diff --git a/.github/README.md b/.github/README.md index ee58cc7e..501cfecd 100644 --- a/.github/README.md +++ b/.github/README.md @@ -542,6 +542,46 @@ Installs, configures, and manages the CUPS service. * `papersize`: Sets the system's default `/etc/papersize`. See `man papersize` for supported values. +* `policies`: Sets the printing policies (`default` and `authenticated`) for CUPS. By default, + it enables the default CUPS settings. You can override those settings by setting all the options + you want set in a policy or setting all the directives in one of the limits under the policy. + You can, of course, also add more policies and other limits under the default policies as needed. + +```puppet + class { '::cups': + policies => { + 'default' => { + 'options' => [ + 'JobPrivateAccess default', + 'JobPrivateValues default', + 'SubscriptionPrivateAccess default', + ], + 'limits' => { + 'Create-Job Print-Job Print-URI Validate-Job' => [ + 'Require user @OWNER @SYSTEM', + 'Order deny,allow', + ], + }, + } + } + } +``` + +You can also do the same using hiera: + +```yaml +cups::policies: + default: + options: + - 'JobPrivateAccess default' + - 'JobPrivateValues default' + - 'SubscriptionPrivateAccess default' + limits: + 'Create-Job Print-Job Print-URI Validate-Job': + - 'Require user @OWNER @SYSTEM' + - 'Order deny,allow' +``` + * `purge_unmanaged_queues`: Setting `true` will remove all queues from the node which do not match a `cups_queue` resource in the current catalog. Defaults to `false`. diff --git a/README.md.erb b/README.md.erb index 784c826f..94fd2899 100644 --- a/README.md.erb +++ b/README.md.erb @@ -544,6 +544,46 @@ Installs, configures, and manages the CUPS service. * `papersize`: Sets the system's default `/etc/papersize`. See `man papersize` for supported values. +* `policies`: Sets the printing policies (`default` and `authenticated`) for CUPS. By default, + it enables the default CUPS settings. You can override those settings by setting all the options + you want set in a policy or setting all the directives in one of the limits under the policy. + You can, of course, also add more policies and other limits under the default policies as needed. + +```puppet + class { '::cups': + policies => { + 'default' => { + 'options' => [ + 'JobPrivateAccess default', + 'JobPrivateValues default', + 'SubscriptionPrivateAccess default', + ], + 'limits' => { + 'Create-Job Print-Job Print-URI Validate-Job' => [ + 'Require user @OWNER @SYSTEM', + 'Order deny,allow', + ], + }, + } + } + } +``` + +You can also do the same using hiera: + +```yaml +cups::policies: + default: + options: + - 'JobPrivateAccess default' + - 'JobPrivateValues default' + - 'SubscriptionPrivateAccess default' + limits: + 'Create-Job Print-Job Print-URI Validate-Job': + - 'Require user @OWNER @SYSTEM' + - 'Order deny,allow' +``` + * `purge_unmanaged_queues`: Setting `true` will remove all queues from the node which do not match a `cups_queue` resource in the current catalog. Defaults to `false`. diff --git a/manifests/init.pp b/manifests/init.pp index aac60d8f..1d26e06d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -50,6 +50,7 @@ # in order to run CUPS and provide `ipptool`. OS dependent defaults apply. # @param page_log_format Sets the `PageLogFormat` directive of the CUPS server. # @param papersize Sets the system's default `/etc/papersize`. See `man papersize` for supported values. +# @param policies Sets the access policies for the CUPS server to use. # @param purge_unmanaged_queues Setting `true` will remove all queues from the node # which do not match a `cups_queue` resource in the current catalog. # @param resources This attribute is intended for use with Hiera or any other ENC. @@ -82,6 +83,7 @@ Variant[String, Array[String]] $package_names = $::cups::params::package_names, Optional[String] $page_log_format = undef, Optional[String] $papersize = undef, + Optional[Hash] $policies = undef, Boolean $purge_unmanaged_queues = false, Optional[Hash] $resources = undef, Optional[Variant[String, Array[String]]] $server_alias = undef, diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index c060ed46..ecf836f5 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -293,6 +293,54 @@ end end + describe 'policies' do + let(:facts) { any_supported_os } + + describe 'by default' do + it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: %r{\s*JobPrivateAccess default\s*JobPrivateValues default\s*SubscriptionPrivateAccess default\s*SubscriptionPrivateValues default\s*\s*JobPrivateAccess default\s*JobPrivateValues default\s*SubscriptionPrivateAccess