
added README; added sudoers config
kgilpin committed Apr 11, 2015
1 parent e95d051 commit 8ff6a55
Showing 15 changed files with 260 additions and 26 deletions.
7 changes: 2 additions & 5 deletions .kitchen.yml
Expand Up @@ -12,14 +12,11 @@ platforms:
suites:
- name: default
run_list:
- recipe[conjur::client]
- recipe[conjur::conjurrc]
- recipe[conjur::identity]
- recipe[conjur::default]
- recipe[conjur::install]
attributes:
conjur:
identity:
login: host/the-host
password: the-password
configuration:
account: demo
appliance_url: https://conjur/api
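Review bot: `recipe[conjur::install]` in the default suite run_list duplicates `recipe[conjur::default]`, which the README in this same commit says already runs `install` (and `configure`); drop one of them, or drop `default` if the intent is to exercise the install recipe on its own. The rendered diff does not mark which run_list entries were removed, so also confirm that the `identity` attributes (`login: host/the-host`, `password: the-password`) are still consumed by some recipe left in the run_list, otherwise they are dead test data.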
100 changes: 99 additions & 1 deletion README.md
@@ -1,4 +1,102 @@
# conjur

Installs and/or configures Conjur.
Installs and/or configures Conjur, including Conjur SSH and command-line tools.

This cookbook is composed of several recipes, which can be used at different stages of the continuous delivery lifecycle.

The lifecycle is roughly intended to operate like this:

* A base OS image from the CentOS or Ubuntu LTS family is selected.
* The "foundation" cookbooks run on the base OS image to configure the connection to Conjur (and other desired systems), install packages, and perform static configuration.
* A "foundation" image is captured after the foundation cookbooks have completed.
* Machines are launched from the "foundation" image. Each machine is provided with Conjur identity, then a Chef run finishes the machine configuration (e.g. configure the host credentials for LDAPS connection to Conjur). At this point, Chef (or other configuration management tools) may also install and configure applications on top of the base OS foundation.

### Foundation Recipes

These recipes can be used to build a "foundation" image, which is able to create a secure connection to Conjur, and has performed all package installation prior to the machine launch.

* **install [required]** Installs base packages which are needed for Conjur SSH. All installation and configuration steps performed by this recipe can be built into an image.
* **conjurrc [optiona]** Configures the connection to the Conjur server endpoint and establishes SSL verification. This information can be safely built into an image.
* **client [optional]** Installs the Conjur command-line tools. This is optional for Conjur SSH functionality. The CLI can be built into an image.

### Launch recipes

* **configure** Applies the Conjur host identity to finish the machine configuration.

## Requirements

### Platforms

* Ubuntu 12 LTS+
* CentOS 6+
* RHEL 6+
* Amazon Linux

### Dependency Cookbooks

* `sshd-service`

## Attributes

See `attributes/default.rb` for defaults.

### SSH

The following attributes pertain to login (ssh) functionality.


* `node['conjur']['group']['conjurers']['name']` Name of the Unix group corresponding to Conjur `update` privilege
* `node['conjur']['group']['conjurers']['gid']` GID number of the Unix group corresponding to Conjur `update` privilege
* `node['conjur']['group']['users']['name']` Name of the Unix group corresponding to Conjur `execute` privilege
* `node['conjur']['group']['users']['gid']` GID number of the Unix group corresponding to Conjur `execute` privilege
* `node['conjur']['service_provider']` Service provider to use for `logshipper`
* `node['conjur']['syslog_provider']` Syslog provider which is used on the machine, and will be hooked up to `logshipper`
* `node['conjur'['grant_passwordless_sudo_to_conjurers']` Whether to grant passwordless `sudo` privilege to the `conjurers` group.
* `node['conjur']['sshd']['debug']` Enable debug logging of `sshd`

### Conjur client tools

The following attributes pertain to installation of the [Conjur command-line tools](http://developer.conjur.net/client_setup/cli.html):

* `node['conjur']['client']['version']` Installer version of Conjur CLI tools (optional)

### Conjur connection configuration and SSL verification

The following attributes can be used to configure the secure connection to the Conjur server:

* `node['conjur']['configuration']['account']` Conjur organization account
* `node['conjur']['configuration']['appliance_url']` ULR to the Conjur appliance, in the form `https://conjur/api`.
* `node['conjur']['configuration']['ssl_certificate']` Conjur server SSL certificate
* `node['conjur']['configuration']['plugins']` List of activated CLI plugins

## Recipes

### default

Runs the `install` and `configure` recipes.

### install

Installs packages required for Conjur SSH. Packages install include:

* openssh
* PAM + LDAP
* Conjur `logshipper`, which receives `auth.log` lines from `syslog`, parses them, and sends them to Conjur as `login`, `logout`, and `sudo` records.

This recipe also applies base configuration, such as:

* Conjur `update` permission is mapped to a Unix user group
* Conjur `execute` permission is mapped to a Unix user group
* By default, the `update` Unix group is granted passwordless sudo access

### client

Installs the Conjur command-line tools.

### conjurrc

Creates the `/etc/conjur.conf` and `/etc/conjur-[acct].pem` from Chef attributes.

## Tests

This cookbook is verified by both `chefspec` and `serverspec` tests. Conjur Inc also verifies the correct operation of the SSH functionality using Cucumber integration tests.
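Review bot: several defects in the new README text: `**conjurrc [optiona]**` should read `[optional]`; the attribute `node['conjur'['grant_passwordless_sudo_to_conjurers']` is missing a closing bracket and should be `node['conjur']['grant_passwordless_sudo_to_conjurers']`; `ULR to the Conjur appliance` should be `URL`; and `Packages install include` should be `Packages installed include`. The launch recipe is documented as `configure`, and `default` is said to run `install` and `configure`, but the only recipe in this changeset that applies the host identity is `recipes/identity.rb`; either the recipe name or the text needs reconciling. Because the default maps the `update` group to passwordless sudo, the `grant_passwordless_sudo_to_conjurers` entry should state that it defaults to `true` and that setting it to `false` is how an operator opts out, so the security-relevant default is visible in the attribute list rather than only in the `install` section.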
6 changes: 6 additions & 0 deletions attributes/default.rb
Expand Up @@ -6,8 +6,14 @@
default['conjur']['service_provider'] = 'upstart'
# Also supported: syslog-ng
default['conjur']['syslog_provider'] = 'rsyslog'
# Write a sudoers.d which gives passwordless sudo to the 'conjurers' group
default['conjur']['grant_passwordless_sudo_to_conjurers'] = true
# Configure verbose logging for SSHD
default['conjur']['sshd']['debug'] = false

# These attributes are used only by the client.rb recipe
default['conjur']['client']['version'] = '4.21.0-1'

# These attributes are used only by the conjurrc recipe, which can be used
# to install the initial Conjur configuration and certificate.
default['conjur']['configuration']['account'] = nil
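Review bot: `default['conjur']['grant_passwordless_sudo_to_conjurers'] = true` makes every member of the `conjurers` group root-equivalent without a password on every node that converges this cookbook unless the operator opts out; for a grant that broad, consider shipping `false` and having the README's foundation-image guidance turn it on explicitly, or at minimum extend the comment to say the setting is on by default. The hard-coded `'4.21.0-1'` is the version the `_client_*` recipes will download from `conjur-releases`, so the comment above it should say that changing it changes the fetched package name.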
17 changes: 13 additions & 4 deletions libraries/conjur_helper_methods.rb
Expand Up @@ -4,7 +4,15 @@ def logshipper_fifo_path
end
end

module ConjurClientVersion
def conjur_client_version node
node.conjur.client.version
end
end

module ConjurHelperMethods
include ConjurClientVersion

def conjur_cacertfile
conjur_require_file("Conjur server certificate (conjur-acct.pem)", [ File.expand_path(conjur_conf['cert_file'], File.dirname(conjur_conf_filename)), File.expand_path("~/conjur-#{conjur_account}.pem") ])
end
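Review bot: `conjur_client_version node` will raise `NoMethodError` on `nil.conjur` if called without a node, while the companion helpers changed in this file (`conjur_host_id node = nil`, `conjur_host_api_key node = nil`) accept `nil`; either give it the same `node = nil` default with a clear `raise "No node available for Conjur client version"`, or document that it is only meant to be called from a recipe where `node` is in scope.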
Expand All @@ -17,16 +25,16 @@ def conjur_account
ENV['CONJUR_ACCOUNT'] || conjur_conf['account'] or raise "Conjur account is not available"
end

def conjur_host_id
id = [ ENV['CONJUR_AUTHN_LOGIN'], (node.conjur['identity']||{})['login'], conjur_netrc[0] ].compact.first
def conjur_host_id node = nil
id = [ ENV['CONJUR_AUTHN_LOGIN'], (node ? (node.conjur['identity']||{}) : {})['login'], conjur_netrc[0] ].compact.first
raise "No host identity is available" unless id
tokens = id.split('/')
raise "Expecting 'host' id, got #{tokens[0]}" unless tokens[0] == 'host'
tokens[1..-1].join('/')
end

def conjur_host_api_key
ENV['CONJUR_AUTHN_API_KEY'] || (node.conjur['identity']||{})['password'] || conjur_netrc[1] or raise "No host api key is available"
def conjur_host_api_key node = nil
ENV['CONJUR_AUTHN_API_KEY'] || (node ? (node.conjur['identity']||{}) : {})['password'] || conjur_netrc[1] or raise "No host api key is available"
end

def conjur_ldap_url
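Review bot: in `conjur_host_id` the array literal `[ ENV['CONJUR_AUTHN_LOGIN'], (node ? ... : {})['login'], conjur_netrc[0] ]` evaluates every element before `.compact.first` runs, so `conjur_netrc` is invoked even when the environment variable or node attribute already supplies the login; if `conjur_netrc` raises when no netrc file exists (its definition is outside this hunk), the env-var path fails on a fresh machine that has no identity file yet. `conjur_host_api_key` already uses a short-circuiting `||` chain; rewriting `conjur_host_id` the same way, e.g. `id = ENV['CONJUR_AUTHN_LOGIN'] || (node && (node.conjur['identity']||{})['login']) || conjur_netrc[0]`, makes the two helpers consistent and avoids the eager read.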
Expand Down Expand Up @@ -75,4 +83,5 @@ class Chef::Resource

class Chef::Recipe
include LogshipperHelperMethods
include ConjurClientVersion
end
33 changes: 33 additions & 0 deletions recipes/_client_debian.rb
@@ -0,0 +1,33 @@
#
# Copyright (C) 2015 Conjur Inc
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#

file_name = "conjur-#{conjur_client_version node}.deb"
target_path = File.join(Chef::Config[:file_cache_path], file_name)

dpkg_package "conjur" do
source target_path
action :nothing
end

remote_file target_path do
source "https://s3.amazonaws.com/conjur-releases/omnibus/conjur_#{conjur_client_version node}_amd64.deb"
notifies :install, "dpkg_package[conjur]", :immediately
end
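Review bot: `remote_file target_path` has no `checksum`, so the `.deb` fetched from `s3.amazonaws.com/conjur-releases` is handed to `dpkg_package` (which installs it as root) with TLS as the only integrity control and no pin to the exact artifact; add a SHA-256 `checksum` on the `remote_file`, for example from a new attribute alongside `node['conjur']['client']['version']`, so a replaced object in the bucket fails the converge instead of being installed. Minor: `file_name` is `conjur-<version>.deb` while the source is `conjur_<version>_amd64.deb`; harmless, but the `amd64` assumption deserves a comment.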
33 changes: 33 additions & 0 deletions recipes/_client_rhel.rb
@@ -0,0 +1,33 @@
#
# Copyright (C) 2014 Conjur Inc
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#

file_name = "conjur-#{conjur_client_version node}.rpm"
target_path = File.join(Chef::Config[:file_cache_path], file_name)

rpm_package "conjur" do
source target_path
action :nothing
end

remote_file target_path do
source "https://s3.amazonaws.com/conjur-releases/omnibus/conjur-#{conjur_client_version node}.el6.x86_64.rpm"
notifies :install, "rpm_package[conjur]", :immediately
end
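Review bot: the same missing `checksum` on `remote_file` applies here as in `_client_debian.rb`; in addition the source URL hard-codes `.el6.x86_64.rpm` while the README lists CentOS 6+, RHEL 6+ and Amazon Linux as supported, so a RHEL or CentOS 7 host will fetch and install the el6 build. Derive the `el` suffix from the platform version (or make it an attribute next to `version`) and add a `checksum`. Minor: the copyright header says 2014 where the Debian twin added in this commit says 2015.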
7 changes: 7 additions & 0 deletions recipes/_configure_ssh.rb
Expand Up @@ -10,6 +10,13 @@
end
end

if node.conjur.grant_passwordless_sudo_to_conjurers == true
template "/etc/sudoers.d/conjurers" do
source "sudoers.d_conjurers.erb"
mode 0440
end
end

ruby_block "Enable DEBUG logging for sshd" do
block do
edit = Chef::Util::FileEdit.new('/etc/ssh/sshd_config')
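Review bot: the `if node.conjur.grant_passwordless_sudo_to_conjurers == true` branch has no `else`, so a node that once converged with the attribute true keeps `/etc/sudoers.d/conjurers` (and the passwordless root grant) indefinitely after an operator sets it to false; add an `else` that declares `file "/etc/sudoers.d/conjurers" do action :delete end`. Also consider validating the rendered fragment before it lands, for example with the `template` resource's `verify 'visudo -cf %{path}'` if the Chef version in use supports `verify`, since a malformed sudoers.d file breaks sudo for every user on the host. `mode 0440` is correct for sudoers.d.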
1 change: 1 addition & 0 deletions recipes/client.rb
@@ -0,0 +1 @@
include_recipe "conjur::_client_#{node['platform_family']}"
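Review bot: `include_recipe "conjur::_client_#{node['platform_family']}"` fails with a missing-recipe error for any platform family other than `debian` and `rhel`, which are the only `_client_*` recipes in this changeset; a `case node['platform_family']` with an explicit `raise` naming the unsupported family gives operators on the other platforms the README lists a clear message (if their family is not one of those two) instead of a Chef internal error.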
3 changes: 2 additions & 1 deletion recipes/conjurrc.rb
@@ -1,5 +1,5 @@
#
# Copyright (C) 2014 Conjur Inc
# Copyright (C) 2015 Conjur Inc
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
Expand Down Expand Up @@ -28,6 +28,7 @@
"account" => account,
"appliance_url" => node.conjur.configuration.appliance_url,
"plugins" => node.conjur.configuration.plugins.to_a,
"netrc_path" => "/etc/conjur.identity",
"cert_file" => "/etc/conjur-#{account}.pem"
}

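Review bot: `"netrc_path" => "/etc/conjur.identity"` points the CLI at a file that, per the `identity.rb` change in this commit, holds the host login and API key; the README's `conjurrc` section says the conf and certificate can be safely built into an image, so it should also state that `/etc/conjur.identity` is the credential file and must not be baked into the foundation image. The `conjurrc_spec.rb` added in this commit already pins this key, so keep the two in step if the path ever becomes an attribute.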
4 changes: 2 additions & 2 deletions recipes/identity.rb
Expand Up @@ -23,7 +23,7 @@

content """
machine #{conjur_appliance_url}/authn
login host/#{conjur_host_id}
password #{conjur_host_api_key}
login host/#{conjur_host_id node}
password #{conjur_host_api_key node}
"""
end.run_action(:create)
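Review bot: the visible lines write the host API key into the netrc via `content`, but the resource's `owner` and `mode` sit outside this hunk; confirm it is `mode 0600` and owned by root (or by whichever user runs the CLI), since this file is the machine's Conjur credential. The `"""..."""` literal is three adjacent Ruby string literals that concatenate, which works but leaves the file starting with a blank line; a heredoc would be clearer and avoids the leading newline.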
31 changes: 31 additions & 0 deletions spec/client_spec.rb
@@ -0,0 +1,31 @@
require "spec_helper"

describe "conjur::client" do
let :chef_run do
ChefSpec::SoloRunner.new(platform: platform, version: version) do |node|
node.set["platform_family"] = platform_family if platform_family
node.set["conjur"]['client']["version"] = "4.5.1-0"
end.converge described_recipe
end
let(:chef_cache) { Chef::Config[:file_cache_path] }
subject { chef_run }

context "ubuntu" do
let(:platform) { "ubuntu" }
let(:version) { "12.04" }
let(:platform_family) { nil }
it "installs conjur apt package" do
expect(subject).to create_remote_file("#{chef_cache}/conjur-4.5.1-0.deb")
expect(subject.remote_file("#{chef_cache}/conjur-4.5.1-0.deb")).to notify("dpkg_package[conjur]").to(:install)
end
end
context "fedora" do
let(:platform) { "centos" }
let(:platform_family) { "rhel" }
let(:version) { "6.2" }
it "installs conjur rpm package" do
expect(subject).to create_remote_file("#{chef_cache}/conjur-4.5.1-0.rpm")
expect(subject.remote_file("#{chef_cache}/conjur-4.5.1-0.rpm")).to notify("rpm_package[conjur]").to(:install)
end
end
end
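Review bot: the second `context` is labelled `"fedora"` but sets `platform` to `centos`, `platform_family` to `rhel` and version `6.2`; rename it to `"centos"` so failures read correctly. Both contexts assert only that the remote file is created and notifies the package resource; nothing asserts the `source` URL, so a typo in the S3 path would still pass, and once a `checksum` is added to the `remote_file` the spec should assert it as well.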
25 changes: 25 additions & 0 deletions spec/conjurrc_spec.rb
@@ -0,0 +1,25 @@
require "spec_helper"

describe "conjur::conjurrc" do
let :chef_run do
ChefSpec::SoloRunner.new do |node|
node.override['conjur']['configuration']['account'] = 'demo'
node.override['conjur']['configuration']['appliance_url'] = 'https://conjur/api'
node.override['conjur']['configuration']['ssl_certificate'] = 'the-cert'
end.converge described_recipe
end
subject { chef_run }

it "creates /etc/conjur.conf" do
expect(subject).to create_file("/etc/conjur.conf").with(content: YAML.dump({
'account' => 'demo',
'appliance_url' => 'https://conjur/api',
'plugins' => [],
'netrc_path' => '/etc/conjur.identity',
'cert_file' => '/etc/conjur-demo.pem'
}))
end
it "creates /etc/conjur.pem" do
expect(subject).to create_file("/etc/conjur-demo.pem").with(content: "the-cert")
end
end
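Review bot: the example is named `"creates /etc/conjur.pem"` but asserts on `/etc/conjur-demo.pem`; rename it to match. The spec covers only the success path; a case where `configuration.account` is left at its `nil` default (as `attributes/default.rb` ships it) would pin down whatever error the `conjurrc` recipe raises instead of letting it write `/etc/conjur-.pem`.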
2 changes: 1 addition & 1 deletion templates/default/sudoers.d_conjurers.erb
@@ -1 +1 @@
%<%= node['conjur']['terminal_login']['groupnames']['conjurers'] %> ALL=(ALL) NOPASSWD:ALL
%<%= node['conjur']['group']['conjurers']['name'] %> ALL=(ALL) NOPASSWD:ALL
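Review bot: the group name from `node['conjur']['group']['conjurers']['name']` is interpolated into the sudoers rule unvalidated; a value containing whitespace, `#` or `:` produces either a syntax error (which disables sudo on the host) or a rule for a different principal than intended. Guard the attribute in the recipe with a strict pattern such as `/\A[a-z_][a-z0-9_-]*\z/` before rendering, and validate the rendered file with `visudo -cf` before it is put in place.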
5 changes: 5 additions & 0 deletions test/integration/default/serverspec/client_spec.rb
@@ -0,0 +1,5 @@
require 'serverspec'

describe command('conjur help') do
its(:stdout) { should match(/conjur \[global options\] command/) }
end
12 changes: 0 additions & 12 deletions test/integration/default/serverspec/conjurrc_spec.rb

This file was deleted.
