RubyGems - safeguard-devise - Versions diffs - 0.0.2 - Mend

safeguard-devise 0.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (185) hide show

data/puppet/modules/mysql/lib/puppet/parser/functions/mysql_password.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# hash a string as mysql's "PASSWORD()" function would do it
+require 'digest/sha1'
+module Puppet::Parser::Functions
+  newfunction(:mysql_password, :type => :rvalue, :doc => <<-EOS
+    Returns the mysql password hash from the clear text password.
+    EOS
+  ) do |args|
+    raise(Puppet::ParseError, "mysql_password(): Wrong number of arguments " +
+      "given (#{args.size} for 1)") if args.size != 1
+    '*' + Digest::SHA1.hexdigest(Digest::SHA1.digest(args[0])).upcase
+  end
+end

data/puppet/modules/mysql/lib/puppet/provider/database/mysql.rb ADDED Viewed

@@ -0,0 +1,42 @@
+Puppet::Type.type(:database).provide(:mysql) do
+  desc "Manages MySQL database."
+  defaultfor :kernel => 'Linux'
+  optional_commands :mysql      => 'mysql'
+  optional_commands :mysqladmin => 'mysqladmin'
+  def self.instances
+    mysql('-NBe', "show databases").split("\n").collect do |name|
+      new(:name => name)
+    end
+  end
+  def create
+    mysql('-NBe', "create database `#{@resource[:name]}` character set #{resource[:charset]}")
+  end
+  def destroy
+    mysqladmin('-f', 'drop', @resource[:name])
+  end
+  def charset
+    mysql('-NBe', "show create database `#{resource[:name]}`").match(/.*?(\S+)\s\*\//)[1]
+  end
+  def charset=(value)
+    mysql('-NBe', "alter database `#{resource[:name]}` CHARACTER SET #{value}")
+  end
+  def exists?
+    begin
+      mysql('-NBe', "show databases").match(/^#{@resource[:name]}$/)
+    rescue => e
+      debug(e.message)
+      return nil
+    end
+  end
+end

data/puppet/modules/mysql/lib/puppet/provider/database_grant/mysql.rb ADDED Viewed

