safeguard-devise 0.0.2

data/puppet/modules/mysql/lib/puppet/parser/functions/mysql_password.rb

@@ -0,0 +1,15 @@
+# hash a string as mysql's "PASSWORD()" function would do it
+require 'digest/sha1'
+
+module Puppet::Parser::Functions
+  newfunction(:mysql_password, :type => :rvalue, :doc => <<-EOS
+    Returns the mysql password hash from the clear text password.
+    EOS
+  ) do |args|
+
+    raise(Puppet::ParseError, "mysql_password(): Wrong number of arguments " +
+      "given (#{args.size} for 1)") if args.size != 1
+
+    '*' + Digest::SHA1.hexdigest(Digest::SHA1.digest(args[0])).upcase
+  end
+end

data/puppet/modules/mysql/lib/puppet/provider/database/mysql.rb

@@ -0,0 +1,42 @@
+Puppet::Type.type(:database).provide(:mysql) do
+
+  desc "Manages MySQL database."
+
+  defaultfor :kernel => 'Linux'
+
+  optional_commands :mysql      => 'mysql'
+  optional_commands :mysqladmin => 'mysqladmin'
+
+  def self.instances
+    mysql('-NBe', "show databases").split("\n").collect do |name|
+      new(:name => name)
+    end
+  end
+
+  def create
+    mysql('-NBe', "create database `#{@resource[:name]}` character set #{resource[:charset]}")
+  end
+
+  def destroy
+    mysqladmin('-f', 'drop', @resource[:name])
+  end
+
+  def charset
+    mysql('-NBe', "show create database `#{resource[:name]}`").match(/.*?(\S+)\s\*\//)[1]
+  end
+
+  def charset=(value)
+    mysql('-NBe', "alter database `#{resource[:name]}` CHARACTER SET #{value}")
+  end
+
+  def exists?
+    begin
+      mysql('-NBe', "show databases").match(/^#{@resource[:name]}$/)
+    rescue => e
+      debug(e.message)
+      return nil
+    end
+  end
+
+end
+

