From 06bbf62fc4ae50c04cbdf8eac7bb8e6e831685c4 Mon Sep 17 00:00:00 2001
From: Anita Kuno <anteaya@anteaya.info>
Date: Fri, 30 Mar 2018 14:26:01 -0400
Subject: [PATCH] This patch implements the survey spec:
 I3c389596373b94459a32a4e540d514a2941acbb1

Co-Authored-By: Jeremy Stanley <fungi@yuggoth.org>
Change-Id: Iad9e5bde37c467b9930c354f4d0b312b219d05b3
Story: 2000691
Task: 3164
---
 manifests/site.pp                             |  22 ++
 .../files/puppetmaster/groups.txt             |   1 +
 .../files/ssl_cert_check/ssldomains           |   1 +
 modules/openstack_project/manifests/survey.pp | 198 ++++++++++++++++++
 .../templates/survey.config.php.erb           |  65 ++++++
 .../templates/survey.vhost.erb                |  53 +++++
 6 files changed, 340 insertions(+)
 create mode 100644 modules/openstack_project/manifests/survey.pp
 create mode 100644 modules/openstack_project/templates/survey.config.php.erb
 create mode 100644 modules/openstack_project/templates/survey.vhost.erb

diff --git a/manifests/site.pp b/manifests/site.pp
index 02b4f51a45..733dfc9a67 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -904,6 +904,28 @@ node /^status\d*\.openstack\.org$/ {
   }
 }
 
+# Node-OS: xenial
+node /^survey\d+\.openstack\.org$/ {
+  $group = "survey"
+  class { 'openstack_project::server':
+    iptables_public_tcp_ports => [22, 80, 443],
+    sysadmins                 => hiera('sysadmins', []),
+  }
+
+  class { 'openstack_project::survey':
+    vhost_name              => 'survey.openstack.org',
+    auth_openid             => true,
+    ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),
+    ssl_key_file_contents   => hiera('ssl_key_file_contents'),
+    ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
+    dbpassword              => hiera('dbpassword'),
+    dbhost                  => hiera('dbhost'),
+    adminuser               => hiera('adminuser'),
+    adminpass               => hiera('adminpass'),
+    adminmail               => hiera('adminmail'),
+  }
+}
+
 # This is a hidden authoritative master nameserver, not publicly
 # accessible.
 # Node-OS: xenial
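Review bot: `auth_openid => true` on the `openstack_project::survey` declaration does not match what the class in this patch documents — `survey.pp` describes `$auth_openid` as a dictionary (banner, singleIdp, trusted, any_valid_user, users) and only tests it against `undef`, so passing `true` enables the module but leaves no way to restrict which OpenIDs get access. The database and bootstrap secrets are also read from bare, unprefixed hiera keys (`hiera('dbpassword')`, `hiera('adminpass')`, `hiera('dbhost')`…); if other nodes in this file resolve the same names the survey host will silently pick up whichever value hiera returns, so a service-scoped name such as `hiera('survey_dbpassword')` would be safer. Consider `auth_openid => hiera('survey_auth_openid', undef)` so the allowed-user list lives with the other per-host data rather than being hard-coded.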
diff --git a/modules/openstack_project/files/puppetmaster/groups.txt b/modules/openstack_project/files/puppetmaster/groups.txt
index 91b075b845..e6138e923f 100644
--- a/modules/openstack_project/files/puppetmaster/groups.txt
+++ b/modules/openstack_project/files/puppetmaster/groups.txt
@@ -15,6 +15,7 @@ nodepool nodepool*.openstack.org:nb*.openstack.org:nl*.openstack.org
 review ~review\d+\.openstack\.org
 review-dev ~review-dev\d*\.openstack\.org
 subunit-worker ~subunit-worker\d+\.openstack\.org
+survey ~survey\d+\.openstack\.org
 translate ~translate\d+\.openstack\.org
 translate-dev ~translate-dev\d*\.openstack\.org
 wiki ~wiki\d+\.openstack\.org
diff --git a/modules/openstack_project/files/ssl_cert_check/ssldomains b/modules/openstack_project/files/ssl_cert_check/ssldomains
index 729365d5a8..68bde3a6dc 100644
--- a/modules/openstack_project/files/ssl_cert_check/ssldomains
+++ b/modules/openstack_project/files/ssl_cert_check/ssldomains
@@ -13,6 +13,7 @@ refstack.openstack.org 443
 review.openstack.org 443
 static.openstack.org 443
 storyboard.openstack.org 443
+survey.openstack.org 443
 translate.openstack.org 443
 wiki.openstack.org 443
 www.openstack.org 443
diff --git a/modules/openstack_project/manifests/survey.pp b/modules/openstack_project/manifests/survey.pp
new file mode 100644
index 0000000000..83d0df22f4
--- /dev/null
+++ b/modules/openstack_project/manifests/survey.pp
@@ -0,0 +1,198 @@
+class openstack_project::survey (
+  $vhost_name = $::fqdn,
+  $ssl_cert_file = '/etc/ssl/certs/survey.openstack.org.pem',
+  $ssl_key_file = '/etc/ssl/private/survey.openstack.org.key',
+  $ssl_chain_file = '/etc/ssl/certs/intermediate.pem',
+  $ssl_cert_file_contents = '',
+  $ssl_key_file_contents = '',
+  $ssl_chain_file_contents = '',
+  $dbpassword = '',
+  $dbhost = '',
+  # Table containing openid auth details. If undef not enabled
+  # Example dict:
+  # {
+  #   banner         => "Welcome",
+  #   singleIdp      => "https://openstackid.org",
+  #   trusted        => '^https://openstackid.org/.*$',
+  #   any_valid_user => false,
+  #   users          => ['https://openstackid.org/foo',
+  #                      'https://openstackid.org/bar'],
+  # }
+  # Note that if you care which users get access set any_valid_user to false
+  # and then provide an explicit list of openids in the users list. Otherwise
+  # set any_valid_user to true and any successfully authenticated user will
+  # get access.
+  $auth_openid = undef,
+  $docroot = '/var/www',
+  $runtime_dir_mode = '0755',
+  $download_url = 'https://github.com/LimeSurvey/LimeSurvey/archive/',
+  $version = '3.7.0+180418',
+  $www_group = 'www-data',
+  $www_user = 'www-data',
+  # These are required for bootstrapping, so do not have defaults.
+  $adminuser,
+  $adminpass,
+  $adminmail,
+) {
+
+  $distro_packages = [
+    'libapache2-mod-php',
+    'php',
+    'php-gd',
+    'php-imap',
+    'php-ldap',
+    'php-mbstring',
+    'php-mcrypt',
+    'php-mysql',
+    'php-xml',
+    'php-zip',
+    'ssl-cert',
+  ]
+
+  package { $distro_packages:
+    ensure => present,
+  }
+
+  exec { 'limesurvey-download':
+    path    => '/bin:/usr/bin',
+    creates => "${docroot}/tmp/runtime",
+    command => "bash -c 'cd /tmp; wget ${download_url}${version}.tar.gz'",
+    require => File[$docroot],
+    user    => $www_user,
+  }
+
+  exec { 'limesurvey-unzip':
+    path    => '/bin:/usr/bin',
+    cwd     => '/tmp',
+    creates => "${docroot}/tmp/runtime",
+    command => "bash -c 'cd /tmp; tar zxf /tmp/${version}.tar.gz -C ${docroot} --strip-components=1'",
+    notify  => Exec['limesurvey-install'],
+    require => Exec['limesurvey-download'],
+    user    => $www_user,
+  }
+
+  exec { 'limesurvey-install':
+    command     => "/usr/bin/php console.php install ${adminuser} ${adminpass} 'Default Administrator' ${adminmail}",
+    cwd         => "${docroot}/application/commands",
+    refreshonly => true,
+    require     => [
+      File["${docroot}/application/config/config.php"],
+      Package[$distro_packages],
+    ],
+    user        => $www_user,
+  }
+
+  file { "/tmp/${version}.tar.gz":
+    ensure  => absent,
+    require => Exec['limesurvey-unzip'],
+  }
+
+  file { "${docroot}/tmp/runtime/":
+    ensure  => directory,
+    mode    => $runtime_dir_mode,
+    require => Exec['limesurvey-install'],
+  }
+
+  file { "${docroot}/application/config/config.php":
+    ensure  => present,
+    owner   => $www_user,
+    group   => $www_group,
+    mode    => '0660',
+    content => template ('openstack_project/survey.config.php.erb'),
+    replace => true,
+    require => Exec['limesurvey-unzip'],
+  }
+
+  include ::httpd
+  ::httpd::vhost { $vhost_name:
+    port     => 443,
+    docroot  => $docroot,
+    priority => '50',
+    template => 'openstack_project/survey.vhost.erb',
+    ssl      => true,
+  }
+
+  if !defined(Mod['rewrite']) {
+    httpd::mod { 'rewrite':
+      ensure => present,
+    }
+  }
+  if ($auth_openid != undef) {
+    if !defined(Package['libapache2-mod-auth-openid']) {
+      package { 'libapache2-mod-auth-openid':
+        ensure => present,
+      }
+    }
+    if !defined(Mod['auth_openid']) {
+      # Workaround for https://bugs.debian.org/759209
+      file { '/etc/apache2/mods-available/auth_openid.load':
+        ensure  => present,
+        content => 'LoadModule authopenid_module /usr/lib/apache2/modules/mod_auth_openid.so',
+        replace => true,
+        require => Package['libapache2-mod-auth-openid'],
+      }
+      httpd::mod { 'auth_openid':
+        ensure  => present,
+        require => File['/etc/apache2/mods-available/auth_openid.load'],
+      }
+    }
+  }
+
+  file { $docroot:
+    ensure => directory,
+    owner  => $www_user,
+    group  => $www_group,
+  }
+
+  file { "${docroot}/robots.txt":
+    ensure  => present,
+    source  => 'puppet:///modules/openstack_project/disallow_robots.txt',
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0444',
+    require => File[$docroot],
+  }
+
+  file { '/etc/ssl/certs':
+    ensure => directory,
+    owner  => 'root',
+    mode   => '0755',
+  }
+
+  file { '/etc/ssl/private':
+    ensure => directory,
+    owner  => 'root',
+    mode   => '0700',
+  }
+
+  if $ssl_cert_file_contents != '' {
+    file { $ssl_cert_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_cert_file_contents,
+      before  => Httpd::Vhost[$vhost_name],
+    }
+  }
+
+  if $ssl_key_file_contents != '' {
+    file { $ssl_key_file:
+      owner   => 'root',
+      group   => 'ssl-cert',
+      mode    => '0640',
+      content => $ssl_key_file_contents,
+      require => Package['ssl-cert'],
+      before  => Httpd::Vhost[$vhost_name],
+    }
+  }
+
+  if $ssl_chain_file_contents != '' {
+    file { $ssl_chain_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_chain_file_contents,
+      before  => Httpd::Vhost[$vhost_name],
+    }
+  }
+}
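Review bot: `limesurvey-install` passes `${adminpass}` (and the admin user/mail) as positional arguments to `php console.php install`, so the bootstrap password is visible to any local user via `ps`/`/proc` while the installer runs and, because Puppet reports the failing command string, ends up in the agent log and report whenever the exec fails. Supplying it via `environment => ["ADMINPASS=${adminpass}"]` and referencing `"$ADMINPASS"` from a `bash -c` command keeps it out of the logged command string, though the php child's argv would still carry it briefly; reading it from a root-owned file or stdin would be preferable if the installer allows it. Separately, `limesurvey-download` fetches `${download_url}${version}.tar.gz` with plain `wget` and `limesurvey-unzip` extracts it straight into `${docroot}` with no checksum or signature verification, so a pinned digest checked before extraction would close that supply-chain gap. Since `${docroot}` is owned by `$www_user` and the whole tree is unpacked as that user, the web-server process can rewrite the application's own code (and `config.php` at mode 0660), which lets any LimeSurvey RCE persist; root ownership with only the runtime directories writable by `www-data` is the usual hardening.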
diff --git a/modules/openstack_project/templates/survey.config.php.erb b/modules/openstack_project/templates/survey.config.php.erb
new file mode 100644
index 0000000000..9e398b7236
--- /dev/null
+++ b/modules/openstack_project/templates/survey.config.php.erb
@@ -0,0 +1,65 @@
+<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
+/*
+| -------------------------------------------------------------------
+| DATABASE CONNECTIVITY SETTINGS
+| -------------------------------------------------------------------
+| This file will contain the settings needed to access your database.
+|
+| For complete instructions please consult the 'Database Connection'
+| page of the User Guide.
+|
+| -------------------------------------------------------------------
+| EXPLANATION OF VARIABLES
+| -------------------------------------------------------------------
+|
+|    'connectionString' Hostname, database, port and database type for
+|     the connection. Driver example: mysql. Currently supported:
+|                 mysql, pgsql, mssql, sqlite, oci
+|    'username' The username used to connect to the database
+|    'password' The password used to connect to the database
+|    'tablePrefix' You can add an optional prefix, which will be added
+|                 to the table name when using the Active Record class
+|
+*/
+return array(
+        'components' => array(
+                'db' => array(
+                        'connectionString' => 'mysql:host=<%= @dbhost %>;port=3306;dbname=limesurvey;',
+                        'emulatePrepare' => true,
+                        'username' => 'limesurvey',
+                        'password' => '<%= @dbpassword %>',
+                        'charset' => 'utf8mb4',
+                        'tablePrefix' => '',
+                ),
+
+                // Uncomment the following line if you need table-based sessions
+                // 'session' => array (
+                        // 'class' => 'application.core.web.DbHttpSession',
+                        // 'connectionID' => 'db',
+                        // 'sessionTableName' => '{{sessions}}',
+                // ),
+
+                'urlManager' => array(
+                        'urlFormat' => 'path',
+                        'rules' => array(
+                                // You can add your own rules here
+                        ),
+                        'showScriptName' => true,
+                ),
+
+        ),
+        // Use the following config variable to set modified optional settings copied from config-defaults.php
+        'config'=>array(
+        // debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this
+        // then please check your error-logs - either in your hosting provider admin panel or in some /logs directory
+        // on your webspace.
+        // LimeSurvey developers: Set this to 2 to additionally display STRICT PHP error messages and get full access to standard templates
+                'debug'=>0,
+                'debugsql'=>0, // Set this to 1 to enanble sql logging, only active when debug = 2
+                // Update default LimeSurvey config here
+                'auth_webserver'=>true,
+                'auth_webserver_autocreate_user'=>true,
+        )
+);
+/* End of file config.php */
+/* Location: ./application/config/config.php */
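Review bot: `'auth_webserver'=>true` together with `'auth_webserver_autocreate_user'=>true` tells LimeSurvey to trust whatever user name the web server authenticated and to create a local account for any name it has not seen, and the only gate this patch puts in front of it is `Require valid-user` on `/index.php/admin/`, so every openstackid.org account that completes the OpenID flow is auto-provisioned into the survey application; the permissions those auto-created accounts receive are not set in this file, so confirm LimeSurvey's default for them is what you intend. These two keys are also emitted unconditionally even when `auth_openid` is undef, in which case nothing on the Apache side sets an authenticated user; rendering them inside `<% if @auth_openid %> … <% end %>` would tie the trust to the guard that justifies it. Worth a comment above them: `// Only safe while Apache enforces OpenID on the admin path (survey.vhost.erb); LimeSurvey trusts the web-server user unconditionally.`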
diff --git a/modules/openstack_project/templates/survey.vhost.erb b/modules/openstack_project/templates/survey.vhost.erb
new file mode 100644
index 0000000000..8892c41053
--- /dev/null
+++ b/modules/openstack_project/templates/survey.vhost.erb
@@ -0,0 +1,53 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+<VirtualHost <%= @vhost_name %>:80>
+  ServerName <%= @srvname %>
+  ReWriteEngine On
+  ReWriteRule ^/(.*) https://<%= @srvname %>/$1 [last,redirect=permanent]
+  LogLevel warn
+  ErrorLog /var/log/apache2/<%= @name %>_error.log
+  CustomLog /var/log/apache2/<%= @name %>_access.log combined
+  ServerSignature Off
+</VirtualHost>
+
+<VirtualHost <%= @vhost_name %>:<%= @port %>>
+  ServerName <%= @srvname %>
+
+  DocumentRoot <%= @docroot %>
+  <Directory <%= @docroot %>>
+    Options <%= @options %>
+    AllowOverride None
+    Order allow,deny
+    allow from all
+    Require all granted
+  </Directory>
+
+  <% if @auth_openid != nil %>
+    <Location /index.php/admin/>
+      AuthType OpenID
+      AuthName "Welcome"
+      AuthOpenIDSecureCookie On
+      AuthOpenIDCookieLifespan 3600
+      AuthOpenIDTrustRoot https://survey01.openstack.org
+      AuthOpenIDServerName https://survey01.openstack.org
+      AuthOpenIDSingleIdP https://openstackid.org
+      AuthOpenIDTrusted ^https://openstackid.org/.*$
+      Require valid-user
+    </Location>
+  <% end %>
+
+  SSLEngine on
+  SSLProtocol ALL -SSLv2 -SSLv3
+  SSLCertificateFile <%= scope.lookupvar("openstack_project::survey::ssl_cert_file") %>
+  SSLCertificateKeyFile <%= scope.lookupvar("openstack_project::survey::ssl_key_file") %>
+  <% if scope.lookupvar("openstack_project::survey::ssl_chain_file") != "" %>
+    SSLCertficateChainFile <%= scope.lookupvar("openstack_project::survey::ssl_chain_file") %>
+  <% end %>
+
+  ErrorLog /var/log/apache2/<%= @name %>_error.log
+  LogLevel warn
+  CustomLog /var/log/apache2/<%= @name %>_access.log combined
+  ServerSignature Off
+</VirtualHost>
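Review bot: `SSLCertficateChainFile` on the chain line is misspelled (the directive is `SSLCertificateChainFile`), and since `ssl_chain_file` defaults to a non-empty path in survey.pp this branch is always rendered, so Apache will refuse to start with an unknown-directive error rather than serve the intermediate; change it to `SSLCertificateChainFile <%= scope.lookupvar("openstack_project::survey::ssl_chain_file") %>`. The OpenID block hard-codes `https://survey01.openstack.org` for `AuthOpenIDTrustRoot` and `AuthOpenIDServerName` while `ServerName` is `<%= @srvname %>` (survey.openstack.org per site.pp), so the IdP will show users a realm that is not the site they are logging in to and return them to the host-specific name; use `https://<%= @srvname %>` for both. `@auth_openid` is only tested for nil here, so the banner/singleIdp/trusted/users dictionary documented in survey.pp is never rendered and `Require valid-user` admits any openstackid.org account. Finally, `SSLProtocol ALL -SSLv2 -SSLv3` still permits TLS 1.0/1.1 with no `SSLCipherSuite` set, and the `<Location /index.php/admin/>` guard only covers that literal prefix — worth confirming LimeSurvey does not expose the admin controller via any other route (e.g. query-string routing) before relying on it as the sole access control.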