From da8e096b9df5913f0c13430d7faa94fdda5d7df9 Mon Sep 17 00:00:00 2001
From: Gabriel Detraz <detraz@crans.org>
Date: Tue, 7 Jul 2015 16:20:03 +0200
Subject: [PATCH] Config de cups sur bcfg2 pour les serveurs cups et o2

---
 Bundler/cups-service.xml       |   5 ++
 Metadata/groups.xml            |  34 +++++-----
 Python/etc/cups/cupsd.conf     | 109 +++++++++++++++++++++++++++++++++
 Python/etc/cups/cupsd.conf.old | 104 +++++++++++++++++++++++++++++++
 Rules/cups.xml                 |   3 +
 5 files changed, 237 insertions(+), 18 deletions(-)
 create mode 100644 Bundler/cups-service.xml
 create mode 100644 Python/etc/cups/cupsd.conf
 create mode 100644 Python/etc/cups/cupsd.conf.old
 create mode 100644 Rules/cups.xml

diff --git a/Bundler/cups-service.xml b/Bundler/cups-service.xml
new file mode 100644
index 0000000..65c9a0f
--- /dev/null
+++ b/Bundler/cups-service.xml
@@ -0,0 +1,5 @@
+<Bundle name="cups-service">
+    <Python name="/etc/cups/cupsd.conf"/>
+    <Service name="cups" />
+    <Package name="cups"/>
+</Bundle>
diff --git a/Metadata/groups.xml b/Metadata/groups.xml
index f2f9425..86644f2 100644
--- a/Metadata/groups.xml
+++ b/Metadata/groups.xml
@@ -58,6 +58,7 @@
   <Group name="cups"
      profile="true">
     <Group name="crans-vm-jessie"/>
+    <Group name="cups-service-server"/>
   </Group>
 
   <Group name="discourse"
@@ -145,10 +146,10 @@
     <Group name="users"/>
     <Group name="http-server"/>
     <Group name="intranet-server"/>
-    <Group name="print-server"/>
     <Group name="adh-sql-server"/>
     <Group name="adh-antispam-filter"/>
     <Group name="service-sms"/>
+    <Group name="cups-service"/>
 
     <Bundle name="quota"/>
 <!-- <Group name="ups-monitor"/> -->
@@ -391,8 +392,8 @@
     <Group name="crans-vm-jessie"/>
     <Group name="intranet2-server"/>
     <Group name="https_cert"/>
-    <Group name="print-server"/>
-  </Group>
+    <Group name="cups-service-client"/>
+ </Group>
 
  <Group name="radius"
     profile="true">
@@ -1013,11 +1014,6 @@
     <Group name="backup-client-backend"/>
   </Group>
 
-  <Group name="print-server">
-    <!-- Serveur d'impression de l'association -->
-    <Group name="print-server-backend"/>
-  </Group>
-
   <Group name="firewall">
     <!-- Le firewall de l'association -->
     <Group name="generate"/>
@@ -1103,6 +1099,18 @@
     <!--TODO: initscript, conf, monitoring, etc-->
   </Group>
 
+  <!-- *** CUPS *** -->
+
+  <Group name="cups-service-client">
+      <Group name="cups-service"/>
+      <Bundle name="cups-service"/>
+  </Group>
+
+  <Group name="cups-service-server">
+      <Group name="cups-service"/>
+      <Bundle name="cups-service"/>
+  </Group>
+
 
   <!-- +=================================+ -->
   <!-- | Tous les groupes intermediaires | -->
@@ -1305,11 +1313,6 @@
     <Group name="rsync"/>
   </Group>
 
-  <Group name="print-server-backend">
-    <Group name="cups-service"/>
-    <Group name="non-free"/>
-  </Group>
-
   <Group name="radius-server-backend">
     <Group name="freeradius"/>
   </Group>
@@ -1462,11 +1465,6 @@
     <Bundle name="rsync-client"/>
   </Group>
 
