Add Console section to the Director configuration

REFERENCE.md

@@ -17,6 +17,7 @@
 ### Defined types
 
 * [`bacula::director::client`](#bacula--director--client): Define a Bacula Director Client
+* [`bacula::director::console`](#bacula--director--console): Define a Bacula Director Console
 * [`bacula::director::fileset`](#bacula--director--fileset): Configure a Bacula Director Fileset
 * [`bacula::director::job`](#bacula--director--job): Configure a Bacula Director Job
 * [`bacula::director::pool`](#bacula--director--pool): Configure a Bacula Director Pool
@@ -34,6 +35,7 @@
 
 ### Data types
 
+* [`Bacula::Command`](#Bacula--Command): A Bacula console command
 * [`Bacula::JobType`](#Bacula--JobType): The type of job
 * [`Bacula::Message`](#Bacula--Message): A Bacula message specification
 * [`Bacula::Runscript`](#Bacula--Runscript): A Bacula Runscript specification
@@ -1007,6 +1009,127 @@ The path to the bacula configuration directory
 
 Default value: `$bacula::conf_dir`
 
+### <a name="bacula--director--console"></a>`bacula::director::console`
+
+This define creates a console declaration for the director.
+Resources of this type are intended to manage conf.d/console.conf entries.
+
+Aside from Director resource names and console command names,
+the special keyword *all* can be specified in any of the above access control lists.
+When this keyword is present, any resource or command name (which ever is appropriate) will be accepted.
+
+#### Examples
+
+##### 
+
+```puppet
+bacula::director::console { 'Monitoring':
+  password     => 'monitoring_password',
+}
+```
+
+#### Parameters
+
+The following parameters are available in the `bacula::director::console` defined type:
+
+* [`conf_dir`](#-bacula--director--console--conf_dir)
+* [`password`](#-bacula--director--console--password)
+* [`jobacl`](#-bacula--director--console--jobacl)
+* [`clientacl`](#-bacula--director--console--clientacl)
+* [`storageacl`](#-bacula--director--console--storageacl)
+* [`scheduleacl`](#-bacula--director--console--scheduleacl)
+* [`poolacl`](#-bacula--director--console--poolacl)
+* [`filesetacl`](#-bacula--director--console--filesetacl)
+* [`catalogacl`](#-bacula--director--console--catalogacl)
+* [`commandacl`](#-bacula--director--console--commandacl)
+* [`whereacl`](#-bacula--director--console--whereacl)
+
+##### <a name="-bacula--director--console--conf_dir"></a>`conf_dir`
+
+Data type: `String`
+
+The bacula configuration director.  Should not need adjusting
+
+Default value: `$bacula::conf_dir`
+
+##### <a name="-bacula--director--console--password"></a>`password`
+
+Data type: `String[1]`
+
+The password that must be supplied for a named Bacula Console to be authorized
+
+##### <a name="-bacula--director--console--jobacl"></a>`jobacl`
+
+Data type: `Optional[String[1]]`
+
+A list of Job resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### <a name="-bacula--director--console--clientacl"></a>`clientacl`
+
+Data type: `Optional[String[1]]`
+
+A list of Client resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### <a name="-bacula--director--console--storageacl"></a>`storageacl`
+
+Data type: `Optional[String[1]]`
+
+A list of Storage resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### <a name="-bacula--director--console--scheduleacl"></a>`scheduleacl`
+
+Data type: `Optional[String[1]]`
+
+A list of Schedule resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### <a name="-bacula--director--console--poolacl"></a>`poolacl`
+
+Data type: `Optional[String[1]]`
+
+A list of Pool resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### <a name="-bacula--director--console--filesetacl"></a>`filesetacl`
+
+Data type: `Optional[String[1]]`
+
+A list of FileSet resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### <a name="-bacula--director--console--catalogacl"></a>`catalogacl`
+
+Data type: `String[1]`
+
+A list of Catalog resource names that can be accessed by the console.
+
+Default value: `'*all*'`
+
+##### <a name="-bacula--director--console--commandacl"></a>`commandacl`
+
+Data type: `Array[Bacula::Command]`
+
+A list of of console commands that can be executed by the console.
+
+Default value: `['list']`
+
+##### <a name="-bacula--director--console--whereacl"></a>`whereacl`
+
+Data type: `Optional[String[1]]`
+
+This directive permits you to specify where a restricted console can restore files.
+
+Default value: `undef`
+
 ### <a name="bacula--director--fileset"></a>`bacula::director::fileset`
 
