Factor out Apache to its own class

lib/facter/sssd.rb

@@ -1,19 +1,6 @@
 require 'facter/util/sssd'
 
 if defined? Facter::Util::Sssd
-  # == Fact: foreman_ipa
-  Facter.add(:foreman_ipa, :type => :aggregate) do
-    {
-      :default_realm => 'global/realm',
-      :default_server => 'global/server',
-    }.each do |key, path|
-      chunk(key) do
-        val = Facter::Util::Sssd.ipa_value(path)
-        {key => val} if val
-      end
-    end
-  end
-
   # == Fact: foreman_sssd
   Facter.add(:foreman_sssd, :type => :aggregate) do
     {

lib/facter/util/sssd.rb

@@ -11,10 +11,6 @@ def self.aug_value(lens, file, path)
       end
     end
 
-    def self.ipa_value(path)
-      aug_value('Puppet.lns', '/etc/ipa/default.conf', path)
-    end
-
     def self.sssd_value(path)
       val = aug_value('Sssd.lns', '/etc/sssd/sssd.conf', path)
       val.split(',').map(&:strip) if val

manifests/apache.pp

@@ -0,0 +1,82 @@
+# @summary The apache configuration for Foreman
+# @api private
+class foreman::apache {
+  class { 'foreman::config::apache':
+    app_root           => $foreman::app_root,
+    priority           => $foreman::vhost_priority,
+    servername         => $foreman::servername,
+    serveraliases      => $foreman::serveraliases,
+    server_port        => $foreman::server_port,
+    server_ssl_port    => $foreman::server_ssl_port,
+    proxy_backend      => "unix://${foreman::listen_socket}",
+    ssl                => $foreman::ssl,
+    ssl_ca             => $foreman::server_ssl_ca,
+    ssl_chain          => $foreman::server_ssl_chain,
+    ssl_cert           => $foreman::server_ssl_cert,
+    ssl_certs_dir      => $foreman::server_ssl_certs_dir,
+    ssl_key            => $foreman::server_ssl_key,
+    ssl_crl            => $foreman::server_ssl_crl,
+    ssl_protocol       => $foreman::server_ssl_protocol,
+    ssl_verify_client  => $foreman::server_ssl_verify_client,
+    user               => $foreman::user,
+    foreman_url        => $foreman::foreman_url,
+    ipa_authentication => $foreman::ipa_authentication,
+    keycloak           => $foreman::keycloak,
+    keycloak_app_name  => $foreman::keycloak_app_name,
+    keycloak_realm     => $foreman::keycloak_realm,
+  }
+
+  contain foreman::config::apache
+
+  if $foreman::ipa_authentication {
+    if $facts['os']['selinux']['enabled'] {
+      selboolean { ['allow_httpd_mod_auth_pam', 'httpd_dbus_sssd']:
+        persistent => true,
+        value      => 'on',
+      }
+    }
+
+    if $foreman::ipa_manage_sssd {
+      service { 'sssd':
+        ensure  => running,
+        enable  => true,
+        require => Package['sssd-dbus'],
+      }
+    }
+
+    file { "/etc/pam.d/${foreman::pam_service}":
+      ensure  => file,
+      owner   => root,
+      group   => root,
+      mode    => '0644',
+      content => template('foreman/pam_service.erb'),
+    }
+
+    $http_keytab = pick($foreman::http_keytab, "${apache::conf_dir}/http.keytab")
+
+    exec { 'ipa-getkeytab':
+      command => "/bin/echo Get keytab \
+        && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k \
+        && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -k ${http_keytab} -p HTTP/${facts['networking']['fqdn']} \
+        && kdestroy -c KEYRING:session:get-http-service-keytab",
+      creates => $http_keytab,
+    }
+    -> file { $http_keytab:
+      ensure => file,
+      owner  => $apache::user,
+      mode   => '0600',
+    }
+
+    foreman::config::apache::fragment { 'intercept_form_submit':
+      ssl_content => template('foreman/intercept_form_submit.conf.erb'),
+    }
+
+    foreman::config::apache::fragment { 'lookup_identity':
+      ssl_content => template('foreman/lookup_identity.conf.erb'),
+    }
+
+    foreman::config::apache::fragment { 'auth_gssapi':
+      ssl_content => template('foreman/auth_gssapi.conf.erb'),
+    }
+  }
+}

