From 8684aa38ece3271a0eb0f8a1751f6c3297025afa Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 28 Jul 2015 14:35:40 -0400 Subject: Support RBL blocking of incoming mail (#5923) Set zen.spamhaus as the default rbl Change-Id: Ic3537d645c80ba42267bab370a1cf77730382158 --- provider_base/services/mx.json | 1 + 1 file changed, 1 insertion(+) (limited to 'provider_base') diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 11293ae8..db2e4795 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -16,6 +16,7 @@ "salt": "= hex_secret :couch_leap_mx_password_salt, 128" }, "mynetworks": "= nodes['environment' => '!local'].map{|name, n| [n.ip_address, (global.facts[name]||{})['ec2_public_ipv4']]}.flatten.compact.uniq", + "rbls": ["zen.spamhaus.org"], "x509": { "use": true, "use_commercial": true, -- cgit v1.2.3 From 738e77a729813901db8725cacfb15f4150fd49d2 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 3 Aug 2015 14:44:24 -0700 Subject: webapp: add support for customizing locales --- provider_base/services/webapp.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'provider_base') diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 941f4f61..081b3718 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -31,7 +31,9 @@ }, "engines": [ "support" - ] + ], + "locales": "= provider.languages", + "default_locale": "= provider.default_language" }, "stunnel": { "clients": { -- cgit v1.2.3 From 478987d564e96c123ae243b1f6e089e00df20fcf Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 3 Aug 2015 14:45:16 -0700 Subject: allow_registration should always be false if enrollment_policy is 'closed' --- provider_base/provider.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'provider_base') diff --git a/provider_base/provider.json b/provider_base/provider.json index 60ad2a9e..9b6e73ca 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -32,7 +32,7 @@ "allow_free": "= provider.service.levels.select {|l| l['rate'].nil?}.any?", "allow_paid": "= provider.service.levels.select {|l| !l['rate'].nil?}.any?", "allow_anonymous": "= provider.service.levels.select {|l| l['name'] == 'anonymous'}.any?", - "allow_registration": "= provider.service.levels.select {|l| l['name'] != 'anonymous'}.any?", + "allow_registration": "= provider.enrollment_policy != 'closed' && provider.service.levels.select {|l| l['name'] != 'anonymous'}.any?", "allow_limited_bandwidth": "= provider.service.levels.select {|l| l['bandwidth'] == 'limited'}.any?", "allow_unlimited_bandwidth": "= provider.service.levels.select {|l| l['bandwidth'].nil?}.any?" }, -- cgit v1.2.3 From e6f6324ebea9fc46d5d617a08c2eb239349d9f90 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 7 Aug 2015 18:08:14 -0700 Subject: move 'enabled service' calculation to a macro. --- .../files/service-definitions/provider.json.erb | 5 ----- provider_base/lib/macros.rb | 1 + provider_base/lib/macros/provider.rb | 20 ++++++++++++++++++++ provider_base/provider.json | 3 ++- 4 files changed, 23 insertions(+), 6 deletions(-) create mode 100644 provider_base/lib/macros/provider.rb (limited to 'provider_base') diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index be8ae484..e51f9c3a 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb @@ -6,11 +6,6 @@ ) hsh['domain'] = domain.full_suffix - # advertise services that are 'user services' and for which there are actually nodes - hsh['services'] ||= global.services[:service_type => :user_service].field(:name).select do |service| - nodes_like_me[:services => service].any? - end - hsh['api_version'] = "1" hsh['api_uri'] = ["https://", api.domain, ':', api.port].join diff --git a/provider_base/lib/macros.rb b/provider_base/lib/macros.rb index ecc3e6ba..fdb9a94e 100644 --- a/provider_base/lib/macros.rb +++ b/provider_base/lib/macros.rb @@ -13,3 +13,4 @@ require_relative 'macros/keys' require_relative 'macros/nodes' require_relative 'macros/secrets' require_relative 'macros/stunnel' +require_relative 'macros/provider' diff --git a/provider_base/lib/macros/provider.rb b/provider_base/lib/macros/provider.rb new file mode 100644 index 00000000..84c4e1b8 --- /dev/null +++ b/provider_base/lib/macros/provider.rb @@ -0,0 +1,20 @@ +# +# These macros are intended only for use in provider.json, although they are +# currently loaded in all .json contexts. +# + +module LeapCli + module Macro + + # + # returns an array of the service names, including only those services that + # are enabled for this environment. + # + def enabled_services + manager.env(self.environment).services[:service_type => :user_service].field(:name).select { |service| + manager.nodes[:environment => self.environment][:services => service].any? + } + end + + end +end diff --git a/provider_base/provider.json b/provider_base/provider.json index 9b6e73ca..81b2ea98 100644 --- a/provider_base/provider.json +++ b/provider_base/provider.json @@ -14,6 +14,7 @@ "languages": ["en"], "default_language": "en", "enrollment_policy": "open", + "services": "= enabled_services", "service": { // bandwidth limit is in Bytes, storage limit is in MB. // for example: @@ -31,7 +32,7 @@ "bandwidth_limit": 102400, "allow_free": "= provider.service.levels.select {|l| l['rate'].nil?