Page Menu
Home
DevCentral
Search
Configure Global Search
Log In
Files
F3767366
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
22 KB
Referenced Files
None
Subscribers
None
View Options
diff --git a/hotfixes/CVE-2017-6074.sls b/hotfixes/CVE-2017-6074.sls
index cf848d4..895b605 100644
--- a/hotfixes/CVE-2017-6074.sls
+++ b/hotfixes/CVE-2017-6074.sls
@@ -1,25 +1,25 @@
# -------------------------------------------------------------
# Salt — Hotfixes to mitigate bugs and security issues
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2017-02-27
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# CVE-2017-6074
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os_family'] == 'Debian' %}
-/etc/modprobe.d/blacklist-dccp.conf:
+/etc/modprobe.d/blocklist-dccp.conf:
file.managed:
- - source: salt://hotfixes/files/CVE-2017-6074-blacklist-dccp.conf
+ - source: salt://hotfixes/files/CVE-2017-6074-blocklist-dccp.conf
- mode: 644
{% endif %}
{% if grains['os_family'] == 'RedHat' %}
/etc/modprobe.d/disable-dccp.conf:
file.managed:
- source: salt://hotfixes/files/CVE-2017-6074-disable-dccp.conf
- mode: 644
{% endif %}
diff --git a/hotfixes/files/CVE-2017-6074-blacklist-dccp.conf b/hotfixes/files/CVE-2017-6074-blocklist-dccp.conf
similarity index 100%
rename from hotfixes/files/CVE-2017-6074-blacklist-dccp.conf
rename to hotfixes/files/CVE-2017-6074-blocklist-dccp.conf
diff --git a/roles/paas-docker/containers/files/hauk/config.php.jinja b/roles/paas-docker/containers/files/hauk/config.php.jinja
index 8312011..946d311 100644
--- a/roles/paas-docker/containers/files/hauk/config.php.jinja
+++ b/roles/paas-docker/containers/files/hauk/config.php.jinja
@@ -1,282 +1,291 @@
<?php
const CONFIG = [
// The type of storage backend Hauk will use. Valid values include:
// MEMCACHED, REDIS
//
// For MEMCACHED, you need either the `memcached` or `memcache` extensions
// enabled in PHP.
//
// For REDIS, you need `redis` extension enabled. Note that `redis` depends on
// `igbinary`, so if you get an error that a redis extension was not found, even
// though you enabled `redis`, you may have to also install and enable
// `igbinary` in PHP.
"storage_backend" => MEMCACHED,
/*----------------------------------------------------------------------------*\
| MEMCACHED SPECIFIC SETTINGS |
\*----------------------------------------------------------------------------*/
// Connection to memcached for data storage. To connect via UNIX socket instead
// of TCP, set host to 'unix:///path/to/memcached.sock' and port to 0.
"memcached_host" => 'localhost',
"memcached_port" => 11211,
// If you use SASL authentication, change both `memcached_binary` and
// `memcached_use_sasl` to true, and enter your SASL username and password.
// Note: SASL authentication is only supported in the PHP `memcached` extension!
// If you are using `memcache` and need SASL, consider switching to `memcached`.
"memcached_binary" => false,
"memcached_use_sasl" => false,
"memcached_sasl_user" => "",
"memcached_sasl_pass" => "",
// A prefix to use for all variables sent to memcached. Useful if you have a
// shared memcached instance or run multiple instances of Hauk.
"memcached_prefix" => 'hauk',
/*----------------------------------------------------------------------------*\
| REDIS SPECIFIC SETTINGS |
\*----------------------------------------------------------------------------*/
// Connection to Redis for data storage. To connect via UNIX socket instead of
// TCP, set host to '/path/to/redis.sock'.
"redis_host" => 'localhost',
"redis_port" => 6379,
// If you use password authentication in Redis, set `redis_use_auth` to true and
// enter the password in `redis_auth`.
"redis_use_auth" => false,
"redis_auth" => '',
// A prefix to use for all variables sent to Redis. Useful if you have a shared
// Redis instance or run multiple instances of Hauk.
"redis_prefix" => 'hauk',
/*----------------------------------------------------------------------------*\
| AUTHENTICATION |
\*----------------------------------------------------------------------------*/
// Users must be authenticated to use the Hauk server. The default
// authentication method is using a static server password that is shared by all
// users, without the need for a username. You can, however, use other
// authentication methods. Valid values here include:
//
// - PASSWORD: Use a static, shared server password for everyone
// - HTPASSWD: Require a username and separate password for each user
// - LDAP: Authenticate users against an LDAP server
"auth_method" => PASSWORD,
/*----------------------------------------------------------------------------*\
| PASSWORD AUTHENTICATION |
\*----------------------------------------------------------------------------*/
// A hashed password that is required for creating sessions and posting location
// data to Hauk. To generate this value on the terminal:
// - MD5 (insecure!): openssl passwd -1
// - bcrypt (secure): htpasswd -nBC 10 "" | tail -c +2
"password_hash" => '$2y$10$4ZP1iY8A3dZygXoPgsXYV.S3gHzBbiT9nSfONjhWrvMxVPkcFq1Ka',
// Default value above is empty string (no password) and is VERY INSECURE.
// Trust me, you really should change this unless you intentionally want a
// public instance that anyone in the world can use freely.
//
// Also note that users have the option to save the server password locally on
// their devices using a "Remember password" checkbox. If they choose to do so,
// the password will be stored in plain text (unhashed) on their devices. You
// are encouraged to generate a random password to prevent risks associated with
// credential reuse, should the password somehow be leaked from their devices.
/*----------------------------------------------------------------------------*\
| HTPASSWD AUTHENTICATION |
\*----------------------------------------------------------------------------*/
// A file that contains a pairing between users and hashed passwords. To
// generate this file on the terminal:
// - htpasswd -cBC 10 /etc/hauk/users.htpasswd <username>
// To add additional users to an existing file:
// - htpasswd -BC 10 /etc/hauk/users.htpasswd <username>
"htpasswd_path" => '/etc/hauk/users.htpasswd',
/*----------------------------------------------------------------------------*\
| LDAP AUTHENTICATION |
\*----------------------------------------------------------------------------*/
// URI that points to the LDAP server. Use "ldap://" for unencrypted LDAP as
// well as when using StartTLS, use "ldaps://" for regular LDAP over TLS. Port
// number is typically 389 (ldap) or 636 (ldaps).
"ldap_uri" => 'ldaps://ldap.example.com:636',
// Whether or not you wish to use StartTLS. StartTLS cannot be used in
// combination with `ldaps`.
"ldap_start_tls" => false,
// Base DN to search for users.
"ldap_base_dn" => 'ou=People,dc=example,dc=com',
// DN to bind to to perform user search. This should ideally be a read-only
// account as the password is stored in plain-text in this config file.
"ldap_bind_dn" => 'cn=admin,dc=example,dc=com',
"ldap_bind_pass" => 'Adm1nP4ssw0rd',
// A filter that finds the user trying to authenticate. %s is substituted with
// the username provided by the user in the app.
//
// You can also use this to restrict access to Hauk to only authorized users if
// you do not wish to grant all LDAP users permission to use your Hauk instance.
// For example, (&(uid=%s)(memberOf=cn=HaukUsers,ou=Groups,dc=example,dc=com))
// will only let the user connect if they are part of the "HaukUsers" group in
// the "Groups" OU.
"ldap_user_filter" => '(uid=%s)',
/*----------------------------------------------------------------------------*\
| GENERAL SETTINGS |
\*----------------------------------------------------------------------------*/
// Hauk v1.4 and on allows you to request a custom link ID instead of having the
// server randomly generate one. Custom links can use characters A-Z, a-z, 0-9,
// - (dash), and _ (underscore). If you want to disallow the option to request
// custom links, set this to false.
//
// If a user requests particular custom link that is already in use, that user
// will not have their request honored and will get a randomly generated link
// instead.
"allow_link_req" => true,
// If you want certain links to only be usable by some users, you can reserve
// them here. The following example reserves https://example.com/?WheresAlice
// for user "alice" only, and reserves https://example.com/?TheRealBob
// for use by both "bob" and "charlie".
//
// If you use Tasker or another automation platform to automatically start
// sharing to a specific link ID, it's a good idea to specify it here so that
// others cannot use it while you are inactive.
//
// Note that for this setting to have any effect, you have to specify an
// auth_method that requires both a username and a password, such as HTPASSWD.
"reserved_links" => [
'WheresAlice' => ['alice'],
'TheRealBob' => ['bob', 'charlie'],
],
-// If you want to enable pre-approved custom links only, you can choose to
-// enable reservation whitelist mode. If this setting is set to true, custom
+// Nasqueron note:
+// ---------------
+// The following expression can be potentially considered as offensive.
+// The Nasqueron project would so prefer "reserve_allowlist".
+//
+// We use this wording for compatibility pending upstream improvement.
+//
+// Upstream project note:
+// ----------------------
+// "If you want to enable pre-approved custom links only, you can choose to
+// enable reservation [allowlist] mode. If this setting is set to true, custom
// link IDs will only be accepted if they are present in the reserved_links
// array above - requests to share to other links than those in the array will
-// not be honored.
+// not be honored."
"reserve_whitelist" => false,
// The type of links to generate when making new links for shares. Can be any
// of the following:
//
// | Link style | Example | No. of combinations | Avg. bruteforce time |
// +----------------------------+---------------------------------------+-----------------------+-------------------------------+
// | LINK_4_PLUS_4_UPPER_CASE | V8LQ-H2UM | 1.79 * 10^12 (34^8) | 28.3 years |
// | LINK_4_PLUS_4_LOWER_CASE | qae3-ulna | 2.82 * 10^12 (36^8) | 44.7 years |
// | LINK_4_PLUS_4_MIXED_CASE | HEq3-tgJ1 | 1.28 * 10^14 (58^8) | 2030 years |
// | LINK_UUID_V4 | 09c8a3b1-e78f-48b1-a604-0da49e99cb5d | 5.32 * 10^36 (2^122) | 84.2 septillion years |
// | LINK_16_HEX | 6cde14c4c6551b41 | 1.84 * 10^19 (2^64) | 292 million years |
// | LINK_16_UPPER_CASE | WVHA2FNMRT9HSKJK | 3.19 * 10^24 (34^16) | 50.6 trillion years |
// | LINK_16_LOWER_CASE | bdyslxszs14cj359 | 7.95 * 10^24 (36^16) | 126 trillion years |
// | LINK_16_MIXED_CASE | 1Ayh2yUXDe3sdF3S | 1.64 * 10^28 (58^16) | 260 quadrillion years |
// | LINK_32_HEX | 22adf21f11491ae8f3ae128e23a6782f | 3.40 * 10^38 (2^128) | 5.39 octillion years |
// | LINK_32_UPPER_CASE | R88M1Z2KPL27XN8MF73KCRYPHJD4QQMT | 1.02 * 10^49 (34^32) | 161 undecillion years |
// | LINK_32_LOWER_CASE | itgbolrbq1c02eot5o46c5wixhdrdb5m | 6.33 * 10^49 (36^32) | 1 duodecillion years |
// | LINK_32_MIXED_CASE | qf5pqr2UKTUT6vREPPSTuqSKkCMojF17 | 2.69 * 10^56 (58^32) | 4.26 quattuordecillion years |
//
// For any MIXED_CASE variants, upper-case I and lower-case L will not appear
// because they are visually very similar and are easily confused. For the same
// reason, MIXED_CASE and UPPER_CASE variants will not generate 0 and O.
//
// The default value is LINK_4_PLUS_4_UPPER_CASE, which is still considered very
// secure. The bruteforce times in the table below are the average time it would
// take to find a valid sharing link, when there is one link active, at 1000
// guesses per second. For the default setting, this means it would take almost
// 45 years to find the link.
//
// This is assuming that the link is active 24/7 for that entire time. If you
// only have a link active 2% of the time, it would take over 2200 years.
//
// At 1000 guesses per second, you will likely notice that your server is
// noticeably slower and rapidly filling up with access logs.
//
// Very long links are also time-consuming to type, should you find yourself
// in need of typing in a link manually on another computer. This is the reason
// that short links are default.
//
// ---- PLEASE NOTE ----
// This option is provided to you only because several people have requested it
// as a convenience. You are free to change it, but you should know that
// changing the default here gives you, for all intents and purposes, no
// security advantage in practice.
//
"link_style" => LINK_4_PLUS_4_UPPER_CASE,
// Leaflet tile URI template for the map frontend. Here are some examples:
//
// - OpenStreetMap directly:
// https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png
// - Mapbox:
// https://api.tiles.mapbox.com/v4/mapbox.streets/{z}/{x}/{y}.png?access_token=YOUR_ACCESS_TOKEN
// - Thunderforest:
// https://{s}.tile.thunderforest.com/neighbourhood/{z}/{x}/{y}.png?apikey=YOUR_API_KEY
// - Esri:
// https://server.arcgisonline.com/ArcGIS/rest/services/World_Street_Map/MapServer/tile/{z}/{y}/{x}
// - OpenMapSurfer:
// https://maps.heigit.org/openmapsurfer/tiles/roads/webmercator/{z}/{x}/{y}.png
// - Hydda (OSM Sweden):
// https://{s}.tile.openstreetmap.se/hydda/full/{z}/{x}/{y}.png
//
// Make sure you have permission to use the source you choose, and also use a
// proper attribution for that provider.
"map_tile_uri" => 'https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png',
// Attribution HTML code to be displayed in the bottom right corner of the map.
// The default value is suitable for OpenStreetMap tiles.
"map_attribution" => 'Map data © <a href="https://www.openstreetmap.org/">OpenStreetMap</a> contributors, <a href="https://creativecommons.org/licenses/by-sa/2.0/">CC-BY-SA</a>',
// Default and maximum zoom levels allowed on the map (0-20), higher value means
// closer zooming.
"default_zoom" => 14,
"max_zoom" => 19,
// Maximum duration of a single location share, in seconds.
"max_duration" => 86400,
// Minimum time between each location update, in seconds.
"min_interval" => 1,
// The time that should pass without any location updates received, in seconds,
// before the user is marked "offline" on the map.
"offline_timeout" => 30,
// The timeout in seconds for map update requests from the map view. If a web
// request takes this long without a response, the map viewer is considered
// offline and will get a warning notifying them that they have lost their
// network connection.
"request_timeout" => 10,
// Maximum number of data points stored for each share before old points are
// deleted. Map clients will see up to this amount of data points when they load
// the page.
"max_cached_pts" => 3,
// Maximum number of data points that may be visible on the map at any time.
// This is used to draw trails behind the current location map marker. Higher
// values will show longer trails, but may reduce performance.
"max_shown_pts" => 100,
// Number of seconds of data that should be used to calculate velocity.
"v_data_points" => 2,
// The color of the marker trails. HTML color name or #rrggbb hex color code.
"trail_color" => '#d80037',
// The unit of measurement of velocity. Valid are:
// KILOMETERS_PER_HOUR, MILES_PER_HOUR, METERS_PER_SECOND
"velocity_unit" => KILOMETERS_PER_HOUR,
// The publicly accessible URL to reach Hauk, with trailing slash.
"public_url" => '{{ url }}'
];
diff --git a/roles/paas-docker/letsencrypt/files/acme-dns-auth.py b/roles/paas-docker/letsencrypt/files/acme-dns-auth.py
index f47c876..0a233bd 100755
--- a/roles/paas-docker/letsencrypt/files/acme-dns-auth.py
+++ b/roles/paas-docker/letsencrypt/files/acme-dns-auth.py
@@ -1,161 +1,161 @@
#!/usr/bin/env python
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Joona Hoikkala
# License: MIT
# Source file: roles/paas-docker/letsencrypt/files/acme-dns-auth.py
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
import json
import os
import requests
import sys
ACMEDNS_URL = "https://acme.nasqueron.org"
STORAGE_PATH = "/etc/letsencrypt/acmedns.json"
ALLOW_FROM = []
FORCE_REGISTER = False
DOMAIN = os.environ["CERTBOT_DOMAIN"]
if DOMAIN.startswith("*."):
DOMAIN = DOMAIN[2:]
VALIDATION_DOMAIN = "_acme-challenge." + DOMAIN
VALIDATION_TOKEN = os.environ["CERTBOT_VALIDATION"]
class AcmeDnsClient(object):
"""
Handles the communication with ACME-DNS API
"""
def __init__(self, acmedns_url):
self.acmedns_url = acmedns_url
def register_account(self, allowfrom):
"""Registers a new ACME-DNS account"""
if allowfrom:
- # Include whitelisted networks to the registration call
+ # Include allowed networks to the registration call
reg_data = {"allowfrom": allowfrom}
res = requests.post(self.acmedns_url + "/register",
data=json.dumps(reg_data))
else:
res = requests.post(self.acmedns_url + "/register")
if res.status_code == 201:
# The request was successful
return res.json()
else:
# Encountered an error
msg = ("Encountered an error while trying to register a new "
"acme-dns account. HTTP status {}, Response body: {}")
print(msg.format(res.status_code, res.text))
sys.exit(1)
def update_txt_record(self, account, txt):
"""Updates the TXT challenge record to ACME-DNS subdomain."""