data/puppet/modules/mysql/lib/puppet/provider/database_grant/mysql.rb

@@ -0,0 +1,177 @@
+# A grant is either global or per-db. This can be distinguished by the syntax
+# of the name:
+#   user@host => global
+#   user@host/db => per-db
+
+Puppet::Type.type(:database_grant).provide(:mysql) do
+
+  desc "Uses mysql as database."
+
+  defaultfor :kernel => 'Linux'
+
+  optional_commands :mysql      => 'mysql'
+  optional_commands :mysqladmin => 'mysqladmin'
+
+  def self.prefetch(resources)
+    @user_privs = query_user_privs
+    @db_privs = query_db_privs
+  end
+
+  def self.user_privs
+    @user_privs || query_user_privs
+  end
+
+  def self.db_privs
+    @db_privs || query_db_privs
+  end
+
+  def user_privs
+    self.class.user_privs
+  end
+
+  def db_privs
+    self.class.db_privs
+  end
+
+  def self.query_user_privs
+    results = mysql("mysql", "-Be", "describe user")
+    column_names = results.split(/\n/).map { |l| l.chomp.split(/\t/)[0] }
+    @user_privs = column_names.delete_if { |e| !( e =~/_priv$/) }
+  end
+
+  def self.query_db_privs
+    results = mysql("mysql", "-Be", "describe db")
+    column_names = results.split(/\n/).map { |l| l.chomp.split(/\t/)[0] }
+    @db_privs = column_names.delete_if { |e| !(e =~/_priv$/) }
+  end
+
+  def mysql_flush
+    mysqladmin "flush-privileges"
+  end
+
+  # this parses the
+  def split_name(string)
+    matches = /^([^@]*)@([^\/]*)(\/(.*))?$/.match(string).captures.compact
+    case matches.length
+    when 2
+      {
+        :type => :user,
+        :user => matches[0],
+        :host => matches[1]
+      }
+    when 4
+      {
+        :type => :db,
+        :user => matches[0],
+        :host => matches[1],
+        :db => matches[3]
+      }
+    end
+  end
+
+  def create_row
+    unless @resource.should(:privileges).empty?
+      name = split_name(@resource[:name])
+      case name[:type]
+      when :user
+        mysql "mysql", "-e", "INSERT INTO user (host, user) VALUES ('%s', '%s')" % [
+          name[:host], name[:user],
+        ]
+      when :db
+        mysql "mysql", "-e", "INSERT INTO db (host, user, db) VALUES ('%s', '%s', '%s')" % [
+          name[:host], name[:user], name[:db],
+        ]
+      end
+      mysql_flush
+    end
+  end
+
+  def destroy
+    mysql "mysql", "-e", "REVOKE ALL ON '%s'.* FROM '%s@%s'" % [ @resource[:privileges], @resource[:database], @resource[:name], @resource[:host] ]
+  end
+
+  def row_exists?
+    name = split_name(@resource[:name])
+    fields = [:user, :host]
+    if name[:type] == :db
+      fields << :db
+    end
+    not mysql( "mysql", "-NBe", 'SELECT "1" FROM %s WHERE %s' % [ name[:type], fields.map do |f| "%s = '%s'" % [f, name[f]] end.join(' AND ')]).empty?
+  end
+
+  def all_privs_set?
+    all_privs = case split_name(@resource[:name])[:type]
+                when :user
+                  user_privs
+                when :db
+                  db_privs
+                end
+    all_privs = all_privs.collect do |p| p.downcase end.sort.join("|")
+    privs = privileges.collect do |p| p.downcase end.sort.join("|")
+
+    all_privs == privs
+  end
+
+  def privileges
+    name = split_name(@resource[:name])
+    privs = ""
+
+    case name[:type]
+    when :user
+      privs = mysql "mysql", "-Be", 'select * from user where user="%s" and host="%s"' % [ name[:user], name[:host] ]
+    when :db
+      privs = mysql "mysql", "-Be", 'select * from db where user="%s" and host="%s" and db="%s"' % [ name[:user], name[:host], name[:db] ]
+    end
+
+    if privs.match(/^$/)
+      privs = [] # no result, no privs
+    else
+      # returns a line with field names and a line with values, each tab-separated
+      privs = privs.split(/\n/).map! do |l| l.chomp.split(/\t/) end
+      # transpose the lines, so we have key/value pairs
+      privs = privs[0].zip(privs[1])
+      privs = privs.select do |p| p[0].match(/_priv$/) and p[1] == 'Y' end
+    end
+
+    privs.collect do |p| p[0] end
+  end
+
+  def privileges=(privs)
+    unless row_exists?
+      create_row
+    end
+
+    # puts "Setting privs: ", privs.join(", ")
+    name = split_name(@resource[:name])
+    stmt = ''
+    where = ''
+    all_privs = []
+    case name[:type]
+    when :user
+      stmt = 'update user set '
+      where = ' where user="%s" and host="%s"' % [ name[:user], name[:host] ]
+      all_privs = user_privs
+    when :db
+      stmt = 'update db set '
+      where = ' where user="%s" and host="%s" and db="%s"' % [ name[:user], name[:host], name[:db] ]
+      all_privs = db_privs
+    end
+
+    if privs[0].downcase == 'all'
+      privs = all_privs
+    end
+
+    # Downcase the requested priviliges for case-insensitive selection
+    # we don't map! here because the all_privs object has to remain in
+    # the same case the DB gave it to us in
+    privs = privs.map { |p| p.downcase }
+
+    # puts "stmt:", stmt
+    set = all_privs.collect do |p| "%s = '%s'" % [p, privs.include?(p.downcase) ? 'Y' : 'N'] end.join(', ')
+    # puts "set:", set
+    stmt = stmt << set << where
+
+    mysql "mysql", "-Be", stmt
+    mysql_flush
+  end
+end

data/puppet/modules/mysql/lib/puppet/provider/database_user/mysql.rb

@@ -0,0 +1,42 @@
+Puppet::Type.type(:database_user).provide(:mysql) do
+
+  desc "manage users for a mysql database."
+
+  defaultfor :kernel => 'Linux'
+
+  optional_commands :mysql      => 'mysql'
+  optional_commands :mysqladmin => 'mysqladmin'
+
+  def self.instances
+    users = mysql("mysql", '-BNe' "select concat(User, '@',Host) as User from mysql.user").split("\n")
+    users.select{ |user| user =~ /.+@/ }.collect do |name|
+      new(:name => name)
+    end
+  end
+
+  def create
+    mysql("mysql", "-e", "create user '%s' identified by PASSWORD '%s'" % [ @resource[:name].sub("@", "'@'"), @resource.value(:password_hash) ])
+  end
+
+  def destroy
+    mysql("mysql", "-e", "drop user '%s'" % @resource.value(:name).sub("@", "'@'") )
+  end
+
+  def password_hash
+    mysql("mysql", "-NBe", "select password from user where CONCAT(user, '@', host) = '%s'" % @resource.value(:name)).chomp
+  end
+
+  def password_hash=(string)
+    mysql("mysql", "-e", "SET PASSWORD FOR '%s' = '%s'" % [ @resource[:name].sub("@", "'@'"), string ] )
+  end
+
+  def exists?
+    not mysql("mysql", "-NBe", "select '1' from user where CONCAT(user, '@', host) = '%s'" % @resource.value(:name)).empty?
+  end
+
+  def flush
+    @property_hash.clear
+    mysqladmin "flush-privileges"
+  end
+
+end

