From 3cb54deea39a79d1134824758e6e2419e4afa27d Mon Sep 17 00:00:00 2001
From: Bradley Bishop
Date: Sat, 4 Feb 2023 11:06:29 -0500
Subject: [PATCH 1/8] Added manage epel repo flag to be passed in.
---
 manifests/init.pp | 1 +
 manifests/params.pp | 2 ++
 manifests/repo.pp | 2 +-
 3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 19fce3e4..fb771b02 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -262,6 +262,7 @@
 $version = 'present',
 String $python_version = 'system',
 St2::Repository $repository = $st2::params::repository,
+ $manage_epel_repo = $st2::params::manage_epel_repo,
 $conf_dir = $st2::params::conf_dir,
 $conf_file = "${st2::params::conf_dir}/st2.conf",
 $use_ssl = $st2::params::use_ssl,
diff --git a/manifests/params.pp b/manifests/params.pp
index 0b36fd76..e99bf938 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -55,6 +55,8 @@
 $conf_dir = '/etc/st2'
 $datstore_keys_dir = "${conf_dir}/keys"
+ $manage_epel_repo = true
+
 $st2_server_packages = [
 'st2',
 ]
diff --git a/manifests/repo.pp b/manifests/repo.pp
index 4ef6af3f..e684d74b 100644
--- a/manifests/repo.pp
+++ b/manifests/repo.pp
@@ -17,7 +17,7 @@
 class st2::repo (
 Enum['present', 'absent'] $ensure = 'present',
 St2::Repository $repository = $st2::repository,
- Boolean $manage_epel_repo = true,
+ Boolean $manage_epel_repo = $st2::manage_epel_repo,
 ) inherits st2 {
 case $facts['os']['family'] {
 'RedHat': {
From 859e44fba22fa3ff9bee220fe72079b9ecc8285f Mon Sep 17 00:00:00 2001
From: Bradley Bishop
Date: Sat, 4 Feb 2023 15:42:26 -0500
Subject: [PATCH 2/8] Fixing epel dependancy
---
 manifests/profile/rabbitmq.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/manifests/profile/rabbitmq.pp b/manifests/profile/rabbitmq.pp
index e5c6eeab..dd69f12a 100644
--- a/manifests/profile/rabbitmq.pp
+++ b/manifests/profile/rabbitmq.pp
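Review bot: The new `$manage_epel_repo` parameter in init.pp is declared without a type, while the neighbouring `String $python_version` and `St2::Repository $repository` are typed and repo.pp in this same patch declares it as `Boolean $manage_epel_repo`, so a non-boolean value only fails inside `st2::repo` instead of at the module entry point. Declare it `Boolean $manage_epel_repo = $st2::params::manage_epel_repo,` to fail early and to match the profile classes. The same untyped pattern recurs for `$manage_epel_repo` in the rabbitmq profile (patch 2), for `$python_use_epel_repo`, `$redis_manage_repo` and `$manage_datastore_key` in the init.pp hunks of patch 4, and for `$datastore_hmac_size`, `$datastore_aes_mode` and `$datastore_aes_size` in patch 6, where the template already expects `Integer` and `String`. The class parameter list continues outside the hunk.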
@@ -36,6 +36,7 @@
 $erlang_rhel_sslverify = $st2::erlang_rhel_sslverify,
 $erlang_rhel_gpgcheck = $st2::erlang_rhel_gpgcheck,
 $erlang_rhel_repo_gpgcheck = $st2::erlang_rhel_repo_gpgcheck,
+ $manage_epel_repo = $st2::manage_epel_repo,
 ) inherits st2 {
 # RHEL 8 Requires another repo in addition to epel to be installed
@@ -127,7 +128,7 @@
 }
 # RHEL needs EPEL installed prior to rabbitmq
- if $facts['os']['family'] == 'RedHat' {
+ if (($facts['os']['family'] == 'RedHat') and ($manage_epel_repo == true)) {
 Class['epel'] -> Class['rabbitmq']
From 2f719d079e9626a7a59f002bdb0f662b781bca49 Mon Sep 17 00:00:00 2001
From: Bradley Bishop
Date: Sat, 4 Feb 2023 16:16:21 -0500
Subject: [PATCH 3/8] Adding epel override.
---
 manifests/profile/python.pp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/manifests/profile/python.pp b/manifests/profile/python.pp
index c3457a69..cd1f4996 100644
--- a/manifests/profile/python.pp
+++ b/manifests/profile/python.pp
@@ -20,7 +20,8 @@
 # include st2::profile::python
 #
 class st2::profile::python (
- String $version = $st2::python_version,
+ String $version = $st2::python_version,
+ Boolean $manage_epel_repo = $st2::manage_epel_repo,
 ) inherits st2 {
 notice("Python version: ${version}")
 if !defined(Class['python']) {
@@ -29,6 +30,7 @@
 version => $version,
 dev => present,
 manage_pip_package => false,
+ use_epel => $manage_epel_repo,
 }
 }
 }
From ceafc271732d9d86fb4768121f0ce3966af1525d Mon Sep 17 00:00:00 2001
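Review bot: The rewritten condition compares a Boolean against `true` and wraps each operand in its own parentheses, which is not how the rest of this series tests flags (`if $manage_datastore_key {` in patch 4); the idiomatic form is `if $facts['os']['family'] == 'RedHat' and $manage_epel_repo {`. When `$manage_epel_repo` is false the `Class['epel'] -> Class['rabbitmq']` ordering silently disappears, so a catalog that still declares `Class['epel']` from elsewhere loses the EPEL-before-rabbitmq guarantee; a comment above the `if` such as `# When the epel repo is not managed here, the caller is responsible for ordering EPEL before rabbitmq` would make that intent explicit. The `if` body appears to continue past the lines visible in the hunk.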
From: Bradley Bishop
Date: Sun, 5 Feb 2023 18:20:58 -0500
Subject: [PATCH 4/8] Adding individual overrides for each epel install. Adding datastore_key template and override to allow direct management of the keys for servers that need to share the same datastore_key.
---
 manifests/init.pp | 5 +++
 manifests/params.pp | 7 ++++
 manifests/profile/python.pp | 6 +--
 manifests/profile/redis.pp | 6 ++-
 manifests/server/datastore_keys.pp | 53 +++++++++++++++++--------
 templates/server/datastore_key.json.epp | 4 ++
 6 files changed, 59 insertions(+), 22 deletions(-)
 create mode 100644 templates/server/datastore_key.json.epp
diff --git a/manifests/init.pp b/manifests/init.pp
index fb771b02..cdb3ca07 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -263,6 +263,8 @@
 String $python_version = 'system',
 St2::Repository $repository = $st2::params::repository,
 $manage_epel_repo = $st2::params::manage_epel_repo,
+ $python_use_epel_repo = $st2::params::python_use_epel_repo,
+ $redis_manage_repo = $st2::params::redis_manage_repo,
 $conf_dir = $st2::params::conf_dir,
 $conf_file = "${st2::params::conf_dir}/st2.conf",
 $use_ssl = $st2::params::use_ssl,
@@ -308,6 +310,9 @@
 $ng_init = true,
 $datastore_keys_dir = $st2::params::datstore_keys_dir,
 $datastore_key_path = "${st2::params::datstore_keys_dir}/datastore_key.json",
+ $manage_datastore_key = $st2::params::manage_datastore_key,
+ $datastore_aes_key = $st2::params::datastore_aes_key,
+ $datastore_hmac_key = $st2::params::datastore_hmac_key,
 $nginx_basicstatus_enabled = $st2::params::basicstatus_enabled,
 $nginx_basicstatus_port = $st2::params::basicstatus_port,
 $nginx_manage_repo = true,
diff --git a/manifests/params.pp b/manifests/params.pp
index e99bf938..c79648c8 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
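Review bot: `$datastore_aes_key` and `$datastore_hmac_key` in the second init.pp hunk carry the symmetric keys that protect the st2 datastore, yet they are declared as plain untyped parameters; as plain strings their values can appear in clear text in the compiled catalog, in agent reports and in any debug output of the master. Declaring them `Sensitive[String] $datastore_aes_key = ...` and `Sensitive[String] $datastore_hmac_key = ...` keeps them redacted end-to-end, and the same typing belongs on the matching parameters of `st2::server::datastore_keys` in this patch. Because params.pp defaults both to `''`, an `Optional[Sensitive[String]]` with an `undef` default would also let the class distinguish "not supplied" from "empty". The parameter list continues outside the hunk.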
@@ -55,7 +55,14 @@
 $conf_dir = '/etc/st2'
 $datstore_keys_dir = "${conf_dir}/keys"
+ # Datastore
+ $manage_datastore_key = false
+ $datastore_aes_key = ''
+ $datastore_hmac_key = ''
+
 $manage_epel_repo = true
+ $python_use_epel_repo = true
+ $redis_manage_repo = false
 $st2_server_packages = [
 'st2',
diff --git a/manifests/profile/python.pp b/manifests/profile/python.pp
index cd1f4996..3bab45ba 100644
--- a/manifests/profile/python.pp
+++ b/manifests/profile/python.pp
@@ -20,8 +20,8 @@
 # include st2::profile::python
 #
 class st2::profile::python (
- String $version = $st2::python_version,
- Boolean $manage_epel_repo = $st2::manage_epel_repo,
+ String $version = $st2::python_version,
+ Boolean $python_use_epel_repo = $st2::python_use_epel_repo,
 ) inherits st2 {
 notice("Python version: ${version}")
 if !defined(Class['python']) {
@@ -30,7 +30,7 @@
 version => $version,
 dev => present,
 manage_pip_package => false,
- use_epel => $manage_epel_repo,
+ use_epel => $python_use_epel_repo,
 }
 }
 }
diff --git a/manifests/profile/redis.pp b/manifests/profile/redis.pp
index dc81e6e0..e313af85 100644
--- a/manifests/profile/redis.pp
+++ b/manifests/profile/redis.pp
@@ -12,11 +12,13 @@
 # }
 #
 class st2::profile::redis (
- String $bind_ip = $st2::redis_bind_ip,
+ String $bind_ip = $st2::redis_bind_ip,
+ Boolean $redis_manage_repo = $st2::redis_manage_repo,
 ) inherits st2 {
 class { 'redis':
- bind => $bind_ip,
+ bind => $bind_ip,
+ manage_repo => $redis_manage_repo
 }
 contain redis
diff --git a/manifests/server/datastore_keys.pp b/manifests/server/datastore_keys.pp
index 269ee225..34b6e938 100644
--- a/manifests/server/datastore_keys.pp
+++ b/manifests/server/datastore_keys.pp
@@ -17,9 +17,12 @@
 # }
 #
 class st2::server::datastore_keys (
- $conf_file = $st2::conf_file,
- $keys_dir = $st2::datastore_keys_dir,
- $key_path = $st2::datastore_key_path,
+ $conf_file = $st2::conf_file,
+ $keys_dir = $st2::datastore_keys_dir,
+ $key_path = $st2::datastore_key_path,
+ $manage_datastore_key = $st2::manage_datastore_key,
+ $datastore_aes_key = $st2::datastore_aes_key,
+ $datastore_hmac_key = $st2::datastore_hmac_key,
 ) inherits st2 {
 ## Directory
 file { $keys_dir:
@@ -30,21 +33,37 @@
 require => Package['st2'],
 }
- ## Generate
- exec { "generate datastore key ${key_path}":
- command => "st2-generate-symmetric-crypto-key --key-path ${key_path}",
- creates => $key_path,
- path => ['/opt/stackstorm/st2/bin'],
- notify => Service['st2api'],
- }
+ if $manage_datastore_key {
+ file { $key_path:
+ ensure => file,
+ path => $key_path,
+ content => epp('st2/server/datastore_key.json.epp', {
+ datastore_hmac_key => $datastore_hmac_key,
+ datastore_aes_key => $datastore_aes_key,
+ }),
+ owner => 'st2',
+ group => 'st2',
+ mode => '0600',
+ notify => Service['st2api'],
+ require => Package['st2'],
+ }
+ } else {
+ ## Generate
+ exec { "generate datastore key ${key_path}":
+ command => "st2-generate-symmetric-crypto-key --key-path ${key_path}",
+ creates => $key_path,
+ path => ['/opt/stackstorm/st2/bin'],
+ notify => Service['st2api'],
+ }
- ## Permissions
- file { $key_path:
- ensure => file,
- owner => 'st2',
- group => 'st2',
- mode => '0600',
- require => Package['st2'],
+ ## Permissions
+ file { $key_path:
+ ensure => file,
+ owner => 'st2',
+ group => 'st2',
+ mode => '0600',
+ require => Package['st2'],
+ }
 }
 ## Config
diff --git a/templates/server/datastore_key.json.epp b/templates/server/datastore_key.json.epp
new file mode 100644
index 00000000..5422aefe
--- /dev/null
+++ b/templates/server/datastore_key.json.epp
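Review bot: The `file { $key_path: }` resource in the new `if $manage_datastore_key` branch renders whatever `$datastore_aes_key` and `$datastore_hmac_key` hold, and params.pp in this patch defaults both to `''`, so enabling `manage_datastore_key` without supplying keys writes a key file with empty key strings instead of failing the run. A guard at the top of the branch, `if $datastore_aes_key == '' or $datastore_hmac_key == '' { fail('manage_datastore_key requires datastore_aes_key and datastore_hmac_key') }`, turns that into a catalog compilation error before anything touches the disk. The resource should also keep the key material out of agent reports: wrap the template as `content => Sensitive(epp(...))` or set `show_diff => false`, since the Permissions block it replaces never placed key bytes in `content`. `path => $key_path` repeats the resource title and can be dropped. The enclosing class continues outside the hunk.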
@@ -0,0 +1,4 @@
+<%- | String $datastore_hmac_key,
+ String $datastore_aes_key,
+| -%>
+{"hmacKey":{"hmacKeyString":"<%= $datastore_hmac_key %>","size":256},"aesKeyString":"<%= $datastore_aes_key %>","mode":"CBC","size":256}
\ No newline at end of file
From 7c7c4e3110187c7c70803c9d8d630a4a16fd6d9f Mon Sep 17 00:00:00 2001
From: Bradley Bishop
Date: Sun, 5 Feb 2023 18:43:35 -0500
Subject: [PATCH 5/8] Fixing dependancy tree
---
 manifests/server/datastore_keys.pp | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/manifests/server/datastore_keys.pp b/manifests/server/datastore_keys.pp
index 34b6e938..9250ceb0 100644
--- a/manifests/server/datastore_keys.pp
+++ b/manifests/server/datastore_keys.pp
@@ -76,8 +76,15 @@
 tag => 'st2::config',
 }
- Package['st2']
- -> File[$keys_dir]
- -> Exec["generate datastore key ${key_path}"]
- -> File[$key_path]
+
+ if $manage_datastore_key {
+ Package['st2']
+ -> File[$keys_dir]
+ -> File[$key_path]
+ } else {
+ Package['st2']
+ -> File[$keys_dir]
+ -> Exec["generate datastore key ${key_path}"]
+ -> File[$key_path]
+ }
 }
From ccba0ae84ce6fac8acc41bc21c3e0ae5a5b51297 Mon Sep 17 00:00:00 2001
From: Bradley Bishop
Date: Mon, 6 Feb 2023 00:17:28 -0500
Subject: [PATCH 6/8] Adding parameters for the rest of the options in the datastore key
---
 manifests/init.pp | 5 ++++-
 manifests/params.pp | 3 +++
 manifests/server/datastore_keys.pp | 12 +++++++++---
 templates/server/datastore_key.json.epp | 5 ++++-
 4 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index cdb3ca07..4c06f8ec 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
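Review bot: The new template builds JSON by interpolating `$datastore_hmac_key` and `$datastore_aes_key` straight into quoted strings, so a value containing `"` or `\` yields a file that is not valid JSON, and neither the template nor `st2::server::datastore_keys` validates the key format before writing it. If the module already depends on puppetlabs-stdlib, build a hash in the class and render it with `to_json` instead of hand-writing the document; otherwise constrain the template parameters to the expected alphabet (the keys produced by `st2-generate-symmetric-crypto-key` are, as far as I know, hex strings, so something like `Pattern[/\A[0-9a-fA-F]*\z/]`) so the catalog fails before the file is written. The same hand-built document remains in the patch 6 revision of this template.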
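Review bot: The relationship chain added in the `if $manage_datastore_key` branch restates ordering the resources already express: the `file { $key_path: }` in that branch declares `require => Package['st2']`, and with the default paths `File[$keys_dir]` is the parent directory that Puppet autorequires, so `Package['st2'] -> File[$keys_dir] -> File[$key_path]` adds nothing. Keeping the explicit chain only in the `else` branch, where the `Exec` has no `require` of its own, and dropping the blank line the hunk inserts before the `if` (it leaves two consecutive empty lines after `tag => 'st2::config'`) would keep the file tidier. The closing `}` of the class is the last line of the hunk.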
@@ -311,8 +311,11 @@
 $datastore_keys_dir = $st2::params::datstore_keys_dir,
 $datastore_key_path = "${st2::params::datstore_keys_dir}/datastore_key.json",
 $manage_datastore_key = $st2::params::manage_datastore_key,
- $datastore_aes_key = $st2::params::datastore_aes_key,
+ $datastore_hmac_size = $st2::params::datastore_hmac_size,
 $datastore_hmac_key = $st2::params::datastore_hmac_key,
+ $datastore_aes_key = $st2::params::datastore_aes_key,
+ $datastore_aes_mode = $st2::params::datastore_aes_mode,
+ $datastore_aes_size = $st2::params::datastore_aes_size,
 $nginx_basicstatus_enabled = $st2::params::basicstatus_enabled,
 $nginx_basicstatus_port = $st2::params::basicstatus_port,
 $nginx_manage_repo = true,
diff --git a/manifests/params.pp b/manifests/params.pp
index c79648c8..e50b5714 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -59,6 +59,9 @@
 $manage_datastore_key = false
 $datastore_aes_key = ''
 $datastore_hmac_key = ''
+ $datastore_hmac_size = 256
+ $datastore_aes_mode = 'CBC'
+ $datastore_aes_size = 256
 $manage_epel_repo = true
 $python_use_epel_repo = true
diff --git a/manifests/server/datastore_keys.pp b/manifests/server/datastore_keys.pp
index 9250ceb0..eaa511ea 100644
--- a/manifests/server/datastore_keys.pp
+++ b/manifests/server/datastore_keys.pp
@@ -21,8 +21,11 @@
 $keys_dir = $st2::datastore_keys_dir,
 $key_path = $st2::datastore_key_path,
 $manage_datastore_key = $st2::manage_datastore_key,
- $datastore_aes_key = $st2::datastore_aes_key,
+ $datastore_hmac_size = $st2::datastore_hmac_size,
 $datastore_hmac_key = $st2::datastore_hmac_key,
+ $datastore_aes_key = $st2::datastore_aes_key,
+ $datastore_aes_mode = $st2::datastore_aes_mode,
+ $datastore_aes_size = $st2::datastore_aes_size,
 ) inherits st2 {
 ## Directory
 file { $keys_dir:
@@ -38,8 +41,11 @@
 ensure => file,
 path => $key_path,
 content => epp('st2/server/datastore_key.json.epp', {
- datastore_hmac_key => $datastore_hmac_key,
- datastore_aes_key => $datastore_aes_key,
+ datastore_hmac_key => $datastore_hmac_key,
+ datastore_hmac_size => $datastore_hmac_size,
+ datastore_aes_mode => $datastore_aes_mode,
+ datastore_aes_key => $datastore_aes_key,
+ datastore_aes_size => $datastore_aes_size,
 }),
 owner => 'st2',
 group => 'st2',
diff --git a/templates/server/datastore_key.json.epp b/templates/server/datastore_key.json.epp
index 5422aefe..2cfaabc5 100644
--- a/templates/server/datastore_key.json.epp
+++ b/templates/server/datastore_key.json.epp
@@ -1,4 +1,7 @@
 <%- | String $datastore_hmac_key,
+ Integer $datastore_hmac_size,
 String $datastore_aes_key,
+ String $datastore_aes_mode,
+ Integer $datastore_aes_size,
 | -%>
-{"hmacKey":{"hmacKeyString":"<%= $datastore_hmac_key %>","size":256},"aesKeyString":"<%= $datastore_aes_key %>","mode":"CBC","size":256}
\ No newline at end of file
+{"hmacKey":{"hmacKeyString":"<%= $datastore_hmac_key %>","size":<%= $datastore_hmac_size %>},"aesKeyString":"<%= $datastore_aes_key %>","mode":"<%= $datastore_aes_mode %>","size":<%= $datastore_aes_size %>}
\ No newline at end of file
From 476ec14df24a271bf33f1f3a67ba1690c6a4ac6f Mon Sep 17 00:00:00 2001
From: Bradley Bishop
Date: Mon, 10 Apr 2023 11:26:51 -0400
Subject: [PATCH 7/8] Adding files to fix tests.
---
 manifests/profile/redis.pp | 2 +-
 test/unit/test_tasks_key_decrypt.py | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 test/unit/test_tasks_key_decrypt.py
diff --git a/manifests/profile/redis.pp b/manifests/profile/redis.pp
index e313af85..ade37729 100644
--- a/manifests/profile/redis.pp
+++ b/manifests/profile/redis.pp
@@ -18,7 +18,7 @@
 class { 'redis':
 bind => $bind_ip,
- manage_repo => $redis_manage_repo
+ manage_repo => $redis_manage_repo,
 }
 contain redis
diff --git a/test/unit/test_tasks_key_decrypt.py b/test/unit/test_tasks_key_decrypt.py
new file mode 100644
index 00000000..51959333
--- /dev/null
+++ b/test/unit/test_tasks_key_decrypt.py
@@ -0,0 +1,15 @@
+from test.unit.st2_test_case import St2TestCase
+# import mock
+import os
+import sys
+from key_decrypt import AESKey
+
+sys.path.append(os.path.join(os.path.dirname(__file__), '..', '..', 'tasks'))
+
+
+class AESKeyTestCase(St2TestCase):
+ __test__ = True
+
+ def test_init(self):
+ task = AESKey('test', 'test', 256)
+ self.assertIsInstance(task, object)
From f581716c9fdca018907912050386e26841d86ded Mon Sep 17 00:00:00 2001
From: Bradley Bishop
Date: Wed, 12 Apr 2023 09:07:17 -0400
Subject: [PATCH 8/8] Updated changelog
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a1137aeb..a86a856e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 ## Development
+## 2.6.0 (April 12, 2023)
+
+- Fixing tests. Contributed by @bishopbm1
+
 ## 2.5.0 (June 29, 2022)
 - Move CentOS -> RockyLinux and Python 3.6 -> 3.8. Contributed by @rush-skills
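Review bot: `sys.path.append(os.path.join(os.path.dirname(__file__), '..', '..', 'tasks'))` runs after `from key_decrypt import AESKey`, so it cannot help that import resolve; the module is found only if the `tasks` directory is already on `sys.path` through the test runner's configuration, and otherwise collection fails with ImportError before any test runs. Move the `import os`, `import sys` and the `sys.path.append(...)` line above `from key_decrypt import AESKey`, and delete the commented-out `# import mock`. `self.assertIsInstance(task, object)` holds for every Python object and can never fail; `self.assertIsInstance(task, AESKey)` at least pins the constructor, and asserting the attributes that `AESKey('test', 'test', 256)` is expected to set would make `test_init` a real test.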