From fa36a5f1c1830a56a1ded0413b990ae75967c201 Mon Sep 17 00:00:00 2001
From: Ryan Rotter
Date: Thu, 16 Jan 2025 18:18:28 -0500
Subject: [PATCH] don't require two-factor for sudo

- remove check for historical duo-unix package
- don't modify /etc/pam.d/sudo
- revert /etc/pam.d/sudo to default state on each supported disro
- this should be removed after all hosts are reverted
---
 manifests/profile/duo.pp | 22 +++++-----------------
 spec/classes/profile/duo_spec.rb | 7 ++-----
 2 files changed, 7 insertions(+), 22 deletions(-)

diff --git a/manifests/profile/duo.pp b/manifests/profile/duo.pp
index 9f8c734e2..416441753 100644
--- a/manifests/profile/duo.pp
+++ b/manifests/profile/duo.pp
@@ -26,23 +26,11 @@
 'libpam-duo'
 ])
 
- package { 'duo-unix':
- ensure => absent
- }
-
- ['sudo'].each |$pamfile| {
- file_line { "/etc/pam.d/${pamfile}: pam_duo":
- path => "/etc/pam.d/${pamfile}",
- line => 'auth required pam_duo.so',
- after => '^@include common-auth',
- require => Package['sudo', 'libpam-duo'],
- }
-
- file_line { "/etc/pam.d/${pamfile}: remove /lib64/security/pam_duo":
- ensure => absent,
- path => "/etc/pam.d/${pamfile}",
- line => 'auth required /lib64/security/pam_duo.so'
- }
+ # Replace default /etc/pam.d/sudo
+ # This is only here to eliminate previous customizations
+ # Remove after January 2025
+ file { '/etc/pam.d/sudo':
+ source => "puppet:///modules/nebula/default/${facts['os']['distro']['codename']}/etc/pam.d/sudo",
 }
 
 concat_fragment { '/etc/pam.d/sshd: pam_duo':
diff --git a/spec/classes/profile/duo_spec.rb b/spec/classes/profile/duo_spec.rb
index d605bbe2c..06c31c4de 100644
--- a/spec/classes/profile/duo_spec.rb
+++ b/spec/classes/profile/duo_spec.rb
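Review bot: The added `file { '/etc/pam.d/sudo': }` resource sets only `source`, so the owner, group and mode of this PAM file are not pinned by the manifest; adding `owner => 'root', group => 'root', mode => '0644',` would make the reverted state explicit and auditable. The source path interpolates `${facts['os']['distro']['codename']}` with no guard visible in the hunk, so a host whose codename has no file under `modules/nebula/default/` would presumably fail on this resource; it is worth confirming that every supported release ships a copy. Because the `pam_duo.so` line is dropped from sudo while the `concat_fragment` for sshd stays, the new comment could also record that this is deliberate, for example `# sudo intentionally no longer uses pam_duo`, so the line is not re-added later as drift. The enclosing class body starts and ends outside the hunk.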
@@ -24,11 +24,8 @@ def contain_pam_duo
 end
 
 it do
- expect(subject).to contain_file_line("/etc/pam.d/sudo: pam_duo")
- .with_path("/etc/pam.d/sudo")
- .with_line("auth required pam_duo.so")
- .with_after("^@include common-auth")
- .that_requires(["Package[sudo]", "Package[libpam-duo]"])
+ expect(subject).to contain_file("/etc/pam.d/sudo")
+ .with_source("puppet:///modules/nebula/default/#{facts[:os]["distro"]["codename"]}/etc/pam.d/sudo")
 end
 
 it do
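Review bot: The rewritten example asserts only the `source` of `/etc/pam.d/sudo`, and nothing checks that the old `file_line` resources are gone, so a catalog that manages the file both ways would still pass. Adding `expect(subject).not_to contain_file_line("/etc/pam.d/sudo: pam_duo")` would pin the intent of the change. If the manifest gains `owner`, `group` and `mode` for this PAM file, they belong in the same `contain_file` chain. The final `it do` in the hunk opens an example whose body lies outside the hunk.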