Merge branch 'master' of /git/ansible

inventory/group_vars/people

@@ -14,3 +14,18 @@ fedmsg_certs:
   group: planet-user
   can_send:
   - planet.post.new
+
+# For the MOTD
+csi_security_category: Low
+csi_primary_contact: Fedora admins - adminfedoraproject.org
+csi_purpose: Provide hosting space for Fedora contributors and Fedora Planet
+
+csi_relationship: |
+ - shell accounts and web space for fedora contributors
+ - web space for personal yum repos
+ - shared space for small group/personal git repos
+
+  Please be aware that this is a shared server, and you should not upload
+  Private/Secret SSH or GPG keys onto this system. Any such keys found
+  will be deleted.
+

inventory/host_vars/209.132.184.150

@@ -1 +0,0 @@
-209.132.184.144

playbooks/groups/jenkins-cloud.yml

@@ -471,21 +471,36 @@
     - pwgen             # Required for mpi4py
     - openmpi-devel     # Required for mpi4py
     - mpich2-devel      # Required for mpi4py
-    - python-openid      # Required by Ipsilon
+    - pylint            # Required by Ipsilon
-    - python-openid-teams  # Required by Ipsilon
+    - python-pep8
-    - python-openid-cla  # Required by Ipsilon
+    - nodejs-less
-    - python-cherrypy    # Required by Ipsilon
+    - python-openid
-    - m2crypto           # Required by Ipsilon
+    - python-openid-teams
-    - lasso-python       # Required by Ipsilon
+    - python-openid-cla
-    - python-sqlalchemy  # Required by Ipsilon
+    - python-cherrypy
-    - python-ldap        # Required by Ipsilon
+    - m2crypto
-    - python-pam         # Required by Ipsilon
+    - lasso-python
-    - freeipa-python     # Required by Ipsilon
+    - python-sqlalchemy
-    - httpd              # Required by Ipsilon
+    - python-ldap
-    - mod_auth_mellon    # Required by Ipsilon
+    - python-pam
-    - postgresql-server  # Required by Ipsilon
+    - python-fedora
-    - mod_wsgi           # Required by Ipsilon
+    - freeipa-python
-    - python-jinja2      # Required by Ipsilon
+    - httpd
+    - mod_auth_mellon
+    - postgresql-server
+    - openssl
+    - mod_wsgi
+    - python-jinja2
+    - python-psycopg2
+    - sssd
+    - libsss_simpleifp
+    - openldap-servers
+    - mod_auth_gssapi
+    - krb5-server
+    - socket_wrapper
+    - nss_wrapper
+    - python-requests-kerberos
+    - python-lesscpy     # End requires for Ipsilon
     - libxml2-python     # Required by gimp-docs
     - createrepo         # Required by dnf
     tags:

playbooks/include/proxies-redirects.yml

@@ -64,6 +64,12 @@
     target: http://www.flocktofedora.org/
     status: 302
 
+  - role: httpd/redirect
+    name: fedoramy
+    website: fedora.my
+    target: http://www.fedora.my/
+    status: 302
+
   - role: httpd/redirect
     name: join-fedora
     website: join.fedoraproject.org

playbooks/include/proxies-websites.yml

@@ -232,6 +232,12 @@
     - flocktofedora.com
     ssl: false
 
+  - role: httpd/website
+    name: fedora.my
+    server_aliases:
+    - fedora.my
+    ssl: false
+
   - role: httpd/website
     name: bugz.fedoraproject.org
     server_aliases: [bugz.stg.fedoraproject.org]

roles/bodhi2/base/templates/staging.ini.j2

@@ -40,8 +40,7 @@ captcha.secret = {{ bodhi2CaptchaSecret }}
 captcha.image_width = 300
 captcha.image_height = 80
 # Any truetype font will do.
-# This font lives in pcaro-hermit-fonts package
+captcha.font_path = /usr/share/fonts/liberation/LiberationMono-Regular.ttf
-captcha.font_path = /usr/share/fonts/pcaro-hermit/Hermit-medium.otf
 captcha.font_size = 36
 # Colors
 captcha.font_color = #000000

