From 0d85c95328916425d8e4e29189b63a40c8567eea Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 22 Sep 2014 14:57:24 -0400 Subject: stop logging user-agent in apache, fixes #6129 Change-Id: I66384ae4a723be063790362f70e57228a0f1539b --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 2 ++ puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 2 ++ 2 files changed, 4 insertions(+) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 3360ac59..74cd1ced 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -2,12 +2,14 @@ ServerName <%= api_domain %> RewriteEngine On RewriteRule ^.*$ https://<%= api_domain -%>:<%= api_port -%>%{REQUEST_URI} [R=permanent,L] + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common Listen 0.0.0.0:<%= api_port %> > ServerName <%= api_domain %> + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLEngine on SSLProtocol all -SSLv2 diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index ed430510..0e08529c 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -3,12 +3,14 @@ ServerAlias www.<%= domain %> RewriteEngine On RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common ServerName <%= domain_name %> ServerAlias <%= domain %> ServerAlias www.<%= domain %> + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLEngine on SSLProtocol all -SSLv2 -- cgit v1.2.3 From af606967d39227390f5ef8403c64d693c1dfd76d Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 23 Sep 2014 14:48:48 -0700 Subject: couch: for neighbors, use 'couch.mode' instead of 'couch.master' (which might be false even for multimaster). closes #6064 --- provider_base/services/_couchdb_multimaster.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/provider_base/services/_couchdb_multimaster.json b/provider_base/services/_couchdb_multimaster.json index 8c433188..0f340e00 100644 --- a/provider_base/services/_couchdb_multimaster.json +++ b/provider_base/services/_couchdb_multimaster.json @@ -8,8 +8,8 @@ "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)" }, "clients": { - "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], couch.bigcouch.epmd_port)", - "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], couch.bigcouch.ednp_port)" + "epmd_clients": "= stunnel_client(nodes_like_me['services' => 'couchdb']['couch.mode' => 'multimaster'], couch.bigcouch.epmd_port)", + "ednp_clients": "= stunnel_client(nodes_like_me['services' => 'couchdb']['couch.mode' => 'multimaster'], couch.bigcouch.ednp_port)" } }, "couch": { @@ -18,7 +18,7 @@ "epmd_port": 4369, "ednp_port": 9002, "cookie": "= secret :bigcouch_cookie", - "neighbors": "= nodes_like_me['services' => 'couchdb']['couch.master' => true].exclude(self).field('domain.full')" + "neighbors": "= nodes_like_me['services' => 'couchdb']['couch.mode' => 'multimaster'].exclude(self).field('domain.full')" } } } -- cgit v1.2.3 From 9da2a36155d3b96e0dc41cac3dd38f8b6c50efd2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 22 Sep 2014 14:57:24 -0400 Subject: stop logging user-agent in apache, fixes #6129 Change-Id: I66384ae4a723be063790362f70e57228a0f1539b --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 2 ++ puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 2 ++ 2 files changed, 4 insertions(+) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 3360ac59..74cd1ced 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -2,12 +2,14 @@ ServerName <%= api_domain %> RewriteEngine On RewriteRule ^.*$ https://<%= api_domain -%>:<%= api_port -%>%{REQUEST_URI} [R=permanent,L] + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common Listen 0.0.0.0:<%= api_port %> > ServerName <%= api_domain %> + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLEngine on SSLProtocol all -SSLv2 diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index ed430510..0e08529c 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -3,12 +3,14 @@ ServerAlias www.<%= domain %> RewriteEngine On RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common ServerName <%= domain_name %> ServerAlias <%= domain %> ServerAlias www.<%= domain %> + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLEngine on SSLProtocol all -SSLv2 -- cgit v1.2.3 From 308ac3cb420cbce7a6c67e03e887db4723aa8169 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Sep 2014 13:55:20 +0200 Subject: remove /etc/apt/preferences.d/fixed_rsyslog_anon_package (#6138) This was a leftover from earlier versions, where we installed rsyslog from the leap debian package repo. Change-Id: I88a852f08b5aff3bd7b591b6220ac354463a9786 --- puppet/modules/site_apt/manifests/preferences/rsyslog.pp | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp index 132a6e24..bfeaa7da 100644 --- a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp +++ b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp @@ -1,9 +1,13 @@ class site_apt::preferences::rsyslog { - apt::preferences_snippet { 'rsyslog_anon_depends': - package => 'libestr0 librelp0 rsyslog*', - priority => '999', - pin => 'release a=wheezy-backports', - before => Class['rsyslog::install'] + apt::preferences_snippet { + 'rsyslog_anon_depends': + package => 'libestr0 librelp0 rsyslog*', + priority => '999', + pin => 'release a=wheezy-backports', + before => Class['rsyslog::install']; + + 'fixed_rsyslog_anon_package': + ensure => absent; } } -- cgit v1.2.3 From 8f8862aab798cbf0b2dbb690a154cd54dd5d6592 Mon Sep 17 00:00:00 2001 From: irregulator Date: Thu, 25 Sep 2014 16:46:57 +0300 Subject: Use member function instead of regexp to check services array --- puppet/modules/site_obfsproxy/manifests/init.pp | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/puppet/modules/site_obfsproxy/manifests/init.pp b/puppet/modules/site_obfsproxy/manifests/init.pp index 40b7fba8..6275ebee 100644 --- a/puppet/modules/site_obfsproxy/manifests/init.pp +++ b/puppet/modules/site_obfsproxy/manifests/init.pp @@ -11,13 +11,13 @@ class site_obfsproxy { $dest_ip = $obfsproxy['gateway_address'] $dest_port = '443' - if $::services =~ /\bopenvpn\b/ { - $openvpn = hiera('openvpn') - $bind_address = $openvpn['gateway_address'] - } - elsif $::services =~ /\bobfsproxy\b/ { - $bind_address = hiera('ip_address') - } + if member($::services, 'openvpn') { + $openvpn = hiera('openvpn') + $bind_address = $openvpn['gateway_address'] + } + elsif member($::services, 'obfsproxy') { + $bind_address = hiera('ip_address') + } include site_apt::preferences::twisted include site_apt::preferences::obfsproxy -- cgit v1.2.3 From 027c20e2b8f779086d1480048152fe06d044b216 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 7 Oct 2014 13:55:58 +0200 Subject: every environment is defined as nagios hostsgroup (#5216) Change-Id: I6508ce0d06b37a1c5601a0e981a59f7fda47f76a --- provider_base/services/monitor.json | 1 + puppet/modules/site_check_mk/manifests/server.pp | 13 +++++++++---- puppet/modules/site_check_mk/templates/hostgroups.mk | 4 ++++ puppet/modules/site_nagios/manifests/server.pp | 9 ++++++--- puppet/modules/site_nagios/manifests/server/hostgroup.pp | 3 +++ 5 files changed, 23 insertions(+), 7 deletions(-) create mode 100644 puppet/modules/site_check_mk/templates/hostgroups.mk create mode 100644 puppet/modules/site_nagios/manifests/server/hostgroup.pp diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index c24724bf..56ca015b 100644 --- a/provider_base/services/monitor.json +++ b/provider_base/services/monitor.json @@ -1,6 +1,7 @@ { "nagios": { "nagiosadmin_pw": "= secret :nagios_admin_password", + "domains_internal": "= global.tags.field('domain.internal_suffix').compact.uniq", "hosts": "= (self.environment == 'local' ? nodes_like_me : nodes[:environment => '!local']).pick_fields('domain.internal', 'domain.full_suffix', 'ip_address', 'services', 'openvpn.gateway_address', 'ssh.port')" }, "hosts": "= self.environment == 'local' ? hosts_file(nodes_like_me) : hosts_file(nodes[:environment => '!local'])", diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index e544ef0d..aa24d96c 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -5,11 +5,12 @@ class site_check_mk::server { $type = $ssh_hash['authorized_keys']['monitor']['type'] $seckey = $ssh_hash['monitor']['private_key'] - $nagios_hiera = hiera_hash('nagios') - $nagios_hosts = $nagios_hiera['hosts'] + $nagios_hiera = hiera_hash('nagios') + $nagios_hosts = $nagios_hiera['hosts'] - $hosts = hiera_hash('hosts') - $all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%>"<%= @hosts[key]["domain_internal"] %>", <% end -%>') + $hosts = hiera_hash('hosts') + $all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%>"<%= @hosts[key]["domain_internal"] %>", <% end -%>') + $domains_internal = $nagios_hiera['domains_internal'] package { 'check-mk-server': ensure => installed, @@ -35,6 +36,10 @@ class site_check_mk::server { content => template('site_check_mk/use_ssh.mk'), notify => Exec['check_mk-refresh'], require => Package['check-mk-server']; + '/etc/check_mk/conf.d/hostgroups.mk': + content => template('site_check_mk/hostgroups.mk'), + notify => Exec['check_mk-refresh'], + require => Package['check-mk-server']; '/etc/check_mk/all_hosts_static': content => $all_hosts, notify => Exec['check_mk-refresh'], diff --git a/puppet/modules/site_check_mk/templates/hostgroups.mk b/puppet/modules/site_check_mk/templates/hostgroups.mk new file mode 100644 index 00000000..79b7f92f --- /dev/null +++ b/puppet/modules/site_check_mk/templates/hostgroups.mk @@ -0,0 +1,4 @@ +host_groups = [ + <% @domains_internal.each do |domain| %>( '<%= domain %>', [<% @nagios_hosts.keys.sort.each do |key| -%><% if @nagios_hosts[key]['domain_internal'] == key+'.'+domain -%>'<%= key %>.<%= domain %>', <% end -%><% end -%>] ), + <% end -%> +] diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 85443917..8cc1ae24 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -3,9 +3,10 @@ class site_nagios::server inherits nagios::base { # First, purge old nagios config (see #1467) class { 'site_nagios::server::purge': } - $nagios_hiera = hiera('nagios') - $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) - $nagios_hosts = $nagios_hiera['hosts'] + $nagios_hiera = hiera('nagios') + $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) + $nagios_hosts = $nagios_hiera['hosts'] + $domains_internal = $nagios_hiera['domains_internal'] include nagios::defaults include nagios::base @@ -55,4 +56,6 @@ class site_nagios::server inherits nagios::base { 'set missingok missingok', 'set ifempty notifempty', 'set copytruncate copytruncate' ] } + + ::site_nagios::server::hostgroup { $domains_internal: } } diff --git a/puppet/modules/site_nagios/manifests/server/hostgroup.pp b/puppet/modules/site_nagios/manifests/server/hostgroup.pp new file mode 100644 index 00000000..035ba7d1 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/server/hostgroup.pp @@ -0,0 +1,3 @@ +define site_nagios::server::hostgroup { + nagios_hostgroup { $name: } +} -- cgit v1.2.3 From 36a1332f5f6e43591a47b89ec505541f84381667 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 7 Oct 2014 14:16:54 +0200 Subject: include different nagios::defaults classes manually (#5216) nagios::defaults will include nagios::defaults::hostgroups which add "all" and "centos_servers" hostgroups which we don't want. Change-Id: If42faa11c167fb7305ebbb21dc358a8813afaa25 --- puppet/modules/site_nagios/manifests/server.pp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 8cc1ae24..b195c880 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -8,8 +8,14 @@ class site_nagios::server inherits nagios::base { $nagios_hosts = $nagios_hiera['hosts'] $domains_internal = $nagios_hiera['domains_internal'] - include nagios::defaults include nagios::base + include nagios::defaults::commands + include nagios::defaults::contactgroups + include nagios::defaults::contacts + include nagios::defaults::templates + include nagios::defaults::timeperiods + include nagios::defaults::plugins + class {'nagios': # don't manage apache class from nagios, cause we already include # it in site_apache::common -- cgit v1.2.3 From 189bd4b704ba685640ca01afe90f592e7b33567a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 15 Oct 2014 17:07:45 -0400 Subject: Disable SSLv3, and RC4 ciphers Change-Id: I7214aa4334e3d817dd1b6d8dce43523e3d955b5d --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 4 ++-- puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 4 ++-- puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb | 5 +++-- puppet/modules/site_static/templates/apache.conf.erb | 4 ++-- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 74cd1ced..e4732289 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -12,10 +12,10 @@ Listen 0.0.0.0:<%= api_port %> CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLEngine on - SSLProtocol all -SSLv2 + SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index 0e08529c..a9733a97 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -13,10 +13,10 @@ CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLEngine on - SSLProtocol all -SSLv2 + SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb index ae06410e..56a8d9f6 100644 --- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb @@ -9,9 +9,10 @@ Listen 0.0.0.0:<%= @nickserver_port -%> ServerAlias <%= @address_domain %> SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on + SSLCompression off + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 07ac481d..9b516a10 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -46,10 +46,10 @@ #RewriteLogLevel 3 SSLEngine on - SSLProtocol all -SSLv2 + SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" <%- if @tls_only -%> Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" -- cgit v1.2.3 From 4faf77c2527312b85d836600c01c0d2d9f0b460e Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 20 Oct 2014 14:27:53 -0700 Subject: bumped default server certificate bit size to 4096 --- provider_base/provider.