From 4b177a7ae20c36dcbc02830cb317b6c8720508ec Mon Sep 17 00:00:00 2001
From: Ondrej Kosarko <ko_ok@centrum.cz>
Date: Fri, 26 Jun 2015 12:00:11 +0000
Subject: [PATCH] testing tomcat8 deploy

---
 .gitignore                            |   1 +
 hiera.yaml                            |   1 +
 manifests/.first.pp.swp               | Bin 12288 -> 0 bytes
 manifests/first.pp                    |   2 +
 modules/tomcat8/files/catalina.policy | 198 ++++++++++++++++++++++++++
 modules/tomcat8/manifests/init.pp     | 120 ++++++++++++++++
 6 files changed, 322 insertions(+)
 delete mode 100644 manifests/.first.pp.swp
 create mode 100755 modules/tomcat8/files/catalina.policy
 create mode 100644 modules/tomcat8/manifests/init.pp

diff --git a/.gitignore b/.gitignore
index be41323..e26240f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.sw[pon]
+hieradata/local.yaml
diff --git a/hiera.yaml b/hiera.yaml
index 5e64c6c..90e0a1e 100644
--- a/hiera.yaml
+++ b/hiera.yaml
@@ -4,4 +4,5 @@
 :yaml:
   :datadir: ./hieradata
 :hierarchy:
+  - local
   - common
diff --git a/manifests/.first.pp.swp b/manifests/.first.pp.swp
deleted file mode 100644
index 82256bc9697a2c113775508c753b8b93354f4d4a..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 12288
zcmeI2zmFS56vro!0s<k?K?lXKXK6v$USHyaU@1t)PX!5@a93cRR^#2VZ|>H+%gn5U
zbsVW88Y+}jbW~IzI%*I#1tt6sG^r8a*<Jf==NyU@DAHTqM{Cc_&b;}&w<}q<gU;TK
zkN6wyF2iw|v0EEo?|yOqJi9YsY$8Tlq}KI3^e6^JYKyIIr`vkHoM+AGFY5_|yvTED
zTUHtyj76%3_+Wye(#E#)e9hI=Oa{onqZzo!u3p*dxH&exm-+J>yN@;<T}=ka02v?y
zWPl8i0Wv@a$iQP|z~<-JZAAP;9rbp7KDTnNztV{ekO4A42FL&zAOmE843GgbKnBPF
z8F&m0h?ueOo@VTu3kV+n|DXN-zki9bd*Cj(4fen%;3jwx{PP@Re}dn@uizK(DYyYT
zpbc8!1;D^x7a98r{0M#k--54z0`G#i!49|rUII^ozn^975AZX%2i^o5;4-)b?mvSV
zz#Sk!8#KXd;3@Ds_Vhit3*7#ufDST12FL&zAOmE843L5U!@vpS_`^{csrmJ{xUaL!
