Skip to content
This repository has been archived by the owner on Jan 3, 2023. It is now read-only.

Allow for customization of policies #377

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions .github/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -542,6 +542,46 @@ Installs, configures, and manages the CUPS service.

* `papersize`: Sets the system's default `/etc/papersize`. See `man papersize` for supported values.

* `policies`: Sets the printing policies (`default` and `authenticated`) for CUPS. By default,
it enables the default CUPS settings. You can override those settings by setting all the options
you want set in a policy or setting all the directives in one of the limits under the policy.
You can, of course, also add more policies and other limits under the default policies as needed.

```puppet
class { '::cups':
policies => {
'default' => {
'options' => [
'JobPrivateAccess default',
'JobPrivateValues default',
'SubscriptionPrivateAccess default',
],
'limits' => {
'Create-Job Print-Job Print-URI Validate-Job' => [
'Require user @OWNER @SYSTEM',
'Order deny,allow',
],
},
}
}
}
```

You can also do the same using hiera:

```yaml
cups::policies:
default:
options:
- 'JobPrivateAccess default'
- 'JobPrivateValues default'
- 'SubscriptionPrivateAccess default'
limits:
'Create-Job Print-Job Print-URI Validate-Job':
- 'Require user @OWNER @SYSTEM'
- 'Order deny,allow'
```

* `purge_unmanaged_queues`: Setting `true` will remove all queues from the node
which do not match a `cups_queue` resource in the current catalog. Defaults to `false`.

Expand Down
40 changes: 40 additions & 0 deletions README.md.erb
Original file line number Diff line number Diff line change
Expand Up @@ -544,6 +544,46 @@ Installs, configures, and manages the CUPS service.

* `papersize`: Sets the system's default `/etc/papersize`. See `man papersize` for supported values.

* `policies`: Sets the printing policies (`default` and `authenticated`) for CUPS. By default,
it enables the default CUPS settings. You can override those settings by setting all the options
you want set in a policy or setting all the directives in one of the limits under the policy.
You can, of course, also add more policies and other limits under the default policies as needed.

```puppet
class { '::cups':
policies => {
'default' => {
'options' => [
'JobPrivateAccess default',
'JobPrivateValues default',
'SubscriptionPrivateAccess default',
],
'limits' => {
'Create-Job Print-Job Print-URI Validate-Job' => [
'Require user @OWNER @SYSTEM',
'Order deny,allow',
],
},
}
}
}
```

You can also do the same using hiera:

```yaml
cups::policies:
default:
options:
- 'JobPrivateAccess default'
- 'JobPrivateValues default'
- 'SubscriptionPrivateAccess default'
limits:
'Create-Job Print-Job Print-URI Validate-Job':
- 'Require user @OWNER @SYSTEM'
- 'Order deny,allow'
```

* `purge_unmanaged_queues`: Setting `true` will remove all queues from the node
which do not match a `cups_queue` resource in the current catalog. Defaults to `false`.

Expand Down
2 changes: 2 additions & 0 deletions manifests/init.pp
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@
# in order to run CUPS and provide `ipptool`. OS dependent defaults apply.
# @param page_log_format Sets the `PageLogFormat` directive of the CUPS server.
# @param papersize Sets the system's default `/etc/papersize`. See `man papersize` for supported values.
# @param policies Sets the access policies for the CUPS server to use.
# @param purge_unmanaged_queues Setting `true` will remove all queues from the node
# which do not match a `cups_queue` resource in the current catalog.
# @param resources This attribute is intended for use with Hiera or any other ENC.
Expand Down Expand Up @@ -82,6 +83,7 @@
Variant[String, Array[String]] $package_names = $::cups::params::package_names,
Optional[String] $page_log_format = undef,
Optional[String] $papersize = undef,
Optional[Hash] $policies = undef,
Boolean $purge_unmanaged_queues = false,
Optional[Hash] $resources = undef,
Optional[Variant[String, Array[String]]] $server_alias = undef,
Expand Down
48 changes: 48 additions & 0 deletions spec/classes/init_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -293,6 +293,54 @@
end
end

describe 'policies' do
let(:facts) { any_supported_os }

describe 'by default' do
it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: %r{<Policy default>\s*JobPrivateAccess default\s*JobPrivateValues default\s*SubscriptionPrivateAccess default\s*SubscriptionPrivateValues default\s*<Limit}) }
it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: %r{<Policy authenticated>\s*JobPrivateAccess default\s*JobPrivateValues default\s*SubscriptionPrivateAccess default\s*SubscriptionPrivateValues default\s*<Limit}) }
end