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provider_base/provider.json b/provider_base/provider.json index 743964ee..4f71c7d5 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -44,7 +44,7 @@ "digest": "SHA256", "life_span": "10y", "server_certificates": { - "bit_size": 2048, + "bit_size": 4096, "digest": "SHA256", "life_span": "1y" }, -- cgit v1.2.3 From f6ffad33042aa6580ec00ef23836291861c1ae17 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 20 Oct 2014 21:44:37 -0400 Subject: implement custom puppet support (#6201, #6226) change puppet command to include in the --modulepath /srv/leap/files/puppet/modules If a provider places puppet code under files/puppet it will be sync'd over to all the nodes, once leap cli #6225 is merged. The custom puppet entry point is in class 'custom' which can be put into files/puppet/modules/custom/manifests/init.pp Change-Id: I74879c6ee056b03cd4691aa81a7668b60383bdad --- bin/puppet_command | 5 ++++- puppet/modules/site_config/manifests/default.pp | 6 +++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/bin/puppet_command b/bin/puppet_command index 5e690bef..cdb0b027 100755 --- a/bin/puppet_command +++ b/bin/puppet_command @@ -14,6 +14,8 @@ PUPPET_BIN = '/usr/bin/puppet' PUPPET_DIRECTORY = '/srv/leap' PUPPET_PARAMETERS = '--color=false --detailed-exitcodes --libdir=puppet/lib --confdir=puppet' SITE_MANIFEST = 'puppet/manifests/site.pp' +SITE_MODULES = 'puppet/modules' +CUSTOM_MODULES = ':files/puppet/modules' DEFAULT_TAGS = 'leap_base,leap_service' HIERA_FILE = '/etc/leap/hiera.yaml' @@ -93,10 +95,11 @@ end def puppet_apply(options={}, &block) options = {:verbosity => @verbosity, :tags => @tags}.merge(options) manifest = options[:manifest] || SITE_MANIFEST + modulepath = options[:module_path] || SITE_MODULES + CUSTOM_MODULES fqdn = hiera_file['domain']['name'] domain = hiera_file['domain']['full_suffix'] Dir.chdir(PUPPET_DIRECTORY) do - return run("FACTER_fqdn='#{fqdn}' FACTER_domain='#{domain}' #{PUPPET_BIN} apply #{custom_parameters(options)} #{PUPPET_PARAMETERS} #{manifest}", &block) + return run("FACTER_fqdn='#{fqdn}' FACTER_domain='#{domain}' #{PUPPET_BIN} apply #{custom_parameters(options)} --modulepath='#{modulepath}' #{PUPPET_PARAMETERS} #{manifest}", &block) end end diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index fc2179de..790b5a16 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -59,10 +59,10 @@ class site_config::default { include site_postfix::satellite } - # if class site_custom exists, include it. + # if class custom exists, include it. # possibility for users to define custom puppet recipes - if defined( '::site_custom') { - include ::site_custom + if defined( '::custom') { + include ::custom } include site_check_mk::agent -- cgit v1.2.3 From 51a1e1c6db33ed2868ec74728f854237e3dfd86a Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 21 Oct 2014 15:14:23 -0700 Subject: update platform to take advantage of new platform.rb. requires leap_cli 1.6 --- platform.rb | 18 +++++++++++++++++- provider_base/common.json | 4 ++++ provider_base/lib/macros/files.rb | 2 +- provider_base/provider.json | 1 - 4 files changed, 22 insertions(+), 3 deletions(-) diff --git a/platform.rb b/platform.rb index 270dd25a..35017559 100644 --- a/platform.rb +++ b/platform.rb @@ -5,15 +5,24 @@ Leap::Platform.define do self.version = "0.5.4.1" - self.compatible_cli = "1.5.8".."1.99" + self.compatible_cli = "1.6.0".."1.99" # # the facter facts that should be gathered # self.facts = ["ec2_local_ipv4", "ec2_public_ipv4"] + # + # absolute paths on the destination server + # + self.hiera_path = '/etc/leap/hiera.yaml' + self.leap_dir = '/srv/leap' + self.files_dir = '/srv/leap/files' + self.init_path = '/srv/leap/initialized' + # # the named paths for this platform + # (relative to the provider directory) # self.paths = { # directories @@ -43,6 +52,11 @@ Leap::Platform.define do :soledad_service_json_template => 'files/service-definitions/#{arg}/soledad-service.json.erb', :smtp_service_json_template => 'files/service-definitions/#{arg}/smtp-service.json.erb', + # custom puppet + :custom_puppet_dir => 'files/puppet', + :custom_puppet_modules_dir => 'files/puppet/modules', + :custom_puppet_manifests_dir => 'files/puppet/manifests', + # output files :facts => 'facts.json', :user_ssh => 'users/#{arg}/#{arg}_ssh.pub', @@ -85,5 +99,7 @@ Leap::Platform.define do self.monitor_username = 'monitor' self.reserved_usernames = ['monitor'] + + self.default_puppet_tags = ['leap_base','leap_service'] end diff --git a/provider_base/common.json b/provider_base/common.json index 87af2152..649db0d9 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -46,5 +46,9 @@ "stunnel": { "clients": {}, "servers": {} + }, + "platform": { + "version": "= Leap::Platform.version.to_s", + "major_version": "= Leap::Platform.major_version" } } diff --git a/provider_base/lib/macros/files.rb b/provider_base/lib/macros/files.rb index 0a491325..b3ba4a06 100644 --- a/provider_base/lib/macros/files.rb +++ b/provider_base/lib/macros/files.rb @@ -71,7 +71,7 @@ module LeapCli end relative_path = Path.relative_path(actual_path) @node.file_paths << relative_path - @node.manager.provider.hiera_sync_destination + '/' + relative_path + File.join(Leap::Platform.files_dir, relative_path) end end diff --git a/provider_base/provider.json b/provider_base/provider.json index 4f71c7d5..9ef0f76a 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -56,7 +56,6 @@ "unlimited_prefix": "UNLIMITED" } }, - "hiera_sync_destination": "/etc/leap", "client_version": { "min": "0.5", "max": null -- cgit v1.2.3 From b76445c07688ba1b4e8940189f8538a741de92d4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 21 Oct 2014 20:27:06 -0400 Subject: modify the leap repository contents so they pick the correct repository, based on the hiera value 'major_version' (#6251) Change-Id: I10532ef83e3aa2d35d9c0be241952a35e366bba4 --- platform.rb | 2 +- puppet/modules/site_apt/manifests/leap_repo.pp | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/platform.rb b/platform.rb index 35017559..06a49b7e 100644 --- a/platform.rb +++ b/platform.rb @@ -4,7 +4,7 @@ # Leap::Platform.define do - self.version = "0.5.4.1" + self.version = "0.6" self.compatible_cli = "1.6.0".."1.99" # diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 6b3d9919..2d4ba0e1 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -1,6 +1,9 @@ class site_apt::leap_repo { + $platform = hiera_hash('platform') + $major_version = $platform['major_version'] + apt::sources_list { 'leap.list': - content => 'deb http://deb.leap.se/debian stable main', + content => "deb http://deb.leap.se/${major_version} wheezy main\n", before => Exec[refresh_apt] } -- cgit v1.2.3 From 937c61b74bbd99f9955cbee426fb35e96050eea6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 27 Oct 2014 09:23:23 -0400 Subject: Change stunnel default sslversion to be TLSv1, instead of the default SSLv3 (#6261) Change-Id: I7ab5a6455e434f8359169d31febed8b92f84bbcc --- puppet/modules/site_stunnel/manifests/client.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_stunnel/manifests/client.pp b/puppet/modules/site_stunnel/manifests/client.pp index 12d664b4..76815174 100644 --- a/puppet/modules/site_stunnel/manifests/client.pp +++ b/puppet/modules/site_stunnel/manifests/client.pp @@ -35,6 +35,7 @@ define site_stunnel::client ( pid => "/var/run/stunnel4/${pid}.pid", rndfile => $rndfile, debuglevel => $debuglevel, + sslversion => 'TLSv1', subscribe => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], -- cgit v1.2.3 From f14cfe9601ab60b30af7baf126cb223eacec3593 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 28 Oct 2014 12:18:27 -0400 Subject: upgrade unattended-upgrades on deploy (#6245) unattended-upgrades is not able to upgrade itself in certain situations, such as when the conffile prompt is generated due to the config being changed. We want to set this package as latest in the platform so that it is upgraded on every deploy (we deploy the config anyway). Change-Id: I8c99bfb1b001079f0e1a4ffbf048e0e867633335 --- puppet/modules/site_apt/manifests/init.pp | 4 ++-- puppet/modules/site_apt/manifests/unattended_upgrades.pp | 10 ++++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_apt/manifests/unattended_upgrades.pp diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 9facf4cc..633ccf1e 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -1,4 +1,4 @@ -class site_apt { +class site_apt { class { 'apt': custom_key_dir => 'puppet:///modules/site_apt/keys' @@ -11,7 +11,7 @@ class site_apt { content => 'Acquire::PDiffs "false";'; } - include ::apt::unattended_upgrades + include ::site_apt::unattended_upgrades apt::sources_list { 'secondary.list.disabled': content => template('site_apt/secondary.list'); diff --git a/puppet/modules/site_apt/manifests/unattended_upgrades.pp b/puppet/modules/site_apt/manifests/unattended_upgrades.pp new file mode 100644 index 00000000..daebffab --- /dev/null +++ b/puppet/modules/site_apt/manifests/unattended_upgrades.pp @@ -0,0 +1,10 @@ +class site_apt::unattended_upgrades inherits apt::unattended_upgrades { + # override unattended-upgrades package resource to make sure + # that it is upgraded on every deploy (#6245) + + include ::apt::unattended_upgrades + + Package['unattended-upgrades'] { + ensure => latest + } +} -- cgit v1.2.3 From d3e24760b33d6ae20f153d3c144d7d443fb0b69e Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 29 Oct 2014 15:20:54 -0700 Subject: added webapp.forbidden_usernames property to allow configuration of usernames to block. --- provider_base/services/webapp.json | 1 + puppet/modules/site_webapp/templates/config.yml.erb | 1 + 2 files changed, 2 insertions(+) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 3af0dade..44b5fa14 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -1,6 +1,7 @@ { "webapp": { "admins": [], + "forbidden_usernames": ["admin", "administrator", "arin-admin", "certmaster", "contact", "info", "maildrop", "postmaster", "ssladmin", "www-data"], "domain": "= domain.full_suffix", "modules": ["user", "billing", "help"], "couchdb_webapp_user": { diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 9205438b..0c75f3ca 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -19,6 +19,7 @@ production: default_service_level: "<%= @webapp['default_service_level'] %>" service_levels: <%= @webapp['service_levels'].to_json %> allow_registration: <%= @webapp['allow_registration'].inspect %> + handle_blacklist: <%= @webapp['forbidden_usernames'].inspect %> <%- if @webapp['engines'] && @webapp['engines'].any? -%> engines: <%- @webapp['engines'].each do |engine| -%> -- cgit v1.2.3 From 1d4670f8b9b4c1f3d4cd8017a3f6145ccdd41312 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 31 Oct 2014 00:01:57 -0700 Subject: add support for property tor.key --- platform.rb | 12 +++--- provider_base/lib/macros.rb | 1 + provider_base/lib/macros/files.rb | 14 ++++++- provider_base/lib/macros/keys.rb | 78 +++++++++++++++++++++++++++++++++++++++ provider_base/services/tor.json | 9 ++++- 5 files changed, 106 insertions(+), 8 deletions(-) create mode 100644 provider_base/lib/macros/keys.rb diff --git a/platform.rb b/platform.rb index 06a49b7e..c37b6d29 100644 --- a/platform.rb +++ b/platform.rb @@ -5,7 +5,7 @@ Leap::Platform.define do self.version = "0.6" - self.compatible_cli = "1.6.0".."1.99" + self.compatible_cli = "1.6.1".."1.99" # # the facter facts that should be gathered @@ -77,10 +77,12 @@ Leap::Platform.define do :vagrantfile => 'test/Vagrantfile', # node output files - :hiera => 'hiera/#{arg}.yaml', - :node_ssh_pub_key => 