cloud-mu 3.6.10 → 3.6.12

data/cookbooks/firewall/recipes/default.rb

@@ -1,76 +0,0 @@
-#
-# Cookbook:: firewall
-# Recipe:: default
-#
-# Copyright:: 2011-2019, Chef Software, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-firewall 'default' do
-  ipv6_enabled node['firewall']['ipv6_enabled']
-  action :install
-end
-
-# create a variable to use as a condition on some rules that follow
-iptables_firewall = rhel? || amazon_linux? || node['firewall']['ubuntu_iptables']
-
-firewall_rule 'allow loopback' do
-  interface 'lo'
-  protocol :none
-  command :allow
-  only_if { linux? && node['firewall']['allow_loopback'] }
-end
-
-firewall_rule 'allow icmp' do
-  protocol :icmp
-  command :allow
-  # debian ufw doesn't allow 'icmp' protocol, but does open
-  # icmp by default, so we skip it in default recipe
-  only_if { iptables_firewall && node['firewall']['allow_icmp'] }
-end
-
-firewall_rule 'allow world to ssh' do
-  port 22
-  source '0.0.0.0/0'
-  only_if { linux? && node['firewall']['allow_ssh'] }
-end
-
-firewall_rule 'allow world to winrm' do
-  port 5989
-  source '0.0.0.0/0'
-  only_if { windows? && node['firewall']['allow_winrm'] }
-end
-
-firewall_rule 'allow world to mosh' do
-  protocol :udp
-  port 60000..61000
-  source '0.0.0.0/0'
-  only_if { linux? && node['firewall']['allow_mosh'] }
-end
-
-# allow established connections, ufw defaults to this but iptables does not
-firewall_rule 'established' do
-  stateful [:related, :established]
-  protocol :none # explicitly don't specify protocol
-  command :allow
-  only_if { node['firewall']['allow_established'] && iptables_firewall }
-end
-
-# ipv6 needs ICMP to reliably work, so ensure it's enabled if ipv6
-# allow established connections, ufw defaults to this but iptables does not
-firewall_rule 'ipv6_icmp' do
-  protocol :'ipv6-icmp'
-  command :allow
-  only_if { node['firewall']['ipv6_enabled'] && node['firewall']['allow_established'] && iptables_firewall }
-end

data/cookbooks/firewall/recipes/firewalld.rb

@@ -1,87 +0,0 @@
-#
-# Cookbook:: firewall
-# Recipe:: firewalld
-#
-# Copyright:: 2011-2016, Chef Software, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-chef_sugar_cookbook_version = Gem::Version.new(run_context.cookbook_collection['chef-sugar'].metadata.version)
-
-include_recipe 'chef-sugar' if chef_sugar_cookbook_version < Gem::Version.new('4.0.0')
-
-firewall 'default' do
-  ipv6_enabled node['firewall']['ipv6_enabled']
-  enabled_zone node['firewall']['firewalld']['zone'].to_sym
-  action :install
-end
-
-# create a variable to use as a condition on some rules that follow
-iptables_firewall = rhel? || node['firewall']['ubuntu_iptables']
-
-firewall_rule 'allow loopback' do
-  interface 'lo'
-  protocol :none
-  command :allow
-  zone node['firewall']['firewalld']['loopback_zone']
-  only_if { linux? && node['firewall']['allow_loopback'] }
-end
-
-firewall_rule 'allow icmp' do
-  protocol :icmp
-  command :allow
-  zone node['firewall']['firewalld']['icmp_zone']
-  # debian ufw doesn't allow 'icmp' protocol, but does open
-  # icmp by default, so we skip it in default recipe
-  only_if { (!debian?(node) || iptables_firewall) && node['firewall']['allow_icmp'] }
-end
-
-firewall_rule 'allow world to ssh' do
-  port 22
-  source '0.0.0.0/0'
-  zone node['firewall']['firewalld']['ssh_zone']
-  only_if { linux? && node['firewall']['allow_ssh'] }
-end
-
-firewall_rule 'allow world to winrm' do
-  port 5989
-  source '0.0.0.0/0'
-  only_if { windows? && node['firewall']['allow_winrm'] }
-end
-
-firewall_rule 'allow world to mosh' do
-  protocol :udp
-  port 60000..61000
-  source '0.0.0.0/0'
-  zone node['firewall']['firewalld']['mosh_zone']
-  only_if { linux? && node['firewall']['allow_mosh'] }
-end
-
-# allow established connections, ufw defaults to this but iptables does not
-firewall_rule 'established' do
-  stateful [:related, :established]
-  protocol :none # explicitly don't specify protocol
-  command :allow
-  zone node['firewall']['firewalld']['established_zone']
-  only_if { node['firewall']['allow_established'] && iptables_firewall }
-end
-
-# ipv6 needs ICMP to reliably work, so ensure it's enabled if ipv6
-# allow established connections, ufw defaults to this but iptables does not
-firewall_rule 'ipv6_icmp' do
-  protocol :'ipv6-icmp'
-  command :allow
-  zone node['firewall']['firewalld']['icmp_zone']
-  only_if { node['firewall']['ipv6_enabled'] && node['firewall']['allow_established'] && iptables_firewall }
-end