context 'when policy options are overridden' do
let(:params) { {
'policies' => {
'default' => {
'options' => [
'JobPrivateAccess default',
'JobPrivateValues default',
],
},
'authenticated' => {
'options' => [
'SubscriptionPrivateAccess default',
'SubscriptionPrivateValues default',
],
}
}
} }

it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: %r{<Policy default>\s*JobPrivateAccess default\s*JobPrivateValues default\s*<Limit}) }
it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: %r{<Policy authenticated>\s*SubscriptionPrivateAccess default\s*SubscriptionPrivateValues default\s*<Limit}) }
end

context 'when policy options are overridden' do
let(:params) { {
'policies' => {
'default' => {
'limits' => {
'Create-Job Print-Job Print-URI Validate-Job' => [
'Require user @OWNER @SYSTEM',
'Order deny,allow'
],
}
}
}
} }

it { is_expected.to contain_file('/etc/cups/cupsd.conf').with(content: %r{<Limit\s*Create-Job\s*Print-Job\s*Print-URI\s*Validate-Job>\s*Require\s*user\s*@OWNER\s*@SYSTEM\s*Order\s*deny,allow\s*</Limit>}) }
end
end

describe 'log_debug_history' do
let(:facts) { any_supported_os }

Expand Down
162 changes: 101 additions & 61 deletions templates/cupsd/_policies.erb
Original file line number Diff line number Diff line change
@@ -1,63 +1,103 @@
<Policy default>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
<Policy authenticated>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
<%
cups_policies_defaults = {
'default' => {
'options' => [
'JobPrivateAccess default', 'JobPrivateValues default', 'SubscriptionPrivateAccess default', 'SubscriptionPrivateValues default',
],
'limits' => {
'Create-Job Print-Job Print-URI Validate-Job' => ['Order deny,allow'],
'Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document' => [
'Require user @OWNER @SYSTEM',
'Order deny,allow',
],
'CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices' => [
'AuthType Default',
'Require user @SYSTEM',
'Order deny,allow',
],
'Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs' => [
'AuthType Default',
'Require user @SYSTEM',
'Order deny,allow',
],
'Cancel-Job CUPS-Authenticate-Job' => [
'Require user @OWNER @SYSTEM',
'Order deny,allow',
],
'All' => [
'Order deny,allow',
],
},
},
'authenticated' => {
'options' => [
'JobPrivateAccess default', 'JobPrivateValues default', 'SubscriptionPrivateAccess default', 'SubscriptionPrivateValues default',
],
'limits' => {
'Create-Job Print-Job Print-URI Validate-Job' => ['AuthType Default', 'Order deny,allow'],
'Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document' => [
'AuthType Default',
'Require user @OWNER @SYSTEM',
'Order deny,allow',
],
'CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default' => [
'AuthType Default',
'Require user @SYSTEM',
'Order deny,allow',
],
'Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs' => [
'AuthType Default',
'Require user @SYSTEM',
'Order deny,allow',
],
'Cancel-Job CUPS-Authenticate-Job' => [
'AuthType Default',
'Require user @OWNER @SYSTEM',
'Order deny,allow',
],
'All' => [
'Order deny,allow',
],
},
},
}

@final_policies = cups_policies_defaults

if ! @policies.nil? && @policies.is_a?(Hash)
@policies.each_pair do |policy, directives|
if ! @final_policies.has_key?(policy)
@final_policies[policy] ||= directives
else
if directives.has_key?('options')
@final_policies[policy]['options'] = directives['options']
end
if directives.has_key?('limits')
directives['limits'].each_pair do |lim, opts|
@final_policies[policy]['limits'][lim] = opts
end
end
end
end
end

-%>
<% @final_policies.each_pair do |policy, directives| -%>
<% next if directives.nil? || directives.empty? -%>
<Policy <%= policy -%>>
<% if directives.has_key?('options') -%>
<% directives['options'].each do |opt| -%>
<%= opt %>
<% end -%>
<% end -%>
<% if directives.has_key?('limits') -%>
<% directives['limits'].each_pair do |lim, opts| -%>
<Limit <%= lim %>>
<% opts.each do |opt| -%>
<%= opt %>
<% end -%>
</Limit>
<% end -%>
<% end -%>
</Policy>
<% end -%>