Merge pull request #157 from SearchLightNZ/radsniff

Add support for installing and managing radsniff

.fixtures.yml

@@ -5,3 +5,4 @@ fixtures:
     logrotate: "puppet/logrotate"
     rsyslog: "saz/rsyslog"
     stdlib: "puppetlabs/stdlib"
+    systemd: "camptocamp/systemd"

README.md

@@ -193,6 +193,22 @@ Whether the control socket should be read-only or read-write. Choose from `ro`,
   }
 ```
 
+#### `freeradius::radsniff`
+
+The `freeradius::radsniff` class configures and runs the [RADSNIFF](https://freeradius.org/radiusd/man/radsniff.html) service.
+It requires freeradius-utils to be installed, so will fail if `utils_support` is not enabled on the `freeradius` class.
+
+Note: This is only supported on RedHat like systems at present.
+
+##### `options`
+Command line options to be passed to radsniff. Quotes are escaped
+```puppet
+  # Enable radsniff, with a filter, sending data to collectd (requires freeradius to be compiled for this)
+  class { 'freeradius::radsniff':
+    options => '-m -p1812,1813 -O unix:/var/run/collectd.sock -N freeradius -W 10 -i eth0 -f "src not 192.0.2.1"',
+  }
+```
+
 ### Resources
 
 #### `freeradius::attr`

manifests/init.pp

@@ -240,7 +240,7 @@ class freeradius (
   concat { "${freeradius::fr_basepath}/dictionary":
     owner   => 'root',
     group   => $freeradius::fr_group,
-    mode    => '0640',
+    mode    => '0644',
     require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]],
   }
   concat::fragment { 'dictionary_header':

manifests/params.pp

@@ -172,4 +172,14 @@ class freeradius::params {
   }
 
   $radacctdir = "\${logdir}/radacct"
+
+  # Default radsniff environment file location
+  $fr_radsniff_envfile = $::osfamily ? {
+    'RedHat' => '/etc/sysconfig/radsniff',
+    'Debian' => '/etc/defaults/radsniff',
+    default  => undef,
+  }
+
+  # Default radsniff pid file location
+  $fr_radsniff_pidfile = "/var/run/${fr_service}/radsniff.pid"
 }

manifests/radsniff.pp

+# @summary configure and run radsniff
+#
+# @param envfile path to the environment file, used by the systemd unit
+# @param options commandline options passed to radsniff when it runs
+# @param
+class freeradius::radsniff (
+  Optional[String] $envfile = undef,
+  String $options = '',
+  Optional[String] $pidfile = undef,
+) inherits freeradius::params {
+  unless $::freeradius::utils_support {
+    fail('freeradius::radsniff requires freeradius have utils_support enabled')
+  }
+
+  # Calculate the envfile to use - specified, then calculated, then error if none
+  if $envfile {
+    $final_envfile = $envfile
+  } else {
+    if $freeradius::radsniff::fr_radsniff_envfile {
+      $final_envfile = $freeradius::radsniff::fr_radsniff_envfile
+    } else {
+      fail('freeradius::radsniff requires envfile to be explicitly set on this OS')
+    }
+  }
+
+  # Calculate the pidfile to use - specified, then calculated, then error if none
+  if $pidfile {
+    $final_pidfile = $pidfile
+  } else {
+    if $freeradius::radsniff::fr_radsniff_pidfile {
+      $final_pidfile = $freeradius::radsniff::fr_radsniff_pidfile
+    } else {
+      fail('freeradius::radsniff requires pidfile to be explicitly set on this OS')
+    }
+  }
+
+  $escaped_cmd = $options.regsubst('"','\\\\"','G')
+
+  file { $final_envfile:
+    content => @("SYSCONFIG"),
+      RADSNIFF_OPTIONS="${escaped_cmd}"
+      | SYSCONFIG
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    require => Package['freeradius-utils'],
+  }
+  ~> service { 'radsniff':
+    ensure => running,
+    enable => true,
+  }
+
+  systemd::unit_file {'radsniff.service':
+    content => template('freeradius/radsniff.service.erb'),
+    notify  => Service['radsniff'],
+  }
+}

metadata.json

@@ -27,6 +27,10 @@
     {
       "name": "puppetlabs/concat",
       "version_requirement": ">=1.0.0 <7.0.0"
+    },
+    {
+      "name": "camptocamp/systemd",
+      "version_requirement": ">=2.0.0 <3.0.0"
     }
   ],
   "operatingsystem_support": [

spec/classes/freeradius_spec.rb

@@ -151,7 +151,7 @@ describe 'freeradius' do
         is_expected.to contain_concat('/etc/raddb/dictionary')
           .with(
             'group'   => 'radiusd',
-            'mode'    => '0640',
+            'mode'    => '0644',
             'owner'   => 'root',
           )
           .that_requires('Package[freeradius]')

spec/classes/radsniff_spec.rb

+require 'spec_helper'
+
+describe 'freeradius::radsniff' do
+  on_supported_os.each do |os, os_facts|
+    include_context 'freeradius_with_utils'
+
+    context "on #{os}" do
+      let(:facts) { os_facts }
+
+      let(:params) do
+        {
+          options: 'radsniff cmd "line" options',
+        }
+      end
+
+      let(:pre_condition) do
+        precondition = case os_facts[:osfamily]
+                       when 'RedHat'
+                         'class freeradius::params {
+                             $fr_basepath = "/etc/raddb"
+                             $fr_radsniff_pidfile = "/var/run/radiusd/radsniff.pid"
+                             $fr_radsniff_envfile = "/etc/sysconfig/radsniff"
