cloud-mu 3.6.10 → 3.6.12

data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb

@@ -1,200 +0,0 @@
-#
-# Author:: Seth Chisamore (<schisamo@opscode.com>)
-# Cookbook:: firewall
-# Resource:: default
-#
-# Copyright:: 2011-2019, Chef Software, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-class Chef
-  class Provider::FirewallIptablesUbuntu1404 < Chef::Provider::LWRPBase
-    include FirewallCookbook::Helpers
-    include FirewallCookbook::Helpers::Iptables
-
-    provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
-      node['firewall'] && node['firewall']['ubuntu_iptables'] &&
-        node['platform_version'].to_f <= (node['platform'] == 'ubuntu' ? 14.04 : 7)
-    end
-
-    def whyrun_supported?
-      false
-    end
-
-    action :install do
-      return if disabled?(new_resource)
-
-      # Ensure the package is installed
-      pkg = package 'iptables-persistent' do
-        action :nothing
-      end
-      pkg.run_action(:install)
-      new_resource.updated_by_last_action(true) if pkg.updated_by_last_action?
-
-      rule_files = %w(rules.v4)
-      rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
-      rule_files.each do |svc|
-        next if ::File.exist?("/etc/iptables/#{svc}")
-
-        # must create empty file for service to start
-        f = lookup_or_create_rulesfile(svc)
-        f.content '# created by chef to allow service to start'
-        f.run_action(:create)
-
-        new_resource.updated_by_last_action(true) if f.updated_by_last_action?
-      end
-
-      iptables_service = lookup_or_create_service('iptables-persistent')
-      [:enable, :start].each do |act|
-        # iptables-persistent isn't a real service
-        iptables_service.status_command 'true'
-
-        iptables_service.run_action(act)
-        new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
-      end
-    end
-
-    action :restart do
-      return if disabled?(new_resource)
-
-      # prints all the firewall rules
-      log_iptables(new_resource)
-
-      # ensure it's initialized
-      new_resource.rules({}) unless new_resource.rules
-      ensure_default_rules_exist(node, new_resource)
-
-      # this populates the hash of rules from firewall_rule resources
-      firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
-      firewall_rules.each do |firewall_rule|
-        next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
-
-        types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
-                  %w(ip6tables)
-                elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
-                  %w(iptables)
-                else # or not specific
-                  %w(iptables ip6tables)
-                end
-
-        types.each do |iptables_type|
-          # build rules to apply with weight
-          k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
-          v = firewall_rule.position
-
-          # unless we're adding them for the first time.... bail out.
-          next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
-          new_resource.rules[iptables_type][k] = v
-        end
-      end
-
