From fa3b8f48690a6cf0589f39b5b398a4259201d33e Mon Sep 17 00:00:00 2001
From: Monty Taylor <mordred@inaugust.com>
Date: Thu, 6 Mar 2014 12:27:42 -0800
Subject: [PATCH] Make storyboard run over ssl

Storyboard now performs authentication, so credentials must not travel over plaintext HTTP; serve it over SSL and redirect port 80 to HTTPS.

The cert contents are already in hiera.

Change-Id: Ia939e228785168705840acd6d377e6c25ba3370d
---
 manifests/site.pp                             | 14 +++---
 .../openstack_project/manifests/storyboard.pp | 21 ++++++--
 modules/storyboard/manifests/init.pp          | 40 ++++++++++++++-
 .../storyboard/templates/storyboard.vhost.erb | 50 +++++++++++++++++--
 4 files changed, 108 insertions(+), 17 deletions(-)

diff --git a/manifests/site.pp b/manifests/site.pp
index 562b0bd619..315c585060 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -454,13 +454,13 @@ node 'summit.openstack.org' {
 # A machine to run Storyboard
 node 'storyboard.openstack.org' {
   class { 'openstack_project::storyboard':
-    sysadmins           => hiera('sysadmins'),
-    mysql_host          => hiera('storyboard_db_host'),
-    mysql_user          => hiera('storyboard_db_user'),
-    mysql_password      => hiera('storyboard_db_password'),
-#    ssl_cert_file_contents  => hiera('storyboard_ssl_cert_file_contents'),
-#    ssl_key_file_contents   => hiera('storyboard_ssl_key_file_contents'),
-#    ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
+    sysadmins               => hiera('sysadmins'),
+    mysql_host              => hiera('storyboard_db_host'),
+    mysql_user              => hiera('storyboard_db_user'),
+    mysql_password          => hiera('storyboard_db_password'),
+    ssl_cert_file_contents  => hiera('storyboard_ssl_cert_file_contents'),
+    ssl_key_file_contents   => hiera('storyboard_ssl_key_file_contents'),
+    ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
   }
 }
 
diff --git a/modules/openstack_project/manifests/storyboard.pp b/modules/openstack_project/manifests/storyboard.pp
index ace22f69e7..bc395bb0b2 100644
--- a/modules/openstack_project/manifests/storyboard.pp
+++ b/modules/openstack_project/manifests/storyboard.pp
@@ -5,18 +5,29 @@ class openstack_project::storyboard(
   $mysql_password = '',
   $mysql_user = '',
   $sysadmins = [],
+  $ssl_cert_file_contents = '',
+  $ssl_key_file_contents = '',
+  $ssl_chain_file_contents = '',
 ) {
   class { 'openstack_project::server':
     sysadmins                 => $sysadmins,
-    iptables_public_tcp_ports => [80],
+    iptables_public_tcp_ports => [80, 443],
   }
 
   class { '::storyboard':
-    mysql_host     => $mysql_host,
-    mysql_password => $mysql_password,
-    mysql_user     => $mysql_user,
-    projects_file  =>
+    mysql_host              => $mysql_host,
+    mysql_password          => $mysql_password,
+    mysql_user              => $mysql_user,
+    projects_file           =>
       'puppet:///modules/openstack_project/review.projects.yaml',
+    ssl_cert_file           =>
+      '/etc/ssl/certs/storyboard.openstack.org.pem',
+    ssl_key_file            =>
+      '/etc/ssl/private/storyboard.openstack.org.key',
+    ssl_chain_file          => '/etc/ssl/certs/intermediate.pem',
+    ssl_cert_file_contents  => $ssl_cert_file_contents,
+    ssl_key_file_contents   => $ssl_key_file_contents,
+    ssl_chain_file_contents => $ssl_chain_file_contents,
   }
 
 }
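Review bot: The chain file is written to the generic `/etc/ssl/certs/intermediate.pem` while the certificate and key are named per host (`storyboard.openstack.org.pem` / `.key`); if any other class on this node ever manages the same path, Puppet will either fail on a duplicate resource declaration or two modules will silently overwrite each other's chain. Name it consistently with its siblings, e.g. `ssl_chain_file => '/etc/ssl/certs/storyboard.openstack.org_intermediate.pem',`. Nothing else in this hunk needs changing; opening 443 alongside 80 is appropriate given the port-80 vhost only redirects (that redirect lives in the template, not here).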
diff --git a/modules/storyboard/manifests/init.pp b/modules/storyboard/manifests/init.pp
index 504e580faf..d697047eb7 100644
--- a/modules/storyboard/manifests/init.pp
+++ b/modules/storyboard/manifests/init.pp
@@ -20,10 +20,16 @@ class storyboard (
   $mysql_password,
   $mysql_user,
   $projects_file,
+  $ssl_cert_file,
+  $ssl_key_file,
+  $ssl_chain_file,
   $storyboard_git_source_repo = 'https://git.openstack.org/openstack-infra/storyboard/',
   $storyboard_revision = 'master',
-  $storyboard_webclient_url = 'http://tarballs.openstack.org/storyboard-webclient/storyboard-webclient-latest.tar.gz'
-
+  $storyboard_webclient_url = 'http://tarballs.openstack.org/storyboard-webclient/storyboard-webclient-latest.tar.gz',
+  $serveradmin = "webmaster@${::fqdn}",
+  $ssl_cert_file_contents = '',
+  $ssl_key_file_contents = '',
+  $ssl_chain_file_contents = ''
 ) {
   include apache
   include mysql::python
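Review bot: The new required parameters `$ssl_cert_file`, `$ssl_key_file` and `$ssl_chain_file` have no defaults while their `*_contents` counterparts default to `''`, and nothing in the parameter list says what an empty contents value means; a one-line comment above them, e.g. `# The *_file paths are always rendered into the vhost; the file itself is only managed when the matching *_contents is non-empty.`, would stop a caller from assuming an unset contents value disables SSL. Separately, `$storyboard_webclient_url` still fetches the web client from a plain-http tarball with no checksum, so the JavaScript served to the now-authenticated users is retrieved without any integrity protection — switch to https if tarballs.openstack.org serves it, or pin a checksum on the download. The class's header comment and the rest of its body are outside this hunk.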
@@ -162,6 +168,7 @@ class storyboard (
     priority => '50',
     template => 'storyboard/storyboard.vhost.erb',
     require  => Package['libapache2-mod-wsgi'],
+    ssl      => true,
   }
 
   a2mod { 'proxy':
@@ -177,4 +184,33 @@ class storyboard (
     require => Package['libapache2-mod-wsgi'],
   }
 
+  if $ssl_cert_file_contents != '' {
+    file { $ssl_cert_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_cert_file_contents,
+      before  => Apache::Vhost[$vhost_name],
+    }
+  }
+
+  if $ssl_key_file_contents != '' {
+    file { $ssl_key_file:
+      owner   => 'root',
+      group   => 'ssl-cert',
+      mode    => '0640',
+      content => $ssl_key_file_contents,
+      before  => Apache::Vhost[$vhost_name],
+    }
+  }
+
+  if $ssl_chain_file_contents != '' {
+    file { $ssl_chain_file:
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0640',
+      content => $ssl_chain_file_contents,
+      before  => Apache::Vhost[$vhost_name],
+    }
+  }
 }
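Review bot: The private-key resource is managed with a plain `content =>` and no `show_diff => false`, so whenever the key changes Puppet will render a diff of the key material into its reports and agent output; add `show_diff => false,` to that resource (the cert and chain are public, but it does no harm there either), assuming the Puppet version in use supports the parameter. None of the three file resources notifies the Apache service — `before => Apache::Vhost[...]` only orders the first run — so a rotated certificate or key is written to disk but Apache keeps serving the old one until something else restarts it; consider `notify => Service['httpd']` (or whatever service name the apache module actually declares, which is not visible here). Finally, the vhost is declared with `ssl => true` unconditionally while these files are only managed when the contents are non-empty, so a deployment that leaves the `''` defaults points SSLCertificateFile at paths nobody manages; a comment on the first conditional, such as `# When no contents are supplied the operator must provision these files out of band; the vhost references them regardless.`, would make that contract explicit.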
diff --git a/modules/storyboard/templates/storyboard.vhost.erb b/modules/storyboard/templates/storyboard.vhost.erb
index 73f076e65e..0d3aa8d99c 100644
--- a/modules/storyboard/templates/storyboard.vhost.erb
+++ b/modules/storyboard/templates/storyboard.vhost.erb
@@ -1,7 +1,49 @@
-<VirtualHost *:80>
+<VirtualHost <%= scope.lookupvar("storyboard::vhost_name") %>:80>
+  ServerAdmin <%= scope.lookupvar("storyboard::serveradmin") %>
+
+  ErrorLog ${APACHE_LOG_DIR}/storyboard-error.log
+
+  LogLevel warn
+
+  CustomLog ${APACHE_LOG_DIR}/storyboard-access.log combined
+
+  Redirect / https://<%= scope.lookupvar("storyboard::vhost_name") %>/
+
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost <%= scope.lookupvar("storyboard::vhost_name") %>:443>
+  ServerName <%= scope.lookupvar("storyboard::vhost_name") %>
+  ServerAdmin <%= scope.lookupvar("storyboard::serveradmin") %>
+
+  ErrorLog ${APACHE_LOG_DIR}/storyboard-ssl-error.log
+
+  LogLevel warn
+
+  CustomLog ${APACHE_LOG_DIR}/storyboard-ssl-access.log combined
+
+  SSLEngine on
+
+  SSLCertificateFile      <%= scope.lookupvar("storyboard::ssl_cert_file") %>
+  SSLCertificateKeyFile   <%= scope.lookupvar("storyboard::ssl_key_file") %>
+<% if scope.lookupvar("storyboard::ssl_chain_file") != "" %>
+  SSLCertificateChainFile <%= scope.lookupvar("storyboard::ssl_chain_file") %>
+<% end %>
+
+  <FilesMatch "\.(cgi|shtml|phtml|php)$">
+      SSLOptions +StdEnvVars
+  </FilesMatch>
+  <Directory /usr/lib/cgi-bin>
+      SSLOptions +StdEnvVars
+  </Directory>
+
+  BrowserMatch "MSIE [2-6]" \
+      nokeepalive ssl-unclean-shutdown \
+      downgrade-1.0 force-response-1.0
+  # MSIE 7 and newer should be able to use keepalive
+  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
   DocumentRoot /var/lib/storyboard/www
-  ErrorLog /var/log/apache2/storyboard-error.log
-  CustomLog /var/log/apache2/storyboard-access.log common
 
   WSGIDaemonProcess storyboard user=storyboard group=storyboard threads=5 python-path=/usr/local/lib/python2.7/dist-packages
   WSGIScriptAlias /api /usr/local/lib/python2.7/dist-packages/storyboard/api/app.wsgi
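Review bot: The 443 vhost turns on `SSLEngine on` and sets the certificate directives but leaves SSLProtocol and SSLCipherSuite at the mod_ssl defaults, which on the Apache builds of this era still negotiate SSLv3 and weak ciphers; add `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!MD5` and `SSLHonorCipherOrder on` directly after `SSLEngine on`. The port-80 vhost's `Redirect / https://…/` is a 302 by default; since the purpose of the change is to keep authentication off plaintext, make it `Redirect permanent / https://<%= scope.lookupvar("storyboard::vhost_name") %>/` and consider a `Strict-Transport-Security` header in the SSL vhost (that needs mod_headers, which this patch does not enable). The `BrowserMatch "MSIE [17-9]"` line copied from the Debian default also matches MSIE 1, presumably unintended; `MSIE [7-9]` is what the comment above it describes. The WSGI and Directory stanzas of this vhost continue into the next hunk.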
@@ -15,4 +57,6 @@
              Order deny,allow
              Allow from all
   </Directory>
+
 </VirtualHost>
+</IfModule>