cloud-mu 3.6.10 → 3.6.11

data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb

@@ -1,72 +0,0 @@
-module FirewallCookbook
-  module Helpers
-    module FirewalldDBus
-      def firewalld(system_bus)
-        system_bus['org.fedoraproject.FirewallD1']
-      end
-
-      def firewalld_object(system_bus)
-        firewalld(system_bus)['/org/fedoraproject/FirewallD1']
-      end
-
-      def firewalld_interface(system_bus)
-        firewalld_object(system_bus)['org.fedoraproject.FirewallD1']
-      end
-
-      def config_object(system_bus)
-        firewalld(system_bus)['/org/fedoraproject/FirewallD1/config']
-      end
-
-      def config_interface(system_bus)
-        config_object(system_bus)['org.fedoraproject.FirewallD1.config']
-      end
-
-      def icmptype_interface(dbus, icmptype_path)
-        icmptype_object = firewalld(dbus)[icmptype_path]
-        icmptype_object['org.fedoraproject.FirewallD1.config.icmptype']
-      end
-
-      def ipset_interface(dbus, ipset_path)
-        ipset_object = firewalld(dbus)[ipset_path]
-        ipset_object['org.fedoraproject.FirewallD1.config.ipset']
-      end
-
-      def helper_interface(dbus, helper_path)
-        helper_object = firewalld(dbus)[helper_path]
-        helper_object['org.fedoraproject.FirewallD1.config.helper']
-      end
-
-      def service_interface(dbus, service_path)
-        service_object = firewalld(dbus)[service_path]
-        service_object['org.fedoraproject.FirewallD1.config.service']
-      end
-
-      def policy_interface(dbus, policy_path)
-        policy_object = firewalld(dbus)[policy_path]
-        policy_object['org.fedoraproject.FirewallD1.config.policy']
-      end
-
-      def zone_interface(dbus, zone_path)
-        zone_object = firewalld(dbus)[zone_path]
-        zone_object['org.fedoraproject.FirewallD1.config.zone']
-      end
-
-      # port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
-      def parse_forward_ports(forward_ports)
-        port_regex = %r{port=([\w-]+):proto=([\w]+)(:toport=([\w-]+)|)(:toaddr=([\d\./]+)|)}
-        captures = forward_ports.match(port_regex).captures
-        captures.delete_at(4)
-        captures.delete_at(2)
-        captures.map { |e| e || '' }
-      end
-
-      def forward_ports_to_dbus(new_resource)
-        fwp = new_resource.forward_ports.map do |e|
-          parse_forward_ports(e)
-        end
-        new_resource.forward_ports = fwp
-        DBus.variant('a(ssss)', new_resource.forward_ports)
-      end
-    end
-  end
-end

data/cookbooks/firewall/libraries/helpers_iptables.rb

@@ -1,112 +0,0 @@
-module FirewallCookbook
-  module Helpers
-    module Iptables
-      include FirewallCookbook::Helpers
-      include Chef::Mixin::ShellOut
-
-      CHAIN = { in: 'INPUT', out: 'OUTPUT', pre: 'PREROUTING', post: 'POSTROUTING' }.freeze unless defined? CHAIN # , nil => "FORWARD"}
-      TARGET = { allow: 'ACCEPT', reject: 'REJECT', deny: 'DROP', masquerade: 'MASQUERADE', redirect: 'REDIRECT', log: 'LOG --log-prefix "iptables: " --log-level 7' }.freeze unless defined? TARGET
-
-      def build_firewall_rule(current_node, rule_resource, ipv6 = false)
-        el5 = current_node['platform_family'] == 'rhel' && Gem::Dependency.new('', '~> 5.0').match?('', current_node['platform_version'])
-
-        return rule_resource.raw.strip if rule_resource.raw
-        firewall_rule = if rule_resource.direction
-                          "-A #{CHAIN[rule_resource.direction.to_sym]} "
-                        else
-                          '-A FORWARD '
-                        end
-
-        if [:pre, :post].include?(rule_resource.direction)
-          firewall_rule << '-t nat '
-        end
-
-        # Iptables order of prameters is important here see example output below:
-        # -A INPUT -s 1.2.3.4/32 -d 5.6.7.8/32 -i lo -p tcp -m tcp -m state --state NEW -m comment --comment "hello" -j DROP
-        firewall_rule << "-s #{ip_with_mask(rule_resource, rule_resource.source)} " if rule_resource.source && rule_resource.source != '0.0.0.0/0'
-        firewall_rule << "-d #{rule_resource.destination} " if rule_resource.destination
-
-        firewall_rule << "-i #{rule_resource.interface} " if rule_resource.interface
-        firewall_rule << "-o #{rule_resource.dest_interface} " if rule_resource.dest_interface