}.any?", "allow_paid": "= provider.service.levels.select {|l| !l['rate'].nil?}.any?", - "allow_anonymous": "= provider.service.levels.select {|l| l['name'] == 'anonymous'}.any?", + "allow_anonymous": "= provider.service.levels.select {|l| l['name'] == 'anonymous'}.any? && services.include?('openvpn')", "allow_registration": "= provider.enrollment_policy != 'closed' && provider.service.levels.select {|l| l['name'] != 'anonymous'}.any?", "allow_limited_bandwidth": "= provider.service.levels.select {|l| l['bandwidth'] == 'limited'}.any?", "allow_unlimited_bandwidth": "= provider.service.levels.select {|l| l['bandwidth'].nil?}.any?" -- cgit v1.2.3 From 64787942086b6fbfdf432cd6250f0937c785de1a Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 12 Aug 2015 14:37:21 -0700 Subject: mv commands and macros to lib/leap_cli --- provider_base/lib/macros.rb | 16 ------ provider_base/lib/macros/core.rb | 94 ----------------------------------- provider_base/lib/macros/files.rb | 89 --------------------------------- provider_base/lib/macros/haproxy.rb | 73 --------------------------- provider_base/lib/macros/hosts.rb | 68 -------------------------- provider_base/lib/macros/keys.rb | 83 ------------------------------- provider_base/lib/macros/nodes.rb | 88 --------------------------------- provider_base/lib/macros/provider.rb | 20 -------- provider_base/lib/macros/secrets.rb | 39 --------------- provider_base/lib/macros/stunnel.rb | 95 ------------------------------------ 10 files changed, 665 deletions(-) delete mode 100644 provider_base/lib/macros.rb delete mode 100644 provider_base/lib/macros/core.rb delete mode 100644 provider_base/lib/macros/files.rb delete mode 100644 provider_base/lib/macros/haproxy.rb delete mode 100644 provider_base/lib/macros/hosts.rb delete mode 100644 provider_base/lib/macros/keys.rb delete mode 100644 provider_base/lib/macros/nodes.rb delete mode 100644 provider_base/lib/macros/provider.rb delete mode 100644 provider_base/lib/macros/secrets.rb delete mode 100644 provider_base/lib/macros/stunnel.rb (limited to 'provider_base') diff --git a/provider_base/lib/macros.rb b/provider_base/lib/macros.rb deleted file mode 100644 index fdb9a94e..00000000 --- a/provider_base/lib/macros.rb +++ /dev/null @@ -1,16 +0,0 @@ -# -# MACROS -# -# The methods in these files are available in the context of a .json configuration file. -# (The module LeapCli::Macro is included in Config::Object) -# - -require_relative 'macros/core' -require_relative 'macros/files' -require_relative 'macros/haproxy' -require_relative 'macros/hosts' -require_relative 'macros/keys' -require_relative 'macros/nodes' -require_relative 'macros/secrets' -require_relative 'macros/stunnel' -require_relative 'macros/provider' diff --git a/provider_base/lib/macros/core.rb b/provider_base/lib/macros/core.rb deleted file mode 100644 index 7de50f2f..00000000 --- a/provider_base/lib/macros/core.rb +++ /dev/null @@ -1,94 +0,0 @@ -# encoding: utf-8 - -module LeapCli - module Macro - - # - # return a fingerprint for a x509 certificate - # - def fingerprint(filename) - "SHA256: " + X509.fingerprint("SHA256", Path.named_path(filename)) - end - - # - # Creates a hash from the ssh key info in users directory, for use in - # updating authorized_keys file. Additionally, the 'monitor' public key is - # included, which is used by the monitor nodes to run particular commands - # remotely. - # - def authorized_keys - hash = {} - keys = Dir.glob(Path.named_path([:user_ssh, '*'])) - keys.sort.each do |keyfile| - ssh_type, ssh_key = File.read(keyfile, :encoding => 'UTF-8').strip.split(" ") - name = File.basename(File.dirname(keyfile)) - until hash[name].nil? - i ||= 1; name = "#{name}#{i+=1}" - end - hash[name] = { - "type" => ssh_type, - "key" => ssh_key - } - end - ssh_type, ssh_key = File.read(Path.named_path(:monitor_pub_key), :encoding => 'UTF-8').strip.split(" ") - hash[Leap::Platform.monitor_username] = { - "type" => ssh_type, - "key" => ssh_key - } - hash - end - - def assert(assertion) - if instance_eval(assertion) - true - else - raise AssertionFailed.new(assertion), assertion, caller - end - end - - def error(msg) - raise ConfigError.new(@node, msg), msg, caller - end - - # - # applies a JSON partial to this node - # - def apply_partial(partial_path) - manager.partials(partial_path).each do |partial_data| - self.deep_merge!