From b971cc837b8783402899e0aba3755a1f89ca1e27 Mon Sep 17 00:00:00 2001
From: Martin Zobel-Helas <zobel@debian.org>
Date: Wed, 15 Feb 2012 17:19:10 +0100
Subject: [PATCH] add dacs module

---
 modules/dacs/files/common/acl-noauth.0  |   9 ++
 modules/dacs/files/common/acl-private.0 |  12 ++
 modules/dacs/files/common/dacs.conf     |  43 +++++++
 modules/dacs/files/common/site.conf     | 163 ++++++++++++++++++++++++
 modules/dacs/manifests/init.pp          | 101 +++++++++++++++
 5 files changed, 328 insertions(+)
 create mode 100644 modules/dacs/files/common/acl-noauth.0
 create mode 100644 modules/dacs/files/common/acl-private.0
 create mode 100644 modules/dacs/files/common/dacs.conf
 create mode 100644 modules/dacs/files/common/site.conf
 create mode 100644 modules/dacs/manifests/init.pp

diff --git a/modules/dacs/files/common/acl-noauth.0 b/modules/dacs/files/common/acl-noauth.0
new file mode 100644
index 00000000..4c573a60
--- /dev/null
+++ b/modules/dacs/files/common/acl-noauth.0
@@ -0,0 +1,9 @@
+<acl_rule status="enabled">
+  <services>
+      <service url_pattern="/public/*"/>
+  </services>
+  <rule order="allow,deny">
+   <allow>
+   </allow>
+  </rule>
+</acl_rule>
diff --git a/modules/dacs/files/common/acl-private.0 b/modules/dacs/files/common/acl-private.0
new file mode 100644
index 00000000..9c60c609
--- /dev/null
+++ b/modules/dacs/files/common/acl-private.0
@@ -0,0 +1,12 @@
+<acl_rule status="enabled">
+  <services>
+      <service url_expr="https://munin.debian.org"/>
+      <service url_pattern="/nagios3/*"/>
+  </services>
+  <rule order="allow,deny" pass_http_cookie="yes">
+   <allow>
+       user("auth")
+   </allow>
+  </rule>
+</acl_rule>
+
diff --git a/modules/dacs/files/common/dacs.conf b/modules/dacs/files/common/dacs.conf
new file mode 100644
index 00000000..d0085d04
--- /dev/null
+++ b/modules/dacs/files/common/dacs.conf
@@ -0,0 +1,43 @@
+<Configuration xmlns="http://dss.ca/dacs/v1.4">
+
+ <Default>
+   FEDERATION_DOMAIN "debian.org"
+   FEDERATION_NAME "DEBIANORG"
+   EVAL ${Conf::JURISDICTION_AUTHSERVER}="sso.debian.org"
+   LOG_LEVEL "info"
+ </Default>
+ <Jurisdiction uri="*.debian.org">
+   JURISDICTION_NAME "DEBIAN"
+   ADMIN_IDENTITY "DEBIAN:zobel"
+   <Auth id="guest-apache-htpasswd">
+     URL "https://sso.debian.org/cgi-bin/dacs/local_apache_authenticate"
+     STYLE "pass"
+     CONTROL "sufficient"
+     OPTION "AUTH_FILE=/etc/apache2/dsa-guest-web-passwords"
+     OPTION "AUTH_MODULE=mod_auth"
+   </Auth>
+   <Auth id="debian-apache-htpasswd">
+     URL "https://sso.debian.org/cgi-bin/dacs/local_apache_authenticate"
+     STYLE "pass"
+     CONTROL "required"
+     OPTION "AUTH_FILE=/var/lib/misc/thishost/web-passwords"
+     OPTION "AUTH_MODULE=mod_auth"
+   </Auth>
+
+   <!-- Authenticate using an LDAP bind 
+   <Auth id="ldap">
+     URL "https://sso.debian.org/cgi-bin/dacs/local_ldap_authenticate"
+     STYLE "password"
+     CONTROL "required"
+     LDAP_BIND_METHOD "direct"
+     LDAP_USERNAME_URL* '"ldap://127.0.0.1/uid=" \
+        . encode(url, ${Args::USERNAME}) . ",ou=users,dc=debian,dc=org"'
+     LDAP_USERNAME_EXPR* '"${LDAP::uid}"'
+     LDAP_ROLES_SELECTOR* '"${LDAP::attrname}" eq "supplementaryGid" \
+       ? strtr(ldap(rdn_attrvalue, \