-      restart_service = false
-
-      rule_files = %w(iptables)
-      rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
-
-      rule_files.each do |iptables_type|
-        iptables_filename = if iptables_type == 'ip6tables'
-                              '/etc/iptables/rules.v6'
-                            else
-                              '/etc/iptables/rules.v4'
-                            end
-
-        # ensure a file resource exists with the current iptables rules
-        begin
-          iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename)
-        rescue
-          iptables_file = file iptables_filename do
-            action :nothing
-          end
-        end
-        iptables_file.content build_rule_file(new_resource.rules[iptables_type])
-        iptables_file.run_action(:create)
-
-        # if the file was changed, restart iptables
-        restart_service = true if iptables_file.updated_by_last_action?
-      end
-
-      if restart_service
-        service_affected = service 'iptables-persistent' do
-          action :nothing
-        end
-        service_affected.run_action(:restart)
-        new_resource.updated_by_last_action(true)
-      end
-    end
-
-    action :disable do
-      return if disabled?(new_resource)
-
-      iptables_flush!(new_resource)
-      iptables_default_allow!(new_resource)
-      new_resource.updated_by_last_action(true)
-
-      iptables_service = lookup_or_create_service('iptables-persistent')
-      [:disable, :stop].each do |act|
-        iptables_service.run_action(act)
-        new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
-      end
-
-      %w(rules.v4 rules.v6).each do |svc|
-        # must create empty file for service to start
-        f = lookup_or_create_rulesfile(svc)
-        f.content '# created by chef to allow service to start'
-        f.run_action(:create)
-
-        new_resource.updated_by_last_action(true) if f.updated_by_last_action?
-      end
-    end
-
-    action :flush do
-      return if disabled?(new_resource)
-
-      iptables_flush!(new_resource)
-      new_resource.updated_by_last_action(true)
-
-      rule_files = %w(rules.v4)
-      rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
-      rule_files.each do |svc|
-        # must create empty file for service to start
-        f = lookup_or_create_rulesfile(svc)
-        f.content '# created by chef to allow service to start'
-        f.run_action(:create)
-
-        new_resource.updated_by_last_action(true) if f.updated_by_last_action?
-      end
-    end
-
-    def lookup_or_create_service(name)
-      begin
-        iptables_service = Chef.run_context.resource_collection.find(service: svc)
-      rescue
-        iptables_service = service name do
-          action :nothing
-        end
-      end
-      iptables_service
-    end
-
-    def lookup_or_create_rulesfile(name)
-      begin
-        iptables_file = Chef.run_context.resource_collection.find(file: name)
-      rescue
-        iptables_file = file "/etc/iptables/#{name}" do
-          action :nothing
-        end
-      end
-      iptables_file
-    end
-  end
-end