data/cookbooks/firewall/resources/firewalld.rb

@@ -1,28 +0,0 @@
-unified_mode true
-
-provides :firewalld,
-         os: 'linux'
-
-action :install do
-  chef_gem 'ruby-dbus'
-  require 'dbus'
-  package 'firewalld'
-end
-
-action :reload do
-  service 'firewalld' do
-    action :reload
-  end
-end
-
-action :restart do
-  service 'firewalld' do
-    action :restart
-  end
-end
-
-action :disable do
-  service 'firewalld' do
-    action [:disable, :stop]
-  end
-end

data/cookbooks/firewall/resources/firewalld_config.rb

@@ -1,39 +0,0 @@
-unified_mode true
-
-provides :firewalld_config,
-         os: 'linux'
-
-property :default_zone,
-         String,
-         description: 'Set default zone for connections and interfaces where no zone has been selected to zone. Setting the default zone changes the zone for the connections or interfaces, that are using the default zone.'
-property :log_denied,
-         String,
-         equal_to: %w(all unicast broadcast multicast off),
-         description: 'Set LogDenied value to value. If LogDenied is enabled, then logging rules are added right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones.'
-
-load_current_value do |_new_resource|
-  sysbus = DBus.system_bus
-  firewalld_service = sysbus['org.fedoraproject.FirewallD1']
-  firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1']
-  interface = firewalld_object['org.fedoraproject.FirewallD1']
-
-  default_zone interface.getDefaultZone
-  log_denied interface.getLogDenied
-end
-
-action :update do
-  dbus = DBus.system_bus
-  fw = firewalld_interface(dbus)
-
-  converge_if_changed :default_zone do
-    fw.setDefaultZone new_resource.default_zone
-  end
-
-  converge_if_changed :log_denied do
-    fw.setLogDenied new_resource.log_denied
-  end
-end
-
-action_class do
-  include FirewallCookbook::Helpers::FirewalldDBus
-end