+           ldap(dn_index, "${LDAP::attrvalue}", 1)), " ", "_") \
+       : 0'
+   </Auth>
+	-->
+ </Jurisdiction>
+</Configuration>
diff --git a/modules/dacs/files/common/site.conf b/modules/dacs/files/common/site.conf
new file mode 100644
index 00000000..306bb627
--- /dev/null
+++ b/modules/dacs/files/common/site.conf
@@ -0,0 +1,163 @@
+<!-- $Id: site.conf-std 2503 2010-06-23 16:56:53Z brachman $ -->
+
+<!-- ** DO NOT EDIT THIS FILE -->
+<!-- ** This is the standard site.conf file for your release of DACS. -->
+<!-- ** This file may be changed with each new release of DACS. -->
+<!-- ** Put customizations in your dacs.conf file. -->
+<!-- ** See dacs.conf(5) for information about these directives. -->
+
+<Configuration>
+
+<Default>
+# TURN OFF ONLY FOR TESTING PURPOSES!
+SECURE_MODE "on"
+
+STATUS_LINE "off"
+
+NAME_COMPARE "case"
+
+# Establish default URL prefixes for the default access control rules.
+# Examine acls/acl-* in the distribution directory to see how these
+# variables are used.
+# Adjust or override these as necessary for your environment.
+EVAL ${Conf::dacs_cgi_bin_prefix} = "/cgi-bin/dacs"
+#EVAL ${Conf::dacs_sbin_prefix} = "${Conf::DACS_HOME}/sbin"
+EVAL ${Conf::dacs_htdocs_prefix} = ""
+
+# You might consider setting this to ".cgi" or ".exe" so that the default
+# access control rules work for DACS CGI executables.
+#EVAL ${Conf::dacs_cgi_bin_suffix} = ${Conf::CGI_SUFFIX}
+
+# Used by ustamp(), this must be a pathname, not a vfs object
+#EVAL ${Conf::ustamp_seqno} = "${Conf::DACS_HOME}/federations/seqno"
+
+# Enable for testing purposes only!
+ALLOW_HTTP_COOKIE "no"
+
+# See dacs_auth_agent(8)
+AUTH_AGENT_ALLOW_ADMIN_IDENTITY "no"
+
+#LOG_FILE "${Conf::DACS_HOME}/logs/${Conf::JURISDICTION_NAME}-" . strftime("%d-%b-%y") . ".log"
+LOG_FILE "/var/log/dacs/${Conf::JURISDICTION_NAME}.log"
+#LOG_FORMAT ${Env::REMOTE_ADDR:e} ? "[%t] [%l] [%p,%c,%F] [%sp:\"%sm\",%sf:%sl]" : "%a[%l]:"
+#LOG_LEVEL ${Env::REMOTE_ADDR:e} ? "INFO" : undef()
+LOG_LEVEL "notice"
+LOG_SENSITIVE "no"
+# Since it produces a lot of logging when tracing, override the default log
+# level for messages produced by the file crypt.c; for that file only, set
+# the log level to "debug"
+LOG_FILTER 'filename exact debug "crypto.c"'
+
+
+AUTH_FAIL_DELAY_SECS 2
+
+VERIFY_IP "no"
+
+# Override this if you must, but this default will avoid potential problems
+# and assorted complications if a request can be associated with multiple
+# identities
+ACS_CREDENTIALS_LIMIT "1"
+
+# The backward compatible default is to chuck the arguments and continue
+# if there is a problem with POST arguments
+#ACS_POST_EXCEPTION_MODE "discard"
+
+AUTH_CREDENTIALS_ADMIN_LIFETIME_SECS "20"
+AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS "43200"
+
+# Optional: A single DACS username eligible for administrative rights
+# This directive may be repeated to define multiple admins
+#ADMIN_IDENTITY "METALOGIC:rmorriso"
+
+# Default access control handlers
+# Note that these error handlers use local web-paths (relative to the
+# DocumentRoot), not full file pathnames.  For the default configuration to
+# work properly, they require an Apache Alias directive to be configured to map
+# "/handlers" to "${Conf::DACS_HOME}/www/handlers".
