djjudas21 · wolfaba · Nov 10, 2023 · Nov 10, 2023 · Nov 10, 2023 · Nov 10, 2023
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,9 +1,8 @@
 name: Build and publish to Puppet Forge
 
 on:
- push:
-  tags:
-      - v[0-9]+.[0-9]+.[0-9]+
+  release:
+    types: [published]
 
 jobs:
   build:
@@ -17,7 +16,7 @@ jobs:
       with:
         ref: ${{ steps.vars.outputs.tag }}
     - name: Build and publish module
-      uses: barnumbirr/action-forge-publish@v2
+      uses: barnumbirr/action-forge-publish@v2.15.0
       env:
        FORGE_API_KEY: ${{ secrets.FORGE_API_KEY }}
        REPOSITORY_URL: https://forgeapi.puppet.com/v3/releases
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,7 @@
 ## Changelog
 
+Please refer to the [GitHub releases page](https://github.com/djjudas21/puppet-freeradius/releases) for the changelog for 4.0.0 and onwards
+
 ### 3.9.2
   * Bugfix: Restart FreeRADIUS after any huntgroups modification
 

diff --git a/README.md b/README.md
@@ -138,6 +138,9 @@ Add a syslog rule (using the `saz/rsyslog` module). Default: `false`.
 ##### `log_auth`
 Log authentication requests (yes/no). Default: `no`.
 
+##### `allow_vulnerable_openssl`
+Allow the server to start with versions of OpenSSL known to have critical vulnerabilities. (yes/no). Default: `yes`.
+
 ##### `package_ensure`
 Choose whether the package is just installed and left (`installed`), or updated every Puppet run (`latest`). Default: `installed`
 

diff --git a/manifests/client.pp b/manifests/client.pp
@@ -61,17 +61,18 @@
     if $port {
       if $ip {
         firewall { "100 ${name} ${port_description} v4":
-          proto  => 'udp',
-          dport  => $port,
-          action => 'accept',
-          source => $ip,
+          proto    => 'udp',
+          dport    => $port,
+          jump     => 'ACCEPT',
+          protocol => 'IPv4',
+          source   => $ip,
         }
       } elsif $ip6 {
         firewall { "100 ${name} ${port_description} v6":
           proto    => 'udp',
           dport    => $port,
-          action   => 'accept',
-          provider => 'ip6tables',
+          jump     => 'ACCEPT',
+          protocol => 'IPv6',
           source   => $ip6,
         }
       }

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -17,11 +17,17 @@
   Boolean $syslog                                              = false,
   String $syslog_facility                                      = 'daemon',
   Freeradius::Boolean $log_auth                                = 'no',
+  Freeradius::Boolean $allow_vulnerable_openssl                = 'yes',
   Boolean $preserve_mods                                       = true,
   Boolean $correct_escapes                                     = true,
   Boolean $manage_logpath                                      = true,
+  Boolean $manage_logrotate                                    = $freeradius::params::manage_logrotate,
   Optional[String] $package_ensure                             = 'installed',
   String $radacctdir                                           = $freeradius::params::radacctdir,
+  String $snmp_traps_enable                                    = 'disable',
+  String $snmp_traps_community                                 = 'public',
+  String $snmp_traps_dest                                      = '127.0.0.1',
+  Array $snmp_traps_list                                       = [],
 ) inherits freeradius::params {
   if $freeradius::fr_version !~ /^3/ {
     notify { 'This module is only compatible with FreeRADIUS 3.': }
@@ -157,7 +163,45 @@
       preserve => true,
     }
   }
-
+  if empty($snmp_traps_list) {
+    $snmp_traps = [
+      'server_start',
+      'server_stop',
+      'server_max_requests',
+      'server_client_add',
+      'server_signal_hup',
+      'server_signal_term',
+      'server_thread_start',
+      'server_thread_stop',
+      'server_thread_Unresponsive',
+      'server_thread_max_threads',
+      'home_server_alive',
+      'home_server_zombie',
+      'home_server_dead',
+      'home_server_pool_normal',
+      'home_server_pool_fallback',
+      'server_files_module_hup',
+      'server_ldap_module_connection_up',
+      'server_ldap_module_connection_down',
+      'server_ldap_module_hup',
+      'server_sql_module_connection_up',
+      'server_sql_module_connection_close',
+      'server_sql_module_connection_fail',
+      'server_sql_module_hup',
+    ]
+  } else {
+    $snmp_traps = $snmp_traps_list
+  }
+  # Add trigger.conf snmp trap configuration 
+  file { "${freeradius::fr_basepath}/trigger.conf":
+    ensure  => file,
+    mode    => '0640',
+    owner   => 'root',
+    group   => $freeradius::fr_group,
+    content => template('freeradius/trigger.conf.erb'),
+    require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]],
+    notify  => Service['radiusd'],
+  }
   # Set up concat policy file, as there is only one global policy
   # We also add standard header and footer
   concat { 'freeradius policy.conf':
@@ -428,37 +472,39 @@
     }
   }
 
