Merge branch 'master' of gitops.sunet.se:eid-ops

2020-06-10 12:04:13 +02:00 · 2020-06-10 12:04:13 +02:00 · b28aedec41
commit b28aedec41
parent 8348fc7c9c 370debb9b5
6 changed files with 131 additions and 23 deletions
--- a/eidas-proxy-common/overlay/etc/eidas-proxy/se/cfg/application-se.properties
+++ b/eidas-proxy-common/overlay/etc/eidas-proxy/se/cfg/application-se.properties
@ -100,4 +100,4 @@ management.server.port=8444
 management.server.ssl.enabled=true
 proxy-service.syslog.enabled=true
-proxy-service.signature-algorithm.md=http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1
+
--- a/global/overlay/etc/puppet/cosmos-db.yaml
+++ b/global/overlay/etc/puppet/cosmos-db.yaml
@ -67,7 +67,7 @@ classes:
    autoupdate: null
    common: null
    eid::dockerhost: null
-    eidas_connector: &id003 {hostname: connector.eidas.swedenconnect.se, version: 1.6.0}
+    eidas_connector: &id003 {hostname: connector.eidas.swedenconnect.se, version: 1.6.1}
    entropyclient: null
    infra_ca_rp: null
    konsulter: null
@ -126,7 +126,7 @@ classes:
  eidas-node-1.qa.sveidas.se:
    autoupdate: null
    common: null
-    eidas_connector: {hostname: qa.connector.eidas.swedenconnect.se, version: 1.6.0}
+    eidas_connector: {hostname: qa.connector.eidas.swedenconnect.se, version: 1.6.2}
    entropyclient: null
    infra_ca_rp: null
    konsulter: null
@ -146,7 +146,7 @@ classes:
    autoupdate: null
    common: null
    eidas_proxy: {hostname: qa.proxy.eidas.swedenconnect.se, spring_config_param: SPRING_CONFIG_ADDITIONAL_LOCATION,
-      version: 1.3.4}
+      version: 1.3.5}
    entropyclient: null
    infra_ca_rp: null
    konsulter: null
@ -168,7 +168,7 @@ classes:
    common: null
    eid::dockerhost: null
    eidas_proxy: &id005 {hostname: proxy.eidas.swedenconnect.se, spring_config_param: SPRING_CONFIG_ADDITIONAL_LOCATION,
-      version: 1.3.4}
+      version: 1.3.5}
    entropyclient: null
    infra_ca_rp: null
    konsulter: null
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@ -690,7 +690,7 @@ md-eu1.qa.komreg.net:
   konsulter:
   autoupdate:
   eidas_connector:
-     version: 1.6.0
+     version: 1.6.1
     hostname: connector.eidas.swedenconnect.se
   sunet::frontend::register_sites:
     sites:
@ -716,7 +716,7 @@ md-eu1.qa.komreg.net:
   autoupdate:
   servicemonitor:
   eidas_proxy:
-      version: 1.3.4
+      version: 1.3.5
      hostname: proxy.eidas.swedenconnect.se
      spring_config_param: SPRING_CONFIG_ADDITIONAL_LOCATION
   sunet::frontend::register_sites:
@ -754,7 +754,7 @@ md-eu1.qa.komreg.net:
   sunet_iaas_cloud:
   autoupdate:
   eidas_connector:
-     version: 1.6.0
+     version: 1.6.2
     hostname: qa.connector.eidas.swedenconnect.se
   sunet::frontend::register_sites:
     sites:
@ -771,7 +771,7 @@ md-eu1.qa.komreg.net:
   autoupdate:
   servicemonitor:
   eidas_proxy:
-      version: 1.3.4
+      version: 1.3.5
      hostname: qa.proxy.eidas.swedenconnect.se
      spring_config_param: SPRING_CONFIG_ADDITIONAL_LOCATION
   sunet::frontend::register_sites:
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@ -666,13 +666,20 @@ class pages($version=undef) {
 }
 class metadatamgrs {
-   ssh_authorized_key {'bjorn_mattsson':
+   ssh_authorized_key {'bjorn_mattsson+000606447540':
-      ensure => present,
+      ensure => absent,
-      name   => 'bjorn.mattsson@bth.se',
+      name   => 'bjorn.mattsson@bth.se-cardno:000606447540',
