diff --git a/.fixtures.yml b/.fixtures.yml index 63f3809..839ed5f 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -2,6 +2,8 @@ fixtures: repositories: stdlib: repo: "git://github.com/puppetlabs/puppetlabs-stdlib" - ref: "4.3.2" + ref: "a656880f13cc13a30baa892dcc4c8e3efefcc867" + reboot: "git://github.com/puppetlabs/puppetlabs-reboot" + powershell: "git://github.com/puppetlabs/puppetlabs-powershell" symlinks: domain_membership: "#{source_dir}" diff --git a/.gitignore b/.gitignore index 56efb9c..22ce31f 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,4 @@ /vendor/ /convert_report.txt .DS_Store +.vendor diff --git a/tests/init.pp b/examples/init.pp similarity index 100% rename from tests/init.pp rename to examples/init.pp diff --git a/manifests/init.pp b/manifests/init.pp index f59d871..3d217df 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -50,50 +50,32 @@ # Copyright 2013 Thomas Linkin, unless otherwise noted. # class domain_membership ( - $domain, - $username, - $password, - $secure_password = false, - $machine_ou = undef, - $resetpw = true, - $reboot = true, - $reboot_apply = 'finished', - $join_options = '1', - $user_domain = undef, + Stdlib::Fqdn $domain, + String $username, + Variant[String,Sensitive] $password, + Optional[Stdlib::Fqdn] $user_domain = undef, + Boolean $secure_password = false, + String $machine_ou = '$null', + Boolean $resetpw = true, + Boolean $reboot = true, + Enum['immediately', 'finished'] $reboot_apply = 'finished', + Pattern[/\d+/] $join_options = '1', ){ - # Validate Parameters - validate_string($username) - validate_string($password) - validate_bool($resetpw) - validate_re($join_options, '\d+', 'join_options parameter must be a number.') - validate_re($reboot_apply, 'immediately|finished', 'reboot_apply only accepts "immediately" or "finished"') - unless is_domain_name($domain) { - fail('Class[domain_membership] domain parameter must be a valid rfc1035 domain name') + $this_password = ($password =~ Sensitive) ? { + true => $password, + false => Sensitive($password) } # Use Either a "Secure String" password or an unencrypted password if $secure_password { - $_password = "(New-Object System.Management.Automation.PSCredential('user',(convertto-securestring '${password}'))).GetNetworkCredential().password" + $_password = ("(New-Object System.Management.Automation.PSCredential('user',(convertto-securestring '${this_password}'))).GetNetworkCredential().password") }else{ - $_password = "'${password}'" - } - - # Allow an optional OU location for the creation of the machine - # account to be specified. If unset, we use the powershell representation - # of nil, which is the `$null` variable. - if $machine_ou { - validate_string($machine_ou) - $_machine_ou = "'${machine_ou}'" - }else{ - $_machine_ou = '$null' + $_password = "'${this_password}'" } # Allow an optional user_domain to accomodate multi-domain AD forests if $user_domain { - unless is_domain_name($user_domain) { - fail('Class[domain_membership] user_domain parameter must be a valid rfc1035 domain name') - } $_user_domain = $user_domain $_reset_username = "${user_domain}\\${username}" } else { @@ -101,22 +83,20 @@ $_reset_username = $username } - # Since the powershell command is combersome, we'll construct it here for clarity... well, almost clarity - # - $command = "(Get-WmiObject -Class Win32_ComputerSystem).JoinDomainOrWorkGroup('${domain}',${_password},'${username}@${_user_domain}',${_machine_ou},${join_options})" - exec { 'join_domain': - command => "exit ${command}.ReturnValue", - unless => "if((Get-WmiObject -Class Win32_ComputerSystem).domain -ne '${domain}'){ exit 1 }", - provider => powershell, + environment => [ "Password=${_password}" ], + command => "exit (Get-WmiObject -Class Win32_ComputerSystem).JoinDomainOrWorkGroup('${domain}',\$Password,'${username}@${_user_domain}',${machine_ou},${join_options}).ReturnValue", + unless => "if((Get-WmiObject -Class Win32_ComputerSystem).domain -ne '${domain}'){ exit 1 }", + provider => powershell, } if $resetpw { exec { 'reset_computer_trust': - command => "netdom /RESETPWD /UserD:${_reset_username} /PasswordD:${_password} /Server:${domain}", - unless => "if ($(nltest /sc_verify:${domain}) -match 'ERROR_INVALID_PASSWORD') {exit 1}", - provider => powershell, - require => Exec['join_domain'], + environment => [ "Password=${_password}" ], + command => "netdom /RESETPWD /UserD:${_reset_username} /PasswordD:\$Password /Server:${domain}", + unless => "if ($(nltest /sc_verify:${domain}) -match 'ERROR_INVALID_PASSWORD') {exit 1}", + provider => powershell, + require => Exec['join_domain'], } } diff --git a/metadata.json b/metadata.json index 24ae427..2c46fa3 100644 --- a/metadata.json +++ b/metadata.json @@ -13,7 +13,7 @@ }, { "name": "puppetlabs/stdlib", - "version_requirement": ">= 4.1.0" + "version_requirement": ">= 4.25.0" }, { "name": "puppetlabs/reboot", diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb new file mode 100644 index 0000000..0b5ecb2 --- /dev/null +++ b/spec/classes/init_spec.rb @@ -0,0 +1,22 @@ +require 'spec_helper' +require 'puppetlabs_spec_helper/module_spec_helper' + +describe 'domain_membership' do + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) { facts } + + context 'with insecure password passed' do + let(:params) do + { + domain: 'test.domain', + username: 'testuser', + password: 'password1', + } + end + + it { is_expected.to compile.with_all_deps } + end + end + end +end