Initial Chef repository

cookbooks/ufw/recipes/databag.rb

@@ -0,0 +1,58 @@
+#
+# Author:: Matt Ray <matt@opscode.com>
+# Cookbook Name:: ufw
+# Recipe:: databag
+#
+# Copyright 2011, Opscode, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#flatten the run_list to just the names of the roles and recipes in order
+def run_list_names(run_list)
+  names = []
+  run_list.each do |entry|
+    Chef::Log.debug "ufw::databag:run_list_names+name: #{entry.name}"
+    if entry.name.index('::') #cookbook::recipe
+      names.push(entry.name.sub('::', '__'))
+    else
+      names.push(entry.name)
+    end
+    if entry.role?
+      rol = search(:role, "name:#{entry.name}")[0]
+      names.concat(run_list_names(rol.run_list))
+    end
+  end
+  Chef::Log.debug "ufw::databag:run_list_names+names: #{names}"
+  return names
+end
+
+rlist = run_list_names(node.run_list)
+rlist.uniq!
+Chef::Log.debug "ufw::databag:rlist: #{rlist}"
+
+fw_db = data_bag('firewall')
+Chef::Log.debug "ufw::databag:firewall:#{fw_db}"
+
+rlist.each do |entry|
+  Chef::Log.debug "ufw::databag: \"#{entry}\""
+  if fw_db.member?(entry)
+    #add the list of firewall rules to the current list
+    item = data_bag_item('firewall', entry)
+    rules = item['rules']
+    node.set['firewall']['rules'].concat(rules) unless rules.nil?
+  end
+end
+
+#now go apply the rules
+include_recipe "ufw::default"

cookbooks/ufw/recipes/default.rb

@@ -0,0 +1,90 @@
+#
+# Author:: Matt Ray <matt@opscode.com>
+# Cookbook Name:: ufw
+# Recipe:: default
+#
+# Copyright 2011, Opscode, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package "ufw"
+
+old_state = node['firewall']['state']
+new_state = node['firewall']['rules'].to_s
+Chef::Log.debug "Old firewall state:#{old_state}"
+Chef::Log.debug "New firewall state:#{new_state}"
+
+#check to see if the firewall rules changed.
+#the rules are always changed the first run
+if old_state == new_state
+  Chef::Log.info "Firewall rules unchanged."
+else
+  Chef::Log.info "Firewall rules updated."
+  node.set['firewall']['state'] = new_state
+
+  #drop rules and re-enable
+  execute "ufw --force reset"
+
+  firewall "ufw" do
+    action :enable
+  end
+
+  #leave this on by default
+  firewall_rule "ssh" do
+    port 22
+    action :allow
+  end
+
+  node['firewall']['rules'].each do |rule_mash|
+    Chef::Log.debug "ufw:rule \"#{rule_mash}\""
+    rule_mash.keys.each do |rule|
+      Chef::Log.debug "ufw:rule:name \"#{rule}\""
+      params = rule_mash[rule]
+      Chef::Log.debug "ufw:rule:parameters \"#{params}\""
+      Chef::Log.debug "ufw:rule:name #{params['name']}" if params['name']
+      Chef::Log.debug "ufw:rule:protocol #{params['protocol']}" if params['protocol']
+      Chef::Log.debug "ufw:rule:direction #{params['direction']}" if params['direction']
+      Chef::Log.debug "ufw:rule:interface #{params['interface']}" if params['interface']
+      Chef::Log.debug "ufw:rule:logging #{params['logging']}" if params['logging']
+      Chef::Log.debug "ufw:rule:port #{params['port']}" if params['port']
+      Chef::Log.debug "ufw:rule:port_range #{params['port_range']}" if params['port_range']
+      Chef::Log.debug "ufw:rule:source #{params['source']}" if params['source']
+      Chef::Log.debug "ufw:rule:destination #{params['destination']}" if params['destination']
+      Chef::Log.debug "ufw:rule:dest_port #{params['dest_port']}" if params['dest_port']
+      Chef::Log.debug "ufw:rule:position #{params['position']}" if params['position']
+      act = params['action']
+      act ||= "allow"
+      raise "ufw: port_range was specified to firewall_rule without protocol" if params['port_range'] && !params['protocol']
+      Chef::Log.debug "ufw:rule:action :#{act}"
+      firewall_rule rule do
+        name params['name'] if params['name']
+        protocol params['protocol'].to_sym if params['protocol']
+        direction params['direction'].to_sym if params['direction']
+        interface params['interface'] if params['interface']
+        logging params['logging'].to_sym if params['logging']
+        port params['port'].to_i if params['port']
+	if params['port_range']
+	  ends = params['port_range'].split('..').map{|d| Integer(d)}
+	  port_range ends[0]..ends[1]
+	end
+        source params['source'] if params['source']
+        destination params['destination'] if params['destination']
+        dest_port params['dest_port'].to_i if params['dest_port']
+        position params['position'].to_i if params['position']
+        action act
+      end
+    end
+  end
+
+end

