simp · greatflyingsteve · Aug 3, 2022 · Aug 12, 2022
diff --git a/README.md b/README.md
@@ -31,7 +31,7 @@ To configure a Compile Master (or other node) to function as both a server
 and a client (of the primary server), setup hiera for the node:
 
 ```
-rsync::server::global::port: 8873
+rsync::server::listen_port: 8873
 rsync::server::trusted_nets:
   - <client_net>
   - <client_net>

diff --git a/manifests/server.pp b/manifests/server.pp
@@ -16,6 +16,9 @@
 # @param stunnel_port
 #   The port upon which Stunnel should listen for connections.
 #
+# @param listen_port
+#   The port upon which the rsync daemon should listen for connections.
+#
 # @param listen_address
 #   The IP Address upon which to listen. Set to 0.0.0.0 to listen on all
 #   addresses.
@@ -33,6 +36,9 @@
 #   A list of networks and/or hostnames that are allowed to connect to this
 #   service.
 #
+# @param tcpwrappers
+#   Use tcpwrappers to secure the rsync service
+#
 # @param package_ensure
 #   The ensure status of the package to be managed
 #
@@ -44,43 +50,59 @@
 class rsync::server (
   Boolean          $stunnel            = simplib::lookup('simp_options::stunnel', { default_value => true }),
   Simplib::Port    $stunnel_port       = 8730,
+  Simplib::Port    $listen_port        = 873,
   Simplib::IP      $listen_address     = '0.0.0.0',
   Boolean          $drop_rsyslog_noise = true,
   Boolean          $firewall           = simplib::lookup('simp_options::firewall', { default_value => false }),
   Simplib::Netlist $trusted_nets       = simplib::lookup('simp_options::trusted_nets', { default_value => ['127.0.0.1'] }),
+  Boolean          $tcpwrappers        = simplib::lookup('simp_options::tcpwrappers', { default_value => false }),
   String           $package_ensure     = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),
-  String           $package            # module data
+  String           $package,           # module data
 ) {
   include '::rsync'
-  include '::rsync::server::global'
 
   # ensure_resource instead of package resource, because for some OS versions,
   # the client package managed by the rsync class also contains the rsync
   # daemon files.
   ensure_resource('package', $package , { ensure => $package_ensure })
 
-  $_subscribe  = $stunnel ? {
-    true    => Service['stunnel'],
-    default => undef
-  }
-
   if $stunnel {
+    class { '::rsync::server::global':
+      port    => $listen_port,
+    }
+
     include '::stunnel'
 
     stunnel::connection { 'rsync_server':
-      connect      => [$::rsync::server::global::port],
+      connect      => [$listen_port],
       accept       => "${listen_address}:${stunnel_port}",
       client       => false,
-      trusted_nets => $trusted_nets
+      trusted_nets => $trusted_nets,
+      notify       => Service['rsyncd'],
     }
+
+    $_tcp_wrappers_name = 'rsync_server'
   } else {
+    class { '::rsync::server::global':
+      port    => $listen_port,
+      address => $listen_address,
+    }
+
     if $firewall {
       iptables::listen::tcp_stateful { 'allow_rsync_server':
         order        => 11,
         trusted_nets => $trusted_nets,
-        dports       => [$::rsync::server::global::port],
+        dports       => [$listen_port],
       }
     }
+
+    $_tcp_wrappers_name = 'rsync'
+  }
+
+  if $tcpwrappers {
+    include '::tcpwrappers'
+
+    tcpwrappers::allow { $_tcp_wrappers_name: pattern => $trusted_nets }
   }
 
   concat { '/etc/rsyncd.conf':
@@ -100,7 +122,6 @@
       hasstatus  => true,
       hasrestart => true,
       require    => Package[$package],
-      subscribe  => $_subscribe
     }
   }
   else {
@@ -119,7 +140,6 @@
       hasrestart => true,
       require    => Package[$package],
       provider   => 'redhat',
-      subscribe  => $_subscribe
     }
     File['/etc/init.d/rsyncd'] ~> Service['rsyncd']
   }

