Refactor to use osfamily instead of operatingsystem

The notion of operatingsystem should be abstracted for most usages by
using osfamily (which gives windows, RedHat and Debian that I know of -
not sure about MacOS).

Some specific log files were missing from the default configuration for
mail filters.

.travis.yml

@@ -1,22 +1,33 @@
+---
 language: ruby
 rvm:
   - 1.8.7
   - 1.9.3
-script:
-  - "rake spec SPEC_OPTS='--format documentation'"
+  - 2.0.0
+script: "bundle exec rake spec SPEC_OPTS='--format documentation' && bundle exec rake test"
+branches:
+  only:
+    master
 env:
-  - PUPPET_VERSION="~> 2.6.0"
-  - PUPPET_VERSION="~> 2.7.0"
-  - PUPPET_VERSION="~> 3.0.0"
-  - PUPPET_VERSION="~> 3.1.0"
+  matrix:
+    - PUPPET_GEM_VERSION="~> 2.7.0"
+    - PUPPET_GEM_VERSION="~> 3.0.0"
+    - PUPPET_GEM_VERSION="~> 3.1.0"
+    - PUPPET_GEM_VERSION="~> 3.2.0"
 matrix:
+  allow_failures:
+    # - rvm: ruby-head
   exclude:
+    - rvm: 1.8.7
+      env: PUPPET_GEM_VERSION="~> 2.7.0"
     - rvm: 1.9.3
-      env: PUPPET_VERSION="~> 2.6.0"
-      gemfile: .gemfile
-    - rvm: 1.9.3
-      env: PUPPET_VERSION="~> 2.7.0"
-      gemfile: .gemfile
+      env: PUPPET_GEM_VERSION="~> 2.7.0"
+    - rvm: 2.0.0
+      env: PUPPET_GEM_VERSION="~> 2.7.0"
+    - rvm: 2.0.0
+      env: PUPPET_GEM_VERSION="~> 3.0.0"
+    - rvm: 2.0.0
+      env: PUPPET_GEM_VERSION="~> 3.1.0"
 gemfile: .gemfile
 notifications:
   email:

Modulefile

@@ -1,5 +1,5 @@
 name    'netmanagers-fail2ban'
-version '1.2.0'
+version '1.4.0'
 author  'Javier Bertoli'
 license 'Apache2'
 project_page 'http://www.netmanagers.com.ar'

Rakefile

@@ -1,5 +1,41 @@
-require 'rubygems'
 require 'puppetlabs_spec_helper/rake_tasks'
 require 'puppet-lint/tasks/puppet-lint'
-PuppetLint.configuration.send('disable_80chars')
+require 'puppet-syntax/tasks/puppet-syntax'
+
+# These two gems aren't always present, for instance
+# on Travis with --without development
+begin
+  require 'rspec-system/rake_task'
+rescue LoadError
+end
+
+begin
+  require 'puppet_blacksmith/rake_tasks'
+rescue LoadError
+end
+
+PuppetLint.configuration.send("disable_80chars")
+PuppetLint.configuration.log_format = "%{path}:%{linenumber}:%{check}:%{KIND}:%{message}"
+PuppetLint.configuration.fail_on_warnings = true
+PuppetLint.configuration.relative = true
+
+# Forsake support for Puppet 2.6.2 for the benefit of cleaner code.
+# http://puppet-lint.com/checks/class_parameter_defaults/
 PuppetLint.configuration.send('disable_class_parameter_defaults')
+# http://puppet-lint.com/checks/class_inherits_from_params_class/
+PuppetLint.configuration.send('disable_class_inherits_from_params_class')
+
+exclude_paths = [
+  "pkg/**/*",
+  "vendor/**/*",
+  "spec/**/*",
+]
+PuppetLint.configuration.ignore_paths = exclude_paths
+PuppetSyntax.exclude_paths = exclude_paths
+
+desc "Run syntax, lint, and spec tests."
+task :test => [
+  :syntax,
+  :lint,
+  :spec,
+]

manifests/filter.pp

@@ -92,7 +92,10 @@ define fail2ban::filter (
 
   $manage_file_content = $filtertemplate ? {
     ''        => undef,
-    default   => template($filtertemplate),
+    default   => $filtersource ? {
+      ''        => template($filtertemplate),
+      default   => undef,
+    }
   }
 
   file { "${real_filtername}.local":

