diff options
61 files changed, 1269 insertions, 376 deletions
diff --git a/bin/puppet_command b/bin/puppet_command index 5e690bef..cdb0b027 100755 --- a/bin/puppet_command +++ b/bin/puppet_command @@ -14,6 +14,8 @@ PUPPET_BIN = '/usr/bin/puppet' PUPPET_DIRECTORY = '/srv/leap' PUPPET_PARAMETERS = '--color=false --detailed-exitcodes --libdir=puppet/lib --confdir=puppet' SITE_MANIFEST = 'puppet/manifests/site.pp' +SITE_MODULES = 'puppet/modules' +CUSTOM_MODULES = ':files/puppet/modules' DEFAULT_TAGS = 'leap_base,leap_service' HIERA_FILE = '/etc/leap/hiera.yaml' @@ -93,10 +95,11 @@ end def puppet_apply(options={}, &block) options = {:verbosity => @verbosity, :tags => @tags}.merge(options) manifest = options[:manifest] || SITE_MANIFEST + modulepath = options[:module_path] || SITE_MODULES + CUSTOM_MODULES fqdn = hiera_file['domain']['name'] domain = hiera_file['domain']['full_suffix'] Dir.chdir(PUPPET_DIRECTORY) do - return run("FACTER_fqdn='#{fqdn}' FACTER_domain='#{domain}' #{PUPPET_BIN} apply #{custom_parameters(options)} #{PUPPET_PARAMETERS} #{manifest}", &block) + return run("FACTER_fqdn='#{fqdn}' FACTER_domain='#{domain}' #{PUPPET_BIN} apply #{custom_parameters(options)} --modulepath='#{modulepath}' #{PUPPET_PARAMETERS} #{manifest}", &block) end end diff --git a/bin/run_tests b/bin/run_tests index e026b5f7..4addc0c8 100755 --- a/bin/run_tests +++ b/bin/run_tests @@ -14,7 +14,6 @@ require 'minitest/unit' require 'yaml' require 'tsort' -require 'net/http' ## ## EXIT CODES @@ -37,6 +36,14 @@ def bail(code, msg=nil) end ## +## UTILITY +## + +def service?(service) + $node["services"].include?(service.to_s) +end + +## ## EXCEPTIONS ## @@ -114,7 +121,10 @@ class LeapTest < MiniTest::Unit::TestCase # the default fail() is part of the kernel and it just throws a runtime exception. for tests, # we want the same behavior as assert(false) # - def fail(msg=nil) + def fail(msg=nil, exception=nil) + if DEBUG && exception && exception.respond_to?(:backtrace) + msg += MiniTest::filter_backtrace(exception.backtrace).join "\n" + end assert(false, msg) end @@ -129,207 +139,6 @@ class LeapTest < MiniTest::Unit::TestCase :alpha end - # - # attempts a http GET on the url, yields |body, response, error| - # - def get(url, params=nil) - uri = URI(url) - if params - uri.query = URI.encode_www_form(params) - end - http = Net::HTTP.new uri.host, uri.port - if uri.scheme == 'https' - http.verify_mode = OpenSSL::SSL::VERIFY_NONE - http.use_ssl = true - end - http.start do |agent| - request = Net::HTTP::Get.new uri.request_uri - if uri.user - request.basic_auth uri.user, uri.password - end - response = agent.request(request) - if response.is_a?(Net::HTTPSuccess) - yield response.body, response, nil - else - yield nil, response, nil - end - end - rescue => exc - yield nil, nil, exc - end - - def assert_get(url, params=nil, options=nil) - options ||= {} - get(url, params) do |body, response, error| - if body - yield body if block_given? - elsif response - fail ["Expected a 200 status code from #{url}, but got #{response.code} instead.", options[:error_msg]].compact.join("\n") - else - fail ["Expected a response from #{url}, but got \"#{error}\" instead.", options[:error_msg]].compact.join("\n") - end - end - end - - # - # only a warning for now, should be a failure in the future - # - def assert_auth_fail(url, params) - uri = URI(url) - get(url, params) do |body, response, error| - unless response.code.to_s == "401" - warn "Expected a '401 Unauthorized' response, but got #{response.code} instead (GET #{uri.request_uri} with username '#{uri.user}')." - return false - end - end - true - end - - # - # test if a socket can be connected to - # - - # - # tcp connection helper with timeout - # - def try_tcp_connect(host, port, timeout = 5) - addr = Socket.getaddrinfo(host, nil) - sockaddr = Socket.pack_sockaddr_in(port, addr[0][3]) - - Socket.new(Socket.const_get(addr[0][0]), Socket::SOCK_STREAM, 0).tap do |socket| - socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1) - begin - socket.connect_nonblock(sockaddr) - rescue IO::WaitReadable - if IO.select([socket], nil, nil, timeout) == nil - raise "Connection timeout" - else - socket.connect_nonblock(sockaddr) - end - rescue IO::WaitWritable - if IO.select(nil, [socket], nil, timeout) == nil - raise "Connection timeout" - else - socket.connect_nonblock(sockaddr) - end - end - return socket - end - end - - def try_tcp_write(socket, timeout = 5) - begin - socket.write_nonblock("\0") - rescue IO::WaitReadable - if IO.select([socket], nil, nil, timeout) == nil - raise "Write timeout" - else - retry - end - rescue IO::WaitWritable - if IO.select(nil, [socket], nil, timeout) == nil - raise "Write timeout" - else - retry - end - end - end - - def try_tcp_read(socket, timeout = 5) - begin - socket.read_nonblock(1) - rescue IO::WaitReadable - if IO.select([socket], nil, nil, timeout) == nil - raise "Read timeout" - else - retry - end - rescue IO::WaitWritable - if IO.select(nil, [socket], nil, timeout) == nil - raise "Read timeout" - else - retry - end - end - end - - def assert_tcp_socket(host, port, msg=nil) - begin - socket = try_tcp_connect(host, port, 1) - #try_tcp_write(socket,1) - #try_tcp_read(socket,1) - rescue StandardError => exc - fail ["Failed to open socket #{host}:#{port}", exc].join("\n") - ensure - socket.close if socket - end - end - - # - # Matches the regexp in the file, and returns the first matched string (or fails if no match). - # - def file_match(filename, regexp) - if match = File.read(filename).match(regexp) - match.captures.first - else - fail "Regexp #{regexp.inspect} not found in file #{filename.inspect}." - end - end - - # - # Matches the regexp in the file, and returns array of matched strings (or fails if no match). - # - def file_matches(filename, regexp) - if match = File.read(filename).match(regexp) - match.captures - else - fail "Regexp #{regexp.inspect} not found in file #{filename.inspect}." - end - end - - # - # checks to make sure the given property path exists in $node (e.g. hiera.yaml) - # and returns the value - # - def assert_property(property) - latest = $node - property.split('.').each do |segment| - latest = latest[segment] - fail "Required node property `#{property}` is missing." if latest.nil? - end - return latest - end - - # - # works like pgrep command line - # return an array of hashes like so [{:pid => "1234", :process => "ls"}] - # - def pgrep(match) - output = `pgrep --full --list-name '#{match}'` - output.each_line.map{|line| - pid = line.split(' ')[0] - process = line.gsub(/(#{pid} |\n)/, '') - if process =~ /pgrep --full --list-name/ - nil - else - {:pid => pid, :process => process} - end - }.compact - end -end - -def assert_running(process) - assert pgrep(process).any?, "No running process for #{process}" -end - -# -# runs the specified command, failing on a non-zero exit status. -# -def assert_run(command) - output = `#{command}` - if $?.exitstatus != 0 - fail "Error running `#{command}`:\n#{output}" - end end # @@ -441,7 +250,7 @@ class LeapRunner < MiniTest::Unit def report_line(prefix, klass, meth, e=nil, message=nil) msg_txt = nil if message - message = message.sub(/http:\/\/([a-z_]+):([a-zA-Z0-9_]+)@/, "http://\\1:password@") + message = message.sub(/http:\/\/([a-z_]+):([a-zA-Z0-9_]+)@/, "http://\\1:REDACTED@") if $output_format == :human indent = "\n " msg_txt = indent + message.split("\n").join(indent) @@ -556,7 +365,8 @@ def print_help " --test TEST Run only the test with name TEST.", " --list-tests Prints the names of all available tests and exit.", " --retry COUNT If the tests don't pass, retry COUNT additional times (default is zero)", - " --wait SECONDS Wait for SECONDS between retries (default is 5)"].join("\n") + " --wait SECONDS Wait for SECONDS between retries (default is 5)", + " --debug Print out full stack trace on errors"].join("\n") exit(0) end @@ -615,6 +425,9 @@ def main # load all test classes this_file = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ + Dir[File.expand_path('../../tests/helpers/*.rb', this_file)].each do |helper| + require helper + end Dir[File.expand_path('../../tests/white-box/*.rb', this_file)].each do |test_file| begin require test_file @@ -636,10 +449,19 @@ def main when '--list-tests' then list_tests when '--retry' then ARGV.shift; $retry = ARGV.shift.to_i when '--wait' then ARGV.shift; $wait = ARGV.shift.to_i + when '--debug' then ARGV.shift + when '-d' then ARGV.shift else break end end run_tests end +if ARGV.include?('--debug') || ARGV.include?