From 56fcbc5d4f195f3973c08a2155037ec9103c1c01 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Wed, 29 Jul 2020 13:27:57 +0000 Subject: [PATCH 1/1] Remove remaining uses of "normal" attributes --- .rubocop_todo.yml | 25 +----------- cookbooks/chef/libraries/persistent_token.rb | 20 ++++++++++ cookbooks/dev/metadata.rb | 1 + cookbooks/dev/recipes/default.rb | 6 +-- cookbooks/mailman/metadata.rb | 1 + cookbooks/mailman/recipes/default.rb | 5 ++- .../mailman/templates/default/mm_cfg.py.erb | 2 +- cookbooks/mediawiki/metadata.rb | 1 + cookbooks/mediawiki/resources/site.rb | 15 ++++--- .../templates/default/LocalSettings.php.erb | 2 +- cookbooks/wordpress/resources/site.rb | 39 ++++++++++--------- 11 files changed, 64 insertions(+), 53 deletions(-) create mode 100644 cookbooks/chef/libraries/persistent_token.rb diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml index 24a331788..de96b3d16 100644 --- a/.rubocop_todo.yml +++ b/.rubocop_todo.yml 
@@ -1,32 +1,11 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2020-07-19 17:37:03 UTC using RuboCop version 0.88.0.
+# on 2020-07-29 12:02:45 UTC using RuboCop version 0.88.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Offense count: 15
-ChefCorrectness/NodeNormal:
- Exclude:
- - '**/metadata.rb'
- - '**/Berksfile'
- - 'cookbooks/dev/recipes/default.rb'
- - 'cookbooks/mediawiki/resources/site.rb'
- - 'cookbooks/networking/recipes/default.rb'
- - 'cookbooks/openvpn/recipes/default.rb'
- - 'cookbooks/web/recipes/backend.rb'
- - 'cookbooks/wordpress/resources/site.rb'
-
-# Offense count: 12
-ChefCorrectness/NodeNormalUnless:
- Exclude:
- - '**/metadata.rb'
- - '**/Berksfile'
- - 'cookbooks/mailman/recipes/default.rb'
- - 'cookbooks/mediawiki/resources/site.rb'
- - 'cookbooks/wordpress/resources/site.rb'
-
 # Offense count: 1
 # Configuration parameters: Include.
 # Include: **/definitions/*.rb
@@ -34,7 +13,7 @@ ChefModernize/Definitions:
 Exclude:
 - 'cookbooks/networking/definitions/firewall_rule.rb'
 
-# Offense count: 1056
+# Offense count: 1038
 # Cop supports --auto-correct.
 # Configuration parameters: .
 # SupportedStyles: strings, symbols
diff --git a/cookbooks/chef/libraries/persistent_token.rb b/cookbooks/chef/libraries/persistent_token.rb
new file mode 100644
index 000000000..8299e8550
--- /dev/null
+++ b/cookbooks/chef/libraries/persistent_token.rb
@@ -0,0 +1,20 @@
+require "digest"
+
+class Chef
+ module Mixin
+ module PersistentToken
+ def persistent_token(*args)
+ sha256 = Digest::SHA256.new
+ sha256.update(node[:machine_id])
+ args.each do |arg|
+ sha256.update(arg)
+ end
+ sha256.hexdigest
+ end
+ end
+ end
+
+ class Recipe
+ include Chef::Mixin::PersistentToken
+ end
+end
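Review bot: `persistent_token` derives every secret this commit replaces (the Rails `secret_key_base`, MediaWiki `wgSecretKey`, the WordPress keys and salts and the Mailman XSRF secret in the later hunks) from `node[:machine_id]` plus fixed public labels, so those secrets are only as confidential as the machine id, which is typically a world-readable file on the host and is also persisted in the node object on the Chef server, whereas the `SecureRandom` values being dropped had no such dependency. Keying the derivation with a dedicated root-only random seed (generated once and stored somewhere only root can read; where that lives in this repository is not visible here) through `OpenSSL::HMAC` keeps the deterministic behaviour without that exposure, and the rewrite below needs `require "openssl"` next to `require "digest"`. Two smaller points in the same method: the arguments are fed to the digest without any separator, so `("ab", "c")` and `("a", "bc")` produce the same token, and `Digest::SHA256#update` raises a bare `TypeError` when the machine id attribute is `nil` or an argument is not a String, which a guard with a clear message would make obvious at converge time. Note also that because the previously persisted values are removed with `rm_normal` rather than folded into the derivation, every derived secret rotates on the first converge after this lands, invalidating existing signed cookies and sessions.
```ruby
def persistent_token(*args)
  # TODO(review): key this with a root-only per-node random seed instead of the
  # machine id, which is readable by local users and stored on the Chef server.
  seed = node[:machine_id]
  raise ArgumentError, "node[:machine_id] is not set" if seed.nil?

  # Length-prefix each argument so differently split inputs never share a message.
  message = args.map { |arg| "#{arg.to_s.bytesize}:#{arg}" }.join
  OpenSSL::HMAC.hexdigest("SHA256", seed, message)
end
```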
diff --git a/cookbooks/dev/metadata.rb b/cookbooks/dev/metadata.rb
index 0f689f52b..457e46dd0 100644
--- a/cookbooks/dev/metadata.rb
+++ b/cookbooks/dev/metadata.rb
@@ -8,6 +8,7 @@ version "1.0.0"
 supports "ubuntu"
 depends "apache"
 depends "passenger"
+depends "chef"
 depends "geoipupdate"
 depends "git"
 depends "memcached"
diff --git a/cookbooks/dev/recipes/default.rb b/cookbooks/dev/recipes/default.rb
index 1888e9cdd..e33c3b230 100644
--- a/cookbooks/dev/recipes/default.rb
+++ b/cookbooks/dev/recipes/default.rb
@@ -258,9 +258,9 @@ if node[:postgresql][:clusters][:"12/main"]
 if details[:repository]
 site_aliases = details[:aliases] || []
 
- secret_key_base = details[:secret_key_base] || SecureRandom.base64(96)
+ secret_key_base = persistent_token("dev", "rails", name, "secret_key_base")
 
- node.normal[:dev][:rails][name][:secret_key_base] = secret_key_base
+ node.rm_normal(:dev, :rails, name)
 
 postgresql_database database_name do
 cluster "12/main"
@@ -447,8 +447,6 @@ if node[:postgresql][:clusters][:"12/main"]
 action :drop
 cluster "12/main"
 end
-
- node.normal[:dev][:rails].delete(name)
 end
 end
 
diff --git a/cookbooks/mailman/metadata.rb b/cookbooks/mailman/metadata.rb
index dc12f2ffa..db8f66c69 100644
--- a/cookbooks/mailman/metadata.rb
+++ b/cookbooks/mailman/metadata.rb
@@ -7,3 +7,4 @@ description "Installs and configures mailman"
 version "1.0.0"
 supports "ubuntu"
 depends "apache"
+depends "chef"
diff --git a/cookbooks/mailman/recipes/default.rb b/cookbooks/mailman/recipes/default.rb
index bd88b9d92..1759bf50b 100644
--- a/cookbooks/mailman/recipes/default.rb
+++ b/cookbooks/mailman/recipes/default.rb
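Review bot: The second `cookbooks/dev/recipes/default.rb` hunk removes `node.normal[:dev][:rails].delete(name)` from the branch that drops the site's database without adding a replacement, while the new `node.rm_normal(:dev, :rails, name)` in the first hunk runs only inside `if details[:repository]`, so a site that is removed keeps its stale `node.normal[:dev][:rails][name]` entry, including the `secret_key_base` persisted by the previous code, in the node object for as long as nothing outside these hunks clears it. Adding `node.rm_normal(:dev, :rails, name)` after the `postgresql_database ... action :drop` block, or a single `node.rm_normal(:dev, :rails)` before the surrounding iteration (which starts outside both hunks), would clear those too. The same unconditional one-off cleanup appears in the mailman, mediawiki and wordpress hunks; a comment such as `# One-off cleanup of the value earlier versions persisted under node.normal; safe to drop once every node has converged` next to each `rm_normal` call would tell a future reader why a no-op runs on every converge. The enclosing `if details[:repository]` block begins before the first hunk and its `else` branch ends after the second.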
@@ -23,13 +23,16 @@ include_recipe "apache"
 
 package "mailman"
 
-node.normal_unless[:mailman][:subscribe_form_secret] = SecureRandom.base64(48)
+node.rm_normal(:mailman, :subscribe_form_secret)
+
+subscribe_form_secret = persistent_token("mailman", "subscribe_form_secret")
 
 template "/etc/mailman/mm_cfg.py" do
 source "mm_cfg.py.erb"
 user "root"
 group "root"
 mode "644"
+ variables :subscribe_form_secret => subscribe_form_secret
 notifies :restart, "service[mailman]"
 end
 
diff --git a/cookbooks/mailman/templates/default/mm_cfg.py.erb b/cookbooks/mailman/templates/default/mm_cfg.py.erb
index 5252157f2..53b4990d4 100644
--- a/cookbooks/mailman/templates/default/mm_cfg.py.erb
+++ b/cookbooks/mailman/templates/default/mm_cfg.py.erb
@@ -109,7 +109,7 @@ POSTFIX_STYLE_VIRTUAL_DOMAINS = ['openstreetmap.org']
 
 #-------------------------------------------------------------
 # Secret for web forms to protect against XSRF attacks
-SUBSCRIBE_FORM_SECRET='<%= node[:mailman][:subscribe_form_secret] %>'
+SUBSCRIBE_FORM_SECRET='<%= @subscribe_form_secret %>'
 
 # Note - if you're looking for something that is imported from mm_cfg, but you
 # didn't find it above, it's probably in /usr/lib/mailman/Mailman/Defaults.py.
diff --git a/cookbooks/mediawiki/metadata.rb b/cookbooks/mediawiki/metadata.rb
index 2c4ad74d0..6bc4c0ee6 100644
--- a/cookbooks/mediawiki/metadata.rb
+++ b/cookbooks/mediawiki/metadata.rb
@@ -9,6 +9,7 @@ supports "ubuntu"
 depends "accounts"
 depends "apache"
 depends "apt"
+depends "chef"
 depends "git"
 depends "memcached"
 depends "mysql"
diff --git a/cookbooks/mediawiki/resources/site.rb b/cookbooks/mediawiki/resources/site.rb
index de0651f35..f2ff05050 100644
--- a/cookbooks/mediawiki/resources/site.rb
+++ b/cookbooks/mediawiki/resources/site.rb
@@ -47,12 +47,14 @@ property :fpm_max_children, :kind_of => Integer, :default => 5
 property :reload_apache, :kind_of => [TrueClass, FalseClass], :default => true
 
 action :create do
- node.normal_unless[:mediawiki][:sites][new_resource.site] = {}
+ node.rm_normal(:mediawiki, :sites, new_resource.site)
 
- node.normal[:mediawiki][:sites][new_resource.site][:directory] = site_directory
- node.normal[:mediawiki][:sites][new_resource.site][:version] = new_resource.version
+ node.default[:mediawiki][:sites][new_resource.site] = {
+ :directory => site_directory,
+ :version => new_resource.version
+ }
 
- node.normal_unless[:mediawiki][:sites][new_resource.site][:wgSecretKey] = SecureRandom.base64(48)
+ secret_key = persistent_token("mediawiki", new_resource.site, "wgSecretKey")
 
 mysql_user "#{new_resource.database_user}@localhost" do
 password new_resource.database_password
@@ -172,7 +174,8 @@ action :create do
 variables :name => new_resource.site,
 :directory => mediawiki_directory,
 :database_params => database_params,
- :mediawiki => mediawiki_params
+ :mediawiki => mediawiki_params,
+ :secret_key => secret_key
 notifies :run, "execute[#{mediawiki_directory}/maintenance/update.php]"
 end
 
@@ -592,6 +595,8 @@ action :delete do
 end
 
 action_class do
+ include Chef::Mixin::PersistentToken
+
 def site_directory
 new_resource.directory || "/srv/#{new_resource.site}"
 end
diff --git a/cookbooks/mediawiki/templates/default/LocalSettings.php.erb b/cookbooks/mediawiki/templates/default/LocalSettings.php.erb
index 0fd10ae3d..99670dc0f 100644
--- a/cookbooks/mediawiki/templates/default/LocalSettings.php.erb
+++ b/cookbooks/mediawiki/templates/default/LocalSettings.php.erb
@@ -141,7 +141,7 @@ $wgLanguageCode = "en";
 $wgPageLanguageUseDB = true;
 $wgGroupPermissions['user']['pagelang'] = true;
 
-$wgSecretKey = '<%= @node[:mediawiki][:sites][@name][:wgSecretKey] %>';
+$wgSecretKey = '<%= @secret_key %>';
 
 # Site upgrade key. Must be set to a string (default provided) to turn on the
 # web installer while LocalSettings.php is in place
diff --git a/cookbooks/wordpress/resources/site.rb b/cookbooks/wordpress/resources/site.rb
index ee4f12b91..99b506fd4 100644
--- a/cookbooks/wordpress/resources/site.rb
+++ b/cookbooks/wordpress/resources/site.rb
@@ -34,18 +34,20 @@ property :reload_apache, :kind_of => [TrueClass, FalseClass], :default => true
 action :create do
 version = new_resource.version || Chef::Wordpress.current_version
 
- node.normal_unless[:wordpress][:sites][new_resource.site] = {}
+ node.rm_normal(:wordpress, :sites, new_resource.site)
 
- node.normal[:wordpress][:sites][new_resource.site][:directory] = site_directory
+ node.default[:wordpress][:sites][new_resource.site] = {
+ :directory => site_directory
+ }
 
- node.normal_unless[:wordpress][:sites][new_resource.site][:auth_key] = SecureRandom.base64(48)
- node.normal_unless[:wordpress][:sites][new_resource.site][:secure_auth_key] = SecureRandom.base64(48)
- node.normal_unless[:wordpress][:sites][new_resource.site][:logged_in_key] = SecureRandom.base64(48)
- node.normal_unless[:wordpress][:sites][new_resource.site][:nonce_key] = SecureRandom.base64(48)
- node.normal_unless[:wordpress][:sites][new_resource.site][:auth_salt] = SecureRandom.base64(48)
- node.normal_unless[:wordpress][:sites][new_resource.site][:secure_auth_salt] = SecureRandom.base64(48)
- node.normal_unless[:wordpress][:sites][new_resource.site][:logged_in_salt] = SecureRandom.base64(48)
- node.normal_unless[:wordpress][:sites][new_resource.site][:nonce_salt] = SecureRandom.base64(48)
+ auth_key = persistent_token("wordpress", new_resource.site, "auth_key")
+ secure_auth_key = persistent_token("wordpress", new_resource.site, "secure_auth_key")
+ logged_in_key = persistent_token("wordpress", new_resource.site, "logged_in_key")
+ nonce_key = persistent_token("wordpress", new_resource.site, "nonce_key")
+ auth_salt = persistent_token("wordpress", new_resource.site, "auth_salt")
+ secure_auth_salt = persistent_token("wordpress", new_resource.site, "secure_auth_salt")
+ logged_in_salt = persistent_token("wordpress", new_resource.site, "logged_in_salt")
+ nonce_salt = persistent_token("wordpress", new_resource.site, "nonce_salt")
 
 mysql_user "#{new_resource.database_user}@localhost" do
 password new_resource.database_password
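Review bot: The eight `persistent_token` assignments differ only in their label, and the eight `gsub!` lines in the following `@@ -75,14 +77,14 @@` hunk differ only in the PHP constant name, which is that label upcased, so both collapse to one loop over a single list of names and the two lists can no longer drift apart when a key is added or renamed. The sketch below builds a `secrets` hash here and replaces the eight substitutions in the next hunk with one `each`; the interpolated regexp is fine because the names are fixed literals from the list, not input. The `action :create` body begins in this hunk and continues past the next.
```ruby
  # wp-config.php constant names (lowercased); each gets its own derived token.
  secret_names = %w[auth_key secure_auth_key logged_in_key nonce_key
                    auth_salt secure_auth_salt logged_in_salt nonce_salt]
  secrets = secret_names.each_with_object({}) do |key, tokens|
    tokens[key] = persistent_token("wordpress", new_resource.site, key)
  end

  # … unchanged: database setup up to the wp-config.php line rewriting in the next hunk …

      secrets.each do |key, token|
        line.gsub!(/('#{key.upcase}', *)'put your unique phrase here'/, "\\1'#{token}'")
      end
```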
@@ -75,14 +77,14 @@ action :create do
 line.gsub!(/password_here/, new_resource.database_password)
 line.gsub!(/wp_/, new_resource.database_prefix)
 
- line.gsub!(/('AUTH_KEY', *)'put your unique phrase here'/, "\\1'#{node[:wordpress][:sites][new_resource.site][:auth_key]}'")
- line.gsub!(/('SECURE_AUTH_KEY', *)'put your unique phrase here'/, "\\1'#{node[:wordpress][:sites][new_resource.site][:secure_auth_key]}'")
- line.gsub!(/('LOGGED_IN_KEY', *)'put your unique phrase here'/, "\\1'#{node[:wordpress][:sites][new_resource.site][:logged_in_key]}'")
- line.gsub!(/('NONCE_KEY', *)'put your unique phrase here'/, "\\1'#{node[:wordpress][:sites][new_resource.site][:nonce_key]}'")
- line.gsub!(/('AUTH_SALT', *)'put your unique phrase here'/, "\\1'#{node[:wordpress][:sites][new_resource.site][:auth_salt]}'")
- line.gsub!(/('SECURE_AUTH_SALT', *)'put your unique phrase here'/, "\\1'#{node[:wordpress][:sites][new_resource.site][:secure_auth_salt]}'")
- line.gsub!(/('LOGGED_IN_SALT', *)'put your unique phrase here'/, "\\1'#{node[:wordpress][:sites][new_resource.site][:logged_in_salt]}'")
- line.gsub!(/('NONCE_SALT', *)'put your unique phrase here'/, "\\1'#{node[:wordpress][:sites][new_resource.site][:nonce_salt]}'")
+ line.gsub!(/('AUTH_KEY', *)'put your unique phrase here'/, "\\1'#{auth_key}'")
+ line.gsub!(/('SECURE_AUTH_KEY', *)'put your unique phrase here'/, "\\1'#{secure_auth_key}'")
+ line.gsub!(/('LOGGED_IN_KEY', *)'put your unique phrase here'/, "\\1'#{logged_in_key}'")
+ line.gsub!(/('NONCE_KEY', *)'put your unique phrase here'/, "\\1'#{nonce_key}'")
+ line.gsub!(/('AUTH_SALT', *)'put your unique phrase here'/, "\\1'#{auth_salt}'")
+ line.gsub!(/('SECURE_AUTH_SALT', *)'put your unique phrase here'/, "\\1'#{secure_auth_salt}'")
+ line.gsub!(/('LOGGED_IN_SALT', *)'put your unique phrase here'/, "\\1'#{logged_in_salt}'")
+ line.gsub!(/('NONCE_SALT', *)'put your unique phrase here'/, "\\1'#{nonce_salt}'")
 
 if line =~ /define\('WP_DEBUG'/
 line += "\n"
@@ -202,6 +204,7 @@ end
 
 action_class do
 include Chef::Mixin::EditFile
+ include Chef::Mixin::PersistentToken
 
 def site_directory
 new_resource.directory || "/srv/#{new_resource.site}"
-- 
2.39.5