'files/nodes/#{arg}/#{arg}_ssh.pub', - :node_x509_key => 'files/nodes/#{arg}/#{arg}.key', - :node_x509_cert => 'files/nodes/#{arg}/#{arg}.crt', + :hiera => 'hiera/#{arg}.yaml', + :node_ssh_pub_key => 'files/nodes/#{arg}/#{arg}_ssh.pub', + :node_x509_key => 'files/nodes/#{arg}/#{arg}.key', + :node_x509_cert => 'files/nodes/#{arg}/#{arg}.crt', + :node_tor_priv_key => 'files/nodes/#{arg}/tor.key', + :node_tor_pub_key => 'files/nodes/#{arg}/tor.pub', # testing files :test_client_key => 'test/cert/client.key', diff --git a/provider_base/lib/macros.rb b/provider_base/lib/macros.rb index 854b92b5..ecc3e6ba 100644 --- a/provider_base/lib/macros.rb +++ b/provider_base/lib/macros.rb @@ -9,6 +9,7 @@ require_relative 'macros/core' require_relative 'macros/files' require_relative 'macros/haproxy' require_relative 'macros/hosts' +require_relative 'macros/keys' require_relative 'macros/nodes' require_relative 'macros/secrets' require_relative 'macros/stunnel' diff --git a/provider_base/lib/macros/files.rb b/provider_base/lib/macros/files.rb index b3ba4a06..958958bc 100644 --- a/provider_base/lib/macros/files.rb +++ b/provider_base/lib/macros/files.rb @@ -48,13 +48,22 @@ module LeapCli # * if the path does not exist locally, but exists in provider_base, then the default file from # provider_base is copied locally. this is required for rsync to work correctly. # - def file_path(path) + def file_path(path, options={}) if path.is_a? Symbol path = [path, @node.name] + elsif path.is_a? String + # ensure it prefixed with files/ + unless path =~ /^files\// + path = "files/" + path + end end actual_path = Path.find_file(path) if actual_path.nil? - Util::log 2, :skipping, "file_path(\"#{path}\") because there is no such file." + if options[:missing] + raise FileMissing.new(Path.named_path(path), options) + else + Util::log 2, :skipping, "file_path(\"#{path}\") because there is no such file." + end nil else if actual_path =~ /^#{Regexp.escape(Path.provider_base)}/ @@ -70,6 +79,7 @@ module LeapCli actual_path += '/' # ensure directories end with /, important for building rsync command end relative_path = Path.relative_path(actual_path) + relative_path.sub!(/^files\//, '') # remove "files/" prefix @node.file_paths << relative_path File.join(Leap::Platform.files_dir, relative_path) end diff --git a/provider_base/lib/macros/keys.rb b/provider_base/lib/macros/keys.rb new file mode 100644 index 00000000..0d46acb5 --- /dev/null +++ b/provider_base/lib/macros/keys.rb @@ -0,0 +1,78 @@ +# encoding: utf-8 + +# +# Macro for dealing with cryptographic keys +# + +module LeapCli + module Macro + + # + # return the path to the tor public key + # generating key if it is missing + # + def tor_public_key_path(path_name, key_type) + path = file_path(path_name) + if path.nil? + generate_tor_key(key_type) + end + return path + end + + # + # return the path to the tor private key + # generating key if it is missing + # + def tor_private_key_path(path_name, key_type) + path = file_path(path_name) + if path.nil? + generate_tor_key(key_type) + end + return path + end + + # + # on the command line an onion address can be created + # from an rsa public key using this: + # + # base64 -d < ./pubkey | sha1sum | awk '{print $1}' | + # perl -e '$l=<>; chomp $l; print pack("H*", $l)' | + # python -c 'import base64, sys; t=sys.stdin.read(); print base64.b32encode(t[:10]).lower()' + # + # path_name is the named path of the tor public key. + # + def onion_address(path_name) + require 'base32' + require 'base64' + require 'openssl' + path = Path.find_file([path_name, self.name]) + if path && File.exists?(path) + public_key_str = File.readlines(path).grep(/^[^-]/).join + public_key = Base64.decode64(public_key_str) + sha1sum_string = Digest::SHA1.new.hexdigest(public_key) + sha1sum_binary = [sha1sum_string].pack('H*') + Base32.encode(sha1sum_binary.slice(0,10)).downcase + else + LeapCli.log :warning, 'Tor public key file "%s" does not exist' % tor_public_key_path + end + end + + private + + def generate_tor_key(key_type) + if key_type == 'RSA' + require 'certificate_authority' + keypair = CertificateAuthority::MemoryKeyMaterial.new + bit_size = 1024 + LeapCli.log :generating, "%s bit RSA Tor key" % bit_size do + keypair.generate_key(bit_size) + LeapCli::Util.write_file! [:node_tor_priv_key, self.name], keypair.private_key.to_pem + LeapCli::Util.write_file! [:node_tor_pub_key, self.name], keypair.public_key.to_pem + end + else + LeapCli.bail! 'tor.key.type of %s is not yet supported' % key_type + end + end + + end +end diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json index fc365a19..87fb9682 100644 --- a/provider_base/services/tor.json +++ b/provider_base/services/tor.json @@ -3,6 +3,13 @@ "bandwidth_rate": 6550, "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten", "nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]", - "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')" + "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')", + "hidden_service": null, + "key": { + "type": "RSA", + "public": "= tor_public_key_path(:node_tor_pub_key, tor.key.type) if tor.hidden_service", + "private": "= tor_private_key_path(:node_tor_priv_key, tor.key.type) if tor.hidden_service", + "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service" + } } } -- cgit v1.2.3 From 84957fbd0f1e4aa26303b6488d9ec7df8af08ab7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 31 Oct 2014 13:15:13 -0400 Subject: Fix deprecated dynamic lookups of variables in site_couchdb (#6286) Change-Id: I318944a6872a53ff9c533704514da339426d9401 --- puppet/modules/site_couchdb/manifests/bigcouch.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp index f0aab734..e3cba4ba 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp @@ -1,12 +1,12 @@ class site_couchdb::bigcouch { - $config = $couchdb_config['bigcouch'] + $config = $::site_couchdb::couchdb_config['bigcouch'] $cookie = $config['cookie'] $ednp_port = $config['ednp_port'] class { 'couchdb': - admin_pw => $couchdb_admin_pw, - admin_salt => $couchdb_admin_salt, + admin_pw => $::site_couchdb::couchdb_admin_pw, + admin_salt => $::site_couchdb::couchdb_admin_salt, bigcouch => true, bigcouch_cookie => $cookie, ednp_port => $ednp_port, -- cgit v1.2.3 From 5787c97b6f73dacae7f01adeff203287007c381d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 1 Nov 2014 10:36:48 -0400 Subject: stop using bad nist curve for ssh host key (#6294) update port parameter in site_sshd to be an array, otherwise puppet errors about it being a Fixnum with new sshd module Change-Id: I854d042edb98817169eef5e758d04d60d3c71dd5 --- puppet/modules/site_sshd/manifests/init.pp | 2 +- puppet/modules/sshd | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 9a05b6ed..1da2f1d5 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -53,7 +53,7 @@ class site_sshd { ## class { '::sshd': manage_nagios => false, - ports => $ssh['port'], + ports => [ $ssh['port'] ], use_pam => 'yes', hardened_ssl => 'yes', print_motd => 'no', diff --git a/puppet/modules/sshd b/puppet/modules/sshd index 5c23b332..4652fbca 160000 --- a/puppet/modules/sshd +++ b/puppet/modules/sshd @@ -1 +1 @@ -Subproject commit 5c23b33200fc6229ada7f4e13672b5da0d4bdd8e +Subproject commit 4652fbcae0aadcded5d390e71882aec1b1b738ba -- cgit v1.2.3 From 38d7c80fae4efc1d365ec9f982cb025dc67a4386 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 2 Nov 2014 20:53:34 -0500 Subject: add missing TLSv1 sslversion parameter to site_stunnel::serviers Change-Id: I48dc8135943393bd11c7181853985f4a5799011e --- puppet/modules/site_stunnel/manifests/servers.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp index b1da5c59..8d537644 100644 --- a/puppet/modules/site_stunnel/manifests/servers.pp +++ b/puppet/modules/site_stunnel/manifests/servers.pp @@ -35,6 +35,7 @@ define site_stunnel::servers ( pid => "/var/run/stunnel4/${pid}.pid", rndfile => '/var/lib/stunnel4/.rnd', debuglevel => $debuglevel, + sslversion => 'TLSv1', require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], -- cgit v1.2.3 From 18f5d6ea49446f214cbb764ea223f427aafd641e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 2 Nov 2014 21:47:36 -0500 Subject: change ordering hints to use refresh_stunnel exec instead of service (#6287) In a multi-node couch deployment, it was observed that the Service['stunnel'] would be activated, and then later a stunnel::client was created which would trigger an Exec['refresh_stunnel']. Because of this, and the ordering hints that were in place, the service would get started, and then the couchdb databases, users, designs, etc. were being put into place and then a stunnel client was created, triggering the refresh_stunnel exec, which would cause an interruption in the connectivity and result in failures. This change replaces the Service['stunnel'] hint with the the Exec['refresh_stunnel'] to make sure that the stunnels are fully setup before attempting couch operations. Change-Id: I33ddd24884b3c23a1df5555ca53ca65cd703da50 --- puppet/modules/couchdb | 2 +- puppet/modules/site_couchdb/manifests/bigcouch.pp | 2 +- puppet/modules/site_couchdb/manifests/init.pp | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index f01b3586..4c0d5673 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit f01b3586215bdc10f0067fa0f6d940be8e88bcea +Subproject commit 4c0d5673df02fe42e1bbadfee7d4ea1ca1f88e98 diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp index e3cba4ba..d71c00c5 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp @@ -19,7 +19,7 @@ class site_couchdb::bigcouch { Class['site_config::default'] -> Class['couchdb::bigcouch::package::cloudant'] -> Service['shorewall'] - -> Service['stunnel'] + -> Exec['refresh_stunnel'] -> Class['site_couchdb::setup'] -> Class['site_couchdb::bigcouch::add_nodes'] -> Class['site_couchdb::bigcouch::settle_cluster'] diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 5a4fb936..a11f6309 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -42,13 +42,13 @@ class site_couchdb { $couchdb_backup = $couchdb_config['backup'] $couchdb_mode = $couchdb_config['mode'] - if $couchdb_mode == "multimaster" { include site_couchdb::bigcouch } - if $couchdb_mode == "master" { include site_couchdb::master } - if $couchdb_mode == "mirror" { include site_couchdb::mirror } + if $couchdb_mode == 'multimaster' { include site_couchdb::bigcouch } + if $couchdb_mode == 'master' { include site_couchdb::master } + if $couchdb_mode == 'mirror' { include site_couchdb::mirror } Class['site_config::default'] -> Service['shorewall'] - -> Service['stunnel'] + -> Exec['refresh_stunnel'] -> Class['couchdb'] -> Class['site_couchdb::setup'] -- cgit v1.2.3 From c150fa3eb79d822850205c0178de9bb5f422ae01 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 4 Nov 2014 11:34:42 -0500 Subject: add local 50unattended-upgrades to fix unattended-upgrades not upgrading leap packages (#4425) Change-Id: I78c00c4410ff9f712206f95854d8803e43acb286 --- .../modules/site_apt/files/Debian/50unattended-upgrades | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 puppet/modules/site_apt/files/Debian/50unattended-upgrades diff --git a/puppet/modules/site_apt/files/Debian/50unattended-upgrades b/puppet/modules/site_apt/files/Debian/50unattended-upgrades new file mode 100644 index 00000000..f2f574fc --- /dev/null +++ b/puppet/modules/site_apt/files/Debian/50unattended-upgrades @@ -0,0 +1,16 @@ +// this file is managed by puppet ! + +Unattended-Upgrade::Allowed-Origins { + "${distro_id}:stable"; + "${distro_id}:${distro_codename}-security"; + "${distro_id}:${distro_codename}-updates"; + "${distro_id} Backports:${distro_codename}-backports"; + "leap.se:stable"; +}; + +APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Download-Upgradeable-Packages "1"; +APT::Periodic::Unattended-Upgrade "1"; + +Unattended-Upgrade::Mail "root"; +Unattended-Upgrade::MailOnlyOnError "true"; -- cgit v1.2.3 From 90b672ed58982b232b1c96febcd9736ae5fc4faf Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 4 Nov 2014 12:25:54 -0800 Subject: tor - to activate hidden service, now set tor.hidden_service.active = true --- provider_base/lib/macros/keys.rb | 8 ++++++-- provider_base/services/tor.json | 12 ++++++------ 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/provider_base/lib/macros/keys.rb b/provider_base/lib/macros/keys.rb index 0d46acb5..ea4c3df2 100644 --- a/provider_base/lib/macros/keys.rb +++ b/provider_base/lib/macros/keys.rb @@ -15,8 +15,10 @@ module LeapCli path = file_path(path_name) if path.nil? generate_tor_key(key_type) + file_path(path_name) + else + path end - return path end # @@ -27,8 +29,10 @@ module LeapCli path = file_path(path_name) if path.nil? generate_tor_key(key_type) + file_path(path_name) + else + path end - return