmin + hup = "${snmptrap}::serverModuleHup ${args}" + } + + # You can also use connection pool's start/stop/open/close triggers + # for any module which uses the "pool" section, here and under + # pool.trigger in module configuration. + } +} + +# +# The complete list of triggers as generated from the source code is below. +# +# These are the ONLY traps which are generated. You CANNOT add new traps +# by defining them in one of the sections above. New traps can be created +# only by edited both the source code to the server, *and* the MIBs. +# If you are not an expert in C and SNMP, then adding new traps will be +# difficult to create. +# +# home_server.alive +# home_server.dead +# home_server.zombie +# home_server_pool.fallback +# home_server_pool.normal +# modules.*.hup +# modules.ldap.timeout +# modules.sql.close +# modules.sql.fail +# modules.sql.open +# server.client.add +# server.max_requests +# server.signal.hup +# server.signal.term +# server.start +# server.stop +# server.thread.max_threads +# server.thread.start +# server.thread.stop +# server.thread.unresponsive \ No newline at end of file 
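Review bot: The guard `<%- if @ensure = 'present' -%>` in the `trap` section assigns instead of comparing, so the branch is always taken and `cmd = "/bin/echo"` can never be rendered; it should be `<%- if @ensure == 'present' -%>`. `@ensure`, `@trap_community` and `@trap_dest` do not appear as class parameters in any `manifests/init.pp` hunk of this series, so unless they are defined outside the visible hunks the template renders an empty community and agent. Both values are interpolated into double-quoted settings that are then expanded into the `snmptrap` command line. The parameters that feed them should therefore be typed narrowly (for example a `Pattern` that excludes quotes and whitespace) rather than accepted as free strings. The community string is also a credential, so the rendered file should not be world-readable.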
From 8eacab27391129eea14da38020717763a5b9a2dc Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 15:35:10 +0000 Subject: [PATCH 13/43] Added reference to trigger as well --- manifests/init.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index b855fe20..f5c0096e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -158,6 +158,16 @@ } } + # Add trigger.conf snmp trap configuration + file { "${freeradius::fr_basepath}/trigger.conf": + ensure => file, + mode => '0644', + owner => 'root', + group => $freeradius::fr_group, + content => template('freeradius/trigger.conf.erb'), + require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], + notify => Service['radiusd'], + } # Set up concat policy file, as there is only one global policy # We also add standard header and footer concat { 'freeradius policy.conf': From 048b5b640ca8a70648193552c23bf9d5410a39d0 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 15:43:28 +0000 Subject: [PATCH 14/43] Add snmp_traps array to init.pp --- manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index f5c0096e..92994a04 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -22,6 +22,7 @@ Boolean $manage_logpath = true, Optional[String] $package_ensure = 'installed', String $radacctdir = $freeradius::params::radacctdir, + Array $snmp_traps = [], ) inherits freeradius::params { if $freeradius::fr_version !~ /^3/ { notify { 'This module is only compatible with FreeRADIUS 3.': } @@ -161,7 +162,7 @@ # Add trigger.conf snmp trap configuration file { "${freeradius::fr_basepath}/trigger.conf": ensure => file, - mode => '0644', + mode => '0640', owner => 'root', group => $freeradius::fr_group, content => template('freeradius/trigger.conf.erb'), From b950e883a59f928c23e114c15840331cab02bcda Mon Sep 17 00:00:00 2001 
From: Mark Ottaway Date: Fri, 10 Nov 2023 15:54:18 +0000 Subject: [PATCH 15/43] Moved hash to next line --- templates/trigger.conf.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/trigger.conf.erb b/templates/trigger.conf.erb index d000ad08..6bdccce1 100644 --- a/templates/trigger.conf.erb +++ b/templates/trigger.conf.erb @@ -120,8 +120,8 @@ trigger { # server { # the server has just started - <% unless @snmp_traps.include?('home_server_alive') %># <% end %> - start = "${snmptrap}::serverStart" + <% unless @snmp_traps.include?('home_server_alive') %> + # <% end %>start = "${snmptrap}::serverStart" @@ -285,4 +285,4 @@ trigger { # server.thread.max_threads # server.thread.start # server.thread.stop -# server.thread.unresponsive \ No newline at end of file +# server.thread.unresponsive From e05bb4e137f723c7fe2241ca67ea6f3afa4dfa40 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 15:59:33 +0000 Subject: [PATCH 16/43] Added server start to hash --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 92994a04..0c3f93cd 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -22,7 +22,7 @@ Boolean $manage_logpath = true, Optional[String] $package_ensure = 'installed', String $radacctdir = $freeradius::params::radacctdir, - Array $snmp_traps = [], + Array $snmp_traps = ['home_server_alive'], ) inherits freeradius::params { if $freeradius::fr_version !~ /^3/ { notify { 'This module is only compatible with FreeRADIUS 3.': } From 1f63759b2ca87989647908aca197fdfeadbf04fe Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 17:11:44 +0000 Subject: [PATCH 17/43] test if array empty and populate it --- manifests/init.pp | 30 ++++++++++++++- templates/trigger.conf.erb | 76 ++++++++++++++++++++++++-------------- 2 files changed, 77 insertions(+), 29 deletions(-) 
diff --git a/manifests/init.pp b/manifests/init.pp index 0c3f93cd..2055d14a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -22,7 +22,7 @@ Boolean $manage_logpath = true, Optional[String] $package_ensure = 'installed', String $radacctdir = $freeradius::params::radacctdir, - Array $snmp_traps = ['home_server_alive'], + Array $snmp_traps = [], ) inherits freeradius::params { if $freeradius::fr_version !~ /^3/ { notify { 'This module is only compatible with FreeRADIUS 3.': } @@ -158,7 +158,33 @@ preserve => true, } } - + if empty($snmp_traps) { + $snmp_traps = [ + 'server_start', + 'server_stop', + 'server_max_requests', + 'server_client_add', + 'server_signal_hup', + 'server_signal_term', + 'server_thread_start', + 'server_thread_stop', + 'server_thread_Unresponsive', + 'server_thread_max_threads', + 'home_server_alive', + 'home_server_zombie', + 'home_server_dead', + 'home_server_pool_normal', + 'home_server_pool_fallback', + 'server_files_module_hup', + 'server_ldap_module_connection_up', + 'server_ldap_module_connection_down', + 'server_ldap_module_hup', + 'server_sql_module_connection_up', + 'server_sql_module_connection_close', + 'server_sql_module_connection_fail', + 'server_sql_module_hup', + ] + } # Add trigger.conf snmp trap configuration file { "${freeradius::fr_basepath}/trigger.conf": ensure => file, diff --git a/templates/trigger.conf.erb b/templates/trigger.conf.erb index 6bdccce1..dbc71747 100644 --- a/templates/trigger.conf.erb +++ b/templates/trigger.conf.erb 
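Review bot: The added `if empty($snmp_traps) { $snmp_traps = [...] }` block reassigns a class parameter. Puppet variables are single-assignment and an `if` body does not open a new scope, so with the default `[]` this should fail catalog compilation with a reassignment error. I would keep the default list under a new local name, select it with `$enabled_snmp_traps = empty($snmp_traps) ? { true => $default_snmp_traps, default => $snmp_traps }`, and have the template read `@enabled_snmp_traps`. Declaring the parameter as `Array[String]`, or as an `Enum` of the known names, would also reject misspelled entries, which otherwise silently comment a trigger out; the list already mixes `server_thread_Unresponsive` with otherwise lower-case names and uses `connection_close` for SQL but `connection_down` for LDAP. The class body starts and ends outside these hunks.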
@@ -120,22 +120,25 @@ trigger { # server { # the server has just started - <% unless @snmp_traps.include?('home_server_alive') %> + <% unless @snmp_traps.include?('server_start') %> # <% end %>start = "${snmptrap}::serverStart" # the server is about to stop - stop = "${snmptrap}::serverStop" + <% unless @snmp_traps.include?('server_stop') %> + # <% end %>stop = "${snmptrap}::serverStop" # The "max_requests" condition has been reached. # This will trigger only once per 60 seconds. - max_requests = "${snmptrap}::serverMaxRequests" + <% unless @snmp_traps.include?('server_max_requests') %> + # <% end %>max_requests = "${snmptrap}::serverMaxRequests" # For events related to clients client { # Added a new dynamic client - add = "/path/to/file %{Packet-Src-IP-Address}" + <% unless @snmp_traps.include?('server_client_add') %> + # <% end %>add = "/path/to/file %{Packet-Src-IP-Address}" # There is no event for when dynamic clients expire } 
@@ -143,26 +146,32 @@ trigger { # Events related to signals received. signal { # a HUP signal - hup = "${snmptrap}::signalHup" + <% unless @snmp_traps.include?('server_signal_hup') %> + # <% end %>hup = "${snmptrap}::signalHup" # a TERM signal - term = "${snmptrap}::signalTerm" + <% unless @snmp_traps.include?('server_signal_term') %> + # <% end %>term = "${snmptrap}::signalTerm" } # Events related to the thread pool thread { - # A new thread has been started - start = "${snmptrap}::threadStart" + # A new thread has been started + <% unless @snmp_traps.include?('server_thread_start') %> + # <% end %>start = "${snmptrap}::threadStart" - # an existing thread has been stopped - stop = "${snmptrap}::threadStop" + # an existing thread has been stopped + <% unless @snmp_traps.include?('server_thread_stop') %> + # <% end %>stop = "${snmptrap}::threadStop" - # an existing thread is unresponsive - unresponsive = "${snmptrap}::threadUnresponsive" + # an existing thread is unresponsive + <% unless @snmp_traps.include?('server_thread_Unresponsive') %> + # <% end %>unresponsive = "${snmptrap}::threadUnresponsive" - # the "max_threads" limit has been reached - max_threads = "${snmptrap}::threadMaxThreads" + # the "max_threads" limit has been reached + <% unless @snmp_traps.include?('server_thread_max_threads') %> + # <% end %>max_threads = "${snmptrap}::threadMaxThreads" } } 
@@ -173,13 +182,16 @@ trigger { args = "radiusAuthServerAddress a %{proxy-request:Packet-Dst-IP-Address} radiusAuthClientServerPortNumber i %{proxy-request:Packet-Dst-Port} radiusAuthServIdent s '%{home_server:instance}'" # The home server has been marked "alive" - alive = "${snmptrap}::homeServerAlive ${args}" + <% unless @snmp_traps.include?('home_server_alive') %> + # <% end %>salive = "${snmptrap}::homeServerAlive ${args}" # The home server has been marked "zombie" - zombie = "${snmptrap}::homeServerZombie ${args}" + <% unless @snmp_traps.include?('home_server_zombie') %> + # <% end %>szombie = "${snmptrap}::homeServerZombie ${args}" # The home server has been marked "dead" - dead = "${snmptrap}::homeServerDead ${args}" + <% unless @snmp_traps.include?('home_server_dead') %> + # <% end %>sdead = "${snmptrap}::homeServerDead ${args}" } # When a pool of home servers changes state. @@ -189,10 +201,12 @@ trigger { # It has reverted to "normal" mode, where at least one # home server is alive. - normal = "${snmptrap}::homeServerPoolNormal ${args}" + <% unless @snmp_traps.include?('home_server_pool_normal') %> + # <% end %>snormal = "${snmptrap}::homeServerPoolNormal ${args}" # It is in "fallback" mode, with all home servers "dead" - fallback = "${snmptrap}::homeServerPoolFallback ${args}" + <% unless @snmp_traps.include?('home_server_pool_fallback') %> + # <% end %>fallback = "${snmptrap}::homeServerPoolFallback ${args}" } # Triggers for specific modules. These are NOT in the module @@ -209,7 +223,8 @@ trigger { args = "radiusdModuleName s files ${..args}" # The module has been HUP'd via radmin - hup = "${snmptrap}::serverModuleHup ${args}" + <% unless @snmp_traps.include?('server_files_module_hup') %> + # <% end %>hup = "${snmptrap}::serverModuleHup ${args}" # Note that "hup" can be used for every module # which can be HUP'd via radmin 
@@ -224,13 +239,16 @@ trigger { args = "radiusdModuleName s ldap ${..args}" # A new connection to the DB has been opened - open = "${snmptrap}::serverModuleConnectionUp ${args}" + <% unless @snmp_traps.include?('server_ldap_module_connection_up') %> + # <% end %>open = "${snmptrap}::serverModuleConnectionUp ${args}" # A connection to the DB has been closed - close = "${snmptrap}::serverModuleConnectionDown ${args}" + <% unless @snmp_traps.include?('server_ldap_module_connection_down') %> + # <% end %>close = "${snmptrap}::serverModuleConnectionDown ${args}" # The module has been HUP'd via radmin - hup = "${snmptrap}::serverModuleHup ${args}" + <% unless @snmp_traps.include?('server_ldap_module_hup') %> + # <% end %>hup = "${snmptrap}::serverModuleHup ${args}" } # The SQL module @@ -239,16 +257,20 @@ trigger { args = "radiusdModuleName s sql ${..args}" # A new connection to the DB has been opened - open = "${snmptrap}::serverModuleConnectionUp ${args}" + <% unless @snmp_traps.include?('server_sql_module_connection_up') %> + # <% end %>open = "${snmptrap}::serverModuleConnectionUp ${args}" # A connection to the DB has been closed - close = "${snmptrap}::serverModuleConnectionDown ${args}" + <% unless @snmp_traps.include?('server_sql_module_connection_close') %> + # <% end %>close = "${snmptrap}::serverModuleConnectionDown ${args}" # Failed to open a new connection to the DB - fail = "${snmptrap}::serverModuleConnectionFail ${args}" + <% unless @snmp_traps.include?('server_sql_module_connection_fail') %> + # <% end %>fail = "${snmptrap}::serverModuleConnectionFail ${args}" # The module has been HUP'd via radmin - hup = "${snmptrap}::serverModuleHup ${args}" + <% unless @snmp_traps.include?('server_sql_module_hup') %> + # <% end %>hup = "${snmptrap}::serverModuleHup ${args}" } # You can also use connection pool's start/stop/open/close triggers From 66544d62726a135d6680c4173bd7320d81e6425d Mon Sep 17 00:00:00 2001 
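Review bot: The guard names for the same event differ between modules: the LDAP block uses `server_ldap_module_connection_down` while the SQL block uses `server_sql_module_connection_close`, although both lines emit `serverModuleConnectionDown`. Because an unknown name is simply never matched, a user who copies the LDAP spelling for SQL gets no trap and no warning. Suggest `<% unless @snmp_traps.include?('server_sql_module_connection_down') %>` (with the default list in `manifests/init.pp` updated to match) and a README table of the accepted names.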
From: Mark Ottaway Date: Fri, 10 Nov 2023 17:31:20 +0000 Subject: [PATCH 18/43] Added remaining template variables --- manifests/init.pp | 3 +++ templates/trigger.conf.erb | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 2055d14a..3d71c3f6 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -22,6 +22,9 @@ Boolean $manage_logpath = true, Optional[String] $package_ensure = 'installed', String $radacctdir = $freeradius::params::radacctdir, + String $snmp_traps_enable = 'disable', + String $snmp_traps_community = 'public', + String $snmp_traps_dest = '127.0.0.1', Array $snmp_traps = [], ) inherits freeradius::params { if $freeradius::fr_version !~ /^3/ { diff --git a/templates/trigger.conf.erb b/templates/trigger.conf.erb index dbc71747..9619ae44 100644 --- a/templates/trigger.conf.erb +++ b/templates/trigger.conf.erb @@ -71,7 +71,7 @@ snmp { # You can disable traps by changing the command to # "/bin/echo". # - <%- if @ensure = 'present' -%> + <%- if @snmp_traps_enable = 'enable' -%> cmd = "/usr/bin/snmptrap -v2c" <%- else -%> cmd = "/bin/echo" @@ -80,12 +80,12 @@ snmp { # # Community string # - community = "<%= @trap_community %>" + community = "<%= @snmp_traps_community %>" # # Agent configuration. # - agent = "<%= @trap_dest %> ''" + agent = "<%= @snmp_traps_dest %> ''" } } From 5d98df546c8745f365c505ba339cafa184ff57e9 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 17:39:21 +0000 Subject: [PATCH 19/43] Equals test with single = --- templates/trigger.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/trigger.conf.erb b/templates/trigger.conf.erb index 9619ae44..959be6b0 100644 --- a/templates/trigger.conf.erb +++ b/templates/trigger.conf.erb 
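Review bot: The three new parameters in `manifests/init.pp` are plain `String`, yet `snmp_traps_community` and `snmp_traps_dest` are written unescaped between double quotes in `trigger.conf.erb` (`community = "<%= @snmp_traps_community %>"`, `agent = "<%= @snmp_traps_dest %> ''"`) and from there presumably reach the `snmptrap` command line. A value containing a quote or whitespace would change the rendered configuration, so tighter types are worth having, for example `Enum['enable','disable'] $snmp_traps_enable` and `Pattern[/\A[^"'\s]+\z/]` for the other two (the allowed character set should be confirmed against what snmptrap accepts). The default community `'public'` is the well-known default value; consider making the caller set it explicitly when traps are enabled. The parameter list begins and ends outside the hunk.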
@@ -71,7 +71,7 @@ snmp { # You can disable traps by changing the command to # "/bin/echo". # - <%- if @snmp_traps_enable = 'enable' -%> + <%- if @snmp_traps_enable == 'enable' -%> cmd = "/usr/bin/snmptrap -v2c" <%- else -%> cmd = "/bin/echo" From 096d21313253a1258a4971e0207c07eef9b5ce61 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 17:43:29 +0000 Subject: [PATCH 20/43] Removed an unneeded s --- templates/trigger.conf.erb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/trigger.conf.erb b/templates/trigger.conf.erb index 959be6b0..59b8956f 100644 --- a/templates/trigger.conf.erb +++ b/templates/trigger.conf.erb @@ -183,15 +183,15 @@ trigger { # The home server has been marked "alive" <% unless @snmp_traps.include?('home_server_alive') %> - # <% end %>salive = "${snmptrap}::homeServerAlive ${args}" + # <% end %>alive = "${snmptrap}::homeServerAlive ${args}" # The home server has been marked "zombie" <% unless @snmp_traps.include?('home_server_zombie') %> - # <% end %>szombie = "${snmptrap}::homeServerZombie ${args}" + # <% end %>zombie = "${snmptrap}::homeServerZombie ${args}" # The home server has been marked "dead" <% unless @snmp_traps.include?('home_server_dead') %> - # <% end %>sdead = "${snmptrap}::homeServerDead ${args}" + # <% end %>dead = "${snmptrap}::homeServerDead ${args}" } # When a pool of home servers changes state. @@ -202,7 +202,7 @@ trigger { # It has reverted to "normal" mode, where at least one # home server is alive. <% unless @snmp_traps.include?('home_server_pool_normal') %> - # <% end %>snormal = "${snmptrap}::homeServerPoolNormal ${args}" + # <% end %>normal = "${snmptrap}::homeServerPoolNormal ${args}" # It is in "fallback" mode, with all home servers "dead" <% unless @snmp_traps.include?('home_server_pool_fallback') %> From cbad6ae295bbbb3c618badd0c1f48d0a01e90c67 Mon Sep 17 00:00:00 2001 
From: Mark Ottaway Date: Fri, 10 Nov 2023 18:10:56 +0000 Subject: [PATCH 21/43] changing snmp_traps to undef --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 3d71c3f6..4cf51b45 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -25,7 +25,7 @@ String $snmp_traps_enable = 'disable', String $snmp_traps_community = 'public', String $snmp_traps_dest = '127.0.0.1', - Array $snmp_traps = [], + Array $snmp_traps = undef, ) inherits freeradius::params { if $freeradius::fr_version !~ /^3/ { notify { 'This module is only compatible with FreeRADIUS 3.': } From f74c32f8197d67d4b667f77c3dc9d337023ff327 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 18:29:26 +0000 Subject: [PATCH 22/43] Used second trap variable to check passed trap list --- manifests/init.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 4cf51b45..fdd364b4 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -25,7 +25,7 @@ String $snmp_traps_enable = 'disable', String $snmp_traps_community = 'public', String $snmp_traps_dest = '127.0.0.1', - Array $snmp_traps = undef, + Array $snmp_traps_list = [], ) inherits freeradius::params { if $freeradius::fr_version !~ /^3/ { notify { 'This module is only compatible with FreeRADIUS 3.': } @@ -161,7 +161,7 @@ preserve => true, } } - if empty($snmp_traps) { + if empty($snmp_traps_list) { $snmp_traps = [ 'server_start', 'server_stop', @@ -187,6 +187,8 @@ 'server_sql_module_connection_fail', 'server_sql_module_hup', ] + } else { + $snmp_traps = $snmp_traps_list } # Add trigger.conf snmp trap configuration file { "${freeradius::fr_basepath}/trigger.conf": From 3b91c4d30081af3ae00df5a98c0e823130242102 Mon Sep 17 00:00:00 2001 From: Julien Godin Date: Thu, 25 Apr 2024 16:13:04 +0200 Subject: [PATCH 23/43] improvment: add a new parameter to allow the use of vulnerable SSL/TLS versions 
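Review bot: `Array $snmp_traps_list = []` accepts any element, and a misspelled trap name is never reported: the template only tests `@snmp_traps.include?('…')`, so the trigger stays commented and the trap is silently not sent. Typing the parameter as `Array[Enum[...]]` over the names in the default list (or at least `Array[String]`) would reject typos at compile time. The `empty($snmp_traps_list)` branch also means an empty list enables every trap, which is the opposite of what `[]` suggests and deserves a line in the README.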
Signed-off-by: Julien Godin --- README.md | 3 +++ manifests/init.pp | 1 + templates/radiusd.conf.erb | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b6f89861..60b067fe 100644 --- a/README.md +++ b/README.md @@ -138,6 +138,9 @@ Add a syslog rule (using the `saz/rsyslog` module). Default: `false`. ##### `log_auth` Log authentication requests (yes/no). Default: `no`. +##### `allow_vulnerable_openssl` +Allow the server to start with versions of OpenSSL known to have critical vulnerabilities. (yes/no). Default: `yes`. + ##### `package_ensure` Choose whether the package is just installed and left (`installed`), or updated every Puppet run (`latest`). Default: `installed` diff --git a/manifests/init.pp b/manifests/init.pp index fdd364b4..a0eae333 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -17,6 +17,7 @@ Boolean $syslog = false, String $syslog_facility = 'daemon', Freeradius::Boolean $log_auth = 'no', + Freeradius::Boolean $allow_vulnerable_ssl = 'yes', Boolean $preserve_mods = true, Boolean $correct_escapes = true, Boolean $manage_logpath = true, diff --git a/templates/radiusd.conf.erb b/templates/radiusd.conf.erb index 3d715654..87e8614e 100644 --- a/templates/radiusd.conf.erb +++ b/templates/radiusd.conf.erb @@ -574,7 +574,7 @@ security { # and may not reflect patches applied to libssl by # distribution maintainers. # - allow_vulnerable_openssl = yes + allow_vulnerable_openssl = <%= @allow_vulnerable_openssl%> } # PROXY CONFIGURATION From 89e42437832d5aa66cab0ad9e48a52ca3129aaff Mon Sep 17 00:00:00 2001 From: Julien Godin Date: Thu, 25 Apr 2024 16:39:30 +0200 Subject: [PATCH 24/43] fix: allow vulnerable ssl versions Signed-off-by: Julien Godin --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index a0eae333..6ce600be 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
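Review bot: The new parameter in `manifests/init.pp` defaults to `'yes'`, so an unconfigured node still tells radiusd to start on an OpenSSL build it recognises as having critical vulnerabilities. That matches the value previously hard-coded in `radiusd.conf.erb`, but now that the setting is configurable a default of `'no'` would be the safer choice (as far as I recall that is also what stock FreeRADIUS ships), with operators opting in where a patched distribution package makes the check a false positive. If `'yes'` has to stay for compatibility, the README entry should state plainly that it disables a startup safety check.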
@@ -17,7 +17,7 @@ Boolean $syslog = false, String $syslog_facility = 'daemon', Freeradius::Boolean $log_auth = 'no', - Freeradius::Boolean $allow_vulnerable_ssl = 'yes', + Freeradius::Boolean $allow_vulnerable_openssl = 'yes', Boolean $preserve_mods = true, Boolean $correct_escapes = true, Boolean $manage_logpath = true, From 75d354dcb6e6d07d06e3dba06dcbc6bf64a22879 Mon Sep 17 00:00:00 2001 From: Andrew Teixeira Date: Tue, 14 May 2024 14:56:06 -0400 Subject: [PATCH 25/43] Remove is_ip_address function removed from stdlib in 9.x Bump the lower bound on stdlib to 5.0.0 --- manifests/listen.pp | 31 +++++++++++-------------------- metadata.json | 2 +- 2 files changed, 12 insertions(+), 21 deletions(-) diff --git a/manifests/listen.pp b/manifests/listen.pp index e73d2f25..352f3a00 100644 --- a/manifests/listen.pp +++ b/manifests/listen.pp 
@@ -1,30 +1,21 @@ # == Define freeradius::listen # define freeradius::listen ( - Freeradius::Ensure $ensure = 'present', - Enum['auth','acct','proxy','detail','status','coa'] $type = 'auth', - Optional[String] $ip = undef, - Optional[String] $ip6 = undef, - Integer $port = 0, - Optional[String] $interface = undef, - Optional[String] $virtual_server = undef, - Array[String] $clients = [], - Integer $max_connections = 16, - Integer $lifetime = 0, - Integer $idle_timeout = 30, + Freeradius::Ensure $ensure = 'present', + Enum['auth','acct','proxy','detail','status','coa'] $type = 'auth', + Optional[Variant[Stdlib::IP::Address::V4, Enum['*']]] $ip = undef, + Optional[Variant[Stdlib::IP::Address::V6, Enum['*']]] $ip6 = undef, + Integer $port = 0, + Optional[String] $interface = undef, + Optional[String] $virtual_server = undef, + Array[String] $clients = [], + Integer $max_connections = 16, + Integer $lifetime = 0, + Integer $idle_timeout = 30, ) { $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group - # Parameter validation - if $ip and $ip != '*' and !is_ip_address($ip) { - fail('ip must be a valid IP address or \'*\'') - } - - if $ip6 and $ip6 != '::' and !is_ip_address($ip6) { - fail('ip6 must be a valid IP address or \'::\'') - } - if $ip and $ip6 { fail('Only one of ip or ip6 can be used') } diff --git a/metadata.json b/metadata.json index 8025bcae..66d05a5b 100644 --- a/metadata.json +++ b/metadata.json @@ -10,7 +10,7 @@ "dependencies": [ { "name": "puppetlabs/stdlib", - "version_requirement": ">=4.25.0 <10.0.0" + "version_requirement": ">=5.0.0 <10.0.0" }, { "name": "puppetlabs/firewall", From 93b3c83e82eb767f650d7b6fe780849bcd20ffbf Mon Sep 17 00:00:00 2001 From: Nathan Ward Date: Wed, 15 May 2024 22:44:48 +1200 Subject: [PATCH 26/43] Update the puppetlabs firewall module requirement to be >7 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
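Review bot: `Stdlib::IP::Address::V4` and `Stdlib::IP::Address::V6` also match addresses that carry a prefix length (for example `192.0.2.1/24`, a constructed sample), which is unlikely to be a valid listen address. `Stdlib::IP::Address::V4::Nosubnet` and `Stdlib::IP::Address::V6::Nosubnet` would restrict `$ip` and `$ip6` to bare addresses. The wildcard for `ip6` also changed: the removed check special-cased `'::'` and the new type adds `'*'`, so it is worth confirming that the template and FreeRADIUS accept `*` for an IPv6 listener and noting the change in the README.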
diff --git a/metadata.json b/metadata.json index 66d05a5b..f5662ef8 100644 --- a/metadata.json +++ b/metadata.json @@ -14,7 +14,7 @@ }, { "name": "puppetlabs/firewall", - "version_requirement": ">=1.0.0 <7.0.0" + "version_requirement": ">=7.0.0 <9.0.0" }, { "name": "saz/rsyslog", From a314d78785102585a23c7b7f3b3256672228321c Mon Sep 17 00:00:00 2001 From: Nathan Ward Date: Wed, 15 May 2024 22:36:26 +1200 Subject: [PATCH 27/43] Update calls to the firewall module with modern parameters --- manifests/client.pp | 13 +++++++------ spec/defines/client_spec.rb | 13 +++++++------ 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index f8fc7e4d..876d4da9 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -61,17 +61,18 @@ if $port { if $ip { firewall { "100 ${name} ${port_description} v4": - proto => 'udp', - dport => $port, - action => 'accept', - source => $ip, + proto => 'udp', + dport => $port, + jump => 'ACCEPT', + protocol => 'IPv4', + source => $ip, } } elsif $ip6 { firewall { "100 ${name} ${port_description} v6": proto => 'udp', dport => $port, - action => 'accept', - provider => 'ip6tables', + jump => 'ACCEPT', + protocol => 'IPv6', source => $ip6, } } diff --git a/spec/defines/client_spec.rb b/spec/defines/client_spec.rb index fcf8c73f..f234d7ab 100644 --- a/spec/defines/client_spec.rb +++ b/spec/defines/client_spec.rb @@ -85,8 +85,9 @@ is_expected.to contain_firewall('100 test 1234 v4') .with_proto('udp') .with_dport(1234) - .with_action('accept') + .with_jump('ACCEPT') .with_source('1.2.3.4') + .with_protocol('IPv4') end context 'with ipv6' do @@ -102,9 +103,9 @@ is_expected.to contain_firewall('100 test 1234 v6') .with_proto('udp') .with_dport(1234) - .with_action('accept') + .with_jump('ACCEPT') .with_source('2001:db8::100') - .with_provider('ip6tables') + .with_protocol('IPv6') end end end 
@@ -120,7 +121,7 @@ is_expected.to contain_firewall('100 test 1234,4321 v4') .with_proto('udp') .with_dport([1234, 4321]) - .with_action('accept') + .with_jump('ACCEPT') .with_source('1.2.3.4') end @@ -137,9 +138,9 @@ is_expected.to contain_firewall('100 test 1234,4321 v6') .with_proto('udp') .with_dport([1234, 4321]) - .with_action('accept') + .with_jump('ACCEPT') .with_source('2001:db8::100') - .with_provider('ip6tables') + .with_protocol('IPv6') end end end From 612eff6aab08c6a02b05462d198d3c8a0ea25a5c Mon Sep 17 00:00:00 2001 From: Nathan Ward Date: Sat, 19 Aug 2023 01:44:10 +1200 Subject: [PATCH 28/43] Fix link target --- manifests/site.pp | 2 +- spec/defines/site_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/site.pp b/manifests/site.pp index b1b351a5..16a132b1 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -43,6 +43,6 @@ file { "freeradius sites-enabled/${name}": ensure => $ensure_link, path => "${fr_basepath}/sites-enabled/${name}", - target => "${fr_basepath}/sites-available/${name}", + target => "../sites-available/${name}", } } diff --git a/spec/defines/site_spec.rb b/spec/defines/site_spec.rb index 0f08c415..72dec9e1 100644 --- a/spec/defines/site_spec.rb +++ b/spec/defines/site_spec.rb @@ -29,6 +29,6 @@ is_expected.to contain_file('freeradius sites-enabled/test') .with_path('/etc/raddb/sites-enabled/test') .with_ensure('link') - .with_target('/etc/raddb/sites-available/test') + .with_target('../sites-available/test') end end From 4e90820436eddc2fafe0f3d32248d13c64f74949 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Wed, 15 May 2024 12:38:01 +0100 Subject: [PATCH 29/43] We don't use the v prefix in version numbers --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 87601740..3528885f 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
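Review bot: The multi-port IPv4 example (`contain_firewall('100 test 1234,4321 v4')`) switches to `.with_jump('ACCEPT')` but does not assert the new `protocol` attribute, while the single-port IPv4 example and both IPv6 examples in this commit do. Adding `.with_protocol('IPv4')` after `.with_source('1.2.3.4')` keeps the four examples symmetric and covers the value set in `manifests/client.pp`. The example block begins outside the hunk.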
@@ -3,7 +3,7 @@ name: Build and publish to Puppet Forge on: push: tags: - - v[0-9]+.[0-9]+.[0-9]+ + - [0-9]+.[0-9]+.[0-9]+ jobs: build: From 7d3911c3b910ecc6be0945c2154700509cacb5e6 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Wed, 15 May 2024 12:39:45 +0100 Subject: [PATCH 30/43] Prepare release 4.0.0 --- CHANGELOG.md | 2 ++ metadata.json | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c8d5eab3..9a0379ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## Changelog +Please refer to the [GitHub releases page](https://github.com/djjudas21/puppet-freeradius/releases) for the changelog for 4.0.0 and onwards + ### 3.9.2 * Bugfix: Restart FreeRADIUS after any huntgroups modification diff --git a/metadata.json b/metadata.json index f5662ef8..4154c522 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "jgazeley-freeradius", - "version": "3.9.2", + "version": "4.0.0", "author": "jgazeley", "summary": "Install and configure FreeRADIUS", "license": "Apache-2.0", From 72f3d2bf67597ea1130029895f2b9fc1f8d44c02 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Wed, 15 May 2024 12:41:53 +0100 Subject: [PATCH 31/43] Publish on new release only --- .github/workflows/publish.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 3528885f..fc852970 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,9 +1,8 @@ name: Build and publish to Puppet Forge on: - push: - tags: - - [0-9]+.[0-9]+.[0-9]+ + release: + types: [published] jobs: build: From 43a29e708a5f040d26c7e4db0175bc824761b516 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Wed, 15 May 2024 12:50:54 +0100 Subject: [PATCH 32/43] Update Forge publish action --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index fc852970..3a124cc5 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -16,7 +16,7 @@ jobs: with: ref: ${{ steps.vars.outputs.tag }} - name: Build and publish module - uses: barnumbirr/action-forge-publish@v2 + uses: barnumbirr/action-forge-publish@v2.15.0 env: FORGE_API_KEY: ${{ secrets.FORGE_API_KEY }} REPOSITORY_URL: https://forgeapi.puppet.com/v3/releases From 738232d33945152968e3135f84c945f7ae180b55 Mon Sep 17 00:00:00 2001 From: Jo Rhett Date: Sat, 7 Sep 2024 12:53:07 -0700 Subject: [PATCH 33/43] Version 4.0.1 fix Puppet 8 compatibility, replace classic facts --- README.md | 2 +- manifests/init.pp | 2 +- manifests/params.pp | 40 ++++++++++++++++++++-------------------- metadata.json | 2 +- 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 60b067fe..90593008 100644 --- a/README.md +++ b/README.md @@ -170,7 +170,7 @@ The shared secret for the status server. Required. The port to listen for status requests on. Default: `18121` ##### `listen` -The address to listen on. Defaults to listen on all addresses but you could set this to `$::ipaddress` or `127.0.0.1`. Default: `*` +The address to listen on. Defaults to listen on all addresses but you could set this to `$facts['networking]['ip']` or `127.0.0.1`. Default: `*` ```puppet # Enable status server diff --git a/manifests/init.pp b/manifests/init.pp index 6ce600be..9eedc121 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -566,7 +566,7 @@ # This should be fixed in FreeRADIUS 2.2.0 # http://lists.freeradius.org/pipermail/freeradius-users/2012-October/063232.html # Only affects RPM-based systems - if $::osfamily == 'RedHat' { + if $facts['os']['family'] == 'RedHat' { exec { 'delete-radius-rpmnew': command => "find ${freeradius::fr_basepath} -name *.rpmnew -delete", onlyif => "find ${freeradius::fr_basepath} -name *.rpmnew | grep rpmnew", 
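Review bot: `barnumbirr/action-forge-publish@v2.15.0` is still a mutable tag, and this step runs with `FORGE_API_KEY` in its environment, so anyone able to move that tag can run code that sees the publishing credential. Pinning to the full commit SHA of the release, with the version kept as a trailing comment, removes the dependency on the tag: `uses: barnumbirr/action-forge-publish@<full-commit-sha> # v2.15.0` (placeholder; the SHA is not on this page). The job definition continues outside the hunk.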
diff --git a/manifests/params.pp b/manifests/params.pp index c584c77f..94071f25 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,9 +1,9 @@ # Default parameters for freeradius class freeradius::params { # Make an educated guess which version of FR we are running, based on the OS - case $::operatingsystem { + case $facts['os']['name'] { /RedHat|CentOS|Rocky|AlmaLinux/: { - $fr_guessversion = $::operatingsystemmajrelease ? { + $fr_guessversion = $facts['os']['release']['major'] ? { 5 => '2', 6 => '2', 7 => '3', @@ -13,7 +13,7 @@ } } 'Debian': { - $fr_guessversion = $::operatingsystemmajrelease ? { + $fr_guessversion = $facts['os']['release']['major'] ? { 6 => '2', 7 => '2', 8 => '2', @@ -22,7 +22,7 @@ } } 'Fedora': { - $fr_guessversion = $::operatingsystemmajrelease ? { + $fr_guessversion = $facts['os']['release']['major'] ? { 21 => '3', 22 => '3', 23 => '3', @@ -30,7 +30,7 @@ } } 'Ubuntu': { - $fr_guessversion = $::operatingsystemmajrelease ? { + $fr_guessversion = $facts['os']['release']['major'] ? { '14.04' => '2', '14.10' => '2', '15.04' => '2', @@ -42,7 +42,7 @@ } } default: { - fail("OS ${::operatingsystem} is not supported") + fail("OS ${facts['os']['name']} is not supported") } } 
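Review bot: The RedHat, Debian and Fedora selectors now test `$facts['os']['release']['major']` against bare integers (`5 => '2'`, `7 => '3'`, `21 => '3'`), while the Ubuntu selector uses quoted strings. The structured fact is a string as far as I know, and Puppet does not treat `'7'` and `7` as equal, so these branches probably never match and every such host falls through to `default`. Quoting the keys (`'7' => '3'`) in the hunks at `-1,9`, `-13,7` and `-22,7` would make the version guess depend on the release; a spec test per OS family would confirm it.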
@@ -54,28 +54,28 @@ } # Name of FreeRADIUS package - $fr_package = $::osfamily ? { + $fr_package = $facts['os']['family'] ? { 'RedHat' => 'freeradius', 'Debian' => 'freeradius', default => 'freeradius', } # Name of wpa_supplicant package - $fr_wpa_supplicant = $::osfamily ? { + $fr_wpa_supplicant = $facts['os']['family'] ? { 'RedHat' => 'wpa_supplicant', 'Debian' => 'wpasupplicant', default => 'wpa_supplicant', } # Name of FreeRADIUS service - $fr_service = $::osfamily ? { + $fr_service = $facts['os']['family'] ? { 'RedHat' => 'radiusd', 'Debian' => 'freeradius', default => 'radiusd', } # Whether the FreeRADIUS init.d startup script has a status setting or not - $fr_service_has_status = $::osfamily ? { + $fr_service = $facts['os']['family'] ? { 'RedHat' => true, 'Debian' => true, default => false, @@ -85,13 +85,13 @@ $fr_pidfile = "/var/run/${fr_service}/${fr_service}.pid" # Default base path for FreeRADIUS configs - case $::osfamily { + case $facts['os']['family'] { 'RedHat': { $fr_basepath = '/etc/raddb' $fr_raddbdir = "\${sysconfdir}/raddb" } 'Debian': { - $fr_basepath = $::operatingsystemmajrelease ? { + $fr_basepath = facts['os']['release']['major'] ? { '9' => '/etc/freeradius/3.0', '10' => '/etc/freeradius/3.0', '11' => '/etc/freeradius/3.0', @@ -101,7 +101,7 @@ '22.04' => '/etc/freeradius/3.0', default => '/etc/freeradius', } - $fr_raddbdir = $::operatingsystemmajrelease ? { + $fr_raddbdir = facts['os']['release']['major'] ? { '9' => "\${sysconfdir}/freeradius/3.0", '10' => "\${sysconfdir}/freeradius/3.0", '11' => "\${sysconfdir}/freeradius/3.0", 
@@ -139,40 +139,40 @@ $fr_moduleconfigpath = "${fr_basepath}/${fr_modconfigdir}" # Path for FreeRADIUS logs - $fr_logpath = $::osfamily ? { + $fr_logpath = $facts['os']['family'] ? { 'RedHat' => '/var/log/radius', 'Debian' => '/var/log/freeradius', default => '/var/log/radius', } # FreeRADIUS user - $fr_user = $::osfamily ? { + $fr_user = $facts['os']['family'] ? { 'RedHat' => 'radiusd', 'Debian' => 'freerad', default => 'radiusd', } # FreeRADIUS group - $fr_group = $::osfamily ? { + $fr_group = $facts['os']['family'] ? { 'RedHat' => 'radiusd', 'Debian' => 'freerad', default => 'radiusd', } # Privileged winbind user - $fr_wbpriv_user = $::osfamily ? { + $fr_wbpriv_user = $facts['os']['family'] ? { 'RedHat' => 'wbpriv', 'Debian' => 'winbindd_priv', default => 'wbpriv', } - $fr_libdir = $::osfamily ? { + $fr_libdir = $facts['os']['family'] ? { 'RedHat' => '/usr/lib64/freeradius', 'Debian' => '/usr/lib/freeradius', default => '/usr/lib64/freeradius', } - $fr_db_dir = $::osfamily ? { + $fr_db_dir = $facts['os']['family'] ? { 'Debian' => "\${raddbdir}", default => "\${localstatedir}/lib/radiusd", } @@ -180,7 +180,7 @@ $radacctdir = "\${logdir}/radacct" # Default radsniff environment file location - $fr_radsniff_envfile = $::osfamily ? { + $fr_radsniff_envfile = $facts['os']['family'] ? { 'RedHat' => '/etc/sysconfig/radsniff', 'Debian' => '/etc/defaults/radsniff', default => undef, diff --git a/metadata.json b/metadata.json index 4154c522..5bf6379a 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "jgazeley-freeradius", - "version": "4.0.0", + "version": "4.0.1", "author": "jgazeley", "summary": "Install and configure FreeRADIUS", "license": "Apache-2.0", From 20eefea66fb541375124b4242f5bf3953c9980f9 Mon Sep 17 00:00:00 2001 
From: Jo Rhett Date: Sat, 7 Sep 2024 13:32:06 -0700 Subject: [PATCH 34/43] Bugfix cannot reassign variable fr_service Bugfix cannot reassign variable fr_service Bugfix unknown variable in ldap module --- manifests/module/ldap.pp | 2 +- manifests/params.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/module/ldap.pp b/manifests/module/ldap.pp index 279e3771..dc547bbb 100644 --- a/manifests/module/ldap.pp +++ b/manifests/module/ldap.pp @@ -74,7 +74,7 @@ # FR3.1 format server = 'ldap1.example.com' # server = 'ldap2.example.com' # server = 'ldap3.example.com' - $serverconcatarray = $::freeradius_version ? { + $serverconcatarray = $facts['freeradius_version'] ? { /^3\.0\./ => any2array(join($server, ',')), default => $server, } diff --git a/manifests/params.pp b/manifests/params.pp index 94071f25..87e3fd17 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -75,7 +75,7 @@ } # Whether the FreeRADIUS init.d startup script has a status setting or not - $fr_service = $facts['os']['family'] ? { + $fr_service_has_status = $facts['os']['family'] ? { 'RedHat' => true, 'Debian' => true, default => false, From 977edd1fb172bc7fa346773564bc04ab5c174c84 Mon Sep 17 00:00:00 2001 From: deligatedgeek Date: Tue, 9 Jul 2024 17:12:29 +0100 Subject: [PATCH 35/43] Update metadata.json --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 5bf6379a..178f3790 100644 --- a/metadata.json +++ b/metadata.json @@ -30,7 +30,7 @@ }, { "name": "puppet/systemd", - "version_requirement": ">=3.0.0 <6.0.0" + "version_requirement": ">=3.0.0 <6.3.0" } ], "operatingsystem_support": [ From 25423250a34ea24904c1d877366f09bf53ab58c0 Mon Sep 17 00:00:00 2001 From: deligatedgeek Date: Tue, 9 Jul 2024 17:19:20 +0100 Subject: [PATCH 36/43] Update metadata.json --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 178f3790..c0a7b510 100644 
--- a/metadata.json +++ b/metadata.json @@ -30,7 +30,7 @@ }, { "name": "puppet/systemd", - "version_requirement": ">=3.0.0 <6.3.0" + "version_requirement": ">=3.0.0 <6.4.0" } ], "operatingsystem_support": [ From e85876918fca2aa99619e87ef36e92d7e17ce115 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Mon, 16 Sep 2024 16:31:05 +0100 Subject: [PATCH 37/43] Added Ubuntu Default paramters --- manifests/params.pp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/manifests/params.pp b/manifests/params.pp index 87e3fd17..abd618eb 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -38,6 +38,7 @@ '18.04' => '3', '20.04' => '3', '22.04' => '3', + '24.04' => '3', default => '2', } } @@ -99,6 +100,7 @@ '18.04' => '/etc/freeradius/3.0', '20.04' => '/etc/freeradius/3.0', '22.04' => '/etc/freeradius/3.0', + '24.04' => '/etc/freeradius/3.0', default => '/etc/freeradius', } $fr_raddbdir = facts['os']['release']['major'] ? { @@ -109,6 +111,7 @@ '18.04' => "\${sysconfdir}/freeradius/3.0", '20.04' => "\${sysconfdir}/freeradius/3.0", '22.04' => "\${sysconfdir}/freeradius/3.0", + '24.04' => "\${sysconfdir}/freeradius/3.0", default => "\${sysconfdir}/freeradius", } } From 46977b00040c34a9b44b3f76fd5dbdc4437e257c Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 25 Oct 2024 15:32:58 +0100 Subject: [PATCH 38/43] Replaced buster/sid with 16.04 --- manifests/params.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index abd618eb..e2b6c4e2 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -96,7 +96,7 @@ '9' => '/etc/freeradius/3.0', '10' => '/etc/freeradius/3.0', '11' => '/etc/freeradius/3.0', - 'buster/sid' => '/etc/freeradius/3.0', + '16.04' => '/etc/freeradius/3.0', '18.04' => '/etc/freeradius/3.0', '20.04' => '/etc/freeradius/3.0', '22.04' => '/etc/freeradius/3.0', 
@@ -107,7 +107,7 @@ '9' => "\${sysconfdir}/freeradius/3.0", '10' => "\${sysconfdir}/freeradius/3.0", '11' => "\${sysconfdir}/freeradius/3.0", - 'buster/sid' => "\${sysconfdir}/freeradius/3.0", + '16.04' => "\${sysconfdir}/freeradius/3.0", '18.04' => "\${sysconfdir}/freeradius/3.0", '20.04' => "\${sysconfdir}/freeradius/3.0", '22.04' => "\${sysconfdir}/freeradius/3.0", From acf08d687d973f2e105ddd88db37b865dc7e4116 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 25 Oct 2024 15:58:10 +0100 Subject: [PATCH 39/43] Missing $ on facts ? --- manifests/params.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index e2b6c4e2..1f61a00e 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -92,22 +92,22 @@ $fr_raddbdir = "\${sysconfdir}/raddb" } 'Debian': { - $fr_basepath = facts['os']['release']['major'] ? { + $fr_basepath = $facts['os']['release']['major'] ? { '9' => '/etc/freeradius/3.0', '10' => '/etc/freeradius/3.0', '11' => '/etc/freeradius/3.0', - '16.04' => '/etc/freeradius/3.0', + 'buster/sid' => '/etc/freeradius/3.0', '18.04' => '/etc/freeradius/3.0', '20.04' => '/etc/freeradius/3.0', '22.04' => '/etc/freeradius/3.0', '24.04' => '/etc/freeradius/3.0', default => '/etc/freeradius', } - $fr_raddbdir = facts['os']['release']['major'] ? { + $fr_raddbdir = $facts['os']['release']['major'] ? { '9' => "\${sysconfdir}/freeradius/3.0", '10' => "\${sysconfdir}/freeradius/3.0", '11' => "\${sysconfdir}/freeradius/3.0", - '16.04' => "\${sysconfdir}/freeradius/3.0", + 'buster/sid' => "\${sysconfdir}/freeradius/3.0", '18.04' => "\${sysconfdir}/freeradius/3.0", '20.04' => "\${sysconfdir}/freeradius/3.0", '22.04' => "\${sysconfdir}/freeradius/3.0", From fa1ce3f049d4647720d63914c7cf93100aba1429 Mon Sep 17 00:00:00 2001 
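Review bot: Besides adding the missing `$` to `facts[...]`, both selectors in the `@@ -92,22 +92,22 @@` hunk switch the `'16.04'` key back to `'buster/sid'`, which the subject line does not mention; that revert deserves its own line in the commit message. The key list also has no `'12'`, so a Debian 12 host takes `default => '/etc/freeradius'`. If that release is meant to be supported, `'12' => '/etc/freeradius/3.0',` and the matching `"\${sysconfdir}/freeradius/3.0"` entry are needed. The two selectors repeat the same keys, so deriving `$fr_raddbdir` from one shared suffix would stop them drifting apart.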
From: Mark Ottaway Date: Fri, 25 Oct 2024 16:33:16 +0100 Subject: [PATCH 40/43] Adding content option to policy so templates can be used. --- manifests/policy.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/policy.pp b/manifests/policy.pp index 27226673..1d272697 100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp @@ -1,6 +1,7 @@ # Install FreeRADIUS policies define freeradius::policy ( Optional[String] $source, + Optional[String] $content, Optional[Integer] $order = 50, Freeradius::Ensure $ensure = present, ) { @@ -15,6 +16,7 @@ owner => 'root', group => $fr_group, source => $source, + content => $content, require => [Package['freeradius'], Group['radiusd']], notify => Service['radiusd'], } From 48c166fe1eb447c87dfe611df6519e25fc0ddf32 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 25 Oct 2024 17:01:54 +0100 Subject: [PATCH 41/43] Testing content and source as undefined --- manifests/policy.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/policy.pp b/manifests/policy.pp index 1d272697..eab71fe6 100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp @@ -1,7 +1,7 @@ # Install FreeRADIUS policies define freeradius::policy ( - Optional[String] $source, - Optional[String] $content, + Optional[String] $source = undef, + Optional[String] $content = undef, Optional[Integer] $order = 50, Freeradius::Ensure $ensure = present, ) { From d84106b4f40e4ca4b31f2bd8d14ef3f24a55cfca Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Mon, 4 Nov 2024 18:58:16 +0000 Subject: [PATCH 42/43] For MFA at LDAP, 1 second isnt long enough --- manifests/module/ldap.pp | 2 ++ templates/ldap.erb | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/manifests/module/ldap.pp b/manifests/module/ldap.pp index dc547bbb..2f66cbdc 100644 --- a/manifests/module/ldap.pp +++ b/manifests/module/ldap.pp 
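Review bot: `source => $source` and `content => $content` are both passed straight to the file resource in `manifests/policy.pp`, with nothing checking that exactly one of them is set. Puppet's file type rejects a resource that carries both, but only when the resource is validated on the agent. With the `undef` defaults added in the following commit's hunk, a policy declared with neither is, as far as I can tell, written as an empty file while `Service['radiusd']` is still notified. A check at the top of the define turns both cases into a clear compile-time error. The define body continues outside these hunks.

```puppet
# … unchanged: parameter list of freeradius::policy …
  if $source and $content {
    fail("freeradius::policy[${name}]: 'source' and 'content' are mutually exclusive")
  }
  if $ensure == present and !$source and !$content {
    fail("freeradius::policy[${name}]: one of 'source' or 'content' is required")
  }
# … unchanged: file resource …
```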
@@ -62,6 +62,8 @@ Integer $lifetime = 0, Integer $idle_timeout = 60, Optional[Float] $connect_timeout = undef, + Integer $net_timeout = 1, + ) { $fr_package = $::freeradius::params::fr_package $fr_service = $::freeradius::params::fr_service diff --git a/templates/ldap.erb b/templates/ldap.erb index c04d3b39..eb43b455 100644 --- a/templates/ldap.erb +++ b/templates/ldap.erb @@ -642,7 +642,7 @@ ldap <%= @name %> { # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. - net_timeout = 1 + net_timeout = <%= @net_timeout %> # LDAP_OPT_X_KEEPALIVE_IDLE idle = <%= @idle %> From d8af21ee53d7e9224585761e8da48e36d7d466c1 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Thu, 7 Nov 2024 13:05:16 +0000 Subject: [PATCH 43/43] Remove subdirectories of $purged_dirs --- manifests/init.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/init.pp b/manifests/init.pp index 9eedc121..108f38e2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -110,6 +110,7 @@ path => $path, purge => true, recurse => true, + force => true, mode => '0755', owner => 'root', group => $freeradius::fr_group,
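Review bot: `Integer $net_timeout = 1,` accepts zero and negative values, which the `templates/ldap.erb` hunk then writes unchecked into `net_timeout = <%= @net_timeout %>`. A lower bound in the type, `Integer[1] $net_timeout = 1,`, rejects those at compile time. The default stays at 1 although the subject says that is too short for MFA, so the parameter documentation should name a recommended value and note that a long timeout keeps a request waiting on an unresponsive LDAP host for that long. The blank line added before `)` can be dropped. The parameter list starts outside this hunk.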
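Review bot: `force => true` in `manifests/init.pp`, combined with the existing `purge => true` and `recurse => true`, makes this resource delete every unmanaged subdirectory and its contents under `$path`, not just stray files. What `$path` iterates over is outside the hunk; if any of those directories can hold operator-placed material such as certificates or site-local configuration, upgrading to this version removes it on the next run. I would list this as a behaviour change in the changelog and comment the line, `# force: also removes unmanaged subdirectories under the purged dirs`, or gate it behind a class parameter that defaults to the previous behaviour.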