('-d') + DEBUG=true + require 'debugger' +else + DEBUG=false +end + main() diff --git a/platform.rb b/platform.rb index 270dd25a..c37b6d29 100644 --- a/platform.rb +++ b/platform.rb @@ -4,8 +4,8 @@ # Leap::Platform.define do - self.version = "0.5.4.1" - self.compatible_cli = "1.5.8".."1.99" + self.version = "0.6" + self.compatible_cli = "1.6.1".."1.99" # # the facter facts that should be gathered @@ -13,7 +13,16 @@ Leap::Platform.define do self.facts = ["ec2_local_ipv4", "ec2_public_ipv4"] # + # absolute paths on the destination server + # + self.hiera_path = '/etc/leap/hiera.yaml' + self.leap_dir = '/srv/leap' + self.files_dir = '/srv/leap/files' + self.init_path = '/srv/leap/initialized' + + # # the named paths for this platform + # (relative to the provider directory) # self.paths = { # directories @@ -43,6 +52,11 @@ Leap::Platform.define do :soledad_service_json_template => 'files/service-definitions/#{arg}/soledad-service.json.erb', :smtp_service_json_template => 'files/service-definitions/#{arg}/smtp-service.json.erb', + # custom puppet + :custom_puppet_dir => 'files/puppet', + :custom_puppet_modules_dir => 'files/puppet/modules', + :custom_puppet_manifests_dir => 'files/puppet/manifests', + # output files :facts => 'facts.json', :user_ssh => 'users/#{arg}/#{arg}_ssh.pub', @@ -63,10 +77,12 @@ Leap::Platform.define do :vagrantfile => 'test/Vagrantfile', # node output files - :hiera => 'hiera/#{arg}.yaml', - :node_ssh_pub_key => 'files/nodes/#{arg}/#{arg}_ssh.pub', - :node_x509_key => 'files/nodes/#{arg}/#{arg}.key', - :node_x509_cert => 'files/nodes/#{arg}/#{arg}.crt', + :hiera => 'hiera/#{arg}.yaml', + :node_ssh_pub_key => 'files/nodes/#{arg}/#{arg}_ssh.pub', + :node_x509_key => 'files/nodes/#{arg}/#{arg}.key', + :node_x509_cert => 'files/nodes/#{arg}/#{arg}.crt', + :node_tor_priv_key => 'files/nodes/#{arg}/tor.key', + :node_tor_pub_key => 'files/nodes/#{arg}/tor.pub', # testing files :test_client_key => 'test/cert/client.key', @@ -85,5 +101,7 @@ Leap::Platform.define do self.monitor_username = 'monitor' self.reserved_usernames = ['monitor'] + + self.default_puppet_tags = ['leap_base','leap_service'] end diff --git a/provider_base/common.json b/provider_base/common.json index 87af2152..649db0d9 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -46,5 +46,9 @@ "stunnel": { "clients": {}, "servers": {} + }, + "platform": { + "version": "= Leap::Platform.version.to_s", + "major_version": "= Leap::Platform.major_version" } } diff --git a/provider_base/files/service-definitions/v1/eip-service.json.erb b/provider_base/files/service-definitions/v1/eip-service.json.erb index 3b8976fd..4bd220df 100644 --- a/provider_base/files/service-definitions/v1/eip-service.json.erb +++ b/provider_base/files/service-definitions/v1/eip-service.json.erb @@ -42,8 +42,14 @@ end configuration = node.openvpn.configuration end - hsh["gateways"] = gateways.compact - hsh["locations"] = locations - hsh["openvpn_configuration"] = configuration + if gateways.any? + configuration = configuration.dup + if configuration['fragment'] && configuration['fragment'] == 1500 + configuration.delete('fragment') + end + hsh["gateways"] = gateways.compact + hsh["locations"] = locations + hsh["openvpn_configuration"] = configuration + end JSON.sorted_generate hsh %>
\ No newline at end of file diff --git a/provider_base/lib/macros.rb b/provider_base/lib/macros.rb index 854b92b5..ecc3e6ba 100644 --- a/provider_base/lib/macros.rb +++ b/provider_base/lib/macros.rb @@ -9,6 +9,7 @@ require_relative 'macros/core' require_relative 'macros/files' require_relative 'macros/haproxy' require_relative 'macros/hosts' +require_relative 'macros/keys' require_relative 'macros/nodes' require_relative 'macros/secrets' require_relative 'macros/stunnel' diff --git a/provider_base/lib/macros/files.rb b/provider_base/lib/macros/files.rb index 0a491325..958958bc 100644 --- a/provider_base/lib/macros/files.rb +++ b/provider_base/lib/macros/files.rb @@ -48,13 +48,22 @@ module LeapCli # * if the path does not exist locally, but exists in provider_base, then the default file from # provider_base is copied locally. this is required for rsync to work correctly. # - def file_path(path) + def file_path(path, options={}) if path.is_a? Symbol path = [path, @node.name] + elsif path.is_a? String + # ensure it prefixed with files/ + unless path =~ /^files\// + path = "files/" + path + end end actual_path = Path.find_file(path) if actual_path.nil? - Util::log 2, :skipping, "file_path(\"#{path}\") because there is no such file." + if options[:missing] + raise FileMissing.new(Path.named_path(path), options) + else + Util::log 2, :skipping, "file_path(\"#{path}\") because there is no such file." + end nil else if actual_path =~ /^#{Regexp.escape(Path.provider_base)}/ @@ -70,8 +79,9 @@ module LeapCli actual_path += '/' # ensure directories end with /, important for building rsync command end relative_path = Path.relative_path(actual_path) + relative_path.sub!(/^files\//, '') # remove "files/" prefix @node.file_paths << relative_path - @node.manager.provider.hiera_sync_destination + '/' + relative_path + File.join(Leap::Platform.files_dir, relative_path) end end diff --git a/provider_base/lib/macros/keys.rb b/provider_base/lib/macros/keys.rb new file mode 100644 index 00000000..ea4c3df2 --- /dev/null +++ b/provider_base/lib/macros/keys.rb @@ -0,0 +1,82 @@ +# encoding: utf-8 + +# +# Macro for dealing with cryptographic keys +# + +module LeapCli + module Macro + + # + # return the path to the tor public key + # generating key if it is missing + # + def tor_public_key_path(path_name, key_type) + path = file_path(path_name) + if path.nil? + generate_tor_key(key_type) + file_path(path_name) + else + path + end + end + + # + # return the path to the tor private key + # generating key if it is missing + # + def tor_private_key_path(path_name, key_type) + path = file_path(path_name) + if path.nil? + generate_tor_key(key_type) + file_path(path_name) + else + path + end + end + + # + # on the command line an onion address can be created + # from an rsa public key using this: + # + # base64 -d < ./pubkey | sha1sum | awk '{print $1}' | + # perl -e '$l=<>; chomp $l; print pack("H*", $l)' | + # python -c 'import base64, sys; t=sys.stdin.read(); print base64.b32encode(t[:10]).lower()' + # + # path_name is the named path of the tor public key. + # + def onion_address(path_name) + require 'base32' + require 'base64' + require 'openssl' + path = Path.find_file([path_name, self.name]) + if path && File.exists?(path) + public_key_str = File.readlines(path).grep(/^[^-]/).join + public_key = Base64.decode64(public_key_str) + sha1sum_string = Digest::SHA1.new.hexdigest(public_key) + sha1sum_binary = [sha1sum_string].pack('H*') + Base32.encode(sha1sum_binary.slice(0,10)).downcase + else + LeapCli.log :warning, 'Tor public key file "%s" does not exist' % tor_public_key_path + end + end + + private + + def generate_tor_key(key_type) + if key_type == 'RSA' + require 'certificate_authority' + keypair = CertificateAuthority::MemoryKeyMaterial.new + bit_size = 1024 + LeapCli.log :generating, "%s bit RSA Tor key" % bit_size do + keypair.generate_key(bit_size) + LeapCli::Util.write_file! [:node_tor_priv_key, self.name], keypair.private_key.to_pem + LeapCli::Util.write_file! [:node_tor_pub_key, self.name], keypair.public_key.to_pem + end + else + LeapCli.bail! 'tor.key.type of %s is not yet supported' % key_type + end + end + + end +end diff --git a/provider_base/provider.json b/provider_base/provider.json index 743964ee..9ef0f76a 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -44,7 +44,7 @@ "digest": "SHA256", "life_span": "10y", "server_certificates": { - "bit_size": 2048, + "bit_size": 4096, "digest": "SHA256", "life_span": "1y" }, @@ -56,7 +56,6 @@ "unlimited_prefix": "UNLIMITED" } }, - "hiera_sync_destination": "/etc/leap", "client_version": { "min": "0.5", "max": null diff --git a/provider_base/services/_couchdb_multimaster.json b/provider_base/services/_couchdb_multimaster.json index 8c433188..0f340e00 100644 --- a/provider_base/services/_couchdb_multimaster.json +++ b/provider_base/services/_couchdb_multimaster.json @@ -8,8 +8,8 @@ "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)" }, "clients": { - "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], couch.bigcouch.epmd_port)", - "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], couch.bigcouch.ednp_port)" + "epmd_clients": "= stunnel_client(nodes_like_me['services' => 'couchdb']['couch.mode' => 'multimaster'], couch.bigcouch.epmd_port)", + "ednp_clients": "= stunnel_client(nodes_like_me['services' => 'couchdb']['couch.mode' => 'multimaster'], couch.bigcouch.ednp_port)" } }, "couch": { @@ -18,7 +18,7 @@ "epmd_port": 4369, "ednp_port": 9002, "cookie": "= secret :bigcouch_cookie", - "neighbors": "= nodes_like_me['services' => 'couchdb']['couch.master' => true].exclude(self).field('domain.full')" + "neighbors": "= nodes_like_me['services' => 'couchdb']['couch.mode' => 'multimaster'].exclude(self).field('domain.full')" } } } diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index c24724bf..56ca015b 100644 --- a/provider_base/services/monitor.json +++ b/provider_base/services/monitor.json @@ -1,6 +1,7 @@ { "nagios": { "nagiosadmin_pw": "= secret :nagios_admin_password", + "domains_internal": "= global.tags.field('domain.internal_suffix').compact.uniq", "hosts": "= (self.environment == 'local' ? nodes_like_me : nodes[:environment => '!local']).pick_fields('domain.internal', 'domain.full_suffix', 'ip_address', 'services', 'openvpn.gateway_address', 'ssh.port')" }, "hosts": "= self.environment == 'local' ? hosts_file(nodes_like_me) : hosts_file(nodes[:environment => '!local'])", diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 1906244c..11cb0dc2 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -24,7 +24,8 @@ "auth": "SHA1", "cipher": "AES-128-CBC", "keepalive": "10 30", - "tun-ipv6": true + "tun-ipv6": true, + "fragment": 1500 } }, "obfsproxy": { diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json index fc365a19..55d3d2ee 100644 --- a/provider_base/services/tor.json +++ b/provider_base/services/tor.json @@ -3,6 +3,13 @@ "bandwidth_rate": 6550, "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten", "nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]", - "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')" + "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')", + "hidden_service": { + "active": null, + "key_type": "RSA", + "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type) if tor.hidden_service.active", + "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type) if tor.hidden_service.active", + "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service.active" + } } } diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 3af0dade..67744f99 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -1,6 +1,7 @@ { "webapp": { "admins": [], + "forbidden_usernames": ["admin", "administrator", "arin-admin", "certmaster", "contact", "info", "maildrop", "postmaster", "ssladmin", "www-data"], "domain": "= domain.full_suffix", "modules": ["user", "billing", "help"], "couchdb_webapp_user": { @@ -21,7 +22,7 @@ "secure": false, "git": { "source": "https://leap.se/git/leap_web", - "revision": "origin/master" + "revision": "origin/version/0.6" }, "client_version": "= provider.client_version", "nagios_test_user": { diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb -Subproject f01b3586215bdc10f0067fa0f6d940be8e88bce +Subproject 4c0d5673df02fe42e1bbadfee7d4ea1ca1f88e9 diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 3360ac59..e4732289 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -2,18 +2,20 @@ ServerName <%= api_domain %> RewriteEngine On RewriteRule ^.*$ https://<%= api_domain -%>:<%= api_port -%>%{REQUEST_URI} [R=permanent,L] + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common </VirtualHost> Listen 0.0.0.0:<%= api_port %> <VirtualHost *:<%= api_port -%>> ServerName <%= api_domain %> + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLEngine on - SSLProtocol all -SSLv2 + SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index ed430510..a9733a97 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -3,18 +3,20 @@ ServerAlias www.<%= domain %> RewriteEngine On RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common </VirtualHost> <VirtualHost *:443> ServerName <%= domain_name %> ServerAlias <%= domain %> ServerAlias www.<%= domain %> + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLEngine on - SSLProtocol all -SSLv2 + SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb new file mode 100644 index 00000000..0c6f3b8e --- /dev/null +++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb @@ -0,0 +1,33 @@ +<VirtualHost 127.0.0.1:80> + ServerName <%= tor_domain %> + + <IfModule mod_headers.c> + Header always unset X-Powered-By + Header always unset X-Runtime + </IfModule> + +<% if (defined? @services) and (@services.include? 'webapp') -%> + DocumentRoot /srv/leap/webapp/public + + RewriteEngine On + # Check for maintenance file and redirect all requests + RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.html + RewriteCond %{REQUEST_URI} !/images/maintenance.jpg + RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] + + # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt + AllowEncodedSlashes on + PassengerAllowEncodedSlashes on + PassengerFriendlyErrorPages off + SetEnv TMPDIR /var/tmp + + # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) + <Location /assets/> + Header unset ETag + FileETag None + ExpiresActive On + ExpiresDefault "access plus 1 year" + </Location> +<% end -%> +</VirtualHost> diff --git a/puppet/modules/site_apt/files/Debian/50unattended-upgrades b/puppet/modules/site_apt/files/Debian/50unattended-upgrades new file mode 100644 index 00000000..f2f574fc --- /dev/null +++ b/puppet/modules/site_apt/files/Debian/50unattended-upgrades @@ -0,0 +1,16 @@ +// this file is managed by puppet ! + +Unattended-Upgrade::Allowed-Origins { + "${distro_id}:stable"; + "${distro_id}:${distro_codename}-security"; + "${distro_id}:${distro_codename}-updates"; + "${distro_id} Backports:${distro_codename}-backports"; + "leap.se:stable"; +}; + +APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Download-Upgradeable-Packages "1"; +APT::Periodic::Unattended-Upgrade "1"; + +Unattended-Upgrade::Mail "root"; +Unattended-Upgrade::MailOnlyOnError "true"; diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 9facf4cc..633ccf1e 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -1,4 +1,4 @@ -class site_apt { +class site_apt { class { 'apt': custom_key_dir => 'puppet:///modules/site_apt/keys' @@ -11,7 +11,7 @@ class site_apt { content => 'Acquire::PDiffs "false";'; } - include ::apt::unattended_upgrades + include ::site_apt::unattended_upgrades apt::sources_list { 'secondary.list.disabled': content => template('site_apt/secondary.list'); diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 6b3d9919..2d4ba0e1 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -1,6 +1,9 @@ class site_apt::leap_repo { + $platform = hiera_hash('platform') + $major_version = $platform['major_version'] + apt::sources_list { 'leap.list': - content => 'deb http://deb.leap.se/debian stable main', + content => "deb http://deb.leap.se/${major_version} wheezy main\n", before => Exec[refresh_apt] } diff --git a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp index 132a6e24..bfeaa7da 100644 --- a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp +++ b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp @@ -1,9 +1,13 @@ class site_apt::preferences::rsyslog { - apt::preferences_snippet { 'rsyslog_anon_depends': - package => 'libestr0 librelp0 rsyslog*', - priority => '999', - pin => 'release a=wheezy-backports', - before => Class['rsyslog::install'] + apt::preferences_snippet { + 'rsyslog_anon_depends': + package => 'libestr0 librelp0 rsyslog*', + priority => '999', + pin => 'release a=wheezy-backports', + before => Class['rsyslog::install']; + + 'fixed_rsyslog_anon_package': + ensure => absent; } } diff --git a/puppet/modules/site_apt/manifests/unattended_upgrades.pp b/puppet/modules/site_apt/manifests/unattended_upgrades.pp new file mode 100644 index 00000000..daebffab --- /dev/null +++ b/puppet/modules/site_apt/manifests/unattended_upgrades.pp @@ -0,0 +1,10 @@ +class site_apt::unattended_upgrades inherits apt::unattended_upgrades { + # override unattended-upgrades package resource to make sure + # that it is upgraded on every deploy (#6245) + + include ::apt::unattended_upgrades + + Package['unattended-upgrades'] { + ensure => latest + } +} diff --git a/puppet/modules/site_check_mk/files/host_contactgroups.mk b/puppet/modules/site_check_mk/files/host_contactgroups.mk new file mode 100644 index 00000000..e89323fb --- /dev/null +++ b/puppet/modules/site_check_mk/files/host_contactgroups.mk @@ -0,0 +1,3 @@ +host_contactgroups = [ + ( "admins", ALL_HOSTS ), +] diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index e544ef0d..388ae94b 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -5,11 +5,12 @@ class site_check_mk::server { $type = $ssh_hash['authorized_keys']['monitor']['type'] $seckey = $ssh_hash['monitor']['private_key'] - $nagios_hiera = hiera_hash('nagios') - $nagios_hosts = $nagios_hiera['hosts'] + $nagios_hiera = hiera_hash('nagios') + $nagios_hosts = $nagios_hiera['hosts'] - $hosts = hiera_hash('hosts') - $all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%>"<%= @hosts[key]["domain_internal"] %>", <% end -%>') + $hosts = hiera_hash('hosts') + $all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%>"<%= @hosts[key]["domain_internal"] %>", <% end -%>') + $domains_internal = $nagios_hiera['domains_internal'] package { 'check-mk-server': ensure => installed, @@ -35,6 +36,14 @@ class site_check_mk::server { content => template('site_check_mk/use_ssh.mk'), notify => Exec['check_mk-refresh'], require => Package['check-mk-server']; + '/etc/check_mk/conf.d/hostgroups.mk': + content => template('site_check_mk/hostgroups.mk'), + notify => Exec['check_mk-refresh'], + require => Package['check-mk-server']; + '/etc/check_mk/conf.d/host_contactgroups.mk': + source => 'puppet:///modules/site_check_mk/host_contactgroups.mk', + notify => Exec['check_mk-refresh'], + require => Package['check-mk-server']; '/etc/check_mk/all_hosts_static': content => $all_hosts, notify => Exec['check_mk-refresh'], @@ -59,6 +68,5 @@ class site_check_mk::server { require => Package['nagios-plugins-basic']; } - include check_mk::agent::local_checks } diff --git a/puppet/modules/site_check_mk/templates/hostgroups.mk b/puppet/modules/site_check_mk/templates/hostgroups.mk new file mode 100644 index 00000000..79b7f92f --- /dev/null +++ b/puppet/modules/site_check_mk/templates/hostgroups.mk @@ -0,0 +1,4 @@ +host_groups = [ + <% @domains_internal.each do |domain| %>( '<%= domain %>', [<% @nagios_hosts.keys.sort.each do |key| -%><% if @nagios_hosts[key]['domain_internal'] == key+'.'+domain -%>'<%= key %>.<%= domain %>', <% end -%><% end -%>] ), + <% end -%> +] diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 42359a00..a20ffc3b 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -56,10 +56,10 @@ class site_config::default { include site_postfix::satellite } - # if class site_custom exists, include it. + # if class custom exists, include it. # possibility for users to define custom puppet recipes - if defined( '::site_custom') { - include ::site_custom + if defined( '::custom') { + include ::custom } include site_check_mk::agent diff --git a/puppet/modules/site_couchdb/files/runit_config b/puppet/modules/site_couchdb/files/runit_config new file mode 100644 index 00000000..169b4832 --- /dev/null +++ b/puppet/modules/site_couchdb/files/runit_config @@ -0,0 +1,6 @@ +#!/bin/bash +exec 2>&1 +export HOME=/home/bigcouch +ulimit -H -n 32768 +ulimit -S -n 32768 +exec chpst -u bigcouch /opt/bigcouch/bin/bigcouch diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp index d3352000..82c85b52 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp @@ -1,12 +1,12 @@ class site_couchdb::bigcouch { - $config = $couchdb_config['bigcouch'] + $config = $::site_couchdb::couchdb_config['bigcouch'] $cookie = $config['cookie'] $ednp_port = $config['ednp_port'] class { 'couchdb': - admin_pw => $couchdb_admin_pw, - admin_salt => $couchdb_admin_salt, + admin_pw => $::site_couchdb::couchdb_admin_pw, + admin_salt => $::site_couchdb::couchdb_admin_salt, bigcouch => true, bigcouch_cookie => $cookie, ednp_port => $ednp_port, @@ -20,7 +20,7 @@ class site_couchdb::bigcouch { -> Class['site_config::resolvconf'] -> Class['couchdb::bigcouch::package::cloudant'] -> Service['shorewall'] - -> Service['stunnel'] + -> Exec['refresh_stunnel'] -> Class['site_couchdb::setup'] -> Class['site_couchdb::bigcouch::add_nodes'] -> Class['site_couchdb::bigcouch::settle_cluster'] @@ -32,4 +32,14 @@ class site_couchdb::bigcouch { file { '/var/log/bigcouch': ensure => directory } + + file { '/etc/sv/bigcouch/run': + ensure => present, + source => 'puppet:///modules/site_couchdb/runit_config', + owner => root, + group => root, + mode => '0755', + require => Package['couchdb'], + notify => Service['couchdb'] + } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 5a4fb936..a11f6309 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -42,13 +42,13 @@ class site_couchdb { $couchdb_backup = $couchdb_config['backup'] $couchdb_mode = $couchdb_config['mode'] - if $couchdb_mode == "multimaster" { include site_couchdb::bigcouch } - if $couchdb_mode == "master" { include site_couchdb::master } - if $couchdb_mode == "mirror" { include site_couchdb::mirror } + if $couchdb_mode == 'multimaster' { include site_couchdb::bigcouch } + if $couchdb_mode == 'master' { include site_couchdb::master } + if $couchdb_mode == 'mirror' { include site_couchdb::mirror } Class['site_config::default'] -> Service['shorewall'] - -> Service['stunnel'] + -> Exec['refresh_stunnel'] -> Class['couchdb'] -> Class['site_couchdb::setup'] diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 85443917..b195c880 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -3,12 +3,19 @@ class site_nagios::server inherits nagios::base { # First, purge old nagios config (see #1467) class { 'site_nagios::server::purge': } - $nagios_hiera = hiera('nagios') - $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) - $nagios_hosts = $nagios_hiera['hosts'] + $nagios_hiera = hiera('nagios') + $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) + $nagios_hosts = $nagios_hiera['hosts'] + $domains_internal = $nagios_hiera['domains_internal'] - include nagios::defaults include nagios::base + include nagios::defaults::commands + include nagios::defaults::contactgroups + include nagios::defaults::contacts + include nagios::defaults::templates + include nagios::defaults::timeperiods + include nagios::defaults::plugins + class {'nagios': # don't manage apache class from nagios, cause we already include # it in site_apache::common @@ -55,4 +62,6 @@ class site_nagios::server inherits nagios::base { 'set missingok missingok', 'set ifempty notifempty', 'set copytruncate copytruncate' ] } + + ::site_nagios::server::hostgroup { $domains_internal: } } diff --git a/puppet/modules/site_nagios/manifests/server/hostgroup.pp b/puppet/modules/site_nagios/manifests/server/hostgroup.pp new file mode 100644 index 00000000..035ba7d1 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/server/hostgroup.pp @@ -0,0 +1,3 @@ +define site_nagios::server::hostgroup { + nagios_hostgroup { $name: } +} diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb index ae06410e..56a8d9f6 100644 --- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb @@ -9,9 +9,10 @@ Listen 0.0.0.0:<%= @nickserver_port -%> ServerAlias <%= @address_domain %> SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on + SSLCompression off + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt diff --git a/puppet/modules/site_obfsproxy/manifests/init.pp b/puppet/modules/site_obfsproxy/manifests/init.pp index 40b7fba8..6275ebee 100644 --- a/puppet/modules/site_obfsproxy/manifests/init.pp +++ b/puppet/modules/site_obfsproxy/manifests/init.pp @@ -11,13 +11,13 @@ class site_obfsproxy { $dest_ip = $obfsproxy['gateway_address'] $dest_port = '443' - if $::services =~ /\bopenvpn\b/ { - $openvpn = hiera('openvpn') - $bind_address = $openvpn['gateway_address'] - } - elsif $::services =~ /\bobfsproxy\b/ { - $bind_address = hiera('ip_address') - } + if member($::services, 'openvpn') { + $openvpn = hiera('openvpn') + $bind_address = $openvpn['gateway_address'] + } + elsif member($::services, 'obfsproxy') { + $bind_address = hiera('ip_address') + } include site_apt::preferences::twisted include site_apt::preferences::obfsproxy diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index b6331f12..d6f9150b 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -148,13 +148,17 @@ class site_openvpn { exec { 'restart_openvpn': command => '/etc/init.d/openvpn restart', refreshonly => true, - subscribe => File['/etc/openvpn'], + subscribe => [ + File['/etc/openvpn'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca_bundle'] ], require => [ - Package['openvpn'], - File['/etc/openvpn'], - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca_bundle'] ]; + Package['openvpn'], + File['/etc/openvpn'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca_bundle'] ]; } cron { 'add_gateway_ips.sh': diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 97cf2842..466f6d00 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -85,6 +85,18 @@ define site_openvpn::server_config( key => 'tcp-nodelay', server => $openvpn_configname; } + } elsif $proto == 'udp' { + if $config['fragment'] != 1500 { + openvpn::option { + "fragment ${openvpn_configname}": + key => 'fragment', + value => $config['fragment'], + server => $openvpn_configname; + "mssfix ${openvpn_configname}": + key => 'mssfix', + server => $openvpn_configname; + } + } } openvpn::option { diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index