z`c2oiwu5W=S)sIa<KO#SMtyH2Q>lfOtwWU#GjG4Vo=4djFO|k_m{;U+*)JxdB@!!j
zDy*7F!&`<o4&$RxBuW^s$s{J^$J}3cf!|}SiY(F+Q<`%6pfEZ})F3#VjDvRLcs}Dv
zy9%j_Xd&=-5@Af=cLOsmqD1;<L~V*V<Bj89&q!-kIx@Z9IE#x!=E5GF1SZld#|yK|
z+i#nLv$wQ73>!J!IKR$4gtFDX*6xJeZEv>6g@E5ziR}A<N{tms0()6%W--TdD2l{}
zhtTVM3`JsO)8&=(O?#jWH&TubAL#5zrrae(rASYnNQ-euKF@BYyxI@XQeM4D%-r?$
zf?=$x0$EgD6$+n7Z4gd4C{$9W+u!Q0bXDnevH9KY<-W4<THPj7Q&g2zuPfswi(IZ;
zQ7mMu$2Q%;Z|;7~Kit{dS#K=MZD6uOM{@4V3O$mxTsT<luBzlThD4=DO*VvixB7gR
zc?mw49yi;WDOz1}dC-3>ygYcm{Ar*_j*M)kr}JnV<EcxTL6y~?P-A`WmHS<q&uiAL
zwWQVWL2Pmn$$9hA#j{SnKTE)AP$*KoPyWE2S3WX)k=s^P6t0M|z>yd^%Z)S(qbwbU
zb(7n`Y7=&Hpzy#6h1O#FiZ`D2db8nSJ=lA77SO_D$S;d`pwhrC?@FK!VgA@z2n(8B
wsQlR7?5<Y&URC>9B$B{jmQqRi<SCmLTb8<K9rH%luz%tzn17ID1Kh3bUqO@n3;+NC

diff --git a/manifests/first.pp b/manifests/first.pp
index 671d496..baec4cb 100644
--- a/manifests/first.pp
+++ b/manifests/first.pp
@@ -51,3 +51,5 @@
     require => Exec["generate-jinfo"],
     user => 'root',
 }
+
+#### Tomcat 8
diff --git a/modules/tomcat8/files/catalina.policy b/modules/tomcat8/files/catalina.policy
new file mode 100755
index 0000000..e952110
--- /dev/null
+++ b/modules/tomcat8/files/catalina.policy
@@ -0,0 +1,198 @@
+// AUTO-GENERATED FILE from /opt/tomcat8/conf/policy.d/
+
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// ============================================================================
+// catalina.corepolicy - Security Policy Permissions for Tomcat 6
+//
+// This file contains a default set of security policies to be enforced (by the
+// JVM) when Catalina is executed with the "-security" option.  In addition
+// to the permissions granted here, the following additional permissions are
+// granted to the codebase specific to each web application:
+//
+// * Read access to the document root directory
+//
+// $Id: catalina.policy 609294 2008-01-06 11:43:46Z markt $
+// ============================================================================
+
+
+// ========== SYSTEM CODE PERMISSIONS =========================================
+
+
+// These permissions apply to javac
+grant codeBase "file:${java.home}/lib/-" {
+        permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions
+grant codeBase "file:${java.home}/jre/lib/ext/-" {
+        permission java.security.AllPermission;
+};
+
+// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/../lib/-" {
+        permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions when
+// ${java.home} points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/lib/ext/-" {
+        permission java.security.AllPermission;
+};
+// These permissions apply to all JARs from Debian packages
+grant codeBase "file:/usr/share/java/-" {
+  permission java.security.AllPermission;
+};
+grant codeBase "file:/usr/share/maven-repo/-" {
+  permission java.security.AllPermission;
+};
+grant codeBase "file:/usr/share/ant/lib/-" {
+  permission java.security.AllPermission;
+};
+// ========== CATALINA CODE PERMISSIONS =======================================
+
+
+// These permissions apply to the logging API
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+        //permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+        //permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+	permission java.security.AllPermission;
+        permission java.lang.RuntimePermission "shutdownHooks";
+        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
+        permission java.util.PropertyPermission "catalina.base", "read";
+        permission java.util.logging.LoggingPermission "control";
+        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
+        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+        permission java.lang.RuntimePermission "getClassLoader";
+        permission java.lang.RuntimePermission "setContextClassLoader";
+        // To enable per context logging configuration, permit read access to the appropriate file.
+        // Be sure that the logging configuration is secure before enabling such access
+        // eg for the examples web application:
+        // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
+};
+
+// These permissions apply to the server startup code
+grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
+        permission java.security.AllPermission;
+};
+
+// These permissions apply to the servlet API classes
+// and those that are shared across all class loaders
+// located in the "lib" directory
+grant codeBase "file:${catalina.home}/lib/-" {
+        permission java.security.AllPermission;
+};
+// ========== WEB APPLICATION PERMISSIONS =====================================
+
+
+// These permissions are granted by default to all web applications
+// In addition, a web application will be given a read FilePermission
+// and JndiPermission for all files and directories in its document root.
