fixtures:
# use the forge modules so we can easily pin to a specific version
- forge_modules:
- stdlib: "puppetlabs/stdlib"
-
+ #forge_modules:
+ # stdlib: "puppetlabs/stdlib"
+ repositories:
+ firewall: "git://github.com/puppetlabs/puppetlabs-firewall.git"
+ stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib.git"
symlinks:
mailman3: "#{source_dir}"
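Review bot: The new `repositories` entries fetch both modules from whatever the branch head happens to be, over the unauthenticated `git://` transport, while the comment on line 2 still says forge modules are used so a version can be pinned. If reproducible test runs matter, give each entry a `ref:` next to `repo:` (e.g. `stdlib: { repo: "https://github.com/puppetlabs/puppetlabs-stdlib.git", ref: "<pinned tag>" }`) and use `https://` so the fetch is at least TLS-protected; otherwise the comment should be updated to say the fixtures track git master.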
### Setup Requirements **OPTIONAL**
+Mention optional dependency of puppetlabs/firewall here.
+
If your module requires anything extra before setting up (pluginsync enabled,
etc.), mention it here.
$core_manage_database = $mailman3::params::core_manage_database,
$core_manage_firewall = $mailman3::params::core_manage_firewall,
$core_override_options = {},
+ $core_override_allowed_hosts = {},
) inherits mailman3::params {
# Make sure parameters are properly formatted
validate_bool($core_manage_database)
validate_bool($core_manage_firewall)
validate_hash($core_override_options)
+ validate_hash($core_override_allowed_hosts)
- $core_options = merge($mailman3::params::core_default_options, $core_override_options)
+ # Merge together options with defaults from ::params, right most wins
+ $core_options = merge($mailman3::params::core_default_options,
+ $core_override_options)
+
+ $core_allowed_hosts = merge($mailman3::params::core_default_allowed_hosts,
+ $core_override_allowed_hosts)
anchor { 'mailman3::core::begin': }
anchor { 'mailman3::core::end': }
core_manage_database => $core_manage_database,
core_manage_firewall => $core_manage_firewall,
core_options => $core_options,
+ core_allowed_hosts => $core_allowed_hosts,
}
Anchor['mailman3::core::begin'] ->
$core_manage_database,
$core_manage_firewall,
$core_options,
+ $core_allowed_hosts,
) {
validate_bool($core_manage_database)
validate_bool($core_manage_firewall)
validate_hash($core_options)
+ validate_hash($core_allowed_hosts)
anchor{ 'mailman3::core::config::begin': }
anchor{ 'mailman3::core::config::end': }
content => template('mailman3/mailman.cfg.erb')
}
+ if ($core_manage_firewall) {
+ class { 'mailman3::core::config::firewall':
+ core_manage_firewall => $core_manage_firewall,
+ core_allowed_hosts => $core_allowed_hosts,
+ core_options => $core_options,
+ }
+ }
}
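Review bot: At the `class { 'mailman3::core::config::firewall':` declaration `$core_manage_firewall` is already known to be true, and the new class re-checks the same flag internally, so one of the two gates is redundant. Keeping the outer guard is reasonable because it keeps the class out of the catalog entirely when the firewall is unmanaged, but that intent is not stated; a comment above the `if` such as `# Only declare the firewall class when managed so no firewall resources enter the catalog otherwise` would make it clear the duplication is deliberate. The enclosing class mailman3::core::config starts outside the hunk.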
--- /dev/null
+# == Class: mailman3::core::config::firewall
+#
+# Full description of class mailman3 here.
+#
+# === Parameters
+#
+# Document parameters here.
+#
+# [*sample_parameter*]
+# Explanation of what this parameter affects and what it defaults to.
+# e.g. "Specify one or more upstream ntp servers as an array."
+#
+# === Variables
+#
+# Here you should define a list of variables that this module would require.
+#
+# [*sample_variable*]
+# Explanation of how this variable affects the function of this class and if
+# it has a default. e.g. "The parameter enc_ntp_servers must be set by the
+# External Node Classifier as a comma separated list of hostnames." (Note,
+# global variables should be avoided in favor of class parameters as
+# of Puppet 2.6.)
+#
+# === Examples
+#
+# class { 'mailman3':
+# servers => [ 'pool.ntp.org', 'ntp.local.company.com' ],
+# }
+#
+# === Authors
+#
+# Josh Farwell <jfarwell@linuxfoundation.org>
+#
+# === Copyright
+#
+# Copyright 2015 Josh Farwell, unless otherwise noted.
+#
+class mailman3::core::config::firewall (
+ $core_allowed_hosts,
+ $core_manage_firewall,
+ $core_options,
+){
+ validate_hash($core_allowed_hosts)
+ validate_bool($core_manage_firewall)
+ validate_hash($core_options)
+
+ if ($core_manage_firewall) {
+ if ( has_key($core_options, 'webservice') ) {
+
+ if ( has_key($core_options['webservice'], 'hostname') ) {
+ validate_string($core_options['webservice']['hostname'])
+ $rest_hostname = $core_options['webservice']['hostname']
+ }
+ else {
+ $rest_hostname = 'localhost'
+ }
+
+ if ( has_key($core_options['webservice'], 'port') ) {
+ validate_string($core_options['webservice']['port'])
+ $rest_port = $core_options['webservice']['port']
+ }
+ else {
+ $rest_port = '8001'
+ }
+
+ }
+ else {
+ $rest_port = '8001'
+ $rest_hostname = 'localhost'
+ }
+
+ unless ($rest_hostname =~ '^localhost$|^127\.0\.0\.1$') {
+ $core_allowed_hosts['rest'].each |String $host| {
+ firewall { "060 mailman3 REST allow ${host}":
+ proto => 'tcp',
+ state => ['NEW'],
+ action => 'accept',
+ port => $rest_port,
+ source => $host,
+ }
+ }
+ }
+
+ if ( has_key($core_options, 'mta') ) {
+ if (has_key($core_options['mta'], 'lmtp_host') ) {
+ validate_string($core_options['mta']['lmtp_host'])
+ $lmtp_host = $core_options['mta']['lmtp_host']
+ }
+ else {
+ $lmtp_host = '127.0.0.1'
+ }
+
+ if (has_key($core_options['mta'], 'lmtp_port') ) {
+ validate_string($core_options['mta']['lmtp_port'])
+ $lmtp_port = $core_options['mta']['lmtp_port']
+ }
+ else {
+ $lmtp_port = '8024'
+ }
+ }
+ else {
+ $lmtp_host = '127.0.0.1'
+ $lmtp_port = '8024'
+ }
+
+ unless ($lmtp_host =~ '^localhost$|^127\.0\.0\.1$') {
+ $core_allowed_hosts['lmtp'].each |String $host| {
+ firewall { "060 mailman3 LMTP allow ${host}":
+ proto => 'tcp',
+ state => ['NEW'],
+ action => 'accept',
+ port => $lmtp_port,
+ source => $host,
+ }
+ }
+ }
+ }
+}
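Review bot: The loopback check on the two `unless` lines (`$rest_hostname =~ '^localhost$|^127\.0\.0\.1$'` and the same for `$lmtp_host`) only recognises `localhost` and `127.0.0.1`, so a listener bound to `::1` is treated as remote and accept rules are created for it; extending both patterns to `'^localhost$|^127\.0\.0\.1$|^::1$'` closes that gap. The `$core_allowed_hosts['rest'].each` and `['lmtp'].each` loops assume both keys exist and hold arrays; when this class is declared directly (as the new spec does) with a hash missing a key, compilation fails on an undef value rather than with a clear message, so a `has_key` guard or `validate_array` on each list before iterating would help. Duplicate entries in a list also produce a duplicate `firewall` declaration because the title is built from `${host}`; passing the list through stdlib's `unique()` before `.each` avoids that. The header comment is still the module skeleton (`Full description of class mailman3 here`, `sample_parameter`); it should document `core_allowed_hosts` as the per-service source lists, `core_manage_firewall` as the on/off flag and `core_options` as the mailman.cfg hash the bind address and port are read from.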
$rest_admin_pass = 'restpass'
# Mailman Core values
- $core_layout = 'fhs'
- $core_bin_dir = '/usr/libexec/mailman3'
- $core_var_dir = '/var/lib/mailman3'
- $core_queue_dir = '/var/spool/mailman3'
- $core_log_dir = '/var/log/mailman3'
- $core_lock_dir = '/run/lock/mailman3'
- $core_ext_dir = '/etc/mailman3.d'
- $core_pid_file = '/run/mailman3/master.pid'
- $core_site_owner = 'root@localhost'
- $core_version = 'installed' # could also be 3.0.0
+ $core_layout = 'fhs'
+ $core_bin_dir = '/usr/libexec/mailman3'
+ $core_var_dir = '/var/lib/mailman3'
+ $core_queue_dir = '/var/spool/mailman3'
+ $core_log_dir = '/var/log/mailman3'
+ $core_lock_dir = '/run/lock/mailman3'
+ $core_ext_dir = '/etc/mailman3.d'
+ $core_pid_file = '/run/mailman3/master.pid'
+ $core_site_owner = 'root@localhost'
+ $core_version = 'installed' # could also be 3.0.0
- # Mailman Core default options hashes
+ # Mailman Core default options
+ $core_default_allowed_hosts = {
+ 'rest' => ['0.0.0.0'],
+ 'lmtp' => ['0.0.0.0'],
+ }
$core_default_options = {
'mailman' => {
'site_owner' => $mailman3::params::core_site_owner,
'admin_user' => $mailman3::params::rest_admin_user,
'admin_pass' => $mailman3::params::rest_admin_pass,
}
-
}
}
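Review bot: `$core_default_allowed_hosts` sets both `rest` and `lmtp` to `['0.0.0.0']`, which becomes `source => '0.0.0.0'` on every rule `mailman3::core::config::firewall` creates once a listener is bound to a non-loopback address. As far as I recall puppetlabs-firewall normalises a bare address to a /32 host match, so this default most likely matches no traffic; if "any source" is the intent the CIDR form `0.0.0.0/0` is required, and a default that admits every source to the REST admin API and the LMTP listener is worth reconsidering in favour of an empty list that operators populate deliberately. Whichever is chosen, the comment `# Mailman Core default options` directly above no longer describes this hash; something like `# Source hosts/CIDRs allowed through the host firewall to the REST API and LMTP listener` would.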
--- /dev/null
+require 'spec_helper'
+
+describe 'mailman3::core::config::firewall', :type => :class do
+ # we do not have default values so the class should fail to compile
+ context 'with defaults for all parameters' do
+ let (:params) {{}}
+
+ it do
+ expect {
+ should compile
+ }.to raise_error(RSpec::Expectations::ExpectationNotMetError,
+ /Must pass /)
+ end
+ end
+
+ context 'with assumed default parameters' do
+ let (:params) { {
+ 'core_manage_firewall' => true,
+ 'core_options' => {},
+ 'core_allowed_hosts' => {
+ 'rest' => ['0.0.0.0'],
+ 'lmtp' => ['0.0.0.0'],
+ },
+ } }
+
+ # because default settings allow localhost only, no firewall changes are needed
+ it { is_expected.to_not contain_firewall('060 mailman3 REST allow 0.0.0.0') }
+ it { is_expected.to_not contain_firewall('060 mailman3 LMTP allow 0.0.0.0') }
+
+ end
+
+ # even if relevant settings are present, if the flag is false, no rules should be created
+ context 'with manage_firewall flag set to false' do
+ let (:params) { {
+ 'core_manage_firewall' => false,
+ 'core_options' => {
+ 'webservice' => {
+ 'hostname' => 'example.com',
+ 'port' => '4242',
+ },
+ 'mta' => {
+ 'lmtp_host' => '10.1.10.1',
+ 'lmtp_port' => '9999',
+ },
+ },
+ 'core_allowed_hosts' => {
+ 'rest' => ['0.0.0.0'],
+ 'lmtp' => ['0.0.0.0'],
+ },
+ } }
+
+ it { is_expected.to_not contain_firewall('060 mailman3 REST allow 0.0.0.0') }
+ it { is_expected.to_not contain_firewall('060 mailman3 LMTP allow 0.0.0.0') }
+
+ end
+
+ context 'with user defined hostname and port' do
+ let (:params) { {
+ 'core_allowed_hosts' => {
+ 'rest' => ['0.0.0.0'],
+ 'lmtp' => ['0.0.0.0'],
+ },
+ 'core_manage_firewall' => true,
+ 'core_options' => {
+ 'webservice' => {
+ 'hostname' => 'example.com',
+ 'port' => '4242',
+ },
+ 'mta' => {
+ 'lmtp_host' => '10.1.10.1',
+ 'lmtp_port' => '9999',
+ },
+ },
+ } }
+
+ it { is_expected.to contain_firewall('060 mailman3 REST allow 0.0.0.0').with(
+ 'proto' => 'tcp',
+ 'state' => ['NEW'],
+ 'action' => 'accept',
+ 'port' => '4242',
+ 'source' => '0.0.0.0',
+ ) }
+
+ it { is_expected.to contain_firewall('060 mailman3 LMTP allow 0.0.0.0').with(
+ 'proto' => 'tcp',
+ 'state' => ['NEW'],
+ 'action' => 'accept',
+ 'port' => '9999',
+ 'source' => '0.0.0.0',
+ ) }
+
+ end
+
+ context 'with user defined allowed_hosts' do
+ let (:params) { {
+ 'core_allowed_hosts' => {
+ 'rest' => ['10.0.0.0/16','10.1.10.2','example.com'],
+ 'lmtp' => ['10.0.0.0/16','10.1.10.2','example.com'],
+ },
+ 'core_manage_firewall' => true,
+ 'core_options' => {
+ 'webservice' => {
+ 'hostname' => 'mail.example.com',
+ },
+ 'mta' => {
+ 'lmtp_host' => '192.168.1.1',
+ },
+ },
+ } }
+
+ it { is_expected.to contain_firewall("060 mailman3 REST allow 10.0.0.0/16").with(
+ 'proto' => 'tcp',
+ 'state' => ['NEW'],
+ 'action' => 'accept',
+ 'port' => '8001',
+ 'source' => '10.0.0.0/16',
+ ) }
+
+ it { is_expected.to contain_firewall("060 mailman3 REST allow 10.1.10.2").with(
+ 'proto' => 'tcp',
+ 'state' => ['NEW'],
+ 'action' => 'accept',
+ 'port' => '8001',
+ 'source' => '10.1.10.2',
+ ) }
+
+ it { is_expected.to contain_firewall("060 mailman3 REST allow example.com").with(
+ 'proto' => 'tcp',
+ 'state' => ['NEW'],
+ 'action' => 'accept',
+ 'port' => '8001',
+ 'source' => 'example.com',
+ ) }
+
+ it { is_expected.to contain_firewall("060 mailman3 LMTP allow 10.0.0.0/16").with(
+ 'proto' => 'tcp',
+ 'state' => ['NEW'],
+ 'action' => 'accept',
+ 'port' => '8024',
+ 'source' => '10.0.0.0/16',
+ ) }
+
+ it { is_expected.to contain_firewall("060 mailman3 LMTP allow 10.1.10.2").with(
+ 'proto' => 'tcp',
+ 'state' => ['NEW'],
+ 'action' => 'accept',
+ 'port' => '8024',
+ 'source' => '10.1.10.2',
+ ) }
+
+ it { is_expected.to contain_firewall("060 mailman3 LMTP allow example.com").with(
+ 'proto' => 'tcp',
+ 'state' => ['NEW'],
+ 'action' => 'accept',
+ 'port' => '8024',
+ 'source' => 'example.com',
+ ) }
+ end
+end
+
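Review bot: No context exercises the case the firewall class is really for, a listener bound to all interfaces: the `with user defined hostname and port` context uses `example.com`, and the contexts that do use `0.0.0.0` only use it as an allowed host. A context binding `webservice.hostname` to `0.0.0.0` with `mta` left out would pin that REST rules are created with the default port `8001` while no LMTP rule appears, which is what the class's loopback check and defaults imply. Separately, the `expect { should compile }.to raise_error(RSpec::Expectations::ExpectationNotMetError, /Must pass /)` block in the first context can be written with the matcher's own API, `it { is_expected.to compile.and_raise_error(/Must pass /) }`. The `describe` block ends inside the hunk, so the new context would sit before its closing `end`.
```ruby
  context 'with the REST service bound to all interfaces' do
    let (:params) { {
      'core_manage_firewall' => true,
      'core_options' => { 'webservice' => { 'hostname' => '0.0.0.0' } },
      'core_allowed_hosts' => { 'rest' => ['10.0.0.1'], 'lmtp' => ['10.0.0.1'] },
    } }

    it { is_expected.to contain_firewall('060 mailman3 REST allow 10.0.0.1').with('port' => '8001') }
    it { is_expected.to_not contain_firewall('060 mailman3 LMTP allow 10.0.0.1') }
  end
```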
context 'with assumed default parameters' do
let (:params) {
{
+ 'core_allowed_hosts' => {
+ 'rest' => ['0.0.0.0'],
+ 'lmtp' => ['0.0.0.0'],
+ },
'core_manage_database' => false,
- 'core_manage_firewall' => false,
+ 'core_manage_firewall' => true,
'core_options' => {
'mailman' => {
'site_owner' => 'root@localhost',
},
} }
- it { is_expected.to contain_file('/etc/mailman.cfg').with(
- 'ensure' => 'file',
- 'owner' => 'mailman',
- 'group' => 'mailman',
- 'mode' => '0640',
- 'content' => "; MANAGED BY PUPPET\n\n[mailman]\n layout = fhs\n site_owner = root@localhost\n\n[paths.fhs]\n bin_dir = /usr/libexec/mailman3\n ext_dir = /etc/mailman3.d\n lock_dir = /run/lock/mailman3\n log_dir = /var/log/mailman3\n pid_file = /run/mailman3/master.pid\n queue_dir = /var/spool/mailman3\n var_dir = /var/lib/mailman3\n\n[webservice]\n admin_pass = GENERATE\n admin_user = restadmin\n\n",
- ) }
+ it { is_expected.to contain_file('/etc/mailman.cfg').with(
+ 'ensure' => 'file',
+ 'owner' => 'mailman',
+ 'group' => 'mailman',
+ 'mode' => '0640',
+ 'content' => "; MANAGED BY PUPPET\n\n[mailman]\n layout = fhs\n site_owner = root@localhost\n\n[paths.fhs]\n bin_dir = /usr/libexec/mailman3\n ext_dir = /etc/mailman3.d\n lock_dir = /run/lock/mailman3\n log_dir = /var/log/mailman3\n pid_file = /run/mailman3/master.pid\n queue_dir = /var/spool/mailman3\n var_dir = /var/lib/mailman3\n\n[webservice]\n admin_pass = GENERATE\n admin_user = restadmin\n\n",
+ ) }
+
+ it { is_expected.to contain_class('mailman3::core::config::firewall').with(
+ 'core_allowed_hosts' => {
+ 'rest' => ['0.0.0.0'],
+ 'lmtp' => ['0.0.0.0'],
+ },
+ ) }
end
context 'with user defined parameters' do
let (:params) {
{
+ 'core_allowed_hosts' => {
+ 'rest' => ['10.0.0.1'],
+ 'lmtp' => ['10.0.0.1'],
+ },
'core_manage_database' => false,
- 'core_manage_firewall' => false,
+ 'core_manage_firewall' => true,
'core_options' => {
'mailman' => {
'site_owner' => 'admin@example.com',
},
} }
- it { is_expected.to contain_file('/etc/mailman.cfg').with(
- 'ensure' => 'file',
- 'owner' => 'mailman',
- 'group' => 'mailman',
- 'mode' => '0640',
- 'content' => "; MANAGED BY PUPPET\n\n[mailman]\n layout = fhs\n site_owner = admin@example.com\n\n[paths.fhs]\n bin_dir = /foo/libexec/mailman3\n ext_dir = /foo/mailman3.d\n lock_dir = /foo/lock/mailman3\n log_dir = /foo/log/mailman3\n pid_file = /foo/mailman3/master.pid\n queue_dir = /foo/spool/mailman3\n var_dir = /foo/lib/mailman3\n\n[testsection]\n test_value = foobar\n\n[webservice]\n admin_pass = bar\n admin_user = fooadmin\n\n",
- ) }
+ it { is_expected.to contain_file('/etc/mailman.cfg').with(
+ 'ensure' => 'file',
+ 'owner' => 'mailman',
+ 'group' => 'mailman',
+ 'mode' => '0640',
+ 'content' => "; MANAGED BY PUPPET\n\n[mailman]\n layout = fhs\n site_owner = admin@example.com\n\n[paths.fhs]\n bin_dir = /foo/libexec/mailman3\n ext_dir = /foo/mailman3.d\n lock_dir = /foo/lock/mailman3\n log_dir = /foo/log/mailman3\n pid_file = /foo/mailman3/master.pid\n queue_dir = /foo/spool/mailman3\n var_dir = /foo/lib/mailman3\n\n[testsection]\n test_value = foobar\n\n[webservice]\n admin_pass = bar\n admin_user = fooadmin\n\n",
+ ) }
+
+ it { is_expected.to contain_class('mailman3::core::config::firewall').with(
+ 'core_allowed_hosts' => { 'rest' => ['10.0.0.1'], 'lmtp' => ['10.0.0.1'] },
+ ) }
+
+ end
+
+ context 'with manage_firewall flag set to false' do
+
+ let (:params) {
+ {
+ 'core_manage_database' => false,
+ 'core_manage_firewall' => false,
+ 'core_allowed_hosts' => {},
+ 'core_options' => {},
+ } }
+
+ it { is_expected.to_not contain_class('mailman3::core::config::firewall') }
end