Merge pull request #12 from adfinis/sssd-auth

feat: add support for PAM authentication

Author: adf-patrickha

defaults/main.yml

@@ -77,3 +77,6 @@ bareos_dir_schedules: []
 
 # A list of storages to configure.
 bareos_dir_storages: []
+
+# Enable PAM authentication
+bareos_dir_pam_auth_enable: false

meta/argument_specs.yml

@@ -79,7 +79,44 @@ argument_specs:
       bareos_dir_consoles:
         type: "list"
         default: []
-        description: "A list of consoled to configure."
+        description: "A list of consoles to configure."
+        elements: "dict"
+        options:
+          name:
+            type: "str"
+            required: true
+            description: >
+              The name of the console.
+              This name must match the name specified at the Console client.
+          description:
+            type: "str"
+          password:
+            type: "str"
+            required: true
+            description: >
+              Specifies the password that must be supplied for a named Bareos Console to be authorized.
+          commandacl:
+            type: "list"
+            elements: "str"
+          jobacl:
+            type: "list"
+            elements: "str"
+          profile:
+            type: "str"
+            description: >
+              See https://docs.bareos.org/Configuration/Director.html#directorresourceprofile
+          tls_enable:
+            type: "bool"
+            default: true
+            description: "Enable TLS support."
+          use_pam_authentication:
+            type: "bool"
+            default: false
+            description: >
+              Use PAM authentication for this console.
+              Cannot be used in combination with the option `profile` or `commandacl`!
+              See: https://github.com/bareos/bareos/tree/master/contrib/misc/bareos_pam_integration#pam-configuration
+
       bareos_dir_counters:
         type: "list"
         default: []
@@ -130,3 +167,40 @@ argument_specs:
         elements: "str"
         required: false
         version_added: v1.1.0
+      bareos_dir_pam_auth_enable:
+        type: "bool"
+        default: false
+        description: >
+          Setup Bareos Director to use PAM authentication via Unix socket or LDAP socket.
+          Follows the setup guide at
+          https://github.com/bareos/bareos/tree/master/contrib/misc/bareos_pam_integration#pam-configuration
+      bareos_dir_pam_auth_method:
+        type: "str"
+        default: "unix"
+        choices:
+          - "ldap"
+          - "unix"
+        description: "Decide if Unix or LDAP socket should be used for PAM authentication"
+      bareos_dir_pam_auth_profile:
+        type: "str"
+        default: "webui-admin"
+        description: "The Bareos profile to use for the user, after a successful login attempt"
+      bareos_dir_pam_auth_username:
+        type: "str"
+        default: "pam-adduser"
+        description: >
+          Technical user account for the Bareos Console connection.
+          Required to be able to add the user resources in Bareos, after a successful PAM authentication.
+      bareos_dir_pam_auth_password:
+        type: "str"
+        default: "lookup('ansible.builtin.password', '/dev/null', seed=inventory_hostname')"
+        description: >-
+          Password for technical user account for the Bareos Console connection.
+          Randomized, but idempotent password will be generated if variable is unset.
+      bareos_dir_pam_auth_tls_enable:
+        type: "bool"
+        default: false
+        description: >
+          If TLS should be used for the Bareos Console
+          WebUI does not support pre-shared keys (PSK), so if this is desired,
+          an actual CA and certificates need to be in place.

molecule/default/converge.yml

@@ -24,6 +24,12 @@
             - .status
           jobacl:
             - "*all"
+          tls_enable: true
+        - name: pam-console
+          description: "Console uses PAM authentication"
+          password: "MySecretPAMPassword"
+          tls_enable: true
+          use_pam_authentication: true
       bareos_dir_clients:
         - name: bareos-fd
           address: 127.0.0.1
@@ -282,6 +288,10 @@
         - "[email protected]"
         - "[email protected]"
 
