authorelijah <elijah@riseup.net>2015-03-30 22:33:05 -0700
committerelijah <elijah@riseup.net>2015-03-30 22:33:05 -0700
commitb64940c1de7cf42acef018ca2fbf5beff4f48e80 (patch)
tree13925f4c050d55c413e15307e48cdb803caa5945
parent3172444652af71bd771609d6b80258e70cc82ce9 (diff)
added support for rotating couchdb databases.
-rw-r--r--provider_base/services/webapp.json7
l---------puppet/modules/site_couchdb/files/designs/tmp_users/User.json1
-rw-r--r--puppet/modules/site_couchdb/manifests/create_dbs.pp7
-rw-r--r--puppet/modules/site_webapp/manifests/couchdb.pp9
-rw-r--r--puppet/modules/site_webapp/manifests/cron.pp12
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp15
-rw-r--r--puppet/modules/site_webapp/templates/couchdb.admin.yml.erb9
7 files changed, 54 insertions, 6 deletions
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index e80a758a..b0646579 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -4,11 +4,8 @@
"forbidden_usernames": ["admin", "administrator", "arin-admin", "certmaster", "contact", "info", "maildrop", "postmaster", "ssladmin", "www-data"],
"domain": "= domain.full_suffix",
"modules": ["user", "billing", "help"],
- "couchdb_webapp_user": {
- "username": "= global.services[:couchdb].couch.users[:webapp].username",
- "password": "= secret :couch_webapp_password",
- "salt": "= hex_secret :couch_webapp_password_salt, 128"
- },
+ "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]",
+ "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]",
"customization_dir": "= file_path 'webapp'",
"client_certificates": "= provider.ca.client_certificates",
"allow_limited_certs": "= provider.service.allow_limited_bandwidth",
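Review bot: The new `couchdb_admin_user` line hands the webapp service the whole `couch.users[:admin]` record, so every webapp node now holds CouchDB admin credentials. The rewritten `couchdb_webapp_user` line likewise passes whatever fields that record carries, instead of the three the removed block listed. If rotation only needs the name and password, select them explicitly as the old block did, e.g. `"couchdb_admin_user": { "username": "= global.services[:couchdb].couch.users[:admin].username", "password": "= global.services[:couchdb].couch.users[:admin].password" }`. The `.password` path is inferred from how couchdb.pp reads the value and should be confirmed.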
diff --git a/puppet/modules/site_couchdb/files/designs/tmp_users/User.json b/puppet/modules/site_couchdb/files/designs/tmp_users/User.json
new file mode 120000
index 00000000..ed3d0af9
--- /dev/null
+++ b/puppet/modules/site_couchdb/files/designs/tmp_users/User.json
@@ -0,0 +1 @@
+../users/User.json
\ No newline at end of file
diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp
index 40148b8e..f9a08807 100644
--- a/puppet/modules/site_couchdb/manifests/create_dbs.pp
+++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp
@@ -64,6 +64,13 @@ class site_couchdb::create_dbs {
require => Couchdb::Query::Setup['localhost']
}
+ ## tmp_users database
+ ## r/w: webapp
+ couchdb::create_db { 'tmp_users':
+ members => "{ \"names\": [], \"roles\": [\"replication\", \"users\"] }",
+ require => Couchdb::Query::Setup['localhost']
+ }
+
## messages db
## store messages to the clients such as payment reminders
## r/w: webapp
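Review bot: The header for `tmp_users` says `r/w: webapp`, but the `members` object grants access by role (`replication`, `users`) and names no account, so the comment does not tell a reader who can actually reach this database. Since it reuses the `users` design document (the symlinked User.json in this commit), it presumably holds user records. A comment such as `## temporary user accounts; rotated and deleted by the webapp's db:rotate / db:deletetmp tasks`, plus the roles that map to the webapp, would make the access intent reviewable. That purpose is inferred from the rest of the commit and should be confirmed. The enclosing class starts and ends outside the hunk.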
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 3ae4d266..1dbc745d 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -6,6 +6,8 @@ class site_webapp::couchdb {
$couchdb_port = '4096'
$couchdb_webapp_user = $webapp['couchdb_webapp_user']['username']
$couchdb_webapp_password = $webapp['couchdb_webapp_user']['password']
+ $couchdb_admin_user = $webapp['couchdb_admin_user']['username']
+ $couchdb_admin_password = $webapp['couchdb_admin_user']['password']
include x509::variables
@@ -17,6 +19,13 @@ class site_webapp::couchdb {
mode => '0600',
require => Vcsrepo['/srv/leap/webapp'];
+ '/srv/leap/webapp/config/couchdb.admin.yml':
+ content => template('site_webapp/couchdb.admin.yml.erb'),
+ owner => leap-webapp,
+ group => leap-webapp,
+ mode => '0600',
+ require => Vcsrepo['/srv/leap/webapp'];
+
'/srv/leap/webapp/log':
ensure => directory,
owner => leap-webapp,
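Review bot: `couchdb.admin.yml` is written with `owner => leap-webapp` and `mode => '0600'`, the same ownership as the config entry above it, so any process running as `leap-webapp` can read the CouchDB admin password. If the web application itself runs under that account (not visible here), keeping the admin credentials in a separate file gives no isolation from the request-serving code. Consider a comment on the resource, `# admin credentials: loaded only by the db:rotate / db:deletetmp rake tasks, never by the running app`, and, if the deployment allows it, a dedicated owner for the file and those tasks. The resource block starts and ends outside the hunk.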
diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp
index 811ad11d..bdf0fb74 100644
--- a/puppet/modules/site_webapp/manifests/cron.pp
+++ b/puppet/modules/site_webapp/manifests/cron.pp
@@ -2,6 +2,18 @@ class site_webapp::cron {
# cron tasks that need to be performed to cleanup the database
cron {
+ 'rotate_databases':
+ command => 'cd /srv/leap/webapp && bundle exec rake db:rotate',
+ environment => 'RAILS_ENV=production',
+ hour => [0,6,12,18],
+ minute => 0;
+
+ 'delete_tmp_databases':
+ command => 'cd /srv/leap/webapp && bundle exec rake db:deletetmp',
+ environment => 'RAILS_ENV=production',
+ hour => 1,
+ minute => 1;
+
'remove_expired_sessions':
command => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions',
environment => 'RAILS_ENV=production',
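Review bot: Neither `rotate_databases` nor `delete_tmp_databases` sets `user`, and none is visible on the surrounding `cron { ... }` block in this hunk. Unless a default is set elsewhere, these jobs run as the account the Puppet agent runs as (usually root), while `Exec['rotate_dbs']` in init.pp runs the same rake task as `leap-webapp`. Running `bundle exec rake` as root inside a tree that init.pp appears to check out as `leap-webapp` would let files writable by the less-privileged account execute with root rights. Adding `user => 'leap-webapp',` to both entries would match the exec and the `0600` ownership of `couchdb.admin.yml`. The cron block continues past the end of the hunk.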
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index ea64048b..5071d9bc 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -50,7 +50,7 @@ class site_webapp {
owner => 'leap-webapp',
group => 'leap-webapp',
require => [ User['leap-webapp'], Group['leap-webapp'] ],
- notify => Exec['bundler_update']
+ notify => [ Exec['bundler_update'], Exec['rotate_dbs'] ]
}
exec { 'bundler_update':
@@ -67,6 +67,19 @@ class site_webapp {
notify => Service['apache'];
}
+ # this only needs to be called before the first time the web app is run.
+ # after that, the cron job will take care of running db:rotate regularly.
+ exec { 'rotate_dbs':
+ cwd => '/srv/leap/webapp',
+ command => '/bin/bash -c "RAILS_ENV=production /usr/bin/bundle exec rake db:rotate"',
+ user => 'leap-webapp',
+ timeout => 600,
+ refreshonly => true,
+ require => [
+ Vcsrepo['/srv/leap/webapp'],
+ Class['site_config::ruby::dev']];
+ }
+
#
# NOTE: in order to support a webapp that is running on a subpath and not the
# root of the domain assets:precompile needs to be run with
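Review bot: `Exec['rotate_dbs']` is refreshed by the same resource that refreshes `Exec['bundler_update']`, but its `require` lists only the Vcsrepo and `site_config::ruby::dev`, so nothing orders it after the bundle update or after `couchdb.admin.yml` is written. On a fresh node `rake db:rotate` could therefore run with gems missing or without the admin config it presumably needs. Adding `Exec['bundler_update'],` and `File['/srv/leap/webapp/config/couchdb.admin.yml'],` to the `require` list would make the order explicit (the File title assumes that entry in couchdb.pp is a `file` resource). The comment also says the exec is only needed before the first run, whereas `refreshonly` plus the new `notify` re-runs it on every repository refresh, so the comment should say so. The class body extends beyond the hunk.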
diff --git a/puppet/modules/site_webapp/templates/couchdb.admin.yml.erb b/puppet/modules/site_webapp/templates/couchdb.admin.yml.erb
new file mode 100644
index 00000000..a0921add
--- /dev/null
+++ b/puppet/modules/site_webapp/templates/couchdb.admin.yml.erb
@@ -0,0 +1,9 @@
+production:
+ prefix: ""
+ protocol: 'http'
+ host: <%= @couchdb_host %>
+ port: <%= @couchdb_port %>
+ auto_update_design_doc: false
+ username: <%= @couchdb_admin_user %>
+ password: <%= @couchdb_admin_password %>
+
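Review bot: `username` and `password` are interpolated into the YAML unquoted, so a secret containing `: `, ` #`, or a leading `!` or `*` would not parse as the intended string. The rake tasks would then authenticate with the wrong value or fail to load the file. Quoting the scalars, `password: "<%= @couchdb_admin_password %>"` (and the same for `username`), is safe as long as the generated secrets never contain `"` or `\`, which depends on the secret generator, not shown here. Separately, `protocol: 'http'` sends the admin credentials in the clear unless `@couchdb_host` is a local tunnel endpoint, which is worth a one-line comment in the template.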