ghoneycutt · ghoneycutt · Dec 30, 2024 · Apr 3, 2024 · Dec 30, 2024 · Dec 30, 2024
diff --git a/.devcontainer/README.md b/.devcontainer/README.md
@@ -1,11 +1,11 @@
 # devcontainer
 
 
-For format details, see https://aka.ms/devcontainer.json. 
+For format details, see https://aka.ms/devcontainer.json.
 
 For config options, see the README at:
 https://github.com/microsoft/vscode-dev-containers/tree/v0.140.1/containers/puppet
- 
+
 ``` json
 {
 	"name": "Puppet Development Kit (Community)",

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -58,6 +58,7 @@ jobs:
           - "el8"
           - "el9"
           - "debian-11"
+          - "debian-12"
           - "ubuntu-2004"
           - "ubuntu-2204"
         puppet:
@@ -66,7 +67,7 @@ jobs:
     env:
       BUNDLE_WITHOUT: development:release
       BEAKER_debug: true
-    name: 
+    name:
     steps:
       - name: Enable IPv6 on docker
         run: |

diff --git a/README.md b/README.md
@@ -277,6 +277,7 @@ module aims to support the current and previous major Puppet versions.
  * Amazon Linux 2
  * Debian 10
  * Debian 11
+ * Debian 12
  * Ubuntu 20.04 LTS
  * Ubuntu 22.04 LTS
 

diff --git a/data/os/Debian/12.yaml b/data/os/Debian/12.yaml
@@ -0,0 +1,31 @@
+---
+pam::common_files_create_links: false
+pam::common_files_suffix:       ~
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+  - common_session_noninteractive
+
+pam::pam_d_login_template: pam/login.debian12.erb
+pam::pam_d_sshd_template: pam/sshd.debian12.erb
+pam::package_name: libpam0g
+pam::pam_auth_lines:
+  - 'auth  [success=1 default=ignore]  pam_unix.so nullok'
+  - 'auth  requisite   pam_deny.so'
+  - 'auth  required    pam_permit.so'
+pam::pam_account_lines:
+  - 'account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so'
+  - 'account requisite     pam_deny.so'
+  - 'account required      pam_permit.so'
+pam::pam_password_lines:
+  - 'password  [success=1 default=ignore]  pam_unix.so obscure yescrypt'
+  - 'password  requisite     pam_deny.so'
+  - 'password  required      pam_permit.so'
+pam::pam_session_lines:
+  - 'session [default=1]   pam_permit.so'
+  - 'session requisite     pam_deny.so'
+  - 'session required      pam_permit.so'
+  - 'session required      pam_unix.so'
+  - 'session optional      pam_systemd.so'
diff --git a/manifests/faillock.pp b/manifests/faillock.pp
@@ -34,7 +34,7 @@
 #   The faillock 'root_unlock_time' config option
 # @param admin_group
 #   The faillock 'admin_group' config option
-# 
+#
 class pam::faillock (
   Stdlib::Absolutepath $config_file = '/etc/security/faillock.conf',
   String[1] $config_file_owner = 'root',

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -253,26 +253,6 @@
   Boolean $common_files_create_links                        = false,
   Optional[String] $common_files_suffix                     = undef,
 ) {
-  # Fail on unsupported platforms
-  if $facts['os']['family'] == 'RedHat' and !($facts['os']['release']['major'] in ['2','5','6','7','8', '9']) {
-    fail("osfamily RedHat's os.release.major is <${::facts['os']['release']['major']}> and must be 2, 5, 6, 7, 8 or 9")
-  }
-
-  if $facts['os']['family'] == 'Solaris' and !($facts['kernelrelease'] in ['5.9','5.10','5.11']) {
-    fail("osfamily Solaris' kernelrelease is <${facts['kernelrelease']}> and must be 5.9, 5.10 or 5.11")
-  }
-
-  if $facts['os']['family'] == 'Suse' and !($facts['os']['release']['major'] in ['9','10','11','12','13','15']) {
-    fail("osfamily Suse's os.release.major is <${::facts['os']['release']['major']}> and must be 9, 10, 11, 12, 13 or 15")
-  }
-
-  if $facts['os']['name'] == 'Debian' and !($facts['os']['release']['major'] in ['7','8','9','10', '11']) {
-    fail("Debian's os.release.major is <${facts['os']['release']['major']}> and must be 7, 8, 9, 10 or 11")
-  }
-
-  if $facts['os']['name'] == 'Ubuntu' and !($facts['os']['release']['major'] in ['12.04', '14.04', '16.04', '18.04', '20.04', '22.04']) {
-    fail("Ubuntu's os.release.major is <${facts['os']['release']['major']}> and must be 12.04, 14.04, 16.04, 18.04, 20.04 or 22.04")
-  }
 
   if $pam_d_sshd_template == 'pam/sshd.custom.erb' {
