This patch impliments the survey spec:

I3c389596373b94459a32a4e540d514a2941acbb1 Co-Authored-By: Jeremy Stanley <fungi@yuggoth.org> Change-Id: Iad9e5bde37c467b9930c354f4d0b312b219d05b3 Story: 2000691 Task: 3164
2018-03-30 14:26:01 -04:00 · 2018-03-30 14:26:01 -04:00 · 06bbf62fc4
commit 06bbf62fc4
parent 5d071b7fcc
6 changed files with 340 additions and 0 deletions
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -904,6 +904,28 @@ node /^status\d*\.openstack\.org$/ {
  }
 }

+# Node-OS: xenial
+node /^survey\d+\.openstack\.org$/ {
+  $group = "survey"
+  class { 'openstack_project::server':
+    iptables_public_tcp_ports => [22, 80, 443],
+    sysadmins                 => hiera('sysadmins', []),
+  }
+
+  class { 'openstack_project::survey':
+    vhost_name              => 'survey.openstack.org',
+    auth_openid             => true,
+    ssl_cert_file_contents  => hiera('ssl_cert_file_contents'),
+    ssl_key_file_contents   => hiera('ssl_key_file_contents'),
+    ssl_chain_file_contents => hiera('ssl_chain_file_contents'),
+    dbpassword              => hiera('dbpassword'),
+    dbhost                  => hiera('dbhost'),
+    adminuser               => hiera('adminuser'),
+    adminpass               => hiera('adminpass'),
+    adminmail               => hiera('adminmail'),
+  }
+}
+
 # This is a hidden authoritative master nameserver, not publicly
 # accessible.
 # Node-OS: xenial
--- a/modules/openstack_project/files/puppetmaster/groups.txt
+++ b/modules/openstack_project/files/puppetmaster/groups.txt
@ -15,6 +15,7 @@ nodepool nodepool*.openstack.org:nb*.openstack.org:nl*.openstack.org
 review ~review\d+\.openstack\.org
 review-dev ~review-dev\d*\.openstack\.org
 subunit-worker ~subunit-worker\d+\.openstack\.org
+survey ~survey\d+\.openstack\.org
 translate ~translate\d+\.openstack\.org
 translate-dev ~translate-dev\d*\.openstack\.org
 wiki ~wiki\d+\.openstack\.org
--- a/modules/openstack_project/files/ssl_cert_check/ssldomains
+++ b/modules/openstack_project/files/ssl_cert_check/ssldomains
@ -13,6 +13,7 @@ refstack.openstack.org 443
 review.openstack.org 443
 static.openstack.org 443
 storyboard.openstack.org 443
+survey.openstack.org 443
 translate.openstack.org 443
 wiki.openstack.org 443
 www.openstack.org 443
--- a/modules/openstack_project/manifests/survey.pp
+++ b/modules/openstack_project/manifests/survey.pp
@ -0,0 +1,198 @@
+class openstack_project::survey (
+  $vhost_name = $::fqdn,
+  $ssl_cert_file = '/etc/ssl/certs/survey.openstack.org.pem',
+  $ssl_key_file = '/etc/ssl/private/survey.openstack.org.key',
+  $ssl_chain_file = '/etc/ssl/certs/intermediate.pem',
+  $ssl_cert_file_contents = '',
+  $ssl_key_file_contents = '',
+  $ssl_chain_file_contents = '',
+  $dbpassword = '',
+  $dbhost = '',
+  # Table containing openid auth details. If undef not enabled
+  # Example dict:
+  # {
+  #   banner         => "Welcome",
+  #   singleIdp      => "https://openstackid.org",
+  #   trusted        => '^https://openstackid.org/.*$',
+  #   any_valid_user => false,
+  #   users          => ['https://openstackid.org/foo',
+  #                      'https://openstackid.org/bar'],
+  # }
+  # Note that if you care which users get access set any_valid_user to false
+  # and then provide an explicit list of openids in the users list. Otherwise
+  # set any_valid_user to true and any successfully authenticated user will
+  # get access.
+  $auth_openid = undef,
+  $docroot = '/var/www',
+  $runtime_dir_mode = '0755',
+  $download_url = 'https://github.com/LimeSurvey/LimeSurvey/archive/',
+  $version = '3.7.0+180418',
+  $www_group = 'www-data',
+  $www_user = 'www-data',
+  # These are required for bootstrapping, so do not have defaults.