path end # diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json index 87fb9682..55d3d2ee 100644 --- a/provider_base/services/tor.json +++ b/provider_base/services/tor.json @@ -4,12 +4,12 @@ "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten", "nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]", "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')", - "hidden_service": null, - "key": { - "type": "RSA", - "public": "= tor_public_key_path(:node_tor_pub_key, tor.key.type) if tor.hidden_service", - "private": "= tor_private_key_path(:node_tor_priv_key, tor.key.type) if tor.hidden_service", - "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service" + "hidden_service": { + "active": null, + "key_type": "RSA", + "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type) if tor.hidden_service.active", + "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type) if tor.hidden_service.active", + "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service.active" } } } -- cgit v1.2.3 From 3c06efc2529188c175209d09f8db1932dc4295b8 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 4 Nov 2014 12:25:54 -0800 Subject: tor - to activate hidden service, now set tor.hidden_service.active = true --- provider_base/lib/macros/keys.rb | 8 ++++++-- provider_base/services/tor.json | 12 ++++++------ 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/provider_base/lib/macros/keys.rb b/provider_base/lib/macros/keys.rb index 0d46acb5..ea4c3df2 100644 --- a/provider_base/lib/macros/keys.rb +++ b/provider_base/lib/macros/keys.rb @@ -15,8 +15,10 @@ module LeapCli path = file_path(path_name) if path.nil? generate_tor_key(key_type) + file_path(path_name) + else + path end - return path end # @@ -27,8 +29,10 @@ module LeapCli path = file_path(path_name) if path.nil? generate_tor_key(key_type) + file_path(path_name) + else + path end - return path end # diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json index 87fb9682..55d3d2ee 100644 --- a/provider_base/services/tor.json +++ b/provider_base/services/tor.json @@ -4,12 +4,12 @@ "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten", "nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]", "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')", - "hidden_service": null, - "key": { - "type": "RSA", - "public": "= tor_public_key_path(:node_tor_pub_key, tor.key.type) if tor.hidden_service", - "private": "= tor_private_key_path(:node_tor_priv_key, tor.key.type) if tor.hidden_service", - "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service" + "hidden_service": { + "active": null, + "key_type": "RSA", + "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type) if tor.hidden_service.active", + "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type) if tor.hidden_service.active", + "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service.active" } } } -- cgit v1.2.3 From 16c985a1b8e692c0e0f76a30b7ec052c9dc269bd Mon Sep 17 00:00:00 2001 From: guido Date: Tue, 28 Oct 2014 21:03:52 -0300 Subject: Adds support for Tor hidden service on webapp (Feature #6273) Change-Id: I56250e05e3a933deacd0b6e02192e712d3fd9fd5 --- .../templates/vhosts.d/hidden_service.conf.erb | 33 +++++++++++++++++ .../site_webapp/manifests/hidden_service.pp | 43 ++++++++++++++++++++++ puppet/modules/site_webapp/manifests/init.pp | 6 +++ 3 files changed, 82 insertions(+) create mode 100644 puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb create mode 100644 puppet/modules/site_webapp/manifests/hidden_service.pp diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb new file mode 100644 index 00000000..0c6f3b8e --- /dev/null +++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb @@ -0,0 +1,33 @@ + + ServerName <%= tor_domain %> + + + Header always unset X-Powered-By + Header always unset X-Runtime + + +<% if (defined? @services) and (@services.include? 'webapp') -%> + DocumentRoot /srv/leap/webapp/public + + RewriteEngine On + # Check for maintenance file and redirect all requests + RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.html + RewriteCond %{REQUEST_URI} !/images/maintenance.jpg + RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] + + # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt + AllowEncodedSlashes on + PassengerAllowEncodedSlashes on + PassengerFriendlyErrorPages off + SetEnv TMPDIR /var/tmp + + # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) + + Header unset ETag + FileETag None + ExpiresActive On + ExpiresDefault "access plus 1 year" + +<% end -%> + diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp new file mode 100644 index 00000000..ac0e8a37 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp @@ -0,0 +1,43 @@ +class site_webapp::hidden_service { + $tor = hiera('tor') + $hidden_service = $tor['hidden_service'] + $tor_domain = "${hidden_service['address']}.onion" + + include site_apache::common + include site_apache::module::headers + include site_apache::module::alias + include site_apache::module::expires + include site_apache::module::removeip + + include tor::daemon + tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' } + + file { + '/var/lib/tor/webapp/': + ensure => directory, + owner => 'debian-tor', + group => 'debian-tor', + mode => '2700'; + + '/var/lib/tor/webapp/private_key': + ensure => present, + source => '/srv/leap/files/nodes/web/tor.key', + owner => 'debian-tor', + group => 'debian-tor', + mode => '0600'; + + '/var/lib/tor/webapp/hostname': + ensure => present, + content => $tor_domain, + owner => 'debian-tor', + group => 'debian-tor', + mode => '0600'; + } + + apache::vhost::file { + 'hidden_service': + content => template('site_apache/vhosts.d/hidden_service.conf.erb') + } + + include site_shorewall::tor +} \ No newline at end of file diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 17b010f3..12c69a39 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -10,6 +10,8 @@ class site_webapp { $webapp = hiera('webapp') $api_version = $webapp['api_version'] $secret_token = $webapp['secret_token'] + $tor = hiera('tor') + $hidden_service = $tor['hidden_service'] Class['site_config::default'] -> Class['site_webapp'] @@ -157,6 +159,10 @@ class site_webapp { notify => Service['apache']; } + if $hidden_service['active'] { + include site_webapp::hidden_service + } + include site_shorewall::webapp include site_check_mk::agent::webapp } -- cgit v1.2.3 From d0658888a0af6b06b03fd172306ea3f346c50081 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 4 Nov 2014 20:45:39 -0500 Subject: revert 5787c97b6f73dacae7f01adeff203287007c381d: stop using bad nist curve for ssh host key (#6294) We need to transition smoother (see #6319) Change-Id: I8bee032aef9502a7d4b701b99719fbfb3b7169da --- puppet/modules/sshd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/sshd b/puppet/modules/sshd index 4652fbca..750a4977 160000 --- a/puppet/modules/sshd +++ b/puppet/modules/sshd @@ -1 +1 @@ -Subproject commit 4652fbcae0aadcded5d390e71882aec1b1b738ba +Subproject commit 750a497758d94c2f5a6cad23cecc3dbde2d2f92f -- cgit v1.2.3 From 3ec9b173c092f1b582285c3e3573259d289c400e Mon Sep 17 00:00:00 2001 From: guido Date: Thu, 6 Nov 2014 12:45:32 -0300 Subject: Better check for tor hidden service on a webapp node. Change-Id: I92f69b6fa30aae953243ae19096e2998810c9ac6 --- puppet/modules/site_webapp/manifests/init.pp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 12c69a39..752993c1 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -10,8 +10,7 @@ class site_webapp { $webapp = hiera('webapp') $api_version = $webapp['api_version'] $secret_token = $webapp['secret_token'] - $tor = hiera('tor') - $hidden_service = $tor['hidden_service'] + $tor = hiera('tor', false) Class['site_config::default'] -> Class['site_webapp'] @@ -159,8 +158,11 @@ class site_webapp { notify => Service['apache']; } - if $hidden_service['active'] { - include site_webapp::hidden_service + if $tor { + $hidden_service = $tor['hidden_service'] + if $hidden_service['active'] { + include site_webapp::hidden_service + } } include site_shorewall::webapp -- cgit v1.2.3 From 180f32512a4c47444ea9e4f36d7376a894a83a4b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 8 Nov 2014 00:44:30 -0500 Subject: Don't configure the tor DirPort options if the node is not an exit (#6335) Change-Id: I4c7fb20b6da6f6a5bb2dd5af70511a28d4581174 --- puppet/modules/site_tor/manifests/init.pp | 4 ---- 1 file changed, 4 deletions(-) diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index e62cb12d..58f9e971 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -24,10 +24,6 @@ class site_tor { tor::daemon::directory { $::hostname: port => 80 } } else { - tor::daemon::directory { $::hostname: - port => 80, - port_front_page => ''; - } include site_tor::disable_exit } -- cgit v1.2.3 From fe23f66f0cff5af71c10aeefdbb0b1131d871219 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 8 Nov 2014 00:45:14 -0500 Subject: Only enable the tor DirPort options on an exit if the node isn't also a webapp node (#6336) Change-Id: Ib70bbd8fe7b94b7a1bfb09390d5dd1c535f2da16 --- puppet/modules/site_tor/manifests/init.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 58f9e971..8f68a4e4 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -21,7 +21,10 @@ class site_tor { } if ( $tor_type == 'exit'){ - tor::daemon::directory { $::hostname: port => 80 } + # Only enable the daemon directory if the node isn't also a webapp node + if ! member($::services, 'webapp') { + tor::daemon::directory { $::hostname: port => 80 } + } } else { include site_tor::disable_exit -- cgit v1.2.3 From 51d581583ca354232f6ccbfb771c1cad00ec2db3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 8 Nov 2014 00:46:00 -0500 Subject: minor linting, arrow lining up Change-Id: Ibd08529b7d1c4fc22bcd0ca36e518afa5b8f6d24 --- puppet/modules/site_tor/manifests/init.pp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 8f68a4e4..9944bb2b 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -13,11 +13,11 @@ class site_tor { class { 'tor::daemon': } tor::daemon::relay { $nickname: - port => 9001, - address => $address, - contact_info => obfuscate_email($contact_emails), - bandwidth_rate => $bandwidth_rate, - my_family => $family + port => 9001, + address => $address, + contact_info => obfuscate_email($contact_emails), + bandwidth_rate => $bandwidth_rate, + my_family => $family } if ( $tor_type == 'exit'){ -- cgit v1.2.3 From 9299574b45de02d417e7237ba49b0222002bbc21 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 15 Oct 2014 15:28:54 -0700 Subject: tests - added test that creates user, authenticates, deletes user --- bin/run_tests | 224 ++++------------------------------------ tests/README.md | 27 +++-- tests/helpers/couchdb_helper.rb | 103 ++++++++++++++++++ tests/helpers/files_helper.rb | 54 ++++++++++ tests/helpers/http_helper.rb | 145 ++++++++++++++++++++++++++ tests/helpers/network_helper.rb | 79 ++++++++++++++ tests/helpers/os_helper.rb | 34 ++++++ tests/helpers/srp_helper.rb | 171 ++++++++++++++++++++++++++++++ tests/order.rb | 4 + tests/white-box/couchdb.rb | 58 ++++++----- tests/white-box/mx.rb | 50 +++++++++ tests/white-box/webapp.rb | 141 ++++++++++++++++++------- 12 files changed, 811 insertions(+), 279 deletions(-) create mode 100644 tests/helpers/couchdb_helper.rb create mode 100644 tests/helpers/files_helper.rb create mode 100644 tests/helpers/http_helper.rb create mode 100644 tests/helpers/network_helper.rb create mode 100644 tests/helpers/os_helper.rb create mode 100644 tests/helpers/srp_helper.rb create mode 100644 tests/white-box/mx.rb diff --git a/bin/run_tests b/bin/run_tests index e026b5f7..b3e60fcc 100755 --- a/bin/run_tests +++ b/bin/run_tests @@ -14,7 +14,6 @@ require 'minitest/unit' require 'yaml' require 'tsort' -require 'net/http' ## ## EXIT CODES @@ -114,7 +113,10 @@ class LeapTest < MiniTest::Unit::TestCase # the default fail() is part of the kernel and it just throws a runtime exception. for tests, # we want the same behavior as assert(false) # - def fail(msg=nil) + def fail(msg=nil, exception=nil) + if DEBUG && exception && exception.respond_to?(:backtrace) + msg += MiniTest::filter_backtrace(exception.backtrace).join "\n" + end assert(false, msg) end @@ -129,207 +131,6 @@ class LeapTest < MiniTest::Unit::TestCase :alpha end - # - # attempts a http GET on the url, yields |body, response, error| - # - def get(url, params=nil) - uri = URI(url) - if params - uri.query = URI.encode_www_form(params) - end - http = Net::HTTP.new uri.host, uri.port - if uri.scheme == 'https' - http.verify_mode = OpenSSL::SSL::VERIFY_NONE - http.use_ssl = true - end - http.start do |agent| - request = Net::HTTP::Get.new uri.request_uri - if uri.user - request.basic_auth uri.user, uri.password - end - response = agent.request(request) - if response.is_a?