diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 87601740..3a124cc5 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,9 +1,8 @@ name: Build and publish to Puppet Forge on: - push: - tags: - - v[0-9]+.[0-9]+.[0-9]+ + release: + types: [published] jobs: build: @@ -17,7 +16,7 @@ jobs: with: ref: ${{ steps.vars.outputs.tag }} - name: Build and publish module - uses: barnumbirr/action-forge-publish@v2 + uses: barnumbirr/action-forge-publish@v2.15.0 env: FORGE_API_KEY: ${{ secrets.FORGE_API_KEY }} REPOSITORY_URL: https://forgeapi.puppet.com/v3/releases diff --git a/CHANGELOG.md b/CHANGELOG.md index c8d5eab3..9a0379ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## Changelog +Please refer to the [GitHub releases page](https://github.com/djjudas21/puppet-freeradius/releases) for the changelog for 4.0.0 and onwards + ### 3.9.2 * Bugfix: Restart FreeRADIUS after any huntgroups modification diff --git a/README.md b/README.md index b6f89861..60b067fe 100644 --- a/README.md +++ b/README.md @@ -138,6 +138,9 @@ Add a syslog rule (using the `saz/rsyslog` module). Default: `false`. ##### `log_auth` Log authentication requests (yes/no). Default: `no`. +##### `allow_vulnerable_openssl` +Allow the server to start with versions of OpenSSL known to have critical vulnerabilities. (yes/no). Default: `yes`. + ##### `package_ensure` Choose whether the package is just installed and left (`installed`), or updated every Puppet run (`latest`). Default: `installed` diff --git a/manifests/client.pp b/manifests/client.pp index f8fc7e4d..876d4da9 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -61,17 +61,18 @@ if $port { if $ip { firewall { "100 ${name} ${port_description} v4": - proto => 'udp', - dport => $port, - action => 'accept', - source => $ip, + proto => 'udp', + dport => $port, + jump => 'ACCEPT', + protocol => 'IPv4', + source => $ip, } } elsif $ip6 { firewall { "100 ${name} ${port_description} v6": proto => 'udp', dport => $port, - action => 'accept', - provider => 'ip6tables', + jump => 'ACCEPT', + protocol => 'IPv6', source => $ip6, } } diff --git a/manifests/init.pp b/manifests/init.pp index b855fe20..c8b8092d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -17,11 +17,17 @@ Boolean $syslog = false, String $syslog_facility = 'daemon', Freeradius::Boolean $log_auth = 'no', + Freeradius::Boolean $allow_vulnerable_openssl = 'yes', Boolean $preserve_mods = true, Boolean $correct_escapes = true, Boolean $manage_logpath = true, + Boolean $manage_logrotate = $freeradius::params::manage_logrotate, Optional[String] $package_ensure = 'installed', String $radacctdir = $freeradius::params::radacctdir, + String $snmp_traps_enable = 'disable', + String $snmp_traps_community = 'public', + String $snmp_traps_dest = '127.0.0.1', + Array $snmp_traps_list = [], ) inherits freeradius::params { if $freeradius::fr_version !~ /^3/ { notify { 'This module is only compatible with FreeRADIUS 3.': } @@ -157,7 +163,45 @@ preserve => true, } } - + if empty($snmp_traps_list) { + $snmp_traps = [ + 'server_start', + 'server_stop', + 'server_max_requests', + 'server_client_add', + 'server_signal_hup', + 'server_signal_term', + 'server_thread_start', + 'server_thread_stop', + 'server_thread_Unresponsive', + 'server_thread_max_threads', + 'home_server_alive', + 'home_server_zombie', + 'home_server_dead', + 'home_server_pool_normal', + 'home_server_pool_fallback', + 'server_files_module_hup', + 'server_ldap_module_connection_up', + 'server_ldap_module_connection_down', + 'server_ldap_module_hup', + 'server_sql_module_connection_up', + 'server_sql_module_connection_close', + 'server_sql_module_connection_fail', + 'server_sql_module_hup', + ] + } else { + $snmp_traps = $snmp_traps_list + } + # Add trigger.conf snmp trap configuration + file { "${freeradius::fr_basepath}/trigger.conf": + ensure => file, + mode => '0640', + owner => 'root', + group => $freeradius::fr_group, + content => template('freeradius/trigger.conf.erb'), + require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], + notify => Service['radiusd'], + } # Set up concat policy file, as there is only one global policy # We also add standard header and footer concat { 'freeradius policy.conf': @@ -428,37 +472,39 @@ } } - logrotate::rule { 'radacct': - path => "${freeradius::fr_logpath}/radacct/*/*.log", - rotate_every => 'day', - rotate => 7, - create => false, - missingok => true, - compress => true, - postrotate => "kill -HUP `cat ${freeradius::fr_pidfile}`", - sharedscripts => true, - } - - logrotate::rule { 'checkrad': - path => "${freeradius::fr_logpath}/checkrad.log", - rotate_every => 'week', - rotate => 1, - create => true, - missingok => true, - compress => true, - postrotate => "kill -HUP `cat ${freeradius::fr_pidfile}`", - sharedscripts => true, - } - - logrotate::rule { 'radiusd': - path => "${freeradius::fr_logpath}/radius*.log", - rotate_every => 'week', - rotate => 26, - create => true, - missingok => true, - compress => true, - postrotate => "kill -HUP `cat ${freeradius::fr_pidfile}`", - sharedscripts => true, + if $manage_logrotate { + logrotate::rule { 'radacct': + path => "${freeradius::fr_logpath}/radacct/*/*.log", + rotate_every => 'day', + rotate => 7, + create => false, + missingok => true, + compress => true, + postrotate => "kill -HUP `cat ${freeradius::fr_pidfile}`", + sharedscripts => true, + } + + logrotate::rule { 'checkrad': + path => "${freeradius::fr_logpath}/checkrad.log", + rotate_every => 'week', + rotate => 1, + create => true, + missingok => true, + compress => true, + postrotate => "kill -HUP `cat ${freeradius::fr_pidfile}`", + sharedscripts => true, + } + + logrotate::rule { 'radiusd': + path => "${freeradius::fr_logpath}/radius*.log", + rotate_every => 'week', + rotate => 26, + create => true, + missingok => true, + compress => true, + postrotate => "kill -HUP `cat ${freeradius::fr_pidfile}`", + sharedscripts => true, + } } # Placeholder resource for dh and random as they are dynamically generated, so they diff --git a/manifests/listen.pp b/manifests/listen.pp index e73d2f25..352f3a00 100644 --- a/manifests/listen.pp +++ b/manifests/listen.pp @@ -1,30 +1,21 @@ # == Define freeradius::listen # define freeradius::listen ( - Freeradius::Ensure $ensure = 'present', - Enum['auth','acct','proxy','detail','status','coa'] $type = 'auth', - Optional[String] $ip = undef, - Optional[String] $ip6 = undef, - Integer $port = 0, - Optional[String] $interface = undef, - Optional[String] $virtual_server = undef, - Array[String] $clients = [], - Integer $max_connections = 16, - Integer $lifetime = 0, - Integer $idle_timeout = 30, + Freeradius::Ensure $ensure = 'present', + Enum['auth','acct','proxy','detail','status','coa'] $type = 'auth', + Optional[Variant[Stdlib::IP::Address::V4, Enum['*']]] $ip = undef, + Optional[Variant[Stdlib::IP::Address::V6, Enum['*']]] $ip6 = undef, + Integer $port = 0, + Optional[String] $interface = undef, + Optional[String] $virtual_server = undef, + Array[String] $clients = [], + Integer $max_connections = 16, + Integer $lifetime = 0, + Integer $idle_timeout = 30, ) { $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group - # Parameter validation - if $ip and $ip != '*' and !is_ip_address($ip) { - fail('ip must be a valid IP address or \'*\'') - } - - if $ip6 and $ip6 != '::' and !is_ip_address($ip6) { - fail('ip6 must be a valid IP address or \'::\'') - } - if $ip and $ip6 { fail('Only one of ip or ip6 can be used') } diff --git a/manifests/params.pp b/manifests/params.pp index c584c77f..c4e7ef8f 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -188,4 +188,9 @@ # Default radsniff pid file location $fr_radsniff_pidfile = "/var/run/${fr_service}/radsniff.pid" + + $manage_logrotate = $::osfamily ? { + 'Debian' => false, + default => true, + } } diff --git a/manifests/site.pp b/manifests/site.pp index b1b351a5..16a132b1 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -43,6 +43,6 @@ file { "freeradius sites-enabled/${name}": ensure => $ensure_link, path => "${fr_basepath}/sites-enabled/${name}", - target => "${fr_basepath}/sites-available/${name}", + target => "../sites-available/${name}", } } diff --git a/metadata.json b/metadata.json index 8025bcae..4154c522 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "jgazeley-freeradius", - "version": "3.9.2", + "version": "4.0.0", "author": "jgazeley", "summary": "Install and configure FreeRADIUS", "license": "Apache-2.0", @@ -10,11 +10,11 @@ "dependencies": [ { "name": "puppetlabs/stdlib", - "version_requirement": ">=4.25.0 <10.0.0" + "version_requirement": ">=5.0.0 <10.0.0" }, { "name": "puppetlabs/firewall", - "version_requirement": ">=1.0.0 <7.0.0" + "version_requirement": ">=7.0.0 <9.0.0" }, { "name": "saz/rsyslog", diff --git a/spec/defines/client_spec.rb b/spec/defines/client_spec.rb index fcf8c73f..f234d7ab 100644 --- a/spec/defines/client_spec.rb +++ b/spec/defines/client_spec.rb @@ -85,8 +85,9 @@ is_expected.to contain_firewall('100 test 1234 v4') .with_proto('udp') .with_dport(1234) - .with_action('accept') + .with_jump('ACCEPT') .with_source('1.2.3.4') + .with_protocol('IPv4') end context 'with ipv6' do @@ -102,9 +103,9 @@ is_expected.to contain_firewall('100 test 1234 v6') .with_proto('udp') .with_dport(1234) - .with_action('accept') + .with_jump('ACCEPT') .with_source('2001:db8::100') - .with_provider('ip6tables') + .with_protocol('IPv6') end end end @@ -120,7 +121,7 @@ is_expected.to contain_firewall('100 test 1234,4321 v4') .with_proto('udp') .with_dport([1234, 4321]) - .with_action('accept') + .with_jump('ACCEPT') .with_source('1.2.3.4') end @@ -137,9 +138,9 @@ is_expected.to contain_firewall('100 test 1234,4321 v6') .with_proto('udp') .with_dport([1234, 4321]) - .with_action('accept') + .with_jump('ACCEPT') .with_source('2001:db8::100') - .with_provider('ip6tables') + .with_protocol('IPv6') end end end diff --git a/spec/defines/site_spec.rb b/spec/defines/site_spec.rb index 0f08c415..72dec9e1 100644 --- a/spec/defines/site_spec.rb +++ b/spec/defines/site_spec.rb @@ -29,6 +29,6 @@ is_expected.to contain_file('freeradius sites-enabled/test') .with_path('/etc/raddb/sites-enabled/test') .with_ensure('link') - .with_target('/etc/raddb/sites-available/test') + .with_target('../sites-available/test') end end diff --git a/templates/radiusd.conf.erb b/templates/radiusd.conf.erb index 3d715654..87e8614e 100644 --- a/templates/radiusd.conf.erb +++ b/templates/radiusd.conf.erb @@ -574,7 +574,7 @@ security { # and may not reflect patches applied to libssl by # distribution maintainers. # - allow_vulnerable_openssl = yes + allow_vulnerable_openssl = <%= @allow_vulnerable_openssl%> } # PROXY CONFIGURATION diff --git a/templates/trigger.conf.erb b/templates/trigger.conf.erb new file mode 100644 index 00000000..59b8956f --- /dev/null +++ b/templates/trigger.conf.erb @@ -0,0 +1,310 @@ +# -*- text -*- +## +## trigger.conf -- Events in the server can trigger a hook to be executed. +## +## $Id: 413a182eec6a193ef8ffd284295e181962265395 $ + +# +# The triggers are named as "type.subtype.value". These names refer +# to subsections and then configuration items in the "trigger" +# section below. When an event occurs, the trigger is executed. The +# trigger is simply a program that is run, with optional arguments. +# +# The server does not wait when a trigger is executed. It is simply +# a "one-shot" event that is sent. +# +# The trigger names should be self-explanatory. +# + +# +# SNMP configuration. +# +# For now, this is only for SNMP traps. +# +# They are enabled by uncommenting (or adding) "$INCLUDE trigger.conf" +# in the main "radiusd.conf" file. +# +# The traps *REQUIRE* that the files in the "mibs" directory be copied +# to the global mibs directory, usually /usr/share/snmp/mibs/. +# If this is not done, the "snmptrap" program has no idea what information +# to send, and will not work. The MIB installation is *NOT* done as +# part of the default installation, so that step *MUST* be done manually. +# +# The global MIB directory can be found by running the following command: +# +# snmptranslate -Dinit_mib .1.3 2>&1 | grep MIBDIR | sed "s/' .*//;s/.* '//;s/.