Unverified Commit 8225c28e authored by Nathan Ward's avatar Nathan Ward Committed by GitHub

Merge pull request #163 from SearchLightNZ/validate_secrets

Password and secret sanity checks
parents 7a43a765 fe940a6a
# Install FreeRADIUS clients (WISMs or testing servers) # Install FreeRADIUS clients (WISMs or testing servers)
define freeradius::client ( define freeradius::client (
String $secret, Freeradius::Secret $secret,
Optional[String] $shortname = $title, Optional[String] $shortname = $title,
Optional[String] $ip = undef, Optional[String] $ip = undef,
Optional[String] $ip6 = undef, Optional[String] $ip6 = undef,
...@@ -23,7 +23,7 @@ define freeradius::client ( ...@@ -23,7 +23,7 @@ define freeradius::client (
'other', 'other',
]] $nastype = undef, ]] $nastype = undef,
Optional[String] $login = undef, Optional[String] $login = undef,
Optional[String] $password = undef, Optional[Freeradius::Password] $password = undef,
Optional[String] $coa_server = undef, Optional[String] $coa_server = undef,
Optional[String] $response_window = undef, Optional[String] $response_window = undef,
Optional[Integer] $max_connections = undef, Optional[Integer] $max_connections = undef,
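Review bot: The new `Freeradius::Secret` and `Freeradius::Password` types on `$secret` and `$password` here reject only an embedded LF; a carriage return, tab or other control character still matches `[^\n]+` and reaches the rendered config. If the templates write these values without quoting or escaping, characters the FreeRADIUS config parser treats specially (whitespace, `"`, `#`) could likewise truncate or alter the stanza — the templates are not in this diff, so that is worth confirming rather than assuming. Tightening the alias once, e.g. `Pattern[/\A[^[:cntrl:]]+\z/]`, would cover the control-character case for every caller. A `Pattern` type also only accepts plain Strings, so a value wrapped in `Sensitive` cannot be passed; presumably no change from the previous `String` type, but worth a sentence in the README. The same typing change appears in home_server.pp, ldap.pp, module/eap.pp, module/ldap.pp, sql.pp and statusclient.pp.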
......
# Configure a home_server for proxy config # Configure a home_server for proxy config
define freeradius::home_server ( define freeradius::home_server (
String $secret, Freeradius::Secret $secret,
Enum['udp', 'tcp'] $proto = 'udp', Enum['udp', 'tcp'] $proto = 'udp',
Enum['none', 'status-server', 'request'] $status_check = 'none', Enum['none', 'status-server', 'request'] $status_check = 'none',
Enum['auth', 'acct', 'auth+acct', 'coa'] $type = 'auth', Enum['auth', 'acct', 'auth+acct', 'coa'] $type = 'auth',
...@@ -11,7 +11,7 @@ define freeradius::home_server ( ...@@ -11,7 +11,7 @@ define freeradius::home_server (
Optional[Integer] $max_outstanding = undef, Optional[Integer] $max_outstanding = undef,
Optional[Enum['no', 'yes']] $no_response_fail = undef, Optional[Enum['no', 'yes']] $no_response_fail = undef,
Optional[Integer] $num_answers_to_alive = undef, Optional[Integer] $num_answers_to_alive = undef,
Optional[String] $password = undef, Optional[Freeradius::Password] $password = undef,
Optional[Integer] $port = 1812, Optional[Integer] $port = 1812,
Optional[Integer] $response_window = undef, Optional[Integer] $response_window = undef,
Optional[Integer] $revive_interval = undef, Optional[Integer] $revive_interval = undef,
......
# Configure LDAP support for FreeRADIUS # Configure LDAP support for FreeRADIUS
define freeradius::ldap ( define freeradius::ldap (
String $identity, String $identity,
String $password, Freeradius::Password $password,
String $basedn, String $basedn,
Array[String] $server = ['localhost'], Array[String] $server = ['localhost'],
Integer $port = 389, Integer $port = 389,
......
...@@ -17,7 +17,7 @@ define freeradius::module::eap ( ...@@ -17,7 +17,7 @@ define freeradius::module::eap (
Optional[String] $gtc_challenge = undef, Optional[String] $gtc_challenge = undef,
String $gtc_auth_type = 'PAP', String $gtc_auth_type = 'PAP',
String $tls_config_name = 'tls-common', String $tls_config_name = 'tls-common',
Optional[String] $tls_private_key_password = undef, Optional[Freeradius::Password] $tls_private_key_password = undef,
String $tls_private_key_file = "\${certdir}/server.pem", String $tls_private_key_file = "\${certdir}/server.pem",
String $tls_certificate_file = "\${certdir}/server.pem", String $tls_certificate_file = "\${certdir}/server.pem",
String $tls_ca_file = "\${certdir}/ca.pem", String $tls_ca_file = "\${certdir}/ca.pem",
......
...@@ -5,7 +5,7 @@ define freeradius::module::ldap ( ...@@ -5,7 +5,7 @@ define freeradius::module::ldap (
Array[String] $server = ['localhost'], Array[String] $server = ['localhost'],
Integer $port = 389, Integer $port = 389,
Optional[String] $identity = undef, Optional[String] $identity = undef,
Optional[String] $password = undef, Optional[Freeradius::Password] $password = undef,
Optional[Freeradius::Sasl] $sasl = {}, Optional[Freeradius::Sasl] $sasl = {},
Optional[String] $valuepair_attribute = undef, Optional[String] $valuepair_attribute = undef,
Optional[Array[String]] $update = undef, Optional[Array[String]] $update = undef,
......
# Configure SQL support for FreeRADIUS # Configure SQL support for FreeRADIUS
define freeradius::sql ( define freeradius::sql (
Enum['mysql', 'mssql', 'oracle', 'postgresql'] $database, Enum['mysql', 'mssql', 'oracle', 'postgresql'] $database,
String $password, Freeradius::Password $password,
Optional[String] $server = 'localhost', Optional[String] $server = 'localhost',
Optional[String] $login = 'radius', Optional[String] $login = 'radius',
Optional[String] $radius_db = 'radius', Optional[String] $radius_db = 'radius',
......
# Install FreeRADIUS clients (WISMs or testing servers) # Install FreeRADIUS clients (WISMs or testing servers)
define freeradius::statusclient ( define freeradius::statusclient (
String $secret, Freeradius::Secret $secret,
Optional[String] $ip = undef, Optional[String] $ip = undef,
Optional[String] $ip6 = undef, Optional[String] $ip6 = undef,
Optional[Integer] $port = undef, Optional[Integer] $port = undef,
......
...@@ -24,4 +24,28 @@ describe 'freeradius::client' do ...@@ -24,4 +24,28 @@ describe 'freeradius::client' do
.that_requires('File[/etc/raddb/clients.d]') .that_requires('File[/etc/raddb/clients.d]')
.that_requires('Group[radiusd]') .that_requires('Group[radiusd]')
end end
context 'with secret containing a newline' do
let(:params) do
super().merge(
secret: "foo\nbar",
)
end
it do
is_expected.to compile.and_raise_error(%r{parameter 'secret' expects a match for Freeradius::Secret})
end
end
context 'with password containing a newline' do
let(:params) do
super().merge(
password: "foo\nbar",
)
end
it do
is_expected.to compile.and_raise_error(%r{parameter 'password' expects a match for Freeradius::Password})
end
end
end end
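Review bot: These new contexts exercise only an LF inside the value; the `+` quantifier in the alias also rejects an empty string, and that boundary deserves its own case so a later relaxation of the pattern is noticed — e.g. a third context with `secret: ''` expecting the same `and_raise_error` match. An explicit case for `"foo\rbar"` would also make the current behaviour (accepted, since only LF is excluded) visible, whichever way the maintainers decide it should go. The same two contexts are repeated in the home_server, module::ldap, sql and statusclient specs, so the extra cases apply there too.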
...@@ -18,4 +18,28 @@ describe 'freeradius::home_server' do ...@@ -18,4 +18,28 @@ describe 'freeradius::home_server' do
.with_order('10') .with_order('10')
.with_target('/etc/raddb/proxy.conf') .with_target('/etc/raddb/proxy.conf')
end end
context 'with secret containing a newline' do
let(:params) do
super().merge(
secret: "foo\nbar",
)
end
it do
is_expected.to compile.and_raise_error(%r{parameter 'secret' expects a match for Freeradius::Secret})
end
end
context 'with password containing a newline' do
let(:params) do
super().merge(
password: "foo\nbar",
)
end
it do
is_expected.to compile.and_raise_error(%r{parameter 'password' expects a match for Freeradius::Password})
end
end
end end
...@@ -134,4 +134,16 @@ describe 'freeradius::module::ldap' do ...@@ -134,4 +134,16 @@ describe 'freeradius::module::ldap' do
# is_expected.to compile.and_raise_error(%r{^The `use_referral_credentials` parameter requires FreeRADIUS 3.1.x}) # is_expected.to compile.and_raise_error(%r{^The `use_referral_credentials` parameter requires FreeRADIUS 3.1.x})
# end # end
# end # end
context 'with password containing a newline' do
let(:params) do
super().merge(
password: "foo\nbar",
)
end
it do
is_expected.to compile.and_raise_error(%r{parameter 'password' expects a match for Freeradius::Password})
end
end
end end
...@@ -133,6 +133,18 @@ describe 'freeradius::sql' do ...@@ -133,6 +133,18 @@ describe 'freeradius::sql' do
# is_expected.to compile.and_raise_error(%r{^The `pool_connect_timeout` parameter requires FreeRADIUS 3.1.x}) # is_expected.to compile.and_raise_error(%r{^The `pool_connect_timeout` parameter requires FreeRADIUS 3.1.x})
# end # end
# end # end
context 'with password containing a newline' do
let(:params) do
super().merge(
password: "foo\nbar",
)
end
it do
is_expected.to compile.and_raise_error(%r{parameter 'password' expects a match for Freeradius::Password})
end
end
end end
end end
end end
...@@ -24,4 +24,16 @@ describe 'freeradius::statusclient' do ...@@ -24,4 +24,16 @@ describe 'freeradius::statusclient' do
.that_requires('Group[radiusd]') .that_requires('Group[radiusd]')
.that_requires('File[/etc/raddb/clients.d]') .that_requires('File[/etc/raddb/clients.d]')
end end
context 'with secret containing a newline' do
let(:params) do
super().merge(
secret: "foo\nbar",
)
end
it do
is_expected.to compile.and_raise_error(%r{parameter 'secret' expects a match for Freeradius::Secret})
end
end
end end
type Freeradius::Password = Pattern[/\A[^\n]+\z/]
type Freeradius::Secret = Pattern[/\A[^\n]+\z/]
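Review bot: Both new aliases are identical and carry no comment, so a reader of types/secret.pp or types/password.pp cannot tell what the single-line restriction is protecting; a header comment such as `# Non-empty string with no embedded newline (LF); other control characters are not rejected` on each file would record both the intent and the current limit. Since the two definitions are the same, one could be expressed via the other, e.g. `type Freeradius::Secret = Freeradius::Password`, so that a future tightening is made once; keeping them separate is defensible only if secrets and passwords are expected to diverge, and that reasoning would belong in the comment.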