-
-        firewall_rule << "-p #{rule_resource.protocol} " if rule_resource.protocol && rule_resource.protocol.to_s.to_sym != :none
-        firewall_rule << '-m tcp ' if rule_resource.protocol && rule_resource.protocol.to_s.to_sym == :tcp
-
-        # using multiport here allows us to simplify our greps and rule building
-        firewall_rule << "-m multiport --sports #{port_to_s(rule_resource.source_port)} " if rule_resource.source_port
-        firewall_rule << "-m multiport --dports #{port_to_s(dport_calc(rule_resource))} " if dport_calc(rule_resource)
-
-        firewall_rule << "-m state --state #{rule_resource.stateful.is_a?(Array) ? rule_resource.stateful.join(',').upcase : rule_resource.stateful.upcase} " if rule_resource.stateful
-        # the comments extension is not available for ip6tables on rhel/centos 5
-        unless el5 && ipv6
-          firewall_rule << "-m comment --comment \"#{rule_resource.description}\" " if rule_resource.include_comment
-        end
-
-        firewall_rule << "-j #{TARGET[rule_resource.command.to_sym]} "
-        firewall_rule << "--to-ports #{rule_resource.redirect_port} " if rule_resource.command == :redirect
-        firewall_rule.strip!
-        firewall_rule
-      end
-
-      def iptables_packages(new_resource)
-        packages = if ipv6_enabled?(new_resource) && !amazon_linux? && node['platform_version'].to_i < 8
-                     %w(iptables iptables-ipv6)
-                   else
-                     %w(iptables)
-                   end
-
-        # centos 7 requires extra service
-        if (!debian?(node) && node['platform_version'].to_i >= 7) || amazon_linux?
-          packages << %w(iptables-services)
-        end
-
-        packages.flatten
-      end
-
-      def iptables_commands(new_resource)
-        if ipv6_enabled?(new_resource)
-          %w(iptables ip6tables)
-        else
-          %w(iptables)
-        end
-      end
-
-      def log_iptables(new_resource)
-        iptables_commands(new_resource).each do |cmd|
-          shell_out!("#{cmd} -L -n")
-        end
-      rescue
-        Chef::Log.info('log_iptables failed!')
-      end
-
-      def iptables_flush!(new_resource)
-        iptables_commands(new_resource).each do |cmd|
-          shell_out!("#{cmd} -F")
-        end
-      end
-
-      def iptables_default_allow!(new_resource)
-        iptables_commands(new_resource).each do |cmd|
-          shell_out!("#{cmd} -P INPUT ACCEPT")
-          shell_out!("#{cmd} -P OUTPUT ACCEPT")
-          shell_out!("#{cmd} -P FORWARD ACCEPT")
-        end
-      end
-
-      def default_ruleset(current_node)
-        current_node['firewall']['iptables']['defaults'][:ruleset].to_h
-      end
-
-      def ensure_default_rules_exist(current_node, new_resource)
-        input = new_resource.rules
-
-        # don't use iptables_commands here since we do populate the
-        # hash regardless of ipv6 status
-        %w(iptables ip6tables).each do |name|
-          input[name] = {} unless input[name]
-          input[name].merge!(default_ruleset(current_node).to_h)
-        end
-      end
-    end
-  end
-end

data/cookbooks/firewall/libraries/helpers_nftables.rb

@@ -1,170 +0,0 @@
-module FirewallCookbook
-  module Helpers
-    module Nftables
-      include FirewallCookbook::Helpers
-
-      CHAIN ||= {
-        in: 'INPUT',
-        out: 'OUTPUT',
-        pre: 'PREROUTING',
-        post: 'POSTROUTING',
-        forward: 'FORWARD',
-      }.freeze
-
-      TARGET ||= {
-        accept: 'accept',
-        allow: 'accept',
-        counter: 'counter',
-        deny: 'drop',
-        drop: 'drop',
-        log: 'log',
-        masquerade: 'masquerade',
-        redirect: 'redirect',
-        reject: 'reject',
-      }.freeze
-
-      def port_to_s(ports)
-        case ports
-        when String
-          ports
-        when Integer
-          ports.to_s
-        when Array
-          p_strings = ports.map { |o| port_to_s(o) }
-          "{#{p_strings.sort.join(',')}}"
-        when Range
-          "#{ports.first}-#{ports.last}"
-        else
-          raise "unknown class of port definition: #{ports.class}"
-        end
-      end
-
-      def nftables_command_log(rule_resource)
-        log_prefix = 'prefix '
-        log_prefix << if rule_resource.log_prefix.nil?