roles/epylog/files/merged/weed_local.cf

@@ -89,6 +89,7 @@ kernel:.*usb 3-3: new full-speed USB device number.*using xhci_hcd
 kernel:.*usb 3-3: Device not responding to set address.
 kernel:.*usb 3-3: Device not responding to set address.
 kernel:.*usb 3-3: device not accepting address.*error -71
+koschei*:.*
 lvm.*: Another thread is handling an event. Waiting...*
 nagios: Auto-save of retention data completed successfully
 nagios: CURRENT.*

roles/ipsilon/files/api.py

@@ -0,0 +1,98 @@
+# Copyright (C) 2015 Patrick Uiterwijk, for license see COPYING
+
+from __future__ import absolute_import
+
+from ipsilon.providers.openid.extensions.common import OpenidExtensionBase
+import ipsilon.root
+from ipsilon.util.page import Page
+from ipsilon.util.user import User
+
+import json
+import inspect
+
+
+class OpenidExtension(OpenidExtensionBase):
+
+    def __init__(self, *pargs):
+        super(OpenidExtension, self).__init__('API')
+
+    def enable(self):
+        # This is the most ugly hack in my history of python...
+        # But I need to find the root object, and that is not passed into
+        #  the OpenID extension system anywhere...
+        root_obj = inspect.stack()[5][0].f_locals['self']
+        root_obj.api = APIPage(root_obj)
+
+
+class APIPage(Page):
+    def __init__(self, root_obj):
+        ipsilon.root.sites['api'] = dict()
+        ipsilon.root.sites['api']['template_env'] = \
+            ipsilon.root.sites['default']['template_env']
+        super(APIPage, self).__init__(ipsilon.root.sites['api'])
+        self.v1 = APIV1Page(root_obj)
+
+
+class APIV1Page(Page):
+    def __init__(self, root_obj):
+        ipsilon.root.sites['api_v1'] = dict()
+        ipsilon.root.sites['api_v1']['template_env'] = \
+            ipsilon.root.sites['default']['template_env']
+        super(APIV1Page, self).__init__(ipsilon.root.sites['api_v1'])
+        self.root_obj = root_obj
+
+    def root(self, *args, **kwargs):
+        return json.dumps(self._perform_call(kwargs))
+
+    def _perform_call(self, arguments):
+        fas = self.root_obj.login.fas.lm
+        openid = self.root_obj.openid
+
+        openid_request = None
+        try:
+            openid_request = openid.cfg.server.decodeRequest(arguments)
+        except Exception, ex:
+            print 'Error during openid decoding: %s' % ex
+            return {'success': False,
+                    'status': 400,
+                    'message': 'Invalid request'
+                    }
+        if not openid_request:
+            print 'No OpenID request parsed'
+            return {'success': False,
+                    'status': 400,
+                    'message': 'Invalid request'
+                    }
+        if not arguments['auth_module'] == 'fedoauth.auth.fas.Auth_FAS':
+            print 'Unknown auth module selected'
+            return {'success': False,
+                    'status': 400,
+                    'message': 'Unknown authentication module'
+                    }
+        username = arguments['username']
+        password = arguments['password']
+        user = None
+        userdata = None
+        try:
+            _, user = fas.fpc.login(username, password)
+            userdata = fas.page.make_userdata(user.user)
+        except Exception, ex:
+            print 'Error during auth: %s' % ex
+            pass
+
+        if user is None or userdata is None:
+            print 'No user or data: %s, %s' % (user, userdata)
+            return {'success': False,
+                    'status': 400,
+                    'message': 'Authentication failed'}
+
+        us_obj = User(username)
+        fake_session = lambda: None
+        setattr(fake_session, 'get_user', lambda *args: us_obj)
+        setattr(fake_session, 'get_user_attrs', lambda *args: userdata)
+
+        openid_response = openid._response(openid_request, fake_session)
+        openid_response = openid.cfg.server.signatory.sign(openid_response).fields.toPostArgs()
+        return {'success': True,
+                'response': openid_response}
+

