Make storyboard run over ssl

We're doing auth now, so we should really do it over SSL.

The cert contents are already in hiera.

Change-Id: Ia939e228785168705840acd6d377e6c25ba3370d

manifests/site.pp

@@ -458,9 +458,9 @@ node 'storyboard.openstack.org' {
     mysql_host              => hiera('storyboard_db_host'),
     mysql_user              => hiera('storyboard_db_user'),
     mysql_password          => hiera('storyboard_db_password'),
-#    ssl_cert_file_contents  => hiera('storyboard_ssl_cert_file_contents'),
+    ssl_cert_file_contents  => hiera('storyboard_ssl_cert_file_contents'),
-#    ssl_key_file_contents   => hiera('storyboard_ssl_key_file_contents'),
+    ssl_key_file_contents   => hiera('storyboard_ssl_key_file_contents'),
-#    ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
+    ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
   }
 }
 

modules/openstack_project/manifests/storyboard.pp

@@ -5,10 +5,13 @@ class openstack_project::storyboard(
   $mysql_password = '',
   $mysql_user = '',
   $sysadmins = [],
+  $ssl_cert_file_contents = '',
+  $ssl_key_file_contents = '',
+  $ssl_chain_file_contents = '',
 ) {
   class { 'openstack_project::server':
     sysadmins                 => $sysadmins,
-    iptables_public_tcp_ports => [80],
+    iptables_public_tcp_ports => [80, 443],
   }
 
   class { '::storyboard':
@@ -17,6 +20,14 @@ class openstack_project::storyboard(
     mysql_user              => $mysql_user,
     projects_file           =>
       'puppet:///modules/openstack_project/review.projects.yaml',
+    ssl_cert_file           =>
+      '/etc/ssl/certs/storyboard.openstack.org.pem',
+    ssl_key_file            =>
+      '/etc/ssl/private/storyboard.openstack.org.key',
+    ssl_chain_file          => '/etc/ssl/certs/intermediate.pem',
+    ssl_cert_file_contents  => $ssl_cert_file_contents,
+    ssl_key_file_contents   => $ssl_key_file_contents,
+    ssl_chain_file_contents => $ssl_chain_file_contents,
   }
 
 }

modules/storyboard/manifests/init.pp

@@ -20,10 +20,16 @@ class storyboard (
   $mysql_password,
   $mysql_user,
   $projects_file,
+  $ssl_cert_file,
+  $ssl_key_file,
+  $ssl_chain_file,
   $storyboard_git_source_repo = 'https://git.openstack.org/openstack-infra/storyboard/',
   $storyboard_revision = 'master',
-  $storyboard_webclient_url = 'http://tarballs.openstack.org/storyboard-webclient/storyboard-webclient-latest.tar.gz'
+  $storyboard_webclient_url = 'http://tarballs.openstack.org/storyboard-webclient/storyboard-webclient-latest.tar.gz',
-
+  $serveradmin = "webmaster@${::fqdn}",
+  $ssl_cert_file_contents = '',
+  $ssl_key_file_contents = '',
+  $ssl_chain_file_contents = ''
 ) {
   include apache
   include mysql::python
@@ -162,6 +168,7 @@ class storyboard (
     priority => '50',
     template => 'storyboard/storyboard.vhost.erb',
     require  => Package['libapache2-mod-wsgi'],
+    ssl      => true,
   }
 
   a2mod { 'proxy':
@@ -177,4 +184,33 @@ class storyboard (
     require => Package['libapache2-mod-wsgi'],
   }
 
+  if $ssl_cert_file_contents != '' {
+    file { $ssl_cert_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_cert_file_contents,
+      before  => Apache::Vhost[$vhost_name],
+    }
+  }
+
+  if $ssl_key_file_contents != '' {
+    file { $ssl_key_file:
+      owner   => 'root',
+      group   => 'ssl-cert',
+      mode    => '0640',
+      content => $ssl_key_file_contents,
+      before  => Apache::Vhost[$vhost_name],
+    }
+  }
+
+  if $ssl_chain_file_contents != '' {
+    file { $ssl_chain_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_chain_file_contents,
+      before  => Apache::Vhost[$vhost_name],
+    }
+  }
 }

modules/storyboard/templates/storyboard.vhost.erb

@@ -1,7 +1,49 @@
-<VirtualHost *:80>
+<VirtualHost <%= scope.lookupvar("storyboard::vhost_name") %>:80>
+  ServerAdmin <%= scope.lookupvar("storyboard::serveradmin") %>
+
+  ErrorLog ${APACHE_LOG_DIR}/storyboard-error.log
+
+  LogLevel warn
+
+  CustomLog ${APACHE_LOG_DIR}/storyboard-access.log combined
+
+  Redirect / https://<%= scope.lookupvar("storyboard::vhost_name") %>/
+
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost <%= scope.lookupvar("storyboard::vhost_name") %>:443>
+  ServerName <%= scope.lookupvar("storyboard::vhost_name") %>
+  ServerAdmin <%= scope.lookupvar("storyboard::serveradmin") %>
+
+  ErrorLog ${APACHE_LOG_DIR}/storyboard-ssl-error.log
+
+  LogLevel warn
+
+  CustomLog ${APACHE_LOG_DIR}/storyboard-ssl-access.log combined
+
+  SSLEngine on
+
+  SSLCertificateFile      <%= scope.lookupvar("storyboard::ssl_cert_file") %>
+  SSLCertificateKeyFile   <%= scope.lookupvar("storyboard::ssl_key_file") %>
+<% if scope.lookupvar("storyboard::ssl_chain_file") != "" %>
+  SSLCertificateChainFile <%= scope.lookupvar("storyboard::ssl_chain_file") %>
+<% end %>
+
+  <FilesMatch "\.(cgi|shtml|phtml|php)$">
+      SSLOptions +StdEnvVars
+  </FilesMatch>
+  <Directory /usr/lib/cgi-bin>
+      SSLOptions +StdEnvVars
+  </Directory>
+
+  BrowserMatch "MSIE [2-6]" \
+      nokeepalive ssl-unclean-shutdown \
+      downgrade-1.0 force-response-1.0
+  # MSIE 7 and newer should be able to use keepalive
+  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
   DocumentRoot /var/lib/storyboard/www
-  ErrorLog /var/log/apache2/storyboard-error.log
-  CustomLog /var/log/apache2/storyboard-access.log common
 
   WSGIDaemonProcess storyboard user=storyboard group=storyboard threads=5 python-path=/usr/local/lib/python2.7/dist-packages
   WSGIScriptAlias /api /usr/local/lib/python2.7/dist-packages/storyboard/api/app.wsgi
@@ -15,4 +57,6 @@
              Order deny,allow
              Allow from all
   </Directory>
+
 </VirtualHost>
+</IfModule>