From 158bcd9de6b2832d1a77b6ef572b7698bdc866cb Mon Sep 17 00:00:00 2001 From: Geoff Franks Date: Wed, 27 Apr 2016 11:25:02 -0400 Subject: [PATCH] Enabled Authentication, authorization, and HTTPS enforcement (#19) * Enabled Authentication, authorization, and HTTPS enforcement * Addressed feedback --- ci/release_notes.md | 14 ++++ jobs/nginx/monit | 5 ++ jobs/nginx/spec | 47 ++++++++++++ jobs/nginx/templates/mime.types | 73 +++++++++++++++++++ jobs/nginx/templates/nginx.conf.erb | 68 +++++++++++++++++ jobs/nginx/templates/nginx_ctl | 45 ++++++++++++ jobs/nginx/templates/ssl_crt.erb | 1 + jobs/nginx/templates/ssl_key.erb | 1 + jobs/shield-agent/spec | 5 ++ .../shield-agent/templates/bin/post-start.erb | 34 ++++++--- jobs/shield-daemon/spec | 56 +++++++++++++- .../templates/bin/post-start.erb | 42 ++++++++--- .../templates/config/shieldd.conf.erb | 30 +++++++- packages/nginx/packaging | 19 +++++ packages/nginx/spec | 5 ++ src/shield | 2 +- templates/jobs.yml | 18 ++++- 17 files changed, 439 insertions(+), 26 deletions(-) create mode 100644 jobs/nginx/monit create mode 100644 jobs/nginx/spec create mode 100644 jobs/nginx/templates/mime.types create mode 100644 jobs/nginx/templates/nginx.conf.erb create mode 100644 jobs/nginx/templates/nginx_ctl create mode 100644 jobs/nginx/templates/ssl_crt.erb create mode 100644 jobs/nginx/templates/ssl_key.erb create mode 100644 packages/nginx/packaging create mode 100644 packages/nginx/spec diff --git a/ci/release_notes.md b/ci/release_notes.md index fff9d4ee..71a604d9 100644 --- a/ci/release_notes.md +++ b/ci/release_notes.md 
@@ -1,3 +1,17 @@ +# New Features + +- **Authentication and Authorization!** + SHIELD now supports options for authenticating requests to it! + It supports HTTP Basic authentication, OAuth2 (currently the + only supported provider is github), and API Keys. If no authentication + configuration is provided, SHIELD will default to HTTP Basic Auth, + using a default user/password. +- **SSL Required** + SHIELD now runs behind an nginx instance doing SSL termination. + If you do not specify a key, one will be auto-generated for you, + making an easier transition. Additionally, non-encrypted requests + will be redirected to https for you. + # Bug Fixes - Remove console.log calls from frontend Web UI Javascript, diff --git a/jobs/nginx/monit b/jobs/nginx/monit new file mode 100644 index 00000000..88c40b3c --- /dev/null +++ b/jobs/nginx/monit @@ -0,0 +1,5 @@ +check process nginx + with pidfile /var/vcap/sys/run/nginx/nginx.pid + start program "/var/vcap/jobs/nginx/bin/nginx_ctl start" + stop program "/var/vcap/jobs/nginx/bin/nginx_ctl stop" + group vcap diff --git a/jobs/nginx/spec b/jobs/nginx/spec new file mode 100644 index 00000000..7ff01edf --- /dev/null +++ b/jobs/nginx/spec 
@@ -0,0 +1,47 @@ +--- +name: nginx +templates: + mime.types: config/mime.types + nginx.conf.erb: config/nginx.conf + nginx_ctl: bin/nginx_ctl + ssl_key.erb: config/ssl_key + ssl_crt.erb: config/ssl_crt + +packages: +- nginx + +properties: + shield.daemon.port: + default: 443 + description: "Port to listen on for encrypted traffic" + shield.daemon.http_port: + default: 80 + description: "Port non-encrypted traffic should listen on. Redirects to https_port" + shield.daemon.domain: + description: "Hostname/IP SHIELD is accessed with" + + nginx.worker_processes: + description: 'Number of nginx workers' + default: 2 + nginx.worker_connections: + description: 'Number of nginx connections per worker' + default: 8192 + nginx.keepalive_timeout: + description: 'Timeout for keep-alive connections' + default: '75 20' + nginx.proxy_connect_timeout: + description: 'Timeout for the connection to the upstream server' + default: 300 + nginx.proxy_read_timeout: + description: 'Timeout for read queries to the upstream server' + default: 120 + nginx.proxy_send_timeout: + description: 'Timeout for send queries to the upstream server' + default: 120 + nginx.ssl_timeout: + description: 'Timeout for reusing the previously negotiated cryptographic parameters' + default: 7200 + nginx.ssl_key: + description: 'SSL private key (PEM encoded)' + nginx.ssl_cert: + description: 'SSL Certificate (PEM encoded)' diff --git a/jobs/nginx/templates/mime.types b/jobs/nginx/templates/mime.types new file mode 100644 index 00000000..d3554a49 --- /dev/null +++ b/jobs/nginx/templates/mime.types 
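Review bot: The spec declares the certificate property as `nginx.ssl_cert`, but `jobs/nginx/templates/ssl_crt.erb` in this same commit reads `if_p('nginx.ssl_crt')`, so a certificate an operator supplies under the declared name is never rendered into `config/ssl_crt`; as far as I can tell from `nginx_ctl`, the resulting empty file makes the start script fall through to generating a fresh self-signed pair and silently discard the operator's certificate. Rename one side so they agree, e.g. `<% if_p('nginx.ssl_cert') do |cert| %><%= cert %><% end %>` in ssl_crt.erb. The `shield.daemon.http_port` description also points at a `https_port` property that does not exist; it should read `Redirects to shield.daemon.port`.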
@@ -0,0 +1,73 @@ +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/x-javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + image/svg+xml svg; + + application/java-archive jar war ear; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.ms-excel xls; + application/vnd.ms-powerpoint ppt; + application/vnd.wap.wmlc wmlc; + application/vnd.wap.xhtml+xml xhtml; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream eot; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mpeg mpeg mpg; + video/quicktime mov; + video/x-flv flv; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} \ No newline at end of file 
diff --git a/jobs/nginx/templates/nginx.conf.erb b/jobs/nginx/templates/nginx.conf.erb new file mode 100644 index 00000000..1849c3c0 --- /dev/null +++ b/jobs/nginx/templates/nginx.conf.erb 
@@ -0,0 +1,68 @@ +user vcap; +worker_processes <%= p('nginx.worker_processes') %>; +daemon off; + +error_log /var/vcap/sys/log/nginx/error.log; +pid /var/vcap/sys/run/nginx/nginx.pid; + +events { + use epoll; + worker_connections <%= p('nginx.worker_connections') %>; +} + +http { + include /var/vcap/jobs/nginx/config/mime.types; + default_type text/html; + server_tokens off; + + access_log /var/vcap/sys/log/nginx/access.log; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + + underscores_in_headers on; + + keepalive_timeout <%= p('nginx.keepalive_timeout') %>; + + ssl_session_cache shared:SSL:10m; + + gzip on; + gzip_min_length 1250; + gzip_buffers 16 8k; + gzip_comp_level 2; + gzip_proxied any; + gzip_types application/json application/xml application/xhtml+xml application/javascript application/atom+xml application/rss+xml application/x-font-ttf application/x-javascript application/xml+rss image/svg+xml text/css text/javascript text/plain text/xml; + gzip_vary on; + gzip_disable "MSIE [1-6]\.(?!.*SV1)"; + + upstream shield { + server localhost:8080; + } + + server { + listen <%= p('shield.daemon.http_port') %>; + server_name _; + ssl off; + return 301 https://<%= p('shield.daemon.domain') %>:<%= p('shield.daemon.port') %>$request_uri; + } + + server { + listen <%= p('shield.daemon.port') %>; + server_name _; + server_name_in_redirect off; + + ssl on; + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH; + ssl_certificate /var/vcap/jobs/nginx/config/ssl/ssl_crt; + ssl_certificate_key /var/vcap/jobs/nginx/config/ssl/ssl_key; + ssl_session_timeout <%= p('nginx.ssl_timeout') %>; + add_header Strict-Transport-Security max-age=15768000; + + location / { + proxy_pass http://shield; + } + } +} diff --git a/jobs/nginx/templates/nginx_ctl b/jobs/nginx/templates/nginx_ctl new file mode 100644 index 00000000..7479dd37 --- /dev/null +++ b/jobs/nginx/templates/nginx_ctl 
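Review bot: The TLS server block enables `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` and a cipher list that ends in `HIGH`, which admits non-forward-secret RSA key exchange and CBC suites behind the single ECDHE entry listed first; since this commit introduces HTTPS for the first time there are no existing clients to stay compatible with, so `ssl_protocols TLSv1.2;` and an ECDHE-only, GCM-first list (for example `ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384`) would be the safer starting point. The `location /` block also forwards no client information, so the daemon behind `upstream shield` sees every request as coming from localhost over plain HTTP and loses the real client address for any logging it does. Adding `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto https;` inside the location block addresses that.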
@@ -0,0 +1,45 @@ +#!/bin/bash + +RUN_DIR=/var/vcap/sys/run/nginx +LOG_DIR=/var/vcap/sys/log/nginx +JOB_DIR=/var/vcap/jobs/nginx +CONF_DIR=$JOB_DIR/config +CERTS_DIR=$CONF_DIR/ssl +PIDFILE=$RUN_DIR/nginx.pid + +case $1 in + + start) + mkdir -p $RUN_DIR $LOG_DIR $CERTS_DIR + + echo $$ > $PIDFILE + + # if the properties contain sslproxy.ssl.key & sslproxy.ssl.cert + # the two files below will contain key & cert, then copy them to + # the certificates dir + if [[ -n $(cat $CONF_DIR/ssl_key) && -n $(cat $CONF_DIR/ssl_crt) ]]; then + cp $CONF_DIR/ssl_key $CERTS_DIR + cp $CONF_DIR/ssl_crt $CERTS_DIR + # otherwise, if the key or cert doesn't exist create new ones + elif [[ ! -f $CERTS_DIR/ssl_key || ! -f $CERTS_DIR/ssl_crt ]]; then + openssl req -nodes -new -newkey rsa:2048 -out $CERTS_DIR/ssl.csr \ + -keyout $CERTS_DIR/ssl_key -subj '/O=Bosh/CN=*' + openssl x509 -req -days 3650 -in $CERTS_DIR/ssl.csr \ + -signkey $CERTS_DIR/ssl_key -out $CERTS_DIR/ssl_crt + fi + + exec /var/vcap/packages/nginx/sbin/nginx -c $JOB_DIR/config/nginx.conf \ + >>$LOG_DIR/nginx.stdout.log 2>>$LOG_DIR/nginx.stderr.log + ;; + + stop) + PID=$(head -1 $PIDFILE) + kill $PID + while [ -e /proc/$PID ]; do sleep 0.1; done + rm -f $PIDFILE + ;; + + *) + echo "Usage: nginx_ctl {start|stop}" ;; +esac +exit 0 diff --git a/jobs/nginx/templates/ssl_crt.erb b/jobs/nginx/templates/ssl_crt.erb new file mode 100644 index 00000000..485b27b9 --- /dev/null +++ b/jobs/nginx/templates/ssl_crt.erb @@ -0,0 +1 @@ +<% if_p('nginx.ssl_crt') do |cert| %><%= cert %><% end %> diff --git a/jobs/nginx/templates/ssl_key.erb b/jobs/nginx/templates/ssl_key.erb new file mode 100644 index 00000000..b90e532a --- /dev/null +++ b/jobs/nginx/templates/ssl_key.erb @@ -0,0 +1 @@ +<% if_p('nginx.ssl_key') do |key| %><%= key %><% end %> diff --git a/jobs/shield-agent/spec b/jobs/shield-agent/spec index 93a3abcb..5e0263da 100644 --- a/jobs/shield-agent/spec +++ b/jobs/shield-agent/spec 
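Review bot: In the `start)` branch the private key lands in `$CERTS_DIR/ssl_key` with whatever mode the copy or `openssl req -keyout` produces under the default umask, and the intermediate `ssl.csr` is left beside it; nothing restricts the key file to its owner. After the `fi` add `chmod 0600 $CERTS_DIR/ssl_key` and `rm -f $CERTS_DIR/ssl.csr` (the CSR is only needed for the `openssl x509 -req` step). The comment above the `if` refers to `sslproxy.ssl.key & sslproxy.ssl.cert`, which are not this job's property names; it should name `nginx.ssl_key` and `nginx.ssl_cert`. The script also has no `set -e`, so a failed `openssl` call still reaches `exec .../nginx`, which then fails on a missing certificate rather than with a clear error from the generation step.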
@@ -43,6 +43,11 @@ properties: shield.log_level: description: "Log level for shield processes" default: "info" + shield.provisioning_key: + description: "API Key to use when provisioning jobs, or targets. Required if shield.target or shield.job have data" + shield.skip_ssl_verify: + description: "Boolean to determine if SSL certs will be ignored when provisioning SHIELD data" + default: true shield.target.name: description: "Target name" diff --git a/jobs/shield-agent/templates/bin/post-start.erb b/jobs/shield-agent/templates/bin/post-start.erb index 4c2618c7..f0741359 100644 --- a/jobs/shield-agent/templates/bin/post-start.erb +++ b/jobs/shield-agent/templates/bin/post-start.erb 
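Review bot: `shield.skip_ssl_verify` defaults to `true`, so the provisioning key that post-start exports is sent to `https://<domain>` without the certificate ever being checked unless an operator opts out; the same default is added to `jobs/shield-daemon/spec` in this commit. The default is presumably there because the nginx job generates a self-signed certificate when none is supplied, but the description does not say so, leaving operators who do provide `nginx.ssl_cert` with no cue to turn verification back on. Suggest a description along the lines of `"Skip TLS certificate verification when provisioning SHIELD data. Defaults to true because nginx generates a self-signed certificate when nginx.ssl_cert is unset; set to false once a trusted certificate is deployed"` in both specs.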
@@ -9,21 +9,35 @@ done <% if_p("shield.agent.autoprovision") do |server| %> <% if_p("shield.target.name") do |target_name|%> -export SHIELD_API=<%= server %> +<%# + The SHIELD_API_TOKEN is set here so that the post-start script will fail to render + when provisioning_key is not specified, but the script is about to try to create targets + or jobs +%> +export SHIELD_API_TOKEN=<%= p("shield.provisioning_key") %> -TARGET=$(shield --raw show target <%= target_name %> | jq -r '.uuid // empty') + +<% if p("shield.skip_ssl_verify") %> +export SHIELD_SKIP_SSL_VERIFY=true +<% end %> + +<%# Create a specific config file for shield-agent stuff, to avoid race conditions + in case we are colocated with shield-daemon. %> +shield -c /tmp/.shield_agent_config create backend default https://<%= p("shield.daemon.domain") %>:<%= p("shield.daemon.port") %> + +TARGET=$(shield -c /tmp/.shield_agent_config --raw show target <%= target_name %> | jq -r '.uuid // empty') if [[ -z ${TARGET} ]]; then echo "Creating target" - cat /var/vcap/jobs/shield-agent/config/target.json | shield --raw create target + cat /var/vcap/jobs/shield-agent/config/target.json | shield -c /tmp/.shield_agent_config --raw create target else echo "Editing target" - cat /var/vcap/jobs/shield-daemon/config/target.json | shield --raw edit target + cat /var/vcap/jobs/shield-agent/config/target.json | shield -c /tmp/.shield_agent_config --raw edit target fi <% if_p("shield.job.name", "shield.job.store", "shield.job.retention", "shield.job.schedule") do |job_name, retention, schedule, store| %> -STORE=$(shield --raw show store <%= store %> | jq -r '.uuid // empty') -RETENTION=$(shield --raw show retention policy <%= retention %> | jq -r '.uuid // empty') -SCHEDULE=$(shield --raw show schedule <%= schedule %> | jq -r '.uuid // empty') +STORE=$(shield -c /tmp/.shield_agent_config --raw show store <%= store %> | jq -r '.uuid // empty') +RETENTION=$(shield -c /tmp/.shield_agent_config --raw show retention policy <%= retention 
%> | jq -r '.uuid // empty') +SCHEDULE=$(shield -c /tmp/.shield_agent_config --raw show schedule <%= schedule %> | jq -r '.uuid // empty') cat < /tmp/job.json {"name": "<%= job_name %>", @@ -35,13 +49,13 @@ cat < /tmp/job.json } EOF -JOB=$(shield --raw show job <%= job_name %> | jq -r '.uuid // empty') +JOB=$(shield -c /tmp/.shield_agent_config --raw show job <%= job_name %> | jq -r '.uuid // empty') if [[ -z ${JOB} ]]; then echo "Creating job" - cat /tmp/job.json | shield --raw create job + cat /tmp/job.json | shield -c /tmp/.shield_agent_config --raw create job else echo "Editing job" - cat /tmp/job.json | shield --raw edit job + cat /tmp/job.json | shield -c /tmp/.shield_agent_config --raw edit job fi # End Job diff --git a/jobs/shield-daemon/spec b/jobs/shield-daemon/spec index 43d9f9e9..96f38e96 100644 --- a/jobs/shield-daemon/spec +++ b/jobs/shield-daemon/spec @@ -28,8 +28,14 @@ properties: deployment-scoped default is used. default: "" shield.daemon.port: - description: "port to run daemon" - default: 8080 + description: "port to run daemon (https requests)" + default: 443 + shield.daemon.http_port: + description: "Port for http requests" + default: 80 + shield.daemon.domain: + description: "Hostname/IP SHIELD is accessed with" + shield.daemon.database.port: description: "port for postgres database" shield.daemon.database.host: 
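Review bot: Nothing in either hunk still uses the `server` variable bound by `<% if_p("shield.agent.autoprovision") do |server| %>` — the removed `export SHIELD_API=<%= server %>` was its consumer — so the property's value is now only a presence switch while post-start connects to `https://<%= p("shield.daemon.domain") %>:<%= p("shield.daemon.port") %>` regardless of what the operator set. Either build the backend URL from `server` again or document the property as a boolean; the current shape will surprise anyone who points `autoprovision` at a different host. Separately, `shield -c /tmp/.shield_agent_config` writes the CLI's backend config to a fixed, predictable path in world-writable `/tmp`; a job-owned directory such as `/var/vcap/sys/run/shield-agent` (created with `mkdir -p` first) avoids another local account pre-creating or replacing that file, and the same applies to `/tmp/.shield_daemon_config` in `jobs/shield-daemon/templates/bin/post-start.erb`. The enclosing `if_p` block and the heredoc continue past the end of this hunk.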
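Review bot: The new description for `shield.daemon.port`, `port to run daemon (https requests)`, no longer matches what the property controls: `shieldd.conf.erb` in this commit pins the daemon to `listen_addr: 127.0.0.1:8080`, and the port is consumed by the nginx job as its TLS listener and by the templates that build SHIELD's public URL. A reader of the daemon spec will assume changing it moves the daemon, so say instead `description: "Port nginx listens on for https requests to SHIELD; the daemon itself is bound to 127.0.0.1:8080"`, and the same text fits the copy of the property in `jobs/nginx/spec`. Note also that the default moving from 8080 to 443 changes the port of every existing deployment that does not override it, which deserves an explicit mention in the release notes.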
@@ -40,10 +46,54 @@ properties: description: "password for postgres database" shield.daemon.database.db: description: "db for postgres database" + + shield.daemon.auth.oauth.provider: + description: "OAuth2 provider to use with SHIELD (supported values: 'github')" + shield.daemon.auth.oauth.key: + description: "Auth Key/Client ID to use with the OAuth2 provider" + shield.daemon.auth.oauth.secret: + description: "Auth Secret/Client Secret to use with the OAuth2 provider" + shield.daemon.auth.oauth.authorization.orgs: + description: "List of organizations that users must be members of to access SHIELD. This *MUST* be specified or no one will be able to access SHIELD." + shield.daemon.auth.oauth.sessions.db.port: + description: "port for postgres database" + shield.daemon.auth.oauth.sessions.db.host: + description: "host for postgres database" + shield.daemon.auth.oauth.sessions.db.username: + description: "username for postgres database" + shield.daemon.auth.oauth.sessions.db.password: + description: "password for postgres database" + shield.daemon.auth.oauth.sessions.db.name: + description: "db for postgres database" + shield.daemon.auth.oauth.sessions.max_age: + description: "Maximum age for an authenticated session in seconds" + default: 2592000 + + shield.daemon.auth.basic_user: + description: "Username to use with basic auth for SHIELD (disabled if oauth is enabled)" + default: "admin" + shield.daemon.auth.basic_password: + description: "Password to use with basic auth for SHIELD (disabled if oauth is enabled)" + default: "admin" + + shield.daemon.auth.api_keys: + description: "Map of API keys to grant script-level access to SHIELD (keys are names of keys, values are keys themselves)" + example: | + api_keys: + my_script: AwB6iMPhTHiE7V2ngLNv + autoprovision: KTocoRDwtasU22kiA3Go + shield.log_level: description: "Log level for shield processes" default: "info" + shield.provisioning_key: + description: "API Key to use when provisioning schedules, retention 
policies, or stores. Required if shield.schedule, shield.retention, or shield.store have data" + shield.skip_ssl_verify: + description: "Boolean to determine if SSL certs will be ignored when provisioning SHIELD data" + default: true + + shield.schedule.name: description: "schedule name" shield.schedule.when: @@ -59,4 +109,4 @@ properties: shield.store.plugin: description: "store plugin" shield.store.config: - description: "store config" \ No newline at end of file + description: "store config" diff --git a/jobs/shield-daemon/templates/bin/post-start.erb b/jobs/shield-daemon/templates/bin/post-start.erb index f84906f2..f98bf7a5 100644 --- a/jobs/shield-daemon/templates/bin/post-start.erb +++ b/jobs/shield-daemon/templates/bin/post-start.erb 
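Review bot: `shield.daemon.auth.basic_user`/`basic_password` default to `admin`/`admin`, and because `shieldd.conf.erb` renders the `basic:` section unconditionally, every deployment that does not configure OAuth comes up with a well-known credential on the listener this commit exposes on 443. Dropping the `default:` from `basic_password` makes rendering fail until the operator picks a value, which is the usual BOSH way to force a choice; if the default must stay, the release notes should at least name the credential so operators know what to change. The descriptions claim basic auth is `disabled if oauth is enabled`, which I cannot confirm from the templates in this commit since the `basic:` block is always rendered; that behaviour lives in `src/shield` and is not visible here.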
@@ -6,37 +6,59 @@ do export PATH=${package_bin_dir}:$PATH done -export SHIELD_API=http://localhost:<%= p("shield.daemon.port") %> +<%# Create a specific config file for shield-daemon stuff, to avoid race conditions + in case we are colocated with shield-agent. %> +shield -c /tmp/.shield_daemon_config create backend default https://<%= p("shield.daemon.domain") %>:<%= p("shield.daemon.port") %> + +<% if p("shield.skip_ssl_verify") %> +export SHIELD_SKIP_SSL_VERIFY=true +<% end %> <% if_p("shield.schedule.name") do |schedule| %> -SCHEDULE=$(shield --raw show schedule <%= schedule %> | jq -r '.uuid // empty') +<%# + The SHIELD_API_TOKEN is set here so that the post-start script will fail to render + when provisioning_key is not specified, but the script is about to try to create schedules +%> +export SHIELD_API_TOKEN=<%= p("shield.provisioning_key") %> +SCHEDULE=$(shield -c /tmp/.shield_daemon_config --raw show schedule <%= schedule %> | jq -r '.uuid // empty') if [[ -z ${SCHEDULE} ]]; then echo "Creating schedule" - cat /var/vcap/jobs/shield-daemon/config/schedule.json | shield --raw create schedule + cat /var/vcap/jobs/shield-daemon/config/schedule.json | shield -c /tmp/.shield_daemon_config --raw create schedule else echo "Editing schedule" - cat /var/vcap/jobs/shield-daemon/config/schedule.json | shield --raw edit schedule + cat /var/vcap/jobs/shield-daemon/config/schedule.json | shield -c /tmp/.shield_daemon_config --raw edit schedule fi <% end %> <% if_p("shield.retention.name") do |retention| %> -RETENTION=$(shield --raw show retention policy <%= retention %> | jq -r '.uuid // empty') +<%# + The SHIELD_API_TOKEN is set here so that the post-start script will fail to render + when provisioning_key is not specified, but the script is about to try to create retention + policies +%> +export SHIELD_API_TOKEN=<%= p("shield.provisioning_key") %> +RETENTION=$(shield -c /tmp/.shield_daemon_config --raw show retention policy <%= retention %> | jq -r '.uuid // empty') if 
[[ -z ${RETENTION} ]]; then echo "Creating retention" - cat /var/vcap/jobs/shield-daemon/config/retention.json | shield --raw create retention policy + cat /var/vcap/jobs/shield-daemon/config/retention.json | shield -c /tmp/.shield_daemon_config --raw create retention policy else echo "Editing retention" - cat /var/vcap/jobs/shield-daemon/config/retention.json | shield --raw edit retention policy + cat /var/vcap/jobs/shield-daemon/config/retention.json | shield -c /tmp/.shield_daemon_config --raw edit retention policy fi <% end %> <% if_p("shield.store.name") do |store| %> -STORE=$(shield --raw show store <%= store %> | jq -r '.uuid // empty') +<%# + The SHIELD_API_TOKEN is set here so that the post-start script will fail to render + when provisioning_key is not specified, but the script is about to try to create storess +%> +export SHIELD_API_TOKEN=<%= p("shield.provisioning_key") %> +STORE=$(shield -c /tmp/.shield_daemon_config --raw show store <%= store %> | jq -r '.uuid // empty') if [[ -z ${STORE} ]]; then echo "Creating store" - cat /var/vcap/jobs/shield-daemon/config/store.json | shield --raw create store + cat /var/vcap/jobs/shield-daemon/config/store.json | shield -c /tmp/.shield_daemon_config --raw create store else echo "Editing store" - cat /var/vcap/jobs/shield-daemon/config/store.json | shield --raw edit store + cat /var/vcap/jobs/shield-daemon/config/store.json | shield -c /tmp/.shield_daemon_config --raw edit store fi <% end %> diff --git a/jobs/shield-daemon/templates/config/shieldd.conf.erb b/jobs/shield-daemon/templates/config/shieldd.conf.erb index cfe4cb66..0d74f32d 100644 --- a/jobs/shield-daemon/templates/config/shieldd.conf.erb +++ b/jobs/shield-daemon/templates/config/shieldd.conf.erb 
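Review bot: post-start reaches its own daemon through `https://<%= p("shield.daemon.domain") %>:<%= p("shield.daemon.port") %>`, i.e. out through nginx on the public address, which is why it then needs `SHIELD_SKIP_SSL_VERIFY=true` against the self-signed certificate. Since this commit also pins the daemon to `listen_addr: 127.0.0.1:8080` and nginx reaches it with `proxy_pass http://shield`, the script could instead run `shield -c /tmp/.shield_daemon_config create backend default http://127.0.0.1:8080`, removing the dependency on nginx being up, on the domain resolving from the VM, and on disabling verification for a hop that carries the provisioning key. The ERB comment in the store block has a typo, `storess`. The first two `if_p` blocks are complete within the hunk; the file's leading `for` loop starts before it.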
@@ -1,10 +1,38 @@ --- database_type: postgres database_dsn: "postgres://<%= p("shield.daemon.database.username") %>:<%= p("shield.daemon.database.password") %>@<%= p("shield.daemon.database.host") %>:<%= p("shield.daemon.database.port") %>/<%= p("shield.daemon.database.db") %>?sslmode=disable" -port: <%= p("shield.daemon.port") %> +listen_addr: 127.0.0.1:8080 <% if p("shield.daemon.host_key") != "" %> \ private_key: /var/vcap/jobs/shield-daemon/shared/id_rsa <% else %> private_key: /var/vcap/packages/generated_daemon_key/id_rsa <% end %> web_root: /var/vcap/packages/shield/webui + + +auth: +<% if_p("shield.daemon.auth.api_keys") do |tokens| %> + api_tokens: +<% tokens.each do |k, v| %> + <%= k %>: <%= v %> +<% end %> +<% end %> + basic: + user: <%= p("shield.daemon.auth.basic_user") %> + password: <%= p("shield.daemon.auth.basic_password") %> +<% if_p("shield.daemon.auth.oauth.provider") do |provider| %> + oauth: + provider: <%= provider %> + key: <%= p("shield.daemon.auth.oauth.key") %> + secret: <%= p("shield.daemon.auth.oauth.secret") %> + base_url: https://<%= p("shield.daemon.domain") %>:<%= p("shield.daemon.port") %> + authorization: + orgs: +<% p("shield.daemon.auth.oauth.authorization.orgs").each do |org| %> + - <%= org %> +<% end %> + sessions: + type: "postgres" + dsn: "postgres://<%= p("shield.daemon.auth.oauth.sessions.db.username") %>:<%= p("shield.daemon.auth.oauth.sessions.db.password") %>@<%= p("shield.daemon.auth.oauth.sessions.db.host") %>:<%= p("shield.daemon.auth.oauth.sessions.db.port") %>/<%= p("shield.daemon.auth.oauth.sessions.db.name") %>?sslmode=disable" + max_age: <%= p("shield.daemon.auth.oauth.sessions.max_age") %> +<% end %> diff --git a/packages/nginx/packaging b/packages/nginx/packaging new file mode 100644 index 00000000..ffb4c131 --- /dev/null +++ b/packages/nginx/packaging 
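Review bot: The new `auth:` section interpolates secrets into YAML unquoted — `<%= k %>: <%= v %>` for api_tokens, `user:`/`password:` for basic auth, `key:`/`secret:` for OAuth — so a value containing `: ` or ` #`, starting with `*`, `&` or `[`, or looking numeric or boolean changes the document's meaning or breaks the parse, and the failure only surfaces when the daemon refuses to start. Emitting them with `.to_json` (`password: <%= p("shield.daemon.auth.basic_password").to_json %>`, and likewise for `k`, `v`, `key` and `secret`) yields a valid double-quoted YAML scalar in every case. The sessions `dsn:` also hard-codes `?sslmode=disable`, mirroring the existing `database_dsn` line above it, so session state travels to Postgres unencrypted unless the two are co-located; a comment on the line noting that it deliberately follows the existing setting would make that choice visible. The `basic:` block is rendered even when OAuth is configured; whether that is harmless depends on how the daemon merges the two, which is in `src/shield` and not visible here.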
@@ -0,0 +1,19 @@ +set -e -x + +echo "Extracting pcre..." +tar xzvf nginx/pcre-8.37.tar.gz + +echo "Extracting nginx..." +tar xzvf nginx/nginx-1.8.0.tar.gz + +echo "Building nginx..." +pushd nginx-1.8.0 + ./configure \ + --prefix=${BOSH_INSTALL_TARGET} \ + --with-pcre=../pcre-8.37 \ + --with-http_stub_status_module \ + --with-http_ssl_module + + make + make install +popd diff --git a/packages/nginx/spec b/packages/nginx/spec new file mode 100644 index 00000000..29efcc9e --- /dev/null +++ b/packages/nginx/spec @@ -0,0 +1,5 @@ +--- +name: nginx +files: +- nginx/nginx-1.8.0.tar.gz +- nginx/pcre-8.37.tar.gz diff --git a/src/shield b/src/shield index 0a8d8f1c..e4d06890 160000 --- a/src/shield +++ b/src/shield @@ -1 +1 @@ -Subproject commit 0a8d8f1c0cdd161e9c0f76ad2627634c620d1a5b +Subproject commit e4d068906ec085c9c74a131038cff7fe1e53c134 diff --git a/templates/jobs.yml b/templates/jobs.yml index b12163a1..1ce9a2ce 100644 --- a/templates/jobs.yml +++ b/templates/jobs.yml @@ -13,6 +13,8 @@ jobs: templates: - name: postgres release: shield + - name: nginx + release: shield - name: shield-daemon release: shield - name: shield-agent @@ -31,6 +33,9 @@ properties: - citext: true name: shielddb tag: shield + - citext: true + name: sessionsdb + tag: sessions db_scheme: postgres port: 5524 roles: @@ -40,11 +45,22 @@ properties: shield: daemon: + domain: (( grab jobs.shield.networks.shield1.static_ips.[0] )) database: host: (( grab jobs.shield.networks.shield1.static_ips.[0] )) port: 5524 username: shieldadmin password: admin db: shielddb + auth: + oauth: + sessions: + db: + host: (( grab jobs.shield.networks.shield1.static_ips.[0] )) + port: 5524 + username: shieldadmin + password: admin + name: sessionsdb + agent: - autoprovision: http://localhost:8080 + autoprovision: (( concat "http://" properties.shield.daemon.domain ))
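Review bot: `autoprovision: (( concat "http://" properties.shield.daemon.domain ))` produces an `http://` URL, but the agent's post-start in this commit ignores the property's value and always connects to `https://<domain>:<port>`, so the template now documents a URL that is never used and whose scheme nginx would only redirect. If the property stays a URL it should at least be `(( concat "https://" properties.shield.daemon.domain ))` so it agrees with what the script does; if it becomes a switch, a bare `true` is clearer. The new `sessions.db` block reuses the shielddb credentials `shieldadmin`/`admin`, consistent with the existing block above it, but that is a second copy of a placeholder password in a shipped template and is worth a comment marking it as such. The outer `properties:` map starts before this hunk.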