@@ -0,0 +1,177 @@
+# A grant is either global or per-db. This can be distinguished by the syntax
+# of the name:
+#   user@host => global
+#   user@host/db => per-db
+Puppet::Type.type(:database_grant).provide(:mysql) do
+  desc "Uses mysql as database."
+  defaultfor :kernel => 'Linux'
+  optional_commands :mysql      => 'mysql'
+  optional_commands :mysqladmin => 'mysqladmin'
+  def self.prefetch(resources)
+    @user_privs = query_user_privs
+    @db_privs = query_db_privs
+  end
+  def self.user_privs
+    @user_privs || query_user_privs
+  end
+  def self.db_privs
+    @db_privs || query_db_privs
+  end
+  def user_privs
+    self.class.user_privs
+  end
+  def db_privs
+    self.class.db_privs
+  end
+  def self.query_user_privs
+    results = mysql("mysql", "-Be", "describe user")
+    column_names = results.split(/\n/).map { |l| l.chomp.split(/\t/)[0] }
+    @user_privs = column_names.delete_if { |e| !( e =~/_priv$/) }
+  end
+  def self.query_db_privs
+    results = mysql("mysql", "-Be", "describe db")
+    column_names = results.split(/\n/).map { |l| l.chomp.split(/\t/)[0] }
+    @db_privs = column_names.delete_if { |e| !(e =~/_priv$/) }
+  end
+  def mysql_flush
+    mysqladmin "flush-privileges"
+  end
+  # this parses the
+  def split_name(string)
+    matches = /^([^@]*)@([^\/]*)(\/(.*))?$/.match(string).captures.compact
+    case matches.length
+    when 2
+      {
+        :type => :user,
+        :user => matches[0],
+        :host => matches[1]
+      }
+    when 4
+      {
+        :type => :db,
+        :user => matches[0],
+        :host => matches[1],
+        :db => matches[3]
+      }
+    end
+  end
+  def create_row
+    unless @resource.should(:privileges).empty?
+      name = split_name(@resource[:name])
+      case name[:type]
+      when :user
+        mysql "mysql", "-e", "INSERT INTO user (host, user) VALUES ('%s', '%s')" % [
+          name[:host], name[:user],
+        ]
+      when :db
+        mysql "mysql", "-e", "INSERT INTO db (host, user, db) VALUES ('%s', '%s', '%s')" % [
+          name[:host], name[:user], name[:db],
+        ]
+      end
+      mysql_flush
+    end
+  end
+  def destroy
+    mysql "mysql", "-e", "REVOKE ALL ON '%s'.* FROM '%s@%s'" % [ @resource[:privileges], @resource[:database], @resource[:name], @resource[:host] ]
+  end
+  def row_exists?
+    name = split_name(@resource[:name])
+    fields = [:user, :host]
+    if name[:type] == :db
+      fields << :db
+    end
+    not mysql( "mysql", "-NBe", 'SELECT "1" FROM %s WHERE %s' % [ name[:type], fields.map do |f| "%s = '%s'" % [f, name[f]] end.join(' AND ')]).empty?
+  end
+  def all_privs_set?
+    all_privs = case split_name(@resource[:name])[:type]
+                when :user
+                  user_privs
+                when :db
+                  db_privs
+                end
+    all_privs = all_privs.collect do |p| p.downcase end.sort.join("|")
+    privs = privileges.collect do |p| p.downcase end.sort.join("|")
+    all_privs == privs
+  end
+  def privileges
+    name = split_name(@resource[:name])
+    privs = ""
+    case name[:type]
+    when :user
+      privs = mysql "mysql", "-Be", 'select * from user where user="%s" and host="%s"' % [ name[:user], name[:host] ]
+    when :db
+      privs = mysql "mysql", "-Be", 'select * from db where user="%s" and host="%s" and db="%s"' % [ name[:user], name[:host], name[:db] ]
+    end
+    if privs.match(/^$/)
+      privs = [] # no result, no privs
+    else
+      # returns a line with field names and a line with values, each tab-separated
+      privs = privs.split(/\n/).map! do |l| l.chomp.split(/\t/) end
+      # transpose the lines, so we have key/value pairs
+      privs = privs[0].zip(privs[1])
+      privs = privs.select do |p| p[0].match(/_priv$/) and p[1] == 'Y' end
+    end
+    privs.collect do |p| p[0] end
+  end
+  def privileges=(privs)
+    unless row_exists?
+      create_row
+    end
+    # puts "Setting privs: ", privs.join(", ")
+    name = split_name(@resource[:name])
+    stmt = ''
+    where = ''
+    all_privs = []
+    case name[:type]
+    when :user
+      stmt = 'update user set '
+      where = ' where user="%s" and host="%s"' % [ name[:user], name[:host] ]
+      all_privs = user_privs
+    when :db
+      stmt = 'update db set '
+      where = ' where user="%s" and host="%s" and db="%s"' % [ name[:user], name[:host], name[:db] ]
+      all_privs = db_privs
+    end
+    if privs[0].downcase == 'all'
+      privs = all_privs
+    end
+    # Downcase the requested priviliges for case-insensitive selection
+    # we don't map! here because the all_privs object has to remain in
+    # the same case the DB gave it to us in
+    privs = privs.map { |p| p.downcase }
+    # puts "stmt:", stmt
+    set = all_privs.collect do |p| "%s = '%s'" % [p, privs.include?(p.downcase) ? 'Y' : 'N'] end.join(', ')
+    # puts "set:", set
+    stmt = stmt << set << where
+    mysql "mysql", "-Be", stmt
+    mysql_flush
+  end
+end

data/puppet/modules/mysql/lib/puppet/provider/database_user/mysql.rb ADDED Viewed

@@ -0,0 +1,42 @@
+Puppet::Type.type(:database_user).provide(:mysql) do
+  desc "manage users for a mysql database."
+  defaultfor :kernel => 'Linux'
+  optional_commands :mysql      => 'mysql'
+  optional_commands :mysqladmin => 'mysqladmin'
+  def self.instances
+    users = mysql("mysql", '-BNe' "select concat(User, '@',Host) as User from mysql.user").split("\n")
+    users.select{ |user| user =~ /.+@/ }.collect do |name|
+      new(:name => name)
+    end
+  end
+  def create
+    mysql("mysql", "-e", "create user '%s' identified by PASSWORD '%s'" % [ @resource[:name].sub("@", "'@'"), @resource.value(:password_hash) ])
+  end
+  def destroy
+    mysql("mysql", "-e", "drop user '%s'" % @resource.value(:name).sub("@", "'@'") )
+  end
+  def password_hash
+    mysql("mysql", "-NBe", "select password from user where CONCAT(user, '@', host) = '%s'" % @resource.value(:name)).chomp
+  end
+  def password_hash=(string)
+    mysql("mysql", "-e", "SET PASSWORD FOR '%s' = '%s'" % [ @resource[:name].sub("@", "'@'"), string ] )
+  end
+  def exists?
+    not mysql("mysql", "-NBe", "select '1' from user where CONCAT(user, '@', host) = '%s'" % @resource.value(:name)).empty?
+  end
+  def flush
+    @property_hash.clear
+    mysqladmin "flush-privileges"
+  end
+end

