Merge pull request #524 from simondeziel/apparmor

bastelfreak · web-flow · commit 332e3bca80e0 · 2020-09-02T20:19:56.000+02:00
Add apparmor_hat support to php::fpm::pool
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -2248,6 +2248,9 @@ documented here: http://php.net/manual/en/install.fpm.configuration.php.
 [*group*]
   The group that php-fpm should run as
 
+[*apparmor_hat*]
+  The Apparmor hat to use
+
 [*pm*]
 
 [*pm_max_children*]
diff --git a/manifests/fpm/pool.pp b/manifests/fpm/pool.pp
@@ -30,6 +30,9 @@
 # [*group*]
 #   The group that php-fpm should run as
 #
+# [*apparmor_hat*]
+#   The Apparmor hat to use
+#
 # [*pm*]
 #
 # [*pm_max_children*]
@@ -127,6 +130,7 @@
   $listen_mode                             = undef,
   $user                                    = $php::fpm::config::user,
   $group                                   = $php::fpm::config::group,
+  Optional[String[1]] $apparmor_hat        = undef,
   $pm                                      = 'dynamic',
   $pm_max_children                         = '50',
   $pm_start_servers                        = '5',
diff --git a/spec/classes/php_spec.rb b/spec/classes/php_spec.rb
@@ -239,6 +239,46 @@
         it { is_expected.to contain_file(dstfile).with_content(%r{group = nginx}) }
       end
 
+      describe 'when configured with a pool with apparmor_hat parameter' do
+        let(:params) { { fpm_pools: { 'www' => { 'apparmor_hat' => 'www' } } } }
+
+        it { is_expected.to contain_php__fpm__pool('www').with(apparmor_hat: 'www') }
+
+        dstfile = case facts[:osfamily]
+                  when 'Debian'
+                    case facts[:os]['name']
+                    when 'Debian'
+                      case facts[:os]['release']['major']
+                      when '10'
+                        '/etc/php/7.3/fpm/pool.d/www.conf'
+                      when '9'
+                        '/etc/php/7.0/fpm/pool.d/www.conf'
+                      else
+                        '/etc/php5/fpm/pool.d/www.conf'
+                      end
+                    when 'Ubuntu'
+                      case facts[:os]['release']['major']
+                      when '18.04'
+                        '/etc/php/7.2/fpm/pool.d/www.conf'
+                      when '16.04'
+                        '/etc/php/7.0/fpm/pool.d/www.conf'
+                      else
+                        '/etc/php5/fpm/pool.d/www.conf'
+                      end
+                    end
+                  when 'Archlinux'
+                    '/etc/php/php-fpm.d/www.conf'
+                  when 'Suse'
+                    '/etc/php5/fpm/pool.d/www.conf'
+                  when 'RedHat'
+                    '/etc/php-fpm.d/www.conf'
+                  when 'FreeBSD'
+                    '/usr/local/etc/php-fpm.d/www.conf'
+                  end
+
+        it { is_expected.to contain_file(dstfile).with_content(%r{apparmor_hat = www}) }
+      end
+
       describe 'when fpm is disabled' do
         let(:params) { { fpm: false } }
 
diff --git a/templates/fpm/pool.conf.erb b/templates/fpm/pool.conf.erb
@@ -46,6 +46,10 @@ listen.mode = <%= @listen_mode %>
 user = <%= @user %>
 ; RPM: Keep a group allowed to write in log dir.
 group = <%= @group_final %>
+<% if @apparmor_hat -%>
+; Apparmor hat to change to
+apparmor_hat = <%= @apparmor_hat %>
+<% end -%>
 
 ; Choose how the process manager will control the number of child processes.
 ; Possible Values:
