From 30da2b134c607c55945adcaeb4eaa04fd091eff3 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt <josh@hoblitt.com>
Date: Wed, 15 Nov 2023 11:49:38 -0700
Subject: [PATCH] (profile::core::ipa_pwd_reset) rm; no known users; will not
 work on el9

Resolves frequent errors seen during puppet agent runs. E.g.:

    change from 78186 to 'ldap-passwd-reset' failed: Could not find user ldap-passwd-reset
---
 hieradata/role/ipareplica.yaml               |   2 -
 site/profile/manifests/core/ipa_pwd_reset.pp | 152 -------------------
 spec/classes/core/ipa_pwd_reset_spec.rb      |  29 ----
 spec/fixtures/hieradata/common.yaml          |   3 -
 4 files changed, 186 deletions(-)
 delete mode 100644 site/profile/manifests/core/ipa_pwd_reset.pp
 delete mode 100644 spec/classes/core/ipa_pwd_reset_spec.rb

diff --git a/hieradata/role/ipareplica.yaml b/hieradata/role/ipareplica.yaml
index 3645ec065f..961e2fcc4e 100644
--- a/hieradata/role/ipareplica.yaml
+++ b/hieradata/role/ipareplica.yaml
@@ -3,7 +3,6 @@ classes:
   - "clustershell"
   - "ipa"
   - "profile::core::common"
-  - "profile::core::ipa_pwd_reset"
   - "tailscale"
 
 profile::core::common::disable_ipv6: true
@@ -26,7 +25,6 @@ clustershell::groupmembers:
       - "ipa[1-3].tu.lsst.org"
       - "ipa1.dev.lsst.org"
 
