cloud-mu 2.0.1 → 2.0.2

data/cookbooks/firewall/libraries/helpers_iptables.rb

@@ -0,0 +1,112 @@
+module FirewallCookbook
+  module Helpers
+    module Iptables
+      include FirewallCookbook::Helpers
+      include Chef::Mixin::ShellOut
+
+      CHAIN = { in: 'INPUT', out: 'OUTPUT', pre: 'PREROUTING', post: 'POSTROUTING' }.freeze unless defined? CHAIN # , nil => "FORWARD"}
+      TARGET = { allow: 'ACCEPT', reject: 'REJECT', deny: 'DROP', masquerade: 'MASQUERADE', redirect: 'REDIRECT', log: 'LOG --log-prefix "iptables: " --log-level 7' }.freeze unless defined? TARGET
+
+      def build_firewall_rule(current_node, rule_resource, ipv6 = false)
+        el5 = current_node['platform_family'] == 'rhel' && Gem::Dependency.new('', '~> 5.0').match?('', current_node['platform_version'])
+
+        return rule_resource.raw.strip if rule_resource.raw
+        firewall_rule = if rule_resource.direction
+                          "-A #{CHAIN[rule_resource.direction.to_sym]} "
+                        else
+                          '-A FORWARD '
+                        end
+
+        if [:pre, :post].include?(rule_resource.direction)
+          firewall_rule << '-t nat '
+        end
+
+        # Iptables order of prameters is important here see example output below:
+        # -A INPUT -s 1.2.3.4/32 -d 5.6.7.8/32 -i lo -p tcp -m tcp -m state --state NEW -m comment --comment "hello" -j DROP
+        firewall_rule << "-s #{ip_with_mask(rule_resource, rule_resource.source)} " if rule_resource.source && rule_resource.source != '0.0.0.0/0'
+        firewall_rule << "-d #{rule_resource.destination} " if rule_resource.destination
+
+        firewall_rule << "-i #{rule_resource.interface} " if rule_resource.interface
+        firewall_rule << "-o #{rule_resource.dest_interface} " if rule_resource.dest_interface
+
+        firewall_rule << "-p #{rule_resource.protocol} " if rule_resource.protocol && rule_resource.protocol.to_s.to_sym != :none
+        firewall_rule << '-m tcp ' if rule_resource.protocol && rule_resource.protocol.to_s.to_sym == :tcp
+
+        # using multiport here allows us to simplify our greps and rule building
+        firewall_rule << "-m multiport --sports #{port_to_s(rule_resource.source_port)} " if rule_resource.source_port
+        firewall_rule << "-m multiport --dports #{port_to_s(dport_calc(rule_resource))} " if dport_calc(rule_resource)
+
+        firewall_rule << "-m state --state #{rule_resource.stateful.is_a?(Array) ? rule_resource.stateful.join(',').upcase : rule_resource.stateful.upcase} " if rule_resource.stateful
+        # the comments extension is not available for ip6tables on rhel/centos 5
+        unless el5 && ipv6
+          firewall_rule << "-m comment --comment \"#{rule_resource.description}\" " if rule_resource.include_comment
+        end
+
+        firewall_rule << "-j #{TARGET[rule_resource.command.to_sym]} "
+        firewall_rule << "--to-ports #{rule_resource.redirect_port} " if rule_resource.command == :redirect
+        firewall_rule.strip!
+        firewall_rule
+      end
+
+      def iptables_packages(new_resource)
+        packages = if ipv6_enabled?(new_resource)
+                     %w(iptables iptables-ipv6)
+                   else
+                     %w(iptables)
+                   end
+
+        # centos 7 requires extra service
+        if !debian?(node) && node['platform_family'] != "amazon" && node['platform_version'].to_i >= 7
+          packages << %w(iptables-services)
+        end
+
+        packages.flatten
+      end
+
+      def iptables_commands(new_resource)
+        if ipv6_enabled?(new_resource)
+          %w(iptables ip6tables)
+        else
+          %w(iptables)
+        end
+      end
+
+      def log_iptables(new_resource)
+        iptables_commands(new_resource).each do |cmd|
+          shell_out!("#{cmd} -L -n")
+        end
+      rescue
+        Chef::Log.info('log_iptables failed!')
+      end
+
+      def iptables_flush!(new_resource)
+        iptables_commands(new_resource).each do |cmd|
+          shell_out!("#{cmd} -F")
+        end
+      end
+
+      def iptables_default_allow!(new_resource)
+        iptables_commands(new_resource).each do |cmd|
+          shell_out!("#{cmd} -P INPUT ACCEPT")
+          shell_out!("#{cmd} -P OUTPUT ACCEPT")
+          shell_out!("#{cmd} -P FORWARD ACCEPT")
+        end
+      end
+
+      def default_ruleset(current_node)
+        current_node['firewall']['iptables']['defaults'][:ruleset].to_h
+      end
+
+      def ensure_default_rules_exist(current_node, new_resource)
+        input = new_resource.rules
+
+        # don't use iptables_commands here since we do populate the
+        # hash regardless of ipv6 status
+        %w(iptables ip6tables).each do |name|
+          input[name] = {} unless input[name]
+          input[name].merge!(default_ruleset(current_node).to_h)
+        end
+      end
+    end
+  end
+end