diff --git a/manifests/server/global.pp b/manifests/server/global.pp
@@ -2,6 +2,9 @@
 #
 # See ``rsyncd.conf(5)`` for details of parameters not listed below.
 #
+# @param port
+#   The port upon which to listen for client connections
+#
 # @param motd_file
 #   The path to the default MOTD file that should be displayed upon connection
 #
@@ -11,47 +14,22 @@
 # @param syslog_facility
 #   A valid syslog ``facility`` to use for logging
 #
-# @param port
-#   The port upon which to listen for client connections
-#
 # @param address
 #   The IP address upon which to listen for connections
 #
 #   * Leave this at ``127.0.0.1`` if using stunnel
 #
-# @param trusted_nets
-#   The networks to allow to connect to this service
-#
-#
-# @param tcpwrappers
-#   Use tcpwrappers to secure the rsync service
-#
 # @author Trevor Vaughan <[email protected]>
 #
 class rsync::server::global (
+  Simplib::Port                  $port,
   Optional[Stdlib::Absolutepath] $motd_file       = undef,
   Stdlib::Absolutepath           $pid_file        = '/var/run/rsyncd.pid',
   String                         $syslog_facility = 'daemon',
-  Simplib::Port                  $port            = 873,
   Simplib::IP                    $address         = '127.0.0.1',
-  Simplib::Netlist               $trusted_nets    = simplib::lookup('simp_options::trusted_nets', { default_value => ['127.0.0.1'] }),
-  Boolean                        $tcpwrappers     = simplib::lookup('simp_options::tcpwrappers', { default_value => false })
 ) {
   assert_private()
 
-  include '::rsync::server'
-
-  if $tcpwrappers {
-    include '::tcpwrappers'
-
-    $_tcp_wrappers_name = $::rsync::server::stunnel ? {
-      true    => 'rsync_server',
-      default => 'rsync',
-    }
-
-    tcpwrappers::allow { $_tcp_wrappers_name: pattern => $trusted_nets }
-  }
-
   if $facts['selinux_current_mode'] and $facts['selinux_current_mode'] != 'disabled' {
     vox_selinux::port { "allow_rsync_port_${port}":
       ensure   => 'present',

diff --git a/spec/acceptance/suites/default/10_server_client_spec.rb b/spec/acceptance/suites/default/10_server_client_spec.rb
@@ -80,24 +80,20 @@
         }
 
         let(:hieradata_server1) {{
-          'iptables::precise_match'             => true,
-          'simp_options::pki'                   => false,
-          'simp_options::firewall'              => true,
-          'rsync::server::stunnel'              => false,
-          'rsync::server::trusted_nets'         => [server2_ip],
-          'rsync::server::global::trusted_nets' => [server2_ip],
-          'rsync::server::global::address'      => '0.0.0.0',
+          'iptables::precise_match'     => true,
+          'simp_options::pki'           => false,
+          'simp_options::firewall'      => true,
+          'rsync::server::stunnel'      => false,
+          'rsync::server::trusted_nets' => [server2_ip],
         }}
 
         let(:hieradata_server2) {{
-          'iptables::precise_match'             => true,
-          'simp_options::pki'                   => false,
-          'simp_options::firewall'              => true,
-          'rsync::server::stunnel'              => false,
-          'rsync::server::global::port'         => 8873,
-          'rsync::server::trusted_nets'         => [server1_ip],
-          'rsync::server::global::trusted_nets' => [server1_ip],
-          'rsync::server::global::address'      => '0.0.0.0',
+          'iptables::precise_match'     => true,
+          'simp_options::pki'           => false,
+          'simp_options::firewall'      => true,
+          'rsync::server::stunnel'      => false,
+          'rsync::server::listen_port'  => 8873,
+          'rsync::server::trusted_nets' => [server1_ip],
         }}
 
         let(:server1_interface) { get_private_network_interface(server1) }

diff --git a/spec/acceptance/suites/default/20_server_client_stunnel_spec.rb b/spec/acceptance/suites/default/20_server_client_stunnel_spec.rb
@@ -141,7 +141,7 @@
           'simp_options::pki::source'   => '/etc/pki/simp-testing/pki',
           'simp_options::firewall'      => true,
           'rsync::server::stunnel'      => true,
-          'rsync::server::global::port' => 8873,
+          'rsync::server::listen_port'  => 8873,
           'rsync::server::trusted_nets' => [server1_ip],
         }}
 

diff --git a/spec/classes/server/global_spec.rb b/spec/classes/server/global_spec.rb
@@ -10,21 +10,11 @@
   context 'supported operating systems' do
     on_supported_os.each do |os, os_facts|
       let(:facts) { os_facts }
+      let(:params) { { 'port' => 873 } }
 
       context "on #{os}" do
         it { is_expected.to compile.with_all_deps }
         it { is_expected.to create_concat__fragment('rsync_global').with_content(/address = 127.0.0.1/) }
-        it { is_expected.to_not create_tcpwrappers__allow('rsync') }
-
-        context 'with tcpwrappers' do
-          let(:params) {{
-            :tcpwrappers => true
-          }}
-
-          it { is_expected.to compile.with_all_deps }
-          it { is_expected.to create_concat__fragment('rsync_global').with_content(/address = 127.0.0.1/) }
-          it { is_expected.to create_tcpwrappers__allow('rsync_server') }
-        end
       end
     end
   end

diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb
@@ -4,22 +4,37 @@
   context 'supported operating systems' do
     on_supported_os.each do |os, os_facts|
       let(:facts) { os_facts }
+      let(:params) { { tcpwrappers: false } }
 
       context "on #{os}" do
         it { is_expected.to compile.with_all_deps }
 
         it { is_expected.to create_class('rsync') }
         it { is_expected.to create_class('stunnel') }
+        it { is_expected.to create_stunnel__connection('rsync_server').that_notifies('Service[rsyncd]') }
         it { is_expected.to create_concat('/etc/rsyncd.conf').that_notifies('Service[rsyncd]') }
-        it { is_expected.to create_service('rsyncd').that_subscribes_to('Service[stunnel]') }
+        it { is_expected.to create_service('rsyncd').that_subscribes_to('Stunnel::Connection[rsync_server]') }
+        it { is_expected.to_not create_tcpwrappers__allow('rsync_server') }
+        context 'with tcpwrappers' do
+          let(:params) { super().merge(tcpwrappers: true) }
+
+          it { is_expected.to create_tcpwrappers__allow('rsync_server') }
+        end
 
         context 'no_stunnel' do
-          let(:params){{ :stunnel => false }}
+          let(:params) { super().merge(stunnel: false) }
 
           it { is_expected.to compile.with_all_deps }
           it { is_expected.to create_concat('/etc/rsyncd.conf').that_notifies('Service[rsyncd]') }
           it { is_expected.to create_service('rsyncd') }
           it { is_expected.to create_service('rsyncd').without_subscribes }
+          it { is_expected.to_not create_class('stunnel') }
+          it { is_expected.to_not create_tcpwrappers__allow('rsync') }
+          context 'with tcpwrappers' do
+            let(:params) { super().merge(tcpwrappers: true) }
+
+            it { is_expected.to create_tcpwrappers__allow('rsync') }
+          end
         end
       end
     end