manifests/init.pp

@@ -31,6 +31,14 @@
 #   (source => $source_dir , recurse => true , purge => true)
 #   Can be defined also by the (top scope) variable $fail2ban_source_dir_purge
 #
+# [*source_dir_owner*]
+#   Configuration directory owner
+#   Default: root
+#
+# [*source_dir_group*]
+#   Configuration directory group
+#   Default: root
+#
 # [*template*]
 #   Sets the path to the template to use as content for main configuration file
 #   If defined, fail2ban main config file has: content => content("$template")
@@ -278,6 +286,8 @@ class fail2ban (
   $source                = params_lookup( 'source' ),
   $source_dir            = params_lookup( 'source_dir' ),
   $source_dir_purge      = params_lookup( 'source_dir_purge' ),
+  $source_dir_owner      = params_lookup( 'source_dir_owner' ),
+  $source_dir_group      = params_lookup( 'source_dir_group' ),
   $template              = params_lookup( 'template' ),
   $service_autorestart   = params_lookup( 'service_autorestart' , 'global' ),
   $options               = params_lookup( 'options' ),
@@ -412,18 +422,18 @@ class fail2ban (
 
   ### Managed resources
   package { $fail2ban::package:
-    ensure  => $fail2ban::manage_package,
-    noop    => $fail2ban::noops,
+    ensure => $fail2ban::manage_package,
+    noop   => $fail2ban::noops,
   }
 
   service { 'fail2ban':
-    ensure     => $fail2ban::manage_service_ensure,
-    name       => $fail2ban::service,
-    enable     => $fail2ban::manage_service_enable,
-    hasstatus  => $fail2ban::service_status,
-    pattern    => $fail2ban::process,
-    require    => Package[$fail2ban::package],
-    noop       => $fail2ban::noops,
+    ensure    => $fail2ban::manage_service_ensure,
+    name      => $fail2ban::service,
+    enable    => $fail2ban::manage_service_enable,
+    hasstatus => $fail2ban::service_status,
+    pattern   => $fail2ban::process,
+    require   => Package[$fail2ban::package],
+    noop      => $fail2ban::noops,
   }
 
   if $fail2ban::manage_file_source
@@ -497,6 +507,8 @@ class fail2ban (
       source  => $fail2ban::source_dir,
       recurse => true,
       purge   => $fail2ban::bool_source_dir_purge,
+      owner   => $fail2ban::source_dir_owner,
+      group   => $fail2ban::source_dir_group,
       force   => $fail2ban::bool_source_dir_purge,
       replace => $fail2ban::manage_file_replace,
       audit   => $fail2ban::manage_audit,

manifests/jail.pp

@@ -15,7 +15,9 @@
 #             Defaults to true
 # $filter   - The filter rule to use.
 #             If empty, defaults to == $jailname.
+# $ignoreip - Don't ban a host which matches an address in this list.
 # $port     - The port to filter. It can be an array of ports.
+# $protocol - The protocol for this jail's action.
 # $logpath  - The log file to monitor
 # $maxretry - How many fails are acceptable
 # $action   - The action to take when fail2ban finds $maxretry $filter-matching
@@ -29,7 +31,9 @@ define fail2ban::jail (
   $order     = '',
   $status    = '',
   $filter    = '',
+  $ignoreip  = '',
   $port      = '',
+  $protocol  = '',
   $action    = '',
   $logpath   = '',
   $maxretry  = '',
@@ -62,6 +66,14 @@ define fail2ban::jail (
     default => $filter,
   }
 
+  $array_ignoreip = is_array($ignoreip) ? {
+    false     => $ignoreip ? {
+      ''      => [],
+      default => [$ignoreip],
+    },
+    default   => $ignoreip,
+  }
+
   $array_port = is_array($port) ? {
     false     => $port ? {
       ''      => [],
@@ -70,6 +82,11 @@ define fail2ban::jail (
     default   => $port,
   }
 
+  $real_protocol = $protocol ? {
+    ''      => undef,
+    default => $protocol,
+  }
+
   $array_action = is_array($action) ? {
     false     => $action ? {
       ''      => [],

manifests/params.pp

@@ -16,48 +16,49 @@ class fail2ban::params {
 
   ### Application related parameters
 
-  $package = $::operatingsystem ? {
+  $package = $::osfamily ? {
     default => 'fail2ban',
   }
 
-  $service = $::operatingsystem ? {
+  $service = $::osfamily ? {
     default => 'fail2ban',
   }
 
-  $service_status = $::operatingsystem ? {
+  $service_status = $::osfamily ? {
     default => true,
   }
 
-  $process = $::operatingsystem ? {
-    /(?i:Debian|Ubuntu|Mint)/ => 'fail2ban-server',
-    default                   => 'fail2ban',
+  $process = $::osfamily ? {
+    'Debian' => 'fail2ban-server',
+    'RedHat' => 'fail2ban-server',
+    default  => 'fail2ban',
   }
 
-  $process_args = $::operatingsystem ? {
+  $process_args = $::osfamily ? {
     default => '',
   }
 