roles/ipsilon/tasks/main.yml

@@ -18,6 +18,11 @@
   tags:
   - packages
 
+- name: Copy OpenID API extension
+  copy: src=api.py
+        dest=/usr/lib/python2.7/site-packages/ipsilon/providers/openid/extensions/api.py
+        owner=root group=root mode=0644
+
 - name: copy ipsilon templates
   copy: src=templates/
         dest=/usr/share/ipsilon/templates-fedora

roles/ipsilon/templates/configuration.conf

@@ -33,7 +33,7 @@ openid endpoint url=https://id.fedoraproject.org/openid/
 openid identity url template=http://%(username)s.id.fedoraproject.org/
 openid trusted roots=http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin,https://ask.fedoraproject.org/,https://fedorahosted.org/,https://badges.fedoraproject.org,https://apps.fedoraproject.org/tagger/,https://apps.fedoraproject.org/nuancier/,https://apps.fedoraproject.org/datagrepper/,https://apps.fedoraproject.org/calendar/,http://apps.fedoraproject.org/notifications/,http://copr.fedoraproject.org/,http://copr-fe.cloud.fedoraproject.org/,https://admin.fedoraproject.org/pkgdb/,https://admin.fedoraproject.org/voting/,https://apps.fedoraproject.org/github2fedmsg,https://admin.fedoraproject.org,https://apps.fedoraproject.org/,https://release-monitoring.org/
 {% endif %}
-openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_name }}
+openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
 openid untrusted roots=
-openid enabled extensions=Teams,Attribute Exchange,CLAs,Simple Registration
+openid enabled extensions=Teams,Attribute Exchange,CLAs,Simple Registration,API
 

roles/ipsilon/templates/ipsilon.conf

@@ -6,13 +6,13 @@ template_dir = "/usr/share/ipsilon/templates-fedora"
 log.screen = False
 base.dir = "/usr/share/ipsilon"
 admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
-user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_name }}"
+user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
-transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_name }}"
+transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
 
 tools.sessions.on = True
 tools.sessions.name = "fedora_ipsilon_session_id"
 tools.sessions.storage_type = "Sql"
-tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_name }}"
+tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_sessions_name }}"
 tools.sessions.timeout = 60
 tools.sessions.httponly = True
 tools.sessions.secure = True

roles/koschei/tasks/main.yml

@@ -125,3 +125,44 @@
             owner=koschei group=koschei mode=0600
   tags:
   - koschei
+
+- name: Create libexec/koschei dir
+  file: path=/usr/libexec/koschei state=directory
+  when: env == "production"
+  tags:
+  - koschei
+  - hotfix
+
+- name: Create symlinks to python to get specific executable names
+  file: path="/usr/libexec/koschei/koschei-{{ item }}"
+        src=/usr/bin/python
+        state=link
+  when: env == "production"
+  with_items:
+  - polling
+  - resolver
+  - scheduler
+  - watcher
+  tags:
+  - koschei
+  - hotfix
+
+- name: Run using specific symlinks
+  lineinfile: dest="/usr/lib/systemd/system/koschei-{{ item }}.service"
+              regexp="^ExecStart"
+              line="ExecStart=/usr/libexec/koschei/koschei-{{ item }} -m koschei.main {{ item }}"
+  when: env == "production"
+  with_items:
+  - polling
+  - resolver
+  - scheduler
+  - watcher
+  tags:
+  - koschei
+  - hotfix
+  notify:
+  - reload systemd
+  - restart koschei-polling
+  - restart koschei-resolver
+  - restart koschei-scheduler
+  - restart koschei-watcher