(#149) Added the cert_auth param and inactive param (#151)

* (#149) Added the cert_auth param and inactive param Fixes #149 Fixes #150 * Added RELENG changes
simp · Apr 10, 2024 · 1c8c2c4 · 1c8c2c4
1 parent 98dd210
commit 1c8c2c4
Show file tree

Hide file tree

Showing 7 changed files with 221 additions and 125 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,4 +1,8 @@
 
+* Tue Apr 09 2024 Mike Riddle <[email protected]> - 7.1.0
+- Added the cert_auth parameter
+- Added the inactive parameter
+
 * Wed Jan 31 2024 Mike Riddle <[email protected]> - 7.0.0
 - Added functionality to control /etc/security/pwhistory.conf
 - Fixed logic that would cause certain functionality to break on Amazon Linux 2022 and above

diff --git a/REFERENCE.md b/REFERENCE.md
@@ -93,6 +93,8 @@ The following parameters are available in the `pam` class:
 * [`su_content`](#-pam--su_content)
 * [`other_content`](#-pam--other_content)
 * [`auth_sections`](#-pam--auth_sections)
+* [`cert_auth`](#-pam--cert_auth)
+* [`inactive`](#-pam--inactive)
 * [`auth_content_pre`](#-pam--auth_content_pre)
 * [`fingerprint_auth_content`](#-pam--fingerprint_auth_content)
 * [`system_auth_content`](#-pam--system_auth_content)
@@ -595,6 +597,24 @@ The PAM ``*-auth`` files to manage
 
 Default value: `['fingerprint', 'system', 'password', 'smartcard']`
 
+##### <a name="-pam--cert_auth"></a>`cert_auth`
+
+Data type: `Optional[Enum['try','require']]`
+
+If set, should choose either 'require' or 'try' to set 'require_cert_auth' or
+'try_cert_auth' in the auth files
+
+Default value: `undef`
+
+##### <a name="-pam--inactive"></a>`inactive`
+
+Data type: `Optional[Integer]`
+
+If set, the number of days before a user can be inactive on a system
+before their account becomes locked
+
+Default value: `undef`
+
 ##### <a name="-pam--auth_content_pre"></a>`auth_content_pre`
 
 Data type: `Optional[Array[String]]`
@@ -1124,6 +1144,8 @@ The following parameters are available in the `pam::auth` defined type:
 * [`tty_audit_users`](#-pam--auth--tty_audit_users)
 * [`separator`](#-pam--auth--separator)
 * [`enable_separator`](#-pam--auth--enable_separator)
+* [`inactive`](#-pam--auth--inactive)
+* [`cert_auth`](#-pam--auth--cert_auth)
 * [`content`](#-pam--auth--content)
 
 ##### <a name="-pam--auth--password_check_backend"></a>`password_check_backend`
@@ -1518,6 +1540,22 @@ Data type: `Boolean`
 
 Default value: `$pam::enable_separator`
 
+##### <a name="-pam--auth--inactive"></a>`inactive`
+
+Data type: `Optional[Integer]`
+
+
+
+Default value: `$pam::inactive`
+
+##### <a name="-pam--auth--cert_auth"></a>`cert_auth`
+
+Data type: `Optional[Enum['try','require']]`
+
+
+
+Default value: `$pam::cert_auth`
+
 ##### <a name="-pam--auth--content"></a>`content`
 