 This class handles a Director's fileset.conf entry.  Filesets are intended to
@@ -2164,6 +2287,15 @@ A boolean value
 
 ## Data types
 
+### <a name="Bacula--Command"></a>`Bacula::Command`
+
+A Bacula console command
+
+* **See also**
+  * https://www.bacula.org/15.0.x-manuals/en/console/Bacula_Enterprise_Console.html
+
+Alias of `Enum['add', 'autodisplay', 'automount', 'cancel', 'cloud', 'create', 'delete', 'disable', 'enable', 'estimate', 'exit', 'gui', 'help', 'label', 'list', 'llist', 'messages', 'memory', 'mount', 'prune', 'purge', 'query', 'quit', 'relabel', 'release', 'reload', 'restart', 'resume', 'restore', 'run', 'setbandwidth', 'setdebug', 'setip', 'show', 'sqlquery', 'status', 'tag', 'time', 'trace', 'umount', 'unmount', 'update', 'use', 'var', 'version', 'wait', '.api', '.backups', '.clients', '.catalogs', '.defaults', '.die', '.dir', '.dump', '.exit', '.events', '.filesets', '.help', '.jobs', '.estimate', '.jlist', '.levels', '.messages', '.msgs', '.pools', '.quit', '.putfile', '.schedule', '.sql', '.status', '.storage', '.volstatus', '.media', '.mediatypes', '.locations', '.actiononpurge', '.bvfs_lsdirs', '.bvfs_lsfiles', '.bvfs_get_volumes', '.bvfs_update', '.bvfs_get_jobids', '.bvfs_get_jobs', '.bvfs_get_bootstrap', '.bvfs_get_fileindex', '.bvfs_versions', '.bvfs_get_delta', '.bvfs_restore', '.bvfs_cleanup', '.bvfs_decode_lstat', '.bvfs_clear_cache', '.bvfs_update_fv', '.bvfs_delete_fileid', '.setuid', '.ls', '.types', '.query', '.tags']`
+
 ### <a name="Bacula--JobType"></a>`Bacula::JobType`
 
 The type of job

manifests/director.pp

@@ -155,6 +155,7 @@
   ]
 
   $sub_confs_with_secrets = [
+    "${conf_dir}/conf.d/console.conf",
     "${conf_dir}/conf.d/client.conf",
     "${conf_dir}/conf.d/storage.conf",
   ]

manifests/director/console.pp

@@ -0,0 +1,58 @@
+# @summary Define a Bacula Director Console
+#
+# This define creates a console declaration for the director.
+# Resources of this type are intended to manage conf.d/console.conf entries.
+#
+# @param conf_dir    The bacula configuration director.  Should not need adjusting
+# @param password    The password that must be supplied for a named Bacula Console to be authorized
+# @param jobacl      A list of Job resource names that can be accessed by the console.
+# @param clientacl   A list of Client resource names that can be accessed by the console.
+# @param storageacl  A list of Storage resource names that can be accessed by the console.
+# @param scheduleacl A list of Schedule resource names that can be accessed by the console.
+# @param poolacl     A list of Pool resource names that can be accessed by the console.
+# @param filesetacl  A list of FileSet resource names that can be accessed by the console.
+# @param catalogacl  A list of Catalog resource names that can be accessed by the console.
+# @param commandacl  A list of of console commands that can be executed by the console.
+# @param whereacl    This directive permits you to specify where a restricted console can restore files.
+#
+# Aside from Director resource names and console command names,
+# the special keyword *all* can be specified in any of the above access control lists.
+# When this keyword is present, any resource or command name (which ever is appropriate) will be accepted.
+#
+# @example
+#   bacula::director::console { 'Monitoring':
+#     password     => 'monitoring_password',
+#   }
+#
+define bacula::director::console (
+  String[1] $password,
+  String $conf_dir                   = $bacula::conf_dir,
+  String[1] $catalogacl              = '*all*',
+  Array[Bacula::Command] $commandacl = ['list'],
+  Optional[String[1]] $jobacl        = undef,
+  Optional[String[1]] $clientacl     = undef,
+  Optional[String[1]] $storageacl    = undef,
+  Optional[String[1]] $scheduleacl   = undef,
+  Optional[String[1]] $poolacl       = undef,
+  Optional[String[1]] $filesetacl    = undef,
+  Optional[String[1]] $whereacl      = undef,
+) {
+  $epp_console_variables = {
+    name         => $name,
+    password     => $password,
+    commandacl   => $commandacl,
+    whereacl     => $whereacl,
+    jobacl       => $jobacl,
+    clientacl    => $clientacl,
+    storageacl   => $storageacl,
+    scheduleacl  => $scheduleacl,
+    poolacl      => $poolacl,
+    filesetacl   => $filesetacl,
+    catalogacl   => $catalogacl,
+  }
+
+  concat::fragment { "bacula-director-console-${name}":
+    target  => "${conf_dir}/conf.d/console.conf",
+    content => epp('bacula/bacula-dir-console.epp', $epp_console_variables),
+  }
+}