manifests/config.pp

@@ -94,114 +94,10 @@
   }
 
   if $foreman::apache {
-    $listen_socket = '/run/foreman.sock'
-
-    class { 'foreman::config::apache':
-      app_root           => $foreman::app_root,
-      priority           => $foreman::vhost_priority,
-      servername         => $foreman::servername,
-      serveraliases      => $foreman::serveraliases,
-      server_port        => $foreman::server_port,
-      server_ssl_port    => $foreman::server_ssl_port,
-      proxy_backend      => "unix://${listen_socket}",
-      ssl                => $foreman::ssl,
-      ssl_ca             => $foreman::server_ssl_ca,
-      ssl_chain          => $foreman::server_ssl_chain,
-      ssl_cert           => $foreman::server_ssl_cert,
-      ssl_certs_dir      => $foreman::server_ssl_certs_dir,
-      ssl_key            => $foreman::server_ssl_key,
-      ssl_crl            => $foreman::server_ssl_crl,
-      ssl_protocol       => $foreman::server_ssl_protocol,
-      ssl_verify_client  => $foreman::server_ssl_verify_client,
-      user               => $foreman::user,
-      foreman_url        => $foreman::foreman_url,
-      ipa_authentication => $foreman::ipa_authentication,
-      keycloak           => $foreman::keycloak,
-      keycloak_app_name  => $foreman::keycloak_app_name,
-      keycloak_realm     => $foreman::keycloak_realm,
-    }
-
-    contain foreman::config::apache
-
     $foreman_socket_override = template('foreman/foreman.socket-overrides.erb')
 
     if $foreman::ipa_authentication {
-      unless fact('foreman_ipa.default_server') {
-        fail("${facts['networking']['hostname']}: The system does not seem to be IPA-enrolled")
-      }
-
-      if $facts['os']['selinux']['enabled'] {
-        selboolean { ['allow_httpd_mod_auth_pam', 'httpd_dbus_sssd']:
-          persistent => true,
-          value      => 'on',
-        }
-      }
-
-      if $foreman::ipa_manage_sssd {
-        service { 'sssd':
-          ensure  => running,
-          enable  => true,
-          require => Package['sssd-dbus'],
-        }
-      }
-
-      file { "/etc/pam.d/${foreman::pam_service}":
-        ensure  => file,
-        owner   => root,
-        group   => root,
-        mode    => '0644',
-        content => template('foreman/pam_service.erb'),
-      }
-
-      $http_keytab = pick($foreman::http_keytab, "${apache::conf_dir}/http.keytab")
-
-      exec { 'ipa-getkeytab':
-        command => "/bin/echo Get keytab \
-          && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k \
-          && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s ${facts['foreman_ipa']['default_server']} -k ${http_keytab} -p HTTP/${facts['networking']['fqdn']} \
-          && kdestroy -c KEYRING:session:get-http-service-keytab",
-        creates => $http_keytab,
-      }
-      -> file { $http_keytab:
-        ensure => file,
-        owner  => $apache::user,
-        mode   => '0600',
-      }
-
-      foreman::config::apache::fragment { 'intercept_form_submit':
-        ssl_content => template('foreman/intercept_form_submit.conf.erb'),
-      }
-
-      foreman::config::apache::fragment { 'lookup_identity':
-        ssl_content => template('foreman/lookup_identity.conf.erb'),
-      }
-
-      foreman::config::apache::fragment { 'auth_gssapi':
-        ssl_content => template('foreman/auth_gssapi.conf.erb'),
-      }
-
-
-      if $foreman::ipa_manage_sssd {
-        $sssd = $facts['foreman_sssd']
-        $sssd_services = join(unique(pick($sssd['services'], []) + ['ifp']), ', ')
-        $sssd_ldap_user_extra_attrs = join(unique(pick($sssd['ldap_user_extra_attrs'], []) + ['email:mail', 'lastname:sn', 'firstname:givenname']), ', ')
-        $sssd_allowed_uids = join(unique(pick($sssd['allowed_uids'], []) + [$apache::user, 'root']), ', ')
-        $sssd_user_attributes = join(unique(pick($sssd['user_attributes'], []) + ['+email', '+firstname', '+lastname']), ', ')
-
-        augeas { 'sssd-ifp-extra-attributes':
-          context => '/files/etc/sssd/sssd.conf',
-          changes => [
-            "set target[.=~regexp('domain/.*')]/ldap_user_extra_attrs '${sssd_ldap_user_extra_attrs}'",
-            "set target[.='sssd']/services '${sssd_services}'",
-            'set target[.=\'ifp\'] \'ifp\'',
-            "set target[.='ifp']/allowed_uids '${sssd_allowed_uids}'",
-            "set target[.='ifp']/user_attributes '${sssd_user_attributes}'",
-          ],
-          notify  => Service['sssd'],
-        }
-      }
-
-      concat::fragment {'foreman_settings+02-authorize_login_delegation.yaml':
+      concat::fragment { 'foreman_settings+02-authorize_login_delegation.yaml':
         target  => '/etc/foreman/settings.yaml',
         content => template('foreman/settings-external-auth.yaml.erb'),
         order   => '02',

