From 5b10def43d134e5735bfcec1237c04cf66e8610b Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 19 Sep 2017 15:36:06 -0400
Subject: Feat: Refactor tor services

In order to refactor the tor services, we need to split them out into three different services. This adds the hidden service class that is necessary to support the previous commits.

Fixes #8864.
---
 provider_base/services/hidden_service.json | 11 -----------
 provider_base/services/hidden_service.rb | 4 ----
 provider_base/services/tor_exit.rb | 4 ++--
 provider_base/services/tor_hidden_service.json | 11 +++++++++++
 provider_base/services/tor_hidden_service.rb | 4 ++++
 provider_base/services/tor_relay.rb | 4 ++--
 puppet/manifests/site.pp | 2 +-
 puppet/modules/site_static/manifests/hidden_service.pp | 6 ++++--
 puppet/modules/site_static/manifests/init.pp | 13 +++++++------
 puppet/modules/site_tor/manifests/hidden_service.pp | 13 +++++++++++++
 puppet/modules/site_webapp/manifests/hidden_service.pp | 3 ++-
 puppet/modules/site_webapp/manifests/init.pp | 3 ++-
 tests/platform-ci/ci-build.sh | 17 +++++++++++++----
 tests/platform-ci/provider/nodes/catalogtest.json | 2 +-
 14 files changed, 62 insertions(+), 35 deletions(-)
 delete mode 100644 provider_base/services/hidden_service.json
 delete mode 100644 provider_base/services/hidden_service.rb
 create mode 100644 provider_base/services/tor_hidden_service.json
 create mode 100644 provider_base/services/tor_hidden_service.rb
 create mode 100644 puppet/modules/site_tor/manifests/hidden_service.pp

diff --git a/provider_base/services/hidden_service.json b/provider_base/services/hidden_service.json
deleted file mode 100644
index 137932fa..00000000
--- a/provider_base/services/hidden_service.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "tor": {
- "hidden_service": {
- "key_type": "RSA",
- "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type)",
- "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type)",
- "address": "=> onion_address(:node_tor_pub_key)",
- "single_hop": false
- }
- }
-}
diff --git a/provider_base/services/hidden_service.rb b/provider_base/services/hidden_service.rb
deleted file mode 100644
index 50701681..00000000
--- a/provider_base/services/hidden_service.rb
+++ /dev/null
@@ -1,4 +0,0 @@
-if self.services.include?("tor_exit") || self.services.include?("tor_relay")
- LeapCli.log :error, "service `hidden_service` is not compatible with tor_exit or tor_relay (node #{self.name})."
-end
-self.tor['type'] = "hidden_service"
\ No newline at end of file
diff --git a/provider_base/services/tor_exit.rb b/provider_base/services/tor_exit.rb
index 05c67438..bd801a3d 100644
--- a/provider_base/services/tor_exit.rb
+++ b/provider_base/services/tor_exit.rb
@@ -1,5 +1,5 @@
-if self.services.include?("hidden_service") || self.services.include?("tor_relay")
- LeapCli.log :error, "service `tor_exit` is not compatible with tor_relay or hidden_service (node #{self.name})."
+if self.services.include?("tor_hidden_service") || self.services.include?("tor_relay")
+ LeapCli.log :error, "service `tor_exit` is not compatible with tor_relay or tor_hidden_service (node #{self.name})."
 exit(1)
 end
 apply_partial("_tor_common")
diff --git a/provider_base/services/tor_hidden_service.json b/provider_base/services/tor_hidden_service.json
new file mode 100644
index 00000000..137932fa
--- /dev/null
+++ b/provider_base/services/tor_hidden_service.json
@@ -0,0 +1,11 @@
+{
+ "tor": {
+ "hidden_service": {
+ "key_type": "RSA",
+ "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type)",
+ "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type)",
+ "address": "=> onion_address(:node_tor_pub_key)",
+ "single_hop": false
+ }
+ }
+}
diff --git a/provider_base/services/tor_hidden_service.rb b/provider_base/services/tor_hidden_service.rb
new file mode 100644
index 00000000..8b8eb24d
--- /dev/null
+++ b/provider_base/services/tor_hidden_service.rb
@@ -0,0 +1,4 @@
+if self.services.include?("tor_exit") || self.services.include?("tor_relay")
+ LeapCli.log :error, "service `tor_hidden_service` is not compatible with tor_exit or tor_relay (node #{self.name})."
+end
+self.tor['type'] = "hidden_service"
diff --git a/provider_base/services/tor_relay.rb b/provider_base/services/tor_relay.rb
index 42bafb94..7fce6ae4 100644
--- a/provider_base/services/tor_relay.rb
+++ b/provider_base/services/tor_relay.rb
@@ -1,6 +1,6 @@
-if self.services.include?("tor_exit") || self.services.include?("hidden_service")
- LeapCli.log :error, "service `tor_relay` is not compatible with tor_exit or hidden_service (node #{self.name})."
+if self.services.include?("tor_exit") || self.services.include?("tor_hidden_service")
+ LeapCli.log :error, "service `tor_relay` is not compatible with tor_exit or tor_hidden_service (node #{self.name})."
 end
 apply_partial("_tor_common")
 self.tor['type'] = "relay"
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index f3e752cc..1f80c47c 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -52,7 +52,7 @@ node default {
 include site_tor::relay
 }
- if member($services, 'hidden_service') {
+ if member($services, 'tor_hidden_service') {
 include site_tor::hidden_service
 }
diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp
index dcf3785e..f23727f7 100644
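Review bot: The incompatibility check in the new tor_hidden_service.rb only logs and then falls through to `self.tor['type'] = "hidden_service"`, whereas tor_exit.rb in this same commit calls `exit(1)` right after its log line; a node that lists both tor_hidden_service and tor_relay is therefore reported but still configured, and `tor['type']` presumably ends up as whichever service partial is evaluated last (tor_relay.rb sets it to "relay"). Adding `exit(1)` inside the `if` block, mirroring tor_exit.rb, makes the conflicting definition fatal when the node is evaluated rather than at deploy time. tor_relay.rb has the same gap, and this commit only renames the service string there.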
--- a/puppet/modules/site_static/manifests/hidden_service.pp +++ b/puppet/modules/site_static/manifests/hidden_service.pp @@ -1,13 +1,15 @@ # create hidden service for static sites class site_static::hidden_service ( $single_hop = false ) { + Class['site_tor::hidden_service'] -> Class['site_static::hidden_service'] + include site_tor::hidden_service - include site_tor tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'], single_hop => $single_hop } + file { - '/var/lib/tor/webapp/': + '/var/lib/tor/static/': ensure => directory, owner => 'debian-tor', group => 'debian-tor', diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 4ddce5ed..40c6a28b 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -7,12 +7,13 @@ class site_static { include site_config::x509::key include site_config::x509::ca_bundle - $static = hiera('static') - $domains = $static['domains'] - $formats = $static['formats'] - $bootstrap = $static['bootstrap_files'] - $tor = hiera('tor', false) - if $tor and member($services, 'hidden_service') { + $services = hiera('services', []) + $static = hiera('static') + $domains = $static['domains'] + $formats = $static['formats'] + $bootstrap = $static['bootstrap_files'] + $tor = hiera('tor', false) + if $tor and member($services, 'tor_hidden_service') { $onion_active = true } else { $onion_active = false diff --git a/puppet/modules/site_tor/manifests/hidden_service.pp b/puppet/modules/site_tor/manifests/hidden_service.pp new file mode 100644 index 00000000..87a7b696 --- /dev/null +++ b/puppet/modules/site_tor/manifests/hidden_service.pp 
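Review bot: Renaming the managed directory from `/var/lib/tor/webapp/` to `/var/lib/tor/static/` in site_static::hidden_service leaves the previously managed directory in place on already-deployed static nodes, and nothing in the hunk removes it; the rest of the `file` resource lies outside the hunk, so if that directory is where the hidden-service key material ends up, a stale copy keeps living under the old path after the upgrade. Because a node that also runs webapp legitimately uses `/var/lib/tor/webapp/`, a blanket `ensure => absent` is not safe; a cleanup guarded on the webapp service being absent from `$services`, or at least an upgrade note, seems warranted. The class body continues outside the hunk.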
@@ -0,0 +1,13 @@
+# This class simply makes sure a base tor is installed and configured
+# It doesn't configure any specific hidden service functionality,
+# instead that is configured in site_webapp::hidden_service and
+# site_static::hidden_service.
+#
+# Those could be factored out to make them more generic.
+class site_tor::hidden_service {
+ tag 'leap_service'
+ Class['site_config::default'] -> Class['site_tor::hidden_service']
+
+ include site_config::default
+ include site_tor
+}
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 658d62f9..1f87da6b 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -1,5 +1,7 @@
 # Configure tor hidden service for webapp
 class site_webapp::hidden_service {
+ Class['site_tor::hidden_service'] -> Class['site_webapp::hidden_service']
+ include site_tor::hidden_service
 $tor = hiera('tor')
 $hidden_service = $tor['hidden_service']
 $onion_domain = "${hidden_service['address']}.onion"
@@ -10,7 +12,6 @@ class site_webapp::hidden_service {
 include apache::module::expires
 include apache::module::removeip
- include site_tor
 tor::daemon::hidden_service { 'webapp':
 ports => [ '80 127.0.0.1:80'],
 single_hop => $hidden_service['single_hop']
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 968859bf..605d71b3 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -1,6 +1,7 @@
 # configure webapp service
 class site_webapp {
 tag 'leap_service'
+ $services = hiera('services', [])
 $definition_files = hiera('definition_files')
 $provider = $definition_files['provider']
 $eip_service = $definition_files['eip_service']
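Review bot: The header comment of the new site_tor::hidden_service class ends with `# Those could be factored out to make them more generic.` without saying what "Those" are or what would become generic, which leaves the next maintainer guessing. Both consumers touched in this commit (site_webapp::hidden_service here and site_static::hidden_service) repeat the `Class['site_tor::hidden_service'] -> Class[...]` ordering plus `include site_tor::hidden_service` and each declare their own `tor::daemon::hidden_service`, so I would write it as `# The per-service setup repeated in site_webapp::hidden_service and site_static::hidden_service (tor::daemon::hidden_service plus the ordering on this class) could be factored into a shared define.` The first comment line also wants a period before `It doesn't`.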
@@ -177,7 +178,7 @@ class site_webapp { notify => Service['apache']; } - if $tor and member($services, 'hidden_service') { + if $tor and member($services, 'tor_hidden_service') { $hidden_service = $tor['hidden_service'] include ::site_webapp::hidden_service } diff --git a/tests/platform-ci/ci-build.sh b/tests/platform-ci/ci-build.sh index 4710bc88..06af59ca 100755 --- a/tests/platform-ci/ci-build.sh +++ b/tests/platform-ci/ci-build.sh @@ -71,6 +71,13 @@ test() { } build_from_scratch() { + # allow passing into the function the services, use a default set if empty + SERVICES=$1 + if [ -z "$SERVICES" ] + then + SERVICES='couchdb,soledad,mx,webapp,tor_relay,monitor' + fi + # when using gitlab-runner locally, CI_JOB_ID is always 1 which # will conflict with running/terminating AWS instances in subsequent runs # therefore we pick a random number in this case @@ -78,10 +85,7 @@ build_from_scratch() { # create node(s) with unique id so we can run tests in parallel NAME="citest${CI_JOB_ID:-0}" - - TAG='single' - SERVICES='couchdb,soledad,mx,webapp,tor,monitor' # leap_platform/tests/platform-ci/provider PROVIDERDIR="${ROOTDIR}/provider" @@ -184,7 +188,7 @@ upgrade_test() { cd "$PROVIDERDIR" - build_from_scratch + build_from_scratch 'couchdb,soledad,mx,webapp,tor,monitor' deploy test @@ -200,6 +204,11 @@ upgrade_test() { /usr/local/bin/bundle install cd "$PROVIDERDIR" + + # due to the 'tor' service no longer being valid in 0.10, we need to change + # that service to 'tor_relay'. This is done by changing the services array + # with jq to be set to the full correct list of services + jq '.services = ["couchdb","soledad","mx","webapp","tor_relay","monitor"]' < nodes/${NAME}.json deploy test diff --git a/tests/platform-ci/provider/nodes/catalogtest.json b/tests/platform-ci/provider/nodes/catalogtest.json index 05703666..bbf79d9e 100644 --- a/tests/platform-ci/provider/nodes/catalogtest.json +++ b/tests/platform-ci/provider/nodes/catalogtest.json 
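Review bot: The five-line default-argument block at the top of `build_from_scratch` (hunk @@ -71) can be the single idiomatic parameter expansion `SERVICES="${1:-couchdb,soledad,mx,webapp,tor_relay,monitor}"`, which also keeps the value quoted. The comment `# allow passing into the function the services, use a default set if empty` reads awkwardly; `# services to deploy: callers may pass a comma-separated list, otherwise the default set is used` says the same. The function body continues outside the hunk.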
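Review bot: In upgrade_test (hunk @@ -200) the line `jq '.services = [...]' < nodes/${NAME}.json` writes the rewritten node definition to stdout and never back to the file, so the `deploy` that follows still sees the `tor` service that the comment above it says is no longer valid in 0.10. jq has no in-place mode, so write to a temporary file and move it over, e.g. `jq '.services |= map(if . == "tor" then "tor_relay" else . end)' "nodes/${NAME}.json" > "nodes/${NAME}.json.tmp" && mv "nodes/${NAME}.json.tmp" "nodes/${NAME}.json"`. Mapping the one renamed entry instead of assigning a full literal list also avoids keeping a second copy of the service list that must stay in sync with the default in build_from_scratch (hunk @@ -71). upgrade_test continues outside the hunk.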
@@ -10,7 +10,7 @@
 "webapp",
 "monitor",
 "openvpn",
- "tor",
+ "tor_relay",
 "obfsproxy",
 "static"
 ],
-- cgit v1.2.3