Commit: showing 15 changed files with 260 additions and 26 deletions.
@@ -1,4 +1,102 @@ | ||
# conjur | ||
|
||
Installs and/or configures Conjur. | ||
Installs and/or configures Conjur, including Conjur SSH and command-line tools. | ||
|
||
This cookbook is composed of several recipes, which can be used at different stages of the continuous delivery lifecycle. | ||
|
||
The lifecycle is roughly intended to operate like this: | ||
|
||
* A base OS image from the CentOS or Ubuntu LTS family is selected. | ||
* The "foundation" cookbooks run on the base OS image to configure the connection to Conjur (and other desired systems), install packages, and perform static configuration. | ||
* A "foundation" image is captured after the foundation cookbooks have completed. | ||
* Machines are launched from the "foundation" image. Each machine is provided with Conjur identity, then a Chef run finishes the machine configuration (e.g. configure the host credentials for LDAPS connection to Conjur). At this point, Chef (or other configuration management tools) may also install and configure applications on top of the base OS foundation. | ||
|
||
### Foundation Recipes | ||
|
||
These recipes can be used to build a "foundation" image, which is able to create a secure connection to Conjur, and has performed all package installation prior to the machine launch. | ||
|
||
* **install [required]** Installs base packages which are needed for Conjur SSH. All installation and configuration steps performed by this recipe can be built into an image. | ||
* **conjurrc [optiona]** Configures the connection to the Conjur server endpoint and establishes SSL verification. This information can be safely built into an image. | ||
* **client [optional]** Installs the Conjur command-line tools. This is optional for Conjur SSH functionality. The CLI can be built into an image. | ||
|
||
### Launch recipes | ||
|
||
* **configure** Applies the Conjur host identity to finish the machine configuration. | ||
|
||
## Requirements | ||
|
||
### Platforms | ||
|
||
* Ubuntu 12 LTS+ | ||
* CentOS 6+ | ||
* RHEL 6+ | ||
* Amazon Linux | ||
|
||
### Dependency Cookbooks | ||
|
||
* `sshd-service` | ||
|
||
## Attributes | ||
|
||
See `attributes/default.rb` for defaults. | ||
|
||
### SSH | ||
|
||
The following attributes pertain to login (ssh) functionality. | ||
|
||
|
||
* `node['conjur']['group']['conjurers']['name']` Name of the Unix group corresponding to Conjur `update` privilege | ||
* `node['conjur']['group']['conjurers']['gid']` GID number of the Unix group corresponding to Conjur `update` privilege | ||
* `node['conjur']['group']['users']['name']` Name of the Unix group corresponding to Conjur `execute` privilege | ||
* `node['conjur']['group']['users']['gid']` GID number of the Unix group corresponding to Conjur `execute` privilege | ||
* `node['conjur']['service_provider']` Service provider to use for `logshipper` | ||
* `node['conjur']['syslog_provider']` Syslog provider which is used on the machine, and will be hooked up to `logshipper` | ||
* `node['conjur'['grant_passwordless_sudo_to_conjurers']` Whether to grant passwordless `sudo` privilege to the `conjurers` group. | ||
* `node['conjur']['sshd']['debug']` Enable debug logging of `sshd` | ||
|
||
### Conjur client tools | ||
|
||
The following attributes pertain to installation of the [Conjur command-line tools](http://developer.conjur.net/client_setup/cli.html): | ||
|
||
* `node['conjur']['client']['version']` Installer version of Conjur CLI tools (optional) | ||
|
||
### Conjur connection configuration and SSL verification | ||
|
||
The following attributes can be used to configure the secure connection to the Conjur server: | ||
|
||
* `node['conjur']['configuration']['account']` Conjur organization account | ||
* `node['conjur']['configuration']['appliance_url']` ULR to the Conjur appliance, in the form `https://conjur/api`. | ||
* `node['conjur']['configuration']['ssl_certificate']` Conjur server SSL certificate | ||
* `node['conjur']['configuration']['plugins']` List of activated CLI plugins | ||
|
||
## Recipes | ||
|
||
### default | ||
|
||
Runs the `install` and `configure` recipes. | ||
|
||
### install | ||
|
||
Installs packages required for Conjur SSH. Packages install include: | ||
|
||
* openssh | ||
* PAM + LDAP | ||
* Conjur `logshipper`, which receives `auth.log` lines from `syslog`, parses them, and sends them to Conjur as `login`, `logout`, and `sudo` records. | ||
|
||
This recipe also applies base configuration, such as: | ||
|
||
* Conjur `update` permission is mapped to a Unix user group | ||
* Conjur `execute` permission is mapped to a Unix user group | ||
* By default, the `update` Unix group is granted passwordless sudo access | ||
|
||
### client | ||
|
||
Installs the Conjur command-line tools. | ||
|
||
### conjurrc | ||
|
||
Creates the `/etc/conjur.conf` and `/etc/conjur-[acct].pem` from Chef attributes. | ||
|
||
## Tests | ||
|
||
This cookbook is verified by both `chefspec` and `serverspec` tests. Conjur Inc also verifies the correct operation of the SSH functionality using Cucumber integration tests. |
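Review bot: the attributes list has two errors that will mislead anyone copying from it: `node['conjur'['grant_passwordless_sudo_to_conjurers']` is missing the closing bracket after `'conjur'` (should be `node['conjur']['grant_passwordless_sudo_to_conjurers']`), and `ULR` under `appliance_url` should be `URL`; in the Foundation Recipes list, `conjurrc [optiona]` should read `[optional]`. Since the `install` recipe grants passwordless `sudo` to the `update` group by default, the attributes section should also state the default value of `grant_passwordless_sudo_to_conjurers`, so an operator building a foundation image knows it must be set to false to opt out.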
@@ -0,0 +1,33 @@ | ||
# | ||
# Copyright (C) 2015 Conjur Inc | ||
# | ||
# Permission is hereby granted, free of charge, to any person obtaining a copy of | ||
# this software and associated documentation files (the "Software"), to deal in | ||
# the Software without restriction, including without limitation the rights to | ||
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of | ||
# the Software, and to permit persons to whom the Software is furnished to do so, | ||
# subject to the following conditions: | ||
# | ||
# The above copyright notice and this permission notice shall be included in all | ||
# copies or substantial portions of the Software. | ||
# | ||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS | ||
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR | ||
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER | ||
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN | ||
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | ||
# | ||
|
||
file_name = "conjur-#{conjur_client_version node}.deb" | ||
target_path = File.join(Chef::Config[:file_cache_path], file_name) | ||
|
||
dpkg_package "conjur" do | ||
source target_path | ||
action :nothing | ||
end | ||
|
||
remote_file target_path do | ||
source "https://s3.amazonaws.com/conjur-releases/omnibus/conjur_#{conjur_client_version node}_amd64.deb" | ||
notifies :install, "dpkg_package[conjur]", :immediately | ||
end |
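Review bot: the `remote_file` that fetches the `.deb` from S3 sets no `checksum`, so the only integrity guarantee is the TLS connection to s3.amazonaws.com; anyone able to overwrite the object in the `conjur-releases` bucket controls what `dpkg_package[conjur]` installs as root. Suggest pinning the expected SHA-256 per version on the resource (e.g. `checksum node['conjur']['client']['checksum']`), which also lets Chef skip the re-download on later runs. `conjur_client_version node` is a helper defined outside this hunk; the recipe fails at compile time if that library is not loaded first.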
@@ -0,0 +1,33 @@ | ||
# | ||
# Copyright (C) 2014 Conjur Inc | ||
# | ||
# Permission is hereby granted, free of charge, to any person obtaining a copy of | ||
# this software and associated documentation files (the "Software"), to deal in | ||
# the Software without restriction, including without limitation the rights to | ||
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of | ||
# the Software, and to permit persons to whom the Software is furnished to do so, | ||
# subject to the following conditions: | ||
# | ||
# The above copyright notice and this permission notice shall be included in all | ||
# copies or substantial portions of the Software. | ||
# | ||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS | ||
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR | ||
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER | ||
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN | ||
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | ||
# | ||
|
||
file_name = "conjur-#{conjur_client_version node}.rpm" | ||
target_path = File.join(Chef::Config[:file_cache_path], file_name) | ||
|
||
rpm_package "conjur" do | ||
source target_path | ||
action :nothing | ||
end | ||
|
||
remote_file target_path do | ||
source "https://s3.amazonaws.com/conjur-releases/omnibus/conjur-#{conjur_client_version node}.el6.x86_64.rpm" | ||
notifies :install, "rpm_package[conjur]", :immediately | ||
end |
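Review bot: as in the Debian recipe, the `remote_file` download carries no `checksum`, so the `.rpm` is installed without any integrity check beyond TLS; add one. Separately, the URL hard-codes `el6.x86_64` while the README lists RHEL 6+ and Amazon Linux as supported, so on EL7 hosts this installs an el6 build; derive the `el` suffix from `node['platform_version']` or document the limitation. Minor: the copyright header says 2014 where the Debian counterpart says 2015.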
include_recipe "conjur::_client_#{node['platform_family']}" |
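Review bot: dispatching on `node['platform_family']` by string interpolation means any family without a matching `conjur::_client_<family>` recipe fails at converge with a generic recipe-not-found error; a `case node['platform_family']` with `when 'debian'`, `when 'rhel'` and an explicit `else` that raises with the unsupported platform name would make the failure self-explanatory.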
require "spec_helper" | ||
|
||
describe "conjur::client" do | ||
let :chef_run do | ||
ChefSpec::SoloRunner.new(platform: platform, version: version) do |node| | ||
node.set["platform_family"] = platform_family if platform_family | ||
node.set["conjur"]['client']["version"] = "4.5.1-0" | ||
end.converge described_recipe | ||
end | ||
let(:chef_cache) { Chef::Config[:file_cache_path] } | ||
subject { chef_run } | ||
|
||
context "ubuntu" do | ||
let(:platform) { "ubuntu" } | ||
let(:version) { "12.04" } | ||
let(:platform_family) { nil } | ||
it "installs conjur apt package" do | ||
expect(subject).to create_remote_file("#{chef_cache}/conjur-4.5.1-0.deb") | ||
expect(subject.remote_file("#{chef_cache}/conjur-4.5.1-0.deb")).to notify("dpkg_package[conjur]").to(:install) | ||
end | ||
end | ||
context "fedora" do | ||
let(:platform) { "centos" } | ||
let(:platform_family) { "rhel" } | ||
let(:version) { "6.2" } | ||
it "installs conjur rpm package" do | ||
expect(subject).to create_remote_file("#{chef_cache}/conjur-4.5.1-0.rpm") | ||
expect(subject.remote_file("#{chef_cache}/conjur-4.5.1-0.rpm")).to notify("rpm_package[conjur]").to(:install) | ||
end | ||
end | ||
end |
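Review bot: the second context is named `"fedora"` but sets `platform` to `centos` and `platform_family` to `rhel`, so the description misstates what is tested; rename it to `"rhel"`. The specs also mix `node.set` here with `node.override` in the conjurrc spec; pick one. Both examples assert that the `remote_file` is created and notifies the package resource, but not that its `source` carries the configured version, so a regression in the URL format would pass; adding `.with(source: ...)` on the `remote_file` would catch it.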
require "spec_helper" | ||
|
||
describe "conjur::conjurrc" do | ||
let :chef_run do | ||
ChefSpec::SoloRunner.new do |node| | ||
node.override['conjur']['configuration']['account'] = 'demo' | ||
node.override['conjur']['configuration']['appliance_url'] = 'https://conjur/api' | ||
node.override['conjur']['configuration']['ssl_certificate'] = 'the-cert' | ||
end.converge described_recipe | ||
end | ||
subject { chef_run } | ||
|
||
it "creates /etc/conjur.conf" do | ||
expect(subject).to create_file("/etc/conjur.conf").with(content: YAML.dump({ | ||
'account' => 'demo', | ||
'appliance_url' => 'https://conjur/api', | ||
'plugins' => [], | ||
'netrc_path' => '/etc/conjur.identity', | ||
'cert_file' => '/etc/conjur-demo.pem' | ||
})) | ||
end | ||
it "creates /etc/conjur.pem" do | ||
expect(subject).to create_file("/etc/conjur-demo.pem").with(content: "the-cert") | ||
end | ||
end |
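Review bot: the example description `"creates /etc/conjur.pem"` does not match the path it asserts on (`/etc/conjur-demo.pem`); rename it so failures read correctly. The `/etc/conjur.conf` assertion compares against `YAML.dump` of a hash with a fixed key order, so any reordering in the recipe breaks the test without a behaviour change; loading the rendered content with `YAML.load` and comparing hashes is more robust. Neither example checks `mode` or `owner` of the two files; a `.with(mode: ...)` assertion would pin the permissions of the config and certificate file.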
%<%= node['conjur']['terminal_login']['groupnames']['conjurers'] %> ALL=(ALL) NOPASSWD:ALL | ||
%<%= node['conjur']['group']['conjurers']['name'] %> ALL=(ALL) NOPASSWD:ALL |
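Review bot: the group name is interpolated straight into a sudoers rule with no validation; if `node['conjur']['group']['conjurers']['name']` is empty or contains whitespace, the rendered line is syntactically invalid and sudo refuses to run for every user on the host. The `template` resource rendering this file should use `verify 'visudo -cf %{path}'` so Chef rejects a bad render before it lands on disk, and the attribute rename from `terminal_login.groupnames.conjurers` to `group.conjurers.name` should be called out as a breaking change, since existing node data will not carry over.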
require 'serverspec' | ||
|
||
describe command('conjur help') do | ||
its(:stdout) { should match(/conjur \[global options\] command/) } | ||
end |
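Review bot: this only proves a `conjur` binary is on `PATH` and prints usage; it does not confirm that the installed version matches `node['conjur']['client']['version']`, so a stale cached package would pass. Add a version assertion, e.g. serverspec's `package('conjur')` with `be_installed.with_version(...)`.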
This file was deleted.