+grant { 
+    // Required for JNDI lookup of named JDBC DataSource's and
+    // javamail named MimePart DataSource used to send mail
+    permission java.util.PropertyPermission "java.home", "read";
+    permission java.util.PropertyPermission "java.naming.*", "read";
+    permission java.util.PropertyPermission "javax.sql.*", "read";
+
+    // OS Specific properties to allow read access
+    permission java.util.PropertyPermission "os.name", "read";
+    permission java.util.PropertyPermission "os.version", "read";
+    permission java.util.PropertyPermission "os.arch", "read";
+    permission java.util.PropertyPermission "file.separator", "read";
+    permission java.util.PropertyPermission "path.separator", "read";
+    permission java.util.PropertyPermission "line.separator", "read";
+
+    // JVM properties to allow read access
+    permission java.util.PropertyPermission "java.version", "read";
+    permission java.util.PropertyPermission "java.vendor", "read";
+    permission java.util.PropertyPermission "java.vendor.url", "read";
+    permission java.util.PropertyPermission "java.class.version", "read";
+    permission java.util.PropertyPermission "java.specification.version", "read";
+    permission java.util.PropertyPermission "java.specification.vendor", "read";
+    permission java.util.PropertyPermission "java.specification.name", "read";
+
+    permission java.util.PropertyPermission "java.vm.specification.version", "read";
+    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
+    permission java.util.PropertyPermission "java.vm.specification.name", "read";
+    permission java.util.PropertyPermission "java.vm.version", "read";
+    permission java.util.PropertyPermission "java.vm.vendor", "read";
+    permission java.util.PropertyPermission "java.vm.name", "read";
+
+    // Required for OpenJMX
+    permission java.lang.RuntimePermission "getAttribute";
+
+    // Allow read of JAXP compliant XML parser debug
+    permission java.util.PropertyPermission "jaxp.debug", "read";
+
+    // Precompiled JSPs need access to this package.
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
+
+    // Example JSPs need those to work properly
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
+    permission java.lang.RuntimePermission "accessDeclaredMembers";
+    
+    // Precompiled JSPs need access to this system property.
+    permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
+
+    // java.io.tmpdir should be usable as a temporary file directory
+    permission java.util.PropertyPermission "java.io.tmpdir", "read";
+    permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";
+
+};
+// You can assign additional permissions to particular web applications by
+// adding additional "grant" entries here, based on the code base for that
+// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
+//
+// Different permissions can be granted to JSP pages, classes loaded from
+// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
+// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
+//
+// For instance, assume that the standard "examples" application
+// included a JDBC driver that needed to establish a network connection to the
+// corresponding database and used the scrape taglib to get the weather from
+// the NOAA web server.  You might create a "grant" entries like this:
+//
+// The permissions granted to the context root directory apply to JSP pages.
+// grant codeBase "file:${catalina.base}/webapps/examples/-" {
+//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+//
+// The permissions granted to the context WEB-INF/classes directory
+// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
+// };
+//
+// The permission granted to your JDBC driver
+// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
+//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// };
+// The permission granted to the scrape taglib
+// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
+//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+
+grant codebase "file:/installations/dspace/-" {
+  permission java.security.AllPermission;
+};
+
+grant codeBase "file:${catalina.home}/webapps/manager/-" {
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.*";
+};
diff --git a/modules/tomcat8/manifests/init.pp b/modules/tomcat8/manifests/init.pp
new file mode 100644
index 0000000..4f8734a
--- /dev/null
+++ b/modules/tomcat8/manifests/init.pp
@@ -0,0 +1,120 @@
+class tomcat8(
+  $install_dir    = hiera('tomcat8::install_dir',    '/opt' ),
+  $ensure         = 'installed',
+  $from           = hiera('tomcat8::from'),
+  $keypath           = hiera('tomcat8::keypath'),
+  ) {
+
+  if $ensure == 'installed' {
+    # Set default exec path for this module
+    Exec { path  => ['/usr/bin', '/usr/sbin', '/bin'] }
+
+	#fixed mirror, version
+        $downloadURI = "http://mirror.hosting90.cz/apache/tomcat/tomcat-8/v8.0.23/bin/apache-tomcat-8.0.23.tar.gz"
+
+    if ! defined(File[$install_dir]) {
+      file { $install_dir:
+        ensure  => directory,
+      }
+    }
+
+    $installerFilename = inline_template('<%= File.basename(@downloadURI) %>')
+
+      exec { 'get_tomcat':
+        cwd     => $install_dir,
+        creates => "${install_dir}/${installerFilename}",
+        command => "wget -c --no-cookies --no-check-certificate \"${downloadURI}\" -O ${installerFilename}",
+        timeout => 600,
+        require => Package['wget'],
+      }
+
+      file { "${install_dir}/${installerFilename}":
+        mode    => '0755',
+        require => Exec['get_tomcat'],
+      }
+
+      if ! defined(Package['wget']) {
+        package { 'wget':
+          ensure =>  present,
+        }
+      }
+
+    # tarball so just extract it.