(Net::HTTPSuccess) - yield response.body, response, nil - else - yield nil, response, nil - end - end - rescue => exc - yield nil, nil, exc - end - - def assert_get(url, params=nil, options=nil) - options ||= {} - get(url, params) do |body, response, error| - if body - yield body if block_given? - elsif response - fail ["Expected a 200 status code from #{url}, but got #{response.code} instead.", options[:error_msg]].compact.join("\n") - else - fail ["Expected a response from #{url}, but got \"#{error}\" instead.", options[:error_msg]].compact.join("\n") - end - end - end - - # - # only a warning for now, should be a failure in the future - # - def assert_auth_fail(url, params) - uri = URI(url) - get(url, params) do |body, response, error| - unless response.code.to_s == "401" - warn "Expected a '401 Unauthorized' response, but got #{response.code} instead (GET #{uri.request_uri} with username '#{uri.user}')." - return false - end - end - true - end - - # - # test if a socket can be connected to - # - - # - # tcp connection helper with timeout - # - def try_tcp_connect(host, port, timeout = 5) - addr = Socket.getaddrinfo(host, nil) - sockaddr = Socket.pack_sockaddr_in(port, addr[0][3]) - - Socket.new(Socket.const_get(addr[0][0]), Socket::SOCK_STREAM, 0).tap do |socket| - socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1) - begin - socket.connect_nonblock(sockaddr) - rescue IO::WaitReadable - if IO.select([socket], nil, nil, timeout) == nil - raise "Connection timeout" - else - socket.connect_nonblock(sockaddr) - end - rescue IO::WaitWritable - if IO.select(nil, [socket], nil, timeout) == nil - raise "Connection timeout" - else - socket.connect_nonblock(sockaddr) - end - end - return socket - end - end - - def try_tcp_write(socket, timeout = 5) - begin - socket.write_nonblock("\0") - rescue IO::WaitReadable - if IO.select([socket], nil, nil, timeout) == nil - raise "Write timeout" - else - retry - end - rescue IO::WaitWritable - if IO.select(nil, [socket], nil, timeout) == nil - raise "Write timeout" - else - retry - end - end - end - - def try_tcp_read(socket, timeout = 5) - begin - socket.read_nonblock(1) - rescue IO::WaitReadable - if IO.select([socket], nil, nil, timeout) == nil - raise "Read timeout" - else - retry - end - rescue IO::WaitWritable - if IO.select(nil, [socket], nil, timeout) == nil - raise "Read timeout" - else - retry - end - end - end - - def assert_tcp_socket(host, port, msg=nil) - begin - socket = try_tcp_connect(host, port, 1) - #try_tcp_write(socket,1) - #try_tcp_read(socket,1) - rescue StandardError => exc - fail ["Failed to open socket #{host}:#{port}", exc].join("\n") - ensure - socket.close if socket - end - end - - # - # Matches the regexp in the file, and returns the first matched string (or fails if no match). - # - def file_match(filename, regexp) - if match = File.read(filename).match(regexp) - match.captures.first - else - fail "Regexp #{regexp.inspect} not found in file #{filename.inspect}." - end - end - - # - # Matches the regexp in the file, and returns array of matched strings (or fails if no match). - # - def file_matches(filename, regexp) - if match = File.read(filename).match(regexp) - match.captures - else - fail "Regexp #{regexp.inspect} not found in file #{filename.inspect}." - end - end - - # - # checks to make sure the given property path exists in $node (e.g. hiera.yaml) - # and returns the value - # - def assert_property(property) - latest = $node - property.split('.').each do |segment| - latest = latest[segment] - fail "Required node property `#{property}` is missing." if latest.nil? - end - return latest - end - - # - # works like pgrep command line - # return an array of hashes like so [{:pid => "1234", :process => "ls"}] - # - def pgrep(match) - output = `pgrep --full --list-name '#{match}'` - output.each_line.map{|line| - pid = line.split(' ')[0] - process = line.gsub(/(#{pid} |\n)/, '') - if process =~ /pgrep --full --list-name/ - nil - else - {:pid => pid, :process => process} - end - }.compact - end -end - -def assert_running(process) - assert pgrep(process).any?, "No running process for #{process}" -end - -# -# runs the specified command, failing on a non-zero exit status. -# -def assert_run(command) - output = `#{command}` - if $?.exitstatus != 0 - fail "Error running `#{command}`:\n#{output}" - end end # @@ -441,7 +242,7 @@ class LeapRunner < MiniTest::Unit def report_line(prefix, klass, meth, e=nil, message=nil) msg_txt = nil if message - message = message.sub(/http:\/\/([a-z_]+):([a-zA-Z0-9_]+)@/, "http://\\1:password@") + message = message.sub(/http:\/\/([a-z_]+):([a-zA-Z0-9_]+)@/, "http://\\1:REDACTED@") if $output_format == :human indent = "\n " msg_txt = indent + message.split("\n").join(indent) @@ -556,7 +357,8 @@ def print_help " --test TEST Run only the test with name TEST.", " --list-tests Prints the names of all available tests and exit.", " --retry COUNT If the tests don't pass, retry COUNT additional times (default is zero)", - " --wait SECONDS Wait for SECONDS between retries (default is 5)"].join("\n") + " --wait SECONDS Wait for SECONDS between retries (default is 5)", + " --debug Print out full stack trace on errors"].join("\n") exit(0) end @@ -615,6 +417,9 @@ def main # load all test classes this_file = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ + Dir[File.expand_path('../../tests/helpers/*.rb', this_file)].each do |helper| + require helper + end Dir[File.expand_path('../../tests/white-box/*.rb', this_file)].each do |test_file| begin require test_file @@ -636,10 +441,19 @@ def main when '--list-tests' then list_tests when '--retry' then ARGV.shift; $retry = ARGV.shift.to_i when '--wait' then ARGV.shift; $wait = ARGV.shift.to_i + when '--debug' then ARGV.shift + when '-d' then ARGV.shift else break end end run_tests end +if ARGV.include?('--debug') || ARGV.include?('-d') + DEBUG=true + require 'debugger' +else + DEBUG=false +end + main() diff --git a/tests/README.md b/tests/README.md index debbf700..814c25b1 100644 --- a/tests/README.md +++ b/tests/README.md @@ -1,12 +1,25 @@ -This directory contains to kinds of tests: +Tests +--------------------------------- -White Box Tests -================================ +tests/white-box/ -These tests are run on the server as superuser. They are for troubleshooting any problems with the internal setup of the server. + These tests are run on the server as superuser. They are for + troubleshooting any problems with the internal setup of the server. -Black Box Tests -================================ +tests/black-box/ + + These test are run the user's local machine. They are for troubleshooting + any external problems with the service exposed by the server. + +Additional Files +--------------------------------- + +tests/helpers/ + + Utility functions made available to all tests. + +tests/order.rb + + Configuration file to specify which nodes should be tested in which order. -These test are run the user's local machine. They are for troubleshooting any external problems with the service exposed by the server. diff --git a/tests/helpers/couchdb_helper.rb b/tests/helpers/couchdb_helper.rb new file mode 100644 index 00000000..d4d3c0e0 --- /dev/null +++ b/tests/helpers/couchdb_helper.rb @@ -0,0 +1,103 @@ +class LeapTest + + # + # generates a couchdb url for when couchdb is running + # remotely and is available via stunnel. + # + # example properties: + # + # stunnel: + # clients: + # couch_client: + # couch1_5984: + # accept_port: 4000 + # connect: couch1.bitmask.i + # connect_port: 15984 + # + def couchdb_urls_via_stunnel(path="", options=nil) + if options && options[:username] && options[:password] + userpart = "%{username}:%{password}@" % options + else + userpart = "" + end + assert_property('stunnel.clients.couch_client').values.collect do |stunnel_conf| + assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.' + URLString.new("http://#{userpart}localhost:#{port}#{path}").tap {|url| + remote_ip_address = TCPSocket.gethostbyname(stunnel_conf['connect']).last + url.memo = "(via stunnel to %s:%s, aka %s)" % [stunnel_conf['connect'], stunnel_conf['connect_port'], remote_ip_address] + } + end + end + + # + # generates a couchdb url for accessing couchdb via haproxy + # + # example properties: + # + # haproxy: + # couch: + # listen_port: 4096 + # servers: + # panda: + # backup: false + # host: localhost + # port: 4000 + # weight: 100 + # writable: true + # + def couchdb_url_via_haproxy(path="", options=nil) + if options && options[:username] && options[:password] + userpart = "%{username}:%{password}@" % options + else + userpart = "" + end + port = assert_property('haproxy.couch.listen_port') + return URLString.new("http://#{userpart}localhost:#{port}#{path}").tap { |url| + url.memo = '(via haproxy)' + } + end + + # + # generates a couchdb url for when couchdb is running locally. + # + # example properties: + # + # couch: + # port: 5984 + # + def couchdb_url_via_localhost(path="", options=nil) + port = (options && options[:port]) || assert_property('couch.port') + if options && options[:username] + password = property("couch.users.%{username}.password" % options) + userpart = "%s:%s@" % [options[:username], password] + else + userpart = "" + end + return URLString.new("http://#{userpart}localhost:#{port}#{path}").tap { |url| + url.memo = '(via direct localhost connection)' + } + end + + # + # returns a single url for accessing couchdb + # + def couchdb_url(path="", options=nil) + if property('couch.port') + couchdb_url_via_localhost(path, options) + elsif property('stunnel.clients.couch_client') + couchdb_urls_via_stunnel(path, options).first + end + end + + # + # returns an array of urls for accessing couchdb + # + def couchdb_urls(path="", options=nil) + if property('couch.port') + [couchdb_url_via_localhost(path, options)] + elsif property('stunnel.clients.couch_client') + couchdb_urls_via_stunnel(path, options) + end + end + +end \ No newline at end of file diff --git a/tests/helpers/files_helper.rb b/tests/helpers/files_helper.rb new file mode 100644 index 00000000..d6795889 --- /dev/null +++ b/tests/helpers/files_helper.rb @@ -0,0 +1,54 @@ +class LeapTest + + # + # Matches the regexp in the file, and returns the first matched string (or fails if no match). + # + def file_match(filename, regexp) + if match = File.read(filename).match(regexp) + match.captures.first + else + fail "Regexp #{regexp.inspect} not found in file #{filename.inspect}." + end + end + + # + # Matches the regexp in the file, and returns array of matched strings (or fails if no match). + # + def file_matches(filename, regexp) + if match = File.read(filename).match(regexp) + match.captures + else + fail "Regexp #{regexp.inspect} not found in file #{filename.inspect}." + end + end + + # + # checks to make sure the given property path exists in $node (e.g. hiera.yaml) + # and returns the value + # + def assert_property(property) + latest = $node + property.split('.').each do |segment| + latest = latest[segment] + fail "Required node property `#{property}` is missing." if latest.nil? + end + return latest + end + + # + # a handy function to get the value of a long property path + # without needing to test the existance individually of each part + # in the tree. + # + # e.g. property("stunnel.clients.couch_client") + # + def property(property) + latest = $node + property.split('.').each do |segment| + latest = latest[segment] + return nil if latest.nil? + end + return latest + end + +end \ No newline at end of file diff --git a/tests/helpers/http_helper.rb b/tests/helpers/http_helper.rb new file mode 100644 index 00000000..c941ef63 --- /dev/null +++ b/tests/helpers/http_helper.rb @@ -0,0 +1,145 @@ +require 'net/http' + +class LeapTest + + # + # In order to easily provide detailed error messages, it is useful + # to append a memo to a url string that details what this url is for + # (e.g. stunnel, haproxy, etc). + # + # So, the url happens to be a UrlString, the memo field is used + # if there is an error in assert_get. + # + class URLString < String + attr_accessor :memo + end + + # + # aliases for http_send() + # + def get(url, params=nil, options=nil, &block) + http_send("GET", url, params, options, &block) + end + def delete(url, params=nil, options=nil, &block) + http_send("DELETE", url, params, options, &block) + end + def post(url, params=nil, options=nil, &block) + http_send("POST", url, params, options, &block) + end + def put(url, params=nil, options=nil, &block) + http_send("PUT", url, params, options, &block) + end + + # + # send a GET, DELETE, POST, or PUT + # yields |body, response, error| + # + def http_send(method, url, params=nil, options=nil) + options ||= {} + response = nil + + # build uri + uri = URI(url) + if params && (method == 'GET' || method == 'DELETE') + uri.query = URI.encode_www_form(params) + end + + # build http + http = Net::HTTP.new uri.host, uri.port + if uri.scheme == 'https' + http.verify_mode = OpenSSL::SSL::VERIFY_NONE + http.use_ssl = true + end + + # build request + request = build_request(method, uri, params, options) + + # make http request + http.start do |agent| + response = agent.request(request) + yield response.body, response, nil + end + rescue => exc + yield nil, response, exc + end + + # + # Aliases for assert_http_send() + # + def assert_get(url, params=nil, options=nil, &block) + assert_http_send("GET", url, params, options, &block) + end + def assert_delete(url, params=nil, options=nil, &block) + assert_http_send("DELETE", url, params, options, &block) + end + def assert_post(url, params=nil, options=nil, &block) + assert_http_send("POST", url, params, options, &block) + end + def assert_put(url, params=nil, options=nil, &block) + assert_http_send("PUT", url, params, options, &block) + end + + # + # calls http_send, yielding results if successful or failing with + # descriptive infor otherwise. + # + def assert_http_send(method, url, params=nil, options=nil, &block) + options ||= {} + error_msg = options[:error_msg] || (url.respond_to?