++changelog

__sshd_config: Whitelist OpenBMC

See merge request ungleich-public/cdist!980

cdist/conf/type/__letsencrypt_cert/explorer/certbot-path

@@ -0,0 +1,3 @@
+#!/bin/sh -e
+
+command -v certbot 2>/dev/null || true

cdist/conf/type/__letsencrypt_cert/explorer/certificate-data

@@ -1,78 +0,0 @@
-#!/bin/sh -e
-certbot_path="$(command -v certbot 2>/dev/null || true)"
-# Defaults
-certificate_exists="no"
-certificate_is_test="no"
-
-if [ -n "${certbot_path}" ]; then
-	# Find python executable that has access to certbot's module
-	python_path=$(sed -n '1s/^#! *//p' "${certbot_path}")
-
-	# Use a lock for cdist due to certbot not exiting with failure
-	# or having any flags for concurrent use.
-	_certbot() {
-		${python_path} - 2>/dev/null <<EOF
-from certbot.main import main
-import fcntl
-lock_file = "/tmp/certbot.cdist.lock"
-timeout=60
-with open(lock_file, 'w') as fd:
-    for i in range(timeout):
-        try:
-            # Get exclusive lock
-            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
-            break
-        except:
-            # Wait if that fails
-            import time
-            time.sleep(1)
-    else:
-        # Timed out, exit with failure
-        import sys
-        sys.exit(1)
-    # Do list certificates
-    main(["certificates", "--cert-name", "${__object_id:?}"])
-EOF
-	}
-
-
-	_certificate_exists() {
-		if grep -q "  Certificate Name: ${__object_id:?}$"; then
-			echo yes
-		else
-			echo no
-		fi
-	}
-
-	_certificate_is_test() {
-		if grep -q 'INVALID: TEST_CERT'; then
-			echo yes
-		else
-			echo no
-		fi
-	}
-
-	_certificate_domains() {
-		grep '    Domains: ' | cut -d ' ' -f 6- | tr ' ' '\n'
-	}
-
-	# Get data about all available certificates
-	certificates="$(_certbot)"
-
-	# Check whether or not the certificate exists
-	certificate_exists="$(echo "${certificates}" | _certificate_exists)"
-
-	# Check whether or not the certificate is for testing
-	certificate_is_test="$(echo "${certificates}" | _certificate_is_test)"
-
-	# Get domains for certificate
-	certificate_domains="$(echo "${certificates}" | _certificate_domains)"
-fi
-
-# Return received data
-cat <<EOF
-certbot_path:${certbot_path}
-certificate_exists:${certificate_exists}
-certificate_is_test:${certificate_is_test}
-${certificate_domains}
-EOF

cdist/conf/type/__letsencrypt_cert/explorer/certificate-domains

@@ -0,0 +1,8 @@
+#!/bin/sh -e
+
+certbot_path=$("${__type_explorer}/certbot-path")
+if [ -n "${certbot_path}" ]
+then
+	certbot certificates --cert-name "${__object_id:?}" | grep '    Domains: ' | \
+		cut -d ' ' -f 6- | tr ' ' '\n'
+fi

cdist/conf/type/__letsencrypt_cert/explorer/certificate-exists

@@ -0,0 +1,13 @@
+#!/bin/sh -e
+
+certbot_path=$("${__type_explorer}/certbot-path")
+if [ -n "${certbot_path}" ]
+then
+	if certbot certificates | grep -q "  Certificate Name: ${__object_id:?}$"; then
+		echo yes
+	else
+		echo no
+	fi
+else
+	echo no
+fi

cdist/conf/type/__letsencrypt_cert/explorer/certificate-is-test

@@ -0,0 +1,14 @@
+#!/bin/sh -e
+
+certbot_path=$("${__type_explorer}/certbot-path")
+if [ -n "${certbot_path}" ]
+then
+	if certbot certificates --cert-name "${__object_id:?}" | \
+		grep -q 'INVALID: TEST_CERT'; then
+		echo yes
+	else
+		echo no
+	fi
+else
+	echo no
+fi

cdist/conf/type/__letsencrypt_cert/gencode-remote

@@ -1,10 +1,6 @@
 #!/bin/sh -e
 
-_explorer_var() {
-	grep "^$1:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2-
-}
-
-certificate_exists="$(_explorer_var certificate_exists)"
+certificate_exists=$(cat "${__object:?}/explorer/certificate-exists")
 name="${__object_id:?}"
 state=$(cat "${__object}/parameter/state")
 
