
diff --git a/hotfixes/CVE-2017-6074.sls b/hotfixes/CVE-2017-6074.sls
index cf848d4..895b605 100644
--- a/hotfixes/CVE-2017-6074.sls
+++ b/hotfixes/CVE-2017-6074.sls
@@ -1,25 +1,25 @@
# -------------------------------------------------------------
# Salt — Hotfixes to mitigate bugs and security issues
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2017-02-27
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# CVE-2017-6074
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os_family'] == 'Debian' %}
-/etc/modprobe.d/blacklist-dccp.conf:
+/etc/modprobe.d/blocklist-dccp.conf:
file.managed:
- - source: salt://hotfixes/files/CVE-2017-6074-blacklist-dccp.conf
+ - source: salt://hotfixes/files/CVE-2017-6074-blocklist-dccp.conf
- mode: 644
{% endif %}
{% if grains['os_family'] == 'RedHat' %}
/etc/modprobe.d/disable-dccp.conf:
file.managed:
- source: salt://hotfixes/files/CVE-2017-6074-disable-dccp.conf
- mode: 644
{% endif %}
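Review bot: Changing the managed path to `/etc/modprobe.d/blocklist-dccp.conf` leaves the previously deployed `/etc/modprobe.d/blacklist-dccp.conf` in place on hosts that already applied this state, since nothing removes it. Both files would then blacklist DCCP, which is harmless for the mitigation itself, but the orphaned file stays outside Salt's control and will confuse later audits of the directory. Adding a cleanup state next to the new one, `/etc/modprobe.d/blacklist-dccp.conf:` followed by `file.absent`, inside the same Debian branch keeps the host converging to exactly what the repository describes.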
diff --git a/hotfixes/files/CVE-2017-6074-blacklist-dccp.conf b/hotfixes/files/CVE-2017-6074-blocklist-dccp.conf
similarity index 100%
rename from hotfixes/files/CVE-2017-6074-blacklist-dccp.conf
rename to hotfixes/files/CVE-2017-6074-blocklist-dccp.conf
diff --git a/roles/paas-docker/containers/files/hauk/config.php.jinja b/roles/paas-docker/containers/files/hauk/config.php.jinja
index 8312011..946d311 100644
--- a/roles/paas-docker/containers/files/hauk/config.php.jinja
+++ b/roles/paas-docker/containers/files/hauk/config.php.jinja
@@ -1,282 +1,291 @@
<?php
const CONFIG = [
// The type of storage backend Hauk will use. Valid values include:
// MEMCACHED, REDIS
//
// For MEMCACHED, you need either the `memcached` or `memcache` extensions
// enabled in PHP.
//
// For REDIS, you need `redis` extension enabled. Note that `redis` depends on
// `igbinary`, so if you get an error that a redis extension was not found, even
// though you enabled `redis`, you may have to also install and enable
// `igbinary` in PHP.
"storage_backend" => MEMCACHED,
/*----------------------------------------------------------------------------*\
| MEMCACHED SPECIFIC SETTINGS |
\*----------------------------------------------------------------------------*/
// Connection to memcached for data storage. To connect via UNIX socket instead
// of TCP, set host to 'unix:///path/to/memcached.sock' and port to 0.
"memcached_host" => 'localhost',
"memcached_port" => 11211,
// If you use SASL authentication, change both `memcached_binary` and
// `memcached_use_sasl` to true, and enter your SASL username and password.
// Note: SASL authentication is only supported in the PHP `memcached` extension!
// If you are using `memcache` and need SASL, consider switching to `memcached`.
"memcached_binary" => false,
"memcached_use_sasl" => false,
"memcached_sasl_user" => "",
"memcached_sasl_pass" => "",
// A prefix to use for all variables sent to memcached. Useful if you have a
// shared memcached instance or run multiple instances of Hauk.
"memcached_prefix" => 'hauk',
/*----------------------------------------------------------------------------*\
| REDIS SPECIFIC SETTINGS |
\*----------------------------------------------------------------------------*/
// Connection to Redis for data storage. To connect via UNIX socket instead of
// TCP, set host to '/path/to/redis.sock'.
"redis_host" => 'localhost',
"redis_port" => 6379,
// If you use password authentication in Redis, set `redis_use_auth` to true and
// enter the password in `redis_auth`.
"redis_use_auth" => false,
"redis_auth" => '',
// A prefix to use for all variables sent to Redis. Useful if you have a shared
// Redis instance or run multiple instances of Hauk.
"redis_prefix" => 'hauk',
/*----------------------------------------------------------------------------*\
| AUTHENTICATION |
\*----------------------------------------------------------------------------*/
// Users must be authenticated to use the Hauk server. The default
// authentication method is using a static server password that is shared by all
// users, without the need for a username. You can, however, use other
// authentication methods. Valid values here include:
//
// - PASSWORD: Use a static, shared server password for everyone
// - HTPASSWD: Require a username and separate password for each user
// - LDAP: Authenticate users against an LDAP server
"auth_method" => PASSWORD,
/*----------------------------------------------------------------------------*\
| PASSWORD AUTHENTICATION |
\*----------------------------------------------------------------------------*/
// A hashed password that is required for creating sessions and posting location
// data to Hauk. To generate this value on the terminal:
// - MD5 (insecure!): openssl passwd -1
// - bcrypt (secure): htpasswd -nBC 10 "" | tail -c +2
"password_hash" => '$2y$10$4ZP1iY8A3dZygXoPgsXYV.S3gHzBbiT9nSfONjhWrvMxVPkcFq1Ka',
// Default value above is empty string (no password) and is VERY INSECURE.
// Trust me, you really should change this unless you intentionally want a
// public instance that anyone in the world can use freely.
//
// Also note that users have the option to save the server password locally on
// their devices using a "Remember password" checkbox. If they choose to do so,
// the password will be stored in plain text (unhashed) on their devices. You
// are encouraged to generate a random password to prevent risks associated with
// credential reuse, should the password somehow be leaked from their devices.
/*----------------------------------------------------------------------------*\
| HTPASSWD AUTHENTICATION |
\*----------------------------------------------------------------------------*/
// A file that contains a pairing between users and hashed passwords. To
// generate this file on the terminal:
// - htpasswd -cBC 10 /etc/hauk/users.htpasswd <username>
// To add additional users to an existing file:
// - htpasswd -BC 10 /etc/hauk/users.htpasswd <username>
"htpasswd_path" => '/etc/hauk/users.htpasswd',
/*----------------------------------------------------------------------------*\
| LDAP AUTHENTICATION |
\*----------------------------------------------------------------------------*/
// URI that points to the LDAP server. Use "ldap://" for unencrypted LDAP as
// well as when using StartTLS, use "ldaps://" for regular LDAP over TLS. Port
// number is typically 389 (ldap) or 636 (ldaps).
"ldap_uri" => 'ldaps://ldap.example.com:636',
// Whether or not you wish to use StartTLS. StartTLS cannot be used in
// combination with `ldaps`.
"ldap_start_tls" => false,
// Base DN to search for users.
"ldap_base_dn" => 'ou=People,dc=example,dc=com',
// DN to bind to to perform user search. This should ideally be a read-only
// account as the password is stored in plain-text in this config file.
"ldap_bind_dn" => 'cn=admin,dc=example,dc=com',
"ldap_bind_pass" => 'Adm1nP4ssw0rd',
// A filter that finds the user trying to authenticate. %s is substituted with
// the username provided by the user in the app.
//
// You can also use this to restrict access to Hauk to only authorized users if
// you do not wish to grant all LDAP users permission to use your Hauk instance.
// For example, (&(uid=%s)(memberOf=cn=HaukUsers,ou=Groups,dc=example,dc=com))
// will only let the user connect if they are part of the "HaukUsers" group in
// the "Groups" OU.
"ldap_user_filter" => '(uid=%s)',
/*----------------------------------------------------------------------------*\
| GENERAL SETTINGS |
\*----------------------------------------------------------------------------*/
// Hauk v1.4 and on allows you to request a custom link ID instead of having the
// server randomly generate one. Custom links can use characters A-Z, a-z, 0-9,
// - (dash), and _ (underscore). If you want to disallow the option to request
// custom links, set this to false.
//
// If a user requests particular custom link that is already in use, that user
// will not have their request honored and will get a randomly generated link
// instead.
"allow_link_req" => true,
// If you want certain links to only be usable by some users, you can reserve
// them here. The following example reserves https://example.com/?WheresAlice
// for user "alice" only, and reserves https://example.com/?TheRealBob
// for use by both "bob" and "charlie".
//
// If you use Tasker or another automation platform to automatically start
// sharing to a specific link ID, it's a good idea to specify it here so that
// others cannot use it while you are inactive.
//
// Note that for this setting to have any effect, you have to specify an
// auth_method that requires both a username and a password, such as HTPASSWD.
"reserved_links" => [
'WheresAlice' => ['alice'],
'TheRealBob' => ['bob', 'charlie'],
],
-// If you want to enable pre-approved custom links only, you can choose to
-// enable reservation whitelist mode. If this setting is set to true, custom
+// Nasqueron note:
+// ---------------
+// The following expression can be potentially considered as offensive.
+// The Nasqueron project would so prefer "reserve_allowlist".
+//
+// We use this wording for compatibility pending upstream improvement.
+//
+// Upstream project note:
+// ----------------------
+// "If you want to enable pre-approved custom links only, you can choose to
+// enable reservation [allowlist] mode. If this setting is set to true, custom
// link IDs will only be accepted if they are present in the reserved_links
// array above - requests to share to other links than those in the array will
-// not be honored.
+// not be honored."
"reserve_whitelist" => false,
// The type of links to generate when making new links for shares. Can be any
// of the following:
//
// | Link style | Example | No. of combinations | Avg. bruteforce time |
// +----------------------------+---------------------------------------+-----------------------+-------------------------------+
// | LINK_4_PLUS_4_UPPER_CASE | V8LQ-H2UM | 1.79 * 10^12 (34^8) | 28.3 years |
// | LINK_4_PLUS_4_LOWER_CASE | qae3-ulna | 2.82 * 10^12 (36^8) | 44.7 years |
// | LINK_4_PLUS_4_MIXED_CASE | HEq3-tgJ1 | 1.28 * 10^14 (58^8) | 2030 years |
// | LINK_UUID_V4 | 09c8a3b1-e78f-48b1-a604-0da49e99cb5d | 5.32 * 10^36 (2^122) | 84.2 septillion years |
// | LINK_16_HEX | 6cde14c4c6551b41 | 1.84 * 10^19 (2^64) | 292 million years |
// | LINK_16_UPPER_CASE | WVHA2FNMRT9HSKJK | 3.19 * 10^24 (34^16) | 50.6 trillion years |
// | LINK_16_LOWER_CASE | bdyslxszs14cj359 | 7.95 * 10^24 (36^16) | 126 trillion years |
// | LINK_16_MIXED_CASE | 1Ayh2yUXDe3sdF3S | 1.64 * 10^28 (58^16) | 260 quadrillion years |
// | LINK_32_HEX | 22adf21f11491ae8f3ae128e23a6782f | 3.40 * 10^38 (2^128) | 5.39 octillion years |
// | LINK_32_UPPER_CASE | R88M1Z2KPL27XN8MF73KCRYPHJD4QQMT | 1.02 * 10^49 (34^32) | 161 undecillion years |
// | LINK_32_LOWER_CASE | itgbolrbq1c02eot5o46c5wixhdrdb5m | 6.33 * 10^49 (36^32) | 1 duodecillion years |
// | LINK_32_MIXED_CASE | qf5pqr2UKTUT6vREPPSTuqSKkCMojF17 | 2.69 * 10^56 (58^32) | 4.26 quattuordecillion years |
//
// For any MIXED_CASE variants, upper-case I and lower-case L will not appear
// because they are visually very similar and are easily confused. For the same
// reason, MIXED_CASE and UPPER_CASE variants will not generate 0 and O.
//
// The default value is LINK_4_PLUS_4_UPPER_CASE, which is still considered very
// secure. The bruteforce times in the table below are the average time it would
// take to find a valid sharing link, when there is one link active, at 1000
// guesses per second. For the default setting, this means it would take almost
// 45 years to find the link.
//
// This is assuming that the link is active 24/7 for that entire time. If you
// only have a link active 2% of the time, it would take over 2200 years.
//
// At 1000 guesses per second, you will likely notice that your server is
// noticeably slower and rapidly filling up with access logs.
//
// Very long links are also time-consuming to type, should you find yourself
// in need of typing in a link manually on another computer. This is the reason
// that short links are default.
//
// ---- PLEASE NOTE ----
// This option is provided to you only because several people have requested it
// as a convenience. You are free to change it, but you should know that
// changing the default here gives you, for all intents and purposes, no
// security advantage in practice.
//
"link_style" => LINK_4_PLUS_4_UPPER_CASE,
// Leaflet tile URI template for the map frontend. Here are some examples:
//
// - OpenStreetMap directly:
// https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png
// - Mapbox:
// https://api.tiles.mapbox.com/v4/mapbox.streets/{z}/{x}/{y}.png?access_token=YOUR_ACCESS_TOKEN
// - Thunderforest:
// https://{s}.tile.thunderforest.com/neighbourhood/{z}/{x}/{y}.png?apikey=YOUR_API_KEY
// - Esri:
// https://server.arcgisonline.com/ArcGIS/rest/services/World_Street_Map/MapServer/tile/{z}/{y}/{x}
// - OpenMapSurfer:
// https://maps.heigit.org/openmapsurfer/tiles/roads/webmercator/{z}/{x}/{y}.png
// - Hydda (OSM Sweden):
// https://{s}.tile.openstreetmap.se/hydda/full/{z}/{x}/{y}.png
//
// Make sure you have permission to use the source you choose, and also use a
// proper attribution for that provider.
"map_tile_uri" => 'https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png',
// Attribution HTML code to be displayed in the bottom right corner of the map.
// The default value is suitable for OpenStreetMap tiles.
"map_attribution" => 'Map data &copy; <a href="https://www.openstreetmap.org/">OpenStreetMap</a> contributors, <a href="https://creativecommons.org/licenses/by-sa/2.0/">CC-BY-SA</a>',
// Default and maximum zoom levels allowed on the map (0-20), higher value means
// closer zooming.
"default_zoom" => 14,
"max_zoom" => 19,
// Maximum duration of a single location share, in seconds.
"max_duration" => 86400,
// Minimum time between each location update, in seconds.
"min_interval" => 1,
// The time that should pass without any location updates received, in seconds,
// before the user is marked "offline" on the map.
"offline_timeout" => 30,
// The timeout in seconds for map update requests from the map view. If a web
// request takes this long without a response, the map viewer is considered
// offline and will get a warning notifying them that they have lost their
// network connection.
"request_timeout" => 10,
// Maximum number of data points stored for each share before old points are
// deleted. Map clients will see up to this amount of data points when they load
// the page.
"max_cached_pts" => 3,
// Maximum number of data points that may be visible on the map at any time.
// This is used to draw trails behind the current location map marker. Higher
// values will show longer trails, but may reduce performance.
"max_shown_pts" => 100,
// Number of seconds of data that should be used to calculate velocity.
"v_data_points" => 2,
// The color of the marker trails. HTML color name or #rrggbb hex color code.
"trail_color" => '#d80037',
// The unit of measurement of velocity. Valid are:
// KILOMETERS_PER_HOUR, MILES_PER_HOUR, METERS_PER_SECOND
"velocity_unit" => KILOMETERS_PER_HOUR,
// The publicly accessible URL to reach Hauk, with trailing slash.
"public_url" => '{{ url }}'
];
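Review bot: The `password_hash` value is still the hash that the comment directly below it describes as "empty string (no password) and ... VERY INSECURE", and with `auth_method` set to PASSWORD that is the only credential gating session creation, so as rendered this template presumably deploys an instance anyone can share to. Only `public_url` is templated (`'{{ url }}'`); the hash should come from pillar the same way, e.g. `"password_hash" => '{{ password_hash }}',`, so the secret is never fixed in the repository and can differ per deployment. The `ldap_bind_pass` example value is unused under the PASSWORD method but would deserve the same treatment if LDAP is ever enabled. If an open instance is intentional, a short Nasqueron note next to the value, in the style of the one added for `reserve_whitelist`, would document that decision.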
diff --git a/roles/paas-docker/letsencrypt/files/acme-dns-auth.py b/roles/paas-docker/letsencrypt/files/acme-dns-auth.py
index f47c876..0a233bd 100755
--- a/roles/paas-docker/letsencrypt/files/acme-dns-auth.py
+++ b/roles/paas-docker/letsencrypt/files/acme-dns-auth.py
@@ -1,161 +1,161 @@
#!/usr/bin/env python
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Joona Hoikkala
# License: MIT
# Source file: roles/paas-docker/letsencrypt/files/acme-dns-auth.py
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
import json
import os
import requests
import sys
ACMEDNS_URL = "https://acme.nasqueron.org"
STORAGE_PATH = "/etc/letsencrypt/acmedns.json"
ALLOW_FROM = []
FORCE_REGISTER = False
DOMAIN = os.environ["CERTBOT_DOMAIN"]
if DOMAIN.startswith("*."):
DOMAIN = DOMAIN[2:]
VALIDATION_DOMAIN = "_acme-challenge." + DOMAIN
VALIDATION_TOKEN = os.environ["CERTBOT_VALIDATION"]
class AcmeDnsClient(object):
"""
Handles the communication with ACME-DNS API
"""
def __init__(self, acmedns_url):
self.acmedns_url = acmedns_url
def register_account(self, allowfrom):
"""Registers a new ACME-DNS account"""
if allowfrom:
- # Include whitelisted networks to the registration call
+ # Include allowed networks to the registration call
reg_data = {"allowfrom": allowfrom}
res = requests.post(self.acmedns_url + "/register",
data=json.dumps(reg_data))
else:
res = requests.post(self.acmedns_url + "/register")
if res.status_code == 201:
# The request was successful
return res.json()
else:
# Encountered an error
msg = ("Encountered an error while trying to register a new "
"acme-dns account. HTTP status {}, Response body: {}")
print(msg.format(res.status_code, res.text))
sys.exit(1)
def update_txt_record(self, account, txt):
"""Updates the TXT challenge record to ACME-DNS subdomain."""
update = {"subdomain": account['subdomain'], "txt": txt}
headers = {"X-Api-User": account['username'],
"X-Api-Key": account['password'],
"Content-Type": "application/json"}
res = requests.post(self.acmedns_url + "/update",
headers=headers,
data=json.dumps(update))
if res.status_code == 200:
# Successful update
return
else:
msg = ("Encountered an error while trying to update TXT record in "
"acme-dns. \n"
"------- Request headers:\n{}\n"
"------- Request body:\n{}\n"
"------- Response HTTP status: {}\n"
"------- Response body: {}")
s_headers = json.dumps(headers, indent=2, sort_keys=True)
s_update = json.dumps(update, indent=2, sort_keys=True)
s_body = json.dumps(res.json(), indent=2, sort_keys=True)
print(msg.format(s_headers, s_update, res.status_code, s_body))
sys.exit(1)
class Storage(object):
def __init__(self, storagepath):
self.storagepath = storagepath
self._data = self.load()
def load(self):
"""Reads the storage content from the disk to a dict structure"""
data = dict()
filedata = ""
try:
with open(self.storagepath, 'r') as fh:
filedata = fh.read()
except IOError:
if os.path.isfile(self.storagepath):
# Only error out if file exists, but cannot be read
print("ERROR: Storage file exists but cannot be read")
sys.exit(1)
try:
data = json.loads(filedata)
except ValueError:
if len(filedata) > 0:
# Storage file is corrupted
print("ERROR: Storage JSON is corrupted")
sys.exit(1)
return data
def save(self):
"""Saves the storage content to disk"""
serialized = json.dumps(self._data)
try:
with os.fdopen(os.open(self.storagepath, os.O_WRONLY | os.O_CREAT,
0o600), 'w') as fh:
fh.truncate()
fh.write(serialized)
except IOError:
print("ERROR: Could not write storage file.")
sys.exit(1)
def put(self, key, value):
"""Puts the configuration value to storage and sanitize it"""
# If wildcard domain, remove the wildcard part as this will use the
# same validation record name as the base domain
if key.startswith("*."):
key = key[2:]
self._data[key] = value
def fetch(self, key):
"""Gets configuration value from storage"""
try:
return self._data[key]
except KeyError:
return None
if __name__ == "__main__":
# Init
client = AcmeDnsClient(ACMEDNS_URL)
storage = Storage(STORAGE_PATH)
# Check if an account already exists in storage
account = storage.fetch(DOMAIN)
if FORCE_REGISTER or not account:
# Create and save the new account
account = client.register_account(ALLOW_FROM)
storage.put(DOMAIN, account)
storage.save()
# Display the notification for the user to update the main zone
print("Please add the following CNAME record to your main DNS zone:\n")
print("{} CNAME {}.".format(VALIDATION_DOMAIN, account["fulldomain"]))
# Update the TXT record in acme-dns instance
client.update_txt_record(account, VALIDATION_TOKEN)
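Review bot: The error path of `update_txt_record` serializes and prints the full request headers, including `X-Api-Key`, which is the acme-dns account password stored in `/etc/letsencrypt/acmedns.json`; certbot captures hook output into its logs, so a failed update writes the credential to disk in plain text. Redact it before printing, e.g. `s_headers = json.dumps(dict(headers, **{"X-Api-Key": "<redacted>"}), indent=2, sort_keys=True)`. On the same path `s_body = json.dumps(res.json(), ...)` raises `ValueError` when the non-200 body is not JSON (a proxy error page, for instance), which hides the original failure; `res.text` is the safer input there. The `requests.post` calls in both methods also pass no `timeout=`, so a stalled acme-dns endpoint blocks the certbot run indefinitely.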