*://" +# +# Or maybe just: +# +# snmptranslate -Dinit_mib .1.3 2>&1 | grep MIBDIR +# +# If you have copied the MIBs to that directory, you can test the +# FreeRADIUS MIBs by running the following command: +# +# snmptranslate -m +FREERADIUS-NOTIFICATION-MIB -IR -On serverStart +# +# It should print out: +# +# .1.3.6.1.4.1.11344.4.1.1 +# +# As always, run the server in debugging mode after enabling the +# traps. You will see the "snmptrap" command being run, and it will +# print out any errors or issues that it encounters. Those need to +# be fixed before running the server in daemon mode. +# +# We also suggest running in debugging mode as the "radiusd" user, if +# you have "user/group" set in radiusd.conf. The "snmptrap" program +# may behave differently when run as "root" or as the "radiusd" user. +# +snmp { + # + # Configuration for SNMP traps / notifications + # + # To disable traps, edit "radiusd.conf", and delete the line + # which says "$INCUDE trigger.conf" + # + trap { + # + # Absolute path for the "snmptrap" command, and + # default command-line arguments. + # + # You can disable traps by changing the command to + # "/bin/echo". + # + <%- if @snmp_traps_enable == 'enable' -%> + cmd = "/usr/bin/snmptrap -v2c" + <%- else -%> + cmd = "/bin/echo" + <%- end -%> + + # + # Community string + # + community = "<%= @snmp_traps_community %>" + + # + # Agent configuration. + # + agent = "<%= @snmp_traps_dest %> ''" + } +} + +# +# The "snmptrap" configuration defines the full command used to run the traps. +# +# This entry should not be edited. Instead, edit the "trap" section above. +# +snmptrap = "${snmp.trap.cmd} -c ${snmp.trap.community} ${snmp.trap.agent} FREERADIUS-NOTIFICATION-MIB" + +# +# The individual triggers are defined here. You can disable one by +# deleting it, or by commenting it out. You can disable an entire +# section of traps by deleting the section. +# +# The entries below should not be edited. For example, the double colons +# *must* immediately follow the ${snmptrap} reference. Adding a space +# before the double colons will break all SNMP traps. +# +# However... the traps are just programs which are run when +# particular events occur. If you want to replace a trap with +# another program, you can. Just edit the definitions below, so that +# they run a program of your choice. +# +# For example, you can leverage the "start/stop" triggers to run a +# program when the server starts, or when it stops. But that will +# prevent the start/stop SNMP traps from working, of course. +# +trigger { + # + # Events in the server core + # + server { + # the server has just started + <% unless @snmp_traps.include?('server_start') %> + # <% end %>start = "${snmptrap}::serverStart" + + + + # the server is about to stop + <% unless @snmp_traps.include?('server_stop') %> + # <% end %>stop = "${snmptrap}::serverStop" + + # The "max_requests" condition has been reached. + # This will trigger only once per 60 seconds. + <% unless @snmp_traps.include?('server_max_requests') %> + # <% end %>max_requests = "${snmptrap}::serverMaxRequests" + + # For events related to clients + client { + # Added a new dynamic client + <% unless @snmp_traps.include?('server_client_add') %> + # <% end %>add = "/path/to/file %{Packet-Src-IP-Address}" + + # There is no event for when dynamic clients expire + } + + # Events related to signals received. + signal { + # a HUP signal + <% unless @snmp_traps.include?('server_signal_hup') %> + # <% end %>hup = "${snmptrap}::signalHup" + + # a TERM signal + <% unless @snmp_traps.include?('server_signal_term') %> + # <% end %>term = "${snmptrap}::signalTerm" + } + + + # Events related to the thread pool + thread { + # A new thread has been started + <% unless @snmp_traps.include?('server_thread_start') %> + # <% end %>start = "${snmptrap}::threadStart" + + # an existing thread has been stopped + <% unless @snmp_traps.include?('server_thread_stop') %> + # <% end %>stop = "${snmptrap}::threadStop" + + # an existing thread is unresponsive + <% unless @snmp_traps.include?('server_thread_Unresponsive') %> + # <% end %>unresponsive = "${snmptrap}::threadUnresponsive" + + # the "max_threads" limit has been reached + <% unless @snmp_traps.include?('server_thread_max_threads') %> + # <% end %>max_threads = "${snmptrap}::threadMaxThreads" + } + } + + # When a home server changes state. + # These traps are edge triggered. + home_server { + # common arguments: IP, port, identifier + args = "radiusAuthServerAddress a %{proxy-request:Packet-Dst-IP-Address} radiusAuthClientServerPortNumber i %{proxy-request:Packet-Dst-Port} radiusAuthServIdent s '%{home_server:instance}'" + + # The home server has been marked "alive" + <% unless @snmp_traps.include?('home_server_alive') %> + # <% end %>alive = "${snmptrap}::homeServerAlive ${args}" + + # The home server has been marked "zombie" + <% unless @snmp_traps.include?