-                        "\"#{CHAIN[rule_resource.direction]}:\""
-                      else
-                        "\"#{rule_resource.log_prefix}\""
-                      end
-        log_group = if rule_resource.log_group.nil?
-                      nil
-                    else
-                      "group #{rule_resource.log_group} "
-                    end
-        "log #{log_prefix} #{log_group}"
-      end
-
-      def nftables_command_redirect(rule_resource)
-        if rule_resource.redirect_port.nil?
-          raise 'Specify redirect_port when using :redirect as commmand'
-        end
-
-        "redirect to #{rule_resource.redirect_port} "
-      end
-
-      def nftables_commands(rule_resource)
-        firewall_rule = ''
-        Array(rule_resource.command).each do |command|
-          begin
-            target = TARGET.fetch(command)
-          rescue KeyError
-            raise "Invalid command: #{command.inspect}. Use one of #{TARGET.keys}"
-          end
-          firewall_rule << case target
-                           when 'log'
-                             nftables_command_log(rule_resource)
-                           when 'redirect'
-                             nftables_command_redirect(rule_resource)
-                           else
-                             "#{TARGET[command.to_sym]} "
-                           end
-        end
-        firewall_rule
-      end
-
-      def build_firewall_rule(rule_resource)
-        return rule_resource.raw.strip if rule_resource.raw
-
-        ip = ipv6_rule?(rule_resource) ? 'ip6' : 'ip'
-        table = if [:pre, :post].include?(rule_resource.direction)
-                  'nat'
-                else
-                  'filter'
-                end
-        firewall_rule = if table == 'nat'
-                          "add rule #{ip} #{table} "
-                        else
-                          "add rule inet #{table} "
-                        end
-        firewall_rule << "#{CHAIN.fetch(rule_resource.direction.to_sym, 'FORWARD')} "
-
-        firewall_rule << "iif #{rule_resource.interface} " if rule_resource.interface
-        firewall_rule << "oif #{rule_resource.outerface} " if rule_resource.outerface
-
-        if rule_resource.source
-          source_with_mask = ip_with_mask(rule_resource, rule_resource.source)
-          if source_with_mask != '0.0.0.0/0' && source_with_mask != '::/128'
-            firewall_rule << "#{ip} saddr #{source_with_mask} "
-          end
-        end
-        firewall_rule << "#{ip} daddr #{rule_resource.destination} " if rule_resource.destination
-
-        case rule_resource.protocol
-        when :icmp
-          firewall_rule << 'icmp type echo-request '
-        when :'ipv6-icmp', :icmpv6
-          firewall_rule << 'icmpv6 type { echo-request, nd-router-solicit, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } '
-        when :tcp, :udp
-          firewall_rule << "#{rule_resource.protocol} sport #{port_to_s(rule_resource.sport)} " if rule_resource.sport
-          firewall_rule << "#{rule_resource.protocol} dport #{port_to_s(rule_resource.dport)} " if rule_resource.dport
-        when :esp, :ah
-          firewall_rule << "#{ip} #{ip == 'ip6' ? 'nexthdr' : 'protocol'} #{rule_resource.protocol} "
-        when :ipv6, :none
-          # nothing to do
-        end
-
-        firewall_rule << "ct state #{Array(rule_resource.stateful).join(',').downcase} " if rule_resource.stateful
-        firewall_rule << nftables_commands(rule_resource)
-        firewall_rule << "comment \"#{rule_resource.description}\" " if rule_resource.include_comment
-        firewall_rule.strip!
