From f627a07cb4ac806d6845f2a2782f5808e193dce0 Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Tue, 12 May 2015 17:24:18 -0700
Subject: [PATCH 1/3] Fix non-ssl usage If enable_ssl is false, the script still tries to read the public/private_key_path, and completely fails if the files are missing or invalid. This fixes the script to NOT pass those parameters (or try to read the files) unless enable_ssl is true.
Signed-off-by: Robin H. Johnson
---
 templates/webhook.bin.erb | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/templates/webhook.bin.erb b/templates/webhook.bin.erb
index 5be350e2..30f0a271 100755
--- a/templates/webhook.bin.erb
+++ b/templates/webhook.bin.erb
@@ -42,16 +42,18 @@ $config['private_key_path'] = File.join("#{$config['certpath']}", "#{$config['ce
 <% end %>
 opts = {
- :Host => $config['bind_address'],
- :Port => $config['port'],
- :Logger => $logger,
- :ServerType => WEBrick::Daemon,
- :SSLEnable => $config['enable_ssl'],
- :SSLVerifyClient => OpenSSL::SSL::VERIFY_NONE,
- :SSLCertificate => OpenSSL::X509::Certificate.new(File.open("#{$config['public_key_path']}").read),
- :SSLPrivateKey => OpenSSL::PKey::RSA.new(File.open("#{$config['private_key_path']}").read),
- :SSLCertName => [ [ "CN",WEBrick::Utils::getservername ] ]
+ :Host => $config['bind_address'],
+ :Port => $config['port'],
+ :Logger => $logger,
+ :ServerType => WEBrick::Daemon,
+ :SSLEnable => $config['enable_ssl'],
 }
+if $config['enable_ssl'] then
+ opts[:SSLVerifyClient] = OpenSSL::SSL::VERIFY_NONE,
+ opts[:SSLCertificate] = OpenSSL::X509::Certificate.new(File.open("#{$config['public_key_path']}").read),
+ opts[:SSLPrivateKey] = OpenSSL::PKey::RSA.new(File.open("#{$config['private_key_path']}").read),
+ opts[:SSLCertName] = [ [ "CN",WEBrick::Utils::getservername ] ]
+end
 class Server < Sinatra::Base
From b748318df7b57cdb9c1746b0a2889b6f6daaae8b Mon Sep 17 00:00:00 2001
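Review bot: The first three `opts[...] =` lines inside the new `if $config['enable_ssl'] then` block end in a comma, which Ruby parses as a single multiple-assignment: `opts[:SSLVerifyClient]` receives an Array of all four right-hand values rather than `OpenSSL::SSL::VERIFY_NONE`, so the SSL branch this patch is meant to preserve most likely fails when WEBrick builds its SSL context. Drop the trailing commas so each line is a plain assignment, e.g. `opts[:SSLVerifyClient] = OpenSSL::SSL::VERIFY_NONE`. Since these lines are being moved anyway, `File.open("#{$config['public_key_path']}").read` leaves the descriptor open until garbage collection; `File.read($config['public_key_path'])` reads and closes in one call. The `then` is redundant on a multi-line `if`.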
From: "Robin H. Johnson"
Date: Tue, 12 May 2015 17:32:59 -0700
Subject: [PATCH 2/3] parameterize template arguments.
Signed-off-by: Robin H. Johnson
---
 manifests/config.pp | 3 ++-
 manifests/params.pp | 2 ++
 manifests/webhook.pp | 3 ++-
 manifests/webhook/config.pp | 3 ++-
 4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/manifests/config.pp b/manifests/config.pp
index 83e7e09f..1aa4a0d0 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -58,6 +58,7 @@
 $r10k_basedir = $r10k::params::r10k_basedir,
 $manage_configfile_symlink = $r10k::params::manage_configfile_symlink,
 $configfile_symlink = '/etc/r10k.yaml',
+ $r10k_yaml_template = 'r10k/r10k.yaml.erb'
 ) inherits r10k::params {
 validate_bool($manage_modulepath)
@@ -92,7 +93,7 @@
 group => '0',
 mode => '0644',
 path => $configfile,
- content => template('r10k/r10k.yaml.erb'),
+ content => template($r10k_yaml_template),
 }
 if $manage_configfile_symlink_real == true {
diff --git a/manifests/params.pp b/manifests/params.pp
index 32455374..32330566 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -51,6 +51,8 @@
 $webhook_r10k_deploy_arguments = '-pv'
 $webhook_public_key_path = undef
 $webhook_private_key_path = undef
+ $webhook_bin_template = 'r10k/webhook.bin.erb'
+ $webhook_yaml_template = 'r10k/webhook.yaml.erb'
 if $::osfamily == Debian {
 $functions_path = '/lib/lsb/init-functions'
diff --git a/manifests/webhook.pp b/manifests/webhook.pp
index 890a3ce6..92346e0e 100644
--- a/manifests/webhook.pp
+++ b/manifests/webhook.pp
@@ -3,6 +3,7 @@
 $user = 'peadmin',
 $group = 'peadmin',
 $git_server = 'localhost',
+ $webhook_bin_template = $::r10k::params::webhook_bin_template,
 ) inherits r10k::params {
 File {
@@ -35,7 +36,7 @@
 }
 file { 'webhook_bin':
- content => template('r10k/webhook.bin.erb'),
+ content => template($webhook_bin_template),
 path => '/usr/local/bin/webhook',
 notify => Service['webhook'],
 }
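Review bot: The new `$r10k_yaml_template` parameter in the first `manifests/config.pp` hunk takes its default inline (`'r10k/r10k.yaml.erb'`), while the two webhook template parameters added in this same patch get theirs from `r10k::params`; declaring `$r10k_yaml_template = 'r10k/r10k.yaml.erb'` in params.pp and defaulting to `$r10k::params::r10k_yaml_template` here would keep the three alike. This class already runs `validate_bool($manage_modulepath)` a few lines below the new parameter; a `validate_string($r10k_yaml_template)` there (and the same for the other new template parameters) rejects a non-string value before `template()` tries to resolve it. In the `manifests/webhook.pp` hunk the default is written in top-scope form, `$::r10k::params::webhook_bin_template`, where the neighbouring manifests in this patch write `$r10k::params::...`; both resolve, but one spelling should be used. The parameter lists these hunks touch open above the hunks.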
diff --git a/manifests/webhook/config.pp b/manifests/webhook/config.pp
index 506c75db..de5be8eb 100644
--- a/manifests/webhook/config.pp
+++ b/manifests/webhook/config.pp
@@ -27,6 +27,7 @@
 $r10k_deploy_arguments = $r10k::params::webhook_r10k_deploy_arguments,
 $public_key_path = $r10k::params::webhook_public_key_path,
 $private_key_path = $r10k::params::webhook_private_key_path,
+ $yaml_template = $r10k::params::webhook_yaml_template,
 $configfile = '/etc/webhook.yaml',
 ) inherits r10k::params {
@@ -65,7 +66,7 @@
 group => '0',
 mode => '0644',
 path => $configfile,
- content => template('r10k/webhook.yaml.erb'),
+ content => template($yaml_template),
 notify => Service['webhook'],
 }
 }
From 9a80bfa614d9bf07eefd213368471224d3a50752 Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Tue, 12 May 2015 17:41:25 -0700
Subject: [PATCH 3/3] command_prefix: Ability to run mco/r10k via sudo It should be possible to run the webhook as an unprivileged user (eg nobody) and only invoke r10k/mco via sudo. sudoers examples: nobody ALL=(root) NOPASSWD: r10k deploy environment *, r10k deploy module * nobody ALL=(peadmin) NOPASSWD: mco r10k deploy *, mco r10k deploy_module *
Signed-off-by: Robin H. Johnson
---
 manifests/params.pp | 1 +
 manifests/webhook/config.pp | 2 ++
 templates/webhook.bin.erb | 10 ++++++----
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/manifests/params.pp b/manifests/params.pp
index 32330566..2f50718a 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -53,6 +53,7 @@
 $webhook_private_key_path = undef
 $webhook_bin_template = 'r10k/webhook.bin.erb'
 $webhook_yaml_template = 'r10k/webhook.yaml.erb'
+ $webhook_command_prefix = '' # 'sudo' is the canonical example for this
 if $::osfamily == Debian {
 $functions_path = '/lib/lsb/init-functions'
diff --git a/manifests/webhook/config.pp b/manifests/webhook/config.pp
index de5be8eb..6cf48f7d 100644
--- a/manifests/webhook/config.pp
+++ b/manifests/webhook/config.pp
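Review bot: In the `manifests/params.pp` hunk of the third patch, `$webhook_command_prefix` is explained only by the trailing comment `# 'sudo' is the canonical example for this`, but the template hunks of the same patch interpolate this one value verbatim in front of both the `mco r10k ...` and the `r10k deploy ...` command lines, so a single string has to fit both invocations. The sudoers examples in the commit message run the two commands as different users (root for r10k, peadmin for mco), which a bare `sudo` prefix cannot express on its own. Suggest a comment that states the contract, e.g. `# Prepended verbatim (unquoted, unsplit) to both the mco and the r10k command line, e.g. 'sudo' or 'sudo -u <user>'; keep it a fixed, trusted string.`.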
@@ -28,6 +28,7 @@
 $public_key_path = $r10k::params::webhook_public_key_path,
 $private_key_path = $r10k::params::webhook_private_key_path,
 $yaml_template = $r10k::params::webhook_yaml_template,
+ $command_prefix = $r10k::params::webhook_command_prefix,
 $configfile = '/etc/webhook.yaml',
 ) inherits r10k::params {
@@ -54,6 +55,7 @@
 'r10k_deploy_arguments' => $r10k_deploy_arguments,
 'public_key_path' => $public_key_path,
 'private_key_path' => $private_key_path,
+ 'command_prefix' => $command_prefix,
 }
 } else {
 validate_hash($hash)
diff --git a/templates/webhook.bin.erb b/templates/webhook.bin.erb
index 30f0a271..c5507e33 100755
--- a/templates/webhook.bin.erb
+++ b/templates/webhook.bin.erb
@@ -55,6 +55,8 @@ if $config['enable_ssl'] then
 opts[:SSLCertName] = [ [ "CN",WEBrick::Utils::getservername ] ]
 end
+$command_prefix = $config['command_prefix'] || ''
+
 class Server < Sinatra::Base
 set :static, false
@@ -128,10 +130,10 @@ class Server < Sinatra::Base
 def deploy_module(module_name)
 begin
 if $config['use_mcollective']
- command = "mco r10k deploy_module #{module_name} >> #{$config['mco_logfile']} 2>&1 &"
+ command = "#{$command_prefix} mco r10k deploy_module #{module_name} >> #{$config['mco_logfile']} 2>&1 &"
 else
 # If you don't use mcollective then this hook needs to be running as r10k's user i.e. root
- command = "r10k deploy module #{module_name} >> #{$config['mco_logfile']} 2>&1 &"
+ command = "#{$command_prefix} r10k deploy module #{module_name} >> #{$config['mco_logfile']} 2>&1 &"
 end
 message = "triggered: #{command}"
 Process.detach(fork{ exec "#{command}"})
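Review bot: The rewritten `command = "#{$command_prefix} mco r10k deploy_module #{module_name} ..."` lines in both branches of `deploy_module` (and the two `deploy` lines in the following hunk, `@@ -154,10 +156,10 @@`) still build one shell string that `exec "#{command}"` hands to the shell, and with this patch that shell now runs under the configured `sudo` prefix; `module_name` (and `branch` in the next hunk) arrive as arguments whose origin is outside the hunk, so if they come from the webhook payload any shell metacharacter in them is interpreted with the prefix's privileges — please confirm where they are validated. Building an argv keeps those values opaque: split the prefix and `$config['r10k_deploy_arguments']` with `Shellwords.split` (stdlib; add `require 'shellwords'` at the top of the template), pass the remaining words as separate array elements, and let `Process.spawn` do the `>> logfile 2>&1` redirection via `[:out, :err] => [$config['mco_logfile'], 'a']`. `Shellwords.split('')` returns `[]`, so the empty default prefix needs no special case, and `Process.detach(pid)` keeps the fire-and-forget behaviour of the `&`. The `begin`/`rescue` that wraps this code ends outside the hunk.
```ruby
  def deploy_module(module_name)
    begin
      # Words of the configured prefix (e.g. 'sudo'), split once like a shell would
      prefix = Shellwords.split($command_prefix)
      if $config['use_mcollective']
        argv = prefix + ['mco', 'r10k', 'deploy_module', module_name]
      else
        # If you don't use mcollective then this hook needs to be running as r10k's user i.e. root
        argv = prefix + ['r10k', 'deploy', 'module', module_name]
      end
      message = "triggered: #{argv.shelljoin}"
      # argv form: module_name is one argument and is never parsed by a shell
      pid = Process.spawn(*argv, [:out, :err] => [$config['mco_logfile'], 'a'])
      Process.detach(pid)
      # … unchanged: remainder of the begin/rescue block …
```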
@@ -154,10 +156,10 @@ class Server < Sinatra::Base
 end
 else
 if $config['use_mcollective']
- command = "mco r10k deploy #{branch} >> #{$config['mco_logfile']} 2>&1 &"
+ command = "#{$command_prefix} mco r10k deploy #{branch} >> #{$config['mco_logfile']} 2>&1 &"
 else
 # If you don't use mcollective then this hook needs to be running as r10k's user i.e. root
- command = "r10k deploy environment #{branch} #{$config['r10k_deploy_arguments']} >> #{$config['mco_logfile']} 2>&1 &"
+ command = "#{$command_prefix} r10k deploy environment #{branch} #{$config['r10k_deploy_arguments']} >> #{$config['mco_logfile']} 2>&1 &"
 end
 message = "triggered: #{command}"
 Process.detach(fork{ exec "#{command}"})