From 22d3ff6cd4406de99241fa661b54e12189013a8e Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 8 Jul 2015 00:33:26 +0000 Subject: [PATCH 01/15] Add Ipsilon OpenID API Extension --- roles/ipsilon/files/api.py | 98 ++++++++++++++++++++++ roles/ipsilon/tasks/main.yml | 5 ++ roles/ipsilon/templates/configuration.conf | 2 +- 3 files changed, 104 insertions(+), 1 deletion(-) create mode 100644 roles/ipsilon/files/api.py diff --git a/roles/ipsilon/files/api.py b/roles/ipsilon/files/api.py new file mode 100644 index 0000000000..dd0f8b05c0 --- /dev/null +++ b/roles/ipsilon/files/api.py 
@@ -0,0 +1,98 @@ +# Copyright (C) 2015 Patrick Uiterwijk, for license see COPYING + +from __future__ import absolute_import + +from ipsilon.providers.openid.extensions.common import OpenidExtensionBase +import ipsilon.root +from ipsilon.util.page import Page +from ipsilon.util.user import User + +import json +import inspect + + +class OpenidExtension(OpenidExtensionBase): + + def __init__(self, *pargs): + super(OpenidExtension, self).__init__('API') + + def enable(self): + # This is the most ugly hack in my history of python... + # But I need to find the root object, and that is not passed into + # the OpenID extension system anywhere... + root_obj = inspect.stack()[5][0].f_locals['self'] + root_obj.api = APIPage(root_obj) + + +class APIPage(Page): + def __init__(self, root_obj): + ipsilon.root.sites['api'] = dict() + ipsilon.root.sites['api']['template_env'] = \ + ipsilon.root.sites['default']['template_env'] + super(APIPage, self).__init__(ipsilon.root.sites['api']) + self.v1 = APIV1Page(root_obj) + + +class APIV1Page(Page): + def __init__(self, root_obj): + ipsilon.root.sites['api_v1'] = dict() + ipsilon.root.sites['api_v1']['template_env'] = \ + ipsilon.root.sites['default']['template_env'] + super(APIV1Page, self).__init__(ipsilon.root.sites['api_v1']) + self.root_obj = root_obj + + def root(self, *args, **kwargs): + return json.dumps(self._perform_call(kwargs)) + + def _perform_call(self, arguments): + fas = self.root_obj.login.fas.lm + openid = self.root_obj.openid + + openid_request = None + try: + openid_request = openid.cfg.server.decodeRequest(arguments) + except Exception, ex: + print 'Error during openid decoding: %s' % ex + return {'success': False, + 'status': 400, + 'message': 'Invalid request' + } + if not openid_request: + print 'No OpenID request parsed' + return {'success': False, + 'status': 400, + 'message': 'Invalid request' + } + if not arguments['auth_module'] == 'fedoauth.auth.fas.Auth_FAS': + print 'Unknown auth module selected' + return 
{'success': False, + 'status': 400, + 'message': 'Unknown authentication module' + } + username = arguments['username'] + password = arguments['password'] + user = None + userdata = None + try: + _, user = fas.fpc.login(username, password) + userdata = fas.page.make_userdata(user.user) + except Exception, ex: + print 'Error during auth: %s' % ex + pass + + if user is None or userdata is None: + print 'No user or data: %s, %s' % (user, userdata) + return {'success': False, + 'status': 400, + 'message': 'Authentication failed'} + + us_obj = User(username) + fake_session = lambda: None + setattr(fake_session, 'get_user', lambda *args: us_obj) + setattr(fake_session, 'get_user_attrs', lambda *args: userdata) + + openid_response = openid._response(openid_request, fake_session) + openid_response = openid.cfg.server.signatory.sign(openid_response).fields.toPostArgs() + return {'success': True, + 'response': openid_response} + diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml index 0ea6fac2c3..ad00d60565 100644 --- a/roles/ipsilon/tasks/main.yml +++ b/roles/ipsilon/tasks/main.yml @@ -18,6 +18,11 @@ tags: - packages +- name: Copy OpenID API extension + copy: src=api.py + dest=/usr/lib/python2.7/site-packages/ipsilon/providers/openid/extensions/api.py + owner=root group=root mode=0644 + - name: copy ipsilon templates copy: src=templates/ dest=/usr/share/ipsilon/templates-fedora diff --git a/roles/ipsilon/templates/configuration.conf b/roles/ipsilon/templates/configuration.conf index c64a69559d..3ed8e4eeeb 100644 --- a/roles/ipsilon/templates/configuration.conf +++ b/roles/ipsilon/templates/configuration.conf 
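Review bot: `_perform_call` indexes `arguments['auth_module']`, `arguments['username']` and `arguments['password']` directly, so a request that omits any of them raises KeyError out of `root()` and surfaces as a server error instead of the structured 400 result every other failure path in the method returns. The fence below switches the three lookups to `.get()` and adds an explicit missing-credentials check before `fas.fpc.login` is reached. Separately, `root(self, *args, **kwargs)` takes the password from whatever parameters CherryPy hands it and nothing in the hunk restricts the handler to POST; if the `Page` base class does not either, a GET would carry the password in the query string and therefore into proxy and access logs. Nothing here limits failed login attempts, so if `fas.fpc.login` does not, that control has to live in front of this endpoint. The `inspect.stack()[5]` lookup in `enable` would also benefit from a comment naming which caller frame it expects, since any change in the extension-loading call depth breaks it silently.
```python
    def _perform_call(self, arguments):
        # … unchanged: openid request decoding …
        if arguments.get('auth_module') != 'fedoauth.auth.fas.Auth_FAS':
            print 'Unknown auth module selected'
            return {'success': False,
                    'status': 400,
                    'message': 'Unknown authentication module'
                    }
        username = arguments.get('username')
        password = arguments.get('password')
        if not username or not password:
            # Missing credentials are a malformed request, not an auth failure
            print 'Missing username or password'
            return {'success': False,
                    'status': 400,
                    'message': 'Invalid request'
                    }
        # … unchanged: FAS login, fake session, OpenID response signing …
```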
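Review bot: The `dest` hard-codes `/usr/lib/python2.7/site-packages/ipsilon/providers/openid/extensions/api.py`, dropping an unpackaged file into a directory owned by the ipsilon package; an interpreter or package update can remove or orphan it and this task would not notice (I cannot see whether the package version is pinned elsewhere in the role). A comment on the task such as `# Unpackaged extension living inside the ipsilon package tree; re-check after every ipsilon update` would at least record the coupling, and deriving the path from a role variable would keep it next to the other ipsilon settings.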
@@ -35,5 +35,5 @@ openid trusted roots=http://jenkins.cloud.fedoraproject.org/securityRealm/finish {% endif %} openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_name }} openid untrusted roots= -openid enabled extensions=Teams,Attribute Exchange,CLAs,Simple Registration +openid enabled extensions=Teams,Attribute Exchange,CLAs,Simple Registration,API From 4cd711357e85c7658c507d7116c41004758bae8e Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 8 Jul 2015 00:47:25 +0000 Subject: [PATCH 02/15] Update Jenkins deps for Ipsilon --- playbooks/groups/jenkins-cloud.yml | 44 ++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 15 deletions(-) diff --git a/playbooks/groups/jenkins-cloud.yml b/playbooks/groups/jenkins-cloud.yml index 95e033b3d2..2c13740f75 100644 --- a/playbooks/groups/jenkins-cloud.yml +++ b/playbooks/groups/jenkins-cloud.yml 
@@ -471,21 +471,35 @@ - pwgen # Required for mpi4py - openmpi-devel # Required for mpi4py - mpich2-devel # Required for mpi4py - - python-openid # Required by Ipsilon - - python-openid-teams # Required by Ipsilon - - python-openid-cla # Required by Ipsilon - - python-cherrypy # Required by Ipsilon - - m2crypto # Required by Ipsilon - - lasso-python # Required by Ipsilon - - python-sqlalchemy # Required by Ipsilon - - python-ldap # Required by Ipsilon - - python-pam # Required by Ipsilon - - freeipa-python # Required by Ipsilon - - httpd # Required by Ipsilon - - mod_auth_mellon # Required by Ipsilon - - postgresql-server # Required by Ipsilon - - mod_wsgi # Required by Ipsilon - - python-jinja2 # Required by Ipsilon + - pylint # Required by Ipsilon + - python-pep8 + - python-openid + - python-openid-teams + - python-openid-cla + - python-cherrypy + - m2crypto + - lasso-python + - python-sqlalchemy + - python-ldap + - python-pam + - python-fedora + - freeipa-python + - httpd + - mod_auth_mellon + - postgresql-server + - openssl + - mod_wsgi + - python-jinja2 + - python-psycopg2 + - sssd + - libsss_simpleifp + - openldap-servers + - mod_auth_gssapi + - krb5-server + - socket_wrapper + - nss_wrapper + - python-requests-kerberos + - python-lesscpy # End requires for Ipsilon - libxml2-python # Required by gimp-docs - createrepo # Required by dnf tags: From 2720aca44d778d80e5be5ef343204aeca84a5fd1 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 8 Jul 2015 00:58:14 +0000 Subject: [PATCH 03/15] Add missing dep for Ipsilon --- playbooks/groups/jenkins-cloud.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/groups/jenkins-cloud.yml b/playbooks/groups/jenkins-cloud.yml index 2c13740f75..374985cce3 100644 --- a/playbooks/groups/jenkins-cloud.yml +++ b/playbooks/groups/jenkins-cloud.yml 
@@ -473,6 +473,7 @@ - mpich2-devel # Required for mpi4py - pylint # Required by Ipsilon - python-pep8 + - nodejs-less - python-openid - python-openid-teams - python-openid-cla From a550daf5622099f65c5465452fa5a1fe5103a4ef Mon Sep 17 00:00:00 2001 From: Luke Macken Date: Wed, 8 Jul 2015 03:11:39 +0000 Subject: [PATCH 04/15] bodhi2: Use the liberation font for the captcha --- roles/bodhi2/base/templates/staging.ini.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/bodhi2/base/templates/staging.ini.j2 b/roles/bodhi2/base/templates/staging.ini.j2 index f5d26169aa..6009361aec 100644 --- a/roles/bodhi2/base/templates/staging.ini.j2 +++ b/roles/bodhi2/base/templates/staging.ini.j2 @@ -40,8 +40,7 @@ captcha.secret = {{ bodhi2CaptchaSecret }} captcha.image_width = 300 captcha.image_height = 80 # Any truetype font will do. -# This font lives in pcaro-hermit-fonts package -captcha.font_path = /usr/share/fonts/pcaro-hermit/Hermit-medium.otf +captcha.font_path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf captcha.font_size = 36 # Colors captcha.font_color = #000000 From 2d40ff86380b3f54a6693cbc6f1364a965774bca Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 8 Jul 2015 08:19:34 +0000 Subject: [PATCH 05/15] Use seperate databases for different Ipsilon databases --- roles/ipsilon/templates/configuration.conf | 2 +- roles/ipsilon/templates/ipsilon.conf | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/ipsilon/templates/configuration.conf b/roles/ipsilon/templates/configuration.conf index 3ed8e4eeeb..fed2673c0e 100644 --- a/roles/ipsilon/templates/configuration.conf +++ b/roles/ipsilon/templates/configuration.conf 
@@ -33,7 +33,7 @@ openid endpoint url=https://id.fedoraproject.org/openid/ openid identity url template=http://%(username)s.id.fedoraproject.org/ openid trusted roots=http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin,https://ask.fedoraproject.org/,https://fedorahosted.org/,https://badges.fedoraproject.org,https://apps.fedoraproject.org/tagger/,https://apps.fedoraproject.org/nuancier/,https://apps.fedoraproject.org/datagrepper/,https://apps.fedoraproject.org/calendar/,http://apps.fedoraproject.org/notifications/,http://copr.fedoraproject.org/,http://copr-fe.cloud.fedoraproject.org/,https://admin.fedoraproject.org/pkgdb/,https://admin.fedoraproject.org/voting/,https://apps.fedoraproject.org/github2fedmsg,https://admin.fedoraproject.org,https://apps.fedoraproject.org/,https://release-monitoring.org/ {% endif %} -openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_name }} +openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }} openid untrusted roots= openid enabled extensions=Teams,Attribute Exchange,CLAs,Simple Registration,API diff --git a/roles/ipsilon/templates/ipsilon.conf b/roles/ipsilon/templates/ipsilon.conf index d67d0a0e0b..c8cf554cf2 100644 --- a/roles/ipsilon/templates/ipsilon.conf +++ b/roles/ipsilon/templates/ipsilon.conf 
@@ -6,13 +6,13 @@ template_dir = "/usr/share/ipsilon/templates-fedora" log.screen = False base.dir = "/usr/share/ipsilon" admin.config.db = "configfile:///etc/ipsilon/configuration.conf" -user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_name }}" -transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_name }}" +user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}" +transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}" tools.sessions.on = True tools.sessions.name = "fedora_ipsilon_session_id" tools.sessions.storage_type = "Sql" -tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_name }}" +tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_sessions_name }}" tools.sessions.timeout = 60 tools.sessions.httponly = True tools.sessions.secure = True From 8067e501c3bad6db4abf1e724a0bd23b8938673a Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 8 Jul 2015 15:54:59 +0000 Subject: [PATCH 06/15] Setup fedora.my -> www.fedora.my redirect --- playbooks/include/proxies-redirects.yml | 6 ++++++ playbooks/include/proxies-websites.yml | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/playbooks/include/proxies-redirects.yml b/playbooks/include/proxies-redirects.yml index dda36c1448..b850888047 100644 --- a/playbooks/include/proxies-redirects.yml +++ b/playbooks/include/proxies-redirects.yml @@ -64,6 +64,12 @@ target: http://www.flocktofedora.org/ status: 302 + - role: httpd/redirect + name: flocktofedora + website: fedora.my + target: http://www.fedora.my/ + status: 302 + - role: httpd/redirect name: join-fedora website: join.fedoraproject.org 
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 63691c33ec..d83a32d1fd 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -232,6 +232,12 @@ - flocktofedora.com ssl: false + - role: httpd/website + name: fedora.my + server_aliases: + - fedora.my + ssl: false + - role: httpd/website name: bugz.fedoraproject.org server_aliases: [bugz.stg.fedoraproject.org] From 359ee53eb4521db49445c3efdf903a09302f6ebd Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 8 Jul 2015 16:03:06 +0000 Subject: [PATCH 07/15] Copy-paste is dangerous Signed-off-by: Patrick Uiterwijk --- playbooks/include/proxies-redirects.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/include/proxies-redirects.yml b/playbooks/include/proxies-redirects.yml index b850888047..e5c6785467 100644 --- a/playbooks/include/proxies-redirects.yml +++ b/playbooks/include/proxies-redirects.yml @@ -65,7 +65,7 @@ status: 302 - role: httpd/redirect - name: flocktofedora + name: fedoramy website: fedora.my target: http://www.fedora.my/ status: 302 From b252ecc2ce034492ace78f367622981b671f6335 Mon Sep 17 00:00:00 2001 From: Michael Simacek Date: Wed, 8 Jul 2015 16:24:53 +0000 Subject: [PATCH 08/15] Run koschei services through specific symlinks --- roles/koschei/tasks/main.yml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/roles/koschei/tasks/main.yml b/roles/koschei/tasks/main.yml index 62a3f4fda8..c0f3c72725 100644 --- a/roles/koschei/tasks/main.yml +++ b/roles/koschei/tasks/main.yml 
@@ -125,3 +125,36 @@ owner=koschei group=koschei mode=0600 tags: - koschei + +- name: Create symlinks to python to get specific executable names + file: path="/usr/libexec/koschei/koschei-{{ item }}" + src=/usr/bin/python + state=link + when: env == "production" + with_items: + - polling + - resolver + - scheduler + - watcher + tags: + - koschei + - hotfix + +- name: Run using specific symlinks + lineinfile: dest="/usr/lib/systemd/system/koschei-{{ item }}.service" + regexp="^ExecStart" + line="ExecStart=/usr/libexec/koschei/koschei-{{ item }} -m koschei.main {{ item }}" + when: env == "production" + with_items: + - polling + - resolver + - scheduler + - watcher + tags: + - koschei + - hotfix + notify: + - restart koschei-polling + - restart koschei-resolver + - restart koschei-scheduler + - restart koschei-watcher From 5ae63e9d066fa0f4ab8cc6b422fc2ca7f1527c2d Mon Sep 17 00:00:00 2001 From: Michael Simacek Date: Wed, 8 Jul 2015 16:38:37 +0000 Subject: [PATCH 09/15] Create libexec koschei dir --- roles/koschei/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/koschei/tasks/main.yml b/roles/koschei/tasks/main.yml index c0f3c72725..a4cb4a79d2 100644 --- a/roles/koschei/tasks/main.yml +++ b/roles/koschei/tasks/main.yml @@ -126,6 +126,13 @@ tags: - koschei +- name: Create libexec/koschei dir + file: path=/usr/libexec/koschei state=directory + when: env == "production" + tags: + - koschei + - hotfix + - name: Create symlinks to python to get specific executable names file: path="/usr/libexec/koschei/koschei-{{ item }}" src=/usr/bin/python From bcd5a7b59cc05f109f516140452b48136c9bf5f3 Mon Sep 17 00:00:00 2001 From: Michael Simacek Date: Wed, 8 Jul 2015 16:42:08 +0000 Subject: [PATCH 10/15] Reload systemd --- roles/koschei/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/koschei/tasks/main.yml b/roles/koschei/tasks/main.yml index a4cb4a79d2..a7854dd282 100644 --- a/roles/koschei/tasks/main.yml 
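Review bot: The `lineinfile` task rewrites `ExecStart` inside `/usr/lib/systemd/system/koschei-{{ item }}.service`, which is the package-owned unit file, so the next koschei package update reverts the change without the playbook noticing; the `hotfix` tag suggests that is understood, but it is worth recording in the task. A drop-in under `/etc/systemd/system/koschei-{{ item }}.service.d/` containing `[Service]`, an empty `ExecStart=` to clear the packaged value, and the new `ExecStart=/usr/libexec/koschei/koschei-{{ item }} -m koschei.main {{ item }}` survives upgrades and can be managed with the `file` and `template` modules. If the in-place edit is kept, a comment stating why the drop-in was not used would save the next maintainer from "fixing" it.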
+++ b/roles/koschei/tasks/main.yml @@ -161,6 +161,7 @@ - koschei - hotfix notify: + - reload systemd - restart koschei-polling - restart koschei-resolver - restart koschei-scheduler From 24a23540558533eccdcfd92a87b2df83c2016e8f Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 8 Jul 2015 16:56:20 +0000 Subject: [PATCH 11/15] Weed out the koschei messages from log reports for now, can add serious ones back in later. --- roles/epylog/files/merged/weed_local.cf | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/epylog/files/merged/weed_local.cf b/roles/epylog/files/merged/weed_local.cf index d6e9f65a97..924ca50780 100644 --- a/roles/epylog/files/merged/weed_local.cf +++ b/roles/epylog/files/merged/weed_local.cf @@ -89,6 +89,7 @@ kernel:.*usb 3-3: new full-speed USB device number.*using xhci_hcd kernel:.*usb 3-3: Device not responding to set address. kernel:.*usb 3-3: Device not responding to set address. kernel:.*usb 3-3: device not accepting address.*error -71 +koschei*:.* lvm.*: Another thread is handling an event. Waiting...* nagios: Auto-save of retention data completed successfully nagios: CURRENT.* From 91f8878d6a1686cceb6f27e61a0147400ae81831 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 8 Jul 2015 17:02:55 +0000 Subject: [PATCH 12/15] Remove broken link in host_vars --- inventory/host_vars/209.132.184.150 | 1 - 1 file changed, 1 deletion(-) delete mode 120000 inventory/host_vars/209.132.184.150 diff --git a/inventory/host_vars/209.132.184.150 b/inventory/host_vars/209.132.184.150 deleted file mode 120000 index c3328866fa..0000000000 --- a/inventory/host_vars/209.132.184.150 +++ /dev/null @@ -1 +0,0 @@ -209.132.184.144 \ No newline at end of file From 7fab7f318e029074698f9f9984b8ac23764b8c7e Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 8 Jul 2015 17:08:02 +0000 Subject: [PATCH 13/15] Add csi info for people01 --- inventory/group_vars/people | 15 +++++++++++++++ 1 file changed, 15 insertions(+) 
diff --git a/inventory/group_vars/people b/inventory/group_vars/people index 2115d692e9..d9e3846b04 100644 --- a/inventory/group_vars/people +++ b/inventory/group_vars/people @@ -14,3 +14,18 @@ fedmsg_certs: group: planet-user can_send: - planet.post.new + +# For the MOTD +csi_security_category: Low +csi_primary_contact: Fedora admins - adminfedoraproject.org +csi_purpose: Provide hosting space for Fedora contributors and Fedora Planet + +csi_relationship: | + - shell accounts and web space for fedora contributors + - web space for personal yum repos + - shared space for small group/personal git repos + +Please be aware that this is a shared server, and you should not upload +Private/Secret SSH or GPG keys onto this system. Any such keys found +will be deleted. + From 7e27f6e791b8bbc2870d8c85bd8e4aea8795500d Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 8 Jul 2015 17:09:13 +0000 Subject: [PATCH 14/15] Asnible might not like the / there. --- inventory/group_vars/people | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/group_vars/people b/inventory/group_vars/people index d9e3846b04..fe86931561 100644 --- a/inventory/group_vars/people +++ b/inventory/group_vars/people @@ -26,6 +26,6 @@ csi_relationship: | - shared space for small group/personal git repos Please be aware that this is a shared server, and you should not upload -Private/Secret SSH or GPG keys onto this system. Any such keys found +Private or Secret SSH or GPG keys onto this system. Any such keys found will be deleted. From eaf61402d2faa4d022904e6cea5e306dba097fcf Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 8 Jul 2015 17:10:24 +0000 Subject: [PATCH 15/15] Try this format --- inventory/group_vars/people | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/inventory/group_vars/people b/inventory/group_vars/people index fe86931561..2049109ca9 100644 --- a/inventory/group_vars/people +++ b/inventory/group_vars/people 
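Review bot: `csi_primary_contact` reads `Fedora admins - adminfedoraproject.org`, which looks like a mailbox that has lost its `@` (presumably between `admin` and `fedoraproject.org`); if that is the file's actual content rather than an artefact of how the patch is rendered here, it should be corrected. This value ends up in the MOTD shown to every shell user on a shared host, so an address that cannot be mailed defeats the purpose of the `csi_*` block.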
@@ -25,7 +25,7 @@ csi_relationship: | - web space for personal yum repos - shared space for small group/personal git repos -Please be aware that this is a shared server, and you should not upload -Private or Secret SSH or GPG keys onto this system. Any such keys found -will be deleted. + Please be aware that this is a shared server, and you should not upload + Private/Secret SSH or GPG keys onto this system. Any such keys found + will be deleted.