From: Peter Palfrader Date: Tue, 29 Oct 2019 14:52:42 +0000 (+0100) Subject: Merge remote-tracking branch 'gfa/gfa/prosody' X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=7b813b20680e394a2ccc5697ea59000d5866dd15;hp=9e27d3f0aaa21b93d9d256414dcd6335b07c0f53;p=mirror%2Fdsa-puppet.git Merge remote-tracking branch 'gfa/gfa/prosody' * gfa/gfa/prosody: Notify prosody when its certificates change manage prosody using puppet Add the posix_acl module Add the prosody module --- diff --git a/3rdparty/Puppetfile b/3rdparty/Puppetfile index e80b68972..0d751cbf9 100644 --- a/3rdparty/Puppetfile +++ b/3rdparty/Puppetfile @@ -12,5 +12,11 @@ mod 'nanliu/staging', '1.0.3' mod 'puppetlabs/certregen', '0.2.0' +# Prosody +mod 'mayflower-prosody', + git: 'https://github.com/mayflower/puppet-prosody.git', + ref: '863bb4ee0cd3369ad69a211042b4c5f7d66f4444' +mod 'puppet-posix_acl', '0.1.1' + # OpenStack -mod 'duritong/sysctl', '0.0.11' +mod 'duritong/sysctl', '0.0.11' diff --git a/3rdparty/modules/posix_acl/CHANGELOG.md b/3rdparty/modules/posix_acl/CHANGELOG.md new file mode 100644 index 000000000..b95dc9c6a --- /dev/null +++ b/3rdparty/modules/posix_acl/CHANGELOG.md 
@@ -0,0 +1,87 @@ +# Changelog + +All notable changes to this project will be documented in this file. +Each new release typically also includes the latest modulesync defaults. +These should not affect the functionality of the module. + +## [v0.1.1](https://github.com/voxpupuli/puppet-posix_acl/tree/v0.1.1) (2018-10-14) + +[Full Changelog](https://github.com/voxpupuli/puppet-posix_acl/compare/v0.1.0...v0.1.1) + +**Merged pull requests:** + +- modulesync 2.2.0 and allow puppet 6.x [\#53](https://github.com/voxpupuli/puppet-posix_acl/pull/53) ([bastelfreak](https://github.com/bastelfreak)) + +## [v0.1.0](https://github.com/voxpupuli/puppet-posix_acl/tree/v0.1.0) (2018-07-16) + +[Full Changelog](https://github.com/voxpupuli/puppet-posix_acl/compare/0.0.5...v0.1.0) + +**Implemented enhancements:** + +- Move to Vox Pupuli [\#29](https://github.com/voxpupuli/puppet-posix_acl/issues/29) + +**Merged pull requests:** + +- Remove docker nodesets [\#47](https://github.com/voxpupuli/puppet-posix_acl/pull/47) ([bastelfreak](https://github.com/bastelfreak)) +- drop EOL OSs; fix puppet version range [\#46](https://github.com/voxpupuli/puppet-posix_acl/pull/46) ([bastelfreak](https://github.com/bastelfreak)) +- Rubocop: Fix Style/PredicateName [\#42](https://github.com/voxpupuli/puppet-posix_acl/pull/42) ([alexjfisher](https://github.com/alexjfisher)) +- Rubocop: Fix Style/GuardClause [\#41](https://github.com/voxpupuli/puppet-posix_acl/pull/41) ([alexjfisher](https://github.com/alexjfisher)) +- Rubocop: Fix Lint/UselessAssignment [\#40](https://github.com/voxpupuli/puppet-posix_acl/pull/40) ([alexjfisher](https://github.com/alexjfisher)) +- Rubocop auto fixes [\#39](https://github.com/voxpupuli/puppet-posix_acl/pull/39) ([alexjfisher](https://github.com/alexjfisher)) +- Fix metadata and add LICENSE file [\#36](https://github.com/voxpupuli/puppet-posix_acl/pull/36) ([alexjfisher](https://github.com/alexjfisher)) +- remove ruby 1.9.3 support 
[\#35](https://github.com/voxpupuli/puppet-posix_acl/pull/35) ([dobbymoodge](https://github.com/dobbymoodge)) + +## [0.0.5](https://github.com/voxpupuli/puppet-posix_acl/tree/0.0.5) (2017-12-12) + +[Full Changelog](https://github.com/voxpupuli/puppet-posix_acl/compare/0.0.4...0.0.5) + +## [0.0.4](https://github.com/voxpupuli/puppet-posix_acl/tree/0.0.4) (2017-12-12) + +[Full Changelog](https://github.com/voxpupuli/puppet-posix_acl/compare/0.0.3...0.0.4) + +**Fixed bugs:** + +- module name conflict [\#26](https://github.com/voxpupuli/puppet-posix_acl/issues/26) + +**Closed issues:** + +- Race condition with non existing file and recursemode =\> deep [\#22](https://github.com/voxpupuli/puppet-posix_acl/issues/22) +- Publish to the forge [\#21](https://github.com/voxpupuli/puppet-posix_acl/issues/21) + +**Merged pull requests:** + +- Time to deprecate Ruby 1.8.7 support [\#31](https://github.com/voxpupuli/puppet-posix_acl/pull/31) ([dobbymoodge](https://github.com/dobbymoodge)) +- Fixes ACL's with spaces [\#30](https://github.com/voxpupuli/puppet-posix_acl/pull/30) ([i1tech](https://github.com/i1tech)) +- fix another Ruby error when the file doesn't exist yet [\#28](https://github.com/voxpupuli/puppet-posix_acl/pull/28) ([tequeter](https://github.com/tequeter)) +- use inspect instead of join to stringify arrays [\#27](https://github.com/voxpupuli/puppet-posix_acl/pull/27) ([tequeter](https://github.com/tequeter)) +- Do not downcase acl group/user names when checking for insync?. 
[\#25](https://github.com/voxpupuli/puppet-posix_acl/pull/25) ([tdevelioglu](https://github.com/tdevelioglu)) +- Check if a path exists before calling getfacl [\#23](https://github.com/voxpupuli/puppet-posix_acl/pull/23) ([roidelapluie](https://github.com/roidelapluie)) + +## [0.0.3](https://github.com/voxpupuli/puppet-posix_acl/tree/0.0.3) (2016-01-13) + +[Full Changelog](https://github.com/voxpupuli/puppet-posix_acl/compare/650e19723054c74baa662d3f1589398550524b33...0.0.3) + +**Closed issues:** + +- Accept short acls. [\#4](https://github.com/voxpupuli/puppet-posix_acl/issues/4) + +**Merged pull requests:** + +- Switch from Modulefile to metadata.json [\#20](https://github.com/voxpupuli/puppet-posix_acl/pull/20) ([roidelapluie](https://github.com/roidelapluie)) +- Fix defaults: behaviour [\#19](https://github.com/voxpupuli/puppet-posix_acl/pull/19) ([roidelapluie](https://github.com/roidelapluie)) +- Add autorequire on parent ACL [\#18](https://github.com/voxpupuli/puppet-posix_acl/pull/18) ([roidelapluie](https://github.com/roidelapluie)) +- Fix ruby 1.8.7 quirks [\#17](https://github.com/voxpupuli/puppet-posix_acl/pull/17) ([dobbymoodge](https://github.com/dobbymoodge)) +- Better support for 'deep' recursive acls [\#15](https://github.com/voxpupuli/puppet-posix_acl/pull/15) ([roidelapluie](https://github.com/roidelapluie)) +- Adds space around operators in ternary expressions [\#14](https://github.com/voxpupuli/puppet-posix_acl/pull/14) ([dobbymoodge](https://github.com/dobbymoodge)) +- Add recursemode parameter to apply ACLs recursively [\#13](https://github.com/voxpupuli/puppet-posix_acl/pull/13) ([dobbymoodge](https://github.com/dobbymoodge)) +- Add the Puppetlabs Skeleton for testing [\#11](https://github.com/voxpupuli/puppet-posix_acl/pull/11) ([roidelapluie](https://github.com/roidelapluie)) +- Drop duplicate ACL's. 
[\#10](https://github.com/voxpupuli/puppet-posix_acl/pull/10) ([kevincox](https://github.com/kevincox)) +- Update sync [\#7](https://github.com/voxpupuli/puppet-posix_acl/pull/7) ([mwoodson](https://github.com/mwoodson)) +- Normalize ACL's. [\#5](https://github.com/voxpupuli/puppet-posix_acl/pull/5) ([kevincox](https://github.com/kevincox)) +- Make posixacl the default for the redhat family [\#3](https://github.com/voxpupuli/puppet-posix_acl/pull/3) ([nhemingway](https://github.com/nhemingway)) +- Add a acl::requirements class [\#2](https://github.com/voxpupuli/puppet-posix_acl/pull/2) ([duritong](https://github.com/duritong)) +- Fix typo and make Modulefile validate by puppet module tool [\#1](https://github.com/voxpupuli/puppet-posix_acl/pull/1) ([carlossg](https://github.com/carlossg)) + + + +\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)* diff --git a/3rdparty/modules/posix_acl/CONTRIBUTING.md b/3rdparty/modules/posix_acl/CONTRIBUTING.md new file mode 100644 index 000000000..bfeaa701c --- /dev/null +++ b/3rdparty/modules/posix_acl/CONTRIBUTING.md 
@@ -0,0 +1,220 @@ +Checklist (and a short version for the impatient) +================================================= + + * Commits: + + - Make commits of logical units. + + - Check for unnecessary whitespace with "git diff --check" before + committing. + + - Commit using Unix line endings (check the settings around "crlf" in + git-config(1)). + + - Do not check in commented out code or unneeded files. + + - The first line of the commit message should be a short + description (50 characters is the soft limit, excluding ticket + number(s)), and should skip the full stop. + + - Associate the issue in the message. The first line should include + the issue number in the form "(#XXXX) Rest of message". + + - The body should provide a meaningful commit message, which: + + - uses the imperative, present tense: "change", not "changed" or + "changes". + + - includes motivation for the change, and contrasts its + implementation with the previous behavior. + + - Make sure that you have tests for the bug you are fixing, or + feature you are adding. + + - Make sure the test suites passes after your commit: + `bundle exec rspec spec/acceptance` More information on [testing](#Testing) below + + - When introducing a new feature, make sure it is properly + documented in the README.md + + * Submission: + + * Pre-requisites: + + - Make sure you have a [GitHub account](https://github.com/join) + + - [Create a ticket](https://tickets.puppetlabs.com/secure/CreateIssue!default.jspa), or [watch the ticket](https://tickets.puppetlabs.com/browse/) you are patching for. + + * Preferred method: + + - Fork the repository on GitHub. + + - Push your changes to a topic branch in your fork of the + repository. (the format ticket/1234-short_description_of_change is + usually preferred for this project). + + - Submit a pull request to the repository in the puppetlabs + organization. + +The long version +================ + + 1. Make separate commits for logically separate changes. 
+ + Please break your commits down into logically consistent units + which include new or changed tests relevant to the rest of the + change. The goal of doing this is to make the diff easier to + read for whoever is reviewing your code. In general, the easier + your diff is to read, the more likely someone will be happy to + review it and get it into the code base. + + If you are going to refactor a piece of code, please do so as a + separate commit from your feature or bug fix changes. + + We also really appreciate changes that include tests to make + sure the bug is not re-introduced, and that the feature is not + accidentally broken. + + Describe the technical detail of the change(s). If your + description starts to get too long, that is a good sign that you + probably need to split up your commit into more finely grained + pieces. + + Commits which plainly describe the things which help + reviewers check the patch and future developers understand the + code are much more likely to be merged in with a minimum of + bike-shedding or requested changes. Ideally, the commit message + would include information, and be in a form suitable for + inclusion in the release notes for the version of Puppet that + includes them. + + Please also check that you are not introducing any trailing + whitespace or other "whitespace errors". You can do this by + running "git diff --check" on your changes before you commit. + + 2. Sending your patches + + To submit your changes via a GitHub pull request, we _highly_ + recommend that you have them on a topic branch, instead of + directly on "master". + It makes things much easier to keep track of, especially if + you decide to work on another thing before your first change + is merged in. + + GitHub has some pretty good + [general documentation](http://help.github.com/) on using + their site. They also have documentation on + [creating pull requests](http://help.github.com/send-pull-requests/). 
+ + In general, after pushing your topic branch up to your + repository on GitHub, you can switch to the branch in the + GitHub UI and click "Pull Request" towards the top of the page + in order to open a pull request. + + + 3. Update the related GitHub issue. + + If there is a GitHub issue associated with the change you + submitted, then you should update the ticket to include the + location of your branch, along with any other commentary you + may wish to make. + +Testing +======= + +Getting Started +--------------- + +Our puppet modules provide [`Gemfile`](./Gemfile)s which can tell a ruby +package manager such as [bundler](http://bundler.io/) what Ruby packages, +or Gems, are required to build, develop, and test this software. + +Please make sure you have [bundler installed](http://bundler.io/#getting-started) +on your system, then use it to install all dependencies needed for this project, +by running + +```shell +% bundle install +Fetching gem metadata from https://rubygems.org/........ +Fetching gem metadata from https://rubygems.org/.. +Using rake (10.1.0) +Using builder (3.2.2) +-- 8><-- many more --><8 -- +Using rspec-system-puppet (2.2.0) +Using serverspec (0.6.3) +Using rspec-system-serverspec (1.0.0) +Using bundler (1.3.5) +Your bundle is complete! +Use `bundle show [gemname]` to see where a bundled gem is installed. +``` + +NOTE some systems may require you to run this command with sudo. + +If you already have those gems installed, make sure they are up-to-date: + +```shell +% bundle update +``` + +With all dependencies in place and up-to-date we can now run the tests: + +```shell +% bundle exec rake spec +``` + +This will execute all the [rspec tests](http://rspec-puppet.com/) tests +under [spec/defines](./spec/defines), [spec/classes](./spec/classes), +and so on. rspec tests may have the same kind of dependencies as the +module they are testing. 
While the module defines in its [Modulefile](./Modulefile), +rspec tests define them in [.fixtures.yml](./fixtures.yml). + +Some puppet modules also come with [beaker](https://github.com/puppetlabs/beaker) +tests. These tests spin up a virtual machine under +[VirtualBox](https://www.virtualbox.org/)) with, controlling it with +[Vagrant](http://www.vagrantup.com/) to actually simulate scripted test +scenarios. In order to run these, you will need both of those tools +installed on your system. + +You can run them by issuing the following command + +```shell +% bundle exec rake spec_clean +% bundle exec rspec spec/acceptance +``` + +This will now download a pre-fabricated image configured in the [default node-set](./spec/acceptance/nodesets/default.yml), +install puppet, copy this module and install its dependencies per [spec/spec_helper_acceptance.rb](./spec/spec_helper_acceptance.rb) +and then run all the tests under [spec/acceptance](./spec/acceptance). + +Writing Tests +------------- + +XXX getting started writing tests. + +If you have commit access to the repository +=========================================== + +Even if you have commit access to the repository, you will still need to +go through the process above, and have someone else review and merge +in your changes. The rule is that all changes must be reviewed by a +developer on the project (that did not write the code) to ensure that +all changes go through a code review process. + +Having someone other than the author of the topic branch recorded as +performing the merge is the record that they performed the code +review. 
+ + +Additional Resources +==================== + +* [Getting additional help](http://puppetlabs.com/community/get-help) + +* [Writing tests](http://projects.puppetlabs.com/projects/puppet/wiki/Development_Writing_Tests) + +* [Patchwork](https://patchwork.puppetlabs.com) + +* [General GitHub documentation](http://help.github.com/) + +* [GitHub pull request documentation](http://help.github.com/send-pull-requests/) + diff --git a/3rdparty/modules/posix_acl/Gemfile b/3rdparty/modules/posix_acl/Gemfile new file mode 100644 index 000000000..7ed69d4e5 --- /dev/null +++ b/3rdparty/modules/posix_acl/Gemfile 
@@ -0,0 +1,82 @@ +source ENV['GEM_SOURCE'] || "https://rubygems.org" + +def location_for(place, fake_version = nil) + if place =~ /^(git[:@][^#]*)#(.*)/ + [fake_version, { :git => $1, :branch => $2, :require => false }].compact + elsif place =~ /^file:\/\/(.*)/ + ['>= 0', { :path => File.expand_path($1), :require => false }] + else + [place, { :require => false }] + end +end + +group :test do + gem 'puppetlabs_spec_helper', '>= 2.11.0', :require => false + gem 'rspec-puppet-facts', '>= 1.8.0', :require => false + gem 'rspec-puppet-utils', :require => false + gem 'puppet-lint-leading_zero-check', :require => false + gem 'puppet-lint-trailing_comma-check', :require => false + gem 'puppet-lint-version_comparison-check', :require => false + gem 'puppet-lint-classes_and_types_beginning_with_digits-check', :require => false + gem 'puppet-lint-unquoted_string-check', :require => false + gem 'puppet-lint-variable_contains_upcase', :require => false + gem 'metadata-json-lint', :require => false + gem 'redcarpet', :require => false + gem 'rubocop', '~> 0.49.1', :require => false if RUBY_VERSION >= '2.3.0' + gem 'rubocop-rspec', '~> 1.15.0', :require => false if RUBY_VERSION >= '2.3.0' + gem 'mocha', '~> 1.4.0', :require => false + gem 'coveralls', :require => false + gem 'simplecov-console', :require => false + gem 'rack', '~> 1.0', :require => false if RUBY_VERSION < '2.2.2' + gem 'parallel_tests', :require => false +end + +group :development do + gem 'travis', :require => false + gem 'travis-lint', :require => false + gem 'guard-rake', :require => false + gem 'overcommit', '>= 0.39.1', :require => false +end + +group :system_tests do + gem 'winrm', :require => false + if beaker_version = ENV['BEAKER_VERSION'] + gem 'beaker', *location_for(beaker_version) + else + gem 'beaker', '>= 3.9.0', :require => false + end + if beaker_rspec_version = ENV['BEAKER_RSPEC_VERSION'] + gem 'beaker-rspec', *location_for(beaker_rspec_version) + else + gem 'beaker-rspec', :require => false + 
end + gem 'serverspec', :require => false + gem 'beaker-hostgenerator', '>= 1.1.10', :require => false + gem 'beaker-docker', :require => false + gem 'beaker-puppet', :require => false + gem 'beaker-puppet_install_helper', :require => false + gem 'beaker-module_install_helper', :require => false + gem 'rbnacl', '>= 4', :require => false if RUBY_VERSION >= '2.2.6' + gem 'rbnacl-libsodium', :require => false if RUBY_VERSION >= '2.2.6' + gem 'bcrypt_pbkdf', :require => false +end + +group :release do + gem 'github_changelog_generator', :require => false, :git => 'https://github.com/github-changelog-generator/github-changelog-generator' if RUBY_VERSION >= '2.2.2' + gem 'puppet-blacksmith', :require => false + gem 'voxpupuli-release', :require => false, :git => 'https://github.com/voxpupuli/voxpupuli-release-gem' + gem 'puppet-strings', '>= 1.0', :require => false +end + + + +if facterversion = ENV['FACTER_GEM_VERSION'] + gem 'facter', facterversion.to_s, :require => false, :groups => [:test] +else + gem 'facter', :require => false, :groups => [:test] +end + +ENV['PUPPET_VERSION'].nil? ? puppetversion = '~> 5.0' : puppetversion = ENV['PUPPET_VERSION'].to_s +gem 'puppet', puppetversion, :require => false, :groups => [:test] + +# vim: syntax=ruby diff --git a/3rdparty/modules/posix_acl/LICENSE b/3rdparty/modules/posix_acl/LICENSE new file mode 100644 index 000000000..d64569567 --- /dev/null +++ b/3rdparty/modules/posix_acl/LICENSE 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/3rdparty/modules/posix_acl/README.org b/3rdparty/modules/posix_acl/README.org new file mode 100644 index 000000000..de4826326 --- /dev/null +++ b/3rdparty/modules/posix_acl/README.org 
@@ -0,0 +1,174 @@ +#+TITLE: Acl module for Puppet + +* Description +This plugin module provides a way to set POSIX 1.e (and other standards) file ACLs via Puppet. + +* Usage: + - the =posix_acl= resource =title= is used as the path specifier. + - ACLs are specified in the =permission= property as an array of strings in the same format as is used for =setfacl=. + - the =action= parameter can be one of =set=, =exact=, =unset= or =purge=. These are described in detail below. + - the =provider= parameter allows a choice of filesystem ACL provider. Currently only POSIX 1.e is implemented. + - the =recursive= parameter allows you to apply the ACLs to all files under the specified path. + + : posix_acl { "/var/log/httpd": + : action => set, + : permission => [ + : "user::rwx", + : "group::---", + : "mask::r-x", + : "other::---", + : "group:logview:r-x", + : "default:user::rwx", + : "default:group::---", + : "default:mask::rwx", + : "default:other::---", + : "default:group:logview:r-x", + : ], + : provider => posixacl, + : require => [ + : Group["logview"], + : Package["httpd"], + : Mount["/var"], + : ], + : recursive => false, + : } + +** Using action => set: +The =set= option for the =action= parameter allows you to specify a minimal set of ACLs which will be guaranteed by Puppet. ACLs applied to the path which do not match those specified in the =permission= property will remain unchanged. 
+*** Initial permissions: + : # file /var/www/site1 + : user::rwx + : group::r-x + : other::r-x + : mask::rwx + : group:webadmin:r-x + : group:httpadmin:rwx +*** Specified acls: + : permission => [ + : 'user::rwx', + : 'group::r-x', + : 'other::r-x', + : 'mask::rwx', + : 'group:webadmin:rwx', + : 'user:apache:rwx', + : ], +*** Updated permissions: + : # file /var/www/site1 + : user::rwx + : group::r-x + : other::r-x + : mask::rwx + : user:apache:rwx + : group:webadmin:rwx + : group:httpadmin:rwx +** Using action => exact: +The =exact= option for the =action= parameter will specify the exact set of ACLs guaranteed and enforced by Puppet. ACLs applied to the path which do not match those specified in the =permission= property will be removed. +*** Initial permissions: + : # file /var/www/site1 + : user::rwx + : group::r-x + : other::r-x + : mask::rwx + : group:webadmin:r-x + : group:httpadmin:rwx +*** Specified acls: + : permission => [ + : 'user::rwx', + : 'group::r-x', + : 'other::r-x', + : 'mask::rwx', + : 'group:webadmin:r--', + : 'user:apache:rwx', + : ], +*** Updated permissions: + - group:httpadmin permission is removed + - user:apache permission is added + - group:webadmin permission is updated + : # file /var/www/site1 + : user::rwx + : group::r-x + : other::r-x + : mask::rwx + : group:webadmin:r-- + : user:apache:rwx +** Using action => unset: +The =unset= option for the =action= parameter will specify the set of ACLs guaranteed by Puppet to NOT be applied to the path. ACLs applied to the path which match those specified in the =permission= property will be removed. ACLs applied to the path which do not match those specified in the =permission= property will remain unchanged. 
+*** Initial permissions: + : # file /var/www/site1 + : user::rwx + : group::r-x + : other::r-x + : mask::rwx + : group:webadmin:r-x + : group:httpadmin:rwx +*** Specified acls: + : permission => [ + : 'user::rwx', + : 'group::r-x', + : 'other::r-x', + : 'mask::rwx', + : 'group:webadmin:r--', + : 'user:apache:rwx', + : ], +*** Updated permissions: + : # file /var/www/site1 + : user::rwx + : group::r-x + : other::r-x + : mask::rwx + : group:httpadmin:rwx +** Using action => purge: +The =purge= option for the =action= parameter will cause Puppet to remove any file ACLs applied to the path. + +NOTE: Although the =permission= property is unused for this action, it needs to have a valid ACL value for the action to work. This is a known issue. +*** Initial permissions: + : # file /var/www/site1 + : user::rwx + : group::r-x + : other::r-x + : mask::rwx + : group:webadmin:r-x + : group:httpadmin:rwx +*** Specified acls: +See above + : permission => [ + : 'user::rwx', + : 'group::r-x', + : 'other::r-x', + : 'mask::rwx', + : 'group:webadmin:r--', + : 'user:apache:rwx', + : ], +*** Updated permissions: + - All file ACLs are removed + : # file /var/www/site1 + : user::rwx + : group::r-x + : other::r-x + +* Notes: +** Conflicts with "file" resource type: +If the path being modified is managed via the =File= resource type, the path's mode bits must match the value specified in the =permission= property of the ACL +** Mask check: +The ACL setter doesn't recalculate the rights mask based on the user/group ACLs specified, so it is possible to specify ACLs on a file for which a more restrictive set of rights is enforced, known as "effective rights". 
For example, with these =permission= parameters on a file =test=: + : permission => [ + : 'user::rw-', + : 'group::---', + : 'mask::r--', + : 'other::---', + : 'user:apache:rwx', + : 'group:root:r-x', + : 'group:admin:rwx', + : ], + +The output of =getfacl test= reveals a more restrictive set of effective rights, which might not be what was expected: + : # file: test + : # owner: root + : # group: root + : user::rw- + : group::--- + : other::--- + : mask::r-- + : user:apache:rwx #effective:r-- + : group:root:r-x #effective:r-- + : group:admin:rwx #effective:r-- diff --git a/3rdparty/modules/posix_acl/Rakefile b/3rdparty/modules/posix_acl/Rakefile new file mode 100644 index 000000000..279580ac6 --- /dev/null +++ b/3rdparty/modules/posix_acl/Rakefile 
@@ -0,0 +1,92 @@ +require 'puppetlabs_spec_helper/rake_tasks' + +# load optional tasks for releases +# only available if gem group releases is installed +begin + require 'puppet_blacksmith/rake_tasks' + require 'voxpupuli/release/rake_tasks' + require 'puppet-strings/tasks' +rescue LoadError +end + +PuppetLint.configuration.log_format = '%{path}:%{line}:%{check}:%{KIND}:%{message}' +PuppetLint.configuration.fail_on_warnings = true +PuppetLint.configuration.send('relative') +PuppetLint.configuration.send('disable_140chars') +PuppetLint.configuration.send('disable_class_inherits_from_params_class') +PuppetLint.configuration.send('disable_documentation') +PuppetLint.configuration.send('disable_single_quote_string_with_variables') + +exclude_paths = %w( + pkg/**/* + vendor/**/* + .vendor/**/* + spec/**/* +) +PuppetLint.configuration.ignore_paths = exclude_paths +PuppetSyntax.exclude_paths = exclude_paths + +desc 'Auto-correct puppet-lint offenses' +task 'lint:auto_correct' do + PuppetLint.configuration.fix = true + Rake::Task[:lint].invoke +end + +desc 'Run acceptance tests' +RSpec::Core::RakeTask.new(:acceptance) do |t| + t.pattern = 'spec/acceptance' +end + +desc 'Run tests metadata_lint, release_checks' +task test: [ + :metadata_lint, + :release_checks, +] + +desc "Run main 'test' task and report merged results to coveralls" +task test_with_coveralls: [:test] do + if Dir.exist?(File.expand_path('../lib', __FILE__)) + require 'coveralls/rake/task' + Coveralls::RakeTask.new + Rake::Task['coveralls:push'].invoke + else + puts 'Skipping reporting to coveralls. 
Module has no lib dir' + end +end + +desc "Print supported beaker sets" +task 'beaker_sets', [:directory] do |t, args| + directory = args[:directory] + + metadata = JSON.load(File.read('metadata.json')) + + (metadata['operatingsystem_support'] || []).each do |os| + (os['operatingsystemrelease'] || []).each do |release| + if directory + beaker_set = "#{directory}/#{os['operatingsystem'].downcase}-#{release}" + else + beaker_set = "#{os['operatingsystem'].downcase}-#{release}-x64" + end + + filename = "spec/acceptance/nodesets/#{beaker_set}.yml" + + puts beaker_set if File.exists? filename + end + end +end + +begin + require 'github_changelog_generator/task' + GitHubChangelogGenerator::RakeTask.new :changelog do |config| + version = (Blacksmith::Modulefile.new).version + config.future_release = "v#{version}" if version =~ /^\d+\.\d+.\d+$/ + config.header = "# Changelog\n\nAll notable changes to this project will be documented in this file.\nEach new release typically also includes the latest modulesync defaults.\nThese should not affect the functionality of the module." + config.exclude_labels = %w{duplicate question invalid wontfix wont-fix modulesync skip-changelog} + config.user = 'voxpupuli' + metadata_json = File.join(File.dirname(__FILE__), 'metadata.json') + metadata = JSON.load(File.read(metadata_json)) + config.project = metadata['name'] + end +rescue LoadError +end +# vim: syntax=ruby diff --git a/3rdparty/modules/posix_acl/checksums.json b/3rdparty/modules/posix_acl/checksums.json new file mode 100644 index 000000000..14780a684 --- /dev/null +++ b/3rdparty/modules/posix_acl/checksums.json 
@@ -0,0 +1,42 @@ +{ + "CHANGELOG.md": "a9773633c6662eb81dc1746eab49dc25", + "CONTRIBUTING.md": "ad65d271f183b5adb9fdd58207939f5f", + "Gemfile": "cdd43fe4fc5ef35ddc132407551180b2", + "LICENSE": "3b83ef96387f14655fc854ddc3c6bd57", + "README.org": "64db9bd628c28fe105bc2be006b5fd17", + "Rakefile": "3c6f218e7e63e1a6e24251f365423e49", + "lib/puppet/provider/posix_acl/genericacl.rb": "4f0869eb98de0f3c8d1d7bd57d27ba96", + "lib/puppet/provider/posix_acl/posixacl.rb": "de6392553292e752fee9426e83a33e66", + "lib/puppet/type/posix_acl.rb": "2d5efc0bf8039f81eb28745b561dd1f6", + "manifests/requirements.pp": "899a1e79ead355c8f98aad3520e80d39", + "metadata.json": "4f219497dd99654406b0c37e31f8d31f", + "spec/acceptance/nodesets/archlinux-2-x64.yml": "daafcfcb4c8c8766856f52cec6ae5e86", + "spec/acceptance/nodesets/centos-511-x64.yml": "ca8258bc835dd985a1754689d124cd66", + "spec/acceptance/nodesets/centos-59-x64.yml": "57eb3e471b9042a8ea40978c467f8151", + "spec/acceptance/nodesets/centos-6-x64.yml": "58065782a8d40780d9728257a23504cd", + "spec/acceptance/nodesets/centos-64-x64-pe.yml": "ec075d95760df3d4702abea1ce0a829b", + "spec/acceptance/nodesets/centos-65-x64.yml": "3e5c36e6aa5a690229e720f4048bb8af", + "spec/acceptance/nodesets/centos-66-x64-pe.yml": "e68e03dc562bf58f7c5bba54a1a34619", + "spec/acceptance/nodesets/centos-7-x64.yml": "68d3556f670b8ac0a169a8270ff8c37a", + "spec/acceptance/nodesets/debian-78-x64.yml": "56af2760a64c13a0bccd59404435939c", + "spec/acceptance/nodesets/debian-82-x64.yml": "26f2f696e6073549fe0a844f9a46f85b", + "spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml": "b3dc2d81918fcc6d56855c88ba5b7ce8", + "spec/acceptance/nodesets/ec2/image_templates.yaml": "516f9c4c3407993a100090ce9e1a643c", + "spec/acceptance/nodesets/ec2/rhel-73-x64.yml": "e74670a1cb8eea32afc879a5d786f9bd", + "spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml": "2506efcc9fb420132edc37bf88d6e21d", + "spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml": "87efd97ff1b073c3448f429a8ffc5a7c", + 
"spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml": "e9db4dd16c60c52b433694130c2583a0", + "spec/acceptance/nodesets/fedora-25-x64.yml": "807fbf45f95fc7bc2af8c689d34e4160", + "spec/acceptance/nodesets/fedora-26-x64.yml": "e7ee1e18590548ff098192c2127c6697", + "spec/acceptance/nodesets/fedora-27-x64.yml": "326a10c4eb327ccd85775dfa0f76e5c1", + "spec/acceptance/nodesets/ubuntu-server-10044-x64.yml": "75e86400b7889888dc0781c0ae1a1297", + "spec/acceptance/nodesets/ubuntu-server-1204-x64.yml": "0dd7639bf95bfb18169ebba9a2bac163", + "spec/acceptance/nodesets/ubuntu-server-12042-x64.yml": "d30d73e34cd50b043c7d14e305955269", + "spec/acceptance/nodesets/ubuntu-server-1404-x64.yml": "7455367b784060b921360b29a56cd74c", + "spec/acceptance/nodesets/ubuntu-server-1604-x64.yml": "37673118cc3bf052755d65fb5dd90226", + "spec/default_facts.yml": "11504073ebebb30015eb85ff9805f2d9", + "spec/spec.opts": "a600ded995d948e393fbe2320ba8e51c", + "spec/spec_helper.rb": "2e78c273353985a5b95d70b47019a344", + "spec/unit/puppet/provider/posixacl_spec.rb": "9715390fbd16bd566ea0784a1739facc", + "spec/unit/puppet/type/acl_spec.rb": "e349f44546d03614e01bbc08a943778c" +} \ No newline at end of file diff --git a/3rdparty/modules/posix_acl/lib/puppet/provider/posix_acl/genericacl.rb b/3rdparty/modules/posix_acl/lib/puppet/provider/posix_acl/genericacl.rb new file mode 100644 index 000000000..3acf1a566 --- /dev/null +++ b/3rdparty/modules/posix_acl/lib/puppet/provider/posix_acl/genericacl.rb @@ -0,0 +1,2 @@ +Puppet::Type.type(:posix_acl).provide(:genericacl, parent: Puppet::Provider) do +end diff --git a/3rdparty/modules/posix_acl/lib/puppet/provider/posix_acl/posixacl.rb b/3rdparty/modules/posix_acl/lib/puppet/provider/posix_acl/posixacl.rb new file mode 100644 index 000000000..a534db529 --- /dev/null +++ b/3rdparty/modules/posix_acl/lib/puppet/provider/posix_acl/posixacl.rb 
@@ -0,0 +1,109 @@ +Puppet::Type.type(:posix_acl).provide(:posixacl, parent: Puppet::Provider) do + desc 'Provide posix 1e acl functions using posix getfacl/setfacl commands' + + commands setfacl: '/usr/bin/setfacl' + commands getfacl: '/usr/bin/getfacl' + + confine feature: :posix + defaultfor operatingsystem: [:debian, :ubuntu, :redhat, :centos, :fedora, :sles] + + def exists? + permission + end + + def unset_perm(perm, path) + # Don't try to unset mode bits, it doesn't make sense! + return if perm =~ %r{^(((u(ser)?)|(g(roup)?)|(m(ask)?)|(o(ther)?)):):} + + perm = perm.split(':')[0..-2].join(':') + if check_recursive + setfacl('-R', '-n', '-x', perm, path) + else + setfacl('-n', '-x', perm, path) + end + end + + def set_perm(perm, path) + if check_recursive + setfacl('-R', '-n', '-m', perm, path) + else + setfacl('-n', '-m', perm, path) + end + end + + def unset + @resource.value(:permission).each do |perm| + unset_perm(perm, @resource.value(:path)) + end + end + + def purge + if check_recursive + setfacl('-R', '-b', @resource.value(:path)) + else + setfacl('-b', @resource.value(:path)) + end + end + + def permission + return [] unless File.exist?(@resource.value(:path)) + value = [] + # String#lines would be nice, but we need to support Ruby 1.8.5 + getfacl('--absolute-names', '--no-effective', @resource.value(:path)).split("\n").each do |line| + # Strip comments and blank lines + value << line.gsub('\040', ' ') if line !~ %r{^#} && line != '' + end + value.sort + end + + def check_recursive + # Changed functionality to return boolean true or false + @resource.value(:recursive) == :true && resource.value(:recursemode) == :lazy + end + + def check_exact + @resource.value(:action) == :exact + end + + def check_unset + @resource.value(:action) == :unset + end + + def check_purge + @resource.value(:action) == :purge + end + + def check_set + @resource.value(:action) == :set + end + + def permission=(_value) # TODO: Investigate why we're not using this parameter + 
Puppet.debug @resource.value(:action) + case @resource.value(:action) + when :unset + unset + when :purge + purge + when :exact, :set + cur_perm = permission + perm_to_set = @resource.value(:permission) - cur_perm + perm_to_unset = cur_perm - @resource.value(:permission) + return false if perm_to_set.empty? && perm_to_unset.empty? + # Take supplied perms literally, unset any existing perms which + # are absent from ACLs given + if check_exact + perm_to_unset.each do |perm| + # Skip base perms in unset step + if perm =~ %r{^(((u(ser)?)|(g(roup)?)|(m(ask)?)|(o(ther)?)):):} + Puppet.debug "skipping unset of base perm: #{perm}" + else + unset_perm(perm, @resource.value(:path)) + end + end + end + perm_to_set.each do |perm| + set_perm(perm, @resource.value(:path)) + end + end + end +end diff --git a/3rdparty/modules/posix_acl/lib/puppet/type/posix_acl.rb b/3rdparty/modules/posix_acl/lib/puppet/type/posix_acl.rb new file mode 100644 index 000000000..1405f268c --- /dev/null +++ b/3rdparty/modules/posix_acl/lib/puppet/type/posix_acl.rb 
@@ -0,0 +1,279 @@ +require 'set' +require 'pathname' + +Puppet::Type.newtype(:posix_acl) do + desc <<-EOT + Ensures that a set of ACL permissions are applied to a given file + or directory. + + Example: + + posix_acl { '/var/www/html': + action => exact, + permission => [ + 'user::rwx', + 'group::r-x', + 'mask::rwx', + 'other::r--', + 'default:user::rwx', + 'default:user:www-data:r-x', + 'default:group::r-x', + 'default:mask::rwx', + 'default:other::r--', + ], + provider => posixacl, + recursive => true, + } + + In this example, Puppet will ensure that the user and group + permissions are set recursively on /var/www/html as well as add + default permissions that will apply to new directories and files + created under /var/www/html + + Setting an ACL can change a file's mode bits, so if the file is + managed by a File resource, that resource needs to set the mode + bits according to what the calculated mode bits will be, for + example, the File resource for the ACL above should be: + + file { '/var/www/html': + mode => 754, + } + EOT + + newparam(:action) do + desc 'What do we do with this list of ACLs? Options are set, unset, exact, and purge' + newvalues(:set, :unset, :exact, :purge) + defaultto :set + end + + newparam(:path) do + desc 'The file or directory to which the ACL applies.' + isnamevar + validate do |value| + path = Pathname.new(value) + unless path.absolute? + raise ArgumentError, "Path must be absolute: #{path}" + end + end + end + + newparam(:recursemode) do + desc "Should Puppet apply the ACL recursively with the -R option or + apply it to individual files? 
+ + lazy means -R option + deep means apply to every file" + + newvalues(:lazy, :deep) + defaultto :lazy + end + + # Credits to @itdoesntwork + # http://stackoverflow.com/questions/26878341/how-do-i-tell-if-one-path-is-an-ancestor-of-another + def self.descendant?(a, b) + a_list = File.expand_path(a).split('/') + b_list = File.expand_path(b).split('/') + + b_list[0..a_list.size - 1] == a_list && b_list != a_list + end + + # Snippet based on upstream Puppet (ASL 2.0) + [:posix_acl, :file].each do |autorequire_type| + autorequire(autorequire_type) do + req = [] + path = Pathname.new(self[:path]) + # rubocop:disable Style/MultilineBlockChain + if autorequire_type != :posix_acl + if self[:recursive] == :true + catalog.resources.select do |r| + r.is_a?(Puppet::Type.type(autorequire_type)) && self.class.descendant?(self[:path], r[:path]) + end.each do |found| + req << found[:path] + end + end + req << self[:path] + end + unless path.root? + # Start at our parent, to avoid autorequiring ourself + parents = path.parent.enum_for(:ascend) + # should this be = or == ? I don't know + if found = parents.find { |p| catalog.resource(autorequire_type, p.to_s) } # rubocop:disable Lint/AssignmentInCondition + req << found.to_s + end + end + req + end + # rubocop:enable Style/MultilineBlockChain + end + # End of Snippet + + autorequire(:package) do + ['acl'] + end + + newproperty(:permission, array_matching: :all) do + desc 'ACL permission(s).' 
+ + def is_to_s(value) # rubocop:disable Style/PredicateName + if value == :absent || value.include?(:absent) + super + else + value.sort.inspect + end + end + + def should_to_s(value) + if value == :absent || value.include?(:absent) + super + else + value.sort.inspect + end + end + + def retrieve + provider.permission + end + + # Remove permission bits from an ACL line, eg: + # 'user:root:rwx' becomes 'user:root:' + def strip_perms(pl) + Puppet.debug 'permission.strip_perms' + value = [] + pl.each do |perm| + unless perm =~ %r{^(((u(ser)?)|(g(roup)?)|(m(ask)?)|(o(ther)?)):):} + perm = perm.split(':', -1)[0..-2].join(':') + value << perm + end + end + value.sort + end + + # in unset_insync and set_insync the test_should has been added as a work around + # to prevent puppet-posix_acl from interpreting recursive permission notation (e.g. rwX) + # from causing a false mismatch. A better solution needs to be implemented to + # recursively check permissions, not rely upon getfacl + def unset_insync(cur_perm) + # Puppet.debug "permission.unset_insync" + test_should = [] + @should.each { |x| test_should << x.downcase } + cp = strip_perms(cur_perm) + sp = strip_perms(test_should) + (sp - cp).sort == sp + end + + def set_insync(cur_perm) # rubocop:disable Style/AccessorMethodName + should = @should.uniq.sort + (cur_perm.sort == should) || (provider.check_set && (should - cur_perm).empty?) + end + + def purge_insync(cur_perm) + # Puppet.debug "permission.purge_insync" + cur_perm.each do |perm| + # If anything other than the mode bits are set, we're not in sync + return false unless perm =~ %r{^(((u(ser)?)|(g(roup)?)|(o(ther)?)):):} + end + true + end + + def insync?(is) + Puppet.debug "permission.insync? 
is: #{is.inspect} @should: #{@should.inspect}" + return purge_insync(is) if provider.check_purge + return unset_insync(is) if provider.check_unset + set_insync(is) + end + + # Munge into normalised form + munge do |acl| + r = '' + a = acl.split ':', -1 # -1 keeps trailing empty fields. + raise ArgumentError, "Too few fields. At least 3 required, got #{a.length}." if a.length < 3 + raise ArgumentError, "Too many fields. At most 4 allowed, got #{a.length}." if a.length > 4 + if a.length == 4 + d = a.shift + raise ArgumentError, %(First field of 4 must be "d" or "default", got "#{d}".) unless %w[d default].include?(d) + r << 'default:' + end + t = a.shift # Copy the type. + r << case t + when 'u', 'user' + 'user:' + when 'g', 'group' + 'group:' + when 'o', 'other' + 'other:' + when 'm', 'mask' + 'mask:' + else + raise ArgumentError, %(Unknown type "#{t}", expected "user", "group", "other" or "mask".) + end + r << "#{a.shift}:" # Copy the "who". + p = a.shift + if p =~ %r{[0-7]} + p = p.oct + r << (p | 4 ? 'r' : '-') + r << (p | 2 ? 'w' : '-') + r << (p | 1 ? 'x' : '-') + else + # Not the most efficient but checks for multiple and invalid chars. + s = p.tr '-', '' + r << (s.sub!('r', '') ? 'r' : '-') + r << (s.sub!('w', '') ? 'w' : '-') + r << (s.sub!('x', '') ? 'x' : '-') + raise ArgumentError, %(Invalid permission set "#{p}".) unless s.empty? + end + r + end + end + + newparam(:recursive) do + desc 'Apply ACLs recursively.' + newvalues(:true, :false) + defaultto :false + end + + def self.pick_default_perms(acl) + acl.reject { |a| a.split(':', -1).length == 4 } + end + + def newchild(path) + options = @original_parameters.merge(name: path).reject { |_param, value| value.nil? 
} + unless File.directory?(options[:name]) + options[:permission] = self.class.pick_default_perms(options[:permission]) if options.include?(:permission) + end + [:recursive, :recursemode, :path].each do |param| + options.delete(param) if options.include?(param) + end + self.class.new(options) + end + + def generate + return [] unless self[:recursive] == :true && self[:recursemode] == :deep + results = [] + paths = Set.new + if File.directory?(self[:path]) + Dir.chdir(self[:path]) do + Dir['**/*'].each do |path| + paths << ::File.join(self[:path], path) + end + end + end + # At the time we generate extra resources, all the files might now be present yet. + # In prediction to that we also create ACL resources for child file resources that + # might not have been applied yet. + catalog.resources.select do |r| + r.is_a?(Puppet::Type.type(:file)) && self.class.descendant?(self[:path], r[:path]) + end.each do |found| # rubocop:disable Style/MultilineBlockChain + paths << found[:path] + end + paths.each do |path| + results << newchild(path) + end + results + end + + validate do + unless self[:permission] + raise(Puppet::Error, 'permission is a required property.') + end + end +end diff --git a/3rdparty/modules/posix_acl/manifests/requirements.pp b/3rdparty/modules/posix_acl/manifests/requirements.pp new file mode 100644 index 000000000..b4ad25e97 --- /dev/null +++ b/3rdparty/modules/posix_acl/manifests/requirements.pp @@ -0,0 +1,5 @@ +class posix_acl::requirements { + package { 'acl': + ensure => 'present', + } +} diff --git a/3rdparty/modules/posix_acl/metadata.json b/3rdparty/modules/posix_acl/metadata.json new file mode 100644 index 000000000..6998bdeba --- /dev/null +++ b/3rdparty/modules/posix_acl/metadata.json 
@@ -0,0 +1,47 @@ +{ + "name": "puppet-posix_acl", + "version": "0.1.1", + "author": "Vox Pupuli", + "summary": "Puppet ACL Module", + "license": "Apache-2.0", + "source": "https://github.com/voxpupuli/puppet-posix_acl.git", + "project_page": "https://github.com/voxpupuli/puppet-posix_acl", + "issues_url": "https://github.com/voxpupuli/puppet-posix_acl/issues", + "dependencies": [ + + ], + "data_provider": null, + "operatingsystem_support": [ + { + "operatingsystem": "RedHat", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "CentOS", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "OracleLinux", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "Scientific", + "operatingsystemrelease": [ + "7" + ] + } + ], + "requirements": [ + { + "name": "puppet", + "version_requirement": ">= 4.10.0 < 7.0.0" + } + ], + "description": "Manages posix 1e ACLs on files, provides base classes so additional ACL standards can be supported." +} diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/archlinux-2-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/archlinux-2-x64.yml new file mode 100644 index 000000000..89b63003f --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/archlinux-2-x64.yml @@ -0,0 +1,13 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + archlinux-2-x64: + roles: + - master + platform: archlinux-2-x64 + box: archlinux/archlinux + hypervisor: vagrant +CONFIG: + type: foss diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-511-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-511-x64.yml new file mode 100644 index 000000000..089d646a5 --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-511-x64.yml 
@@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-511-x64: + roles: + - master + platform: el-5-x86_64 + box: puppetlabs/centos-5.11-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-59-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-59-x64.yml new file mode 100644 index 000000000..2ad90b86a --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-59-x64.yml @@ -0,0 +1,10 @@ +HOSTS: + centos-59-x64: + roles: + - master + platform: el-5-x86_64 + box : centos-59-x64-vbox4210-nocm + box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-59-x64-vbox4210-nocm.box + hypervisor : vagrant +CONFIG: + type: git diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-6-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-6-x64.yml new file mode 100644 index 000000000..16abc8f1c --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-6-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-6-x64: + roles: + - master + platform: el-6-x86_64 + box: centos/6 + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-64-x64-pe.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-64-x64-pe.yml new file mode 100644 index 000000000..7d9242f1b --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-64-x64-pe.yml 
@@ -0,0 +1,12 @@ +HOSTS: + centos-64-x64: + roles: + - master + - database + - dashboard + platform: el-6-x86_64 + box : centos-64-x64-vbox4210-nocm + box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-64-x64-vbox4210-nocm.box + hypervisor : vagrant +CONFIG: + type: pe diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-65-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-65-x64.yml new file mode 100644 index 000000000..4e2cb809e --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-65-x64.yml @@ -0,0 +1,10 @@ +HOSTS: + centos-65-x64: + roles: + - master + platform: el-6-x86_64 + box : centos-65-x64-vbox436-nocm + box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-65-x64-virtualbox-nocm.box + hypervisor : vagrant +CONFIG: + type: foss diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-66-x64-pe.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-66-x64-pe.yml new file mode 100644 index 000000000..1e7aea6d4 --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-66-x64-pe.yml @@ -0,0 +1,17 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-66-x64: + roles: + - master + - database + - dashboard + platform: el-6-x86_64 + box: puppetlabs/centos-6.6-64-puppet-enterprise + hypervisor: vagrant +CONFIG: + type: pe +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-7-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-7-x64.yml new file mode 100644 index 000000000..e05a3ae16 --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/centos-7-x64.yml 
@@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-7-x64: + roles: + - master + platform: el-7-x86_64 + box: centos/7 + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/debian-78-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/debian-78-x64.yml new file mode 100644 index 000000000..6ef6de8c8 --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/debian-78-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + debian-78-x64: + roles: + - master + platform: debian-7-amd64 + box: puppetlabs/debian-7.8-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/debian-82-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/debian-82-x64.yml new file mode 100644 index 000000000..9897a8fc7 --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/debian-82-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + debian-82-x64: + roles: + - master + platform: debian-8-amd64 + box: puppetlabs/debian-8.2-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml new file mode 100644 index 000000000..19dd43ed7 --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml 
@@ -0,0 +1,31 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# Additional ~/.fog config file with AWS EC2 credentials +# required. +# +# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +# Amazon Linux is not a RHEL clone. +# +HOSTS: + amazonlinux-2016091-x64: + roles: + - master + platform: centos-6-x86_64 + hypervisor: ec2 + # refers to image_tempaltes.yaml AMI[vmname] entry: + vmname: amazonlinux-2016091-eu-central-1 + # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]: + snapshot: aio + # t2.micro is free tier eligible (https://aws.amazon.com/en/free/): + amisize: t2.micro + # required so that beaker sanitizes sshd_config and root authorized_keys: + user: ec2-user +CONFIG: + type: aio + :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/image_templates.yaml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/image_templates.yaml new file mode 100644 index 000000000..e50593ee0 --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/image_templates.yaml 
@@ -0,0 +1,34 @@ +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# see also: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +# Hint: image IDs (ami-*) for the same image are different per location. +# +AMI: + # Amazon Linux AMI 2016.09.1 (HVM), SSD Volume Type + amazonlinux-2016091-eu-central-1: + :image: + :aio: ami-af0fc0c0 + :region: eu-central-1 + # Red Hat Enterprise Linux 7.3 (HVM), SSD Volume Type + rhel-73-eu-central-1: + :image: + :aio: ami-e4c63e8b + :region: eu-central-1 + # SUSE Linux Enterprise Server 12 SP2 (HVM), SSD Volume Type + sles-12sp2-eu-central-1: + :image: + :aio: ami-c425e4ab + :region: eu-central-1 + # Ubuntu Server 16.04 LTS (HVM), SSD Volume Type + ubuntu-1604-eu-central-1: + :image: + :aio: ami-fe408091 + :region: eu-central-1 + # Microsoft Windows Server 2016 Base + windows-2016-base-eu-central-1: + :image: + :aio: ami-88ec20e7 + :region: eu-central-1 diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/rhel-73-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/rhel-73-x64.yml new file mode 100644 index 000000000..7fac8236a --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/rhel-73-x64.yml 
@@ -0,0 +1,29 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# Additional ~/.fog config file with AWS EC2 credentials +# required. +# +# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +HOSTS: + rhel-73-x64: + roles: + - master + platform: el-7-x86_64 + hypervisor: ec2 + # refers to image_tempaltes.yaml AMI[vmname] entry: + vmname: rhel-73-eu-central-1 + # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]: + snapshot: aio + # t2.micro is free tier eligible (https://aws.amazon.com/en/free/): + amisize: t2.micro + # required so that beaker sanitizes sshd_config and root authorized_keys: + user: ec2-user +CONFIG: + type: aio + :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml new file mode 100644 index 000000000..8542154df --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml 
@@ -0,0 +1,29 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# Additional ~/.fog config file with AWS EC2 credentials +# required. +# +# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +HOSTS: + sles-12sp2-x64: + roles: + - master + platform: sles-12-x86_64 + hypervisor: ec2 + # refers to image_tempaltes.yaml AMI[vmname] entry: + vmname: sles-12sp2-eu-central-1 + # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]: + snapshot: aio + # t2.micro is free tier eligible (https://aws.amazon.com/en/free/): + amisize: t2.micro + # required so that beaker sanitizes sshd_config and root authorized_keys: + user: ec2-user +CONFIG: + type: aio + :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml new file mode 100644 index 000000000..9cf59d59e --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml 
@@ -0,0 +1,29 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# Additional ~/.fog config file with AWS EC2 credentials +# required. +# +# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +HOSTS: + ubuntu-1604-x64: + roles: + - master + platform: ubuntu-16.04-amd64 + hypervisor: ec2 + # refers to image_tempaltes.yaml AMI[vmname] entry: + vmname: ubuntu-1604-eu-central-1 + # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]: + snapshot: aio + # t2.micro is free tier eligible (https://aws.amazon.com/en/free/): + amisize: t2.micro + # required so that beaker sanitizes sshd_config and root authorized_keys: + user: ubuntu +CONFIG: + type: aio + :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml new file mode 100644 index 000000000..0932e29c8 --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml 
@@ -0,0 +1,29 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# Additional ~/.fog config file with AWS EC2 credentials +# required. +# +# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +HOSTS: + windows-2016-base-x64: + roles: + - master + platform: windows-2016-64 + hypervisor: ec2 + # refers to image_tempaltes.yaml AMI[vmname] entry: + vmname: windows-2016-base-eu-central-1 + # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]: + snapshot: aio + # t2.micro is free tier eligible (https://aws.amazon.com/en/free/): + amisize: t2.micro + # required so that beaker sanitizes sshd_config and root authorized_keys: + user: ec2-user +CONFIG: + type: aio + :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-25-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-25-x64.yml new file mode 100644 index 000000000..54dd33054 --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-25-x64.yml @@ -0,0 +1,16 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +HOSTS: + fedora-25-x64: + roles: + - master + platform: fedora-25-x86_64 + box: fedora/25-cloud-base + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-26-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-26-x64.yml new file mode 100644 index 000000000..598822b0e --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-26-x64.yml 
@@ -0,0 +1,16 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +HOSTS: + fedora-26-x64: + roles: + - master + platform: fedora-26-x86_64 + box: fedora/26-cloud-base + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-27-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-27-x64.yml new file mode 100644 index 000000000..c2b61ebbf --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/fedora-27-x64.yml @@ -0,0 +1,18 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# platform is fedora 26 because there is no puppet-agent +# for fedora 27 as of 2017-11-17 +HOSTS: + fedora-27-x64: + roles: + - master + platform: fedora-26-x86_64 + box: fedora/27-cloud-base + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml new file mode 100644 index 000000000..5ca1514e4 --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml @@ -0,0 +1,10 @@ +HOSTS: + ubuntu-server-10044-x64: + roles: + - master + platform: ubuntu-10.04-amd64 + box : ubuntu-server-10044-x64-vbox4210-nocm + box_url : http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-10044-x64-vbox4210-nocm.box + hypervisor : vagrant +CONFIG: + type: foss diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1204-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1204-x64.yml new file mode 100644 index 000000000..29102c565 --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1204-x64.yml 
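Review bot: ubuntu-server-10044-x64.yml and ubuntu-server-12042-x64.yml fetch their boxes from `box_url : http://puppet-vagrant-boxes.puppetlabs.com/...` over plain HTTP, so anyone between the test runner and that host can substitute the image that the acceptance run then provisions as root; switch to `https://` at minimum. These two are also the only nodesets here without the modulesync header and they target Ubuntu 10.04/12.04, both long past end of life, so dropping them is the simpler fix. More generally, nothing under `spec/acceptance/nodesets/` is needed for dsa-puppet to apply the module; consider excluding `spec/` when vendoring under `3rdparty/modules/`.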
@@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + ubuntu-server-1204-x64: + roles: + - master + platform: ubuntu-12.04-amd64 + box: puppetlabs/ubuntu-12.04-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml new file mode 100644 index 000000000..d065b304f --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml @@ -0,0 +1,10 @@ +HOSTS: + ubuntu-server-12042-x64: + roles: + - master + platform: ubuntu-12.04-amd64 + box : ubuntu-server-12042-x64-vbox4210-nocm + box_url : http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-12042-x64-vbox4210-nocm.box + hypervisor : vagrant +CONFIG: + type: foss diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml new file mode 100644 index 000000000..054e65880 --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + ubuntu-server-1404-x64: + roles: + - master + platform: ubuntu-14.04-amd64 + box: puppetlabs/ubuntu-14.04-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1604-x64.yml b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1604-x64.yml new file mode 100644 index 000000000..bc85e0e84 --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/acceptance/nodesets/ubuntu-server-1604-x64.yml 
@@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + ubuntu-server-1604-x64: + roles: + - master + platform: ubuntu-16.04-amd64 + box: puppetlabs/ubuntu-16.04-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/3rdparty/modules/posix_acl/spec/default_facts.yml b/3rdparty/modules/posix_acl/spec/default_facts.yml new file mode 100644 index 000000000..2f6698d5b --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/default_facts.yml @@ -0,0 +1,13 @@ +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# use default_module_facts.yaml for module specific +# facts. +# +# Hint if using with rspec-puppet-facts ("on_supported_os.each"): +# if a same named fact exists in facterdb it will be overridden. +--- +ipaddress: "172.16.254.254" +is_pe: false +macaddress: "AA:AA:AA:AA:AA:AA" diff --git a/3rdparty/modules/posix_acl/spec/spec.opts b/3rdparty/modules/posix_acl/spec/spec.opts new file mode 100644 index 000000000..91cd6427e --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/spec.opts @@ -0,0 +1,6 @@ +--format +s +--colour +--loadby +mtime +--backtrace diff --git a/3rdparty/modules/posix_acl/spec/spec_helper.rb b/3rdparty/modules/posix_acl/spec/spec_helper.rb new file mode 100644 index 000000000..88bca595c --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/spec_helper.rb 
@@ -0,0 +1,34 @@ +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +require 'puppetlabs_spec_helper/module_spec_helper' +require 'rspec-puppet-facts' +include RspecPuppetFacts + +if Dir.exist?(File.expand_path('../../lib', __FILE__)) + require 'coveralls' + require 'simplecov' + require 'simplecov-console' + SimpleCov.formatters = [ + SimpleCov::Formatter::HTMLFormatter, + SimpleCov::Formatter::Console + ] + SimpleCov.start do + track_files 'lib/**/*.rb' + add_filter '/spec' + add_filter '/vendor' + add_filter '/.vendor' + end +end + +RSpec.configure do |c| + default_facts = {} + default_facts.merge!(YAML.load(File.read(File.expand_path('../default_facts.yml', __FILE__)))) if File.exist?(File.expand_path('../default_facts.yml', __FILE__)) + default_facts.merge!(YAML.load(File.read(File.expand_path('../default_module_facts.yml', __FILE__)))) if File.exist?(File.expand_path('../default_module_facts.yml', __FILE__)) + c.default_facts = default_facts + + # Coverage generation + c.after(:suite) do + RSpec::Puppet::Coverage.report! + end +end diff --git a/3rdparty/modules/posix_acl/spec/unit/puppet/provider/posixacl_spec.rb b/3rdparty/modules/posix_acl/spec/unit/puppet/provider/posixacl_spec.rb new file mode 100644 index 000000000..b05712697 --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/unit/puppet/provider/posixacl_spec.rb 
@@ -0,0 +1,26 @@ +require 'spec_helper' +require 'rspec/mocks' + +provider_class = Puppet::Type.type(:posix_acl).provider(:posixacl) + +describe provider_class do + it 'declares a getfacl command' do + expect do + provider_class.command :getfacl + end.not_to raise_error + end + it 'declares a setfacl command' do + expect do + provider_class.command :setfacl + end.not_to raise_error + end + it 'encodes spaces in group names' do + RSpec::Mocks.with_temporary_scope do + Puppet::Type.stubs(:getfacl).returns("group:test group:rwx\n") + File.stubs(:exist?).returns(true) + expect do + provider_class.command :permission + end == ['group:test\040group:rwx'] + end + end +end diff --git a/3rdparty/modules/posix_acl/spec/unit/puppet/type/acl_spec.rb b/3rdparty/modules/posix_acl/spec/unit/puppet/type/acl_spec.rb new file mode 100644 index 000000000..aa62a427b --- /dev/null +++ b/3rdparty/modules/posix_acl/spec/unit/puppet/type/acl_spec.rb 
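Review bot: the `'encodes spaces in group names'` example never asserts anything: `expect do ... end == ['group:test\040group:rwx']` compares the block-expectation object with an array via `==` and throws the result away, so it passes whatever the provider does. The setup is also wrong in two ways: `Puppet::Type.stubs(:getfacl)` stubs `Puppet::Type` rather than the provider (and uses Mocha's `stubs` inside an `RSpec::Mocks.with_temporary_scope` block), and `provider_class.command :permission` declares a command instead of reading the ACL. Rewrite it to build a provider instance with `getfacl` stubbed to return `"group:test group:rwx\n"` and assert with `expect(...).to eq(['group:test\040group:rwx'])` on the provider's getter for the `permission` property; `require 'rspec/mocks'` can then go.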
@@ -0,0 +1,156 @@ +require 'spec_helper' + +# rubocop:disable RSpec/MultipleExpectations +acl_type = Puppet::Type.type(:posix_acl) + +describe acl_type do + context 'when not setting parameters' do + it 'fails without permissions' do + expect do + acl_type.new name: '/tmp/foo' + end.to raise_error + end + end + context 'when setting parameters' do + it 'works with a correct permission parameter' do + resource = acl_type.new name: '/tmp/foo', permission: ['user:root:rwx'] + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:permission]).to eq(['user:root:rwx']) + end + it 'converts a permission string to an array' do + resource = acl_type.new name: '/tmp/foo', permission: 'user:root:rwx' + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:permission]).to eq(['user:root:rwx']) + end + it 'converts the u: shorcut to user:' do + resource = acl_type.new name: '/tmp/foo', permission: ['u:root:rwx'] + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:permission]).to eq(['user:root:rwx']) + end + it 'converts the g: shorcut to group:' do + resource = acl_type.new name: '/tmp/foo', permission: ['g:root:rwx'] + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:permission]).to eq(['group:root:rwx']) + end + it 'converts the m: shorcut to mask:' do + resource = acl_type.new name: '/tmp/foo', permission: ['m::rwx'] + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:permission]).to eq(['mask::rwx']) + end + it 'converts the o: shorcut to other:' do + resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'] + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:permission]).to eq(['other::rwx']) + end + it 'has the "set" action by default' do + resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'] + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:action]).to eq(:set) + end + it 'accepts an action "set"' do + resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], action: :set 
+ expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:action]).to eq(:set) + end + it 'accepts an action "purge"' do + resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], action: :purge + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:action]).to eq(:purge) + end + it 'accepts an action "unset"' do + resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], action: :unset + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:action]).to eq(:unset) + end + it 'accepts an action "exact"' do + resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], action: :exact + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:action]).to eq(:exact) + end + it 'has path as namevar' do + resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'] + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:path]).to eq(resource[:name]) + end + it 'accepts a path parameter' do + resource = acl_type.new path: '/tmp/foo', permission: ['o::rwx'], action: :exact + expect(resource[:path]).to eq('/tmp/foo') + expect(resource[:name]).to eq(resource[:path]) + end + it 'is not recursive by default' do + resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'] + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:recursive]).to eq(:false) + end + it 'accepts a recursive "true"' do + resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], recursive: true + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:recursive]).to eq(:true) + end + it 'accepts a recurse "false"' do + resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], recursive: false + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:recursive]).to eq(:false) + end + it 'gets recursemode lazy by default' do + resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'] + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:recursemode]).to eq(:lazy) + end + it 'accepts a 
recursemode deep' do + resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], recursemode: 'deep' + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:recursemode]).to eq(:deep) + end + it 'accepts a recursemode lazy' do + resource = acl_type.new name: '/tmp/foo', permission: ['o::rwx'], recursemode: :lazy + expect(resource[:name]).to eq('/tmp/foo') + expect(resource[:recursemode]).to eq(:lazy) + end + it 'fails with a wrong action' do + expect do + acl_type.new name: '/tmp/foo', permission: ['o::rwx'], action: :xset + end.to raise_error + end + it 'fails with a wrong recurselimit' do + expect do + acl_type.new name: '/tmp/foo', permission: ['o::rwx'], recurselimit: :a + end.to raise_error + end + it 'fails with a wrong first argument' do + expect do + acl_type.new name: '/tmp/foo', permission: ['wrong::rwx'] + end.to raise_error + end + it 'fails with a wrong last argument' do + expect do + acl_type.new name: '/tmp/foo', permission: ['user::-_-'] + end.to raise_error + end + end + + context 'when removing default parameters' do + basic_perms = ['user:foo:rwx', 'group:foo:rwx'] + advanced_perms = ['user:foo:rwx', 'group:foo:rwx', 'default:user:foo:---'] + advanced_perms_results = ['user:foo:rwx', 'group:foo:rwx'] + mysql_perms = [ + 'user:mysql:rwx', + 'd:user:mysql:rw', + 'mask::rwx' + ] + mysql_perms_results = [ + 'user:mysql:rwx', + 'mask::rwx' + ] + it 'does not do anything with no defaults' do + expect(acl_type.pick_default_perms(basic_perms)).to match_array(basic_perms) + end + it 'removes defaults' do + expect(acl_type.pick_default_perms(advanced_perms)).to match_array(advanced_perms_results) + end + it 'removes defaults with d:' do + expect(acl_type.pick_default_perms(mysql_perms)).to match_array(mysql_perms_results) + end + end +end +# rubocop:enable RSpec/MultipleExpectations diff --git a/3rdparty/modules/prosody/.fixtures.yml b/3rdparty/modules/prosody/.fixtures.yml new file mode 100644 index 000000000..3fb1341ee --- /dev/null 
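Review bot: every negative example in acl_spec.rb uses a bare `raise_error` (`'fails without permissions'`, `'fails with a wrong action'`, `'fails with a wrong recurselimit'` and the two wrong-argument cases), which matches any exception, including a `NoMethodError` from a typo in the test itself; pass the expected class, e.g. `.to raise_error(Puppet::Error)`, so the example only passes when validation rejects the value. Also `shorcut` should read `shortcut` in the four conversion example names.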
+++ b/3rdparty/modules/prosody/.fixtures.yml @@ -0,0 +1,6 @@ +--- +fixtures: + repositories: + stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib.git" + symlinks: + prosody: "#{source_dir}" diff --git a/3rdparty/modules/prosody/.gitignore b/3rdparty/modules/prosody/.gitignore new file mode 100644 index 000000000..e8b4e12f3 --- /dev/null +++ b/3rdparty/modules/prosody/.gitignore @@ -0,0 +1,8 @@ +.idea +.rvmrc +.bundle +Gemfile.lock +pkg +vendor +coverage/* +spec/fixtures/* diff --git a/3rdparty/modules/prosody/.pmtignore b/3rdparty/modules/prosody/.pmtignore new file mode 100644 index 000000000..48b8bf907 --- /dev/null +++ b/3rdparty/modules/prosody/.pmtignore @@ -0,0 +1 @@ +vendor/ diff --git a/3rdparty/modules/prosody/.rubocop.yml b/3rdparty/modules/prosody/.rubocop.yml new file mode 100644 index 000000000..b35f11b9a --- /dev/null +++ b/3rdparty/modules/prosody/.rubocop.yml @@ -0,0 +1,7 @@ +--- +AllCops: + Exclude: + - 'spec/fixtures/**/*' +Metrics/BlockLength: {Enabled: false} +Metrics/LineLength: {Enabled: true, Max: 180} +Style/FormatStringToken: {Enabled: false} diff --git a/3rdparty/modules/prosody/.travis.yml b/3rdparty/modules/prosody/.travis.yml new file mode 100644 index 000000000..8edb593ec --- /dev/null +++ b/3rdparty/modules/prosody/.travis.yml @@ -0,0 +1,9 @@ +--- +language: ruby +script: "bundle exec rake validate lint spec" +matrix: + include: + - env: PUPPET_VERSION=5.5.10 + rvm: 2.4.1 + - env: PUPPET_VERSION=6.2.0 + rvm: 2.5.1 diff --git a/3rdparty/modules/prosody/Gemfile b/3rdparty/modules/prosody/Gemfile new file mode 100644 index 000000000..3cf2218b9 --- /dev/null +++ b/3rdparty/modules/prosody/Gemfile 
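Review bot: `.fixtures.yml` pulls stdlib via `git://github.com/puppetlabs/puppetlabs-stdlib.git`, an unauthenticated, unencrypted transport, with no `ref`, so each spec run takes whatever the default branch is from whoever answers; use `https://` and pin a `ref`. It also omits `puppetlabs/vcsrepo`, which `metadata.json` in this same merge declares as a dependency and which `prosody::community_modules` instantiates a `vcsrepo` resource from, so any spec that sets `community_modules` would fail to compile for lack of the type.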
@@ -0,0 +1,34 @@ +source ENV['GEM_SOURCE'] || 'https://rubygems.org' + +group :development, :test do + gem 'metadata-json-lint' + gem 'puppet-blacksmith', '>= 3.1.0' + gem 'puppet-lint', '>= 2' + gem 'puppet-lint-absolute_classname-check' + gem 'puppet-lint-empty_string-check' + gem 'puppet-lint-file_ensure-check' + gem 'puppet-lint-leading_zero-check' + gem 'puppet-lint-spaceship_operator_without_tag-check' + gem 'puppet-lint-trailing_comma-check' + gem 'puppet-lint-undef_in_function-check' + gem 'puppet-lint-unquoted_string-check' + gem 'puppet-lint-variable_contains_upcase' + gem 'puppetlabs_spec_helper' + gem 'rake' + gem 'rspec' + gem 'rspec-puppet' + gem 'semantic_puppet' + gem 'simplecov' +end + +if ENV['FACTER_VERSION'] + gem 'facter', ENV['FACTER_VERSION'] +else + gem 'facter' # rubocop:disable Bundler/DuplicatedGem +end + +if ENV['PUPPET_VERSION'] + gem 'puppet', ENV['PUPPET_VERSION'] +else + gem 'puppet' # rubocop:disable Bundler/DuplicatedGem +end diff --git a/3rdparty/modules/prosody/README.md b/3rdparty/modules/prosody/README.md new file mode 100644 index 000000000..0439c1dc6 --- /dev/null +++ b/3rdparty/modules/prosody/README.md 
@@ -0,0 +1,51 @@ +![Prosody](http://prosody.im/prosody.png) + +[![Build Status](https://travis-ci.org/mayflower/puppet-prosody.svg?branch=master)](https://travis-ci.org/mayflower/puppet-prosody) + +Puppet module for the [Prosody](http://prosody.im/) Jabber/XMPP server. + +This module is a fork of rtyler/puppet-prosody because the upstream is dead. A +bunch of features were added and bugs were fixed. + +If you want to use Prosody in a production environment, this is the Puppet +module to use. + +## Using + +**Note:** This module has currently been tested on CentOS 7, Ubuntu and OpenBSD. + +```puppet +node myserver { + + class { 'prosody': + user => 'prosody', + group => 'prosody', + community_modules => ['mod_auth_ldap'], + authentication => 'ldap', + custom_options => { + 'ldap_base' => 'OU="accounts",DC="mydomain",DC="com"', + 'ldap_server' => 'ldapserver1:636 ldapserver2:636', + 'ldap_rootdn' => 'DN="prosody",OU="accounts",DC="mydomain",DC="com"', + 'ldap_password' => hiera(prosody-ldap-password), + 'ldap_scope' => 'subtree', + 'ldap_tls' => 'true', + }, + } + + prosody::virtualhost { + 'mydomain.com' : + ensure => present, + ssl_key => '/etc/ssl/key/mydomain.com.key', + ssl_cert => '/etc/ssl/crt/mydomain.com.crt', + } + + prosody::user { 'foo': + host => 'mydomain.com', + pass => 'itsasecret', + } +} +``` + +## Support + +Please file bugs and enhancement requests in the [GitHub issue tracker](https://github.com/mayflower/puppet-prosody/issues) diff --git a/3rdparty/modules/prosody/Rakefile b/3rdparty/modules/prosody/Rakefile new file mode 100644 index 000000000..cfc950569 --- /dev/null +++ b/3rdparty/modules/prosody/Rakefile 
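Review bot: the README example does not work as written. `hiera(prosody-ldap-password)` passes an unquoted bareword, which the parser reads as `prosody - ldap - password` rather than a key; quote it (`hiera('prosody-ldap-password')`, or `lookup(...)`). `'ldap_tls' => 'true'` is a string, and `custom_options` strings are rendered as quoted Lua strings (the class spec later in this merge expects `foo = "bar"` for `'foo' => 'bar'`), so the generated config contains `ldap_tls = "true"` instead of the boolean `true`; pass `true` unquoted. The `prosody::user` example embeds `pass => 'itsasecret'` in the manifest; point readers at Hiera/eyaml for that value too.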
@@ -0,0 +1,31 @@ +require 'puppetlabs_spec_helper/rake_tasks' +require 'puppet-lint/tasks/puppet-lint' + +PuppetLint.configuration.ignore_paths = ['spec/**/*.pp', 'tests/**/*.pp', 'pkg/**/*.pp', 'vendor/**/*.pp'] +PuppetLint.configuration.log_format = '%{path}:%{line}:%{KIND}: %{message}' + +desc 'Validate manifests, templates, and ruby files' +task :validate do + Dir['manifests/**/*.pp'].each do |manifest| + sh "puppet parser validate --noop #{manifest}" + end + Dir['spec/**/*.rb', 'lib/**/*.rb'].each do |ruby_file| + sh "ruby -c #{ruby_file}" unless ruby_file =~ %r{/spec\/fixtures/} + end + Dir['templates/**/*.erb'].each do |template| + sh "erb -P -x -T '-' #{template} | ruby -c" + end +end + +# blacksmith is broken with ruby 1.8.7 +if Gem::Version.new(RUBY_VERSION) > Gem::Version.new('1.8.7') + # blacksmith isn't always present, e.g. on Travis with --without development + begin + require 'puppet_blacksmith/rake_tasks' + Blacksmith::RakeTask.new do |t| + t.tag_pattern = '%s' + end + rescue LoadError => e + warn(e) + end +end diff --git a/3rdparty/modules/prosody/data/common.yaml b/3rdparty/modules/prosody/data/common.yaml new file mode 100644 index 000000000..706e50f10 --- /dev/null +++ b/3rdparty/modules/prosody/data/common.yaml 
@@ -0,0 +1,65 @@ +--- +prosody::admins: [] +prosody::allow_registration: false +prosody::authentication: internal_plain +prosody::c2s_require_encryption: true +prosody::community_modules: [] +prosody::components: {} +prosody::custom_options: {} +prosody::daemonize: true +prosody::error_log: /var/log/prosody/prosody.err +prosody::group: prosody +prosody::info_log: /var/log/prosody/prosody.log +prosody::interfaces: + - '0.0.0.0' + - '::' +prosody::log_level: info +prosody::log_sinks: + - syslog +prosody::log_advanced: {} +prosody::modules: [] +prosody::modules_base: + - admin_adhoc + - dialback + - disco + - pep + - ping + - posix + - private + - roster + - saslauth + - time + - tls + - uptime + - vcard + - version +prosody::modules_disabled: [] +prosody::package_ensure: present +prosody::package_name: prosody +prosody::pidfile: /var/run/prosody/prosody.pid +prosody::s2s_insecure_domains: [] +prosody::s2s_require_encryption: true +prosody::s2s_secure_auth: true +prosody::s2s_secure_domains: [] +prosody::ssl_ciphers: 'DH+AES:ECDH+AES:+ECDH+SHA:AES:!PSK:!SRP:!DSS:!ADH:!AECDH' +prosody::ssl_curve: secp521r1 +prosody::ssl_custom_config: true +prosody::ssl_dhparam: '' +prosody::ssl_options: + - cipher_server_preference + - no_compression + - no_sslv2 + - no_sslv3 + - no_ticket + - single_dh_use + - single_ecdh_use +prosody::storage: internal +prosody::use_libevent: true +prosody::user: prosody +prosody::virtualhost_defaults: {} +prosody::virtualhosts: {} + +prosody::community_modules::ensure: present +prosody::community_modules::path: /var/lib/prosody/modules +prosody::community_modules::source: https://hg.prosody.im/prosody-modules/ +prosody::community_modules::type: hg diff --git a/3rdparty/modules/prosody/hiera.yaml b/3rdparty/modules/prosody/hiera.yaml new file mode 100644 index 000000000..e7d124623 --- /dev/null +++ b/3rdparty/modules/prosody/hiera.yaml @@ -0,0 +1,5 @@ +--- +version: 5 +hierarchy: + - name: common + path: common.yaml 
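Review bot: the TLS defaults in common.yaml are weaker than the rest of the file suggests. `ssl_options` only disables SSLv2/SSLv3, leaving TLS 1.0 and 1.1 on while `ssl_protocol` defaults to undef; `ssl_ciphers` ends with a bare `AES`, which re-admits RSA key exchange (no forward secrecy) and CBC/SHA-1 suites behind the `DH+AES:ECDH+AES` prefix; and `ssl_dhparam` is the empty string, so the `DH+AES` suites that `single_dh_use` is set for run on whatever group the library picks. Suggest adding `no_tlsv1` and `no_tlsv1_1` to `ssl_options` (where the LuaSec build exposes them), a cipher string of the form `ECDHE+AESGCM:DHE+AESGCM:!aNULL` (or the project's own baseline), and a real `ssl_dhparam` path whenever DH suites stay enabled. `interfaces: ['0.0.0.0', '::']` binds every address, which is acceptable as a default but deserves a comment telling deployments to narrow it.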
diff --git a/3rdparty/modules/prosody/manifests/community_modules.pp b/3rdparty/modules/prosody/manifests/community_modules.pp new file mode 100644 index 000000000..c0bc9779d --- /dev/null +++ b/3rdparty/modules/prosody/manifests/community_modules.pp @@ -0,0 +1,21 @@ +# == Class: prosody::community_modules +class prosody::community_modules( + Enum[present, latest] $ensure, + Stdlib::Absolutepath $path, + String $source, + Prosody::Moduletype $type, + Optional[String] $revision = undef, +) { + case $type { + 'hg': { $_packages = ['mercurial'] } + 'git': { $_packages = ['git'] } + default: { $_packages = [] } + } + ensure_packages($_packages) + -> vcsrepo { $path: + ensure => $ensure, + provider => $type, + source => $source, + revision => $revision, + } +} diff --git a/3rdparty/modules/prosody/manifests/config.pp b/3rdparty/modules/prosody/manifests/config.pp new file mode 100644 index 000000000..ef182a080 --- /dev/null +++ b/3rdparty/modules/prosody/manifests/config.pp @@ -0,0 +1,16 @@ +# == Class: prosody::config +class prosody::config { + file { '/etc/prosody/conf.avail': + ensure => directory, + } + + file { '/etc/prosody/conf.d': + ensure => directory, + } + + file { '/etc/prosody/prosody.cfg.lua': + content => template('prosody/prosody.cfg.erb'), + require => Class['::prosody::package'], + notify => Class['::prosody::service'], + } +} diff --git a/3rdparty/modules/prosody/manifests/init.pp b/3rdparty/modules/prosody/manifests/init.pp new file mode 100644 index 000000000..7591e966c --- /dev/null +++ b/3rdparty/modules/prosody/manifests/init.pp 
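Review bot: `prosody::community_modules` checks out `https://hg.prosody.im/prosody-modules/` with `$revision = undef` (`Optional[String]`) and `ensure => present`, so the first run takes whatever the repository tip is and hosts provisioned on different days get different code; since these modules are loaded into the XMPP daemon this is an unpinned code dependency. Make `$revision` mandatory (or `fail` when it is undef and `$ensure` is `latest`) and default the data entry to a known changeset; with `ensure: latest` plus no revision, every agent run can pull new upstream code straight into production.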
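Review bot: in config.pp, `/etc/prosody/prosody.cfg.lua` is written with no `owner`, `group` or `mode`, so it is created 0644 or left as the package shipped it. That file carries `custom_options` (the README puts `ldap_password` there), the `$sql` credentials hash and the admins list, so set `owner => 'root', group => $::prosody::group, mode => '0640'` explicitly, and give `/etc/prosody/conf.avail` and `conf.d` an explicit mode as well. The same applies to the per-virtualhost `conf.avail/${name}.cfg.lua` written by `prosody::virtualhost`.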
@@ -0,0 +1,58 @@ +# == Class: prosody +class prosody( + Array[String] $admins, + Boolean $allow_registration, + Prosody::Authentication $authentication, + Boolean $c2s_require_encryption, + Array[String] $community_modules, + Hash $components, + Hash $custom_options, + Boolean $daemonize, + Stdlib::Absolutepath $error_log, + String $group, + Stdlib::Absolutepath $info_log, + Array[Stdlib::IP::Address] $interfaces, + Prosody::Loglevel $log_level, + Array[String] $log_sinks, + Hash[Optional[Prosody::Loglevel], Data] $log_advanced, + Array[String] $modules, + Array[String] $modules_base, + Array[String] $modules_disabled, + Prosody::Packageensure $package_ensure, + String $package_name, + Stdlib::Absolutepath $pidfile, + Array[Stdlib::Fqdn] $s2s_insecure_domains, + Boolean $s2s_require_encryption, + Boolean $s2s_secure_auth, + Array[Stdlib::Fqdn] $s2s_secure_domains, + String $ssl_ciphers, + String $ssl_curve, + Boolean $ssl_custom_config, + String $ssl_dhparam, + Array[String] $ssl_options, + Prosody::Storage $storage, + Boolean $use_libevent, + String $user, + Hash $virtualhost_defaults, + Hash $virtualhosts, + Optional[Hash] $sql = undef, + Optional[Stdlib::Absolutepath] $ssl_cert = undef, + Optional[Stdlib::Absolutepath] $ssl_key = undef, + Optional[String] $ssl_protocol = undef, +) { + if ($community_modules != []) { + class { '::prosody::community_modules': + require => Class['::prosody::package'], + before => Class['::prosody::config'], + } + } + + anchor { 'prosody::begin': } + -> class { '::prosody::package': } + -> class { '::prosody::config': } + -> class { '::prosody::service': } + -> anchor { '::prosody::end': } + + # create virtualhost resources via hiera + create_resources('prosody::virtualhost', $virtualhosts, $virtualhost_defaults) +} diff --git a/3rdparty/modules/prosody/manifests/package.pp b/3rdparty/modules/prosody/manifests/package.pp new file mode 100644 index 000000000..2ac8a4af2 --- /dev/null +++ b/3rdparty/modules/prosody/manifests/package.pp 
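Review bot: the closing anchor is titled `'::prosody::end'` while the opening one is `'prosody::begin'`; the leading `::` is harmless but inconsistent, and with the `puppet >= 5.5.10` floor in metadata.json both anchors can be replaced by `contain ::prosody::package` (etc.) plus `Class[...] -> Class[...]`. Also, `prosody::community_modules` is ordered `before => Class['::prosody::config']`, but its checkout path `/var/lib/prosody/modules` appears nowhere in config.pp or init.pp; confirm the template adds it to `plugin_paths`, otherwise the installed community modules are never found.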
@@ -0,0 +1,6 @@ +# == Class: prosody::package +class prosody::package { + package { $::prosody::package_name: + ensure => $::prosody::package_ensure, + } +} diff --git a/3rdparty/modules/prosody/manifests/service.pp b/3rdparty/modules/prosody/manifests/service.pp new file mode 100644 index 000000000..494fada0b --- /dev/null +++ b/3rdparty/modules/prosody/manifests/service.pp @@ -0,0 +1,22 @@ +# == Class: prosody::service +class prosody::service { + if $::prosody::daemonize { + case $::osfamily { + 'OpenBSD': { + service { 'prosody': + ensure => running, + enable => true, + require => Class[prosody::config], + } + } + default: { + service { 'prosody' : + ensure => running, + hasstatus => false, + restart => '/usr/bin/prosodyctl reload', + require => Class[prosody::config], + } + } + } + } +} diff --git a/3rdparty/modules/prosody/manifests/user.pp b/3rdparty/modules/prosody/manifests/user.pp new file mode 100644 index 000000000..23881f747 --- /dev/null +++ b/3rdparty/modules/prosody/manifests/user.pp @@ -0,0 +1,33 @@ +# == Define: prosody::user +define prosody::user( + String $pass, + Prosody::Host $host = 'localhost', +) { + $dir = regsubst($host, '\.', '%2e', 'G') + + ensure_resource('file', "/var/lib/prosody/${dir}", { + ensure => 'directory', + owner => 'prosody', + group => 'prosody', + }) + + ensure_resource('file', "/var/lib/prosody/${dir}/accounts", { + ensure => 'directory', + owner => 'prosody', + group => 'prosody', + require => File["/var/lib/prosody/${dir}"], + }) + + $_content = " +return { + [\"password\"] = \"${pass}\"; +}; +" + file {"/var/lib/prosody/${dir}/accounts/${name}.dat": + owner => 'prosody', + group => 'prosody', + mode => '0640', + content => $_content, + require => File["/var/lib/prosody/${dir}/accounts"], + } +} diff --git a/3rdparty/modules/prosody/manifests/virtualhost.pp b/3rdparty/modules/prosody/manifests/virtualhost.pp new file mode 100644 index 000000000..1f0e909d2 --- /dev/null 
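Review bot: the default branch of `prosody::service` omits `enable => true`, so on non-OpenBSD hosts Puppet keeps the daemon running but never enables it at boot, unlike the OpenBSD branch; and `hasstatus => false` makes Puppet scan the process table instead of asking the init script or unit. Add `enable => true` to the default branch and drop `hasstatus => false` where the package ships a working status command. Note also that `restart => '/usr/bin/prosodyctl reload'` turns every `notify => Class['::prosody::service']` into a reload rather than a restart; verify that is sufficient for everything the notifies cover (the config file and, if wired up, replaced certificates).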
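Review bot: `prosody::user` writes `[\"password\"] = \"${pass}\"` straight into `/var/lib/prosody/<host>/accounts/<name>.dat`, so the cleartext password sits in the catalog, in reports and on disk. `$pass` is interpolated into Lua source unescaped, so a password containing `"` or `\` corrupts the account file or injects Lua that Prosody evaluates when it loads the `.dat`; and neither `$name` nor `$host` is constrained, so `prosody::user { '../../x': }` writes outside the accounts directory. Prefer hashed storage (`authentication: internal_hashed`) with accounts created by `prosodyctl register` in an `exec` guarded by `creates`, or at least validate `$name` with a `Pattern[...]` type and escape the value (Lua long-bracket strings avoid the quoting problem).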
+++ b/3rdparty/modules/prosody/manifests/virtualhost.pp 
@@ -0,0 +1,75 @@ +# == Type: prosody::virtualhost +define prosody::virtualhost( + Hash $custom_options = {}, + Enum[present, absent] $ensure = present, + Optional[Stdlib::Absolutepath] $ssl_key = undef, + Optional[Stdlib::Absolutepath] $ssl_cert = undef, + Boolean $ssl_copy = true, + Optional[String] $user = undef, + Optional[String] $group = undef, + Hash $components = {}, +) { + # Check if SSL set correctly + if (($ssl_key != undef) and ($ssl_cert == undef)) { + fail('The prosody::virtualhost type needs both ssl_key *and* ssl_cert set') + } + if (($ssl_key == undef) and ($ssl_cert != undef)) { + fail('The prosody::virtualhost type needs both ssl_key *and* ssl_cert set') + } + + if (($ssl_key != undef) and ($ssl_cert != undef) and ($ssl_copy == true)) { + # Copy the provided sources to prosody certs folder + $prosody_ssl_key = "/etc/prosody/certs/${name}.key" + $prosody_ssl_cert = "/etc/prosody/certs/${name}.crt" + + $file_user = pick_default($user, 'prosody') + $file_group = pick_default($group, 'prosody') + + file { + $prosody_ssl_key: + source => $ssl_key, + links => follow, + mode => '0640', + owner => $file_user, + group => $file_group; + $prosody_ssl_cert: + source => $ssl_cert, + links => follow, + mode => '0644', + owner => $file_user, + group => $file_group; + } + + $config_requires = [File[$prosody_ssl_key], File[$prosody_ssl_cert], Class['::prosody::package']] + } + + elsif (($ssl_key != undef) and ($ssl_cert != undef) and ($ssl_copy == false)) { + $prosody_ssl_key = $ssl_key + $prosody_ssl_cert = $ssl_cert + } + + else { + $config_requires = Class['::prosody::package'] + } + + $conf_avail_fn = "/etc/prosody/conf.avail/${name}.cfg.lua" + + file { $conf_avail_fn: + ensure => $ensure, + require => $config_requires, + content => template('prosody/virtualhost.cfg.erb'), + notify => Class['::prosody::service'], + } + + $cfg_ensure = $ensure ? 
{ + 'present' => link, + 'absent' => absent, + } + + file { "/etc/prosody/conf.d/${name}.cfg.lua": + ensure => $cfg_ensure, + target => $conf_avail_fn, + notify => Class['::prosody::service'], + require => File[$conf_avail_fn]; + } +} diff --git a/3rdparty/modules/prosody/metadata.json b/3rdparty/modules/prosody/metadata.json new file mode 100644 index 000000000..8dbaac479 --- /dev/null +++ b/3rdparty/modules/prosody/metadata.json @@ -0,0 +1,26 @@ +{ + "name": "mayflower-prosody", + "version": "0.4.1", + "author": "Franz Pletz", + "summary": "Simple Puppet module for managing the Prosody Jabber/XMPP server", + "license": "Apache-2.0", + "source": "https://github.com/mayflower/puppet-prosody", + "issues_url": "https://github.com/mayflower/puppet-prosody/issues", + "description": "This module supports most configuration options and installing community modules", + "dependencies": [ + { + "name": "puppetlabs/stdlib", + "version_requirement": ">= 4.25.0" + }, + { + "name": "puppetlabs/vcsrepo", + "version_requirement": ">= 1.0.0 < 3.0.0" + } + ], + "requirements": [ + { + "name": "puppet", + "version_requirement": ">= 5.5.10 < 7" + } + ] +} diff --git a/3rdparty/modules/prosody/spec/classes/prosody_spec.rb b/3rdparty/modules/prosody/spec/classes/prosody_spec.rb new file mode 100644 index 000000000..6cb425e06 --- /dev/null +++ b/3rdparty/modules/prosody/spec/classes/prosody_spec.rb 
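Review bot: in `prosody::virtualhost`, the `ssl_copy == false` branch never sets `$config_requires`, so the `conf.avail` file gets `require => undef` and loses the `Class['::prosody::package']` ordering the other branches have. The copied private key is `owner => $file_user` (default `prosody`) with `mode => '0640'`, so the service account can modify its own key; `owner => 'root'`, `group => $file_group`, `mode => '0640'` gives it read-only access. The key/cert `file` resources carry no `ensure`, so `ensure => absent` removes the config and symlink but leaves the copied key behind, and they have no `notify`, so a renewed certificate does not itself trigger a reload (only a changed config file does); if the merge's "Notify prosody when its certificates change" is meant to come from this define, add `notify => Class['::prosody::service']` to both.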
@@ -0,0 +1,48 @@ +require 'spec_helper' + +describe 'prosody' do + let(:facts) do + { osfamily: 'SomeOS' } + end + context 'on every platform' do + it { should contain_class 'prosody::package' } + it { should contain_class 'prosody::config' } + it { should contain_class 'prosody::service' } + + it { should contain_package('prosody').with(ensure: 'present') } + end + + context 'with daemonize => true' do + let(:params) { { daemonize: true } } + it { + should contain_service('prosody').with( + ensure: 'running' + ) + } + end + + context 'with daemonize => false' do + let(:params) { { daemonize: false } } + it { + should_not contain_service('prosody').with( + ensure: 'running' + ) + } + end + + context 'with custom options' do + let(:params) { { custom_options: { 'foo' => 'bar', 'baz' => 'quux' } } } + it { + should contain_file('/etc/prosody/prosody.cfg.lua') \ + .with_content(/^foo = "bar"$/, /^baz = "quux"$/) + } + end + + context 'with deeply nested custom options' do + let(:params) { { custom_options: { 'foo' => { 'fnord' => '23', 'xyzzy' => '42' }, 'bar' => %w[cool elements], 'baz' => 'quux' } } } + it { + should contain_file('/etc/prosody/prosody.cfg.lua') \ + .with_content(/^foo = {\n fnord = "23";\n xyzzy = "42";\n}$/, /^baz = "quux"$/, /^bar = [ "cool"; "elements" ]$/) + } + end +end diff --git a/3rdparty/modules/prosody/spec/defines/virtualhost_spec.rb b/3rdparty/modules/prosody/spec/defines/virtualhost_spec.rb new file mode 100644 index 000000000..d3b31cb91 --- /dev/null +++ b/3rdparty/modules/prosody/spec/defines/virtualhost_spec.rb 
@@ -0,0 +1,105 @@ +require 'spec_helper' +require 'erb' + +describe 'prosody::virtualhost' do + let(:pre_condition) do + 'include ::prosody' + end + let(:facts) do + { + osfamily: 'SomeOS' + } + end + let(:title) { 'mockvirtualhost' } + + before :each do + @path_avail = "/etc/prosody/conf.avail/#{title}.cfg.lua" + @path_link = "/etc/prosody/conf.d/#{title}.cfg.lua" + end + + context 'with no parameters' do + it { + should contain_file(@path_avail).with( + ensure: 'present' + ) + } + + it { + should contain_file(@path_link).with( + ensure: 'link', + target: @path_avail, + require: "File[#{@path_avail}]" + ) + } + end + + context 'with ssl_key but no ssl_cert' do + let(:params) { { ssl_key: 'bananas' } } + it { + expect do + should contain_class('prosody') + end.to raise_error(Puppet::Error) + } + end + + context 'with ssl_cert but no ssl_key' do + let(:params) { { ssl_cert: 'bananas' } } + it { + expect do + should contain_class('prosody') + end.to raise_error(Puppet::Error) + } + end + + context 'with ssl keys and certs' do + let(:ssl_key) { '/etc/prosody/certs/rspec-puppet.com.key' } + let(:ssl_cert) { '/etc/prosody/certs/rspec-puppet.com.crt' } + let(:params) { { ssl_key: ssl_key, ssl_cert: ssl_cert } } + + before :each do + @ssl_key = ssl_key + @ssl_cert = ssl_cert + end + + it { + # This require statment is bananas + should contain_file(@path_avail).with( + ensure: 'present', + require: ['File[/etc/prosody/certs/mockvirtualhost.key]', 'File[/etc/prosody/certs/mockvirtualhost.crt]', 'Class[Prosody::Package]'] + ) + + should contain_file('/etc/prosody/certs/mockvirtualhost.key').with_source(@ssl_key) + should contain_file('/etc/prosody/certs/mockvirtualhost.crt').with_source(@ssl_cert) + } + end + + context 'ensure => absent' do + let(:params) { { ensure: 'absent' } } + it { + @ensure = 'absent' + should contain_file(@path_avail).with( + ensure: @ensure + ) + } + + it { + should contain_file(@path_link).with_ensure('absent') + } + end + + context 'with custom 
options' do + let(:params) { { custom_options: { 'foo' => 'bar', 'baz' => 'quux' } } } + it { + should contain_file(@path_avail) \ + .with_content(/^foo = "bar"$/, /^baz = "quux"$/) + } + end + + context 'with deeply nested custom options' do + let(:params) { { custom_options: { 'foo' => { 'fnord' => '23', 'xyzzy' => '42' }, 'bar' => %w[cool elements], 'baz' => 'quux' } } } + it { + should contain_file(@path_avail) \ + .with_content(/^foo = {\n fnord = "23";\n xyzzy = "42";\n}$/, /^baz = "quux"$/, /^bar = [ "cool"; "elements" ]$/) + } + end +end diff --git a/3rdparty/modules/prosody/spec/spec_helper.rb b/3rdparty/modules/prosody/spec/spec_helper.rb new file mode 100644 index 000000000..203737b7f --- /dev/null +++ b/3rdparty/modules/prosody/spec/spec_helper.rb @@ -0,0 +1,6 @@ +require 'puppetlabs_spec_helper/module_spec_helper' +require 'simplecov' + +SimpleCov.start do + add_filter '/spec/' +end diff --git a/3rdparty/modules/prosody/templates/prosody.cfg.erb b/3rdparty/modules/prosody/templates/prosody.cfg.erb new file mode 100644 index 000000000..8c7492895 --- /dev/null +++ b/3rdparty/modules/prosody/templates/prosody.cfg.erb 
@@ -0,0 +1,258 @@ +-- Prosody XMPP Server Configuration +-- +-- Information on configuring Prosody can be found on our +-- website at https://prosody.im/doc/configure +-- +-- Tip: You can check that the syntax of this file is correct +-- when you have finished by running this command: +-- prosodyctl check config +-- If there are any errors, it will let you know what and where +-- they are, otherwise it will keep quiet. +-- +-- Good luck, and happy Jabbering! + + +---------- Server-wide settings ---------- +-- Settings in this section apply to the whole server and are the default settings +-- for any virtual hosts + +-- This is a (by default, empty) list of accounts that are admins +-- for the server. Note that you must create the accounts separately +-- (see https://prosody.im/doc/creating_accounts for info) +-- Example: admins = { "user1@example.com", "user2@example.net" } +admins = { +<% scope.lookupvar('prosody::admins').each do |admin| -%> + "<%= admin %>", +<% end -%> +} + +<% if scope.lookupvar('prosody::user') != '' -%> +-- User to run prosody as +prosody_user = "<%= scope.lookupvar('prosody::user') %>" +<% end -%> +<% if scope.lookupvar('prosody::group') != '' -%> +-- Group to run prosody as +prosody_group = "<%= scope.lookupvar('prosody::group') %>" +<% end -%> + +-- Which interfaces (addresses) to listen on +interfaces = { +<% scope.lookupvar('prosody::interfaces').each do |interface| -%> + "<%= interface %>", +<% end -%> +} + +-- Enable use of libevent for better performance under high load +-- For more information see: https://prosody.im/doc/libevent +use_libevent = <%= scope.lookupvar('prosody::use_libevent') %>; + +-- This is the list of modules Prosody will load on startup. +-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too. 
+-- Documentation on modules can be found at: https://prosody.im/doc/modules +modules_enabled = { + + -- Base modules +<% scope.lookupvar('prosody::modules_base').each do |mod| -%> + "<%= mod %>"; +<% end -%> + + -- Custom modules +<% scope.lookupvar('prosody::modules').each do |mod| -%> + "<%= mod %>"; +<% end -%> + +}; + +<%- community_modules = scope.lookupvar('prosody::community_modules') + if community_modules != [] -%> +-- Where to search for plugins/modules +plugin_paths = { +<%- base_path = scope.lookupvar('prosody::community_modules::path') + community_modules.each do |mod| -%> + "<%= base_path + '/mod_' + mod %>"; +<%- end -%> +}; +<%- end -%> + +<%- modules_disabled = scope.lookupvar('prosody::modules_disabled') + if modules_disabled != [] -%> +-- These modules are auto-loaded, but should you want +-- to disable them then uncomment them here: +modules_disabled = { +<% scope.lookupvar('prosody::modules_disabled').each do |mod| -%> + "<%= mod %>"; +<%- end -%> +}; +<%- end -%> + +-- Disable account creation by default, for security +-- For more information see https://prosody.im/doc/creating_accounts +allow_registration = <%= scope.lookupvar('prosody::allow_registration') %>; + +-- Debian: +-- send the server to background. +-- +daemonize = <%= scope.lookupvar('prosody::daemonize') %>; + +<% if scope.lookupvar('prosody::ssl_custom_config') -%> +-- These are the SSL/TLS-related settings. If you don't want +-- to use SSL/TLS, you may comment or remove this +ssl = { + <% unless scope.lookupvar('prosody::ssl_protocol').nil? 
-%> + protocol = "<%= scope.lookupvar('prosody::ssl_protocol') %>"; + <% end -%> + options = { + <%- scope.lookupvar('prosody::ssl_options').each do |option| -%> + "<%= option %>", + <%- end -%> + }; + ciphers = "<%= scope.lookupvar('prosody::ssl_ciphers') %>"; + curve = "<%= scope.lookupvar('prosody::ssl_curve') %>"; + <%- dhparam = scope.lookupvar('prosody::ssl_dhparam') + if dhparam != '' -%> + dhparam = "<%= dhparam %>"; + <%- end -%> + <%- ssl_key = scope.lookupvar('prosody::ssl_key') + if ssl_key != :undef -%> + key = "<%= ssl_key %>"; + <%- end -%> + <%- ssl_cert = scope.lookupvar('prosody::ssl_cert') + if ssl_cert != :undef -%> + certificate = "<%= ssl_cert %>"; + <%- end -%> +} +<% end -%> + +-- Force clients to use encrypted connections? This option will +-- prevent clients from authenticating unless they are using encryption. + +c2s_require_encryption = <%= scope.lookupvar('prosody::c2s_require_encryption') %> + +-- Force servers to use encrypted connections? + +s2s_require_encryption = <%= scope.lookupvar('prosody::s2s_require_encryption') %> + + +-- Force certificate authentication for server-to-server connections? +-- This provides ideal security, but requires servers you communicate +-- with to support encryption AND present valid, trusted certificates. +-- NOTE: Your version of LuaSec must support certificate verification! +-- For more information see https://prosody.im/doc/s2s#security + +s2s_secure_auth = <%= scope.lookupvar('prosody::s2s_secure_auth') %> + +-- Many servers don't support encryption or have invalid or self-signed +-- certificates. You can list domains here that will not be required to +-- authenticate using certificates. They will be authenticated using DNS. + +s2s_insecure_domains = { +<% scope.lookupvar('prosody::s2s_insecure_domains').each do |domain| -%> + "<%= domain %>", +<% end -%> +} + +-- Even if you leave s2s_secure_auth disabled, you can still require valid +-- certificates for some domains by specifying a list here. 
+ +s2s_secure_domains = { +<% scope.lookupvar('prosody::s2s_secure_domains').each do |domain| -%> + "<%= domain %>", +<% end -%> +} + +------ Custom config options ------ + +<%- +def print_recursive(object, indentation = 0) + case object + when Array + '{ "' + object.join('"; "') + '" }' + when Hash + "{\n" + ' ' * (indentation + 2) + object.map {|k,v| + "#{k} = " + print_recursive(v, indentation + 2)}.join(";\n" + ' ' * (indentation + 2)) + ";\n" + (' ' * indentation) + '}' + when TrueClass, FalseClass + object.to_s + else + '"' + object.to_s + '"' + end +end +-%> + +<% scope.lookupvar('prosody::custom_options').sort.each do |option, value| -%> +<%= option %> = <%= print_recursive(value) %> +<% end -%> + +-- Required for init scripts and prosodyctl +pidfile = "<%= scope.lookupvar('prosody::pidfile') %>" + +-- Select the authentication backend to use. The 'internal' providers +-- use Prosody's configured data storage to store the authentication data. +-- To allow Prosody to offer secure authentication mechanisms to clients, the +-- default provider stores passwords in plaintext. If you do not trust your +-- server please see https://prosody.im/doc/modules/mod_auth_internal_hashed +-- for information about using the hashed backend. + +authentication = "<%= scope.lookupvar('prosody::authentication') %>" + +-- Select the storage backend to use. By default Prosody uses flat files +-- in its configured data directory, but it also supports more backends +-- through modules. An "sql" backend is included by default, but requires +-- additional dependencies. See https://prosody.im/doc/storage for more info. + +<%- storage = scope.lookupvar('prosody::storage') + if storage != :undef + if storage.is_a?(String) -%> +storage = "<%= storage %>" + <%- elsif storage.is_a?(Hash) -%> +storage = { + <%- storage.sort.each do |type,location| -%> + <%= type %> = "<%= location %>"; + <%- end -%> +} + <%- end -%> +<%- end -%> + +<%- sql = scope.lookupvar('prosody::sql') +unless sql.nil? 
-%> +sql = { driver = "<%= sql['driver'] %>", database = "<%= sql ['database'] %>", username = "<%= sql['username'] %>", password = "<%= sql['password'] %>", host = "<%= sql['host'] %>" } +<%- end -%> + +-- Logging configuration +-- For advanced logging see https://prosody.im/doc/logging +log = { + <%= scope.lookupvar('prosody::log_level') -%> = "<%= scope.lookupvar('prosody::info_log') -%>"; -- Change 'info' to 'debug' for verbose logging + error = "<%= scope.lookupvar('prosody::error_log') -%>"; +<% scope.lookupvar('prosody::log_sinks').each do |sink| -%> + "*<%= sink %>"; +<% end -%> +<% scope.lookupvar('prosody::log_advanced').each do |level, destination| -%> + { levels = { <%= level %> }; to = <%= destination %>; }; +<% end -%> +} + +------ Components ------ +-- You can specify components to add hosts that provide special services, +-- like multi-user conferences, and transports. +-- For more information on components, see https://prosody.im/doc/components + +<% scope.lookupvar('prosody::components').sort.each do |name, component| %> +Component "<%= name %>" <% if component.include?('type') then %>"<%= component['type'] %>"<% end %> + <%- if component.include?('secret') -%> + component_secret = "<%= component['secret'] %>" + <%- end -%> + <%- if component.include?('options') -%> + <%- component['options'].sort.each do |k, v| -%> + <%- if ( v.is_a? Array ) -%> + <%= k %> = { "<%= v.join('", "') %>" }; + <%- else -%> + <%= k %> = <%= v %>; + <%- end -%> + <%- end -%> + <%- end -%> +<% end -%> + +------ Additional config files ------ +-- For organizational purposes you may prefer to add VirtualHost and +-- Component definitions in their own config files. This line includes +-- all config files in /etc/prosody/conf.d/ + +Include "conf.d/*.cfg.lua" diff --git a/3rdparty/modules/prosody/templates/virtualhost.cfg.erb b/3rdparty/modules/prosody/templates/virtualhost.cfg.erb new file mode 100644 index 000000000..ffb369dbf --- /dev/null 
+++ b/3rdparty/modules/prosody/templates/virtualhost.cfg.erb @@ -0,0 +1,56 @@ +VirtualHost "<%= @name %>" +<% if @ensure == 'present' -%> + enabled = true +<% else -%> + enabled = false +<% end -%> + +<% if (@ssl_key != 'UNSET') && (@ssl_cert != 'UNSET') -%> + -- Assign this host a certificate for TLS, otherwise it would use the one + -- set in the global section (if any). + -- Note that old-style SSL on port 5223 only supports one certificate, and will always + -- use the global one. + ssl = { + key = "<%= @prosody_ssl_key %>"; + certificate = "<%= @prosody_ssl_cert %>"; + } +<% end -%> + +<%- if @custom_options != {} -%> +<%- +def print_recursive(object, indentation = 0) + case object + when Array + '{ "' + object.join('"; "') + '" }' + when Hash + "{\n" + ' ' * (indentation + 2) + object.map {|k,v| + "#{k} = " + print_recursive(v, indentation + 2)}.join(";\n" + ' ' * (indentation + 2)) + ";\n" + (' ' * indentation) + '}' + when TrueClass, FalseClass + object.to_s + else + '"' + object.to_s + '"' + end +end +-%> +------ Custom config options ------ +<%- @custom_options.sort.each do |option, value| -%> +<%= option %> = <%= print_recursive(value) %> +<%- end; end -%> + +<%- if @components != {} -%> +------ Components ------ +-- You can specify components to add hosts that provide special services, +-- like multi-user conferences, and transports. +-- For more information on components, see http://prosody.im/doc/components + +<% @components.sort.each do |name, component| %> +Component "<%= name %>" <% if component.include?('type') then %>"<%= component['type'] %>"<% end %> + <%- if component.include?('secret') -%> + component_secret = "<%= component['secret'] %>" + <%- end -%> + <%- if component.include?('options') -%> + <%- component['options'].sort.each do |k, v| -%> + <%= k %> = <%= v %>; + <%- end -%> + <%- end -%> +<% end -%> +<% end -%> 
diff --git a/3rdparty/modules/prosody/tests/init.pp b/3rdparty/modules/prosody/tests/init.pp new file mode 100644 index 000000000..94d9b59cf --- /dev/null +++ b/3rdparty/modules/prosody/tests/init.pp @@ -0,0 +1,8 @@ +node default { + include ::prosody + + prosody::virtualhost { + 'puppetlabs.com' : + ensure => present; + } +} diff --git a/3rdparty/modules/prosody/tests/modules/prosody/manifests b/3rdparty/modules/prosody/tests/modules/prosody/manifests new file mode 120000 index 000000000..21186f015 --- /dev/null +++ b/3rdparty/modules/prosody/tests/modules/prosody/manifests @@ -0,0 +1 @@ +../../../manifests \ No newline at end of file diff --git a/3rdparty/modules/prosody/tests/modules/prosody/templates b/3rdparty/modules/prosody/tests/modules/prosody/templates new file mode 120000 index 000000000..0e4c94ff6 --- /dev/null +++ b/3rdparty/modules/prosody/tests/modules/prosody/templates @@ -0,0 +1 @@ +../../../templates \ No newline at end of file diff --git a/3rdparty/modules/prosody/types/authentication.pp b/3rdparty/modules/prosody/types/authentication.pp new file mode 100644 index 000000000..ccf59416a --- /dev/null +++ b/3rdparty/modules/prosody/types/authentication.pp @@ -0,0 +1 @@ +type Prosody::Authentication = Enum['internal_plain', 'internal_hashed', 'cyrus', 'anonymous', 'ha1'] diff --git a/3rdparty/modules/prosody/types/host.pp b/3rdparty/modules/prosody/types/host.pp new file mode 100644 index 000000000..a08e8c795 --- /dev/null +++ b/3rdparty/modules/prosody/types/host.pp @@ -0,0 +1,2 @@ +# Note: Stdlib::Host does not match "localhost" +type Prosody::Host = Variant[Pattern[/^localhost$/], Stdlib::Host] diff --git a/3rdparty/modules/prosody/types/loglevel.pp b/3rdparty/modules/prosody/types/loglevel.pp new file mode 100644 index 000000000..d6866c960 --- /dev/null +++ b/3rdparty/modules/prosody/types/loglevel.pp @@ -0,0 +1 @@ +type Prosody::Loglevel = Enum['debug', 'info', 'warn', 'error'] 
diff --git a/3rdparty/modules/prosody/types/moduletype.pp b/3rdparty/modules/prosody/types/moduletype.pp new file mode 100644 index 000000000..9d4e2160c --- /dev/null +++ b/3rdparty/modules/prosody/types/moduletype.pp @@ -0,0 +1 @@ +type Prosody::Moduletype = Enum['hg', 'git'] diff --git a/3rdparty/modules/prosody/types/packageensure.pp b/3rdparty/modules/prosody/types/packageensure.pp new file mode 100644 index 000000000..7c9e86b5e --- /dev/null +++ b/3rdparty/modules/prosody/types/packageensure.pp @@ -0,0 +1 @@ +type Prosody::Packageensure = Variant[Enum[present, latest], String] diff --git a/3rdparty/modules/prosody/types/storage.pp b/3rdparty/modules/prosody/types/storage.pp new file mode 100644 index 000000000..7e8d15b73 --- /dev/null +++ b/3rdparty/modules/prosody/types/storage.pp @@ -0,0 +1 @@ +type Prosody::Storage = Variant[Hash, Enum['internal', 'sql', 'memory', 'null', 'none']] diff --git a/modules/profile/manifests/prosody.pp b/modules/profile/manifests/prosody.pp new file mode 100644 index 000000000..65ec2debd --- /dev/null +++ b/modules/profile/manifests/prosody.pp 
@@ -0,0 +1,78 @@ +# Please contact the RTC team about this service at debian-rtc-team@alioth-lists.debian.net +# + +class profile::prosody { + + class { 'prosody': + user => 'prosody', + group => 'prosody', + use_libevent => false, + daemonize => true, + s2s_secure_auth => false, + package_name => 'prosody-modules', + ssl_custom_config => false, + log_sinks => [], + log_advanced => { + 'error' => 'syslog', + }, + authentication => 'ha1', + custom_options => { + 'auth_ha1_file' => '/var/local/rtc-passwords.prosody', + 'auth_ha1_use_ha1b' => true, + 'auth_ha1_realm' => 'rtc.debian.org', + }, + # we override whatever the module decides as a base + modules_base => [ + 'roster', 'saslauth', 'tls', 'dialback', 'disco', 'posix', 'private', + 'vcard', 'version', 'uptime', 'time', 'ping', 'pep', 'register', + ], + # and add the modules we want on top + modules => [ + 'admin_adhoc', 'blocking', 'carbons', 'carbons_adhoc', + 'cloud_notify', 'csi', 'filter_chatstates', 'http', + 'http_upload', 'mam', 'smacks', 'smaks', 'throttle_presence', + ], + } + + -> prosody::virtualhost { + 'debian.org': + ensure => present, + ssl_key => '/etc/ssl/private/debian.org.key', + ssl_cert => '/etc/ssl/debian/certs/debian.org.crt-chained', + ssl_copy => false, + components => { + 'conference.debian.org' => { + 'type' => 'muc', + } + } + } + + -> posix_acl { '/etc/prosody/prosody.cfg.lua': + action => exact, + recursive => false, + provider => posixacl, + permission => [ + 'user::rw', + 'group::r', + 'group:debvoip:rw', + 'group:prosody:r', + 'mask::r', + 'other::', + ], + } + + -> posix_acl { '/etc/prosody/conf.avail/debian.org.cfg.lua': + action => exact, + recursive => false, + provider => posixacl, + permission => [ + 'user::rw', + 'group::r', + 'group:debvoip:rw', + 'group:prosody:r', + 'mask::r', + 'other::', + ], + } + +} diff --git a/modules/roles/manifests/rtc.pp b/modules/roles/manifests/rtc.pp index 26a6e52fd..e0ab563c2 100644 --- a/modules/roles/manifests/rtc.pp 
+++ b/modules/roles/manifests/rtc.pp 
@@ -1,144 +1,154 @@ +# = Class: roles::rtc +# +# Setup for machines used by the RTC Team +# +# == Sample Usage: +# +# include roles::rtc +# class roles::rtc { - ssl::service { 'debian.org': - tlsaport => [], - notify => Service['repro'], - key => true, - } + include profile::prosody - ssl::service { 'sip-ws.debian.org': - notify => Service['repro'], - key => true, - } + ssl::service { 'debian.org': + tlsaport => [], + notify => Service['repro', 'prosody'], + key => true, + } - dnsextras::tlsa_record{ 'tlsa-xmpp': - zone => 'debian.org', - certfile => "/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt", - port => [5061, 5222, 5269], - hostname => $::fqdn, - } + ssl::service { 'sip-ws.debian.org': + notify => Service['repro'], + key => true, + } - ferm::rule { 'dsa-xmpp-client-ip4': - domain => 'ip', - description => 'XMPP connections (client to server)', - rule => 'proto tcp dport (5222) ACCEPT' - } - ferm::rule { 'dsa-xmpp-client-ip6': - domain => 'ip6', - description => 'XMPP connections (client to server)', - rule => 'proto tcp dport (5222) ACCEPT' - } - ferm::rule { 'dsa-xmpp-server-ip4': - domain => 'ip', - description => 'XMPP connections (server to server)', - rule => 'proto tcp dport (5269) ACCEPT' - } - ferm::rule { 'dsa-xmpp-server-ip6': - domain => 'ip6', - description => 'XMPP connections (server to server)', - rule => 'proto tcp dport (5269) ACCEPT' - } + dnsextras::tlsa_record{ 'tlsa-xmpp': + zone => 'debian.org', + certfile => '/etc/puppet/modules/ssl/files/servicecerts/www.debian.org.crt', + port => [5061, 5222, 5269], + hostname => $::fqdn, + } - ferm::rule { 'dsa-sip-ws-ip4': - domain => 'ip', - description => 'SIP connections (WebSocket; for WebRTC)', - rule => 'proto tcp dport (443) ACCEPT' - } - ferm::rule { 'dsa-sip-ws-ip6': - domain => 'ip6', - description => 'SIP connections (WebSocket; for WebRTC)', - rule => 'proto tcp dport (443) ACCEPT' - } - ferm::rule { 'dsa-sip-tls-ip4': - domain => 'ip', - description => 'SIP connections 
(TLS)', - rule => 'proto tcp dport (5061) ACCEPT' - } - ferm::rule { 'dsa-sip-tls-ip6': - domain => 'ip6', - description => 'SIP connections (TLS)', - rule => 'proto tcp dport (5061) ACCEPT' - } - ferm::rule { 'dsa-turn-ip4': - domain => 'ip', - description => 'TURN connections', - rule => 'proto udp dport (3478) ACCEPT' - } - ferm::rule { 'dsa-turn-ip6': - domain => 'ip6', - description => 'TURN connections', - rule => 'proto udp dport (3478) ACCEPT' - } - ferm::rule { 'dsa-turn-tls-ip4': - domain => 'ip', - description => 'TURN connections (TLS)', - rule => 'proto tcp dport (5349) ACCEPT' - } - ferm::rule { 'dsa-turn-tls-ip6': - domain => 'ip6', - description => 'TURN connections (TLS)', - rule => 'proto tcp dport (5349) ACCEPT' - } - ferm::rule { 'dsa-rtp-ip4': - domain => 'ip', - description => 'RTP streams', - rule => 'proto udp dport (49152:65535) ACCEPT' - } - ferm::rule { 'dsa-rtp-ip6': - domain => 'ip6', - description => 'RTP streams', - rule => 'proto udp dport (49152:65535) ACCEPT' - } + ferm::rule { 'dsa-xmpp-client-ip4': + domain => 'ip', + description => 'XMPP connections (client to server)', + rule => 'proto tcp dport (5222) ACCEPT' + } + ferm::rule { 'dsa-xmpp-client-ip6': + domain => 'ip6', + description => 'XMPP connections (client to server)', + rule => 'proto tcp dport (5222) ACCEPT' + } + ferm::rule { 'dsa-xmpp-server-ip4': + domain => 'ip', + description => 'XMPP connections (server to server)', + rule => 'proto tcp dport (5269) ACCEPT' + } + ferm::rule { 'dsa-xmpp-server-ip6': + domain => 'ip6', + description => 'XMPP connections (server to server)', + rule => 'proto tcp dport (5269) ACCEPT' + } - file { '/etc/monit/monit.d/50rtc': - ensure => absent, - } + ferm::rule { 'dsa-sip-ws-ip4': + domain => 'ip', + description => 'SIP connections (WebSocket; for WebRTC)', + rule => 'proto tcp dport (443) ACCEPT' + } + ferm::rule { 'dsa-sip-ws-ip6': + domain => 'ip6', + description => 'SIP connections (WebSocket; for WebRTC)', + rule => 'proto tcp 
dport (443) ACCEPT' + } + ferm::rule { 'dsa-sip-tls-ip4': + domain => 'ip', + description => 'SIP connections (TLS)', + rule => 'proto tcp dport (5061) ACCEPT' + } + ferm::rule { 'dsa-sip-tls-ip6': + domain => 'ip6', + description => 'SIP connections (TLS)', + rule => 'proto tcp dport (5061) ACCEPT' + } + ferm::rule { 'dsa-turn-ip4': + domain => 'ip', + description => 'TURN connections', + rule => 'proto udp dport (3478) ACCEPT' + } + ferm::rule { 'dsa-turn-ip6': + domain => 'ip6', + description => 'TURN connections', + rule => 'proto udp dport (3478) ACCEPT' + } + ferm::rule { 'dsa-turn-tls-ip4': + domain => 'ip', + description => 'TURN connections (TLS)', + rule => 'proto tcp dport (5349) ACCEPT' + } + ferm::rule { 'dsa-turn-tls-ip6': + domain => 'ip6', + description => 'TURN connections (TLS)', + rule => 'proto tcp dport (5349) ACCEPT' + } + ferm::rule { 'dsa-rtp-ip4': + domain => 'ip', + description => 'RTP streams', + rule => 'proto udp dport (49152:65535) ACCEPT' + } + ferm::rule { 'dsa-rtp-ip6': + domain => 'ip6', + description => 'RTP streams', + rule => 'proto udp dport (49152:65535) ACCEPT' + } - service { 'repro': - ensure => running, - } - dsa_systemd::override { 'repro': - content => @("EOF"), + file { '/etc/monit/monit.d/50rtc': + ensure => absent, + } + + service { 'repro': + ensure => running, + } + dsa_systemd::override { 'repro': + content => @("EOF"), [Unit] After=network-online.target | EOF - } + } - package { 'freeradius': - ensure => installed, - } - service { 'freeradius': - ensure => running, - } - $radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password") - file { '/etc/freeradius/3.0/sites-available/rtc.debian.org': - content => template('roles/rtc/freeradius-rtc.erb'), - mode => '0440', - group => freerad, - } - file { '/etc/freeradius/3.0/sites-enabled/rtc.debian.org': - ensure => link, - target => '../sites-available/rtc.debian.org', - } - file { '/etc/freeradius/3.0/mods-available/passwd_rtc': - source => 
'puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc', - mode => '0440', - group => freerad, - } - file { '/etc/freeradius/3.0/mods-enabled/passwd_rtc': - ensure => link, - target => '../mods-available/passwd_rtc', - } - file { '/etc/repro/radius-servers': - content => inline_template('localhost/localhost <%= @radius_password %>'), - mode => '0440', - group => repro, - notify => Service['repro'], - } - file { '/etc/freeradius/3.0/sites-enabled/default': - ensure => absent, - } - file { '/etc/freeradius/3.0/sites-enabled/inner-tunnel': - ensure => absent, - } + package { 'freeradius': + ensure => installed, + } + service { 'freeradius': + ensure => running, + } + $radius_password = hkdf('/etc/puppet/secret', "rtc-${::hostname}-radius-password") + file { '/etc/freeradius/3.0/sites-available/rtc.debian.org': + content => template('roles/rtc/freeradius-rtc.erb'), + mode => '0440', + group => freerad, + } + file { '/etc/freeradius/3.0/sites-enabled/rtc.debian.org': + ensure => link, + target => '../sites-available/rtc.debian.org', + } + file { '/etc/freeradius/3.0/mods-available/passwd_rtc': + source => 'puppet:///modules/roles/rtc/freeradius-mod-passwd-rtc', + mode => '0440', + group => freerad, + } + file { '/etc/freeradius/3.0/mods-enabled/passwd_rtc': + ensure => link, + target => '../mods-available/passwd_rtc', + } + file { '/etc/repro/radius-servers': + content => inline_template('localhost/localhost <%= @radius_password %>'), + mode => '0440', + group => repro, + notify => Service['repro'], + } + file { '/etc/freeradius/3.0/sites-enabled/default': + ensure => absent, + } + file { '/etc/freeradius/3.0/sites-enabled/inner-tunnel': + ensure => absent, + } }
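Review bot: in the `manifests/virtualhost.pp` hunk the `elsif` branch taken when `ssl_copy == false` never assigns `$config_requires`, so the later `file { $conf_avail_fn: require => $config_requires }` receives undef (or fails outright with `strict_variables = true`) and the conf.avail file no longer waits for `Class['::prosody::package']`. That is precisely the branch `profile::prosody` exercises with `ssl_copy => false`; add `$config_requires = Class['::prosody::package']` to it, or set that default once before the `if` and override it only in the copy branch.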
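Review bot: `spec/defines/virtualhost_spec.rb` has no context for `ssl_copy => false`, the only mode the Debian profile uses, and the 'with no parameters' context checks `ensure` but not the rendered content. A context asserting that no `/etc/prosody/certs/*` file resources are declared and that the conf.avail file still requires `Class[Prosody::Package]` would have caught the unassigned `$config_requires` in the define. While there, `# This require statment is bananas` should read `statement`.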
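Review bot: in `templates/prosody.cfg.erb` the guards `if ssl_key != :undef` and `if ssl_cert != :undef` compare against the `:undef` symbol, but on the Puppet 5 this module requires `scope.lookupvar` yields nil for an unset parameter, so both comparisons are always true and an empty `key = "";` / `certificate = "";` is emitted inside the global `ssl = { ... }` table. It is masked in this deployment by `ssl_custom_config => false`, but the check should be `unless ssl_key.nil?`, matching the `ssl_protocol` line a few lines above that already tests `.nil?`.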
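Review bot: `templates/virtualhost.cfg.erb` wraps the per-host TLS block in `(@ssl_key != 'UNSET') && (@ssl_cert != 'UNSET')`, but the define's parameters default to `undef`, which reaches the template as nil, never the string `'UNSET'`. A virtualhost declared without `ssl_key`/`ssl_cert` therefore still renders `ssl = { key = ""; certificate = ""; }` (the define sets no `$prosody_ssl_key`/`$prosody_ssl_cert` in that case), which overrides the global certificate the template comment says should apply. Test for presence instead (`if @ssl_key && @ssl_cert`) and add a spec assertion that the no-parameter host has no `ssl =` block.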
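Review bot: in `modules/profile/manifests/prosody.pp` both `posix_acl` resources combine `'group:debvoip:rw'` with `'mask::r'`; the ACL mask caps the effective rights of named users and groups, so debvoip is effectively read-only on `prosody.cfg.lua` and `conf.avail/debian.org.cfg.lua` despite the rw entry. If the RTC team is meant to edit these files use `'mask::rw'`; if read-only is intended write `'group:debvoip:r'` so the manifest states what it enforces. Two smaller points in the same hunk: the `modules` list contains both `'smacks'` and `'smaks'`, and the second looks like a typo that will make Prosody log a load error for a nonexistent `mod_smaks` on every start; and with `ssl_copy => false` no prosody-owned copy of the key is made, so the prosody user must be able to read `/etc/ssl/private/debian.org.key` as installed by `ssl::service { 'debian.org': key => true }`; please confirm that class grants it.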
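Review bot: the `modules/roles/manifests/rtc.pp` hunk re-indents the whole class, which buries the two functional changes (`include profile::prosody` and `notify => Service['repro', 'prosody']` on `ssl::service { 'debian.org': }`) in a wall of whitespace; consider splitting the re-indent into its own commit. The new `Service['prosody']` reference relies on `prosody::service` being declared through `profile::prosody`, so keep that `include` at the top of the class as it is here, otherwise the notify fails at compile time.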