cloud-mu 3.1.2 → 3.2.0

data/cookbooks/mu-activedirectory/resources/domain.rb

@@ -19,7 +19,7 @@ attribute :domain_admin_password, :kind_of => String, :required => true
 attribute :restore_mode_password, :kind_of => String, :required => true
 attribute :site_name, :kind_of => String, :default => node['ad']['site_name'], :required => false
 attribute :computer_name, :kind_of => String, :default => node['ad']['computer_name']
-attribute :ntds_static_port, :kind_of => Fixnum, :default => node['ad']['ntds_static_port']
-attribute :ntfrs_static_port, :kind_of => Fixnum, :default => node['ad']['ntfrs_static_port']
-attribute :dfsr_static_port, :kind_of => Fixnum, :default => node['ad']['dfsr_static_port']
-attribute :netlogon_static_port, :kind_of => Fixnum, :default => node['ad']['netlogon_static_port']
+attribute :ntds_static_port, :kind_of => Integer, :default => node['ad']['ntds_static_port']
+attribute :ntfrs_static_port, :kind_of => Integer, :default => node['ad']['ntfrs_static_port']
+attribute :dfsr_static_port, :kind_of => Integer, :default => node['ad']['dfsr_static_port']
+attribute :netlogon_static_port, :kind_of => Integer, :default => node['ad']['netlogon_static_port']

data/cookbooks/mu-activedirectory/resources/domain_controller.rb

@@ -19,7 +19,7 @@ attribute :domain_admin_password, :kind_of => String, :required => true
 attribute :restore_mode_password, :kind_of => String, :required => true
 attribute :site_name, :kind_of => String, :default => node['ad']['site_name'], :required => false
 attribute :computer_name, :kind_of => String, :default => node['ad']['computer_name']
-attribute :ntds_static_port, :kind_of => Fixnum, :default => node['ad']['ntds_static_port']
-attribute :ntfrs_static_port, :kind_of => Fixnum, :default => node['ad']['ntfrs_static_port']
-attribute :dfsr_static_port, :kind_of => Fixnum, :default => node['ad']['dfsr_static_port']
-attribute :netlogon_static_port, :kind_of => Fixnum, :default => node['ad']['netlogon_static_port']
+attribute :ntds_static_port, :kind_of => Integer, :default => node['ad']['ntds_static_port']
+attribute :ntfrs_static_port, :kind_of => Integer, :default => node['ad']['ntfrs_static_port']
+attribute :dfsr_static_port, :kind_of => Integer, :default => node['ad']['dfsr_static_port']
+attribute :netlogon_static_port, :kind_of => Integer, :default => node['ad']['netlogon_static_port']

data/cookbooks/mu-tools/libraries/helper.rb

@@ -49,7 +49,6 @@ module Mutools
     @authorizer = nil
     def set_gcp_cfg_params
       begin
-        require "google/cloud"
         require "googleauth"
         @project ||= get_google_metadata("project/project-id")
         @authorizer ||= ::Google::Auth.get_application_default(['https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/compute.readonly'])
@@ -202,6 +201,8 @@ module Mutools
           Chef::Log.info("Fetching deploy secret: #{gsutil} cp gs://#{bucket}/#{filename} -")
           cmd = if File.exist?("/usr/bin/python2.7")
             %Q{CLOUDSDK_PYTHON=/usr/bin/python2.7 #{gsutil} cp gs://#{bucket}/#{filename} -}
+          elsif File.exist?("/opt/rh/python27/root/usr/bin/python")
+            %Q{CLOUDSDK_PYTHON=/opt/rh/python27/root/usr/bin/python #{gsutil} cp gs://#{bucket}/#{filename} -}
           else
             %Q{#{gsutil} cp gs://#{bucket}/#{filename} -}
           end
@@ -235,7 +236,7 @@ module Mutools
       response = nil
       begin
         secret = get_deploy_secret
-        if secret.nil?
+        if secret.nil? or secret.empty?
           raise "Failed to fetch deploy secret, and I can't communicate with Momma Cat without it"
         end
 

