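# Class: profile::puppet::autosign
#
# Manages a policy-based autosign script for the Puppet master. The class
# writes a small Ruby script to /opt/puppetlabs/bin/autosign.rb that exits 0
# ("sign") when the IP carried in the request's facts falls inside one of the
# configured subnet ranges, and exits non-zero ("do not sign") otherwise.
#
# Parameters:
# - `subnet_ranges`: An array of IPv4 CIDR ranges for which certificate
#   requests are signed automatically. An empty array means nothing is
#   auto-signed.
#
# Actions:
# - Ensures the autosign script file is present with the generated content,
#   is owned by root and is executable (mode 0755, not world-writable).
#
# Usage:
# The class can be declared in a node definition or classified using an ENC
# or Hiera.
# Example:
#   node 'puppet.example.com' {
#     class { 'profile::puppet::autosign':
#       subnet_ranges => ['198.18.17.0/24', '10.0.0.0/8'],
#     }
#   }
#
# Requirements:
# - The Puppet master must have access to the /opt/puppetlabs/bin directory.
# - `yaml` and `ipaddr` are part of the Ruby standard library shipped with
#   Puppet; no additional gem is required.
# - The puppetlabs/stdlib module must be installed on the Puppet master
#   (it provides the Stdlib::IP::Address::V4::CIDR type).
# - NOTE(review): the master's `autosign` setting must point at the script
#   for it to be consulted; this class does not manage puppet.conf.
#
# Security notes:
# - The IP is read from the request's own facts, i.e. it is supplied by the
#   requesting node. Treat this as a coarse filter for where requests are
#   expected from, not as authentication of the node.
# - The request payload is parsed with YAML.safe_load so that it can never
#   instantiate arbitrary Ruby objects on the master.
# - NOTE(review): confirm the payload shape (`facts.networking.ip`) against
#   the autosign policy executable interface used by the master; Puppet
#   documents the CSR arriving on stdin in PEM form with the certname as the
#   first argument, which this script does not parse.
#
# Limitations:
# This is designed to work on Unix-like systems.
class profile::puppet::autosign (
  Array[Stdlib::IP::Address::V4::CIDR] $subnet_ranges,
) {
  # Render the ranges as a comma-separated list of quoted Ruby string
  # literals. Plain array interpolation would produce `[a/b, c/d]`, which is
  # not valid Ruby, and `@(END)` without quotes would not interpolate at all.
  $network_literals = $subnet_ranges.map |$range| { "'${range}'" }.join(', ')

  # Interpolating heredoc (`@("END")`); the only Puppet interpolation inside
  # it is ${network_literals}. Everything else is literal Ruby.
  $script_content = @("END")
    #!/usr/bin/env ruby
    # Managed by Puppet (profile::puppet::autosign) -- do not edit by hand.
    # Policy autosign hook: exit 0 to sign the request, non-zero to reject it.
    # Any parse or lookup error also ends in a non-zero exit, i.e. "do not sign".
    require 'yaml'
    require 'ipaddr'

    ALLOWED_NETWORKS = [${network_literals}].map { |cidr| IPAddr.new(cidr) }.freeze

    begin
      # safe_load: the payload comes from the requesting node, so never let it
      # instantiate arbitrary Ruby objects.
      request = YAML.safe_load(STDIN.read)
      ip_text = request.dig('facts', 'networking', 'ip') if request.respond_to?(:dig)
      exit 1 if ip_text.nil?
      ip = IPAddr.new(ip_text)
    rescue StandardError
      # Malformed YAML, unexpected structure or an unparsable address: reject.
      exit 1
    end

    exit 1 unless ALLOWED_NETWORKS.any? { |network| network.include?(ip) }
    exit 0
    | END

  # owner root keeps the service account from rewriting its own signing
  # policy; 0755 still lets it execute the script.
  file { '/opt/puppetlabs/bin/autosign.rb':
    ensure  => file,
    owner   => 'root',
    content => $script_content,
    mode    => '0755',
  }
}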