-  logrotate::rule { 'radacct':
-    path          => "${freeradius::fr_logpath}/radacct/*/*.log",
-    rotate_every  => 'day',
-    rotate        => 7,
-    create        => false,
-    missingok     => true,
-    compress      => true,
-    postrotate    => "kill -HUP `cat ${freeradius::fr_pidfile}`",
-    sharedscripts => true,
-  }
-
-  logrotate::rule { 'checkrad':
-    path          => "${freeradius::fr_logpath}/checkrad.log",
-    rotate_every  => 'week',
-    rotate        => 1,
-    create        => true,
-    missingok     => true,
-    compress      => true,
-    postrotate    => "kill -HUP `cat ${freeradius::fr_pidfile}`",
-    sharedscripts => true,
-  }
-
-  logrotate::rule { 'radiusd':
-    path          => "${freeradius::fr_logpath}/radius*.log",
-    rotate_every  => 'week',
-    rotate        => 26,
-    create        => true,
-    missingok     => true,
-    compress      => true,
-    postrotate    => "kill -HUP `cat ${freeradius::fr_pidfile}`",
-    sharedscripts => true,
+  if $manage_logrotate {
+    logrotate::rule { 'radacct':
+      path          => "${freeradius::fr_logpath}/radacct/*/*.log",
+      rotate_every  => 'day',
+      rotate        => 7,
+      create        => false,
+      missingok     => true,
+      compress      => true,
+      postrotate    => "kill -HUP `cat ${freeradius::fr_pidfile}`",
+      sharedscripts => true,
+    }
+
+    logrotate::rule { 'checkrad':
+      path          => "${freeradius::fr_logpath}/checkrad.log",
+      rotate_every  => 'week',
+      rotate        => 1,
+      create        => true,
+      missingok     => true,
+      compress      => true,
+      postrotate    => "kill -HUP `cat ${freeradius::fr_pidfile}`",
+      sharedscripts => true,
+    }
+
+    logrotate::rule { 'radiusd':
+      path          => "${freeradius::fr_logpath}/radius*.log",
+      rotate_every  => 'week',
+      rotate        => 26,
+      create        => true,
+      missingok     => true,
+      compress      => true,
+      postrotate    => "kill -HUP `cat ${freeradius::fr_pidfile}`",
+      sharedscripts => true,
+    }
   }
 
   # Placeholder resource for dh and random as they are dynamically generated, so they

diff --git a/manifests/listen.pp b/manifests/listen.pp
@@ -1,30 +1,21 @@
 # == Define freeradius::listen
 #
 define freeradius::listen (
-  Freeradius::Ensure $ensure                                = 'present',
-  Enum['auth','acct','proxy','detail','status','coa'] $type = 'auth',
-  Optional[String] $ip                                      = undef,
-  Optional[String] $ip6                                     = undef,
-  Integer $port                                             = 0,
-  Optional[String] $interface                               = undef,
-  Optional[String] $virtual_server                          = undef,
-  Array[String] $clients                                    = [],
-  Integer $max_connections                                  = 16,
-  Integer $lifetime                                         = 0,
-  Integer $idle_timeout                                     = 30,
+  Freeradius::Ensure $ensure                                 = 'present',
+  Enum['auth','acct','proxy','detail','status','coa'] $type  = 'auth',
+  Optional[Variant[Stdlib::IP::Address::V4, Enum['*']]] $ip  = undef,
+  Optional[Variant[Stdlib::IP::Address::V6, Enum['*']]] $ip6 = undef,
+  Integer $port                                              = 0,
+  Optional[String] $interface                                = undef,
+  Optional[String] $virtual_server                           = undef,
+  Array[String] $clients                                     = [],
+  Integer $max_connections                                   = 16,
+  Integer $lifetime                                          = 0,
+  Integer $idle_timeout                                      = 30,
 ) {
   $fr_basepath = $::freeradius::params::fr_basepath
   $fr_group    = $::freeradius::params::fr_group
 