+  $adminuser,
+  $adminpass,
+  $adminmail,
+) {
+
+  $distro_packages = [
+    'libapache2-mod-php',
+    'php',
+    'php-gd',
+    'php-imap',
+    'php-ldap',
+    'php-mbstring',
+    'php-mcrypt',
+    'php-mysql',
+    'php-xml',
+    'php-zip',
+    'ssl-cert',
+  ]
+
+  package { $distro_packages:
+    ensure => present,
+  }
+
+  exec { 'limesurvey-download':
+    path    => '/bin:/usr/bin',
+    creates => "${docroot}/tmp/runtime",
+    command => "bash -c 'cd /tmp; wget ${download_url}${version}.tar.gz'",
+    require => File[$docroot],
+    user    => $www_user,
+  }
+
+  exec { 'limesurvey-unzip':
+    path    => '/bin:/usr/bin',
+    cwd     => '/tmp',
+    creates => "${docroot}/tmp/runtime",
+    command => "bash -c 'cd /tmp; tar zxf /tmp/${version}.tar.gz -C ${docroot} --strip-components=1'",
+    notify  => Exec['limesurvey-install'],
+    require => Exec['limesurvey-download'],
+    user    => $www_user,
+  }
+
+  exec { 'limesurvey-install':
+    command     => "/usr/bin/php console.php install ${adminuser} ${adminpass} 'Default Administrator' ${adminmail}",
+    cwd         => "${docroot}/application/commands",
+    refreshonly => true,
+    require     => [
+      File["${docroot}/application/config/config.php"],
+      Package[$distro_packages],
+    ],
+    user        => $www_user,
+  }
+
+  file { "/tmp/${version}.tar.gz":
+    ensure  => absent,
+    require => Exec['limesurvey-unzip'],
+  }
+
+  file { "${docroot}/tmp/runtime/":
+    ensure  => directory,
+    mode    => $runtime_dir_mode,
+    require => Exec['limesurvey-install'],
+  }
+
+  file { "${docroot}/application/config/config.php":
+    ensure  => present,
+    owner   => $www_user,
+    group   => $www_group,
+    mode    => '0660',
+    content => template ('openstack_project/survey.config.php.erb'),
+    replace => true,
+    require => Exec['limesurvey-unzip'],
+  }
+
+  include ::httpd
+  ::httpd::vhost { $vhost_name:
+    port     => 443,
+    docroot  => $docroot,
+    priority => '50',
+    template => 'openstack_project/survey.vhost.erb',
+    ssl      => true,
+  }
+
+  if !defined(Mod['rewrite']) {
+    httpd::mod { 'rewrite':
+      ensure => present,
+    }
+  }
+  if ($auth_openid != undef) {
+    if !defined(Package['libapache2-mod-auth-openid']) {
+      package { 'libapache2-mod-auth-openid':
+        ensure => present,
+      }
+    }
+    if !defined(Mod['auth_openid']) {
+      # Workaround for https://bugs.debian.org/759209
+      file { '/etc/apache2/mods-available/auth_openid.load':
+        ensure  => present,
+        content => 'LoadModule authopenid_module /usr/lib/apache2/modules/mod_auth_openid.so',
+        replace => true,
+        require => Package['libapache2-mod-auth-openid'],
+      }
+      httpd::mod { 'auth_openid':
+        ensure  => present,
+        require => File['/etc/apache2/mods-available/auth_openid.load'],
+      }
+    }
+  }
+
+  file { $docroot:
+    ensure => directory,
+    owner  => $www_user,
+    group  => $www_group,
+  }
+
+  file { "${docroot}/robots.txt":
+    ensure  => present,
+    source  => 'puppet:///modules/openstack_project/disallow_robots.txt',
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0444',
+    require => File[$docroot],
+  }
+
+  file { '/etc/ssl/certs':
+    ensure => directory,
+    owner  => 'root',
+    mode   => '0755',
+  }
+
+  file { '/etc/ssl/private':
+    ensure => directory,
+    owner  => 'root',
+    mode   => '0700',
+  }
+
+  if $ssl_cert_file_contents != '' {
+    file { $ssl_cert_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_cert_file_contents,
+      before  => Httpd::Vhost[$vhost_name],
+    }
+  }
+
+  if $ssl_key_file_contents != '' {
+    file { $ssl_key_file:
+      owner   => 'root',
+      group   => 'ssl-cert',
+      mode    => '0640',
+      content => $ssl_key_file_contents,
+      require => Package['ssl-cert'],
+      before  => Httpd::Vhost[$vhost_name],
+    }
+  }
+
+  if $ssl_chain_file_contents != '' {
+    file { $ssl_chain_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_chain_file_contents,
+      before  => Httpd::Vhost[$vhost_name],
+    }
+  }
+}
--- a/modules/openstack_project/templates/survey.config.php.erb
+++ b/modules/openstack_project/templates/survey.config.php.erb
@ -0,0 +1,65 @@
+<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
+/*
+| -------------------------------------------------------------------
+| DATABASE CONNECTIVITY SETTINGS
+| -------------------------------------------------------------------
+| This file will contain the settings needed to access your database.