(:memo) ? url.memo : nil) + http_send(method, url, params, options) do |body, response, error| + if body && response && response.code.to_i >= 200 && response.code.to_i < 300 + if block + yield(body) if block.arity == 1 + yield(response, body) if block.arity == 2 + end + elsif response + fail ["Expected a 200 status code from #{url}, but got #{response.code} instead.", error_msg, body].compact.join("\n") + else + fail ["Expected a response from #{url}, but got \"#{error}\" instead.", error_msg, body].compact.join("\n"), error + end + end + end + + # + # only a warning for now, should be a failure in the future + # + def assert_auth_fail(url, params) + uri = URI(url) + get(url, params) do |body, response, error| + unless response.code.to_s == "401" + warn "Expected a '401 Unauthorized' response, but got #{response.code} instead (GET #{uri.request_uri} with username '#{uri.user}')." + return false + end + end + true + end + + private + + def build_request(method, uri, params, options) + request = case method + when "GET" then Net::HTTP::Get.new(uri.request_uri) + when "DELETE" then Net::HTTP::Delete.new(uri.request_uri) + when "POST" then Net::HTTP::Post.new(uri.request_uri) + when "PUT" then Net::HTTP::Put.new(uri.request_uri) + end + if uri.user + request.basic_auth uri.user, uri.password + end + if params && (method == 'POST' || method == 'PUT') + if options[:format] == :json || options[:format] == 'json' + request["Content-Type"] = "application/json" + request.body = params.to_json + else + request.set_form_data(params) if params + end + end + if options[:headers] + options[:headers].each do |key, value| + request[key] = value + end + end + request + end + +end \ No newline at end of file diff --git a/tests/helpers/network_helper.rb b/tests/helpers/network_helper.rb new file mode 100644 index 00000000..ff92d382 --- /dev/null +++ b/tests/helpers/network_helper.rb @@ -0,0 +1,79 @@ +class LeapTest + + # + # tcp connection helper with timeout + # + def try_tcp_connect(host, port, timeout = 5) + addr = Socket.getaddrinfo(host, nil) + sockaddr = Socket.pack_sockaddr_in(port, addr[0][3]) + + Socket.new(Socket.const_get(addr[0][0]), Socket::SOCK_STREAM, 0).tap do |socket| + socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1) + begin + socket.connect_nonblock(sockaddr) + rescue IO::WaitReadable + if IO.select([socket], nil, nil, timeout) == nil + raise "Connection timeout" + else + socket.connect_nonblock(sockaddr) + end + rescue IO::WaitWritable + if IO.select(nil, [socket], nil, timeout) == nil + raise "Connection timeout" + else + socket.connect_nonblock(sockaddr) + end + end + return socket + end + end + + def try_tcp_write(socket, timeout = 5) + begin + socket.write_nonblock("\0") + rescue IO::WaitReadable + if IO.select([socket], nil, nil, timeout) == nil + raise "Write timeout" + else + retry + end + rescue IO::WaitWritable + if IO.select(nil, [socket], nil, timeout) == nil + raise "Write timeout" + else + retry + end + end + end + + def try_tcp_read(socket, timeout = 5) + begin + socket.read_nonblock(1) + rescue IO::WaitReadable + if IO.select([socket], nil, nil, timeout) == nil + raise "Read timeout" + else + retry + end + rescue IO::WaitWritable + if IO.select(nil, [socket], nil, timeout) == nil + raise "Read timeout" + else + retry + end + end + end + + def assert_tcp_socket(host, port, msg=nil) + begin + socket = try_tcp_connect(host, port, 1) + #try_tcp_write(socket,1) + #try_tcp_read(socket,1) + rescue StandardError => exc + fail ["Failed to open socket #{host}:#{port}", exc].join("\n") + ensure + socket.close if socket + end + end + +end \ No newline at end of file diff --git a/tests/helpers/os_helper.rb b/tests/helpers/os_helper.rb new file mode 100644 index 00000000..529e899f --- /dev/null +++ b/tests/helpers/os_helper.rb @@ -0,0 +1,34 @@ +class LeapTest + + # + # works like pgrep command line + # return an array of hashes like so [{:pid => "1234", :process => "ls"}] + # + def pgrep(match) + output = `pgrep --full --list-name '#{match}'` + output.each_line.map{|line| + pid = line.split(' ')[0] + process = line.gsub(/(#{pid} |\n)/, '') + if process =~ /pgrep --full --list-name/ + nil + else + {:pid => pid, :process => process} + end + }.compact + end + + def assert_running(process) + assert pgrep(process).any?, "No running process for #{process}" + end + + # + # runs the specified command, failing on a non-zero exit status. + # + def assert_run(command) + output = `#{command}` + if $?.exitstatus != 0 + fail "Error running `#{command}`:\n#{output}" + end + end + +end \ No newline at end of file diff --git a/tests/helpers/srp_helper.rb b/tests/helpers/srp_helper.rb new file mode 100644 index 00000000..9f4d7f5b --- /dev/null +++ b/tests/helpers/srp_helper.rb @@ -0,0 +1,171 @@ +# +# Here are some very stripped down helper methods for SRP, useful only for +# testing the client side. +# + +require 'digest' +require 'openssl' +require 'securerandom' + +module SRP + + ## + ## UTIL + ## + + module Util + PRIME_N = <<-EOS.split.join.hex +115b8b692e0e045692cf280b436735c77a5a9e8a9e7ed56c965f87db5b2a2ece3 + EOS + BIG_PRIME_N = <<-EOS.split.join.hex # 1024 bits modulus (N) +eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c25657 +6d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089da +d15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e5 +7ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb +06e3 + EOS + GENERATOR = 2 # g + + def hn_xor_hg + byte_xor_hex(sha256_int(BIG_PRIME_N), sha256_int(GENERATOR)) + end + + # a^n (mod m) + def modpow(a, n, m = BIG_PRIME_N) + r = 1 + while true + r = r * a % m if n[0] == 1 + n >>= 1 + return r if n == 0 + a = a * a % m + end + end + + # Hashes the (long) int args + def sha256_int(*args) + sha256_hex(*args.map{|a| "%02x" % a}) + end + + # Hashes the hex args + def sha256_hex(*args) + h = args.map{|a| a.length.odd? ? "0#{a}" : a }.join('') + sha256_str([h].pack('H*')) + end + + def sha256_str(s) + Digest::SHA2.hexdigest(s) + end + + def bigrand(bytes) + OpenSSL::Random.random_bytes(bytes).unpack("H*")[0] + end + + def multiplier + @muliplier ||= calculate_multiplier + end + + protected + + def calculate_multiplier + sha256_int(BIG_PRIME_N, GENERATOR).hex + end + + def byte_xor_hex(a, b) + a = [a].pack('H*') + b = [b].pack('H*') + a.bytes.each_with_index.map do |a_byte, i| + (a_byte ^ (b[i].ord || 0)).chr + end.join + end + end + + ## + ## SESSION + ## + + class Session + include SRP::Util + attr_accessor :user + attr_accessor :bb + + def initialize(user, aa=nil) + @user = user + @a = bigrand(32).hex + end + + def m + @m ||= sha256_hex(n_xor_g_long, login_hash, @user.salt.to_s(16), aa, bb, k) + end + + def aa + @aa ||= modpow(GENERATOR, @a).to_s(16) # A = g^a (mod N) + end + + protected + + # client: K = H( (B - kg^x) ^ (a + ux) ) + def client_secret + base = bb.hex + base -= modpow(GENERATOR, @user.private_key) * multiplier + base = base % BIG_PRIME_N + modpow(base, @user.private_key * u.hex + @a) + end + + def k + @k ||= sha256_int(client_secret) + end + + def n_xor_g_long + @n_xor_g_long ||= hn_xor_hg.bytes.map{|b| "%02x" % b.ord}.join + end + + def login_hash + @login_hash ||= sha256_str(@user.username) + end + + def u + @u ||= sha256_hex(aa, bb) + end + end + + ## + ## Dummy USER + ## + + class User + include SRP::Util + + attr_accessor :username + attr_accessor :password + attr_accessor :salt + attr_accessor :verifier + + def initialize + @username = "test_user_" + SecureRandom.urlsafe_base64(10).downcase.gsub(/[_-]/, '') + @password = "password_" + SecureRandom.urlsafe_base64(10) + @salt = bigrand(4).hex + @verifier = modpow(GENERATOR, private_key) + end + + def private_key + @private_key ||= calculate_private_key + end + + def to_params + { + 'user[login]' => @username, + 'user[password_verifier]' => @verifier.to_s(16), + 'user[password_salt]' => @salt.to_s(16) + } + end + + private + + def calculate_private_key + shex = '%x' % [@salt] + inner = sha256_str([@username, @password].join(':')) + sha256_hex(shex, inner).hex + end + end + +end diff --git a/tests/order.rb b/tests/order.rb index ffa6ae4e..4468686f 100644 --- a/tests/order.rb +++ b/tests/order.rb @@ -3,6 +3,10 @@ class LeapCli::Config::Node # returns a list of node names that should be tested before this node. # make sure to not return ourselves (please no dependency loops!). # + # NOTE: this method determines the order that nodes are tested in. To specify + # the order of tests on a particular node, each test can call class method + # LeapTest.depends_on(). + # def test_dependencies dependents = LeapCli::Config::ObjectList.new unless services.include?('couchdb') diff --git a/tests/white-box/couchdb.rb b/tests/white-box/couchdb.rb index a5adb2bf..d438b193 100644 --- a/tests/white-box/couchdb.rb +++ b/tests/white-box/couchdb.rb @@ -52,7 +52,7 @@ class CouchDB < LeapTest # def test_03_Are_configured_nodes_online? return unless multimaster? - url = couchdb_url("/_membership", :user => 'admin') + url = couchdb_url("/_membership", :username => 'admin') assert_get(url) do |body| response = JSON.parse(body) nodes_configured_but_not_available = response['cluster_nodes'] - response['all_nodes'] @@ -71,7 +71,7 @@ class CouchDB < LeapTest def test_04_Do_ACL_users_exist? acl_users = ['_design/_auth', 'leap_mx', 'nickserver', 'soledad', 'tapicero', 'webapp', 'replication'] - url = couchdb_backend_url("/_users/_all_docs", :user => 'admin') + url = couchdb_backend_url("/_users/_all_docs", :username => 'admin') assert_get(url) do |body| response = JSON.parse(body) assert_equal acl_users.count, response['total_rows'] @@ -84,7 +84,7 @@ class CouchDB < LeapTest def test_05_Do_required_databases_exist? dbs_that_should_exist = ["customers","identities","keycache","sessions","shared","tickets","tokens","users"] dbs_that_should_exist.each do |db_name| - url = couchdb_url("/"+db_name, :user => 'admin') + url = couchdb_url("/"+db_name, :username => 'admin') assert_get(url) do |body| assert response = JSON.parse(body) assert_equal db_name, response['db_name'] @@ -102,50 +102,54 @@ class CouchDB < LeapTest #def test_06_Is_ACL_enforced? # ok = assert_auth_fail( - # couchdb_url('/users/_all_docs', :user => 'leap_mx'), + # couchdb_url('/users/_all_docs', :username => 'leap_mx'), # {:limit => 1} # ) # ok = assert_auth_fail( - # couchdb_url('/users/_all_docs', :user => 'leap_mx'), + # couchdb_url('/users/_all_docs', :username => 'leap_mx'), # {:limit => 1} # ) && ok # pass if ok #end - def test_07_What? + def test_07_Can_records_be_created? + token = Token.new + url = couchdb_url("/tokens", :username => 'admin') + assert_post(url, token, :format => :json) do |body| + assert response = JSON.parse(body), "POST response should be JSON" + assert response["ok"], "POST response should be OK" + assert_delete(File.join(url, response["id"]), :rev => response["rev"]) do |body| + assert response = JSON.parse(body), "DELETE response should be JSON" + assert response["ok"], "DELETE response should be OK" + end + end pass end private - def couchdb_url(path="", options=nil) - options||={} - @port ||= begin - assert_property 'couch.port' - $node['couch']['port'] - end - url = 'http://' - if options[:user] - assert_property 'couch.users.' + options[:user] - password = $node['couch']['users'][options[:user]]['password'] - url += "%s:%s@" % [options[:user], password] - end - url += "localhost:#{options[:port] || @port}#{path}" - url + def multimaster? + mode == "multimaster" end + def mode + assert_property('couch.mode') + end + + # TODO: admin port is hardcoded for now but should be configurable. def couchdb_backend_url(path="", options={}) - # TODO: admin port is hardcoded for now but should be configurable. options = {port: multimaster? && "5986"}.merge options couchdb_url(path, options) end - def multimaster? - mode == "multimaster" - end - - def mode - assert_property('couch.mode') + require 'securerandom' + require 'digest/sha2' + class Token < Hash + def initialize + self['token'] = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '') + self['_id'] = Digest::SHA512.hexdigest(self['token']) + self['last_seen_at'] = Time.now + end end end diff --git a/tests/white-box/mx.rb b/tests/white-box/mx.rb new file mode 100644 index 00000000..da780de4 --- /dev/null +++ b/tests/white-box/mx.rb @@ -0,0 +1,50 @@ +raise SkipTest unless $node["services"].include?