simp-cli 1.0.12

data/lib/simp/cli/config/item/rsync_base.rb

@@ -0,0 +1,37 @@
+require 'highline/import'
+require File.expand_path( '../item', File.dirname(__FILE__) )
+require File.expand_path( '../utils', File.dirname(__FILE__) )
+
+module Simp; end
+class Simp::Cli; end
+module Simp::Cli::Config
+  class Item::RsyncBase < Item
+    def initialize
+      super
+      @key         = 'rsync::base'
+      @description = <<-EOF.gsub(/^ {8}/,'')
+        Several modules use rsync as a means of pulling down large
+        collections of files. This provides a single point of configuration
+        for the system defaults.
+
+        Individual modules can be overridden as required.
+      EOF
+      if Facter.value('lsbmajdistrelease') < '7' then
+        @base_dir = '/srv/rsync'
+      else
+        @base_dir = File.exists?( '/var/simp/' ) ? '/var/simp/rsync' : '/srv/simp/rsync'
+        @base_dir = "#{@base_dir}/%{::operatingsystem}/%{::lsbmajdistrelease}"
+      end
+    end
+
+    def os_value; nil; end
+
+    def validate( x )
+      x =~ %r{^/} ? true : false
+    end
+
+    def recommended_value
+      "#{@base_dir}"
+    end
+  end
+end

data/lib/simp/cli/config/item/rsync_server.rb

@@ -0,0 +1,44 @@
+require 'highline/import'
+require File.expand_path( '../item', File.dirname(__FILE__) )
+require File.expand_path( '../utils', File.dirname(__FILE__) )
+
+module Simp; end
+class Simp::Cli; end
+module Simp::Cli::Config
+  class Item::RsyncServer < Item
+    attr_accessor :file
+    def initialize
+      super
+      @key         = 'rsync::server'
+      @description = 'rsync server (usually the primary puppet master)'
+      @__warning   = false
+      @file        = '/etc/rsyncd.conf'
+      @skip_query  = true
+    end
+
+    def os_value
+      if File.readable?(@file)
+        res = File.readlines(@file).grep( /address\s*=/ ){|x| x.split('=').last.strip}
+        res.empty? ? nil : res.first
+      else
+        # only show the FIRST warning
+        if !@__warning
+          warning = "WARNING: cannot read #{file}"
+          say "<%= color(%q{#{warning}}, YELLOW) %>\n" unless @silent
+          @__warning = true
+        end
+        nil
+      end
+    end
+
+    def recommended_value
+      os_value || '127.0.0.1'
+    end
+
+    def validate item
+      ( Simp::Cli::Config::Utils.validate_ip( item ) ||
+        Simp::Cli::Config::Utils.validate_fqdn( item ) ||
+        Simp::Cli::Config::Utils.validate_hostname( item ) )
+    end
+  end
+end

data/lib/simp/cli/config/item/rsync_timeout.rb

@@ -0,0 +1,26 @@
+require 'highline/import'
+require File.expand_path( '../item', File.dirname(__FILE__) )
+require File.expand_path( '../utils', File.dirname(__FILE__) )
+
+module Simp; end
+class Simp::Cli; end
+module Simp::Cli::Config
+  class Item::RsyncTimeout < Item
+    def initialize
+      super
+      @key         = 'rsync::timeout'
+      @description = 'maximum rsync timeout in seconds.  0 = no timeout'
+      @skip_query  = true
+    end
+
+    def os_value; nil; end
+
+    def validate( x )
+      x.to_s =~ %r{^\d+} ? true : false
+    end
+
+    def recommended_value
+      '1'
+    end
+  end
+end

data/lib/simp/cli/config/item/set_grub_password.rb

@@ -0,0 +1,19 @@
+require 'highline/import'
+require File.expand_path( '../item', File.dirname(__FILE__) )
+require File.expand_path( '../utils', File.dirname(__FILE__) )
+
+module Simp; end
+class Simp::Cli; end
+module Simp::Cli::Config
+  class Item::SetGrubPassword < YesNoItem
+    def initialize
+      super
+      @key         = 'set_grub_password'
+      @description = %Q{Whether or not to set the GRUB password on this system.}
+    end
+
+    def recommended_value
+      os_value || 'yes'
+    end
+  end
+end

data/lib/simp/cli/config/item/simp_yum_servers.rb

@@ -0,0 +1,30 @@
+require "resolv"
+require 'highline/import'
+require File.expand_path( '../item', File.dirname(__FILE__) )
+require File.expand_path( '../utils', File.dirname(__FILE__) )
+
+module Simp; end
+class Simp::Cli; end
+module Simp::Cli::Config
+  class Item::SimpYumServers < ListItem
+    def initialize
+      super
+      @key         = 'simp::yum::servers'
+      @description = %Q{Your SIMP yum server(s).}
+      @allow_empty_list = true
+    end
+
+    def recommended_value
+      ["%{hiera('puppet::server')}"]
+    end
+
+    def validate_item item
+      (
+        Simp::Cli::Config::Utils.validate_hiera_lookup( item ) ||
+        Simp::Cli::Config::Utils.validate_hostname( item ) ||
+        Simp::Cli::Config::Utils.validate_fqdn( item ) ||
+        Simp::Cli::Config::Utils.validate_ip( item )
+      )
+    end
+  end
+end

data/lib/simp/cli/config/item/use_auditd.rb

@@ -0,0 +1,19 @@
+require 'highline/import'
+require File.expand_path( '../item', File.dirname(__FILE__) )
+require File.expand_path( '../utils', File.dirname(__FILE__) )
+
+module Simp; end
+class Simp::Cli; end
+module Simp::Cli::Config
+  class Item::UseAuditd < YesNoItem
+    def initialize
+      super
+      @key         = 'use_auditd'
+      @description = %q{Whether or not to use auditd on this system.}
+    end
+
+    def recommended_value
+      os_value || 'yes'
+    end
+  end
+end

data/lib/simp/cli/config/item/use_fips.rb

@@ -0,0 +1,46 @@
+require 'highline/import'
+require File.expand_path( '../item', File.dirname(__FILE__) )
+require File.expand_path( '../utils', File.dirname(__FILE__) )
+
+module Simp; end
+class Simp::Cli; end
+module Simp::Cli::Config
+  class Item::UseFips < YesNoItem
+    include Simp::Cli::Config::SafeApplying
+
+    def initialize
+      super
+      @key         = 'use_fips'
+      @description = %q{Enable FIPS mode on this system.
+
+FIPS mode enforces strict compliance with FIPS-140-2.  All core SIMP modules
+can support this configuration.
+
+IMPORTANT: Be sure you know the security tradeoffs of FIPS-140-2 compliance.
+FIPS mode disables the use of MD5 and may require weaker ciphers or key lengths
+than your security policies allow.
+}
+     @allow_user_apply = true
+    end
+
+    def os_value
+      Facter.value('fips_enabled') ? 'yes' : 'no'
+    end
+
+    def recommended_value
+      os_value || 'yes'
+    end
+
+    def apply
+      if @value
+        # This is a one-off prep item needed to handle Puppet certs w/FIPS mode
+        cmd = %q(puppet config set digest_algorithm sha256)
+        puts cmd unless @silent
+        %x{#{cmd}}
+      else
+        puts 'not using FIPS mode: noop'
+        true # we applied nothing, successfully!
+      end
+    end
+  end
+end

data/lib/simp/cli/config/item/use_iptables.rb

@@ -0,0 +1,22 @@
+require 'highline/import'
+require File.expand_path( '../item', File.dirname(__FILE__) )
+require File.expand_path( '../utils', File.dirname(__FILE__) )
+
+module Simp; end
+class Simp::Cli; end
+module Simp::Cli::Config
+  class Item::UseIPtables < YesNoItem
+    def initialize
+      super
+      @key         = 'use_iptables'
+      @description = %Q{Whether or not to use iptables on this system.
+
+If there is code that calls the IPTables native type directly, this option may
+not function properly.  We are looking into solutions for this issue.}
+    end
+
+    def recommended_value
+      os_value || 'yes'
+    end
+  end
+end