-        firewall_rule
-      end
-
-      def default_ruleset(new_resource)
-        rules = {
-          'add table inet filter' => 1,
-          "add chain inet filter INPUT { type filter hook input priority 0 ; policy #{new_resource.input_policy}; }" => 2,
-          "add chain inet filter OUTPUT { type filter hook output priority 0 ; policy #{new_resource.output_policy}; }" => 2,
-          "add chain inet filter FORWARD { type filter hook forward priority 0 ; policy #{new_resource.forward_policy}; }" => 2,
-        }
-        if new_resource.table_ip_nat
-          rules['add table ip nat'] = 1
-          rules['add chain ip nat POSTROUTING { type nat hook postrouting priority 100 ;}'] = 2
-          rules['add chain ip nat PREROUTING { type nat hook prerouting priority -100 ;}'] = 2
-        end
-        if new_resource.table_ip6_nat
-          rules['add table ip6 nat'] = 1
-          rules['add chain ip6 nat POSTROUTING { type nat hook postrouting priority 100 ;}'] = 2
-          rules['add chain ip6 nat PREROUTING { type nat hook prerouting priority -100 ;}'] = 2
-        end
-        rules
-      end
-
-      def ensure_default_rules_exist(new_resource)
-        input = new_resource.rules || {}
-        input.merge!(default_ruleset(new_resource))
-      end
-
-      def default_nftables_conf_path
-        case node['platform_family']
-        when 'rhel'
-          '/etc/sysconfig/nftables.conf'
-        when 'debian'
-          '/etc/nftables.conf'
-        else
-          raise "default_nftables_conf_path: Unsupported platform_family #{node['platform_family']}."
-        end
-      end
-    end
-  end
-end

data/cookbooks/firewall/libraries/helpers_ufw.rb

@@ -1,142 +0,0 @@
-module FirewallCookbook
-  module Helpers
-    module Ufw
-      include FirewallCookbook::Helpers
-      include Chef::Mixin::ShellOut
-
-      def ufw_rules_filename
-        '/etc/default/ufw-chef.rules'
-      end
-
-      def ufw_active?
-        cmd = shell_out!('ufw', 'status')
-        cmd.stdout =~ /^Status:\sactive/
-      end
-
-      def ufw_disable!
-        shell_out!('ufw', 'disable', input: 'yes')
-      end
-
-      def ufw_enable!
-        shell_out!('ufw', 'enable', input: 'yes')
-      end
-
-      def ufw_reset!
-        shell_out!('ufw', 'reset', input: 'yes')
-      end
-
-      def ufw_logging!(param)
-        shell_out!('ufw', 'logging', param.to_s)
-      end
-
-      def ufw_rule!(cmd)
-        shell_out!(cmd, input: 'yes')
-      end
-
-      def build_rule(new_resource)
-        Chef::Log.info("#{new_resource.name} apply_rule #{new_resource.command}")
-
-        # if we don't do this, we may see some bugs where traffic is opened on all ports to all hosts when only RELATED,ESTABLISHED was intended
-        if new_resource.stateful
-          msg = ''
-          msg << "firewall_rule[#{new_resource.name}] was asked to "
-          msg << "#{new_resource.command} a stateful rule using #{new_resource.stateful} "
-          msg << 'but ufw does not support this kind of rule. Consider guarding by platform_family.'
-          raise msg
-        end
-
-        # if we don't do this, ufw will fail as it does not support protocol numbers, so we'll only allow it to run if specifying icmp/tcp/udp protocol types
-        if new_resource.protocol && !new_resource.protocol.to_s.downcase.match('^(tcp|udp|esp|ah|ipv6|none)$')
-          msg = ''
-          msg << "firewall_rule[#{new_resource.name}] was asked to "
-          msg << "#{new_resource.command} a rule using protocol #{new_resource.protocol} "
-          msg << 'but ufw does not support this kind of rule. Consider guarding by platform_family.'