+      bareos_dir_pam_auth_enable: true
+      bareos_dir_pam_auth_method: unix
+      bareos_dir_pam_auth_tls_enable: true
+
     - role: adfinis.bareos_console
       bareos_console_directors:
         - name: bareos-dir

tasks/assert.yml

@@ -124,14 +124,20 @@
       - bareos_dir_storages is iterable
     quiet: true
 
+- name: assert | Test bareos_dir_packages
+  ansible.builtin.assert:
+    that:
+      - bareos_dir_packages is defined
+      - bareos_dir_packages is iterable
+    quiet: true
+
 - name: assert | Test bareos_dir_install_debug_packages
   ansible.builtin.assert:
     that:
       - bareos_dir_install_debug_packages is defined
       - bareos_dir_install_debug_packages is boolean
     quiet: true
 
-
 - name: assert | Test bareos_dir_catalogs
   ansible.builtin.assert:
     that:
@@ -185,3 +191,25 @@
   ansible.builtin.assert:
     that:
       - bareos_dir_messages is defined
+    quiet: true
+
+- name: assert | Test bareos_dir_pam_auth_enable
+  ansible.builtin.assert:
+    that:
+      - bareos_dir_pam_auth_enable is defined
+      - bareos_dir_pam_auth_enable is boolean
+    quiet: true
+
+- name: assert | Test bareos_dir_pam_auth_requirements
+  ansible.builtin.assert:
+    that:
+      - bareos_dir_pam_auth_requirements is defined
+      - bareos_dir_pam_auth_requirements is iterable
+    quiet: true
+
+- name: assert | Test bareos_dir_plugin_list
+  ansible.builtin.assert:
+    that:
+      - bareos_dir_plugin_list is defined
+      - bareos_dir_plugin_list is iterable
+    quiet: true

tasks/main.yml

@@ -277,6 +277,15 @@
     - bareos_dir_plugins is defined
     - bareos_dir_plugins is iterable
 
+- name: Import PAM authentication tasklist
+  ansible.builtin.import_tasks:
+    file: pam_auth.yml
+  when:
+    - bareos_dir_pam_auth_enable
+    - bareos_dir_pam_auth_method is defined
+    - bareos_dir_pam_auth_method == "ldap" or
+      bareos_dir_pam_auth_method == "unix"
+
 - name: Start bareos-dir
   ansible.builtin.service:
     name: bareos-dir

tasks/pam_auth.yml

@@ -0,0 +1,78 @@
+---
+# Follows the setup process according to
+# https://github.com/bareos/bareos/tree/master/contrib/misc/bareos_pam_integration#pam-configuration
+
+- name: pam_auth | Install PAM dependencies
+  ansible.builtin.package:
+    name: "{{ bareos_dir_pam_auth_requirements }}"
+    state: present
+
+- name: pam_auth | Create bconsole password if bareos_dir_pam_auth_password unset
+  ansible.builtin.set_fact:
+    bareos_dir_pam_auth_password: "{{ lookup('ansible.builtin.password', '/dev/null', seed=inventory_hostname) }}"
+  when:
+    - bareos_dir_pam_auth_password is not defined or
+      bareos_dir_pam_auth_password == ""
+
+- name: pam_auth | Create bareos conf in /etc/pam.d/
+  ansible.builtin.template:
+    src: templates/pam.d/bareos.j2
+    dest: /etc/pam.d/bareos
+    owner: root
+    group: bareos
+    mode: "0644"
+
+# required for unix.socket auth to read /etc/shadow
+- name: pam_auth | Add bareos user to group shadow
+  ansible.builtin.user:
+    name: bareos
+    groups: shadow
+    append: true
+  when:
+    - bareos_dir_pam_auth_method == "unix"
+    - ansible_facts.os_family == "Debian"
+
+# required for unix.socket auth to read /etc/shadow
+- name: pam_auth | Change permissions for /etc/shadow
+  ansible.builtin.file:
+    path: "/etc/shadow"
+    owner: root
+    group: bareos
+    mode: "0040"
+  when:
+    - bareos_dir_pam_auth_method == "unix"
+    - ansible_facts.os_family == "RedHat"
+
+- name: pam_auth | Download pam_exec_add_bareos_user.py from bareos Github
+  ansible.builtin.get_url:
+    url: https://github.com/bareos/bareos/blob/master/contrib/misc/bareos_pam_integration/pam_exec_add_bareos_user.py
+    dest: "/usr/local/bin/pam_exec_add_bareos_user.py"
+    owner: bareos
+    group: bareos
+    mode: "0744"
+
+- name: pam_auth | Create PAM specific Bareos Console
+  ansible.builtin.template:
+    src: console.conf.j2
+    dest: "/etc/bareos/bareos-dir.d/console/{{ item.name }}.conf"
+    owner: bareos
+    group: bareos
+    mode: "0644"
+    backup: "{{ bareos_dir_backup_configurations }}"
+  loop:
+    - name: "{{ bareos_dir_pam_auth_username | default('pam-adduser') }}"
+      description: >-
+        Dedicated Console for PAM authentication.
+        Using this, a user who successfully authenticates against LDAP,
+        will be created as Bareos user with ACLs as defined in profile {{ bareos_dir_pam_auth_profile | default('webui-admin') }}.
+      password: "{{ bareos_dir_pam_auth_password }}"
+      tls_enable: "{{ bareos_dir_pam_auth_tls_enable | default(false) }}"
+      commandacl:
+        - ".api"
+        - ".profiles"
+        - ".users"
+        - "configure"
+        - "version"
+  notify:
+    - Check configuration
+    - Reload bareos-dir