spec/defines/director_console_spec.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'bacula::director::console' do
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let(:facts) { facts }
+
+      let(:pre_condition) { 'include bacula' }
+
+      context 'with default parameters' do
+        let(:title) { 'Monitoring' }
+
+        let(:params) do
+          {
+            password: 'monitoring_password',
+          }
+        end
+
+        it { is_expected.to contain_concat__fragment('bacula-director-console-Monitoring').with(content: <<~FRAGMENT) }
+          Console {
+              Name        = Monitoring
+              Password    = "monitoring_password"
+              CatalogACL  = *all*
+              CommandACL  = list
+          }
+        FRAGMENT
+      end
+
+      context 'with all parameters set' do
+        let(:title) { 'restricted-user' }
+
+        let(:params) do
+          {
+            password: 'A different UntrustedUser',
+            jobacl: 'Restricted Client Save',
+            clientacl: 'restricted-client',
+            storageacl: 'second-storage',
+            scheduleacl: 'weekly-schedule',
+            poolacl: 'backup-pool',
+            filesetacl: "Restricted Client's FileSet",
+            catalogacl: 'RestrictedCatalog',
+            commandacl: %w[run restore],
+            whereacl: '/',
+          }
+        end
+
+        it { is_expected.to contain_concat__fragment('bacula-director-console-restricted-user').with(content: <<~FRAGMENT) }
+          Console {
+              Name        = restricted-user
+              Password    = "A different UntrustedUser"
+              JobACL      = Restricted Client Save
+              ClientACL   = restricted-client
+              StorageACL  = second-storage
+              ScheduleACL = weekly-schedule
+              PoolACL     = backup-pool
+              FileSetACL  = Restricted Client's FileSet
+              CatalogACL  = RestrictedCatalog
+              CommandACL  = run, restore
+              WhereACL = /
+          }
+        FRAGMENT
+      end
+    end
+  end
+end

templates/bacula-dir-console.epp

@@ -0,0 +1,42 @@
+<%
+  |
+    String $name,
+    String $password,
+    String $catalogacl,
+    Array $commandacl,
+    Optional[String] $jobacl,
+    Optional[String] $clientacl,
+    Optional[String] $storageacl,
+    Optional[String] $scheduleacl,
+    Optional[String] $poolacl,
+    Optional[String] $filesetacl,
+    Optional[String] $whereacl,
+  |
+-%>
+Console {
+    Name        = <%= $name %>
+    Password    = "<%= $password %>"
+<% if $jobacl { -%>
+    JobACL      = <%= $jobacl %>
+<% } -%>
+<% if $clientacl { -%>
+    ClientACL   = <%= $clientacl %>
+<% } -%>
+<% if $storageacl { -%>
+    StorageACL  = <%= $storageacl %>
+<% } -%>
+<% if $scheduleacl { -%>
+    ScheduleACL = <%= $scheduleacl %>
+<% } -%>
+<% if $poolacl { -%>
+    PoolACL     = <%= $poolacl %>
+<% } -%>
+<% if $filesetacl { -%>
+    FileSetACL  = <%= $filesetacl %>
+<% } -%>
+    CatalogACL  = <%= $catalogacl %>
+    CommandACL  = <%= $commandacl.join(', ') %>
+<% if $whereacl { -%>
+    WhereACL = <%= $whereacl %>
+<% } -%>
+}

templates/bacula-dir-tail.epp

@@ -5,3 +5,4 @@
 @<%= $bacula::conf_dir %>/conf.d/fileset.conf
 @<%= $bacula::conf_dir %>/conf.d/jobdefs.conf
 @<%= $bacula::conf_dir %>/conf.d/job.conf
+@<%= $bacula::conf_dir %>/conf.d/console.conf