-          raise msg
-        end
-
-        # some examples:
-        # ufw allow from 192.168.0.4 to any port 22
-        # ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25
-        # ufw insert 1 allow proto tcp from 0.0.0.0/0 to 192.168.0.1 port 25
-
-        if new_resource.raw
-          "ufw #{new_resource.raw.strip}"
-        else
-          "ufw #{rule(new_resource)}"
-        end
-      end
-
-      def rule(new_resource)
-        rule = ''
-        rule << "#{new_resource.command} "
-        rule << rule_interface(new_resource)
-        rule << rule_logging(new_resource)
-        rule << rule_proto(new_resource)
-        rule << rule_dest_port(new_resource)
-        rule << rule_source_port(new_resource)
-        rule << rule_description(new_resource)
-        rule = rule.strip
-
-        if rule == 'ufw allow in proto tcp to any from any'
-          Chef::Log.warn("firewall_rule[#{new_resource.name}] produced a rule that opens all traffic. This may be a logic error in your cookbook.")
-        end
-
-        rule
-      end
-
-      def rule_interface(new_resource)
-        rule = ''
-        rule << "#{new_resource.direction} " if new_resource.direction
-        rule << "on #{new_resource.interface} " if new_resource.interface && new_resource.direction
-        rule << "in on #{new_resource.interface} " if new_resource.interface && !new_resource.direction
-        rule
-      end
-
-      def rule_proto(new_resource)
-        rule = ''
-        rule << "proto #{new_resource.protocol} " if new_resource.protocol && new_resource.protocol.to_s.to_sym != :none
-        rule
-      end
-
-      def rule_description(new_resource)
-        rule = ''
-        rule << "comment \"#{new_resource.description}\" " if new_resource.description && new_resource.include_comment
-        rule
-      end
-
-      def rule_dest_port(new_resource)
-        rule = if new_resource.destination
-                 "to #{new_resource.destination} "
-               else
-                 'to any '
-               end
-        rule << "port #{port_to_s(dport_calc(new_resource))} " if dport_calc(new_resource)
-        rule
-      end
-
-      def rule_source_port(new_resource)
-        rule = if new_resource.source
-                 "from #{new_resource.source} "
-               else
-                 'from any '
-               end
-
-        if new_resource.source_port
-          rule << "port #{port_to_s(new_resource.source_port)} "
-        end
-        rule
-      end
-
-      def rule_logging(new_resource)
-        case new_resource.logging && new_resource.logging.to_sym
-        when :connections
-          'log '
-        when :packets
-          'log-all '
-        else
-          ''
-        end
-      end
-    end
-  end
-end

data/cookbooks/firewall/libraries/helpers_windows.rb

@@ -1,129 +0,0 @@
-module FirewallCookbook
-  module Helpers
-    module Windows
-      include FirewallCookbook::Helpers
-      include Chef::Mixin::ShellOut
-
-      def fixup_cidr(str)
-        newstr = str.clone
-        newstr.gsub!('0.0.0.0/0', 'any') if newstr.include?('0.0.0.0/0')
-        newstr.gsub!('/0', '') if newstr.include?('/0')
-        newstr
-      end
-
-      def windows_rules_filename
-        "#{ENV['HOME']}/windows-chef.rules"
-      end
-
-      def active?
-        @active ||= begin
-          cmd = shell_out!('netsh advfirewall show currentprofile')
-          cmd.stdout =~ /^State\sON/
-        end
-      end
-
-      def enable!
-        shell_out!('netsh advfirewall set currentprofile state on')
-      end
-
-      def disable!
-        shell_out!('netsh advfirewall set currentprofile state off')
-      end
-
-      def reset!
-        shell_out!('netsh advfirewall reset')
-      end
-
-      def add_rule!(params)
-        shell_out!("netsh advfirewall #{params}")
-      end
-
-      def delete_all_rules!