+|
+| For complete instructions please consult the 'Database Connection'
+| page of the User Guide.
+|
+| -------------------------------------------------------------------
+| EXPLANATION OF VARIABLES
+| -------------------------------------------------------------------
+|
+|    'connectionString' Hostname, database, port and database type for
+|     the connection. Driver example: mysql. Currently supported:
+|                 mysql, pgsql, mssql, sqlite, oci
+|    'username' The username used to connect to the database
+|    'password' The password used to connect to the database
+|    'tablePrefix' You can add an optional prefix, which will be added
+|                 to the table name when using the Active Record class
+|
+*/
+return array(
+        'components' => array(
+                'db' => array(
+                        'connectionString' => 'mysql:host=<%= @dbhost %>;port=3306;dbname=limesurvey;',
+                        'emulatePrepare' => true,
+                        'username' => 'limesurvey',
+                        'password' => '<%= @dbpassword %>',
+                        'charset' => 'utf8mb4',
+                        'tablePrefix' => '',
+                ),
+
+                // Uncomment the following line if you need table-based sessions
+                // 'session' => array (
+                        // 'class' => 'application.core.web.DbHttpSession',
+                        // 'connectionID' => 'db',
+                        // 'sessionTableName' => '{{sessions}}',
+                // ),
+
+                'urlManager' => array(
+                        'urlFormat' => 'path',
+                        'rules' => array(
+                                // You can add your own rules here
+                        ),
+                        'showScriptName' => true,
+                ),
+
+        ),
+        // Use the following config variable to set modified optional settings copied from config-defaults.php
+        'config'=>array(
+        // debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this
+        // then please check your error-logs - either in your hosting provider admin panel or in some /logs directory
+        // on your webspace.
+        // LimeSurvey developers: Set this to 2 to additionally display STRICT PHP error messages and get full access to standard templates
+                'debug'=>0,
+                'debugsql'=>0, // Set this to 1 to enanble sql logging, only active when debug = 2
+                // Update default LimeSurvey config here
+                'auth_webserver'=>true,
+                'auth_webserver_autocreate_user'=>true,
+        )
+);
+/* End of file config.php */
+/* Location: ./application/config/config.php */
--- a/modules/openstack_project/templates/survey.vhost.erb
+++ b/modules/openstack_project/templates/survey.vhost.erb
@ -0,0 +1,53 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+<VirtualHost <%= @vhost_name %>:80>
+  ServerName <%= @srvname %>
+  ReWriteEngine On
+  ReWriteRule ^/(.*) https://<%= @srvname %>/$1 [last,redirect=permanent]
+  LogLevel warn
+  ErrorLog /var/log/apache2/<%= @name %>_error.log
+  CustomLog /var/log/apache2/<%= @name %>_access.log combined
+  ServerSignature Off
+</VirtualHost>
+
+<VirtualHost <%= @vhost_name %>:<%= @port %>>
+  ServerName <%= @srvname %>
+
+  DocumentRoot <%= @docroot %>
+  <Directory <%= @docroot %>>
+    Options <%= @options %>
+    AllowOverride None
+    Order allow,deny
+    allow from all
+    Require all granted
+  </Directory>
+
+  <% if @auth_openid != nil %>
+    <Location /index.php/admin/>
+      AuthType OpenID
+      AuthName "Welcome"
+      AuthOpenIDSecureCookie On
+      AuthOpenIDCookieLifespan 3600
+      AuthOpenIDTrustRoot https://survey01.openstack.org
+      AuthOpenIDServerName https://survey01.openstack.org
+      AuthOpenIDSingleIdP https://openstackid.org
+      AuthOpenIDTrusted ^https://openstackid.org/.*$
+      Require valid-user
+    </Location>
+  <% end %>
+
+  SSLEngine on
+  SSLProtocol ALL -SSLv2 -SSLv3
+  SSLCertificateFile <%= scope.lookupvar("openstack_project::survey::ssl_cert_file") %>
+  SSLCertificateKeyFile <%= scope.lookupvar("openstack_project::survey::ssl_key_file") %>
+  <% if scope.lookupvar("openstack_project::survey::ssl_chain_file") != "" %>
+    SSLCertficateChainFile <%= scope.lookupvar("openstack_project::survey::ssl_chain_file") %>
+  <% end %>
+
+  ErrorLog /var/log/apache2/<%= @name %>_error.log
+  LogLevel warn
+  CustomLog /var/log/apache2/<%= @name %>_access.log combined
+  ServerSignature Off
+</VirtualHost>