jlambert121 · mgeggie-uber · Feb 26, 2016 · Feb 26, 2016 · Feb 26, 2016 · Mar 3, 2016
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -11,6 +11,10 @@
   String                                       $puppetmaster      = $::puppet::params::puppetmaster,
 
   # Server
+  String                                       $autosign          = $::puppet::params::autosign,
+  Boolean                                      $autosign_runnable = $::puppet::params::autosign_runnable,
+  Optional[Array[String]]                      $autosign_list     = $::puppet::params::autosign_list,
+  Optional[String]                             $autosign_script   = $::puppet::params::autosign_script,
   Optional[Array[String]]                      $dns_alt_names     = $::puppet::params::dns_alt_names,
   Optional[Hash[String, Hash[String, String]]] $fileserver_conf   = $::puppet::params::fileserver_conf,
   Boolean                                      $manage_hiera      = $::puppet::params::manage_hiera,
@@ -41,19 +45,31 @@
     fail('Puppet: fileserver_conf must be a of hash of mountpoints')
   }
 
+  if $autosign_runnable == true and $autosign_script == '' {
+    fail('Puppet: autosign_runnable requires autosign_script')
+  }
+
+  if is_array($autosign_list) and !empty($autosign_list) and $autosign_script != '' {
+    fail('Puppet: autosign_list and autosign_script can not both be specified')
+  }
+
   if ( $agent or $server ) {
     $ensure = 'present'
   } else {
     $ensure = 'absent'
   }
 
+  if ($server and $runmode == 'service') {
+    Service['puppetserver'] -> Service['puppet']
+  }
+
   class { '::puppet::common': }
 
-  class { '::puppet::agent':
+  class { '::puppet::server':
     require => Class['puppet::common'],
   } ->
 
-  class { '::puppet::server':
+  class { '::puppet::agent':
     require => Class['puppet::common'],
   }
 

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -9,6 +9,10 @@
   $environment = undef
   $puppetmaster = "puppet.${::domain}"
 
+  $autosign = '/etc/puppetlabs/puppet/autosign.conf'
+  $autosign_runnable = false
+  $autosign_list     = []
+  $autosign_script   = ''
   $dns_alt_names = undef
   $fileserver_conf = undef
   $manage_hiera = true

diff --git a/manifests/server/config.pp b/manifests/server/config.pp
@@ -1,24 +1,28 @@
 # document me
 class puppet::server::config (
-  $ca_enabled      = $::puppet::server_ca_enabled,
-  $config_dir      = $::puppet::params::server_config_dir,
-  $dns_alt_names   = $::puppet::dns_alt_names,
-  $fileserver      = $::puppet::fileserver_conf,
-  $manage_hiera    = $::puppet::manage_hiera,
-  $hiera_source    = $::puppet::hiera_source,
-  $java_opts       = $::puppet::server_java_opts,
-  $log_dir         = $::puppet::server_log_dir,
-  $log_file        = $::puppet::server_log_file,
-  $server          = $::puppet::server,
-  $runinterval     = $::puppet::runinterval,
-  $puppetdb        = $::puppet::puppetdb,
-  $puppetdb_port   = $::puppet::puppetdb_port,
-  $puppetdb_server = $::puppet::puppetdb_server,
-  $manage_puppetdb = $::puppet::manage_puppetdb,
-  $reports         = $::puppet::server_reports,
-  $firewall        = $::puppet::firewall,
-  $jruby_instances = $::puppet::jruby_instances,
-  $use_legacy_auth = $::puppet::use_legacy_auth,
+  $autosign          = $::puppet::autosign,
+  $autosign_runnable = $::puppet::autosign_runnable,
+  $autosign_list     = $::puppet::autosign_list,
+  $autosign_script   = $::puppet::autosign_script,
+  $ca_enabled        = $::puppet::server_ca_enabled,
+  $config_dir        = $::puppet::params::server_config_dir,
+  $dns_alt_names     = $::puppet::dns_alt_names,
+  $fileserver        = $::puppet::fileserver_conf,
+  $manage_hiera      = $::puppet::manage_hiera,
+  $hiera_source      = $::puppet::hiera_source,
+  $java_opts         = $::puppet::server_java_opts,
+  $log_dir           = $::puppet::server_log_dir,
+  $log_file          = $::puppet::server_log_file,
+  $server            = $::puppet::server,
+  $runinterval       = $::puppet::runinterval,
+  $puppetdb          = $::puppet::puppetdb,
+  $puppetdb_port     = $::puppet::puppetdb_port,
+  $puppetdb_server   = $::puppet::puppetdb_server,
+  $manage_puppetdb   = $::puppet::manage_puppetdb,
+  $reports           = $::puppet::server_reports,
+  $firewall          = $::puppet::firewall,
+  $jruby_instances   = $::puppet::jruby_instances,
+  $use_legacy_auth   = $::puppet::use_legacy_auth,
 ) {
 