data/puppet/modules/mysql/lib/puppet/type/database.rb

@@ -0,0 +1,17 @@
+# This has to be a separate type to enable collecting
+Puppet::Type.newtype(:database) do
+  @doc = "Manage databases."
+
+  ensurable
+
+  newparam(:name, :namevar=>true) do
+    desc "The name of the database."
+  end
+
+  newproperty(:charset) do
+    desc "The characterset to use for a database"
+    defaultto :utf8
+    newvalue(/^\S+$/)
+  end
+
+end

data/puppet/modules/mysql/lib/puppet/type/database_grant.rb

@@ -0,0 +1,75 @@
+# This has to be a separate type to enable collecting
+Puppet::Type.newtype(:database_grant) do
+  @doc = "Manage a database user's rights."
+  #ensurable
+
+  autorequire :database do
+    # puts "Starting db autoreq for %s" % self[:name]
+    reqs = []
+    matches = self[:name].match(/^([^@]+)@([^\/]+)\/(.+)$/)
+    unless matches.nil?
+      reqs << matches[3]
+    end
+    # puts "Autoreq: '%s'" % reqs.join(" ")
+    reqs
+  end
+
+  autorequire :database_user do
+    # puts "Starting user autoreq for %s" % self[:name]
+    reqs = []
+    matches = self[:name].match(/^([^@]+)@([^\/]+).*$/)
+    unless matches.nil?
+      reqs << "%s@%s" % [ matches[1], matches[2] ]
+    end
+    # puts "Autoreq: '%s'" % reqs.join(" ")
+    reqs
+  end
+
+  newparam(:name, :namevar=>true) do
+    desc "The primary key: either user@host for global privilges or user@host/database for database specific privileges"
+  end
+
+  newproperty(:privileges, :array_matching => :all) do
+    desc "The privileges the user should have. The possible values are implementation dependent."
+
+    def should_to_s(newvalue = @should)
+      if newvalue
+        unless newvalue.is_a?(Array)
+          newvalue = [ newvalue ]
+        end
+        newvalue.collect do |v| v.downcase end.sort.join ", "
+      else
+        nil
+      end
+    end
+
+    def is_to_s(currentvalue = @is)
+      if currentvalue
+        unless currentvalue.is_a?(Array)
+          currentvalue = [ currentvalue ]
+        end
+        currentvalue.collect do |v| v.downcase end.sort.join ", "
+      else
+        nil
+      end
+    end
+
+    # use the sorted outputs for comparison
+    def insync?(is)
+      if defined? @should and @should
+        case self.should_to_s
+        when "all"
+          self.provider.all_privs_set?
+        when self.is_to_s(is)
+          true
+        else
+          false
+        end
+      else
+        true
+      end
+    end
+  end
+
+end
+

data/puppet/modules/mysql/lib/puppet/type/database_user.rb

@@ -0,0 +1,25 @@
+# This has to be a separate type to enable collecting
+Puppet::Type.newtype(:database_user) do
+  @doc = "Manage a database user. This includes management of users password as well as priveleges"
+
+  ensurable
+
+  newparam(:name, :namevar=>true) do
+    desc "The name of the user. This uses the 'username@hostname' or username@hostname."
+    validate do |value|
+      # https://dev.mysql.com/doc/refman/5.1/en/account-names.html
+      # Regex should problably be more like this: /^[`'"]?[^`'"]*[`'"]?@[`'"]?[\w%\.]+[`'"]?$/
+      raise(ArgumentError, "Invalid database user #{value}") unless value =~ /[\w-]*@[\w%\.]+/
+      username = value.split('@')[0]
+      if username.size > 16
+        raise ArgumentError, "MySQL usernames are limited to a maximum of 16 characters"
+      end
+    end
+  end
+
+  newproperty(:password_hash) do
+    desc "The password hash of the user. Use mysql_password() for creating such a hash."
+    newvalue(/\w+/)
+  end
+
+end

