lib/puppet/type/macauthorization.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166

Puppet::Type.newtype(:macauthorization) do

    @doc = "Manage the Mac OS X authorization database.
        See:
        http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Security_Services/chapter_4_section_5.html for more information."

    ensurable

    autorequire(:file) do
        ["/etc/authorization"]
    end

    def munge_boolean(value)
        case value
        when true, "true", :true
            :true
        when false, "false", :false
            :false
        else
            fail("munge_boolean only takes booleans")
        end
    end

    def munge_integer(value)
        begin
            Integer(value)
        rescue ArgumentError
            fail("munge_integer only takes integers")
        end
    end

    newparam(:name) do
        desc "The name of the right or rule to be managed.
        Corresponds to 'key' in Authorization Services. The key is the name
        of a rule. A key uses the same naming conventions as a right. The
        Security Server uses a rule’s key to match the rule with a right.
        Wildcard keys end with a ‘.’. The generic rule has an empty key value.
        Any rights that do not match a specific rule use the generic rule."

        isnamevar
    end

    newproperty(:auth_type) do
        desc "type - can be a 'right' or a 'rule'. 'comment' has not yet been
        implemented."

        newvalue(:right)
        newvalue(:rule)
        # newvalue(:comment)  # not yet implemented.
    end

    newproperty(:allow_root, :boolean => true) do
        desc "Corresponds to 'allow-root' in the authorization store, renamed
        due to hyphens being problematic. Specifies whether a right should be
        allowed automatically if the requesting process is running with
        uid == 0.  AuthorizationServices defaults this attribute to false if
        not specified"

        newvalue(:true)
        newvalue(:false)

        munge do |value|
            @resource.munge_boolean(value)
        end
    end

    newproperty(:authenticate_user, :boolean => true) do
        desc "Corresponds to 'authenticate-user' in the authorization store,
        renamed due to hyphens being problematic."

        newvalue(:true)
        newvalue(:false)

        munge do |value|
            @resource.munge_boolean(value)
        end
    end

    newproperty(:auth_class) do
        desc "Corresponds to 'class' in the authorization store, renamed due
        to 'class' being a reserved word."

        newvalue(:user)
        newvalue(:'evaluate-mechanisms')
        newvalue(:allow)
        newvalue(:deny)
        newvalue(:rule)
    end

    newproperty(:comment) do
        desc "The 'comment' attribute for authorization resources."
    end

    newproperty(:group) do
        desc "The user must authenticate as a member of this group. This
        attribute can be set to any one group."
    end

    newproperty(:k_of_n) do
        desc "k-of-n describes how large a subset of rule mechanisms must
        succeed for successful authentication. If there are 'n' mechanisms,
        then 'k' (the integer value of this parameter) mechanisms must succeed.
        The most common setting for this parameter is '1'. If k-of-n is not
        set, then 'n-of-n' mechanisms must succeed."

        munge do |value|
            @resource.munge_integer(value)
        end
    end

    newproperty(:mechanisms, :array_matching => :all) do
        desc "an array of suitable mechanisms."
    end

    newproperty(:rule, :array_matching => :all) do
        desc "The rule(s) that this right refers to."
    end

    newproperty(:session_owner, :boolean => true) do
        desc "Corresponds to 'session-owner' in the authorization store,
        renamed due to hyphens being problematic.  Whether the session owner
        automatically matches this rule or right."

        newvalue(:true)
        newvalue(:false)

        munge do |value|
            @resource.munge_boolean(value)
        end
    end

    newproperty(:shared, :boolean => true) do
        desc "If this is set to true, then the Security Server marks the
        credentials used to gain this right as shared. The Security Server
        may use any shared credentials to authorize this right. For maximum
        security, set sharing to false so credentials stored by the Security
        Server for one application may not be used by another application."

        newvalue(:true)
        newvalue(:false)

        munge do |value|
            @resource.munge_boolean(value)
        end
    end

    newproperty(:timeout) do
        desc "The credential used by this rule expires in the specified
        number of seconds. For maximum security where the user must
        authenticate every time, set the timeout to 0. For minimum security,
        remove the timeout attribute so the user authenticates only once per
        session."

        munge do |value|
            @resource.munge_integer(value)
        end
    end

    newproperty(:tries) do
        desc "The number of tries allowed."
        munge do |value|
            @resource.munge_integer(value)
        end
    end

end