aa298408..f9fbe950 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -4,41 +4,45 @@ define site_shorewall::dnat_rule { if $port != 1194 { if $site_openvpn::openvpn_allow_unlimited { shorewall::rule { - "dnat_tcp_port_$port": + "dnat_tcp_port_${port}": action => 'DNAT', source => 'net', destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", proto => 'tcp', destinationport => $port, + originaldest => $site_openvpn::unlimited_gateway_address, order => 100; } shorewall::rule { - "dnat_udp_port_$port": + "dnat_udp_port_${port}": action => 'DNAT', source => 'net', destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", proto => 'udp', destinationport => $port, + originaldest => $site_openvpn::unlimited_gateway_address, order => 100; } } if $site_openvpn::openvpn_allow_limited { shorewall::rule { - "dnat_free_tcp_port_$port": + "dnat_free_tcp_port_${port}": action => 'DNAT', source => 'net', destination => "\$FW:${site_openvpn::limited_gateway_address}:1194", proto => 'tcp', destinationport => $port, + originaldest => $site_openvpn::unlimited_gateway_address, order => 100; } shorewall::rule { - "dnat_free_udp_port_$port": + "dnat_free_udp_port_${port}": action => 'DNAT', source => 'net', destination => "\$FW:${site_openvpn::limited_gateway_address}:1194", proto => 'udp', destinationport => $port, + originaldest => $site_openvpn::unlimited_gateway_address, order => 100; } } diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 9a05b6ed..1da2f1d5 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -53,7 +53,7 @@ class site_sshd { ## class { '::sshd': manage_nagios => false, - ports => $ssh['port'], + ports => [ $ssh['port'] ], use_pam => 'yes', hardened_ssl => 'yes', print_motd => 'no', diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 07ac481d..9b516a10 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -46,10 +46,10 @@ #RewriteLogLevel 3 SSLEngine on - SSLProtocol all -SSLv2 + SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" <%- if @tls_only -%> Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" diff --git a/puppet/modules/site_stunnel/manifests/client.pp b/puppet/modules/site_stunnel/manifests/client.pp index 12d664b4..3b10ecb8 100644 --- a/puppet/modules/site_stunnel/manifests/client.pp +++ b/puppet/modules/site_stunnel/manifests/client.pp @@ -35,10 +35,7 @@ define site_stunnel::client ( pid => "/var/run/stunnel4/${pid}.pid", rndfile => $rndfile, debuglevel => $debuglevel, - subscribe => [ - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca'] ]; + sslversion => 'TLSv1'; } site_shorewall::stunnel::client { $name: diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp index b292f1cd..2e0cf5b8 100644 --- a/puppet/modules/site_stunnel/manifests/init.pp +++ b/puppet/modules/site_stunnel/manifests/init.pp @@ -28,5 +28,7 @@ class site_stunnel { $clients = $stunnel['clients'] $client_sections = keys($clients) site_stunnel::clients { $client_sections: } + + include site_stunnel::override_service } diff --git a/puppet/modules/site_stunnel/manifests/override_service.pp b/puppet/modules/site_stunnel/manifests/override_service.pp new file mode 100644 index 00000000..96187048 --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/override_service.pp @@ -0,0 +1,13 @@ +class site_stunnel::override_service inherits stunnel::debian { + + include site_config::x509::cert + include site_config::x509::key + include site_config::x509::ca + + Service[stunnel] { + subscribe => [ + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca'] ] + } +} diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp index b1da5c59..b6fac319 100644 --- a/puppet/modules/site_stunnel/manifests/servers.pp +++ b/puppet/modules/site_stunnel/manifests/servers.pp @@ -35,10 +35,7 @@ define site_stunnel::servers ( pid => "/var/run/stunnel4/${pid}.pid", rndfile => '/var/lib/stunnel4/.rnd', debuglevel => $debuglevel, - require => [ - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca'] ]; + sslversion => 'TLSv1'; } # allow incoming connections on $accept_port diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index e62cb12d..d14e813d 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -11,23 +11,31 @@ class site_tor { $address = hiera('ip_address') + $openvpn = hiera('openvpn', undef) + if $openvpn { + $openvpn_ports = $openvpn['ports'] + } + else { + $openvpn_ports = [] + } + class { 'tor::daemon': } tor::daemon::relay { $nickname: - port => 9001, - address => $address, - contact_info => obfuscate_email($contact_emails), - bandwidth_rate => $bandwidth_rate, - my_family => $family + port => 9001, + address => $address, + contact_info => obfuscate_email($contact_emails), + bandwidth_rate => $bandwidth_rate, + my_family => $family } if ( $tor_type == 'exit'){ - tor::daemon::directory { $::hostname: port => 80 } + # Only enable the daemon directory if the node isn't also a webapp node + # or running openvpn on port 80 + if ! member($::services, 'webapp') and ! member($openvpn_ports, '80') { + tor::daemon::directory { $::hostname: port => 80 } + } } else { - tor::daemon::directory { $::hostname: - port => 80, - port_front_page => ''; - } include site_tor::disable_exit } diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp new file mode 100644 index 00000000..ac0e8a37 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp @@ -0,0 +1,43 @@ +class site_webapp::hidden_service { + $tor = hiera('tor') + $hidden_service = $tor['hidden_service'] + $tor_domain = "${hidden_service['address']}.onion" + + include site_apache::common + include site_apache::module::headers + include site_apache::module::alias + include site_apache::module::expires + include site_apache::module::removeip + + include tor::daemon + tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' } + + file { + '/var/lib/tor/webapp/': + ensure => directory, + owner => 'debian-tor', + group => 'debian-tor', + mode => '2700'; + + '/var/lib/tor/webapp/private_key': + ensure => present, + source => '/srv/leap/files/nodes/web/tor.key', + owner => 'debian-tor', + group => 'debian-tor', + mode => '0600'; + + '/var/lib/tor/webapp/hostname': + ensure => present, + content => $tor_domain, + owner => 'debian-tor', + group => 'debian-tor', + mode => '0600'; + } + + apache::vhost::file { + 'hidden_service': + content => template('site_apache/vhosts.d/hidden_service.conf.erb') + } + + include site_shorewall::tor +}
\ No newline at end of file diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 17b010f3..752993c1 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -10,6 +10,7 @@ class site_webapp { $webapp = hiera('webapp') $api_version = $webapp['api_version'] $secret_token = $webapp['secret_token'] + $tor = hiera('tor', false) Class['site_config::default'] -> Class['site_webapp'] @@ -157,6 +158,13 @@ class site_webapp { notify => Service['apache']; } + if $tor { + $hidden_service = $tor['hidden_service'] + if $hidden_service['active'] { + include site_webapp::hidden_service + } + } + include site_shorewall::webapp include site_check_mk::agent::webapp } diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 9205438b..0c75f3ca 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -19,6 +19,7 @@ production: default_service_level: "<%= @webapp['default_service_level'] %>" service_levels: <%= @webapp['service_levels'].to_json %> allow_registration: <%= @webapp['allow_registration'].inspect %> + handle_blacklist: <%= @webapp['forbidden_usernames'].inspect %> <%- if @webapp['engines'] && @webapp['engines'].any? -%> engines: <%- @webapp['engines'].each do |engine| -%> diff --git a/puppet/modules/sshd b/puppet/modules/sshd -Subproject 5c23b33200fc6229ada7f4e13672b5da0d4bdd8 +Subproject 750a497758d94c2f5a6cad23cecc3dbde2d2f92 diff --git a/tests/README.md b/tests/README.md index debbf700..814c25b1 100644 --- a/tests/README.md +++ b/tests/README.md @@ -1,12 +1,25 @@ -This directory contains to kinds of tests: +Tests +--------------------------------- -White Box Tests -================================ +tests/white-box/ -These tests are run on the server as superuser. They are for troubleshooting any problems with the internal setup of the server. + These tests are run on the server as superuser. They are for + troubleshooting any problems with the internal setup of the server. -Black Box Tests -================================ +tests/black-box/ + + These test are run the user's local machine. They are for troubleshooting + any external problems with the service exposed by the server. + +Additional Files +--------------------------------- + +tests/helpers/ + + Utility functions made available to all tests. + +tests/order.rb + + Configuration file to specify which nodes should be