-  $process_user = $::operatingsystem ? {
+  $process_user = $::osfamily ? {
     default => 'fail2ban',
   }
 
-  $config_dir = $::operatingsystem ? {
+  $config_dir = $::osfamily ? {
     default => '/etc/fail2ban',
   }
 
-  $config_file = $::operatingsystem ? {
+  $config_file = $::osfamily ? {
     default => '/etc/fail2ban/fail2ban.local',
   }
 
-  $config_file_mode = $::operatingsystem ? {
+  $config_file_mode = $::osfamily ? {
     default => '0644',
   }
 
-  $config_file_owner = $::operatingsystem ? {
+  $config_file_owner = $::osfamily ? {
     default => 'root',
   }
 
-  $config_file_group = $::operatingsystem ? {
+  $config_file_group = $::osfamily ? {
     default => 'root',
   }
 
@@ -68,41 +69,41 @@ class fail2ban::params {
   #            fail2ban::jail define
   $jails_config = ''
 
-  $jails_file = $::operatingsystem ? {
+  $jails_file = $::osfamily ? {
     default => '/etc/fail2ban/jail.local',
   }
 
-  $jails_file_mode = $::operatingsystem ? {
+  $jails_file_mode = $::osfamily ? {
     default => '0644',
   }
 
-  $jails_file_owner = $::operatingsystem ? {
+  $jails_file_owner = $::osfamily ? {
     default => 'root',
   }
 
-  $jails_file_group = $::operatingsystem ? {
+  $jails_file_group = $::osfamily ? {
     default => 'root',
   }
 
-  $config_file_init = $::operatingsystem ? {
-    /(?i:Debian|Ubuntu|Mint)/ => '/etc/default/fail2ban',
-    default                   => '/etc/sysconfig/fail2ban',
+  $config_file_init = $::osfamily ? {
+    'Debian' => '/etc/default/fail2ban',
+    default  => '/etc/sysconfig/fail2ban',
   }
 
-  $pid_file = $::operatingsystem ? {
-    /(?i:Debian|Ubuntu|Mint)/ => '/var/run/fail2ban/fail2ban.pid',
-    default                   => '/var/run/fail2ban.pid',
+  $pid_file = $::osfamily ? {
+    'Debian' => '/var/run/fail2ban/fail2ban.pid',
+    default  => '/var/run/fail2ban.pid',
   }
 
-  $data_dir = $::operatingsystem ? {
+  $data_dir = $::osfamily ? {
     default => '/etc/fail2ban',
   }
 
-  $log_dir = $::operatingsystem ? {
+  $log_dir = $::osfamily ? {
     default => '/var/log/fail2ban',
   }
 
-  $log_file = $::operatingsystem ? {
+  $log_file = $::osfamily ? {
     default => '/var/log/fail2ban/fail2ban.log',
   }
 
@@ -132,6 +133,8 @@ class fail2ban::params {
   $template = ''
   $source_dir = ''
   $source_dir_purge = false
+  $source_dir_owner = 'root'
+  $source_dir_group = 'root'
   $options = ''
   $service_autorestart = true
   $version = 'present'

spec/classes/fail2ban_spec.rb

@@ -26,7 +26,7 @@ describe 'fail2ban' do
   end
 
   describe 'Test jails managed throuh file - template' do
-    let(:facts) { {:operatingsystem => 'Debian' } }
+    let(:facts) { {:osfamily => 'Debian' } }
     let(:params) { {:jails_config => 'file', :jails_template => 'fail2ban/jail.local.erb', :jails => 'ssh' } }
     it { should contain_file('jail.local').without_source }
     it { should contain_file('jail.local').with_content(/ssh-iptables\]
@@ -97,12 +97,10 @@ enabled  = true/) }
   describe 'Test customizations - template' do
     let(:params) { {:template => "fail2ban/spec.erb" , :options => { 'opt_a' => 'value_a' } } }
     it 'should generate a valid template' do
-      content = catalogue.resource('file', 'fail2ban.local').send(:parameters)[:content]
-      content.should match "fqdn: rspec.example42.com"
+      should contain_file('fail2ban.local').with_content(/fqdn: rspec.example42.com/)
     end
     it 'should generate a template that uses custom options' do
-      content = catalogue.resource('file', 'fail2ban.local').send(:parameters)[:content]
-      content.should match "value_a"
+      should contain_file('fail2ban.local').with_content(/value_a/)
     end
   end
 