default\s*SubscriptionPrivateValues default\s* { + 'default' => { + 'options' => [ + 'JobPrivateAccess default', + 'JobPrivateValues default', + ], + }, + 'authenticated' => { + 'options' => [ + 'SubscriptionPrivateAccess default', + 'SubscriptionPrivateValues default', + ], + } + } + } } + + it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: %r{\s*JobPrivateAccess default\s*JobPrivateValues default\s*\s*SubscriptionPrivateAccess default\s*SubscriptionPrivateValues default\s* { + 'default' => { + 'limits' => { + 'Create-Job Print-Job Print-URI Validate-Job' => [ + 'Require user @OWNER @SYSTEM', + 'Order deny,allow' + ], + } + } + } + } } + + it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: %r{\s*Require\s*user\s*@OWNER\s*@SYSTEM\s*Order\s*deny,allow\s*}) } + end + end + describe 'log_debug_history' do let(:facts) { any_supported_os } diff --git a/templates/cupsd/_policies.erb b/templates/cupsd/_policies.erb index ae79eabc..bb098fef 100644 --- a/templates/cupsd/_policies.erb +++ b/templates/cupsd/_policies.erb @@ -1,63 +1,103 @@ - - JobPrivateAccess default - JobPrivateValues default - SubscriptionPrivateAccess default - SubscriptionPrivateValues default - - Order deny,allow - - - Require user @OWNER @SYSTEM - Order deny,allow - - - AuthType Default - Require user @SYSTEM - Order deny,allow - - - AuthType Default - Require user @SYSTEM - Order deny,allow - - - Require user @OWNER @SYSTEM - Order deny,allow - - - Order deny,allow - - - - JobPrivateAccess default - JobPrivateValues default - SubscriptionPrivateAccess default - SubscriptionPrivateValues default - - AuthType Default - Order deny,allow - - - AuthType Default - Require user @OWNER @SYSTEM - Order deny,allow - - - AuthType Default - Require user @SYSTEM - Order deny,allow - - - AuthType Default - Require user @SYSTEM - Order deny,allow - - - AuthType Default - Require user @OWNER @SYSTEM - Order deny,allow - - - Order deny,allow +<% +cups_policies_defaults = { + 'default' => { + 'options' => [ + 'JobPrivateAccess default', 'JobPrivateValues default', 'SubscriptionPrivateAccess default', 'SubscriptionPrivateValues default', + ], + 'limits' => { + 'Create-Job Print-Job Print-URI Validate-Job' => ['Order deny,allow'], + 'Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document' => [ + 'Require user @OWNER @SYSTEM', + 'Order deny,allow', + ], + 'CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices' => [ + 'AuthType Default', + 'Require user @SYSTEM', + 'Order deny,allow', + ], + 'Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs' => [ + 'AuthType Default', + 'Require user @SYSTEM', + 'Order deny,allow', + ], + 'Cancel-Job CUPS-Authenticate-Job' => [ + 'Require user @OWNER @SYSTEM', + 'Order deny,allow', + ], + 'All' => [ + 'Order deny,allow', + ], + }, + }, + 'authenticated' => { + 'options' => [ + 'JobPrivateAccess default', 'JobPrivateValues default', 'SubscriptionPrivateAccess default', 'SubscriptionPrivateValues default', + ], + 'limits' => { + 'Create-Job Print-Job Print-URI Validate-Job' => ['AuthType Default', 'Order deny,allow'], + 'Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document' => [ + 'AuthType Default', + 'Require user @OWNER @SYSTEM', + 'Order deny,allow', + ], + 'CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default' => [ + 'AuthType Default', + 'Require user @SYSTEM', + 'Order deny,allow', + ], + 'Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs' => [ + 'AuthType Default', + 'Require user @SYSTEM', + 'Order deny,allow', + ], + 'Cancel-Job CUPS-Authenticate-Job' => [ + 'AuthType Default', + 'Require user @OWNER @SYSTEM', + 'Order deny,allow', + ], + 'All' => [ + 'Order deny,allow', + ], + }, + }, +} + +@final_policies = cups_policies_defaults + +if ! @policies.nil? && @policies.is_a?(Hash) + @policies.each_pair do |policy, directives| + if ! @final_policies.has_key?(policy) + @final_policies[policy] ||= directives + else + if directives.has_key?('options') + @final_policies[policy]['options'] = directives['options'] + end + if directives.has_key?('limits') + directives['limits'].each_pair do |lim, opts| + @final_policies[policy]['limits'][lim] = opts + end + end + end + end +end + +-%> +<% @final_policies.each_pair do |policy, directives| -%> +<% next if directives.nil? || directives.empty? -%> +> +<% if directives.has_key?('options') -%> +<% directives['options'].each do |opt| -%> + <%= opt %> +<% end -%> +<% end -%> +<% if directives.has_key?('limits') -%> +<% directives['limits'].each_pair do |lim, opts| -%> + > +<% opts.each do |opt| -%> + <%= opt %> +<% end -%> +<% end -%> +<% end -%> +<% end -%>