      type   => 'ssh-rsa',
      key    => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDEWat69rLNIV4CXzsYKJwfT57vZJPLAiJE6jEdSWkl4yTHHl/d/fPzcCPH7FRl4O56xS0WwDn6HDeUvUBFMMH+1Jto98jhlTEcRjdn/BR9VA2nIfuEpvhZ7/m12nUeDDKISJOT9/vMZBWD3x3E4YscJm+gbyImhQ8iERTjur3eC4O4o7l9t0Uy6+wn37CwoyGCsxUVOBoptZOtA6pJ+BTEfzbt8hW2udTqg0pvSpKFQfP87Ioi1mfhRXBbvjS53sbmD/CMj8X6cs8n6zXriggaB2Iy0jfDsgLQHqUxaP2qKR4O76I1ewzkt0OXpanbgljjsDBA+cHWe1A5ViITika7Wf9qiIPKYQdknmKuuckg5c+3K+HRokwSH/2gDjIx1Ziw9eRvF3g3wctGwjAqmu+7CQmXEAlRBeMEGzj9plXOeUbo/a7VJiBIMdfs/gVUTvfnCjq1P/Wz4VO6DhWsC7GFiW7Df2El1kjKDIRwO5KypHSBOleagSLZIt3yn+mEQE+gBfoMin/KJ6C0dnWaA398AZ/pLyjL2C5ZHArt/1MwmVzHbG7JGseHXMcrLPzDUmfB0J1pmrJfEStfwmenynG+xE7ZLf6HrSjEKT+6nzxBNC7C6v4oNlwEkS/EccQQK3STO4fbfYWiY9FhSNidAFZmcNVU5roaeyx5rJ7nt+X/uw==',
      user   => 'root'
   }
   ssh_authorized_key {'bjorn_mattsson+000606484562':
      ensure => present,
      name   => 'bjorn.mattsson@bth.se-cardno:000604539918',
      type   => 'ssh-rsa',
      key    => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDgsv4gJdi9oaylsrCC/F5fVa67jpAy8WMJPsjYUq1QkVwO+ZuN0ozTqslJf7tATw9YA8jOKahzfc+x1NFOCNkkmW+YaKtF7i8UYjGxRmwDSRCLWSSeXUuQUqz7NBRgPYu/6r/VjqrbHATpHftoAB5RkfzBPUTiLetqC8PHBorM/zrWj2CpBP6vQ4XveCq5GSBh4q4bi0SOaFKOJ+pPJR6L3PiVr76u3ryB5ZQZBZHG0gHI9wXFZcbEOzsSWHU/FKcHDI2QSWXaPtgk+sxHOoL1ZFuUS6i79sV4AFD/VaQAB+3P/QJf6seIM5AcC5fqrfBcVQe5RzC9mypbGuXim325DQBaNTtz3IZhH1IbJpA3b4x06fgjpp+2Z9qKtAZaZzNQPk+bguvyqtEZmI99l/Pa+qNTIe3x8W1960xO/jiyansd5uTBAq1+CGq5ccmVlvPlBuHPLNoV0WY4fnv8yTBj2LNYCvC9SWzmYkQ2ihZD/xauvdoV05A3iKBwxDT/LxPGfBY8YAGF5Cj3KpdTYFlUTOT3BHi3YXhcm4nzdhO4h1NP3HeEQGKPevx/POYADHUA3U7+uSkZxlT5lUl7mdHqNc+zVVHpz7PUBmdq3qVGG72K+X1G8ETtNrkfv/r7Mg7oXEjh5pkSUw8Yj1cQUcHE4js4PRqeC4n1/5hH90sweQ==',
      user   => 'root'
   }
   ssh_authorized_key {'paul_scott':
      ensure => present,
      name   => 'paul.scott@kau.se',
@ -925,7 +932,7 @@ class nagios_monitor {
   $web_admin_pw   = safe_hiera('nagios_nagiosadmin_password');
   $web_admin_user = 'nagiosadmin';
-   package { 'libxml2-utils': ensure => installed}
+   package { 'xsltproc': ensure => installed}
   class { 'webserver': }
   class { 'nagioscfg':
@ -1130,13 +1137,13 @@ class nagios_monitor {
   }
   nagioscfg::service {'check_country_eIDAS_QA':
      host_name      => ['qa.md.eidas.swedenconnect.se'],
-      check_command  => 'check_country_count!qa.md.eidas.swedenconnect.se!23!2!3',
+      check_command  => 'check_country_count!qa.md.eidas.swedenconnect.se!UK LU IT ES HR DE EE BE IS XB CY PL SK XC LT NO DK CZ SE GR XA MT SI!1!3',
      description    => 'check number of countries in eIDAS QA',
      contact_groups => ['alerts'],
   }
   nagioscfg::service {'check_country_eIDAS':
      host_name      => ['md.eidas.swedenconnect.se'],
-      check_command  => 'check_country_count!md.eidas.swedenconnect.se!8!1!2',
+      check_command  => 'check_country_count!md.eidas.swedenconnect.se!UK LU IT ES HR DE EE BE!1!3',
      description    => 'check number of countries in eIDAS',
      contact_groups => ['alerts'],
   }
--- a/global/overlay/usr/lib/nagios/plugins/check_eidas_country_count.sh
+++ b/global/overlay/usr/lib/nagios/plugins/check_eidas_country_count.sh
@ -1,33 +1,73 @@
 #!/bin/bash
 set +x
 . /usr/lib/nagios/plugins/utils.sh
 abs() { 
    [[ $[ $@ ] -lt 0 ]] && echo "$[ ($@) * -1 ]" || echo "$[ $@ ]"
 }
-count=$(wget -qO- https://$1/role/idp.xml | xmllint --format - | grep eidas:NodeCountry | wc -l)
