safeguard-devise 0.0.2
- checksums.yaml +15 -0
- data/.vagrant/machines/default/virtualbox/action_provision +1 -0
- data/.vagrant/machines/default/virtualbox/action_set_name +1 -0
- data/.vagrant/machines/default/virtualbox/id +1 -0
- data/Gemfile +25 -0
- data/Gemfile.lock +186 -0
- data/Rakefile +51 -0
- data/VERSION +1 -0
- data/Vagrantfile +128 -0
- data/app/controllers/devise/devise_safeguard_controller.rb +56 -0
- data/app/views/devise/verify_safeguard.html.erb +9 -0
- data/app/views/devise/verify_safeguard.html.haml +7 -0
- data/config/locales/pt-BR.yml +5 -0
- data/lib/devise-safeguard/controllers/helpers.rb +54 -0
- data/lib/devise-safeguard/hooks/safeguard_authenticatable.rb +7 -0
- data/lib/devise-safeguard/models/safeguard_authenticatable.rb +18 -0
- data/lib/devise-safeguard/rails.rb +7 -0
- data/lib/devise-safeguard/routes.rb +17 -0
- data/lib/generators/active_record/devise_safeguard_generator.rb +13 -0
- data/lib/generators/active_record/templates/migration.rb +15 -0
- data/lib/generators/devise_safeguard/devise_safeguard_generator.rb +30 -0
- data/lib/generators/devise_safeguard/install_generator.rb +44 -0
- data/lib/safeguard-devise.rb +24 -0
- data/puppet/manifests/default.pp +66 -0
- data/puppet/modules/elasticsearch/CHANGELOG +62 -0
- data/puppet/modules/elasticsearch/CONTRIBUTORS +20 -0
- data/puppet/modules/elasticsearch/LICENSE +13 -0
- data/puppet/modules/elasticsearch/Modulefile +9 -0
- data/puppet/modules/elasticsearch/README.md +147 -0
- data/puppet/modules/elasticsearch/Rakefile +5 -0
- data/puppet/modules/elasticsearch/manifests/config.pp +64 -0
- data/puppet/modules/elasticsearch/manifests/init.pp +208 -0
- data/puppet/modules/elasticsearch/manifests/java.pp +50 -0
- data/puppet/modules/elasticsearch/manifests/package.pp +84 -0
- data/puppet/modules/elasticsearch/manifests/params.pp +103 -0
- data/puppet/modules/elasticsearch/manifests/plugin.pp +97 -0
- data/puppet/modules/elasticsearch/manifests/python.pp +34 -0
- data/puppet/modules/elasticsearch/manifests/service.pp +114 -0
- data/puppet/modules/elasticsearch/manifests/template.pp +118 -0
- data/puppet/modules/elasticsearch/metadata.json +41 -0
- data/puppet/modules/elasticsearch/spec/classes/elasticsearch_init_spec.rb +596 -0
- data/puppet/modules/elasticsearch/spec/defines/template_spec.rb +66 -0
- data/puppet/modules/elasticsearch/spec/spec_helper.rb +2 -0
- data/puppet/modules/elasticsearch/templates/etc/default/elasticsearch.erb +5 -0
- data/puppet/modules/elasticsearch/templates/etc/elasticsearch/elasticsearch.yml.erb +93 -0
- data/puppet/modules/memcached/.gitignore +2 -0
- data/puppet/modules/memcached/Modulefile +8 -0
- data/puppet/modules/memcached/README.md +29 -0
- data/puppet/modules/memcached/manifests/init.pp +33 -0
- data/puppet/modules/memcached/manifests/params.pp +21 -0
- data/puppet/modules/memcached/templates/memcached.conf.erb +46 -0
- data/puppet/modules/memcached/templates/memcached_sysconfig.erb +5 -0
- data/puppet/modules/mysql/.fixtures.yml +3 -0
- data/puppet/modules/mysql/.gemfile +5 -0
- data/puppet/modules/mysql/LICENSE +201 -0
- data/puppet/modules/mysql/Modulefile +8 -0
- data/puppet/modules/mysql/README.md +124 -0
- data/puppet/modules/mysql/files/mysqltuner.pl +966 -0
- data/puppet/modules/mysql/lib/puppet/parser/functions/mysql_password.rb +15 -0
- data/puppet/modules/mysql/lib/puppet/provider/database/mysql.rb +42 -0
- data/puppet/modules/mysql/lib/puppet/provider/database_grant/mysql.rb +177 -0
- data/puppet/modules/mysql/lib/puppet/provider/database_user/mysql.rb +42 -0
- data/puppet/modules/mysql/lib/puppet/type/database.rb +17 -0
- data/puppet/modules/mysql/lib/puppet/type/database_grant.rb +75 -0
- data/puppet/modules/mysql/lib/puppet/type/database_user.rb +25 -0
- data/puppet/modules/mysql/manifests/backup.pp +68 -0
- data/puppet/modules/mysql/manifests/config.pp +122 -0
- data/puppet/modules/mysql/manifests/db.pp +77 -0
- data/puppet/modules/mysql/manifests/init.pp +24 -0
- data/puppet/modules/mysql/manifests/java.pp +24 -0
- data/puppet/modules/mysql/manifests/params.pp +91 -0
- data/puppet/modules/mysql/manifests/python.pp +26 -0
- data/puppet/modules/mysql/manifests/ruby.pp +28 -0
- data/puppet/modules/mysql/manifests/server/account_security.pp +13 -0
- data/puppet/modules/mysql/manifests/server/monitor.pp +19 -0
- data/puppet/modules/mysql/manifests/server/mysqltuner.pp +22 -0
- data/puppet/modules/mysql/manifests/server.pp +52 -0
- data/puppet/modules/mysql/templates/my.cnf.erb +42 -0
- data/puppet/modules/mysql/templates/my.cnf.pass.erb +6 -0
- data/puppet/modules/mysql/templates/mysqlbackup.sh.erb +23 -0
- data/puppet/modules/postgresql/GPL-3 +674 -0
- data/puppet/modules/postgresql/Modulefile +13 -0
- data/puppet/modules/postgresql/README.md +156 -0
- data/puppet/modules/postgresql/lib/puppet/provider/pg_database/debian_postgresql.rb +30 -0
- data/puppet/modules/postgresql/lib/puppet/provider/pg_database/default.rb +17 -0
- data/puppet/modules/postgresql/lib/puppet/provider/pg_user/debian_postgresql.rb +63 -0
- data/puppet/modules/postgresql/lib/puppet/provider/pg_user/default.rb +17 -0
- data/puppet/modules/postgresql/lib/puppet/type/pg_database.rb +29 -0
- data/puppet/modules/postgresql/lib/puppet/type/pg_user.rb +45 -0
- data/puppet/modules/postgresql/manifests/db.pp +20 -0
- data/puppet/modules/postgresql/manifests/init.pp +12 -0
- data/puppet/modules/postgresql/manifests/params.pp +15 -0
- data/puppet/modules/postgresql/manifests/server.pp +47 -0
- data/puppet/modules/postgresql/templates/pg_hba.conf.erb +105 -0
- data/puppet/modules/postgresql/templates/postgresql.conf.erb +559 -0
- data/puppet/modules/redis/CHANGELOG +41 -0
- data/puppet/modules/redis/Gemfile +7 -0
- data/puppet/modules/redis/Gemfile.lock +18 -0
- data/puppet/modules/redis/Modulefile +10 -0
- data/puppet/modules/redis/README.md +34 -0
- data/puppet/modules/redis/Rakefile +6 -0
- data/puppet/modules/redis/manifests/init.pp +153 -0
- data/puppet/modules/redis/manifests/params.pp +39 -0
- data/puppet/modules/redis/metadata.json +31 -0
- data/puppet/modules/redis/spec/spec_helper.rb +17 -0
- data/puppet/modules/redis/templates/redis.debian.conf.erb +217 -0
- data/puppet/modules/redis/templates/redis.logrotate.erb +9 -0
- data/puppet/modules/redis/templates/redis.rhel.conf.erb +547 -0
- data/puppet/modules/redis/tests/init.pp +8 -0
- data/puppet/upgrade-puppet.sh +16 -0
- data/safeguard-devise.gemspec +249 -0
- data/spec/controllers/safeguard_devise_controller_spec.rb +67 -0
- data/spec/devise/safeguard_authenticatable_spec.rb +71 -0
- data/spec/orm/active_record.rb +4 -0
- data/spec/routing/routes_spec.rb +13 -0
- data/spec/safeguard-devise-test-app/.gitignore +16 -0
- data/spec/safeguard-devise-test-app/Gemfile +14 -0
- data/spec/safeguard-devise-test-app/Gemfile.lock +119 -0
- data/spec/safeguard-devise-test-app/README.rdoc +28 -0
- data/spec/safeguard-devise-test-app/Rakefile +6 -0
- data/spec/safeguard-devise-test-app/app/assets/images/.keep +0 -0
- data/spec/safeguard-devise-test-app/app/assets/javascripts/application.js +13 -0
- data/spec/safeguard-devise-test-app/app/assets/stylesheets/application.css +13 -0
- data/spec/safeguard-devise-test-app/app/controllers/application_controller.rb +5 -0
- data/spec/safeguard-devise-test-app/app/controllers/concerns/.keep +0 -0
- data/spec/safeguard-devise-test-app/app/controllers/home_controller.rb +6 -0
- data/spec/safeguard-devise-test-app/app/helpers/application_helper.rb +2 -0
- data/spec/safeguard-devise-test-app/app/mailers/.keep +0 -0
- data/spec/safeguard-devise-test-app/app/models/.keep +0 -0
- data/spec/safeguard-devise-test-app/app/models/concerns/.keep +0 -0
- data/spec/safeguard-devise-test-app/app/models/user.rb +6 -0
- data/spec/safeguard-devise-test-app/app/views/devise/devise_safeguard/verify_safeguard.html.erb +9 -0
- data/spec/safeguard-devise-test-app/app/views/devise/devise_safeguard/verify_safeguard.html.haml +6 -0
- data/spec/safeguard-devise-test-app/app/views/home/index.html.erb +1 -0
- data/spec/safeguard-devise-test-app/app/views/layouts/application.html.erb +14 -0
- data/spec/safeguard-devise-test-app/bin/bundle +3 -0
- data/spec/safeguard-devise-test-app/bin/rails +4 -0
- data/spec/safeguard-devise-test-app/bin/rake +4 -0
- data/spec/safeguard-devise-test-app/config/application.rb +31 -0
- data/spec/safeguard-devise-test-app/config/boot.rb +4 -0
- data/spec/safeguard-devise-test-app/config/database.yml +25 -0
- data/spec/safeguard-devise-test-app/config/environment.rb +5 -0
- data/spec/safeguard-devise-test-app/config/environments/development.rb +29 -0
- data/spec/safeguard-devise-test-app/config/environments/production.rb +80 -0
- data/spec/safeguard-devise-test-app/config/environments/test.rb +36 -0
- data/spec/safeguard-devise-test-app/config/initializers/backtrace_silencers.rb +7 -0
- data/spec/safeguard-devise-test-app/config/initializers/devise.rb +259 -0
- data/spec/safeguard-devise-test-app/config/initializers/filter_parameter_logging.rb +4 -0
- data/spec/safeguard-devise-test-app/config/initializers/inflections.rb +16 -0
- data/spec/safeguard-devise-test-app/config/initializers/mime_types.rb +5 -0
- data/spec/safeguard-devise-test-app/config/initializers/secret_token.rb +12 -0
- data/spec/safeguard-devise-test-app/config/initializers/session_store.rb +3 -0
- data/spec/safeguard-devise-test-app/config/initializers/wrap_parameters.rb +14 -0
- data/spec/safeguard-devise-test-app/config/locales/devise.en.yml +59 -0
- data/spec/safeguard-devise-test-app/config/locales/devise.safeguard.pt-BR.yml +5 -0
- data/spec/safeguard-devise-test-app/config/locales/en.yml +23 -0
- data/spec/safeguard-devise-test-app/config/routes.rb +59 -0
- data/spec/safeguard-devise-test-app/config.ru +4 -0
- data/spec/safeguard-devise-test-app/db/migrate/20140220191103_create_users.rb +9 -0
- data/spec/safeguard-devise-test-app/db/migrate/20140220191247_add_devise_to_users.rb +49 -0
- data/spec/safeguard-devise-test-app/db/migrate/20140220191522_devise_safeguard_add_to_users.rb +15 -0
- data/spec/safeguard-devise-test-app/db/schema.rb +37 -0
- data/spec/safeguard-devise-test-app/db/seeds.rb +7 -0
- data/spec/safeguard-devise-test-app/lib/assets/.keep +0 -0
- data/spec/safeguard-devise-test-app/lib/tasks/.keep +0 -0
- data/spec/safeguard-devise-test-app/log/.keep +0 -0
- data/spec/safeguard-devise-test-app/public/404.html +58 -0
- data/spec/safeguard-devise-test-app/public/422.html +58 -0
- data/spec/safeguard-devise-test-app/public/500.html +57 -0
- data/spec/safeguard-devise-test-app/public/favicon.ico +0 -0
- data/spec/safeguard-devise-test-app/public/robots.txt +5 -0
- data/spec/safeguard-devise-test-app/test/controllers/.keep +0 -0
- data/spec/safeguard-devise-test-app/test/fixtures/.keep +0 -0
- data/spec/safeguard-devise-test-app/test/fixtures/users.yml +9 -0
- data/spec/safeguard-devise-test-app/test/helpers/.keep +0 -0
- data/spec/safeguard-devise-test-app/test/integration/.keep +0 -0
- data/spec/safeguard-devise-test-app/test/mailers/.keep +0 -0
- data/spec/safeguard-devise-test-app/test/models/.keep +0 -0
- data/spec/safeguard-devise-test-app/test/models/user_test.rb +7 -0
- data/spec/safeguard-devise-test-app/test/test_helper.rb +15 -0
- data/spec/safeguard-devise-test-app/vendor/assets/javascripts/.keep +0 -0
- data/spec/safeguard-devise-test-app/vendor/assets/stylesheets/.keep +0 -0
- data/spec/spec_helper.rb +31 -0
- data/spec/tests_helper/helpers.rb +34 -0
- metadata +381 -0
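--- a/data/puppet/modules/mysql/lib/puppet/parser/functions/mysql_password.rb
+++ b/data/puppet/modules/mysql/lib/puppet/parser/functions/mysql_password.rb
@@ -0,0 +1,15 @@
+# hash a string as mysql's "PASSWORD()" function would do it
+require 'digest/sha1'
+
+module Puppet::Parser::Functions
+newfunction(:mysql_password, :type => :rvalue, :doc => <<-EOS
+Returns the mysql password hash from the clear text password.
+EOS
+) do |args|
+
+raise(Puppet::ParseError, "mysql_password(): Wrong number of arguments " +
+"given (#{args.size} for 1)") if args.size != 1
+
+'*' + Digest::SHA1.hexdigest(Digest::SHA1.digest(args[0])).upcase
+end
+end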
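Review bot: `mysql_password` checks only the argument count, so a non-string argument (a Puppet number or undef) reaches `Digest::SHA1.digest(args[0])` and fails with a bare TypeError that does not name the function; add `raise(Puppet::ParseError, "mysql_password(): argument must be a string") unless args[0].is_a?(String)` before the digest. The heredoc should also say what is produced: `'*'` followed by the uppercase hex of SHA1(SHA1(password)), the mysql_native_password format that `IDENTIFIED BY PASSWORD` and `SET PASSWORD` expect. Since this is a deterministic, unsalted hash, the value ends up in compiled catalogs and reports and should be protected like the password itself; a sentence to that effect in the doc would help module users.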
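--- a/data/puppet/modules/mysql/lib/puppet/provider/database/mysql.rb
+++ b/data/puppet/modules/mysql/lib/puppet/provider/database/mysql.rb
@@ -0,0 +1,42 @@
+Puppet::Type.type(:database).provide(:mysql) do
+
+desc "Manages MySQL database."
+
+defaultfor :kernel => 'Linux'
+
+optional_commands :mysql => 'mysql'
+optional_commands :mysqladmin => 'mysqladmin'
+
+def self.instances
+mysql('-NBe', "show databases").split("\n").collect do |name|
+new(:name => name)
+end
+end
+
+def create
+mysql('-NBe', "create database `#{@resource[:name]}` character set #{resource[:charset]}")
+end
+
+def destroy
+mysqladmin('-f', 'drop', @resource[:name])
+end
+
+def charset
+mysql('-NBe', "show create database `#{resource[:name]}`").match(/.*?(\S+)\s\*\//)[1]
+end
+
+def charset=(value)
+mysql('-NBe', "alter database `#{resource[:name]}` CHARACTER SET #{value}")
+end
+
+def exists?
+begin
+mysql('-NBe', "show databases").match(/^#{@resource[:name]}$/)
+rescue => e
+debug(e.message)
+return nil
+end
+end
+
+end
+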
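Review bot: `exists?` interpolates the database name into a regex without escaping, so a name containing `.`, `+` or other metacharacters can match a different database in the `show databases` output and the resource is then never created; use `mysql('-NBe', "show databases").match(/^#{Regexp.escape(@resource[:name])}$/)`. The `rescue => e` in the same method turns any mysql client failure (wrong credentials, server down) into `nil`, which Puppet reads as "absent" and answers with a `create` on every run; re-raising as `Puppet::Error` with the message would surface the real problem. `create` and `charset=` splice `@resource[:name]` into backtick-quoted SQL and the `database` type does not validate the name, so a backtick in a manifest title breaks the statement; the provider `desc` should state that names are expected to be plain identifiers.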
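--- a/data/puppet/modules/mysql/lib/puppet/provider/database_grant/mysql.rb
+++ b/data/puppet/modules/mysql/lib/puppet/provider/database_grant/mysql.rb
@@ -0,0 +1,177 @@
+# A grant is either global or per-db. This can be distinguished by the syntax
+# of the name:
+# user@host => global
+# user@host/db => per-db
+
+Puppet::Type.type(:database_grant).provide(:mysql) do
+
+desc "Uses mysql as database."
+
+defaultfor :kernel => 'Linux'
+
+optional_commands :mysql => 'mysql'
+optional_commands :mysqladmin => 'mysqladmin'
+
+def self.prefetch(resources)
+@user_privs = query_user_privs
+@db_privs = query_db_privs
+end
+
+def self.user_privs
+@user_privs || query_user_privs
+end
+
+def self.db_privs
+@db_privs || query_db_privs
+end
+
+def user_privs
+self.class.user_privs
+end
+
+def db_privs
+self.class.db_privs
+end
+
+def self.query_user_privs
+results = mysql("mysql", "-Be", "describe user")
+column_names = results.split(/\n/).map { |l| l.chomp.split(/\t/)[0] }
+@user_privs = column_names.delete_if { |e| !( e =~/_priv$/) }
+end
+
+def self.query_db_privs
+results = mysql("mysql", "-Be", "describe db")
+column_names = results.split(/\n/).map { |l| l.chomp.split(/\t/)[0] }
+@db_privs = column_names.delete_if { |e| !(e =~/_priv$/) }
+end
+
+def mysql_flush
+mysqladmin "flush-privileges"
+end
+
+# this parses the
+def split_name(string)
+matches = /^([^@]*)@([^\/]*)(\/(.*))?$/.match(string).captures.compact
+case matches.length
+when 2
+{
+:type => :user,
+:user => matches[0],
+:host => matches[1]
+}
+when 4
+{
+:type => :db,
+:user => matches[0],
+:host => matches[1],
+:db => matches[3]
+}
+end
+end
+
+def create_row
+unless @resource.should(:privileges).empty?
+name = split_name(@resource[:name])
+case name[:type]
+when :user
+mysql "mysql", "-e", "INSERT INTO user (host, user) VALUES ('%s', '%s')" % [
+name[:host], name[:user],
+]
+when :db
+mysql "mysql", "-e", "INSERT INTO db (host, user, db) VALUES ('%s', '%s', '%s')" % [
+name[:host], name[:user], name[:db],
+]
+end
+mysql_flush
+end
+end
+
+def destroy
+mysql "mysql", "-e", "REVOKE ALL ON '%s'.* FROM '%s@%s'" % [ @resource[:privileges], @resource[:database], @resource[:name], @resource[:host] ]
+end
+
+def row_exists?
+name = split_name(@resource[:name])
+fields = [:user, :host]
+if name[:type] == :db
+fields << :db
+end
+not mysql( "mysql", "-NBe", 'SELECT "1" FROM %s WHERE %s' % [ name[:type], fields.map do |f| "%s = '%s'" % [f, name[f]] end.join(' AND ')]).empty?
+end
+
+def all_privs_set?
+all_privs = case split_name(@resource[:name])[:type]
+when :user
+user_privs
+when :db
+db_privs
+end
+all_privs = all_privs.collect do |p| p.downcase end.sort.join("|")
+privs = privileges.collect do |p| p.downcase end.sort.join("|")
+
+all_privs == privs
+end
+
+def privileges
+name = split_name(@resource[:name])
+privs = ""
+
+case name[:type]
+when :user
+privs = mysql "mysql", "-Be", 'select * from user where user="%s" and host="%s"' % [ name[:user], name[:host] ]
+when :db
+privs = mysql "mysql", "-Be", 'select * from db where user="%s" and host="%s" and db="%s"' % [ name[:user], name[:host], name[:db] ]
+end
+
+if privs.match(/^$/)
+privs = [] # no result, no privs
+else
+# returns a line with field names and a line with values, each tab-separated
+privs = privs.split(/\n/).map! do |l| l.chomp.split(/\t/) end
+# transpose the lines, so we have key/value pairs
+privs = privs[0].zip(privs[1])
+privs = privs.select do |p| p[0].match(/_priv$/) and p[1] == 'Y' end
+end
+
+privs.collect do |p| p[0] end
+end
+
+def privileges=(privs)
+unless row_exists?
+create_row
+end
+
+# puts "Setting privs: ", privs.join(", ")
+name = split_name(@resource[:name])
+stmt = ''
+where = ''
+all_privs = []
+case name[:type]
+when :user
+stmt = 'update user set '
+where = ' where user="%s" and host="%s"' % [ name[:user], name[:host] ]
+all_privs = user_privs
+when :db
+stmt = 'update db set '
+where = ' where user="%s" and host="%s" and db="%s"' % [ name[:user], name[:host], name[:db] ]
+all_privs = db_privs
+end
+
+if privs[0].downcase == 'all'
+privs = all_privs
+end
+
+# Downcase the requested priviliges for case-insensitive selection
+# we don't map! here because the all_privs object has to remain in
+# the same case the DB gave it to us in
+privs = privs.map { |p| p.downcase }
+
+# puts "stmt:", stmt
+set = all_privs.collect do |p| "%s = '%s'" % [p, privs.include?(p.downcase) ? 'Y' : 'N'] end.join(', ')
+# puts "set:", set
+stmt = stmt << set << where
+
+mysql "mysql", "-Be", stmt
+mysql_flush
+end
+end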
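Review bot: `create_row` answers a missing `user`-table row with `INSERT INTO user (host, user) VALUES (...)`, which creates a MySQL account with no password whenever a global grant is applied before its `database_user` exists or after that user was dropped; the `:user` branch should refuse, e.g. `raise Puppet::Error, "database_grant #{@resource[:name]}: user does not exist, declare a database_user for it"`, and leave row creation to the `:db` branch. Every statement here (`create_row`, `row_exists?`, `privileges`, `privileges=`) splices the user, host and db parts of the resource name into SQL via `%` with no escaping, so the name validation in the `database_user` type is the only thing keeping quote characters out of these statements; the provider `desc` should say that names must be plain identifiers. `destroy` formats `"REVOKE ALL ON '%s'.* FROM '%s@%s'"` from four values (the first being the privileges array) for three placeholders, and `@resource[:database]`/`@resource[:host]` are not parameters of the type, so the statement can never be right; since the type is not ensurable the method is unreachable and should be removed or rewritten. The comment above `split_name` is cut off at `# this parses the` and should describe the `user@host` / `user@host/db` forms it returns.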
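--- a/data/puppet/modules/mysql/lib/puppet/provider/database_user/mysql.rb
+++ b/data/puppet/modules/mysql/lib/puppet/provider/database_user/mysql.rb
@@ -0,0 +1,42 @@
+Puppet::Type.type(:database_user).provide(:mysql) do
+
+desc "manage users for a mysql database."
+
+defaultfor :kernel => 'Linux'
+
+optional_commands :mysql => 'mysql'
+optional_commands :mysqladmin => 'mysqladmin'
+
+def self.instances
+users = mysql("mysql", '-BNe' "select concat(User, '@',Host) as User from mysql.user").split("\n")
+users.select{ |user| user =~ /.+@/ }.collect do |name|
+new(:name => name)
+end
+end
+
+def create
+mysql("mysql", "-e", "create user '%s' identified by PASSWORD '%s'" % [ @resource[:name].sub("@", "'@'"), @resource.value(:password_hash) ])
+end
+
+def destroy
+mysql("mysql", "-e", "drop user '%s'" % @resource.value(:name).sub("@", "'@'") )
+end
+
+def password_hash
+mysql("mysql", "-NBe", "select password from user where CONCAT(user, '@', host) = '%s'" % @resource.value(:name)).chomp
+end
+
+def password_hash=(string)
+mysql("mysql", "-e", "SET PASSWORD FOR '%s' = '%s'" % [ @resource[:name].sub("@", "'@'"), string ] )
+end
+
+def exists?
+not mysql("mysql", "-NBe", "select '1' from user where CONCAT(user, '@', host) = '%s'" % @resource.value(:name)).empty?
+end
+
+def flush
+@property_hash.clear
+mysqladmin "flush-privileges"
+end
+
+end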
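Review bot: `self.instances` is missing the comma between `'-BNe'` and the query string, so Ruby joins the two adjacent literals into a single argument `-BNeselect concat(...)`; it only works because the mysql client accepts the query glued onto `-e`, and should read `mysql("mysql", '-BNe', "select concat(User, '@',Host) as User from mysql.user")`. `create`, `password_hash=` and `exists?` put the account name and the password hash on the mysql command line via `-e`, so they are readable in the process list by any local user while the command runs and, because Puppet's execution helper logs command lines at debug level, can land in agent logs; the provider `desc` should state this. The `.sub("@", "'@'")` quoting in `create`, `destroy` and `password_hash=` only produces a well-formed statement if the name contains no quote characters, which the unanchored validation regex in the `database_user` type does not guarantee.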
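--- a/data/puppet/modules/mysql/lib/puppet/type/database.rb
+++ b/data/puppet/modules/mysql/lib/puppet/type/database.rb
@@ -0,0 +1,17 @@
+# This has to be a separate type to enable collecting
+Puppet::Type.newtype(:database) do
+@doc = "Manage databases."
+
+ensurable
+
+newparam(:name, :namevar=>true) do
+desc "The name of the database."
+end
+
+newproperty(:charset) do
+desc "The characterset to use for a database"
+defaultto :utf8
+newvalue(/^\S+$/)
+end
+
+end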
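Review bot: `newvalue(/^\S+$/)` on the `charset` property uses line anchors, so a value with an embedded newline is accepted as long as one line is non-blank; use string anchors, `newvalue(/\A\S+\z/)`. The `name` parameter has no validation while the mysql provider interpolates it into backtick-quoted `create database` and `alter database` statements and into a regex in `exists?`, so a `validate` block that rejects whitespace and backticks in the name would make the provider's quoting sound. The `desc` for `charset` should also mention the `utf8` default and that only a single token is accepted.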
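--- a/data/puppet/modules/mysql/lib/puppet/type/database_grant.rb
+++ b/data/puppet/modules/mysql/lib/puppet/type/database_grant.rb
@@ -0,0 +1,75 @@
+# This has to be a separate type to enable collecting
+Puppet::Type.newtype(:database_grant) do
+@doc = "Manage a database user's rights."
+#ensurable
+
+autorequire :database do
+# puts "Starting db autoreq for %s" % self[:name]
+reqs = []
+matches = self[:name].match(/^([^@]+)@([^\/]+)\/(.+)$/)
+unless matches.nil?
+reqs << matches[3]
+end
+# puts "Autoreq: '%s'" % reqs.join(" ")
+reqs
+end
+
+autorequire :database_user do
+# puts "Starting user autoreq for %s" % self[:name]
+reqs = []
+matches = self[:name].match(/^([^@]+)@([^\/]+).*$/)
+unless matches.nil?
+reqs << "%s@%s" % [ matches[1], matches[2] ]
+end
+# puts "Autoreq: '%s'" % reqs.join(" ")
+reqs
+end
+
+newparam(:name, :namevar=>true) do
+desc "The primary key: either user@host for global privilges or user@host/database for database specific privileges"
+end
+
+newproperty(:privileges, :array_matching => :all) do
+desc "The privileges the user should have. The possible values are implementation dependent."
+
+def should_to_s(newvalue = @should)
+if newvalue
+unless newvalue.is_a?(Array)
+newvalue = [ newvalue ]
+end
+newvalue.collect do |v| v.downcase end.sort.join ", "
+else
+nil
+end
+end
+
+def is_to_s(currentvalue = @is)
+if currentvalue
+unless currentvalue.is_a?(Array)
+currentvalue = [ currentvalue ]
+end
+currentvalue.collect do |v| v.downcase end.sort.join ", "
+else
+nil
+end
+end
+
+# use the sorted outputs for comparison
+def insync?(is)
+if defined? @should and @should
+case self.should_to_s
+when "all"
+self.provider.all_privs_set?
+when self.is_to_s(is)
+true
+else
+false
+end
+else
+true
+end
+end
+end
+
+end
+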
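Review bot: Neither `@doc` nor the `:privileges` `desc` says that this type is not ensurable (`#ensurable` is commented out on line 4), so removing a `database_grant` from a manifest leaves the privileges in place on the server; that, and the special value `all` (matched case-insensitively in `insync?`), belong in the documentation, e.g. `@doc = "Manage a database user's rights. Not ensurable: removing the resource revokes nothing. Pass ['all'] to request every privilege the provider knows."`. The `desc` on line 29 misspells `privilges`. The commented-out `puts` debugging lines in both `autorequire` blocks should be dropped rather than shipped.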
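--- a/data/puppet/modules/mysql/lib/puppet/type/database_user.rb
+++ b/data/puppet/modules/mysql/lib/puppet/type/database_user.rb
@@ -0,0 +1,25 @@
+# This has to be a separate type to enable collecting
+Puppet::Type.newtype(:database_user) do
+@doc = "Manage a database user. This includes management of users password as well as priveleges"
+
+ensurable
+
+newparam(:name, :namevar=>true) do
+desc "The name of the user. This uses the 'username@hostname' or username@hostname."
+validate do |value|
+# https://dev.mysql.com/doc/refman/5.1/en/account-names.html
+# Regex should problably be more like this: /^[`'"]?[^`'"]*[`'"]?@[`'"]?[\w%\.]+[`'"]?$/
+raise(ArgumentError, "Invalid database user #{value}") unless value =~ /[\w-]*@[\w%\.]+/
+username = value.split('@')[0]
+if username.size > 16
+raise ArgumentError, "MySQL usernames are limited to a maximum of 16 characters"
+end
+end
+end
+
+newproperty(:password_hash) do
+desc "The password hash of the user. Use mysql_password() for creating such a hash."
+newvalue(/\w+/)
+end
+
+end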
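Review bot: The `validate` regex `/[\w-]*@[\w%\.]+/` on line 12 is unanchored, so it only requires that an `@host` substring appear somewhere; the user part can be empty or contain quotes, spaces and semicolons, which the mysql provider then splices into `create user '...'` and `drop user '...'` statements unescaped. Anchor it, `raise(ArgumentError, "Invalid database user #{value}") unless value =~ /\A[\w-]+@[\w%\.]+\z/`, and keep the existing comment about the quoted forms the MySQL docs allow as the reason for the restriction. `newvalue(/\w+/)` on `password_hash` has the same weakness; if only `mysql_password()` output is expected, `newvalue(/\A\*[0-9A-F]{40}\z/)` pins that format. The 16-character limit on line 14 comes from the linked 5.1 documentation and later server versions raised it, so the error message should say which version the limit is taken from.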
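--- a/data/puppet/modules/mysql/manifests/backup.pp
+++ b/data/puppet/modules/mysql/manifests/backup.pp
@@ -0,0 +1,68 @@
+# Class: mysql::backup
+#
+# This module handles ...
+#
+# Parameters:
+# [*backupuser*] - The name of the mysql backup user.
+# [*backuppassword*] - The password of the mysql backup user.
+# [*backupdir*] - The target directory of the mysqldump.
+#
+# Actions:
+# GRANT SELECT, RELOAD, LOCK TABLES ON *.* TO 'user'@'localhost'
+# IDENTIFIED BY 'password';
+#
+# Requires:
+# Class['mysql::config']
+#
+# Sample Usage:
+# class { 'mysql::backup':
+# backupuser => 'myuser',
+# backuppassword => 'mypassword',
+# backupdir => '/tmp/backups',
+# }
+#
+class mysql::backup (
+$backupuser,
+$backuppassword,
+$backupdir,
+$ensure = 'present'
+) {
+
+database_user { "${backupuser}@localhost":
+ensure => $ensure,
+password_hash => mysql_password($backuppassword),
+provider => 'mysql',
+require => Class['mysql::config'],
+}
+
+database_grant { "${backupuser}@localhost":
+privileges => [ 'Select_priv', 'Reload_priv', 'Lock_tables_priv' ],
+require => Database_user["${backupuser}@localhost"],
+}
+
+cron { 'mysql-backup':
+ensure => $ensure,
+command => '/usr/local/sbin/mysqlbackup.sh',
+user => 'root',
+hour => 23,
+minute => 5,
+require => File['mysqlbackup.sh'],
+}
+
+file { 'mysqlbackup.sh':
+ensure => $ensure,
+path => '/usr/local/sbin/mysqlbackup.sh',
+mode => '0700',
+owner => 'root',
+group => 'root',
+content => template('mysql/mysqlbackup.sh.erb'),
+}
+
+file { 'mysqlbackupdir':
+ensure => 'directory',
+path => $backupdir,
+mode => '0700',
+owner => 'root',
+group => 'root',
+}
+}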
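Review bot: `database_grant { "${backupuser}@localhost": }` carries no `ensure` (the type is not ensurable) and is applied even when `$ensure` is `'absent'`; once the `database_user` has been dropped, the grant provider added in this commit finds no row, reports an empty privilege list, and `privileges=` falls through `row_exists?` to `create_row`, which inserts a fresh `user` row for the backup account with no password. Guard the grant with the same switch as the other resources, `if $ensure == 'present' { database_grant { ... } }`, or `fail()` early for `absent`. `file { 'mysqlbackupdir': }` ignores `$ensure` and keeps the dump directory on removal, which is reasonable but should be stated in the header. `$backuppassword` is consumed by `mysql_password()` here and presumably by `mysqlbackup.sh.erb` (not in this hunk), so the `0700` root-only mode on the script is what protects the clear-text credential; a comment on that `file` resource saying so would stop a later maintainer from relaxing it.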
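--- a/data/puppet/modules/mysql/manifests/config.pp
+++ b/data/puppet/modules/mysql/manifests/config.pp
@@ -0,0 +1,122 @@
+# Class: mysql::config
+#
+# Parameters:
+#
+# [*root_password*] - root user password.
+# [*old_root_password*] - previous root user password,
+# [*bind_address*] - address to bind service.
+# [*port*] - port to bind service.
+# [*etc_root_password*] - whether to save /etc/.my.cnf.
+# [*service_name*] - mysql service name.
+# [*config_file*] - my.cnf configuration file path.
+# [*socket*] - mysql socket.
+# [*datadir*] - path to datadir.
+# [*ssl] - enable ssl
+# [*ssl_ca] - path to ssl-ca
+# [*ssl_cert] - path to ssl-cert
+# [*ssl_key] - path to ssl-key
+#
+# Actions:
+#
+# Requires:
+#
+# class mysql::server
+#
+# Usage:
+#
+# class { 'mysql::config':
+# root_password => 'changeme',
+# bind_address => $::ipaddress,
+# }
+#
+class mysql::config(
+$root_password = 'UNSET',
+$old_root_password = '',
+$bind_address = $mysql::params::bind_address,
+$port = $mysql::params::port,
+$etc_root_password = $mysql::params::etc_root_password,
+$service_name = $mysql::params::service_name,
+$config_file = $mysql::params::config_file,
+$socket = $mysql::params::socket,
+$datadir = $mysql::params::datadir,
+$ssl = $mysql::params::ssl,
+$ssl_ca = $mysql::params::ssl_ca,
+$ssl_cert = $mysql::params::ssl_cert,
+$ssl_key = $mysql::params::ssl_key,
+$log_error = $mysql::params::log_error,
+$default_engine = 'UNSET',
+$root_group = $mysql::params::root_group
+) inherits mysql::params {
+
+File {
+owner => 'root',
+group => $root_group,
+mode => '0400',
+notify => Exec['mysqld-restart'],
+}
+
+if $ssl and $ssl_ca == undef {
+fail('The ssl_ca parameter is required when ssl is true')
+}
+
+if $ssl and $ssl_cert == undef {
+fail('The ssl_cert parameter is required when ssl is true')
+}
+
+if $ssl and $ssl_key == undef {
+fail('The ssl_key parameter is required when ssl is true')
+}
+
+# This kind of sucks, that I have to specify a difference resource for
+# restart. the reason is that I need the service to be started before mods
+# to the config file which can cause a refresh
+exec { 'mysqld-restart':
+command => "service ${service_name} restart",
+logoutput => on_failure,
+refreshonly => true,
+path => '/sbin/:/usr/sbin/:/usr/bin/:/bin/',
+}
+
+# manage root password if it is set
+if $root_password != 'UNSET' {
+case $old_root_password {
+'': { $old_pw='' }
+default: { $old_pw="-p'${old_root_password}'" }
+}
+
+exec { 'set_mysql_rootpw':
+command => "mysqladmin -u root ${old_pw} password '${root_password}'",
+logoutput => true,
+unless => "mysqladmin -u root -p'${root_password}' status > /dev/null",
+path => '/usr/local/sbin:/usr/bin:/usr/local/bin',
+notify => Exec['mysqld-restart'],
+require => File['/etc/mysql/conf.d'],
+}
+
+file { '/root/.my.cnf':
+content => template('mysql/my.cnf.pass.erb'),
+require => Exec['set_mysql_rootpw'],
+}
+
+if $etc_root_password {
+file{ '/etc/my.cnf':
+content => template('mysql/my.cnf.pass.erb'),
+require => Exec['set_mysql_rootpw'],
+}
+}
+}
+
+file { '/etc/mysql':
+ensure => directory,
+mode => '0755',
+}
+file { '/etc/mysql/conf.d':
+ensure => directory,
+mode => '0755',
+}
+file { $config_file:
+content => template('mysql/my.cnf.erb'),
+mode => '0644',
+}
+
+}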
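Review bot: `exec { 'set_mysql_rootpw': }` passes the old and new root passwords on the `mysqladmin` command line in both `command` and `unless`, so they are readable in the process list by every local user while the commands run and, because Puppet's execution helper logs command lines at debug level, can end up in agent logs. Because `command` needs the old password and `unless` the new one while both share a single `environment`, this is not a one-line fix: the old password could move out of the argument vector with `environment => "MYSQL_PWD=${old_root_password}"`, and the `unless` check could read credentials from the `/root/.my.cnf` this class already writes if that file were managed before the exec rather than after it; the new password handed to `mysqladmin password` stays on the command line unless a wrapper reads it from stdin, which the class header should at least state. Separately, the `File` default `notify => Exec['mysqld-restart']` also applies to the `/etc/mysql` and `/etc/mysql/conf.d` directories (they override only `mode`), so a permission change on either directory restarts the server; harmless, but worth a comment next to the defaults block.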
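--- a/data/puppet/modules/mysql/manifests/db.pp
+++ b/data/puppet/modules/mysql/manifests/db.pp
@@ -0,0 +1,77 @@
+# Define: mysql::db
+#
+# This module creates database instances, a user, and grants that user
+# privileges to the database. It can also import SQL from a file in order to,
+# for example, initialize a database schema.
+#
+# Since it requires class mysql::server, we assume to run all commands as the
+# root mysql user against the local mysql server.
+#
+# Parameters:
+# [*title*] - mysql database name.
+# [*user*] - username to create and grant access.
+# [*password*] - user's password.
+# [*charset*] - database charset.
+# [*host*] - host for assigning privileges to user.
+# [*grant*] - array of privileges to grant user.
+# [*enforce_sql*] - whether to enforce or conditionally run sql on creation.
+# [*sql*] - sql statement to run.
+#
+# Actions:
+#
+# Requires:
+#
+# class mysql::server
+#
+# Sample Usage:
+#
+# mysql::db { 'mydb':
+# user => 'my_user',
+# password => 'password',
+# host => $::hostname,
+# grant => ['all']
+# }
+#
+define mysql::db (
+$user,
+$password,
+$charset = 'utf8',
+$host = 'localhost',
+$grant = 'all',
+$sql = '',
+$enforce_sql = false
+) {
+
+database { $name:
+ensure => present,
+charset => $charset,
+provider => 'mysql',
+require => Class['mysql::server'],
+}
+
+database_user { "${user}@${host}":
+ensure => present,
+password_hash => mysql_password($password),
+provider => 'mysql',
+require => Database[$name],
+}
+
+database_grant { "${user}@${host}/${name}":
+privileges => $grant,
+provider => 'mysql',
+require => Database_user["${user}@${host}"],
+}
+
+$refresh = ! $enforce_sql
+
+if $sql {
+exec{ "${name}-import":
+command => "/usr/bin/mysql ${name} < ${sql}",
+logoutput => true,
+refreshonly => $refresh,
+require => Database_grant["${user}@${host}/${name}"],
+subscribe => Database[$name],
+}
+}
+
+}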
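Review bot: The `${name}-import` exec runs `/usr/bin/mysql ${name} < ${sql}` as a shell command line with both values unquoted, so a database title or a `$sql` path containing whitespace or shell metacharacters alters the command instead of being passed through; quote them with the core `shellquote` function, `$db_q = shellquote($name)`, `$sql_q = shellquote($sql)`, `command => "/usr/bin/mysql ${db_q} < ${sql_q}"`. `$sql` is documented as `sql statement to run` but is used as a file path redirected into the client, and the header should say so. The default `$grant = 'all'` gives the created user every privilege on the database; the parameter comment should call that out so callers pass a narrower list when one suffices.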
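--- a/data/puppet/modules/mysql/manifests/init.pp
+++ b/data/puppet/modules/mysql/manifests/init.pp
@@ -0,0 +1,24 @@
+# Class: mysql
+#
+# This class installs mysql client software.
+#
+# Parameters:
+# [*client_package_name*] - The name of the mysql client package.
+#
+# Actions:
+#
+# Requires:
+#
+# Sample Usage:
+#
+class mysql (
+$package_name = $mysql::params::client_package_name,
+$package_ensure = 'present'
+) inherits mysql::params {
+
+package { 'mysql_client':
+name => $package_name,
+ensure => $package_ensure,
+}
+
+}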
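Review bot: The header documents `[*client_package_name*]` but the parameter is `$package_name`, and `$package_ensure` is not documented at all; change the line to `# [*package_name*] - The name of the mysql client package.` and add `# [*package_ensure*] - Ensure value passed to the package resource (default 'present').`. Style: `ensure` is conventionally the first attribute in a resource body, which puppet-lint flags for the `package { 'mysql_client': }` ordering here.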