manifests/init.pp

@@ -312,19 +312,28 @@
     timeout => 0,
   }
 
+  $listen_socket = '/run/foreman.sock'
+
   include foreman::install
   include foreman::config
   include foreman::database
-  contain foreman::service
+  include foreman::service
+
+  anchor { 'foreman::running': # lint:ignore:anchor_resource
+  }
 
   Anchor <| title == 'foreman::repo' |> ~> Class['foreman::install']
   Class['foreman::install'] ~> Class['foreman::config', 'foreman::service']
   Class['foreman::config'] ~> Class['foreman::database', 'foreman::service']
   Class['foreman::database'] ~> Class['foreman::service']
-  Class['foreman::service'] -> Foreman_smartproxy <| base_url == $foreman_url |>
+  Class['foreman::service'] -> Anchor['foreman::running']
+  Anchor['foreman::running'] -> Foreman_smartproxy <| base_url == $foreman_url |>
 
   if $apache {
-    Class['foreman::database'] -> Class['apache::service']
+    include foreman::apache
+
+    Class['foreman::config', 'foreman::database'] -> Class['foreman::apache']
+    Class['foreman::apache', 'apache::service'] -> Anchor['foreman::running']
     if $ipa_authentication and $keycloak {
       fail("${facts['networking']['hostname']}: External authentication via IPA and Keycloak are mutually exclusive.")
     }
@@ -334,6 +343,15 @@
     fail("${facts['networking']['hostname']}: External authentication via Keycloak can only be enabled when Apache is used.")
   }
 
+  # Ensure SSL certs from the puppetmaster are available
+  # Relationship is duplicated there as defined() is parse-order dependent
+  if $ssl and defined(Class['puppet::server::config']) {
+    Class['puppet::server::config'] -> Class['foreman::service']
+    if $apache {
+      Class['puppet::server::config'] -> Class['foreman::apache']
+    }
+  }
+
   # Anchor these separately so as not to break
   # the notify between main classes
   Class['foreman::install']

manifests/service.pp

@@ -25,16 +25,6 @@
     }
   }
 
-  if $apache {
-    Class['apache::service'] -> Class['foreman::service']
-
-    # Ensure SSL certs from the puppetmaster are available
-    # Relationship is duplicated there as defined() is parse-order dependent
-    if $ssl and defined(Class['puppet::server::config']) {
-      Class['puppet::server::config'] -> Class['foreman::service']
-    }
-  }
-
   service { "${foreman_service}.socket":
     ensure => $foreman_service_ensure,
     enable => $foreman_service_enable,

spec/classes/foreman_config_ipa_spec.rb

@@ -16,23 +16,9 @@
       context 'with apache' do
         let(:params) { super().merge(apache: true) }
 
-        describe 'not IPA-enrolled system' do
-          describe 'ipa_server fact missing' do
-            it { should raise_error(Puppet::Error, /The system does not seem to be IPA-enrolled/) }
-          end
-
-          describe 'default_ipa_realm fact missing' do
-            it { should raise_error(Puppet::Error, /The system does not seem to be IPA-enrolled/) }
-          end
-        end
-
         describe 'enrolled system' do
           let(:facts) do
             super().merge(
-              foreman_ipa: {
-                default_server: 'ipa.example.com',
-                default_realm: 'REALM'
-              },
               foreman_sssd: {
                 services: ['ifp']
               }

templates/foreman.socket-overrides.erb

@@ -1,5 +1,5 @@
 [Socket]
 ListenStream=
-ListenStream=<%= @listen_socket %>
+ListenStream=<%= scope['foreman::listen_socket'] %>
 SocketUser=<%= scope['apache::user'] %>
 SocketMode=0600