data/puppet/modules/mysql/manifests/backup.pp

@@ -0,0 +1,68 @@
+# Class: mysql::backup
+#
+# This module handles ...
+#
+# Parameters:
+#   [*backupuser*]     - The name of the mysql backup user.
+#   [*backuppassword*] - The password of the mysql backup user.
+#   [*backupdir*]      - The target directory of the mysqldump.
+#
+# Actions:
+#   GRANT SELECT, RELOAD, LOCK TABLES ON *.* TO 'user'@'localhost'
+#    IDENTIFIED BY 'password';
+#
+# Requires:
+#   Class['mysql::config']
+#
+# Sample Usage:
+#   class { 'mysql::backup':
+#     backupuser     => 'myuser',
+#     backuppassword => 'mypassword',
+#     backupdir      => '/tmp/backups',
+#   }
+#
+class mysql::backup (
+  $backupuser,
+  $backuppassword,
+  $backupdir,
+  $ensure = 'present'
+) {
+
+  database_user { "${backupuser}@localhost":
+    ensure        => $ensure,
+    password_hash => mysql_password($backuppassword),
+    provider      => 'mysql',
+    require       => Class['mysql::config'],
+  }
+
+  database_grant { "${backupuser}@localhost":
+    privileges => [ 'Select_priv', 'Reload_priv', 'Lock_tables_priv' ],
+    require    => Database_user["${backupuser}@localhost"],
+  }
+
+  cron { 'mysql-backup':
+    ensure  => $ensure,
+    command => '/usr/local/sbin/mysqlbackup.sh',
+    user    => 'root',
+    hour    => 23,
+    minute  => 5,
+    require => File['mysqlbackup.sh'],
+  }
+
+  file { 'mysqlbackup.sh':
+    ensure  => $ensure,
+    path    => '/usr/local/sbin/mysqlbackup.sh',
+    mode    => '0700',
+    owner   => 'root',
+    group   => 'root',
+    content => template('mysql/mysqlbackup.sh.erb'),
+  }
+
+  file { 'mysqlbackupdir':
+    ensure => 'directory',
+    path   => $backupdir,
+    mode   => '0700',
+    owner  => 'root',
+    group  => 'root',
+  }
+}

data/puppet/modules/mysql/manifests/config.pp

@@ -0,0 +1,122 @@
+# Class: mysql::config
+#
+# Parameters:
+#
+#   [*root_password*]     - root user password.
+#   [*old_root_password*] - previous root user password,
+#   [*bind_address*]      - address to bind service.
+#   [*port*]              - port to bind service.
+#   [*etc_root_password*] - whether to save /etc/.my.cnf.
+#   [*service_name*]      - mysql service name.
+#   [*config_file*]       - my.cnf configuration file path.
+#   [*socket*]            - mysql socket.
+#   [*datadir*]           - path to datadir.
+#   [*ssl]                - enable ssl
+#   [*ssl_ca]             - path to ssl-ca
+#   [*ssl_cert]           - path to ssl-cert
+#   [*ssl_key]            - path to ssl-key
+#
+# Actions:
+#
+# Requires:
+#
+#   class mysql::server
+#
+# Usage:
+#
+#   class { 'mysql::config':
+#     root_password => 'changeme',
+#     bind_address  => $::ipaddress,
+#   }
+#
+class mysql::config(
+  $root_password     = 'UNSET',
+  $old_root_password = '',
+  $bind_address      = $mysql::params::bind_address,
+  $port              = $mysql::params::port,
+  $etc_root_password = $mysql::params::etc_root_password,
+  $service_name      = $mysql::params::service_name,
+  $config_file       = $mysql::params::config_file,
+  $socket            = $mysql::params::socket,
+  $datadir           = $mysql::params::datadir,
+  $ssl               = $mysql::params::ssl,
+  $ssl_ca            = $mysql::params::ssl_ca,
+  $ssl_cert          = $mysql::params::ssl_cert,
+  $ssl_key           = $mysql::params::ssl_key,
+  $log_error         = $mysql::params::log_error,
+  $default_engine    = 'UNSET',
+  $root_group        = $mysql::params::root_group
+) inherits mysql::params {
+
+  File {
+    owner  => 'root',
+    group  => $root_group,
+    mode   => '0400',
+    notify => Exec['mysqld-restart'],
+  }
+
+  if $ssl and $ssl_ca == undef {
+    fail('The ssl_ca parameter is required when ssl is true')
+  }
+
+  if $ssl and $ssl_cert == undef {
+    fail('The ssl_cert parameter is required when ssl is true')
+  }
+
+  if $ssl and $ssl_key == undef {
+    fail('The ssl_key parameter is required when ssl is true')
+  }
+
+  # This kind of sucks, that I have to specify a difference resource for
+  # restart.  the reason is that I need the service to be started before mods
+  # to the config file which can cause a refresh
+  exec { 'mysqld-restart':
+    command     => "service ${service_name} restart",
+    logoutput   => on_failure,
+    refreshonly => true,
+    path        => '/sbin/:/usr/sbin/:/usr/bin/:/bin/',
+  }
+
+  # manage root password if it is set
+  if $root_password != 'UNSET' {
+    case $old_root_password {
+      '':      { $old_pw='' }
+      default: { $old_pw="-p'${old_root_password}'" }
+    }
+
+    exec { 'set_mysql_rootpw':
+      command   => "mysqladmin -u root ${old_pw} password '${root_password}'",
+      logoutput => true,
+      unless    => "mysqladmin -u root -p'${root_password}' status > /dev/null",
+      path      => '/usr/local/sbin:/usr/bin:/usr/local/bin',
+      notify    => Exec['mysqld-restart'],
+      require   => File['/etc/mysql/conf.d'],
+    }
+
+    file { '/root/.my.cnf':
+      content => template('mysql/my.cnf.pass.erb'),
+      require => Exec['set_mysql_rootpw'],
+    }
+
+    if $etc_root_password {
+      file{ '/etc/my.cnf':
+        content => template('mysql/my.cnf.pass.erb'),
+        require => Exec['set_mysql_rootpw'],
+      }
+    }
+  }
+
+  file { '/etc/mysql':
+    ensure => directory,
+    mode   => '0755',
+  }
+  file { '/etc/mysql/conf.d':
+    ensure => directory,
+    mode   => '0755',
+  }
+  file { $config_file:
+    content => template('mysql/my.cnf.erb'),
+    mode    => '0644',
+  }
+
+}