(partial_data) - end - end - - # - # If at first you don't succeed, then it is time to give up. - # - # try{} returns nil if anything in the block throws an exception. - # - # You can wrap something that might fail in `try`, like so. - # - # "= try{ nodes[:services => 'tor'].first.ip_address } " - # - def try(&block) - yield - rescue NoMethodError - rescue ArgumentError - nil - end - - protected - - # - # returns a node list, if argument is not already one - # - def listify(node_list) - if node_list.is_a? Config::ObjectList - node_list - elsif node_list.is_a? Config::Object - Config::ObjectList.new(node_list) - else - raise ArgumentError, 'argument must be a node or node list, not a `%s`' % node_list.class, caller - end - end - - end -end diff --git a/provider_base/lib/macros/files.rb b/provider_base/lib/macros/files.rb deleted file mode 100644 index 958958bc..00000000 --- a/provider_base/lib/macros/files.rb +++ /dev/null @@ -1,89 +0,0 @@ -# encoding: utf-8 - -## -## FILES -## - -module LeapCli - module Macro - - # - # inserts the contents of a file - # - def file(filename, options={}) - if filename.is_a? Symbol - filename = [filename, @node.name] - end - filepath = Path.find_file(filename) - if filepath - if filepath =~ /\.erb$/ - ERB.new(File.read(filepath, :encoding => 'UTF-8'), nil, '%<>').result(binding) - else - File.read(filepath, :encoding => 'UTF-8') - end - else - raise FileMissing.new(Path.named_path(filename), options) - "" - end - end - - # - # like #file, but allow missing files - # - def try_file(filename) - return file(filename) - rescue FileMissing - return nil - end - - # - # returns what the file path will be, once the file is rsynced to the server. - # an internal list of discovered file paths is saved, in order to rsync these files when needed. - # - # notes: - # - # * argument 'path' is relative to Path.provider/files or Path.provider_base/files - # * the path returned by this method is absolute - # * the path stored for use later by rsync is relative to Path.provider - # * if the path does not exist locally, but exists in provider_base, then the default file from - # provider_base is copied locally. this is required for rsync to work correctly. - # - def file_path(path, options={}) - if path.is_a? Symbol - path = [path, @node.name] - elsif path.is_a? String - # ensure it prefixed with files/ - unless path =~ /^files\// - path = "files/" + path - end - end - actual_path = Path.find_file(path) - if actual_path.nil? - if options[:missing] - raise FileMissing.new(Path.named_path(path), options) - else - Util::log 2, :skipping, "file_path(\"#{path}\") because there is no such file." - end - nil - else - if actual_path =~ /^#{Regexp.escape(Path.provider_base)}/ - # if file is under Path.provider_base, we must copy the default file to - # to Path.provider in order for rsync to be able to sync the file. - local_provider_path = actual_path.sub(/^#{Regexp.escape(Path.provider_base)}/, Path.provider) - FileUtils.mkdir_p File.dirname(local_provider_path), :mode => 0700 - FileUtils.install actual_path, local_provider_path, :mode => 0600 - Util.log :created, Path.relative_path(local_provider_path) - actual_path = local_provider_path - end - if File.directory?(actual_path) && actual_path !~ /\/$/ - actual_path += '/' # ensure directories end with /, important for building rsync command - end - relative_path = Path.relative_path(actual_path) - relative_path.sub!(/^files\//, '') # remove "files/" prefix - @node.file_paths << relative_path - File.join(Leap::Platform.files_dir, relative_path) - end - end - - end -end \ No newline at end of file diff --git a/provider_base/lib/macros/haproxy.rb b/provider_base/lib/macros/haproxy.rb deleted file mode 100644 index 602ae726..00000000 --- a/provider_base/lib/macros/haproxy.rb +++ /dev/null @@ -1,73 +0,0 @@ -# encoding: utf-8 - -## -## HAPROXY -## - -module LeapCli - module Macro - - # - # creates a hash suitable for configuring haproxy. the key is the node name of the server we are proxying to. - # - # * node_list - a hash of nodes for the haproxy servers - # * stunnel_client - contains the mappings to local ports for each server node. - # * non_stunnel_port - in case self is included in node_list, the port to connect to. - # - # 1000 weight is used for nodes in the same location. - # 100 otherwise. - # - def haproxy_servers(node_list, stunnel_clients, non_stunnel_port=nil) - default_weight = 10 - local_weight = 100 - - # record the hosts_file - hostnames(node_list) - - # create a simple map for node name -> local stunnel accept port - accept_ports = stunnel_clients.inject({}) do |hsh, stunnel_entry| - name = stunnel_entry.first.sub /_[0-9]+$/, '' - hsh[name] = stunnel_entry.last['accept_port'] - hsh - end - - # if one the nodes in the node list is ourself, then there will not be a stunnel to it, - # but we need to include it anyway in the haproxy config. - if node_list[self.name] && non_stunnel_port - accept_ports[self.name] = non_stunnel_port - end - - # create the first pass of the servers hash - servers = node_list.values.inject(Config::ObjectList.new) do |hsh, node| - # make sure we have a port to talk to - unless accept_ports[node.name] - error "haproxy needs a local port to talk to when connecting to #{node.name}" - end - weight = default_weight - try { - weight = local_weight if self.location.name == node.location.name - } - hsh[node.name] = Config::Object[ - 'backup', false, - 'host', 'localhost', - 'port', accept_ports[node.name], - 'weight', weight - ] - if node.services.include?