@@ -136,8 +134,7 @@ enabled  = true/) }
       }
     end
     it 'should not automatically restart the service, when service_autorestart => false' do
-      content = catalogue.resource('file', 'fail2ban.local').send(:parameters)[:notify]
-      content.should be_nil
+      should contain_file('fail2ban.local').with_notify(nil)
     end
   end
 

spec/defines/fail2ban_filter_spec.rb

@@ -61,7 +61,7 @@ b = 2
 not c
 "
      end
- 
+
      it { should contain_file('sample2.local').with_path('/etc/fail2ban/filter.d/sample2.local').with_content(expected) }
      it { should contain_file('sample2.local').without_source }
    end
@@ -75,6 +75,7 @@ not c
     end
 
     it { should contain_file('sample3.local').with_path('/etc/fail2ban/filter.d/sample3.local').with_source('puppet:///some/path/to/source') }
+    it { should contain_file('sample3.local').with_content(nil) }
     it { should contain_file('sample3.local').without_template }
   end
 end

spec/defines/fail2ban_jail_spec.rb

@@ -37,8 +37,10 @@ filter   = fail2ban::jail
       {
         :name     => 'sample1',
         :port     => ['42', '43'],
+        :protocol => 'udp',
         :logpath  => '/path/to/somelog',
         :enable   => true,
+        :ignoreip => [ '10.3.2.0/24', '192.168.56.0/24' ],
         :findtime => '9000',
         :maxretry => '5',
         :bantime  => '3600',
@@ -53,7 +55,9 @@ filter   = fail2ban::jail
 [fail2ban::jail]
 enabled  = true
 filter   = fail2ban::jail
+ignoreip = 10.3.2.0/24 192.168.56.0/24
 port     = 42,43
+protocol = udp
 action   = iptables[name=SSH, port=ssh, protocol=tcp]
 	mail-whois[name=SSH, dest=yourmail@mail.com]
 logpath  = /path/to/somelog

templates/concat/jail.local-stanza.erb

@@ -4,9 +4,15 @@ enabled  = <%= @real_status %>
 <% if @real_filter != '' -%>
 filter   = <%= @real_filter %>
 <% end -%>
+<% if @array_ignoreip != [] -%>
+ignoreip = <%= @array_ignoreip * ' ' %>
+<% end -%>
 <% if @array_port != [] -%>
 port     = <%= @array_port * ',' %>
 <% end -%>
+<% if @real_protocol -%>
+protocol = <%= @real_protocol %>
+<% end -%>
 <% if @array_action != [] -%>
 action   = <%= @array_action.join("\n\t") %>
 <% end -%>

templates/jail.local.erb

@@ -1,6 +1,6 @@
 # This file is managed by Puppet. DO NOT EDIT.
 [DEFAULT]
-ignoreip = <%= scope.lookupvar('fail2ban::ignoreip') %>
+ignoreip = <%= scope.lookupvar('fail2ban::ignoreip') * ' ' %>
 bantime  = <%= scope.lookupvar('fail2ban::bantime') %>
 findtime = <%= scope.lookupvar('fail2ban::findtime') %>
 maxretry = <%= scope.lookupvar('fail2ban::maxretry') %>
@@ -13,7 +13,11 @@ action   = iptables[name=IMAP, port=imap, protocol=tcp]
 <% unless scope.lookupvar('fail2ban::mailto').empty? -%>
            sendmail-whois[name=POP3, dest=<%= scope.lookupvar('fail2ban::mailto') %>, sender=fail2ban@<%= @fqdn %>]
 <% end -%>
+<% if @osfamily == "Debian" -%>
+logpath  = /var/log/mail.log
+<% else -%>
 logpath  = /var/log/maillog
+<% end -%>
 maxretry = 5
 
 [pop3-iptables]
@@ -23,7 +27,11 @@ action   = iptables[name=POP3, port=pop3, protocol=tcp]
 <% unless scope.lookupvar('fail2ban::mailto').empty? -%>
            sendmail-whois[name=POP3, dest=<%= scope.lookupvar('fail2ban::mailto') %>, sender=fail2ban@<%= @fqdn %>]
 <% end -%>
+<% if @osfamily == "Debian" -%>
+logpath  = /var/log/mail.log
+<% else -%>
 logpath  = /var/log/maillog
+<% end -%>
 maxretry = 5
 
 [ssh-iptables]
@@ -33,7 +41,7 @@ action   = iptables[name=SSH, port=ssh, protocol=tcp]
 <% unless scope.lookupvar('fail2ban::mailto').empty? -%>
            sendmail-whois[name=SSH, dest=<%= scope.lookupvar('fail2ban::mailto') %>, sender=fail2ban@<%= @fqdn %>]
 <% end -%>
-<% if @operatingsystem == "Debian" -%>
+<% if @osfamily == "Debian" -%>
 logpath  = /var/log/auth.log
 <% else -%>
 logpath  = /var/log/secure