From 06bbf62fc4ae50c04cbdf8eac7bb8e6e831685c4 Mon Sep 17 00:00:00 2001
From: Anita Kuno
Date: Fri, 30 Mar 2018 14:26:01 -0400
Subject: [PATCH] This patch impliments the survey spec: I3c389596373b94459a32a4e540d514a2941acbb1

Co-Authored-By: Jeremy Stanley
Change-Id: Iad9e5bde37c467b9930c354f4d0b312b219d05b3
Story: 2000691
Task: 3164
---
 manifests/site.pp | 22 ++
 .../files/puppetmaster/groups.txt | 1 +
 .../files/ssl_cert_check/ssldomains | 1 +
 modules/openstack_project/manifests/survey.pp | 198 ++++++++++++++++++
 .../templates/survey.config.php.erb | 65 ++++++
 .../templates/survey.vhost.erb | 53 +++++
 6 files changed, 340 insertions(+)
 create mode 100644 modules/openstack_project/manifests/survey.pp
 create mode 100644 modules/openstack_project/templates/survey.config.php.erb
 create mode 100644 modules/openstack_project/templates/survey.vhost.erb

diff --git a/manifests/site.pp b/manifests/site.pp
index 02b4f51a45..733dfc9a67 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -904,6 +904,28 @@ node /^status\d*\.openstack\.org$/ {
 }
 }
+# Node-OS: xenial
+node /^survey\d+\.openstack\.org$/ {
+ $group = "survey"
+ class { 'openstack_project::server':
+ iptables_public_tcp_ports => [22, 80, 443],
+ sysadmins => hiera('sysadmins', []),
+ }
+
+ class { 'openstack_project::survey':
+ vhost_name => 'survey.openstack.org',
+ auth_openid => true,
+ ssl_cert_file_contents => hiera('ssl_cert_file_contents'),
+ ssl_key_file_contents => hiera('ssl_key_file_contents'),
+ ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
+ dbpassword => hiera('dbpassword'),
+ dbhost => hiera('dbhost'),
+ adminuser => hiera('adminuser'),
+ adminpass => hiera('adminpass'),
+ adminmail => hiera('adminmail'),
+ }
+}
+
 # This is a hidden authoritative master nameserver, not publicly
 # accessible.
 # Node-OS: xenial
diff --git a/modules/openstack_project/files/puppetmaster/groups.txt b/modules/openstack_project/files/puppetmaster/groups.txt
index 91b075b845..e6138e923f 100644
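Review bot: `auth_openid => true` hands a bare boolean to openstack_project::survey, whose parameter comment documents a hash of OpenID settings (banner, singleIdp, trusted, any_valid_user, users); the mismatch is harmless today only because survey.vhost.erb hardcodes the IdP and trust root and treats the parameter as an on/off switch. Either pass the hash the class promises or change the class comment to say the value is a boolean switch, so the two files agree on what controls access. The secrets are looked up from hiera without defaults, which correctly fails catalog compilation instead of deploying the service with empty credentials; keep them default-less.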
--- a/modules/openstack_project/files/puppetmaster/groups.txt
+++ b/modules/openstack_project/files/puppetmaster/groups.txt
@@ -15,6 +15,7 @@ nodepool nodepool*.openstack.org:nb*.openstack.org:nl*.openstack.org
 review ~review\d+\.openstack\.org
 review-dev ~review-dev\d*\.openstack\.org
 subunit-worker ~subunit-worker\d+\.openstack\.org
+survey ~survey\d+\.openstack\.org
 translate ~translate\d+\.openstack\.org
 translate-dev ~translate-dev\d*\.openstack\.org
 wiki ~wiki\d+\.openstack\.org
diff --git a/modules/openstack_project/files/ssl_cert_check/ssldomains b/modules/openstack_project/files/ssl_cert_check/ssldomains
index 729365d5a8..68bde3a6dc 100644
--- a/modules/openstack_project/files/ssl_cert_check/ssldomains
+++ b/modules/openstack_project/files/ssl_cert_check/ssldomains
@@ -13,6 +13,7 @@ refstack.openstack.org 443
 review.openstack.org 443
 static.openstack.org 443
 storyboard.openstack.org 443
+survey.openstack.org 443
 translate.openstack.org 443
 wiki.openstack.org 443
 www.openstack.org 443
diff --git a/modules/openstack_project/manifests/survey.pp b/modules/openstack_project/manifests/survey.pp
new file mode 100644
index 0000000000..83d0df22f4
--- /dev/null
+++ b/modules/openstack_project/manifests/survey.pp
@@ -0,0 +1,198 @@
+class openstack_project::survey (
+ $vhost_name = $::fqdn,
+ $ssl_cert_file = '/etc/ssl/certs/survey.openstack.org.pem',
+ $ssl_key_file = '/etc/ssl/private/survey.openstack.org.key',
+ $ssl_chain_file = '/etc/ssl/certs/intermediate.pem',
+ $ssl_cert_file_contents = '',
+ $ssl_key_file_contents = '',
+ $ssl_chain_file_contents = '',
+ $dbpassword = '',
+ $dbhost = '',
+ # Table containing openid auth details. If undef not enabled
+ # Example dict:
+ # {
+ # banner => "Welcome",
+ # singleIdp => "https://openstackid.org",
+ # trusted => '^https://openstackid.org/.*$',
+ # any_valid_user => false,
+ # users => ['https://openstackid.org/foo',
+ # 'https://openstackid.org/bar'],
+ # }
+ # Note that if you care which users get access set any_valid_user to false
+ # and then provide an explicit list of openids in the users list. Otherwise
+ # set any_valid_user to true and any successfully authenticated user will
+ # get access.
+ $auth_openid = undef,
+ $docroot = '/var/www',
+ $runtime_dir_mode = '0755',
+ $download_url = 'https://github.com/LimeSurvey/LimeSurvey/archive/',
+ $version = '3.7.0+180418',
+ $www_group = 'www-data',
+ $www_user = 'www-data',
+ # These are required for bootstrapping, so do not have defaults.
+ $adminuser,
+ $adminpass,
+ $adminmail,
+) {
+
+ $distro_packages = [
+ 'libapache2-mod-php',
+ 'php',
+ 'php-gd',
+ 'php-imap',
+ 'php-ldap',
+ 'php-mbstring',
+ 'php-mcrypt',
+ 'php-mysql',
+ 'php-xml',
+ 'php-zip',
+ 'ssl-cert',
+ ]
+
+ package { $distro_packages:
+ ensure => present,
+ }
+
+ exec { 'limesurvey-download':
+ path => '/bin:/usr/bin',
+ creates => "${docroot}/tmp/runtime",
+ command => "bash -c 'cd /tmp; wget ${download_url}${version}.tar.gz'",
+ require => File[$docroot],
+ user => $www_user,
+ }
+
+ exec { 'limesurvey-unzip':
+ path => '/bin:/usr/bin',
+ cwd => '/tmp',
+ creates => "${docroot}/tmp/runtime",
+ command => "bash -c 'cd /tmp; tar zxf /tmp/${version}.tar.gz -C ${docroot} --strip-components=1'",
+ notify => Exec['limesurvey-install'],
+ require => Exec['limesurvey-download'],
+ user => $www_user,
+ }
+
+ exec { 'limesurvey-install':
+ command => "/usr/bin/php console.php install ${adminuser} ${adminpass} 'Default Administrator' ${adminmail}",
+ cwd => "${docroot}/application/commands",
+ refreshonly => true,
+ require => [
+ File["${docroot}/application/config/config.php"],
+ Package[$distro_packages],
+ ],
+ user => $www_user,
+ }
+
+ file { "/tmp/${version}.tar.gz":
+ ensure => absent,
+ require => Exec['limesurvey-unzip'],
+ }
+
+ file { "${docroot}/tmp/runtime/":
+ ensure => directory,
+ mode => $runtime_dir_mode,
+ require => Exec['limesurvey-install'],
+ }
+
+ file { "${docroot}/application/config/config.php":
+ ensure => present,
+ owner => $www_user,
+ group => $www_group,
+ mode => '0660',
+ content => template ('openstack_project/survey.config.php.erb'),
+ replace => true,
+ require => Exec['limesurvey-unzip'],
+ }
+
+ include ::httpd
+ ::httpd::vhost { $vhost_name:
+ port => 443,
+ docroot => $docroot,
+ priority => '50',
+ template => 'openstack_project/survey.vhost.erb',
+ ssl => true,
+ }
+
+ if !defined(Mod['rewrite']) {
+ httpd::mod { 'rewrite':
+ ensure => present,
+ }
+ }
+ if ($auth_openid != undef) {
+ if !defined(Package['libapache2-mod-auth-openid']) {
+ package { 'libapache2-mod-auth-openid':
+ ensure => present,
+ }
+ }
+ if !defined(Mod['auth_openid']) {
+ # Workaround for https://bugs.debian.org/759209
+ file { '/etc/apache2/mods-available/auth_openid.load':
+ ensure => present,
+ content => 'LoadModule authopenid_module /usr/lib/apache2/modules/mod_auth_openid.so',
+ replace => true,
+ require => Package['libapache2-mod-auth-openid'],
+ }
+ httpd::mod { 'auth_openid':
+ ensure => present,
+ require => File['/etc/apache2/mods-available/auth_openid.load'],
+ }
+ }
+ }
+
+ file { $docroot:
+ ensure => directory,
+ owner => $www_user,
+ group => $www_group,
+ }
+
+ file { "${docroot}/robots.txt":
+ ensure => present,
+ source => 'puppet:///modules/openstack_project/disallow_robots.txt',
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ require => File[$docroot],
+ }
+
+ file { '/etc/ssl/certs':
+ ensure => directory,
+ owner => 'root',
+ mode => '0755',
+ }
+
+ file { '/etc/ssl/private':
+ ensure => directory,
+ owner => 'root',
+ mode => '0700',
+ }
+
+ if $ssl_cert_file_contents != '' {
+ file { $ssl_cert_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_cert_file_contents,
+ before => Httpd::Vhost[$vhost_name],
+ }
+ }
+
+ if $ssl_key_file_contents != '' {
+ file { $ssl_key_file:
+ owner => 'root',
+ group => 'ssl-cert',
+ mode => '0640',
+ content => $ssl_key_file_contents,
+ require => Package['ssl-cert'],
+ before => Httpd::Vhost[$vhost_name],
+ }
+ }
+
+ if $ssl_chain_file_contents != '' {
+ file { $ssl_chain_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_chain_file_contents,
+ before => Httpd::Vhost[$vhost_name],
+ }
+ }
+}
diff --git a/modules/openstack_project/templates/survey.config.php.erb b/modules/openstack_project/templates/survey.config.php.erb
new file mode 100644
index 0000000000..9e398b7236
--- /dev/null
+++ b/modules/openstack_project/templates/survey.config.php.erb
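Review bot: The `limesurvey-install` exec interpolates `${adminpass}` (and the admin user and mail) straight into the command line, so the bootstrap admin password is visible to every local user in `ps`/`/proc/*/cmdline` while `console.php install` runs and is written into the Puppet agent log and report whenever the exec fails, since Puppet logs the failed command verbatim. Pass the credentials through `environment` and read them inside the shell instead, and set `logoutput => false` so console.php's own output cannot echo them; the rewrite is below. Two related, lower-priority points in the same hunk: `limesurvey-download` fetches the GitHub archive tarball with no checksum or signature check, so pinning `$version` alone does not guarantee what gets unpacked (consider a `sha256sum -c` step before `limesurvey-unzip`), and because both execs run as `$www_user` and `$docroot` is owned by it, the entire application tree is writable by the web server, which turns any LimeSurvey file-write or upload bug into persistent code modification — extracting as root and leaving only `tmp/` and `upload/` writable by `$www_user` would confine that. The `auth_openid` parameter comment documents a hash but the value is only ever compared against `undef`, so the note about `any_valid_user` and `users` describes behaviour this class does not implement; trim the comment to what is used.
```puppet
 exec { 'limesurvey-install':
 # Bootstrap credentials go through the environment rather than argv so
 # they do not show up in `ps` or in the command Puppet logs on failure.
 command => '/bin/sh -c \'exec /usr/bin/php console.php install "$LS_ADMINUSER" "$LS_ADMINPASS" "Default Administrator" "$LS_ADMINMAIL"\'',
 environment => [
 "LS_ADMINUSER=${adminuser}",
 "LS_ADMINPASS=${adminpass}",
 "LS_ADMINMAIL=${adminmail}",
 ],
 logoutput => false,
 cwd => "${docroot}/application/commands",
 # … unchanged: refreshonly, require, user …
 }
```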
@@ -0,0 +1,65 @@
+ array(
+ 'db' => array(
+ 'connectionString' => 'mysql:host=<%= @dbhost %>;port=3306;dbname=limesurvey;',
+ 'emulatePrepare' => true,
+ 'username' => 'limesurvey',
+ 'password' => '<%= @dbpassword %>',
+ 'charset' => 'utf8mb4',
+ 'tablePrefix' => '',
+ ),
+
+ // Uncomment the following line if you need table-based sessions
+ // 'session' => array (
+ // 'class' => 'application.core.web.DbHttpSession',
+ // 'connectionID' => 'db',
+ // 'sessionTableName' => '{{sessions}}',
+ // ),
+
+ 'urlManager' => array(
+ 'urlFormat' => 'path',
+ 'rules' => array(
+ // You can add your own rules here
+ ),
+ 'showScriptName' => true,
+ ),
+
+ ),
+ // Use the following config variable to set modified optional settings copied from config-defaults.php
+ 'config'=>array(
+ // debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this
+ // then please check your error-logs - either in your hosting provider admin panel or in some /logs directory
+ // on your webspace.
+ // LimeSurvey developers: Set this to 2 to additionally display STRICT PHP error messages and get full access to standard templates
+ 'debug'=>0,
+ 'debugsql'=>0, // Set this to 1 to enanble sql logging, only active when debug = 2
+ // Update default LimeSurvey config here
+ 'auth_webserver'=>true,
+ 'auth_webserver_autocreate_user'=>true,
+ )
+);
+/* End of file config.php */
+/* Location: ./application/config/config.php */
diff --git a/modules/openstack_project/templates/survey.vhost.erb b/modules/openstack_project/templates/survey.vhost.erb
new file mode 100644
index 0000000000..8892c41053
--- /dev/null
+++ b/modules/openstack_project/templates/survey.vhost.erb
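Review bot: `'auth_webserver'=>true` together with `'auth_webserver_autocreate_user'=>true` makes LimeSurvey trust whatever identity Apache places in REMOTE_USER and create a backend account for it on first visit, and the accompanying vhost accepts any identity matching `^https://openstackid.org/.*$`, so every openstackid user can self-provision a LimeSurvey login; nothing in this file constrains what those auto-created accounts may do. If that is the intent, pin it down explicitly by also setting the autocreate permission/profile keys that config-defaults.php exposes (`auth_webserver_autocreate_permissions` in the versions I know of — confirm against the 3.7 defaults shipped in the tarball) rather than inheriting whatever the upstream default grants. Add a comment at the two keys stating the dependency, e.g. `// Trusts REMOTE_USER set by mod_auth_openid in survey.vhost.erb; never enable outside that vhost.`. The opening `<?php` / `return array('components' =>` lines appear to have been lost in this rendering of the hunk, so the review starts at the `'db'` key.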
@@ -0,0 +1,53 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+:80>
+ ServerName <%= @srvname %>
+ ReWriteEngine On
+ ReWriteRule ^/(.*) https://<%= @srvname %>/$1 [last,redirect=permanent]
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @name %>_error.log
+ CustomLog /var/log/apache2/<%= @name %>_access.log combined
+ ServerSignature Off
+
+
+:<%= @port %>>
+ ServerName <%= @srvname %>
+
+ DocumentRoot <%= @docroot %>
+ >
+ Options <%= @options %>
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ Require all granted
+
+
+ <% if @auth_openid != nil %>
+
+ AuthType OpenID
+ AuthName "Welcome"
+ AuthOpenIDSecureCookie On
+ AuthOpenIDCookieLifespan 3600
+ AuthOpenIDTrustRoot https://survey01.openstack.org
+ AuthOpenIDServerName https://survey01.openstack.org
+ AuthOpenIDSingleIdP https://openstackid.org
+ AuthOpenIDTrusted ^https://openstackid.org/.*$
+ Require valid-user
+
+ <% end %>
+
+ SSLEngine on
+ SSLProtocol ALL -SSLv2 -SSLv3
+ SSLCertificateFile <%= scope.lookupvar("openstack_project::survey::ssl_cert_file") %>
+ SSLCertificateKeyFile <%= scope.lookupvar("openstack_project::survey::ssl_key_file") %>
+ <% if scope.lookupvar("openstack_project::survey::ssl_chain_file") != "" %>
+ SSLCertficateChainFile <%= scope.lookupvar("openstack_project::survey::ssl_chain_file") %>
+ <% end %>
+
+ ErrorLog /var/log/apache2/<%= @name %>_error.log
+ LogLevel warn
+ CustomLog /var/log/apache2/<%= @name %>_access.log combined
+ ServerSignature Off
+
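Review bot: The guard `<% if @auth_openid != nil %>` reads an instance variable of the scope the template is rendered in, which is the `httpd::vhost` define, not `openstack_project::survey`; unless that define exposes an `auth_openid` parameter (it is not visible here), `@auth_openid` is nil, the whole OpenID block is silently dropped and the site is served with no authentication at all — the SSL lines a few directives below already show the correct pattern, so use `<% if scope.lookupvar("openstack_project::survey::auth_openid") %>` and confirm the rendered vhost on a test node actually contains the Location block (check the lookupvar return value for undef on the Puppet version in use). `SSLCertficateChainFile` is misspelled (missing "i"), which makes Apache refuse its configuration as soon as a chain file is configured, as site.pp does; it must be `SSLCertificateChainFile`. `AuthOpenIDTrustRoot` and `AuthOpenIDServerName` hardcode `https://survey01.openstack.org` while `ServerName` is `<%= @srvname %>` (`survey.openstack.org` from site.pp), so the realm users approve at the IdP and the return URL differ from the host they visit; use `AuthOpenIDTrustRoot https://<%= @srvname %>` and the same for ServerName. Separately, `SSLProtocol ALL -SSLv2 -SSLv3` still admits TLS 1.0/1.1 and no SSLCipherSuite or HSTS header is set; consider the same TLS policy the other openstack.org vhosts use.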