('couchdb') - hsh[node.name]['writable'] = node.couch.mode != 'mirror' - end - hsh - end - - # if there are some local servers, make the others backup - if servers.detect{|k,v| v.weight == local_weight} - servers.each do |k,server| - server['backup'] = server['weight'] == default_weight - end - end - - return servers - end - - end -end diff --git a/provider_base/lib/macros/hosts.rb b/provider_base/lib/macros/hosts.rb deleted file mode 100644 index 8281329f..00000000 --- a/provider_base/lib/macros/hosts.rb +++ /dev/null @@ -1,68 +0,0 @@ -# encoding: utf-8 - -module LeapCli - module Macro - - ## - ## HOSTS - ## - - # - # records the list of hosts that are encountered for this node - # - def hostnames(nodes) - @referenced_nodes ||= Config::ObjectList.new - nodes = listify(nodes) - nodes.each_node do |node| - @referenced_nodes[node.name] ||= node - end - return nodes.values.collect {|node| node.domain.name} - end - - # - # Generates entries needed for updating /etc/hosts on a node (as a hash). - # - # Argument `nodes` can be nil or a list of nodes. If nil, only include the - # IPs of the other nodes this @node as has encountered (plus all mx nodes). - # - # Also, for virtual machines, we use the local address if this @node is in - # the same location as the node in question. - # - # We include the ssh public key for each host, so that the hash can also - # be used to generate the /etc/ssh/known_hosts - # - def hosts_file(nodes=nil) - if nodes.nil? - if @referenced_nodes && @referenced_nodes.any? - nodes = @referenced_nodes - nodes = nodes.merge(nodes_like_me[:services => 'mx']) # all nodes always need to communicate with mx nodes. - end - end - return {} unless nodes - hosts = {} - my_location = @node['location'] ? @node['location']['name'] : nil - nodes.each_node do |node| - hosts[node.name] = { - 'ip_address' => node.ip_address, - 'domain_internal' => node.domain.internal, - 'domain_full' => node.domain.full, - 'port' => node.ssh.port - } - node_location = node['location'] ? node['location']['name'] : nil - if my_location == node_location - if facts = @node.manager.facts[node.name] - if facts['ec2_public_ipv4'] - hosts[node.name]['ip_address'] = facts['ec2_public_ipv4'] - end - end - end - host_pub_key = Util::read_file([:node_ssh_pub_key,node.name]) - if host_pub_key - hosts[node.name]['host_pub_key'] = host_pub_key - end - end - hosts - end - - end -end \ No newline at end of file diff --git a/provider_base/lib/macros/keys.rb b/provider_base/lib/macros/keys.rb deleted file mode 100644 index 0ed7ccd0..00000000 --- a/provider_base/lib/macros/keys.rb +++ /dev/null @@ -1,83 +0,0 @@ -# encoding: utf-8 - -# -# Macro for dealing with cryptographic keys -# - -module LeapCli - module Macro - - # - # return the path to the tor public key - # generating key if it is missing - # - def tor_public_key_path(path_name, key_type) - path = file_path(path_name) - if path.nil? - generate_tor_key(key_type) - file_path(path_name) - else - path - end - end - - # - # return the path to the tor private key - # generating key if it is missing - # - def tor_private_key_path(path_name, key_type) - path = file_path(path_name) - if path.nil? - generate_tor_key(key_type) - file_path(path_name) - else - path - end - end - - # - # Generates a onion_address from a public RSA key file. - # - # path_name is the named path of the Tor public key. - # - # Basically, an onion address is nothing more than a base32 encoding - # of the first 10 bytes of a sha1 digest of the public key. - # - # Additionally, Tor ignores the 22 byte header of the public key - # before taking the sha1 digest. - # - def onion_address(path_name) - require 'base32' - require 'base64' - require 'openssl' - path = Path.find_file([path_name, self.name]) - if path && File.exists?(path) - public_key_str = File.readlines(path).grep(/^[^-]/).join - public_key = Base64.decode64(public_key_str) - public_key = public_key.slice(22..-1) # Tor ignores the 22 byte SPKI header - sha1sum = Digest::SHA1.new.digest(public_key) - Base32.encode(sha1sum.slice(0,10)).downcase - else - LeapCli.log :warning, 'Tor public key file "%s" does not exist' % tor_public_key_path - end - end - - private - - def generate_tor_key(key_type) - if key_type == 'RSA' - require 'certificate_authority' - keypair = CertificateAuthority::MemoryKeyMaterial.new - bit_size = 1024 - LeapCli.log :generating, "%s bit RSA Tor key" % bit_size do - keypair.generate_key(bit_size) - LeapCli::Util.write_file! [:node_tor_priv_key, self.name], keypair.private_key.to_pem - LeapCli::Util.write_file! [:node_tor_pub_key, self.name], keypair.public_key.to_pem - end - else - LeapCli.bail! 