data/puppet/modules/mysql/manifests/db.pp

@@ -0,0 +1,77 @@
+# Define: mysql::db
+#
+# This module creates database instances, a user, and grants that user
+# privileges to the database.  It can also import SQL from a file in order to,
+# for example, initialize a database schema.
+#
+# Since it requires class mysql::server, we assume to run all commands as the
+# root mysql user against the local mysql server.
+#
+# Parameters:
+#   [*title*]       - mysql database name.
+#   [*user*]        - username to create and grant access.
+#   [*password*]    - user's password.
+#   [*charset*]     - database charset.
+#   [*host*]        - host for assigning privileges to user.
+#   [*grant*]       - array of privileges to grant user.
+#   [*enforce_sql*] - whether to enforce or conditionally run sql on creation.
+#   [*sql*]         - sql statement to run.
+#
+# Actions:
+#
+# Requires:
+#
+#   class mysql::server
+#
+# Sample Usage:
+#
+#  mysql::db { 'mydb':
+#    user     => 'my_user',
+#    password => 'password',
+#    host     => $::hostname,
+#    grant    => ['all']
+#  }
+#
+define mysql::db (
+  $user,
+  $password,
+  $charset     = 'utf8',
+  $host        = 'localhost',
+  $grant       = 'all',
+  $sql         = '',
+  $enforce_sql = false
+) {
+
+  database { $name:
+    ensure   => present,
+    charset  => $charset,
+    provider => 'mysql',
+    require  => Class['mysql::server'],
+  }
+
+  database_user { "${user}@${host}":
+    ensure        => present,
+    password_hash => mysql_password($password),
+    provider      => 'mysql',
+    require       => Database[$name],
+  }
+
+  database_grant { "${user}@${host}/${name}":
+    privileges => $grant,
+    provider   => 'mysql',
+    require    => Database_user["${user}@${host}"],
+  }
+
+  $refresh = ! $enforce_sql
+
+  if $sql {
+    exec{ "${name}-import":
+      command     => "/usr/bin/mysql ${name} < ${sql}",
+      logoutput   => true,
+      refreshonly => $refresh,
+      require     => Database_grant["${user}@${host}/${name}"],
+      subscribe   => Database[$name],
+    }
+  }
+
+}

data/puppet/modules/mysql/manifests/init.pp

@@ -0,0 +1,24 @@
+# Class: mysql
+#
+#   This class installs mysql client software.
+#
+# Parameters:
+#   [*client_package_name*]  - The name of the mysql client package.
+#
+# Actions:
+#
+# Requires:
+#
+# Sample Usage:
+#
+class mysql (
+  $package_name   = $mysql::params::client_package_name,
+  $package_ensure = 'present'
+) inherits mysql::params {
+
+  package { 'mysql_client':
+    name    => $package_name,
+    ensure  => $package_ensure,
+  }
+
+}