data/puppet/modules/mysql/lib/puppet/type/database.rb ADDED Viewed

@@ -0,0 +1,17 @@
+# This has to be a separate type to enable collecting
+Puppet::Type.newtype(:database) do
+  @doc = "Manage databases."
+  ensurable
+  newparam(:name, :namevar=>true) do
+    desc "The name of the database."
+  end
+  newproperty(:charset) do
+    desc "The characterset to use for a database"
+    defaultto :utf8
+    newvalue(/^\S+$/)
+  end
+end

data/puppet/modules/mysql/lib/puppet/type/database_grant.rb ADDED Viewed

@@ -0,0 +1,75 @@
+# This has to be a separate type to enable collecting
+Puppet::Type.newtype(:database_grant) do
+  @doc = "Manage a database user's rights."
+  #ensurable
+  autorequire :database do
+    # puts "Starting db autoreq for %s" % self[:name]
+    reqs = []
+    matches = self[:name].match(/^([^@]+)@([^\/]+)\/(.+)$/)
+    unless matches.nil?
+      reqs << matches[3]
+    end
+    # puts "Autoreq: '%s'" % reqs.join(" ")
+    reqs
+  end
+  autorequire :database_user do
+    # puts "Starting user autoreq for %s" % self[:name]
+    reqs = []
+    matches = self[:name].match(/^([^@]+)@([^\/]+).*$/)
+    unless matches.nil?
+      reqs << "%s@%s" % [ matches[1], matches[2] ]
+    end
+    # puts "Autoreq: '%s'" % reqs.join(" ")
+    reqs
+  end
+  newparam(:name, :namevar=>true) do
+    desc "The primary key: either user@host for global privilges or user@host/database for database specific privileges"
+  end
+  newproperty(:privileges, :array_matching => :all) do
+    desc "The privileges the user should have. The possible values are implementation dependent."
+    def should_to_s(newvalue = @should)
+      if newvalue
+        unless newvalue.is_a?(Array)
+          newvalue = [ newvalue ]
+        end
+        newvalue.collect do |v| v.downcase end.sort.join ", "
+      else
+        nil
+      end
+    end
+    def is_to_s(currentvalue = @is)
+      if currentvalue
+        unless currentvalue.is_a?(Array)
+          currentvalue = [ currentvalue ]
+        end
+        currentvalue.collect do |v| v.downcase end.sort.join ", "
+      else
+        nil
+      end
+    end
+    # use the sorted outputs for comparison
+    def insync?(is)
+      if defined? @should and @should
+        case self.should_to_s
+        when "all"
+          self.provider.all_privs_set?
+        when self.is_to_s(is)
+          true
+        else
+          false
+        end
+      else
+        true
+      end
+    end
+  end
+end

data/puppet/modules/mysql/lib/puppet/type/database_user.rb ADDED Viewed

@@ -0,0 +1,25 @@
+# This has to be a separate type to enable collecting
+Puppet::Type.newtype(:database_user) do
+  @doc = "Manage a database user. This includes management of users password as well as priveleges"
+  ensurable
+  newparam(:name, :namevar=>true) do
+    desc "The name of the user. This uses the 'username@hostname' or username@hostname."
+    validate do |value|
+      # https://dev.mysql.com/doc/refman/5.1/en/account-names.html
+      # Regex should problably be more like this: /^[`'"]?[^`'"]*[`'"]?@[`'"]?[\w%\.]+[`'"]?$/
+      raise(ArgumentError, "Invalid database user #{value}") unless value =~ /[\w-]*@[\w%\.]+/
+      username = value.split('@')[0]
+      if username.size > 16
+        raise ArgumentError, "MySQL usernames are limited to a maximum of 16 characters"
+      end
+    end
+  end
+  newproperty(:password_hash) do
+    desc "The password hash of the user. Use mysql_password() for creating such a hash."
+    newvalue(/\w+/)
+  end
+end