-        shell_out!('netsh advfirewall firewall delete rule name=all')
-      end
-
-      def to_type(new_resource)
-        cmd = new_resource.command
-        if cmd == :reject || cmd == :deny
-          :block
-        else
-          :allow
-        end
-      end
-
-      def build_rule(new_resource)
-        type = to_type(new_resource)
-        parameters = {}
-
-        parameters['description'] = "\"#{new_resource.description}\""
-        parameters['dir'] = new_resource.direction
-
-        new_resource.program && parameters['program'] = new_resource.program
-        new_resource.service && parameters['service'] = new_resource.service
-        parameters['protocol'] = new_resource.protocol
-
-        if new_resource.direction.to_sym == :out
-          parameters['localip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any'
-          parameters['localport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any'
-          parameters['interfacetype'] = new_resource.interface || 'any'
-          parameters['remoteip'] = new_resource.destination ? fixup_cidr(new_resource.destination) : 'any'
-          parameters['remoteport'] = new_resource.dest_port ? port_to_s(new_resource.dest_port) : 'any'
-        else
-          parameters['localip'] = new_resource.destination || 'any'
-          parameters['localport'] = dport_calc(new_resource) ? port_to_s(dport_calc(new_resource)) : 'any'
-          parameters['interfacetype'] = new_resource.dest_interface || 'any'
-          parameters['remoteip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any'
-          parameters['remoteport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any'
-        end
-
-        parameters['action'] = type.to_s
-
-        partial_command = parameters.map { |k, v| "#{k}=#{v}" }.join(' ')
-        "firewall add rule name=\"#{new_resource.name}\" #{partial_command}"
-      end
-
-      def rule_exists?(name)
-        @exists ||= begin
-          cmd = shell_out!("netsh advfirewall firewall show rule name=\"#{name}\"", returns: [0, 1])
-          cmd.stdout !~ /^No rules match the specified criteria/
-        end
-      end
-
-      def show_all_rules!
-        cmd = shell_out!('netsh advfirewall firewall show rule name=all')
-        cmd.stdout.each_line do |line|
-          Chef::Log.warn(line)
-        end
-      end
-
-      def rule_up_to_date?(name, type)
-        @up_to_date ||= begin
-          desired_parameters = rule_parameters(type)
-          current_parameters = {}
-
-          cmd = shell_out!("netsh advfirewall firewall show rule name=\"#{name}\" verbose")
-          cmd.stdout.each_line do |line|
-            current_parameters['description'] = "\"#{Regexp.last_match(1).chomp}\"" if line =~ /^Description:\s+(.*)$/
-            current_parameters['dir'] = Regexp.last_match(1).chomp if line =~ /^Direction:\s+(.*)$/
-            current_parameters['program'] = Regexp.last_match(1).chomp if line =~ /^Program:\s+(.*)$/
-            current_parameters['service'] = Regexp.last_match(1).chomp if line =~ /^Service:\s+(.*)$/
-            current_parameters['protocol'] = Regexp.last_match(1).chomp if line =~ /^Protocol:\s+(.*)$/
-            current_parameters['localip'] = Regexp.last_match(1).chomp if line =~ /^LocalIP:\s+(.*)$/
-            current_parameters['localport'] = Regexp.last_match(1).chomp if line =~ /^LocalPort:\s+(.*)$/
-            current_parameters['interfacetype'] = Regexp.last_match(1).chomp if line =~ /^InterfaceTypes:\s+(.*)$/
-            current_parameters['remoteip'] = Regexp.last_match(1).chomp if line =~ /^RemoteIP:\s+(.*)$/
-            current_parameters['remoteport'] = Regexp.last_match(1).chomp if line =~ /^RemotePort:\s+(.*)$/
-            current_parameters['action'] = Regexp.last_match(1).chomp if line =~ /^Action:\s+(.*)$/
-          end
-
-          up_to_date = true
-          desired_parameters.each do |k, v|
-            up_to_date = false if current_parameters[k] !~ /^["]?#{v}["]?$/i
-          end
-
-          up_to_date
-        end
-      end
-    end
-  end
-end