tested in which order. -These test are run the user's local machine. They are for troubleshooting any external problems with the service exposed by the server. diff --git a/tests/helpers/couchdb_helper.rb b/tests/helpers/couchdb_helper.rb new file mode 100644 index 00000000..d4d3c0e0 --- /dev/null +++ b/tests/helpers/couchdb_helper.rb @@ -0,0 +1,103 @@ +class LeapTest + + # + # generates a couchdb url for when couchdb is running + # remotely and is available via stunnel. + # + # example properties: + # + # stunnel: + # clients: + # couch_client: + # couch1_5984: + # accept_port: 4000 + # connect: couch1.bitmask.i + # connect_port: 15984 + # + def couchdb_urls_via_stunnel(path="", options=nil) + if options && options[:username] && options[:password] + userpart = "%{username}:%{password}@" % options + else + userpart = "" + end + assert_property('stunnel.clients.couch_client').values.collect do |stunnel_conf| + assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.' + URLString.new("http://#{userpart}localhost:#{port}#{path}").tap {|url| + remote_ip_address = TCPSocket.gethostbyname(stunnel_conf['connect']).last + url.memo = "(via stunnel to %s:%s, aka %s)" % [stunnel_conf['connect'], stunnel_conf['connect_port'], remote_ip_address] + } + end + end + + # + # generates a couchdb url for accessing couchdb via haproxy + # + # example properties: + # + # haproxy: + # couch: + # listen_port: 4096 + # servers: + # panda: + # backup: false + # host: localhost + # port: 4000 + # weight: 100 + # writable: true + # + def couchdb_url_via_haproxy(path="", options=nil) + if options && options[:username] && options[:password] + userpart = "%{username}:%{password}@" % options + else + userpart = "" + end + port = assert_property('haproxy.couch.listen_port') + return URLString.new("http://#{userpart}localhost:#{port}#{path}").tap { |url| + url.memo = '(via haproxy)' + } + end + + # + # generates a couchdb url for when couchdb is running locally. + # + # example properties: + # + # couch: + # port: 5984 + # + def couchdb_url_via_localhost(path="", options=nil) + port = (options && options[:port]) || assert_property('couch.port') + if options && options[:username] + password = property("couch.users.%{username}.password" % options) + userpart = "%s:%s@" % [options[:username], password] + else + userpart = "" + end + return URLString.new("http://#{userpart}localhost:#{port}#{path}").tap { |url| + url.memo = '(via direct localhost connection)' + } + end + + # + # returns a single url for accessing couchdb + # + def couchdb_url(path="", options=nil) + if property('couch.port') + couchdb_url_via_localhost(path, options) + elsif property('stunnel.clients.couch_client') + couchdb_urls_via_stunnel(path, options).first + end + end + + # + # returns an array of urls for accessing couchdb + # + def couchdb_urls(path="", options=nil) + if property('couch.port') + [couchdb_url_via_localhost(path, options)] + elsif property('stunnel.clients.couch_client') + couchdb_urls_via_stunnel(path, options) + end + end + +end
\ No newline at end of file diff --git a/tests/helpers/files_helper.rb b/tests/helpers/files_helper.rb new file mode 100644 index 00000000..d6795889 --- /dev/null +++ b/tests/helpers/files_helper.rb @@ -0,0 +1,54 @@ +class LeapTest + + # + # Matches the regexp in the file, and returns the first matched string (or fails if no match). + # + def file_match(filename, regexp) + if match = File.read(filename).match(regexp) + match.captures.first + else + fail "Regexp #{regexp.inspect} not found in file #{filename.inspect}." + end + end + + # + # Matches the regexp in the file, and returns array of matched strings (or fails if no match). + # + def file_matches(filename, regexp) + if match = File.read(filename).match(regexp) + match.captures + else + fail "Regexp #{regexp.inspect} not found in file #{filename.inspect}." + end + end + + # + # checks to make sure the given property path exists in $node (e.g. hiera.yaml) + # and returns the value + # + def assert_property(property) + latest = $node + property.split('.').each do |segment| + latest = latest[segment] + fail "Required node property `#{property}` is missing." if latest.nil? + end + return latest + end + + # + # a handy function to get the value of a long property path + # without needing to test the existance individually of each part + # in the tree. + # + # e.g. property("stunnel.clients.couch_client") + # + def property(property) + latest = $node + property.split('.').each do |segment| + latest = latest[segment] + return nil if latest.nil? + end + return latest + end + +end
\ No newline at end of file diff --git a/tests/helpers/http_helper.rb b/tests/helpers/http_helper.rb new file mode 100644 index 00000000..c941ef63 --- /dev/null +++ b/tests/helpers/http_helper.rb @@ -0,0 +1,145 @@ +require 'net/http' + +class LeapTest + + # + # In order to easily provide detailed error messages, it is useful + # to append a memo to a url string that details what this url is for + # (e.g. stunnel, haproxy, etc). + # + # So, the url happens to be a UrlString, the memo field is used + # if there is an error in assert_get. + # + class URLString < String + attr_accessor :memo + end + + # + # aliases for http_send() + # + def get(url, params=nil, options=nil, &block) + http_send("GET", url, params, options, &block) + end + def delete(url, params=nil, options=nil, &block) + http_send("DELETE", url, params, options, &block) + end + def post(url, params=nil, options=nil, &block) + http_send("POST", url, params, options, &block) + end + def put(url, params=nil, options=nil, &block) + http_send("PUT", url, params, options, &block) + end + + # + # send a GET, DELETE, POST, or PUT + # yields |body, response, error| + # + def http_send(method, url, params=nil, options=nil) + options ||= {} + response = nil + + # build uri + uri = URI(url) + if params && (method == 'GET' || method == 'DELETE') + uri.query = URI.encode_www_form(params) + end + + # build http + http = Net::HTTP.new uri.host, uri.port + if uri.scheme == 'https' + http.verify_mode = OpenSSL::SSL::VERIFY_NONE + http.use_ssl = true + end + + # build request + request = build_request(method, uri, params, options) + + # make http request + http.start do |agent| + response = agent.request(request) + yield response.body, response, nil + end + rescue => exc + yield nil, response, exc + end + + # + # Aliases for assert_http_send() + # + def assert_get(url, params=nil, options=nil, &block) + assert_http_send("GET", url, params, options, &block) + end + def assert_delete(url, params=nil, options=nil, &block) + assert_http_send("DELETE", url, params, options, &block) + end + def assert_post(url, params=nil, options=nil, &block) + assert_http_send("POST", url, params, options, &block) + end + def assert_put(url, params=nil, options=nil, &block) + assert_http_send("PUT", url, params, options, &block) + end + + # + # calls http_send, yielding results if successful or failing with + # descriptive infor otherwise. + # + def assert_http_send(method, url, params=nil, options=nil, &block) + options ||= {} + error_msg = options[:error_msg] || (url.respond_to?(:memo) ? url.memo : nil) + http_send(method, url, params, options) do |body, response, error| + if body && response && response.code.to_i >= 200 && response.code.to_i < 300 + if block + yield(body) if block.arity == 1 + yield(response, body) if block.arity == 2 + end + elsif response + fail ["Expected a 200 status code from #{url}, but got #{response.code} instead.", error_msg, body].compact.join("\n") + else + fail ["Expected a response from #{url}, but got \"#{error}\" instead.", error_msg, body].compact.join("\n"), error + end + end + end + + # + # only a warning for now, should be a failure in the future + # + def assert_auth_fail(url, params) + uri = URI(url) + get(url, params) do |body, response, error| + unless response.code.to_s == "401" + warn "Expected a '401 Unauthorized' response, but got #{response.code} instead (GET #{uri.request_uri} with username '#{uri.user}')." + return false + end + end + true + end + + private + + def build_request(method, uri, params, options) + request = case method + when "GET" then Net::HTTP::Get.new(uri.request_uri) + when "DELETE" then Net::HTTP::Delete.new(uri.request_uri) + when "POST" then Net::HTTP::Post.new(uri.request_uri) + when "PUT" then Net::HTTP::Put.new(uri.request_uri) + end + if uri.user + request.basic_auth uri.user, uri.password + end + if params && (method == 'POST' || method == 'PUT') + if options[:format] == :json || options[:format] == 'json' + request["Content-Type"] = "application/json" + request.body = params.to_json + else + request.set_form_data(params) if params + end + end + if options[:headers] + options[:headers].each do |key, value| + request[key] = value + end + end + request + end + +end
