authormh <mh@immerda.ch>2016-11-01 21:29:31 +0100
committermh <mh@immerda.ch>2016-11-01 21:29:31 +0100
commit914df896d915cea5acade2732526d3bbc75b176d (patch)
treea4fb70a7ad0664026b267cd8fb67168319f00c2f
parent720c1670750345e8c361219a58c2722a603e26bb (diff)
Make it possible to also add pregenerated private keys for onion services, or even have them generated on the fly
-rw-r--r--.gitignore3
-rw-r--r--manifests/daemon/hidden_service.pp48
-rw-r--r--spec/defines/daemon_hidden_service_spec.rb122
-rw-r--r--spec/tmp/.keep0
-rw-r--r--templates/torrc.hidden_service.erb2
5 files changed, 170 insertions, 5 deletions
diff --git a/.gitignore b/.gitignore
index 0669604..d51c0ba 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,5 +3,6 @@
.tmp
spec/fixtures/modules
spec/fixtures/manifests
-spec/fixtures/tmp
+spec/tmp
+!spec/tmp/.keep
*.lock
diff --git a/manifests/daemon/hidden_service.pp b/manifests/daemon/hidden_service.pp
index cf316b5..895fc53 100644
--- a/manifests/daemon/hidden_service.pp
+++ b/manifests/daemon/hidden_service.pp
@@ -1,14 +1,56 @@
# hidden services definition
define tor::daemon::hidden_service(
- $ports = [],
- $data_dir = $tor::daemon::data_dir,
- $ensure = present ) {
+ $ensure = present,
+ $ports = [],
+ $data_dir = $tor::daemon::data_dir,
+ $private_key = undef,
+ $private_key_name = $name,
+ $private_key_store_path = undef,
+) {
+ $data_dir_path = "${data_dir}/${name}"
+ include ::tor::daemon::params
concat::fragment { "05.hidden_service.${name}":
ensure => $ensure,
content => template('tor/torrc.hidden_service.erb'),
order => '05',
target => $tor::daemon::config_file,
}
+ if $private_key or ($private_key_name and $private_key_store_path) {
+ if $private_key and ($private_key_name and $private_key_store_path) {
+ fail("Either private_key OR (private_key_name AND private_key_store_path) must be set, but not all three of them")
+ }
+ if $private_key_store_path and $private_key_name {
+ $tmp = generate_onion_key($private_key_store_path,$private_key_name)
+ $os_hostname = $tmp[0]
+ $real_private_key = $tmp[1]
+ } else {
+ $os_hostname = onion_address($private_key)
+ $real_private_key = $private_key
+ }
+ file{
+ $data_dir_path:
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true,
+ owner => $tor::daemon::params::user,
+ group => $tor::daemon::params::group,
+ mode => $tor::daemon::params::data_dir_mode,
+ require => Package['tor'];
+ "${data_dir_path}/private_key":
+ content => $real_private_key,
+ owner => $tor::daemon::params::user,
+ group => $tor::daemon::params::group,
+ mode => '0600',
+ notify => Service['tor'];
+ "${data_dir_path}/hostname":
+ content => "${os_hostname}.onion\n",
+ owner => $tor::daemon::params::user,
+ group => $tor::daemon::params::group,
+ mode => '0600',
+ notify => Service['tor'];
+ }
+ }
}
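Review bot: The `"${data_dir_path}/private_key"` resource delivers the key via `content`, so the key material is also copied into the agent's filebucket backup whenever the file changes and into the report diff when show_diff is on; add `backup => false,` and `show_diff => false,` to that resource (the hostname file is not secret, but the same two lines keep it consistent). The new `file` resources also ignore `$ensure`: with `ensure => absent` the concat fragment is dropped but the directory and both key files are still enforced as present, so the directory should use `ensure => $ensure ? { 'present' => 'directory', default => 'absent' }` and the files should inherit `$ensure` as well. `purge => true, recurse => true` on the directory will delete anything Tor itself writes into the hidden service directory (e.g. `client_keys` when client authorization is in use), which looks too aggressive for a directory Tor also owns. Whether `generate_onion_key` leaves a copy of the key under `$private_key_store_path` on the master cannot be seen from this hunk and deserves a comment on the `$private_key_store_path` parameter.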
diff --git a/spec/defines/daemon_hidden_service_spec.rb b/spec/defines/daemon_hidden_service_spec.rb
new file mode 100644
index 0000000..7a3aae6
--- /dev/null
+++ b/spec/defines/daemon_hidden_service_spec.rb
@@ -0,0 +1,122 @@
+require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper'))
+require 'openssl'
+
+describe 'tor::daemon::hidden_service', :type => 'define' do
+ let(:default_facts) {
+ {
+ :osfamily => 'RedHat',
+ :operatingsystem => 'CentOS',
+ }
+ }
+ let(:title){ 'test_os' }
+ let(:facts){ default_facts }
+ let(:pre_condition){'Exec{path => "/bin"}
+ include tor::daemon' }
+ describe 'with standard' do
+ it { is_expected.to compile.with_all_deps }
+
+ it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with(
+ :ensure => 'present',
+ :content => /HiddenServiceDir \/var\/lib\/tor\/test_os/,
+ :order => '05',
+ :target => '/etc/tor/torrc',
+ )}
+ it { is_expected.to_not contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort/) }
+ it { is_expected.to_not contain_file('/var/lib/tor/test_os') }
+ context 'on Debian' do
+ let(:facts) {
+ {
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ }
+ }
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with(
+ :ensure => 'present',
+ :content => /HiddenServiceDir \/var\/lib\/tor\/test_os/,
+ :order => '05',
+ :target => '/etc/tor/torrc',
+ )}
+ it { is_expected.to_not contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort/) }
+ it { is_expected.to_not contain_file('/var/lib/tor/test_os') }
+ end
+ context 'with differt port params' do
+ let(:params){
+ {
+ :ports => ['25','443 192.168.0.1:8443']
+ }
+ }
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort 25 127.0.0.1:25/) }
+ it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort 443 192.168.0.1:8443/) }
+ it { is_expected.to_not contain_file('/var/lib/tor/test_os') }
+ end
+ context 'with private_key' do
+ let(:params){
+ {
+ :ports => ['80'],
+ :private_key => OpenSSL::PKey::RSA.generate(1024).to_s,
+ }
+ }
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort 80 127.0.0.1:80/) }
+ it { is_expected.to contain_file('/var/lib/tor/test_os').with(
+ :ensure => 'directory',
+ :purge => true,
+ :force => true,
+ :recurse => true,
+ :owner => 'toranon',
+ :group => 'toranon',
+ :mode => '0750',
+ :require => 'Package[tor]',
+ )}
+ it { is_expected.to contain_file('/var/lib/tor/test_os/hostname').with(
+ :content => /^[a-z2-7]{16}\.onion\n/,
+ :owner => 'toranon',
+ :group => 'toranon',
+ :mode => '0600',
+ :notify => 'Service[tor]',
+ )}
+ it { is_expected.to contain_file('/var/lib/tor/test_os/private_key').with(
+ :owner => 'toranon',
+ :group => 'toranon',
+ :mode => '0600',
+ :notify => 'Service[tor]',
+ )}
+ end
+ context 'with private key to generate' do
+ let(:params){
+ {
+ :ports => ['80'],
+ :private_key_name => 'test_os',
+ :private_key_store_path => File.expand_path(File.join(File.dirname(__FILE__),'..','tmp')),
+ }
+ }
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort 80 127.0.0.1:80/) }
+ it { is_expected.to contain_file('/var/lib/tor/test_os').with(
+ :ensure => 'directory',
+ :purge => true,
+ :force => true,
+ :recurse => true,
+ :owner => 'toranon',
+ :group => 'toranon',
+ :mode => '0750',
+ :require => 'Package[tor]',
+ )}
+ it { is_expected.to contain_file('/var/lib/tor/test_os/hostname').with(
+ :content => /^[a-z2-7]{16}\.onion\n/,
+ :owner => 'toranon',
+ :group => 'toranon',
+ :mode => '0600',
+ :notify => 'Service[tor]',
+ )}
+ it { is_expected.to contain_file('/var/lib/tor/test_os/private_key').with(
+ :owner => 'toranon',
+ :group => 'toranon',
+ :mode => '0600',
+ :notify => 'Service[tor]',
+ )}
+ end
+ end
+end
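Review bot: The `'with private_key'` context never checks that the supplied key is what gets written: the `contain_file('/var/lib/tor/test_os/private_key')` expectation has no `:content`, so a regression that wrote the wrong key or an empty file would still pass; add `:content => params[:private_key],` to it. The `'with private key to generate'` context points `private_key_store_path` at `spec/tmp` inside the source tree and nothing removes what `generate_onion_key` leaves there, so later runs presumably reuse that key and the examples stop being independent; a per-example `let(:store_path) { Dir.mktmpdir }` with `after { FileUtils.remove_entry(store_path) }` (plus `require 'tmpdir'` and `require 'fileutils'`) avoids the leftover. The `hostname` expectations only assert the shape `/^[a-z2-7]{16}\.onion\n/`; for the supplied-key case the exact address is fixed by the key, so pinning it would be a stronger check if the address derivation is callable from the spec. `'with differt port params'` has a typo (`different`).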
diff --git a/spec/tmp/.keep b/spec/tmp/.keep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/spec/tmp/.keep
diff --git a/templates/torrc.hidden_service.erb b/templates/torrc.hidden_service.erb
index 6a97351..77168d8 100644
--- a/templates/torrc.hidden_service.erb
+++ b/templates/torrc.hidden_service.erb
@@ -1,5 +1,5 @@
# hidden service <%= @name %>
-HiddenServiceDir <%= @data_dir %>/<%= @name %>
+HiddenServiceDir <%= @data_dir_path %>
<% Array(@ports).each do |port| -%>
HiddenServicePort <%= port =~ /^\d+$/ ? "#{port} 127.0.0.1:#{port}" : port %>
<% end -%>