cookbooks/ufw/recipes/disable.rb

@@ -0,0 +1,23 @@
+#
+# Author:: Matt Ray <matt@opscode.com>
+# Cookbook Name:: ufw
+# Recipe:: disable
+#
+# Copyright 2011, Opscode, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+firewall "ufw" do
+  action :disable
+end

cookbooks/ufw/recipes/recipes.rb

@@ -0,0 +1,41 @@
+#
+# Author:: Matt Ray <matt@opscode.com>
+# Cookbook Name:: ufw
+# Recipe:: recipes
+#
+# Copyright 2011, Opscode, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# expand and parse the node's runlist for recipes and find attributes of the form node[<recipe>]['firewall']['rules']
+# append them to the node['firewall']['rules'] array attribute
+node.expand!.recipes.each do |recipe|
+  Chef::Log.debug "ufw::recipes: #{recipe}"
+  cookbook = recipe.split('::')[0]
+  #get the cookbook attributes if there are any
+  if recipe != cookbook and node[cookbook] and node[cookbook]['firewall'] and node[cookbook]['firewall']['rules']
+    rules = node[cookbook]['firewall']['rules']
+    Chef::Log.debug "ufw::recipes:#{cookbook}:rules #{rules}"
+    node.set['firewall']['rules'].concat(rules) unless rules.nil?
+  end
+  #get the recipe attributes if there are any
+  if node[recipe] and node[recipe]['firewall'] and node[recipe]['firewall']['rules']
+    rules = node[recipe]['firewall']['rules']
+    Chef::Log.debug "ufw::recipes:#{recipe}:rules #{rules}"
+    node.set['firewall']['rules'].concat(rules) unless rules.nil?
+  end
+end
+
+#now go apply the rules
+include_recipe "ufw::default"

cookbooks/ufw/recipes/securitylevel.rb

@@ -0,0 +1,41 @@
+#
+# Author:: Matt Ray <matt@opscode.com>
+# Cookbook Name:: ufw
+# Recipe:: securitylevel
+#
+# Copyright 2011, Opscode, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+securitylevel = node['firewall']['securitylevel']
+
+Chef::Log.info "ufw::securitylevel:#{securitylevel}"
+
+#verify that only 1 "color" security group is applied"
+count = node.expand!.roles.count {|role| role =~ /SecurityLevel-(Red|Green|Yellow)/ }
+if count > 1
+  raise Chef::Exceptions::AmbiguousRunlistSpecification, "conflicting SecurityLevel-'color' roles, only 1 may be applied."
+end
+
+case securitylevel
+when 'red'
+  #put special stuff for red here
+when 'yellow'
+  #put special stuff for red here
+when 'green'
+  #put special stuff for red here
+end
+
+#now go apply the rules
+include_recipe "ufw::default"