From e4f71e9b379cd95767d478ac8d1a7cdabc200702 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vincent=20Membr=C3=A9?=
Date: Wed, 12 Oct 2022 16:28:55 +0200
Subject: [PATCH 1/9] Tagging plugin 1.12 of auth-backends

---
 auth-backends/build.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth-backends/build.conf b/auth-backends/build.conf
index d6c09daf2..414851f49 100644
--- a/auth-backends/build.conf
+++ b/auth-backends/build.conf
@@ -22,7 +22,7 @@ plugin-web-description="

This plugin provides additionnal authentication backe
 # - x.y(.z): plugin major.minor.micro. Micro should be omitted. When omitted, z is assumed to be 0.
 # For the build, we split the information between two properties, rudder branch and plugin version,
 # which must be concaneted with "-" to build the plugin version.
-plugin-branch=1.12-SNAPSHOT
+plugin-branch=1.12
 # rudder branch comes from parent
 plugin-version=${rudder-branch}-${plugin-branch}

From 04e45bd665ae35e0c2d6706b8b5cf2c190d622c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vincent=20Membr=C3=A9?=
Date: Wed, 12 Oct 2022 16:28:55 +0200
Subject: [PATCH 2/9] next version 1.13 of plugin auth-backends

---
 auth-backends/build.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth-backends/build.conf b/auth-backends/build.conf
index 414851f49..38e314dbc 100644
--- a/auth-backends/build.conf
+++ b/auth-backends/build.conf
@@ -22,7 +22,7 @@ plugin-web-description="

This plugin provides additionnal authentication backe
 # - x.y(.z): plugin major.minor.micro. Micro should be omitted. When omitted, z is assumed to be 0.
 # For the build, we split the information between two properties, rudder branch and plugin version,
 # which must be concaneted with "-" to build the plugin version.
-plugin-branch=1.12
+plugin-branch=1.13-SNAPSHOT
 # rudder branch comes from parent
 plugin-version=${rudder-branch}-${plugin-branch}

From 3cf9dbc3b8a6eaf69a3d34eb9d9ef7e6450c8097 Mon Sep 17 00:00:00 2001
From: ElaadF
Date: Tue, 8 Nov 2022 10:29:30 +0100
Subject: [PATCH 3/9] Fixes #22057: Unbound variable INV for glpi-plugin send-one command

---
 glpi/bin/glpi-plugin | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/glpi/bin/glpi-plugin b/glpi/bin/glpi-plugin
index 5e03f2af6..9aa15943c 100755
--- a/glpi/bin/glpi-plugin
+++ b/glpi/bin/glpi-plugin
@@ -27,9 +27,9 @@ case "${ACTION}" in
 ;;
 send-one)
+ INV=$(ls -1 "${INVENTORIES_DIR}" | egrep "$2.*\.ocs$")
 echo "[ ] Sending inventory ${INVENTORIES_DIR}/${INV} to GLPI..."
 #shellcheck disable=SC2012
- INV=$(ls -1 "${INVENTORIES_DIR}" | egrep "$2.*\.ocs$")
 FIC="${INVENTORIES_DIR}"/"${INV}"
 [ ! -r "${FIC}" ] && echo "No file candidate for $2" && exit 1
 send_inventory "${INVENTORIES_DIR}"/"${INV}"

From 1e58202be82ed7a26ded633a4bcb1d88308a9bee Mon Sep 17 00:00:00 2001
From: ElaadF
Date: Fri, 20 Jan 2023 05:05:29 +0100
Subject: [PATCH 4/9] Fixes #22188: Changes made by validated users still need to be validated

---
 .../rudder/plugin/ChangeValidationConf.scala | 41 +++++++++++----
 .../changevalidation/ValidationNeeded.scala | 52 ++-----------------
 2 files changed, 35 insertions(+), 58 deletions(-)

diff --git a/change-validation/src/main/scala/bootstrap/rudder/plugin/ChangeValidationConf.scala b/change-validation/src/main/scala/bootstrap/rudder/plugin/ChangeValidationConf.scala
index b82aa5183..494a26226 100644
--- a/change-validation/src/main/scala/bootstrap/rudder/plugin/ChangeValidationConf.scala
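Review bot: The `#shellcheck disable=SC2012` directive no longer covers the `ls` it was written for: the moved `INV=$(ls -1 ...)` line now sits above the `echo`, while the directive stays below it and annotates the `FIC=` assignment instead, so the suppression is dead and shellcheck will flag the `ls` again. Move the directive with the assignment, i.e. `#shellcheck disable=SC2012` directly above `INV=$(ls -1 "${INVENTORIES_DIR}" | egrep "$2.*\.ocs$")`. Separately, `$2` is interpolated unanchored and unescaped into the regex, so an empty value or one containing regex metacharacters selects a different inventory than the caller named, and a multi-file match leaves several lines in `INV`; anchoring the pattern with `^` and failing when `INV` contains more than one line would make `send-one` deterministic. The enclosing `case "${ACTION}" in` block starts before the hunk.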
+++ b/change-validation/src/main/scala/bootstrap/rudder/plugin/ChangeValidationConf.scala
@@ -59,7 +59,6 @@ import com.normation.plugins.changevalidation.RoWorkflowJdbcRepository
 import com.normation.plugins.changevalidation.SupervisedTargetsReposiory
 import com.normation.plugins.changevalidation.TopBarExtension
 import com.normation.plugins.changevalidation.TwoValidationStepsWorkflowServiceImpl
-import com.normation.plugins.changevalidation.UserValidationNeeded
 import com.normation.plugins.changevalidation.ValidatedUserMapper
 import com.normation.plugins.changevalidation.ValidationNeeded
 import com.normation.plugins.changevalidation.WoChangeRequestJdbcRepository
@@ -92,6 +91,9 @@ import net.liftweb.common.Full
 import com.normation.box._
 import com.normation.plugins.changevalidation.EmailNotificationService
 import com.normation.plugins.changevalidation.NotificationService
+import com.normation.plugins.changevalidation.RoValidatedUserRepository
+import net.liftweb.common.EmptyBox
+import net.liftweb.common.Failure
 /*
 * The validation workflow level
@@ -102,6 +104,7 @@ class ChangeValidationWorkflowLevelService(
 , validationWorkflowService: TwoValidationStepsWorkflowServiceImpl
 , validationNeeded : Seq[ValidationNeeded]
 , workflowEnabledByUser : () => Box[Boolean]
+ , validatedUserRepo: RoValidatedUserRepository
 ) extends WorkflowLevelService {
@@ -131,16 +134,34 @@ class ChangeValidationWorkflowLevelService(
 }
 /**
- * Methode to use to combine several validationNeeded check. It's the same for all objects?
+ * Methode to use to combine several validationNeeded check.
+ * Note that a validated user will prevent workflow to be performed, no other validationNeeded check will be executed
 */
 def combine[T](checkFn:(ValidationNeeded, EventActor, T) => Box[Boolean], checks: Seq[ValidationNeeded], actor: EventActor, change: T): Box[WorkflowService] = {
- getWorkflow(validationNeeded.foldLeft(Full(false): Box[Boolean]) { case (shouldValidate, nextCheck) =>
- shouldValidate.flatMap {
- // logic is "or": if previous should validate is true, don't check following
- case true => Full(true)
- case false => checkFn(nextCheck, actor, change)
- }
- })
+ def getWorkflowAux = {
+ getWorkflow(validationNeeded.foldLeft(Full(false): Box[Boolean]) { case (shouldValidate, nextCheck) =>
+ shouldValidate.flatMap {
+ // logic is "or": if previous should validate is true, don't check following
+ case true => Full(true)
+ case false => checkFn(nextCheck, actor, change)
+ }
+ })
+ }
+
+ /*
+ * Here we check if there is a validated user that should not be subject to any validation workflow
+ * if there is no validated user, we iterate over `checks: Seq[ValidationNeeded]` to verify if there
+ * there is a specific workflow.
+ *
+ * Check why we decided to separate the validated user logic from `ValidationNeeded` objects :
+ * https://issues.rudder.io/issues/22188#note-5
+ */
+
+ validatedUserRepo.get(actor) match {
+ case Full(Some(_)) => getWorkflow(Full(false))
+ case Full(None) => getWorkflowAux
+ case eb : EmptyBox => eb ?~ s"Could get user from validated user list when checking validation workflow"
+ }
 }
 override def getForRule(actor: EventActor, change: RuleChangeRequest): Box[WorkflowService] = {
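Review bot: The new `getWorkflowAux` still folds over the class field `validationNeeded` and never reads the `checks` parameter, while the new comment claims "we iterate over `checks: Seq[ValidationNeeded]`", so either the fold should become `getWorkflow(checks.foldLeft(Full(false): Box[Boolean]) { ... })` or the comment and the unused parameter should go (the callers are outside this hunk, so confirm they always pass the same sequence before changing the fold). The failure path has also changed meaning: the removed `UserValidationNeeded` mapped any repository error to "validation needed", whereas `case eb : EmptyBox => eb ?~ ...` now returns a `Failure` from `combine`, so whether a lookup error blocks or waves through the change depends on how callers of `getForRule`/`getForDirective` treat a `Failure`; that should be fail-closed and stated in a comment next to the match. The message in that branch should read `"Could not get user from validated user list when checking validation workflow"` (and it needs no `s` interpolator). Since a hit in the validated-user list now short-circuits every `ValidationNeeded` oracle, including the supervised-group check, a one-line comment above the match saying that membership in that list is the single control to audit would help the next maintainer. The class `ChangeValidationWorkflowLevelService` starts before the hunk and `getForRule` continues after it.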
@@ -248,9 +269,9 @@ object ChangeValidationConf extends RudderPluginModule {
 , RudderConfig.roNodeGroupRepository
 , RudderConfig.nodeInfoService
 )
- , new UserValidationNeeded(roValidatedUserRepository)
 )
 , () => RudderConfig.configService.rudder_workflow_enabled().toBox
+ , roValidatedUserRepository
 )
 )
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/ValidationNeeded.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/ValidationNeeded.scala
index 620cc2807..4ac320886 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/ValidationNeeded.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/ValidationNeeded.scala
@@ -15,7 +15,6 @@ import com.normation.rudder.services.workflows.NodeGroupChangeRequest
 import com.normation.rudder.services.workflows.RuleChangeRequest
 import net.liftweb.common.Box
 import net.liftweb.common.Full
-
 import com.normation.box._
 object bddMock {
@@ -28,6 +27,9 @@ object bddMock {
 /**
 * Check is an external validation is needed for the change, given some
 * arbitrary rules defined in implementation.
+ *
+ * Validated user will be checked directly in `combine` method, it will not follow this logic
+ * (see https://issues.rudder.io/issues/22188#note-5)
 */
 trait ValidationNeeded {
 def forRule (actor: EventActor, change: RuleChangeRequest ): Box[Boolean]
@@ -36,53 +38,6 @@ trait ValidationNeeded {
 def forGlobalParam(actor: EventActor, change: GlobalParamChangeRequest): Box[Boolean]
 }
-class UserValidationNeeded(repo: RoValidatedUserRepository) extends ValidationNeeded {
-
- override def forDirective(actor: EventActor, change: DirectiveChangeRequest): Box[Boolean] = {
- repo.get(actor) match {
- case Full(ea) =>
- ea match {
- case Some(_) => Full(false)
- case None => Full(true)
- }
- case _ => Full(true)
- }
- }
-
- override def forGlobalParam(actor: EventActor, change: GlobalParamChangeRequest): Box[Boolean] = {
- repo.get(actor) match {
- case Full(ea) =>
- ea match {
- case Some(_) => Full(false)
- case None => Full(true)
- }
- case _ => Full(true)
- }
- }
-
- override def forNodeGroup(actor: EventActor, change: NodeGroupChangeRequest): Box[Boolean] = {
- repo.get(actor) match {
- case Full(ea) =>
- ea match {
- case Some(_) => Full(false)
- case None => Full(true)
- }
- case _ => Full(true)
- }
- }
- override def forRule(actor: EventActor, change: RuleChangeRequest): Box[Boolean] = {
- repo.get(actor) match {
- case Full(ea) =>
- ea match {
- case Some(_) => Full(false)
- case None => Full(true)
- }
- case _ => Full(true)
- }
- }
-}
-
-
 /*
 * A version of the "validationNeeded" plugin which bases its oracle on a list
 * of group. The list of group is used to mark nodes.
@@ -96,6 +51,7 @@ class UserValidationNeeded(repo: RoValidatedUserRepository) extends ValidationNe
 * - a modification in a directive is validated if it as at least configured in one rule where modification
 * are supervised.
+ *
+ * Note that a validated user will always bypass this validation (see https://issues.rudder.io/issues/22188#note-5)
 */
 class NodeGroupValidationNeeded(
 monitoredTargets: () => Box[Set[SimpleTarget]]

From a63f3816abe71b82eee9d840bec55b1df28dc21a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vincent=20Membr=C3=A9?=
Date: Fri, 3 Mar 2023 12:01:52 +0100
Subject: [PATCH 5/9] Nightly version was not update to 6.2.21

---
 main-build.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main-build.conf b/main-build.conf
index 7708c3c3b..8d68e7299 100644
--- a/main-build.conf
+++ b/main-build.conf
@@ -24,4 +24,4 @@ lib-common-private=1.3
 # Version of Rudder used to build the plugin.
 # It defined the API/ABI used and it is important for binary compatibility
 rudder-build-version=6.2.13
-rudder-build-version-nightly=6.2.20-SNAPSHOT
+rudder-build-version-nightly=6.2.21-SNAPSHOT

From 686af4e7270bd70acbc45976f3dca2d8647e8886 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vincent=20Membr=C3=A9?=
Date: Fri, 3 Mar 2023 14:09:41 +0100
Subject: [PATCH 6/9] Set release version to 6.2.20 because there is some issues with 6.2.13

---
 main-build.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main-build.conf b/main-build.conf
index 8d68e7299..8cdb3d0c4 100644
--- a/main-build.conf
+++ b/main-build.conf
@@ -23,5 +23,5 @@ lib-common-private=1.3
 # Version of Rudder used to build the plugin.
 # It defined the API/ABI used and it is important for binary compatibility
-rudder-build-version=6.2.13
+rudder-build-version=6.2.20
 rudder-build-version-nightly=6.2.21-SNAPSHOT

From 5d700ea9e3e8f97ac88e36d3bcfc60f4897e1b04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vincent=20Membr=C3=A9?=
Date: Fri, 3 Mar 2023 16:20:10 +0100
Subject: [PATCH 7/9] Prepare Change validation 6.2-1.16 release

---
 change-validation/build.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/change-validation/build.conf b/change-validation/build.conf
index dfa66f286..755a4d53c 100644
--- a/change-validation/build.conf
+++ b/change-validation/build.conf
@@ -22,7 +22,7 @@ plugin-web-description=

Enable configuration change requests and validation wo
 # - x.y(.z): plugin major.minor.micro. Micro should be omitted. When omitted, z is assumed to be 0.
 # For the build, we split the information between two properties, rudder branch and plugin version,
 # which must be concaneted with "-" to build the plugin version.
-plugin-branch=1.16-SNAPSHOT
+plugin-branch=1.16
 # rudder branch comes from parent
 plugin-version=${rudder-branch}-${plugin-branch}

From 45ea5d71508d0801f01dab8cfd39b17831506e49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vincent=20Membr=C3=A9?=
Date: Fri, 3 Mar 2023 16:21:15 +0100
Subject: [PATCH 8/9] Set to Change validation to next nightly version

---
 change-validation/build.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/change-validation/build.conf b/change-validation/build.conf
index 755a4d53c..f40a6dae6 100644
--- a/change-validation/build.conf
+++ b/change-validation/build.conf
@@ -22,7 +22,7 @@ plugin-web-description=

Enable configuration change requests and validation wo
 # - x.y(.z): plugin major.minor.micro. Micro should be omitted. When omitted, z is assumed to be 0.
 # For the build, we split the information between two properties, rudder branch and plugin version,
 # which must be concaneted with "-" to build the plugin version.
-plugin-branch=1.16
+plugin-branch=1.17-SNAPSHOT
 # rudder branch comes from parent
 plugin-version=${rudder-branch}-${plugin-branch}

From 5403de6c32510723fc2766e9c6a45101a6a22bf1 Mon Sep 17 00:00:00 2001
From: Nicolas Charles
Date: Tue, 7 Mar 2023 22:14:17 +0100
Subject: [PATCH 9/9] Fixes #22441: secrets are leaking at the install of the plugin

---
 ansible-policies/packaging/postinst | 2 +-
 ansible-policies/packaging/prerm | 2 +-
 api-authorizations/packaging/postinst | 2 +-
 auth-backends/packaging/postinst | 2 +-
 branding/packaging/postinst | 2 +-
 change-validation/packaging/postinst | 2 +-
 cis/packaging/postinst | 2 +-
 cis/packaging/prerm | 2 +-
 create-node-api/packaging/postinst | 2 +-
 datasources/packaging/postinst | 2 +-
 glpi/packaging/postinst | 2 +-
 helloworld/packaging/postinst | 2 +-
 node-external-reports/packaging/postinst | 2 +-
 notify/packaging/postinst | 2 +-
 openscap/packaging/postinst | 2 +-
 openscap/packaging/prerm | 2 +-
 qa-test | 6 +++---
 scale-out-relay/packaging/postinst | 2 +-
 user-management/packaging/postinst | 2 +-
 zabbix/packaging/postinst | 2 +-
 20 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/ansible-policies/packaging/postinst b/ansible-policies/packaging/postinst
index 7fd1fd03f..de9592099 100755
--- a/ansible-policies/packaging/postinst
+++ b/ansible-policies/packaging/postinst
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xe
+set -e
 PLUGIN_FULL_NAME="rudder-plugin-ansible-policies"
 PRETTY_NAME="Ansible Policies"
 CONFIGURATION_PATH=/var/rudder/packages/$PLUGIN_FULL_NAME
diff --git a/ansible-policies/packaging/prerm b/ansible-policies/packaging/prerm
index 1abd502ff..2420805ff 100755
--- a/ansible-policies/packaging/prerm
+++ b/ansible-policies/packaging/prerm
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xe
+set -e
 PLUGIN_FOLDER="/var/rudder/packages/rudder-plugin-ansible-policies"
 # Remove techniques
diff --git a/api-authorizations/packaging/postinst b/api-authorizations/packaging/postinst
index cad6a108a..d61d104c1 100755
--- a/api-authorizations/packaging/postinst
+++ b/api-authorizations/packaging/postinst
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xe
+set -e
 # create table for Rudder data sources plugin:
 # note that if you installed Rudder 4.1~alpha or 4.1~beta1, or a previous version
 # of the plugin, you can skip that step (which would fail with a "table exists" error)
diff --git a/auth-backends/packaging/postinst b/auth-backends/packaging/postinst
index dcdb13c3f..09a558bf5 100755
--- a/auth-backends/packaging/postinst
+++ b/auth-backends/packaging/postinst
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xe
+set -e
 # add post-installation script, like:
 # psql -U rudder -h localhost -d rudder -f /opt/rudder/share/plugins/authbackends/AuthBackends-schema.sql
diff --git a/branding/packaging/postinst b/branding/packaging/postinst
index ffbf42c70..ad66c9bd0 100755
--- a/branding/packaging/postinst
+++ b/branding/packaging/postinst
@@ -1,3 +1,3 @@
 #!/bin/bash
-set -xe
+set -e
diff --git a/change-validation/packaging/postinst b/change-validation/packaging/postinst
index e3bd01cc8..843b70621 100755
--- a/change-validation/packaging/postinst
+++ b/change-validation/packaging/postinst
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xe
+set -e
 SQL_CREDENTIALS=$(grep -c -E "^rudder.jdbc.(username|password)[ \t]*=" /opt/rudder/etc/rudder-web.properties || true)
 if [ -f /opt/rudder/etc/rudder-web.properties -a ${SQL_CREDENTIALS} -eq 2 ]; then
diff --git a/cis/packaging/postinst b/cis/packaging/postinst
index 9dc6647d6..f23d07606 100755
--- a/cis/packaging/postinst
+++ b/cis/packaging/postinst
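Review bot: Dropping `-x` in change-validation/packaging/postinst stops bash from tracing every expanded command into the package manager's output, which is the right fix for a script that reads `rudder.jdbc.password`, but the `SQL_CREDENTIALS` line visible here only counts matches, so the lines that actually extract the password lie further down the script, outside this hunk; confirm they never place it on a command line (visible to every local user via `ps`) and use `PGPASSWORD` or a `.pgpass` file if they do. It is also worth recording the reason at the top of the script, e.g. `# Do not enable set -x here: the trace would print the database credentials read below (#22441)`, so the flag is not reintroduced by the next debugging session. A minor robustness point on the `if` line: when `rudder-web.properties` is missing, `grep -c` writes nothing to stdout and `${SQL_CREDENTIALS} -eq 2` is left with an empty operand, so `"${SQL_CREDENTIALS:-0}" -eq 2` keeps the test well-formed.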
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xe
+set -e
 CONFIG_REPO=/var/rudder/configuration-repository
 CATEGORY="{category}"
 C_CATEGORY=$(echo $CATEGORY | sed "s/[^a-zA-Z0-9_]/_/g")
diff --git a/cis/packaging/prerm b/cis/packaging/prerm
index e7af186b1..dcae9d802 100755
--- a/cis/packaging/prerm
+++ b/cis/packaging/prerm
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xe
+set -e
 NAME="{plugin-id}"
 PLUGIN_FOLDER="/var/rudder/packages/rudder-plugin-${NAME}"
diff --git a/create-node-api/packaging/postinst b/create-node-api/packaging/postinst
index cbfb9f6c2..056aa863d 100755
--- a/create-node-api/packaging/postinst
+++ b/create-node-api/packaging/postinst
@@ -1,4 +1,4 @@
 #!/bin/bash
-set -xe
+set -e
 # add post-installation script, like:
diff --git a/datasources/packaging/postinst b/datasources/packaging/postinst
index 4a0f183d9..8ca07f7ae 100755
--- a/datasources/packaging/postinst
+++ b/datasources/packaging/postinst
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xe
+set -e
 # Postinstall for Rudder datasource plugin
 RUDDER_OPT="/opt/rudder"
diff --git a/glpi/packaging/postinst b/glpi/packaging/postinst
index 340b051cc..c9a993626 100755
--- a/glpi/packaging/postinst
+++ b/glpi/packaging/postinst
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xe
+set -e
 CONFFILE="/opt/rudder/etc/glpi.conf"
 echo "15 7 * * * /opt/rudder/bin/glpi-plugin send-all" > /etc/cron.d/glpi-rudder
diff --git a/helloworld/packaging/postinst b/helloworld/packaging/postinst
index d2577bb0a..2005ff9b3 100755
--- a/helloworld/packaging/postinst
+++ b/helloworld/packaging/postinst
@@ -1,2 +1,2 @@
 #!/bin/bash
-set -xe
+set -e
diff --git a/node-external-reports/packaging/postinst b/node-external-reports/packaging/postinst
index ffbf42c70..ad66c9bd0 100755
--- a/node-external-reports/packaging/postinst
+++ b/node-external-reports/packaging/postinst
@@ -1,3 +1,3 @@
 #!/bin/bash
-set -xe
+set -e
diff --git a/notify/packaging/postinst b/notify/packaging/postinst
index 93617268f..482c3e17e 100755
--- a/notify/packaging/postinst
+++ b/notify/packaging/postinst
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xe
+set -e
 CONFFILE="/opt/rudder/etc/notify.conf"
diff --git a/openscap/packaging/postinst b/openscap/packaging/postinst
index e38d31df8..d75e6c42f 100755
--- a/openscap/packaging/postinst
+++ b/openscap/packaging/postinst
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xe
+set -e
 PLUGIN_NAME="openscap"
 PRETTY_NAME="OpenSCAP Policies"
 CONFIGURATION_PATH=/opt/rudder/share/plugins/$PLUGIN_NAME
diff --git a/openscap/packaging/prerm b/openscap/packaging/prerm
index 04ea675c0..6183f19b0 100755
--- a/openscap/packaging/prerm
+++ b/openscap/packaging/prerm
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xe
+set -e
 PLUGIN_FOLDER="/var/rudder/packages/rudder-plugin-openscap"
 # Remove techniques
diff --git a/qa-test b/qa-test
index 4ae57dbfe..2eb6d00cb 100755
--- a/qa-test
+++ b/qa-test
@@ -46,15 +46,15 @@ test_typos()
 test_scripts()
 {
- # plugin packaging scripts (postinst, etc...) must have the set -xe enabled
+ # plugin packaging scripts (postinst, etc...) must have the set -e enabled
 RESULT=0
 find . -name "packaging" -type d -not -path "./src/*"| while IFS="" read -r directory
 do
 for file in $directory/*; do
 if sed -n '1p' $file | grep -q "#\!/bin/bash"; then
- if ! grep -q "set -xe" "$file"; then
- echo "$file does not seem to contain mandatory 'set -xe' line"
+ if ! grep -q "set -e" "$file"; then
+ echo "$file does not seem to contain mandatory 'set -e' line"
 RESULT=1
 fi
 fi
diff --git a/scale-out-relay/packaging/postinst b/scale-out-relay/packaging/postinst
index d4d74eedf..f552bab52 100755
--- a/scale-out-relay/packaging/postinst
+++ b/scale-out-relay/packaging/postinst
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xe
+set -e
 # Force policy regeneration at restart
 touch /opt/rudder/etc/trigger-policy-generation
 cp /opt/rudder/share/plugins/scale-out-relay/server-node-to-relay /opt/rudder/share/commands/
diff --git a/user-management/packaging/postinst b/user-management/packaging/postinst
index 31e405989..1079d4756 100755
--- a/user-management/packaging/postinst
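Review bot: The relaxed check in `test_scripts` (qa-test) only asserts that `set -e` appears somewhere in the file; it no longer rejects tracing, so a packaging script that later re-adds `set -x` (or uses `set -ex`) passes the gate that #22441 depends on, and the substring match also accepts a comment that merely mentions the phrase. Add a negative test beside the existing one, e.g. `if grep -qE '^[[:space:]]*set -[a-z]*x' "$file"; then echo "$file enables xtrace, which would leak secrets to the install log"; RESULT=1; fi`, and anchor the positive pattern as `grep -qE '^[[:space:]]*set -e'`. Separately, `RESULT=1` is assigned inside the `find … | while read` loop, which bash runs in a subshell, so unless `lastpipe` is enabled somewhere above this hunk the parent's `RESULT` stays 0 and the check can never fail the run; `while … done < <(find …)` keeps the assignment in the current shell. The body of `test_scripts` continues past the end of the hunk.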
+++ b/user-management/packaging/postinst
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xe
+set -e
 # add post-installation script, like:
diff --git a/zabbix/packaging/postinst b/zabbix/packaging/postinst
index a44ad099f..12acd1cd3 100755
--- a/zabbix/packaging/postinst
+++ b/zabbix/packaging/postinst
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -xe
+set -e
 CONFFILE="/opt/rudder/etc/zabbix.conf"