templates/console.conf.j2

@@ -7,17 +7,18 @@ Console {
   Description = "{{ item.description }}"
 {% endif %}
   Password = "{{ item.password }}"
+  TLS Enable = {{ item.tls_enable | default(true) | ternary('Yes', 'No') }}
 {% if item.commandacl is defined %}
-  CommandACL = {{ item.commandacl | join(', ') }}
+  Command ACL = {{ item.commandacl | join(', ') }}
 {% endif %}
 {% if item.jobacl is defined %}
-  JobACL = {{ item.jobacl | join(', ') }}
+  Job ACL = {{ item.jobacl | join(', ') }}
 {% endif %}
 {% if item.profile is defined %}
   Profile = "{{ item.profile }}"
 {% endif %}
-{% if item.tlsenable is defined %}
-  TlsEnable = {{ item.tlsenable | ternary('Yes', 'No') }}
+{% if item.use_pam_authentication is defined %}
+  UsePamAuthentication = {{ item.use_pam_authentication | ternary('Yes', 'No') }}
 {% endif %}
 }
 {% else %}

templates/pam.d/bareos.j2

@@ -0,0 +1,9 @@
+{{ ansible_managed | comment }}
+{% if bareos_dir_pam_auth_method | default("unix") == "unix" %}
+auth       required            pam_unix.so
+account    requisite           pam_unix.so
+{% elif bareos_dir_pam_auth_method == "ldap" %}
+auth       required            pam_ldap.so
+account    requisite           pam_ldap.so
+{% endif %}
+account    [default=ignore]    pam_exec.so /usr/bin/python3 /usr/local/bin/pam_exec_add_bareos_user.py --name {{ bareos_dir_pam_auth_username | default('pam-adduser') }} --password {{ bareos_dir_pam_auth_password }} --profile {{ bareos_dir_pam_auth_profile | default("webui-admin") }}

vars/Debian.yml

@@ -8,3 +8,7 @@ bareos_dir_debug_packages:
   - gdb
 
 bareos_dir_plugin_dir: "/usr/lib/bareos/plugins"
+
+bareos_dir_pam_auth_requirements:
+  - libpam-modules
+  - python3-bareos

vars/RedHat.yml

@@ -0,0 +1,10 @@
+---
+
+bareos_dir_debug_packages:
+  - bareos-debuginfo
+  - gdb
+
+bareos_dir_plugin_name: python3
+
+bareos_dir_pam_auth_requirements:
+  - pam

vars/main.yml

@@ -27,3 +27,5 @@ bareos_dir_plugin_list:
   - name: director-python
     packages:
       - bareos-director-python3-plugin
+
+bareos_dir_pam_auth_requirements: []