WIP

leoarnold · Sep 16, 2018 · ebaf602 · ebaf602
1 parent 98271a9
commit ebaf602
Show file tree

Hide file tree

Showing 5 changed files with 337 additions and 63 deletions.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -50,13 +50,14 @@
   Boolean                        $package_manage         = true,
   Variant[String, Array[String]] $package_names          = $::cups::params::package_names,
   Optional[String]               $papersize              = undef,
+  Hash                           $policies               = {},
   Boolean                        $purge_unmanaged_queues = false,
   Optional[Hash]                 $resources              = undef,
   Boolean                        $service_enable         = true,
   String                         $service_ensure         = 'running',
   Boolean                        $service_manage         = true,
   Variant[String, Array[String]] $service_names          = 'cups',
-  Optional[Boolean]              $web_interface          = undef,
+  Optional[Boolean]              $web_interface          = true,
 ) inherits cups::params {
 
   contain cups::packages

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -11,11 +11,13 @@
         listen: ['localhost:631', '/var/run/cups/cups.sock'],
         package_ensure: 'present',
         package_manage: 'true',
+        policies: {},
         purge_unmanaged_queues: 'false',
         service_enable: 'true',
         service_ensure: 'running',
         service_manage: 'true',
-        service_names: 'cups'
+        service_names: 'cups',
+        web_interface: true
       }
     end
 
@@ -24,10 +26,11 @@
         default_queue
         papersize
         resources
-        web_interface
       ]
     end
 
+    let(:content) { file_fixture('cupsd.conf.default').read }
+
     it { is_expected.to contain_class('cups::params') }
 
     it { is_expected.to contain_class('cups').with(defaults) }
@@ -46,7 +49,7 @@
 
     it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(mode: '0640') }
 
-    it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: /\A#.*DO NOT/) }
+    it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: content) }
 
     it { is_expected.to contain_class('cups::server').that_requires('Class[cups::packages]') }
 
@@ -232,6 +235,96 @@
       end
     end
 
+    describe 'policies' do
+      let(:facts) { any_supported_os }
+
+      context 'when modifying the default policy' do
+        context 'when setting JobPrivateAccess to all' do
+          let(:params) { { policies: { 'default' => { 'JobPrivateAccess' => 'all' } } } }
+          let(:content) { %r{<Policy default>.*?^\s*JobPrivateAccess all$.*?</Policy>}m }
+
+          it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: content) }
+        end
+
+        context 'when setting JobPrivateValues to none' do
+          let(:params) { { policies: { 'default' => { 'JobPrivateValues' => 'none' } } } }
+          let(:content) { %r{<Policy default>.*?^\s*JobPrivateValues none$.*?</Policy>}m }
+
+          it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: content) }
+        end
+
+        context 'when setting SubscriptionPrivateAccess to all' do
+          let(:params) { { policies: { 'default' => { 'SubscriptionPrivateAccess' => 'all' } } } }
+          let(:content) { %r{<Policy default>.*?^\s*SubscriptionPrivateAccess all$.*?</Policy>}m }
+
+          it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: content) }
+        end
+
+        context 'when setting SubscriptionPrivateValues to none' do
+          let(:params) { { policies: { 'default' => { 'SubscriptionPrivateValues' => 'none' } } } }
+          let(:content) { %r{<Policy default>.*?^\s*SubscriptionPrivateValues none$.*?</Policy>}m }
+
+          it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: content) }
+        end
+
+        context 'when modifying a Limit' do
+          let(:params) do
+            {
+              policies: {
+                'default' => {
+                  'Limit' => {
+                    'Create-Job' => {
+                      'AuthType' => 'Negotiate',
+                      'Order' => 'deny,allow'
+                    }
+                  }
+                }
+              }
+            }
+          end
+          let(:content) { %r{<Policy default>.*?<Limit [^>]*Create-Job[^>]*>\s*AuthType Negotiate\s*Order deny,allow\s*</Limit>.*?</Policy>}m }
+
+          it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: content) }
+        end
+      end
+
+      context 'when adding a custom policy' do
+        context 'with an empty hash as value' do
+          let(:params) { { policies: { 'lab999' => {} } } }
+
+          it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: %r{^<Policy lab999>.*</Policy>$}m) }
+        end
+
+        context 'when setting JobPrivateAccess to all' do
+          let(:params) { { policies: { 'lab999' => { 'JobPrivateAccess' => 'all' } } } }
+          let(:content) { %r{<Policy lab999>.*?^\s*JobPrivateAccess all$.*?</Policy>}m }
+
+          it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: content) }
+        end
+
+        context 'when setting JobPrivateValues to none' do
+          let(:params) { { policies: { 'lab999' => { 'JobPrivateValues' => 'none' } } } }
+          let(:content) { %r{<Policy lab999>.*?^\s*JobPrivateValues none$.*?</Policy>}m }
+
+          it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: content) }
+        end
+
+        context 'when setting SubscriptionPrivateAccess to all' do
+          let(:params) { { policies: { 'lab999' => { 'SubscriptionPrivateAccess' => 'all' } } } }
+          let(:content) { %r{<Policy lab999>.*?^\s*SubscriptionPrivateAccess all$.*?</Policy>}m }
+
+          it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: content) }
+        end
+
+        context 'when setting SubscriptionPrivateValues to none' do
+          let(:params) { { policies: { 'lab999' => { 'SubscriptionPrivateValues' => 'none' } } } }
+          let(:content) { %r{<Policy lab999>.*?^\s*SubscriptionPrivateValues none$.*?</Policy>}m }
+
+          it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: content) }
+        end
+      end
+    end
+
     describe 'purge_unmanaged_queues' do
       let(:facts) { any_supported_os }
 

diff --git a/spec/fixtures/files/cupsd.conf.default b/spec/fixtures/files/cupsd.conf.default
@@ -0,0 +1,122 @@
+# This file is managed by Puppet. DO NOT EDIT.
+LogLevel warn
+PageLogFormat
+MaxLogSize 0
+Listen localhost:631
+Listen /var/run/cups/cups.sock
+Browsing Off
+BrowseLocalProtocols dnssd
+DefaultAuthType Basic
+WebInterface Yes
+<Location />
+  Order allow,deny
+</Location>
+<Location /admin>
+  Order allow,deny
+</Location>
+<Location /admin/conf>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+</Location>
+<Location /admin/log>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+</Location>
+<Policy default>
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    Order deny,allow
+  </Limit>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+<Policy authenticated>
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Default
+    Order deny,allow
+  </Limit>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+<Policy kerberos>
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Negotiate
+    Order deny,allow
+  </Limit>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Negotiate
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Negotiate
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -62,3 +62,9 @@ def any_supported_os(morefacts = {})
 Dir["#{PROJECT_ROOT}/lib/puppet_x/**/*.rb"].each do |file|
   require file
 end
+
+def file_fixture(*relative_path)
+  path = File.expand_path(File.join(__dir__, 'fixtures', 'files', *relative_path))
+
+  Pathname.new(path)
+end