Add ability for users to specify subpolicies #24

.fixtures.yml

@@ -4,4 +4,3 @@ fixtures:
     compliance_markup: https://github.com/simp/pupmod-simp-compliance_markup
     simp_options: https://github.com/simp/pupmod-simp-simp_options
     stdlib: https://github.com/simp/puppetlabs-stdlib
-    simplib: https://github.com/simp/pupmod-simp-simplib

CHANGELOG

@@ -1,3 +1,7 @@
+* Thu May 29 2025 Mike Riddle <mike@sicura.us> - 1.0.0
+- Removed dependency on simplib
+- Added ability for users to specify subpolicies
+
 * Thu May 08 2025 Richard Gardner <rick@sicura-us> - 1.0.0
 - Remove EOL OS's support (EL7, CentOS8)
 - Stardardize beaker nodesets

REFERENCE.md

@@ -29,11 +29,12 @@ The following parameters are available in the `crypto_policy` class:
 
 Data type: `Optional[String]`
 
-The system crypto policy that you wish to enforce
+The system crypto policy and subpolicies that you wish to enforce
 
-* Will be checked against `$facts['simplib__crypto_policy_state']['global_policies_available']` for validity
+* Will be checked against `$facts['crypto_policy_state']['global_policies_available']`
+  and `$facts['crypto_policy_state']['sub_policies_available']`for validity
 
-Default value: `simplib::lookup('simp_options::fips', { 'default_value' => pick($facts['fips_enabled'], false) }) ? { true => 'FIPS', default => undef`
+Default value: `pick($facts['fips_enabled'], false) ? { true => 'FIPS', default => undef`
 
 ##### <a name="-crypto_policy--validate_policy"></a>`validate_policy`
 
@@ -90,7 +91,7 @@ The 'ensure' parameter for `$packages`
 * NOTE: There are issues with `crypto-policies < 20190000` which may render
   a FIPS system inaccessible.
 
-Default value: `simplib::lookup('simp_options::package_ensure', { 'default_value' => 'latest' })`
+Default value: `'latest'`
 
 ### <a name="crypto_policy--update"></a>`crypto_policy::update`
 

lib/facter/crypto_policy_state.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+# @summary Provides the state of the configured crypto policies
+#
+# @see update-crypto-policy(8)
+#
+# @return [Hash]
+#
+# @example Output Hash
+#
+#   {
+#     'global_policy'             => 'POLICY_NAME',
+#     'global_policy_applied'     => BOOLEAN,
+#     'global_policies_available' => ['POLICY_ONE', 'POLICY_TWO']
+#     'sub_policies_available'    => ['SUB_POLICY_ONE', 'SUB_POLICY_TWO']
+#   }
+#
+Facter.add('crypto_policy_state') do
+  confine kernel: :linux
+
+  crypto_policy_cmd = Facter::Util::Resolution.which('update-crypto-policies')
+  confine { crypto_policy_cmd }
+
+  setcode do
+    system_state = nil
+
+    output = Facter::Core::Execution.execute(%(#{crypto_policy_cmd} --no-reload --show), on_fail: false)
+    output = output.strip if output
+
+    if output && !output.empty?
+      system_state = {}
+
+      system_state['global_policy'] = output.strip
+
+      output = Facter::Core::Execution.execute(%(#{crypto_policy_cmd} --no-reload --is-applied), on_fail: false)
+
+      system_state['global_policy_applied'] = !Array(output).grep(%r{is applied}).empty? if output
+
+      # This is everything past EL8.0
+      global_policies = Dir.glob(['/usr/share/crypto-policies/policies/*.pol', '/etc/crypto-policies/policies/*.pol'])
+
+      # Need available subpolicies to support users setting them
+      sub_policies = Dir.glob(['/usr/share/crypto-policies/policies/modules/*.pmod', '/etc/crypto-policies/policies/modules/*.pmod'])
+
+      # Fallback for 8.0
+      if global_policies.empty?
+        global_policies = Dir.glob('/usr/share/crypto-policies/*').select { |x| File.directory?(x) }
+      end
+
+      system_state['global_policies_available'] = global_policies.map { |x| File.basename(x, '.pol') }.uniq
+      system_state['sub_policies_available'] = sub_policies.map { |x| File.basename(x, '.pmod') }.uniq
+    end
+
+    system_state
+  rescue => e
+    Facter.warn("Failed to retrieve crypto policy state: #{e.message}")
+    nil
+  end
+end

