From ffd340e7b014bc9f35fb6f9365230d483650cc1d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Sep 2015 13:03:01 -0400 Subject: rewrite openpgp header to be always correct (#7413) The openpgp header added by the client is sometimes incorrect, because the client doesn't actually know what the proper URL is for the webapp. The server knows, however. Change-Id: I2243b19a6337d8e0be97590e2ca9c9c0b0fffdac --- puppet/modules/site_postfix/manifests/mx.pp | 6 +++++- .../site_postfix/manifests/mx/rewrite_openpgp_header.pp | 11 +++++++++++ .../templates/checks/rewrite_openpgp_headers.erb | 13 +++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp create mode 100644 puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 334d04d0..2b311e06 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -52,6 +52,7 @@ class site_postfix::mx { include site_postfix::mx::smtp_tls include site_postfix::mx::smtpd_tls include site_postfix::mx::static_aliases + include site_postfix::mx::rewrite_openpgp_header # greater verbosity for debugging, take out for production #include site_postfix::debug @@ -74,7 +75,10 @@ class site_postfix::mx { -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions - -o smtpd_helo_restrictions=\$smtps_helo_restrictions", + -o smtpd_helo_restrictions=\$smtps_helo_restrictions + -o cleanup_service_name=clean_smtps +clean_smtps unix n - n - 0 cleanup + -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers", require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], diff --git a/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp new file mode 100644 index 00000000..71f945b8 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp @@ -0,0 +1,11 @@ +class site_postfix::mx::rewrite_openpgp_header { + $mx = hiera('mx') + $correct_domain = $mx['key_lookup_domain'] + + file { '/etc/postfix/checks/rewrite_openpgp_headers': + content => template('site_postfix/checks/rewrite_openpgp_headers.erb'), + mode => '0644', + owner => root, + group => root; + } +} diff --git a/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb b/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb new file mode 100644 index 00000000..7af14f7d --- /dev/null +++ b/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb @@ -0,0 +1,13 @@ +# THIS FILE IS MANAGED BY PUPPET +# +# This will replace the OpenPGP header that the client adds, because it is +# sometimes incorrect (due to the client not always knowing what the proper URL +# is for the webapp). +# e.g. This will rewrite this header: +# OpenPGP: id=4C0E01CD50E2F653; url="https://leap.se/key/elijah"; preference="signencrypt +# with this replacement: +# OpenPGP: id=4C0E01CD50E2F653; url="https://user.leap.se/key/elijah"; preference="signencrypt +# +# Note: whitespace in the pattern is represented by [[:space:]] to avoid these warnings from postmap: +# "record is in "key: value" format; is this an alias file?" and "duplicate entry" +/^(OpenPGP:[[:space:]]id=[[:alnum:]]+;[[:space:]]url="https:\/\/)<%= @domain %>(\/key\/[[:alpha:]]+";.*)/i REPLACE ${1}<%= @correct_domain %>${2} -- cgit v1.2.3 From 2d20633ceaa670c58ca575eb2a751605bf5b4156 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 3 Sep 2015 20:18:12 -0700 Subject: service definition .json files should not refer to properties inherited from common.json. closes #7423 --- provider_base/services/webapp.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 7b1ca8fb..dbcfe0a6 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -9,7 +9,7 @@ "owner", "owners", "postmaster", "reply", "robot", "ssladmin", "staff", "support", "tech-support", "tech_support", "techsupport", "ticket", "tickets", "vmail", "www-data"], - "domain": "= domain.full_suffix", + "domain": "= provider.domain", "modules": ["user", "billing", "help"], "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", -- cgit v1.2.3 From 2b1911f17b0ed5ee5ad2384e176b84b84243802f Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 3 Sep 2015 23:24:43 -0700 Subject: make couchdb.admin.yml only readable by root, make non-admin cron run as webapp user. --- puppet/modules/site_webapp/manifests/couchdb.pp | 16 ++++++++-------- puppet/modules/site_webapp/manifests/cron.pp | 4 ++++ 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 1dbc745d..5cf7f953 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -14,29 +14,29 @@ class site_webapp::couchdb { file { '/srv/leap/webapp/config/couchdb.yml': content => template('site_webapp/couchdb.yml.erb'), - owner => leap-webapp, - group => leap-webapp, + owner => 'leap-webapp', + group => 'leap-webapp', mode => '0600', require => Vcsrepo['/srv/leap/webapp']; '/srv/leap/webapp/config/couchdb.admin.yml': content => template('site_webapp/couchdb.admin.yml.erb'), - owner => leap-webapp, - group => leap-webapp, + owner => 'root', + group => 'root', mode => '0600', require => Vcsrepo['/srv/leap/webapp']; '/srv/leap/webapp/log': ensure => directory, - owner => leap-webapp, - group => leap-webapp, + owner => 'leap-webapp', + group => 'leap-webapp', mode => '0755', require => Vcsrepo['/srv/leap/webapp']; '/srv/leap/webapp/log/production.log': ensure => present, - owner => leap-webapp, - group => leap-webapp, + owner => 'leap-webapp', + group => 'leap-webapp', mode => '0666', require => Vcsrepo['/srv/leap/webapp']; } diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp index d26ee312..7147a0d2 100644 --- a/puppet/modules/site_webapp/manifests/cron.pp +++ b/puppet/modules/site_webapp/manifests/cron.pp @@ -5,12 +5,14 @@ class site_webapp::cron { 'rotate_databases': command => 'cd /srv/leap/webapp && bundle exec rake db:rotate', environment => 'RAILS_ENV=production', + user => 'root', hour => [0,6,12,18], minute => 0; 'delete_tmp_databases': command => 'cd /srv/leap/webapp && bundle exec rake db:deletetmp', environment => 'RAILS_ENV=production', + user => 'root', hour => 1, minute => 1; @@ -19,6 +21,7 @@ class site_webapp::cron { 'remove_expired_sessions': command => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions', environment => 'RAILS_ENV=production', + user => 'leap-webapp', hour => 2, minute => 30, ensure => absent; @@ -26,6 +29,7 @@ class site_webapp::cron { 'remove_expired_tokens': command => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens', environment => 'RAILS_ENV=production', + user => 'leap-webapp', hour => 3, minute => 0; } -- cgit v1.2.3