'tor.key.type of %s is not yet supported' % key_type - end - end - - end -end diff --git a/provider_base/lib/macros/nodes.rb b/provider_base/lib/macros/nodes.rb deleted file mode 100644 index 8b961cbc..00000000 --- a/provider_base/lib/macros/nodes.rb +++ /dev/null @@ -1,88 +0,0 @@ -# encoding: utf-8 - -## -## node related macros -## - -module LeapCli - module Macro - - # - # the list of all the nodes - # - def nodes - global.nodes - end - - # - # simple alias for global.provider - # - def provider - global.provider - end - - # - # returns a list of nodes that match the same environment - # - # if @node.environment is not set, we return other nodes - # where environment is not set. - # - def nodes_like_me - nodes[:environment => @node.environment] - end - - # - # returns a list of nodes that match the location name - # and environment of @node. - # - def nodes_near_me - if @node['location'] && @node['location']['name'] - nodes_like_me['location.name' => @node.location.name] - else - nodes_like_me['location' => nil] - end - end - - # - # - # picks a node out from the node list in such a way that: - # - # (1) which nodes picked which nodes is saved in secrets.json - # (2) when other nodes call this macro with the same node list, they are guaranteed to get a different node - # (3) if all the nodes in the pick_node list have been picked, remaining nodes are distributed randomly. - # - # if the node_list is empty, an exception is raised. - # if node_list size is 1, then that node is returned and nothing is - # memorized via the secrets.json file. - # - # `label` is needed to distinguish between pools of nodes for different purposes. - # - # TODO: more evenly balance after all the nodes have been picked. - # - def pick_node(label, node_list) - if node_list.any? - if node_list.size == 1 - return node_list.values.first - else - secrets_key = "pick_node(:#{label},#{node_list.keys.sort.join(',')})" - secrets_value = @manager.secrets.retrieve(secrets_key, @node.environment) || {} - secrets_value[@node.name] ||= begin - node_to_pick = nil - node_list.each_node do |node| - next if secrets_value.values.include?(node.name) - node_to_pick = node.name - end - node_to_pick ||= secrets_value.values.shuffle.first # all picked already, so pick a random one. - node_to_pick - end - picked_node_name = secrets_value[@node.name] - @manager.secrets.set(secrets_key, secrets_value, @node.environment) - return node_list[picked_node_name] - end - else - raise ArgumentError.new('pick_node(node_list): node_list cannot be empty') - end - end - - end -end \ No newline at end of file diff --git a/provider_base/lib/macros/provider.rb b/provider_base/lib/macros/provider.rb deleted file mode 100644 index 84c4e1b8..00000000 --- a/provider_base/lib/macros/provider.rb +++ /dev/null @@ -1,20 +0,0 @@ -# -# These macros are intended only for use in provider.json, although they are -# currently loaded in all .json contexts. -# - -module LeapCli - module Macro - - # - # returns an array of the service names, including only those services that - # are enabled for this environment. - # - def enabled_services - manager.env(self.environment).services[:service_type => :user_service].field(:name).select { |service| - manager.nodes[:environment => self.environment][:services => service].any? - } - end - - end -end diff --git a/provider_base/lib/macros/secrets.rb b/provider_base/lib/macros/secrets.rb deleted file mode 100644 index 8d1feb55..00000000 --- a/provider_base/lib/macros/secrets.rb +++ /dev/null @@ -1,39 +0,0 @@ -# encoding: utf-8 - -require 'base32' - -module LeapCli - module Macro - - # - # inserts a named secret, generating it if needed. - # - # manager.export_secrets should be called later to capture any newly generated secrets. - # - # +length+ is the character length of the generated password. - # - def secret(name, length=32) - manager.secrets.set(name, @node.environment) { Util::Secret.generate(length) } - end - - # inserts a base32 encoded secret - def base32_secret(name, length=20) - manager.secrets.set(name, @node.environment) { Base32.encode(Util::Secret.generate(length)) } - end - - # Picks a random obfsproxy port from given range - def rand_range(name, range) - manager.secrets.set(name, @node.environment) { rand(range) } - end - - # - # inserts an hexidecimal secret string, generating it if needed. - # - # +bit_length+ is the bits in the secret, (ie length of resulting hex string will be bit_length/4) - # - def hex_secret(name, bit_length=128) - manager.secrets.set(name, @node.environment) { Util::Secret.generate_hex(bit_length) } - end - - end -end \ No newline at end of file diff --git a/provider_base/lib/macros/stunnel.rb b/provider_base/lib/macros/stunnel.rb deleted file mode 100644 index f16308c7..00000000 --- a/provider_base/lib/macros/stunnel.rb +++ /dev/null @@ -1,95 +0,0 @@ -## -## STUNNEL -## - -# -# About stunnel -# -------------------------- -# -# The