data/cookbooks/firewall/libraries/helpers_ufw.rb

@@ -0,0 +1,135 @@
+module FirewallCookbook
+  module Helpers
+    module Ufw
+      include FirewallCookbook::Helpers
+      include Chef::Mixin::ShellOut
+
+      def ufw_rules_filename
+        '/etc/default/ufw-chef.rules'
+      end
+
+      def ufw_active?
+        cmd = shell_out!('ufw', 'status')
+        cmd.stdout =~ /^Status:\sactive/
+      end
+
+      def ufw_disable!
+        shell_out!('ufw', 'disable', input: 'yes')
+      end
+
+      def ufw_enable!
+        shell_out!('ufw', 'enable', input: 'yes')
+      end
+
+      def ufw_reset!
+        shell_out!('ufw', 'reset', input: 'yes')
+      end
+
+      def ufw_logging!(param)
+        shell_out!('ufw', 'logging', param.to_s)
+      end
+
+      def ufw_rule!(cmd)
+        shell_out!(cmd, input: 'yes')
+      end
+
+      def build_rule(new_resource)
+        Chef::Log.info("#{new_resource.name} apply_rule #{new_resource.command}")
+
+        # if we don't do this, we may see some bugs where traffic is opened on all ports to all hosts when only RELATED,ESTABLISHED was intended
+        if new_resource.stateful
+          msg = ''
+          msg << "firewall_rule[#{new_resource.name}] was asked to "
+          msg << "#{new_resource.command} a stateful rule using #{new_resource.stateful} "
+          msg << 'but ufw does not support this kind of rule. Consider guarding by platform_family.'
+          raise msg
+        end
+
+        # if we don't do this, ufw will fail as it does not support protocol numbers, so we'll only allow it to run if specifying icmp/tcp/udp protocol types
+        if new_resource.protocol && !new_resource.protocol.to_s.downcase.match('^(tcp|udp|esp|ah|ipv6|none)$')
+          msg = ''
+          msg << "firewall_rule[#{new_resource.name}] was asked to "
+          msg << "#{new_resource.command} a rule using protocol #{new_resource.protocol} "
+          msg << 'but ufw does not support this kind of rule. Consider guarding by platform_family.'
+          raise msg
+        end
+
+        # some examples:
+        # ufw allow from 192.168.0.4 to any port 22
+        # ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25
+        # ufw insert 1 allow proto tcp from 0.0.0.0/0 to 192.168.0.1 port 25
+
+        if new_resource.raw
+          "ufw #{new_resource.raw.strip}"
+        else
+          "ufw #{rule(new_resource)}"
+        end
+      end
+
+      def rule(new_resource)
+        rule = ''
+        rule << "#{new_resource.command} "
+        rule << rule_interface(new_resource)
+        rule << rule_logging(new_resource)
+        rule << rule_proto(new_resource)
+        rule << rule_dest_port(new_resource)
+        rule << rule_source_port(new_resource)
+        rule = rule.strip
+
+        if rule == 'ufw allow in proto tcp to any from any'
+          Chef::Log.warn("firewall_rule[#{new_resource.name}] produced a rule that opens all traffic. This may be a logic error in your cookbook.")
+        end
+
+        rule
+      end
+
+      def rule_interface(new_resource)
+        rule = ''
+        rule << "#{new_resource.direction} " if new_resource.direction
+        rule << "on #{new_resource.interface} " if new_resource.interface && new_resource.direction
+        rule << "in on #{new_resource.interface} " if new_resource.interface && !new_resource.direction
+        rule
+      end
+
+      def rule_proto(new_resource)
+        rule = ''
+        rule << "proto #{new_resource.protocol} " if new_resource.protocol && new_resource.protocol.to_s.to_sym != :none
+        rule
+      end
+
+      def rule_dest_port(new_resource)
+        rule = if new_resource.destination
+                 "to #{new_resource.destination} "
+               else
+                 'to any '
+               end
+        rule << "port #{port_to_s(dport_calc(new_resource))} " if dport_calc(new_resource)
+        rule
+      end
+
+      def rule_source_port(new_resource)
+        rule = if new_resource.source
+                 "from #{new_resource.source} "
+               else
+                 'from any '
+               end
+
+        if new_resource.source_port
+          rule << "port #{port_to_s(new_resource.source_port)} "
+        end
+        rule
+      end
+
+      def rule_logging(new_resource)
+        case new_resource.logging && new_resource.logging.to_sym
+        when :connections
+          'log '
+        when :packets
+          'log-all '
+        else
+          ''
+        end
+      end
+    end
+  end
+end