data/cookbooks/mu-tools/libraries/monkey.rb

@@ -0,0 +1,35 @@
+class Chef
+  class Provider
+    class Package
+      class Rubygems < Chef::Provider::Package
+
+        def install_via_gem_command(name, version)
+          src = []
+          if new_resource.source.is_a?(String) && new_resource.source =~ /\.gem$/i
+            name = new_resource.source
+          else
+            src << "--clear-sources" if new_resource.clear_sources
+            src += gem_sources.map { |s| "--source=#{s}" }
+          end
+          src_str = src.empty? ? "" : " #{src.join(" ")}"
+          cmd = if !version.nil? && !version.empty?
+            "#{gem_binary_path} install #{name} -q --no-rdoc --no-ri -v \"#{version}\"#{src_str}#{opts}"
+          else
+            "#{gem_binary_path} install \"#{name}\" -q --no-rdoc --no-ri #{src_str}#{opts}"
+          end
+
+          begin
+            shell_out_with_timeout!(cmd, env: nil)
+          rescue StandardError => e
+            if cmd.match(/--no-rdoc|--no-ri/)
+              cmd.gsub!(/--no-rdoc --no-ri/, "--no-document")
+              retry
+            end
+            raise e
+          end
+        end
+
+      end
+    end
+  end
+end

data/cookbooks/mu-tools/recipes/apply_security.rb

@@ -252,21 +252,21 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
       #		end
       # 6.3 Configure PAM
       # 6.3.2 Set Password Creation Requirement Parameters Using pam_cracklib
-      template "/etc/pam.d/password-auth-local" do
-        source "etc_pamd_password-auth.erb"
-        mode 0644
-      end
-      link "/etc/pam.d/password-auth" do
-        to "/etc/pam.d/password-auth-local"
-      end
+#      template "/etc/pam.d/password-auth-local" do
+#        source "etc_pamd_password-auth.erb"
+#        mode 0644
+#      end
+#      link "/etc/pam.d/password-auth" do
+#        to "/etc/pam.d/password-auth-local"
+#      end
       #6.3.3 Set Lockout for Failed Password Attempts
-      template "/etc/pam.d/system-auth-local" do
-        source "etc_pamd_system-auth.erb"
-        mode 0644
-      end
-      link "/etc/pam.d/system-auth" do
-        to "/etc/pam.d/system-auth-local"
-      end
+#      template "/etc/pam.d/system-auth-local" do
+#        source "etc_pamd_system-auth.erb"
+#        mode 0644
+#      end
+#      link "/etc/pam.d/system-auth" do
+#        to "/etc/pam.d/system-auth-local"
+#      end
   
       #SV-50303r1_rule/SV-50304r1_rule
       execute "chown root:root /etc/shadow"

data/cookbooks/mu-tools/recipes/aws_api.rb

@@ -21,3 +21,12 @@ chef_gem "aws-sdk-core" do
   version "2.11.24"
   action :install
 end
+
+if platform_family?("rhel") or platform_family?("amazon")
+  if node['platform_version'].to_i == 6
+    package "python34-pip"
+    execute "/usr/bin/pip3 install awscli" do
+      not_if "test -x /usr/bin/aws"
+    end
+  end
+end

data/cookbooks/mu-tools/recipes/eks.rb

@@ -160,8 +160,8 @@ Environment='KUBELET_EXTRA_ARGS=$KUBELET_EXTRA_ARGS'
 
   opento.uniq.each { |src|
     [:tcp, :udp, :icmp].each { |proto|
-      execute "iptables -I INPUT -p #{proto} -s #{src}" do
-        not_if "iptables -L -n | tr -s ' ' | grep -- '#{proto} -- #{src.sub(/\/32$/, "")}' > /dev/null"
+      execute "iptables -w 30 -I INPUT -p #{proto} -s #{src}" do
+        not_if "iptables -w 30 -L -n | tr -s ' ' | grep -- '#{proto} -- #{src.sub(/\/32$/, "")}' > /dev/null"
       end
     }
   }

