forked from theforeman/puppet-foreman
-
Notifications
You must be signed in to change notification settings - Fork 0
/
foreman_config_ipa_spec.rb
66 lines (52 loc) · 2.29 KB
/
foreman_config_ipa_spec.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
require 'spec_helper'
describe 'foreman' do
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) { facts.merge(interfaces: '') }
let(:params) { { ipa_authentication: true } }
keytab_path = facts[:osfamily] == 'RedHat' ? '/etc/httpd/conf/http.keytab' : '/etc/apache2/http.keytab'
describe 'without apache' do
let(:params) { super().merge(apache: false) }
it { should raise_error(Puppet::Error, /External authentication via IPA can only be enabled when Apache is used/) }
end
context 'with apache' do
let(:params) { super().merge(apache: true) }
describe 'enrolled system' do
let(:facts) do
super().merge(
foreman_sssd: {
services: ['ifp']
}
)
end
it { should contain_exec('ipa-getkeytab') }
it { should contain_class('apache::mod::authnz_pam') }
it { should contain_class('apache::mod::intercept_form_submit') }
it { should contain_class('apache::mod::lookup_identity') }
it { should contain_class('apache::mod::auth_gssapi') }
it 'should contain Apache fragments' do
should contain_foreman__config__apache__fragment('intercept_form_submit')
.with_ssl_content(/^\s*InterceptFormPAMService foreman$/)
should contain_foreman__config__apache__fragment('lookup_identity')
should contain_foreman__config__apache__fragment('auth_gssapi')
.with_ssl_content(%r{^\s*GssapiCredStore keytab:#{keytab_path}$})
.with_ssl_content(/^\s*require pam-account foreman$/)
end
context 'with SELinux' do
let(:facts) { override_facts(super(), os: {'selinux' => {'enabled' => selinux}}) }
context 'enabled' do
let(:selinux) { true }
it { should contain_selboolean('allow_httpd_mod_auth_pam') }
it { should contain_selboolean('httpd_dbus_sssd') }
end
context 'disabled' do
let(:selinux) { false }
it { should_not contain_selboolean('allow_httpd_mod_auth_pam') }
it { should_not contain_selboolean('httpd_dbus_sssd') }
end
end
end
end
end
end
end