From 6d4652cecf3a7691aa5f7083913c8143251847a5 Mon Sep 17 00:00:00 2001 
From: Martin Hagstrom Date: Wed, 18 Feb 2015 15:20:11 +0100 Subject: [PATCH 1/2] Refactored spec tests --- spec/classes/init_spec.rb | 3366 +++-------------- .../pam_common_account.defaults.suse10 | 3 + .../pam_common_account.defaults.ubuntu1204 | 5 + .../pam_common_account.defaults.ubuntu1404 | 5 + spec/fixtures/pam_common_account.vas.suse10 | 5 + .../pam_common_account.vas.ubuntu1204 | 7 + .../pam_common_account.vas.ubuntu1404 | 7 + .../pam_common_account_pc.defaults.suse11 | 3 + .../pam_common_account_pc.defaults.suse12 | 3 + .../fixtures/pam_common_account_pc.vas.suse11 | 5 + .../fixtures/pam_common_account_pc.vas.suse12 | 5 + spec/fixtures/pam_common_auth.defaults.suse10 | 4 + .../pam_common_auth.defaults.ubuntu1204 | 5 + .../pam_common_auth.defaults.ubuntu1404 | 6 + spec/fixtures/pam_common_auth.vas.suse10 | 6 + spec/fixtures/pam_common_auth.vas.ubuntu1204 | 6 + spec/fixtures/pam_common_auth.vas.ubuntu1404 | 6 + .../pam_common_auth_pc.defaults.suse11 | 4 + .../pam_common_auth_pc.defaults.suse12 | 4 + spec/fixtures/pam_common_auth_pc.vas.suse11 | 6 + spec/fixtures/pam_common_auth_pc.vas.suse12 | 6 + ...noninteractive_session.defaults.ubuntu1204 | 7 + ...noninteractive_session.defaults.ubuntu1404 | 8 + ...mmon_noninteractive_session.vas.ubuntu1204 | 9 + ...mmon_noninteractive_session.vas.ubuntu1404 | 9 + .../pam_common_password.defaults.suse10 | 4 + .../pam_common_password.defaults.ubuntu1204 | 5 + .../pam_common_password.defaults.ubuntu1404 | 5 + spec/fixtures/pam_common_password.vas.suse10 | 6 + .../pam_common_password.vas.ubuntu1204 | 7 + .../pam_common_password.vas.ubuntu1404 | 7 + .../pam_common_password_pc.defaults.suse11 | 4 + .../pam_common_password_pc.defaults.suse12 | 4 + .../pam_common_password_pc.vas.suse11 | 6 + .../pam_common_password_pc.vas.suse12 | 6 + .../pam_common_session.defaults.suse10 | 4 + .../pam_common_session.defaults.ubuntu1204 | 7 + .../pam_common_session.defaults.ubuntu1404 | 8 + spec/fixtures/pam_common_session.vas.suse10 | 6 + 
.../pam_common_session.vas.ubuntu1204 | 9 + .../pam_common_session.vas.ubuntu1404 | 9 + .../pam_common_session_pc.defaults.suse11 | 5 + .../pam_common_session_pc.defaults.suse12 | 5 + .../fixtures/pam_common_session_pc.vas.suse11 | 7 + .../fixtures/pam_common_session_pc.vas.suse12 | 7 + spec/fixtures/pam_conf.defaults.solaris10 | 26 + spec/fixtures/pam_conf.defaults.solaris9 | 27 + spec/fixtures/pam_conf.vas.solaris10 | 66 + spec/fixtures/pam_conf.vas.solaris9 | 27 + spec/fixtures/pam_d_login.defaults.el5 | 15 + spec/fixtures/pam_d_login.defaults.el6 | 17 + spec/fixtures/pam_d_login.defaults.el7 | 18 + spec/fixtures/pam_d_login.defaults.suse10 | 10 + spec/fixtures/pam_d_login.defaults.suse11 | 12 + spec/fixtures/pam_d_login.defaults.suse12 | 10 + spec/fixtures/pam_d_login.defaults.suse9 | 11 + spec/fixtures/pam_d_login.defaults.ubuntu1204 | 16 + spec/fixtures/pam_d_login.defaults.ubuntu1404 | 17 + spec/fixtures/pam_d_sshd.defaults.el5 | 9 + spec/fixtures/pam_d_sshd.defaults.el6 | 14 + spec/fixtures/pam_d_sshd.defaults.el7 | 15 + spec/fixtures/pam_d_sshd.defaults.suse10 | 6 + spec/fixtures/pam_d_sshd.defaults.suse11 | 9 + spec/fixtures/pam_d_sshd.defaults.suse12 | 9 + spec/fixtures/pam_d_sshd.defaults.suse9 | 10 + spec/fixtures/pam_d_sshd.defaults.ubuntu1204 | 10 + spec/fixtures/pam_d_sshd.defaults.ubuntu1404 | 15 + spec/fixtures/pam_other.defaults.solaris11 | 23 + spec/fixtures/pam_other.defaults.suse9 | 17 + spec/fixtures/pam_other.vas.solaris11 | 23 + spec/fixtures/pam_other.vas.suse9 | 17 + spec/fixtures/pam_system_auth_ac.defaults.el5 | 23 + spec/fixtures/pam_system_auth_ac.defaults.el6 | 25 + spec/fixtures/pam_system_auth_ac.defaults.el7 | 26 + spec/fixtures/pam_system_auth_ac.vas.el5 | 31 + spec/fixtures/pam_system_auth_ac.vas.el6 | 32 + spec/fixtures/pam_system_auth_ac.vas.el7 | 33 + 77 files changed, 1398 insertions(+), 2842 deletions(-) create mode 100644 spec/fixtures/pam_common_account.defaults.suse10 create mode 100644 
spec/fixtures/pam_common_account.defaults.ubuntu1204 create mode 100644 spec/fixtures/pam_common_account.defaults.ubuntu1404 create mode 100644 spec/fixtures/pam_common_account.vas.suse10 create mode 100644 spec/fixtures/pam_common_account.vas.ubuntu1204 create mode 100644 spec/fixtures/pam_common_account.vas.ubuntu1404 create mode 100644 spec/fixtures/pam_common_account_pc.defaults.suse11 create mode 100644 spec/fixtures/pam_common_account_pc.defaults.suse12 create mode 100644 spec/fixtures/pam_common_account_pc.vas.suse11 create mode 100644 spec/fixtures/pam_common_account_pc.vas.suse12 create mode 100644 spec/fixtures/pam_common_auth.defaults.suse10 create mode 100644 spec/fixtures/pam_common_auth.defaults.ubuntu1204 create mode 100644 spec/fixtures/pam_common_auth.defaults.ubuntu1404 create mode 100644 spec/fixtures/pam_common_auth.vas.suse10 create mode 100644 spec/fixtures/pam_common_auth.vas.ubuntu1204 create mode 100644 spec/fixtures/pam_common_auth.vas.ubuntu1404 create mode 100644 spec/fixtures/pam_common_auth_pc.defaults.suse11 create mode 100644 spec/fixtures/pam_common_auth_pc.defaults.suse12 create mode 100644 spec/fixtures/pam_common_auth_pc.vas.suse11 create mode 100644 spec/fixtures/pam_common_auth_pc.vas.suse12 create mode 100644 spec/fixtures/pam_common_noninteractive_session.defaults.ubuntu1204 create mode 100644 spec/fixtures/pam_common_noninteractive_session.defaults.ubuntu1404 create mode 100644 spec/fixtures/pam_common_noninteractive_session.vas.ubuntu1204 create mode 100644 spec/fixtures/pam_common_noninteractive_session.vas.ubuntu1404 create mode 100644 spec/fixtures/pam_common_password.defaults.suse10 create mode 100644 spec/fixtures/pam_common_password.defaults.ubuntu1204 create mode 100644 spec/fixtures/pam_common_password.defaults.ubuntu1404 create mode 100644 spec/fixtures/pam_common_password.vas.suse10 create mode 100644 spec/fixtures/pam_common_password.vas.ubuntu1204 create mode 100644 
spec/fixtures/pam_common_password.vas.ubuntu1404 create mode 100644 spec/fixtures/pam_common_password_pc.defaults.suse11 create mode 100644 spec/fixtures/pam_common_password_pc.defaults.suse12 create mode 100644 spec/fixtures/pam_common_password_pc.vas.suse11 create mode 100644 spec/fixtures/pam_common_password_pc.vas.suse12 create mode 100644 spec/fixtures/pam_common_session.defaults.suse10 create mode 100644 spec/fixtures/pam_common_session.defaults.ubuntu1204 create mode 100644 spec/fixtures/pam_common_session.defaults.ubuntu1404 create mode 100644 spec/fixtures/pam_common_session.vas.suse10 create mode 100644 spec/fixtures/pam_common_session.vas.ubuntu1204 create mode 100644 spec/fixtures/pam_common_session.vas.ubuntu1404 create mode 100644 spec/fixtures/pam_common_session_pc.defaults.suse11 create mode 100644 spec/fixtures/pam_common_session_pc.defaults.suse12 create mode 100644 spec/fixtures/pam_common_session_pc.vas.suse11 create mode 100644 spec/fixtures/pam_common_session_pc.vas.suse12 create mode 100644 spec/fixtures/pam_conf.defaults.solaris10 create mode 100644 spec/fixtures/pam_conf.defaults.solaris9 create mode 100644 spec/fixtures/pam_conf.vas.solaris10 create mode 100644 spec/fixtures/pam_conf.vas.solaris9 create mode 100644 spec/fixtures/pam_d_login.defaults.el5 create mode 100644 spec/fixtures/pam_d_login.defaults.el6 create mode 100644 spec/fixtures/pam_d_login.defaults.el7 create mode 100644 spec/fixtures/pam_d_login.defaults.suse10 create mode 100644 spec/fixtures/pam_d_login.defaults.suse11 create mode 100644 spec/fixtures/pam_d_login.defaults.suse12 create mode 100644 spec/fixtures/pam_d_login.defaults.suse9 create mode 100644 spec/fixtures/pam_d_login.defaults.ubuntu1204 create mode 100644 spec/fixtures/pam_d_login.defaults.ubuntu1404 create mode 100644 spec/fixtures/pam_d_sshd.defaults.el5 create mode 100644 spec/fixtures/pam_d_sshd.defaults.el6 create mode 100644 spec/fixtures/pam_d_sshd.defaults.el7 create mode 100644 
spec/fixtures/pam_d_sshd.defaults.suse10 create mode 100644 spec/fixtures/pam_d_sshd.defaults.suse11 create mode 100644 spec/fixtures/pam_d_sshd.defaults.suse12 create mode 100644 spec/fixtures/pam_d_sshd.defaults.suse9 create mode 100644 spec/fixtures/pam_d_sshd.defaults.ubuntu1204 create mode 100644 spec/fixtures/pam_d_sshd.defaults.ubuntu1404 create mode 100644 spec/fixtures/pam_other.defaults.solaris11 create mode 100644 spec/fixtures/pam_other.defaults.suse9 create mode 100644 spec/fixtures/pam_other.vas.solaris11 create mode 100644 spec/fixtures/pam_other.vas.suse9 create mode 100644 spec/fixtures/pam_system_auth_ac.defaults.el5 create mode 100644 spec/fixtures/pam_system_auth_ac.defaults.el6 create mode 100644 spec/fixtures/pam_system_auth_ac.defaults.el7 create mode 100644 spec/fixtures/pam_system_auth_ac.vas.el5 create mode 100644 spec/fixtures/pam_system_auth_ac.vas.el6 create mode 100644 spec/fixtures/pam_system_auth_ac.vas.el7
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 5247de17..569b7874 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -1,2907 +1,589 @@ require 'spec_helper' describe 'pam' do - describe 'on unsupported platforms' do - context 'with defaults params on osfamily RedHat 4' do - let(:facts) do - { :osfamily => 'RedHat', - :operatingsystemmajrelease => '4', - } - end - - it 'should fail' do - expect { - should contain_class('pam') - }.to raise_error(Puppet::Error,/Pam is only supported on EL 5, 6 and 7. Your operatingsystemmajrelease is identified as <4>./) - end - end - - context 'with defaults params on osfamily Suse 8' do - let(:facts) do - { :osfamily => 'Suse', - :lsbmajdistrelease => '8', - } - end - - it 'should fail' do - expect { - should contain_class('pam') - }.to raise_error(Puppet::Error,/Pam is only supported on Suse 10, 11, and 12. Your lsbmajdistrelease is identified as <8>./) - end - end - - context 'with defaults params on osfamily Debian' do - let(:facts) do - { :osfamily => 'Debian', - :lsbmajdistrelease => '7', - :lsbdistid => 'Debian', - } - end - - it 'should fail' do - expect { - should contain_class('pam') - }.to raise_error(Puppet::Error,/Pam is only supported on lsbdistid Ubuntu of the Debian osfamily. Your lsbdistid is ./) - end - end - - context 'with defaults params on Ubuntu 10.04 LTS' do - let(:facts) do - { :osfamily => 'Debian', - :lsbdistrelease => '10.04', - :lsbdistid => 'Ubuntu', - } - end - - it 'should fail' do - expect { - should contain_class('pam') - }.to raise_error(Puppet::Error,/Pam is only supported on Ubuntu 12.04 and 14.04. 
Your lsbdistrelease is identified as <10.04>./) - end - end + platforms = { + 'el5' => + { :osfamily => 'RedHat', + :release => '5', + :releasetype => 'operatingsystemmajrelease', + :packages => ['pam', 'util-linux', ], + :files => [ + { :prefix => 'pam_system_', + :types => ['auth', ], + :suffix => '_ac', + :symlink => true, + }, ], + }, + 'el6' => + { :osfamily => 'RedHat', + :release => '6', + :releasetype => 'operatingsystemmajrelease', + :packages => ['pam', ], + :files => [ + { :prefix => 'pam_system_', + :types => ['auth', ], + :suffix => '_ac', + :symlink => true, + }, ], + }, + 'el7' => + { :osfamily => 'RedHat', + :release => '7', + :releasetype => 'operatingsystemmajrelease', + :packages => ['pam', ], + :files => [ + { :prefix => 'pam_system_', + :types => ['auth', ], + :suffix => '_ac', + :symlink => true, + }, ], + }, + 'suse9' => + { :osfamily => 'Suse', + :release => '9', + :releasetype => 'lsbmajdistrelease', + :packages => ['pam', 'pam-modules', ], + :files => [ + { :prefix => 'pam_', + :types => ['other', ], + }, ], + }, + 'suse10' => + { :osfamily => 'Suse', + :release => '10', + :releasetype => 'lsbmajdistrelease', + :packages => ['pam', ], + :files => [ + { :prefix => 'pam_common_', + :types => ['auth', 'account', 'password', 'session', ], + }, ], + }, + 'suse11' => + { :osfamily => 'Suse', + :release => '11', + :releasetype => 'lsbmajdistrelease', + :packages => ['pam', ], + :files => [ + { :prefix => 'pam_common_', + :types => ['auth', 'account', 'password', 'session', ], + :suffix => '_pc', + :symlink => true, + }, ], + }, + 'suse12' => + { :osfamily => 'Suse', + :release => '12', + :releasetype => 'lsbmajdistrelease', + :packages => ['pam', ], + :files => [ + { :prefix => 'pam_common_', + :types => ['auth', 'account', 'password', 'session', ], + :suffix => '_pc', + :symlink => true, + }, ], + }, + 'solaris9' => + { :osfamily => 'Solaris', + :release => '5.9', + :releasetype => 'kernelrelease', + :packages => ['pam_package', ], + :files => [ 
+ { :prefix => 'pam_', + :types => ['conf', ], + :group => 'sys', + :dirpath => '/etc/pam.', + }, ], + }, + 'solaris10' => + { :osfamily => 'Solaris', + :release => '5.10', + :releasetype => 'kernelrelease', + :packages => ['pam_package', ], + :files => [ + { :prefix => 'pam_', + :types => ['conf', ], + :group => 'sys', + :dirpath => '/etc/pam.', + }, ], + }, + 'solaris11' => + { :osfamily => 'Solaris', + :release => '5.11', + :releasetype => 'kernelrelease', + :packages => ['pam_package', ], + :files => [ + { :prefix => 'pam_', + :types => ['other', ], + :group => 'sys', + }, ], + }, + 'ubuntu1204' => + { :osfamily => 'Debian', + :lsbdistid => 'Ubuntu', + :release => '12.04', + :releasetype => 'lsbdistrelease', + :packages => [ 'libpam0g', ], + :files => [ + { :prefix => 'pam_common_', + :types => ['auth', 'account', 'password', 'session', 'noninteractive_session' ], + }, ], + }, + 'ubuntu1404' => + { :osfamily => 'Debian', + :lsbdistid => 'Ubuntu', + :release => '14.04', + :releasetype => 'lsbdistrelease', + :packages => [ 'libpam0g', ], + :files => [ + { :prefix => 'pam_common_', + :types => ['auth', 'account', 'password', 'session', 'noninteractive_session' ], + }, ], + } + } + unsupported_platforms = { + 'el4' => + { :osfamily => 'RedHat', + :release => '4', + :releasetype => 'operatingsystemmajrelease', + }, + 'suse8' => + { :osfamily => 'Suse', + :release => '8', + :releasetype => 'lsbmajdistrelease', + }, + 'debian7' => + { :osfamily => 'Debian', + :release => '7', + :lsbdistid => 'Debian', + :releasetype => 'lsbdistid', + }, + 'ubuntu1004' => + { :osfamily => 'Debian', + :release => '10.04', + :lsbdistid => 'Ubuntu', + :releasetype => 'lsbdistid', + }, + 'solaris8' => + { :osfamily => 'Solaris', + :release => '5.8', + :releasetype => 'kernelrelease', + }, + } - context 'with defaults params on Solaris 8' do - let(:facts) do - { :osfamily => 'Solaris', - :kernelrelease => '5.8', - } - end + describe 'on unsupported platforms' do + 
unsupported_platforms.sort.each do |k,v| + context "with defaults params on #{k}" do + let :facts do + { :osfamily => v[:osfamily], + :"#{v[:releasetype]}" => v[:release], + } + end - it 'should fail' do - expect { - should contain_class('pam') - }.to raise_error(Puppet::Error,/Pam is only supported on Solaris 9, 10 and 11. Your kernelrelease is identified as <5.8>./) + it 'should fail' do + expect { + should contain_class('pam') + }.to raise_error(Puppet::Error,/Pam is only supported on .* #{v[:releasetype]} .* <#{v[:release]}>/) + end end end end describe 'packages' do + platforms.sort.each do |k,v| + context "with defaults params on #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do + let :facts do + { :osfamily => v[:osfamily], + :"#{v[:releasetype]}" => v[:release], + :lsbdistid => v[:lsbdistid], + } + end - context 'with default params on osfamily RedHat with operatingsystemmajrelease 5' do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '5', - } - end - - ['pam', 'util-linux'].each do |pkg| - it { - should contain_package(pkg).with({ - 'ensure' => 'installed', - }) - } - end - end - - context 'with default params on osfamily RedHat with operatingsystemmajrelease 6' do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '6', - } - end - - it do - should contain_package('pam').with({ - 'ensure' => 'installed', - }) - end - end - - context 'with default params on osfamily RedHat with operatingsystemmajrelease 7' do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '7', - } - end - - it do - should contain_package('pam').with({ - 'ensure' => 'installed', - }) - end - end - - context 'with default params on osfamily Suse with lsbmajdistrelease 9' do - let :facts do - { - :osfamily => 'Suse', - :lsbmajdistrelease => '9', - } - end - - ['pam', 'pam-modules'].each do |pkg| - it { - should contain_package(pkg).with({ - 'ensure' => 'installed', - }) - } - end - end - - context 
'with default params on osfamily Suse with lsbmajdistrelease 10' do - let :facts do - { - :osfamily => 'Suse', - :lsbmajdistrelease => '10', - } - end - - it { - should contain_package('pam').with({ - 'ensure' => 'installed', - }) - } - end - - context 'with default params on osfamily Suse with lsbmajdistrelease 11' do - let :facts do - { - :osfamily => 'Suse', - :lsbmajdistrelease => '11', - } - end - - it { - should contain_package('pam').with({ - 'ensure' => 'installed', - }) - } - end - - context 'with default params on osfamily Suse with lsbmajdistrelease 12' do - let :facts do - { - :osfamily => 'Suse', - :lsbmajdistrelease => '12', - } - end - - it { - should contain_package('pam').with({ - 'ensure' => 'installed', - }) - } - end - - context 'with default params on Solaris 9' do - let :facts do - { - :osfamily => 'Solaris', - :kernelrelease => '5.9', - } - end - - it { should_not contain_package('pam_package') } - end - - context 'with default params on Solaris 10' do - let :facts do - { - :osfamily => 'Solaris', - :kernelrelease => '5.10', - } - end - - it { should_not contain_package('pam_package') } - end - - context 'with default params on Solaris 11' do - let :facts do - { - :osfamily => 'Solaris', - :kernelrelease => '5.11', - } + if v[:osfamily] == 'Solaris' + v[:packages].each do |pkg| + it { + should_not contain_package(pkg) + } + end + else + v[:packages].each do |pkg| + it { + should contain_package(pkg).with({ + 'ensure' => 'installed', + }) + } + end + end end - it { should_not contain_package('pam_package') } - end + context "with specifying package_name on #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do + let :facts do + { :osfamily => v[:osfamily], + :"#{v[:releasetype]}" => v[:release], + :lsbdistid => v[:lsbdistid], + } + end + let(:params) { {:package_name => 'foo'} } - context 'with specifying package_name on valid platform' do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '5', - } + if 
v[:osfamily] != 'Solaris' + it { + should contain_package('foo').with({ + 'ensure' => 'installed', + }) + } + end end - - let(:params) { {:package_name => 'foo'} } - - it { - should contain_package('foo').with({ - 'ensure' => 'installed', - }) - } end end describe 'config files' do + platforms.sort.each do |k,v| + context "with specifying services param on #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do + let :facts do + { :osfamily => v[:osfamily], + :"#{v[:releasetype]}" => v[:release], + :lsbdistid => v[:lsbdistid], + } + end + let (:params) { {:services => { 'testservice' => { 'content' => 'foo' } } } } - context 'with specifying services param' do - let (:params) { {:services => { 'testservice' => { 'content' => 'foo' } } } } - let :facts do - { - :osfamily => 'Suse', - :lsbmajdistrelease => '9', - } - end - - it { - should contain_file('pam.d-service-testservice').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/testservice', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam.d-service-testservice').with_content('foo') } - end - - context 'with specifying services param as invalid type (non-hash)' do - let (:params) { {:services => ['not', 'a', 'hash'] } } - let :facts do - { - :osfamily => 'Suse', - :lsbmajdistrelease => '9', + it { + should contain_file('pam.d-service-testservice').with({ + 'ensure' => 'file', + 'path' => '/etc/pam.d/testservice', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) } - end - it 'should fail' do - expect { - should contain_class('pam') - }.to raise_error(Puppet::Error) + it { should contain_file('pam.d-service-testservice').with_content('foo') } + end + + ['defaults', 'vas'].each do |check| + context "with #{check} params on #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do + let :facts do + { :osfamily => v[:osfamily], + :"#{v[:releasetype]}" => v[:release], + :lsbdistid => v[:lsbdistid], + } + end + if check == 'vas' + let(:params) 
{ {:ensure_vas => 'present'} } + end + + v[:files].each do |file| + group = file[:group] || 'root' + dirpath = file[:dirpath] || '/etc/pam.d/' + + file[:types].each do |type| + filename = "#{file[:prefix]}#{type}#{file[:suffix]}" + path = "#{dirpath}#{file[:prefix]}#{type}#{file[:suffix]}" + path.gsub! '_', '-' + path.sub! 'pam-', '' + path.sub! 'noninteractive-session', 'session-noninteractive' + it { + should contain_file(filename).with({ + 'ensure' => 'file', + 'path' => path, + 'owner' => 'root', + 'group' => group, + 'mode' => '0644', + }) + } + fixture = File.read(fixtures("#{filename}.#{check}.#{k}")) + it { should contain_file(filename).with_content(fixture) } + + v[:packages].sort.each do |pkg| + if v[:osfamily] != 'Solaris' and (v[:osfamily] != 'Suse' and v[:release] != 9) + it { should contain_file(filename).that_requires("Package[#{pkg}]") } + end + end + + if file[:symlinkname] + symlinkname = "#{file[:prefix]}#{type}" + symlinkpath = "#{dirpath}#{file[:prefix]}#{type}" + it { + should contain_file(symlinkname).with({ + 'ensure' => 'symlink', + 'path' => symlinkpath, + 'owner' => 'root', + 'group' => 'root', + }) + } + v[:packages].sort.each do |pkg| + if v[:osfamily] != 'Solaris' + it { should contain_file(filename).that_requires("Package[#{pkg}]") } + end + end + end + end + + if v[:osfamily] != 'Solaris' + it { + should contain_file('pam_d_login').with({ + 'ensure' => 'file', + 'path' => '/etc/pam.d/login', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + } + pam_d_login_fixture = File.read(fixtures("pam_d_login.defaults.#{k}")) + it { should contain_file('pam_d_login').with_content(pam_d_login_fixture) } + + it { + should contain_file('pam_d_sshd').with({ + 'ensure' => 'file', + 'path' => '/etc/pam.d/sshd', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + } + pam_d_sshd_fixture = File.read(fixtures("pam_d_sshd.defaults.#{k}")) + it { should contain_file('pam_d_sshd').with_content(pam_d_sshd_fixture) } + end + 
end + end end - end + context "with login_pam_access => sufficient on osfamily #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do + let :facts do + { :osfamily => v[:osfamily], + :"#{v[:releasetype]}" => v[:release], + } + end + let(:params) {{ :login_pam_access => 'sufficient' }} - context 'with default params on osfamily RedHat with operatingsystemmajrelease 5' do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '5', - } + if (v[:osfamily] == 'RedHat' and (v[:release] == '5' or v[:release] == '6')) or (v[:osfamily] == 'Suse' and v[:release] == '11') + it { should contain_file('pam_d_login').with_content(/account[\s]+sufficient[\s]+pam_access.so/) } + end end - it { - should contain_file('pam_system_auth_ac').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/system-auth-ac', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_system_auth_ac').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT -# Auth -auth required pam_env.so -auth sufficient pam_unix.so nullok try_first_pass -auth requisite pam_succeed_if.so uid >= 500 quiet -auth required pam_deny.so - -# Account -account required pam_unix.so -account sufficient pam_succeed_if.so uid < 500 quiet -account required pam_permit.so - -# Password -password requisite pam_cracklib.so try_first_pass retry=3 -password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok -password required pam_deny.so - -# Session -session optional pam_keyinit.so revoke -session required pam_limits.so -session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -session required pam_unix.so -") - } - - it { - should contain_file('pam_system_auth').with({ - 'ensure' => 'symlink', - 'path' => '/etc/pam.d/system-auth', - 'owner' => 'root', - 'group' => 'root', - }) - } - - it { - should contain_file('pam_d_login').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/login', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_d_login').with_content("#%PAM-1.0 -auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so -auth include system-auth -account required pam_nologin.so -account include system-auth -account required pam_access.so -password include system-auth -# pam_selinux.so close should be the first session rule -session required pam_selinux.so close -session optional pam_keyinit.so force revoke -session required pam_loginuid.so -session include system-auth -session optional pam_console.so -# pam_selinux.so open should only be followed by sessions to be executed in the user context -session required pam_selinux.so open -") - } - - it { - should contain_file('pam_d_sshd').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/sshd', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_d_sshd').with_content("#%PAM-1.0 -auth include system-auth 
-account required pam_nologin.so -account include system-auth -account required pam_access.so -password include system-auth -session optional pam_keyinit.so force revoke -session include system-auth -session required pam_loginuid.so -") - } - - it { should_not contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so/) } - end + context "with login_pam_access => absent on osfamily #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do + let :facts do + { :osfamily => v[:osfamily], + :"#{v[:releasetype]}" => v[:release], + :lsbdistid => v[:lsbdistid], + } + end + let(:params) {{ :login_pam_access => 'absent' }} - context 'with login_pam_access => sufficient on osfamily RedHat with operatingsystemmajrelease 5' do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '5', - } + if v[:osfamily] != 'Solaris' + it { should contain_file('pam_d_login').without_content(/^account.*pam_access.so$/) } + end end - let(:params) {{ :login_pam_access => 'sufficient' }} - - it { should contain_file('pam_d_login').with_content("#%PAM-1.0 -auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so -auth include system-auth -account required pam_nologin.so -account include system-auth -account sufficient pam_access.so -password include system-auth -# pam_selinux.so close should be the first session rule -session required pam_selinux.so close -session optional pam_keyinit.so force revoke -session required pam_loginuid.so -session include system-auth -session optional pam_console.so -# pam_selinux.so open should only be followed by sessions to be executed in the user context -session required pam_selinux.so open -") - } - end + context "with sshd_pam_access => sufficient on osfamily #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do + let :facts do + { :osfamily => v[:osfamily], + :"#{v[:releasetype]}" => v[:release], + } + end + let(:params) {{ :sshd_pam_access => 'sufficient' }} - context 'with 
sshd_pam_access => sufficient on osfamily RedHat with operatingsystemmajrelease 5' do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '5', - } + if (v[:osfamily] == 'RedHat' and (v[:release] == '5' or v[:release] == '6')) or (v[:osfamily] == 'Suse' and v[:release] == '11') + it { should contain_file('pam_d_sshd').with_content(/^account[\s]+sufficient[\s]+pam_access.so$/) } + end end - let(:params) {{ :sshd_pam_access => 'sufficient' }} - - it { should contain_file('pam_d_sshd').with_content("#%PAM-1.0 -auth include system-auth -account required pam_nologin.so -account include system-auth -account sufficient pam_access.so -password include system-auth -session optional pam_keyinit.so force revoke -session include system-auth -session required pam_loginuid.so -") - } - end + context "with sshd_pam_access => absent on osfamily #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do + let :facts do + { :osfamily => v[:osfamily], + :"#{v[:releasetype]}" => v[:release], + :lsbdistid => v[:lsbdistid], + } + end + let(:params) {{ :sshd_pam_access => 'absent' }} - context 'with login_pam_access => absent on osfamily RedHat with operatingsystemmajrelease 5' do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '5', - } + if v[:osfamily] != 'Solaris' + it { should contain_file('pam_d_sshd').without_content(/^account.*pam_access.so$/) } + end end - let(:params) {{ :login_pam_access => 'absent' }} + context "with ensure_vas => present and vas_major_version => 3 on osfamily #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do + let :facts do + { :osfamily => v[:osfamily], + :"#{v[:releasetype]}" => v[:release], + :lsbdistid => v[:lsbdistid], + } + end + let :params do + { :ensure_vas => 'present', + :vas_major_version => '3', + } + end - it { should contain_file('pam_d_login').with_content("#%PAM-1.0 -auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so -auth include system-auth -account 
required pam_nologin.so -account include system-auth -password include system-auth -# pam_selinux.so close should be the first session rule -session required pam_selinux.so close -session optional pam_keyinit.so force revoke -session required pam_loginuid.so -session include system-auth -session optional pam_console.so -# pam_selinux.so open should only be followed by sessions to be executed in the user context -session required pam_selinux.so open -") - } - end + if v[:osfamily] == 'RedHat' and (v[:release] == '5' or v[:release] == '6') + it { + should contain_file('pam_system_auth_ac').with({ + 'ensure' => 'file', + 'path' => '/etc/pam.d/system-auth-ac', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + } - context 'with sshd_pam_access => sufficient on osfamily RedHat with operatingsystemmajrelease 5' do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '5', - } - end + v[:packages].sort.each do |pkg| + it { should contain_file('pam_system_auth_ac').that_requires("Package[#{pkg}]") } + end - let(:params) {{ :sshd_pam_access => 'absent' }} + it { should contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so.*store_creds/) } + it { should contain_file('pam_system_auth_ac').with_content(/account[\s]+sufficient[\s]+pam_vas3.so/) } + it { should contain_file('pam_system_auth_ac').with_content(/password[\s]+sufficient[\s]+pam_vas3.so/) } + it { should contain_file('pam_system_auth_ac').with_content(/session[\s]+required[\s]+pam_vas3.so/) } + end - it { should contain_file('pam_d_sshd').with_content("#%PAM-1.0 -auth include system-auth -account required pam_nologin.so -account include system-auth -password include system-auth -session optional pam_keyinit.so force revoke -session include system-auth -session required pam_loginuid.so -") - } - end + if v[:osfamily] == 'Debian' + it { should contain_class('pam::accesslogin') } + it { should contain_class('pam::limits') } + + ['auth', 'account', 
'password', 'session'].each do |type| + it { + should contain_file("pam_common_#{type}").with({ + 'ensure' => 'file', + 'path' => "/etc/pam.d/common-#{type}", + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + } + pam_common_fixture = File.read(fixtures("pam_common_#{type}.vas.#{k}")) + it { should contain_file("pam_common_#{type}").with_content(pam_common_fixture) } + + v[:packages].sort.each do |pkg| + it { should contain_file("pam_common_#{type}").that_requires("Package[#{pkg}]") } + end + end + + it { + should contain_file('pam_common_noninteractive_session').with({ + 'ensure' => 'file', + 'path' => '/etc/pam.d/common-session-noninteractive', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + }) + } + pam_common_noninteractive_session_fixture = File.read(fixtures("pam_common_noninteractive_session.vas.#{k}")) + it { should contain_file('pam_common_noninteractive_session').with_content(pam_common_noninteractive_session_fixture) } - context 'with default params on osfamily RedHat with operatingsystemmajrelease 6' do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '6', - } + v[:packages].sort.each do |pkg| + it { should contain_file("pam_common_noninteractive_session").that_requires("Package[#{pkg}]") } + end + end end - - it { - should contain_file('pam_system_auth_ac').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/system-auth-ac', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - it { should contain_file('pam_system_auth_ac').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT
-# Auth
-auth required pam_env.so
-auth sufficient pam_fprintd.so
-auth sufficient pam_unix.so nullok try_first_pass
-auth requisite pam_succeed_if.so uid >= 500 quiet
-auth required pam_deny.so
-
-# Account
-account required pam_unix.so
-account sufficient pam_localuser.so
-account sufficient pam_succeed_if.so uid < 500 quiet
-account required pam_permit.so
-
-# Password
-password requisite pam_cracklib.so try_first_pass retry=3 type=
-password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
-password required pam_deny.so
-
-# Session
-session optional pam_keyinit.so revoke
-session required pam_limits.so
-session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session required pam_unix.so
-")
- }
-
- it {
- should contain_file('pam_system_auth').with({
- 'ensure' => 'symlink',
- 'path' => '/etc/pam.d/system-auth',
- 'owner' => 'root',
- 'group' => 'root',
- })
- }
-
- it {
- should contain_file('pam_d_login').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/login',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_d_login').with_content("#%PAM-1.0
-auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
-auth include system-auth
-account required pam_nologin.so
-account include system-auth
-account required pam_access.so
-password include system-auth
-# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
-session required pam_loginuid.so
-session optional pam_console.so
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
-session required pam_selinux.so open
-session required pam_namespace.so
-session optional pam_keyinit.so force revoke
-session include system-auth
--session optional pam_ck_connector.so
-")
- }
-
- it {
- should contain_file('pam_d_sshd').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/sshd',
- 'owner' => 'root', 
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_d_sshd').with_content("#%PAM-1.0
-auth required pam_sepermit.so
-auth include password-auth
-account required pam_access.so
-account required pam_nologin.so
-account include password-auth
-password include password-auth
-# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
-session required pam_loginuid.so
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
-session required pam_selinux.so open env_params
-session optional pam_keyinit.so force revoke
-session include password-auth
-")
- }
-
- it { should_not contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so/) }
 end
+ end
- context 'with login_pam_access => sufficient on osfamily RedHat with operatingsystemmajrelease 6' do
- let :facts do
- {
- :osfamily => 'RedHat',
- :operatingsystemmajrelease => '6',
- }
- end
-
- let(:params) {{ :login_pam_access => 'sufficient' }}
-
- it { should contain_file('pam_d_login').with_content("#%PAM-1.0
-auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
-auth include system-auth
-account required pam_nologin.so
-account include system-auth
-account sufficient pam_access.so
-password include system-auth
-# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
-session required pam_loginuid.so
-session optional pam_console.so
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
-session required pam_selinux.so open
-session required pam_namespace.so
-session optional pam_keyinit.so force revoke
-session include system-auth
--session optional pam_ck_connector.so
-")
- }
- end
+ describe 'validating versions' do
+ platforms.sort.each do |k,v|
+ context "with ensure_vas => present and unsupported vas_major_version on #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do
+ let 
:facts do
+ { :osfamily => v[:osfamily],
+ :"#{v[:releasetype]}" => v[:release],
+ :lsbdistid => v[:lsbdistid],
+ }
+ end
+ let :params do
+ {
+ :ensure_vas => 'present',
+ :vas_major_version => '5',
+ }
+ end
- context 'with sshd_pam_access => sufficient on osfamily RedHat with operatingsystemmajrelease 6' do
- let :facts do
- {
- :osfamily => 'RedHat',
- :operatingsystemmajrelease => '6',
- }
+ if v[:osfamily] == 'RedHat'
+ if v[:release] == '5' or v[:release] == '6'
+ it 'should fail' do
+ expect {
+ should contain_class('pam')
+ }.to raise_error(Puppet::Error,/Pam is only supported with vas_major_version 3 or 4/)
+ end
+ else
+ it 'should fail' do
+ expect {
+ should contain_class('pam')
+ }.to raise_error(Puppet::Error,/Pam is only supported with vas_major_version 4 on EL7/)
+ end
+ end
+ end
 end
-
- let(:params) {{ :sshd_pam_access => 'sufficient' }}
-
- it { should contain_file('pam_d_sshd').with_content("#%PAM-1.0
-auth required pam_sepermit.so
-auth include password-auth
-account sufficient pam_access.so
-account required pam_nologin.so
-account include password-auth
-password include password-auth
-# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
-session required pam_loginuid.so
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
-session required pam_selinux.so open env_params
-session optional pam_keyinit.so force revoke
-session include password-auth
-")
- }
 end
+ end
- context 'with login_pam_access => absent on osfamily RedHat with operatingsystemmajrelease 6' do
- let :facts do
- {
- :osfamily => 'RedHat',
- :operatingsystemmajrelease => '6',
- }
- end
-
- let(:params) {{ :login_pam_access => 'absent' }}
+ describe 'validating params' do
+ platforms.sort.slice(0,1).each do |k,v|
+ ['required','requisite','sufficient','optional','absent'].each do |value|
+ context "with login_pam_access set to valid value: #{value} on #{v[:osfamily]} with #{v[:releasetype]} 
#{v[:release]}" do
+ let :facts do
+ { :osfamily => v[:osfamily],
+ :"#{v[:releasetype]}" => v[:release],
+ :lsbdistid => v[:lsbdistid],
+ }
+ end
+ let(:params) {{ :login_pam_access => value }}
+
+ it { should contain_class('pam') }
+ end
- it { should contain_file('pam_d_login').with_content("#%PAM-1.0
-auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
-auth include system-auth
-account required pam_nologin.so
-account include system-auth
-password include system-auth
-# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
-session required pam_loginuid.so
-session optional pam_console.so
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
-session required pam_selinux.so open
-session required pam_namespace.so
-session optional pam_keyinit.so force revoke
-session include system-auth
--session optional pam_ck_connector.so
-")
- }
- end
+ context "with sshd_pam_access set to valid value: #{value} on #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do
+ let :facts do
+ { :osfamily => v[:osfamily],
+ :"#{v[:releasetype]}" => v[:release],
+ :lsbdistid => v[:lsbdistid],
+ }
+ end
+ let(:params) {{ :sshd_pam_access => value }}
- context 'with sshd_pam_access => absent on osfamily RedHat with operatingsystemmajrelease 6' do
- let :facts do
- {
- :osfamily => 'RedHat',
- :operatingsystemmajrelease => '6',
- }
+ it { should contain_class('pam') }
+ end
 end
- let(:params) {{ :sshd_pam_access => 'absent' }}
-
- it { should contain_file('pam_d_sshd').with_content("#%PAM-1.0
-auth required pam_sepermit.so
-auth include password-auth
-account required pam_nologin.so
-account include password-auth
-password include password-auth
-# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
-session required pam_loginuid.so
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
-session 
required pam_selinux.so open env_params
-session optional pam_keyinit.so force revoke
-session include password-auth
-")
- }
- end
+ context "with login_pam_access set to invalid value on #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do
+ let :facts do
+ { :osfamily => v[:osfamily],
+ :"#{v[:releasetype]}" => v[:release],
+ :lsbdistid => v[:lsbdistid],
+ }
+ end
+ let(:params) {{ :login_pam_access => 'invalid' }}
- context 'with default params on osfamily RedHat with operatingsystemmajrelease 7' do
- let :facts do
- {
- :osfamily => 'RedHat',
- :operatingsystemmajrelease => '7',
- }
+ it 'should fail' do
+ expect {
+ should contain_class('pam')
+ }.to raise_error(Puppet::Error,/pam::login_pam_access is and must be either 'required', 'requisite', 'sufficient', 'optional' or 'absent'./)
+ end
 end
- it {
- should contain_file('pam_system_auth_ac').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/system-auth-ac',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
- it { should contain_file('pam_system_auth_ac').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT
-# Auth
-auth required pam_env.so
-auth sufficient pam_fprintd.so
-auth sufficient pam_unix.so nullok try_first_pass
-auth requisite pam_succeed_if.so uid >= 1000 quiet_success
-auth required pam_deny.so
-
-# Account
-account required pam_unix.so
-account sufficient pam_localuser.so
-account sufficient pam_succeed_if.so uid < 1000 quiet
-account required pam_permit.so
-
-# Password
-password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
-password required pam_deny.so
-
-# Session
-session optional pam_keyinit.so revoke
-session required pam_limits.so
--session optional pam_systemd.so
-session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session required pam_unix.so
-")
- }
-
- it {
- should contain_file('pam_system_auth').with({
- 'ensure' => 'symlink',
- 'path' => '/etc/pam.d/system-auth',
- 'owner' => 'root',
- 'group' => 'root',
- })
- }
-
- it {
- should contain_file('pam_d_login').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/login',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_d_login').with_content("#%PAM-1.0
-auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
-auth substack system-auth
-auth include postlogin
-account required pam_nologin.so
-account include system-auth
-password include system-auth
-# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
-session required pam_loginuid.so
-session optional pam_console.so
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
-session required pam_selinux.so open
-session required pam_namespace.so
-session optional pam_keyinit.so force revoke
-session include system-auth
-session include postlogin
--session optional pam_ck_connector.so
-")
- }
-
- it {
- should 
contain_file('pam_d_sshd').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/sshd',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_d_sshd').with_content("#%PAM-1.0
-auth required pam_sepermit.so
-auth substack password-auth
-auth include postlogin
-account required pam_nologin.so
-account include password-auth
-password include password-auth
-# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
-session required pam_loginuid.so
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
-session required pam_selinux.so open env_params
-session optional pam_keyinit.so force revoke
-session include password-auth
-session include postlogin
-")
- }
-
- it { should_not contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so/) }
- end
+ context "with sshd_pam_access set to invalid value on #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do
+ let :facts do
+ { :osfamily => v[:osfamily],
+ :"#{v[:releasetype]}" => v[:release],
+ :lsbdistid => v[:lsbdistid],
+ }
+ end
+ let(:params) {{ :sshd_pam_access => 'invalid' }}
- context 'with default params on Ubuntu 12.04 LTS' do
- let :facts do
- {
- :lsbdistid => 'Ubuntu',
- :osfamily => 'Debian',
- :lsbdistrelease => '12.04',
- }
+ it 'should fail' do
+ expect {
+ should contain_class('pam')
+ }.to raise_error(Puppet::Error,/pam::sshd_pam_access is and must be either 'required', 'requisite', 'sufficient', 'optional' or 'absent'./)
+ end
 end
- it {
- should contain_package('libpam0g').with({
- 'ensure' => 'installed',
- })
- }
-
- it {
- should contain_file('pam_common_auth').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-auth',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_auth').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT
-auth [success=1 default=ignore] pam_unix.so nullok_secure
-auth requisite pam_deny.so
-auth required pam_permit.so
-")
- }
-
- it {
- should contain_file('pam_common_account').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-account',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_account').with_content("# This file is being maintained by Puppet.
-# DO NOT EDIT
-account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
-account requisite pam_deny.so
-account required pam_permit.so
-")
- }
-
- it {
- should contain_file('pam_common_password').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-password',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_password').with_content("# This file is being maintained by Puppet.
-# DO NOT EDIT
-password [success=1 default=ignore] pam_unix.so obscure sha512
-password requisite pam_deny.so
-password required pam_permit.so
-")
- }
-
- it { should contain_file('pam_common_noninteractive_session').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-session-noninteractive',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_noninteractive_session').with_content("# This file is being maintained by Puppet.
-# DO NOT EDIT
-session [default=1] pam_permit.so
-session requisite pam_deny.so
-session required pam_permit.so
-session optional pam_umask.so
-session required pam_unix.so
-")
- }
-
- it { should contain_file('pam_common_session').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-session',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_session').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT
-session [default=1] pam_permit.so
-session requisite pam_deny.so
-session required pam_permit.so
-session optional pam_umask.so
-session required pam_unix.so
-")
- }
-
- it {
- should contain_file('pam_d_login').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/login',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_d_login').with_content("auth optional pam_faildelay.so delay=3000000
-auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
-auth requisite pam_nologin.so
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
-session required pam_env.so readenv=1
-session required pam_env.so readenv=1 envfile=/etc/default/locale
-@include common-auth
-auth optional pam_group.so
-session required pam_limits.so
-session optional pam_lastlog.so
-session optional pam_motd.so
-session optional pam_mail.so standard
-@include common-account
-@include common-session
-@include common-password
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-")
- }
-
- it {
- should contain_file('pam_d_sshd').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/sshd',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_d_sshd').with_content("auth required pam_env.so # [1]
-auth required pam_env.so envfile=/etc/default/locale
-@include common-auth
-account required pam_nologin.so
-@include common-account
-@include common-session
-session optional pam_motd.so # [1]
-session optional pam_mail.so standard noenv # [1]
-session required pam_limits.so
-@include common-password
-")
- }
- end
-
- context 'with default params on Ubuntu 14.04 LTS' do
- let :facts do
- {
- :lsbdistid => 'Ubuntu',
- :osfamily => 'Debian',
- :lsbdistrelease => '14.04',
- }
- end
-
- it {
- should contain_package('libpam0g').with({
- 'ensure' => 'installed',
- })
- }
-
- it {
- 
should contain_file('pam_common_auth').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-auth',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_auth').with_content("# This file is being maintained by Puppet.
-# DO NOT EDIT
-auth [success=1 default=ignore] pam_unix.so nullok_secure
-auth requisite pam_deny.so
-auth required pam_permit.so
-auth optional pam_cap.so
-")
- }
-
- it {
- should contain_file('pam_common_account').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-account',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_account').with_content("# This file is being maintained by Puppet.
-# DO NOT EDIT
-account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
-account requisite pam_deny.so
-account required pam_permit.so
-")
- }
-
- it {
- should contain_file('pam_common_password').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-password',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_password').with_content("# This file is being maintained by Puppet.
-# DO NOT EDIT
-password [success=1 default=ignore] pam_unix.so obscure sha512
-password requisite pam_deny.so
-password required pam_permit.so
-")
- }
-
- it { should contain_file('pam_common_noninteractive_session').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-session-noninteractive',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_noninteractive_session').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT
-session [default=1] pam_permit.so
-session requisite pam_deny.so
-session required pam_permit.so
-session optional pam_umask.so
-session required pam_unix.so
-session optional pam_systemd.so
-")
- }
-
- it { should contain_file('pam_common_session').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-session',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_session').with_content("# This file is being maintained by Puppet.
-# DO NOT EDIT
-session [default=1] pam_permit.so
-session requisite pam_deny.so
-session required pam_permit.so
-session optional pam_umask.so
-session required pam_unix.so
-session optional pam_systemd.so
-")
- }
-
- it {
- should contain_file('pam_d_login').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/login',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_d_login').with_content("auth optional pam_faildelay.so delay=3000000
-auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
-auth requisite pam_nologin.so
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
-session required pam_env.so readenv=1
-session required pam_env.so readenv=1 envfile=/etc/default/locale
-@include common-auth
-auth optional pam_group.so
-session required pam_limits.so
-session optional pam_lastlog.so
-session optional pam_motd.so motd=/run/motd.dynamic noupdate
-session optional pam_motd.so
-session optional pam_mail.so standard
-@include common-account
-@include common-session
-@include common-password
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-")
- }
-
- it {
- should contain_file('pam_d_sshd').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/sshd',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_d_sshd').with_content("@include 
common-auth
-account required pam_nologin.so
-@include common-account
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
-session required pam_loginuid.so
-session optional pam_keyinit.so force revoke
-@include common-session
-session optional pam_motd.so motd=/run/motd.dynamic noupdate
-session optional pam_motd.so # [1]
-session optional pam_mail.so standard noenv # [1]
-session required pam_limits.so
-session required pam_env.so # [1]
-session required pam_env.so user_readenv=1 envfile=/etc/default/locale
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-@include common-password
-")
- }
- end
-
- context 'with default params on osfamily Suse with lsbmajdistrelease 9' do
- let :facts do
- {
- :osfamily => 'Suse',
- :lsbmajdistrelease => '9',
- }
- end
-
- it {
- should contain_file('pam_other').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/other',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_other').with_content("# This file is being maintained by Puppet.
-# DO NOT EDIT
-# Auth
-auth required pam_warn.so
-auth required pam_unix2.so
-
-# Account
-account required pam_warn.so
-account required pam_unix2.so
-
-# Password
-password required pam_warn.so
-password required pam_pwcheck.so use_cracklib
-
-# Session
-session required pam_warn.so
-session required pam_unix2.so debug
-")
- }
- end
-
- context 'with default params on osfamily Suse with lsbmajdistrelease 10' do
- let :facts do
- {
- :osfamily => 'Suse',
- :lsbmajdistrelease => '10',
- }
- end
-
- it {
- should contain_file('pam_common_auth').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-auth',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_auth').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT
-auth required pam_env.so
-auth required pam_unix2.so
-")
- }
-
- it {
- should contain_file('pam_common_account').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-account',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_account').with_content("# This file is being maintained by Puppet.
-# DO NOT EDIT
-account required pam_unix2.so
-")
- }
-
- it {
- should contain_file('pam_common_password').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-password',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_password').with_content("# This file is being maintained by Puppet.
-# DO NOT EDIT
-password required pam_pwcheck.so nullok
-password required pam_unix2.so nullok use_authtok
-")
- }
-
- it {
- should contain_file('pam_common_session').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-session',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_session').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT
-session required pam_limits.so
-session required pam_unix2.so
-")
- }
-
- it {
- should contain_file('pam_d_login').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/login',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_d_login').with_content("#%PAM-1.0
-auth required pam_securetty.so
-auth include common-auth
-auth required pam_nologin.so
-account include common-account
-password include common-password
-session include common-session
-session required pam_lastlog.so nowtmp
-session required pam_resmgr.so
-session optional pam_mail.so standard
-")
- }
-
- it {
- should contain_file('pam_d_sshd').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/sshd',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_d_sshd').with_content("#%PAM-1.0
-auth include common-auth
-auth required pam_nologin.so
-account include common-account
-password include common-password
-session include common-session
-")
- }
- end
-
- context 'with default params on osfamily Suse with lsbmajdistrelease 11' do
- let :facts do
- {
- :osfamily => 'Suse',
- :lsbmajdistrelease => '11',
- }
- end
-
- it {
- should contain_file('pam_common_auth_pc').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-auth-pc',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_auth_pc').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT
-auth required pam_env.so
-auth required pam_unix2.so
-")
- }
-
- it {
- should contain_file('pam_common_auth').with({
- 'ensure' => 'symlink',
- 'path' => '/etc/pam.d/common-auth',
- 'owner' => 'root',
- 'group' => 'root',
- })
- }
-
- it {
- should contain_file('pam_common_account_pc').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-account-pc',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_account_pc').with_content("# This file is being maintained by Puppet.
-# DO NOT EDIT
-account required pam_unix2.so
-")
- }
-
- it {
- should contain_file('pam_common_account').with({
- 'ensure' => 'symlink',
- 'path' => '/etc/pam.d/common-account',
- 'owner' => 'root',
- 'group' => 'root',
- })
- }
-
- it {
- should contain_file('pam_common_password_pc').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-password-pc',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_password_pc').with_content("# This file is being maintained by Puppet.
-# DO NOT EDIT
-password required pam_pwcheck.so nullok cracklib
-password required pam_unix2.so nullok use_authtok
-")
- }
-
- it {
- should contain_file('pam_common_password').with({
- 'ensure' => 'symlink',
- 'path' => '/etc/pam.d/common-password',
- 'owner' => 'root',
- 'group' => 'root',
- })
- }
-
- it {
- should contain_file('pam_common_session_pc').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-session-pc',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_session_pc').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT
-session required pam_limits.so
-session required pam_unix2.so
-session optional pam_umask.so
-")
- }
-
- it {
- should contain_file('pam_common_session').with({
- 'ensure' => 'symlink',
- 'path' => '/etc/pam.d/common-session',
- 'owner' => 'root',
- 'group' => 'root',
- })
- }
-
- it {
- should contain_file('pam_d_login').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/login',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_d_login').with_content("#%PAM-1.0
-auth requisite pam_nologin.so
-auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
-auth include common-auth
-account include common-account
-account required pam_access.so
-password include common-password
-session required pam_loginuid.so
-session include common-session
-session required pam_lastlog.so nowtmp
-session optional pam_mail.so standard
-session optional pam_ck_connector.so
-")
- }
-
- it {
- should contain_file('pam_d_sshd').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/sshd',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_d_sshd').with_content("#%PAM-1.0
-auth requisite pam_nologin.so
-auth include common-auth
-account required pam_access.so
-account requisite pam_nologin.so
-account include common-account
-password include common-password
-session required pam_loginuid.so
-session include common-session
-")
- }
- end
-
- context 'with login_pam_access => sufficient on osfamily Suse with lsbmajdistrelease 11' do
- let :facts do
- {
- :osfamily => 'Suse',
- :lsbmajdistrelease => '11',
- }
- end
-
- let(:params) {{ :login_pam_access => 'sufficient' }}
-
- it { should contain_file('pam_d_login').with_content("#%PAM-1.0
-auth requisite pam_nologin.so
-auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
-auth include common-auth
-account include common-account
-account 
sufficient pam_access.so
-password include common-password
-session required pam_loginuid.so
-session include common-session
-session required pam_lastlog.so nowtmp
-session optional pam_mail.so standard
-session optional pam_ck_connector.so
-")
- }
- end
-
- context 'with sshd_pam_access => sufficient on osfamily Suse with lsbmajdistrelease 11' do
- let :facts do
- {
- :osfamily => 'Suse',
- :lsbmajdistrelease => '11',
- }
- end
-
- let(:params) {{ :sshd_pam_access => 'sufficient' }}
-
- it { should contain_file('pam_d_sshd').with_content("#%PAM-1.0
-auth requisite pam_nologin.so
-auth include common-auth
-account sufficient pam_access.so
-account requisite pam_nologin.so
-account include common-account
-password include common-password
-session required pam_loginuid.so
-session include common-session
-")
- }
- end
-
- context 'with login_pam_access => absent on osfamily Suse with lsbmajdistrelease 11' do
- let :facts do
- {
- :osfamily => 'Suse',
- :lsbmajdistrelease => '11',
- }
- end
-
- let(:params) {{ :login_pam_access => 'absent' }}
-
- it { should contain_file('pam_d_login').with_content("#%PAM-1.0
-auth requisite pam_nologin.so
-auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
-auth include common-auth
-account include common-account
-password include common-password
-session required pam_loginuid.so
-session include common-session
-session required pam_lastlog.so nowtmp
-session optional pam_mail.so standard
-session optional pam_ck_connector.so
-")
- }
- end
-
- context 'with sshd_pam_access => absent on osfamily Suse with lsbmajdistrelease 11' do
- let :facts do
- {
- :osfamily => 'Suse',
- :lsbmajdistrelease => '11',
- }
- end
-
- let(:params) {{ :sshd_pam_access => 'absent' }}
-
- it { should contain_file('pam_d_sshd').with_content("#%PAM-1.0
-auth requisite pam_nologin.so
-auth include common-auth
-account requisite pam_nologin.so
-account include common-account
-password include common-password
-session 
required pam_loginuid.so
-session include common-session
-")
- }
- end
-
- context 'with default params on osfamily Suse with lsbmajdistrelease 12' do
- let :facts do
- {
- :osfamily => 'Suse',
- :lsbmajdistrelease => '12',
- }
- end
-
- it {
- should contain_file('pam_common_auth_pc').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-auth-pc',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_auth_pc').with_content("# This file is being maintained by Puppet.
-# DO NOT EDIT
-auth required pam_env.so
-auth required pam_unix2.so
-")
- }
-
- it {
- should contain_file('pam_common_auth').with({
- 'ensure' => 'symlink',
- 'path' => '/etc/pam.d/common-auth',
- 'owner' => 'root',
- 'group' => 'root',
- })
- }
-
- it {
- should contain_file('pam_common_account_pc').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-account-pc',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_account_pc').with_content("# This file is being maintained by Puppet.
-# DO NOT EDIT
-account required pam_unix2.so
-")
- }
-
- it {
- should contain_file('pam_common_account').with({
- 'ensure' => 'symlink',
- 'path' => '/etc/pam.d/common-account',
- 'owner' => 'root',
- 'group' => 'root',
- })
- }
-
- it {
- should contain_file('pam_common_password_pc').with({
- 'ensure' => 'file',
- 'path' => '/etc/pam.d/common-password-pc',
- 'owner' => 'root',
- 'group' => 'root',
- 'mode' => '0644',
- })
- }
-
- it { should contain_file('pam_common_password_pc').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT -password required pam_pwcheck.so nullok cracklib -password required pam_unix2.so nullok use_authtok -") - } - - it { - should contain_file('pam_common_password').with({ - 'ensure' => 'symlink', - 'path' => '/etc/pam.d/common-password', - 'owner' => 'root', - 'group' => 'root', - }) - } - - it { - should contain_file('pam_common_session_pc').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-session-pc', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_session_pc').with_content("# This file is being maintained by Puppet. -# DO NOT EDIT -session required pam_limits.so -session required pam_unix2.so -session optional pam_umask.so -") - } - - it { - should contain_file('pam_common_session').with({ - 'ensure' => 'symlink', - 'path' => '/etc/pam.d/common-session', - 'owner' => 'root', - 'group' => 'root', - }) - } - - it { - should contain_file('pam_d_login').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/login', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_d_login').with_content("#%PAM-1.0 -auth requisite pam_nologin.so -auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so -auth include common-auth -account include common-account -password include common-password -session required pam_loginuid.so -session include common-session -session optional pam_mail.so standard -session optional pam_ck_connector.so -") - } - - it { - should contain_file('pam_d_sshd').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/sshd', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_d_sshd').with_content("#%PAM-1.0 -auth requisite pam_nologin.so -auth include common-auth -account requisite pam_nologin.so -account include common-account -password include common-password -session required pam_loginuid.so -session include common-session -session 
optional pam_lastlog.so silent noupdate showfailed -") - } - end - - context 'with default params on osfamily Solaris with kernelrelease 5.9' do - let :facts do - { - :osfamily => 'Solaris', - :kernelrelease => '5.9', - } - end - - it { - should contain_file('pam_conf').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.conf', - 'owner' => 'root', - 'group' => 'sys', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_conf').with_content("# This file is being maintained by Puppet. -# DO NOT EDIT -# Auth -login auth requisite pam_authtok_get.so.1 -login auth required pam_dhkeys.so.1 -login auth required pam_unix_auth.so.1 -login auth required pam_dial_auth.so.1 -passwd auth required pam_passwd_auth.so.1 -other auth requisite pam_authtok_get.so.1 -other auth required pam_dhkeys.so.1 -other auth required pam_unix_auth.so.1 - -# Account -cron account required pam_projects.so.1 -cron account required pam_unix_account.so.1 -other account requisite pam_roles.so.1 -other account required pam_projects.so.1 -other account required pam_unix_account.so.1 - -# Password -other password required pam_dhkeys.so.1 -other password requisite pam_authtok_get.so.1 -other password requisite pam_authtok_check.so.1 -other password required pam_authtok_store.so.1 - -# Session -other session required pam_unix_session.so.1 -") - } - end - - context 'with default params on osfamily Solaris with kernelrelease 5.10' do - let :facts do - { - :osfamily => 'Solaris', - :kernelrelease => '5.10', - } - end - - it { - should contain_file('pam_conf').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.conf', - 'owner' => 'root', - 'group' => 'sys', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_conf').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT -# Auth -login auth requisite pam_authtok_get.so.1 -login auth required pam_dhkeys.so.1 -login auth required pam_unix_cred.so.1 -login auth required pam_unix_auth.so.1 -login auth required pam_dial_auth.so.1 -passwd auth required pam_passwd_auth.so.1 -other auth requisite pam_authtok_get.so.1 -other auth required pam_dhkeys.so.1 -other auth required pam_unix_cred.so.1 -other auth required pam_unix_auth.so.1 - -# Account -other account requisite pam_roles.so.1 -other account required pam_unix_account.so.1 - -# Password -other password required pam_dhkeys.so.1 -other password requisite pam_authtok_get.so.1 -other password requisite pam_authtok_check.so.1 -other password required pam_authtok_store.so.1 - -# Session -other session required pam_unix_session.so.1 -") - } - end - - context 'with default params on osfamily Solaris with kernelrelease 5.11' do - let :facts do - { - :osfamily => 'Solaris', - :kernelrelease => '5.11', - } - end - - it { - should contain_file('pam_other').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/other', - 'owner' => 'root', - 'group' => 'sys', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_other').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT -# Auth -auth definitive pam_user_policy.so.1 -auth requisite pam_authtok_get.so.1 -auth required pam_dhkeys.so.1 -auth required pam_unix_auth.so.1 -auth required pam_unix_cred.so.1 - -# Account -account requisite pam_roles.so.1 -account definitive pam_user_policy.so.1 -account required pam_unix_account.so.1 -account required pam_tsol_account.so.1 - -# Password -password definitive pam_user_policy.so.1 -password include pam_authtok_common -password required pam_authtok_store.so.1 - -# Session -session definitive pam_user_policy.so.1 -session required pam_unix_session.so.1 -") - } - end - - context 'with ensure_vas=present and default vas_major_version (4) on osfamily RedHat with operatingsystemmajrelease 5' do - let (:params) do - { - :ensure_vas => 'present', - } - end - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '5', - } - end - - it { - should contain_file('pam_system_auth_ac').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/system-auth-ac', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so/) } - it { should contain_file('pam_system_auth_ac').with_content(/account[\s]+sufficient[\s]+pam_vas3.so/) } - it { should contain_file('pam_system_auth_ac').with_content(/password[\s]+sufficient[\s]+pam_vas3.so/) } - it { should contain_file('pam_system_auth_ac').with_content(/session[\s]+required[\s]+pam_vas3.so/) } - it { should_not contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so.*store_creds/) } - end - - context 'with ensure_vas=present and default vas_major_version (4) on osfamily RedHat with operatingsystemmajrelease 6' do - let (:params) do - { - :ensure_vas => 'present', - } - end - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '6', - } - end - - it { - should contain_file('pam_system_auth_ac').with({ - 'ensure' => 'file', - 
'path' => '/etc/pam.d/system-auth-ac', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so/) } - it { should contain_file('pam_system_auth_ac').with_content(/account[\s]+sufficient[\s]+pam_vas3.so/) } - it { should contain_file('pam_system_auth_ac').with_content(/password[\s]+sufficient[\s]+pam_vas3.so/) } - it { should contain_file('pam_system_auth_ac').with_content(/session[\s]+required[\s]+pam_vas3.so/) } - it { should_not contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so.*store_creds/) } - end - - context 'with ensure_vas=present and default vas_major_version (4) on osfamily RedHat with operatingsystemmajrelease 7' do - let (:params) do - { - :ensure_vas => 'present', - } - end - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '7', - } - end - - it { - should contain_file('pam_system_auth_ac').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/system-auth-ac', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so/) } - it { should contain_file('pam_system_auth_ac').with_content(/account[\s]+sufficient[\s]+pam_vas3.so/) } - it { should contain_file('pam_system_auth_ac').with_content(/password[\s]+sufficient[\s]+pam_vas3.so/) } - it { should contain_file('pam_system_auth_ac').with_content(/session[\s]+required[\s]+pam_vas3.so/) } - it { should_not contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so.*store_creds/) } - end - - context 'with ensure_vas=present and vas_major_version=3 on osfamily RedHat with operatingsystemmajrelease 5' do - let (:params) do - { - :ensure_vas => 'present', - :vas_major_version => '3', - } - end - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '5', - } - end - - it { - should 
contain_file('pam_system_auth_ac').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/system-auth-ac', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so.*store_creds/) } - it { should contain_file('pam_system_auth_ac').with_content(/account[\s]+sufficient[\s]+pam_vas3.so/) } - it { should contain_file('pam_system_auth_ac').with_content(/password[\s]+sufficient[\s]+pam_vas3.so/) } - it { should contain_file('pam_system_auth_ac').with_content(/session[\s]+required[\s]+pam_vas3.so/) } - end - - context 'with ensure_vas=present and vas_major_version=3 on osfamily RedHat with operatingsystemmajrelease 6' do - let (:params) do - { - :ensure_vas => 'present', - :vas_major_version => '3', - } - end - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '6', - } - end - - it { - should contain_file('pam_system_auth_ac').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/system-auth-ac', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so.*store_creds/) } - it { should contain_file('pam_system_auth_ac').with_content(/account[\s]+sufficient[\s]+pam_vas3.so/) } - it { should contain_file('pam_system_auth_ac').with_content(/password[\s]+sufficient[\s]+pam_vas3.so/) } - it { should contain_file('pam_system_auth_ac').with_content(/session[\s]+required[\s]+pam_vas3.so/) } - end - - context 'with ensure_vas=present on osfamily Suse with lsbmajdistrelease 10' do - let(:params) { { :ensure_vas => 'present' } } - let :facts do - { - :osfamily => 'Suse', - :lsbmajdistrelease => '10', - } - end - - it { - should contain_file('pam_common_auth').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-auth', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should 
contain_file('pam_common_auth').with_content("# This file is being maintained by Puppet. -# DO NOT EDIT -auth required pam_env.so -auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass store_creds -auth requisite pam_vas3.so echo_return -auth required pam_unix2.so use_first_pass -") - } - - it { - should contain_file('pam_common_account').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-account', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_account').with_content("# This file is being maintained by Puppet. -# DO NOT EDIT -account sufficient pam_vas3.so -account requisite pam_vas3.so echo_return -account required pam_unix2.so -") - } - - it { - should contain_file('pam_common_password').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-password', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_password').with_content("# This file is being maintained by Puppet. -# DO NOT EDIT -password sufficient pam_vas3.so -password requisite pam_vas3.so echo_return -password requisite pam_pwcheck.so nullok -password required pam_unix2.so use_authtok nullok -") - } - - it { - should contain_file('pam_common_session').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-session', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_session').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT -session required pam_limits.so -session required pam_vas3.so -session requisite pam_vas3.so echo_return -session required pam_unix2.so -") - } - - it { - should contain_file('pam_d_login').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/login', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_d_login').with_content("#%PAM-1.0 -auth required pam_securetty.so -auth include common-auth -auth required pam_nologin.so -account include common-account -password include common-password -session include common-session -session required pam_lastlog.so nowtmp -session required pam_resmgr.so -session optional pam_mail.so standard -") - } - - it { - should contain_file('pam_d_sshd').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/sshd', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_d_sshd').with_content("#%PAM-1.0 -auth include common-auth -auth required pam_nologin.so -account include common-account -password include common-password -session include common-session -") - } - end - - context 'with ensure_vas=present on osfamily Suse with lsbmajdistrelease 11' do - let(:params) { { :ensure_vas => 'present' } } - let :facts do - { - :osfamily => 'Suse', - :lsbmajdistrelease => '11', - } - end - - it { - should contain_file('pam_common_auth_pc').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-auth-pc', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_auth_pc').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT -auth required pam_env.so -auth sufficient pam_vas3.so create_homedir get_nonvas_pass -auth requisite pam_vas3.so echo_return -auth required pam_unix2.so use_first_pass -") - } - - it { - should contain_file('pam_common_auth').with({ - 'ensure' => 'symlink', - 'path' => '/etc/pam.d/common-auth', - 'owner' => 'root', - 'group' => 'root', - }) - } - - it { - should contain_file('pam_common_account_pc').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-account-pc', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_account_pc').with_content("# This file is being maintained by Puppet. -# DO NOT EDIT -account sufficient pam_vas3.so -account requisite pam_vas3.so echo_return -account required pam_unix2.so -") - } - - it { - should contain_file('pam_common_account').with({ - 'ensure' => 'symlink', - 'path' => '/etc/pam.d/common-account', - 'owner' => 'root', - 'group' => 'root', - }) - } - - it { - should contain_file('pam_common_password_pc').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-password-pc', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_password_pc').with_content("# This file is being maintained by Puppet. -# DO NOT EDIT -password sufficient pam_vas3.so -password requisite pam_vas3.so echo_return -password requisite pam_pwcheck.so nullok cracklib -password required pam_unix2.so use_authtok nullok -") - } - - it { - should contain_file('pam_common_password').with({ - 'ensure' => 'symlink', - 'path' => '/etc/pam.d/common-password', - 'owner' => 'root', - 'group' => 'root', - }) - } - - it { - should contain_file('pam_common_session_pc').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-session-pc', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_session_pc').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT -session required pam_limits.so -session required pam_vas3.so create_homedir -session requisite pam_vas3.so echo_return -session required pam_unix2.so -session optional pam_umask.so -") - } - - it { - should contain_file('pam_common_session').with({ - 'ensure' => 'symlink', - 'path' => '/etc/pam.d/common-session', - 'owner' => 'root', - 'group' => 'root', - }) - } - - it { - should contain_file('pam_d_login').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/login', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_d_login').with_content("#%PAM-1.0 -auth requisite pam_nologin.so -auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so -auth include common-auth -account include common-account -account required pam_access.so -password include common-password -session required pam_loginuid.so -session include common-session -session required pam_lastlog.so nowtmp -session optional pam_mail.so standard -session optional pam_ck_connector.so -") - } - - it { - should contain_file('pam_d_sshd').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/sshd', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_d_sshd').with_content("#%PAM-1.0 -auth requisite pam_nologin.so -auth include common-auth -account required pam_access.so -account requisite pam_nologin.so -account include common-account -password include common-password -session required pam_loginuid.so -session include common-session -") - } - end - - context 'with ensure_vas=present on osfamily Suse with lsbmajdistrelease 12' do - let(:params) { { :ensure_vas => 'present' } } - let :facts do - { - :osfamily => 'Suse', - :lsbmajdistrelease => '11', - } - end - - it { - should contain_file('pam_common_auth_pc').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-auth-pc', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { 
should contain_file('pam_common_auth_pc').with_content("# This file is being maintained by Puppet. -# DO NOT EDIT -auth required pam_env.so -auth sufficient pam_vas3.so create_homedir get_nonvas_pass -auth requisite pam_vas3.so echo_return -auth required pam_unix2.so use_first_pass -") - } - - it { - should contain_file('pam_common_auth').with({ - 'ensure' => 'symlink', - 'path' => '/etc/pam.d/common-auth', - 'owner' => 'root', - 'group' => 'root', - }) - } - - it { - should contain_file('pam_common_account_pc').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-account-pc', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_account_pc').with_content("# This file is being maintained by Puppet. -# DO NOT EDIT -account sufficient pam_vas3.so -account requisite pam_vas3.so echo_return -account required pam_unix2.so -") - } - - it { - should contain_file('pam_common_account').with({ - 'ensure' => 'symlink', - 'path' => '/etc/pam.d/common-account', - 'owner' => 'root', - 'group' => 'root', - }) - } - - it { - should contain_file('pam_common_password_pc').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-password-pc', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_password_pc').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT -password sufficient pam_vas3.so -password requisite pam_vas3.so echo_return -password requisite pam_pwcheck.so nullok cracklib -password required pam_unix2.so use_authtok nullok -") - } - - it { - should contain_file('pam_common_password').with({ - 'ensure' => 'symlink', - 'path' => '/etc/pam.d/common-password', - 'owner' => 'root', - 'group' => 'root', - }) - } - - it { - should contain_file('pam_common_session_pc').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-session-pc', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_session_pc').with_content("# This file is being maintained by Puppet. -# DO NOT EDIT -session required pam_limits.so -session required pam_vas3.so create_homedir -session requisite pam_vas3.so echo_return -session required pam_unix2.so -session optional pam_umask.so -") - } - - it { - should contain_file('pam_common_session').with({ - 'ensure' => 'symlink', - 'path' => '/etc/pam.d/common-session', - 'owner' => 'root', - 'group' => 'root', - }) - } - - it { - should contain_file('pam_d_login').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/login', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_d_login').with_content("#%PAM-1.0 -auth requisite pam_nologin.so -auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so -auth include common-auth -account include common-account -account required pam_access.so -password include common-password -session required pam_loginuid.so -session include common-session -session required pam_lastlog.so nowtmp -session optional pam_mail.so standard -session optional pam_ck_connector.so -") - } - - it { - should contain_file('pam_d_sshd').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/sshd', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should 
contain_file('pam_d_sshd').with_content("#%PAM-1.0 -auth requisite pam_nologin.so -auth include common-auth -account required pam_access.so -account requisite pam_nologin.so -account include common-account -password include common-password -session required pam_loginuid.so -session include common-session -") - } - end - - context 'with ensure_vas=present and vas_major_version=3 on Ubuntu 12.04 LTS' do - let (:params) do - { - :ensure_vas => 'present', - :vas_major_version => '3', - } - end - let :facts do - { - :osfamily => 'Debian', - :lsbdistid => 'Ubuntu', - :lsbdistrelease => '12.04', - } - end - - it { should contain_class('pam::accesslogin') } - it { should contain_class('pam::limits') } - - it { - should contain_package('libpam0g').with({ - 'ensure' => 'installed', - }) - } - - it { - should contain_file('pam_d_login').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/login', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_d_login').with_content("auth optional pam_faildelay.so delay=3000000 -auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so -auth requisite pam_nologin.so -session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close -session required pam_env.so readenv=1 -session required pam_env.so readenv=1 envfile=/etc/default/locale -@include common-auth -auth optional pam_group.so -session required pam_limits.so -session optional pam_lastlog.so -session optional pam_motd.so -session optional pam_mail.so standard -@include common-account -@include common-session -@include common-password -session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open -") - } - - it { - should contain_file('pam_d_sshd').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/sshd', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_d_sshd').with_content("auth 
required pam_env.so # [1] -auth required pam_env.so envfile=/etc/default/locale -@include common-auth -account required pam_nologin.so -@include common-account -@include common-session -session optional pam_motd.so # [1] -session optional pam_mail.so standard noenv # [1] -session required pam_limits.so -@include common-password -") - } - - it { - should contain_file('pam_common_auth').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-auth', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_auth').with_content("# This file is being maintained by Puppet. -# DO NOT EDIT -auth required pam_env.so -auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass store_creds -auth requisite pam_vas3.so echo_return -auth required pam_unix.so use_first_pass -") - } - - it { - should contain_file('pam_common_account').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-account', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_account').with_content("# This file is being maintained by Puppet. -# DO NOT EDIT -account sufficient pam_vas3.so -account requisite pam_vas3.so echo_return -account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so -account requisite pam_deny.so -account required pam_permit.so -") - } - - it { - should contain_file('pam_common_password').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-password', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_password').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT -password sufficient pam_vas3.so -password requisite pam_vas3.so echo_return -password [success=1 default=ignore] pam_unix.so obscure sha512 -password requisite pam_deny.so -password required pam_permit.so -") - } - - it { should contain_file('pam_common_session').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-session', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_session').with_content("# This file is being maintained by Puppet. -# DO NOT EDIT -session [default=1] pam_permit.so -session requisite pam_deny.so -session required pam_permit.so -session optional pam_umask.so -session required pam_vas3.so create_homedir -session requisite pam_vas3.so echo_return -session required pam_unix.so -") - } - - it { should contain_file('pam_common_noninteractive_session').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.d/common-session-noninteractive', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_common_noninteractive_session').with_content("# This file is being maintained by Puppet. -# DO NOT EDIT -session [default=1] pam_permit.so -session requisite pam_deny.so -session required pam_permit.so -session optional pam_umask.so -session required pam_vas3.so create_homedir -session requisite pam_vas3.so echo_return -session required pam_unix.so -") - } - end - - context 'with ensure_vas=present on osfamily Solaris with kernelrelease 5.10' do - let(:params) { { :ensure_vas => 'present' } } - let :facts do - { - :osfamily => 'Solaris', - :kernelrelease => '5.10', - } - end - - it { - should contain_file('pam_conf').with({ - 'ensure' => 'file', - 'path' => '/etc/pam.conf', - 'owner' => 'root', - 'group' => 'sys', - 'mode' => '0644', - }) - } - - it { should contain_file('pam_conf').with_content("# This file is being maintained by Puppet. 
-# DO NOT EDIT -# Auth -login auth required pam_unix_cred.so.1 -login auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass -login auth requisite pam_vas3.so echo_return -login auth requisite pam_authtok_get.so.1 use_first_pass -login auth required pam_dhkeys.so.1 -login auth required pam_unix_auth.so.1 -login auth required pam_dial_auth.so.1 -rlogin auth required pam_unix_cred.so.1 -rlogin auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass -rlogin auth requisite pam_vas3.so echo_return -rlogin auth requisite pam_authtok_get.so.1 use_first_pass -rlogin auth required pam_dhkeys.so.1 -rlogin auth required pam_unix_auth.so.1 -krlogin auth required pam_unix_cred.so.1 -krlogin auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass -krlogin auth requisite pam_vas3.so echo_return -krlogin auth required pam_krb5.so.1 use_first_pass -krsh auth required pam_unix_cred.so.1 -krsh auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass -krsh auth requisite pam_vas3.so echo_return -krsh auth required pam_krb5.so.1 use_first_pass -ktelnet auth required pam_unix_cred.so.1 -ktelnet auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass -ktelnet auth requisite pam_vas3.so echo_return -ktelnet auth required pam_krb5.so.1 use_first_pass -ppp auth required pam_unix_cred.so.1 -ppp auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass -ppp auth requisite pam_vas3.so echo_return -ppp auth requisite pam_authtok_get.so.1 use_first_pass -ppp auth required pam_dhkeys.so.1 -ppp auth required pam_unix_auth.so.1 -ppp auth required pam_dial_auth.so.1 -other auth required pam_unix_cred.so.1 -other auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass -other auth requisite pam_vas3.so echo_return -other auth requisite pam_authtok_get.so.1 use_first_pass -other auth required pam_dhkeys.so.1 -other auth required pam_unix_auth.so.1 -passwd auth sufficient 
pam_vas3.so create_homedir get_nonvas_pass try_first_pass -passwd auth requisite pam_vas3.so echo_return -passwd auth required pam_passwd_auth.so.1 use_first_pass - -# Account -cron account sufficient pam_vas3.so -cron account requisite pam_vas3.so echo_return -cron account required pam_unix_account.so.1 -other account requisite pam_roles.so.1 -other account sufficient pam_vas3.so -other account requisite pam_vas3.so echo_return -other account required pam_unix_account.so.1 - -# Password -other password required pam_dhkeys.so.1 -other password requisite pam_authtok_get.so.1 -other password sufficient pam_vas3.so -other password requisite pam_vas3.so echo_return -other password requisite pam_authtok_check.so.1 -other password required pam_authtok_store.so.1 - -# Session -other session required pam_vas3.so create_homedir -other session requisite pam_vas3.so echo_return -other session required pam_unix_session.so.1 -") - } - end - - context 'with ensure_vas=present and unsupported vas_major_version on osfamily RedHat with operatingsystemmajrelease 5' do - let (:params) do - { - :ensure_vas => 'present', - :vas_major_version => '5', - } - end - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '5', - } - end - - it 'should fail' do - expect { - should contain_class('pam') - }.to raise_error(Puppet::Error,/Pam is only supported with vas_major_version 3 or 4/) - end - end - - context 'with ensure_vas=present and unsupported vas_major_version on osfamily RedHat with operatingsystemmajrelease 5' do - let (:params) do - { - :ensure_vas => 'present', - :vas_major_version => '5', - } - end - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '5', - } - end - - it 'should fail' do - expect { - should contain_class('pam') - }.to raise_error(Puppet::Error,/Pam is only supported with vas_major_version 3 or 4/) - end - end - - context 'with ensure_vas=present and unsupported vas_major_version on osfamily RedHat with 
operatingsystemmajrelease 6' do - let (:params) do - { - :ensure_vas => 'present', - :vas_major_version => '5', - } - end - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '6', - } - end - - it 'should fail' do - expect { - should contain_class('pam') - }.to raise_error(Puppet::Error,/Pam is only supported with vas_major_version 3 or 4/) - end - end - - context 'with ensure_vas=present and unsupported vas_major_version on osfamily RedHat with operatingsystemmajrelease 7' do - let (:params) do - { - :ensure_vas => 'present', - :vas_major_version => '3', - } - end - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '7', - } - end - - it 'should fail' do - expect { - should contain_class('pam') - }.to raise_error(Puppet::Error,/Pam is only supported with vas_major_version 4 on EL7/) - end - end - end - - describe 'validating params' do - ['required','requisite','sufficient','optional','absent'].each do |value| - context "with login_pam_access set to valid value: #{value}" do + context "with specifying services param as invalid type (non-hash) on #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '5', + { :osfamily => v[:osfamily], + :"#{v[:releasetype]}" => v[:release], } end - - let(:params) {{ :login_pam_access => value }} - - it { should contain_class('pam') } - end - - context "with sshd_pam_access set to valid value: #{value}" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '5', - } + let (:params) { {:services => ['not', 'a', 'hash'] } } + it 'should fail' do + expect { + should contain_class('pam') + }.to raise_error(Puppet::Error) end - - let(:params) {{ :sshd_pam_access => value }} - - it { should contain_class('pam') } - end - end - - context 'with login_pam_access set to invalid value' do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '5', - } - end - - 
let(:params) {{ :login_pam_access => 'invalid' }} - - it 'should fail' do - expect { - should contain_class('pam') - }.to raise_error(Puppet::Error,/pam::login_pam_access is and must be either 'required', 'requisite', 'sufficient', 'optional' or 'absent'./) - end - end - - context 'with sshd_pam_access set to invalid value' do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemmajrelease => '5', - } - end - - let(:params) {{ :sshd_pam_access => 'invalid' }} - - it 'should fail' do - expect { - should contain_class('pam') - }.to raise_error(Puppet::Error,/pam::sshd_pam_access is and must be either 'required', 'requisite', 'sufficient', 'optional' or 'absent'./) end end end diff --git a/spec/fixtures/pam_common_account.defaults.suse10 b/spec/fixtures/pam_common_account.defaults.suse10 new file mode 100644 index 00000000..98517d80 --- /dev/null +++ b/spec/fixtures/pam_common_account.defaults.suse10 @@ -0,0 +1,3 @@ +# This file is being maintained by Puppet. +# DO NOT EDIT +account required pam_unix2.so diff --git a/spec/fixtures/pam_common_account.defaults.ubuntu1204 b/spec/fixtures/pam_common_account.defaults.ubuntu1204 new file mode 100644 index 00000000..9d331866 --- /dev/null +++ b/spec/fixtures/pam_common_account.defaults.ubuntu1204 @@ -0,0 +1,5 @@ +# This file is being maintained by Puppet. +# DO NOT EDIT +account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so +account requisite pam_deny.so +account required pam_permit.so diff --git a/spec/fixtures/pam_common_account.defaults.ubuntu1404 b/spec/fixtures/pam_common_account.defaults.ubuntu1404 new file mode 100644 index 00000000..9d331866 --- /dev/null +++ b/spec/fixtures/pam_common_account.defaults.ubuntu1404 @@ -0,0 +1,5 @@ +# This file is being maintained by Puppet. +# DO NOT EDIT +account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so +account requisite pam_deny.so +account required pam_permit.so 
diff --git a/spec/fixtures/pam_common_account.vas.suse10 b/spec/fixtures/pam_common_account.vas.suse10
new file mode 100644
index 00000000..e2f6b6e2
--- /dev/null
+++ b/spec/fixtures/pam_common_account.vas.suse10
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account sufficient pam_vas3.so
+account requisite pam_vas3.so echo_return
+account required pam_unix2.so
diff --git a/spec/fixtures/pam_common_account.vas.ubuntu1204 b/spec/fixtures/pam_common_account.vas.ubuntu1204
new file mode 100644
index 00000000..99c79353
--- /dev/null
+++ b/spec/fixtures/pam_common_account.vas.ubuntu1204
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account sufficient pam_vas3.so
+account requisite pam_vas3.so echo_return
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+account requisite pam_deny.so
+account required pam_permit.so
diff --git a/spec/fixtures/pam_common_account.vas.ubuntu1404 b/spec/fixtures/pam_common_account.vas.ubuntu1404
new file mode 100644
index 00000000..99c79353
--- /dev/null
+++ b/spec/fixtures/pam_common_account.vas.ubuntu1404
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account sufficient pam_vas3.so
+account requisite pam_vas3.so echo_return
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+account requisite pam_deny.so
+account required pam_permit.so
diff --git a/spec/fixtures/pam_common_account_pc.defaults.suse11 b/spec/fixtures/pam_common_account_pc.defaults.suse11
new file mode 100644
index 00000000..98517d80
--- /dev/null
+++ b/spec/fixtures/pam_common_account_pc.defaults.suse11
@@ -0,0 +1,3 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account required pam_unix2.so
diff --git a/spec/fixtures/pam_common_account_pc.defaults.suse12 b/spec/fixtures/pam_common_account_pc.defaults.suse12
new file mode 100644
index 00000000..98517d80
--- /dev/null
+++ b/spec/fixtures/pam_common_account_pc.defaults.suse12
@@ -0,0 +1,3 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account required pam_unix2.so
diff --git a/spec/fixtures/pam_common_account_pc.vas.suse11 b/spec/fixtures/pam_common_account_pc.vas.suse11
new file mode 100644
index 00000000..e2f6b6e2
--- /dev/null
+++ b/spec/fixtures/pam_common_account_pc.vas.suse11
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account sufficient pam_vas3.so
+account requisite pam_vas3.so echo_return
+account required pam_unix2.so
diff --git a/spec/fixtures/pam_common_account_pc.vas.suse12 b/spec/fixtures/pam_common_account_pc.vas.suse12
new file mode 100644
index 00000000..e2f6b6e2
--- /dev/null
+++ b/spec/fixtures/pam_common_account_pc.vas.suse12
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account sufficient pam_vas3.so
+account requisite pam_vas3.so echo_return
+account required pam_unix2.so
diff --git a/spec/fixtures/pam_common_auth.defaults.suse10 b/spec/fixtures/pam_common_auth.defaults.suse10
new file mode 100644
index 00000000..475d561d
--- /dev/null
+++ b/spec/fixtures/pam_common_auth.defaults.suse10
@@ -0,0 +1,4 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth required pam_env.so
+auth required pam_unix2.so
diff --git a/spec/fixtures/pam_common_auth.defaults.ubuntu1204 b/spec/fixtures/pam_common_auth.defaults.ubuntu1204
new file mode 100644
index 00000000..f629ec0b
--- /dev/null
+++ b/spec/fixtures/pam_common_auth.defaults.ubuntu1204
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth [success=1 default=ignore] pam_unix.so nullok_secure
+auth requisite pam_deny.so
+auth required pam_permit.so
diff --git a/spec/fixtures/pam_common_auth.defaults.ubuntu1404 b/spec/fixtures/pam_common_auth.defaults.ubuntu1404
new file mode 100644
index 00000000..9800d8c4
--- /dev/null
+++ b/spec/fixtures/pam_common_auth.defaults.ubuntu1404
@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth [success=1 default=ignore] pam_unix.so nullok_secure
+auth requisite pam_deny.so
+auth required pam_permit.so
+auth optional pam_cap.so
diff --git a/spec/fixtures/pam_common_auth.vas.suse10 b/spec/fixtures/pam_common_auth.vas.suse10
new file mode 100644
index 00000000..cadacdd8
--- /dev/null
+++ b/spec/fixtures/pam_common_auth.vas.suse10
@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth required pam_env.so
+auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass store_creds
+auth requisite pam_vas3.so echo_return
+auth required pam_unix2.so use_first_pass
diff --git a/spec/fixtures/pam_common_auth.vas.ubuntu1204 b/spec/fixtures/pam_common_auth.vas.ubuntu1204
new file mode 100644
index 00000000..db1ecbbe
--- /dev/null
+++ b/spec/fixtures/pam_common_auth.vas.ubuntu1204
@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth required pam_env.so
+auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass store_creds
+auth requisite pam_vas3.so echo_return
+auth required pam_unix.so use_first_pass
diff --git a/spec/fixtures/pam_common_auth.vas.ubuntu1404 b/spec/fixtures/pam_common_auth.vas.ubuntu1404
new file mode 100644
index 00000000..db1ecbbe
--- /dev/null
+++ b/spec/fixtures/pam_common_auth.vas.ubuntu1404
@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth required pam_env.so
+auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass store_creds
+auth requisite pam_vas3.so echo_return
+auth required pam_unix.so use_first_pass
diff --git a/spec/fixtures/pam_common_auth_pc.defaults.suse11 b/spec/fixtures/pam_common_auth_pc.defaults.suse11
new file mode 100644
index 00000000..475d561d
--- /dev/null
+++ b/spec/fixtures/pam_common_auth_pc.defaults.suse11
@@ -0,0 +1,4 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth required pam_env.so
+auth required pam_unix2.so
diff --git a/spec/fixtures/pam_common_auth_pc.defaults.suse12 b/spec/fixtures/pam_common_auth_pc.defaults.suse12
new file mode 100644
index 00000000..475d561d
--- /dev/null
+++ b/spec/fixtures/pam_common_auth_pc.defaults.suse12
@@ -0,0 +1,4 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth required pam_env.so
+auth required pam_unix2.so
diff --git a/spec/fixtures/pam_common_auth_pc.vas.suse11 b/spec/fixtures/pam_common_auth_pc.vas.suse11
new file mode 100644
index 00000000..0444de2e
--- /dev/null
+++ b/spec/fixtures/pam_common_auth_pc.vas.suse11
@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth required pam_env.so
+auth sufficient pam_vas3.so create_homedir get_nonvas_pass
+auth requisite pam_vas3.so echo_return
+auth required pam_unix2.so use_first_pass
diff --git a/spec/fixtures/pam_common_auth_pc.vas.suse12 b/spec/fixtures/pam_common_auth_pc.vas.suse12
new file mode 100644
index 00000000..0444de2e
--- /dev/null
+++ b/spec/fixtures/pam_common_auth_pc.vas.suse12
@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth required pam_env.so
+auth sufficient pam_vas3.so create_homedir get_nonvas_pass
+auth requisite pam_vas3.so echo_return
+auth required pam_unix2.so use_first_pass
diff --git a/spec/fixtures/pam_common_noninteractive_session.defaults.ubuntu1204 b/spec/fixtures/pam_common_noninteractive_session.defaults.ubuntu1204
new file mode 100644
index 00000000..5893e675
--- /dev/null
+++ b/spec/fixtures/pam_common_noninteractive_session.defaults.ubuntu1204
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_unix.so
diff --git a/spec/fixtures/pam_common_noninteractive_session.defaults.ubuntu1404 b/spec/fixtures/pam_common_noninteractive_session.defaults.ubuntu1404
new file mode 100644
index 00000000..0eb89d03
--- /dev/null
+++ b/spec/fixtures/pam_common_noninteractive_session.defaults.ubuntu1404
@@ -0,0 +1,8 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_unix.so
+session optional pam_systemd.so
diff --git a/spec/fixtures/pam_common_noninteractive_session.vas.ubuntu1204 b/spec/fixtures/pam_common_noninteractive_session.vas.ubuntu1204
new file mode 100644
index 00000000..902c25a7
--- /dev/null
+++ b/spec/fixtures/pam_common_noninteractive_session.vas.ubuntu1204
@@ -0,0 +1,9 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_vas3.so create_homedir
+session requisite pam_vas3.so echo_return
+session required pam_unix.so
diff --git a/spec/fixtures/pam_common_noninteractive_session.vas.ubuntu1404 b/spec/fixtures/pam_common_noninteractive_session.vas.ubuntu1404
new file mode 100644
index 00000000..902c25a7
--- /dev/null
+++ b/spec/fixtures/pam_common_noninteractive_session.vas.ubuntu1404
@@ -0,0 +1,9 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_vas3.so create_homedir
+session requisite pam_vas3.so echo_return
+session required pam_unix.so
diff --git a/spec/fixtures/pam_common_password.defaults.suse10 b/spec/fixtures/pam_common_password.defaults.suse10
new file mode 100644
index 00000000..2753f801
--- /dev/null
+++ b/spec/fixtures/pam_common_password.defaults.suse10
@@ -0,0 +1,4 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password required pam_pwcheck.so nullok
+password required pam_unix2.so nullok use_authtok
diff --git a/spec/fixtures/pam_common_password.defaults.ubuntu1204 b/spec/fixtures/pam_common_password.defaults.ubuntu1204
new file mode 100644
index 00000000..7f278d0e
--- /dev/null
+++ b/spec/fixtures/pam_common_password.defaults.ubuntu1204
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password [success=1 default=ignore] pam_unix.so obscure sha512
+password requisite pam_deny.so
+password required pam_permit.so
diff --git a/spec/fixtures/pam_common_password.defaults.ubuntu1404 b/spec/fixtures/pam_common_password.defaults.ubuntu1404
new file mode 100644
index 00000000..7f278d0e
--- /dev/null
+++ b/spec/fixtures/pam_common_password.defaults.ubuntu1404
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password [success=1 default=ignore] pam_unix.so obscure sha512
+password requisite pam_deny.so
+password required pam_permit.so
diff --git a/spec/fixtures/pam_common_password.vas.suse10 b/spec/fixtures/pam_common_password.vas.suse10
new file mode 100644
index 00000000..ad9a40be
--- /dev/null
+++ b/spec/fixtures/pam_common_password.vas.suse10
@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password sufficient pam_vas3.so
+password requisite pam_vas3.so echo_return
+password requisite pam_pwcheck.so nullok
+password required pam_unix2.so use_authtok nullok
diff --git a/spec/fixtures/pam_common_password.vas.ubuntu1204 b/spec/fixtures/pam_common_password.vas.ubuntu1204
new file mode 100644
index 00000000..b2d0557b
--- /dev/null
+++ b/spec/fixtures/pam_common_password.vas.ubuntu1204
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password sufficient pam_vas3.so
+password requisite pam_vas3.so echo_return
+password [success=1 default=ignore] pam_unix.so obscure sha512
+password requisite pam_deny.so
+password required pam_permit.so
diff --git a/spec/fixtures/pam_common_password.vas.ubuntu1404 b/spec/fixtures/pam_common_password.vas.ubuntu1404
new file mode 100644
index 00000000..b2d0557b
--- /dev/null
+++ b/spec/fixtures/pam_common_password.vas.ubuntu1404
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password sufficient pam_vas3.so
+password requisite pam_vas3.so echo_return
+password [success=1 default=ignore] pam_unix.so obscure sha512
+password requisite pam_deny.so
+password required pam_permit.so
diff --git a/spec/fixtures/pam_common_password_pc.defaults.suse11 b/spec/fixtures/pam_common_password_pc.defaults.suse11
new file mode 100644
index 00000000..4a50a380
--- /dev/null
+++ b/spec/fixtures/pam_common_password_pc.defaults.suse11
@@ -0,0 +1,4 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password required pam_pwcheck.so nullok cracklib
+password required pam_unix2.so nullok use_authtok
diff --git a/spec/fixtures/pam_common_password_pc.defaults.suse12 b/spec/fixtures/pam_common_password_pc.defaults.suse12
new file mode 100644
index 00000000..4a50a380
--- /dev/null
+++ b/spec/fixtures/pam_common_password_pc.defaults.suse12
@@ -0,0 +1,4 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password required pam_pwcheck.so nullok cracklib
+password required pam_unix2.so nullok use_authtok
diff --git a/spec/fixtures/pam_common_password_pc.vas.suse11 b/spec/fixtures/pam_common_password_pc.vas.suse11
new file mode 100644
index 00000000..3a3ff79c
--- /dev/null
+++ b/spec/fixtures/pam_common_password_pc.vas.suse11
@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password sufficient pam_vas3.so
+password requisite pam_vas3.so echo_return
+password requisite pam_pwcheck.so nullok cracklib
+password required pam_unix2.so use_authtok nullok
diff --git a/spec/fixtures/pam_common_password_pc.vas.suse12 b/spec/fixtures/pam_common_password_pc.vas.suse12
new file mode 100644
index 00000000..3a3ff79c
--- /dev/null
+++ b/spec/fixtures/pam_common_password_pc.vas.suse12
@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password sufficient pam_vas3.so
+password requisite pam_vas3.so echo_return
+password requisite pam_pwcheck.so nullok cracklib
+password required pam_unix2.so use_authtok nullok
diff --git a/spec/fixtures/pam_common_session.defaults.suse10 b/spec/fixtures/pam_common_session.defaults.suse10
new file mode 100644
index 00000000..77dfd8c2
--- /dev/null
+++ b/spec/fixtures/pam_common_session.defaults.suse10
@@ -0,0 +1,4 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session required pam_limits.so
+session required pam_unix2.so
diff --git a/spec/fixtures/pam_common_session.defaults.ubuntu1204 b/spec/fixtures/pam_common_session.defaults.ubuntu1204
new file mode 100644
index 00000000..5893e675
--- /dev/null
+++ b/spec/fixtures/pam_common_session.defaults.ubuntu1204
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_unix.so
diff --git a/spec/fixtures/pam_common_session.defaults.ubuntu1404 b/spec/fixtures/pam_common_session.defaults.ubuntu1404
new file mode 100644
index 00000000..0eb89d03
--- /dev/null
+++ b/spec/fixtures/pam_common_session.defaults.ubuntu1404
@@ -0,0 +1,8 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_unix.so
+session optional pam_systemd.so
diff --git a/spec/fixtures/pam_common_session.vas.suse10 b/spec/fixtures/pam_common_session.vas.suse10
new file mode 100644
index 00000000..f4bf1a05
--- /dev/null
+++ b/spec/fixtures/pam_common_session.vas.suse10
@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session required pam_limits.so
+session required pam_vas3.so
+session requisite pam_vas3.so echo_return
+session required pam_unix2.so
diff --git a/spec/fixtures/pam_common_session.vas.ubuntu1204 b/spec/fixtures/pam_common_session.vas.ubuntu1204
new file mode 100644
index 00000000..902c25a7
--- /dev/null
+++ b/spec/fixtures/pam_common_session.vas.ubuntu1204
@@ -0,0 +1,9 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_vas3.so create_homedir
+session requisite pam_vas3.so echo_return
+session required pam_unix.so
diff --git a/spec/fixtures/pam_common_session.vas.ubuntu1404 b/spec/fixtures/pam_common_session.vas.ubuntu1404
new file mode 100644
index 00000000..902c25a7
--- /dev/null
+++ b/spec/fixtures/pam_common_session.vas.ubuntu1404
@@ -0,0 +1,9 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_vas3.so create_homedir
+session requisite pam_vas3.so echo_return
+session required pam_unix.so
diff --git a/spec/fixtures/pam_common_session_pc.defaults.suse11 b/spec/fixtures/pam_common_session_pc.defaults.suse11
new file mode 100644
index 00000000..19759495
--- /dev/null
+++ b/spec/fixtures/pam_common_session_pc.defaults.suse11
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session required pam_limits.so
+session required pam_unix2.so
+session optional pam_umask.so
diff --git a/spec/fixtures/pam_common_session_pc.defaults.suse12 b/spec/fixtures/pam_common_session_pc.defaults.suse12
new file mode 100644
index 00000000..19759495
--- /dev/null
+++ b/spec/fixtures/pam_common_session_pc.defaults.suse12
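Review bot: `session required pam_vas3.so` in `pam_common_session.vas.suse10` carries no `create_homedir`, and the matching `pam_common_auth.vas.suse10` fixture (`show_lockout_msg get_nonvas_pass store_creds`) does not set it either, while the suse11/suse12 and Ubuntu VAS fixtures in this commit have it on the session line. As written, the SUSE 10 expectation pins a stack in which no `pam_vas3.so` line requests home-directory creation. If that difference is deliberate, a short comment next to the SUSE 10 case in `init_spec.rb` (for example `# SLES 10: pam_vas3 session line intentionally has no create_homedir`) would stop a later fixture regeneration from silently changing it; if not, the fixture and the template it mirrors should be aligned with the other platforms.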
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session required pam_limits.so
+session required pam_unix2.so
+session optional pam_umask.so
diff --git a/spec/fixtures/pam_common_session_pc.vas.suse11 b/spec/fixtures/pam_common_session_pc.vas.suse11
new file mode 100644
index 00000000..47c6009f
--- /dev/null
+++ b/spec/fixtures/pam_common_session_pc.vas.suse11
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session required pam_limits.so
+session required pam_vas3.so create_homedir
+session requisite pam_vas3.so echo_return
+session required pam_unix2.so
+session optional pam_umask.so
diff --git a/spec/fixtures/pam_common_session_pc.vas.suse12 b/spec/fixtures/pam_common_session_pc.vas.suse12
new file mode 100644
index 00000000..47c6009f
--- /dev/null
+++ b/spec/fixtures/pam_common_session_pc.vas.suse12
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session required pam_limits.so
+session required pam_vas3.so create_homedir
+session requisite pam_vas3.so echo_return
+session required pam_unix2.so
+session optional pam_umask.so
diff --git a/spec/fixtures/pam_conf.defaults.solaris10 b/spec/fixtures/pam_conf.defaults.solaris10
new file mode 100644
index 00000000..cf34c6bf
--- /dev/null
+++ b/spec/fixtures/pam_conf.defaults.solaris10
@@ -0,0 +1,26 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+# Auth
+login auth requisite pam_authtok_get.so.1
+login auth required pam_dhkeys.so.1
+login auth required pam_unix_cred.so.1
+login auth required pam_unix_auth.so.1
+login auth required pam_dial_auth.so.1
+passwd auth required pam_passwd_auth.so.1
+other auth requisite pam_authtok_get.so.1
+other auth required pam_dhkeys.so.1
+other auth required pam_unix_cred.so.1
+other auth required pam_unix_auth.so.1
+
+# Account
+other account requisite pam_roles.so.1
+other account required pam_unix_account.so.1
+
+# Password
+other password required pam_dhkeys.so.1
+other password requisite pam_authtok_get.so.1
+other password requisite pam_authtok_check.so.1
+other password required pam_authtok_store.so.1
+
+# Session
+other session required pam_unix_session.so.1
diff --git a/spec/fixtures/pam_conf.defaults.solaris9 b/spec/fixtures/pam_conf.defaults.solaris9
new file mode 100644
index 00000000..868fe4ae
--- /dev/null
+++ b/spec/fixtures/pam_conf.defaults.solaris9
@@ -0,0 +1,27 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+# Auth
+login auth requisite pam_authtok_get.so.1
+login auth required pam_dhkeys.so.1
+login auth required pam_unix_auth.so.1
+login auth required pam_dial_auth.so.1
+passwd auth required pam_passwd_auth.so.1
+other auth requisite pam_authtok_get.so.1
+other auth required pam_dhkeys.so.1
+other auth required pam_unix_auth.so.1
+
+# Account
+cron account required pam_projects.so.1
+cron account required pam_unix_account.so.1
+other account requisite pam_roles.so.1
+other account required pam_projects.so.1
+other account required pam_unix_account.so.1
+
+# Password
+other password required pam_dhkeys.so.1
+other password requisite pam_authtok_get.so.1
+other password requisite pam_authtok_check.so.1
+other password required pam_authtok_store.so.1
+
+# Session
+other session required pam_unix_session.so.1
diff --git a/spec/fixtures/pam_conf.vas.solaris10 b/spec/fixtures/pam_conf.vas.solaris10
new file mode 100644
index 00000000..94247561
--- /dev/null
+++ b/spec/fixtures/pam_conf.vas.solaris10
@@ -0,0 +1,66 @@ +# This file is being maintained by Puppet. +# DO NOT EDIT +# Auth +login auth required pam_unix_cred.so.1 +login auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass +login auth requisite pam_vas3.so echo_return +login auth requisite pam_authtok_get.so.1 use_first_pass +login auth required pam_dhkeys.so.1 +login auth required pam_unix_auth.so.1 +login auth required pam_dial_auth.so.1 +rlogin auth required pam_unix_cred.so.1 +rlogin auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass +rlogin auth requisite pam_vas3.so echo_return +rlogin auth requisite pam_authtok_get.so.1 use_first_pass +rlogin auth required pam_dhkeys.so.1 +rlogin auth required pam_unix_auth.so.1 +krlogin auth required pam_unix_cred.so.1 +krlogin auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass +krlogin auth requisite pam_vas3.so echo_return +krlogin auth required pam_krb5.so.1 use_first_pass +krsh auth required pam_unix_cred.so.1 +krsh auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass +krsh auth requisite pam_vas3.so echo_return +krsh auth required pam_krb5.so.1 use_first_pass +ktelnet auth required pam_unix_cred.so.1 +ktelnet auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass +ktelnet auth requisite pam_vas3.so echo_return +ktelnet auth required pam_krb5.so.1 use_first_pass +ppp auth required pam_unix_cred.so.1 +ppp auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass +ppp auth requisite pam_vas3.so echo_return +ppp auth requisite pam_authtok_get.so.1 use_first_pass +ppp auth required pam_dhkeys.so.1 +ppp auth required pam_unix_auth.so.1 +ppp auth required pam_dial_auth.so.1 +other auth required pam_unix_cred.so.1 +other auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass +other auth requisite pam_vas3.so echo_return +other auth requisite pam_authtok_get.so.1 use_first_pass +other auth required pam_dhkeys.so.1 +other auth 
required pam_unix_auth.so.1 +passwd auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass +passwd auth requisite pam_vas3.so echo_return +passwd auth required pam_passwd_auth.so.1 use_first_pass + +# Account +cron account sufficient pam_vas3.so +cron account requisite pam_vas3.so echo_return +cron account required pam_unix_account.so.1 +other account requisite pam_roles.so.1 +other account sufficient pam_vas3.so +other account requisite pam_vas3.so echo_return +other account required pam_unix_account.so.1 + +# Password +other password required pam_dhkeys.so.1 +other password requisite pam_authtok_get.so.1 +other password sufficient pam_vas3.so +other password requisite pam_vas3.so echo_return +other password requisite pam_authtok_check.so.1 +other password required pam_authtok_store.so.1 + +# Session +other session required pam_vas3.so create_homedir +other session requisite pam_vas3.so echo_return +other session required pam_unix_session.so.1 diff --git a/spec/fixtures/pam_conf.vas.solaris9 b/spec/fixtures/pam_conf.vas.solaris9 new file mode 100644 index 00000000..868fe4ae --- /dev/null +++ b/spec/fixtures/pam_conf.vas.solaris9 
@@ -0,0 +1,27 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+# Auth
+login auth requisite pam_authtok_get.so.1
+login auth required pam_dhkeys.so.1
+login auth required pam_unix_auth.so.1
+login auth required pam_dial_auth.so.1
+passwd auth required pam_passwd_auth.so.1
+other auth requisite pam_authtok_get.so.1
+other auth required pam_dhkeys.so.1
+other auth required pam_unix_auth.so.1
+
+# Account
+cron account required pam_projects.so.1
+cron account required pam_unix_account.so.1
+other account requisite pam_roles.so.1
+other account required pam_projects.so.1
+other account required pam_unix_account.so.1
+
+# Password
+other password required pam_dhkeys.so.1
+other password requisite pam_authtok_get.so.1
+other password requisite pam_authtok_check.so.1
+other password required pam_authtok_store.so.1
+
+# Session
+other session required pam_unix_session.so.1
diff --git a/spec/fixtures/pam_d_login.defaults.el5 b/spec/fixtures/pam_d_login.defaults.el5
new file mode 100644
index 00000000..9bd0992c
--- /dev/null
+++ b/spec/fixtures/pam_d_login.defaults.el5
@@ -0,0 +1,15 @@
+#%PAM-1.0
+auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
+auth include system-auth
+account required pam_nologin.so
+account include system-auth
+account required pam_access.so
+password include system-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session optional pam_keyinit.so force revoke
+session required pam_loginuid.so
+session include system-auth
+session optional pam_console.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open
diff --git a/spec/fixtures/pam_d_login.defaults.el6 b/spec/fixtures/pam_d_login.defaults.el6
new file mode 100644
index 00000000..5223575f
--- /dev/null
+++ b/spec/fixtures/pam_d_login.defaults.el6
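Review bot: `spec/fixtures/pam_conf.vas.solaris9` carries the same blob id as `pam_conf.defaults.solaris9` (`868fe4ae`) and has no `pam_vas3.so` entry, so a spec that compares the `ensure_vas => 'present'` catalog against it cannot tell a VAS-enabled `pam.conf` from the default one. If VAS is not meant to change `pam.conf` on Solaris 9, it would be clearer to reuse the defaults fixture and say so in the spec with a comment such as `# Solaris 9: ensure_vas does not alter pam.conf`. Otherwise the fixture should be regenerated with the `pam_vas3.so` lines, as `pam_conf.vas.solaris10` has them. Which of the two is intended cannot be told from this part of the diff.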
@@ -0,0 +1,17 @@
+#%PAM-1.0
+auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
+auth include system-auth
+account required pam_nologin.so
+account include system-auth
+account required pam_access.so
+password include system-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_console.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open
+session required pam_namespace.so
+session optional pam_keyinit.so force revoke
+session include system-auth
+-session optional pam_ck_connector.so
diff --git a/spec/fixtures/pam_d_login.defaults.el7 b/spec/fixtures/pam_d_login.defaults.el7
new file mode 100644
index 00000000..3c039276
--- /dev/null
+++ b/spec/fixtures/pam_d_login.defaults.el7
@@ -0,0 +1,18 @@
+#%PAM-1.0
+auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
+auth substack system-auth
+auth include postlogin
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_console.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open
+session required pam_namespace.so
+session optional pam_keyinit.so force revoke
+session include system-auth
+session include postlogin
+-session optional pam_ck_connector.so
diff --git a/spec/fixtures/pam_d_login.defaults.suse10 b/spec/fixtures/pam_d_login.defaults.suse10
new file mode 100644
index 00000000..45f5d8ad
--- /dev/null
+++ b/spec/fixtures/pam_d_login.defaults.suse10
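Review bot: `pam_d_login.defaults.el7` has no `account required pam_access.so` line, while the el5 and el6 login fixtures in this commit do; `pam_d_sshd.defaults.el7` differs from its el5/el6 counterparts in the same way. With these files as the expected default output, the spec pins an EL7 default in which `pam_access.so` is not part of the login or sshd account stack, unless an included stack adds it. If that is the intended default, a spec case that sets `login_pam_access` and `sshd_pam_access` to `'required'` on EL7 and checks that the `pam_access.so` line is rendered would keep the opt-in path covered. Whether such a case exists in the refactored `init_spec.rb` is not visible in this part of the diff.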
@@ -0,0 +1,10 @@
+#%PAM-1.0
+auth required pam_securetty.so
+auth include common-auth
+auth required pam_nologin.so
+account include common-account
+password include common-password
+session include common-session
+session required pam_lastlog.so nowtmp
+session required pam_resmgr.so
+session optional pam_mail.so standard
diff --git a/spec/fixtures/pam_d_login.defaults.suse11 b/spec/fixtures/pam_d_login.defaults.suse11
new file mode 100644
index 00000000..33cbd957
--- /dev/null
+++ b/spec/fixtures/pam_d_login.defaults.suse11
@@ -0,0 +1,12 @@
+#%PAM-1.0
+auth requisite pam_nologin.so
+auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
+auth include common-auth
+account include common-account
+account required pam_access.so
+password include common-password
+session required pam_loginuid.so
+session include common-session
+session required pam_lastlog.so nowtmp
+session optional pam_mail.so standard
+session optional pam_ck_connector.so
diff --git a/spec/fixtures/pam_d_login.defaults.suse12 b/spec/fixtures/pam_d_login.defaults.suse12
new file mode 100644
index 00000000..675480e2
--- /dev/null
+++ b/spec/fixtures/pam_d_login.defaults.suse12
@@ -0,0 +1,10 @@
+#%PAM-1.0
+auth requisite pam_nologin.so
+auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
+auth include common-auth
+account include common-account
+password include common-password
+session required pam_loginuid.so
+session include common-session
+session optional pam_mail.so standard
+session optional pam_ck_connector.so
diff --git a/spec/fixtures/pam_d_login.defaults.suse9 b/spec/fixtures/pam_d_login.defaults.suse9
new file mode 100644
index 00000000..91e566cb
--- /dev/null
+++ b/spec/fixtures/pam_d_login.defaults.suse9
@@ -0,0 +1,11 @@
+#%PAM-1.0
+auth requisite pam_unix2.so nullok
+auth required pam_securetty.so
+auth required pam_nologin.so
+auth required pam_env.so
+auth required pam_mail.so
+account required pam_unix2.so
+password required pam_pwcheck.so nullok
+password required pam_unix2.so nullok use_first_pass use_authtok
+session required pam_unix2.so none
+session required pam_limits.so
diff --git a/spec/fixtures/pam_d_login.defaults.ubuntu1204 b/spec/fixtures/pam_d_login.defaults.ubuntu1204
new file mode 100644
index 00000000..980ff7d6
--- /dev/null
+++ b/spec/fixtures/pam_d_login.defaults.ubuntu1204
@@ -0,0 +1,16 @@
+auth optional pam_faildelay.so delay=3000000
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+auth requisite pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth optional pam_group.so
+session required pam_limits.so
+session optional pam_lastlog.so
+session optional pam_motd.so
+session optional pam_mail.so standard
+@include common-account
+@include common-session
+@include common-password
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
diff --git a/spec/fixtures/pam_d_login.defaults.ubuntu1404 b/spec/fixtures/pam_d_login.defaults.ubuntu1404
new file mode 100644
index 00000000..8bf0fcaa
--- /dev/null
+++ b/spec/fixtures/pam_d_login.defaults.ubuntu1404
@@ -0,0 +1,17 @@
+auth optional pam_faildelay.so delay=3000000
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+auth requisite pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth optional pam_group.so
+session required pam_limits.so
+session optional pam_lastlog.so
+session optional pam_motd.so motd=/run/motd.dynamic noupdate
+session optional pam_motd.so
+session optional pam_mail.so standard
+@include common-account
+@include common-session
+@include common-password
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
diff --git a/spec/fixtures/pam_d_sshd.defaults.el5 b/spec/fixtures/pam_d_sshd.defaults.el5
new file mode 100644
index 00000000..954c9418
--- /dev/null
+++ b/spec/fixtures/pam_d_sshd.defaults.el5
@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth include system-auth
+account required pam_nologin.so
+account include system-auth
+account required pam_access.so
+password include system-auth
+session optional pam_keyinit.so force revoke
+session include system-auth
+session required pam_loginuid.so
diff --git a/spec/fixtures/pam_d_sshd.defaults.el6 b/spec/fixtures/pam_d_sshd.defaults.el6
new file mode 100644
index 00000000..0f5a66d0
--- /dev/null
+++ b/spec/fixtures/pam_d_sshd.defaults.el6
@@ -0,0 +1,14 @@
+#%PAM-1.0
+auth required pam_sepermit.so
+auth include password-auth
+account required pam_access.so
+account required pam_nologin.so
+account include password-auth
+password include password-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open env_params
+session optional pam_keyinit.so force revoke
+session include password-auth
diff --git a/spec/fixtures/pam_d_sshd.defaults.el7 b/spec/fixtures/pam_d_sshd.defaults.el7
new file mode 100644
index 00000000..af19ec0b
--- /dev/null
+++ b/spec/fixtures/pam_d_sshd.defaults.el7
@@ -0,0 +1,15 @@
+#%PAM-1.0
+auth required pam_sepermit.so
+auth substack password-auth
+auth include postlogin
+account required pam_nologin.so
+account include password-auth
+password include password-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open env_params
+session optional pam_keyinit.so force revoke
+session include password-auth
+session include postlogin
diff --git a/spec/fixtures/pam_d_sshd.defaults.suse10 b/spec/fixtures/pam_d_sshd.defaults.suse10
new file mode 100644
index 00000000..185f43ec
--- /dev/null
+++ b/spec/fixtures/pam_d_sshd.defaults.suse10
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth include common-auth
+auth required pam_nologin.so
+account include common-account
+password include common-password
+session include common-session
diff --git a/spec/fixtures/pam_d_sshd.defaults.suse11 b/spec/fixtures/pam_d_sshd.defaults.suse11
new file mode 100644
index 00000000..0333284e
--- /dev/null
+++ b/spec/fixtures/pam_d_sshd.defaults.suse11
@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth requisite pam_nologin.so
+auth include common-auth
+account required pam_access.so
+account requisite pam_nologin.so
+account include common-account
+password include common-password
+session required pam_loginuid.so
+session include common-session
diff --git a/spec/fixtures/pam_d_sshd.defaults.suse12 b/spec/fixtures/pam_d_sshd.defaults.suse12
new file mode 100644
index 00000000..5fe05937
--- /dev/null
+++ b/spec/fixtures/pam_d_sshd.defaults.suse12
@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth requisite pam_nologin.so
+auth include common-auth
+account requisite pam_nologin.so
+account include common-account
+password include common-password
+session required pam_loginuid.so
+session include common-session
+session optional pam_lastlog.so silent noupdate showfailed
diff --git a/spec/fixtures/pam_d_sshd.defaults.suse9 b/spec/fixtures/pam_d_sshd.defaults.suse9
new file mode 100644
index 00000000..c8e925cb
--- /dev/null
+++ b/spec/fixtures/pam_d_sshd.defaults.suse9
@@ -0,0 +1,10 @@
+#%PAM-1.0
+auth required pam_unix2.so # set_secrpc
+auth required pam_nologin.so
+auth required pam_env.so
+account required pam_unix2.so
+account required pam_nologin.so
+password required pam_pwcheck.so
+password required pam_unix2.so use_first_pass use_authtok
+session required pam_unix2.so none # trace or debug
+session required pam_limits.so
diff --git a/spec/fixtures/pam_d_sshd.defaults.ubuntu1204 b/spec/fixtures/pam_d_sshd.defaults.ubuntu1204
new file mode 100644
index 00000000..585c9fbb
--- /dev/null
+++ b/spec/fixtures/pam_d_sshd.defaults.ubuntu1204
@@ -0,0 +1,10 @@
+auth required pam_env.so # [1]
+auth required pam_env.so envfile=/etc/default/locale
+@include common-auth
+account required pam_nologin.so
+@include common-account
+@include common-session
+session optional pam_motd.so # [1]
+session optional pam_mail.so standard noenv # [1]
+session required pam_limits.so
+@include common-password
diff --git a/spec/fixtures/pam_d_sshd.defaults.ubuntu1404 b/spec/fixtures/pam_d_sshd.defaults.ubuntu1404
new file mode 100644
index 00000000..87fc593b
--- /dev/null
+++ b/spec/fixtures/pam_d_sshd.defaults.ubuntu1404
@@ -0,0 +1,15 @@
+@include common-auth
+account required pam_nologin.so
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+@include common-session
+session optional pam_motd.so motd=/run/motd.dynamic noupdate
+session optional pam_motd.so # [1]
+session optional pam_mail.so standard noenv # [1]
+session required pam_limits.so
+session required pam_env.so # [1]
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+@include common-password
diff --git a/spec/fixtures/pam_other.defaults.solaris11 b/spec/fixtures/pam_other.defaults.solaris11
new file mode 100644
index 00000000..f69e217d
--- /dev/null
+++ b/spec/fixtures/pam_other.defaults.solaris11
@@ -0,0 +1,23 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+# Auth
+auth definitive pam_user_policy.so.1
+auth requisite pam_authtok_get.so.1
+auth required pam_dhkeys.so.1
+auth required pam_unix_auth.so.1
+auth required pam_unix_cred.so.1
+
+# Account
+account requisite pam_roles.so.1
+account definitive pam_user_policy.so.1
+account required pam_unix_account.so.1
+account required pam_tsol_account.so.1
+
+# Password
+password definitive pam_user_policy.so.1
+password include pam_authtok_common
+password required pam_authtok_store.so.1
+
+# Session
+session definitive pam_user_policy.so.1
+session required pam_unix_session.so.1
diff --git a/spec/fixtures/pam_other.defaults.suse9 b/spec/fixtures/pam_other.defaults.suse9
new file mode 100644
index 00000000..6e37c390
--- /dev/null
+++ b/spec/fixtures/pam_other.defaults.suse9
@@ -0,0 +1,17 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+# Auth
+auth required pam_warn.so
+auth required pam_unix2.so
+
+# Account
+account required pam_warn.so
+account required pam_unix2.so
+
+# Password
+password required pam_warn.so
+password required pam_pwcheck.so use_cracklib
+
+# Session
+session required pam_warn.so
+session required pam_unix2.so debug
diff --git a/spec/fixtures/pam_other.vas.solaris11 b/spec/fixtures/pam_other.vas.solaris11
new file mode 100644
index 00000000..f69e217d
--- /dev/null
+++ b/spec/fixtures/pam_other.vas.solaris11
@@ -0,0 +1,23 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+# Auth
+auth definitive pam_user_policy.so.1
+auth requisite pam_authtok_get.so.1
+auth required pam_dhkeys.so.1
+auth required pam_unix_auth.so.1
+auth required pam_unix_cred.so.1
+
+# Account
+account requisite pam_roles.so.1
+account definitive pam_user_policy.so.1
+account required pam_unix_account.so.1
+account required pam_tsol_account.so.1
+
+# Password
+password definitive pam_user_policy.so.1
+password include pam_authtok_common
+password required pam_authtok_store.so.1
+
+# Session
+session definitive pam_user_policy.so.1
+session required pam_unix_session.so.1
diff --git a/spec/fixtures/pam_other.vas.suse9 b/spec/fixtures/pam_other.vas.suse9
new file mode 100644
index 00000000..6e37c390
--- /dev/null
+++ b/spec/fixtures/pam_other.vas.suse9
@@ -0,0 +1,17 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+# Auth
+auth required pam_warn.so
+auth required pam_unix2.so
+
+# Account
+account required pam_warn.so
+account required pam_unix2.so
+
+# Password
+password required pam_warn.so
+password required pam_pwcheck.so use_cracklib
+
+# Session
+session required pam_warn.so
+session required pam_unix2.so debug
diff --git a/spec/fixtures/pam_system_auth_ac.defaults.el5 b/spec/fixtures/pam_system_auth_ac.defaults.el5
new file mode 100644
index 00000000..59043a0e
--- /dev/null
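Review bot: `spec/fixtures/pam_other.vas.solaris11` and `spec/fixtures/pam_other.vas.suse9` are byte-identical to their `defaults` counterparts (same blob ids `f69e217d` and `6e37c390`), so a spec comparing against them cannot tell whether the VAS code path ran for the `other` service. If the `other` stack is meant to stay unchanged under VAS, point the VAS cases at the defaults fixture and say so in a comment in the spec, for example `# pam_other is intentionally identical with and without VAS`. If it is not meant to stay unchanged, the expected `pam_vas3.so` lines are missing from both files.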
+++ b/spec/fixtures/pam_system_auth_ac.defaults.el5
@@ -0,0 +1,23 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+# Auth
+auth required pam_env.so
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth required pam_deny.so
+
+# Account
+account required pam_unix.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+# Password
+password requisite pam_cracklib.so try_first_pass retry=3
+password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
+password required pam_deny.so
+
+# Session
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/spec/fixtures/pam_system_auth_ac.defaults.el6 b/spec/fixtures/pam_system_auth_ac.defaults.el6
new file mode 100644
index 00000000..e98ecf2e
--- /dev/null
+++ b/spec/fixtures/pam_system_auth_ac.defaults.el6
@@ -0,0 +1,25 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+# Auth
+auth required pam_env.so
+auth sufficient pam_fprintd.so
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth required pam_deny.so
+
+# Account
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+# Password
+password requisite pam_cracklib.so try_first_pass retry=3 type=
+password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
+password required pam_deny.so
+
+# Session
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/spec/fixtures/pam_system_auth_ac.defaults.el7 b/spec/fixtures/pam_system_auth_ac.defaults.el7
new file mode 100644
index 00000000..9b392088
--- /dev/null
+++ b/spec/fixtures/pam_system_auth_ac.defaults.el7
@@ -0,0 +1,26 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+# Auth
+auth required pam_env.so
+auth sufficient pam_fprintd.so
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 1000 quiet_success
+auth required pam_deny.so
+
+# Account
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account required pam_permit.so
+
+# Password
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password required pam_deny.so
+
+# Session
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/spec/fixtures/pam_system_auth_ac.vas.el5 b/spec/fixtures/pam_system_auth_ac.vas.el5
new file mode 100644
index 00000000..0e84e49f
--- /dev/null
+++ b/spec/fixtures/pam_system_auth_ac.vas.el5
@@ -0,0 +1,31 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+# Auth
+auth required pam_env.so
+auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass
+auth requisite pam_vas3.so echo_return
+auth sufficient pam_unix.so nullok try_first_pass use_first_pass
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth required pam_deny.so
+
+# Account
+account sufficient pam_vas3.so
+account requisite pam_vas3.so echo_return
+account required pam_unix.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+# Password
+password sufficient pam_vas3.so
+password requisite pam_vas3.so echo_return
+password requisite pam_cracklib.so try_first_pass retry=3 type=
+password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
+password required pam_deny.so
+
+# Session
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_vas3.so show_lockout_msg
+session requisite pam_vas3.so echo_return
+session required pam_unix.so
diff --git a/spec/fixtures/pam_system_auth_ac.vas.el6 b/spec/fixtures/pam_system_auth_ac.vas.el6
new file mode 100644
index 00000000..d98bd7a2
--- /dev/null
+++ b/spec/fixtures/pam_system_auth_ac.vas.el6
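Review bot: The line `auth sufficient pam_unix.so nullok try_first_pass use_first_pass` in `spec/fixtures/pam_system_auth_ac.vas.el5` passes two options that ask for different behaviour: `try_first_pass` falls back to prompting, while `use_first_pass` never prompts. The vas.el6 and vas.el7 fixtures repeat the same line. Which option takes effect is not evident from the fixture, so the test pins an ambiguous auth stack. Keep only the intended option in the module's VAS default and in these fixtures, for example `auth sufficient pam_unix.so nullok use_first_pass` if no second prompt after `pam_vas3.so` is wanted.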
@@ -0,0 +1,32 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+# Auth
+auth required pam_env.so
+auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass
+auth requisite pam_vas3.so echo_return
+auth sufficient pam_unix.so nullok try_first_pass use_first_pass
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth required pam_deny.so
+
+# Account
+account sufficient pam_vas3.so
+account requisite pam_vas3.so echo_return
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+# Password
+password sufficient pam_vas3.so
+password requisite pam_vas3.so echo_return
+password requisite pam_cracklib.so try_first_pass retry=3 type=
+password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
+password required pam_deny.so
+
+# Session
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_vas3.so show_lockout_msg
+session requisite pam_vas3.so echo_return
+session required pam_unix.so
diff --git a/spec/fixtures/pam_system_auth_ac.vas.el7 b/spec/fixtures/pam_system_auth_ac.vas.el7
new file mode 100644
index 00000000..8b651407
--- /dev/null
+++ b/spec/fixtures/pam_system_auth_ac.vas.el7
@@ -0,0 +1,33 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+# Auth
+auth required pam_env.so
+auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass
+auth requisite pam_vas3.so echo_return
+auth sufficient pam_unix.so nullok try_first_pass use_first_pass
+auth requisite pam_succeed_if.so uid >= 1000 quiet_success
+auth required pam_deny.so
+
+# Account
+account sufficient pam_vas3.so
+account requisite pam_vas3.so echo_return
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account required pam_permit.so
+
+# Password
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_vas3.so
+password requisite pam_vas3.so echo_return
+password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
+password required pam_deny.so
+
+# Session
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_vas3.so show_lockout_msg
+session requisite pam_vas3.so echo_return
+session required pam_unix.so
From b01e9ca24c9128ee63a92be8841ffad7aefdcef1 Mon Sep 17 00:00:00 2001 From: Martin Hagstrom Date: Fri, 27 Feb 2015 13:14:23 +0100 Subject: [PATCH 2/2] Fix symlinks Will be rebased, doing separate commit for clarity. --- spec/classes/init_spec.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 569b7874..27af80fc 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -299,9 +299,11 @@ end end - if file[:symlinkname] + if file[:symlink] symlinkname = "#{file[:prefix]}#{type}" symlinkpath = "#{dirpath}#{file[:prefix]}#{type}" + symlinkpath.gsub! '_', '-' + symlinkpath.sub! 'pam-', '' it { should contain_file(symlinkname).with({ 'ensure' => 'symlink',
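Review bot: `spec/fixtures/pam_system_auth_ac.vas.el7` expects `password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok`, while `spec/fixtures/pam_system_auth_ac.defaults.el7` in the same patch expects `sha512` on that line. With VAS enabled on EL7 this pins local password changes to MD5-crypt hashes, which looks like a carry-over from the el5/el6 stacks rather than a deliberate choice. The expected line should read `password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok`, changed in the module's EL7 VAS default together with this fixture.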