manifests/init.pp

@@ -1,9 +1,10 @@
 # @summary Configure the system crypto policy settings
 #
 # @param ensure
-#   The system crypto policy that you wish to enforce
+#   The system crypto policy and subpolicies that you wish to enforce
 #
-#   * Will be checked against `$facts['simplib__crypto_policy_state']['global_policies_available']` for validity
+#   * Will be checked against `$facts['crypto_policy_state']['global_policies_available']`
+#     and `$facts['crypto_policy_state']['sub_policies_available']`for validity
 #
 # @param validate_policy
 #   Disables validation of the `$ensure` parameter prior to application
@@ -20,13 +21,11 @@
 # @author https://github.com/simp/pupmod-simp-crypto_policy/graphs/contributors
 #
 class crypto_policy (
-  Optional[String] $ensure              = simplib::lookup('simp_options::fips', { 'default_value' => pick($facts['fips_enabled'], false) }) ? { true => 'FIPS', default => undef },
+  Optional[String] $ensure              = pick($facts['fips_enabled'], false) ? { true => 'FIPS', default => undef },
   Boolean          $validate_policy     = true,
   Boolean          $force_fips_override = false,
   Boolean          $manage_installation = true
 ) {
-  simplib::assert_metadata($module_name)
-
   include crypto_policy::update
 
   if $manage_installation {
@@ -48,10 +47,14 @@
     $_ensure = $ensure
   }
 
-  $global_policies_available = $facts.dig('simplib__crypto_policy_state', 'global_policies_available')
+  $global_policies_available = $facts.dig('crypto_policy_state', 'global_policies_available')
+  $sub_policies_available = $facts.dig('crypto_policy_state', 'sub_policies_available')
 
-  if $_ensure and $global_policies_available {
-    unless $_ensure in $global_policies_available {
+  if $_ensure and $global_policies_available and $sub_policies_available {
+    $_policy_components = $_ensure.split(':')
+    $_global_policy = $_policy_components[0]
+    $_sub_policies = $_policy_components.delete($_policy_components[0])
+    unless $_global_policy in $global_policies_available {
       $_available_policies = join($global_policies_available,"', '")
 
       if $ensure == $_ensure {
@@ -63,6 +66,13 @@
       fail("${module_name}::ensure (${ensure_message}) must be one of '${_available_policies}'")
     }
 
+    unless $_sub_policies.empty or ($_sub_policies - $sub_policies_available).empty {
+      $_available_sub_policies = join($sub_policies_available, "', '")
+      # Any sub policies not available to use will be displayed back to the user
+      $_unknown_sub_policies = join(($_sub_policies - $sub_policies_available), "', '")
+      fail("${module_name}::ensure unknown sub_policies (${$_unknown_sub_policies}) must be one of '${_available_sub_policies}'")
+    }
+
     $_crypto_config = @("CRYPTO_CONFIG")
       # This file managed by Puppet using ${module_name}
       #

manifests/install.pp

@@ -13,7 +13,7 @@
 #
 class crypto_policy::install (
   Array[String[1]] $packages       = ['crypto-policies', 'crypto-policies-scripts'],
-  String[1]        $package_ensure = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'latest' })
+  String[1]        $package_ensure = 'latest'
 ) {
   assert_private()
 

manifests/update.pp

@@ -11,13 +11,13 @@
 class crypto_policy::update (
   Stdlib::Absolutepath $command = '/usr/bin/update-crypto-policies'
 ) {
-  if $facts['simplib__crypto_policy_state'] {
+  if $facts['crypto_policy_state'] {
     exec { 'update global crypto policy':
       command     => $command,
       refreshonly => true
     }
   }
   else {
-    warning("${module_name}: simplib__crypto_policy_state fact not found, updating not enabled")
+    warning("${module_name}: crypto_policy_state fact not found, updating not enabled")
   }
 }

metadata.json

@@ -9,10 +9,6 @@
     {
       "name": "puppetlabs/stdlib",
       "version_requirement": ">= 8.0.0 < 10.0.0"
-    },
-    {
-      "name": "simp/simplib",
-      "version_requirement": ">= 4.9.0 < 5.0.0"
     }
   ],
   "tags": [

spec/acceptance/suites/default/00_default_spec.rb

@@ -28,17 +28,18 @@
         apply_manifest_on(host, manifest, { catch_changes: true })
       end
 
-      it 'has a valid simplib__crypto_policy_state fact' do
-        crypto_policy_state = pfact_on(host, 'simplib__crypto_policy_state')
+      it 'has a valid crypto_policy_state fact' do
+        crypto_policy_state = pfact_on(host, 'crypto_policy_state')
 
         expect(crypto_policy_state).not_to be_empty
         expect(crypto_policy_state['global_policy']).to eq default_policy
         expect(crypto_policy_state['global_policy_applied']).to eq true
         expect(crypto_policy_state['global_policies_available']).to include('DEFAULT', 'EMPTY', 'FIPS', 'FUTURE', 'LEGACY')
+        expect(crypto_policy_state['sub_policies_available']).to include('AD-SUPPORT', 'ECDHE-ONLY', 'NO-CAMELLIA', 'NO-SHA1', 'OSPP')
       end
     end
 