+                           }
+                           include freeradius::params'
+                       when 'Debian'
+                         'class freeradius::params {
+                             $fr_basepath = "/etc/freeradius"
+                             $fr_radsniff_pidfile = "/var/run/freeradius/radsniff.pid"
+                             $fr_radsniff_envfile = "/etc/defaults/radsniff"
+                           }
+                           include freeradius::params'
+                       else
+                         'class freeradius::params {
+                             $fr_basepath = "/etc/raddb"
+                             $fr_radsniff_pidfile = "/var/run/radiusd/radsniff.pid"
+                             $fr_radsniff_envfile = undef
+                           }
+                           include freeradius::params'
+                       end
+
+        super().push(precondition)
+      end
+
+      if os_facts[:osfamily] =~ %r{^RedHat|Debian$}
+        it do
+          is_expected.to contain_service('radsniff')
+            .with_ensure('running')
+            .with_enable(true)
+        end
+      end
+
+      case os_facts[:osfamily]
+      when 'RedHat'
+        it do
+          is_expected.to contain_file('/etc/sysconfig/radsniff')
+            .with_content(%r{RADSNIFF_OPTIONS="radsniff cmd \\"line\\" options"})
+            .that_notifies('Service[radsniff]')
+            .that_requires('Package[freeradius-utils]')
+        end
+
+        it do
+          is_expected.to contain_systemd__unit_file('radsniff.service')
+            .with_content(%r{^Pidfile=/var/run/radiusd/radsniff.pid$})
+            .with_content(%r{^EnvironmentFile=/etc/sysconfig/radsniff$})
+            .with_content(%r{^ExecStart=/usr/bin/radsniff -P /var/run/radiusd/radsniff.pid -d /etc/raddb \$RADSNIFF_OPTIONS$})
+            .that_notifies('Service[radsniff]')
+        end
+      when 'Debian'
+        it do
+          is_expected.to contain_file('/etc/defaults/radsniff')
+            .with_content(%r{RADSNIFF_OPTIONS="radsniff cmd \\"line\\" options"})
+            .that_notifies('Service[radsniff]')
+            .that_requires('Package[freeradius-utils]')
+        end
+
+        it do
+          is_expected.to contain_systemd__unit_file('radsniff.service')
+            .with_content(%r{^Pidfile=/var/run/freeradius/radsniff.pid$})
+            .with_content(%r{^EnvironmentFile=/etc/defaults/radsniff$})
+            .with_content(%r{^ExecStart=/usr/bin/radsniff -P /var/run/freeradius/radsniff.pid -d /etc/freeradius \$RADSNIFF_OPTIONS$})
+            .that_notifies('Service[radsniff]')
+        end
+      else
+        it do
+          is_expected.to compile.and_raise_error(%r{freeradius::radsniff requires envfile to be explicitly set on this OS})
+          is_expected.to compile.and_raise_error(%r{freeradius::radsniff requires pidfile to be explicitly set on this OS})
+        end
+      end
+
+      context 'with envfile and pidfile set' do
+        let(:params) do
+          super().merge(
+            envfile: '/test/env/file',
+            pidfile: '/a/pid/file',
+          )
+        end
+
+        if os_facts[:osfamily] !~ %r{^RedHat|Debian$}
+          it do
+            is_expected.to contain_service('radsniff')
+              .with_ensure('running')
+              .with_enable(true)
+          end
+        end
+
+        it do
+          is_expected.to contain_file('/test/env/file')
+            .with_content(%r{RADSNIFF_OPTIONS="radsniff cmd \\"line\\" options"})
+            .that_notifies('Service[radsniff]')
+            .that_requires('Package[freeradius-utils]')
+        end
+
+        it do
+          is_expected.to contain_systemd__unit_file('radsniff.service')
+            .with_content(%r{^Pidfile=/a/pid/file$})
+            .with_content(%r{^EnvironmentFile=/test/env/file$})
+            .with_content(%r{^ExecStart=/usr/bin/radsniff -P /a/pid/file -d .* \$RADSNIFF_OPTIONS$})
+            .that_notifies('Service[radsniff]')
+        end
+      end
+    end
+  end
+end

spec/spec_helper_local.rb

@@ -53,6 +53,20 @@ shared_context 'freeradius_default' do
   end
 end
 
+# Same as above but enable utils
+shared_context 'freeradius_with_utils' do
+  let(:pre_condition) do
+    [
+      'class freeradius {
+        $utils_support = true
+      }
+      include freeradius
+
+      package { "freeradius-utils": }',
+    ]
+  end
+end
+
 # Some common dependencies for things based on names for redhat systems
 shared_context 'redhat_common_dependencies' do
   let(:pre_condition) do

templates/radsniff.service.erb

+[Unit]
+Description=Capture RADIUS statistics
+After=syslog.target network.target
+After=radiusd.target
+
+[Service]
+Type=forking
+Pidfile=<%=scope['::freeradius::radsniff::final_pidfile']%>
+EnvironmentFile=<%=scope['::freeradius::radsniff::final_envfile']%>
+ExecStart=/usr/bin/radsniff -P <%=scope['::freeradius::radsniff::final_pidfile']%> -d <%=scope['::freeradius::radsniff::fr_basepath']%> $RADSNIFF_OPTIONS
+
+[Install]
+WantedBy=multi-user.target