("mx") + +require 'json' + +class Mx < LeapTest + depends_on "Network" + + def setup + end + + def test_01_Can_contact_couchdb? + dbs = ["identities"] + dbs.each do |db_name| + couchdb_urls("/"+db_name, url_options).each do |url| + assert_get(url) do |body| + assert response = JSON.parse(body) + assert_equal db_name, response['db_name'] + end + end + end + pass + end + + def test_02_Can_contact_couchdb_via_haproxy? + if property('haproxy.couch') + url = couchdb_url_via_haproxy("", url_options) + assert_get(url) do |body| + assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message." + end + pass + end + end + + def test_03_Are_MX_daemons_running? + assert_running 'leap_mx' + assert_running '/usr/lib/postfix/master' + assert_running '/usr/sbin/unbound' + pass + end + + private + + def url_options + { + :username => property('couchdb_leap_mx_user.username'), + :password => property('couchdb_leap_mx_user.password') + } + end + +end diff --git a/tests/white-box/webapp.rb b/tests/white-box/webapp.rb index 7df57fd7..0fea1c7f 100644 --- a/tests/white-box/webapp.rb +++ b/tests/white-box/webapp.rb @@ -1,58 +1,29 @@ raise SkipTest unless $node["services"].include?("webapp") -require 'socket' +require 'json' class Webapp < LeapTest depends_on "Network" - HAPROXY_CONFIG = '/etc/haproxy/haproxy.cfg' - def setup end - # - # example properties: - # - # stunnel: - # clients: - # couch_client: - # couch1_5984: - # accept_port: 4000 - # connect: couch1.bitmask.i - # connect_port: 15984 - # def test_01_Can_contact_couchdb? - assert_property('stunnel.clients.couch_client') - $node['stunnel']['clients']['couch_client'].values.each do |stunnel_conf| - assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.' - local_stunnel_url = "http://localhost:#{port}" - remote_ip_address = TCPSocket.gethostbyname(stunnel_conf['connect']).last - msg = "(stunnel to %s:%s, aka %s)" % [stunnel_conf['connect'], stunnel_conf['connect_port'], remote_ip_address] - assert_get(local_stunnel_url, nil, error_msg: msg) do |body| - assert_match /"couchdb":"Welcome"/, body, "Request to #{local_stunnel_url} should return couchdb welcome message." - end + url = couchdb_url("", url_options) + assert_get(url) do |body| + assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message." end pass end - # - # example properties: - # - # haproxy: - # servers: - # couch1: - # backup: false - # host: localhost - # port: 4000 - # weight: 10 - # - def test_02_Is_haproxy_working? - port = file_match(HAPROXY_CONFIG, /^ bind localhost:(\d+)$/) - url = "http://localhost:#{port}" - assert_get(url) do |body| - assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message." + def test_02_Can_contact_couchdb_via_haproxy? + if property('haproxy.couch') + url = couchdb_url_via_haproxy("", url_options) + assert_get(url) do |body| + assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message." + end + pass end - pass end def test_03_Are_daemons_running? @@ -70,4 +41,94 @@ class Webapp < LeapTest pass end + def test_05_Can_create_user? + @@user = nil + user = SRP::User.new + url = api_url("/1/users.json") + assert_post(url, user.to_params) do |body| + assert response = JSON.parse(body), 'response should be JSON' + assert response['ok'], 'creating a user should be successful' + end + @@user = user + pass + end + + def test_06_Can_authenticate? + @@user_id = nil + @@session_token = nil + if @@user.nil? + skip "Depends on user creation" + else + url = api_url("/1/sessions.json") + session = SRP::Session.new(@@user) + params = {'login' => @@user.username, 'A' => session.aa} + assert_post(url, params) do |response, body| + cookie = response['Set-Cookie'].split(';').first + assert(response = JSON.parse(body), 'response should be JSON') + assert(bb = response["B"]) + session.bb = bb + url = api_url("/1/sessions/login.json") + params = {'client_auth' => session.m, 'A' => session.aa} + options = {:headers => {'Cookie' => cookie}} + assert_put(url, params, options) do |body| + assert(response = JSON.parse(body), 'response should be JSON') + assert(response['M2'], 'response should include M2') + assert(@@session_token = response['token'], 'response should include token') + assert(@@user_id = response['id'], 'response should include user id') + end + end + pass + end + end + + def test_07_Can_delete_user? + if @@user_id.nil? || @@session_token.nil? + skip "Depends on authentication" + else + url = api_url("/1/users/#{@@user_id}.json") + options = {:headers => { + "Authorization" => "Token token=\"#{@@session_token}\"" + }} + delete(url, {}, options) do |body, response, error| + if response.code.to_i != 200 + skip "It appears the web api is too old to support deleting users" + else + assert(response = JSON.parse(body), 'response should be JSON') + assert(response["success"], 'delete should be a success') + pass + end + end + end + end + + private + + def url_options + { + :username => property('couchdb_webapp_user.username'), + :password => property('couchdb_webapp_user.password') + } + end + + def api_url(path) + "https://%{domain}:%{port}#{path}" % { + :domain => property('api.domain'), + :port => property('api.port') + } + end + + # + # I tried, but couldn't get this working: + # # + # # get an CSRF authenticity token + # # + # url = api_url("/") + # csrf_token = nil + # assert_get(url) do |body| + # lines = body.split("\n").grep(/csrf-token/) + # assert lines.any?, 'failed to find csrf-token' + # csrf_token = lines.first.split('"')[1] + # assert csrf_token, 'failed to find csrf-token' + # end + end -- cgit v1.2.3 From b9d2030beb890e8dccbbe42bfcc430a2c2702a92 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 10 Nov 2014 20:43:24 -0800 Subject: openvpn - support customizing --fragment, and set default to 1400 --- .../files/service-definitions/v1/eip-service.json.erb | 4 ++++ provider_base/services/openvpn.json | 3 ++- puppet/modules/site_openvpn/manifests/server_config.pp | 12 ++++++++++++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/provider_base/files/service-definitions/v1/eip-service.json.erb b/provider_base/files/service-definitions/v1/eip-service.json.erb index 3b8976fd..0ecd002a 100644 --- a/provider_base/files/service-definitions/v1/eip-service.json.erb +++ b/provider_base/files/service-definitions/v1/eip-service.json.erb @@ -42,6 +42,10 @@ end configuration = node.openvpn.configuration end + configuration = configuration.dup + if configuration['fragment'] && configuration['fragment'] == 1500 + configuration.delete('fragment') + end hsh["gateways"] = gateways.compact hsh["locations"] = locations hsh["openvpn_configuration"] = configuration diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 1906244c..127f5890 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -24,7 +24,8 @@ "auth": "SHA1", "cipher": "AES-128-CBC", "keepalive": "10 30", - "tun-ipv6": true + "tun-ipv6": true, + "fragment": 1400 } }, "obfsproxy": { diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 97cf2842..466f6d00 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -85,6 +85,18 @@ define site_openvpn::server_config( key => 'tcp-nodelay', server => $openvpn_configname; } + } elsif $proto == 'udp' { + if $config['fragment'] != 1500 { + openvpn::option { + "fragment ${openvpn_configname}": + key => 'fragment', + value => $config['fragment'], + server => $openvpn_configname; + "mssfix ${openvpn_configname}": + key => 'mssfix', + server => $openvpn_configname; + } + } } openvpn::option { -- cgit v1.2.3 From e18853b16969cb164613003edfab9a5b5800e099 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 10 Nov 2014 20:56:38 -0800 Subject: change default openvpn fragment size back to 1500 so we don't break backward compatibility with older clients --- provider_base/services/openvpn.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 127f5890..11cb0dc2 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -25,7 +25,7 @@ "cipher": "AES-128-CBC", "keepalive": "10 30", "tun-ipv6": true, - "fragment": 1400 + "fragment": 1500 } }, "obfsproxy": { -- cgit v1.2.3 From 7521958cc6c210d65009aa87c6c7297fd9be3dd2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 15 Nov 2014 13:36:51 -0500 Subject: don't enable Tor DirPort if openvpn is running on port 80 (Bug #6377) We need to check the openvpn hiera value, which may or may not be set. If it is not set, then we need to not lookup the $openvpn['ports]' values or we will get an error because it wont be the correct type. If we do have it, then $openvpn_ports gets set with the hash, otherwise it gets set to an empty hash (otherwise puppet will complain when we try to query the member() later with "member(): Requires array to work with"). Finally, if it is set to port 80, we don't include the tor::daemon::directory Change-Id: Ic366c72e966cae9d611e8fe5aa7ea7943be51241 --- puppet/modules/site_tor/manifests/init.pp | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 9944bb2b..d14e813d 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -11,6 +11,14 @@ class site_tor { $address = hiera('ip_address') + $openvpn = hiera('openvpn', undef) + if $openvpn { + $openvpn_ports = $openvpn['ports'] + } + else { + $openvpn_ports = [] + } + class { 'tor::daemon': } tor::daemon::relay { $nickname: port => 9001, @@ -22,7 +30,8 @@ class site_tor { if ( $tor_type == 'exit'){ # Only enable the daemon directory if the node isn't also a webapp node - if ! member($::services, 'webapp') { + # or running openvpn on port 80 + if ! member($::services, 'webapp') and ! member($openvpn_ports, '80') { tor::daemon::directory { $::hostname: port => 80 } } } -- cgit v1.2.3 From 6200be6fbf1f05665158e9ce8b218433f2440240 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 19 Nov 2014 11:37:45 -0800 Subject: test if soledad daemon is running --- bin/run_tests | 8 ++++++++ tests/white-box/couchdb.rb | 2 +- tests/white-box/mx.rb | 2 +- tests/white-box/openvpn.rb | 4 ++-- tests/white-box/soledad.rb | 17 +++++++++++++++++ tests/white-box/webapp.rb | 2 +- 6 files changed, 30 insertions(+), 5 deletions(-) create mode 100644 tests/white-box/soledad.rb diff --git a/bin/run_tests b/bin/run_tests index b3e60fcc..4addc0c8 100755 --- a/bin/run_tests +++ b/bin/run_tests @@ -35,6 +35,14 @@ def bail(code, msg=nil) end end +## +## UTILITY +## + +def service?(service) + $node["services"].include?(service.to_s) +end + ## ## EXCEPTIONS ## diff --git a/tests/white-box/couchdb.rb b/tests/white-box/couchdb.rb index d438b193..2788f4f7 100644 --- a/tests/white-box/couchdb.rb +++ b/tests/white-box/couchdb.rb @@ -1,4 +1,4 @@ -raise SkipTest unless $node["services"].include?("couchdb") +raise SkipTest unless service?(:couchdb) require 'json' diff --git a/tests/white-box/mx.rb b/tests/white-box/mx.rb index da780de4..794a9a41 100644 --- a/tests/white-box/mx.rb +++ b/tests/white-box/mx.rb @@ -1,4 +1,4 @@ -raise SkipTest unless $node["services"].include?("mx") +raise SkipTest unless service?(:mx) require 'json' diff --git a/tests/white-box/openvpn.rb b/tests/white-box/openvpn.rb index 5eb2bdb5..23a40426 100644 --- a/tests/white-box/openvpn.rb +++ b/tests/white-box/openvpn.rb @@ -1,6 +1,6 @@ -raise SkipTest unless $node["services"].include?("openvpn") +raise SkipTest unless service?(:openvpn) -class Openvpn < LeapTest +class OpenVPN < LeapTest depends_on "Network" def setup diff --git a/tests/white-box/soledad.rb b/tests/white-box/soledad.rb new file mode 100644 index 00000000..5a13e4a6 --- /dev/null +++ b/tests/white-box/soledad.rb @@ -0,0 +1,17 @@ +raise SkipTest unless service?(:soledad) + +require 'json' + +class Soledad < LeapTest + depends_on "Network" + depends_on "CouchDB" if service?