-    context 'when setting the config' do
+    context 'when setting the config to a global policy' do
       let(:hieradata) do
         {
           'crypto_policy::ensure' => 'LEGACY'
@@ -56,21 +57,47 @@
 
       if pfact_on(host, 'fips_enabled')
         it 'has the global policy set to FIPS' do
-          crypto_policy_state = pfact_on(host, 'simplib__crypto_policy_state')
+          crypto_policy_state = pfact_on(host, 'crypto_policy_state')
 
           expect(crypto_policy_state).not_to be_empty
           expect(crypto_policy_state['global_policy']).to eq 'FIPS'
           expect(crypto_policy_state['global_policy_applied']).to eq true
         end
       else
         it 'has the global policy set to LEGACY' do
-          crypto_policy_state = pfact_on(host, 'simplib__crypto_policy_state')
+          crypto_policy_state = pfact_on(host, 'crypto_policy_state')
 
           expect(crypto_policy_state).not_to be_empty
           expect(crypto_policy_state['global_policy']).to eq hieradata['crypto_policy::ensure']
           expect(crypto_policy_state['global_policy_applied']).to eq true
         end
       end
     end
+
+    context 'when setting the config with a subpolicy' do
+      let(:hieradata) do
+        {
+          'crypto_policy::ensure' => 'DEFAULT:NO-SHA1',
+          'force_fips_override'   => true
+        }
+      end
+
+      it 'works without error' do
+        set_hieradata_on(host, hieradata)
+        apply_manifest_on(host, manifest, catch_failures: true)
+      end
+
+      it 'is idempotent' do
+        apply_manifest_on(host, manifest, { catch_changes: true })
+      end
+
+      it 'has the global policy set to DEFAULT:NO-SHA1' do
+        crypto_policy_state = pfact_on(host, 'crypto_policy_state')
+
+        expect(crypto_policy_state).not_to be_empty
+        expect(crypto_policy_state['global_policy']).to eq hieradata['crypto_policy::ensure']
+        expect(crypto_policy_state['global_policy_applied']).to eq true
+      end
+    end
   end
 end

spec/classes/init_spec.rb

@@ -8,8 +8,9 @@
       let(:fips_enabled) { false }
       let(:facts) do
         os_facts.merge(
-          simplib__crypto_policy_state: {
-            'global_policies_available' => ['DEFAULT', 'FIPS', 'LEGACY', 'FUTURE', 'NONE']
+          crypto_policy_state: {
+            'global_policies_available' => ['DEFAULT', 'FIPS', 'LEGACY', 'FUTURE', 'NONE'],
+            'sub_policies_available'    => ['AD-SUPPORT', 'ECDHE-ONLY', 'NO-CAMELLIA', 'NO-SHA1', 'OSPP']
           },
           fips_enabled: fips_enabled,
         )
@@ -52,6 +53,80 @@
           it { is_expected.to create_exec('update global crypto policy') }
         end
 
+        context 'with ensure set to DEFAULT:NO-SHA1:OSPP' do
+          let(:params) do
+            {
+              ensure: 'DEFAULT:NO-SHA1:OSPP',
+            }
+          end
+
+          it { is_expected.to compile.with_all_deps }
+
+          it {
+            is_expected.to create_file('/etc/crypto-policies/config').with_content(
+              <<~CONTENT,
+                # This file managed by Puppet using crypto_policy
+                #
+                DEFAULT:NO-SHA1:OSPP
+              CONTENT
+            ).that_notifies('Class[crypto_policy::update]')
+          }
+
+          it { is_expected.to create_exec('update global crypto policy') }
+        end
+
+        context 'with ensure set to DEFAULT:NO-SHA1' do
+          let(:params) do
+            {
+              ensure: 'DEFAULT:NO-SHA1',
+            }
+          end
+
+          it { is_expected.to compile.with_all_deps }
+
+          it {
+            is_expected.to create_file('/etc/crypto-policies/config').with_content(
+              <<~CONTENT,
+                # This file managed by Puppet using crypto_policy
+                #
+                DEFAULT:NO-SHA1
+              CONTENT
+            ).that_notifies('Class[crypto_policy::update]')
+          }
+
+          it { is_expected.to create_exec('update global crypto policy') }
+        end
+
+        context 'with ensure set to non-existent global policy' do
+          let(:params) do
+            {
+              ensure: 'FAKE',
+            }
+          end
+
+          it { is_expected.not_to compile }
+        end
+
+        context 'with ensure set to non-existent subpolicy' do
+          let(:params) do
+            {
+              ensure: 'DEFAULT:FAKE',
+            }
+          end
+
+          it { is_expected.not_to compile }
+        end
+
+        context 'with ensure set to real and non-existent subpolicy' do
+          let(:params) do
+            {
+              ensure: 'DEFAULT:NO-SHA1:FAKE',
+            }
+          end
+
+          it { is_expected.not_to compile }
+        end
+
         context 'with the system in FIPS mode' do
           let(:fips_enabled) { true }
 
@@ -92,7 +167,7 @@
     end
 
     context "on #{os} without required facts" do
-      let(:facts) { os_facts.reject { |k, _v| k == :simplib__crypto_policy_state } }
+      let(:facts) { os_facts.reject { |k, _v| k == :crypto_policy_state } }
       let(:params) { { ensure: 'DEFAULT' } }
 
       it { is_expected.to compile.with_all_deps }