('home_server_zombie') %> + # <% end %>zombie = "${snmptrap}::homeServerZombie ${args}" + + # The home server has been marked "dead" + <% unless @snmp_traps.include?('home_server_dead') %> + # <% end %>dead = "${snmptrap}::homeServerDead ${args}" + } + + # When a pool of home servers changes state. + home_server_pool { + # common arguments + args = "radiusdConfigName s %{home_server:instance}" + + # It has reverted to "normal" mode, where at least one + # home server is alive. + <% unless @snmp_traps.include?('home_server_pool_normal') %> + # <% end %>normal = "${snmptrap}::homeServerPoolNormal ${args}" + + # It is in "fallback" mode, with all home servers "dead" + <% unless @snmp_traps.include?('home_server_pool_fallback') %> + # <% end %>fallback = "${snmptrap}::homeServerPoolFallback ${args}" + } + + # Triggers for specific modules. These are NOT in the module + # configuration because they are global to all instances of the + # module. You can have module-specific triggers, by placing a + # "trigger" subsection in the module configuration. + modules { + # Common arguments + args = "radiusdModuleInstance s ''" + + # The files module + files { + # Common arguments + args = "radiusdModuleName s files ${..args}" + + # The module has been HUP'd via radmin + <% unless @snmp_traps.include?('server_files_module_hup') %> + # <% end %>hup = "${snmptrap}::serverModuleHup ${args}" + + # Note that "hup" can be used for every module + # which can be HUP'd via radmin + } + + # The LDAP module + # If the server does "bind as user", it will open and close + # an LDAP connection ofr every "bind as user". Be aware that + # this will likely produce a lot of triggers. + ldap { + # Common arguments + args = "radiusdModuleName s ldap ${..args}" + + # A new connection to the DB has been opened + <% unless @snmp_traps.include?('server_ldap_module_connection_up') %> + # <% end %>open = "${snmptrap}::serverModuleConnectionUp ${args}" + + # A connection to the DB has been closed + <% unless @snmp_traps.include?('server_ldap_module_connection_down') %> + # <% end %>close = "${snmptrap}::serverModuleConnectionDown ${args}" + + # The module has been HUP'd via radmin + <% unless @snmp_traps.include?('server_ldap_module_hup') %> + # <% end %>hup = "${snmptrap}::serverModuleHup ${args}" + } + + # The SQL module + sql { + # Common arguments + args = "radiusdModuleName s sql ${..args}" + + # A new connection to the DB has been opened + <% unless @snmp_traps.include?('server_sql_module_connection_up') %> + # <% end %>open = "${snmptrap}::serverModuleConnectionUp ${args}" + + # A connection to the DB has been closed + <% unless @snmp_traps.include?('server_sql_module_connection_close') %> + # <% end %>close = "${snmptrap}::serverModuleConnectionDown ${args}" + + # Failed to open a new connection to the DB + <% unless @snmp_traps.include?('server_sql_module_connection_fail') %> + # <% end %>fail = "${snmptrap}::serverModuleConnectionFail ${args}" + + # The module has been HUP'd via radmin + <% unless @snmp_traps.include?('server_sql_module_hup') %> + # <% end %>hup = "${snmptrap}::serverModuleHup ${args}" + } + + # You can also use connection pool's start/stop/open/close triggers + # for any module which uses the "pool" section, here and under + # pool.trigger in module configuration. + } +} + +# +# The complete list of triggers as generated from the source code is below. +# +# These are the ONLY traps which are generated. You CANNOT add new traps +# by defining them in one of the sections above. New traps can be created +# only by edited both the source code to the server, *and* the MIBs. +# If you are not an expert in C and SNMP, then adding new traps will be +# difficult to create. +# +# home_server.alive +# home_server.dead +# home_server.zombie +# home_server_pool.fallback +# home_server_pool.normal +# modules.*.hup +# modules.ldap.timeout +# modules.sql.close +# modules.sql.fail +# modules.sql.open +# server.client.add +# server.max_requests +# server.signal.hup +# server.signal.term +# server.start +# server.stop +# server.thread.max_threads +# server.thread.start +# server.thread.stop +# server.thread.unresponsive