#11371 - Password protection for fileserver repositories

modules/adblockplus/manifests/web/fileserver/repository.pp

 # == Type: adblockplus::web::fileserver::repository
 #
 # Manage a repository on a fileserver.
 #
 # A repository is a site where a group of people can upload and artifacts.
 #
 # In its current form, a repository is simply a directory exposed on a web
 # server. This may evolve to make use of more advanced repositories in the
 # future (proxy to repository manager, or 3rd-party service, etc).
 #
 # === parameters:
 #
 # [*ensure*]
 #   Whether to set up the repository or not. Removing repositories is not
 #   supported.
 #
 # [*users*]
 # System users that should be created and added to the group that has 
 # write permissions for the repository directory
 #
-# [*auth_users*]
-# Array of users in the form of user:hash, used for http basic authentication
+# [*auth_file*]
+#   Overwrite the default options of the authentication file used for basic
+#   http authentication for nginx.
 #
 define adblockplus::web::fileserver::repository (
   $ensure = 'present',
   $users = {},
-  $auth_users = [],

[mathias, 2018/06/01 21:14:41]

This should be a Hash that allows for fine-tuning the File[$auth_file]
parameters, so one can either use the $source or $content parameters. You could
let it default to `undef` and use that in the condition in the template where
you decide whether to include the htpasswd configuration or not.

[f.lopez, 2018/06/02 18:29:40]

Acknowledged.

+  $auth_file = undef,
 ){
 
   $repositories_directory = "$adblockplus::directory/fileserver"
   $repository_directory = "$repositories_directory/$name"
   $group_name = "www-$name"
   $repository_host = $name ? {
     'www' =>  "$adblockplus::web::fileserver::domain",
     default => "$name.$adblockplus::web::fileserver::domain",
   }
-  $auth_file = "$adblockplus::directory/${name}_htpasswd"

[mathias, 2018/06/01 21:14:41]

I would prefer this to be either in `/var/www/${name}_htpasswd` (just to make it
easier to find) or in a sub-directory like
`${::adblockplus::directory}/htpasswd/${name}` (in order to not clutter the ABP
directory). 

[f.lopez, 2018/06/02 18:29:40]

Acknowledged.

+  $auth_filename = "${::adblockplus::directory}/htpasswd/${name}"
 
-  nginx::hostconfig{ "$repository_host":

[mathias, 2018/06/01 21:14:42]

Nit: The white-space around the curly bracket is inconsistent with the other
Puppet code in this repository.

[f.lopez, 2018/06/02 18:29:40]

Acknowledged.

+  nginx::hostconfig {"$repository_host":
     content => template("adblockplus/web/fileserver.conf.erb"),
     is_default => false,
     certificate => $adblockplus::web::fileserver::certificate,
     private_key => $adblockplus::web::fileserver::private_key,
     log => 'access_log_fileserver',
   }
 
-  file {"$auth_file":
-    ensure => ensure_file_state($ensure),
-    content => inline_template('<%= @auth_users.join("\n") if @auth_users %>')
+  if $auth_file != undef {
+    ensure_resource('file', $auth_filename, merge({
+      ensure => ensure_file_state($ensure),
+    }, $auth_file))
   }
 
   group {"$group_name":
     ensure => $ensure,
   }
 
   file {"$repository_directory":
     ensure => ensure_directory_state($ensure),
     group => $group_name,
     mode => '0775',
@@ skipping 11 matching lines @@
 
   realize(File[$adblockplus::directory])
 
   file {"/var/www/$repository_host":
     ensure => ensure_symlink_state($ensure),
     target => "$repository_directory",
     require => File["$repository_directory"],
   }
 }