From b971cc837b8783402899e0aba3755a1f89ca1e27 Mon Sep 17 00:00:00 2001
From: Martin Zobel-Helas
Date: Wed, 15 Feb 2012 17:19:10 +0100
Subject: [PATCH] add dacs module
---
modules/dacs/files/common/acl-noauth.0 | 9 ++
modules/dacs/files/common/acl-private.0 | 12 ++
modules/dacs/files/common/dacs.conf | 43 +++++++
modules/dacs/files/common/site.conf | 163 ++++++++++++++++++++++++
modules/dacs/manifests/init.pp | 101 +++++++++++++++
5 files changed, 328 insertions(+)
create mode 100644 modules/dacs/files/common/acl-noauth.0
create mode 100644 modules/dacs/files/common/acl-private.0
create mode 100644 modules/dacs/files/common/dacs.conf
create mode 100644 modules/dacs/files/common/site.conf
create mode 100644 modules/dacs/manifests/init.pp
diff --git a/modules/dacs/files/common/acl-noauth.0 b/modules/dacs/files/common/acl-noauth.0
new file mode 100644
index 000000000..4c573a600
--- /dev/null
+++ b/modules/dacs/files/common/acl-noauth.0
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/modules/dacs/files/common/acl-private.0 b/modules/dacs/files/common/acl-private.0
new file mode 100644
index 000000000..9c60c6095
--- /dev/null
+++ b/modules/dacs/files/common/acl-private.0
@@ -0,0 +1,12 @@
+
+
+
+
+
+
+
+ user("auth")
+
+
+
+
diff --git a/modules/dacs/files/common/dacs.conf b/modules/dacs/files/common/dacs.conf
new file mode 100644
index 000000000..d0085d04a
--- /dev/null
+++ b/modules/dacs/files/common/dacs.conf
@@ -0,0 +1,43 @@
+
+
+
+ FEDERATION_DOMAIN "debian.org"
+ FEDERATION_NAME "DEBIANORG"
+ EVAL ${Conf::JURISDICTION_AUTHSERVER}="sso.debian.org"
+ LOG_LEVEL "info"
+
+
+ JURISDICTION_NAME "DEBIAN"
+ ADMIN_IDENTITY "DEBIAN:zobel"
+
+ URL "https://sso.debian.org/cgi-bin/dacs/local_apache_authenticate"
+ STYLE "pass"
+ CONTROL "sufficient"
+ OPTION "AUTH_FILE=/etc/apache2/dsa-guest-web-passwords"
+ OPTION "AUTH_MODULE=mod_auth"
+
+
+ URL "https://sso.debian.org/cgi-bin/dacs/local_apache_authenticate"
+ STYLE "pass"
+ CONTROL "required"
+ OPTION "AUTH_FILE=/var/lib/misc/thishost/web-passwords"
+ OPTION "AUTH_MODULE=mod_auth"
+
+
+
+
diff --git a/modules/dacs/files/common/site.conf b/modules/dacs/files/common/site.conf
new file mode 100644
index 000000000..306bb627c
--- /dev/null
+++ b/modules/dacs/files/common/site.conf
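Review bot: The `CONTROL "sufficient"` clause on `/etc/apache2/dsa-guest-web-passwords` is listed before the `CONTROL "required"` clause on `/var/lib/misc/thishost/web-passwords`, and under DACS's PAM-style control semantics a successful match in the guest file completes authentication on its own, so the required file is never consulted for that request. If that is the intent, record it next to the guest clause, e.g. `# guest file: a match here is sufficient by itself; web-passwords is only consulted when it fails`. Neither AUTH_FILE is managed by the Puppet manifest in this patch, so a host that lacks them will fail authentication closed rather than fall back, which is worth documenting for whoever deploys the module. The enclosing XML elements (configuration, jurisdiction and auth clause ids) are not visible on this page, so the clause order is inferred from the directive sequence.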
@@ -0,0 +1,163 @@
+
+
+
+
+
+
+
+
+
+
+
+# TURN OFF ONLY FOR TESTING PURPOSES!
+SECURE_MODE "on"
+
+STATUS_LINE "off"
+
+NAME_COMPARE "case"
+
+# Establish default URL prefixes for the default access control rules.
+# Examine acls/acl-* in the distribution directory to see how these
+# variables are used.
+# Adjust or override these as necessary for your environment.
+EVAL ${Conf::dacs_cgi_bin_prefix} = "/cgi-bin/dacs"
+#EVAL ${Conf::dacs_sbin_prefix} = "${Conf::DACS_HOME}/sbin"
+EVAL ${Conf::dacs_htdocs_prefix} = ""
+
+# You might consider setting this to ".cgi" or ".exe" so that the default
+# access control rules work for DACS CGI executables.
+#EVAL ${Conf::dacs_cgi_bin_suffix} = ${Conf::CGI_SUFFIX}
+
+# Used by ustamp(), this must be a pathname, not a vfs object
+#EVAL ${Conf::ustamp_seqno} = "${Conf::DACS_HOME}/federations/seqno"
+
+# Enable for testing purposes only!
+ALLOW_HTTP_COOKIE "no"
+
+# See dacs_auth_agent(8)
+AUTH_AGENT_ALLOW_ADMIN_IDENTITY "no"
+
+#LOG_FILE "${Conf::DACS_HOME}/logs/${Conf::JURISDICTION_NAME}-" . strftime("%d-%b-%y") . ".log"
+LOG_FILE "/var/log/dacs/${Conf::JURISDICTION_NAME}.log"
+#LOG_FORMAT ${Env::REMOTE_ADDR:e} ? "[%t] [%l] [%p,%c,%F] [%sp:\"%sm\",%sf:%sl]" : "%a[%l]:"
+#LOG_LEVEL ${Env::REMOTE_ADDR:e} ? "INFO" : undef()
+LOG_LEVEL "notice"
+LOG_SENSITIVE "no"
+# Since it produces a lot of logging when tracing, override the default log
+# level for messages produced by the file crypt.c; for that file only, set
+# the log level to "debug"
+LOG_FILTER 'filename exact debug "crypto.c"'
+
+
+AUTH_FAIL_DELAY_SECS 2
+
+VERIFY_IP "no"
+
+# Override this if you must, but this default will avoid potential problems
+# and assorted complications if a request can be associated with multiple
+# identities
+ACS_CREDENTIALS_LIMIT "1"
+
+# The backward compatible default is to chuck the arguments and continue
+# if there is a problem with POST arguments
+#ACS_POST_EXCEPTION_MODE "discard"
+
+AUTH_CREDENTIALS_ADMIN_LIFETIME_SECS "20"
+AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS "43200"
+
+# Optional: A single DACS username eligible for administrative rights
+# This directive may be repeated to define multiple admins
+#ADMIN_IDENTITY "METALOGIC:rmorriso"
+
+# Default access control handlers
+# Note that these error handlers use local web-paths (relative to the
+# DocumentRoot), not full file pathnames. For the default configuration to
+# work properly, they require an Apache Alias directive to be configured to map
+# "/handlers" to "${Conf::DACS_HOME}/www/handlers".
+ACS_ERROR_HANDLER "* /handlers/acs_failed.html"
+
+# Default authentication and signout handlers
+# Since these are relative URLs, the Alias directive must be used as
+# explained above.
+# Note that the syntaxes of these directives are different from that of
+# ACS_ERROR_HANDLER.
+#AUTH_SUCCESS_HANDLER "url /handlers/auth_ok.html"
+AUTH_SUCCESS_HANDLER "url /cgi-bin/dacs/dacs_prenv"
+AUTH_ERROR_HANDLER "* url /handlers/auth_failed.html"
+SIGNOUT_HANDLER "url /handlers/signout_ok.html"
+
+# These handlers can only be URLs (absolute or relative)
+NOTICES_ACCEPT_HANDLER "/handlers/notices_accepted.html"
+NOTICES_DECLINE_HANDLER "/handlers/notices_declined.html"
+
+NOTICES_ACK_HANDLER ""
+NOTICES_SECURE_HANDLER "yes"
+NOTICES_WORKFLOW_LIFETIME_SECS 120
+NOTICES_NAT_NAME_PREFIX "NAT-DACS"
+
+SSL_PROG "${Conf::DACS_HOME}/bin/sslclient"
+# Override this if you need it - this example is undoubtedly incorrect
+#SSL_PROG_CA_CRT "${Conf::APACHE_HOME}/conf/dacs.example.com/ssl.crt/server.crt"
+SSL_PROG_CA_CRT "/usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt"
+
+# The default digest algorithm to use for DACS password entries
+PASSWORD_DIGEST "SHA1"
+
+# The URLs for schemas and DTDs used by DACS
+# Configure for your environment
+XSD_BASE_URL "/dtd-xsd"
+DTD_BASE_URL "/dtd-xsd"
+
+# The location of a directory containing the DTDs
+VFS "[dtds]dacs-fs:${Conf::DACS_HOME}/www/dtd-xsd"
+
+# The location of a file containing federation-wide encryption keys
+VFS "[federation_keys]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/federation_keyfile"
+
+# The location of a file containing jurisdiction-specific encryption keys
+VFS "[jurisdiction_keys]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/jurisdiction_keyfile"
+
+# The location of a directory containing the revocation file ("revocations")
+VFS "[revocations]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/acls/revocations"
+
+# The location of the root directory containing jurisdictional ACLs
+VFS "[acls]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/acls"
+
+# The location of the root directory containing default ACLs for DACS services
+#VFS "[dacs_acls]dacs-fs:${Conf::DACS_HOME}/acls"
+VFS "[dacs_acls]dacs-fs:/etc/dacs/acls"
+
+# The location of the root directory for groups
+VFS "[groups]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/groups"
+
+# The pseudo-type mounted on the DACS password file
+VFS "[passwds]dacs-kwv-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/passwd"
+
+# The pseudo-type mounted on the DACS roles file
+VFS "[roles]dacs-kwv-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/roles"
+
+# For dacstoken/local_token_authenticate
+VFS "[auth_token]dacs-kwv-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/auth_tokens"
+VFS "[auth_token_keys]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/auth_token_keys"
+VFS "[auth_token_keys_prev]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/auth_token_keys.prev"
+
+# This partially determines when a user agent will send a DACS cookie.
+# Set it to the most specific URL path under which all DACS-wrapped
+# services appear. This is particularly important if some CGI programs
+# at the jurisdiction are not trusted, since they might be used to steal
+# DACS identities.
+COOKIE_PATH "/"
+
+HTTP_PROG "${Conf::DACS_HOME}/bin/http"
+
+# InfoCard-related defaults
+# This assumes there is an Apache 'Alias' directive; e.g.,
+# Alias /infocards "/usr/local/dacs/www/infocards/"
+INFOCARD_CARD_IMAGE_BASE_URL "${Conf::DACS_HOME}/www/infocards"
+INFOCARD_CARD_OUTPUTDIR "${Conf::DACS_HOME}/www/infocards/output"
+INFOCARD_IP_PRIVACY_URL "/infocards/managed_privacy_default.txt"
+INFOCARD_IP_PRIVACY_VERSION "1"
+
+
+
+
diff --git a/modules/dacs/manifests/init.pp b/modules/dacs/manifests/init.pp
new file mode 100644
index 000000000..a9e703de2
--- /dev/null
+++ b/modules/dacs/manifests/init.pp
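Review bot: `LOG_FILTER 'filename exact debug "crypto.c"'` is left active, so the crypto source logs at debug level in a production jurisdiction while everything else runs at `LOG_LEVEL "notice"`, and the comment above it names `crypt.c`, so the filter and its comment disagree; unless that extra tracing is wanted on the live server the line should be commented out like the other testing-only directives in this file, and the comment corrected to whichever filename is meant. `PASSWORD_DIGEST "SHA1"` picks the digest for new DACS password entries; if the installed DACS build offers a SHA-2 digest for password entries, prefer it, otherwise a one-line comment on why SHA1 is retained would help the next reader. `LOG_FILE "/var/log/dacs/${Conf::JURISDICTION_NAME}.log"` assumes /var/log/dacs exists, and the Puppet manifest in this patch does not create it — presumably the dacs package does, but that is not visible here. The XML container elements of this file are not visible on this page.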
@@ -0,0 +1,101 @@
+class dacs {
+ package {
+ "dacs": ensure => installed;
+ "libapache2-mod-dacs": ensure => installed;
+ }
+
+ file {
+ "/etc/dacs/federations":
+ ensure => directory,
+ owner => root,
+ group => www-data,
+ mode => 750,
+ purge => true
+ ;
+
+ "/etc/dacs/federations/debian.org/":
+ ensure => directory,
+ owner => root,
+ group => www-data,
+ mode => 750,
+ purge => true
+ ;
+
+ "/etc/dacs/federations/debian.org/DEBIAN":
+ ensure => directory,
+ owner => root,
+ group => www-data,
+ mode => 750,
+ purge => true
+ ;
+
+ "/etc/dacs/federations/debian.org/DEBIAN/acls":
+ ensure => directory,
+ owner => root,
+ group => www-data,
+ mode => 750,
+ purge => true
+ ;
+
+ "/etc/dacs/federations/debian.org/DEBIAN/groups":
+ ensure => directory,
+ owner => root,
+ group => www-data,
+ mode => 750,
+ purge => true
+ ;
+
+ "/etc/dacs/federations/site.conf":
+ source => [ "puppet:///modules/dacs/per-host/$fqdn/site.conf",
+ "puppet:///modules/dacs/common/site.conf" ],
+ mode => 640,
+ owner => root,
+ group => www-data
+ ;
+
+ "/etc/dacs/federations/debian.org/DEBIAN/dacs.conf":
+ source => [ "puppet:///modules/dacs/per-host/$fqdn/dacs.conf",
+ "puppet:///modules/dacs/common/dacs.conf" ],
+ mode => 640,
+ owner => root,
+ group => www-data
+ ;
+
+ "/etc/dacs/federations/debian.org/DEBIAN/acls/revocations":
+ source => [ "puppet:///modules/dacs/per-host/$fqdn/revocations",
+ "puppet:///modules/dacs/common/revocations" ],
+ mode => 640,
+ owner => root,
+ group => www-data
+ ;
+
+ "/etc/dacs/federations/debian.org/DEBIAN/acls/acl-noauth.0":
+ source => [ "puppet:///modules/dacs/per-host/$fqdn/acl-noauth.0",
+ "puppet:///modules/dacs/common/acl-noauth.0" ],
+ mode => 640,
+ owner => root,
+ group => www-data
+ notify => Exec["dacsacl"]
+ ;
+
+ "/etc/dacs/federations/debian.org/DEBIAN/acls/acl-private.0":
+ source => [ "puppet:///modules/dacs/per-host/$fqdn/acl-private.0",
+ "puppet:///modules/dacs/common/acl-private.0" ],
+ mode => 640,
+ owner => root,
+ group => www-data
+ notify => Exec["dacsacl"]
+ ;
+ }
+
+ exec {
+ "dacsacl":
+ command => "dacsacl -uj DEBIAN",
+ refreshonly => true,
+ }
+
+
+}
+# vim:set et:
+# vim:set sts=4 ts=4:
+# vim:set shiftwidth=4:
-- 
2.20.1
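Review bot: `group => www-data` is not followed by a comma before `notify => Exec["dacsacl"]` in both the acl-noauth.0 and the acl-private.0 file resources, which is a Puppet parse error that takes the whole catalog down on every host that includes the dacs class; both lines should read `group => www-data,`. `puppet:///modules/dacs/common/revocations` is given as the fallback source for `.../acls/revocations`, but this commit adds no `files/common/revocations` (the diffstat lists five files), so that resource fails on any host without a per-host copy. `purge => true` on the five directory resources has no effect without `recurse => true`, so either add recurse or drop purge rather than implying that stray ACL files are cleaned up. The exec `dacsacl -uj DEBIAN` is a relative command with no `path`, which Puppet rejects unless an Exec resource default sets one elsewhere in the site — not visible in this patch.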