data/lib/simp/cli/config/item/use_ldap.rb

@@ -0,0 +1,19 @@
+require 'highline/import'
+require File.expand_path( '../item', File.dirname(__FILE__) )
+require File.expand_path( '../utils', File.dirname(__FILE__) )
+
+module Simp; end
+class Simp::Cli; end
+module Simp::Cli::Config
+  class Item::UseLdap < YesNoItem
+    def initialize
+      super
+      @key         = 'use_ldap'
+      @description = %Q{Whether or not to use LDAP on this system.\nIf you disable this, modules will not attempt to use LDAP where possible.}
+    end
+
+    def recommended_value
+      os_value || 'yes'
+    end
+  end
+end

data/lib/simp/cli/config/item/use_selinux.rb

@@ -0,0 +1,32 @@
+require 'highline/import'
+require File.expand_path( '../item', File.dirname(__FILE__) )
+require File.expand_path( '../utils', File.dirname(__FILE__) )
+
+module Simp; end
+class Simp::Cli; end
+module Simp::Cli::Config
+  class Item::UseSELinux < Item
+    def initialize
+      super
+      @key         = 'selinux::ensure'
+      @fact        = 'selinux_current_mode'
+      @description = %Q{SELinux is good.
+
+Not all modules are compatible with SELinux in enforcing mode but the core
+SIMP modules are. You should not take this below 'permissive' unless it is
+truly necessary.}
+    end
+
+    def validate( x )
+      (x.to_s =~ /permissive|disabled|enforcing/i ) ? true : false
+    end
+
+    def not_valid_message
+      'Must be "enforcing," "permissive," or "disabled" (not recommended)'
+    end
+
+    def recommended_value
+      os_value || 'enforcing'
+    end
+  end
+end

data/lib/simp/cli/config/item/yum_repositories.rb

@@ -0,0 +1,75 @@
+require "resolv"
+require 'highline/import'
+require File.expand_path( '../item', File.dirname(__FILE__) )
+require File.expand_path( '../utils', File.dirname(__FILE__) )
+
+module Simp; end
+class Simp::Cli; end
+module Simp::Cli::Config
+  class Item::YumRepositories < ActionItem
+
+    attr_accessor :www_yum_dir, :yum_repos_d, :yaml_file
+    def initialize
+      super
+      @key         = 'yum::repositories'
+      @description = %Q{Sets up the yum repositores for SIMP on apply. (apply-only; noop)}
+      @www_yum_dir = File.exists?( '/var/www/yum/') ? '/var/www/yum' : '/srv/www/yum'
+      @yum_repos_d = '/etc/yum.repos.d'
+      @yaml_file   = '/etc/puppet/environments/simp/hieradata/hosts/puppet.your.domain.yaml'
+    end
+
+    def apply
+      result = true
+
+      # set up yum repos
+      say_green 'Updating YUM Updates Repositories (NOTE: This may take some time)' if !@silent
+      yumpath = File.join( @www_yum_dir,
+                           Facter.value('operatingsystem'),
+                           Facter.value('operatingsystemrelease'),
+                           Facter.value('architecture')
+                         )
+      begin
+        Dir.chdir(yumpath) do
+          FileUtils.mkdir('Updates') unless File.directory?('Updates')
+          Dir.chdir('Updates') do
+            system( %q(find .. -type f -name '*.rpm' -exec ln -sf {} \\;) )
+            cmd = 'createrepo -qqq -p --update .'
+            if @silent
+              cmd << ' &> /dev/null'
+            else
+              puts cmd
+            end
+            system(cmd)
+            raise RuntimeError "'#{cmd}' failed in #{Dir.pwd}" unless ($?.nil? || $?.success?)
+          end
+        end
+        system("chown -R root:apache #{@www_yum_dir}/ #{ '&> /dev/null' if @silent }")
+        system("chmod -R u=rwX,g=rX,o-rwx #{@www_yum_dir}/")
+        raise RuntimeError, "chmod -R u=rwX,g=rX,o-rwx #{@www_yum_dir}/ failed!"  unless ($?.nil? || $?.success?)
+        say_green "Finished configuring Updates repository at #{yumpath}/Updates" if !@silent
+      rescue => err
+        say_red "ERROR: Something went wrong setting up the Updates repo in #{yumpath}!"
+        say_red '       Please make sure your Updates repo is properly configured.'
+        say_red "\nError output:\n  #{err.class}\n\n  #{err}"
+        result = false
+      end
+
+      # disable any CentOS repo spam
+      Dir.chdir( @yum_repos_d ) do
+        if ! Dir.glob('CentOS*.repo').empty?
+          `grep "\\[*\\]" *CentOS*.repo | cut -d "[" -f2 | cut -d "]" -f1 | xargs yum-config-manager --disable`
+        end
+
+        # enable 'simp::yum::enable_simp_repos' in hosts/puppet.your.domain.yaml
+        if @config_items.fetch('is_master_yum_server').value && !File.exist?('filesystem.repo')
+          cmd = %Q{sed -i '/simp::yum::enable_simp_repos : false/ c\\simp::yum::enable_simp_repos : true' #{@yaml_file}}
+          puts cmd if !@silent
+          %x{#{cmd}}
+          result = result && ($?.nil? || $?.success?)
+        end
+      end
+
+      result
+    end
+  end
+end

