m---------puppet/modules/couchdb0
-rw-r--r--puppet/modules/leap_mx/manifests/init.pp24
-rw-r--r--puppet/modules/site_apt/manifests/init.pp16
-rw-r--r--puppet/modules/site_config/manifests/remove/files.pp14
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp24
-rw-r--r--tests/helpers/client_side_db.py50
-rw-r--r--tests/white-box/mx.rb3
7 files changed, 73 insertions, 58 deletions
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
-Subproject d4e0579ec88e999d42c9f4ffd32489396dce63c
+Subproject 016ec71359f6b1b368624c6c94bac2b50979165
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp
index 284662d2..5561e326 100644
--- a/puppet/modules/leap_mx/manifests/init.pp
+++ b/puppet/modules/leap_mx/manifests/init.pp
@@ -41,13 +41,7 @@ class leap_mx {
notify => Service['leap-mx'];
}
- file { '/etc/default/leap_mx':
- content => 'LOGFILE=/var/log/leap/mx.log',
- owner => 'root',
- group => 'root',
- mode => '0644',
- notify => Service['leap-mx'];
- }
+ leap::logfile { 'mx': }
#
# LEAP-MX CODE AND DEPENDENCIES
@@ -75,20 +69,4 @@ class leap_mx {
hasrestart => true,
require => [ Package['leap-mx'] ];
}
-
- augeas {
- 'logrotate_mx':
- context => '/files/etc/logrotate.d/leap-mx/rule',
- changes => [
- 'set file /var/log/leap/mx.log',
- 'set rotate 5',
- 'set schedule daily',
- 'clear nocreate',
- 'rm create',
- 'rm ifempty',
- 'set compress compress',
- 'set missingok missingok',
- 'set copytruncate copytruncate'
- ]
- }
}
diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp
index cf49f870..635ba975 100644
--- a/puppet/modules/site_apt/manifests/init.pp
+++ b/puppet/modules/site_apt/manifests/init.pp
@@ -7,11 +7,19 @@ class site_apt {
$apt_url_security = $apt_config['security']
$apt_url_backports = $apt_config['backports']
+ # needed on jessie hosts for getting pnp4nagios from testing
+ if ( $::operatingsystemmajrelease == '8' ) {
+ $use_next_release = true
+ } else {
+ $use_next_release = false
+ }
+
class { 'apt':
- custom_key_dir => 'puppet:///modules/site_apt/keys',
- debian_url => $apt_url_basic,
- security_url => $apt_url_security,
- backports_url => $apt_url_backports
+ custom_key_dir => 'puppet:///modules/site_apt/keys',
+ debian_url => $apt_url_basic,
+ security_url => $apt_url_security,
+ backports_url => $apt_url_backports,
+ use_next_release => $use_next_release
}
# enable http://deb.leap.se debian package repository
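Review bot: The added `use_next_release => $use_next_release` enables the next-release source on every jessie host that includes `site_apt`, although the comment says it is only needed to get pnp4nagios from testing. Whether the `apt` class pins that source below the stable release is not visible in this hunk, so it is worth confirming that a routine upgrade cannot pull unrelated packages from testing. I would extend the comment to record that dependency, e.g. `# testing is added as an extra source only; relies on the apt module's pinning to keep it below jessie (TODO confirm)`.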
diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp
index 466f50c8..67171259 100644
--- a/puppet/modules/site_config/manifests/remove/files.pp
+++ b/puppet/modules/site_config/manifests/remove/files.pp
@@ -11,6 +11,12 @@
class site_config::remove::files {
+ # Platform 0.8 removals
+ tidy {
+ '/etc/default/leap_mx':;
+ '/etc/logrotate.d/leap-mx':;
+ }
+
#
# Platform 0.7 removals
#
@@ -20,13 +26,19 @@ class site_config::remove::files {
'/etc/rsyslog.d/99-leap-mx.conf':;
'/etc/rsyslog.d/01-webapp.conf':;
'/etc/rsyslog.d/50-stunnel.conf':;
- '/etc/logrotate.d/mx':;
'/etc/logrotate.d/stunnel':;
'/var/log/stunnel4/stunnel.log':;
'leap_mx':
path => '/var/log/',
recurse => true,
matches => 'leap_mx*';
+ # We rotate 5 logs, so we should only have mx.log, mx.log.[1-5], with an
+ # optional .gz suffix. The following will remove any logs that are out
+ # of this range
+ 'leap_mx_rotate':
+ path => '/var/log/leap/',
+ recurse => true,
+ matches => [ 'mx.log.[6-9](.gz)?', 'mx.log.[0-9][0-9]'];
'/srv/leap/webapp/public/provider.json':;
'/srv/leap/couchdb/designs/tmp_users':
recurse => true,
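Review bot: The `matches` patterns in `'leap_mx_rotate'` are written like regular expressions, but Puppet's `tidy` treats `matches` as shell globs on the file's basename, so `(.gz)?` is read as literal parentheses with `?` as any single character, and `mx.log.[6-9](.gz)?` will not match `mx.log.6` or `mx.log.6.gz`. The second pattern also misses compressed two-digit logs such as `mx.log.10.gz`. The result is that old mail logs stay on disk beyond the five rotations the comment describes. Spelling the globs out avoids this: `matches => [ 'mx.log.[6-9]', 'mx.log.[6-9].gz', 'mx.log.[0-9][0-9]', 'mx.log.[0-9][0-9].gz' ];`. The enclosing `tidy` block starts above this hunk.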
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index e92a6af7..5efd459f 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -50,6 +50,21 @@ class site_sshd {
}
}
+ # we cannot use the 'hardened' parameter because leap_cli uses an
+ # old net-ssh gem that is incompatible with the included
+ # "KexAlgorithms curve25519-sha256@libssh.org",
+ # see https://leap.se/code/issues/7591
+ # therefore we don't use it here, but include all other options
+ # that would be applied by the 'hardened' parameter
+ # not all options are available on wheezy
+ if ( $::lsbdistcodename == 'wheezy' ) {
+ $tail_additional_options = 'Ciphers aes256-ctr
+MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
+ } else {
+ $tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
+ }
+
##
## SSHD SERVER CONFIGURATION
##
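Review bot: The non-wheezy branch of `$tail_additional_options` now carries the same `MACs` line as the wheezy branch, so newer hosts lose the `-etm@openssh.com` and `umac-128` entries that the removed `tail_additional_options` line in the next hunk still had. The comment only says that not all options are available on wheezy, which explains the shorter `Ciphers` list there but not the shorter MACs list in the `else` branch. If the reduction is also needed for the old net-ssh gem, say so in the comment; otherwise keep the previous MACs list in the `else` branch and restrict only wheezy. The `site_sshd` class body continues outside this hunk.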
@@ -61,13 +76,6 @@ class site_sshd {
tcp_forwarding => $ssh_config['AllowTcpForwarding'],
manage_client => false,
use_storedconfigs => true,
- # we cannot use the 'hardened' parameter because leap_cli uses an
- # old net-ssh gem that is incompatible with the included
- # "KexAlgorithms curve25519-sha256@libssh.org",
- # see https://leap.se/code/issues/7591
- # therefore we don't use it here, but include all other options
- # that would be applied by the 'hardened' parameter
- tail_additional_options => 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
+ tail_additional_options => $tail_additional_options
}
}
diff --git a/tests/helpers/client_side_db.py b/tests/helpers/client_side_db.py
index d2a4bbcb..2f8c220f 100644
--- a/tests/helpers/client_side_db.py
+++ b/tests/helpers/client_side_db.py
@@ -2,11 +2,15 @@ import logging
import os
import tempfile
import getpass
-import requests
-import srp._pysrp as srp
import binascii
import json
+try:
+ import requests
+ import srp._pysrp as srp
+except ImportError:
+ pass
+
from twisted.internet.defer import inlineCallbacks
from leap.soledad.client import Soledad
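Review bot: `except ImportError: pass` leaves `requests` and `srp` unbound when either package is missing, so a helper such as `_get_api_info`, which calls `requests.get`, would fail later with a NameError far from the real cause. If the imports are optional because the tests only need part of this module, record that in a comment and bind the names explicitly, e.g. `requests = srp = None  # only needed by the SRP login helpers`. The helpers that need them can then raise a clear error naming the missing dependency.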
@@ -14,6 +18,7 @@ from leap.soledad.client import Soledad
"""
Helper functions to give access to client-side Soledad database.
+Copied over from soledad/scripts folder.
"""
# create a logger
@@ -33,6 +38,27 @@ def _fail(reason):
exit(2)
+def get_soledad_instance(uuid, passphrase, basedir, server_url, cert_file,
+ token):
+ # setup soledad info
+ logger.info('UUID is %s' % uuid)
+ logger.info('Server URL is %s' % server_url)
+ secrets_path = os.path.join(
+ basedir, '%s.secret' % uuid)
+ local_db_path = os.path.join(
+ basedir, '%s.db' % uuid)
+ # instantiate soledad
+ return Soledad(
+ uuid,
+ unicode(passphrase),
+ secrets_path=secrets_path,
+ local_db_path=local_db_path,
+ server_url=server_url,
+ cert_file=cert_file,
+ auth_token=token,
+ defer_encryption=True)
+
+
def _get_api_info(provider):
info = requests.get(
'https://'+provider+'/provider.json', verify=False).json()
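Review bot: `get_soledad_instance` is moved here without a docstring. It should have one stating that the `<uuid>.secret` and `<uuid>.db` paths are placed under `basedir`, so callers know that directory will hold key material and should be private to the test user. `unicode(passphrase)` also ties the helper to Python 2, which is worth noting in the same docstring. Separately, the context line in `_get_api_info` fetches `provider.json` with `verify=False`, so the API details used for the later login are not authenticated; if that is deliberate for test providers with self-signed certificates, a comment such as `# verify=False: test providers use a self-signed cert` would make the intent explicit. `_get_api_info` continues outside this hunk.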
@@ -96,26 +122,6 @@ def _get_soledad_info(username, provider, passphrase, basedir):
return auth[2]['id'], server_url, cert_file, auth[2]['token']
-def get_soledad_instance(uuid, passphrase, basedir, server_url, cert_file,
- token):
- # setup soledad info
- logger.info('UUID is %s' % uuid)
- logger.info('Server URL is %s' % server_url)
- secrets_path = os.path.join(
- basedir, '%s.secret' % uuid)
- local_db_path = os.path.join(
- basedir, '%s.db' % uuid)
- # instantiate soledad
- return Soledad(
- uuid,
- unicode(passphrase),
- secrets_path=secrets_path,
- local_db_path=local_db_path,
- server_url=server_url,
- cert_file=cert_file,
- auth_token=token,
- defer_encryption=True)
-
def _get_passphrase(args):
passphrase = args.passphrase
if passphrase is None:
diff --git a/tests/white-box/mx.rb b/tests/white-box/mx.rb
index 794a9a41..f49d2ab4 100644
--- a/tests/white-box/mx.rb
+++ b/tests/white-box/mx.rb
@@ -34,6 +34,9 @@ class Mx < LeapTest
def test_03_Are_MX_daemons_running?
assert_running 'leap_mx'
assert_running '/usr/lib/postfix/master'
+ assert_running '/usr/sbin/postfwd'
+ assert_running 'postfwd2::cache'
+ assert_running 'postfwd2::policy'
assert_running '/usr/sbin/unbound'
pass
end