\ No newline at end of file diff --git a/tests/helpers/network_helper.rb b/tests/helpers/network_helper.rb new file mode 100644 index 00000000..ff92d382 --- /dev/null +++ b/tests/helpers/network_helper.rb @@ -0,0 +1,79 @@ +class LeapTest + + # + # tcp connection helper with timeout + # + def try_tcp_connect(host, port, timeout = 5) + addr = Socket.getaddrinfo(host, nil) + sockaddr = Socket.pack_sockaddr_in(port, addr[0][3]) + + Socket.new(Socket.const_get(addr[0][0]), Socket::SOCK_STREAM, 0).tap do |socket| + socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1) + begin + socket.connect_nonblock(sockaddr) + rescue IO::WaitReadable + if IO.select([socket], nil, nil, timeout) == nil + raise "Connection timeout" + else + socket.connect_nonblock(sockaddr) + end + rescue IO::WaitWritable + if IO.select(nil, [socket], nil, timeout) == nil + raise "Connection timeout" + else + socket.connect_nonblock(sockaddr) + end + end + return socket + end + end + + def try_tcp_write(socket, timeout = 5) + begin + socket.write_nonblock("\0") + rescue IO::WaitReadable + if IO.select([socket], nil, nil, timeout) == nil + raise "Write timeout" + else + retry + end + rescue IO::WaitWritable + if IO.select(nil, [socket], nil, timeout) == nil + raise "Write timeout" + else + retry + end + end + end + + def try_tcp_read(socket, timeout = 5) + begin + socket.read_nonblock(1) + rescue IO::WaitReadable + if IO.select([socket], nil, nil, timeout) == nil + raise "Read timeout" + else + retry + end + rescue IO::WaitWritable + if IO.select(nil, [socket], nil, timeout) == nil + raise "Read timeout" + else + retry + end + end + end + + def assert_tcp_socket(host, port, msg=nil) + begin + socket = try_tcp_connect(host, port, 1) + #try_tcp_write(socket,1) + #try_tcp_read(socket,1) + rescue StandardError => exc + fail ["Failed to open socket #{host}:#{port}", exc].join("\n") + ensure + socket.close if socket + end + end + +end
\ No newline at end of file diff --git a/tests/helpers/os_helper.rb b/tests/helpers/os_helper.rb new file mode 100644 index 00000000..529e899f --- /dev/null +++ b/tests/helpers/os_helper.rb @@ -0,0 +1,34 @@ +class LeapTest + + # + # works like pgrep command line + # return an array of hashes like so [{:pid => "1234", :process => "ls"}] + # + def pgrep(match) + output = `pgrep --full --list-name '#{match}'` + output.each_line.map{|line| + pid = line.split(' ')[0] + process = line.gsub(/(#{pid} |\n)/, '') + if process =~ /pgrep --full --list-name/ + nil + else + {:pid => pid, :process => process} + end + }.compact + end + + def assert_running(process) + assert pgrep(process).any?, "No running process for #{process}" + end + + # + # runs the specified command, failing on a non-zero exit status. + # + def assert_run(command) + output = `#{command}` + if $?.exitstatus != 0 + fail "Error running `#{command}`:\n#{output}" + end + end + +end
\ No newline at end of file diff --git a/tests/helpers/srp_helper.rb b/tests/helpers/srp_helper.rb new file mode 100644 index 00000000..9f4d7f5b --- /dev/null +++ b/tests/helpers/srp_helper.rb @@ -0,0 +1,171 @@ +# +# Here are some very stripped down helper methods for SRP, useful only for +# testing the client side. +# + +require 'digest' +require 'openssl' +require 'securerandom' + +module SRP + + ## + ## UTIL + ## + + module Util + PRIME_N = <<-EOS.split.join.hex +115b8b692e0e045692cf280b436735c77a5a9e8a9e7ed56c965f87db5b2a2ece3 + EOS + BIG_PRIME_N = <<-EOS.split.join.hex # 1024 bits modulus (N) +eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c25657 +6d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089da +d15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e5 +7ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb +06e3 + EOS + GENERATOR = 2 # g + + def hn_xor_hg + byte_xor_hex(sha256_int(BIG_PRIME_N), sha256_int(GENERATOR)) + end + + # a^n (mod m) + def modpow(a, n, m = BIG_PRIME_N) + r = 1 + while true + r = r * a % m if n[0] == 1 + n >>= 1 + return r if n == 0 + a = a * a % m + end + end + + # Hashes the (long) int args + def sha256_int(*args) + sha256_hex(*args.map{|a| "%02x" % a}) + end + + # Hashes the hex args + def sha256_hex(*args) + h = args.map{|a| a.length.odd? ? "0#{a}" : a }.join('') + sha256_str([h].pack('H*')) + end + + def sha256_str(s) + Digest::SHA2.hexdigest(s) + end + + def bigrand(bytes) + OpenSSL::Random.random_bytes(bytes).unpack("H*")[0] + end + + def multiplier + @muliplier ||= calculate_multiplier + end + + protected + + def calculate_multiplier + sha256_int(BIG_PRIME_N, GENERATOR).hex + end + + def byte_xor_hex(a, b) + a = [a].pack('H*') + b = [b].pack('H*') + a.bytes.each_with_index.map do |a_byte, i| + (a_byte ^ (b[i].ord || 0)).chr + end.join + end + end + + ## + ## SESSION + ## + + class Session + include SRP::Util + attr_accessor :user + attr_accessor :bb + + def initialize(user, aa=nil) + @user = user + @a = bigrand(32).hex + end + + def m + @m ||= sha256_hex(n_xor_g_long, login_hash, @user.salt.to_s(16), aa, bb, k) + end + + def aa + @aa ||= modpow(GENERATOR, @a).to_s(16) # A = g^a (mod N) + end + + protected + + # client: K = H( (B - kg^x) ^ (a + ux) ) + def client_secret + base = bb.hex + base -= modpow(GENERATOR, @user.private_key) * multiplier + base = base % BIG_PRIME_N + modpow(base, @user.private_key * u.hex + @a) + end + + def k + @k ||= sha256_int(client_secret) + end + + def n_xor_g_long + @n_xor_g_long ||= hn_xor_hg.bytes.map{|b| "%02x" % b.ord}.join + end + + def login_hash + @login_hash ||= sha256_str(@user.username) + end + + def u + @u ||= sha256_hex(aa, bb) + end + end + + ## + ## Dummy USER + ## + + class User + include SRP::Util + + attr_accessor :username + attr_accessor :password + attr_accessor :salt + attr_accessor :verifier + + def initialize + @username = "test_user_" + SecureRandom.urlsafe_base64(10).downcase.gsub(/[_-]/, '') + @password = "password_" + SecureRandom.urlsafe_base64(10) + @salt = bigrand(4).hex + @verifier = modpow(GENERATOR, private_key) + end + + def private_key + @private_key ||= calculate_private_key + end + + def to_params + { + 'user[login]' => @username, + 'user[password_verifier]' => @verifier.to_s(16), + 'user[password_salt]' => @salt.to_s(16) + } + end + + private + + def calculate_private_key + shex = '%x' % [@salt] + inner = sha256_str([@username, @password].join(':')) + sha256_hex(shex, inner).hex + end + end + +end diff --git a/tests/order.rb b/tests/order.rb index ffa6ae4e..4468686f 100644 --- a/tests/order.rb +++ b/tests/order.rb @@ -3,6 +3,10 @@ class LeapCli::Config::Node # returns a list of node names that should be tested before this node. # make sure to not return ourselves (please no dependency loops!). # + # NOTE: this method determines the order that nodes are tested in. To specify + # the order of tests on a particular node, each test can call class method + # LeapTest.depends_on(). + # def test_dependencies dependents = LeapCli::Config::ObjectList.new unless services.include?('couchdb') diff --git a/tests/white-box/couchdb.rb b/tests/white-box/couchdb.rb index a5adb2bf..2788f4f7 100644 --- a/tests/white-box/couchdb.rb +++ b/tests/white-box/couchdb.rb @@ -1,4 +1,4 @@ -raise SkipTest unless $node["services"].include?("couchdb") +raise SkipTest unless service?