 Data type: `Optional[String]`

diff --git a/manifests/auth.pp b/manifests/auth.pp
@@ -55,61 +55,65 @@
 # @param tty_audit_users
 # @param separator
 # @param enable_separator
+# @param inactive
+# @param cert_auth
 # @param content
 #
 # @author https://github.com/simp/pupmod-simp-pam/graphs/contributors
 #
 define pam::auth (
-  Pam::PasswordBackends          $password_check_backend    = $pam::password_check_backend,
-  Optional[Stdlib::Absolutepath] $locale_file               = $pam::locale_file,
-  Optional[Array[String]]        $auth_content_pre          = $pam::auth_content_pre,
-  Boolean                        $cracklib_enforce_for_root = $pam::cracklib_enforce_for_root,
-  Boolean                        $cracklib_reject_username  = $pam::cracklib_reject_username,
-  Optional[Integer[0]]           $cracklib_difok            = $pam::cracklib_difok,
-  Optional[Integer[0]]           $cracklib_maxrepeat        = $pam::cracklib_maxrepeat,
-  Optional[Integer[0]]           $cracklib_maxsequence      = $pam::cracklib_maxsequence,
-  Optional[Integer[0]]           $cracklib_maxclassrepeat   = $pam::cracklib_maxclassrepeat,
-  Optional[Boolean]              $cracklib_gecoscheck       = $pam::cracklib_gecoscheck,
-  Optional[Integer]              $cracklib_dcredit          = $pam::cracklib_dcredit,
-  Optional[Integer]              $cracklib_ucredit          = $pam::cracklib_ucredit,
-  Optional[Integer]              $cracklib_lcredit          = $pam::cracklib_lcredit,
-  Optional[Integer]              $cracklib_ocredit          = $pam::cracklib_ocredit,
-  Optional[Integer[0]]           $cracklib_minclass         = $pam::cracklib_minclass,
-  Optional[Integer[0]]           $cracklib_minlen           = $pam::cracklib_minlen,
-  Integer[0]                     $cracklib_retry            = $pam::cracklib_retry,
-  Integer[0]                     $deny                      = $pam::deny,
-  Boolean                        $faillock                  = $pam::faillock,
-  Boolean                        $manage_faillock_conf      = $pam::manage_faillock_conf,
-  Optional[Stdlib::Absolutepath] $faillock_log_dir          = $pam::faillock_log_dir,
-  Boolean                        $faillock_audit            = $pam::faillock_audit,
-  Boolean                        $faillock_no_log_info      = $pam::faillock_no_log_info,
-  Boolean                        $faillock_local_users_only = $pam::faillock_local_users_only,
-  Boolean                        $faillock_nodelay          = $pam::faillock_nodelay,
-  Optional[String]               $faillock_admin_group      = $pam::faillock_admin_group,
-  Boolean                        $display_account_lock      = $pam::display_account_lock,
-  Integer[0]                     $fail_interval             = $pam::fail_interval,
-  Boolean                        $manage_pwhistory_conf     = $pam::manage_pwhistory_conf,
-  Boolean                        $remember_debug            = $pam::remember_debug,
-  Integer[0]                     $remember                  = $pam::remember,
-  Integer[0]                     $remember_retry            = $pam::remember_retry,
-  Boolean                        $remember_for_root         = $pam::remember_for_root,
-  Stdlib::Absolutepath           $remember_file             = $pam::remember_file,
-  Boolean                        $even_deny_root            = $pam::even_deny_root,
-  Integer[0]                     $root_unlock_time          = $pam::root_unlock_time,
-  Pam::HashAlgorithm             $hash_algorithm            = $pam::hash_algorithm,
-  Integer[0]                     $rounds                    = $pam::rounds,
-  Integer[0]                     $uid                       = $pam::uid,
-  Pam::AccountUnlockTime         $unlock_time               = $pam::unlock_time,
-  Boolean                        $preserve_ac               = $pam::preserve_ac,
-  Boolean                        $use_netgroups             = $pam::use_netgroups,
-  Boolean                        $use_openshift             = $pam::use_openshift,
-  Boolean                        $sssd                      = $pam::sssd,
-  Array[String[0]]               $tty_audit_users           = $pam::tty_audit_users,
-  String[0]                      $separator                 = $pam::separator,
-  Boolean                        $enable_separator          = $pam::enable_separator,
-  Boolean                        $oath                      = $pam::oath,
-  Integer[0]                     $oath_window               = $pam::oath_window,
-  Optional[String]               $content                   = undef
+  Pam::PasswordBackends           $password_check_backend    = $pam::password_check_backend,
+  Optional[Stdlib::Absolutepath]  $locale_file               = $pam::locale_file,
+  Optional[Array[String]]         $auth_content_pre          = $pam::auth_content_pre,