data/puppet/modules/mysql/manifests/backup.pp ADDED Viewed

@@ -0,0 +1,68 @@
+# Class: mysql::backup
+#
+# This module handles ...
+#
+# Parameters:
+#   [*backupuser*]     - The name of the mysql backup user.
+#   [*backuppassword*] - The password of the mysql backup user.
+#   [*backupdir*]      - The target directory of the mysqldump.
+#
+# Actions:
+#   GRANT SELECT, RELOAD, LOCK TABLES ON *.* TO 'user'@'localhost'
+#    IDENTIFIED BY 'password';
+#
+# Requires:
+#   Class['mysql::config']
+#
+# Sample Usage:
+#   class { 'mysql::backup':
+#     backupuser     => 'myuser',
+#     backuppassword => 'mypassword',
+#     backupdir      => '/tmp/backups',
+#   }
+#
+class mysql::backup (
+  $backupuser,
+  $backuppassword,
+  $backupdir,
+  $ensure = 'present'
+) {
+  database_user { "${backupuser}@localhost":
+    ensure        => $ensure,
+    password_hash => mysql_password($backuppassword),
+    provider      => 'mysql',
+    require       => Class['mysql::config'],
+  }
+  database_grant { "${backupuser}@localhost":
+    privileges => [ 'Select_priv', 'Reload_priv', 'Lock_tables_priv' ],
+    require    => Database_user["${backupuser}@localhost"],
+  }
+  cron { 'mysql-backup':
+    ensure  => $ensure,
+    command => '/usr/local/sbin/mysqlbackup.sh',
+    user    => 'root',
+    hour    => 23,
+    minute  => 5,
+    require => File['mysqlbackup.sh'],
+  }
+  file { 'mysqlbackup.sh':
+    ensure  => $ensure,
+    path    => '/usr/local/sbin/mysqlbackup.sh',
+    mode    => '0700',
+    owner   => 'root',
+    group   => 'root',
+    content => template('mysql/mysqlbackup.sh.erb'),
+  }
+  file { 'mysqlbackupdir':
+    ensure => 'directory',
+    path   => $backupdir,
+    mode   => '0700',
+    owner  => 'root',
+    group  => 'root',
+  }
+}

data/puppet/modules/mysql/manifests/config.pp ADDED Viewed

@@ -0,0 +1,122 @@
+# Class: mysql::config
+#
+# Parameters:
+#
+#   [*root_password*]     - root user password.
+#   [*old_root_password*] - previous root user password,
+#   [*bind_address*]      - address to bind service.
+#   [*port*]              - port to bind service.
+#   [*etc_root_password*] - whether to save /etc/.my.cnf.
+#   [*service_name*]      - mysql service name.
+#   [*config_file*]       - my.cnf configuration file path.
+#   [*socket*]            - mysql socket.
+#   [*datadir*]           - path to datadir.
+#   [*ssl]                - enable ssl
+#   [*ssl_ca]             - path to ssl-ca
+#   [*ssl_cert]           - path to ssl-cert
+#   [*ssl_key]            - path to ssl-key
+#
+# Actions:
+#
+# Requires:
+#
+#   class mysql::server
+#
+# Usage:
+#
+#   class { 'mysql::config':
+#     root_password => 'changeme',
+#     bind_address  => $::ipaddress,
+#   }
+#
+class mysql::config(
+  $root_password     = 'UNSET',
+  $old_root_password = '',
+  $bind_address      = $mysql::params::bind_address,
+  $port              = $mysql::params::port,
+  $etc_root_password = $mysql::params::etc_root_password,
+  $service_name      = $mysql::params::service_name,
+  $config_file       = $mysql::params::config_file,
+  $socket            = $mysql::params::socket,
+  $datadir           = $mysql::params::datadir,
+  $ssl               = $mysql::params::ssl,
+  $ssl_ca            = $mysql::params::ssl_ca,
+  $ssl_cert          = $mysql::params::ssl_cert,
+  $ssl_key           = $mysql::params::ssl_key,
+  $log_error         = $mysql::params::log_error,
+  $default_engine    = 'UNSET',
+  $root_group        = $mysql::params::root_group
+) inherits mysql::params {
+  File {
+    owner  => 'root',
+    group  => $root_group,
+    mode   => '0400',
+    notify => Exec['mysqld-restart'],
+  }
+  if $ssl and $ssl_ca == undef {
+    fail('The ssl_ca parameter is required when ssl is true')
+  }
+  if $ssl and $ssl_cert == undef {
+    fail('The ssl_cert parameter is required when ssl is true')
+  }
+  if $ssl and $ssl_key == undef {
+    fail('The ssl_key parameter is required when ssl is true')
+  }
+  # This kind of sucks, that I have to specify a difference resource for
+  # restart.  the reason is that I need the service to be started before mods
+  # to the config file which can cause a refresh
+  exec { 'mysqld-restart':
+    command     => "service ${service_name} restart",
+    logoutput   => on_failure,
+    refreshonly => true,
+    path        => '/sbin/:/usr/sbin/:/usr/bin/:/bin/',
+  }
+  # manage root password if it is set
+  if $root_password != 'UNSET' {
+    case $old_root_password {
+      '':      { $old_pw='' }
+      default: { $old_pw="-p'${old_root_password}'" }
+    }
+    exec { 'set_mysql_rootpw':
+      command   => "mysqladmin -u root ${old_pw} password '${root_password}'",
+      logoutput => true,
+      unless    => "mysqladmin -u root -p'${root_password}' status > /dev/null",
+      path      => '/usr/local/sbin:/usr/bin:/usr/local/bin',
+      notify    => Exec['mysqld-restart'],
+      require   => File['/etc/mysql/conf.d'],
+    }
+    file { '/root/.my.cnf':
+      content => template('mysql/my.cnf.pass.erb'),
+      require => Exec['set_mysql_rootpw'],
+    }
+    if $etc_root_password {
+      file{ '/etc/my.cnf':
+        content => template('mysql/my.cnf.pass.erb'),
+        require => Exec['set_mysql_rootpw'],
+      }
+    }
+  }
+  file { '/etc/mysql':
+    ensure => directory,
+    mode   => '0755',
+  }
+  file { '/etc/mysql/conf.d':
+    ensure => directory,
+    mode   => '0755',
+  }
+  file { $config_file:
+    content => template('mysql/my.cnf.erb'),
+    mode    => '0644',
+  }
+}

