feat(googleauth): rhel family support

Author: unilogicbv

users/googleauth.sls

@@ -1,7 +1,7 @@
 # vim: sts=2 ts=2 sw=2 et ai
 {%- from "users/map.jinja" import users with context %}
 
-{%- if not grains['os_family'] in ['RedHat', 'Suse'] %}
+{%- if not grains['os_family'] in ['Suse'] %}
 users_googleauth-package:
   pkg.installed:
     - name: {{ users.googleauth_package }}
@@ -15,6 +15,27 @@ users_{{ users.googleauth_dir }}:
     - group: {{ users.root_group }}
     - mode: '0700'
 
+{%-   if grains['os_family'] == 'RedHat' %}
+policycoreutils-package:
+  pkg.installed:
+    - pkgs:
+      - policycoreutils
+{%-     if grains['osmajorrelease']|int <= 7 %}
+      - policycoreutils-python
+{%-     else %}
+      - policycoreutils-python-utils
+{%-     endif %}
+users_googleauth_selinux_present:
+  selinux.fcontext_policy_present:
+    - name: "{{ users.googleauth_dir }}(/.*)?"
+    - filetype: 'a'
+    - sel_user: unconfined_u
+    - sel_type: ssh_home_t
+    - sel_level: s0
+    - require:
+        - pkg: policycoreutils-package
+{%-   endif %}
+
 {%-   for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
 {%-     if 'google_auth' in user %}
 {%-       for svc in user['google_auth'] %}
@@ -33,12 +54,23 @@ users_{{ users.googleauth_dir }}:
 users_googleauth-pam-{{ svc }}-{{ name }}:
   file.replace:
     - name: /etc/pam.d/{{ svc }}
+{%- if grains['os_family'] == 'RedHat' %}
+    - pattern: '^(auth[ \t]*substack[ \t]*password-auth)'
+{%- else %}
     - pattern: '^(@include[ \t]*common-auth)'
+{%- endif %}
     - repl: '{{ repl }}\n\1'
     - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
     - backup: .bak
 {%-         endif %}
 {%-       endfor %}
 {%-     endif %}
 {%-   endfor %}
+
+{%-   if grains['os_family'] == 'RedHat' %}
+users_googleauth_selinux_applied:
+  selinux.fcontext_policy_applied:
+    - name: {{ users.googleauth_dir }}
+{%-   endif %}
+
 {%- endif %}

users/init.sls

@@ -50,6 +50,9 @@ include:
   - users.sudo
 {%- endif %}
 {%- if used_googleauth %}
+{%- if grains['os_family'] == 'RedHat' %}
+  - epel
+{%- endif %}
   - users.googleauth
 {%- endif %}
 {%- if used_user_files %}
@@ -506,7 +509,7 @@ users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:
     - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
 {% endif %}
 
-{%- if not grains['os_family'] in ['RedHat', 'Suse'] %}
+{%- if not grains['os_family'] in ['Suse'] %}
 {%-   if 'google_auth' in user %}
 {%-     for svc in user['google_auth'] %}
 users_googleauth-{{ svc }}-{{ name }}:
@@ -518,6 +521,9 @@ users_googleauth-{{ svc }}-{{ name }}:
     - group: {{ users.root_group }}
     - mode: '0600'
     - require:
+{%-       if grains['os_family'] == 'RedHat' %}
+      - pkg: epel_release
+{%-       endif %}
       - pkg: users_googleauth-package
 {%-     endfor %}
 {%-   endif %}

users/map.jinja

@@ -30,6 +30,19 @@
     'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
     'polkit_defaults': 'unix-group:sudo;'
   },
+  'RedHat': {
+    'sudoers_dir': '/etc/sudoers.d',
+    'sudoers_file': '/etc/sudoers',
+    'googleauth_dir': '/etc/google_authenticator.d',
+    'root_group': 'root',
+    'shell': '/bin/bash',
+    'visudo_shell': '/bin/bash',
+    'bash_package': 'bash',
+    'sudo_package': 'sudo',
+    'googleauth_package': 'google-authenticator',
+    'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+    'polkit_defaults': 'unix-group:sudo;'
+  },
   'Gentoo': {
     'sudoers_dir': '/etc/sudoers.d',
     'sudoers_file': '/etc/sudoers',