data/cookbooks/mu-tools/recipes/google_api.rb

@@ -16,10 +16,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-["google-api-client", "google-cloud", "googleauth"].each { |gem|
+["google-api-client", "googleauth"].each { |gem|
   chef_gem gem do
     compile_time true
     action :install
-		only_if { !get_google_metadata("name").nil? }
+		only_if { !get_google_metadata("instance/name").nil? }
   end
 }

data/cookbooks/mu-tools/recipes/selinux.rb

@@ -4,7 +4,8 @@
 #
 # Copyright:: 2019, The Authors, All Rights Reserved.
 
-if !node['application_attributes']['skip_recipes'].include?('selinux')
+if !node['application_attributes']['skip_recipes'].include?('selinux') and
+   (platform_family?("rhel") or platform_family?("amazon"))
 
   selinux_state "SELinux Enforcing" do
     action :enforcing

data/cookbooks/mu-tools/recipes/windows-client.rb

@@ -26,20 +26,22 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
 
       sshd_password = windows_vault[node['windows_sshd_password_field']]
 
+      admin_user = node['windows_admin_username'] || "Administrator"
+
       windows_version = node['platform_version'].to_i
       
       public_keys = Array.new
 
-      if windows_version == 10
+      if windows_version >= 10
         Chef::Log.info "version #{windows_version}, using openssh"
 
         include_recipe 'chocolatey'
 
         openssh_path = 'C:\Program Files\OpenSSH-Win64'
 
-        ssh_program_data = "#{ENV['ProgramData']}/ssh"
+        ssh_program_data = "#{ENV['ProgramData']}\\ssh"
 
-        ssh_dir = "C:/Users/Administrator/.ssh"
+        ssh_dir = "C:/Users/#{admin_user}/.ssh"
 
         authorized_keys = "#{ssh_dir}/authorized_keys"
 
@@ -86,7 +88,8 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
           path ssh_program_data
           owner sshd_user
           rights :full_control, sshd_user
-          rights :full_control, 'Administrator'
+          rights :full_control, admin_user
+          notifies :run, 'ruby[find files to change ownership of]', :immediately
           notifies :run, 'powershell_script[Generate Host Key]', :immediately
         end
 
@@ -97,22 +100,22 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
           notifies :create, "template[#{ssh_program_data}/sshd_config]", :immediately
         end
 
-        template "#{ssh_program_data}/sshd_config" do
+        directory "set file ownership" do
           action :nothing
+          path ssh_program_data
           owner sshd_user
-          source "sshd_config.erb"
           mode '0600'
-          cookbook "mu-tools"
-          notifies :run, 'ruby[find files to change ownership of]', :immediately
+          rights :full_control, sshd_user
+          deny_rights :full_control, admin_user
         end
 
-        directory "set file ownership" do
+        template "#{ssh_program_data}/sshd_config" do
           action :nothing
-          path ssh_program_data
           owner sshd_user
+          source "sshd_config.erb"
           mode '0600'
-          rights :full_control, sshd_user
-          deny_rights :full_control, 'Administrator'
+          cookbook "mu-tools"
+          notifies :run, 'ruby[find files to change ownership of]', :immediately
         end
 
         windows_service 'sshd' do
@@ -120,26 +123,26 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
         end
 
         group 'sshusers' do
-          members [sshd_user, 'Administrator']
+          members [sshd_user, admin_user]
         end
 
         ruby 'find files to change ownership of' do
           action :nothing
           code <<-EOH
-            files = Dir.entries ssh_program_data
+            files = Dir.entries '#{ssh_program_data}'
             puts files
           EOH
         end
 