network looks like this: -# -# From the client's perspective: -# -# |------- stunnel client --------------| |---------- stunnel server -----------------------| -# consumer app -> localhost:accept_port -> connect:connect_port -> ?? -# -# From the server's perspective: -# -# |------- stunnel client --------------| |---------- stunnel server -----------------------| -# ?? -> *:accept_port -> localhost:connect_port -> service -# - -module LeapCli - module Macro - - # - # stunnel configuration for the client side. - # - # +node_list+ is a ObjectList of nodes running stunnel servers. - # - # +port+ is the real port of the ultimate service running on the servers - # that the client wants to connect to. - # - # * accept_port is the port on localhost to which local clients - # can connect. it is auto generated serially. - # - # * connect_port is the port on the stunnel server to connect to. - # it is auto generated from the +port+ argument. - # - # generates an entry appropriate to be passed directly to - # create_resources(stunnel::service, hiera('..'), defaults) - # - # local ports are automatically generated, starting at 4000 - # and incrementing in sorted order (by node name). - # - def stunnel_client(node_list, port, options={}) - @next_stunnel_port ||= 4000 - node_list = listify(node_list) - hostnames(node_list) # record the hosts - result = Config::ObjectList.new - node_list.each_node do |node| - if node.name != self.name || options[:include_self] - result["#{node.name}_#{port}"] = Config::Object[ - 'accept_port', @next_stunnel_port, - 'connect', node.domain.internal, - 'connect_port', stunnel_port(port), - 'original_port', port - ] - @next_stunnel_port += 1 - end - end - result - end - - # - # generates a stunnel server entry. - # - # +port+ is the real port targeted service. - # - # * `accept_port` is the publicly bound port - # * `connect_port` is the port that the local service is running on. - # - def stunnel_server(port) - { - "accept_port" => stunnel_port(port), - "connect_port" => port - } - end - - private - - # - # maps a real port to a stunnel port (used as the connect_port in the client config - # and the accept_port in the server config) - # - def stunnel_port(port) - port = port.to_i - if port < 50000 - return port + 10000 - else - return port - 10000 - end - end - - end -end \ No newline at end of file -- cgit v1.2.3 From 3f1c9f42cd93f6ef099124b33663fd9f288eb430 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 19 Aug 2015 17:41:45 -0700 Subject: allow ca_cert_uri to be configured --- provider_base/files/service-definitions/provider.json.erb | 2 +- provider_base/services/webapp.json | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'provider_base') diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index e51f9c3a..a75bea61 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb @@ -9,7 +9,7 @@ hsh['api_version'] = "1" hsh['api_uri'] = ["https://", api.domain, ':', api.port].join - hsh['ca_cert_uri'] = 'https://' + webapp.domain + '/ca.crt' + hsh['ca_cert_uri'] = api.ca_cert_uri hsh['ca_cert_fingerprint'] = fingerprint(:ca_cert) hsh.dump_json diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 081b3718..7b1ca8fb 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -55,7 +55,8 @@ "service_type": "public_service", "api": { "domain": "= 'api.' + webapp.domain", - "port": 4430 + "port": 4430, + "ca_cert_uri": "= 'https://' + webapp.domain + '/ca.crt'" }, "nickserver": { "domain": "= 'nicknym.' + domain.full_suffix", -- cgit v1.2.3 From 4f42910a6792ec3016aa6f9d0792801f75972a62 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 31 Aug 2015 12:22:20 -0700 Subject: mx: added mx.key_lookup_domain property --- provider_base/services/mx.json | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'provider_base') diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index db2e4795..4d1b3dad 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -1,4 +1,11 @@ { + "mx": { + // provider should define their own custom aliases. + // these are in *addition* to the standard reserved aliases for root and postmaster, etc. + "aliases": {}, + // this is the domain that is used for the OpenPGP header + "key_lookup_domain": "= global.services[:webapp].webapp.domain" + }, "stunnel": { "clients": { "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" -- cgit v1.2.3 From da53a4a723cc05cfa39e066c64a9467d7efad04b Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 3 Sep 2015 20:18:12 -0700 Subject: service definition .json files should not refer to properties inherited from common.json. closes #7423 --- provider_base/services/webapp.