data/cookbooks/firewall/libraries/helpers_windows.rb

@@ -0,0 +1,130 @@
+module FirewallCookbook
+  module Helpers
+    module Windows
+      include FirewallCookbook::Helpers
+      include Chef::Mixin::ShellOut
+
+      def fixup_cidr(str)
+        newstr = str.clone
+        newstr.gsub!('0.0.0.0/0', 'any') if newstr.include?('0.0.0.0/0')
+        newstr.gsub!('/0', '') if newstr.include?('/0')
+        newstr
+      end
+
+      def windows_rules_filename
+        "#{ENV['HOME']}/windows-chef.rules"
+      end
+
+      def active?
+        @active ||= begin
+          cmd = shell_out!('netsh advfirewall show currentprofile')
+          cmd.stdout =~ /^State\sON/
+        end
+      end
+
+      def enable!
+        shell_out!('netsh advfirewall set currentprofile state on')
+      end
+
+      def disable!
+        shell_out!('netsh advfirewall set currentprofile state off')
+      end
+
+      def reset!
+        shell_out!('netsh advfirewall reset')
+      end
+
+      def add_rule!(params)
+        shell_out!("netsh advfirewall #{params}")
+      end
+
+      def delete_all_rules!
+        shell_out!('netsh advfirewall firewall delete rule name=all')
+      end
+
+      def to_type(new_resource)
+        cmd = new_resource.command
+        type = if cmd == :reject || cmd == :deny
+                 :block
+               else
+                 :allow
+               end
+        type
+      end
+
+      def build_rule(new_resource)
+        type = to_type(new_resource)
+        parameters = {}
+
+        parameters['description'] = "\"#{new_resource.description}\""
+        parameters['dir'] = new_resource.direction
+
+        new_resource.program && parameters['program'] = new_resource.program
+        new_resource.service && parameters['service'] = new_resource.service
+        parameters['protocol'] = new_resource.protocol
+
+        if new_resource.direction.to_sym == :out
+          parameters['localip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any'
+          parameters['localport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any'
+          parameters['interfacetype'] = new_resource.interface ? new_resource.interface : 'any'
+          parameters['remoteip'] = new_resource.destination ? fixup_cidr(new_resource.destination) : 'any'
+          parameters['remoteport'] = new_resource.dest_port ? port_to_s(new_resource.dest_port) : 'any'
+        else
+          parameters['localip'] = new_resource.destination ? new_resource.destination : 'any'
+          parameters['localport'] = dport_calc(new_resource) ? port_to_s(dport_calc(new_resource)) : 'any'
+          parameters['interfacetype'] = new_resource.dest_interface ? new_resource.dest_interface : 'any'
+          parameters['remoteip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any'
+          parameters['remoteport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any'
+        end
+
+        parameters['action'] = type.to_s
+
+        partial_command = parameters.map { |k, v| "#{k}=#{v}" }.join(' ')
+        "firewall add rule name=\"#{new_resource.name}\" #{partial_command}"
+      end
+
+      def rule_exists?(name)
+        @exists ||= begin
+          cmd = shell_out!("netsh advfirewall firewall show rule name=\"#{name}\"", returns: [0, 1])
+          cmd.stdout !~ /^No rules match the specified criteria/
+        end
+      end
+
+      def show_all_rules!
+        cmd = shell_out!('netsh advfirewall firewall show rule name=all')
+        cmd.stdout.each_line do |line|
+          Chef::Log.warn(line)
+        end
+      end
+
+      def rule_up_to_date?(name, type)
+        @up_to_date ||= begin
+          desired_parameters = rule_parameters(type)
+          current_parameters = {}
+
+          cmd = shell_out!("netsh advfirewall firewall show rule name=\"#{name}\" verbose")
+          cmd.stdout.each_line do |line|
+            current_parameters['description'] = "\"#{Regexp.last_match(1).chomp}\"" if line =~ /^Description:\s+(.*)$/
+            current_parameters['dir'] = Regexp.last_match(1).chomp if line =~ /^Direction:\s+(.*)$/
+            current_parameters['program'] = Regexp.last_match(1).chomp if line =~ /^Program:\s+(.*)$/
+            current_parameters['service'] = Regexp.last_match(1).chomp if line =~ /^Service:\s+(.*)$/
+            current_parameters['protocol'] = Regexp.last_match(1).chomp if line =~ /^Protocol:\s+(.*)$/
+            current_parameters['localip'] = Regexp.last_match(1).chomp if line =~ /^LocalIP:\s+(.*)$/
+            current_parameters['localport'] = Regexp.last_match(1).chomp if line =~ /^LocalPort:\s+(.*)$/
+            current_parameters['interfacetype'] = Regexp.last_match(1).chomp if line =~ /^InterfaceTypes:\s+(.*)$/
+            current_parameters['remoteip'] = Regexp.last_match(1).chomp if line =~ /^RemoteIP:\s+(.*)$/
+            current_parameters['remoteport'] = Regexp.last_match(1).chomp if line =~ /^RemotePort:\s+(.*)$/
+            current_parameters['action'] = Regexp.last_match(1).chomp if line =~ /^Action:\s+(.*)$/
+          end
+
+          up_to_date = true
+          desired_parameters.each do |k, v|
+            up_to_date = false if current_parameters[k] !~ /^["]?#{v}["]?$/i
+          end
+
+          up_to_date
+        end
+      end
+    end
+  end
+end