-        log 'files in ssh' do
-          message files.join
-          level :info
-        end
-
+#        log 'files in ssh' do
+#          message files.join
+#          level :info
+#        end
+#
         files.each do |file|
           file "#{ssh_program_data}#{file}" do
             owner sshd_user
-            deny_rights :full_control, 'Administrator'
+            deny_rights :full_control, admin_user
           end
         end
 
@@ -150,7 +153,7 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
         end
 
         file authorized_keys do
-          owner 'Administrator'
+          owner admin_user
           content public_key
         end
 
@@ -184,153 +187,149 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
 #        end
 #      }
 
-        reboot "Cygwin LSA" do
-          action :nothing
-          reason "Enabling Cygwin LSA support"
-        end
-
-        powershell_script "Configuring Cygwin LSA support" do
-          code <<-EOH
-            Invoke-Expression '& #{cygwindir}/bin/bash.exe --login -c "echo yes | /bin/cyglsa-config"'
-          EOH
-          not_if {
-            lsa_found = false
-            if registry_key_exists?("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa")
-              registry_get_values("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa").each { |val|
-                if val[:name] == "Authentication Packages"
-                  lsa_found = true if val[:data].grep(/cyglsa64\.dll/)
-                  break
-                end
-              }
-            end
-            lsa_found
-          }
-          notifies :reboot_now, "reboot[Cygwin LSA]", :immediately
-        end
-
-        powershell_script "enable Cygwin sshd" do
-          code <<-EOH
-            Invoke-Expression -Debug '& #{cygwindir}/bin/bash.exe --login -c "ssh-host-config -y -c ntsec -w ''#{sshd_password}'' -u #{sshd_user}"'
-            Invoke-Expression -Debug '& #{cygwindir}/bin/bash.exe --login -c "sed -i.bak ''s/#.*StrictModes.*yes/StrictModes no/'' /etc/sshd_config"'
-            Invoke-Expression -Debug '& #{cygwindir}/bin/bash.exe --login -c "sed -i.bak ''s/#.*PasswordAuthentication.*yes/PasswordAuthentication no/'' /etc/sshd_config"'
-            Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "chown #{sshd_user} /var/empty /var/log/sshd.log /etc/ssh*; chmod 755 /var/empty"'
-          EOH
-          sensitive true
-          not_if %Q{Get-Service "sshd"}
-        end
-        powershell_script "set unix-style Cygwin sshd permissions" do
-          code <<-EOH
-            if((Get-WmiObject win32_computersystem).partofdomain){
-              Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkpasswd -d > /etc/passwd"'
-              Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkgroup -l -d > /etc/group"'
-            } else {
-              Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkpasswd -l > /etc/passwd"'
-              Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkgroup -l > /etc/group"'
-            }
-            Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "chown #{sshd_user} /var/empty /var/log/sshd.log /etc/ssh*; chmod 755 /var/empty"'
-          EOH
-        end
-
-        include_recipe 'mu-activedirectory'
-
-        ::Chef::Recipe.send(:include, Chef::Mixin::PowershellOut)
-
-        template "c:/bin/cygwin/etc/sshd_config" do
-          source "sshd_config.erb"
-          mode 0644
-          cookbook "mu-tools"
-          ignore_failure true
-        end
-
-        ec2config_user= windows_vault[node['windows_ec2config_username_field']]
-        ec2config_password = windows_vault[node['windows_ec2config_password_field']]
-        login_dom = "."
-
-        if in_domain?
-
-          ad_vault = chef_vault_item(node['ad']['domain_admin_vault'], node['ad']['domain_admin_item'])
-          login_dom = node['ad']['netbios_name']
-
-          windows_users node['ad']['computer_name'] do
-            username ad_vault[node['ad']['domain_admin_username_field']]
-            password ad_vault[node['ad']['domain_admin_password_field']]
-            domain_name node['ad']['domain_name']
