Update cookbooks and add wordpress cookbook

2016-02-19 18:09:49 +01:00
parent 9ba973e3ac
commit 820b0ab3f8
606 changed files with 22421 additions and 14084 deletions
--- a/cookbooks/firewall/libraries/provider_firewall_ufw.rb
+++ b/cookbooks/firewall/libraries/provider_firewall_ufw.rb
@@ -17,18 +17,25 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-require 'poise'
-
 class Chef
-  class Provider::FirewallUfw < Provider
-    include Poise
-    include Chef::Mixin::ShellOut
+  class Provider::FirewallUfw < Chef::Provider::LWRPBase
+    include FirewallCookbook::Helpers::Ufw

-    def action_enable
-      converge_by('install ufw, template some defaults, and ufw enable') do
+    provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
+      !(node['firewall'] && node['firewall']['ubuntu_iptables'])
+    end
+
+    def whyrun_supported?
+      false
+    end
+
+    action :install do
+      next if disabled?(new_resource)
+
+      converge_by('install ufw, create template for /etc/default') do
        package 'ufw' do
-          action :nothing
-        end.run_action(:install) # need this now if running in a provider
+          action :install
+        end

        template '/etc/default/ufw' do
          action [:create]
@@ -37,40 +44,87 @@ class Chef
          mode '0644'
          source 'ufw/default.erb'
          cookbook 'firewall'
-          action :nothing
-        end.run_action(:create) # need this now if running in a provider
+        end

-        # new_resource.subresources contains all the firewall rules
-        if active?
-          Chef::Log.debug("#{new_resource} already enabled.")
-        else
-          shell_out!('ufw', 'enable', :input => 'yes')
-          Chef::Log.info("#{new_resource} enabled")
-          if new_resource.log_level
-            shell_out!('ufw', 'logging', new_resource.log_level.to_s)
-            Chef::Log.info("#{new_resource} logging enabled at '#{new_resource.log_level}' level")
-          end
-          new_resource.updated_by_last_action(true)
+        file "create empty #{ufw_rules_filename}" do
+          path ufw_rules_filename
+          content '# created by chef to allow service to start'
+          not_if { ::File.exist?(ufw_rules_filename) }
        end
      end
    end

-    def action_disable
-      if active?
-        shell_out!('ufw', 'disable')
-        Chef::Log.info("#{new_resource} disabled")
+    action :restart do
+      next if disabled?(new_resource)
+
+      # ensure it's initialized
+      new_resource.rules({}) unless new_resource.rules
+      new_resource.rules['ufw'] = {} unless new_resource.rules['ufw']
+
+      # this populates the hash of rules from firewall_rule resources
+      firewall_rules = run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
+      firewall_rules.each do |firewall_rule|
+        next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
+
+        # build rules to apply with weight
+        k = build_rule(firewall_rule)
+        v = firewall_rule.position
+
+        # unless we're adding them for the first time.... bail out.
+        unless new_resource.rules['ufw'].key?(k) && new_resource.rules['ufw'][k] == v
+          new_resource.rules['ufw'][k] = v
+        end
+      end
+
+      # ensure a file resource exists with the current ufw rules
+      begin
+        ufw_file = run_context.resource_collection.find(file: ufw_rules_filename)
+      rescue
+        ufw_file = file ufw_rules_filename do
+          action :nothing
+        end
+      end
+      ufw_file.content build_rule_file(new_resource.rules['ufw'])
+      ufw_file.run_action(:create)
+
+      # if the file was changed, restart iptables
+      if ufw_file.updated_by_last_action?
+        ufw_reset!
+        ufw_logging!(new_resource.log_level) if new_resource.log_level
+
+        new_resource.rules['ufw'].sort_by { |_k, v| v }.map { |k, _v| k }.each do |cmd|
+          ufw_rule!(cmd)
+        end
+
+        # ensure it's enabled _after_ rules are inputted, to catch malformed rules
+        ufw_enable! unless ufw_active?
        new_resource.updated_by_last_action(true)
-      else
-        Chef::Log.debug("#{new_resource} already disabled.")
      end
    end

-    private
+    action :disable do
+      next if disabled?(new_resource)

-    def active?
-      @active ||= begin
-        cmd = shell_out!('ufw', 'status')
-        cmd.stdout =~ /^Status:\sactive/
+      file "create empty #{ufw_rules_filename}" do
+        path ufw_rules_filename
+        content '# created by chef to allow service to start'
+      end
+
+      if ufw_active?
+        ufw_disable!
+        new_resource.updated_by_last_action(true)
+      end
+    end
+
+    action :flush do
+      next if disabled?(new_resource)
+
+      ufw_reset!
+      new_resource.updated_by_last_action(true)
+
+      file "create empty #{ufw_rules_filename}" do
+        path ufw_rules_filename
+        content '# created by chef to allow service to start'
      end
    end
  end