fas2: good bye! You served long and well

Remove fas2 and all the checks that depended on it.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit is contained in:
Kevin Fenzi 2022-07-01 12:09:36 -07:00
parent f8073bed2b
commit 3c960624f4
35 changed files with 0 additions and 4100 deletions


@ -25,7 +25,6 @@
roles:
- base
- rkhunter
- { role: fas_client, when: env != "staging" }
- { role: ipa/client, when: env == "staging" }
- nagios_client
- hosts


@ -17,7 +17,6 @@
- rkhunter
- nagios_client
- hosts
- fas_client
- collectd/base
- sudo
- dhcp_server


@ -33,7 +33,6 @@
- base
- rkhunter
- nagios_client
- fas_client
- collectd/base
- sudo


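--- a/<file path not shown on page>
+++ /dev/null
@@ -1,85 +0,0 @@
-- name: make the app be real
-hosts: os_masters[0]:os_control_stg[0]
-user: root
-gather_facts: False
-vars_files:
-- /srv/web/infra/ansible/vars/global.yml
-- "/srv/private/ansible/vars.yml"
-- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-vars:
-fas_db_host: "db-fas01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
-gen_cert: false
-wsgi_procs: 4
-wsgi_threads: 1
-pre_tasks:
-- include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
-roles:
-- role: openshift/project
-app: fas
-description: FAS
-appowners:
-- puiterwijk
-- pingou
-allow_fas_db: true
-- role: openshift/imagestream
-app: fas
-imagename: fas
-- role: openshift/object
-app: fas
-template: buildconfig-fas.yml
-objectname: buildconfig-fas.yml
-- role: openshift/object
-app: fas
-template_fullpath: "{{roles_path}}/fas_server/templates/configmap.yml"
-objectname: configmap-fas.yml
-- role: openshift/secret-file
-app: fas
-privatefile: "keytabs/{{env}}/fas_sync"
-key: fas_sync_keytab
-secret_name: fas-sync-keytab
-- role: openshift/secret-file
-app: fas
-privatefile: "fas-gpg/pubring.gpg"
-key: pubring.gpg
-secret_name: fas-gpg-pubring
-- role: openshift/object
-app: fas
-file: service-fas.yml
-objectname: service-fas.yml
-- role: openshift/route
-app: fas
-routename: fas
-host: "admin{{ env_suffix }}.fedoraproject.org"
-path: "/accounts"
-serviceport: dynamic
-servicename: fas
-annotations:
-haproxy.router.openshift.io/timeout: 5m
-- role: openshift/route
-app: fas
-routename: fas-static
-host: "admin{{ env_suffix }}.fedoraproject.org"
-path: "/accounts/static"
-serviceport: static
-servicename: fas
-- role: openshift/object
-app: fas
-template: deploymentconfig-fas.yml
-objectname: deploymentconfig-fas.yml
-- role: openshift/secret-tls
-app: fas
-key: tls-cert-primary
-secret_name: tls-cert-primary
-private_cert: "2fa-certs/keys/fas-all{{ env_suffix }}.{{ datacenter }}.fedoraproject.org.crt"
-private_key: "2fa-certs/keys/fas-all{{ env_suffix }}.{{ datacenter }}.fedoraproject.org.key"
-- role: openshift/secret-tls
-app: fas
-key: tls-cert-vpn
-secret_name: tls-cert-vpn
-private_cert: "2fa-certs/keys/fas-all.vpn.fedoraproject.org.crt"
-private_key: "2fa-certs/keys/fas-all.vpn.fedoraproject.org.key"
-when: env == "production"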


@ -1,961 +0,0 @@
# -*- coding: utf-8 -*-
#
# Copyright (C) 2008-2012 Ricky Zhou, Red Hat, Inc.
# This file is part of python-fedora
#
# python-fedora is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# python-fedora is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with python-fedora; if not, see <http://www.gnu.org/licenses/>
#
'''
Provide a client module for talking to the Fedora Account System.
.. moduleauthor:: Ricky Zhou <ricky@fedoraproject.org>
.. moduleauthor:: Toshio Kuratomi <tkuratom@redhat.com>
.. moduleauthor:: Ralph Bean <rbean@redhat.com>
'''
import itertools
import urllib
import warnings
from bunch import Bunch
from kitchen.text.converters import to_bytes
try:
import libravatar
except ImportError:
libravatar = None
try:
from hashlib import md5
except ImportError:
from md5 import new as md5
from fedora.client import (
AppError, BaseClient, FasProxyClient,
FedoraClientError, FedoraServiceError
)
from fedora import __version__
### FIXME: To merge:
# /usr/bin/fasClient from fas
# API from Will Woods
# API from MyFedora
class FASError(FedoraClientError):
'''FAS Error'''
pass
class CLAError(FASError):
'''CLA Error'''
pass
USERFIELDS = [
'affiliation', 'bugzilla_email', 'certificate_serial',
'comments', 'country_code', 'creation', 'email', 'emailtoken',
'facsimile', 'gpg_keyid', 'human_name', 'id', 'internal_comments',
'ircnick', 'latitude', 'last_seen', 'longitude', 'password',
'password_changed', 'passwordtoken', 'postal_address', 'privacy',
'locale', 'ssh_key', 'status', 'status_change', 'telephone',
'unverified_email', 'timezone', 'username', 'security_question',
'security_answer', ]
class AccountSystem(BaseClient):
'''An object for querying the Fedora Account System.
The Account System object provides a python API for talking to the Fedora
Account System. It abstracts the http requests, cookie handling, and
other details so you can concentrate on the methods that are important to
your program.
.. warning::
If your code is trying to use the AccountSystem object to
connect to fas for multiple users you probably want to use
:class:`~fedora.client.FasProxyClient` instead. If your code is
trying to reuse a single instance of AccountSystem for multiple users
you *definitely* want to use :class:`~fedora.client.FasProxyClient`
instead. Using AccountSystem in these cases may result in a user
being logged in as a different user. (This may be the case even if
you instantiate a new AccountSystem object for each user if
:attr:cache_session: is True since that creates a file on the file
system that can end up loading session credentials for the wrong
person.
.. versionchanged:: 0.3.26
Added :meth:`~fedora.client.AccountSystem.gravatar_url` that returns
a url to a gravatar for a user.
.. versionchanged:: 0.3.33
Renamed :meth:`~fedora.client.AccountSystem.gravatar_url` to
:meth:`~fedora.client.AccountSystem.avatar_url`.
'''
# proxy is a thread-safe connection to the fas server for verifying
# passwords of other users
proxy = None
# size that we allow to request from remote avatar providers.
_valid_avatar_sizes = (32, 64, 140)
# URLs for remote avatar providers.
_valid_avatar_services = ['libravatar', 'gravatar']
def __init__(self, base_url='https://accounts.fedoraproject.org/',
*args, **kwargs):
'''Create the AccountSystem client object.
:kwargs base_url: Base of every URL used to contact the server.
Defaults to the Fedora Project FAS instance.
:kwargs useragent: useragent string to use. If not given, default to
"Fedora Account System Client/VERSION"
:kwargs debug: If True, log debug information
:kwargs username: username for establishing authenticated connections
:kwargs password: password to use with authenticated connections
:kwargs session_cookie: **Deprecated** Use session_id instead.
User's session_cookie to connect to the server
:kwargs session_id: user's session_id to connect to the server
:kwargs cache_session: if set to true, cache the user's session cookie
on the filesystem between runs.
'''
if 'useragent' not in kwargs:
kwargs['useragent'] = \
'Fedora Account System Client/%s' % __version__
super(AccountSystem, self).__init__(base_url, *args, **kwargs)
# We need a single proxy for the class to verify username/passwords
# against.
if not self.proxy:
self.proxy = FasProxyClient(base_url, useragent=self.useragent,
session_as_cookie=False,
debug=self.debug,
insecure=self.insecure)
# Preseed a list of FAS accounts with bugzilla addresses
# This allows us to specify a different email for bugzilla than is
# in the FAS db. It is a hack, however, until FAS has a field for the
# bugzilla address.
self.__bugzilla_email = {
# Konstantin Ryabitsev: mricon@gmail.com
100029: 'icon@fedoraproject.org',
# Sean Reifschneider: jafo@tummy.com
100488: 'jafo-redhat@tummy.com',
# Karen Pease: karen-pease@uiowa.edu
100281: 'meme@daughtersoftiresias.org',
# Robert Scheck: redhat@linuxnetz.de
100093: 'redhat-bugzilla@linuxnetz.de',
# Scott Bakers: bakers@web-ster.com
100881: 'scott@perturb.org',
# Colin Charles: byte@aeon.com.my
100014: 'byte@fedoraproject.org',
# W. Michael Petullo: mike@flyn.org
100136: 'redhat@flyn.org',
# Elliot Lee: sopwith+fedora@gmail.com
100060: 'sopwith@redhat.com',
# Control Center Team: Bugzilla user but email doesn't exist
9908: 'control-center-maint@redhat.com',
# Máirín Duffy
100548: 'duffy@redhat.com',
# Muray McAllister: murray.mcallister@gmail.com
102321: 'mmcallis@redhat.com',
# William Jon McCann: mccann@jhu.edu
102489: 'jmccann@redhat.com',
# Matt Domsch's rebuild script -- bz email goes to /dev/null
103590: 'ftbfs@fedoraproject.org',
# Sindre Pedersen Bjørdal: foolish@guezz.net
100460: 'sindrepb@fedoraproject.org',
# Jesus M. Rodriguez: jmrodri@gmail.com
102180: 'jesusr@redhat.com',
# Roozbeh Pournader: roozbeh@farsiweb.info
100350: 'roozbeh@gmail.com',
# Michael DeHaan: michael.dehaan@gmail.com
100603: 'mdehaan@redhat.com',
# Sebastian Gosenheimer: sgosenheimer@googlemail.com
103647: 'sebastian.gosenheimer@proio.com',
# Ben Konrath: bkonrath@redhat.com
101156: 'ben@bagu.org',
# Kai Engert: kaie@redhat.com
100399: 'kengert@redhat.com',
# William Jon McCann: william.jon.mccann@gmail.com
102952: 'jmccann@redhat.com',
# Simon Wesp: simon@w3sp.de
109464: 'cassmodiah@fedoraproject.org',
# Robert M. Albrecht: romal@gmx.de
101475: 'mail@romal.de',
# Davide Cescato: davide.cescato@iaeste.ch
123204: 'ceski@fedoraproject.org',
# Nick Bebout: nick@bebout.net
101458: 'nb@fedoraproject.org',
# Niels Haase: haase.niels@gmail.com
126862: 'arxs@fedoraproject.org',
# Thomas Janssen: th.p.janssen@googlemail.com
103110: 'thomasj@fedoraproject.org',
# Michael J Gruber: 'michaeljgruber+fedoraproject@gmail.com'
105113: 'mjg@fedoraproject.org',
# Juan Manuel Rodriguez Moreno: 'nushio@gmail.com'
101302: 'nushio@fedoraproject.org',
# Andrew Cagney: 'andrew.cagney@gmail.com'
102169: 'cagney@fedoraproject.org',
# Jeremy Katz: 'jeremy@katzbox.net'
100036: 'katzj@fedoraproject.org',
# Dominic Hopf: 'dmaphy@gmail.com'
124904: 'dmaphy@fedoraproject.org',
# Christoph Wickert: 'christoph.wickert@googlemail.com':
100271: 'cwickert@fedoraproject.org',
# Elliott Baron: 'elliottbaron@gmail.com'
106760: 'ebaron@fedoraproject.org',
# Thomas Spura: 'spurath@students.uni-mainz.de'
111433: 'tomspur@fedoraproject.org',
# Adam Miller: 'maxamillion@gmail.com'
110673: 'admiller@redhat.com',
# Garrett Holmstrom: 'garrett.holmstrom@gmail.com'
131739: 'gholms@fedoraproject.org',
# Tareq Al Jurf: taljurf.fedora@gmail.com
109863: 'taljurf@fedoraproject.org',
# Josh Kayse: jokajak@gmail.com
148243: 'jokajak@fedoraproject.org',
# Behdad Esfahbod: fedora@behdad.org
100102: 'behdad@fedoraproject.org',
# Daniel Bruno: danielbrunos@gmail.com
101608: 'dbruno@fedoraproject.org',
# Beth Lynn Eicher: bethlynneicher@gmail.com
148706: 'bethlynn@fedoraproject.org',
# Andre Robatino: andre.robatino@verizon.net
114970: 'robatino@fedoraproject.org',
# Jeff Sheltren: jeff@tag1consulting.com
100058: 'sheltren@fedoraproject.org',
# Josh Boyer: jwboyer@gmail.com
100115: 'jwboyer@redhat.com',
# Matthew Miller: mattdm@mattdm.org
100042: 'mattdm@redhat.com',
# Jamie Nguyen: j@jamielinux.com
160587: 'jamielinux@fedoraproject.org',
# Nikos Roussos: nikos@roussos.cc
144436: 'comzeradd@fedoraproject.org',
# Benedikt Schäfer: benedikt@schaefer-flieden.de
154726: 'ib54003@fedoraproject.org',
# Ricky Elrod: codeblock@elrod.me
139137: 'relrod@redhat.com',
# David Xie: david.scriptfan@gmail.com
167133: 'davidx@fedoraproject.org',
# Felix Schwarz: felix.schwarz@oss.schwarz.eu
103551: 'fschwarz@fedoraproject.org',
# Martin Holec: martix@martix.names
137561: 'mholec@redhat.com',
# John Dulaney: j_dulaney@live.com
149140: 'jdulaney@fedoraproject.org',
# Niels de Vos: niels@nixpanic.net
102792: 'ndevos@redhat.com',
# Shawn Wells: shawn@redhat.com
156515: 'swells@redhat.com',
# Christopher Tubbs: ctubbsii+fedora@gmail.com
160404: 'ctubbsii@fedoraproject.org',
# Björn Esser: bjoern.esser@gmail.com
163460: 'besser82@fedoraproject.org',
# Amit Shah: amit@amitshah.net
115389: 'amitshah@fedoraproject.org',
# Mark Wielard: fedora@wildebeest.org
102697: 'mjw@fedoraproject.org',
# Benjamin Lefoul: benjamin.lefoul@nwise.se
189661: 'lef@fedoraproject.org',
# Mike Ruckman: roshi@mykolab.com
172063: 'roshi@fedoraproject.org',
# Dusty Mabe: dusty@dustymabe.com
170115: 'dustymabe@redhat.com',
# Ben Williams: vaioof@gmail.com
100572: 'jbwillia@math.vt.edu',
# David Dykstra: dwd@fnal.gov
216452: 'dwd@fedoraproject.org',
# Till Hofmann: <till.hofmann@posteo.de>
175557: 'thofmann@fedoraproject.org',
# Philip Kovacs: phil@mxbits.io
218108: 'pkfed@fedoraproject.org',
}
# A few people have an email account that is used in owners.list but
# have setup a bugzilla account for their primary account system email
# address now. Map these here.
self.__alternate_email = {
# Damien Durand: splinux25@gmail.com
'splinux@fedoraproject.org': 100406,
# Kevin Fenzi: kevin@tummy.com
'kevin-redhat-bugzilla@tummy.com': 100037,
}
for bugzilla_map in self.__bugzilla_email.items():
self.__alternate_email[bugzilla_map[1]] = bugzilla_map[0]
# We use the two mappings as follows::
# When looking up a user by email, use __alternate_email.
# When looking up a bugzilla email address use __bugzilla_email.
#
# This allows us to parse in owners.list and have a value for all the
# emails in there while not using the alternate email unless it is
# the only option.
# TODO: Use exceptions properly
### Set insecure properly ###
# When setting insecure, we have to set it both on ourselves and on
# self.proxy
def _get_insecure(self):
return self._insecure
def _set_insecure(self, insecure):
self._insecure = insecure
self.proxy = FasProxyClient(self.base_url, useragent=self.useragent,
session_as_cookie=False, debug=self.debug,
insecure=insecure)
return insecure
#: If this attribute is set to True, do not check server certificates
#: against their CA's. This means that man-in-the-middle attacks are
#: possible. You might turn this option on for testing against a local
#: version of a server with a self-signed certificate but it should be off
#: in production.
insecure = property(_get_insecure, _set_insecure)
### Groups ###
def create_group(self, name, display_name, owner, group_type,
invite_only=0, needs_sponsor=0, user_can_remove=1,
prerequisite='', joinmsg='', apply_rules='None'):
'''Creates a FAS group.
:arg name: The short group name (alphanumeric only).
:arg display_name: A longer version of the group's name.
:arg owner: The username of the FAS account which owns the new group.
:arg group_type: The kind of group being created. Current valid options
are git, svn, hg, shell, and tracking.
:kwarg invite_only: Users must be invited to the group, they cannot
join on their own.
:kwarg needs_sponsor: Users must be sponsored into the group.
:kwarg user_can_remove: Users can remove themselves from the group.
:kwarg prerequisite: Users must be in the given group (string) before
they can join the new group.
:kwarg joinmsg: A message shown to users when they apply to the group.
:kwarg apply_rules: Rules for applying to the group, shown to users
before they apply.
:rtype: :obj:`bunch.Bunch`
:returns: A Bunch containing information about the group that was
created.
.. versionadded:: 0.3.29
'''
req_params = {
'invite_only': invite_only,
'needs_sponsor': needs_sponsor,
'user_can_remove': user_can_remove,
'prerequisite': prerequisite,
'joinmsg': joinmsg,
'apply_rules': apply_rules
}
request = self.send_request(
'/group/create/%s/%s/%s/%s' % (
urllib.quote(name),
urllib.quote(display_name),
urllib.quote(owner),
urllib.quote(group_type)),
req_params=req_params,
auth=True
)
return request
def group_by_id(self, group_id):
'''Returns a group object based on its id'''
params = {'group_id': int(group_id)}
request = self.send_request(
'json/group_by_id',
auth=True,
req_params=params
)
if request['success']:
return request['group']
else:
return dict()
def group_by_name(self, groupname):
'''Returns a group object based on its name'''
params = {'groupname': groupname}
request = self.send_request(
'json/group_by_name',
auth=True,
req_params=params
)
if request['success']:
return request['group']
else:
raise AppError(
message='FAS server unable to retrieve group'
' %(group)s' % {'group': to_bytes(groupname)},
name='FASError')
def group_members(self, groupname):
'''Return a list of people approved for a group.
This method returns a list of people who are in the requested group.
The people are all approved in the group. Unapproved people are not
shown. The format of data is::
\[{'username': 'person1', 'role_type': 'user'},
\{'username': 'person2', 'role_type': 'sponsor'}]
role_type can be one of 'user', 'sponsor', or 'administrator'.
.. versionadded:: 0.3.2
.. versionchanged:: 0.3.21
Return a Bunch instead of a DictContainer
'''
request = self.send_request('/group/dump/%s' %
urllib.quote(groupname), auth=True)
return [Bunch(username=user[0],
role_type=user[3]) for user in request['people']]
### People ###
def person_by_id(self, person_id):
'''Returns a person object based on its id'''
person_id = int(person_id)
params = {'person_id': person_id}
request = self.send_request('json/person_by_id', auth=True,
req_params=params)
if request['success']:
if person_id in self.__bugzilla_email:
request['person']['bugzilla_email'] = \
self.__bugzilla_email[person_id]
else:
request['person']['bugzilla_email'] = \
request['person']['email']
# In a devel version of FAS, membership info was returned
# separately
# This was later corrected (can remove this code at some point)
if 'approved' in request:
request['person']['approved_memberships'] = request['approved']
if 'unapproved' in request:
request['person']['unapproved_memberships'] = \
request['unapproved']
return request['person']
else:
return dict()
def person_by_username(self, username):
'''Returns a person object based on its username'''
params = {'username': username}
request = self.send_request(
'json/person_by_username',
auth=True,
req_params=params)
if request['success']:
person = request['person']
if person['id'] in self.__bugzilla_email:
person['bugzilla_email'] = self.__bugzilla_email[person['id']]
else:
person['bugzilla_email'] = person['email']
# In a devel version of FAS, membership info was returned
# separately
# This was later corrected (can remove this code at some point)
if 'approved' in request:
request['person']['approved_memberships'] = request['approved']
if 'unapproved' in request:
request['person']['unapproved_memberships'] = \
request['unapproved']
return person
else:
return dict()
def avatar_url(self, username, size=64,
default=None, lookup_email=True,
service=None):
''' Returns a URL to an avatar for a given username.
Avatars are drawn from third party services.
:arg username: FAS username to construct a avatar url for
:kwarg size: size of the avatar. Allowed sizes are 32, 64, 140.
Default: 64
:kwarg default: If the service does not have a avatar image for the
email address, this url is returned instead. Default:
the fedora logo at the specified size.
:kwarg lookup_email: If true, use the email from FAS for gravatar.com
lookups, otherwise just append @fedoraproject.org to the username.
For libravatar.org lookups, this is ignored. The openid identifier
of the user is used instead.
Note that gravatar.com lookups will be much slower if lookup_email
is set to True since we'd have to make a query against FAS itself.
:kwarg service: One of 'libravatar' or 'gravatar'.
Default: 'libravatar'.
:raises ValueError: if the size parameter is not allowed or if the
service is not one of 'libravatar' or 'gravatar'
:rtype: :obj:`str`
:returns: url of a avatar for the user
If that user has no avatar entry, instruct the remote service to
redirect us to the Fedora logo.
If that user has no email attribute, then make a fake request to
the third party service.
.. versionadded:: 0.3.26
.. versionchanged: 0.3.30
Add lookup_email parameter to control whether we generate avatar
urls with the email in fas or username@fedoraproject.org
.. versionchanged: 0.3.33
Renamed from `gravatar_url` to `avatar_url`
.. versionchanged: 0.3.34
Updated libravatar to use the user's openid identifier.
'''
if size not in self._valid_avatar_sizes:
raise ValueError(
'Size %(size)i disallowed. Must be in %(valid_sizes)r' % {
'size': size,
'valid_sizes': self._valid_avatar_sizes
}
)
# If our caller explicitly requested libravatar but they don't have
# it installed, then we need to raise a nice error and let them know.
if service == 'libravatar' and not libravatar:
raise ValueError("Install python-pylibravatar if you want to "
"use libravatar as an avatar provider.")
# If our caller didn't specify a service, let's pick a one for them.
# If they have pylibravatar installed, then by all means let freedom
# ring! Otherwise, we'll use gravatar.com if we have to.
if not service:
if libravatar:
service = 'libravatar'
else:
service = 'gravatar'
# Just double check to make sure they didn't pass us a bogus service.
if service not in self._valid_avatar_services:
raise ValueError(
'Service %(service)r disallowed. '
'Must be in %(valid_services)r' % {
'service': service,
'valid_services': self._valid_avatar_services
}
)
if not default:
default = "http://fedoraproject.org/static/images/" + \
"fedora_infinity_%ix%i.png" % (size, size)
if service == 'libravatar':
openid = 'http://%s.id.fedoraproject.org/' % username
return libravatar.libravatar_url(
openid=openid,
size=size,
default=default,
)
else:
if lookup_email:
person = self.person_by_username(username)
email = person.get('email', 'no_email')
else:
email = "%s@fedoraproject.org" % username
query_string = urllib.urlencode({
's': size,
'd': default,
})
hash = md5(email).hexdigest()
return "http://www.gravatar.com/avatar/%s?%s" % (
hash, query_string)
def gravatar_url(self, *args, **kwargs):
""" *Deprecated* - Use avatar_url.
.. versionadded:: 0.3.26
.. versionchanged: 0.3.30
Add lookup_email parameter to control whether we generate gravatar
urls with the email in fas or username@fedoraproject.org
.. versionchanged: 0.3.33
Deprecated in favor of `avatar_url`.
"""
warnings.warn(
"gravatar_url is deprecated and will be removed in"
" a future version. Please port your code to use avatar_url(...,"
" service='libravatar', ...) instead",
DeprecationWarning, stacklevel=2)
if 'service' in kwargs:
raise TypeError("'service' is an invalid keyword argument for"
" this function. Use avatar_url() instead)")
return self.avatar_url(*args, service='gravatar', **kwargs)
def user_id(self):
'''Returns a dict relating user IDs to usernames'''
request = self.send_request('json/user_id', auth=True)
people = {}
for person_id, username in request['people'].items():
# change userids from string back to integer
people[int(person_id)] = username
return people
def people_by_key(self, key=u'username', search=u'*', fields=None):
'''Return a dict of people
:kwarg key: Key by this field. Valid values are 'id', 'username', or
'email'. Default is 'username'
:kwarg search: Pattern to match usernames against. Defaults to the
'*' wildcard which matches everyone.
:kwarg fields: Limit the data returned to a specific list of fields.
The default is to retrieve all fields.
Valid fields are:
* affiliation
* alias_enabled
* bugzilla_email
* certificate_serial
* comments
* country_code
* creation
* email
* emailtoken
* facsimile
* gpg_keyid
* group_roles
* human_name
* id
* internal_comments
* ircnick
* last_seen
* latitude
* locale
* longitude
* memberships
* old_password
* password
* password_changed
* passwordtoken
* postal_address
* privacy
* roles
* ssh_key
* status
* status_change
* telephone
* timezone
* unverified_email
* username
Note that for most users who access this data, many of these
fields will be set to None due to security or privacy settings.
:returns: a dict relating the key value to the fields.
.. versionchanged:: 0.3.21
Return a Bunch instead of a DictContainer
.. versionchanged:: 0.3.26
Fixed to return a list with both people who have signed the CLA
and have not
'''
# Make sure we have a valid key value
if key not in ('id', 'username', 'email'):
raise KeyError('key must be one of "id", "username", or'
' "email"')
if fields:
fields = list(fields)
for field in fields:
if field not in USERFIELDS:
raise KeyError('%(field)s is not a valid field to'
' filter' % {'field': to_bytes(field)})
else:
fields = USERFIELDS
# Make sure we retrieve the key value
unrequested_fields = []
if key not in fields:
unrequested_fields.append(key)
fields.append(key)
if 'bugzilla_email' in fields:
# Need id and email for the bugzilla information
if 'id' not in fields:
unrequested_fields.append('id')
fields.append('id')
if 'email' not in fields:
unrequested_fields.append('email')
fields.append('email')
request = self.send_request(
'/user/list',
req_params={
'search': search,
'fields': [f for f in fields if f != 'bugzilla_email']
},
auth=True)
people = Bunch()
for person in itertools.chain(request['people'],
request['unapproved_people']):
# Retrieve bugzilla_email from our list if necessary
if 'bugzilla_email' in fields:
if person['id'] in self.__bugzilla_email:
person['bugzilla_email'] = \
self.__bugzilla_email[person['id']]
else:
person['bugzilla_email'] = person['email']
person_key = person[key]
# Remove any fields that weren't requested by the user
if unrequested_fields:
for field in unrequested_fields:
del person[field]
# Add the person record to the people dict
people[person_key] = person
return people
def people_by_id(self):
'''*Deprecated* Use people_by_key() instead.
Returns a dict relating user IDs to human_name, email, username,
and bugzilla email
.. versionchanged:: 0.3.21
Return a Bunch instead of a DictContainer
'''
warnings.warn(
"people_by_id() is deprecated and will be removed in"
" 0.4. Please port your code to use people_by_key(key='id',"
" fields=['human_name', 'email', 'username', 'bugzilla_email'])"
" instead", DeprecationWarning, stacklevel=2)
request = self.send_request('/json/user_id', auth=True)
user_to_id = {}
people = Bunch()
for person_id, username in request['people'].items():
person_id = int(person_id)
# change userids from string back to integer
people[person_id] = {'username': username, 'id': person_id}
user_to_id[username] = person_id
# Retrieve further useful information about the users
request = self.send_request('/group/dump', auth=True)
for user in request['people']:
userid = user_to_id[user[0]]
person = people[userid]
person['email'] = user[1]
person['human_name'] = user[2]
if userid in self.__bugzilla_email:
person['bugzilla_email'] = self.__bugzilla_email[userid]
else:
person['bugzilla_email'] = person['email']
return people
### Utils ###
def people_by_groupname(self, groupname):
'''Return a list of persons for the given groupname.
:arg groupname: Name of the group to look up
:returns: A list of person objects from the group. If the group
contains no entries, then an empty list is returned.
'''
people = self.people_by_id()
group = dict(self.group_by_name(groupname))
userids = [user[u'person_id'] for user in
group[u'approved_roles'] + group[u'unapproved_roles']]
return [people[userid] for userid in userids]
### Configs ###
def get_config(self, username, application, attribute):
'''Return the config entry for the key values.
:arg username: Username of the person
:arg application: Application for which the config is set
:arg attribute: Attribute key to lookup
:raises AppError: if the server returns an exception
:returns: The unicode string that describes the value. If no entry
matched the username, application, and attribute then None is
returned.
'''
request = self.send_request('config/list/%s/%s/%s' %
(username, application, attribute),
auth=True)
if 'exc' in request:
raise AppError(
name=request['exc'],
message=request['tg_flash']
)
# Return the value if it exists, else None.
if 'configs' in request and attribute in request['configs']:
return request['configs'][attribute]
return None
def get_configs_like(self, username, application, pattern=u'*'):
'''Return the config entries that match the keys and the pattern.
Note: authentication on the server will prevent anyone but the user
or a fas admin from viewing or changing their configs.
:arg username: Username of the person
:arg application: Application for which the config is set
:kwarg pattern: A pattern to select values for. This accepts * as a
wildcard character. Default='*'
:raises AppError: if the server returns an exception
:returns: A dict mapping ``attribute`` to ``value``.
'''
request = self.send_request(
'config/list/%s/%s/%s' %
(username, application, pattern),
auth=True)
if 'exc' in request:
raise AppError(
name=request['exc'],
message=request['tg_flash'])
return request['configs']
def set_config(self, username, application, attribute, value):
'''Set a config entry in FAS for the user.
Note: authentication on the server will prevent anyone but the user
or a fas admin from viewing or changing their configs.
:arg username: Username of the person
:arg application: Application for which the config is set
:arg attribute: The name of the config key that we're setting
:arg value: The value to set this to
:raises AppError: if the server returns an exception
'''
request = self.send_request(
'config/set/%s/%s/%s' %
(username, application, attribute),
req_params={'value': value}, auth=True)
if 'exc' in request:
raise AppError(
name=request['exc'],
message=request['tg_flash'])
def people_query(self, constraints=None, columns=None):
'''Returns a list of dicts representing database rows
:arg constraints: A dictionary specifying WHERE constraints on columns
:arg columns: A list of columns to be selected in the query
:raises AppError: if the query failed on the server (most likely
because the server was given a bad query)
:returns: A list of dicts representing database rows (the keys of
the dict are the columns requested)
.. versionadded:: 0.3.12.1
'''
if constraints is None:
constraints = {}
if columns is None:
columns = []
req_params = {}
req_params.update(constraints)
req_params['columns'] = ','.join(columns)
try:
request = self.send_request(
'json/people_query',
req_params=req_params, auth=True)
if request['success']:
return request['data']
else:
raise AppError(message=request['error'], name='FASError')
except FedoraServiceError:
raise
### Certs ###
def user_gencert(self):
'''Generate a cert for a user'''
try:
request = self.send_request('user/dogencert', auth=True)
except FedoraServiceError:
raise
if not request['cla']:
raise CLAError
return "%(cert)s\n%(key)s" % request
### Passwords ###
def verify_password(self, username, password):
'''Return whether the username and password pair are valid.
:arg username: username to try authenticating
:arg password: password for the user
:returns: True if the username/password are valid. False otherwise.
'''
return self.proxy.verify_password(username, password)
### fasClient Special Methods ###
def group_data(self, force_refresh=None):
'''Return administrators/sponsors/users and group type for all groups
:arg force_refresh: If true, the returned data will be queried from the
database, as opposed to memcached.
:raises AppError: if the query failed on the server
:returns: A dict mapping group names to the group type and the
user IDs of the administrator, sponsors, and users of the group.
.. versionadded:: 0.3.8
'''
params = {}
if force_refresh:
params['force_refresh'] = True
try:
request = self.send_request(
'json/fas_client/group_data',
req_params=params, auth=True)
if request['success']:
return request['data']
else:
raise AppError(
message='FAS server unable to retrieve'
' group members', name='FASError')
except FedoraServiceError:
raise
def user_data(self):
'''Return user data for all users in FAS
Note: If the user is not authorized to see password hashes,
'*' is returned for the hash.
:raises AppError: if the query failed on the server
:returns: A dict mapping user IDs to a username, password hash,
SSH public key, email address, and status.
.. versionadded:: 0.3.8
'''
try:
request = self.send_request('json/fas_client/user_data', auth=True)
if request['success']:
return request['data']
else:
raise AppError(
message='FAS server unable to retrieve user'
' information', name='FASError')
except FedoraServiceError:
raise


@ -227,41 +227,6 @@
tags:
- selinux
# HOTFIX: adjust bugzilla overrides
#- name: HOTFIX - adjust bugzilla overrides
# copy: src=fas2.py dest=/usr/lib/python2.7/site-packages/fedora/client/fas2.py
# tags:
# - config
# - pagure
# - fas
# - hotfix
# - hotfixfas
#
#- name: generate pagure-sync-bugzilla.py script
# template:
# src: pagure-sync-bugzilla.py.j2
# dest: /usr/local/bin/pagure-sync-bugzilla.py
# owner: root
# group: root
# mode: 0700
# tags:
# - pagure
# - bugzilla
#- name: Configure cron job for a daily pagure-sync-bugzilla.py script run
# cron:
# name: pagure-sync-bugzilla
# user: root
# minute: 0
# hour: 18
# job: /usr/local/bin/lock-wrapper pagure-sync-bugzilla "/usr/local/bin/pagure-sync-bugzilla.py"
# cron_file: pagure-sync-bugzilla
# state: present
# when: env != 'staging'
# tags:
# - pagure
# - bugzilla
# Cron job to export extras information from the pagure DB
- name: Install the apache configuration file for /extras
copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }}
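Review bot: The `# HOTFIX: adjust bugzilla overrides` comment at the top of the hunk appears to survive as context while the commented-out hotfix task it introduced is deleted, so it would describe nothing on the new side; if it is indeed among the six kept context lines, remove that comment line as well. The rendered hunk has fewer lines than the header's counts, so blank lines were likely dropped and the exact context set is inferred rather than certain. The enclosing task list begins and ends outside the hunk.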


@ -1,379 +0,0 @@
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /bin/mail.
#
# >>>>>>>>>> The program "newaliases" must be run after
# >> NOTE >> this file is updated for any changes to
# >>>>>>>>>> show through to sendmail.
#
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: sysadmin-main
# General redirections for pseudo accounts.
bin: root
daemon: root
adm: root
lp: root
sync: root
shutdown: root
halt: root
mail: root
#news: root
uucp: root
operator: root
games: root
gopher: root
ftp: root
#nobody: root
radiusd: root
nut: root
dbus: root
vcsa: root
canna: root
wnn: root
rpm: root
nscd: root
pcap: root
apache: root
webalizer: root
dovecot: root
fax: root
quagga: root
radvd: root
pvm: root
amanda: root
privoxy: root
ident: root
named: root
xfs: root
gdm: root
mailnull: root
postgres: root
sshd: root
smmsp: root
postfix: root
netdump: root
ldap: root
squid: root
ntp: root
mysql: root
desktop: root
rpcuser: root
rpc: root
nfsnobody: root
ingres: root
system: root
toor: root
manager: root
dumper: root
abuse: root
nagios: root
newsadm: news
newsadmin: news
usenet: news
ftpadm: ftp
ftpadmin: ftp
ftp-adm: ftp
ftp-admin: ftp
# trap decode to catch security attacks
decode: root
# Person who should get root's mail
root: sysadmin-main
# Mail blackholes for various services
nobody: /dev/null
dmarc-admin: /dev/null
fedorawiki-noreply: /dev/null
extras-orphan: /dev/null
orphan: /dev/null
retired-packages: /dev/null
control-center-maint: /dev/null
gecko-bugs-nobody: /dev/null
ftbfs: /dev/null
trac: /dev/null
taskotron: /dev/null
# Fedora Scholarship
scholarship: /dev/null
# Asterisk
asterisk: /dev/null
# Old stuff
fedoraextras-qa: /dev/null
extras-qa: /dev/null
notifications: /dev/null
# Bodhi & pkgdb aliases
updates: /dev/null
pkgdb: /dev/null
fudcon-cfp: /dev/null
download-logs: /dev/null
git: /dev/null
# Administrative & Management Aliases
accounts: sysadmin-main
admin: sysadmin-main
s3-mirror: sysadmin-main
fedora-admin-xmlrpc: kevin
hostmaster: admin,sysadmin-dns-members
sysadmin-main: sysadmin-main-members
# For vendors to email us
vendor-support: vendor-support-members
cpe-managers: pfrields@redhat.com,lgriffin@redhat.com,ancarrol@redhat.com,smattejiet@redhat.com
## Cruft aliases because we used cvs
cvsextras: scm-commits@lists.fedoraproject.org
cvsdirsec: 389-commits@lists.fedoraproject.org
cvseclipse: eclipse-commits@lists.fedoraproject.org
cvsfont: lohit-devel-list@redhat.com
cvs-sysadmin: fedora-sysadmin-list@redhat.com
# GDK is the human who suggested this redirection
#legal-cla-archive: fedora-lit@redhat.com
# this email address no longer exists internally (2020-06?) and is
# causing large amounts of bouncebacks and weighing email down from
# our servers in the RH scanners.
legal-cla-archive: /dev/null
vendors: distribution-members
# Fedora Council
legal: bsutula@redhat.com
fpl: chair
board: council-private@lists.fedoraproject.org
chairman: chair
directors: board
## Fedora Project Leader (FPL)
## https://docs.fedoraproject.org/en-US/council/fpl/
chair: mattdm
## Fedora Community Action and Impact Coordinator
## https://docs.fedoraproject.org/en-US/council/fcaic/
fcaic: riecatnor
# Code of Conduct
codeofconduct: fpl,fcaic
## Fedora Program Manager
## https://docs.fedoraproject.org/en-US/council/fpgm/
fpgm: bcotton
program-manager: fpgm
## Fedora Diversity & Inclusion Advisor
## https://docs.fedoraproject.org/en-US/council/diversity-advisor/
diversity: fpl,fcaic,siddharthvipul1
diversity-inclusion: diversity
# FESCo
fesco-chair: kevin
fesco: fesco@lists.fedoraproject.org
sponsors-feedback: packager-sponsors@fedoraproject.org,fesco@lists.fedoraproject.org
# Fedora Hosted Inquiries
#hosted-issues: mmcgrath,lmacken,pfrields,spot
# Fedora Mentors
rave-review: mentors@lists.fedoraproject.org
# FUDCon
fudcon-register: flock-admin
fudcon-paper: flock-admin
# Fudcon regional aliases - point to point person before that fudcon
fudcon-emea: flock-admin
# fudcon-apac:
# fudcon-na:
fudcon-latam: flock-admin
# flock
flockpress: fcaic,fpl
flockinfo: fcaic,fpl
flock-staff: fcaic,fpl,jmadriag@redhat.com
flock-admin: fcaic,fpl,jmadriag@redhat.com
flock-coc: fcaic,fpl
flock-access: flock-admin
# News
#news: nman64,pfrields,sundaram,tchung,kwade
news: news-members@fedoraproject.org
askfedora: sysadmin-ask-members
security: security-private@lists.fedoraproject.org
secalert: security-private@lists.fedoraproject.org
# Infrastructure security officer
infra-security: puiterwijk,kevin,smooge,codeblock,mobrien
webmaster: websites@lists.fedoraproject.org
logo: rlerch@redhat.com,duffy@redhat.com
ham-radio-exams: nb,jbwillia
podcast: x3mboy,computerkid,riecatnor
# Misc Aliases
cvs-access: accounts
ftpsync: kevin,smooge,mobrien
# Used for openshift census instance
census: npmccallum,kevin,ianweller,tflink
# User for openshift fedora-status instance
fedora-status: kevin,codeblock,mobrien
# User for openshift fedora magazine wordpress instance.
fedora-mag-admin: kevin,duffy,chrisroberts,mitzie,jzb,nb
endoflife: triage@lists.fedoraproject.org
fas: admin@fedoraproject.org
grokmirror: kevin
# Fedora server working group. ticket 4093
server-wg: sgallagh,jperrin,davidstrauss,tuanta,duffy,mitr,simo,johannbg
# Amazon cloud account, ticket #1903
community-cloud: mattdm@redhat.com,cpe-managers,dustymabe
# People always confuse things this is a special case
dgilmore: ausil
gregdek: gdk
keys: pnasrat@redhat.com
relnotes: relnotes-content@lists.fedoraproject.org
jaboutboul: jack
kwade: quaid
stickster: pfrields
spevack: mspevack
rsc: robert
patrick: puiterwijk
masta: parasense
relrod: codeblock
rbergeron: rbergero
jwf: jflory7
axk4545: abkahrs
bexelbie: bex
bt0: bt0dotninja
# Mirror admin alias
mirror-admin: mirror-admin@lists.fedoraproject.org
# Fedora Marketing and Fedora Ambassadors
famsco: famsco-members@fedoraproject.org
fedora-marketing: famsco
info: marketing@lists.fedoraproject.org
fedorarewards: famsco@lists.fedoraproject.org
openvideo: tchung
freemedia: tchung,susmit
fama: robyduck,nb
# Firstname.lastname exceptions (preferrably only for people with a good reason)
# History: these are people wishing to keep their firstname.lastname email
# We offered it once but no longer do. Exceptions should be rare.
johan.cwiklinski: trashy
maxime.carron: mxcarron
bart.de.soete: badeso
david.nalley: ke4qqq
guillaume.kulakowski: llaumgui
thierry.delmonte: titax
fabian.affolter: fab
nick.bebout: nb
dan.mashal: vicodan
# Wiki
wikiadmin: wikiadmin-members
# torrent
opentracker: admin
# DNS
dnsadmin: sysadmin-dns-members
# docker trusted email
fedora-docker-trusted: scollier,lsm5,mattdm
# Fedora-qa-devel alias
fedoraqa-devel-admin: tflink,kparal,frantisekz
# fedora kernel aliases
kernel-team: jwboyer@redhat.com,jforbes@redhat.com
kernel-maint: kernel-maint@redhat.com
lvm-team: lvm-team@redhat.com
fedora-kernel-acpi: acpi@linux.intel.com,len.brown@intel.com,mjg59@srcf.ucam.org
fedora-kernel-audit: rgb@redhat.com,eparis@redhat.com
fedora-kernel-block: jmoyer@redhat.com
fedora-kernel-dmar: dwmw2@infradead.org
fedora-kernel-ethernet: nhorman@redhat.com
fedora-kernel-ethernet-ath: jogreene@redhat.com,linville@redhat.com
fedora-kernel-ethernet-broadcom: mcarlson@broadcom.com
fedora-kernel-ethernet-realtek: romieu@fr.zoreil.com
fedora-kernel-aio: jmoyer@redhat.com
fedora-kernel-directio: jmoyer@redhat.com
fedora-kernel-fsbuffer: jmoyer@redhat.com
fedora-kernel-btrfs: fs-maint@redhat.com,josef@toxicpanda.com,bugzilla@colorremedies.com
fedora-kernel-extfs: fs-maint@redhat.com,tytso@mit.edu
fedora-kernel-xfs: fs-maint@redhat.com
fedora-kernel-firewire: fenlason@redhat.com,stefan-r-rhbz@s5r6.in-berlin.de
fedora-kernel-drm: airlied@redhat.com
fedora-kernel-input: benjamin.tissoires@redhat.com
fedora-kernel-intelpstate: dirk.brandewie@gmail.com
fedora-kernel-ata: dmilburn@redhat.com
fedora-kernel-networking: nhorman@redhat.com
fedora-kernel-nfc: sameo@linux.intel.com,linville@redhat.com
fedora-kernel-openvswitch: tgraf@redhat.com
fedora-kernel-ptrace: oleg@redhat.com
fedora-kernel-pci: bhelgaas@google.com
fedora-kernel-raid: Jes.Sorensen@redhat.com
fedora-kernel-scsi: dmilburn@redhat.com
fedora-kernel-selinux: dwalsh@redhat.com,eparis@redhat.com
fedora-kernel-uefi: mjg59@srcf.ucam.org
fedora-kernel-usb-cameras: hdegoede@redhat.com
fedora-kernel-v4l: mchehab@redhat.com
fedora-kernel-kvm: mtosatti@redhat.com,fedora-virt-maint@redhat.com
fedora-kernel-xen: ketuzsezr@darnok.org
fedora-kernel-wireless: linville@redhat.com,sgruszka@redhat.com,jogreene@redhat.com
fedora-kernel-wireless-ath: jogreene@redhat.com,linville@redhat.com
fedora-kernel-wireless-b43: larry.finger@lwfinger.net
fedora-kernel-wireless-brcm80211: jogreene@redhat.com,linville@redhat.com,brcm80211-dev-list@broadcom.com
fedora-kernel-wireless-iwl: sgruszka@redhat.com,linville@redhat.com
fedora-kernel-wireless-ralink: sgruszka@redhat.com,linville@redhat.com
fedora-kernel-wireless-realtek: larry.finger@lwfinger.net,jogreene@redhat.com
anaconda-maint: anaconda-maint-list@redhat.com
xen-maint: xen-maint@redhat.com
xgl-maint: xgl-maint@redhat.com
perl-sig: perl-devel@lists.fedoraproject.org
retired: retired-packages@fedoraproject.org
ctrl-center-team: control-center-maint@fedoraproject.org
fonts-sig: fonts-bugs@lists.fedoraproject.org
gecko-maint: gecko-bugs-nobody@fedoraproject.org
astronomy-sig: astronomy@lists.fedoraproject.org
systems: admin+systems@fedoraproject.org
hams-sig: fedora-hams@fedoraunity.org
i18n-team: i18n-bugs@lists.fedoraproject.org
haskell-sig: haskell-devel@lists.fedoraproject.org
mono-sig: mono@lists.fedoraproject.org
virtmaint: virt-maint@lists.fedoraproject.org
fcommunity: johnp@fedoraproject.org
ocamlmaint: ocaml-devel@lists.fedoraproject.org
mingwmaint: mingw@lists.fedoraproject.org
java-sig: java-devel@lists.fedoraproject.org
#upstream-release-monitoring: pingou,ralph
aws: aws-members
awsci: kevin@scrye.com
msftazure: msftazure-members
relicensing: relicensing@lists.fedoraproject.org
abrt-bot: jmoskovc@redhat.com,kklic@redhat.com,mtoman@redhat.com,mlichvar@redhat.com
packaging-team: ffesti,james,pmatilai,timlau,zpavlas,jnovy,jbowes,lmacken
blockerbugs: tflink+blockerbugs@redhat.com
epel: /dev/null
# fedora release engineering
releng-team: mohanboddu,kevin,humaton
containerbuild: cverna
#### The rest of this file is automatically generated - edit using the accounts system!


@ -1 +0,0 @@
*/10 * * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \% 45)); /usr/bin/fasClient -ia | /usr/local/bin/nag-once fassync 1d 2>&1"


@ -1,45 +0,0 @@
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
passwd: db files
shadow: db files
group: db files
#hosts: db files nisplus nis dns
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus


@ -1,3 +0,0 @@
---
- name: run fasclient
command: /usr/bin/fasClient -i


@ -1,98 +0,0 @@
---
#
# This task sets up fasClient on a machine.
# It installs the fas-clients package, then the /etc/fas.conf and finally a cron job update.
#
#
# fas-clients is in the infrastructure repo.
# nss_db is needed to store user/group info.
#
- name: install package needed for fas-client
package:
state: present
name:
- fas-clients
- cronie
tags:
- packages
- fas_client
when: ansible_cmdline.ostree is not defined
- name: install nss_db on rhel or fedora 25 or greater hosts only
package: state=present name=nss_db
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora'
tags:
- packages
- fas_client
#
# setup /etc/nsswitch.conf to use nssdb
#
- name: setup /etc/nsswitch.conf for client use
copy: src=nsswitch.conf dest=/etc/nsswitch.conf owner=root mode=0644
tags:
- config
- fas_client
#
# fasClients needs a valid /etc/fas.conf.
# There's vars used in this template:
#
# fas_client_groups = "sysadmin-main"
# fas_client_restricted_app = ""
# fas_client_admin_app = ""
# fas_client_ssh_groups = ""
#
# if desired, set them on a per host/group basis.
#
# Currently the default template is used, but could be modified on a host basis.
#
- name: setup /etc/fas.conf for client use
template: src={{ item }} dest=/etc/fas.conf owner=root mode=0600
with_first_found:
- ../templates/{{ inventory_hostname }}.fas.conf.j2
- ../templates/{{ ansible_hostname }}.fas.conf.j2
- ../templates/{{ ansible_hostname }}.fas.conf.j2
- ../templates/fas.conf.j2
tags:
- config
- fas_client
notify:
- run fasclient
#
# setup /etc/cron.d/ file to run sync every 10min
# TODO: use cron module when it's fixed
#
#- name: fas_client cron job
# cron: name="fas client" user=root cron_file=fas-client minute="*/10" job="/usr/bin/fasClient -i"
# tags:
# - config
- name: fas_client cron job
template: src=fas-client.cron.j2 dest=/etc/cron.d/fas-client owner=root mode=0644
tags:
- config
- fas_client
- name: fas_client_aliases cron job
copy: src=fas-client-aliases.cron dest=/etc/cron.d/fas-client-aliases owner=root mode=0644
tags:
- config
- fas_client
when: fas_aliases is defined
- name: fas_client_aliases template
copy: src=aliases.template dest=/etc/aliases.template owner=root mode=0644
tags:
- config
- fas_client
when: fas_aliases is defined
- name: run fas_client only if we just installed
command: fasClient -if creates=/var/db/shadow.db
tags:
- config
- fas_client
when: not inventory_hostname.startswith('fas')


@ -1,5 +0,0 @@
{% if ansible_hostname.startswith(('pkgs01', 'pkgs02', 'people02')) %}
*/15 * * * * root /usr/local/bin/lock-wrapper fasClient "/usr/bin/fasClient -i |& grep -vi deprecation | /usr/local/bin/nag-once fassync 1d 2>&1"
{% else %}
00 20 * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \% 3600)); /usr/bin/fasClient -i |& grep -vi deprecation | /usr/local/bin/nag-once fassync 1d 2>&1"
{% endif %}


@ -1,96 +0,0 @@
[global]
; url - Location to fas server
{% if env == "staging" %}
url = https://admin.stg.fedoraproject.org/accounts/
{% else %}
url = https://admin.fedoraproject.org/accounts/
{% endif %}
; temp - Location to generate files while user creation process is happening
temp = /var/db
; login - username to contact fas
login = {{ fedorathirdpartyUser }}
; password - password for login name
password = {{ fedorathirdpartyPassword }}
; prefix - install to a location other than /
prefix = /
; modefile - Location of a file containing saved home directory modes
modefile = /var/lib/fas/client_dir_perms
; cla_group - Group for CLA requirements
cla_group = cla_done
[host]
; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups
; so if someone is in all 3, the client behaves the same as if they were just
; in 'groups'
; groups that should have a shell account on this system.
{% if fas_client_groups is defined %}
groups = sysadmin-main,{{ fas_client_groups }}
{% else %}
groups = sysadmin-main
{% endif %}
; groups that should have a restricted account on this system.
; restricted accounts use the restricted_shell value in [users]
restricted_groups =
; ssh_restricted_groups: groups that should be restricted by ssh key. You will
; need to disable password based logins in order for this value to have any
; security meaning. Group types can be placed here as well, for example
; @hg,@git,@svn
{% if fas_client_ssh_groups is defined %}
ssh_restricted_groups = {{ fas_client_ssh_groups }}
{% else %}
ssh_restricted_groups =
{% endif %}
; aliases_template: Gets prepended to the aliases file when it is generated by
; fasClient
aliases_template = /etc/aliases.template
[users]
; default shell given to people in [host] groups
shell = /bin/bash
; home - the location for fas user home dirs
home = /home/fedora
; home_backup_dir - Location home dirs should get moved to when a user is
; deleted this location should be tmpwatched
home_backup_dir = /home/fedora.bak
; ssh_restricted_app - This is the path to the restricted shell script. It
; will not work automatically for most people though through alterations it
; is a powerfull way to restrict access to a machine. An alternative example
; could be given to people who should only have cvs access on the machine.
; setting this value to "/usr/bin/cvs server" would do this.
{% if fas_client_restricted_app is defined %}
ssh_restricted_app = {{ fas_client_restricted_app }}
{% else %}
ssh_restricted_app =
{% endif %}
; ssh_admin_app - This is the path to an app that an admin is allowed to use.
{% if fas_client_admin_app is defined %}
ssh_admin_app = {{ fas_client_admin_app }}
{% else %}
ssh_admin_app =
{% endif %}
; restricted_shell - The shell given to users in the ssh_restricted_groups
restricted_shell = /sbin/nologin
; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
ssh_restricted_shell = /bin/bash
; ssh_key_options - Options to be appended to people ssh keys. Users in the
; ssh_restricted_groups will have the keys they uploaded altered when they are
; installed on this machine, appended with the options below.
ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty


@ -1,29 +0,0 @@
From 73d349a219733f7517f35b67e20f4f9364c0175e Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <patrick@puiterwijk.org>
Date: Sat, 11 May 2019 02:37:25 +0200
Subject: [PATCH] Backport bugfix
Backport of https://github.com/cherrypy/cherrypy/commit/8bb5e280e639eb4c44050bfcf3d31cf29ed74712
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
---
cherrypy/_cphttptools.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/cherrypy/_cphttptools.py b/cherrypy/_cphttptools.py
index 1f75c1c5..9cc81c8e 100644
--- a/cherrypy/_cphttptools.py
+++ b/cherrypy/_cphttptools.py
@@ -431,6 +431,9 @@ class Response(object):
cookie = self.simple_cookie.output()
if cookie:
for line in cookie.split("\n"):
+ if line.endswith("\r"):
+ # Python 2.4 emits cookies joined by LF but 2.5+ by CRLF.
+ line = line[:-1]
name, value = line.split(": ", 1)
self.header_list.append((name, value))
--
2.21.0


@ -1,70 +0,0 @@
# $Id: Makefile,v 1.4 2006/06/20 18:55:37 jmates Exp $
#
# NOTE If running OpenSSL 0.9.8a or higher, see -newkey, below.
#
# Automates the setup of a custom Certificate Authority and provides
# routines for signing and revocation of certificates. To use, first
# customize the commands in this file and the settings in openssl.cnf,
# then run:
#
# make init
#
# Then, copy in certificate signing requests, and ensure their suffix is
# .csr before signing them with the following command:
#
# make sign
#
# To revoke a key, name the certificate file with the cert option
# as shown below:
#
# make revoke cert=foo.cert
#
# This will revoke the certificate and call gencrl; the revocation list
# will then need to be copied somehow to the various systems that use
# your CA cert.
requests = *.csr
# remove -batch option if want chance to not certify a particular request
sign: FORCE
@openssl ca -batch -config openssl.cnf -days 180 -in $(req) -out $(cert)
revoke:
@test $${cert:?"usage: make revoke cert=certificate"}
@openssl ca -config openssl.cnf -revoke $(cert)
@$(MAKE) gencrl
gencrl:
@openssl ca -config openssl.cnf -gencrl -out crl/crl.pem
clean:
-rm ${requests}
# creates required supporting files, CA key and certificate
init:
@test ! -f serial
@mkdir crl newcerts private
@chmod go-rwx private
@echo '01' > serial
@touch index
# NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher
@openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM
help:
@echo make sign req=in.csr cert=out.cert
@echo ' - signs in.csr, outputting to out.cert'
@echo
@echo make revoke cert=filename
@echo ' - revokes certificate in named file and calls gencrl'
@echo
@echo make gencrl
@echo ' - updates Certificate Revocation List (CRL)'
@echo
@echo make clean
@echo ' - removes all *.csr files in this directory'
@echo
@echo make init
@echo ' - required initial setup command for new CA'
# for legacy make support
FORCE:


@ -1,283 +0,0 @@
#!/usr/bin/python
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Library General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
# Copyright 2005 Dan Williams <dcbw@redhat.com> and Red Hat, Inc.
import sys, os, tempfile
OPENSSL_PROG = '/usr/bin/openssl'
def print_usage(prog):
print "\nUsage:\n"
print " %s ca --outdir=<outdir> --name=<name>\n" % prog
print " %s normal --outdir=<outdir> --name=<name> --cadir=<cadir> --caname=<ca-name>" % prog
print ""
print " Types:"
print " ca - Build system Certificate Authority key & certificate"
print " normal - Key & certificate that works with the build server and builders"
print ""
print "Examples:\n"
print " %s ca --outdir=/etc/plague/ca --name=my_ca" % prog
print " %s normal --outdir=/etc/plague/server/certs --name=server --cadir=/etc/plague/ca --caname=my_ca" % prog
print " %s normal --outdir=/etc/plague/builder/certs --name=builder1 --cadir=/etc/plague/ca --caname=my_ca" % prog
print "\n"
class CertHelperException:
def __init__(self, message):
self.message = message
class CertHelper:
def __init__(self, prog, outdir, name):
self._prog = prog
self._outdir = outdir
self._name = name
def dispatch(self, cmd, argslist):
if cmd.lower() == 'ca':
self._gencert_ca(argslist)
elif cmd.lower() == 'normal':
self._gencert_normal(argslist)
else:
print_usage(self._prog)
def _gencert_ca(self, args):
# Set up CA directory
if not os.path.exists(self._outdir):
os.makedirs(self._outdir)
try:
os.makedirs(os.path.join(self._outdir, 'certs'))
os.makedirs(os.path.join(self._outdir, 'crl'))
os.makedirs(os.path.join(self._outdir, 'newcerts'))
os.makedirs(os.path.join(self._outdir, 'private'))
except:
pass
cert_db = os.path.join(self._outdir, "index.txt")
os.system("/bin/touch %s" % cert_db)
serial = os.path.join(self._outdir, "serial")
if not os.path.exists(serial):
os.system("/bin/echo '01' > %s" % serial)
cnf = write_openssl_cnf(self._outdir, self._name, {})
# Create the CA key
key_file = os.path.join(self._outdir, "private", "cakey.pem")
cmd = "%s genrsa -out %s 4096" % (OPENSSL_PROG, key_file)
if os.system(cmd) != 0:
raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
# Make the self-signed CA certificate
cert_file = os.path.join(self._outdir, "%s_ca_cert.pem" % self._name)
cmd = "%s req -config %s -new -x509 -days 3650 -key %s -out %s -extensions v3_ca" % (OPENSSL_PROG, cnf, key_file, cert_file)
if os.system(cmd) != 0:
raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
os.remove(cnf)
print "Success. Your Certificate Authority directory is: %s\n" % self._outdir
def _gencert_normal(self, args):
cadir = argfind(args, 'cadir')
if not cadir:
print_usage(self._prog)
sys.exit(1)
caname = argfind(args, 'caname')
if not caname:
print_usage(self._prog)
sys.exit(1)
cnf = write_openssl_cnf(cadir, caname, self._name, {})
# Generate key
key_file = os.path.join(self._outdir, "%s_key.pem" % self._name)
cmd = "%s genrsa -out %s 4096" % (OPENSSL_PROG, key_file)
if os.system(cmd) != 0:
raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
print ""
# Generate the certificate request
req_file = os.path.join(self._outdir, "%s_req.pem" % self._name)
cmd = '%s req -config %s -new -nodes -out %s -key %s' % (OPENSSL_PROG, cnf, req_file, key_file)
if os.system(cmd) != 0:
raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
print ""
# Sign the request with the CA's certificate and key
cert_file = os.path.join(self._outdir, "%s_cert.pem" % self._name)
cmd = '%s ca -config %s -days 3650 -out %s -infiles %s' % (OPENSSL_PROG, cnf, cert_file, req_file)
if os.system(cmd) != 0:
raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
print ""
# Cat the normal cert and key together
key_and_cert = os.path.join(self._outdir, "%s_key_and_cert.pem" % self._name)
cmd = '/bin/cat %s %s > %s' % (key_file, cert_file, key_and_cert)
if os.system(cmd) != 0:
raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
# Cleanup: remove the cert, key, and request files
cmd = "/bin/rm -f %s %s %s" % (key_file, req_file, cert_file)
if os.system(cmd) != 0:
raise CertHelperException("\n\nERROR: Command '%s' was not successful.\n" % cmd)
os.remove(cnf)
print "Success. Your certificate and key file is: %s\n" % key_and_cert
def write_openssl_cnf(home, ca_name, commonname, opt_dict):
(fd, name) = tempfile.mkstemp('', 'openssl_cnf_', dir=None, text=True)
os.write(fd, """
##############################
HOME = %s
RANDFILE = .rand
##############################
[ ca ]
default_ca = CA_default\n
##############################
[ CA_default ]
dir = $HOME
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
serial = $dir/serial
crl = $dir/crl.pem
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
default_crl_days= 30
default_md = sha256
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
##############################
[ req ]
default_bits = 4096
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = MASK:0x2002
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = North Carolina
localityName = Locality Name (eg, city)
localityName_default = Raleigh
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Fedora Project
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Fedora Builders
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_default = %s
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = buildsys@fedoraproject.org
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
##############################
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
##############################
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
""" % (home, commonname ))
return name
def argfind(arglist, prefix):
val = None
for arg in arglist:
if arg.startswith('--%s=' % prefix):
val = arg
break
if not val:
return None
val = val.replace('--%s=' % prefix, '')
return val
if __name__ == '__main__':
prog = sys.argv[0]
if len(sys.argv) < 3:
print_usage(prog)
sys.exit(1)
outdir = argfind(sys.argv, 'outdir')
if not outdir:
print_usage(prog)
sys.exit(1)
name = argfind(sys.argv, 'name')
if not name:
print_usage(prog)
sys.exit(1)
ch = CertHelper(prog, outdir, name)
try:
ch.dispatch(sys.argv[1], sys.argv)
except CertHelperException, e:
print e.message
sys.exit(1)
sys.exit(0)


@ -1,263 +0,0 @@
# -*- coding: utf-8 -*-
#
# Copyright © 2008 Ricky Zhou
# Copyright © 2008-2014 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing to use, modify,
# copy, or redistribute it subject to the terms and conditions of the GNU
# General Public License v.2. This program is distributed in the hope that it
# will be useful, but WITHOUT ANY WARRANTY expressed or implied, including the
# implied warranties of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# See the GNU General Public License for more details. You should have
# received a copy of the GNU General Public License along with this program;
# if not, write to the Free Software Foundation, Inc., 51 Franklin Street,
# Fifth Floor, Boston, MA 02110-1301, USA. Any Red Hat trademarks that are
# incorporated in the source code or documentation are not subject to the GNU
# General Public License and may only be used or replicated with the express
# permission of Red Hat, Inc.
#
# Author(s): Ricky Zhou <ricky@fedoraproject.org>
# Mike McGrath <mmcgrath@redhat.com>
# Toshio Kuratomi <toshio@redhat.com>
#
from bunch import Bunch
from turbogears import expose, config, identity, redirect
from turbogears.database import session
from cherrypy import request
import turbogears
import cherrypy
import time
from fedora.tg import controllers as f_ctrlers
from fedora.tg.utils import request_format
from fas import release
from fas.user import User
from fas.group import Group
from fas.configs import Config
from fas.fpca import FPCA
from fas.json_request import JsonRequest
from fas.help import Help
from fas.model import Session, People
from fas.model import SessionTable
from fas.auth import undeprecated_cla_done
from fas.util import available_languages
from fas import plugin
import os
import datetime
import socket
try:
import cPickle as pickle
except ImportError:
import pickle
class SQLAlchemyStorage:
def __init__(self):
pass
def load(self, session_id):
s = Session.query.get(session_id)
if not s:
return None
expiration_time = s.expiration_time
pickled_data = s.data
data = pickle.loads(pickled_data.encode('utf-8'))
return (data, expiration_time)
# This is an iffy one. CherryPy's built in session
# storage classes use delete(self, id=None), but it
# isn't called from anywhere in cherrypy. I think we
# can do this as long as we're careful about how we call it.
def delete(self, session_id=None):
if session_id is None:
session_id = cherrypy.session.id
s = Session.query.get(session_id)
session.delete(s)
session.flush()
def save(self, session_id, data, expiration_time):
pickled_data = pickle.dumps(data)
s = Session.query.get(session_id)
if not s:
s = Session()
s.id = session_id
s.data = pickled_data
s.expiration_time = expiration_time
session.flush()
def acquire_lock(self):
pass
def release_lock(self):
pass
def clean_up(self, sess):
# This is to make sure that only one server cleans up sessions
if socket.gethostname() != 'fas01.phx2.fedoraproject.org':
return
result = SessionTable.delete(
SessionTable.c.expiration_time.__lt__(datetime.datetime.now())
).execute()
config.update({'session_filter.storage_class': SQLAlchemyStorage})
def get_locale(locale=None):
if locale:
return locale
try:
return turbogears.identity.current.user.locale
except AttributeError:
pass
try:
return cherrypy.request.simple_cookie['fas_locale'].value
except KeyError:
pass
default_language = config.get('default_language',
turbogears.i18n.utils._get_locale())
return default_language
config.update({'i18n.get_locale': get_locale})
def add_custom_stdvars(variables):
return variables.update({'gettext': _, "lang": get_locale(),
'available_languages': available_languages(),
'fas_version': release.VERSION,
'webmaster_email': config.get('webmaster_email')})
turbogears.view.variable_providers.append(add_custom_stdvars)
# from fas import json
# import logging
# log = logging.getLogger("fas.controllers")
#TODO: Appropriate flash icons for errors, etc.
# mmcgrath wonders if it will be handy to expose an encrypted mailer with fas
# over json for our apps
class Root(plugin.RootController):
user = User()
group = Group()
fpca = FPCA()
json = JsonRequest()
config = Config()
help = Help()
def __init__(self):
# TODO: Find a better place for this.
os.environ['GNUPGHOME'] = config.get('gpghome')
plugin.RootController.__init__(self)
def getpluginident(self):
return 'fas'
@expose(template="fas.templates.welcome", allow_json=True)
def index(self):
if turbogears.identity.not_anonymous():
if request_format() == 'json':
# redirects don't work with JSON calls. This is a bit of a
# hack until we can figure out something better.
return dict()
turbogears.redirect('/home')
return dict(now=time.ctime())
@identity.require(identity.not_anonymous())
@expose(template="fas.templates.home", allow_json=True)
def home(self):
user_name = turbogears.identity.current.user_name
person = People.by_username(user_name)
(cla_done, undeprecated_cla) = undeprecated_cla_done(person)
person = person.filter_private()
return dict(person=person, memberships=person['memberships'], cla=undeprecated_cla)
@expose(template="fas.templates.about")
def about(self):
return dict()
@expose(template="fas.templates.login", allow_json=True)
def login(self, forward_url=None, *args, **kwargs):
'''Page to become authenticated to the Account System.
This shows a small login box to type in your username and password
from the Fedora Account System.
:kwarg forward_url: The url to send to once authentication succeeds
'''
actual_login_dict = f_ctrlers.login(forward_url=forward_url, *args, **kwargs)
try:
login_dict = Bunch()
login_dict['user'] = Bunch()
for field in People.allow_fields['complete']:
login_dict['user'][field] = None
for field in People.allow_fields['self']:
login_dict['user'][field] = getattr(actual_login_dict['user'], field)
# Strip out things that the user shouldn't see about their own
# login
login_dict['user']['internal_comments'] = None
login_dict['user']['emailtoken'] = None
login_dict['user']['security_answer'] = None
login_dict['user']['alias_enabled'] = None
login_dict['user']['passwordtoken'] = None
# Add things that are needed by some other apps
login_dict['user'].approved_memberships = list(
actual_login_dict['user'].approved_memberships)
login_dict['user'].memberships = list(actual_login_dict['user'].memberships)
login_dict['user'].unapproved_memberships = list(
actual_login_dict['user'].unapproved_memberships)
login_dict['user'].group_roles = list(actual_login_dict['user'].group_roles)
login_dict['user'].roles = list(actual_login_dict['user'].roles)
login_dict['user'].groups = [g.name for g in actual_login_dict['user'].approved_memberships]
return login_dict
except KeyError, e:
# No problem, this usually means that we failed to login and
# therefore we don't have a user field.
login_dict = actual_login_dict
if not identity.current.anonymous and identity.was_login_attempted() \
and not identity.get_identity_errors():
# Success that needs to be passed back via json
return login_dict
if identity.was_login_attempted() and request.fas_provided_username:
if request.fas_identity_failure_reason == 'status_inactive':
turbogears.flash(_('Your old password has expired. Please'
' reset your password below.'))
if request_format() != 'json':
redirect('/user/resetpass')
if request.fas_identity_failure_reason == 'status_account_disabled':
turbogears.flash(_('Your account is currently disabled. For'
' more information, please contact %(admin_email)s' %
{'admin_email': config.get('accounts_email')}))
if request_format() != 'json':
redirect('/login')
return login_dict
@expose(allow_json=True)
def logout(self):
return f_ctrlers.logout()
@expose()
def language(self, locale):
if locale not in available_languages():
turbogears.flash(_('The language \'%s\' is not available.') % locale)
redirect(request.headers.get("Referer", "/"))
return dict()
#turbogears.i18n.set_session_locale(locale)
cherrypy.response.simple_cookie['fas_locale'] = locale
redirect(request.headers.get("Referer", "/"))
return dict()


@ -1,153 +0,0 @@
#!/usr/bin/python -t
__requires__ = 'TurboGears'
import pkg_resources
pkg_resources.require('CherryPy >= 2.0, < 3.0alpha')
import logging
logging.basicConfig()
import os
import sys
import getopt
import xmlrpclib
import smtplib
from email.Message import Message
import warnings
# Ignore DeprecationWarnings. This allows us to stop getting email
# from the cron job. We'll see the same warnings from the server starting up
warnings.simplefilter('ignore', DeprecationWarning)
import turbogears
import bugzilla
from turbogears import config
cfgfile = '/etc/export-bugzilla.cfg'
if os.access('./export-bugzilla.cfg', os.R_OK):
cfgfile = './export-bugzilla.cfg'
turbogears.update_config(configfile=cfgfile)
from turbogears.database import session
from fas.model import BugzillaQueue
BZSERVER = config.get('bugzilla.url', 'https://bugdev.devel.redhat.com/bugzilla-cvs/xmlrpc.cgi')
BZUSER = config.get('bugzilla.username')
BZPASS = config.get('bugzilla.password')
MAILSERVER = config.get('mail.server', 'localhost')
ADMINEMAIL = config.get('mail.admin_email', 'admin@fedoraproject.org')
NOTIFYEMAIL = config.get('mail.notify_email', ['admin@fedoraproject.org'])
if __name__ == '__main__':
opts, args = getopt.getopt(sys.argv[1:], '', ('usage', 'help'))
if len(args) != 2 or ('--usage','') in opts or ('--help','') in opts:
print """
Usage: export-bugzilla.py GROUP BUGZILLA_GROUP
"""
sys.exit(1)
ourGroup = args[0]
bzGroup = args[1]
server = bugzilla.Bugzilla(url=BZSERVER, user=BZUSER, password=BZPASS,
cookiefile=None, tokenfile=None)
bugzilla_queue = BugzillaQueue.query.join('group').filter_by(
name=ourGroup)
no_bz_account = []
for entry in bugzilla_queue:
# Make sure we have a record for this user in bugzilla
if entry.action == 'r':
# Remove the user's bugzilla group
try:
server.updateperms(entry.email, 'rem', bzGroup)
except xmlrpclib.Fault, e:
if e.faultCode == 51:
# It's okay, not having this user is equivalent to setting
# them to not have this group.
pass
else:
raise
elif entry.action == 'a':
# Make sure the user exists
try:
server.getuser(entry.email)
except xmlrpclib.Fault, e:
if e.faultCode == 51:
# This user doesn't have a bugzilla account yet
# add them to a list and we'll let them know.
no_bz_account.append(entry)
continue
else:
print 'Error:', e, entry.email, entry.person.human_name
raise
server.updateperms(entry.email, 'add', bzGroup)
else:
print 'Unrecognized action code: %s %s %s %s %s' % (entry.action,
entry.email, entry.person.human_name, entry.person.username, entry.group.name)
continue
# Remove them from the queue
session.delete(entry)
session.flush()
# Mail the people without bugzilla accounts
if '$USER' in NOTIFYEMAIL:
for person in no_bz_account:
smtplib.SMTP(MAILSERVER)
msg = Message()
message = '''Hello %(name)s,
As a Fedora packager, we grant you permissions to make changes to bugs in
bugzilla to all Fedora bugs. This lets you work together with other Fedora
developers in an easier fashion. However, to enable this functionality, we
need to have your bugzilla email address stored in the Fedora Account System.
At the moment you have:
%(email)s
which bugzilla is telling us is not an account in bugzilla. If you could
please set up an account in bugzilla with this address or change your email
address on your Fedora Account to match an existing bugzilla account this would
let us go forward.
Note: this message is being generated by an automated script. You'll continue
getting this message until the problem is resolved. Sorry for the
inconvenience.
Thank you,
The Fedora Account System
%(admin_email)s
''' % {'name': person.person.human_name, 'email': person.email,
'admin_email': ADMINEMAIL}
msg.add_header('To', person.email)
msg.add_header('From', ADMINEMAIL)
msg.add_header('Subject', 'Fedora Account System and Bugzilla Mismatch')
msg.set_payload(message)
smtp = smtplib.SMTP(MAILSERVER)
smtp.sendmail(ADMINEMAIL, [person.email], msg.as_string())
smtp.quit()
recipients = [e for e in NOTIFYEMAIL if e != '$USER']
if recipients and no_bz_account:
smtplib.SMTP(MAILSERVER)
msg = Message()
people = []
for person in no_bz_account:
if person.person.status == 'Active':
people.append(' %(user)s -- %(name)s -- %(email)s' %
{'name': person.person.human_name, 'email': person.email,
'user': person.person.username})
if people:
people = '\n'.join(people)
message = '''
The following people are in the packager group but do not have email addresses
that are valid in bugzilla:
%s
''' % people
msg.add_header('From', ADMINEMAIL)
msg.add_header('To', ', '.join(recipients))
msg.add_header('Subject', 'Fedora Account System and Bugzilla Mismatch')
msg.set_payload(message)
smtp = smtplib.SMTP(MAILSERVER)
smtp.sendmail(ADMINEMAIL, recipients, msg.as_string())
smtp.quit()


@ -1,29 +0,0 @@
# LOGGING
# Logging is often deployment specific, but some handlers and
# formatters can be defined here.
[logging]
[[formatters]]
[[[message_only]]]
format='*(message)s'
[[[full_content]]]
format='*(name)s *(levelname)s *(message)s'
[[handlers]]
[[[debug_out]]]
class='StreamHandler'
level='DEBUG'
args='(sys.stdout,)'
formatter='full_content'
[[[access_out]]]
class='StreamHandler'
level='WARN'
args='(sys.stdout,)'
formatter='message_only'
[[[error_out]]]
class='StreamHandler'
level='ERROR'
args='(sys.stdout,)'


@ -1,14 +0,0 @@
--- fas-0.14.0-1.el6.src.rpm-master.html 2021-03-02 16:30:47.058370054 +1000
+++ fas-0.14.0-1.el6.src.rpm-master.html.new 2021-03-02 16:33:24.458905969 +1000
@@ -62,6 +62,11 @@
</ul>
</div>
</div>
+ <div style="font-size:2em;text-align: center;padding-bottom: 1em;padding-top: 1em;background: #f8d7dd;color: #721c24;border: 2px solid #f5c6cb;">
+ <strong>FAS2 is deprecated, and currently in read-only mode.</strong>
+ <br/>
+ Use <a href="https://accounts.fedoraproject.org/">Fedora Accounts</a> to create or manage your Fedora contributor account
+ </div>
<div id="main">
<div id="sidebar">
<ul>


@ -1,317 +0,0 @@
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = /var/lib/fedora-ca/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = . # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 4096
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
# we use PrintableString+UTF8String mask so if pure ASCII texts are used
# the resulting certificates are compatible with Netscape
string_mask = MASK:0x2002
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = North Carolina
localityName = Locality Name (eg, city)
localityName_default = Raleigh
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Fedora Project
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 0
#challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo


@ -1,23 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,23 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,386 +0,0 @@
---
# Tasks to set up fas_server
- name: install needed packages
package:
state: present
name:
- fas
- fas-plugin-yubikey
- python-turbojson
- python-tgcaptcha
- httpd
- mod_wsgi
- python-bunch
- python-requests-kerberos
tags:
- packages
- fas
- name: install needed packages
package:
state: present
name:
- krb5-workstation
- python-requests-kerberos
tags:
- packages
- fas
- name: install IPA keytab
copy: >
src="{{ private }}/files/keytabs/{{env}}/fas_sync"
dest="/etc/fas_sync_keytab"
owner=fas
group=fas
mode=0600
tags:
- config
- fas
- name: install ipa public cert
copy: src=ipa.{{env}}.pem dest=/etc/fas_sync_cert.pem owner=root group=root mode=0644
tags:
- config
- fas
- name: enable httpd_can_network_connect selinux boolean
seboolean: name={{ item }} state=yes persistent=yes
with_items:
- httpd_can_network_connect
- allow_ypbind
tags:
- config
- fas
- name: setup /var/www/.python-eggs directory
file: path=/var/www/.python-eggs owner=apache group=apache mode=0700 state=directory
tags:
- config
- fas
- name: setup /etc/fas-gpg directory
file: path=/etc/fas-gpg owner=fas group=fas mode=0700 state=directory setype=httpd_sys_rw_content_t
tags:
- config
- fas
- name: install /etc/httpd/conf.d/accounts.conf file
template: >
src="fas-app.conf.j2"
dest="/etc/httpd/conf.d/accounts.conf"
owner=root
group=root
mode=0644
notify:
- reload httpd
tags:
- config
- fas
- name: setup /etc/pki/fas directory
file: path=/etc/pki/fas owner=fas group=fas mode=0755 state=directory
tags:
- config
- fas
- name: install pythonsitelib/fas/config/log.cfg
copy: >
src="fas-log.cfg"
dest="/usr/lib/python2.6/site-packages/fas/config/log.cfg"
owner=root
group=root
mode=0644
notify:
- reload httpd
tags:
- config
- fas
# $bugzillaUser = "fedora-admin-xmlrpc@redhat.com"
- name: install /etc/fas-gpg/pubring.gpg file
copy: >
src="{{ private }}/files/fas-gpg/pubring.gpg"
dest="/etc/fas-gpg/pubring.gpg"
owner=fas
group=fas
mode=0600
tags:
- config
- fas
- name: install /etc/pki/fas/fedora-server-ca.cert file
copy: >
src="{{ private }}/files/fedora-ca.cert"
dest="/etc/pki/fas/fedora-server-ca.cert"
owner=fas
group=fas
mode=0644
tags:
- config
- fas
- name: install /etc/pki/fas/fedora-upload-ca.cert file
copy: >
src="{{ private }}/files/fedora-ca.cert"
dest="/etc/pki/fas/fedora-upload-ca.cert"
owner=fas
group=fas
mode=0644
tags:
- config
- fas
- name: install /usr/share/fas/static/fedora-server-ca.cert file
copy: >
src="{{ private }}/files/fedora-ca.cert"
dest="/usr/share/fas/static/fedora-server-ca.cert"
owner=root
group=root
mode=0644
tags:
- config
- fas
- name: install /usr/share/fas/static/fedora-upload-ca.cert file
copy: >
src="{{ private }}/files/fedora-ca.cert"
dest="/usr/share/fas/static/fedora-upload-ca.cert"
owner=root
group=root
mode=0644
tags:
- config
- fas
- name: install /etc/fas.cfg file
template: >
src="fas.cfg.j2"
dest="/etc/fas.cfg"
owner=fas
group=apache
mode=0640
notify:
- reload httpd
tags:
- config
- fas
- name: install /usr/local/bin/yubikey-remove.py file
template: >
src="yubikey-remove.py.j2"
dest="/usr/local/bin/yubikey-remove.py"
owner=fas
group=fas
mode=0750
tags:
- config
- fas
# $gen_cert = "True"
- name: install /etc/fas.cfg file
template: >
src="fas.cfg.j2"
dest="/etc/fas.cfg"
owner=fas
group=apache
mode=0640
when: master_fas_node == True
notify:
- reload httpd
tags:
- config
- fas
- name: setup /var/lock/fedora-ca directory
file: path=/var/lock/fedora-ca owner=fas group=fas mode=0700 state=directory setype=var_lock_t
when: master_fas_node == True
tags:
- config
- fas
- name: setup /var/lib/fedora-ca directory
file: path=/var/lib/fedora-ca owner=fas group=fas mode=0771 state=directory setype=httpd_sys_content_t
when: master_fas_node == True
tags:
- config
- fas
#- name: install /var/lib/fedora-ca/.rnd file
# file: path=/var/lib/fedora-ca/.rnd owner=fas group=fas mode=0600 setype=httpd_sys_content_t
# when: master_fas_node == True
# tags:
# - config
# - fas
- name: setup /var/lib/fedora-ca/newcerts directory
file: path=/var/lib/fedora-ca/newcerts owner=fas group=fas mode=0700 state=directory
when: master_fas_node == True
tags:
- config
- fas
- name: setup /var/lib/fedora-ca/private directory
file: path=/var/lib/fedora-ca/private owner=fas group=fas mode=0700 state=directory
when: master_fas_node == True
tags:
- config
- fas
- name: install /var/lib/fedora-ca/private/cakey.pem file
copy: >
src="{{ private }}/files/cakey.pem"
dest="/var/lib/fedora-ca/private/cakey.pem"
owner=fas
group=fas
mode=0400
when: master_fas_node == True
tags:
- config
- fas
- name: install /var/lib/fedora-ca/Makefile file
copy: >
src="Makefile.fedora-ca"
dest="/var/lib/fedora-ca/Makefile"
owner=root
group=root
mode=0644
when: master_fas_node == True
tags:
- config
- fas
- name: install /var/lib/fedora-ca/openssl.cnf file
copy: >
src="fedora-ca-client-openssl.cnf"
dest="/var/lib/fedora-ca/openssl.cnf"
owner=root
group=root
mode=0644
when: master_fas_node == True
tags:
- config
- fas
- name: install /var/lib/fedora-ca/certhelper.py file
copy: >
src="certhelper.py"
dest="/var/lib/fedora-ca/certhelper.py"
owner=root
group=root
mode=0755
when: master_fas_node == True
tags:
- config
- fas
- name: install /var/lib/fedora-ca/cacert.pem file
copy: >
src="{{ private }}/files/fedora-ca.cert"
dest="/var/lib/fedora-ca/cacert.pem"
owner=root
group=root
mode=0644
when: master_fas_node == True
tags:
- config
- fas
#For publishing the crl
- name: setup /srv/web/ca directory
file: path=/srv/web/ca owner=apache group=apache mode=0755 state=directory
when: master_fas_node == True
tags:
- config
- fas
- name: twice every month, force a new crl to be created
cron: >
name="gen-crl"
job="cd /var/lib/fedora-ca ; /usr/bin/make gencrl &> /dev/null"
user="fas"
minute="0"
hour="0"
day="1,15"
when: master_fas_node == True
tags:
- config
- fas
- name: create directory /var/lib/fedora-ca/crl/
file: path={{ item }} state=directory
with_items:
- /var/lib/fedora-ca/crl/
tags:
- fas
- name: touch /var/lib/fedora-ca/crl/crl.pem and /var/lib/fedora-ca/cacert.pem
command: touch /var/lib/fedora-ca/cacert.pem /var/lib/fedora-ca/crl/crl.pem
when: master_fas_node == True
changed_when: "1 != 1"
tags:
- config
- fas
- name: create /srv/web/ca/crl.pem link
file: path="/srv/web/ca/crl.pem" state=link src="/var/lib/fedora-ca/crl/crl.pem"
when: master_fas_node == True
tags:
- config
- fas
- name: create /srv/web/ca/cacert.pem link
file: path="/srv/web/ca/cacert.pem" state=link src="/var/lib/fedora-ca/cacert.pem"
when: master_fas_node == True
tags:
- config
- fas
- name: install /etc/export-bugzilla.cfg file
template: >
src="export-bugzilla.cfg.j2"
dest="/etc/export-bugzilla.cfg"
owner=fas
group=fas
mode=0600
when: master_fas_node == True
tags:
- config
- fas
- name: HOTFIX fix the export-bugzilla cron to not store bugzilla token
copy: >
src="export-bugzilla"
dest="/usr/sbin/export-bugzilla"
owner=root
group=root
mode=0755
tags:
- config
- hotfix
- fas
- name: run export-bugzilla program
cron: >
name="export-bugzilla"
job="cd /etc; MAILTO=root; /usr/sbin/export-bugzilla fedorabugs fedora_contrib"
user="fas"
minute="10"
when: master_fas_node == True
tags:
- config
- fas
- name: HOTFIX make sure only fas01 cleans up sessions
copy: src={{ roles_path }}/fas_server/files/controllers.py
dest=/usr/lib/python2.6/site-packages/fas/controllers.py
mode=644 owner=root group=root
tags:
- config
- fas
- hotfixfas


@ -1,109 +0,0 @@
{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: fas
labels:
app: fas
data:
krb5.conf: |-
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = {{ ipa_realm }}
rdns = false
dns_canonicalize_hostname = false
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
{{ ipa_realm }} = {
kdc = ipa01{{ env_suffix }}.iad2.fedoraproject.org
}
[domain_realm]
.fedoraproject.org = FEDORAPROJECT.ORG
fedoraproject.org = FEDORAPROJECT.ORG
{% if env == "staging" %}
.stg.iad2.fedoraproject.org = STG.FEDORAPROJECT.ORG
{% endif %}
.stg.fedoraproject.org = STG.FEDORAPROJECT.ORG
stg.fedoraproject.org = STG.FEDORAPROJECT.ORG
static_start.sh: |-
set -xe
rm -rf /httpdir/*
mkdir /httpdir/run
ln -s /etc/httpd/modules /httpdir/modules
truncate --size=0 /httpdir/accesslog /httpdir/errorlog
tail -qf /httpdir/accesslog /httpdir/errorlog &
exec /usr/sbin/httpd.worker -f /etc/fas/static_httpd.conf -DFOREGROUND -DNO_DETACH
static_httpd.conf: |-
Listen 0.0.0.0:8080
ServerRoot "/httpdir"
PidFile "/httpdir/httpd.pid"
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule mime_module modules/mod_mime.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule version_module modules/mod_version.so
StartServers 4
MaxClients 300
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /httpdir/accesslog combined
ErrorLog /httpdir/errorlog
LogLevel info
TypesConfig /etc/mime.types
AddDefaultCharset UTF-8
CoreDumpDirectory /tmp
Alias /accounts/static /usr/share/fas/static
<Directory /usr/share/fas/static>
Order deny,allow
Allow from all
</Directory>
app_start.sh: |-
set -xe
rm -rf /tmp/fas-gpg
mkdir /tmp/fas-gpg
ln -s /etc/fas-gpg/pubring.gpg /tmp/fas-gpg/pubring.gpg
python /etc/fas/app_gunicorn.py --bind :8000 --chdir /app app --timeout 300 --workers 4
app_gunicorn.py: |-
# We need a custom gunicorn script because we need to inject various requires
import __main__
__main__.__requires__ = []
__main__.__requires__.append('SQLAlchemy >= 0.5, <= 0.6')
__main__.__requires__.append('TurboGears[future]')
__main__.__requires__.append('gunicorn==18.0')
import sys
from pkg_resources import load_entry_point
if __name__ == '__main__':
sys.exit(
load_entry_point('gunicorn==18.0', 'console_scripts', 'gunicorn')()
)
fas_sync_cert.pem: |-
{{ lookup('file', '{{ roles_path }}/fas_server/files/ipa.{{env}}.pem') | indent() }}
fas-log.cfg: |-
{{ lookup('file', '{{ roles_path }}/fas_server/files/fas-log.cfg') | indent() }}
fas.cfg: |-
{{ load_file('fas.cfg.j2') | indent() }}
export-bugzilla.cfg: |-
{{ load_file('export-bugzilla.cfg.j2') | indent() }}
export-bugzilla: |-
{{ lookup('file', '{{ roles_path }}/fas_server/files/export-bugzilla') | indent() }}


@ -1,20 +0,0 @@
[global]
# bugzilla.url = https://bugdev.devel.redhat.com/bugzilla-cvs/xmlrpc.cgi
# Running from fas1 so we need the PHX available address.
bugzilla.url = "https://bugzilla.redhat.com/xmlrpc.cgi"
# bugzilla.url = "https://bugzilla.redhat.com/xmlrpc.cgi"
bugzilla.username = "fedora-admin-xmlrpc@fedoraproject.org"
bugzilla.password = "{{ bugzillaPassword }}"
# Mail server for sending invalid bugzilla account messages
mail.server = 'bastion-dummy'
mail.admin_email = 'admin@fedoraproject.org'
# This is a list (*must* have a comma) of email addresses to send messages about
# invalid bugzilla accounts to. The strin '$USER' is special. If present in the
# list, it will send an email to the user whose email address is not in bugzilla.
mail.notify_email = 'admin@fedoraproject.org',
# At the moment, we have to extract this information directly from the fas2
# database. We can build a json interface for it at a later date.
sqlalchemy.dburi = "postgres://fas:{{ fasDbPassword }}@db-fas/fas2"


@ -1,29 +0,0 @@
Alias /accounts/static /usr/share/fas/static
Alias /favicon.ico /usr/share/fas/static/favicon.ico
Alias /accounts/fedora-server-ca.cert /usr/share/fas/static/fedora-server-ca.cert
Alias /accounts/fedora-upload-ca.cert /usr/share/fas/static/fedora-upload-ca.cert
# For serving the crl
Alias /ca /srv/web/ca
AddType application/x-x509-ca-cert cacert.pem
AddType application/x-x509-crl crl.pem
WSGISocketPrefix run/wsgi
# TG implements its own signal handler.
WSGIRestrictSignal Off
# These are the real tunables
WSGIDaemonProcess fas processes={{wsgi_procs}} threads={{wsgi_threads}} maximum-requests=100 user=fas group=fas display-name=fas inactivity-timeout=300 shutdown-timeout=10
WSGIPythonOptimize 1
WSGIScriptAlias /accounts /usr/sbin/fas.wsgi/accounts
<Location /accounts>
WSGIProcessGroup fas
Order deny,allow
Allow from all
</Location>


@ -1,313 +0,0 @@
[global]
#
# Deployment type
# Determines which color of the header is being used
# Valid options:
# - "dev": Development
# - "stg": Staging
# - "prod": Production
#
{% if env == "staging" %}
deployment_type = "stg"
{% else %}
deployment_type = "prod"
{% endif %}
# TODO: better namespacing (maybe a [fas] section)
# admingroup is for humans that can see and do anything
###
### OpenID Support
###
{% if env == "staging" %}
samadhi.baseurl = 'https://admin.stg.fedoraproject.org/'
{% else %}
samadhi.baseurl = 'https://admin.fedoraproject.org/'
{% endif %}
openidstore = "/var/tmp/fas/openid"
###
### GPG Keys for specific operations
###
# This is the GPG Key ID used to encrypt the answer to the user's security question.
# The private key should be known to the admins to verify that the user supplied the correct answer.
key_securityquestion = 'D1E6AA0A'
###
### UI
###
theme = 'fas'
# Personal Info / Form availability
# Select/deselect items in the form
show_postal_address = 0
# Language support
available_languages = ['en', 'en_GB', 'ar', 'ast', 'bg', 'bn', 'bn_IN', 'bs', 'ca', 'cs', 'da', 'de', 'el', 'es', 'eu', 'fa', 'fi', 'fr', 'ga', 'gl', 'he', 'hi', 'hu', 'id', 'is', 'it', 'ja', 'ko', 'lv', 'mai', 'ml', 'mr', 'nb', 'nl', 'pa', 'pl', 'pt_BR', 'pt', 'ru', 'si', 'sk', 'sq', 'sr', 'sv', 'ta', 'te', 'tg', 'tr', 'uk', 'vi', 'zh_CN', 'zh_HK', 'zh_TW']
default_language = 'en'
# Country codes from GEOIP that we don't want to display in
# country selection boxes
country_blacklist = ["--", "A1", "A2", "AN", "AS", "AX", "BI", "BL", "BV", "CC", "CU", "CV", "CX", "DM", "FK", "FO", "GF", "GG", "GP", "GS", "GW", "HM", "IO", "IR", "IQ", "JE", "KI", "KP", "MF", "MP", "MS", "MW", "NF", "NR", "NU", "PM", "PN", "RE", "SB", "SD", "SH", "SJ", "SY", "TC", "TF", "TK", "TL", "TV", "UM", "VC", "VG", "WF", "YT"]
# Captcha
{% if env == "production" %}
tgcaptcha2.key = '{{ fasProdCaptchaSecret }}'
{% else %}
tgcaptcha2.key = '{{ fasStgCaptchaSecret }}'
{% endif %}
tgcaptcha2.jpeg_generator = 'vanasco_dowty'
###
### IPA Sync settings
###
ipa_sync_enabled = True
ipa_sync_keytab = '/etc/fas_sync_keytab/fas_sync_keytab'
ipa_sync_principal = 'fas_sync@{{ ipa_realm }}'
ipa_sync_server = 'ipa01{{env_suffix}}.iad2.fedoraproject.org'
ipa_sync_certfile = '/etc/fas/fas_sync_cert.pem'
###
### Administrative settings
###
# Usernames that are unavailable for fas allocation
{% if env == "staging" %}
username_blacklist = "abuse,accounts,adm,admin,amanda,anonymous,apache,askfedora,asterisk,axk4545,bexelbie,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fas_sync,fax,fcaic,fedora,fedorarewards,fedora-admin-xmlrpc,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,paguremirroring,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
{% else %}
username_blacklist = "abuse,accounts,adm,admin,amanda,anonymous,apache,askfedora,asterisk,axk4545,bin,board,bodhi,bodhi2,canna,census,chair,chairman,containerbuild,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fas,fax,fcaic,fedora,fedorarewards,fesco,freemedia,freshmaker,ftbfs,ftp,ftpadm,ftpadmin,ftpsync,games,gdm,git,gnomebackup,gopher,gregdek,grokmirror,halt,hostmaster,hotness,ident,info,ingres,jaboutboul,jan,jwf,keys,kojiadmin,ldap,legal,logo,lp,m8y,mail,mailnull,manager,marketing,masher,masta,mirrormanager,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,notifications,nrpe,nscd,ntp,nut,openvideo,operator,packager,pagure,paguremirroring,patrick,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,relrod,rel-eng,root,rpc,rpcuser,rpm,rsc,s3-mirror,sales,scholarship,secalert,secondary-signer,security,server-wg,shutdown,smmsp,spevack,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,vendor-support,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
{% endif %}
email_domain_blacklist = "{{ fas_blocked_emails }}"
# Valid SSH Key
valid_ssh_key = "rsa,ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256"
# admingroup has powers to change anything in the fas UI
admingroup = 'accounts'
# systemgroup is for automated systems that can read any info from the FAS db
systemgroup = 'fas-system'
# Moderator group provides its members restricted admin power
# allowed by defined action below.
# Valid action :
# modo.allow.update_status, allow approved member to do related action.
modo.group = 'accounts-moderators'
modo.allow.update_status = True
# thirdpartygroup is for thirdparties that also need group management
# via fas, but maintain their own actual account systems
thirdpartygroup = 'thirdparty'
# Placing a group into privileged_view_group protects the information in it
# only admins of the group can view the group
privileged_view_groups = "(^fas-.*)"
# Who should we say is sending email from fas and get email
# when fas sends a message about something?
accounts_email = "accounts@fedoraproject.org"
# Who should be listed as the legal contact for the Contributor Agreement?
legal_cla_email = "legal-cla-archive@fedoraproject.org"
# Who should be listed as the webmaster contact for the site?
webmaster_email = "webmaster@fedoraproject.org"
# All groups and some users get email aliases created for them via a cron
# job. This setting is appended to group names when sending email to members
# of a group. Be sure to set up a cron job for your site for this to work
email_host = "fedoraproject.org" # as in, web-members@email_host
# Settings for Contributor Agreements
# Meta group for anyone who's satisfied the contributor agreement requirement
cla_done_group = "cla_done"
# The standard group is what you're placed in when you sign the contributor
# agreement via fas
cla_standard_group = "cla_fpca"
# If you have a contributor agreement that you're getting rid of but want
# to give people a transition period to sign a new one, you can put the
# deprecated group in here for now.
cla_deprecated_groups = ['cla_fedora']
# Groups that automatically grant membership to other groups
# Format: 'group1:a,b,c|group2:d,e,f'
auto_approve_groups = 'packager:fedorabugs|qa:fedorabugs|security-team:fedorabugs|qa-beaker-user:qa-automation-shell|docs:fedorabugs|cla_fpca:cla_done|cla_redhat:cla_done|cla_dell:cla_done|cla_ibm:cla_done|cla_intel:cla_done'
# Anti-spam approval check script, which injects in both registration and CLA steps
# In Fedora, this is provided by the Basset service
{% if env == "staging" %}
antispam.api.url = 'http://basset01.stg.iad2.fedoraproject.org/basset'
antispam.api.username = '{{ basset_stg_frontend_user }}'
antispam.api.password = '{{ basset_stg_frontend_pass }}'
antispam.registration.autoaccept = False
antispam.cla.autoaccept = False
{% else %}
#antispam.api.url = 'http://basset01.iad2.fedoraproject.org/basset'
#antispam.api.username = '{{ basset_prod_frontend_user }}'
#antispam.api.password = '{{ basset_prod_frontend_pass }}'
#antispam.registration.autoaccept = False
#antispam.cla.autoaccept = False
{% endif %}
# Some server parameters that you may want to tweak
server.socket_port=8088
server.thread_pool=50
server.socket_queue_size=30
# Needed for translations
### Q for ricky: Should this move to app.cfg?
session_filter.on = False
# Set to True if you'd like to abort execution if a controller gets an
# unexpected parameter. False by default
tg.strict_parameters = True
server.webpath='/accounts'
base_url_filter.on = True
base_url_filter.use_x_forwarded_host = False
{% if env == "staging" %}
base_url_filter.base_url = "https://admin.stg.fedoraproject.org"
fas.url = "https://admin.stg.fedoraproject.org/accounts/"
{% else %}
base_url_filter.base_url = "https://admin.fedoraproject.org"
fas.url = "https://admin.fedoraproject.org/accounts/"
{% endif %}
# Knobs to tweak for debugging
# Enable the debug output at the end on pages.
# log_debug_info_filter.on = False
debug = 'off'
server.environment="production"
autoreload.package="fas"
autoreload.on = False
server.throw_errors = False
server.log_to_screen = False
# Make the session cookie only return to the host over an SSL link
visit.cookie.secure = True
session_filter.cookie_secure = True
visit.cookie.httponly = True
###
### Communicating to other services
###
# Database
{% if env == "staging" %}
sqlalchemy.dburi="postgres://fas:{{ fasDbPassword }}@db-fas.stg/fas2"
{% else %}
sqlalchemy.dburi="postgres://fas:{{ fasDbPassword }}@db-fas/fas2"
{% endif %}
sqlalchemy.echo=False
# When using wsgi, we want the pool to be very low (as a separate instance is
# run in each apache mod_wsgi thread. So each one is going to have very few
# concurrent db connections.
sqlalchemy.pool_size=1
sqlalchemy.max_overflow=2
# If you're serving standalone (cherrypy), since FAS2 is much busier than
# other servers due to serving visit and auth via JSON you want higher values
#sqlalchemy.pool_size=10
#sqlalchemy.max_overflow=25
memcached_server = "fas01:11211,fas02:11211"
# Sending of email via TurboMail
mail.on = False
mail.smtp.server = 'bastion-dummy'
#mail.testmode = True
mail.smtp.debug = False
mail.encoding = 'utf-8'
mail.transport = 'smtp'
mail.manager = 'demand'
# Enable yubikeys
{% if inventory_hostname.startswith('os-') %}
{% if env == "staging" %}
yubi_server_prefix='http://yubikey.fas.svc.cluster.local:8080/yk-val/verify?id='
{% else %}
yubi_server_prefix='http://yubikey:8080/yk-val/verify?id='
{% endif %}
{% else %}
yubi_server_prefix='http://localhost/yk-val/verify?id='
{% endif %}
{% if env == "staging" %}
ykksm_db="postgres://ykksmimporter:{{ ykksmimporterPassword }}@db-fas01.stg/ykksm"
ykval_db="postgres://ykval_verifier:{{ ykval_verifierPassword }}@db-fas01.stg/ykval"
{% else %}
ykksm_db="postgres://ykksmimporter:{{ ykksmimporterPassword }}@db-ykksm/ykksm"
ykval_db="postgres://ykval_verifier:{{ ykval_verifierPassword }}@db-ykval/ykval"
{% endif %}
# Enable or disable generation of SSL certificates for users
gencert = "{{ gen_cert }}"
makeexec = "/usr/bin/make"
openssl_lockdir = "/var/lock/fedora-ca"
openssl_digest = "sha256"
openssl_expire = 15552000 # 60*60*24*180 = 6 months
openssl_ca_dir = "/var/lib/fedora-ca"
openssl_ca_newcerts = "/var/lib/fedora-ca/newcerts"
openssl_ca_index = "/var/lib/fedora-ca/index.txt"
openssl_c = "US"
openssl_st = "North Carolina"
openssl_l = "Raleigh"
openssl_o = "Fedora Project"
openssl_ou = "Fedora User Cert"
# Source of entrophy for salts, tokens, passwords
# os.urandom will be used if this is false.
use_openssl_rand_bytes = True
# These determine where FAS will read the public keyring from used in all GPG operations
gpgexec = "/usr/bin/gpg"
gpghome = "/tmp/fas-gpg"
# Note: gpg_fingerprint and gpg_passphrase are for encrypting password reset mail if the user has
# a gpg key registered. It's currently broken
gpg_fingerprint = "7662 A6D3 4F21 A653 7BD4 BA64 20A0 8C45 4A0E 6255"
gpg_passphrase = "{{ fasGpgPassphrase }}"
gpg_keyserver = "hkp://subkeys.pgp.net"
[/fedora-server-ca.cert]
static_filter.on = True
static_filter.file = "/etc/pki/fas/fedora-server-ca.cert"
[/fedora-upload-ca.cert]
static_filter.on = True
static_filter.file = "/etc/pki/fas/fedora-upload-ca.cert"
# LOGGING
# Logging configuration generally follows the style of the standard
# Python logging module configuration. Note that when specifying
# log format messages, you need to use *() for formatting variables.
# Deployment independent log configuration is in fas/config/log.cfg
[logging]
[[loggers]]
[[[fas]]]
level='DEBUG'
qualname='fas'
handlers=['debug_out']
[[[allinfo]]]
level='INFO'
handlers=['debug_out']
#[[[access]]]
#level='INFO'
#qualname='turbogears.access'
#handlers=['access_out']
#propagate=0
[[[identity]]]
level='WARN'
qualname='turbogears.identity'
handlers=['access_out']
propagate=0
[[[database]]]
# Set to INFO to make SQLAlchemy display SQL commands
level='ERROR'
qualname='sqlalchemy.engine'
handlers=['debug_out']
propagate=0


@ -1,62 +0,0 @@
#!/usr/bin/python -tt
import sys
import psycopg2
FAS_HOST = "db-fas"
YKKSM_HOST = "db-ykksm"
YKVAL_HOST = "db-ykksm"
FAS_USER = "fas"
FAS_PASS = "{{ fasDbPassword }}"
YKKSM_USER = "ykksmimporter"
YKKSM_PASS = "{{ ykksmimporterPassword }}"
YKVAL_USER = "ykval_verifier"
YKVAL_PASS = "{{ ykval_verifierPassword }}"
fasdb = None
yk_ksmdb = None
yk_valdb = None
def usage():
usage = '''
fas-yubiremove [USERNAME1 [USERNAME2 [...]]]
Remove existing yubikey for the listed USERNAMEs.
'''.strip()
print usage
def init():
global fasdb, yk_ksmdb, yk_valdb
fasdb = psycopg2.connect("user='%s' password='%s' host='%s' dbname='fas2'" % (FAS_USER, FAS_PASS, FAS_HOST))
yk_ksmdb = psycopg2.connect("user='%s' password='%s' host='%s' dbname='ykksm'" % (YKKSM_USER, YKKSM_PASS, YKKSM_HOST))
yk_valdb = psycopg2.connect("user='%s' password='%s' host='%s' dbname='ykval'" % (YKVAL_USER, YKVAL_PASS, YKVAL_HOST))
def main():
init()
# Get username from commandline
usernames = sys.argv[1:]
# get the yubikey for the user from the fas configs db
for username in usernames:
fas = fasdb.cursor()
fas.execute("select value from configs, people where people.id = configs.person_id and username=%s and application = 'yubikey' and attribute = 'prefix'", (username,))
prefix = fas.fetchall()[0]
# Remove the keys from the yubikey database
yk_ksm = yk_ksmdb.cursor()
yk_ksm.execute('delete from yubikeys where publicname=%s', (prefix[0],))
yk_val = yk_valdb.cursor()
yk_val.execute('delete from yubikeys where yk_publicname=%s', (prefix[0],))
# Remove the key from fas
fas.execute("delete from configs where person_id = (select id from people where username=%s) and application = 'yubikey'", (username,))
yk_valdb.commit()
yk_ksmdb.commit()
fasdb.commit()
if __name__ == '__main__':
sys.exit(main())


@ -1,60 +0,0 @@
---
# Repair nsswitch.conf, the fas_client role installed a version which didn't include sss
- name: Ensure SSSD is consulted when looking up users and groups
replace:
path: /etc/nsswitch.conf
regexp: >-
^(?P<dbchunk>\s*(?:passwd|group|services|netgroup|automount)\s*:\s*)(?P<specchunk>(?:(?!sss(\s|$)).)*)$
replace: >-
\g<dbchunk>sss \g<specchunk>
# REMOVEME: After all affected hosts have been migrated over from fas_client, 2fa_client to
# ipa/client, this can go away.
#
# Restore pristine sudo configuration, TOTPCGI configuration messes with IPA integration
- name: Check if /etc/pam.d/sudo exists
stat:
path: /etc/pam.d/sudo
register: pam_sudo_stat
- name: Check if /etc/pam.d/sudo needs to be restored
lineinfile:
name: /etc/pam.d/sudo
regexp: 'pam_url\.so'
state: absent
check_mode: yes
changed_when: false
register: pam_sudo_pam_url_so
when: pam_sudo_stat.stat.exists and not pam_sudo_stat.stat.islnk
- name: Remove the fas-client cron jobs so they do not mess with system
file:
path=/etc/cron.d/fas-client
state=absent
- name: Remove the fas-client email cron jobs so they do not mess with system
file:
path=/etc/cron.d/fas-client-aliases
state=absent
- name: Remove butchered sudo pam.d file
file:
name: /etc/pam.d/sudo
state: absent
when: pam_sudo_stat.stat.exists and pam_sudo_pam_url_so.found
- name: Uninstall sudo package, but not any dependencies
command:
cmd: rpm -e --nodeps sudo
# We really don't want to use yum/dnf here
warn: no
failed_when: false
when: not pam_sudo_stat.stat.exists or pam_sudo_pam_url_so.found
- name: (Re)install sudo package
package:
name: sudo
state: present
when: not pam_sudo_stat.stat.exists or pam_sudo_pam_url_so.found


@ -86,15 +86,6 @@
# shell access
- name: "Warn if `fas_client_groups` is set"
fail:
msg: >-
`fas_client_groups` is defined, please convert to a (group var) list named
`ipa_client_shell_groups`
ignore_errors: true
when: fas_client_groups is defined
run_once: false
- name: "Warn if essential IPA client variables are unset"
fail:
msg: "`{{ item }}` is not defined"


@ -8,12 +8,6 @@
- ipa/client
- packages
- name: Clean up annoying remnants of previous FAS client installations
import_tasks: cleanup.yml
tags:
- ipa/client
- fas-client-cleanup
- name: Enable VPN hosts to talk to IPA
import_tasks: vpn.yml
tags:


@ -1,18 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: fas
labels:
app: fas
service: fas
namespace: fas
spec:
ports:
- name: dynamic
port: 8000
targetPort: 8000
- name: static
port: 8080
targetPort: 8080
selector:
deploymentconfig: fas


@ -1,61 +0,0 @@
apiVersion: v1
kind: BuildConfig
metadata:
labels:
build: fas
name: fas
spec:
runPolicy: Serial
source:
dockerfile: |-
FROM registry.access.redhat.com/rhel6
RUN curl -o /etc/yum.repos.d/rhel6.repo https://infrastructure.fedoraproject.org/infra/ansible/files/common/rhel6.repo && \
{% if env == "staging" %}
curl -o /etc/yum.repos.d/infra-tags-stg.repo https://infrastructure.fedoraproject.org/infra/ansible/files/common/rhel-infra-tags-stg.repo && \
{% endif %}
curl -o /etc/yum.repos.d/epel6.repo https://infrastructure.fedoraproject.org/infra/ansible/files/common/epel6.repo
RUN yum install -y \
fas \
fas-plugin-yubikey \
python-turbojson \
python-tgcaptcha \
python-bunch \
python-requests-kerberos \
krb5-workstation \
httpd \
python-gunicorn
{% if env == "staging" %}
RUN sed -i -e 's|//localhost/|//yubikey:8080/|' /usr/lib/python2.6/site-packages/fas_yubikey/__init__.py
{% endif %}
# Set up config symlinks
RUN rm -f /etc/krb5.conf && \
rm -f /etc/fas.cfg && \
rm -f /usr/sbin/export-bugzilla && \
rm -f /usr/lib/python2.6/site-packages/fas/config/log.cfg && \
ln -sf /etc/fas/krb5.conf /etc/krb5.conf && \
ln -sf /etc/fas/fas.cfg /etc/fas.cfg && \
ln -sf /etc/fas/fas-log.cfg /usr/lib/python2.6/site-packages/fas/config/log.cfg && \
ln -sf /etc/fas/export-bugzilla /usr/local/bin/export-bugzilla && \
ln -sf /etc/fas/export-bugzilla.cfg /etc/export-bugzilla.cfg && \
mkdir -p /app && \
ln -sf /usr/sbin/fas.wsgi /app/app.py
RUN yum install -y patch && \
curl https://infrastructure.fedoraproject.org/infra/ansible/roles/fas_server/files/0001-bugfix.patch | patch /usr/lib/python2.6/site-packages/CherryPy-2.3.0-py2.6.egg/cherrypy/_cphttptools.py && \
rm -f /usr/lib/python2.6/site-packages/CherryPy-2.3.0-py2.6.egg/cherrypy/_cphttptools.py{c,o}
RUN curl https://infrastructure.fedoraproject.org/infra/ansible/roles/fas_server/files/fas-readonly_notice.patch | patch /usr/lib/python2.6/site-packages/fas/templates/master.html
EXPOSE 8080
EXPOSE 8000
ENTRYPOINT bash
type: Dockerfile
strategy:
type: Docker
output:
to:
kind: ImageStreamTag
name: fas:latest


@ -1,112 +0,0 @@
apiVersion: v1
kind: DeploymentConfig
metadata:
labels:
app: fas
service: fas
name: fas
spec:
replicas: 5
selector:
deploymentconfig: fas
strategy:
activeDeadlineSeconds: 21600
recreateParams:
timeoutSeconds: 600
resources: {}
rollingParams:
intervalSeconds: 1
maxSurge: 25%
maxUnavailable: 25%
timeoutSeconds: 600
updatePeriodSeconds: 1
type: Rolling
template:
metadata:
creationTimestamp: null
labels:
app: fas
deploymentconfig: fas
spec:
containers:
- name: fas
image: fas:latest
env:
- name: TZ
value: UTC
command:
- bash
- /etc/fas/app_start.sh
ports:
- containerPort: 8000
volumeMounts:
- name: config-volume
mountPath: /etc/fas
readOnly: true
- name: secret-sync-keytab
mountPath: /etc/fas_sync_keytab
readOnly: true
- name: secret-pubring
mountPath: /etc/fas-gpg
readOnly: true
readinessProbe:
timeoutSeconds: 5
initialDelaySeconds: 1
httpGet:
path: /accounts/
port: 8000
livenessProbe:
timeoutSeconds: 5
initialDelaySeconds: 1
httpGet:
path: /accounts/
port: 8000
- name: static
image: fas:latest
command:
- bash
- /etc/fas/static_start.sh
ports:
- containerPort: 8080
volumeMounts:
- name: config-volume
mountPath: /etc/fas
readOnly: true
- name: httpdir-volume
mountPath: /httpdir
readinessProbe:
timeoutSeconds: 5
initialDelaySeconds: 1
httpGet:
path: /accounts/static/robots.txt
port: 8080
livenessProbe:
timeoutSeconds: 5
initialDelaySeconds: 1
httpGet:
path: /accounts/static/robots.txt
port: 8080
volumes:
- name: config-volume
configMap:
name: fas
- name: secret-sync-keytab
secret:
secretName: fas-sync-keytab
- name: secret-pubring
secret:
secretName: fas-gpg-pubring
- name: httpdir-volume
emptyDir: {}
triggers:
- imageChangeParams:
automatic: true
containerNames:
- fas
- static
from:
kind: ImageStreamTag
name: fas:latest
namespace: fas
type: ImageChange
- type: ConfigChange