-  <Group name="cups-service"
-     category="print-server-backend">
-    <!-- TODO: a implementer -->
-  </Group>
-
   <Group name="freeradius"
     category="radius-server-backend">
    <Bundle name="freeradius"/>
diff --git a/Python/etc/cups/cupsd.conf b/Python/etc/cups/cupsd.conf
new file mode 100644
index 0000000..59a3b2e
--- /dev/null
+++ b/Python/etc/cups/cupsd.conf
@@ -0,0 +1,109 @@
+# -*- coding: utf-8 -*-
+
+info["owner"] = "root"
+info["group"] = "lp"
+info["mode"] = 0644
+
+include("ldap_conn")
+
+comment_start = "#"
+
+header("Configuration pour cups entre le serveur cups et l'intranet")
+
+conn = ldap_conn
+
+
+def ipv4(serveur):
+    return str(conn.search(u'host=%s.adm.crans.org' % serveur)[0]['ipHostNumber'][0])
+
+
+out("""LogLevel info
+MaxLogSize 0
+# Allow remote access""")
+if has ("cups"):
+    out("""Listen """ + ipv4('cups') + ":631")
+if has ("o2"):
+    out("""Listen """ + ipv4('o2') + ":631")
+out("""Listen /var/run/cups/cups.sock
+# Share local printers on the local network.
+Browsing On
+BrowseLocalProtocols dnssd
+DefaultAuthType Basic
+<Location />
+  # Allow shared printing...
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+<Location /admin>
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+<Location /admin/conf>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+</Location>
+<Policy default>
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    Order deny,allow
+  </Limit>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+<Policy authenticated>
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Default
+    Order deny,allow
+  </Limit>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>""")
+
diff --git a/Python/etc/cups/cupsd.conf.old b/Python/etc/cups/cupsd.conf.old
new file mode 100644
index 0000000..b90621e
--- /dev/null
+++ b/Python/etc/cups/cupsd.conf.old
@@ -0,0 +1,104 @@
+# -*- coding: utf-8 -*-
+
+info["owner"] = "root"
+info["group"] = "lp"
+info["mode"] = 0644
+
+include("ldap_conn")
+
+comment_start = "#"
+
+header("Configuration pour cups entre le serveur cups et l'intranet")
+
+def ipv4(serveur):
+    return str(conn.search(u'host=%s.adm.crans.org' % serveur)[0]['ipHostNumber'][0])
+
+
+out("""LogLevel info
+MaxLogSize 0
+# Allow remote access""")
+out("""Listen """ + ipv4('o2'))
+out("""Listen /var/run/cups/cups.sock
+# Share local printers on the local network.
+Browsing On
+BrowseLocalProtocols dnssd
+DefaultAuthType Basic
+<Location />
+  # Allow shared printing...
+    Order allow,deny
+    Allow @LOCAL
+</Location>
+<Location /admin>
+    Order allow,deny
+    Allow @LOCAL
+</Location>
+<Location /admin/conf>
+    AuthType Default
+    Require user @SYSTEM
+    Order allow,deny
+</Location>
+<Policy default>
+   JobPrivateAccess default
+   JobPrivateValues default
+   SubscriptionPrivateAccess default
+   SubscriptionPrivateValues default
+   <Limit Create-Job Print-Job Print-URI Validate-Job>
+    Order deny,allow
+  </Limit>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-        Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-     Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+<Policy authenticated>
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Default
+    Order deny,allow
+  </Limit>
+  </Limit>
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-        Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-     Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>""")
+
diff --git a/Rules/cups.xml b/Rules/cups.xml
new file mode 100644
index 0000000..7cbbee4
--- /dev/null
+++ b/Rules/cups.xml
@@ -0,0 +1,3 @@
+<Rules priority="1">
+    <Service type="deb" name="cups" status="on"/>
+</Rules>