From 05cee0f709e2d77fa431027dfc493f4d0d6da53e Mon Sep 17 00:00:00 2001 From: Michael Krotscheck Date: Wed, 13 Aug 2014 17:24:59 -0700 Subject: [PATCH] Support Apache 2.4.3 Apache version 2.4.3 changes the Order Allow,Deny security configuration options. This patch modifies the input parameters as well as the vhost templates in order to support it. Change-Id: I179ffa924fed204c45a08ba19ea4acdc519edda2 --- manifests/application.pp | 42 +++++++++++++++------------- manifests/cert.pp | 36 ++++++++++++------------ templates/storyboard_http.vhost.erb | 8 ++++++ templates/storyboard_https.vhost.erb | 9 ++++++ 4 files changed, 58 insertions(+), 37 deletions(-) diff --git a/manifests/application.pp b/manifests/application.pp index 5e354ee..465f7ec 100644 --- a/manifests/application.pp +++ b/manifests/application.pp @@ -21,6 +21,7 @@ class storyboard::application ( # Installation parameters + $install_root = '/var/lib/storyboard', $www_root = '/var/lib/storyboard/www', $server_admin = undef, $hostname = $::fqdn, @@ -62,10 +63,10 @@ class storyboard::application ( # Create the storyboard configuration directory. file { '/etc/storyboard': - ensure => directory, - owner => $storyboard::params::user, - group => $storyboard::params::group, - mode => '0700', + ensure => directory, + owner => $storyboard::params::user, + group => $storyboard::params::group, + mode => '0700', } # Configure the StoryBoard API @@ -105,7 +106,7 @@ class storyboard::application ( } # Create the root dir - file { '/var/lib/storyboard': + file { $install_root: ensure => directory, owner => $storyboard::params::user, group => $storyboard::params::group, 
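Review bot: The new `$install_root` parameter in the first application.pp hunk is only half wired in: `$www_root` keeps its literal default `'/var/lib/storyboard/www'`, and the context lines of the storyboard_https.vhost.erb hunk still show `WSGIScriptAlias /api /var/lib/storyboard/storyboard.wsgi`. Overriding `install_root` would therefore install storyboard.wsgi in one place while the vhost keeps pointing at the old path. Assuming the template is rendered in this class's scope (it already reads `@new_vhost_perms`), the alias could become `WSGIScriptAlias /api <%= @install_root %>/storyboard.wsgi`. The parameter also deserves a one-line comment saying it must be an absolute path; the class parameter list continues outside the hunk.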
@@ -113,18 +114,18 @@ class storyboard::application ( # Create the log dir file { '/var/log/storyboard': - ensure => directory, - owner => $storyboard::params::user, - group => $storyboard::params::group, + ensure => directory, + owner => $storyboard::params::user, + group => $storyboard::params::group, } # Install the wsgi app - file { '/var/lib/storyboard/storyboard.wsgi': + file { "${install_root}/storyboard.wsgi": source => '/opt/storyboard/storyboard/api/app.wsgi', owner => $storyboard::params::user, group => $storyboard::params::group, require => [ - File['/var/lib/storyboard'], + File[$install_root], Exec['install-storyboard'], ], notify => Service['httpd'], @@ -155,17 +156,20 @@ class storyboard::application ( # Copy the downloaded source into the configured www_root file { $www_root: - ensure => directory, - owner => $storyboard::params::user, - group => $storyboard::params::group, - require => Puppi::Netinstall['storyboard-webclient'], - source => '/opt/storyboard-webclient/dist', - recurse => true, - purge => true, - force => true, - notify => Service['httpd'], + ensure => directory, + owner => $storyboard::params::user, + group => $storyboard::params::group, + require => Puppi::Netinstall['storyboard-webclient'], + source => '/opt/storyboard-webclient/dist', + recurse => true, + purge => true, + force => true, + notify => Service['httpd'], } + # Check vhost permission set. + $new_vhost_perms = (versioncmp($::apache::apache_version, '2.4') >= 0) + # Are we setting up TLS or non-TLS? if defined(Class['storyboard::cert']) { # Set up storyboard as HTTPS diff --git a/manifests/cert.pp b/manifests/cert.pp index 4754b5b..f669283 100644 --- a/manifests/cert.pp +++ b/manifests/cert.pp 
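Review bot: In the `file { "${install_root}/storyboard.wsgi":` resource, the script Apache executes is owned by `$storyboard::params::user`, the same account the https template passes to `WSGIDaemonProcess ... user=`, and no `mode` is visible in the hunk. The running service can therefore rewrite its own entry point, which weakens the separation between the code and the account that runs it. This predates the commit, but since the resource is being edited anyway, consider `owner => 'root',` with `mode => '0644',` and taking only the group from params. The resource body continues past the end of the hunk.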
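Review bot: `$new_vhost_perms` silently depends on `$::apache::apache_version` being set when this class is evaluated. If the apache class has not been declared by then, the value is undefined and the comparison would presumably come out false, selecting the legacy `Order allow,deny` block even on a 2.4 server. Failing loudly is safer for an access-control decision, e.g. `if $::apache::apache_version == undef { fail('storyboard::application requires class apache to be declared first') }` ahead of the assignment. The comment above it could also state the reason, `# Apache >= 2.4 replaces Order/Allow with Require (mod_authz_core).`, which would reconcile the `'2.4'` comparison with the 2.4.3 named in the commit message.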
@@ -35,12 +35,12 @@ class storyboard::cert ( if $ssl_cert_file != undef { file { $ssl_cert: - owner => 'root', - group => 'ssl-cert', - mode => '0640', - source => $ssl_cert_file, - before => Class['storyboard::application'], - notify => Class['storyboard::application'], + owner => 'root', + group => 'ssl-cert', + mode => '0640', + source => $ssl_cert_file, + before => Class['storyboard::application'], + notify => Class['storyboard::application'], } } elsif $ssl_cert_content != undef { @@ -59,12 +59,12 @@ class storyboard::cert ( if $ssl_key_file != undef { file { $ssl_key: - owner => 'root', - group => 'ssl-cert', - mode => '0640', - source => $ssl_key_file, - before => Class['storyboard::application'], - notify => Class['storyboard::application'], + owner => 'root', + group => 'ssl-cert', + mode => '0640', + source => $ssl_key_file, + before => Class['storyboard::application'], + notify => Class['storyboard::application'], } } elsif $ssl_key_content != undef { @@ -91,12 +91,12 @@ class storyboard::cert ( if $ssl_ca_file != undef { file { $resolved_ssl_ca: - owner => 'root', - group => 'ssl-cert', - mode => '0640', - source => $ssl_ca_file, - before => Class['storyboard::application'], - notify => Class['storyboard::application'], + owner => 'root', + group => 'ssl-cert', + mode => '0640', + source => $ssl_ca_file, + before => Class['storyboard::application'], + notify => Class['storyboard::application'], } } elsif $ssl_ca_content != undef { diff --git a/templates/storyboard_http.vhost.erb b/templates/storyboard_http.vhost.erb index d4c8923..9f9f638 100644 --- a/templates/storyboard_http.vhost.erb +++ b/templates/storyboard_http.vhost.erb @@ -14,4 +14,12 @@ ErrorLog ${APACHE_LOG_DIR}/storyboard-error.log CustomLog ${APACHE_LOG_DIR}/storyboard-access.log combined + "> + <% if @new_vhost_perms %> + Require all granted + <% else %> + Order allow,deny + Allow from all + <% end %> + \ No newline at end of file 
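Review bot: Both branches of the block added to storyboard_http.vhost.erb open the directory to every client (`Require all granted` / `Allow from all`), and the block sets neither `Options` nor `AllowOverride`, so the server defaults apply to the whole tree. The opening tag's path is not readable in this rendering; if it is the install root rather than the web root, the grant also covers storyboard.wsgi and anything else placed there. Consider scoping the block to the directory that is actually served and adding `Options -Indexes` and `AllowOverride None` inside it. The same block is added in the storyboard_https.vhost.erb hunk, and this file now ends without a trailing newline.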
diff --git a/templates/storyboard_https.vhost.erb b/templates/storyboard_https.vhost.erb index 5e9e793..4e3918d 100644 --- a/templates/storyboard_https.vhost.erb +++ b/templates/storyboard_https.vhost.erb @@ -50,5 +50,14 @@ WSGIDaemonProcess storyboard user=<%= scope.lookupvar("storyboard::params::user") %> group=<%= scope.lookupvar("storyboard::params::group") %> threads=5 python-path=/usr/local/lib/python2.7/dist-packages WSGIScriptAlias /api /var/lib/storyboard/storyboard.wsgi WSGIPassAuthorization On + + "> + <% if @new_vhost_perms %> + Require all granted + <% else %> + Order allow,deny + Allow from all + <% end %> +
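Review bot: The control tags in the added block (`<% if @new_vhost_perms %>`, `<% else %>`, `<% end %>`) each leave a whitespace-only line in the rendered vhost, and nothing in the template says why two variants exist. The trimming form, `<%- if @new_vhost_perms -%>` through `<%- end -%>`, keeps the generated file clean. An ERB comment above the branch, such as `<%# Apache 2.4 and later use mod_authz_core syntax; older versions use Order/Allow %>`, would record the intent. The same applies to the identical block in storyboard_http.vhost.erb.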