Commit 4f118df4 authored by Jonathan Gazeley's avatar Jonathan Gazeley

Add type validation to all parameters

parent fe4fd491
# Install FreeRADIUS config snippets
define freeradius::attr (
$source,
$ensure = present,
$key = 'User-Name',
$prefix = 'filter',
String $source,
Freeradius::Ensure $ensure = present,
Optional[String] $key = 'User-Name',
Optional[String] $prefix = 'filter',
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
......
# Install FreeRADIUS certificates
define freeradius::cert (
$source = undef,
$content = undef,
$type = 'key',
$ensure = present,
Optional[String] $source = undef,
Optional[String] $content = undef,
Optional[String] $type = 'key',
Freeradius::Ensure $ensure = present,
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
......
# Install FreeRADIUS clients (WISMs or testing servers)
define freeradius::client (
$secret,
$shortname = $title,
$ip = undef,
$ip6 = undef,
$proto = undef,
$require_message_authenticator = 'no',
$virtual_server = undef,
$nastype = undef,
$login = undef,
$password = undef,
$coa_server = undef,
$response_window = undef,
$max_connections = undef,
$lifetime = undef,
$idle_timeout = undef,
$redirect = undef,
$port = undef,
$srcip = undef,
$firewall = false,
$ensure = present,
$attributes = [],
$huntgroups = undef,
String $secret,
Optional[String] $shortname = $title,
Optional[String] $ip = undef,
Optional[String] $ip6 = undef,
Enum['*', 'udp', 'tcp'] $proto = undef,
Freeradius::Boolean $require_message_authenticator = 'no',
Optional[String] $virtual_server = undef,
Enum['cisco', 'computone', 'livingston', 'juniper', 'max40xx', 'multitech', 'netserver', 'pathras', 'patton', 'portslave', 'tc', 'usrhiper', 'other'] $nastype = undef,
Optional[String] $login = undef,
Optional[String] $password = undef,
Optional[String] $coa_server = undef,
Optional[String] $response_window = undef,
Optional[Integer] $max_connections = undef,
Optional[Integer] $lifetime = undef,
Optional[Integer] $idle_timeout = undef,
Optional[String] $redirect = undef,
Optional[Integer] $port = undef,
Optional[String] $srcip = undef,
Boolean $firewall = false,
Freeradius::Ensure $ensure = present,
Array $attributes = [],
Optional[String] $huntgroups = undef,
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
$fr_basepath = $::freeradius::params::fr_basepath
$fr_group = $::freeradius::params::fr_group
if $proto {
unless $proto in ['*', 'udp', 'tcp'] {
fail('$proto must be one of udp, tcp or *')
}
}
unless $require_message_authenticator in ['yes', 'no'] {
fail('$require_message_authenticator must be one of yes or no')
}
if $nastype {
unless $nastype in ['cisco', 'computone', 'livingston', 'juniper', 'max40xx',
'multitech', 'netserver', 'pathras', 'patton', 'portslave', 'tc', 'usrhiper', 'other'] {
fail('$nastype must be one of cisco, computone, livingston, juniper, max40xx, multitech, netserver, pathras, patton, portslave, tc, usrhiper, other')
}
}
file { "${fr_basepath}/clients.d/${shortname}.conf":
ensure => $ensure,
mode => '0640',
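Review bot: `Enum['*', 'udp', 'tcp'] $proto = undef` and the `Enum[...] $nastype = undef` line give a default that the declared type does not accept, because `Enum` matches only the listed strings and never `undef`. Any `freeradius::client` that omits these parameters should therefore be rejected at type-checking time. Wrap both in `Optional`, e.g. `Optional[Enum['*', 'udp', 'tcp']] $proto = undef,`. `String $interface = undef` in `freeradius::listen` has the same defect and needs `Optional[String]`. The body of this define continues beyond the lines shown.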
......
# Install FreeRADIUS config snippets
define freeradius::config (
$source = undef,
$content = undef,
$ensure = present,
Optional[String] $source = undef,
Optional[String] $content = undef,
Freeradius::Ensure $ensure = present,
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
......
# Install FreeRADIUS custom dictionaries
define freeradius::dictionary (
$source = undef,
$content = undef,
$order = 50,
$ensure = present,
Optional[String] $source = undef,
Optional[String] $content = undef,
Optional[Integer] $order = 50,
Freeradius::Ensure $ensure = 'present',
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
......@@ -11,7 +11,7 @@ define freeradius::dictionary (
$fr_group = $::freeradius::params::fr_group
if !$source and !$content {
fail('source or content parameter should be provided')
fail('source or content parameter must be provided')
}
# Install dictionary in dictionary.d
......
# Configure a home_server for proxy config
define freeradius::home_server (
$secret,
$type = 'auth',
$ipaddr = undef,
$ipv6addr = undef,
$virtual_server = undef,
$port = 1812,
$proto = 'udp',
$status_check = undef,
String $secret,
Enum['auth', 'acct', 'auth+acct', 'coa'] $type = 'auth',
Optional[String] $ipaddr = undef,
Optional[String] $ipv6addr = undef,
Optional[String] $virtual_server = undef,
Optional[Integer] $port = 1812,
Enum['udp', 'tcp'] $proto = 'udp',
Enum['none', 'status-server', 'request'] $status_check = 'none',
) {
$fr_basepath = $::freeradius::params::fr_basepath
# Validate multiple choice options
unless $type in ['auth', 'acct', 'auth+acct', 'coa'] {
fail('$type must be one of auth, acct, auth+acct, coa')
}
unless $proto in ['udp', 'tcp'] {
fail('$type must be one of udp, tcp')
}
# Validate integers
unless is_integer($port) {
fail('$port must be an integer')
}
if $status_check {
unless $status_check in ['none', 'status-server', 'request'] {
fail('$status_check must be one of none, status-server, request')
}
}
# Configure config fragment for this home server
concat::fragment { "homeserver-${name}":
target => "${fr_basepath}/proxy.conf",
......@@ -37,4 +18,3 @@ define freeradius::home_server (
order => 10,
}
}
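Review bot: `String $secret` types the RADIUS shared secret as an ordinary string, so it is treated like any other catalog value and may appear in reports or in file diffs of `proxy.conf`. Since this commit already rewrites every signature, consider `Variant[String, Sensitive[String]] $secret,` and unwrapping the value where the fragment content is rendered, provided the module's minimum Puppet version supports `Sensitive`. The same applies to `$secret` and `$password` in `freeradius::client` and to `$password` in `freeradius::ldap`. The template that consumes the value is not visible here, so where the unwrap belongs is an assumption.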
# Configure home server pools
define freeradius::home_server_pool (
$home_server,
$type = 'fail-over',
$virtual_server = undef,
$fallback = undef,
String $home_server,
Enum['fail-over', 'load-balance', 'client-balance', 'client-port-balance', 'keyed-balance'] $type = 'fail-over',
Optional[String] $virtual_server = undef,
Optional[String] $fallback = undef,
) {
$fr_basepath = $::freeradius::params::fr_basepath
# Validate multi-value options
unless $type in ['fail-over', 'load-balance', 'client-balance', 'client-port-balance', 'keyed-balance'] {
fail('$type must be one of fail-over, load-balance, client-balance, client-port-balance, keyed-balance')
}
# Configure config fragment for this home server
concat::fragment { "homeserverpool-${name}":
target => "${fr_basepath}/proxy.conf",
......
# Install FreeRADIUS huntgroups
define freeradius::huntgroup (
$ensure = present,
$huntgroup = $title,
$conditions = [],
$order = 50,
Freeradius::Ensure $ensure = present,
Optional[String] $huntgroup = $title,
Optional[Array[String]] $conditions = [],
Optional[Integer] $order = 50,
) {
$fr_basepath = $::freeradius::params::fr_basepath
$fr_service = $::freeradius::params::fr_service
......
# Base class to install FreeRADIUS
class freeradius (
$control_socket = false,
$max_servers = '4096',
$max_requests = '4096',
$mysql_support = false,
$pgsql_support = false,
$perl_support = false,
$utils_support = false,
$ldap_support = false,
$dhcp_support = false,
$krb5_support = false,
$wpa_supplicant = false,
$winbind_support = false,
$log_destination = 'files',
$syslog = false,
$log_auth = 'no',
$preserve_mods = true,
$correct_escapes = true,
$manage_logpath = true,
$package_ensure = 'installed',
$radacctdir = $freeradius::params::radacctdir,
Boolean $control_socket = false,
Integer $max_servers = 4096,
Integer $max_requests = 4096,
Boolean $mysql_support = false,
Boolean $pgsql_support = false,
Boolean $perl_support = false,
Boolean $utils_support = false,
Boolean $ldap_support = false,
Boolean $dhcp_support = false,
Boolean $krb5_support = false,
Boolean $wpa_supplicant = false,
Boolean $winbind_support = false,
String $log_destination = 'files',
Boolean $syslog = false,
Freeradius::Boolean $log_auth = 'no',
Boolean $preserve_mods = true,
Boolean $correct_escapes = true,
Boolean $manage_logpath = true,
Optional[String] $package_ensure = 'installed',
String $radacctdir = $freeradius::params::radacctdir,
) inherits freeradius::params {
if $freeradius::fr_version !~ /^3/ {
......@@ -29,8 +29,6 @@ class freeradius (
validate_re($log_destination, '^(files|syslog|stdout|stderr)$',
"log_destination value (${log_destination}) is not a valid value")
validate_re($package_ensure, '^(installed|latest)$', 'package_ensure must be one of installed, latest')
if $control_socket == true {
warning('Use of the control_socket parameter in the freeradius class is deprecated. Please use the freeradius::control_socket class instead.')
}
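Review bot: `String $log_destination = 'files'` and `Optional[String] $package_ensure = 'installed'` are looser than the `validate_re` patterns shown below them, so the signature does not document or enforce the accepted values. Putting the constraint in the type, `Enum['files', 'syslog', 'stdout', 'stderr'] $log_destination = 'files',` and `Enum['installed', 'latest'] $package_ensure = 'installed',`, would make any `validate_re` calls this hunk keeps redundant. Separately, `Integer $max_servers = 4096` and `Integer $max_requests = 4096` replace quoted defaults, so callers that pass these as quoted strings, as the old defaults were written, will now be rejected. That is worth a changelog entry.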
......
# Instantiate a module in global config
define freeradius::instantiate (
$ensure = present,
Freeradius::Ensure $ensure = present,
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
......
# Configure Kerberos support for FreeRADIUS
define freeradius::krb5 (
$keytab,
$principal,
$start = "\${thread[pool].start_servers}",
$min = "\${thread[pool].min_spare_servers}",
$max = "\${thread[pool].max_servers}",
$spare = "\${thread[pool].max_spare_servers}",
$ensure = 'present',
String $keytab,
String $principal,
Freeradius::Integer $start = "\${thread[pool].start_servers}",
Freeradius::Integer $min = "\${thread[pool].min_spare_servers}",
Freeradius::Integer $max = "\${thread[pool].max_servers}",
Freeradius::Integer $spare = "\${thread[pool].max_spare_servers}",
Freeradius::Ensure $ensure = 'present',
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
......
# Configure LDAP support for FreeRADIUS
define freeradius::ldap (
$identity,
$password,
$basedn,
$server = ['localhost'],
$port = 389,
$uses = 0,
$idle = 60,
$probes = 3,
$interval = 3,
$timeout = 10,
$start = "\${thread[pool].start_servers}",
$min = "\${thread[pool].min_spare_servers}",
$max = "\${thread[pool].max_servers}",
$spare = "\${thread[pool].max_spare_servers}",
$ensure = 'present',
$starttls = 'no',
$cafile = undef,
$certfile = undef,
$keyfile = undef,
String $identity,
String $password,
String $basedn,
Array[String] $server = ['localhost'],
Integer $port = 389,
Integer $uses = 0,
Integer $idle = 60,
Integer $probes = 3,
Integer $interval = 3,
Integer $timeout = 10,
Freeradius::Integer $start = "\${thread[pool].start_servers}",
Freeradius::Integer $min = "\${thread[pool].min_spare_servers}",
Freeradius::Integer $max = "\${thread[pool].max_servers}",
Freeradius::Integer $spare = "\${thread[pool].max_spare_servers}",
Freeradius::Ensure $ensure = 'present',
Freeradius::Boolean $starttls = 'no',
Optional[String] $cafile = undef,
Optional[String] $certfile = undef,
Optional[String] $keyfile = undef,
$requirecert = 'allow',
) {
warning('The use of freeradius::ldap is deprecated. You must use freeradius::module::ldap instead')
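Review bot: `$requirecert = 'allow'` is the one parameter of `freeradius::ldap` left untyped, so an arbitrary value can still reach the rendered LDAP TLS configuration. A closed type such as `Enum['never', 'allow', 'demand', 'hard'] $requirecert = 'allow',` would catch typos at compile time; that value list is taken from FreeRADIUS's ldap module documentation and should be checked against the template. As far as I recall, `allow` does not fail the connection when the server certificate cannot be verified. A comment on that line saying so would help anyone who combines it with `$starttls = 'yes'`.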
......
# == Define freeradius::listen
#
define freeradius::listen (
$ensure = 'present',
Freeradius::Ensure $ensure = 'present',
Enum['auth','acct','proxy','detail','status','coa'] $type = 'auth',
$ip = undef,
$ip6 = undef,
Integer $port = 0,
$interface = undef,
Array $clients = [],
Integer $max_connections = 16,
Integer $lifetime = 0,
Integer $idle_timeout = 30,
Optional[String] $ip = undef,
Optional[String] $ip6 = undef,
Integer $port = 0,
String $interface = undef,
Array[String] $clients = [],
Integer $max_connections = 16,
Integer $lifetime = 0,
Integer $idle_timeout = 30,
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
$fr_basepath = $::freeradius::params::fr_basepath
$fr_group = $::freeradius::params::fr_group
#
# Parameters' validation
# Parameter validation
if $ip and $ip != '*' and !is_ip_address($ip) {
fail('ip must be a valid IP address or \'*\'')
}
......@@ -28,7 +27,7 @@ define freeradius::listen (
}
if $ip and $ip6 {
fail('Only of ip and ip6 can be used')
fail('Only one of ip or ip6 can be used')
}
file { "${fr_basepath}/listen.d/${name}.conf":
......
# Install FreeRADIUS modules
define freeradius::module (
$source = undef,
$content = undef,
$ensure = present,
$preserve = false,
Optional[String] $source = undef,
Optional[String] $content = undef,
Freeradius::Ensure $ensure = present,
Boolean $preserve = false,
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
......
......@@ -4,7 +4,7 @@ define freeradius::module::ippool (
String $range_start,
String $range_stop,
String $netmask,
$ensure = 'present',
Freeradius::Ensure $ensure = 'present',
Optional[Integer] $cache_size = undef,
String $filename = "\${db_dir}/db.${name}",
String $ip_index = "\${db_dir}/db.${name}.index",
......
# Configure LDAP support for FreeRADIUS
define freeradius::module::ldap (
String $basedn,
Enum['present','absent'] $ensure = 'present',
$server = ['localhost'],
Freeradius::Ensure $ensure = 'present',
Array[String] $server = ['localhost'],
Integer $port = 389,
Optional[String] $identity = undef,
Optional[String] $password = undef,
......@@ -70,19 +70,13 @@ define freeradius::module::ldap (
$fr_group = $::freeradius::params::fr_group
# Validate our inputs
# Hostnames
$serverarray = any2array($server)
unless is_array($serverarray) {
fail('$server must be an array of hostnames or IP addresses')
}
# FR3.0 format server = 'ldap1.example.com, ldap1.example.com, ldap1.example.com'
# FR3.1 format server = 'ldap1.example.com'
# server = 'ldap2.example.com'
# server = 'ldap3.example.com'
$serverconcatarray = $::freeradius_version ? {
/^3\.0\./ => any2array(join($serverarray, ',')),
default => $serverarray,
/^3\.0\./ => any2array(join($server, ',')),
default => $server,
}
# Generate a module config, based on ldap.conf
......
......@@ -3,7 +3,7 @@
# Create the perl module configuration for FreeRADIUS
#
define freeradius::module::perl (
$ensure = file,
Optional[String] $ensure = file,
String $moddir = "${fr_moduleconfigpath}/perl",
Optional[String] $perl_filename = undef,
Optional[String] $path = undef,
......
# Install FreeRADIUS policies
define freeradius::policy (
$source,
$order = 50,
$ensure = present,
Optional[String] $source,
Optional[Integer] $order = 50,
Freeradius::Ensure $ensure = present,
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
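Review bot: `Optional[String] $source,` has no default, so the parameter is still required and `Optional` only makes an explicit `undef` acceptable. That is looser than the sibling defines `freeradius::attr` and `freeradius::script`, which declare `String $source`. Unless a policy without a source is meaningful, use `String $source,` here as well. The body of the define is outside the lines shown, so whether `undef` is handled later cannot be confirmed.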
......
# Set up proxy realms
define freeradius::realm (
$virtual_server = undef,
$auth_pool = undef,
$acct_pool = undef,
$pool = undef,
$nostrip = false,
$order = 30,
Optional[String] $virtual_server = undef,
Optional[String] $auth_pool = undef,
Optional[String] $acct_pool = undef,
Optional[String] $pool = undef,
Optional[Boolean] $nostrip = false,
Optional[Integer] $order = 30,
) {
$fr_basepath = $::freeradius::params::fr_basepath
# Validate bools
unless is_bool($nostrip) {
fail('nostrip must be true or false')
}
# Configure config fragment for this realm
concat::fragment { "realm-${name}":
target => "${fr_basepath}/proxy.conf",
......
# Install FreeRADIUS helper scripts
define freeradius::script (
$source,
$ensure = present,
String $source,
Freeradius::Ensure $ensure = present,
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
......