data/lib/simp/cli/config/item_list_factory.rb

@@ -0,0 +1,236 @@
+require File.expand_path( 'item', File.dirname(__FILE__) )
+
+module Simp; end
+class Simp::Cli; end
+module Simp::Cli::Config; end
+
+# Builds an Array of Config::Items
+class Simp::Cli::Config::ItemListFactory
+  def initialize( options )
+    @options = {
+      :verbose            => 0,
+      :puppet_system_file => '/tmp/out.yaml',
+    }.merge( options )
+
+    # A hash to look up Config::Item values set from other sources (files, cli).
+    # for each Hash element:
+    # - the key will be the the Config::Item#key
+    # - the value will be the @options#value
+    @answers_hash = {}
+  end
+
+
+  def process( yaml=nil, answers_hash={} )
+    @answers_hash = answers_hash
+
+    # Require the config items
+    rb_files = File.expand_path( '../config/item/*.rb', File.dirname(__FILE__))
+    Dir.glob( rb_files ).sort_by(&:to_s).each { |file| require file }
+
+    items_yaml = yaml || <<-EOF.gsub(/^ {6}/,'')
+      # The Config::Item list is really a conditional tree.  Some Items can
+      # prepend additional Items to the queue, depending on the answer.
+      #
+      # This YAML describes the full Item structure.  The format is:
+      #
+      # - ItemA
+      # - ItemB
+      #   answer1:
+      #     - ItemC
+      #     - ItemD
+      #   answer2:
+      #     - ItemE
+      #     - ItemF
+      # - ItemG
+      ---
+      # ==== network ====
+      - UseFips
+      - NetworkInterface
+      - SetupNIC:
+         true:
+         - DHCP:
+            static:                # gather info first, then configure network
+             - Hostname
+             - IPAddress
+             - Netmask
+             - Gateway
+             - DNSServers
+             - DNSSearch
+             - NetworkConf
+            dhcp:                  # configure network, then get info (silently)
+             - NetworkConf
+             - Hostname     SILENT
+             - IPAddress    SILENT
+             - Netmask      SILENT
+             - Gateway      SILENT
+             - DNSServers   SILENT
+             - DNSSearch    SILENT
+         false:                    # don't configure network (but get network info)
+         - Hostname
+         - IPAddress
+         - Netmask
+         - Gateway
+         - DNSServers
+         - DNSSearch
+      - HostnameConf
+      - ClientNets
+
+      # ==== globals ====
+      - NTPServers          NOAPPLY
+      - LogServers
+      - FailoverLogServers
+      - SimpYumServers
+      - UseAuditd
+      - UseIPtables
+      - CommonRunLevelDefault
+      - UseSELinux
+      - SetGrubPassword:
+         true:
+          - GrubPassword
+      - Certificates
+      - IsMasterYumServer
+      - YumRepositories
+      - RenameFqdnYaml
+
+      # ==== puppet ====
+      - PuppetServer
+      - PuppetServerIP
+      - PuppetCA
+      - PuppetCAPort
+      ### NOTE: removed since update to puppet server: - PuppetFileServer
+      - PuppetAutosign
+      - PuppetConf
+      - PuppetHostsEntry
+      - PuppetDBServer
+      - PuppetDBPort
+
+      # ==== ldap ====
+      - UseLdap:
+         true:
+          - AddLdapToHiera
+          - LdapBaseDn
+          - LdapBindDn
+          - LdapBindPw
+          - LdapBindHash
+          - LdapSyncDn
+          - LdapSyncPw
+          - LdapSyncHash
+          - LdapRootDn
+          - LdapRootHash
+          - LdapMaster
+          - LdapUri
+         false:
+          - RemoveLdapFromHiera