data/cookbooks/firewall/resources/firewalld_helpers.rb

@@ -1,106 +0,0 @@
-unified_mode true
-
-provides :firewalld_helper,
-         os: 'linux'
-
-property :version,
-         String,
-         default: '',
-         description: 'see version attribute of helper tag in firewalld.helper(5).'
-property :short,
-         String,
-         name_property: true,
-         description: 'see short tag in firewalld.helper(5).'
-property :description,
-         String,
-         description: 'see description tag in firewalld.helper(5).'
-property :family,
-         String,
-         equal_to: %w(ipv4 ipv6),
-         default: 'ipv4',
-         description: 'see family tag in firewalld.helper(5).'
-property :nf_module,
-         String,
-         description: 'see module tag in firewalld.helper(5).'
-property :ports,
-         [Array, String],
-         default: [],
-         description: 'array of port and protocol pairs. See port tag in firewalld.helper(5).',
-         coerce: proc { |o| Array(o) }
-
-load_current_value do |new_resource|
-  dbus = DBus.system_bus
-  firewalld_service = dbus['org.fedoraproject.FirewallD1']
-  firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
-  fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
-  if fw_config.getHelperNames.include?(new_resource.short)
-    helper_path = fw_config.getHelperByName(new_resource.short)
-    object = firewalld_service[helper_path]
-    config_helper = object['org.fedoraproject.FirewallD1.config.helper']
-    settings = config_helper.getSettings
-    version settings[0]
-    # short settings[1]
-    description settings[2]
-    family settings[3]
-    nf_module settings[4]
-    ports settings[5]
-  else
-    Chef::Log.info "Helper #{new_resource.short} does not exist. Will be created."
-  end
-end
-
-action :update do
-  dbus = DBus.system_bus
-  fw = firewalld_interface(dbus)
-  fw_config = config_interface(dbus)
-  helper_names = fw_config.getHelperNames
-  reload = false
-  if !helper_names.include?(new_resource.short)
-    values = [
-      new_resource.version,
-      new_resource.short,
-      default_description(new_resource),
-      new_resource.family,
-      new_resource.nf_module,
-      new_resource.ports.map { |e| e.split('/') },
-    ]
-    converge_by "Add Helper #{new_resource.short}" do
-      fw_config.addHelper(new_resource.short, values)
-    end
-    reload = true
-  else
-    helper_path = fw_config.getHelperByName(new_resource.short)
-    helper = helper_interface(dbus, helper_path)
-    converge_if_changed :version do
-      helper.setVersion new_resource.version
-      reload = true
-    end
-    converge_if_changed :description do
-      helper.setDescription default_description(new_resource)
-      reload = true
-    end
-    converge_if_changed :family do
-      helper.setFamily new_resource.family
-      reload = true
-    end
-    converge_if_changed :nf_module do
-      helper.setModule new_resource.nf_module
-      reload = true
-    end
-    converge_if_changed :ports do
-      helper.setPorts new_resource.ports.map { |e| e.split('/') }
-      reload = true
-    end
-  end
-
-  if reload
-    converge_by ['reload permanent configuration of firewalld'] do
-      fw.reload
-    end
-  end
-end
-
-action_class do
-  include FirewallCookbook::Helpers
-  include FirewallCookbook::Helpers::FirewalldDBus
-end

data/cookbooks/firewall/resources/firewalld_icmptype.rb

@@ -1,88 +0,0 @@
-unified_mode true
-
-provides :firewalld_icmptype,
-         os: 'linux'
-
-property :version,
-         String,
-         default: '',
-         description: 'see version attribute of icmptype tag in firewalld.icmptype(5).'
-property :short,
-         String,
-         name_property: true,
-         description: 'see short tag in firewalld.icmptype(5).'
-property :description,
-         String,
-         description: 'see description tag in firewalld.icmptype(5).'
-property :destinations,
-         Array,
-         equal_to: [['ipv4'], ['ipv6'], %w(ipv4 ipv6)],
-         default: 'ipv4',
-         description: 'array, either empty or containing strings \'ipv4\' and/or \'ipv6\', see destination tag in firewalld.icmptype(5).',
-         coerce: proc { |o| Array(o) }
-
-load_current_value do |new_resource|
-  sysbus = DBus.system_bus
-  firewalld_service = sysbus['org.fedoraproject.FirewallD1']
-  firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
-  fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
-  if fw_config.getIcmpTypeNames.include?(new_resource.short)
-    icmptype_path = fw_config.getIcmpTypeByName(new_resource.short)
-    object = firewalld_service[icmptype_path]
-    config_icmptype = object['org.fedoraproject.FirewallD1.config.icmptype']
-    settings = config_icmptype.getSettings
-    version settings[0]
-    # short settings[1]
-    description settings[2]
-    destinations settings[3]
-  else
-    Chef::Log.info "IcmpType #{new_resource.short} does not exist. Will be created."
-  end
-end
-
-action :update do
-  dbus = DBus.system_bus
-  fw_config = config_interface(dbus)
-  fw = firewalld_interface(dbus)
-  reload = false
-  icmptype_names = fw_config.getIcmpTypeNames
-  if !icmptype_names.include?(new_resource.short)
-    values = [
-      new_resource.version,
-      new_resource.short,
-      default_description(new_resource),
-      new_resource.destinations,
-    ]
-
-    converge_by "Add IcmpType #{new_resource.short}" do
-      fw_config.addIcmpType(new_resource.short, values)
-    end
-    reload = true
-  else
-    icmptype_path = fw_config.getIcmpTypeByName(new_resource.short)
-    icmptype = icmptype_interface(dbus, icmptype_path)
-    converge_if_changed :version do
-      icmptype.setVersion new_resource.version
-      reload = true
-    end
-    converge_if_changed :description do
-      icmptype.setDescription default_description(new_resource)
-      reload = true
-    end
-    converge_if_changed :destinations do
-      icmptype.setDestinations new_resource.destinations
-      reload = true
-    end
-  end
-
-  if reload
-    converge_by ['reload permanent configuration of firewalld'] do
-      fw.reload
-    end
-  end
-end
-
-action_class do
-  include FirewallCookbook::Helpers
-  include FirewallCookbook::Helpers::FirewalldDBus
-end

