Manage DNF module for mod_auth_openidc

ekohl · ekohl · commit 8417c0b123ad · 2022-08-10T13:57:26.000+02:00
On EL 8 mod_auth_openidc is in a DNF module that must be enabled.
Otherwise the package is uninstallable. This is verified by adding an
acceptance test for the class.

The inheritance on apache::params is removed since it was redundant.
That is only needed if a class parameter uses apache::params.

$oidc_settings on apache::vhost is changed to have a default. The
template expects one and With that it's impossible to miscompile. The
alternative is to implement a fail() inside the code if it is empty, but
this provides some safety.
diff --git a/manifests/mod/auth_openidc.pp b/manifests/mod/auth_openidc.pp
@@ -1,11 +1,30 @@
 # @summary
 #   Installs and configures `mod_auth_openidc`.
-# 
+#
+# @param manage_dnf_module Whether to manage the DNF module
+# @param dnf_module_ensure The DNF module name to ensure. Only relevant if manage_dnf_module is set to true.
+# @param dnf_module_name The DNF module name to manage. Only relevant if manage_dnf_module is set to true.
+#
 # @see https://github.com/zmartzone/mod_auth_openidc for additional documentation.
+# @note Unsupported platforms: OracleLinux: 6; RedHat: 6; Scientific: 6; SLES: all
 #
-class apache::mod::auth_openidc inherits apache::params {
+class apache::mod::auth_openidc (
+  Boolean $manage_dnf_module = $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '8',
+  String[1] $dnf_module_ensure = 'present',
+  String[1] $dnf_module_name = 'mod_auth_openidc',
+) {
   include apache
   include apache::mod::authn_core
   include apache::mod::authz_user
+
   apache::mod { 'auth_openidc': }
+
+  if $manage_dnf_module {
+    package { 'dnf-module-mod_auth_openidc':
+      ensure   => $dnf_module_ensure,
+      name     => $dnf_module_name,
+      provider => 'dnfmodule',
+      before   => Apache::Mod['auth_openidc'],
+    }
+  }
 }
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
@@ -1945,7 +1945,7 @@
   Optional[Variant[String, Array[String]]] $comment                                   = undef,
   Hash $define                                                                        = {},
   Boolean $auth_oidc                                                                  = false,
-  Optional[Apache::OIDCSettings] $oidc_settings                                       = undef,
+  Apache::OIDCSettings $oidc_settings                                                 = {},
   Optional[Variant[Boolean, String]] $mdomain                                         = undef,
   Optional[Variant[String[1], Array[String[1]]]] $userdir                             = undef,
 ) {
diff --git a/spec/acceptance/auth_openidc_spec.rb b/spec/acceptance/auth_openidc_spec.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+
+describe 'apache::mod::auth_openidc', if: mod_supported_on_platform?('apache::mod::auth_openidc') do
+  pp = <<-MANIFEST
+    include apache
+    apache::vhost { 'example.com':
+      docroot       => '/var/www/example.com',
+      port          => 80,
+      auth_oidc     => true,
+      oidc_settings => {
+        'ProviderMetadataURL'       => 'https://login.example.com/.well-known/openid-configuration',
+        'ClientID'                  => 'test',
+        'RedirectURI'               => 'https://login.example.com/redirect_uri',
+        'ProviderTokenEndpointAuth' => 'client_secret_basic',
+        'RemoteUserClaim'           => 'sub',
+        'ClientSecret'              => 'aae053a9-4abf-4824-8956-e94b2af335c8',
+        'CryptoPassphrase'          => '4ad1bb46-9979-450e-ae58-c696967df3cd',
+       },
+    }
+  MANIFEST
+
+  it 'succeeds in configuring a virtual host using mod_auth_openidc' do
+    apply_manifest(pp, catch_failures: true)
+  end
+
+  it 'is idempotent' do
+    apply_manifest(pp, catch_changes: true)
+  end
+end
diff --git a/spec/classes/mod/auth_openidc_spec.rb b/spec/classes/mod/auth_openidc_spec.rb
@@ -9,29 +9,43 @@
     context 'on a Debian OS', :compile do
       include_examples 'Debian 11'
 
-      it { is_expected.to contain_class('apache::params') }
       it { is_expected.to contain_class('apache::mod::authn_core') }
       it { is_expected.to contain_class('apache::mod::authz_user') }
       it { is_expected.to contain_apache__mod('auth_openidc') }
       it { is_expected.to contain_package('libapache2-mod-auth-openidc') }
+      it { is_expected.not_to contain_package('dnf-module-mod_auth_openidc') }
     end
-    context 'on a RedHat OS', :compile do
-      include_examples 'RedHat 6'
+    context 'on RedHat 7', :compile do
+      include_examples 'RedHat 7'
 
-      it { is_expected.to contain_class('apache::params') }
       it { is_expected.to contain_class('apache::mod::authn_core') }
       it { is_expected.to contain_class('apache::mod::authz_user') }
       it { is_expected.to contain_apache__mod('auth_openidc') }
       it { is_expected.to contain_package('mod_auth_openidc') }
+      it { is_expected.not_to contain_package('dnf-module-mod_auth_openidc') }
+    end
+    context 'on RedHat 8', :compile do
+      include_examples 'RedHat 8'
+
+      it { is_expected.to contain_class('apache::mod::authn_core') }
+      it { is_expected.to contain_class('apache::mod::authz_user') }
+      it { is_expected.to contain_apache__mod('auth_openidc') }
+      it { is_expected.to contain_package('mod_auth_openidc') }
+      it do
+        is_expected.to contain_package('dnf-module-mod_auth_openidc')
+          .with_ensure('present')
+          .with_name('mod_auth_openidc')
+          .that_comes_before('Package[mod_auth_openidc]')
+      end
     end
     context 'on a FreeBSD OS', :compile do
       include_examples 'FreeBSD 9'
 
-      it { is_expected.to contain_class('apache::params') }
       it { is_expected.to contain_class('apache::mod::authn_core') }
       it { is_expected.to contain_class('apache::mod::authz_user') }
       it { is_expected.to contain_apache__mod('auth_openidc') }
       it { is_expected.to contain_package('www/mod_auth_openidc') }
+      it { is_expected.not_to contain_package('dnf-module-mod_auth_openidc') }
     end
   end
   context 'overriding mod_packages' do
@@ -48,7 +62,6 @@ class { 'apache':
         MANIFEST
       end
 
-      it { is_expected.to contain_class('apache::params') }
       it { is_expected.to contain_class('apache::mod::authn_core') }
       it { is_expected.to contain_class('apache::mod::authz_user') }
       it { is_expected.to contain_apache__mod('auth_openidc') }