-  # Parameter validation
-  if $ip and $ip != '*' and !is_ip_address($ip) {
-    fail('ip must be a valid IP address or \'*\'')
-  }
-
-  if $ip6 and $ip6 != '::' and !is_ip_address($ip6) {
-    fail('ip6 must be a valid IP address or \'::\'')
-  }
-
   if $ip and $ip6 {
     fail('Only one of ip or ip6 can be used')
   }

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -188,4 +188,9 @@
 
   # Default radsniff pid file location
   $fr_radsniff_pidfile = "/var/run/${fr_service}/radsniff.pid"
+
+  $manage_logrotate = $::osfamily ? {
+    'Debian' => false,
+    default  => true,
+  }
 }
diff --git a/manifests/site.pp b/manifests/site.pp
@@ -43,6 +43,6 @@
   file { "freeradius sites-enabled/${name}":
     ensure => $ensure_link,
     path   => "${fr_basepath}/sites-enabled/${name}",
-    target => "${fr_basepath}/sites-available/${name}",
+    target => "../sites-available/${name}",
   }
 }
diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "jgazeley-freeradius",
-  "version": "3.9.2",
+  "version": "4.0.0",
   "author": "jgazeley",
   "summary": "Install and configure FreeRADIUS",
   "license": "Apache-2.0",
@@ -10,11 +10,11 @@
   "dependencies": [
     {
       "name": "puppetlabs/stdlib",
-      "version_requirement": ">=4.25.0 <10.0.0"
+      "version_requirement": ">=5.0.0 <10.0.0"
     },
     {
       "name": "puppetlabs/firewall",
-      "version_requirement": ">=1.0.0 <7.0.0"
+      "version_requirement": ">=7.0.0 <9.0.0"
     },
     {
       "name": "saz/rsyslog",

diff --git a/spec/defines/client_spec.rb b/spec/defines/client_spec.rb
@@ -85,8 +85,9 @@
         is_expected.to contain_firewall('100 test 1234 v4')
           .with_proto('udp')
           .with_dport(1234)
-          .with_action('accept')
+          .with_jump('ACCEPT')
           .with_source('1.2.3.4')
+          .with_protocol('IPv4')
       end
 
       context 'with ipv6' do
@@ -102,9 +103,9 @@
           is_expected.to contain_firewall('100 test 1234 v6')
             .with_proto('udp')
             .with_dport(1234)
-            .with_action('accept')
+            .with_jump('ACCEPT')
             .with_source('2001:db8::100')
-            .with_provider('ip6tables')
+            .with_protocol('IPv6')
         end
       end
     end
@@ -120,7 +121,7 @@
         is_expected.to contain_firewall('100 test 1234,4321 v4')
           .with_proto('udp')
           .with_dport([1234, 4321])
-          .with_action('accept')
+          .with_jump('ACCEPT')
           .with_source('1.2.3.4')
       end
 
@@ -137,9 +138,9 @@
           is_expected.to contain_firewall('100 test 1234,4321 v6')
             .with_proto('udp')
             .with_dport([1234, 4321])
-            .with_action('accept')
+            .with_jump('ACCEPT')
             .with_source('2001:db8::100')
-            .with_provider('ip6tables')
+            .with_protocol('IPv6')
         end
       end
     end

diff --git a/spec/defines/site_spec.rb b/spec/defines/site_spec.rb
@@ -29,6 +29,6 @@
     is_expected.to contain_file('freeradius sites-enabled/test')
       .with_path('/etc/raddb/sites-enabled/test')
       .with_ensure('link')
-      .with_target('/etc/raddb/sites-available/test')
+      .with_target('../sites-available/test')
   end
 end
diff --git a/templates/radiusd.conf.erb b/templates/radiusd.conf.erb
@@ -574,7 +574,7 @@ security {
 	#  and may not reflect patches applied to libssl by
 	#  distribution maintainers.
 	#
-	allow_vulnerable_openssl = yes
+  allow_vulnerable_openssl = <%= @allow_vulnerable_openssl%>
 }
 
 # PROXY CONFIGURATION