update = {"subdomain": account['subdomain'], "txt": txt}
headers = {"X-Api-User": account['username'],
"X-Api-Key": account['password'],
"Content-Type": "application/json"}
res = requests.post(self.acmedns_url + "/update",
headers=headers,
data=json.dumps(update))
if res.status_code == 200:
# Successful update
return
else:
msg = ("Encountered an error while trying to update TXT record in "
"acme-dns. \n"
"------- Request headers:\n{}\n"
"------- Request body:\n{}\n"
"------- Response HTTP status: {}\n"
"------- Response body: {}")
s_headers = json.dumps(headers, indent=2, sort_keys=True)
s_update = json.dumps(update, indent=2, sort_keys=True)
s_body = json.dumps(res.json(), indent=2, sort_keys=True)
print(msg.format(s_headers, s_update, res.status_code, s_body))
sys.exit(1)
class Storage(object):
def __init__(self, storagepath):
self.storagepath = storagepath
self._data = self.load()
def load(self):
"""Reads the storage content from the disk to a dict structure"""
data = dict()
filedata = ""
try:
with open(self.storagepath, 'r') as fh:
filedata = fh.read()
except IOError:
if os.path.isfile(self.storagepath):
# Only error out if file exists, but cannot be read
print("ERROR: Storage file exists but cannot be read")
sys.exit(1)
try:
data = json.loads(filedata)
except ValueError:
if len(filedata) > 0:
# Storage file is corrupted
print("ERROR: Storage JSON is corrupted")
sys.exit(1)
return data
def save(self):
"""Saves the storage content to disk"""
serialized = json.dumps(self._data)
try:
with os.fdopen(os.open(self.storagepath, os.O_WRONLY | os.O_CREAT,
0o600), 'w') as fh:
fh.truncate()
fh.write(serialized)
except IOError:
print("ERROR: Could not write storage file.")
sys.exit(1)
def put(self, key, value):
"""Puts the configuration value to storage and sanitize it"""
# If wildcard domain, remove the wildcard part as this will use the
# same validation record name as the base domain
if key.startswith("*."):
key = key[2:]
self._data[key] = value
def fetch(self, key):
"""Gets configuration value from storage"""
try:
return self._data[key]
except KeyError:
return None
if __name__ == "__main__":
# Init
client = AcmeDnsClient(ACMEDNS_URL)
storage = Storage(STORAGE_PATH)
# Check if an account already exists in storage
account = storage.fetch(DOMAIN)
if FORCE_REGISTER or not account:
# Create and save the new account
account = client.register_account(ALLOW_FROM)
storage.put(DOMAIN, account)
storage.save()
# Display the notification for the user to update the main zone
print("Please add the following CNAME record to your main DNS zone:\n")
print("{} CNAME {}.".format(VALIDATION_DOMAIN, account["fulldomain"]))
# Update the TXT record in acme-dns instance
client.update_txt_record(account, VALIDATION_TOKEN)
File Metadata
Details
Attached
Mime Type
text/x-diff
Expires
Sun, Nov 24, 23:46 (14 h, 14 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2259205
Default Alt Text
(22 KB)
Attached To
Mode
rOPS Nasqueron Operations
Attached
Detach File
Event Timeline
Log In to Comment