-            netbios_name node['ad']['netbios_name']
-            dc_ips node['ad']['dc_ips']
-            ssh_user sshd_user
-            ssh_password sshd_password
-            ec2config_user ec2config_user
-            ec2config_password ec2config_password
-          end
-
-          aws_windows "ec2" do
-            username ec2config_user
-            service_username "#{node['ad']['netbios_name']}\\#{ec2config_user}"
-            password ec2config_password
-          end
-
-          scheduled_tasks "tasks" do
-            username ad_vault[node['ad']['domain_admin_username_field']]
-            password ad_vault[node['ad']['domain_admin_password_field']]
-          end
-
-          sshd_service "sshd" do
-            service_username "#{node['ad']['netbios_name']}\\#{sshd_user}"
-            username sshd_user
-            password sshd_password
-          end
-
-          begin
-            resources('service[sshd]')
-          escue Chef::Exceptions::ResourceNotFound
-            service "sshd" do
-              action [:enable, :start]
-              sensitive true
-            end
-          end
-        else
-          windows_users node['hostname'] do
-            username node['windows_admin_username']
-            password windows_vault[node['windows_auth_password_field']]
-            ssh_user sshd_user
-            ssh_password sshd_password
-            ec2config_user ec2config_user
-            ec2config_password ec2config_password
-          end
-
-          aws_windows "ec2" do
-            username ec2config_user
-            service_username ".\\#{ec2config_user}"
-            password ec2config_password
-          end
-
-          scheduled_tasks "tasks" do
-            username node['windows_admin_username']
-            password windows_vault[node['windows_auth_password_field']]
-          end
+#        reboot "Cygwin LSA" do
+#          action :nothing
+#          reason "Enabling Cygwin LSA support"
+#        end
+#
+#        powershell_script "Configuring Cygwin LSA support" do
+#          code <<-EOH
+#            Invoke-Expression '& #{cygwindir}/bin/bash.exe --login -c "echo yes | /bin/cyglsa-config"'
+#          EOH
+#          not_if {
+#            lsa_found = false
+#            if registry_key_exists?("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa")
+#              registry_get_values("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa").each { |val|
+#                if val[:name] == "Authentication Packages"
+#                  lsa_found = true if val[:data].grep(/cyglsa64\.dll/)
+#                  break
+#                end
+#              }
+#            end
+#            lsa_found
+#          }
+#          notifies :reboot_now, "reboot[Cygwin LSA]", :immediately
+#        end
+#
+#        powershell_script "enable Cygwin sshd" do
+#          code <<-EOH
+#            Invoke-Expression -Debug '& #{cygwindir}/bin/bash.exe --login -c "ssh-host-config -y -c ntsec -w ''#{sshd_password}'' -u #{sshd_user}"'
+#            Invoke-Expression -Debug '& #{cygwindir}/bin/bash.exe --login -c "sed -i.bak ''s/#.*StrictModes.*yes/StrictModes no/'' /etc/sshd_config"'
+#            Invoke-Expression -Debug '& #{cygwindir}/bin/bash.exe --login -c "sed -i.bak ''s/#.*PasswordAuthentication.*yes/PasswordAuthentication no/'' /etc/sshd_config"'
+#            Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "chown #{sshd_user} /var/empty /var/log/sshd.log /etc/ssh*; chmod 755 /var/empty"'
+#          EOH
+#          sensitive true
+#          not_if %Q{Get-Service "sshd"}
+#        end
+#        powershell_script "set unix-style Cygwin sshd permissions" do
+#          code <<-EOH
+#            if((Get-WmiObject win32_computersystem).partofdomain){
+#              Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkpasswd -d > /etc/passwd"'
+#              Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkgroup -l -d > /etc/group"'
+#            } else {
+#              Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkpasswd -l > /etc/passwd"'
+#              Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkgroup -l > /etc/group"'
+#            }