data/cookbooks/firewall/resources/firewalld_ipset.rb

@@ -1,104 +0,0 @@
-unified_mode true
-
-provides :firewalld_ipset,
-         os: 'linux'
-
-property :version,
-         String,
-         description: 'see version attribute of ipset tag in firewalld.ipset(5).'
-property :short,
-         String,
-         name_property: true,
-         description: 'see short tag in firewalld.ipset(5).'
-property :description,
-         String,
-         description: 'see description tag in firewalld.ipset(5).'
-property :type,
-         String,
-         default: 'hash:ip',
-         description: 'see type attribute of ipset tag in firewalld.ipset(5).',
-         equal_to:
-           %w(hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net)
-property :options,
-         Hash,
-         description: 'hash of {option : value} . See options tag in firewalld.ipset(5).'
-property :entries,
-         [Array, String],
-         description: 'array of entries, see entry tag in firewalld.ipset(5).',
-         coerce: proc { |o| Array(o) }
-
-load_current_value do |new_resource|
-  sysbus = DBus.system_bus
-  firewalld_service = sysbus['org.fedoraproject.FirewallD1']
-  firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
-  fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
-  if fw_config.getIPSetNames.include?(new_resource.short)
-    ipset_path = fw_config.getIPSetByName(new_resource.short)
-    object = firewalld_service[ipset_path]
-    config_ipset = object['org.fedoraproject.FirewallD1.config.ipset']
-    settings = config_ipset.getSettings
-    version settings[0]
-    # short settings[1]
-    description settings[2]
-    type settings[3]
-    options settings[4]
-    entries settings[5]
-  else
-    Chef::Log.info "Ipset #{new_resource.short} does not exist. Will be created."
-  end
-end
-
-action :update do
-  dbus = DBus.system_bus
-  fw = firewalld_interface(dbus)
-  fw_config = config_interface(dbus)
-  reload = false
-  if !fw_config.getIPSetNames.include?(new_resource.short)
-    values = [
-      new_resource.version || '',
-      new_resource.short,
-      default_description(new_resource),
-      new_resource.type,
-      new_resource.options || {},
-      new_resource.entries,
-    ]
-    converge_by "Add ipset #{new_resource.short}" do
-      fw_config.addIPSet(new_resource.short, values)
-    end
-    reload = true
-  else
-    ipset_path = fw_config.getIPSetByName(new_resource.short)
-    ipset = ipset_interface(dbus, ipset_path)
-    converge_if_changed :version do
-      ipset.setVersion new_resource.version
-      reload = true
-    end
-    converge_if_changed :description do
-      ipset.setDescriptions default_description(new_resource)
-      reload = true
-    end
-    converge_if_changed :type do
-      ipset.setType new_resource.type
-      reload = true
-    end
-    converge_if_changed :options do
-      ipset.setOptions(new_resource.options || {})
-      reload = true
-    end
-    converge_if_changed :entries do
-      ipset.setEntries new_resource.entries
-      reload = true
-    end
-  end
-
-  if reload
-    converge_by ['reload permanent configuration of firewalld'] do
-      fw.reload
-    end
-  end
-end
-
-action_class do
-  include FirewallCookbook::Helpers
-  include FirewallCookbook::Helpers::FirewalldDBus
-end

