From 5700fd4f5bfc3e237195c8833039f9ed1045cd6b Mon Sep 17 00:00:00 2001 From: Alexander Fisher Date: Thu, 1 Nov 2018 13:32:17 +0000 Subject: [PATCH] BREAKING: Enhance data types * Make use of stdlib data types * Create our own types for syslog facility and ssl version * Use proper booleans for `debug`, `dont_blame_nrpe` and `allow_bash_command_substitution` * Use `Enum['no', 'ask', 'require']` for `ssl_client_certs` --- manifests/command.pp | 20 +++---- manifests/init.pp | 130 ++++++++++++++++++++++------------------ manifests/params.pp | 6 +- manifests/plugin.pp | 14 ++--- types/sslversion.pp | 8 +++ types/syslogfacility.pp | 25 ++++++++ 6 files changed, 124 insertions(+), 79 deletions(-) create mode 100644 types/sslversion.pp create mode 100644 types/syslogfacility.pp diff --git a/manifests/command.pp b/manifests/command.pp index df9389e..9a1da14 100644 --- a/manifests/command.pp +++ b/manifests/command.pp @@ -1,15 +1,15 @@ # define nrpe::command ( - String $command, - Enum['present', 'absent'] $ensure = present, - String $include_dir = $nrpe::include_dir, - Variant[String, Array[String]] $package_name = $nrpe::package_name, - String $service_name = $nrpe::service_name, - String $libdir = $nrpe::params::libdir, - String $file_group = $nrpe::params::nrpe_files_group, - String $file_mode = $nrpe::command_file_default_mode, - Boolean $sudo = false, - String $sudo_user = 'root', + String[1] $command, + Enum['present', 'absent'] $ensure = present, + Stdlib::Absolutepath $include_dir = $nrpe::include_dir, + Variant[String[1], Array[String[1]]] $package_name = $nrpe::package_name, + String[1] $service_name = $nrpe::service_name, + Stdlib::Absolutepath $libdir = $nrpe::params::libdir, + String[1] $file_group = $nrpe::params::nrpe_files_group, + Stdlib::Filemode $file_mode = $nrpe::command_file_default_mode, + Boolean $sudo = false, + String[1] $sudo_user = 'root', ) { file { "${include_dir}/${title}.cfg": ensure => $ensure, 
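Review bot: `$title` is still interpolated unchecked into the managed path in `file { "${include_dir}/${title}.cfg":`, so although this hunk tightens `$include_dir` to `Stdlib::Absolutepath`, a resource title containing `/` can still resolve outside the include directory. A guard at the top of the define body, such as `assert_type(Pattern[/\A\w[\w.-]*\z/], $title)`, would close that gap. The same construction appears in `manifests/plugin.pp` at `file { "${libdir}/${title}":`. The define's body continues outside the hunk, so an existing check further down cannot be ruled out.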
diff --git a/manifests/init.pp b/manifests/init.pp
index 7c381d0..a16d851 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -19,41 +19,41 @@ # Copyright 2013 Computer Action Team, unless otherwise noted. # class nrpe ( - Array[String] $allowed_hosts = ['127.0.0.1'], - String $server_address = '0.0.0.0', - Integer $command_timeout = 60, - String $config = $nrpe::params::nrpe_config, - String $include_dir = $nrpe::params::nrpe_include_dir, - Variant[String, Array[String]] $package_name = $nrpe::params::nrpe_packages, - Optional[String] $provider = $nrpe::params::nrpe_provider, - Boolean $manage_package = true, - Optional[Boolean] $purge = undef, - Optional[Boolean] $recurse = undef, - String $service_name = $nrpe::params::nrpe_service, - Integer $dont_blame_nrpe = $nrpe::params::dont_blame_nrpe, - String $log_facility = $nrpe::params::log_facility, - Integer $server_port = $nrpe::params::server_port, - Optional[String] $command_prefix = $nrpe::params::command_prefix, - Integer $debug = $nrpe::params::debug, - Integer $connection_timeout = $nrpe::params::connection_timeout, - Optional[Integer]$allow_bash_command_substitution = $nrpe::params::allow_bash_command_substitution, - String $nrpe_user = $nrpe::params::nrpe_user, - String $nrpe_group = $nrpe::params::nrpe_group, - String $nrpe_pid_file = $nrpe::params::nrpe_pid_file, - String $nrpe_ssl_dir = $nrpe::params::nrpe_ssl_dir, - Optional[String] $ssl_cert_file_content = undef, - Optional[String] $ssl_privatekey_file_content = undef, - Optional[String] $ssl_cacert_file_content = undef, - String $ssl_version = $nrpe::params::ssl_version, - Array[String] $ssl_ciphers = $nrpe::params::ssl_ciphers, - Integer $ssl_client_certs = $nrpe::params::ssl_client_certs, - Boolean $ssl_log_startup_params = false, - Boolean $ssl_log_remote_ip = false, - Boolean $ssl_log_protocol_version = false, - Boolean $ssl_log_cipher = false, - Boolean $ssl_log_client_cert = false, - Boolean $ssl_log_client_cert_details = false, - String $command_file_default_mode = '0644', + Array[Stdlib::Host] $allowed_hosts = ['127.0.0.1'], + Stdlib::IP::Address $server_address 
= '0.0.0.0', + Integer[0] $command_timeout = 60, + Stdlib::Absolutepath $config = $nrpe::params::nrpe_config, + Stdlib::Absolutepath $include_dir = $nrpe::params::nrpe_include_dir, + Variant[String[1], Array[String[1]]] $package_name = $nrpe::params::nrpe_packages, + Optional[String[1]] $provider = $nrpe::params::nrpe_provider, + Boolean $manage_package = true, + Optional[Boolean] $purge = undef, + Optional[Boolean] $recurse = undef, + String[1] $service_name = $nrpe::params::nrpe_service, + Boolean $dont_blame_nrpe = $nrpe::params::dont_blame_nrpe, + Nrpe::Syslogfacility $log_facility = $nrpe::params::log_facility, + Stdlib::Port $server_port = $nrpe::params::server_port, + Optional[Stdlib::Absolutepath] $command_prefix = $nrpe::params::command_prefix, + Boolean $debug = $nrpe::params::debug, + Integer[0] $connection_timeout = $nrpe::params::connection_timeout, + Optional[Boolean] $allow_bash_command_substitution = $nrpe::params::allow_bash_command_substitution, + String[1] $nrpe_user = $nrpe::params::nrpe_user, + String[1] $nrpe_group = $nrpe::params::nrpe_group, + Stdlib::Absolutepath $nrpe_pid_file = $nrpe::params::nrpe_pid_file, + Stdlib::Absolutepath $nrpe_ssl_dir = $nrpe::params::nrpe_ssl_dir, + Optional[String[1]] $ssl_cert_file_content = undef, + Optional[String[1]] $ssl_privatekey_file_content = undef, + Optional[String[1]] $ssl_cacert_file_content = undef, + Nrpe::Sslversion $ssl_version = $nrpe::params::ssl_version, + Array[String[1]] $ssl_ciphers = $nrpe::params::ssl_ciphers, + Enum['no','ask','require'] $ssl_client_certs = $nrpe::params::ssl_client_certs, + Boolean $ssl_log_startup_params = false, + Boolean $ssl_log_remote_ip = false, + Boolean $ssl_log_protocol_version = false, + Boolean $ssl_log_cipher = false, + Boolean $ssl_log_client_cert = false, + Boolean $ssl_log_client_cert_details = false, + Stdlib::Filemode $command_file_default_mode = '0644', ) inherits nrpe::params { if $manage_package { 
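Review bot: `$ssl_privatekey_file_content` carries private-key material but is typed `Optional[String[1]]`, so the key is handled as an ordinary string and can surface in catalogs, reports and debug output. Consider accepting the `Sensitive` wrapper as well, e.g. `Optional[Variant[String[1], Sensitive[String[1]]]] $ssl_privatekey_file_content = undef,`, which stays compatible with existing callers. The resource that writes the key is outside this hunk, so confirm it passes the value through without unwrapping it.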
@@ -79,6 +79,11 @@ ensure => present, } + $_allow_bash_command_substitution = $allow_bash_command_substitution ? { + undef => undef, + default => bool2str($allow_bash_command_substitution, '1', '0'), + } + concat::fragment { 'nrpe main config': target => $config, content => epp( 
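Review bot: The new `$_allow_bash_command_substitution` selector has no comment explaining why `undef` is passed through instead of being mapped to `'0'`. Judging by the `# not in very old NRPE` remark in `manifests/params.pp`, the intent appears to be to leave the directive out entirely for older daemons. A line above the selector such as `# undef is kept so the directive can be omitted on NRPE versions that do not know it` would record that. The template that consumes the value is not visible here.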
@@ -91,39 +96,46 @@ 'nrpe_user' => $nrpe_user, 'nrpe_group' => $nrpe_group, 'allowed_hosts' => $allowed_hosts, - 'dont_blame_nrpe' => "${dont_blame_nrpe}", - 'allow_bash_command_substitution' => $allow_bash_command_substitution, + 'dont_blame_nrpe' => bool2str($dont_blame_nrpe, '1', '0'), + 'allow_bash_command_substitution' => $_allow_bash_command_substitution, 'libdir' => $nrpe::params::libdir, 'command_prefix' => $command_prefix, - 'debug' => "${debug}", - 'command_timeout' => $command_timeout + 0, - 'connection_timeout' => $connection_timeout + 0, + 'debug' => bool2str($debug, '1', '0'), + 'command_timeout' => $command_timeout, + 'connection_timeout' => $connection_timeout, } ), order => '01', } if $ssl_cert_file_content { + + $_ssl_client_certs = $ssl_client_certs ? { + 'ask' => '1', + 'require' => '2', + default => '0', # $ssl_client_certs = 'no' + } + concat::fragment { 'nrpe ssl fragment': - target => $config, - content => epp( - 'nrpe/nrpe.cfg-ssl.epp', - { - 'ssl_version' => $ssl_version, - 'ssl_ciphers' => $ssl_ciphers, - 'nrpe_ssl_dir' => $nrpe_ssl_dir, - 'ssl_client_certs' => "${ssl_client_certs}", - 'ssl_logging' => nrpe::ssl_logging( - $ssl_log_startup_params, - $ssl_log_remote_ip, - $ssl_log_protocol_version, - $ssl_log_cipher, - $ssl_log_client_cert, - $ssl_log_client_cert_details - ) - } - ), - order => '02', + target => $config, + content => epp( + 'nrpe/nrpe.cfg-ssl.epp', + { + 'ssl_version' => $ssl_version, + 'ssl_ciphers' => $ssl_ciphers, + 'nrpe_ssl_dir' => $nrpe_ssl_dir, + 'ssl_client_certs' => $_ssl_client_certs, + 'ssl_logging' => nrpe::ssl_logging( + $ssl_log_startup_params, + $ssl_log_remote_ip, + $ssl_log_protocol_version, + $ssl_log_cipher, + $ssl_log_client_cert, + $ssl_log_client_cert_details + ) + } + ), + order => '02', } file { $nrpe_ssl_dir: diff --git a/manifests/params.pp b/manifests/params.pp index 9d48b0c..3bf9d02 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
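Review bot: The `$_ssl_client_certs` selector maps every value other than `'ask'` and `'require'` to `'0'` through `default => '0'`, which is the least strict setting. With the current `Enum['no','ask','require']` that only covers `'no'`, but if the enum is ever extended, the new value would silently disable client-certificate checks. Replacing the default arm with an explicit `'no' => '0',` would make an unmapped value fail compilation instead, since a selector with no matching entry is an error.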
@@ -136,12 +136,12 @@ } } - $dont_blame_nrpe = 0 + $dont_blame_nrpe = false $allow_bash_command_substitution = undef # not in very old NRPE $log_facility = 'daemon' $server_port = 5666 $command_prefix = undef - $debug = 0 + $debug = false $connection_timeout = 300 $ssl_version = 'TLSv1.2+' @@ -153,5 +153,5 @@ 'DHE-RSA-AES128-SHA256', 'DHE-RSA-AES256-SHA256', ] - $ssl_client_certs = 1 + $ssl_client_certs = 'ask' } diff --git a/manifests/plugin.pp b/manifests/plugin.pp index f3b7d6a..2aca21c 100644 --- a/manifests/plugin.pp +++ b/manifests/plugin.pp @@ -1,12 +1,12 @@ # define nrpe::plugin ( - Enum['present', 'absent'] $ensure = present, - Optional[String] $content = undef, - Optional[String] $source = undef, - String $mode = $nrpe::params::nrpe_plugin_file_mode, - String $libdir = $nrpe::params::libdir, - Variant[String, Array[String]] $package_name = $nrpe::params::nrpe_packages, - String $file_group = $nrpe::params::nrpe_files_group, + Enum['present', 'absent'] $ensure = present, + Optional[String[1]] $content = undef, + Optional[Stdlib::Filesource] $source = undef, + Stdlib::Filemode $mode = $nrpe::params::nrpe_plugin_file_mode, + Stdlib::Absolutepath $libdir = $nrpe::params::libdir, + Variant[String[1], Array[String[1]]] $package_name = $nrpe::params::nrpe_packages, + String[1] $file_group = $nrpe::params::nrpe_files_group, ) { file { "${libdir}/${title}": ensure => $ensure, diff --git a/types/sslversion.pp b/types/sslversion.pp new file mode 100644 index 0000000..9b70154 --- /dev/null +++ b/types/sslversion.pp 
@@ -0,0 +1,8 @@
+# SSL VERSION
+# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
+# SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
+# TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
+# TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
+# TLSv1.2+ (use TLSv1.2 or above)
+
+type Nrpe::Sslversion = Enum['SSLv2','SSLv2+','SSLv3','SSLv3+','TLSv1','TLSv1+','TLSv1.1','TLSv1.1+','TLSv1.2','TLSv1.2+']
diff --git a/types/syslogfacility.pp b/types/syslogfacility.pp
new file mode 100644
index 0000000..195d87f
--- /dev/null
+++ b/types/syslogfacility.pp
@@ -0,0 +1,25 @@
+type Nrpe::Syslogfacility = Enum[
+ 'user',
+ 'mail',
+ 'daemon',
+ 'auth',
+ 'syslog',
+ 'lpr',
+ 'news',
+ 'uucp',
+ 'cron',
+ 'authpriv',
+ 'ftp',
+ 'ntp',
+ 'security',
+ 'console',
+ 'solaris-cron',
+ 'local0',
+ 'local1',
+ 'local2',
+ 'local3',
+ 'local4',
+ 'local5',
+ 'local6',
+ 'local7'
+]
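Review bot: `Nrpe::Sslversion` accepts `SSLv2`, `SSLv2+` (described here as "use any version"), `SSLv3`, `SSLv3+`, `TLSv1` and `TLSv1.1` with no indication that these are legacy protocol versions. The module default visible in `manifests/params.pp` is `TLSv1.2+`, and the header comment could say so, e.g. `# Values below TLSv1.2 exist only for compatibility with old peers; prefer the default 'TLSv1.2+'.` A Puppet Strings `@summary` line would also make the new type appear in generated documentation.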
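Review bot: `types/syslogfacility.pp` has no header comment, unlike `types/sslversion.pp` added in the same commit, and the enum has no `kern` entry. If NRPE accepts `kern` for `log_facility` (not verifiable from this page), callers that set it will now fail catalog compilation. Either add the value or state the omission in a header such as `# Syslog facilities accepted for nrpe's log_facility setting`.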