(:couchdb) + + def setup + end + + def test_00_Is_Soledad_running? + assert_running 'soledad' + pass + end + +end diff --git a/tests/white-box/webapp.rb b/tests/white-box/webapp.rb index 0fea1c7f..2aa87403 100644 --- a/tests/white-box/webapp.rb +++ b/tests/white-box/webapp.rb @@ -1,4 +1,4 @@ -raise SkipTest unless $node["services"].include?("webapp") +raise SkipTest unless service?(:webapp) require 'json' -- cgit v1.2.3 From be18ba31fadd2e587672adc44175dd106187ceba Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 20 Nov 2014 13:13:33 -0500 Subject: minor linting Change-Id: I6d04cc7e028e86ee0012d96d7ef075fdd7ecef19 --- puppet/modules/site_shorewall/manifests/dnat_rule.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index aa298408..49b929f2 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -4,7 +4,7 @@ define site_shorewall::dnat_rule { if $port != 1194 { if $site_openvpn::openvpn_allow_unlimited { shorewall::rule { - "dnat_tcp_port_$port": + "dnat_tcp_port_${port}": action => 'DNAT', source => 'net', destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", @@ -13,7 +13,7 @@ define site_shorewall::dnat_rule { order => 100; } shorewall::rule { - "dnat_udp_port_$port": + "dnat_udp_port_${port}": action => 'DNAT', source => 'net', destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", @@ -24,7 +24,7 @@ define site_shorewall::dnat_rule { } if $site_openvpn::openvpn_allow_limited { shorewall::rule { - "dnat_free_tcp_port_$port": + "dnat_free_tcp_port_${port}": action => 'DNAT', source => 'net', destination => "\$FW:${site_openvpn::limited_gateway_address}:1194", @@ -33,7 +33,7 @@ define site_shorewall::dnat_rule { order => 100; } shorewall::rule { - "dnat_free_udp_port_$port": + "dnat_free_udp_port_${port}": action => 'DNAT', source => 'net', destination => "\$FW:${site_openvpn::limited_gateway_address}:1194", -- cgit v1.2.3 From e334f10447303209ac3802436437670f45511603 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 20 Nov 2014 13:13:55 -0500 Subject: specify the destination IP for DNAT rules for gateway addresses on port 443 (#6388) Previously the DNAT rule would redirect the incoming port 443 requests to openvpn, which was the wrong thing to do on the primary IP (but the right thing to do on the openvpn gateway IPs). This manifested in the webapp not being available when it was also configured as a service on the node. Change-Id: Ic8c6b6c0389859fab168a7df687351e11263277a --- puppet/modules/site_shorewall/manifests/dnat_rule.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index 49b929f2..f9fbe950 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -10,6 +10,7 @@ define site_shorewall::dnat_rule { destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", proto => 'tcp', destinationport => $port, + originaldest => $site_openvpn::unlimited_gateway_address, order => 100; } shorewall::rule { @@ -19,6 +20,7 @@ define site_shorewall::dnat_rule { destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", proto => 'udp', destinationport => $port, + originaldest => $site_openvpn::unlimited_gateway_address, order => 100; } } @@ -30,6 +32,7 @@ define site_shorewall::dnat_rule { destination => "\$FW:${site_openvpn::limited_gateway_address}:1194", proto => 'tcp', destinationport => $port, + originaldest => $site_openvpn::unlimited_gateway_address, order => 100; } shorewall::rule { @@ -39,6 +42,7 @@ define site_shorewall::dnat_rule { destination => "\$FW:${site_openvpn::limited_gateway_address}:1194", proto => 'udp', destinationport => $port, + originaldest => $site_openvpn::unlimited_gateway_address, order => 100; } } -- cgit v1.2.3 From 896dd69710fa24a0235fc70081a71f35adbf9af1 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 20 Nov 2014 15:22:09 -0500 Subject: Make sure that stunnel restarts when cert/key change (#6181) Change-Id: I5085247a87018e18e73833119ac73225afbfea1e --- puppet/modules/site_stunnel/manifests/client.pp | 6 +----- puppet/modules/site_stunnel/manifests/init.pp | 2 ++ puppet/modules/site_stunnel/manifests/override_service.pp | 13 +++++++++++++ puppet/modules/site_stunnel/manifests/servers.pp | 6 +----- 4 files changed, 17 insertions(+), 10 deletions(-) create mode 100644 puppet/modules/site_stunnel/manifests/override_service.pp diff --git a/puppet/modules/site_stunnel/manifests/client.pp b/puppet/modules/site_stunnel/manifests/client.pp index 76815174..3b10ecb8 100644 --- a/puppet/modules/site_stunnel/manifests/client.pp +++ b/puppet/modules/site_stunnel/manifests/client.pp @@ -35,11 +35,7 @@ define site_stunnel::client ( pid => "/var/run/stunnel4/${pid}.pid", rndfile => $rndfile, debuglevel => $debuglevel, - sslversion => 'TLSv1', - subscribe => [ - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca'] ]; + sslversion => 'TLSv1'; } site_shorewall::stunnel::client { $name: diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp index b292f1cd..2e0cf5b8 100644 --- a/puppet/modules/site_stunnel/manifests/init.pp +++ b/puppet/modules/site_stunnel/manifests/init.pp @@ -28,5 +28,7 @@ class site_stunnel { $clients = $stunnel['clients'] $client_sections = keys($clients) site_stunnel::clients { $client_sections: } + + include site_stunnel::override_service } diff --git a/puppet/modules/site_stunnel/manifests/override_service.pp b/puppet/modules/site_stunnel/manifests/override_service.pp new file mode 100644 index 00000000..96187048 --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/override_service.pp @@ -0,0 +1,13 @@ +class site_stunnel::override_service inherits stunnel::debian { + + include site_config::x509::cert + include site_config::x509::key + include site_config::x509::ca + + Service[stunnel] { + subscribe => [ + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca'] ] + } +} diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp index 8d537644..b6fac319 100644 --- a/puppet/modules/site_stunnel/manifests/servers.pp +++ b/puppet/modules/site_stunnel/manifests/servers.pp @@ -35,11 +35,7 @@ define site_stunnel::servers ( pid => "/var/run/stunnel4/${pid}.pid", rndfile => '/var/lib/stunnel4/.rnd', debuglevel => $debuglevel, - sslversion => 'TLSv1', - require => [ - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca'] ]; + sslversion => 'TLSv1'; } # allow incoming connections on $accept_port -- cgit v1.2.3 From dff949811324215278ab7e4c2db5de63d8a6218b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 20 Nov 2014 15:31:27 -0500 Subject: Make sure openvpn is restarted when cert/key change (#6405) I reformatted the section below for consistency. Change-Id: I18f5e23850e0c1ab4b1f2ee467d5af54ae9ff303 --- puppet/modules/site_openvpn/manifests/init.pp | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index b6331f12..a8d2044d 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -148,13 +148,17 @@ class site_openvpn { exec { 'restart_openvpn': command => '/etc/init.d/openvpn restart', refreshonly => true, - subscribe => File['/etc/openvpn'], + subscribe => [ + File['/etc/openvpn'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca'] ], require => [ - Package['openvpn'], - File['/etc/openvpn'], - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca_bundle'] ]; + Package['openvpn'], + File['/etc/openvpn'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca_bundle'] ]; } cron { 'add_gateway_ips.sh': -- cgit v1.2.3 From 503a316e67da2b4e0dbae7db28bbd0574fa3739f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 20 Nov 2014 16:27:35 -0500 Subject: ship a modified runit config for bigcouch that raises the open file descriptor limits to account for bigcouch sync spikes (#4935) Change-Id: I242fba31f961b6139ec641e1708b170f5c0d009b --- puppet/modules/site_couchdb/files/runit_config | 6 ++++++ puppet/modules/site_couchdb/manifests/bigcouch.pp | 10 ++++++++++ 2 files changed, 16 insertions(+) create mode 100644 puppet/modules/site_couchdb/files/runit_config diff --git a/puppet/modules/site_couchdb/files/runit_config b/puppet/modules/site_couchdb/files/runit_config new file mode 100644 index 00000000..169b4832 --- /dev/null +++ b/puppet/modules/site_couchdb/files/runit_config @@ -0,0 +1,6 @@ +#!/bin/bash +exec 2>&1 +export HOME=/home/bigcouch +ulimit -H -n 32768 +ulimit -S -n 32768 +exec chpst -u bigcouch /opt/bigcouch/bin/bigcouch diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp index d71c00c5..16593ec7 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp @@ -31,4 +31,14 @@ class site_couchdb::bigcouch { file { '/var/log/bigcouch': ensure => directory } + + file { '/etc/sv/bigcouch/run': + ensure => present, + source => 'puppet:///modules/site_couchdb/runit_config', + owner => root, + group => root, + mode => '0755', + require => Package['couchdb'], + notify => Service['couchdb'] + } } -- cgit v1.2.3 From 6ebd8cee202c81260c151e7903ff2f16518ffa41 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Nov 2014 23:00:50 +0100 Subject: Fix Check_mk notifications (Bug #6403) Let check_mk put all hosts into the same "admin" contactgroup, which is defined as default contactgroup by nagios. Change-Id: I13b434925711ef2037de0cf6e919ce39a8255a94 --- puppet/modules/site_check_mk/files/host_contactgroups.mk | 3 +++ puppet/modules/site_check_mk/manifests/server.pp | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_check_mk/files/host_contactgroups.mk diff --git a/puppet/modules/site_check_mk/files/host_contactgroups.mk b/puppet/modules/site_check_mk/files/host_contactgroups.mk new file mode 100644 index 00000000..e89323fb --- /dev/null +++ b/puppet/modules/site_check_mk/files/host_contactgroups.mk @@ -0,0 +1,3 @@ +host_contactgroups = [ + ( "admins", ALL_HOSTS ), +] diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index aa24d96c..388ae94b 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -40,6 +40,10 @@ class site_check_mk::server { content => template('site_check_mk/hostgroups.mk'), notify => Exec['check_mk-refresh'], require => Package['check-mk-server']; + '/etc/check_mk/conf.d/host_contactgroups.mk': + source => 'puppet:///modules/site_check_mk/host_contactgroups.mk', + notify => Exec['check_mk-refresh'], + require => Package['check-mk-server']; '/etc/check_mk/all_hosts_static': content => $all_hosts, notify => Exec['check_mk-refresh'], @@ -64,6 +68,5 @@ class site_check_mk::server { require => Package['nagios-plugins-basic']; } - include check_mk::agent::local_checks } -- cgit v1.2.3 From fbfc88d8e4ff032fd8155e264ba75668b426fdb2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 23 Nov 2014 10:30:10 -0500 Subject: fix dependency on x509 ca_bundle class (#6410) Change-Id: Ia1e7009240d61464d7ba45ad07291664f6a3b768 --- puppet/modules/site_openvpn/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index a8d2044d..d6f9150b 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -152,7 +152,7 @@ class site_openvpn { File['/etc/openvpn'], Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca'] ], + Class['Site_config::X509::Ca_bundle'] ], require => [ Package['openvpn'], File['/etc/openvpn'], -- cgit v1.2.3 From 95d30570f681ba2f43bbe7ffe344b92439be1ae9 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 24 Nov 2014 12:11:32 -0800 Subject: fixed bug when there is no vpn service --- .../files/service-definitions/v1/eip-service.json.erb | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/provider_base/files/service-definitions/v1/eip-service.json.erb b/provider_base/files/service-definitions/v1/eip-service.json.erb index 0ecd002a..4bd220df 100644 --- a/provider_base/files/service-definitions/v1/eip-service.json.erb +++ b/provider_base/files/service-definitions/v1/eip-service.json.erb @@ -42,12 +42,14 @@ end configuration = node.openvpn.configuration end - configuration = configuration.dup - if configuration['fragment'] && configuration['fragment'] == 1500 - configuration.delete('fragment') + if gateways.any? + configuration = configuration.dup + if configuration['fragment'] && configuration['fragment'] == 1500 + configuration.delete('fragment') + end + hsh["gateways"] = gateways.compact + hsh["locations"] = locations + hsh["openvpn_configuration"] = configuration end - hsh["gateways"] = gateways.compact - hsh["locations"] = locations - hsh["openvpn_configuration"] = configuration JSON.sorted_generate hsh %> \ No newline at end of file -- cgit v1.2.3 From de51b83384d97a67cdbdf1992ba9ad771a292c5d Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 24 Nov 2014 14:17:43 -0800 Subject: bind webapp to version/0.6 branch --- provider_base/services/webapp.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 44b5fa14..67744f99 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -22,7 +22,7 @@ "secure": false, "git": { "source": "https://leap.se/git/leap_web", - "revision": "origin/master" + "revision": "origin/version/0.6" }, "client_version": "= provider.client_version", "nagios_test_user": { -- cgit v1.2.3