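# @summary
#   Authentication service for the communication module.
#
# Sets up the authentication service for the communication module in the
# new exam system. Connects to the broker to authenticate users.
#
# Both the Kerberos keytab that gets installed and the git branch that gets
# deployed are selected from the node's fqdn (see the case statement below).
# On a host that is neither the production nor the devel machine no keytab is
# installed and no branch is pinned.
#
# @param keytab_production_base64
#   Keytab contents (in base64) for the Kerberos host key used to authenticate
#   in the production environment (aes.edu.liu.se). Nothing is decoded or
#   installed when left undef.
#
# @param keytab_devel_base64
#   Keytab contents (in base64) for the Kerberos host key used to authenticate
#   in the development environment (aes-devel.edu.liu.se). Nothing is decoded
#   or installed when left undef.
#
# @param repo_source
#   Git URL of the communication repository that is checked out into
#   "<auth_home>/src". The default embeds an access token in the URL and is
#   kept only so existing callers keep working: a manifest is plain text in
#   version control and the URL ends up in every compiled catalog and in the
#   vcsrepo provider's logs. Supply the value from encrypted Hiera (eyaml or
#   equivalent) instead and rotate the token that is currently embedded.
#
class aes::auth (
  Optional[String] $keytab_production_base64 = undef,
  Optional[String] $keytab_devel_base64      = undef,
  String           $repo_source              = 'https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git',
) {
  $auth_user    = 'auth'
  $auth_group   = $auth_user
  $auth_home    = "/srv/${auth_user}"
  $auth_service = 'aes_auth'

  # Decode the base64 encoded keytabs. Binary.new() does not accept undef, so
  # an unset parameter (which is the default) is skipped instead of decoded;
  # otherwise the class failed to compile unless both keytabs were supplied.
  $keytab_production = $keytab_production_base64 ? {
    undef   => undef,
    default => Binary.new($keytab_production_base64, '%b'),
  }
  $keytab_devel = $keytab_devel_base64 ? {
    undef   => undef,
    default => Binary.new($keytab_devel_base64, '%b'),
  }

  # Pick the right keytab for the current environment. We use the fqdn rather than
  # $environment since the keys are tied to the domain name rather than what
  # environment the machine is configured in. String matching in a case
  # statement is case-insensitive, like the == comparison it replaces.
  case $facts['fqdn'] {
    'aes.edu.liu.se': {
      # The AD service account for this key is: ida_sys002_srv
      $auth_keytab_data = $keytab_production
      $server_type      = 'production'
    }
    'aes-devel.edu.liu.se': {
      # The AD service account for this key is: ida_sys004_srv
      $auth_keytab_data = $keytab_devel
      $server_type      = 'devel'
    }
    default: {
      # Unknown host: install no keytab and pin no branch. $server_type is
      # assigned explicitly here because the vcsrepo resource below references
      # it, and an unassigned variable is a compile error under strict_variables.
      $auth_keytab_data = undef
      $server_type      = undef
    }
  }

  # Note: We rely on Boost being installed by the broker. It seems Puppet does not like
  # that we specify "boost" multiple times, even though it would look nice, modularity-wise
  # since both the auth server and the broker requires boost.
  package { [
      'krb5-libs',
      'krb5-devel',
      'openssl-devel',
    ]:
    ensure => installed,
  }

  # Group for local authentication. All accounts that are members
  # of this group are considered trusted by the authentication system.
  group { 'aes_local_auth':
    ensure => present,
  }

  # Unprivileged service account; the home directory is managed by the file
  # resource below rather than by useradd.
  user { $auth_user:
    ensure     => present,
    home       => $auth_home,
    comment    => 'Authentication server for AES',
    managehome => false,
    membership => 'inclusive',
    groups     => ['aes_local_auth'],
    system     => true,
    shell      => '/sbin/nologin',
  }

  file { $auth_home:
    ensure => directory,
    owner  => $auth_user,
    group  => $auth_group,
    mode   => '0755',
  }

  file { "/etc/systemd/system/${auth_service}.service":
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => "puppet:///modules/${module_name}/auth/auth.service",
  }

  file { "${auth_home}/on_update.sh":
    ensure => file,
    owner  => $auth_user,
    group  => $auth_group,
    mode   => '0755',
    source => "puppet:///modules/${module_name}/auth/on_update.sh",
  }

  file { "${auth_home}/config.json":
    ensure => file,
    owner  => $auth_user,
    group  => $auth_group,
    mode   => '0644',
    source => "puppet:///modules/${module_name}/auth/config.json",
  }

  file { "${auth_home}/start.sh":
    ensure => file,
    owner  => $auth_user,
    group  => $auth_group,
    mode   => '0755',
    source => "puppet:///modules/${module_name}/auth/start.sh",
  }

  # Key material lives in a directory only the service account can enter.
  file { "${auth_home}/keys":
    ensure => directory,
    owner  => $auth_user,
    group  => $auth_group,
    mode   => '0700',
  }

  # The keytab is owned by root and only group-readable, so the service account
  # can read it through $auth_group but cannot replace it.
  if $auth_keytab_data {
    file { "${auth_home}/keys/kerberos.keytab":
      ensure  => file,
      owner   => 'root',
      group   => $auth_group,
      mode    => '0640',
      content => $auth_keytab_data,
    }
  }

  # $server_type doubles as the branch name; on an unknown host it is undef and
  # vcsrepo falls back to its own default revision.
  vcsrepo { "${auth_home}/src":
    ensure   => latest,
    provider => git,
    source   => $repo_source,
    revision => $server_type,
    owner    => $auth_user,
    group    => $auth_group,
    notify   => Exec['compile-auth-repo'],
  }

  # Rebuild only when the checkout changed; the build needs the Kerberos and
  # OpenSSL headers, so the packages are an explicit dependency instead of
  # relying on manifest ordering.
  exec { 'compile-auth-repo':
    user        => $auth_user,
    group       => $auth_group,
    cwd         => $auth_home,
    path        => '/bin:/usr/bin',
    command     => "${auth_home}/on_update.sh",
    environment => ["HOME=${auth_home}"],
    refreshonly => true,
    require     => [
      File["${auth_home}/on_update.sh"],
      Package['krb5-libs', 'krb5-devel', 'openssl-devel'],
    ],
    notify      => Service[$auth_service],
  }

  # Subscribing to the unit file orders the service after it on the first run
  # and restarts the service when the unit definition changes.
  service { $auth_service:
    ensure    => 'running',
    enable    => true,
    subscribe => File["/etc/systemd/system/${auth_service}.service"],
  }
}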