   $file_ensure = $server ? {
@@ -103,6 +107,22 @@
     }
   }
 
+  if ( $autosign_runnable ) {
+    $autosign_mode    = '0550'
+    $autosign_content = $autosign_script
+  }
+  else {
+    $autosign_mode = '0440'
+    $autosign_content = join($autosign_list, '\n')
+  }
+
+  if ($server and ($autosign_list != [] or $autosign_script != '' )) {
+    file { $autosign:
+      content => $autosign_content,
+      mode    => $autosign_mode,
+    }
+  }
+
   if ( $server and $fileserver ) {
     # Template uses
     # - $fileserver

diff --git a/spec/classes/puppet_init_spec.rb b/spec/classes/puppet_init_spec.rb
@@ -32,6 +32,36 @@
       it { expect { should create_class('puppet') }.to raise_error(/expects a match for Enum/) }
     end
 
+    context 'bad autosign' do
+      let(:params) { { :autosign => false } }
+      it { expect { should create_class('puppet') }.to raise_error(/expects a String value/) }
+    end
+
+    context 'bad autosign_runnable' do
+      let(:params) { { :autosign_runnable => 'breakme' } }
+      it { expect { should create_class('puppet') }.to raise_error(/expects a Boolean value/) }
+    end
+
+    context 'bad autosign_list' do
+      let(:params) { { :autosign_list => 'breakme' } }
+      it { expect { should create_class('puppet') }.to raise_error(/expects an Array value/) }
+    end
+
+    context 'bad autosign_script' do
+      let(:params) { { :autosign_script => false } }
+      it { expect { should create_class('puppet') }.to raise_error(/expects a String value/) }
+    end
+
+    context 'autosign_runnable, no autosign_script' do
+      let(:params) { { :autosign_runnable => true } }
+      it { expect { should create_class('puppet')}.to raise_error(/requires autosign_script/) }
+    end
+
+    context 'autosign_list, autosign_script' do
+      let(:params) { { :autosign_list => ["blah", "blah"], :autosign_script => '/bin/false' } }
+      it { expect { should create_class('puppet')}.to raise_error(/autosign_list and autosign_script/) }
+    end
+
     context 'bad hiera_source' do
       let(:params) { { :hiera_source => 'breakme' } }
       it { expect { should create_class('puppet') }.to raise_error(/expects a match for Pattern/) }

diff --git a/spec/classes/puppet_server_config_spec.rb b/spec/classes/puppet_server_config_spec.rb
@@ -69,6 +69,16 @@
       it { should contain_file('/etc/sysconfig/puppetserver').with(:content => /JAVA_ARGS="blah"/) }
     end
 
+    context 'set autosign list' do
+      let(:pre_condition) { 'class { "puppet": server => true, autosign_list => [ "blah", "blah2" ] }'}
+      it { should contain_file('/etc/puppetlabs/puppet/autosign.conf').with(:content => /blah\\nblah2/, :mode => '0440') }
+    end
+
+    context 'set autosign script' do
+      let(:pre_condition) { 'class { "puppet": server => true, autosign_runnable => true, autosign_script => "/bin/false" }'}
+      it { should contain_file('/etc/puppetlabs/puppet/autosign.conf').with(:content => "/bin/false", :mode => '0550') }
+    end
+
     context 'set disable ca' do
       let(:pre_condition) { 'class { "puppet": server => true, server_ca_enabled => false }'}
       it { should_not contain_file('/etc/puppetlabs/puppetserver/bootstrap.cfg').with(:content => /puppetlabs\.services\.ca\.certificate\-authority\-service\/certificate\-authority\-service/) }

diff --git a/templates/puppet.master.erb b/templates/puppet.master.erb
@@ -6,6 +6,7 @@
   codedir = /etc/puppetlabs/code
 
   always_cache_features = true
+  autosign = <%= @autosign %>
   ca = <%= @ca_enabled %>
 <% if @dns_alt_names && @dns_alt_names.length > 0-%>
   dns_alt_names = <%= @dns_alt_names.join(', ') %>

diff --git a/templates/server/puppetserver.sysconfig.erb b/templates/server/puppetserver.sysconfig.erb
@@ -6,3 +6,5 @@ INSTALL_DIR="/opt/puppetlabs/server/apps/puppetserver"
 JARFILE="server/apps/puppetserver/puppet-server-release.jar"
 CONFIG="/etc/puppetlabs/puppetserver/conf.d"
 BOOTSTRAP_CONFIG="/etc/puppetlabs/puppetserver/bootstrap.cfg"
+USER="puppet"
+GROUP="puppet"