data/cookbooks/firewall/libraries/provider_firewall_rule.rb

@@ -1,34 +0,0 @@
-#
-# Author:: Ronald Doorn (<rdoorn@schubergphilis.com>)
-# Cookbook:: firewall
-# Provider:: rule_iptables
-#
-# Copyright:: 2015-2016, computerlyrik
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-class Chef
-  class Provider::FirewallRuleGeneric < Chef::Provider::LWRPBase
-    provides :firewall_rule
-
-    action :create do
-      return unless new_resource.notify_firewall
-
-      firewall_resource = Chef.run_context.resource_collection.find(firewall: new_resource.firewall_name)
-      raise 'could not find a firewall resource' unless firewall_resource
-
-      new_resource.notifies(:restart, firewall_resource, :delayed)
-      new_resource.updated_by_last_action(true)
-    end
-  end
-end

data/cookbooks/firewall/libraries/provider_firewall_ufw.rb

@@ -1,138 +0,0 @@
-#
-# Author:: Seth Chisamore (<schisamo@opscode.com>)
-# Cookbook:: firewall
-# Resource:: default
-#
-# Copyright:: 2011-2019, Chef Software, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-class Chef
-  class Provider::FirewallUfw < Chef::Provider::LWRPBase
-    include FirewallCookbook::Helpers::Ufw
-
-    provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
-      !(node['firewall'] && node['firewall']['ubuntu_iptables'])
-    end
-
-    def whyrun_supported?
-      false
-    end
-
-    action :install do
-      return if disabled?(new_resource)
-
-      pkg_ufw = package 'ufw' do
-        action :nothing
-      end
-      pkg_ufw.run_action(:install)
-      new_resource.updated_by_last_action(true) if pkg_ufw.updated_by_last_action?
-
-      defaults_ufw = template '/etc/default/ufw' do
-        action :nothing
-        owner 'root'
-        group 'root'
-        mode '0644'
-        source 'ufw/default.erb'
-        cookbook 'firewall'
-      end
-      defaults_ufw.run_action(:create)
-      new_resource.updated_by_last_action(true) if defaults_ufw.updated_by_last_action?
-
-      return if ::File.exist?(ufw_rules_filename)
-
-      ufw_file = lookup_or_create_rulesfile
-      ufw_file.content '# created by chef to allow service to start'
-      ufw_file.run_action(:create)
-
-      new_resource.updated_by_last_action(true) if ufw_file.updated_by_last_action?
-    end
-
-    action :restart do
-      return if disabled?(new_resource)
-
-      # ensure it's initialized
-      new_resource.rules({}) unless new_resource.rules
-      new_resource.rules['ufw'] = {} unless new_resource.rules['ufw']
-
-      # this populates the hash of rules from firewall_rule resources
-      firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
-      firewall_rules.each do |firewall_rule|
-        next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
-
-        # build rules to apply with weight
-        k = build_rule(firewall_rule)
-        v = firewall_rule.position
-
-        # unless we're adding them for the first time.... bail out.
-        unless new_resource.rules['ufw'].key?(k) && new_resource.rules['ufw'][k] == v
-          new_resource.rules['ufw'][k] = v
-        end
-      end
-
-      # ensure a file resource exists with the current ufw rules
-      ufw_file = lookup_or_create_rulesfile
-      ufw_file.content build_rule_file(new_resource.rules['ufw'])
-      ufw_file.run_action(:create)
-
-      # if the file was changed, restart iptables
-      return unless ufw_file.updated_by_last_action?
-      ufw_reset!
-      ufw_logging!(new_resource.log_level) if new_resource.log_level
-
-      new_resource.rules['ufw'].sort_by { |_k, v| v }.map { |k, _v| k }.each do |cmd|
-        ufw_rule!(cmd)
-      end
-
-      # ensure it's enabled _after_ rules are inputted, to catch malformed rules
-      ufw_enable! unless ufw_active?
-      new_resource.updated_by_last_action(true)
-    end
-
-    action :disable do
-      return if disabled?(new_resource)
-
-      ufw_file = lookup_or_create_rulesfile
-      ufw_file.content '# created by chef to allow service to start'
-      ufw_file.run_action(:create)
-      new_resource.updated_by_last_action(true) if ufw_file.updated_by_last_action?
-
-      return unless ufw_active?
-      ufw_disable!
-      new_resource.updated_by_last_action(true)
-    end
-
-    action :flush do
-      return if disabled?(new_resource)
-
-      ufw_reset!
-      new_resource.updated_by_last_action(true)
-
-      ufw_file = lookup_or_create_rulesfile
-      ufw_file.content '# created by chef to allow service to start'
-      ufw_file.run_action(:create)
-      new_resource.updated_by_last_action(true) if ufw_file.updated_by_last_action?
-    end
-
-    def lookup_or_create_rulesfile
-      begin
-        ufw_file = Chef.run_context.resource_collection.find(file: ufw_rules_filename)
-      rescue
-        ufw_file = file ufw_rules_filename do
-          action :nothing
-        end
-      end
-      ufw_file
-    end
-  end
-end