(:couchdb) require 'json' @@ -52,7 +52,7 @@ class CouchDB < LeapTest # def test_03_Are_configured_nodes_online? return unless multimaster? - url = couchdb_url("/_membership", :user => 'admin') + url = couchdb_url("/_membership", :username => 'admin') assert_get(url) do |body| response = JSON.parse(body) nodes_configured_but_not_available = response['cluster_nodes'] - response['all_nodes'] @@ -71,7 +71,7 @@ class CouchDB < LeapTest def test_04_Do_ACL_users_exist? acl_users = ['_design/_auth', 'leap_mx', 'nickserver', 'soledad', 'tapicero', 'webapp', 'replication'] - url = couchdb_backend_url("/_users/_all_docs", :user => 'admin') + url = couchdb_backend_url("/_users/_all_docs", :username => 'admin') assert_get(url) do |body| response = JSON.parse(body) assert_equal acl_users.count, response['total_rows'] @@ -84,7 +84,7 @@ class CouchDB < LeapTest def test_05_Do_required_databases_exist? dbs_that_should_exist = ["customers","identities","keycache","sessions","shared","tickets","tokens","users"] dbs_that_should_exist.each do |db_name| - url = couchdb_url("/"+db_name, :user => 'admin') + url = couchdb_url("/"+db_name, :username => 'admin') assert_get(url) do |body| assert response = JSON.parse(body) assert_equal db_name, response['db_name'] @@ -102,50 +102,54 @@ class CouchDB < LeapTest #def test_06_Is_ACL_enforced? # ok = assert_auth_fail( - # couchdb_url('/users/_all_docs', :user => 'leap_mx'), + # couchdb_url('/users/_all_docs', :username => 'leap_mx'), # {:limit => 1} # ) # ok = assert_auth_fail( - # couchdb_url('/users/_all_docs', :user => 'leap_mx'), + # couchdb_url('/users/_all_docs', :username => 'leap_mx'), # {:limit => 1} # ) && ok # pass if ok #end - def test_07_What? + def test_07_Can_records_be_created? + token = Token.new + url = couchdb_url("/tokens", :username => 'admin') + assert_post(url, token, :format => :json) do |body| + assert response = JSON.parse(body), "POST response should be JSON" + assert response["ok"], "POST response should be OK" + assert_delete(File.join(url, response["id"]), :rev => response["rev"]) do |body| + assert response = JSON.parse(body), "DELETE response should be JSON" + assert response["ok"], "DELETE response should be OK" + end + end pass end private - def couchdb_url(path="", options=nil) - options||={} - @port ||= begin - assert_property 'couch.port' - $node['couch']['port'] - end - url = 'http://' - if options[:user] - assert_property 'couch.users.' + options[:user] - password = $node['couch']['users'][options[:user]]['password'] - url += "%s:%s@" % [options[:user], password] - end - url += "localhost:#{options[:port] || @port}#{path}" - url + def multimaster? + mode == "multimaster" end + def mode + assert_property('couch.mode') + end + + # TODO: admin port is hardcoded for now but should be configurable. def couchdb_backend_url(path="", options={}) - # TODO: admin port is hardcoded for now but should be configurable. options = {port: multimaster? && "5986"}.merge options couchdb_url(path, options) end - def multimaster? - mode == "multimaster" - end - - def mode - assert_property('couch.mode') + require 'securerandom' + require 'digest/sha2' + class Token < Hash + def initialize + self['token'] = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '') + self['_id'] = Digest::SHA512.hexdigest(self['token']) + self['last_seen_at'] = Time.now + end end end diff --git a/tests/white-box/mx.rb b/tests/white-box/mx.rb new file mode 100644 index 00000000..794a9a41 --- /dev/null +++ b/tests/white-box/mx.rb @@ -0,0 +1,50 @@ +raise SkipTest unless service?(:mx) + +require 'json' + +class Mx < LeapTest + depends_on "Network" + + def setup + end + + def test_01_Can_contact_couchdb? + dbs = ["identities"] + dbs.each do |db_name| + couchdb_urls("/"+db_name, url_options).each do |url| + assert_get(url) do |body| + assert response = JSON.parse(body) + assert_equal db_name, response['db_name'] + end + end + end + pass + end + + def test_02_Can_contact_couchdb_via_haproxy? + if property('haproxy.couch') + url = couchdb_url_via_haproxy("", url_options) + assert_get(url) do |body| + assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message." + end + pass + end + end + + def test_03_Are_MX_daemons_running? + assert_running 'leap_mx' + assert_running '/usr/lib/postfix/master' + assert_running '/usr/sbin/unbound' + pass + end + + private + + def url_options + { + :username => property('couchdb_leap_mx_user.username'), + :password => property('couchdb_leap_mx_user.password') + } + end + +end diff --git a/tests/white-box/openvpn.rb b/tests/white-box/openvpn.rb index 5eb2bdb5..23a40426 100644 --- a/tests/white-box/openvpn.rb +++ b/tests/white-box/openvpn.rb @@ -1,6 +1,6 @@ -raise SkipTest unless $node["services"].include?("openvpn") +raise SkipTest unless service?(:openvpn) -class Openvpn < LeapTest +class OpenVPN < LeapTest depends_on "Network" def setup diff --git a/tests/white-box/soledad.rb b/tests/white-box/soledad.rb new file mode 100644 index 00000000..5a13e4a6 --- /dev/null +++ b/tests/white-box/soledad.rb @@ -0,0 +1,17 @@ +raise SkipTest unless service?(:soledad) + +require 'json' + +class Soledad < LeapTest + depends_on "Network" + depends_on "CouchDB" if service?(:couchdb) + + def setup + end + + def test_00_Is_Soledad_running? + assert_running 'soledad' + pass + end + +end diff --git a/tests/white-box/webapp.rb b/tests/white-box/webapp.rb index 7df57fd7..2aa87403 100644 --- a/tests/white-box/webapp.rb +++ b/tests/white-box/webapp.rb @@ -1,58 +1,29 @@ -raise SkipTest unless $node["services"].include?("webapp") +raise SkipTest unless service?(:webapp) -require 'socket' +require 'json' class Webapp < LeapTest depends_on "Network" - HAPROXY_CONFIG = '/etc/haproxy/haproxy.cfg' - def setup end - # - # example properties: - # - # stunnel: - # clients: - # couch_client: - # couch1_5984: - # accept_port: 4000 - # connect: couch1.bitmask.i - # connect_port: 15984 - # def test_01_Can_contact_couchdb? - assert_property('stunnel.clients.couch_client') - $node['stunnel']['clients']['couch_client'].values.each do |stunnel_conf| - assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.' - local_stunnel_url = "http://localhost:#{port}" - remote_ip_address = TCPSocket.gethostbyname(stunnel_conf['connect']).last - msg = "(stunnel to %s:%s, aka %s)" % [stunnel_conf['connect'], stunnel_conf['connect_port'], remote_ip_address] - assert_get(local_stunnel_url, nil, error_msg: msg) do |body| - assert_match /"couchdb":"Welcome"/, body, "Request to #{local_stunnel_url} should return couchdb welcome message." - end + url = couchdb_url("", url_options) + assert_get(url) do |body| + assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message." end pass end - # - # example properties: - # - # haproxy: - # servers: - # couch1: - # backup: false - # host: localhost - # port: 4000 - # weight: 10 - # - def test_02_Is_haproxy_working? - port = file_match(HAPROXY_CONFIG, /^ bind localhost:(\d+)$/) - url = "http://localhost:#{port}" - assert_get(url) do |body| - assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message." + def test_02_Can_contact_couchdb_via_haproxy? + if property('haproxy.couch') + url = couchdb_url_via_haproxy("", url_options) + assert_get(url) do |body| + assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message." + end + pass end - pass end def test_03_Are_daemons_running? @@ -70,4 +41,94 @@ class Webapp < LeapTest pass end + def test_05_Can_create_user? + @@user = nil + user = SRP::User.new + url = api_url("/1/users.json") + assert_post(url, user.to_params) do |body| + assert response = JSON.parse(body), 'response should be JSON' + assert response['ok'], 'creating a user should be successful' + end + @@user = user + pass + end + + def test_06_Can_authenticate? + @@user_id = nil + @@session_token = nil + if @@user.nil? + skip "Depends on user creation" + else + url = api_url("/1/sessions.json") + session = SRP::Session.new(@@user) + params = {'login' => @@user.username, 'A' => session.aa} + assert_post(url, params) do |response, body| + cookie = response['Set-Cookie'].split(';').first + assert(response = JSON.parse(body), 'response should be JSON') + assert(bb = response["B"]) + session.bb = bb + url = api_url("/1/sessions/login.json") + params = {'client_auth' => session.m, 'A' => session.aa} + options = {:headers => {'Cookie' => cookie}} + assert_put(url, params, options) do |body| + assert(response = JSON.parse(body), 'response should be JSON') + assert(response['M2'], 'response should include M2') + assert(@@session_token = response['token'], 'response should include token') + assert(@@user_id = response['id'], 'response should include user id') + end + end + pass + end + end + + def test_07_Can_delete_user? + if @@user_id.nil? || @@session_token.nil? + skip "Depends on authentication" + else + url = api_url("/1/users/#{@@user_id}.json") + options = {:headers => { + "Authorization" => "Token token=\"#{@@session_token}\"" + }} + delete(url, {}, options) do |body, response, error| + if response.code.to_i != 200 + skip "It appears the web api is too old to support deleting users" + else + assert(response = JSON.parse(body), 'response should be JSON') + assert(response["success"], 'delete should be a success') + pass + end + end + end + end + + private + + def url_options + { + :username => property('couchdb_webapp_user.username'), + :password => property('couchdb_webapp_user.password') + } + end + + def api_url(path) + "https://%{domain}:%{port}#{path}" % { + :domain => property('api.domain'), + :port => property('api.port') + } + end + + # + # I tried, but couldn't get this working: + # # + # # get an CSRF authenticity token + # # + # url = api_url("/") + # csrf_token = nil + # assert_get(url) do |body| + # lines = body.split("\n").grep(/csrf-token/) + # assert lines.any?, 'failed to find csrf-token' + # csrf_token = lines.first.split('"')[1] + # assert csrf_token, 'failed to find csrf-token' + # end + end |