data/cookbooks/firewall/libraries/matchers.rb

@@ -0,0 +1,30 @@
+if defined?(ChefSpec)
+  ChefSpec.define_matcher(:firewall)
+  ChefSpec.define_matcher(:firewall_rule)
+
+  # actions(:install, :restart, :disable, :flush, :save)
+
+  def install_firewall(resource)
+    ChefSpec::Matchers::ResourceMatcher.new(:firewall, :install, resource)
+  end
+
+  def restart_firewall(resource)
+    ChefSpec::Matchers::ResourceMatcher.new(:firewall, :restart, resource)
+  end
+
+  def disable_firewall(resource)
+    ChefSpec::Matchers::ResourceMatcher.new(:firewall, :disable, resource)
+  end
+
+  def flush_firewall(resource)
+    ChefSpec::Matchers::ResourceMatcher.new(:firewall, :flush, resource)
+  end
+
+  def save_firewall(resource)
+    ChefSpec::Matchers::ResourceMatcher.new(:firewall, :save, resource)
+  end
+
+  def create_firewall_rule(resource)
+    ChefSpec::Matchers::ResourceMatcher.new(:firewall_rule, :create, resource)
+  end
+end

data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb

@@ -0,0 +1,179 @@
+#
+# Author:: Ronald Doorn (<rdoorn@schubergphilis.com>)
+# Cookbook:: firewall
+# Resource:: default
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+  class Provider::FirewallFirewalld < Chef::Provider::LWRPBase
+    include FirewallCookbook::Helpers::Firewalld
+
+    provides :firewall, os: 'linux', platform_family: %w(rhel fedora) do |node|
+      node['platform_version'].to_f >= 7.0 && !node['firewall']['redhat7_iptables']
+    end
+
+    def whyrun_supported?
+      false
+    end
+
+    def action_install
+      return if disabled?(new_resource)
+
+      firewalld_package = package 'firewalld' do
+        action :nothing
+        options new_resource.package_options
+      end
+      firewalld_package.run_action(:install)
+      new_resource.updated_by_last_action(firewalld_package.updated_by_last_action?)
+
+      unless ::File.exist?(firewalld_rules_filename)
+        rules_file = lookup_or_create_rulesfile
+        rules_file.content '# created by chef to allow service to start'
+        rules_file.run_action(:create)
+        new_resource.updated_by_last_action(rules_file.updated_by_last_action?)
+      end
+
+      firewalld_service = lookup_or_create_service
+      [:enable, :start].each do |a|
+        firewalld_service.run_action(a)
+        new_resource.updated_by_last_action(firewalld_service.updated_by_last_action?)
+      end
+    end
+
+    def action_restart
+      return if disabled?(new_resource)
+
+      # ensure it's initialized
+      new_resource.rules({}) unless new_resource.rules
+      new_resource.rules['firewalld'] = {} unless new_resource.rules['firewalld']
+
+      # this populates the hash of rules from firewall_rule resources
+      firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
+      firewall_rules.each do |firewall_rule|
+        next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
+
+        ip_versions(firewall_rule).each do |ip_version|
+          # build rules to apply with weight
+          k = "firewall-cmd --direct --add-rule #{build_firewall_rule(firewall_rule, ip_version)}"
+          v = firewall_rule.position
+
+          # unless we're adding them for the first time.... bail out.
+          next if new_resource.rules['firewalld'].key?(k) && new_resource.rules['firewalld'][k] == v
+          new_resource.rules['firewalld'][k] = v
+
+          # If persistent rules is enabled (default) make sure we add a permanent rule at the same time