data/puppet/modules/mysql/manifests/db.pp ADDED Viewed

@@ -0,0 +1,77 @@
+# Define: mysql::db
+#
+# This module creates database instances, a user, and grants that user
+# privileges to the database.  It can also import SQL from a file in order to,
+# for example, initialize a database schema.
+#
+# Since it requires class mysql::server, we assume to run all commands as the
+# root mysql user against the local mysql server.
+#
+# Parameters:
+#   [*title*]       - mysql database name.
+#   [*user*]        - username to create and grant access.
+#   [*password*]    - user's password.
+#   [*charset*]     - database charset.
+#   [*host*]        - host for assigning privileges to user.
+#   [*grant*]       - array of privileges to grant user.
+#   [*enforce_sql*] - whether to enforce or conditionally run sql on creation.
+#   [*sql*]         - sql statement to run.
+#
+# Actions:
+#
+# Requires:
+#
+#   class mysql::server
+#
+# Sample Usage:
+#
+#  mysql::db { 'mydb':
+#    user     => 'my_user',
+#    password => 'password',
+#    host     => $::hostname,
+#    grant    => ['all']
+#  }
+#
+define mysql::db (
+  $user,
+  $password,
+  $charset     = 'utf8',
+  $host        = 'localhost',
+  $grant       = 'all',
+  $sql         = '',
+  $enforce_sql = false
+) {
+  database { $name:
+    ensure   => present,
+    charset  => $charset,
+    provider => 'mysql',
+    require  => Class['mysql::server'],
+  }
+  database_user { "${user}@${host}":
+    ensure        => present,
+    password_hash => mysql_password($password),
+    provider      => 'mysql',
+    require       => Database[$name],
+  }
+  database_grant { "${user}@${host}/${name}":
+    privileges => $grant,
+    provider   => 'mysql',
+    require    => Database_user["${user}@${host}"],
+  }
+  $refresh = ! $enforce_sql
+  if $sql {
+    exec{ "${name}-import":
+      command     => "/usr/bin/mysql ${name} < ${sql}",
+      logoutput   => true,
+      refreshonly => $refresh,
+      require     => Database_grant["${user}@${host}/${name}"],
+      subscribe   => Database[$name],
+    }
+  }
+}

data/puppet/modules/mysql/manifests/init.pp ADDED Viewed

@@ -0,0 +1,24 @@
+# Class: mysql
+#
+#   This class installs mysql client software.
+#
+# Parameters:
+#   [*client_package_name*]  - The name of the mysql client package.
+#
+# Actions:
+#
+# Requires:
+#
+# Sample Usage:
+#
+class mysql (
+  $package_name   = $mysql::params::client_package_name,
+  $package_ensure = 'present'
+) inherits mysql::params {
+  package { 'mysql_client':
+    name    => $package_name,
+    ensure  => $package_ensure,
+  }
+}