data/cookbooks/firewall/libraries/provider_firewall_windows.rb

@@ -1,126 +0,0 @@
-#
-# Author:: Sander van Harmelen (<svanharmelen@schubergphilis.com>)
-# Cookbook:: firewall
-# Provider:: windows
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-class Chef
-  class Provider::FirewallWindows < Chef::Provider::LWRPBase
-    include FirewallCookbook::Helpers::Windows
-
-    provides :firewall, os: 'windows'
-
-    def whyrun_supported?
-      false
-    end
-
-    action :install do
-      return if disabled?(new_resource)
-
-      svc = service 'MpsSvc' do
-        action :nothing
-      end
-
-      [:enable, :start].each do |act|
-        svc.run_action(act)
-        new_resource.updated_by_last_action(true) if svc.updated_by_last_action?
-      end
-    end
-
-    action :restart do
-      return if disabled?(new_resource)
-
-      # ensure it's initialized
-      new_resource.rules({}) unless new_resource.rules
-      new_resource.rules['windows'] = {} unless new_resource.rules['windows']
-
-      firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
-      firewall_rules.each do |firewall_rule|
-        next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
-
-        # build rules to apply with weight
-        k = build_rule(firewall_rule)
-        v = firewall_rule.position
-
-        # unless we're adding them for the first time.... bail out.
-        unless new_resource.rules['windows'].key?(k) && new_resource.rules['windows'][k] == v
-          new_resource.rules['windows'][k] = v
-        end
-      end
-
-      input_policy = node['firewall']['windows']['defaults']['policy']['input']
-      output_policy = node['firewall']['windows']['defaults']['policy']['output']
-      unless new_resource.rules['windows'].key?("set currentprofile firewallpolicy #{input_policy},#{output_policy}")
-        # Make this the possible last rule in the list
-        new_resource.rules['windows']["set currentprofile firewallpolicy #{input_policy},#{output_policy}"] = 99999
-      end
-
-      # ensure a file resource exists with the current rules
-      begin
-        windows_file = Chef.run_context.resource_collection.find(file: windows_rules_filename)
-      rescue
-        windows_file = file windows_rules_filename do
-          action :nothing
-        end
-      end
-      windows_file.content build_rule_file(new_resource.rules['windows'])
-      windows_file.run_action(:create)
-
-      # if the file was changed, restart iptables
-      return unless windows_file.updated_by_last_action?
-
-      disable! if active?
-      delete_all_rules! # clear entirely
-      reset! # populate default rules
-
-      new_resource.rules['windows'].sort_by { |_k, v| v }.map { |k, _v| k }.each do |cmd|
-        add_rule!(cmd)
-      end
-      # ensure it's enabled _after_ rules are inputted, to catch malformed rules
-      enable! unless active?
-
-      new_resource.updated_by_last_action(true)
-    end
-
-    action :disable do
-      return if disabled?(new_resource)
-
-      if active?
-        disable!
-        Chef::Log.info("#{new_resource} disabled.")
-        new_resource.updated_by_last_action(true)
-      else
-        Chef::Log.debug("#{new_resource} already disabled.")
-      end
-
-      svc = service 'MpsSvc' do
-        action :nothing
-      end
-
-      [:disable, :stop].each do |act|
-        svc.run_action(act)
-        new_resource.updated_by_last_action(true) if svc.updated_by_last_action?
-      end
-    end
-
-    action :flush do
-      return if disabled?(new_resource)
-
-      reset!
-      Chef::Log.info("#{new_resource} reset.")
-      new_resource.updated_by_last_action(true)
-    end
-  end
-end

data/cookbooks/firewall/libraries/resource_firewall.rb

@@ -1,26 +0,0 @@
-class Chef
-  class Resource::Firewall < Chef::Resource::LWRPBase
-    resource_name(:firewall)
-    provides(:firewall)
-    actions(:install, :restart, :disable, :flush, :save)
-    default_action(:install)
-
-    # allow both kinds of logic -- eventually remove the :disabled one.
-    # the positive logic is much easier to follow.
-    attribute(:disabled, kind_of: [TrueClass, FalseClass], default: false)
-    attribute(:enabled, kind_of: [TrueClass, FalseClass], default: true)
-
-    attribute(:log_level, kind_of: Symbol, equal_to: [:low, :medium, :high, :full, :off], default: :low)
-    attribute(:rules, kind_of: Hash)
-
-    # for firewalld, specify the zone when firewall is disable and enabled
-    attribute(:disabled_zone, kind_of: Symbol, default: :public)
-    attribute(:enabled_zone, kind_of: Symbol, default: :drop)
-
-    # for firewall implementations where ipv6 can be skipped (currently iptables-specific)
-    attribute(:ipv6_enabled, kind_of: [TrueClass, FalseClass], default: true)
-
-    # allow override of package options for firewalld package
-    attribute(:package_options, kind_of: String, default: nil)
-  end
-end