+
+      # ==== rsync ====
+      - RsyncBase
+      - RsyncServer
+      - RsyncTimeout
+
+      # ==== writers ====
+      - AnswersYAMLFileWriter FILE=#{ @options.fetch( :puppet_system_file, '/dev/null') }
+      - AnswersYAMLFileWriter FILE=#{ @options.fetch( :output_file, '/dev/null') } USERAPPLY
+    EOF
+    items = YAML.load items_yaml
+    item_queue = build_item_queue( [], items )
+    item_queue
+  end
+
+
+
+  def assign_value_from_hash( hash, item )
+    value = hash.fetch( item.key, nil )
+    if !value.nil?
+      # workaround to allow cli/env var arrays
+      value = value.split(',,') if item.is_a?(Simp::Cli::Config::ListItem) && !value.is_a?(Array)
+      if ! item.validate value
+        print_warning "'#{value}' is not an acceptable answer for '#{item.key}' (skipping)."
+      else
+        item.value = value
+      end
+    end
+    item
+  end
+
+
+  # returns an instance of an Config::Item based on a String of its class name
+  def create_item item_string
+    # create item instance
+    parts = item_string.split( /\s+/ )
+    name  = parts.shift
+    item  = Simp::Cli::Config::Item.const_get(name).new
+
+    # set item options
+    #   ...based on YAML keywords
+    while !parts.empty?
+      part = parts.shift
+      if part =~ /^#/
+        parts = []
+        next
+      end
+      item.silent           = true if part == 'SILENT'
+      item.skip_apply       = true if part == 'NOAPPLY'
+      item.skip_query       = true if part == 'SKIPQUERY'
+      item.skip_yaml        = true if part == 'NOYAML'
+      item.allow_user_apply = true if part == 'USERAPPLY'
+      if part =~ /^FILE=(.+)/
+        item.file = $1
+      end
+
+    end
+    #  ...based on cli options
+    item.silent     = true if @options.fetch( :verbose ) < 0
+    item.skip_apply = true if @options.fetch( :dry_run, false )
+
+    # (try to) assign item values from various sources
+    item = assign_value_from_hash( @answers_hash, item )
+  end
+
+
+  # recursively build an item queue
+  def build_item_queue( item_queue, items )
+    writer = create_safety_writer_item
+    if !items.empty?
+      item = items.shift
+      item_queue << writer if writer
+
+      if item.is_a? String
+        item_queue << create_item( item )
+
+      elsif item.is_a? Hash
+        answers_tree = {}
+        item.values.first.each{ |answer, values|
+          answers_tree[ answer ] = build_item_queue( [], values )
+        }
+        _item = create_item( item.keys.first )
+        _item.next_items_tree = answers_tree
+        item_queue << _item
+        item_queue << writer if writer
+      end
+
+      item_queue = build_item_queue( item_queue, items )
+    end
+
+    # append a silent YAML writer to save progress after each item
+
+    item_queue
+  end
+
+
+  # create a YAML writer that will "safety save" after each answer
+  def create_safety_writer_item
+    if file =  @options.fetch( :output_file, nil)
+      FileUtils.mkdir_p File.dirname( file ), :verbose => false
+      writer = Simp::Cli::Config::Item::AnswersYAMLFileWriter.new
+      file   = File.join( File.dirname( file ), ".#{File.basename( file )}" )
+      writer.file             = file
+      writer.allow_user_apply = true
+      writer.silent           = true  if @options.fetch(:verbose, 0) < 2
+      writer
+    end
+  end
+
+  def print_warning error
+    say "<%= color(%q{WARNING: }, YELLOW,BOLD) %><%= color(%q{#{error}}, YELLOW) %>\n"
+  end
+end