+ACS_ERROR_HANDLER    "* /handlers/acs_failed.html"
+
+# Default authentication and signout handlers
+# Since these are relative URLs, the Alias directive must be used as
+# explained above.
+# Note that the syntaxes of these directives are different from that of
+# ACS_ERROR_HANDLER.
+#AUTH_SUCCESS_HANDLER "url /handlers/auth_ok.html"
+AUTH_SUCCESS_HANDLER "url /cgi-bin/dacs/dacs_prenv"
+AUTH_ERROR_HANDLER   "* url /handlers/auth_failed.html"
+SIGNOUT_HANDLER      "url /handlers/signout_ok.html"
+
+# These handlers can only be URLs (absolute or relative)
+NOTICES_ACCEPT_HANDLER "/handlers/notices_accepted.html"
+NOTICES_DECLINE_HANDLER "/handlers/notices_declined.html"
+
+NOTICES_ACK_HANDLER ""
+NOTICES_SECURE_HANDLER "yes"
+NOTICES_WORKFLOW_LIFETIME_SECS 120
+NOTICES_NAT_NAME_PREFIX "NAT-DACS"
+
+SSL_PROG "${Conf::DACS_HOME}/bin/sslclient"
+# Override this if you need it - this example is undoubtedly incorrect
+#SSL_PROG_CA_CRT "${Conf::APACHE_HOME}/conf/dacs.example.com/ssl.crt/server.crt"
+SSL_PROG_CA_CRT "/usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt"
+
+# The default digest algorithm to use for DACS password entries
+PASSWORD_DIGEST "SHA1"
+
+# The URLs for schemas and DTDs used by DACS
+# Configure for your environment
+XSD_BASE_URL "/dtd-xsd"
+DTD_BASE_URL "/dtd-xsd"
+
+# The location of a directory containing the DTDs
+VFS "[dtds]dacs-fs:${Conf::DACS_HOME}/www/dtd-xsd"
+
+# The location of a file containing federation-wide encryption keys
+VFS "[federation_keys]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/federation_keyfile"
+
+# The location of a file containing jurisdiction-specific encryption keys
+VFS "[jurisdiction_keys]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/jurisdiction_keyfile"
+
+# The location of a directory containing the revocation file ("revocations")
+VFS "[revocations]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/acls/revocations"
+
+# The location of the root directory containing jurisdictional ACLs
+VFS "[acls]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/acls"
+
+# The location of the root directory containing default ACLs for DACS services
+#VFS "[dacs_acls]dacs-fs:${Conf::DACS_HOME}/acls"
+VFS "[dacs_acls]dacs-fs:/etc/dacs/acls"
+
+# The location of the root directory for groups
+VFS "[groups]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/groups"
+
+# The pseudo-type mounted on the DACS password file
+VFS "[passwds]dacs-kwv-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/passwd"
+
+# The pseudo-type mounted on the DACS roles file
+VFS "[roles]dacs-kwv-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/roles"
+
+# For dacstoken/local_token_authenticate
+VFS "[auth_token]dacs-kwv-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/auth_tokens"
+VFS "[auth_token_keys]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/auth_token_keys"
+VFS "[auth_token_keys_prev]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/auth_token_keys.prev"
+
+# This partially determines when a user agent will send a DACS cookie.
+# Set it to the most specific URL path under which all DACS-wrapped
+# services appear.  This is particularly important if some CGI programs
+# at the jurisdiction are not trusted, since they might be used to steal
+# DACS identities.