@@ -33,9 +29,8 @@ case "${state}" in
 		fi
 
 		if [ "${certificate_exists}" = "yes" ]; then
-			existing_domains=$(mktemp "${TMPDIR:-/tmp}/existing_domains.cdist.XXXXXXXXXX")
-			tail -n +4 "${__object:?}/explorer/certificate-data" | grep -v '^$' > "${existing_domains}"
-			certificate_is_test="$(_explorer_var certificate_is_test)"
+			existing_domains="${__object}/explorer/certificate-domains"
+			certificate_is_test=$(cat "${__object}/explorer/certificate-is-test")
 
 			sort -uo "${requested_domains}" "${requested_domains}"
 			sort -uo "${existing_domains}" "${existing_domains}"

cdist/conf/type/__letsencrypt_cert/manifest

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-certbot_fullpath="$(grep "^certbot_path:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2-)"
+certbot_fullpath="$(cat "${__object:?}/explorer/certbot-path")"
 state=$(cat "${__object}/parameter/state")
 os="$(cat "${__global:?}/explorer/os")"
 

cdist/conf/type/__pyvenv/man.rst

@@ -61,7 +61,7 @@ EXAMPLES
     __pyvenv /home/foo/fooenv --pyvenv /usr/local/bin/pyvenv-3.4
 
     # Create python virtualenv for user foo.
-    __pyvenv /home/foo/fooenv --group foo --user foo
+    __pyvenv /home/foo/fooenv --group foo --owner foo
 
     # Create python virtualenv with specific parameters.
     __pyvenv /home/services/djangoenv --venvparams "--copies --system-site-packages"

cdist/conf/type/__ssh_authorized_key/explorer/entry

@@ -25,6 +25,7 @@ type_and_key="$(tr ' ' '\n' < "$__object/parameter/key"| awk '/^(ssh|ecdsa)-[^ ]
 if [ -n "${type_and_key}" ]
 then
     file="$(cat "$__object/parameter/file")"
+    test -e "$file" || exit 0
 
     # get any entries that match the type and key
 

cdist/conf/type/__ssh_authorized_key/gencode-remote

@@ -37,9 +37,9 @@ tmpfile=\$(mktemp ${file}.cdist.XXXXXXXXXX)
 # preserve ownership and permissions of existing file
 if [ -f "$file" ]; then
    cp -p "$file" "\$tmpfile"
+   grep -v -F -x '$line' '$file' >\$tmpfile
 fi
-grep -v -F -x '$line' '$file' > \$tmpfile || true
-mv -f "\$tmpfile" "$file"
+cat "\$tmpfile" >"$file"
 DONE
 }
 

cdist/conf/type/__sshd_config/manifest

@@ -39,7 +39,14 @@ in
 	(freebsd|netbsd|openbsd)
 		# whitelist
 		;;
+	(openbmc-phosphor)
+		# whitelist
+		# OpenBMC can be configured with dropbear and OpenSSH.
+		# If dropbear is used, the state explorer will already fail because it
+		# cannot find the sshd binary.
+		;;
 	(*)
+		: "${__type:?}"  # make shellcheck happy
 		printf 'Your operating system (%s) is currently not supported by this type (%s)\n' \
 			"${os}" "${__type##*/}" >&2
 		printf 'Please contribute an implementation for it if you can.\n' >&2

cdist/config.py

@@ -420,6 +420,9 @@ class Config:
                 exec_path=sys.argv[0],
                 save_output_streams=args.save_output_streams)
 
+            # Make __global state dir available to custom remote scripts.
+            os.environ['__global'] = local.base_path
+
             remote = cdist.exec.remote.Remote(
                 target_host=target_host,
                 remote_exec=remote_exec,

docs/changelog

@@ -2,6 +2,12 @@ Changelog
 ---------
 
 next:
+	* Type __pyvenv: Fix user example in man page (Dennis Camera)
+	* Core: config: Make local state directory available to custom remotes (Steven Armstrong
+	* Type __ssh_authorized_key: grep only if file exists (Dennis Camera)
+	* Type __sshd_config: Whitelist OpenBMC (Dennis Camera)
+
+6.9.5: 2021-02-28
 	* Core: preos: Fix passing cdist debug parameter (Darko Poljak)
 	* Type __sshd_config: Produce error if invalid config is generated, fix processing of AuthenticationMethods and AuthorizedKeysFile, document explorer bug (Dennis Camera)
 	* Explorer memory: Fix result units; support Solaris (Dennis Camera)