+      $dirname = regsubst($installerFilename, '(.*)\.tar\.gz', '\1')
+      exec { 'extract_tomcat':
+        cwd     => "${install_dir}/",
+        command => "tar -xzf ${installerFilename}",
+        creates => "${install_dir}/${dirname}",
+        require => Exec['get_tomcat'],
+      }
+
+      file { "${install_dir}/tomcat8":
+    	ensure => link,
+	    target => "${install_dir}/${dirname}",
+	    require => Exec['extract_tomcat'],
+      }
+
+    $var_dirs = ["/var/lib/tomcat8", "/var/lib/tomcat8/temp", "/var/lib/tomcat8/webapps",
+    "/var/log/tomcat8", "/var/cache/tomcat8", "/var/cache/tomcat8/Catalina"]
+    file {$var_dirs:
+        ensure => directory,
+    }
+    file { '/var/lib/tomcat8/logs':
+        ensure => link,
+        target => '/var/log/tomcat8',
+    }
+    file { '/var/lib/tomcat8/work':
+        ensure => link,
+        target => '/var/cache/tomcat8',
+    }
+    file { '/var/lib/tomcat8/conf':
+        ensure => link,
+        target => "${install_dir}/tomcat8/conf",
+    }
+    file{ '/var/lib/tomcat8/work/catalina.policy':
+        ensure => file,
+        source => 'puppet:///modules/tomcat8/catalina.policy',
+    }
+    exec { 'scp_policy.d':
+        command => "scp -r -i ${keypath} -o StrictHostKeyChecking=no ${from}:/opt/tomcat8/conf/policy.d ${install_dir}/tomcat8/conf/",
+        creates => "${install_dir}/tomcat8/conf/policy.d",
+        require => File["${install_dir}/tomcat8"],
+    }
+    exec { 'scp_init_script':
+        command => "scp -r -i ${keypath} -o StrictHostKeyChecking=no ${from}:/etc/init.d/tomcat8 /etc/init.d/",
+        creates => "/etc/init.d/tomcat8",
+        require => File["${install_dir}/tomcat8"],
+        notify => Exec['cleanup_init']
+    }
+    exec {'cleanup_init':
+        command => "sed -i -e \"s/tomcat6/tomcat/g\" -e \"s#/opt/\$NAME#${install_dir}/tomcat8#g\" /etc/init.d/tomcat8"
+    }
+    #user { "tomcat":
+    #    ensure => present,
+    #    managehome => true,
+    #    shell => '/bin/bash',
+    #}
+    #service { "tomcat8":
+    #    ensure => running,
+    #    enable => true,
+    #    reguire => Exec['scp_init_scrip'],
+    #}
+
+#probe
+#native
+#user on files
+
+
+    # Ensure that files belong to tomcat
+    #file {$java_home:
+    #  recurse   => true,
+    #  owner     => root,
+    #  group     => root,
+    #  subscribe => Exec['extract_tomcat'],
+    #}
+
+    # Set links depending on osfamily or operating system fact
+  }
+}
+
+class { 'tomcat8':}