feat(googleauth): rhel family support

unilogicbv · unilogicbv · commit 52c35201705c · 2022-06-13T15:03:50.000+02:00
diff --git a/users/googleauth.sls b/users/googleauth.sls
@@ -1,7 +1,7 @@
 # vim: sts=2 ts=2 sw=2 et ai
 {%- from "users/map.jinja" import users with context %}
 
-{%- if not grains['os_family'] in ['RedHat', 'Suse'] %}
+{%- if not grains['os_family'] in ['Suse'] %}
 users_googleauth-package:
   pkg.installed:
     - name: {{ users.googleauth_package }}
@@ -33,7 +33,11 @@ users_{{ users.googleauth_dir }}:
 users_googleauth-pam-{{ svc }}-{{ name }}:
   file.replace:
     - name: /etc/pam.d/{{ svc }}
+{%- if grains['os_family'] == 'RedHat' %}
+    - pattern: '^(auth[ \t]*substack[ \t]*password-auth)'
+{%- else %}
     - pattern: '^(@include[ \t]*common-auth)'
+{%- endif %}
     - repl: '{{ repl }}\n\1'
     - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
     - backup: .bak
diff --git a/users/init.sls b/users/init.sls
@@ -50,6 +50,9 @@ include:
   - users.sudo
 {%- endif %}
 {%- if used_googleauth %}
+{%- if grains['os_family'] == 'RedHat' %}
+  - epel
+{%- endif %}
   - users.googleauth
 {%- endif %}
 {%- if used_user_files %}
@@ -506,7 +509,28 @@ users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:
     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
 {% endif %}
 
-{%- if not grains['os_family'] in ['RedHat', 'Suse'] %}
+{%- if grains['os_family'] == 'RedHat' %}
+policycoreutils-package:
+  pkg.installed:
+    - pkgs:
+      - policycoreutils
+{%-   if grains['osmajorrelease']|int <= 7 %}
+      - policycoreutils-python
+{%-   else %}
+      - policycoreutils-python-utils
+{%-   endif %}
+users_googleauth_selinux_present:
+  selinux.fcontext_policy_present:
+    - name: "{{ users.googleauth_dir }}(/.*)?"
+    - filetype: 'a'
+    - sel_user: unconfined_u
+    - sel_type: ssh_home_t
+    - sel_level: s0
+    - require:
+        - pkg: policycoreutils-package
+{%- endif %}
+
+{%- if not grains['os_family'] in ['Suse'] %}
 {%-   if 'google_auth' in user %}
 {%-     for svc in user['google_auth'] %}
 users_googleauth-{{ svc }}-{{ name }}:
@@ -518,11 +542,20 @@ users_googleauth-{{ svc }}-{{ name }}:
     - group: {{ users.root_group }}
     - mode: '0600'
     - require:
+{%-       if grains['os_family'] == 'RedHat' %}
+      - pkg: epel_release
+{%-       endif %}
       - pkg: users_googleauth-package
 {%-     endfor %}
 {%-   endif %}
 {%- endif %}
 
+{%- if grains['os_family'] == 'RedHat' %}
+users_googleauth_selinux_applied:
+  selinux.fcontext_policy_applied:
+    - name: {{ users.googleauth_dir }}
+{%- endif %}
+
 # this doesn't work (Salt bug), therefore need to run state.apply twice
 #include:
 #  - users
diff --git a/users/map.jinja b/users/map.jinja
@@ -30,6 +30,19 @@
     'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
     'polkit_defaults': 'unix-group:sudo;'
   },
+  'RedHat': {
+    'sudoers_dir': '/etc/sudoers.d',
+    'sudoers_file': '/etc/sudoers',
+    'googleauth_dir': '/etc/google_authenticator.d',
+    'root_group': 'root',
+    'shell': '/bin/bash',
+    'visudo_shell': '/bin/bash',
+    'bash_package': 'bash',
+    'sudo_package': 'sudo',
+    'googleauth_package': 'google-authenticator',
+    'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+    'polkit_defaults': 'unix-group:sudo;'
+  },
   'Gentoo': {
     'sudoers_dir': '/etc/sudoers.d',
     'sudoers_file': '/etc/sudoers',