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'provider_base') diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 7b1ca8fb..dbcfe0a6 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -9,7 +9,7 @@ "owner", "owners", "postmaster", "reply", "robot", "ssladmin", "staff", "support", "tech-support", "tech_support", "techsupport", "ticket", "tickets", "vmail", "www-data"], - "domain": "= domain.full_suffix", + "domain": "= provider.domain", "modules": ["user", "billing", "help"], "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", -- cgit v1.2.3 From 492c452801e2679d47b3b09505779a11ed3892cc Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 9 Sep 2015 12:16:36 -0700 Subject: updates to zone compile and tags/development.json to be compatible with the definition of 'domain' in provider.env.json. --- provider_base/tags/development.json | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'provider_base') diff --git a/provider_base/tags/development.json b/provider_base/tags/development.json index d9c2c007..caf18e9d 100644 --- a/provider_base/tags/development.json +++ b/provider_base/tags/development.json @@ -1,7 +1,3 @@ { - "environment": "development", - "domain": { - "full_suffix": "= 'dev.' + provider.domain", - "internal_suffix": "= 'dev.' + provider.domain_internal" - } + "environment": "development" } \ No newline at end of file -- cgit v1.2.3 From f93e6904fe2abca3cfc7a93a08892dbdcea97327 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 9 Sep 2015 18:05:19 -0700 Subject: ensure that the webapp has the service levels config it requires. --- provider_base/services/webapp.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'provider_base') diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index dbcfe0a6..039b1c0b 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -20,7 +20,7 @@ "allow_anonymous_certs": "= provider.service.allow_anonymous", "allow_registration": "= provider.service.allow_registration", "default_service_level": "= provider.service.default_service_level", - "service_levels": "= provider.service.levels", + "service_levels": "= service_levels()", "secret_token": "= secret :webapp_secret_token", "api_version": 1, "secure": false, -- cgit v1.2.3 From 818930af8a05dc44372b99f8e589527050120431 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 10 Sep 2015 22:38:44 -0700 Subject: sshd: let nodes change default AllowTcpForwarding --- provider_base/common.json | 3 +++ 1 file changed, 3 insertions(+) (limited to 'provider_base') diff --git a/provider_base/common.json b/provider_base/common.json index 3d2965d7..e968dd27 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -16,6 +16,9 @@ }, "ssh": { "authorized_keys": "= authorized_keys", + "config": { + "AllowTcpForwarding": "no" + }, "port": 22, "mosh": { "ports": "60000:61000", -- cgit v1.2.3 From 9352ce45a7950ff1175d3a7e5412fc9006691799 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 7 Aug 2015 14:22:48 -0700 Subject: added firewall information to nodes (needed for `leap compile firewall`) --- provider_base/common.json | 8 ++++++++ provider_base/services/dns.json | 9 ++++++++- provider_base/services/monitor.json | 7 +++++++ provider_base/services/mx.json | 9 ++++++++- provider_base/services/openvpn.json | 7 +++++++ provider_base/services/soledad.json | 9 ++++++++- provider_base/services/static.json | 9 ++++++++- provider_base/services/webapp.json | 7 +++++++ 8 files changed, 61 insertions(+), 4 deletions(-) (limited to 'provider_base') diff --git a/provider_base/common.json b/provider_base/common.json index e968dd27..9cc7875a 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -50,6 +50,14 @@ "clients": {}, "servers": {} }, + "firewall": { + "ssh": { + "from": "sysadmin", + "to": "= ip_address", + "port": "= ssh.port" + }, + "stunnel": "=> stunnel_firewall" + }, "platform": { "version": "= Leap::Platform.version.to_s", "major_version": "= Leap::Platform.major_version" diff --git a/provider_base/services/dns.json b/provider_base/services/dns.json index 677d9b2c..67948ef8 100644 --- a/provider_base/services/dns.json +++ b/provider_base/services/dns.json @@ -3,5 +3,12 @@ "public": "= nodes['dns.public' => true].fields('domain.name', 'dns.aliases', 'ip_address')", "private": "= nodes['dns.public' => false].fields('domain.name', 'dns.aliases', 'ip_address')" }, - "service_type": "public_service" + "service_type": "public_service", + "firewall": { + "dns": { + "from": "*", + "to": "= ip_address", + "port": "53" + } + } } \ No newline at end of file diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index 10d5ac81..28fb837c 100644 --- a/provider_base/services/monitor.json +++ b/provider_base/services/monitor.json @@ -18,5 +18,12 @@ "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'" + }, + "firewall": { + "monitor": { + "from": "sysadmin", + "to": "= ip_address", + "port": [443, 80] + } } } diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 4d1b3dad..d6e9fff9 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -31,5 +31,12 @@ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'" }, - "service_type": "user_service" + "service_type": "user_service", + "firewall": { + "mx": { + "from": "*", + "to": "= ip_address", + "port": [25, 465] + } + } } diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 11cb0dc2..6f73e31c 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -34,5 +34,12 @@ "port" : "= rand_range('scramblesuit_port_'+name, 18000..32000)" }, "gateway_address": "= openvpn.gateway_address" + }, + "firewall": { + "vpn": { + "from": "*", + "to": "= openvpn.gateway_address", + "port": "= openvpn.ports + [obfsproxy.scramblesuit.port]" + } } } diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json index ed6fbc9f..76f7155f 100644 --- a/provider_base/services/soledad.json +++ b/provider_base/services/soledad.json @@ -8,5 +8,12 @@ "salt": "= hex_secret :couch_soledad_password_salt, 128" } }, - "service_type": "public_service" + "service_type": "public_service", + "firewall": { + "soledad": { + "from": "*", + "to": "= ip_address", + "port": "= soledad.port" + } + } } diff --git a/provider_base/services/static.json b/provider_base/services/static.json index d9f52b36..2f408ec1 100644 --- a/provider_base/services/static.json +++ b/provider_base/services/static.json @@ -9,5 +9,12 @@ "client_version": "= static.bootstrap_files.enabled ? provider.client_version : nil" } }, - "service_type": "public_service" + "service_type": "public_service", + "firewall": { + "static": { + "from": "*", + "to": "= ip_address", + "port": [80, 443] + } + } } \ No newline at end of file diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 039b1c0b..9e3d751b 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -76,5 +76,12 @@ "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`.'", "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`.'" + }, + "firewall": { + "webapp": { + "from": "*", + "to": "= ip_address", + "port": "= [api.port, 443, 80, nickserver.port]" + } } } -- cgit v1.2.3 From b1e50fc76ddece9944ae253da9bacd485ffea84b Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 6 Oct 2015 13:23:56 +0200 Subject: [feat] Remove tapicero from more places Remove from: - platform white-box tests (couchdb user ACLs, tapicero daemon test) - provider_base/ dir that handles the compilation of the hiera config file - Resolves: #7501 --- provider_base/common.json | 5 ----- provider_base/services/couchdb.json | 5 ----- 2 files changed, 10 deletions(-) (limited to 'provider_base') diff --git a/provider_base/common.json b/provider_base/common.json index 9cc7875a..5821789b 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -83,11 +83,6 @@ "package": "soledad-server", "revision": "latest" }, - "tapicero": { - "type": "git", - "source": "https://leap.se/git/tapicero", - "revision": "origin/version/0.7" - }, "webapp": { "type": "git", "source": "https://leap.se/git/leap_web", diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index 8b1386f8..5e65b2ec 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -31,11 +31,6 @@ "password": "= secret :couch_soledad_password", "salt": "= hex_secret :couch_soledad_password_salt, 128" }, - "tapicero": { - "username": "tapicero", - "password": "= secret :couch_tapicero_password", - "salt": "= hex_secret :couch_tapicero_password_salt, 128" - }, "webapp": { "username": "webapp", "password": "= secret :couch_webapp_password", -- cgit v1.2.3 From d6b521372243b79105a1513d4559572dfab6db54 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 22 Sep 2015 15:04:33 -0400 Subject: add clamav filtering, with sanesecurity signature updating and provider whitelisting (#3625) Change-Id: I15985ca00ee95bc62855f098a78e364ebbc32616 --- provider_base/services/mx.json | 3 +++ 1 file changed, 3 insertions(+) (limited to 'provider_base') diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index d6e9fff9..70acf5cb 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -24,6 +24,9 @@ }, "mynetworks": "= nodes['environment' => '!local'].map{|name, n| [n.ip_address, (global.facts[name]||{})['ec2_public_ipv4']]}.flatten.compact.uniq", "rbls": ["zen.spamhaus.org"], + "clamav": { + "whitelisted_addresses": [] + }, "x509": { "use": true, "use_commercial": true, -- cgit v1.2.3 From 171a5a9a3794224a92244078574aac4b22845266 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 26 Oct 2015 16:18:17 +0100 Subject: [bug] Add leap_mx username to soledad.conf - Tested: [unstable.pixelated-project.org] - Related: https://github.com/pixelated/pixelated-platform/issues/127 --- provider_base/services/soledad.json | 3 +++ 1 file changed, 3 insertions(+) (limited to 'provider_base') diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json index 76f7155f..99390d17 100644 --- a/provider_base/services/soledad.json +++ b/provider_base/services/soledad.json @@ -6,6 +6,9 @@ "username": "= global.services[:couchdb].couch.users[:soledad].username", "password": "= secret :couch_soledad_password", "salt": "= hex_secret :couch_soledad_password_salt, 128" + }, + "couchdb_leap_mx_user": { + "username": "= global.services[:couchdb].couch.users[:leap_mx].username" } }, "service_type": "public_service", -- cgit v1.2.3