Merge branch 'feature/127-new_ldap_dir_structure' of kosmos/chef into master

2020-02-20 13:29:05 +00:00 · 2020-02-20 13:29:05 +00:00 · c01f5c1038
commit c01f5c1038
parent afaff86551 90a0e6be9f
6 changed files with 47 additions and 40 deletions
--- a/data_bags/credentials/ejabberd.json
+++ b/data_bags/credentials/ejabberd.json
@ -1,16 +1,23 @@
 {
  "id": "ejabberd",
  "5apps_ldap_password": {
-    "encrypted_data": "LRafA47WMyuQe5KA4oOc6i/pTflwpG8Gq8v7cvsTr51XwJD62i9L\n",
+    "encrypted_data": "mfV9TyC4OM055JnyV73mq4qY840pH1tZC9LnIaA3A80CY2kVteC4\n",
-    "iv": "CSvV2mbofDQP4T42\n",
+    "iv": "gpEC3IK9BN9RkaYz\n",
-    "auth_tag": "PERdYnrFKGs+HaPBD6Um+A==\n",
+    "auth_tag": "WXYWOjUCgEw5OR5VMh+Enw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "kosmos_ldap_password": {
    "encrypted_data": "Q9znUOIIXU+XsPWet4rDCjHsPPxlA3EfNTkEER/EdfoCajd1Txuh\n",
    "iv": "7SAOAwSU8rZGopB1\n",
    "auth_tag": "X8yIyw2BFbQMAVTMYLA67g==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "admins": {
-    "encrypted_data": "D1fEa5S7ADU4tornw/FdcDifE6CzqM6TrLliWYxQ1AxwAuewdh0G2OfgjKOt\nvvibgIEMkr83FkX4La2wOjW8X6/DpBiyeys9RznVD4s0jmSaCG7qGHask3+R\nFLRl0gcYFCPkQopIAYihjnwvm9t1MwPXPF9c7B7rN5W2VvctQ9OEN3MgboHl\n",
+    "encrypted_data": "xKtiBOgn4ysJt4byry31cVJUHEsatWDwHEzEve/N5NxTOh1f4QBD+Q68IYzv\nV0ulBjtW91yFcQqKNx/prAVcK3khbnsEzg8uoub9o6hSMwp16LL5x/u6T6u2\n5DwWBEy08yuaujkko57ir0Yv7mfRedT1i5SaH9pgg5VLm56G/PXrlPFfjwaU\n",
-    "iv": "IgodYNr3muNTfkhX\n",
+    "iv": "fpL3EA1VbXxxi+yq\n",
-    "auth_tag": "OJ42GSFtEp/KCxSIGhdbVg==\n",
+    "auth_tag": "iJMJAmw5gHWLFJM5kdzR9A==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/data_bags/credentials/mediawiki.json
+++ b/data_bags/credentials/mediawiki.json
@ -1,15 +1,31 @@
 {
  "id": "mediawiki",
  "antispam_key": {
-    "encrypted_data": "0geoVeZ/umKaBCbhDfxkacWt4sWQBHrRxYGTSsaC5gw=\n",
+    "encrypted_data": "OD5RrVaQoUFbGV1Xs6i3hqZ024IJsbOC4CAWzrw5jQ==\n",
-    "iv": "YxwNvI3HXeMZRHFpv+QLcQ==\n",
+    "iv": "8sfvTg7uGe1ofS2C\n",
-    "version": 1,
+    "auth_tag": "hquilck+xxOQqHjE+szPgA==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "db_pass": {
-    "encrypted_data": "aQ1soJeRPq9TQuDglkXrl10rIx5RpBNd5HltKVsYgLHedS5zXy8ylBhNdgBW\nb6slPhsbAB9d45aZAac7LUSbMIDIg8P+Zdx/0+IaEuwcpuQ=\n",
+    "encrypted_data": "2IntmJdBmfGyHghAXDJnaew58u9dvjKCz/q1Uivs8Q+nH3wVqARkf52BIHhZ\nbIHY3cy50EwcKTxDcr1arQFmb88cKBxt\n",
-    "iv": "RDS39dqjBPO0CyyANsa+2g==\n",
+    "iv": "pkCrp07s4LJfaPmq\n",
-    "version": 1,
+    "auth_tag": "yBsriBc/X2bP6v25NY3cSg==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "ldap_user": {
    "encrypted_data": "l/Q63Mvm/tANfvZ+1ijjTB1lpirOhAjWDz4k+R1OkzYIXQNwo6VM2saTH2eu\nBNHFLTyUSMqzlAcq6OvH++En05wk\n",
    "iv": "y+n/Lo8t6O3Ab4/+\n",
    "auth_tag": "7eHYjF8A0T611Y+JT1GeJg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "ldap_password": {
    "encrypted_data": "+qYb9F/f9QRRCTsMoRIyWWVQyCSLcQRHSPWD2Nf7z7Kauywh1zIg\n",
    "iv": "sivNzq6G+mScbRnn\n",
    "auth_tag": "ybUpDlIOJm0bsqlY5qt1xA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
 }
--- a/site-cookbooks/kosmos-ejabberd/metadata.rb
+++ b/site-cookbooks/kosmos-ejabberd/metadata.rb
@ -4,7 +4,7 @@ maintainer_email 'ops@kosmos.org'
 license 'MIT'
 description 'Installs/Configures kosmos-ejabberd'
 long_description 'Installs/Configures kosmos-ejabberd'
-version '0.1.2'
+version '0.2.0'
 chef_version '>= 12.14' if respond_to?(:chef_version)
 # The `issues_url` points to the location where issues for this cookbook are
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@ -61,7 +61,8 @@ hosts = [
  {
    name: "kosmos.org",
    sql_database: "ejabberd",
-    ldap_enabled: false,
+    ldap_enabled: true,
    ldap_password: ejabberd_credentials['kosmos_ldap_password'],
    append_host_config: <<-EOF
 modules:
      mod_muc:
@ -134,6 +135,7 @@ hosts.each do |host|
              ldap_base: ldap_base,
              ldap_server: ldap_domain,
              ldap_encryption_type: ldap_encryption_type
    notifies :run, "execute[ejabberdctl reload_config]", :delayed
  end
 end
--- a/site-cookbooks/kosmos-mediawiki/metadata.rb
+++ b/site-cookbooks/kosmos-mediawiki/metadata.rb
@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
 license          'MIT'
 description      'Installs/Configures kosmos-mediawiki'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.2.1'
+version          '0.3.0'
 depends "mediawiki"
 depends "ark"
--- a/site-cookbooks/kosmos-mediawiki/recipes/default.rb
+++ b/site-cookbooks/kosmos-mediawiki/recipes/default.rb
@ -39,8 +39,8 @@ node.override['mediawiki']['server_name']     = server_name
 node.override['mediawiki']['site_name']       = 'Kosmos Wiki'
 protocol = node.chef_environment == "development" ? "http" : "https"
 node.override['mediawiki']['server']          = "#{protocol}://#{server_name}"
-mysql_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mysql')
+mysql_credentials = data_bag_item('credentials', 'mysql')
-mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')
+mediawiki_credentials = data_bag_item('credentials', 'mediawiki')
 node.override['mediawiki']['db']['root_password'] = mysql_credentials["root_password"]
 node.override['mediawiki']['db']['pass'] = mediawiki_credentials["db_pass"]
@ -167,15 +167,6 @@ if node["mediawiki"]["ldap_enabled"]
    action :dump
  end
  ark "LDAPAuthorization" do
    url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthorization-REL1_31-118f0eb.tar.gz"
    path "#{node['mediawiki']['webdir']}/extensions"
    owner node["nginx"]["user"]
    group node["nginx"]["group"]
    mode 0750
    action :dump
  end
  ark "LDAPAuthentication2" do
    url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthentication2-REL1_31-8bd6bc8.tar.gz"
    path "#{node['mediawiki']['webdir']}/extensions"
@ -187,10 +178,9 @@ if node["mediawiki"]["ldap_enabled"]
  package "php-ldap"
  ldap_credentials = data_bag_item("credentials", "dirsrv")
  ldap_domain = node['kosmos-dirsrv']['master_hostname']
  ldap_encryption_type = node.chef_environment == "development" ? "clear" : "tls"
-  ldap_base = "ou=users,dc=kosmos,dc=org"
+  ldap_base = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
 end
 ruby_block "configuration" do
@ -260,8 +250,8 @@ $LDAPProviderDomainConfigProvider = function()
            "connection" => [
                "server" => "#{ldap_domain}",
                "enctype" => "#{ldap_encryption_type}",
-                "user" => "cn=Directory Manager",
+                "user" => "#{mediawiki_credentials['ldap_user']}",
-                "pass" => "#{ldap_credentials['admin_password']}",
+                "pass" => "#{mediawiki_credentials['ldap_password']}",
                "basedn" => "#{ldap_base}",
                "groupbasedn" => "#{ldap_base}",
                "userbasedn" => "#{ldap_base}",
@ -270,13 +260,6 @@ $LDAPProviderDomainConfigProvider = function()
                "usernameattribute" => "uid",
                "realnameattribute" => "cn",
                "emailattribute" => "mail"
            ],
            "authorization" => [
                "rules" => [
                        "attributes" => [
                                        "wiki" => "enabled"
                    ]
                ]
            ]
        ]
    ];
@ -288,7 +271,6 @@ $LDAPProviderDomainConfigProvider = function()
 $wgPluggableAuth_ButtonLabel = 'Log in';
 wfLoadExtension( 'LDAPProvider' );
 wfLoadExtension( 'PluggableAuth' );
 wfLoadExtension( 'LDAPAuthorization' );
 wfLoadExtension( 'LDAPAuthentication2' );
 # Disable account creation page, since this is not possible to create an account
 # when only LDAP login is enabled