Merge pull request #93 from sts/master

Add puppet class for huntgroups

Merge pull request #93 from sts/master
a137f477 · Jonathan · GitHub · 0a9e0b27 · d2b38ef2 · a137f477
Unverified Commit a137f477 authored Dec 20, 2017 by Jonathan Committed by GitHub Dec 20, 2017
--- a/README.md
+++ b/README.md
@@ -277,6 +277,18 @@ freeradius::client { "wlan-controllers":
 }
 ```
+```puppet
+# Huntgroup Example
+freeradius::client { "asa01":
+  ip         => '192.168.0.1',
+  secret     => 'testing123',
+  huntgroups => [
+    { name       => 'firewall',
+      conditions => [ 'NAS-IP-Address == 192.168.0.1' ] },
+  ]
+}
+```
 ##### `ip`
 The IP address of the client or range in CIDR format. For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied.
 Default: `undef`.
@@ -332,6 +344,10 @@ Create a firewall exception for this virtual server. If this is set to `true`, y
 ##### `attributes`
 Array of attributes to assign to this client. Default: empty.
+##### `huntgroups`
+Array of hashes, each hash defines one freeradius::huntgroup. Hash keys are all passed to a new instance of freeradius::huntgroup.
 #### `freeradius::config`
 Install arbitrary config snippets from a flat file. These are installed in `/etc/raddb/conf.d`
@@ -440,6 +456,30 @@ fallback, such as the DEFAULT realm.
 For reasons of stability, this home server SHOULD be a virtual server. Otherwise, the fallback may itself be dead!
+#### `freeradius::huntgroup`
+Define a huntgroup given a name and the conditions under which a huntgroup matches a client.
+```puppet
+freeradius::huntgroup { 'switchaccess':
+  huntgroup  => 'switchaccess',
+  conditions => [
+    'NAS-IP-Address == 192.168.0.1'
+  ]
+}
+##### `huntgroup`
+Name of the huntgroup to assign, if conditions are all met. Default to the resource title.
+##### `conditons`
+Array of conditions which are used to match the client, each element should contain a condition in the form of 'Key == Value'.
+##### `type`
+##### `home_server`
 #### `freeradius::instantiate`
 Instantiate a module that is not automatically instantiated.

--- a/files/huntgroups.header
+++ b/files/huntgroups.header
+#
+# huntgroups    This file defines the `huntgroups' that you have. A
+#        huntgroup is defined by specifying the IP address of
+#        the NAS and possibly a port range. Port can be identified
+#        as just one port, or a range (from-to), and multiple ports
+#        or ranges of ports must be separated by a comma. For
+#        example: 1,2,3-8
+#
+#        Matching is done while RADIUS scans the user file; if it
+#        includes the selection criterium "Huntgroup-Name == XXX"
+#        the huntgroup is looked up in this file to see if it
+#        matches. There can be multiple definitions of the same
+#        huntgroup; the first one that matches will be used.
+#
+#        This file can also be used to define restricted access
+#        to certain huntgroups. The second and following lines
+#        define the access restrictions (based on username and
+#        UNIX usergroup) for the huntgroup.
+#
+#
+# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name
+# called Alphen that matches on all three terminal servers.
+#
+#alphen        NAS-IP-Address == 192.0.2.5
+#alphen        NAS-IP-Address == 192.0.2.6
+#alphen        NAS-IP-Address == 192.0.2.7
+#
+# The POP in Delft consists of only one terminal server.
+#
+#delft        NAS-IP-Address == 198.51.100.5
+#
+# Ports 0-7 on the first terminal server in Alphen are connected to
+# a huntgroup that is for business users only. Note that only one
+# of the username or groupname has to match to get access (OR/OR).
+#
+# Note that this huntgroup is a subset of the "alphen" huntgroup.
+#
+#business    NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0-7
+#        User-Name = rogerl,
+#        User-Name = henks,
+#        Group = business,
+#        Group = staff
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -21,6 +21,7 @@ define freeradius::client (
  $firewall                      = false,
  $ensure                        = present,
  $attributes                    = [],
+  $huntgroups                    = undef,
 ) {
  $fr_package  = $::freeradius::params::fr_package
  $fr_service  = $::freeradius::params::fr_service
@@ -76,4 +77,12 @@ define freeradius::client (
      fail('Must specify $port if you specify $firewall')
    }
  }
+  if $huntgroups {
+    $huntgroups.each |$index, $huntgroup| {
+      freeradius::huntgroup { "huntgroup.client.${shortname}.${index}":
+        * => $huntgroup
+      }
+    }
+  }
 }
--- a/manifests/huntgroup.pp
+++ b/manifests/huntgroup.pp
+# Install FreeRADIUS huntgroups
+define freeradius::huntgroup (
+  $ensure      = present,
+  $huntgroup   = $title,
+  $conditions  = [],
+  $order       = 50,
+) {
+  $fr_basepath = $::freeradius::params::fr_basepath
+  $fr_service  = $::freeradius::params::fr_service
+  $conditionals = join($conditions, ", ")
+  $content    = "${huntgroup}\t${conditionals}\n"
+  concat::fragment { "huntgroup.${title}":
+    ensure  => $ensure,
+    target  => "${fr_basepath}/mods-config/preprocess/huntgroups",
+    content => $content,
+    order   => $order,
+    notify  => Service[$fr_service],
+  }
+}
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -213,6 +213,20 @@ class freeradius (
    order  => 90,
  }
+  # Install a huntgroups file
+  concat { "${freeradius::fr_basepath}/mods-config/preprocess/huntgroups":
+    owner   => 'root',
+    group   => $freeradius::fr_group,
+    mode    => '0640',
+    require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]],
+  }
+  concat::fragment { 'huntgroups_header':
+    target => "${freeradius::fr_basepath}/mods-config/preprocess/huntgroups",
+    source => 'puppet:///modules/freeradius/huntgroups.header',
+    order  => 10,
+  }
  # Install FreeRADIUS packages
  package { 'freeradius':
    ensure => $package_ensure,