(CAT-1417) Nested require support for authz_core mod

Author: Ramesh7

lib/puppet/functions/apache/authz_core_config.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+# @summary
+#   Function to generate the authz_core configuration directives.
+#
+Puppet::Functions.create_function(:'apache::authz_core_config') do
+  # @param config
+  #   The input as JSON format.
+  #
+  # @return
+  #   Returns the authz_core config directives in array.
+  #
+  # @example
+  #
+  #    arg = {
+  #      require_all => {
+  #       'require_any' => {
+  #         'require' => ['user superadmin'],
+  #         'require_all' => {
+  #           'require' => ['group admins', 'ldap-group "cn=Administrators,o=Airius"'],
+  #         },
+  #        },
+  #       'require_none' => {
+  #         'require' => ['group temps', 'ldap-group "cn=Temporary Employees,o=Airius"']
+  #       }
+  #      }
+  #    }
+  #
+  #    apache::bool2httpd(arg)
+  #    returns :
+  #    [
+  #      "<RequireAll>",
+  #      "<RequireAny>",
+  #      "Require user superadmin",
+  #      "<RequireAll>",
+  #      "Require group admins",
+  #      "Require ldap-group \"cn=Administrators,o=Airius\"",
+  #      "</RequireAll>",
+  #      "</RequireAny>",
+  #      "<RequireNone>",
+  #      "Require group temps",
+  #      "Require ldap-group \"cn=Temporary Employees,o=Airius\"",
+  #      "</RequireNone>",
+  #      "</RequireAll>"
+  #    ]
+  #
+  dispatch :authz_core_config do
+    param 'Hash', :config
+    return_type 'Array'
+  end
+
+  def build_directive(value)
+    value.split('_').map(&:capitalize).join
+  end
+
+  def authz_core_config(config)
+    result_string = []
+    config.map do |key, value|
+      directive = build_directive(key)
+      if value.is_a?(Hash)
+        result_string << "<#{directive}>"
+        result_string << authz_core_config(value)
+        result_string << "</#{directive}>"
+      else
+        value.map do |v|
+          result_string << "#{directive} #{v}"
+        end
+      end
+    end
+    result_string.flatten
+  end
+end

manifests/mod/authz_core.pp

@@ -0,0 +1,10 @@
+# @summary
+#   Installs `mod_authz_core`.
+# 
+# @see https://httpd.apache.org/docs/current/mod/mod_authz_core.html for additional documentation.
+#
+class apache::mod::authz_core {
+  ::apache::mod { 'authz_core':
+    id => 'authz_core_module',
+  }
+}

manifests/vhost.pp

@@ -1455,6 +1455,33 @@
 #   }
 #   ```
 #
+# lint:ignore:parameter_documentation
+# @param authz_core
+# lint:endignore
+#   Specifies mod_authz_core parameters for particular directories in a virtual host directory
+#   ```puppet
+#   apache::vhost { 'sample.example.net':
+#     docroot     => '/path/to/directory',
+#     directories => [
+#       { path        => '/path/to/different/dir',
+#         authz_core  => {
+#           require_all => {
+#             'require_any' => {
+#               'require' => ['user superadmin'],
+#               'require_all' => {
+#                 'require' => ['group admins', 'ldap-group "cn=Administrators,o=Airius"'],
+#               },
+#             },
+#             'require_none' => {
+#               'require' => ['group temps', 'ldap-group "cn=Temporary Employees,o=Airius"']
+#             }
+#           }
+#         }
+#       },
+#     ],
+#   }
+#   ```
+#
 # @param ssl
 #   Enables SSL for the virtual host. SSL virtual hosts only respond to HTTPS queries.
 #
@@ -2301,6 +2328,11 @@
         include apache::mod::auth_gssapi
       }
 
+      if 'authz_core' in $directory {
+        include apache::mod::authn_file
+        include apache::mod::authz_user
+      }
+
       if $directory['provider'] and $directory['provider'] =~ 'location' and ('proxy_pass' in $directory or 'proxy_pass_match' in $directory) {
         include apache::mod::proxy_http
 

spec/acceptance/mod_auth_core_spec.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+apache_hash = apache_settings_hash
+
+describe 'apache::mod::authz_core' do
+  context 'Default ldap module installation' do
+    pp = <<-MANIFEST
+        class { 'apache': }
+        class { 'apache::mod::authz_core': }
+    MANIFEST
+
+    it 'succeeds in installing the ldap module' do
+      apply_manifest(pp, catch_failures: true)
+    end
+
+    describe file("#{apache_hash['mod_dir']}/authz_core.load") do
+      it { is_expected.to contain 'mod_authz_core.so' }
+    end
+  end
+end

spec/functions/authz_core_config_spec.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'apache::authz_core_config' do
+  let(:input) do
+    {
+      'Require' => [
+        'user foo',
+        'user bar',
+      ]
+    }
+  end
+
+  it { is_expected.to run.with_params(nil).and_raise_error(StandardError) }
+  it { is_expected.to run.with_params([]).and_raise_error(StandardError) }
+  it { is_expected.to run.with_params({}).and_return([]) }
+  it { is_expected.to run.with_params(input).and_return(['Require user foo', 'Require user bar']) }
+end

templates/vhost/_authz_core.epp

@@ -0,0 +1,3 @@
+<% $authz_core_config.each |$line| { -%>
+    <%= $line %>
+<%- } -%>

templates/vhost/_directories.erb

@@ -544,6 +544,9 @@
     <%- if directory['custom_fragment'] -%>
     <%= directory['custom_fragment'] %>
     <%- end -%>
+    <%- if directory['authz_core'] -%>
+      <%= scope.call_function('epp',["apache/vhost/_authz_core.epp", 'authz_core_config' => scope.call_function('apache::authz_core_config', directory['authz_core'])]) -%>
+    <%- end -%>
     <%- if directory['gssapi'] -%>
       <%= scope.call_function('epp',["apache/vhost/_gssapi.epp", directory['gssapi']]) -%>
     <%- end -%>