-profile::core::ipa_pwd_reset::ldap_user: "ldap-passwd-reset"
 profile::core::ipa::default:
   global:
     server: "%{facts.fqdn}"
diff --git a/site/profile/manifests/core/ipa_pwd_reset.pp b/site/profile/manifests/core/ipa_pwd_reset.pp
deleted file mode 100644
index fe8441ccca..0000000000
--- a/site/profile/manifests/core/ipa_pwd_reset.pp
+++ /dev/null
@@ -1,152 +0,0 @@
-# @summary
-#   Plugin to reset IPA password through the Web UI
-#
-# @param keytab_base64
-#   base64 encoded krb5 keytab for the ldap-passwd-reset user
-#
-# @param secret_key
-#   Random key for encryption purposes
-#
-# @param ldap_user
-#   AD user for email delivery
-#
-# @param ldap_pwd
-#   AD user's password for email delivery
-#
-
-class profile::core::ipa_pwd_reset (
-  Sensitive[String[1]] $keytab_base64,
-  String $secret_key,
-  String $ldap_user,
-  String $ldap_pwd,
-) {
-  include redis
-
-  $keytab_path = '/opt/IPAPasswordReset'
-  $keytab_path_settings = "${keytab_path}/PasswordReset/PasswordReset"
-  #  Install required packages
-  $yum_packages = [
-    'python2-pip',
-    'python-virtualenv',
-    'git-core',
-  ]
-
-  # Initialize Virtenv
-  $init_virtualenv = @("VIRTUALENV")
-    cd ${keytab_path}
-    virtualenv --system-site-packages ./virtualenv
-    . ./virtualenv/bin/activate
-    pip install -r requirements.txt
-    systemctl daemon-reload
-    | VIRTUALENV
-
-  # HTTP Content
-  $ipa_reset_http = @(HTTP)
-    <Location "/reset">
-      RedirectMatch 301 ^/reset$ /reset/
-    </Location>
-
-    <Location "/reset/">
-      ProxyPass "http://127.0.0.1:8000/reset/"
-    </Location>
-    | HTTP
-
-  #  Modify ldap-password-reset settings.py
-  $ldap_setting = @("SETTINGS")
-    #!/usr/bin/env bash
-    sed 's/^SECRET_KEY.*/SECRET_KEY=\"${secret_key}\"/g' ${keytab_path_settings}/settings.py.example > ${keytab_path_settings}/settings.py
-    sed -i 's/^KEYTAB_PATH.*/KEYTAB_PATH=\"\/opt\/IPAPasswordReset\/ldap-passwd-reset.keytab\"/g' ${keytab_path_settings}/settings.py
-    sed -i 's/^TOKEN_LEN.*/TOKEN_LEN=10/g' ${keytab_path_settings}/settings.py
-    sed -i '174,197d' ${keytab_path_settings}/settings.py
-    sed -i '144,157d' ${keytab_path_settings}/settings.py
-    sed -i 's/            "msg_template.*/            "msg_template": "Your one-time token is: {0} \\nDo not share the token with anyone. The token has a duration of 60min.\\n\\nBest RegardsnRubinObs IT",/g' ${keytab_path_settings}/settings.py
-    sed -i 's/            "msg_subject.*/            "msg_subject": "RubinObs IPA password reset code",/g' ${keytab_path_settings}/settings.py
-    sed -i 's/            "smtp_from.*/            "smtp_from": "ipa-passwd-reset@lsst.org",/g' ${keytab_path_settings}/settings.py
-    sed -i 's/            "smtp_user.*/            "smtp_user": "ipa-passwd-reset@lsst.local",/g' ${keytab_path_settings}/settings.py
-    sed -i 's/            "smtp_pass.*/            "smtp_pass": "${ldap_pwd}",/g' ${keytab_path_settings}/settings.py
-    sed -i 's/            "smtp_server_addr.*/            "smtp_server_addr": "endeavour.lsst.org",/g' ${keytab_path_settings}/settings.py
-    sed -i 's/            "smtp_server_port.*/            "smtp_server_port": 587,/g' ${keytab_path_settings}/settings.py
-    sed -i 's/            "smtp_server_tls.*/            "smtp_server_tls": True,/g' ${keytab_path_settings}/settings.py
-    sed -i 's/        "enabled.*/        "enabled": True,/g' ${keytab_path_settings}/settings.py
-    | SETTINGS
-
-  #  'ldap-password-reset ' Service Content
-  $ldap_service = @("SERVICE")
-    [Unit]
-    Description=FreeIPA Password Reset Service
-    After=network.target remote-fs.target
-
-    [Service]
-    Type=simple
-    User=ldap-passwd-reset
-    Group=ldap-passwd-reset
-    WorkingDirectory=${keytab_path_settings}/
-    ExecStart=${keytab_path}/virtualenv/bin/python ${keytab_path}/PasswordReset/manage.py runserver
-    Restart=always
-    RestartSec=20
-    PrivateTmp=true
-
-    [Install]
-    WantedBy=multi-user.target
-    |SERVICE
-
-  #  Install packages
-  package { $yum_packages:
-    ensure => 'present',
-  }
-
-  vcsrepo { "${keytab_path}/":
-    ensure   => present,
-    provider => git,
-    source   => 'https://github.com/larrabee/freeipa-password-reset.git',
-  }
-  #  Create Keytab
-  file { "${keytab_path}/${ldap_user}.keytab":
-    ensure  => file,
-    content => base64('decode', $keytab_base64.unwrap),
-    mode    => '0600',
-    owner   => $ldap_user,
-    group   => $ldap_user,
-  }
-  #  Script to modify settings.py
-  -> file { "${keytab_path}/settings_mod.sh":
-    ensure  => file,
-    mode    => '0755',
-    content => $ldap_setting,
-  }
-  #  Create ldap-passwd-reset service
-  -> file { "/etc/systemd/system/${ldap_user}.service":
-    ensure  => file,
-    mode    => '0644',
-    owner   => 'root',
-    group   => 'root',
-    content => $ldap_service,
-  }
-  -> exec { $init_virtualenv:
-    cwd      => '/var/tmp/',
-    path     => ['/sbin', '/usr/sbin', '/bin'],
-    onlyif   => ["test ! -d ${keytab_path}/virtualenv"],
-    loglevel => debug,
-    require  => Package[$yum_packages],
-  }
-  -> exec { "${keytab_path}/settings_mod.sh":
-    cwd      => '/var/tmp/',
-    path     => ['/sbin', '/usr/sbin', '/bin'],
-    loglevel => debug,
-    onlyif   => ["test ! -f  ${keytab_path_settings}/settings.py"],
-    notify   => Service["${ldap_user}.service"],
-  }
-
-  #  Ensure ldap-passwd-reset service is running
-  service { "${ldap_user}.service":
-    ensure  => 'running',
-    require => File["/etc/systemd/system/${ldap_user}.service"],
-  }
-
-  #  Declare reset interface
-  file { '/etc/httpd/conf.d/ipa-password-reset.conf':
-    ensure  => file,
-    mode    => '0644',
-    content => $ipa_reset_http,
-  }
-}
diff --git a/spec/classes/core/ipa_pwd_reset_spec.rb b/spec/classes/core/ipa_pwd_reset_spec.rb
deleted file mode 100644
index 5467579a13..0000000000
--- a/spec/classes/core/ipa_pwd_reset_spec.rb
+++ /dev/null
@@ -1,29 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe 'profile::core::ipa_pwd_reset' do
-  on_supported_os.each do |os, facts|
-    context "on #{os}" do
-      let(:facts) { facts }
-      let(:pre_condition) do
-        <<~PP
-          service { 'httpd': }
-        PP
-      end
-
-      context 'with no params' do
-        let(:params) do
-          {
-            keytab_base64: sensitive('foo'),
-            ldap_pwd: 'quix',
-            ldap_user: 'baz',
-            secret_key: 'bar',
-          }
-        end
-
-        it { is_expected.to compile.with_all_deps }
-      end
-    end
-  end
-end
diff --git a/spec/fixtures/hieradata/common.yaml b/spec/fixtures/hieradata/common.yaml
index d706a68123..13a9e91bfe 100644
--- a/spec/fixtures/hieradata/common.yaml
+++ b/spec/fixtures/hieradata/common.yaml
@@ -12,9 +12,6 @@ ipa::domain_join_password: "foofoofoofoo"  # 8 char min
 foreman_proxy::plugin::dns::route53::aws_access_key: "foo"
 foreman_proxy::plugin::dns::route53::aws_secret_key: "foo"
 profile::ccs::postfix::auth: "foo"
-profile::core::ipa_pwd_reset::keytab_base64: "foo"
-profile::core::ipa_pwd_reset::ldap_pwd: "foo"
-profile::core::ipa_pwd_reset::secret_key: "foo"
 profile::core::monitoring::database: "foo"
 profile::core::monitoring::password: "foo"
 profile::core::monitoring::url: "foo"