From 6c50616c421f48b6a40b7a073d75dff0bab10b74 Mon Sep 17 00:00:00 2001 From: Phil Friderici Date: Fri, 24 Nov 2023 15:36:57 +0000 Subject: [PATCH 1/3] Use config_user and config_group instead of hard coded root --- REFERENCE.md | 22 ++++++++++++++++++++-- manifests/config.pp | 4 ++-- manifests/configfile.pp | 4 ++-- manifests/init.pp | 12 ++++++++++-- manifests/patternfile.pp | 4 ++-- manifests/service.pp | 4 ++-- 6 files changed, 38 insertions(+), 12 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 951ed620..e877fa79 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -110,6 +110,8 @@ The following parameters are available in the `logstash` class: * [`home_dir`](#-logstash--home_dir) * [`logstash_user`](#-logstash--logstash_user) * [`logstash_group`](#-logstash--logstash_group) +* [`config_user`](#-logstash--config_user) +* [`config_group`](#-logstash--config_group) * [`purge_config`](#-logstash--purge_config) * [`service_provider`](#-logstash--service_provider) * [`settings`](#-logstash--settings) @@ -220,7 +222,7 @@ Default value: `'/usr/share/logstash'` Data type: `String` -The user that Logstash should run as. This also controls file ownership. +The user that Logstash should run as. Default value: `'logstash'` @@ -228,10 +230,26 @@ Default value: `'logstash'` Data type: `String` -The group that Logstash should run as. This also controls file group ownership. +The group that Logstash should run as. Default value: `'logstash'` +##### `config_user` + +Data type: `String` + +The user that owns Logstash control files. + +Default value: `'root'` + +##### `config_group` + +Data type: `String` + +The group that owns Logstash control files. + +Default value: `'root'` + ##### `purge_config` Data type: `Boolean` diff --git a/manifests/config.pp b/manifests/config.pp index 6933788c..556945ae 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
@@ -9,8 +9,8 @@ require logstash::package File { - owner => 'root', - group => 'root', + owner => $logstash::config_user, + group => $logstash::config_group, } # Configuration "fragment" directories for pipeline config and pattern files. diff --git a/manifests/configfile.pp b/manifests/configfile.pp index eb8c9719..f1ebc462 100644 --- a/manifests/configfile.pp +++ b/manifests/configfile.pp @@ -49,8 +49,8 @@ ) { include logstash - $owner = 'root' - $group = $logstash::logstash_group + $owner = $logstash::config_user + $group = $logstash::config_group $mode = '0640' $require = Package['logstash'] # So that we have '/etc/logstash/conf.d'. $tag = ['logstash_config'] # So that we notify the service. diff --git a/manifests/init.pp b/manifests/init.pp index 0d5b02d3..b2a8c094 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -52,10 +52,16 @@ # The home directory for logstash. # # @param [String] logstash_user -# The user that Logstash should run as. This also controls file ownership. +# The user that Logstash should run as. # # @param [String] logstash_group -# The group that Logstash should run as. This also controls file group ownership. +# The group that Logstash should run as. +# +# @param [String] config_user +# The user that owns Logstash control files. +# +# @param [String] config_group +# The group that owns Logstash control files. # # @param [Boolean] purge_config # Purge the config directory of any unmanaged files, @@ -152,6 +158,8 @@ Stdlib::Absolutepath $home_dir = '/usr/share/logstash', $logstash_user = 'logstash', $logstash_group = 'logstash', + $config_user = 'root', + $config_group = 'root', $config_dir = '/etc/logstash', Boolean $purge_config = true, $service_provider = undef, diff --git a/manifests/patternfile.pp b/manifests/patternfile.pp index 4490ff15..996904b5 100644 --- a/manifests/patternfile.pp +++ b/manifests/patternfile.pp 
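Review bot: In the `manifests/configfile.pp` hunk the group changes from `$logstash::logstash_group` to `$logstash::config_group`, whose default in `init.pp` is `'root'`, while `$mode` stays `'0640'`. With the defaults, pipeline files become root:root 0640, so a service running as the default `logstash` user loses the group read access it had before. The `manifests/patternfile.pp` hunk has the same problem, and PATCH 2/3 adds to it by setting `$logstash::config_dir` to `'0750'` and the `service.pp` File default to `'0640'`. Either default the group to the service group with `$config_group = $logstash_group,` in `init.pp`, or keep `group => $logstash::logstash_group` on the files the service must read. The `config_group` description should also state that the Logstash process needs read access through that group; the define's body continues outside the hunk.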
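Review bot: The two parameters added to the `init.pp` parameter list are untyped, although the `@param` docs and REFERENCE.md describe them as `String`. They set `owner` and `group` on every managed configuration file, so an empty or non-string value should fail at compile time rather than reach a `file` resource. Declare them as `String[1] $config_user = 'root',` and `String[1] $config_group = 'root',`. The neighbouring `$logstash_user` and `$logstash_group` are untyped as well, so this tightens the existing style rather than following it. The parameter list starts and ends outside the hunk.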
@@ -30,8 +30,8 @@ file { "${logstash::config_dir}/patterns/${destination}": ensure => file, source => $source, - owner => 'root', - group => $logstash::logstash_group, + owner => $logstash::config_user, + group => $logstash::config_group, mode => '0640', tag => ['logstash_config'], } diff --git a/manifests/service.pp b/manifests/service.pp index 9b1c1758..05487674 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -37,8 +37,8 @@ $pipelines = $logstash::pipelines File { - owner => 'root', - group => 'root', + owner => $logstash::config_user, + group => $logstash::config_group, mode => '0644', notify => Exec['logstash-system-install'], } From 139d2929364077f05498840e49f5543afc5a1bc7 Mon Sep 17 00:00:00 2001 From: Phil Friderici Date: Fri, 24 Nov 2023 15:38:33 +0000 Subject: [PATCH 2/3] Restrict access for 'others' --- manifests/config.pp | 6 +++--- manifests/service.pp | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/config.pp b/manifests/config.pp index 556945ae..55d1eb78 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -21,14 +21,14 @@ if($logstash::ensure == 'present') { file { $logstash::config_dir: ensure => directory, - mode => '0755', + mode => '0750', } file { "${logstash::config_dir}/conf.d": ensure => directory, purge => $logstash::purge_config, recurse => $logstash::purge_config, - mode => '0775', + mode => '0770', notify => Service['logstash'], } @@ -36,7 +36,7 @@ ensure => directory, purge => $logstash::purge_config, recurse => $logstash::purge_config, - mode => '0755', + mode => '0750', } } elsif($logstash::ensure == 'absent') { diff --git a/manifests/service.pp b/manifests/service.pp index 05487674..43e97478 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -39,7 +39,7 @@ File { owner => $logstash::config_user, group => $logstash::config_group, - mode => '0644', + mode => '0640', notify => Exec['logstash-system-install'], } 
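Review bot: In the PATCH 2/3 `manifests/config.pp` hunk the `conf.d` directory keeps group write at `'0770'`, while the two sibling directories go to `'0750'`. Any account in `$logstash::config_group` can therefore add or alter pipeline files that the service loads. That matters most once an operator points `config_group` at the Logstash service group to restore read access, because the service account could then rewrite its own pipeline definitions. Unless something outside this hunk has to write there as a group member, use `mode => '0750',` and add a comment such as `# group gets read/traverse only; pipeline files are loaded by the service`. The enclosing `if` block continues outside the hunk.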
From ded756b340a96c1fc371a7cee99964e42da61ba0 Mon Sep 17 00:00:00 2001
From: Phil Friderici
Date: Tue, 5 Dec 2023 14:24:21 +0000
Subject: [PATCH 3/3] Remove incorrect @param tags to satisfy linting
---
 manifests/patternfile.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/patternfile.pp b/manifests/patternfile.pp
index 996904b5..eb7f3235 100644
--- a/manifests/patternfile.pp
+++ b/manifests/patternfile.pp
@@ -1,9 +1,9 @@
 # This type represents a Grok pattern file for Logstash.
 #
-# @param [String] source
+# @param source
 # File source for the pattern file. eg. `puppet://[...]` or `file://[...]`
 #
-# @param [String] filename
+# @param filename
 # Optionally set the destination filename.
 #
 # @example Define a pattern file.