+tmpx=$(mktemp)
 finish() {
   rm -f $tmpx
 }
 trap finish EXIT
 cat>$tmpx<<EOF
 <?xml version="1.0"?>
 <xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                xmlns:exsl="http://exslt.org/common"
                extension-element-prefixes="exsl"
                xmlns:xi="http://www.w3.org/2001/XInclude"
                xmlns:eidas="http://eidas.europa.eu/saml-extensions"
                xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <xsl:output method="text" indent="yes" encoding="UTF-8"/>
  <xsl:template match="md:EntitiesDescriptor"><xsl:apply-templates select="//eidas:NodeCountry"/></xsl:template>
  <xsl:template match="eidas:NodeCountry">
    <xsl:value-of select="text()"/><xsl:text> </xsl:text>
  </xsl:template>
  <xsl:template match="*"></xsl:template>
 </xsl:stylesheet>
 EOF
 missing() {
   m=""
   for x in $1; do
      echo $2 | grep -q $x || m="$m $x"
   done
   echo $m
 }
 list=$(wget -qO- https://$1/role/idp.xml | xsltproc $tmpx -)
 if [ $? -ne 0 ]; then
   echo "CRITICAL - Service FAIL"
   echo $status
   exit $STATE_CRITICAL
 fi
-count_expected=$2
+list_expected=$2
 list_missing=$(missing "$list_expected" "$list")
 count=$(echo $list_missing | wc -w)
 count_diff_warn=$3
 count_diff_crit=$4
-d=$(abs $count - $count_expected)
+if [ $count -ge $count_diff_crit ]; then
-if [ $d -ge $count_diff_crit ]; then
+   echo "CRITICAL - $count countries missing: $list_missing"
   echo "CRITICAL - country count is $count expected $count_expected"
   echo $status
   exit $STATE_CRITICAL
-elif [ $d -ge $count_diff_warn ]; then
+elif [ $count -ge $count_diff_warn ]; then
-   echo "WARNING - country count is $count expected $count_expected"
+   echo "WARNING - $count countries missing: $list_missing"
   echo $status
   exit $STATE_WARNING
 else
-   echo "OK - Service healthy ($count countries)"
+   echo "OK - Service healthy"
   echo $status
   exit $STATE_OK
 fi
--- a/global/overlay/usr/lib/nagios/plugins/check_eidas_metadata.age.sh
+++ b/global/overlay/usr/lib/nagios/plugins/check_eidas_metadata.age.sh
@ -0,0 +1,61 @@
 #!/bin/bash
 . /usr/lib/nagios/plugins/utils.sh
 abs() {
    [[ $[ $@ ] -lt 0 ]] && echo "$[ ($@) * -1 ]" || echo "$[ $@ ]"
 }
 diff_warn=$2
 diff_crit=$3
 tmpx=$(mktemp)
 function finish {
   rm -f $tmpx
 }
 trap finish EXIT
 cat>$tmpx<<EOF
 <?xml version="1.0"?>
 <xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                xmlns:exsl="http://exslt.org/common"
                extension-element-prefixes="exsl"
                xmlns:xi="http://www.w3.org/2001/XInclude"
                xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <xsl:output method="text" indent="yes" encoding="UTF-8"/>
  <xsl:template match="md:EntitiesDescriptor">
    <xsl:value-of select="@validUntil"/>
  </xsl:template>
 </xsl:stylesheet>
 EOF
 dstr=$(wget -qO- $1 | xsltproc $tmpx -)
 if [ $? -ne 0 ]; then
   echo "CRITICAL - Service $1 FAIL"
   echo $status
   exit $STATE_CRITICAL
 fi
 exp=$(date -d $dstr +%s)
 now=$(date +%s)
 d=$(expr $exp - $now)
 if [ $d -ge $diff_crit ]; then
   echo "CRITICAL - metadata in $1 expires in $d seconds"
   echo $status
   exit $STATE_CRITICAL
 elif [ $d -ge $diff_warn ]; then
   echo "WARNING - metadata in $1 expires in $d seconds"
   echo $status
   exit $STATE_WARNING
 else
   echo "OK - metadata in $1 expires in $d seconds"
   echo $status
   exit $STATE_OK
 fi