     unless $pam_sshd_auth_lines and

diff --git a/metadata.json b/metadata.json
@@ -10,7 +10,7 @@
   "dependencies": [
     {
       "name": "puppet/nsswitch",
-      "version_requirement": ">= 3.0.0 < 4.0.0"
+      "version_requirement": ">= 3.2.0 < 4.0.0"
     },
     {
       "name": "puppetlabs/stdlib",
@@ -27,7 +27,8 @@
     {
       "operatingsystem": "Debian",
       "operatingsystemrelease": [
-        "11"
+        "11",
+        "12"
       ]
     },
     {

diff --git a/spec/acceptance/nodesets/debian-12.yml b/spec/acceptance/nodesets/debian-12.yml
@@ -0,0 +1,27 @@
+HOSTS:
+  debian12:
+    roles:
+      - agent
+    platform: debian-12-amd64
+    hypervisor: docker
+    image: debian:12
+    docker_preserve_image: true
+    docker_cmd:
+      - '/sbin/init'
+    docker_image_commands:
+      - 'apt-get install -y wget net-tools systemd-sysv locales apt-transport-https ca-certificates'
+      - 'echo "LC_ALL=en_US.UTF-8" >> /etc/environment'
+      - 'echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen'
+      - 'echo "LANG=en_US.UTF-8" > /etc/locale.conf'
+      - 'locale-gen en_US.UTF-8'
+    docker_env:
+      - LANG=en_US.UTF-8
+      - LANGUAGE=en_US.UTF-8
+      - LC_ALL=en_US.UTF-8
+    docker_container_name: 'pam-debian12'
+CONFIG:
+  log_level: debug
+  type: foss
+ssh:
+  password: root
+  auth_methods: ["password"]
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -352,36 +352,4 @@
       end
     end
   end
-
-  describe 'on unsupported platforms' do
-    context 'with defaults params on Debian 6' do
-      let(:facts) { { os: { 'name' => 'Debian', 'release' => { 'major' => '6' } } } }
-
-      it { is_expected.to compile.and_raise_error(%r{must be}) }
-    end
-
-    context 'with defaults params on RedHat 4' do
-      let(:facts) { { os: { 'family' => 'RedHat', 'release' => { 'major' => '4' } } } }
-
-      it { is_expected.to compile.and_raise_error(%r{must be}) }
-    end
-
-    context 'with defaults params on Solaris 8' do
-      let(:facts) { { os: { 'family' => 'Solaris' }, kernelrelease: '5.8' } }
-
-      it { is_expected.to compile.and_raise_error(%r{must be}) }
-    end
-
-    context 'with defaults params on SLES 8' do
-      let(:facts) { { os: { 'family' => 'Suse', 'release' => { 'major' => '8' } } } }
-
-      it { is_expected.to compile.and_raise_error(%r{must be}) }
-    end
-
-    context 'with defaults params on Ubuntu 10.04' do
-      let(:facts) { { os: { 'name' => 'Ubuntu', 'release' => { 'major' => '10.04' } } } }
-
-      it { is_expected.to compile.and_raise_error(%r{must be}) }
-    end
-  end
 end
diff --git a/spec/fixtures/debian-12-x86_64-pam_common_account b/spec/fixtures/debian-12-x86_64-pam_common_account
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
+account requisite     pam_deny.so
+account required      pam_permit.so
diff --git a/spec/fixtures/debian-12-x86_64-pam_common_auth b/spec/fixtures/debian-12-x86_64-pam_common_auth
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth  [success=1 default=ignore]  pam_unix.so nullok
+auth  requisite   pam_deny.so
+auth  required    pam_permit.so
diff --git a/spec/fixtures/debian-12-x86_64-pam_common_password b/spec/fixtures/debian-12-x86_64-pam_common_password
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password  [success=1 default=ignore]  pam_unix.so obscure yescrypt
+password  requisite     pam_deny.so
+password  required      pam_permit.so
diff --git a/spec/fixtures/debian-12-x86_64-pam_common_session b/spec/fixtures/debian-12-x86_64-pam_common_session
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1]   pam_permit.so
+session requisite     pam_deny.so
+session required      pam_permit.so
+session required      pam_unix.so
+session optional      pam_systemd.so
diff --git a/spec/fixtures/debian-12-x86_64-pam_common_session_noninteractive b/spec/fixtures/debian-12-x86_64-pam_common_session_noninteractive
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1]   pam_permit.so
+session requisite     pam_deny.so
+session required      pam_permit.so
+session required      pam_unix.so
+session optional      pam_systemd.so
