This patchset allows https to be toggled independently of the other security configuration. Additionally, the curl invocation used to seed data has been updated to follow redirects correctly, so it works whether the http or https setup is selected.
--- bin/aeolus-cleanup | 2 ++ bin/aeolus-configure | 2 ++ recipes/aeolus_recipe/manifests/aeolus.pp | 7 +++++++ recipes/aeolus_recipe/manifests/conductor.pp | 2 +- recipes/apache/manifests/init.pp | 3 ++- 5 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/bin/aeolus-cleanup b/bin/aeolus-cleanup
index acf3fed..87fb405 100644
--- a/bin/aeolus-cleanup
+++ b/bin/aeolus-cleanup
@@ -1,7 +1,9 @@
 #!/bin/sh
+export FACTER_AEOLUS_ENABLE_HTTPS=true
 export FACTER_AEOLUS_ENABLE_SECURITY=false
 puppet /usr/share/aeolus-configure/aeolus_uninstall.pp \
 --modulepath=/usr/share/aeolus-configure/modules/ \
 --logdest=/var/log/aeolus-configure/aeolus-cleanup.log \
 --logdest=console
+
diff --git a/bin/aeolus-configure b/bin/aeolus-configure
index 34fa2ff..6d87cb1 100644
--- a/bin/aeolus-configure
+++ b/bin/aeolus-configure
@@ -1,7 +1,9 @@
 #!/bin/sh
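Review bot: The added `export FACTER_AEOLUS_ENABLE_HTTPS=true` is unconditional, exactly like the `export FACTER_AEOLUS_ENABLE_SECURITY=false` context line under it, so a value an operator exports before invoking aeolus-cleanup is silently overwritten and the uninstall manifest can run with flags that differ from the install it is removing. Defaulting only when unset keeps today's behaviour for everyone who sets nothing: `: "${FACTER_AEOLUS_ENABLE_HTTPS:=true}"` followed by `export FACTER_AEOLUS_ENABLE_HTTPS`, which is plain POSIX sh and so fine under the `#!/bin/sh` shebang. Whether aeolus_uninstall.pp actually branches on this fact is not visible in this patch.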
+export FACTER_AEOLUS_ENABLE_HTTPS=true
 export FACTER_AEOLUS_ENABLE_SECURITY=false
 puppet /usr/share/aeolus-configure/aeolus_recipe.pp \
 --modulepath=/usr/share/aeolus-configure/modules/ \
 --logdest=/var/log/aeolus-configure/aeolus-configure.log \
 --logdest=console
+
diff --git a/recipes/aeolus_recipe/manifests/aeolus.pp b/recipes/aeolus_recipe/manifests/aeolus.pp
index 2b7d54e..de43f9c 100644
--- a/recipes/aeolus_recipe/manifests/aeolus.pp
+++ b/recipes/aeolus_recipe/manifests/aeolus.pp
@@ -11,6 +11,13 @@ import "deltacloud"
 import "iwhd"
 import "image-factory"
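Review bot: After this hunk aeolus-configure forces HTTPS on and, through the untouched context line below it, still forces FACTER_AEOLUS_ENABLE_SECURITY=false, so the independent toggling the commit message describes exists only inside the manifests; the shipped entry point pins both values and offers no way to change either short of editing the script. A default-if-unset assignment, `: "${FACTER_AEOLUS_ENABLE_HTTPS:=true}"` then `export FACTER_AEOLUS_ENABLE_HTTPS`, preserves the current default while letting the environment override it. A one-line comment above it should also state the accepted values, because the manifest in this same patch compares the fact only against the literal strings "true" and "1".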
+if $aeolus_enable_https == "true" or $aeolus_enable_https == "1" {
+ import "openssl"
+ $enable_https = true
+} else {
+ $enable_https = false
+}
+
 if $aeolus_enable_security == "true" or $aeolus_enable_security == "1" {
 import "openssl"
 $enable_security = true
diff --git a/recipes/aeolus_recipe/manifests/conductor.pp b/recipes/aeolus_recipe/manifests/conductor.pp
index 4d0fe43..474424a 100644
--- a/recipes/aeolus_recipe/manifests/conductor.pp
+++ b/recipes/aeolus_recipe/manifests/conductor.pp
@@ -149,7 +149,7 @@ class aeolus::conductor inherits aeolus {
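Review bot: The new conditional enables TLS only for the exact strings "true" and "1"; any other value of $aeolus_enable_https ("True", "yes", a typo, or the fact being unset) lands in the else branch and silently selects the plaintext configuration, which is the wrong failure mode for a security toggle. The else branch should fail closed by accepting only an explicit "false"/"0" and aborting the run for anything else, as below; `fail()`, `!=` and `and` are all available in the Puppet versions that already accept the `or` used on the added line. The duplicated `import "openssl"` in the https and security branches is harmless, but a single import guarded by either flag would read better.
```puppet
if $aeolus_enable_https == "true" or $aeolus_enable_https == "1" {
  import "openssl"
  $enable_https = true
} else {
  # Anything other than an explicit false/0 is a misconfiguration, not a request for plain HTTP.
  if $aeolus_enable_https != "false" and $aeolus_enable_https != "0" {
    fail("aeolus_enable_https must be true/1 or false/0, got '${aeolus_enable_https}'")
  }
  $enable_https = false
}
```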
 ### Setup apache for deltacloud
 include apache
- if $enable_security {
+ if $enable_https {
 apache::site{"aeolus-conductor": source => 'puppet:///modules/aeolus_recipe/aggregator-httpd-ssl.conf'}
 } else{
 apache::site{"aeolus-conductor": source => 'puppet:///modules/aeolus_recipe/aggregator-httpd.conf'}
diff --git a/recipes/apache/manifests/init.pp b/recipes/apache/manifests/init.pp
index dbecbf8..de703aa 100644
--- a/recipes/apache/manifests/init.pp
+++ b/recipes/apache/manifests/init.pp
@@ -5,7 +5,7 @@ class apache {
 # require apache and mod_ssl
 package { "httpd": ensure => installed }
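Review bot: The site selection now reads `$enable_https`, a top-scope variable assigned in aeolus.pp and reached here only through dynamic scoping; if aeolus::conductor is ever evaluated without that manifest having set it, the test is against undef and the plaintext `aggregator-httpd.conf` is installed without any warning, the same silent downgrade this toggle is meant to prevent. A comment at the conditional should make the dependency explicit, e.g. `# $enable_https is set at top scope in aeolus.pp; if it is unset the plain-HTTP site is installed`, and it is worth stating there that in the else branch the conductor login form, which the seeding code later POSTs a password to, is served in clear text. The class aeolus::conductor begins and ends outside this hunk.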
- if $enable_security {
+ if $enable_https {
 package { "mod_ssl": ensure => installed }
 }
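Review bot: The context comment `# require apache and mod_ssl` above the httpd package is now inaccurate, since mod_ssl is installed only when `$enable_https` is set and that variable is assigned outside this class, in aeolus.pp. Update it to `# httpd is always required; mod_ssl only when $enable_https is true (set at top scope in aeolus.pp)` so a reader of class apache does not assume mod_ssl is present whenever the class is included. Nothing here removes an already-installed mod_ssl when the toggle is later turned off, which is acceptable but worth a word in the same comment. Class apache starts before this hunk.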
@@ -40,3 +40,4 @@ define apache::site ( $ensure = 'present', $source = '') {
 require => Service['httpd']
 }
 }
+
- Use --location --post301 --post302 to follow the redirects correctly - Use -k to ignore certificate warnings caused by connecting via localhost instead of via the fqdn - Use -f to make curl return a failure status for bad http responses --- recipes/aeolus_recipe/manifests/conductor.pp | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/recipes/aeolus_recipe/manifests/conductor.pp b/recipes/aeolus_recipe/manifests/conductor.pp
index 474424a..fee834f 100644
--- a/recipes/aeolus_recipe/manifests/conductor.pp
+++ b/recipes/aeolus_recipe/manifests/conductor.pp
@@ -234,14 +234,15 @@ define aeolus::conductor::login($user,$password){
 -d user_session[login]=${user} \
 -d user_session[password]=${password} \
 -d commit=submit \
- -c /tmp/aeolus-${user}.cookie",
+ -c /tmp/aeolus-${user}.cookie \
+ --location --post301 --post302 -k -f",
 onlyif => "/usr/bin/test ! -f /tmp/aeolus-${user}.cookie || "" == "`curl -X GET http://localhost/conductor -b /tmp/aeolus-${user}.cookie -i --silent | grep 'HTTP/1.1 200'`"",
 require => Service['aeolus-conductor', 'httpd']}
 }
define aeolus::conductor::logout($user){ exec{"conductor-logout-for-${name}": - command => "/usr/bin/curl -X GET http://localhost/conductor/logout -b /tmp/aeolus-${user}.cookie", + command => "/usr/bin/curl -X GET http://localhost/conductor/logout -b /tmp/aeolus-${user}.cookie --location -k -f", onlyif => "/usr/bin/test -f /tmp/aeolus-${user}.cookie" } # TODO add condition ensuring cookie / session is valid exec{"conductor-logout-cookie-for-${name}": command => "/bin/rm /tmp/aeolus-${user}.cookie", @@ -258,7 +259,8 @@ define aeolus::conductor::provider($type="",$url="",$login_user="",$login_passwo -b /tmp/aeolus-${login_user}.cookie \ -d provider[name]=${name} \ -d provider[url]=${url} \ - -d provider[provider_type_codename]=${type}", + -d provider[provider_type_codename]=${type} \ + --location --post301 --post302 -k -f", logoutput => true, require => [Aeolus::Conductor::Login["provider-$name"]] } aeolus::conductor::logout{"provider-${name}": @@ -280,7 +282,8 @@ define aeolus::conductor::hwp($memory='', $cpu='', $storage='', $architecture='' -d hardware_profile[cpu_attributes][name]=cpu -d hardware_profile[cpu_attributes][unit]=count \ -d hardware_profile[storage_attributes][name]=storage -d hardware_profile[storage_attributes][unit]=GB \ -d hardware_profile[architecture_attributes][name]=architecture -d hardware_profile[architecture_attributes][unit]=label \ - -d commit=Save", + -d commit=Save \ + --location --post301 --post302 -k -f", logoutput => true, require => [Aeolus::Conductor::Login["hwp-$name"]] } aeolus::conductor::logout{"hwp-${name}":
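Review bot: `-k` on the new `--location --post301 --post302 -k -f` line disables all certificate verification for the request that carries the conductor password, not only the hostname mismatch the commit message describes, and because `--post301 --post302` re-send the form body, `user_session[password]` is POSTed to whatever Location the unverified server returns. Since the target is localhost the practical exposure is a local listener, but a tighter form is to request the FQDN the certificate was issued for and pass `--cacert` pointing at the certificate the openssl recipe generates, if that path is known to this manifest, instead of `-k`. Separately, the `onlyif` probe on the following context line still runs `curl -X GET http://localhost/conductor` without `--location`, so under the https setup it sees the redirect rather than `HTTP/1.1 200` and the login, with its password-bearing POST, is re-run on every Puppet run; the probe needs the same `--location -k` (or a direct https URL) for the cookie check to be meaningful. The password is also passed as a command-line argument, visible to other local users via ps, which predates this change. The define aeolus::conductor::login starts before this hunk.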
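Review bot: The `-d provider[url]=${url}` line this hunk touches sends the value raw: curl's `-d` does not URL-encode, so a provider URL containing `&`, `=` or `#` (a query string, for instance) is split by the application into extra form parameters instead of being stored as the URL, and `${url}`, `${name}` and `${type}` are also interpolated unquoted into the shell command. Switching to `--data-urlencode "provider[url]=${url}"` (and likewise for the name and type fields) fixes both the encoding and the word-splitting without changing the interface. With `-f` added, a 4xx/5xx now fails the exec, but curl discards the response body, so `logoutput => true` on the next line will no longer show the validation message conductor returned; that is acceptable but should be known when a seeding run fails. The define aeolus::conductor::provider starts outside this hunk.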
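Review bot: The same `--location --post301 --post302 -k -f` string is now pasted into the login, provider and hwp exec commands in this file, with a shorter variant in logout, so a later decision to drop `-k` or add `--cacert` has to be made in four places and will drift. Define it once near the top of conductor.pp, e.g. `$curl_opts = "--location --post301 --post302 -k -f"`, and end each command with `${curl_opts}`; a top-level variable in this manifest should be visible inside the defines through the same scoping the existing `$enable_https` relies on, though that is worth confirming on the Puppet version in use. The define aeolus::conductor::hwp starts before this hunk.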
On 04/21/2011 03:31 PM, Mike Orazi wrote:
This patchset allows https to be toggled independently of other security configurations. Additionally, the curl invocation used to seed data has been updated to correctly follow redirects so it works whether the http or https setup is selected. _______________________________________________ aeolus-devel mailing list aeolus-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/aeolus-devel
ACK to both patches.
At some point it would be good to remove this AEOLUS_ENABLE_HTTPS flag and just rely on AEOLUS_ENABLE_SECURITY in conjunction w/ a specific list of services that we want to enable security for, but this works for now.
-Mo