+  Boolean                         $cracklib_enforce_for_root = $pam::cracklib_enforce_for_root,
+  Boolean                         $cracklib_reject_username  = $pam::cracklib_reject_username,
+  Optional[Integer[0]]            $cracklib_difok            = $pam::cracklib_difok,
+  Optional[Integer[0]]            $cracklib_maxrepeat        = $pam::cracklib_maxrepeat,
+  Optional[Integer[0]]            $cracklib_maxsequence      = $pam::cracklib_maxsequence,
+  Optional[Integer[0]]            $cracklib_maxclassrepeat   = $pam::cracklib_maxclassrepeat,
+  Optional[Boolean]               $cracklib_gecoscheck       = $pam::cracklib_gecoscheck,
+  Optional[Integer]               $cracklib_dcredit          = $pam::cracklib_dcredit,
+  Optional[Integer]               $cracklib_ucredit          = $pam::cracklib_ucredit,
+  Optional[Integer]               $cracklib_lcredit          = $pam::cracklib_lcredit,
+  Optional[Integer]               $cracklib_ocredit          = $pam::cracklib_ocredit,
+  Optional[Integer[0]]            $cracklib_minclass         = $pam::cracklib_minclass,
+  Optional[Integer[0]]            $cracklib_minlen           = $pam::cracklib_minlen,
+  Integer[0]                      $cracklib_retry            = $pam::cracklib_retry,
+  Integer[0]                      $deny                      = $pam::deny,
+  Boolean                         $faillock                  = $pam::faillock,
+  Boolean                         $manage_faillock_conf      = $pam::manage_faillock_conf,
+  Optional[Stdlib::Absolutepath]  $faillock_log_dir          = $pam::faillock_log_dir,
+  Boolean                         $faillock_audit            = $pam::faillock_audit,
+  Boolean                         $faillock_no_log_info      = $pam::faillock_no_log_info,
+  Boolean                         $faillock_local_users_only = $pam::faillock_local_users_only,
+  Boolean                         $faillock_nodelay          = $pam::faillock_nodelay,
+  Optional[String]                $faillock_admin_group      = $pam::faillock_admin_group,
+  Boolean                         $display_account_lock      = $pam::display_account_lock,
+  Integer[0]                      $fail_interval             = $pam::fail_interval,
+  Boolean                         $manage_pwhistory_conf     = $pam::manage_pwhistory_conf,
+  Boolean                         $remember_debug            = $pam::remember_debug,
+  Integer[0]                      $remember                  = $pam::remember,
+  Integer[0]                      $remember_retry            = $pam::remember_retry,
+  Boolean                         $remember_for_root         = $pam::remember_for_root,
+  Stdlib::Absolutepath            $remember_file             = $pam::remember_file,
+  Boolean                         $even_deny_root            = $pam::even_deny_root,
+  Integer[0]                      $root_unlock_time          = $pam::root_unlock_time,
+  Pam::HashAlgorithm              $hash_algorithm            = $pam::hash_algorithm,
+  Integer[0]                      $rounds                    = $pam::rounds,
+  Integer[0]                      $uid                       = $pam::uid,
+  Pam::AccountUnlockTime          $unlock_time               = $pam::unlock_time,
+  Boolean                         $preserve_ac               = $pam::preserve_ac,
+  Boolean                         $use_netgroups             = $pam::use_netgroups,
+  Boolean                         $use_openshift             = $pam::use_openshift,
+  Boolean                         $sssd                      = $pam::sssd,
+  Array[String[0]]                $tty_audit_users           = $pam::tty_audit_users,
+  String[0]                       $separator                 = $pam::separator,
+  Boolean                         $enable_separator          = $pam::enable_separator,
+  Boolean                         $oath                      = $pam::oath,
+  Integer[0]                      $oath_window               = $pam::oath_window,
+  Optional[Integer]               $inactive                  = $pam::inactive,
+  Optional[Enum['try','require']] $cert_auth                 = $pam::cert_auth,
+  Optional[String]                $content                   = undef
 ) {
   include 'oddjob::mkhomedir'
 
@@ -147,6 +151,11 @@
 
   $target = "${name}-auth"
 
+  $_pam_cert_auth = $cert_auth ? {
+    undef   => undef,
+    default => "${cert_auth}_cert_auth"
+  }
+
   if $content {
     $_content = $content
   }
@@ -222,7 +231,9 @@
           separator                 => $separator,
           enable_separator          => $enable_separator,
           oath                      => $oath,
-          oath_window               => $oath_window
+          oath_window               => $oath_window,
+          inactive                  => $inactive,
+          pam_cert_auth             => $_pam_cert_auth
       })
     }
   }