1
1
Puppet::Type.newtype(:macauthorization) do
3
3
@doc = "Manage the Mac OS X authorization database.
5
5
http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Security_Services/chapter_4_section_5.html for more information."
9
9
autorequire(:file) do
10
10
["/etc/authorization"]
13
13
def munge_boolean(value)
15
when true, "true", :true:
15
when true, "true", :true
17
17
when false, "false", :false
20
raise Puppet::Error("munge_boolean only takes booleans")
20
fail("munge_boolean only takes booleans")
24
def munge_integer(value)
28
fail("munge_integer only takes integers")
25
33
desc "The name of the right or rule to be managed.
26
Corresponds to 'key' in Authorization Services. The key is the name
27
of a rule. A key uses the same naming conventions as a right. The
28
Security Server uses a rule’s key to match the rule with a right.
29
Wildcard keys end with a ‘.’. The generic rule has an empty key value.
34
Corresponds to 'key' in Authorization Services. The key is the name
35
of a rule. A key uses the same naming conventions as a right. The
36
Security Server uses a rule’s key to match the rule with a right.
37
Wildcard keys end with a ‘.’. The generic rule has an empty key value.
30
38
Any rights that do not match a specific rule use the generic rule."
35
43
newproperty(:auth_type) do
36
desc "type - can be a 'right' or a 'rule'. 'comment' has not yet been
44
desc "type - can be a 'right' or a 'rule'. 'comment' has not yet been
41
49
# newvalue(:comment) # not yet implemented.
44
52
newproperty(:allow_root, :boolean => true) do
45
desc "Corresponds to 'allow-root' in the authorization store, renamed
46
due to hyphens being problematic. Specifies whether a right should be
47
allowed automatically if the requesting process is running with
48
uid == 0. AuthorizationServices defaults this attribute to false if
53
desc "Corresponds to 'allow-root' in the authorization store, renamed
54
due to hyphens being problematic. Specifies whether a right should be
55
allowed automatically if the requesting process is running with
56
uid == 0. AuthorizationServices defaults this attribute to false if
55
63
@resource.munge_boolean(value)
59
67
newproperty(:authenticate_user, :boolean => true) do
60
desc "Corresponds to 'authenticate-user' in the authorization store,
68
desc "Corresponds to 'authenticate-user' in the authorization store,
61
69
renamed due to hyphens being problematic."
67
75
@resource.munge_boolean(value)
71
79
newproperty(:auth_class) do
72
desc "Corresponds to 'class' in the authorization store, renamed due
80
desc "Corresponds to 'class' in the authorization store, renamed due
73
81
to 'class' being a reserved word."
76
84
newvalue(:'evaluate-mechanisms')
79
90
newproperty(:comment) do
80
91
desc "The 'comment' attribute for authorization resources."
83
94
newproperty(:group) do
84
desc "The user must authenticate as a member of this group. This
95
desc "The user must authenticate as a member of this group. This
85
96
attribute can be set to any one group."
88
99
newproperty(:k_of_n) do
89
desc "k-of-n. Built-in rights only show a value of '1' or absent,
90
other values may be acceptable. Undocumented."
100
desc "k-of-n describes how large a subset of rule mechanisms must
101
succeed for successful authentication. If there are 'n' mechanisms,
102
then 'k' (the integer value of this parameter) mechanisms must succeed.
103
The most common setting for this parameter is '1'. If k-of-n is not
104
set, then 'n-of-n' mechanisms must succeed."
107
@resource.munge_integer(value)
93
111
newproperty(:mechanisms, :array_matching => :all) do
94
112
desc "an array of suitable mechanisms."
97
newproperty(:rule, :array_match => :all) do
115
newproperty(:rule, :array_matching => :all) do
98
116
desc "The rule(s) that this right refers to."
101
119
newproperty(:session_owner, :boolean => true) do
102
desc "Corresponds to 'session-owner' in the authorization store,
103
renamed due to hyphens being problematic. Whether the session owner
120
desc "Corresponds to 'session-owner' in the authorization store,
121
renamed due to hyphens being problematic. Whether the session owner
104
122
automatically matches this rule or right."
110
128
@resource.munge_boolean(value)
114
132
newproperty(:shared, :boolean => true) do
115
133
desc "If this is set to true, then the Security Server marks the
116
credentials used to gain this right as shared. The Security Server
117
may use any shared credentials to authorize this right. For maximum
118
security, set sharing to false so credentials stored by the Security
134
credentials used to gain this right as shared. The Security Server
135
may use any shared credentials to authorize this right. For maximum
136
security, set sharing to false so credentials stored by the Security
119
137
Server for one application may not be used by another application."
125
143
@resource.munge_boolean(value)
129
147
newproperty(:timeout) do
130
desc "The credential used by this rule expires in the specified
131
number of seconds. For maximum security where the user must
132
authenticate every time, set the timeout to 0. For minimum security,
133
remove the timeout attribute so the user authenticates only once per
148
desc "The credential used by this rule expires in the specified
149
number of seconds. For maximum security where the user must
150
authenticate every time, set the timeout to 0. For minimum security,
151
remove the timeout attribute so the user authenticates only once per
155
@resource.munge_integer(value)
137
159
newproperty(:tries) do
138
160
desc "The number of tries allowed."
162
@resource.munge_integer(value)