diff --git a/spec/fixtures/debian-12-x86_64-pam_d_login b/spec/fixtures/debian-12-x86_64-pam_d_login
@@ -0,0 +1,18 @@
+auth       optional   pam_faildelay.so  delay=3000000
+auth       requisite  pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session    required     pam_loginuid.so
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session       required   pam_env.so readenv=1
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth       optional   pam_group.so
+session    required   pam_limits.so
+session    optional   pam_lastlog.so
+session    optional   pam_mail.so standard
+session    optional   pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password
diff --git a/spec/fixtures/debian-12-x86_64-pam_d_sshd b/spec/fixtures/debian-12-x86_64-pam_d_sshd
@@ -0,0 +1,16 @@
+@include common-auth
+account    required     pam_nologin.so
+account  required     pam_access.so
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session    required     pam_loginuid.so
+session    optional     pam_keyinit.so force revoke
+@include common-session
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+session    optional     pam_mail.so standard noenv # [1]
+session    required     pam_limits.so
+session    required     pam_env.so # [1]
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+@include common-password
diff --git a/templates/login.debian10.erb b/templates/login.debian10.erb
@@ -0,0 +1,19 @@
+auth       optional   pam_faildelay.so  delay=3000000
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+auth       requisite  pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session    required     pam_loginuid.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session       required   pam_env.so readenv=1
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth       optional   pam_group.so
+session    required   pam_limits.so
+session    optional   pam_lastlog.so
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+session    optional   pam_mail.so standard
+session    optional   pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password
diff --git a/templates/login.debian12.erb b/templates/login.debian12.erb
@@ -0,0 +1,18 @@
+auth       optional   pam_faildelay.so  delay=3000000
+auth       requisite  pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session    required     pam_loginuid.so
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session       required   pam_env.so readenv=1
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth       optional   pam_group.so
+session    required   pam_limits.so
+session    optional   pam_lastlog.so
+session    optional   pam_mail.so standard
+session    optional   pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password
diff --git a/templates/sshd.debian10.erb b/templates/sshd.debian10.erb
@@ -0,0 +1,18 @@
+@include common-auth
+account    required     pam_nologin.so
+<% if @sshd_pam_access != 'absent' -%>
+account  <%= @sshd_pam_access %>     pam_access.so
+<% end -%>
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session    required     pam_loginuid.so
+session    optional     pam_keyinit.so force revoke
+@include common-session
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+session    optional     pam_mail.so standard noenv # [1]
+session    required     pam_limits.so
+session    required     pam_env.so # [1]
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+@include common-password
diff --git a/templates/sshd.debian12.erb b/templates/sshd.debian12.erb
@@ -0,0 +1,18 @@
+@include common-auth
+account    required     pam_nologin.so
+<% if @sshd_pam_access != 'absent' -%>
+account  <%= @sshd_pam_access %>     pam_access.so
+<% end -%>
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session    required     pam_loginuid.so
+session    optional     pam_keyinit.so force revoke
+@include common-session
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+session    optional     pam_mail.so standard noenv # [1]
+session    required     pam_limits.so
+session    required     pam_env.so # [1]
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+@include common-password