Refs #32885: Add puppet user to user_groups only if server or client certificate contains puppet path

ehelms · ehelms · commit e16eaa3e25a7 · 2021-06-25T11:23:50.000-04:00
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -74,6 +74,12 @@
   }
 
   if $foreman::manage_user {
+    if $foreman::puppet_ssldir in $foreman::server_ssl_key or $foreman::puppet_ssldir in $foreman::client_ssl_key {
+      $_user_groups = $foreman::user_groups + ['puppet']
+    } else {
+      $_user_groups = $foreman::user_groups
+    }
+
     group { $foreman::group:
       ensure => 'present',
     }
@@ -83,7 +89,7 @@
       comment => 'Foreman',
       home    => $foreman::app_root,
       gid     => $foreman::group,
-      groups  => $foreman::user_groups,
+      groups  => unique($_user_groups),
     }
   }
 
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -24,7 +24,7 @@
   $manage_user       = true
   $user              = 'foreman'
   $group             = 'foreman'
-  $user_groups       = ['puppet']
+  $user_groups       = []
   $rails_env         = 'production'
   $version           = 'present'
   $plugin_version    = 'present'
diff --git a/spec/acceptance/hieradata/common.yaml b/spec/acceptance/hieradata/common.yaml
@@ -5,4 +5,6 @@ foreman::server_ssl_cert: /etc/foreman-certs/certificate.pem
 foreman::server_ssl_chain: /etc/foreman-certs/certificate.pem
 foreman::server_ssl_crl: ""
 foreman::server_ssl_key: /etc/foreman-certs/key.pem
-foreman::user_groups: []
+foreman::client_ssl_ca: /etc/foreman-certs/certificate.pem
+foreman::client_ssl_cert: /etc/foreman-certs/certificate.pem
+foreman::client_ssl_key: /etc/foreman-certs/key.pem
diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb
@@ -409,6 +409,19 @@
           it { should_not contain_class('redis::instance') }
         end
       end
+
+      describe 'with non-Puppet SSL certificates' do
+        let(:params) do
+          super().merge(
+            server_ssl_key: '/etc/pki/localhost.key',
+            server_ssl_cert: '/etc/pki/localhost.crt',
+            client_ssl_key: '/etc/pki/localhost.key',
+            client_ssl_cert: '/etc/pki/localhost.crt',
+          )
+        end
+
+        it { should contain_user('foreman').with('groups' => []) }
+      end
     end
   end
 end

Original file line number	Diff line number	Diff line change
`@@ -74,6 +74,12 @@`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	`if $foreman::manage_user {`
	`77`	`+ if $foreman::puppet_ssldir in $foreman::server_ssl_key or $foreman::puppet_ssldir in $foreman::client_ssl_key {`
	`78`	`+ $_user_groups = $foreman::user_groups + ['puppet']`
	`79`	`+ } else {`
	`80`	`+ $_user_groups = $foreman::user_groups`
	`81`	`+ }`
	`82`	`+`
`77`	`83`	`group { $foreman::group:`
`78`	`84`	`ensure => 'present',`
`79`	`85`	`}`
`@@ -83,7 +89,7 @@`
`83`	`89`	`comment => 'Foreman',`
`84`	`90`	`home => $foreman::app_root,`
`85`	`91`	`gid => $foreman::group,`
`86`		`- groups => $foreman::user_groups,`
	`92`	`+ groups => unique($_user_groups),`
`87`	`93`	`}`
`88`	`94`	`}`
`89`	`95`