data/cookbooks/firewall/libraries/resource_firewall_rule.rb

@@ -1,52 +0,0 @@
-require 'ipaddr'
-
-class Chef
-  class Resource::FirewallRule < Chef::Resource::LWRPBase
-    include FirewallCookbook::Helpers
-
-    resource_name(:firewall_rule)
-    provides(:firewall_rule)
-    default_action(:create)
-
-    attribute(:firewall_name, kind_of: String, default: 'default')
-
-    attribute(:command, kind_of: Symbol, equal_to: [:reject, :allow, :deny, :masquerade, :redirect, :log], default: :allow)
-
-    attribute(:protocol, kind_of: [Integer, Symbol], default: :tcp,
-                         callbacks: { 'must be either :tcp, :udp, :icmp, :\'ipv6-icmp\', :icmpv6, :none, or a valid IP protocol number' => lambda do |p|
-                           !!(p.to_s =~ /(udp|tcp|icmp|icmpv6|ipv6-icmp|esp|ah|ipv6|none)/ || (p.to_s =~ /^\d+$/ && p.between?(0, 142)))
-                         end })
-    attribute(:direction, kind_of: Symbol, equal_to: [:in, :out, :pre, :post], default: :in)
-    attribute(:logging, kind_of: Symbol, equal_to: [:connections, :packets])
-
-    attribute(:source, kind_of: String, callbacks: { 'must be a valid ip address' => ->(ip) { !!IPAddr.new(ip) } })
-    attribute(:source_port, kind_of: [Integer, Array, Range]) # source port
-    attribute(:interface, kind_of: String)
-
-    attribute(:port, kind_of: [Integer, Array, Range]) # shorthand for dest_port
-    attribute(:destination, kind_of: String, callbacks: { 'must be a valid ip address' => ->(ip) { !!IPAddr.new(ip) } })
-    attribute(:dest_port, kind_of: [Integer, Array, Range])
-    attribute(:dest_interface, kind_of: String)
-
-    attribute(:position, kind_of: Integer, default: 50)
-    attribute(:stateful, kind_of: [Symbol, Array])
-    attribute(:redirect_port, kind_of: Integer)
-    attribute(:description, kind_of: String, name_attribute: true)
-    attribute(:include_comment, kind_of: [TrueClass, FalseClass], default: true)
-
-    # only used for firewalld
-    attribute(:permanent, kind_of: [TrueClass, FalseClass], default: false)
-    attribute(:zone, kind_of: String, default: 'drop')
-
-    # only used for Windows Firewalls
-    attribute(:program, kind_of: String)
-    attribute(:service, kind_of: String)
-
-    # for when you just want to pass a raw rule
-    attribute(:raw, kind_of: String)
-
-    # do you want this rule to notify the firewall to recalculate
-    # (and potentially reapply) the firewall_rule(s) it finds?
-    attribute(:notify_firewall, kind_of: [TrueClass, FalseClass], default: true)
-  end
-end

data/cookbooks/firewall/metadata.json

@@ -1,40 +0,0 @@
-{
-  "name": "firewall",
-  "description": "Provides a set of primitives for managing firewalls and associated rules.",
-  "long_description": "",
-  "maintainer": "Sous Chefs",
-  "maintainer_email": "help@sous-chefs.org",
-  "license": "Apache-2.0",
-  "platforms": {
-    "amazon": ">= 0.0.0",
-    "centos": ">= 0.0.0",
-    "debian": ">= 0.0.0",
-    "ubuntu": ">= 0.0.0",
-    "windows": ">= 0.0.0"
-  },
-  "dependencies": {
-
-  },
-  "providing": {
-
-  },
-  "recipes": {
-
-  },
-  "version": "6.3.7",
-  "source_url": "https://github.com/sous-chefs/firewall",
-  "issues_url": "https://github.com/sous-chefs/firewall/issues",
-  "privacy": false,
-  "chef_versions": [
-    [
-      ">= 15.5"
-    ]
-  ],
-  "ohai_versions": [
-
-  ],
-  "gems": [
-
-  ],
-  "eager_load_libraries": true
-}

data/cookbooks/firewall/metadata.rb

@@ -1,15 +0,0 @@
-name              'firewall'
-maintainer        'Sous Chefs'
-maintainer_email  'help@sous-chefs.org'
-license           'Apache-2.0'
-description       'Provides a set of primitives for managing firewalls and associated rules.'
-version           '6.3.7'
-source_url        'https://github.com/sous-chefs/firewall'
-issues_url        'https://github.com/sous-chefs/firewall/issues'
-chef_version      '>= 15.5'
-
-supports 'amazon'
-supports 'centos'
-supports 'debian'
-supports 'ubuntu'
-supports 'windows'