+#            Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "chown #{sshd_user} /var/empty /var/log/sshd.log /etc/ssh*; chmod 755 /var/empty"'
+#          EOH
+#        end
+#
+#        include_recipe 'mu-activedirectory'
+#
+#        ::Chef::Recipe.send(:include, Chef::Mixin::PowershellOut)
+#
+#        template "c:/bin/cygwin/etc/sshd_config" do
+#          source "sshd_config.erb"
+#          mode 0644
+#          cookbook "mu-tools"
+#          ignore_failure true
+#        end
+#
+#        ec2config_user= windows_vault[node['windows_ec2config_username_field']]
+#        ec2config_password = windows_vault[node['windows_ec2config_password_field']]
+#        login_dom = "."
+#
+#        if in_domain?
+#
+#          ad_vault = chef_vault_item(node['ad']['domain_admin_vault'], node['ad']['domain_admin_item'])
+#          login_dom = node['ad']['netbios_name']
+#
+#          windows_users node['ad']['computer_name'] do
+#            username ad_vault[node['ad']['domain_admin_username_field']]
+#            password ad_vault[node['ad']['domain_admin_password_field']]
+#            domain_name node['ad']['domain_name']
+#            netbios_name node['ad']['netbios_name']
+#            dc_ips node['ad']['dc_ips']
+#            ssh_user sshd_user
+#            ssh_password sshd_password
+#            ec2config_user ec2config_user
+#            ec2config_password ec2config_password
+#          end
+#
+#          aws_windows "ec2" do
+#            username ec2config_user
+#            service_username "#{node['ad']['netbios_name']}\\#{ec2config_user}"
+#            password ec2config_password
+#          end
+#
+#          scheduled_tasks "tasks" do
+#            username ad_vault[node['ad']['domain_admin_username_field']]
+#            password ad_vault[node['ad']['domain_admin_password_field']]
+#          end
+#
+#          sshd_service "sshd" do
+#            service_username "#{node['ad']['netbios_name']}\\#{sshd_user}"
+#            username sshd_user
+#            password sshd_password
+#          end
+#
+#          begin
+#            resources('service[sshd]')
+#          escue Chef::Exceptions::ResourceNotFound
+#            service "sshd" do
+#              action [:enable, :start]
+#              sensitive true
+#            end
+#          end
+#        else
+#          windows_users node['hostname'] do
+#            username node['windows_admin_username']
+#            password windows_vault[node['windows_auth_password_field']]
+#            ssh_user sshd_user
+#            ssh_password sshd_password
+#            ec2config_user ec2config_user
+#            ec2config_password ec2config_password
+#          end
+#
+#          aws_windows "ec2" do
+#            username ec2config_user
+#            service_username ".\\#{ec2config_user}"
+#            password ec2config_password
+#          end
+#
+#          scheduled_tasks "tasks" do
+#            username node['windows_admin_username']
+#            password windows_vault[node['windows_auth_password_field']]
+#          end
+#
+#          sshd_service "sshd" do
+#            username sshd_user
+#            service_username ".\\#{sshd_user}"
+#            password sshd_password
+#        end
+#        begin
+#          resources('service[sshd]')
+#        rescue Chef::Exceptions::ResourceNotFound
+#          service "Cygwin sshd as '#{sshd_user}'" do
+#						service_name "sshd"
+#            action [:enable, :start]
+#            sensitive true
+#          end
+#        end
 
-          sshd_service "sshd" do
-            username sshd_user
-            service_username ".\\#{sshd_user}"
-            password sshd_password
-        end
-        begin
-          resources('service[sshd]')
-        rescue Chef::Exceptions::ResourceNotFound
-          service "Cygwin sshd as '#{sshd_user}'" do
-						service_name "sshd"
-            action [:enable, :start]
-            sensitive true
-          end
-        end
-      end
     end
 
     else
       Chef::Log.info("mu-tools::windows-client: Unsupported platform #{node['platform']}")
   end
 end
-# Copyright:: Copyright (c) 2014 eGlobalTech, Inc., all rights reserved
-#
-# Cookbook Name:: mu-tools
-# Recipe:: windows-client