+          perm_rules = node && node['firewall'] && node['firewall']['firewalld'] && node['firewall']['firewalld']['permanent']
+          if firewall_rule.permanent || perm_rules
+            k = "firewall-cmd --permanent --direct --add-rule #{build_firewall_rule(firewall_rule, ip_version)}"
+            new_resource.rules['firewalld'][k] = v
+          end
+        end
+      end
+
+      # ensure a file resource exists with the current firewalld rules
+      rules_file = lookup_or_create_rulesfile
+      rules_file.content build_rule_file(new_resource.rules['firewalld'])
+      rules_file.run_action(:create)
+
+      # ensure the service is running without waiting.
+      firewalld_service = lookup_or_create_service
+      [:enable, :start].each do |a|
+        firewalld_service.run_action(a)
+        new_resource.updated_by_last_action(firewalld_service.updated_by_last_action?)
+      end
+
+      # mark updated if we changed the zone
+      unless firewalld_default_zone?(new_resource.enabled_zone)
+        firewalld_default_zone!(new_resource.enabled_zone)
+        new_resource.updated_by_last_action(true)
+      end
+
+      # if the file was changed, load new ruleset
+      return unless rules_file.updated_by_last_action?
+      firewalld_flush!
+      # TODO: support logging
+
+      new_resource.rules['firewalld'].sort_by { |_k, v| v }.map { |k, _v| k }.each do |cmd|
+        firewalld_rule!(cmd)
+      end
+
+      new_resource.updated_by_last_action(true)
+    end
+
+    def action_disable
+      return if disabled?(new_resource)
+
+      if firewalld_active?
+        firewalld_flush!
+        firewalld_default_zone!(new_resource.disabled_zone)
+        new_resource.updated_by_last_action(true)
+      end
+
+      # ensure the service is stopped without waiting.
+      firewalld_service = lookup_or_create_service
+      [:disable, :stop].each do |a|
+        firewalld_service.run_action(a)
+        new_resource.updated_by_last_action(firewalld_service.updated_by_last_action?)
+      end
+
+      rules_file = lookup_or_create_rulesfile
+      rules_file.content '# created by chef to allow service to start'
+      rules_file.run_action(:create)
+      new_resource.updated_by_last_action(rules_file.updated_by_last_action?)
+    end
+
+    def action_flush
+      return if disabled?(new_resource)
+      return unless firewalld_active?
+
+      firewalld_flush!
+      new_resource.updated_by_last_action(true)
+
+      rules_file = lookup_or_create_rulesfile
+      rules_file.content '# created by chef to allow service to start'
+      rules_file.run_action(:create)
+      new_resource.updated_by_last_action(rules_file.updated_by_last_action?)
+    end
+
+    def action_save
+      return if disabled?(new_resource)
+      return if firewalld_all_rules_permanent!
+
+      firewalld_save!
+      new_resource.updated_by_last_action(true)
+    end
+
+    def lookup_or_create_service
+      begin
+        firewalld_service = Chef.run_context.resource_collection.find(service: 'firewalld')
+      rescue
+        firewalld_service = service 'firewalld' do
+          action :nothing
+        end
+      end
+      firewalld_service
+    end
+
+    def lookup_or_create_rulesfile
+      begin
+        firewalld_file = Chef.run_context.resource_collection.find(file: firewalld_rules_filename)
+      rescue
+        firewalld_file = file firewalld_rules_filename do
+          action :nothing
+        end
+      end
+      firewalld_file
+    end
+  end
+end