+COOKIE_PATH "/"
+
+HTTP_PROG "${Conf::DACS_HOME}/bin/http"
+
+# InfoCard-related defaults
+# This assumes there is an Apache 'Alias' directive; e.g.,
+#     Alias /infocards "/usr/local/dacs/www/infocards/"
+INFOCARD_CARD_IMAGE_BASE_URL  "${Conf::DACS_HOME}/www/infocards"
+INFOCARD_CARD_OUTPUTDIR       "${Conf::DACS_HOME}/www/infocards/output"
+INFOCARD_IP_PRIVACY_URL       "/infocards/managed_privacy_default.txt"
+INFOCARD_IP_PRIVACY_VERSION   "1"
+
+</Default>
+
+</Configuration>
diff --git a/modules/dacs/manifests/init.pp b/modules/dacs/manifests/init.pp
new file mode 100644
index 00000000..a9e703de
--- /dev/null
+++ b/modules/dacs/manifests/init.pp
@@ -0,0 +1,101 @@
+class dacs {
+    package {
+        "dacs": ensure => installed;
+        "libapache2-mod-dacs": ensure => installed;
+    }
+
+    file {
+        "/etc/dacs/federations":
+             ensure  => directory,
+             owner   => root,
+             group   => www-data,
+             mode    => 750,
+             purge   => true
+             ;
+
+        "/etc/dacs/federations/debian.org/":
+             ensure  => directory,
+             owner   => root,
+             group   => www-data,
+             mode    => 750,
+             purge   => true
+             ;
+
+        "/etc/dacs/federations/debian.org/DEBIAN":
+             ensure  => directory,
+             owner   => root,
+             group   => www-data,
+             mode    => 750,
+             purge   => true
+             ;
+
+        "/etc/dacs/federations/debian.org/DEBIAN/acls":
+             ensure  => directory,
+             owner   => root,
+             group   => www-data,
+             mode    => 750,
+             purge   => true
+             ;
+        
+        "/etc/dacs/federations/debian.org/DEBIAN/groups":
+             ensure  => directory,
+             owner   => root,
+             group   => www-data,
+             mode    => 750,
+             purge   => true
+             ;
+
+        "/etc/dacs/federations/site.conf":
+             source  => [ "puppet:///modules/dacs/per-host/$fqdn/site.conf",
+                          "puppet:///modules/dacs/common/site.conf" ],
+             mode    => 640,
+             owner   => root,
+             group   => www-data
+             ;
+
+        "/etc/dacs/federations/debian.org/DEBIAN/dacs.conf":
+             source  => [ "puppet:///modules/dacs/per-host/$fqdn/dacs.conf",
+                          "puppet:///modules/dacs/common/dacs.conf" ],
+             mode    => 640,
+             owner   => root,
+             group   => www-data
+             ;
+
+        "/etc/dacs/federations/debian.org/DEBIAN/acls/revocations":
+             source  => [ "puppet:///modules/dacs/per-host/$fqdn/revocations",
+                          "puppet:///modules/dacs/common/revocations" ],
+             mode    => 640,
+             owner   => root,
+             group   => www-data
+             ;
+
+        "/etc/dacs/federations/debian.org/DEBIAN/acls/acl-noauth.0":
+             source  => [ "puppet:///modules/dacs/per-host/$fqdn/acl-noauth.0",
+                          "puppet:///modules/dacs/common/acl-noauth.0" ],
+             mode    => 640,
+             owner   => root,
+             group   => www-data
+             notify  => Exec["dacsacl"]
+             ;
+
+        "/etc/dacs/federations/debian.org/DEBIAN/acls/acl-private.0":
+             source  => [ "puppet:///modules/dacs/per-host/$fqdn/acl-private.0",
+                          "puppet:///modules/dacs/common/acl-private.0" ],
+             mode    => 640,
+             owner   => root,
+             group   => www-data
+             notify  => Exec["dacsacl"]
+             ;
+    }
+
+    exec {
+        "dacsacl":
+            command     => "dacsacl -uj DEBIAN",
+            refreshonly => true,
+    }
+
+
+}
+# vim:set et:
+# vim:set sts=4 ts=4:
+# vim:set shiftwidth=4:
-- 
2.39.2