data/cookbooks/firewall/resources/firewalld_policy.rb

@@ -1,115 +0,0 @@
-unified_mode true
-
-provides :firewalld_policy,
-         os: 'linux'
-
-property :description,
-         String,
-         description: 'see description tag in firewalld.policy(5).'
-property :egress_zones,
-         [Array, String],
-         description: 'array of zone names. See egress-zone tag in firewalld.policy(5).',
-         coerce: proc { |o| Array(o) }
-property :forward_ports,
-         [Array, String],
-         description: 'array of `portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]`. See forward-port tag in firewalld.policy(5).',
-         coerce: proc { |o| Array(o) }
-property :icmp_blocks,
-         [Array, String],
-         description: 'array of icmp-blocks. See icmp-block tag in firewalld.policy(5).'
-property :ingress_zones,
-         [Array, String],
-         description: 'array of zone names. See ingress-zone tag in firewalld.policy(5).',
-         coerce: proc { |o| Array(o) }
-property :masquerade,
-         [true, false],
-         description: 'see masquerade tag in firewalld.policy(5).'
-property :ports,
-         [Array, String],
-         description: 'array of port and protocol pairs. See port tag in firewalld.policy(5).',
-         coerce: proc { |o| Array(o) }
-property :priority,
-         Integer,
-         description: 'see priority tag in firewalld.policy(5).'
-property :protocols,
-         [Array, String],
-         description: 'array of protocols, see protocol tag in firewalld.policy(5).',
-         coerce: proc { |o| Array(o) }
-property :rich_rules,
-         [Array, String],
-         description: 'array of rich-language rules. See rule tag in firewalld.policy(5).',
-         coerce: proc { |o| Array(o) }
-property :services,
-         [Array, String],
-         description: 'array of service names, see service tag in firewalld.policy(5).',
-         coerce: proc { |o| Array(o) }
-property :short,
-         String,
-         description: 'see short tag in firewalld.policy(5).',
-         name_property: true
-property :source_ports,
-         [Array, String],
-         description: 'array of port and protocol pairs. See source-port tag in firewalld.policy(5).',
-         coerce: proc { |o| Array(o) }
-property :target,
-         String,
-         description: 'see target attribute of policy tag in firewalld.policy(5).'
-property :version,
-         String,
-         description: 'see version attribute of policy tag in firewalld.policy(5).'
-
-load_current_value do |new_resource|
-  sysbus = DBus.system_bus
-  firewalld_service = sysbus['org.fedoraproject.FirewallD1']
-  firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
-  fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
-  if fw_config.getPolicyNames.include?(new_resource.short)
-    policy_path = fw_config.getPolicyByName(new_resource.short)
-    object = firewalld_service[policy_path]
-    config_policy = object['org.fedoraproject.FirewallD1.config.policy']
-    config_policy.getSettings.each do |k, v|
-      send(k, v)
-    end
-  else
-    Chef::Log.info "Zone #{new_resource.short} does not exist. Will be created."
-  end
-end
-
-action :update do
-  dbus = DBus.system_bus
-  fw = firewalld_interface(dbus)
-  fw_config = config_interface(dbus)
-  reload = false
-
-  unless fw_config.getPolicyNames.include?(new_resource.short)
-    fw_config.addPolicy(new_resource.short, {})
-  end
-  policy_path = fw_config.getPolicyByName(new_resource.short)
-  policy = policy_interface(dbus, policy_path)
-  properties = new_resource.class.state_properties.map(&:name)
-  properties.each do |property|
-    new_value = new_resource.send(property)
-    next if new_value.nil?
-    if [:ports, :source_ports].include?(property)
-      new_value = DBus.variant('a(ss)', new_value.map { |e| e.split('/') })
-    elsif [:forward_ports].include?(property)
-      new_value = forward_ports_to_dbus(new_resource)
-    elsif [:priority].include?(property)
-      new_value = DBus.variant('i', new_value)
-    end
-    converge_if_changed property do
-      policy.update({ property.to_s => new_value })
-      reload = true
-    end
-  end
-
-  if reload
-    converge_by ['reload permanent configuration of firewalld'] do
-      fw.reload
-    end
-  end
-end
-
-action_class do
-  include FirewallCookbook::Helpers::FirewalldDBus
-end