From be3dd4fbf612223ac3183e0e8d946ba142b5c00b Mon Sep 17 00:00:00 2001
From: Pascal de Bruijn
Date: Tue, 14 Jun 2022 09:54:18 +0200
Subject: [PATCH] feat(googleauth): rhel family support
---
 users/googleauth.sls | 34 +++++++++++++++++++++++++++++++++-
 users/init.sls | 8 +++++++-
 users/map.jinja | 13 +++++++++++++
 3 files changed, 53 insertions(+), 2 deletions(-)
diff --git a/users/googleauth.sls b/users/googleauth.sls
index e03fbe5..88a1766 100644
--- a/users/googleauth.sls
+++ b/users/googleauth.sls
@@ -1,7 +1,7 @@
 # vim: sts=2 ts=2 sw=2 et ai
 {%- from "users/map.jinja" import users with context %}
 
-{%- if not grains['os_family'] in ['RedHat', 'Suse'] %}
+{%- if not grains['os_family'] in ['Suse'] %}
 users_googleauth-package:
 pkg.installed:
 - name: {{ users.googleauth_package }}
@@ -15,6 +15,27 @@ users_{{ users.googleauth_dir }}:
 - group: {{ users.root_group }}
 - mode: '0700'
 
+{%- if grains['os_family'] == 'RedHat' %}
+policycoreutils-package:
+ pkg.installed:
+ - pkgs:
+ - policycoreutils
+{%- if grains['osmajorrelease']|int <= 7 %}
+ - policycoreutils-python
+{%- else %}
+ - policycoreutils-python-utils
+{%- endif %}
+users_googleauth_selinux_present:
+ selinux.fcontext_policy_present:
+ - name: "{{ users.googleauth_dir }}(/.*)?"
+ - filetype: 'a'
+ - sel_user: unconfined_u
+ - sel_type: ssh_home_t
+ - sel_level: s0
+ - require:
+ - pkg: policycoreutils-package
+{%- endif %}
+
 {%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
 {%- if 'google_auth' in user %}
 {%- for svc in user['google_auth'] %}
@@ -33,7 +54,11 @@ users_{{ users.googleauth_dir }}:
 users_googleauth-pam-{{ svc }}-{{ name }}:
 file.replace:
 - name: /etc/pam.d/{{ svc }}
+{%- if grains['os_family'] == 'RedHat' %}
+ - pattern: '^(auth[ \t]*substack[ \t]*password-auth)'
+{%- else %}
 - pattern: '^(@include[ \t]*common-auth)'
+{%- endif %}
 - repl: '{{ repl }}\n\1'
 - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
 - backup: .bak
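Review bot: Dropping `'RedHat'` from the exclusion makes `users_googleauth-package` install `google-authenticator` (the value the map.jinja hunk adds) on RHEL-family hosts, yet that `pkg.installed` carries no requisite on the EPEL repository; the `- pkg: epel_release` require added in the third init.sls hunk sits on the per-user secret files, which do not need EPEL themselves. Unless the included `epel` formula happens to be ordered first, the package install can run before the repository is configured and fail on a fresh host. Move the requisite to the package state: under `pkg.installed:` add a `- require:` with `- pkg: epel_release`, wrapped in the same `os_family == 'RedHat'` guard, and the per-user files inherit it through their existing `- pkg: users_googleauth-package` require. The `users_googleauth-package` state continues past the end of this hunk.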
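Review bot: `sel_user: unconfined_u` in `users_googleauth_selinux_present` pins a user label on a root-owned directory under /etc where semanage would otherwise assign `system_u`, and nothing in the hunk says why; the type `ssh_home_t` is presumably the part that matters for sshd reading the secrets. If there is no reason for the user component, drop the `- sel_user: unconfined_u` line so Salt leaves it at the default, or record the reason above the state, e.g. `# ssh_home_t so the PAM stack run by sshd can read the secrets; sel_user set because <reason>`. Separately, `grains['osmajorrelease']|int <= 7` silently picks the legacy `policycoreutils-python` when the grain is absent or not numeric (`|int` falls back to 0), which deserves a one-line comment so the choice is not mistaken for an error.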
@@ -41,4 +66,11 @@ users_googleauth-pam-{{ svc }}-{{ name }}:
 {%- endfor %}
 {%- endif %}
 {%- endfor %}
+
+{%- if grains['os_family'] == 'RedHat' %}
+users_googleauth_selinux_applied:
+ selinux.fcontext_policy_applied:
+ - name: {{ users.googleauth_dir }}
+{%- endif %}
+
 {%- endif %}
diff --git a/users/init.sls b/users/init.sls
index e6727b4..78f7ec3 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -50,6 +50,9 @@ include:
 - users.sudo
 {%- endif %}
 {%- if used_googleauth %}
+{%- if grains['os_family'] == 'RedHat' %}
+ - epel
+{%- endif %}
 - users.googleauth
 {%- endif %}
 {%- if used_user_files %}
@@ -506,7 +509,7 @@ users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:
 - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
 {% endif %}
 
-{%- if not grains['os_family'] in ['RedHat', 'Suse'] %}
+{%- if not grains['os_family'] in ['Suse'] %}
 {%- if 'google_auth' in user %}
 {%- for svc in user['google_auth'] %}
 users_googleauth-{{ svc }}-{{ name }}:
@@ -518,6 +521,9 @@ users_googleauth-{{ svc }}-{{ name }}:
 - group: {{ users.root_group }}
 - mode: '0600'
 - require:
+{%- if grains['os_family'] == 'RedHat' %}
+ - pkg: epel_release
+{%- endif %}
 - pkg: users_googleauth-package
 {%- endfor %}
 {%- endif %}
diff --git a/users/map.jinja b/users/map.jinja
index f1c0772..d7123b0 100644
--- a/users/map.jinja
+++ b/users/map.jinja
@@ -30,6 +30,19 @@
 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
 'polkit_defaults': 'unix-group:sudo;'
 },
+ 'RedHat': {
+ 'sudoers_dir': '/etc/sudoers.d',
+ 'sudoers_file': '/etc/sudoers',
+ 'googleauth_dir': '/etc/google_authenticator.d',
+ 'root_group': 'root',
+ 'shell': '/bin/bash',
+ 'visudo_shell': '/bin/bash',
+ 'bash_package': 'bash',
+ 'sudo_package': 'sudo',
+ 'googleauth_package': 'google-authenticator',
+ 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+ 'polkit_defaults': 'unix-group:sudo;'
+ },
 'Gentoo': {
 'sudoers_dir': '/etc/sudoers.d',
 'sudoers_file': '/etc/sudoers',
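Review bot: `users_googleauth_selinux_applied` has no requisite on `users_googleauth_selinux_present` (second hunk of this file), so the relabel is ordered only by its position in the file and still runs if the fcontext policy state failed, applying whatever policy already exists. Add `- require:` with `- selinux: users_googleauth_selinux_present` under the state so the dependency is explicit and a failed policy step skips the relabel. If the per-user secret files created in init.sls land after this state within the same run, they presumably only pick up the context on the next highstate; a short comment noting that expectation above the state would save the next reader the investigation.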
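Review bot: The `- epel` include pulls in a formula that is not part of this repository, and the include list gives no hint of why it is needed or that it must be present on the fileserver; a reader cannot tell it exists to supply the repository for the googleauth package, which is what the `epel_release` requisite in the third hunk of this file implies. Add a one-line comment above it, e.g. `# RHEL family: google-authenticator is presumably only available from EPEL, so the external epel formula must be in the fileserver`, and mention the dependency in the README if it is not already there.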
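Review bot: The new `'RedHat'` map entry copies `'polkit_defaults': 'unix-group:sudo;'` from the Debian-style entry above it, but RHEL-family hosts delegate administration to the `wheel` group and ship no `sudo` group by default, so if this value feeds the polkit admin-identity rule it would match nobody (or an arbitrary group someone later creates under that name). Unless the formula creates a `sudo` group elsewhere for this family, the line should read `'polkit_defaults': 'unix-group:wheel;'`. The `'sudo_package'`/`'bash_package'` values look right for RHEL and need no change.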