From eea0c23020f6f38c632925941d3d4b5fe8784c9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20Peccatte?=
Date: Wed, 21 Jun 2017 11:47:13 +0200
Subject: [PATCH] Fixes #10962: Add ssl based authentication to policies
---
 .../system/distributePolicy/1.0/apache-acl.st | 71 +++++++++++++++++++
 .../system/distributePolicy/1.0/ca.cert.st | 1 +
 .../system/distributePolicy/1.0/metadata.xml | 16 ++++-
 .../1.0/rudder-share-acl-24.conf.st | 8 +++
 .../1.0/rudder-share-acl.conf.st | 7 ++
 5 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100644 techniques/system/distributePolicy/1.0/apache-acl.st
 create mode 100644 techniques/system/distributePolicy/1.0/ca.cert.st
 create mode 100644 techniques/system/distributePolicy/1.0/rudder-share-acl-24.conf.st
 create mode 100644 techniques/system/distributePolicy/1.0/rudder-share-acl.conf.st
diff --git a/techniques/system/distributePolicy/1.0/apache-acl.st b/techniques/system/distributePolicy/1.0/apache-acl.st
new file mode 100644
index 000000000..0915aeba9
--- /dev/null
+++ b/techniques/system/distributePolicy/1.0/apache-acl.st
@@ -0,0 +1,71 @@
+#####################################################################################
+# Copyright 2017 Normation SAS
+#####################################################################################
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, Version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+#####################################################################################
+
+bundle agent apache_acl
+{
+
+ vars:
+ "destination" string => "/opt/rudder/etc";
+ "acl_file[nodes_22]" string => "rudder-share-acl.conf";
+ "acl_file[nodes_24]" string => "rudder-share-acl-24.conf";
+ "ssl_ca_file" string => "ca.cert"
+ "index" slist => getindices("acl_file");
+ redhat::
+ "apache_service" string => "httpd";
+ !redhat::
+ "apache_service" string => "apache2";
+ files:
+ "${destination}/${acl_file[${index}]}"
+ create => "true",
+ perms => mog("600", "root", "0"),
+ copy_from => local_cp("${this.promise_dirname}/${acl_file[${index}]}")
+ classes => rudder_common_classes("rudder_apache_acl"),
+ comment => "Writing rudder apache ACL";
+ "${destination}/ssl/${ssl_ca_file}"
+ create => "true",
+ perms => mog("600", "root", "0"),
+ copy_from => local_cp("${this.promise_dirname}/${ssl_ca_file}")
+ classes => rudder_common_classes("rudder_apache_acl"),
+ comment => "Writing rudder apache ACL";
+ methods:
+ rudder_apache_acl_repaired::
+ "any" usebundle => service_reload("${apache_service}");
+ rudder_apache_acl_ok.!rudder_apache_acl_repaired.!rudder_apache_acl_error::
+ "any" usebundle => rudder_common_report("DistributePolicy", "result_success", "&TRACKINGKEY&", "Configure apache ACL", "None", "Apache ACLs are correct");
+
+ rudder_apache_acl_repaired.!rudder_apache_acl_error::
+ "any" usebundle => rudder_common_report("DistributePolicy", "result_repaired", "&TRACKINGKEY&", "Configure apache ACL", "None", "Apache ACLs have been repaired");
+
+ rudder_apache_acl_error::
+ "any" usebundle => rudder_common_report("DistributePolicy", "result_error", "&TRACKINGKEY&", "Configure apache ACL", "None", "Apache ACLs could not be edited");
+
+ rudder_apache_acl_repaired::
+ "any" usebundle => rudder_common_report("DistributePolicy", "log_info", "&TRACKINGKEY&", "Configure apache ACL", "None", "Apache has been reloaded successfully"),
+ ifvarclass => "${apache_service}_repaired"
+
+ "any" usebundle => rudder_common_report("DistributePolicy", "result_error", "&TRACKINGKEY&", "Configure apache ACL", "None", "Apache failed to reload"),
+ ifvarclass => "${apache_service}_error"
+}
diff --git a/techniques/system/distributePolicy/1.0/ca.cert.st b/techniques/system/distributePolicy/1.0/ca.cert.st
new file mode 100644
index 000000000..846f59dee
--- /dev/null
+++ b/techniques/system/distributePolicy/1.0/ca.cert.st
@@ -0,0 +1 @@
+&MANAGED_NODES_CERT_PEM&
diff --git a/techniques/system/distributePolicy/1.0/metadata.xml b/techniques/system/distributePolicy/1.0/metadata.xml
index 6163f3900..3d86442d1 100644
--- a/techniques/system/distributePolicy/1.0/metadata.xml
+++ b/techniques/system/distributePolicy/1.0/metadata.xml
@@ -23,12 +23,23 @@ along with this program. If not, see . install_rsyslogd propagatePromises sendInventoryToCmdb + apache-acl + + + false + + + false + + + false + clientlist/clientlist.cf false
@@ -42,7 +53,6 @@ along with this program. If not, see . false - distributePolicy/1.0/nodeslist.json false 
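Review bot: As rendered here, several promises in bundle apache_acl are not terminated: `"ssl_ca_file" string => "ca.cert"` has no closing `;`, both `copy_from => local_cp(...)` attributes have no comma before the following `classes =>`, and the two `ifvarclass => "${apache_service}_..."` attributes have no closing `;`, which CFEngine rejects at parse time unless those characters were lost in this rendering. The intended lines are `"ssl_ca_file" string => "ca.cert";`, `copy_from => local_cp("${this.promise_dirname}/${acl_file[${index}]}"),` (and likewise for the ssl_ca_file copy), and `ifvarclass => "${apache_service}_repaired";` with `ifvarclass => "${apache_service}_error";`. The CA-bundle file promise reuses the ACL promise's `comment => "Writing rudder apache ACL"`; giving it `comment => "Writing rudder apache SSL CA file"` lets agent logs tell an ACL write failure from a CA write failure. The classes `${apache_service}_repaired` and `${apache_service}_error` that drive the reload reports are presumably set by service_reload, which is outside this hunk.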
@@ -61,6 +71,9 @@ along with this program. If not, see . SHARED_FILES_FOLDER STORE_ALL_CENTRALIZED_LOGS_IN_FILE MANAGED_NODES_IP + MANAGED_NODES_CERT_UUID + MANAGED_NODES_CERT_CN + MANAGED_NODES_CERT_PEM AUTHORIZED_NETWORKS NOVA RUDDER_REPORTS_DB_NAME
@@ -76,5 +89,6 @@ along with this program. If not, see .
+
diff --git a/techniques/system/distributePolicy/1.0/rudder-share-acl-24.conf.st b/techniques/system/distributePolicy/1.0/rudder-share-acl-24.conf.st
new file mode 100644
index 000000000..fd5934b8a
--- /dev/null
+++ b/techniques/system/distributePolicy/1.0/rudder-share-acl-24.conf.st
@@ -0,0 +1,8 @@
+&MANAGED_NODES_CERT_UUID, MANAGED_NODES_CERT_CN: {uuid, cn |
+Alias /policies/&uuid& /var/rudder/share/&uuid&
+
+ AuthMerging And
+ Require user &cn&
+
+
+&
diff --git a/techniques/system/distributePolicy/1.0/rudder-share-acl.conf.st b/techniques/system/distributePolicy/1.0/rudder-share-acl.conf.st
new file mode 100644
index 000000000..1078d9d9d
--- /dev/null
+++ b/techniques/system/distributePolicy/1.0/rudder-share-acl.conf.st
@@ -0,0 +1,7 @@
+&MANAGED_NODES_CERT_UUID, MANAGED_NODES_CERT_CN: {uuid, cn |
+Alias /policies/&uuid& /var/rudder/share/&uuid&
+
+ Require user &cn&
+
+
+&
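Review bot: `Require user &cn&` in both rudder-share-acl-24.conf.st and rudder-share-acl.conf.st inserts the certificate CN unquoted, and `Require user` takes a whitespace-separated list of names, so a CN containing a space would be read as several user names and the directory would no longer be bound to exactly one certificate; writing it as `Require user "&cn&"` should keep the whole CN as a single identifier, and a CN containing a double quote would still have to be rejected when the file is generated. The `&uuid&` in `Alias /policies/&uuid& /var/rudder/share/&uuid&` has the same shape — nothing in the template constrains it, so the server-side generation presumably validates it; a header line in each template such as `# uuid and cn are taken verbatim from the node certificates and must contain no whitespace or quotes` would record that assumption where the next maintainer edits the file. The enclosing `<Directory>` lines that scope these `Require` directives are not visible in this rendering, so whether the per-node restriction applies only under the aliased share path cannot be confirmed here.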