From bf56d22c15fe54579ca8eecf85258c0975d96ea3 Mon Sep 17 00:00:00 2001 
From: ts Date: Wed, 7 Mar 2018 16:05:18 +0000 Subject: [PATCH] hunner-wordpress base module --- .../unix/webapp/wordpress/.fixtures.yml | 7 + .../unix/webapp/wordpress/.gitignore | 22 ++ .../unix/webapp/wordpress/.gitlab-ci.yml | 70 ++++++ .../unix/webapp/wordpress/.pdkignore | 22 ++ .../unix/webapp/wordpress/.rspec | 2 + .../unix/webapp/wordpress/.rubocop.yml | 107 +++++++++ .../unix/webapp/wordpress/.travis.yml | 48 ++++ .../unix/webapp/wordpress/.yardopts | 1 + .../unix/webapp/wordpress/CHANGELOG | 73 ++++++ .../unix/webapp/wordpress/Gemfile | 126 ++++++++++ .../unix/webapp/wordpress/Modulefile | 13 ++ .../unix/webapp/wordpress/README.markdown | 215 ++++++++++++++++++ .../unix/webapp/wordpress/Rakefile | 2 + .../unix/webapp/wordpress/appveyor.yml | 57 +++++ .../unix/webapp/wordpress/manifests/app.pp | 48 ++++ .../unix/webapp/wordpress/manifests/db.pp | 17 ++ .../unix/webapp/wordpress/manifests/init.pp | 139 +++++++++++ .../webapp/wordpress/manifests/instance.pp | 135 +++++++++++ .../wordpress/manifests/instance/app.pp | 146 ++++++++++++ .../webapp/wordpress/manifests/instance/db.pp | 30 +++ .../unix/webapp/wordpress/metadata.json | 61 +++++ .../unix/webapp/wordpress/secgen_metadata.xml | 61 +++++ .../acceptance/nodesets/centos-6-vcloud.yml | 15 ++ .../spec/acceptance/wordpress_spec.rb | 102 +++++++++ .../wordpress/spec/classes/wordpress_spec.rb | 36 +++ .../webapp/wordpress/spec/default_facts.yml | 8 + .../wordpress/spec/defines/wordpress_spec.rb | 45 ++++ .../unix/webapp/wordpress/spec/spec.opts | 4 + .../unix/webapp/wordpress/spec/spec_helper.rb | 30 +++ .../wordpress/spec/spec_helper_acceptance.rb | 35 +++ .../wordpress/templates/wp-config.php.erb | 114 ++++++++++ .../wordpress/templates/wp-keysalts.php.erb | 21 ++ .../unix/webapp/wordpress/tests/init.pp | 7 + .../unix/webapp/wordpress/wordpress.pp | 16 ++ 34 files changed, 1835 insertions(+) create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/.fixtures.yml create mode 100644 
modules/vulnerabilities/unix/webapp/wordpress/.gitignore create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/.gitlab-ci.yml create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/.pdkignore create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/.rspec create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/.rubocop.yml create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/.travis.yml create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/.yardopts create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/CHANGELOG create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/Gemfile create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/Modulefile create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/README.markdown create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/Rakefile create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/appveyor.yml create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/manifests/app.pp create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/manifests/db.pp create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/manifests/init.pp create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/manifests/instance.pp create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/manifests/instance/app.pp create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/manifests/instance/db.pp create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/metadata.json create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/secgen_metadata.xml create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/spec/acceptance/nodesets/centos-6-vcloud.yml create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/spec/acceptance/wordpress_spec.rb create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/spec/classes/wordpress_spec.rb create mode 100644 
modules/vulnerabilities/unix/webapp/wordpress/spec/default_facts.yml
create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/spec/defines/wordpress_spec.rb
create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/spec/spec.opts
create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/spec/spec_helper.rb
create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/spec/spec_helper_acceptance.rb
create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/templates/wp-config.php.erb
create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/templates/wp-keysalts.php.erb
create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/tests/init.pp
create mode 100644 modules/vulnerabilities/unix/webapp/wordpress/wordpress.pp
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.fixtures.yml b/modules/vulnerabilities/unix/webapp/wordpress/.fixtures.yml
new file mode 100644
index 000000000..1d6ff32f3
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/.fixtures.yml
@@ -0,0 +1,7 @@
+fixtures:
+ repositories:
+ concat: "git://github.com/ripienaar/puppet-concat.git"
+ mysql: "git://github.com/puppetlabs/puppetlabs-mysql.git"
+ stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib.git"
+ symlinks:
+ wordpress: "#{source_dir}"
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.gitignore b/modules/vulnerabilities/unix/webapp/wordpress/.gitignore
new file mode 100644
index 000000000..56efb9ca1
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/.gitignore
@@ -0,0 +1,22 @@
+.*.sw[op]
+.metadata
+.yardoc
+.yardwarns
+*.iml
+/.bundle/
+/.idea/
+/.vagrant/
+/coverage/
+/bin/
+/doc/
+/Gemfile.local
+/Gemfile.lock
+/junit/
+/log/
+/pkg/
+/spec/fixtures/manifests/
+/spec/fixtures/modules/
+/tmp/
+/vendor/
+/convert_report.txt
+.DS_Store
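Review bot: The `repositories:` entries in `.fixtures.yml` fetch concat, mysql and stdlib over `git://`, which offers no encryption or server authentication, and none of them names a revision, so the spec run builds on whatever the default branch holds at fetch time. Use the HTTPS form, e.g. `mysql: "https://github.com/puppetlabs/puppetlabs-mysql.git"`, and pin each dependency with the `repo:`/`ref:` form that puppetlabs_spec_helper accepts. GitHub has also stopped serving the unauthenticated `git://` protocol, so these fixtures are likely to fail to clone as written.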
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.gitlab-ci.yml b/modules/vulnerabilities/unix/webapp/wordpress/.gitlab-ci.yml
new file mode 100644
index 000000000..35e420994
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/.gitlab-ci.yml
@@ -0,0 +1,70 @@
+---
+stages:
+ - test_2.4.1
+ - test_2.1.9
+
+before_script:
+ - bundle -v
+ - rm Gemfile.lock || true
+ - gem update --system
+ - gem update bundler
+ - gem --version
+ - bundle -v
+ - bundle install --without system_tests
+
+rubocop-2.4.1:
+ stage: test_2.4.1
+ image: ruby:2.4.1
+ script:
+ - bundle exec rake rubocop
+
+syntax-2.4.1:
+ stage: test_2.4.1
+ image: ruby:2.4.1
+ script:
+ - bundle exec rake syntax lint
+
+metadata-2.4.1:
+ stage: test_2.4.1
+ image: ruby:2.4.1
+ script:
+ - bundle exec rake metadata_lint
+
+rspec-puppet-2.4.1:
+ stage: test_2.4.1
+ image: ruby:2.4.1
+ variables:
+ PUPPET_GEM_VERSION: ~> 4.0
+ CHECK: spec
+ script:
+ - bundle update
+ - bundle exec rake $CHECK
+
+rubocop-2.1.9:
+ stage: test_2.1.9
+ image: ruby:2.1.9
+ script:
+ - bundle exec rake rubocop
+
+syntax-2.1.9:
+ stage: test_2.1.9
+ image: ruby:2.1.9
+ script:
+ - bundle exec rake syntax lint
+
+metadata-2.1.9:
+ stage: test_2.1.9
+ image: ruby:2.1.9
+ script:
+ - bundle exec rake metadata_lint
+
+rspec-puppet-2.1.9:
+ stage: test_2.1.9
+ image: ruby:2.1.9
+ variables:
+ PUPPET_GEM_VERSION: ~> 4.0
+ CHECK: spec
+ script:
+ - bundle update
+ - bundle exec rake $CHECK
+
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.pdkignore b/modules/vulnerabilities/unix/webapp/wordpress/.pdkignore
new file mode 100644
index 000000000..56efb9ca1
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/.pdkignore
@@ -0,0 +1,22 @@
+.*.sw[op]
+.metadata
+.yardoc
+.yardwarns
+*.iml
+/.bundle/
+/.idea/
+/.vagrant/
+/coverage/
+/bin/
+/doc/
+/Gemfile.local
+/Gemfile.lock
+/junit/
+/log/
+/pkg/
+/spec/fixtures/manifests/
+/spec/fixtures/modules/
+/tmp/
+/vendor/
+/convert_report.txt
+.DS_Store
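Review bot: `before_script` in `.gitlab-ci.yml` deletes `Gemfile.lock` and then runs `gem update --system` and `gem update bundler`, and the two rspec jobs add `bundle update`, so every pipeline installs the newest RubyGems, Bundler and gems available at that moment with no lockfile to compare against. That makes a run unreproducible and lets a newly published gem version execute in CI unreviewed. Consider dropping `- rm Gemfile.lock || true` and the update steps and installing from a committed lockfile (the `.gitignore` in this commit excludes `/Gemfile.lock`, so that entry would have to go as well). The `before_install` list in `.travis.yml` has the same steps.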
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.rspec b/modules/vulnerabilities/unix/webapp/wordpress/.rspec new file mode 100644 index 000000000..16f9cdb01 --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/.rspec @@ -0,0 +1,2 @@ +--color +--format documentation diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.rubocop.yml b/modules/vulnerabilities/unix/webapp/wordpress/.rubocop.yml new file mode 100644 index 000000000..40a58e071 --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/.rubocop.yml 
@@ -0,0 +1,107 @@ +--- +require: rubocop-rspec +AllCops: + DisplayCopNames: true + TargetRubyVersion: '2.1' + Include: + - "./**/*.rb" + Exclude: + - bin/* + - ".vendor/**/*" + - Gemfile + - Rakefile + - pkg/**/* + - spec/fixtures/**/* + - vendor/**/* +Metrics/LineLength: + Description: People have wide screens, use them. + Max: 200 +RSpec/BeforeAfterAll: + Description: Beware of using after(:all) as it may cause state to leak between tests. + A necessary evil in acceptance testing. + Exclude: + - spec/acceptance/**/*.rb +RSpec/HookArgument: + Description: Prefer explicit :each argument, matching existing module's style + EnforcedStyle: each +Style/BlockDelimiters: + Description: Prefer braces for chaining. Mostly an aesthetical choice. Better to + be consistent then. + EnforcedStyle: braces_for_chaining +Style/ClassAndModuleChildren: + Description: Compact style reduces the required amount of indentation. + EnforcedStyle: compact +Style/EmptyElse: + Description: Enforce against empty else clauses, but allow `nil` for clarity. + EnforcedStyle: empty +Style/FormatString: + Description: Following the main puppet project's style, prefer the % format format. + EnforcedStyle: percent +Style/FormatStringToken: + Description: Following the main puppet project's style, prefer the simpler template + tokens over annotated ones. + EnforcedStyle: template +Style/Lambda: + Description: Prefer the keyword for easier discoverability. + EnforcedStyle: literal +Style/RegexpLiteral: + Description: Community preference. See https://github.com/voxpupuli/modulesync_config/issues/168 + EnforcedStyle: percent_r +Style/TernaryParentheses: + Description: Checks for use of parentheses around ternary conditions. Enforce parentheses + on complex expressions for better readability, but seriously consider breaking + it up. + EnforcedStyle: require_parentheses_when_complex +Style/TrailingCommaInArguments: + Description: Prefer always trailing comma on multiline argument lists. 
This makes + diffs, and re-ordering nicer. + EnforcedStyleForMultiline: comma +Style/TrailingCommaInLiteral: + Description: Prefer always trailing comma on multiline literals. This makes diffs, + and re-ordering nicer. + EnforcedStyleForMultiline: comma +Style/SymbolArray: + Description: Using percent style obscures symbolic intent of array's contents. + EnforcedStyle: brackets +RSpec/MessageSpies: + EnforcedStyle: receive +Style/CollectionMethods: + Enabled: true +Style/MethodCalledOnDoEndBlock: + Enabled: true +Style/StringMethods: + Enabled: true +Layout/EndOfLine: + Enabled: false +Metrics/AbcSize: + Enabled: false +Metrics/BlockLength: + Enabled: false +Metrics/ClassLength: + Enabled: false +Metrics/CyclomaticComplexity: + Enabled: false +Metrics/MethodLength: + Enabled: false +Metrics/ModuleLength: + Enabled: false +Metrics/ParameterLists: + Enabled: false +Metrics/PerceivedComplexity: + Enabled: false +RSpec/DescribeClass: + Enabled: false +RSpec/ExampleLength: + Enabled: false +RSpec/MessageExpectation: + Enabled: false +RSpec/MultipleExpectations: + Enabled: false +RSpec/NestedGroups: + Enabled: false +Style/AsciiComments: + Enabled: false +Style/IfUnlessModifier: + Enabled: false +Style/SymbolProc: + Enabled: false diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.travis.yml b/modules/vulnerabilities/unix/webapp/wordpress/.travis.yml new file mode 100644 index 000000000..6b1f5fbe4 --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/.travis.yml 
@@ -0,0 +1,48 @@
+---
+sudo: false
+dist: trusty
+language: ruby
+cache: bundler
+before_install:
+ - bundle -v
+ - rm Gemfile.lock || true
+ - gem update --system
+ - gem update bundler
+ - gem --version
+ - bundle -v
+script:
+ - 'bundle exec rake $CHECK'
+bundler_args: --without system_tests
+rvm:
+ - 2.4.1
+env:
+ - PUPPET_GEM_VERSION="~> 5.0" CHECK=spec
+matrix:
+ fast_finish: true
+ include:
+ -
+ env: CHECK=rubocop
+ -
+ env: CHECK="syntax lint"
+ -
+ env: CHECK=metadata_lint
+ -
+ env: CHECK=spec
+ -
+ env: PUPPET_GEM_VERSION="~> 4.0" CHECK=spec
+ rvm: 2.1.9
+branches:
+ only:
+ - master
+ - /^v\d/
+notifications:
+ email: false
+deploy:
+ provider: puppetforge
+ user: puppet
+ password:
+ secure: ""
+ on:
+ tags: true
+ all_branches: true
+ condition: "$DEPLOY_TO_FORGE = yes"
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.yardopts b/modules/vulnerabilities/unix/webapp/wordpress/.yardopts
new file mode 100644
index 000000000..29c933bcf
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/.yardopts
@@ -0,0 +1 @@
+--markup markdown
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/CHANGELOG b/modules/vulnerabilities/unix/webapp/wordpress/CHANGELOG
new file mode 100644
index 000000000..50c8e26b0
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/CHANGELOG
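Review bot: The `deploy:` block at the end of `.travis.yml` publishes to the Puppet Forge as `user: puppet` on tagged builds when `$DEPLOY_TO_FORGE = yes`, which looks like a carry-over from the module template rather than something this vendored copy should do. `secure: ""` is empty, so a triggered deploy would presumably just fail. Removing the whole `deploy:` block avoids an accidental publish attempt and keeps anyone from filling in a credential here later.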
@@ -0,0 +1,73 @@ +2014-10-15 Release 1.0.0 +Features +- Multiple instances ability via wordpress::instance +- New wp_debug, wp_debug_log, and wp_debug_display parameters for debug output +- New wp_config_content parameter for custom configuration + +Bugfixes: +- Convert rspec-system tests to beaker-rspec tests +- Updated readme + +2014-01-16 Release 0.6.0 +Features: +- Add `wordpress::wp_additional_config` parameter for custom template +fragments. +- Add `wordpress::wp_table_prefix` to customize the table prefix in mysql. + +Bugfixes: +- Fix idempotency for `mysql_grant` privileges. + +2013-12-17 Release 0.5.1 +Features: +- Update default version of wordpress to install to 3.8 +- Add `wordpress::wp_proxy_host` and `wordpress::wp_proxy_port` for proxying +plugin installation. +- Add `wordpress::wp_mulitsite` and `wordpress::wp_multisite` to enable +multisite support +- Update to work with latest 2.x puppetlabs-mysql +- Update to work with latest 1.x puppetlabs-concat +- Add rspec-system integration testing, travis testing, and autopublish + +Bugfixes: +- Fix ownership during installation to reduce log output and increase +idempotency. + +2013-12-17 Release 0.5.0 +This release is invalid and was removed. + +2013-09-19 Release 0.4.2 +Bugfixes: +- Correct Modulefile module name + +2013-09-19 Release 0.4.1 +Bugfixes: +- Escape \'s in the salt + +2013-06-17 Release 0.4.0 +Features: +- Add `wordpress::wp_lang` parameter +- Add `wordpress::wp_plugin_dir` parameter + +Bugfixes: +- Add class anchors +- Conditionalize directory management +- Fix `@db_host` template variable + +2012-12-31 Release 0.2.3 +Changes: +- Remove Apache php configuration; that responsibility falls outside of this module. + +2012-12-28 Release 0.2.2 +Bugfixes: +- Pass required parameters + +2012-12-28 Release 0.2.1 +Bugfixes: +- Remove extraneous files from module. 
+ +2012-12-28 Release 0.2.0 +Changes: +- Add `install_url` parameter to download tarball from other location + +2012-12-28 Release 0.1.0 +- Initial rewrite from jonhadfield/master diff --git a/modules/vulnerabilities/unix/webapp/wordpress/Gemfile b/modules/vulnerabilities/unix/webapp/wordpress/Gemfile new file mode 100644 index 000000000..655b01465 --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/Gemfile 
@@ -0,0 +1,126 @@ +source ENV['GEM_SOURCE'] || 'https://rubygems.org' + +def location_for(place_or_version, fake_version = nil) + if place_or_version =~ %r{\A(git[:@][^#]*)#(.*)} + [fake_version, { git: Regexp.last_match(1), branch: Regexp.last_match(2), require: false }].compact + elsif place_or_version =~ %r{\Afile:\/\/(.*)} + ['>= 0', { path: File.expand_path(Regexp.last_match(1)), require: false }] + else + [place_or_version, { require: false }] + end +end + +def gem_type(place_or_version) + if place_or_version =~ %r{\Agit[:@]} + :git + elsif !place_or_version.nil? && place_or_version.start_with?('file:') + :file + else + :gem + end +end + +ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments +minor_version = ruby_version_segments[0..1].join('.') + +group :development do + gem "fast_gettext", '1.1.0', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0') + gem "fast_gettext", require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0') + gem "json_pure", '<= 2.0.1', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0') + gem "json", '= 1.8.1', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9') + gem "puppet-module-posix-default-r#{minor_version}", require: false, platforms: [:ruby] + gem "puppet-module-posix-dev-r#{minor_version}", require: false, platforms: [:ruby] + gem "puppet-module-win-default-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw] + gem "puppet-module-win-dev-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw] +end + +puppet_version = ENV['PUPPET_GEM_VERSION'] +puppet_type = gem_type(puppet_version) +facter_version = ENV['FACTER_GEM_VERSION'] +hiera_version = ENV['HIERA_GEM_VERSION'] + +def puppet_older_than?(version) + puppet_version = ENV['PUPPET_GEM_VERSION'] + !puppet_version.nil? 
&& + Gem::Version.correct?(puppet_version) && + Gem::Requirement.new("< #{version}").satisfied_by?(Gem::Version.new(puppet_version.dup)) +end + +gems = {} + +gems['puppet'] = location_for(puppet_version) + +# If facter or hiera versions have been specified via the environment +# variables, use those versions. If not, and if the puppet version is < 3.5.0, +# use known good versions of both for puppet < 3.5.0. +if facter_version + gems['facter'] = location_for(facter_version) +elsif puppet_type == :gem && puppet_older_than?('3.5.0') + gems['facter'] = ['>= 1.6.11', '<= 1.7.5', require: false] +end + +if hiera_version + gems['hiera'] = location_for(ENV['HIERA_GEM_VERSION']) +elsif puppet_type == :gem && puppet_older_than?('3.5.0') + gems['hiera'] = ['>= 1.0.0', '<= 1.3.0', require: false] +end + +if Gem.win_platform? && (puppet_type != :gem || puppet_older_than?('3.5.0')) + # For Puppet gems < 3.5.0 (tested as far back as 3.0.0) on Windows + if puppet_type == :gem + gems['ffi'] = ['1.9.0', require: false] + gems['minitar'] = ['0.5.4', require: false] + gems['win32-eventlog'] = ['0.5.3', '<= 0.6.5', require: false] + gems['win32-process'] = ['0.6.5', '<= 0.7.5', require: false] + gems['win32-security'] = ['~> 0.1.2', '<= 0.2.5', require: false] + gems['win32-service'] = ['0.7.2', '<= 0.8.8', require: false] + else + gems['ffi'] = ['~> 1.9.0', require: false] + gems['minitar'] = ['~> 0.5.4', require: false] + gems['win32-eventlog'] = ['~> 0.5', '<= 0.6.5', require: false] + gems['win32-process'] = ['~> 0.6', '<= 0.7.5', require: false] + gems['win32-security'] = ['~> 0.1', '<= 0.2.5', require: false] + gems['win32-service'] = ['~> 0.7', '<= 0.8.8', require: false] + end + + gems['win32-dir'] = ['~> 0.3', '<= 0.4.9', require: false] + + if RUBY_VERSION.start_with?('1.') + gems['win32console'] = ['1.3.2', require: false] + # sys-admin was removed in Puppet 3.7.0 and doesn't compile under Ruby 2.x + gems['sys-admin'] = ['1.5.6', require: false] + end + + # Puppet < 3.7.0 
requires these. + # Puppet >= 3.5.0 gem includes these as requirements. + # The following versions are tested to work with 3.0.0 <= puppet < 3.7.0. + gems['win32-api'] = ['1.4.8', require: false] + gems['win32-taskscheduler'] = ['0.2.2', require: false] + gems['windows-api'] = ['0.4.3', require: false] + gems['windows-pr'] = ['1.2.3', require: false] +elsif Gem.win_platform? + # If we're using a Puppet gem on Windows which handles its own win32-xxx gem + # dependencies (>= 3.5.0), set the maximum versions (see PUP-6445). + gems['win32-dir'] = ['<= 0.4.9', require: false] + gems['win32-eventlog'] = ['<= 0.6.5', require: false] + gems['win32-process'] = ['<= 0.7.5', require: false] + gems['win32-security'] = ['<= 0.2.5', require: false] + gems['win32-service'] = ['<= 0.8.8', require: false] +end + +gems.each do |gem_name, gem_params| + gem gem_name, *gem_params +end + +# Evaluate Gemfile.local and ~/.gemfile if they exist +extra_gemfiles = [ + "#{__FILE__}.local", + File.join(Dir.home, '.gemfile'), +] + +extra_gemfiles.each do |gemfile| + if File.file?(gemfile) && File.readable?(gemfile) + eval(File.read(gemfile), binding) + end +end +# vim: syntax=ruby diff --git a/modules/vulnerabilities/unix/webapp/wordpress/Modulefile b/modules/vulnerabilities/unix/webapp/wordpress/Modulefile new file mode 100644 index 000000000..a490a7cb7 --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/Modulefile @@ -0,0 +1,13 @@ +name 'hunner-wordpress' +version '1.0.0' +source 'https://github.com/hunner/puppet-wordpress' +author 'Hunter Haugen' +license 'Apache2' +summary 'Puppet module to set up an instance of wordpress' +description 'Installs wordpress and required mysql db/user.' +project_page 'https://github.com/hunner/puppet-wordpress' + +## Add dependencies, if any: +#dependency 'puppetlabs/concat', '>= 1.0.0' +#dependency 'puppetlabs/mysql', '>= 2.1.0' +#dependency 'puppetlabs/stdlib', '>= 2.3.1' 
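Review bot: The `extra_gemfiles.each` loop at the end of the Gemfile passes the contents of `Gemfile.local` and `~/.gemfile` to `eval(File.read(gemfile), binding)`, so any Ruby in the invoking user's home directory runs on every Bundler command, including on a shared CI runner. If the local override is wanted, keep only `"#{__FILE__}.local"` in `extra_gemfiles` and add a comment such as `# Gemfile.local is executed as Ruby; never populate it from untrusted input`. `source ENV['GEM_SOURCE'] || 'https://rubygems.org'` on the first line similarly lets the environment redirect gem resolution to another index, which deserves a one-line comment naming who is expected to set it.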
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/README.markdown b/modules/vulnerabilities/unix/webapp/wordpress/README.markdown new file mode 100644 index 000000000..ca6cc5bc9 --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/README.markdown @@ -0,0 +1,215 @@ +# WordPress Module + +## Overview + +This will set up one or more installations of Wordpress 3.8 on Debian and Redhat style distributions. + +## Capabilities + +#### Installation includes: + +- Configuration of WordPress DB connection parameters +- Generate secure keys and salts for `wp-config.php`. +- Optional creation of MySQL database/user/permissions. + +#### Requires: + +- Configuration of php-enabled webserver +- Configuration MySQL server +- PHP 5.3 or greater +- User specified by `wp_owner` must exist + +## Parameters + +### Class wordpress + +* `install_dir`
+ Specifies the directory into which wordpress should be installed. Default: `/opt/wordpress` + +* `install_url`
+ Specifies the url from which the wordpress tarball should be downloaded. Default: `http://wordpress.org` + +* `version`
+ Specifies the version of wordpress to install. Default: `3.8` + +* `create_db`
+ Specifies whether to create the db or not. Default: `true` + +* `create_db_user`
+ Specifies whether to create the db user or not. Default: `true` + +* `db_name`
+ Specifies the database name which the wordpress module should be configured to use. Default: `wordpress` + +* `db_host`
+ Specifies the database host to connect to. Default: `localhost` + +* `db_user`
+ Specifies the database user. Default: `wordpress` + +* `db_password`
+ Specifies the database user's password in plaintext. Default: `password` + +* `wp_owner`
+ Specifies the owner of the wordpress files. You must ensure this user exists as this module does not attempt to create it if missing. Default: `root` + +* `wp_group`
+ Specifies the group of the wordpress files. Default: `0` (\*BSD/Darwin compatible GID) + +* `wp_lang`
+ WordPress Localized Language. Default: '' + +* `wp_plugin_dir`
+ WordPress Plugin Directory. Full path, no trailing slash. Default: WordPress Default + +* `wp_additional_config`
+ Specifies a template to include near the end of the wp-config.php file to add additional options. Default: '' + +* `wp_config_content`
+ Specifies the entire content for wp-config.php. This causes many of the other parameters to be ignored and allows an entirely custom config to be passed. It is recommended to use `wp_additional_config` instead of this parameter when possible. + +* `wp_table_prefix`
+ Specifies the database table prefix. Default: wp_ + +* `wp_proxy_host`
+ Specifies a Hostname or IP of a proxy server for Wordpress to use to install updates, plugins, etc. Default: '' + +* `wp_proxy_port`
+ Specifies the port to use with the proxy host. Default: '' + +* `wp_site_url`
+ If your WordPress server is behind a proxy, you might need to set the WP_SITEURL with this parameter. Default: 'undef' + +* `wp_multisite`
+ Specifies whether to enable the multisite feature. Requires `wp_site_domain` to also be passed. Default: `false` + +* `wp_site_domain`
+ Specifies the `DOMAIN_CURRENT_SITE` value that will be used when configuring multisite. Typically this is the address of the main wordpress instance. Default: '' + +* `wp_debug`
+ Specifies the `WP_DEBUG` value that will control debugging. This must be true if you use the next two debug extensions. Default: 'false' + +* `wp_debug_log`
+ Specifies the `WP_DEBUG_LOG` value that extends debugging to cause all errors to also be saved to a debug.log logfile insdie the /wp-content/ directory. Default: 'false' + +* `wp_debug_display`
+ Specifies the `WP_DEBUG_DISPLAY` value that extends debugging to cause debug messages to be shown inline, in HTML pages. Default: 'false' + +### Define wordpress::instance + +* The parameters for `wordpress::instance` is exactly the same as the class `wordpress` except as noted below. +* The title will be used as the default value for `install_dir` unless otherwise specified. +* The `db_name` and `db_user` parameters are required. + +### Other classes and defines + +The classes `wordpress::app` and `wordpress::db` and defines `wordpress::instance::app` and `wordpress::instance::db` are technically private, but any PRs which add documentation and tests so that they may be made public for multi-node deployments are welcome! + +## Example Usage + +Default single deployment (insecure; default passwords and installed as root): + +```puppet +class { 'wordpress': } +``` + +Basic deployment (secure database password, installed as `wordpress` user/group. NOTE: in this example you must ensure the `wordpress` user already exists): + +```puppet +class { 'wordpress': + wp_owner => 'wordpress', + wp_group => 'wordpress', + db_user => 'wordpress', + db_password => 'hvyH(S%t(\"0\"16', +} +``` + +Basic deployment of multiple instances (secure database password, installed as `wordpress` user/group): + +```puppet +wordpress::instance { '/opt/wordpress1': + wp_owner => 'wordpress1', + wp_group => 'wordpress1', + db_user => 'wordpress1', + db_name => 'wordpress1', + db_password => 'hvyH(S%t(\"0\"16', +} +wordpress::instance { '/opt/wordpress2': + wp_owner => 'wordpress2', + wp_group => 'wordpress2', + db_user => 'wordpress2', + db_name => 'wordpress2', + db_password => 'bb69381b4b9de3a232', +} +``` + +Externally hosted MySQL DB: + +```puppet +class { 'wordpress': + db_user => 'wordpress', + db_password => 'hvyH(S%t(\"0\"16', + db_host => 'db.example.com', +} +``` + +Disable module's database/user creation (the database and db user must still exist with correct permissions): + 
+```puppet +class { 'wordpress': + db_user => 'wordpress', + db_password => 'hvyH(S%t(\"0\"16', + create_db => false, + create_db_user => false, +} +``` + +Install specific version of WordPress: + +```puppet +class { 'wordpress': + version => '3.4', +} +``` + +Install WordPress to a specific directory: + +```puppet +class { 'wordpress': + install_dir => '/var/www/wordpress', +} +``` + +Download `wordpress-${version}.tar.gz` from an internal server: + +```puppet +class { 'wordpress': + install_url => 'http://internal.example.com/software', +} +``` + +Configure wordpress to download updates and plugins through a proxy: + +```puppet +class { 'wordpress': + proxy_host => 'http://my.proxy.corp.com', + proxy_port => '8080', +} +``` + +Enable the multisite wordpress feature: + +```puppet +class { 'wordpress': + wp_multisite => true, + wp_site_domain => 'blog.domain.com', +} +``` + +Add custom configuration to wp-config.php: + +```puppet +class { 'wordpress': + wp_additional_config => 'foo/wp-config-extra.php.erb', +} +``` diff --git a/modules/vulnerabilities/unix/webapp/wordpress/Rakefile b/modules/vulnerabilities/unix/webapp/wordpress/Rakefile new file mode 100644 index 000000000..81381e0cf --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/Rakefile @@ -0,0 +1,2 @@ +require 'puppetlabs_spec_helper/rake_tasks' +require 'puppet-syntax/tasks/puppet-syntax' diff --git a/modules/vulnerabilities/unix/webapp/wordpress/appveyor.yml b/modules/vulnerabilities/unix/webapp/wordpress/appveyor.yml new file mode 100644 index 000000000..5fd5e8925 --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/appveyor.yml 
@@ -0,0 +1,57 @@
+version: 1.1.x.{build}
+skip_commits:
+ message: /^\(?doc\)?.*/
+clone_depth: 10
+init:
+ - SET
+ - 'mkdir C:\ProgramData\PuppetLabs\code && exit 0'
+ - 'mkdir C:\ProgramData\PuppetLabs\facter && exit 0'
+ - 'mkdir C:\ProgramData\PuppetLabs\hiera && exit 0'
+ - 'mkdir C:\ProgramData\PuppetLabs\puppet\var && exit 0'
+environment:
+ matrix:
+ -
+ RUBY_VERSION: 24-x64
+ CHECK: syntax lint
+ -
+ RUBY_VERSION: 24-x64
+ CHECK: metadata_lint
+ -
+ RUBY_VERSION: 24-x64
+ CHECK: rubocop
+ -
+ PUPPET_GEM_VERSION: ~> 4.0
+ RUBY_VERSION: 21
+ CHECK: spec
+ -
+ PUPPET_GEM_VERSION: ~> 4.0
+ RUBY_VERSION: 21-x64
+ CHECK: spec
+ -
+ PUPPET_GEM_VERSION: ~> 5.0
+ RUBY_VERSION: 24
+ CHECK: spec
+ -
+ PUPPET_GEM_VERSION: ~> 5.0
+ RUBY_VERSION: 24-x64
+ CHECK: spec
+matrix:
+ fast_finish: true
+install:
+ - set PATH=C:\Ruby%RUBY_VERSION%\bin;%PATH%
+ - bundle install --jobs 4 --retry 2 --without system_tests
+ - type Gemfile.lock
+build: off
+test_script:
+ - bundle exec puppet -V
+ - ruby -v
+ - gem -v
+ - bundle -v
+ - bundle exec rake %CHECK%
+notifications:
+ - provider: Email
+ to:
+ - nobody@nowhere.com
+ on_build_success: false
+ on_build_failure: false
+ on_build_status_changed: false
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/manifests/app.pp b/modules/vulnerabilities/unix/webapp/wordpress/manifests/app.pp
new file mode 100644
index 000000000..fcefb1f99
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/manifests/app.pp
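Review bot: The first `init:` step in `appveyor.yml` is a bare `SET`, which prints every environment variable to the build log, so any secure variable later configured for the project would be written there in clear text. Drop the `- SET` line, or replace it with the specific values worth logging, e.g. `- echo %RUBY_VERSION% %PUPPET_GEM_VERSION%`.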
@@ -0,0 +1,48 @@
+class wordpress::app (
+ $install_dir,
+ $install_url,
+ $version,
+ $db_name,
+ $db_host,
+ $db_user,
+ $db_password,
+ $wp_owner,
+ $wp_group,
+ $wp_lang,
+ $wp_config_content,
+ $wp_plugin_dir,
+ $wp_additional_config,
+ $wp_table_prefix,
+ $wp_proxy_host,
+ $wp_proxy_port,
+ $wp_site_url,
+ $wp_multisite,
+ $wp_site_domain,
+ $wp_debug,
+ $wp_debug_log,
+ $wp_debug_display,
+) {
+ wordpress::instance::app { $install_dir:
+ install_dir => $install_dir,
+ install_url => $install_url,
+ version => $version,
+ db_name => $db_name,
+ db_host => $db_host,
+ db_user => $db_user,
+ db_password => $db_password,
+ wp_owner => $wp_owner,
+ wp_group => $wp_group,
+ wp_lang => $wp_lang,
+ wp_plugin_dir => $wp_plugin_dir,
+ wp_additional_config => $wp_additional_config,
+ wp_table_prefix => $wp_table_prefix,
+ wp_proxy_host => $wp_proxy_host,
+ wp_proxy_port => $wp_proxy_port,
+ wp_site_url => $wp_site_url,
+ wp_multisite => $wp_multisite,
+ wp_site_domain => $wp_site_domain,
+ wp_debug => $wp_debug,
+ wp_debug_log => $wp_debug_log,
+ wp_debug_display => $wp_debug_display,
+ }
+}
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/manifests/db.pp b/modules/vulnerabilities/unix/webapp/wordpress/manifests/db.pp
new file mode 100644
index 000000000..39cfd63f1
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/manifests/db.pp
@@ -0,0 +1,17 @@
+class wordpress::db (
+ $create_db,
+ $create_db_user,
+ $db_name,
+ $db_host,
+ $db_user,
+ $db_password,
+) {
+ wordpress::instance::db { "${db_host}/${db_name}":
+ create_db => $create_db,
+ create_db_user => $create_db_user,
+ db_name => $db_name,
+ db_host => $db_host,
+ db_user => $db_user,
+ db_password => $db_password,
+ }
+}
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/manifests/init.pp b/modules/vulnerabilities/unix/webapp/wordpress/manifests/init.pp
new file mode 100644
index 000000000..9eb83a5c5
--- /dev/null
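Review bot: The `wordpress::instance::app { $install_dir: ... }` declaration in `wordpress::app` never passes `wp_config_content`, although the class accepts it and the `wordpress::instance::app` define added in this commit declares `$wp_config_content` with no default. Declaring `wordpress::app` would therefore fail catalog compilation on a missing required parameter, and a caller-supplied config body could not reach the define in any case. Add `wp_config_content => $wp_config_content,` after the `wp_lang` line, as the declarations in init.pp and instance.pp already do.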
+++ b/modules/vulnerabilities/unix/webapp/wordpress/manifests/init.pp 
@@ -0,0 +1,139 @@ +# == Class: wordpress +# +# This module manages wordpress +# +# === Parameters +# +# [*install_dir*] +# Specifies the directory into which wordpress should be installed. Default: +# /opt/wordpress +# +# [*install_url*] +# Specifies the url from which the wordpress tarball should be downloaded. +# Default: http://wordpress.org +# +# [*version*] +# Specifies the version of wordpress to install. Default: 3.8 +# +# [*create_db*] +# Specifies whether to create the db or not. Default: true +# +# [*create_db_user*] +# Specifies whether to create the db user or not. Default: true +# +# [*db_name*] +# Specifies the database name which the wordpress module should be configured +# to use. Default: wordpress +# +# [*db_host*] +# Specifies the database host to connect to. Default: localhost +# +# [*db_user*] +# Specifies the database user. Default: wordpress +# +# [*db_password*] +# Specifies the database user's password in plaintext. Default: password +# +# [*wp_owner*] +# Specifies the owner of the wordpress files. You must ensure this user +# exists as this module does not attempt to create it if missing. Default: +# root +# +# [*wp_group*] +# Specifies the group of the wordpress files. Default: 0 (*BSD/Darwin +# compatible GID) +# +# [*wp_lang*] +# WordPress Localized Language. Default: '' +# +# +# [*wp_plugin_dir*] +# WordPress Plugin Directory. Full path, no trailing slash. Default: WordPress Default +# +# [*wp_additional_config*] +# Specifies a template to include near the end of the wp-config.php file to add additional options. Default: '' +# +# [*wp_table_prefix*] +# Specifies the database table prefix. Default: wp_ +# +# [*wp_proxy_host*] +# Specifies a Hostname or IP of a proxy server for Wordpress to use to install updates, plugins, etc. Default: '' +# +# [*wp_proxy_port*] +# Specifies the port to use with the proxy host. 
Default: '' +# +# [*wp_site_url*] +# If your WordPress server is behind a proxy, you might need to set the WP_SITEURL with this parameter. Default: `undef` +# +# [*wp_multisite*] +# Specifies whether to enable the multisite feature. Requires `wp_site_domain` to also be passed. Default: `false` +# +# [*wp_site_domain*] +# Specifies the `DOMAIN_CURRENT_SITE` value that will be used when configuring multisite. Typically this is the address of the main wordpress instance. Default: '' +# +# [*wp_debug*] +# Specifies the `WP_DEBUG` value that will control debugging. This must be true if you use the next two debug extensions. Default: 'false' +# +# [*wp_debug_log*] +# Specifies the `WP_DEBUG_LOG` value that extends debugging to cause all errors to also be saved to a debug.log logfile insdie the /wp-content/ directory. Default: 'false' +# +# [*wp_debug_display*] +# Specifies the `WP_DEBUG_DISPLAY` value that extends debugging to cause debug messages to be shown inline, in HTML pages. Default: 'false' +# +# === Requires +# +# === Examples +# +class wordpress ( + $install_dir = '/opt/wordpress', + $install_url = 'http://wordpress.org', + $version = '3.8', + $create_db = true, + $create_db_user = true, + $db_name = 'wordpress', + $db_host = 'localhost', + $db_user = 'wordpress', + $db_password = 'password', + $wp_owner = 'root', + $wp_group = '0', + $wp_lang = '', + $wp_config_content = undef, + $wp_plugin_dir = 'DEFAULT', + $wp_additional_config = 'DEFAULT', + $wp_table_prefix = 'wp_', + $wp_proxy_host = '', + $wp_proxy_port = '', + $wp_site_url = undef, + $wp_multisite = false, + $wp_site_domain = '', + $wp_debug = false, + $wp_debug_log = false, + $wp_debug_display = false, +) { + wordpress::instance { $install_dir: + install_dir => $install_dir, + install_url => $install_url, + version => $version, + create_db => $create_db, + create_db_user => $create_db_user, + db_name => $db_name, + db_host => $db_host, + db_user => $db_user, + db_password => $db_password, + wp_owner 
=> $wp_owner, + wp_group => $wp_group, + wp_lang => $wp_lang, + wp_config_content => $wp_config_content, + wp_plugin_dir => $wp_plugin_dir, + wp_additional_config => $wp_additional_config, + wp_table_prefix => $wp_table_prefix, + wp_proxy_host => $wp_proxy_host, + wp_proxy_port => $wp_proxy_port, + wp_site_url => $wp_site_url, + wp_multisite => $wp_multisite, + wp_site_domain => $wp_site_domain, + wp_debug => $wp_debug, + wp_debug_log => $wp_debug_log, + wp_debug_display => $wp_debug_display, + } +} diff --git a/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance.pp b/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance.pp new file mode 100644 index 000000000..54e92fb85 --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance.pp 
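Review bot: `$db_password = 'password'` gives every declaration that omits the parameter a guessable database credential, which instance/db.pp then sets for the MySQL user and wp-config.php.erb writes into the site configuration; the same default is repeated in `wordpress::instance` (manifests/instance.pp). If the weak value is deliberate for this scenario module, say so in the parameter documentation, e.g. `# Default: password (intentionally weak; lab use only)`. Otherwise drop the default so callers must supply a value, `$db_password,`, and update the `Default: password` line in the header to `Required.`.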
@@ -0,0 +1,135 @@ +# == Definition: wordpress::instance +# +# This module manages wordpress +# +# === Parameters +# +# [*install_dir*] +# Specifies the directory into which wordpress should be installed. Default: +# /opt/wordpress +# +# [*install_url*] +# Specifies the url from which the wordpress tarball should be downloaded. +# Default: http://wordpress.org +# +# [*version*] +# Specifies the version of wordpress to install. Default: 3.8 +# +# [*create_db*] +# Specifies whether to create the db or not. Default: true +# +# [*create_db_user*] +# Specifies whether to create the db user or not. Default: true +# +# [*db_name*] +# Specifies the database name which the wordpress module should be configured +# to use. Required. +# +# [*db_host*] +# Specifies the database host to connect to. Default: localhost +# +# [*db_user*] +# Specifies the database user. Required. +# +# [*db_password*] +# Specifies the database user's password in plaintext. Default: password +# +# [*wp_owner*] +# Specifies the owner of the wordpress files. Default: root +# +# [*wp_group*] +# Specifies the group of the wordpress files. Default: 0 (*BSD/Darwin +# compatible GID) +# +# [*wp_lang*] +# WordPress Localized Language. Default: '' +# +# +# [*wp_plugin_dir*] +# WordPress Plugin Directory. Full path, no trailing slash. Default: WordPress Default +# +# [*wp_additional_config*] +# Specifies a template to include near the end of the wp-config.php file to add additional options. Default: '' +# +# [*wp_table_prefix*] +# Specifies the database table prefix. Default: wp_ +# +# [*wp_proxy_host*] +# Specifies a Hostname or IP of a proxy server for Wordpress to use to install updates, plugins, etc. Default: '' +# +# [*wp_proxy_port*] +# Specifies the port to use with the proxy host. Default: '' +# +# [*wp_site_url*] +# If your WordPress server is behind a proxy, you might need to set the WP_SITEURL with this parameter. 
Default: `undef` +# +# [*wp_multisite*] +# Specifies whether to enable the multisite feature. Requires `wp_site_domain` to also be passed. Default: `false` +# +# [*wp_site_domain*] +# Specifies the `DOMAIN_CURRENT_SITE` value that will be used when configuring multisite. Typically this is the address of the main wordpress instance. Default: '' +# +# === Requires +# +# === Examples +# +define wordpress::instance ( + $db_name, + $db_user, + $install_dir = $title, + $install_url = 'http://wordpress.org', + $version = '3.8', + $create_db = true, + $create_db_user = true, + $db_host = 'localhost', + $db_password = 'password', + $wp_owner = 'root', + $wp_group = '0', + $wp_lang = '', + $wp_config_content = undef, + $wp_plugin_dir = 'DEFAULT', + $wp_additional_config = 'DEFAULT', + $wp_table_prefix = 'wp_', + $wp_proxy_host = '', + $wp_proxy_port = '', + $wp_site_url = undef, + $wp_multisite = false, + $wp_site_domain = '', + $wp_debug = false, + $wp_debug_log = false, + $wp_debug_display = false, +) { + wordpress::instance::app { $install_dir: + install_dir => $install_dir, + install_url => $install_url, + version => $version, + db_name => $db_name, + db_host => $db_host, + db_user => $db_user, + db_password => $db_password, + wp_owner => $wp_owner, + wp_group => $wp_group, + wp_lang => $wp_lang, + wp_config_content => $wp_config_content, + wp_plugin_dir => $wp_plugin_dir, + wp_additional_config => $wp_additional_config, + wp_table_prefix => $wp_table_prefix, + wp_proxy_host => $wp_proxy_host, + wp_proxy_port => $wp_proxy_port, + wp_site_url => $wp_site_url, + wp_multisite => $wp_multisite, + wp_site_domain => $wp_site_domain, + wp_debug => $wp_debug, + wp_debug_log => $wp_debug_log, + wp_debug_display => $wp_debug_display, + } + + wordpress::instance::db { "${db_host}/${db_name}": + create_db => $create_db, + create_db_user => $create_db_user, + db_name => $db_name, + db_host => $db_host, + db_user => $db_user, + db_password => $db_password, + } +} 
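Review bot: The parameter documentation for `wordpress::instance` stops at `wp_site_domain` and omits `wp_config_content`, `wp_debug`, `wp_debug_log` and `wp_debug_display`, all of which the define accepts; the header in init.pp likewise has no entry for `wp_config_content`. That parameter matters most, because the warning in instance/app.pp says that setting it causes the other templated `wp_*` options to be ignored, and a reader of this header cannot learn that. I would add `# [*wp_config_content*]` followed by `#   Literal body for wp-config.php; when set, the templated wp_* options are ignored. Default: undef`, and copy the three `wp_debug*` entries from init.pp.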
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance/app.pp b/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance/app.pp
new file mode 100644
index 000000000..4bc1291e3
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance/app.pp
@@ -0,0 +1,146 @@ +define wordpress::instance::app ( + $install_dir, + $install_url, + $version, + $db_name, + $db_host, + $db_user, + $db_password, + $wp_owner, + $wp_group, + $wp_lang, + $wp_config_content, + $wp_plugin_dir, + $wp_additional_config, + $wp_table_prefix, + $wp_proxy_host, + $wp_proxy_port, + $wp_site_url, + $wp_multisite, + $wp_site_domain, + $wp_debug, + $wp_debug_log, + $wp_debug_display, +) { + validate_string($install_dir,$install_url,$version,$db_name,$db_host,$db_user,$db_password,$wp_owner,$wp_group, $wp_lang, $wp_plugin_dir,$wp_additional_config,$wp_table_prefix,$wp_proxy_host,$wp_proxy_port,$wp_site_domain) + validate_bool($wp_multisite, $wp_debug, $wp_debug_log, $wp_debug_display) + validate_absolute_path($install_dir) + + if $wp_config_content and ($wp_lang or $wp_debug or $wp_debug_log or $wp_debug_display or $wp_proxy_host or $wp_proxy_port or $wp_multisite or $wp_site_domain) { + warning('When $wp_config_content is set, the following parameters are ignored: $wp_table_prefix, $wp_lang, $wp_debug, $wp_debug_log, $wp_debug_display, $wp_plugin_dir, $wp_proxy_host, $wp_proxy_port, $wp_multisite, $wp_site_domain, $wp_additional_config') + } + + if $wp_multisite and ! $wp_site_domain { + fail('wordpress class requires `wp_site_domain` parameter when `wp_multisite` is true') + } + + if $wp_debug_log and ! $wp_debug { + fail('wordpress class requires `wp_debug` parameter to be true, when `wp_debug_log` is true') + } + + if $wp_debug_display and ! $wp_debug { + fail('wordpress class requires `wp_debug` parameter to be true, when `wp_debug_display` is true') + } + + ## Resource defaults + File { + owner => $wp_owner, + group => $wp_group, + mode => '0644', + } + Exec { + path => ['/bin','/sbin','/usr/bin','/usr/sbin'], + cwd => $install_dir, + logoutput => 'on_failure', + } + + ## Installation directory + if ! 
defined(File[$install_dir]) { + file { $install_dir: + ensure => directory, + recurse => true, + } + } else { + notice("Warning: cannot manage the permissions of ${install_dir}, as another resource (perhaps apache::vhost?) is managing it.") + } + + ## tar.gz. file name lang-aware + if $wp_lang and $wp_lang != '' { + $install_file_name = "wordpress-${version}-${wp_lang}.tar.gz" + } else { + $install_file_name = "wordpress-${version}.tar.gz" + } + + ## Download and extract + exec { "Download wordpress ${install_url}/wordpress-${version}.tar.gz to ${install_dir}": + command => "wget ${install_url}/${install_file_name}", + creates => "${install_dir}/${install_file_name}", + require => File[$install_dir], + user => $wp_owner, + group => $wp_group, + } + -> exec { "Extract wordpress ${install_dir}": + command => "tar zxvf ./${install_file_name} --strip-components=1", + creates => "${install_dir}/index.php", + user => $wp_owner, + group => $wp_group, + } + ~> exec { "Change ownership ${install_dir}": + command => "chown -R ${wp_owner}:${wp_group} ${install_dir}", + refreshonly => true, + user => $wp_owner, + group => $wp_group, + } + + ## Configure wordpress + # + concat { "${install_dir}/wp-config.php": + owner => $wp_owner, + group => $wp_group, + mode => '0755', + require => Exec["Extract wordpress ${install_dir}"], + } + if $wp_config_content { + concat::fragment { "${install_dir}/wp-config.php body": + target => "${install_dir}/wp-config.php", + content => $wp_config_content, + order => '20', + } + } else { + # Template uses no variables + file { "${install_dir}/wp-keysalts.php": + ensure => present, + content => template('wordpress/wp-keysalts.php.erb'), + replace => false, + require => Exec["Extract wordpress ${install_dir}"], + } + concat::fragment { "${install_dir}/wp-config.php keysalts": + target => "${install_dir}/wp-config.php", + source => "${install_dir}/wp-keysalts.php", + order => '10', + require => File["${install_dir}/wp-keysalts.php"], + } + # Template 
uses: + # - $db_name + # - $db_user + # - $db_password + # - $db_host + # - $wp_table_prefix + # - $wp_lang + # - $wp_plugin_dir + # - $wp_proxy_host + # - $wp_proxy_port + # - $wp_site_url + # - $wp_multisite + # - $wp_site_domain + # - $wp_additional_config + # - $wp_debug + # - $wp_debug_log + # - $wp_debug_display + concat::fragment { "${install_dir}/wp-config.php body": + target => "${install_dir}/wp-config.php", + content => template('wordpress/wp-config.php.erb'), + order => '20', + } + } +} diff --git a/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance/db.pp b/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance/db.pp new file mode 100644 index 000000000..29672d0c3 --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance/db.pp @@ -0,0 +1,30 @@ +define wordpress::instance::db ( + $create_db, + $create_db_user, + $db_name, + $db_host, + $db_user, + $db_password, +) { + validate_bool($create_db,$create_db_user) + validate_string($db_name,$db_host,$db_user,$db_password) + + ## Set up DB using puppetlabs-mysql defined type + if $create_db { + mysql_database { "${db_host}/${db_name}": + name => $db_name, + charset => 'utf8', + } + } + if $create_db_user { + mysql_user { "${db_user}@${db_host}": + password_hash => mysql_password($db_password), + } + mysql_grant { "${db_user}@${db_host}/${db_name}.*": + table => "${db_name}.*", + user => "${db_user}@${db_host}", + privileges => ['ALL'], + } + } + +} diff --git a/modules/vulnerabilities/unix/webapp/wordpress/metadata.json b/modules/vulnerabilities/unix/webapp/wordpress/metadata.json new file mode 100644 index 000000000..db048d41d --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/metadata.json 
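Review bot: The download exec runs `wget ${install_url}/${install_file_name}` and the following exec untars the result into the install directory with no integrity check, while the callers default `install_url` to `http://wordpress.org`, so whatever answers that plain-HTTP request ends up deployed as the site's PHP code. Default to an `https://` URL and verify a pinned digest between download and extraction; the sketch below assumes a new `$install_sha256` parameter, which this hunk does not have. Separately, the `concat` resource writes wp-config.php, which holds `DB_PASSWORD`, with `mode => '0755'`; `mode => '0640'` with a group the web server belongs to would keep it unreadable to other local users.

```puppet
  # … unchanged: "Download wordpress …" exec …
  -> exec { "Verify wordpress ${install_dir}/${install_file_name}":
    # $install_sha256 is a proposed new parameter carrying the pinned digest;
    # validate it as 64 hex characters before it is interpolated here.
    command  => "echo '${install_sha256}  ${install_file_name}' | sha256sum -c -",
    provider => shell,
    creates  => "${install_dir}/index.php",
    user     => $wp_owner,
    group    => $wp_group,
  }
  # … unchanged: "Extract wordpress …" and "Change ownership …" execs, chained after the verify step …
```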
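Review bot: `mysql_grant` gives the application account `privileges => ['ALL']` on `${db_name}.*`, which is more than a WordPress runtime account normally needs and widens what a compromised site can do to its own database. A narrower list such as `privileges => ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'CREATE', 'ALTER', 'DROP', 'INDEX'],` should be enough, though that set is my assumption and worth confirming against the plugins in use. The account is also named `${db_user}@${db_host}`, which uses the database server's address as the MySQL host part; that host part normally names where the client connects from, so with a remote `db_host` the web server would probably not match the account.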
@@ -0,0 +1,61 @@ +{ + "name": "hunner-wordpress", + "version": "1.0.0", + "author": "Hunter Haugen", + "summary": "Puppet module to set up an instance of wordpress; and optionally a mysql db/user.", + "license": "Apache-2.0", + "source": "https://github.com/hunner/puppet-wordpress", + "dependencies": [ +// {"name":"puppetlabs/concat", "version_requirement":">= 1.0.0"}, +// {"name":"puppetlabs/mysql", "version_requirement":">= 2.1.0"}, +// {"name":"puppetlabs/stdlib", "version_requirement":">= 2.3.1"} + ], + "operatingsystem_support": [ + { + "operatingsystem": "CentOS", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "OracleLinux", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "RedHat", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "Scientific", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "Debian", + "operatingsystemrelease": [ + "8" + ] + }, + { + "operatingsystem": "Ubuntu", + "operatingsystemrelease": [ + "16.04" + ] + } + ], + "requirements": [ + { + "name": "puppet", + "version_requirement": ">= 4.7.0 < 6.0.0" + } + ], + "pdk-version": "1.4.1", + "template-url": "https://github.com/puppetlabs/pdk-templates", + "template-ref": "1.4.1-0-g52adbbb" +} + diff --git a/modules/vulnerabilities/unix/webapp/wordpress/secgen_metadata.xml b/modules/vulnerabilities/unix/webapp/wordpress/secgen_metadata.xml new file mode 100644 index 000000000..f1462a6c1 --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/secgen_metadata.xml @@ -0,0 +1,61 @@ + + + + wordpress + Thomas Shaw + MIT + wordpress + + webapp + info_leak + remote + linux + + port + dbname + dbhost + dbuser + dbpass + + + 80 + + + + userspice + + + + localhost + + + + userspice + + + + + + + https://www.exploit-db.com/exploits/44101/ + The authors of this website forgot to sanitise their database inputs! + + + Wheezy + + + + .*/handy_cli_tools + + + + .*/apache_kali.* + + + + .*/mysql + + + 
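Review bot: The three `dependencies` entries are commented out with `//`, which JSON does not allow, so metadata.json no longer parses and any tool that reads it (the `metadata_lint` check configured in appveyor.yml in this commit, for one) would reject the file. The manifests still rely on those modules: `concat` and `concat::fragment`, `mysql_user`/`mysql_grant`, and `validate_string`/`validate_bool`. Either restore the entries or, if this repository resolves module dependencies some other way, leave `"dependencies": []` and record the required modules in the README.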
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/acceptance/nodesets/centos-6-vcloud.yml b/modules/vulnerabilities/unix/webapp/wordpress/spec/acceptance/nodesets/centos-6-vcloud.yml
new file mode 100644
index 000000000..ca9c1d329
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/acceptance/nodesets/centos-6-vcloud.yml
@@ -0,0 +1,15 @@
+HOSTS:
+ 'centos-6-vcloud':
+ roles:
+ - master
+ platform: el-6-x86_64
+ hypervisor: vcloud
+ template: centos-6-x86_64
+CONFIG:
+ type: foss
+ ssh:
+ keys: "~/.ssh/id_rsa-acceptance"
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/acceptance/wordpress_spec.rb b/modules/vulnerabilities/unix/webapp/wordpress/spec/acceptance/wordpress_spec.rb
new file mode 100644
index 000000000..3d151a257
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/acceptance/wordpress_spec.rb
@@ -0,0 +1,102 @@ +require 'spec_helper_acceptance' + +describe "setting up a wordpress instance" do + it 'deploys a wordpress instance' do + pp = %{ + class { 'apache': + mpm_module => 'prefork', + } + class { 'apache::mod::php': } + class { 'mysql::server': } + class { 'mysql::bindings': php_enable => true, } + host { 'wordpress.localdomain': ip => '127.0.0.1', } + + apache::vhost { 'wordpress.localdomain': + docroot => '/opt/wordpress', + port => '80', + } + + class { 'wordpress': + install_dir => '/opt/wordpress/blog', + require => Class['mysql::server'], + } + } + + expect(apply_manifest(pp, :catch_failures => true).stderr).to eq("") + expect(apply_manifest(pp, :catch_changes => true).stderr).to eq("") + + expect(shell("/usr/bin/curl wordpress.localdomain:80/blog/wp-admin/install.php").stdout).to match(/Install WordPress/) + end + + it 'deploys two wordpress instances' do + pp = %{ + class { 'apache': + mpm_module => 'prefork', + } + class { 'apache::mod::php': } + class { 'mysql::server': } + class { 'mysql::bindings': php_enable => true, } + host { 'wordpress1.localdomain': ip => '127.0.0.1', } + host { 'wordpress2.localdomain': ip => '127.0.0.1', } + + apache::vhost { 'wordpress1.localdomain': + docroot => '/opt/wordpress1', + port => '80', + } + apache::vhost { 'wordpress2.localdomain': + docroot => '/opt/wordpress2', + port => '80', + } + + wordpress::instance { '/opt/wordpress1/blog': + db_name => 'wordpress1', + db_user => 'wordpress1', + require => Class['mysql::server'], + } + wordpress::instance { '/opt/wordpress2/blog': + db_name => 'wordpress2', + db_user => 'wordpress2', + require => Class['mysql::server'], + } + } + + expect(apply_manifest(pp, :catch_failures => true).stderr).to eq("") + expect(apply_manifest(pp, :catch_changes => true).stderr).to eq("") + + expect(shell("/usr/bin/curl wordpress1.localdomain:80/blog/wp-admin/install.php").stdout).to match(/Install WordPress/) + expect(shell("/usr/bin/curl 
wordpress2.localdomain:80/blog/wp-admin/install.php").stdout).to match(/Install WordPress/) + end + + it 'deploys a wordpress instance as the httpd user with a secure DB password and a specific location' do + pp = %{ + class { 'apache': + mpm_module => 'prefork', + } + class { 'apache::mod::php': } + class { 'mysql::server': } + class { 'mysql::bindings::php': } + + apache::vhost { 'wordpress.localdomain': + docroot => '/var/www/wordpress', + port => '80', + } + + class { 'wordpress': + install_dir => '/var/www/wordpress/blog', + wp_owner => $apache::user, + wp_group => $apache::group, + db_name => 'wordpress', + db_host => 'localhost', + db_user => 'wordpress', + db_password => 'hvyH(S%t(\"0\"16', + } + } + + pending + end + + it 'deploys a wordpress instance with a remote DB' + it 'deploys a wordpress instance with a pre-existing DB' + it 'deploys a wordpress instance of a specific version' + it 'deploys a wordpress instance from an internal server' +end diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/classes/wordpress_spec.rb b/modules/vulnerabilities/unix/webapp/wordpress/spec/classes/wordpress_spec.rb new file mode 100644 index 000000000..2ca2b6843 --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/classes/wordpress_spec.rb 
@@ -0,0 +1,36 @@
+require 'spec_helper'
+
+describe 'wordpress', :type => :class do
+ context "on a RedHat 5 OS" do
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :lsbmajdistrelease => '5',
+ :concat_basedir => '/dne',
+ }
+ end
+ it { should contain_wordpress__instance__app("/opt/wordpress") }
+ it { should contain_wordpress__instance__db("localhost/wordpress") }
+ end
+ context "on a RedHat 6 OS" do
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :lsbmajdistrelease => '6',
+ :concat_basedir => '/dne',
+ }
+ end
+ it { should contain_wordpress__instance__app("/opt/wordpress") }
+ it { should contain_wordpress__instance__db("localhost/wordpress") }
+ end
+ context "on a Debian OS" do
+ let :facts do
+ {
+ :osfamily => 'Debian',
+ :concat_basedir => '/dne',
+ }
+ end
+ it { should contain_wordpress__instance__app("/opt/wordpress") }
+ it { should contain_wordpress__instance__db("localhost/wordpress") }
+ end
+end
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/default_facts.yml b/modules/vulnerabilities/unix/webapp/wordpress/spec/default_facts.yml
new file mode 100644
index 000000000..3248be5aa
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/default_facts.yml
@@ -0,0 +1,8 @@
+# Use default_module_facts.yml for module specific facts.
+#
+# Facts specified here will override the values provided by rspec-puppet-facts.
+---
+concat_basedir: "/tmp"
+ipaddress: "172.16.254.254"
+is_pe: false
+macaddress: "AA:AA:AA:AA:AA:AA"
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/defines/wordpress_spec.rb b/modules/vulnerabilities/unix/webapp/wordpress/spec/defines/wordpress_spec.rb
new file mode 100644
index 000000000..794f1cf4f
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/defines/wordpress_spec.rb
@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+describe 'wordpress::instance', :type => :define do
+ let :title do
+ '/opt/wordpress2'
+ end
+ let :params do
+ {
+ :db_user => 'test',
+ :db_name => 'test'
+ }
+ end
+ context "on a RedHat 5 OS" do
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :lsbmajdistrelease => '5',
+ :concat_basedir => '/dne',
+ }
+ end
+ it { should contain_wordpress__instance__app("/opt/wordpress2") }
+ it { should contain_wordpress__instance__db("localhost/test") }
+ end
+ context "on a RedHat 6 OS" do
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :lsbmajdistrelease => '6',
+ :concat_basedir => '/dne',
+ }
+ end
+ it { should contain_wordpress__instance__app("/opt/wordpress2") }
+ it { should contain_wordpress__instance__db("localhost/test") }
+ end
+ context "on a Debian OS" do
+ let :facts do
+ {
+ :osfamily => 'Debian',
+ :concat_basedir => '/dne',
+ }
+ end
+ it { should contain_wordpress__instance__app("/opt/wordpress2") }
+ it { should contain_wordpress__instance__db("localhost/test") }
+ end
+end
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/spec.opts b/modules/vulnerabilities/unix/webapp/wordpress/spec/spec.opts
new file mode 100644
index 000000000..de653df4b
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/spec.opts
@@ -0,0 +1,4 @@
+--format s
+--colour
+--loadby mtime
+--backtrace
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/spec_helper.rb b/modules/vulnerabilities/unix/webapp/wordpress/spec/spec_helper.rb
new file mode 100644
index 000000000..efd225b54
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/spec_helper.rb
@@ -0,0 +1,30 @@
+require 'puppetlabs_spec_helper/module_spec_helper'
+require 'rspec-puppet-facts'
+
+begin
+ require 'spec_helper_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_local.rb'))
+rescue LoadError => loaderror
+ warn "Could not require spec_helper_local: #{loaderror.message}"
+end
+
+include RspecPuppetFacts
+
+default_facts = {
+ puppetversion: Puppet.version,
+ facterversion: Facter.version,
+}
+
+default_facts_path = File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml'))
+default_module_facts_path = File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml'))
+
+if File.exist?(default_facts_path) && File.readable?(default_facts_path)
+ default_facts.merge!(YAML.safe_load(File.read(default_facts_path)))
+end
+
+if File.exist?(default_module_facts_path) && File.readable?(default_module_facts_path)
+ default_facts.merge!(YAML.safe_load(File.read(default_module_facts_path)))
+end
+
+RSpec.configure do |c|
+ c.default_facts = default_facts
+end
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/spec_helper_acceptance.rb b/modules/vulnerabilities/unix/webapp/wordpress/spec/spec_helper_acceptance.rb
new file mode 100644
index 000000000..b0f000afc
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/spec_helper_acceptance.rb
@@ -0,0 +1,35 @@
+require 'beaker-rspec/spec_helper'
+require 'beaker-rspec/helpers/serverspec'
+
+unless ENV['RS_PROVISION'] == 'no' or ENV['BEAKER_provision'] == 'no'
+ if hosts.first.is_pe?
+ install_pe
+ else
+ install_puppet({ :version => '3.6.2',
+ :facter_version => '2.1.0',
+ :hiera_version => '1.3.4',
+ :default_action => 'gem_install' })
+ hosts.each {|h| on h, "/bin/echo '' > #{h['hieraconf']}" }
+ end
+ hosts.each do |host|
+ on host, "mkdir -p #{host['distmoduledir']}"
+ on host, puppet('module','install','puppetlabs-stdlib'), :acceptable_exit_codes => [0,1]
+ on host, puppet('module','install','puppetlabs-concat'), :acceptable_exit_codes => [0,1]
+ on host, puppet('module','install','puppetlabs-mysql' ), :acceptable_exit_codes => [0,1]
+ on host, puppet('module','install','puppetlabs-apache'), :acceptable_exit_codes => [0,1]
+ end
+end
+
+RSpec.configure do |c|
+ # Project root
+ proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+
+ # Readable test descriptions
+ c.formatter = :documentation
+
+ # Configure all nodes in nodeset
+ c.before :suite do
+ # Install module and dependencies
+ puppet_module_install(:source => proj_root, :module_name => 'wordpress')
+ end
+end
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/templates/wp-config.php.erb b/modules/vulnerabilities/unix/webapp/wordpress/templates/wp-config.php.erb
new file mode 100644
index 000000000..f29611e64
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/templates/wp-config.php.erb
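Review bot: `install_puppet` pins `:version => '3.6.2'`, while metadata.json in this commit declares `puppet >= 4.7.0 < 6.0.0`, so the acceptance suite would exercise the module on a Puppet release it says it does not support. The difference is not cosmetic: on Puppet 4 and later an empty string is truthy, so guards in instance/app.pp such as `if $wp_multisite and ! $wp_site_domain` no longer fire for the default `''`, and a run on 3.6.2 would not show that. Take the version from the environment or raise the pin into the supported range, and consider dropping `1` from `:acceptable_exit_codes => [0,1]` so a failed dependency install is not silently accepted.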
@@ -0,0 +1,114 @@ +/** + * The base configurations of the WordPress. + * + * This file has the following configurations: MySQL settings, Table Prefix, + * Secret Keys, WordPress Language, and ABSPATH. You can find more information + * by visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing + * wp-config.php} Codex page. You can get the MySQL settings from your web host. + * + * This file is used by the wp-config.php creation script during the + * installation. You don't have to use the web site, you can just copy this file + * to "wp-config.php" and fill in the values. + * + * @package WordPress + */ + +// ** MySQL settings - You can get this info from your web host ** // +/** The name of the database for WordPress */ +define('DB_NAME', '<%= @db_name %>'); + +/** MySQL database username */ +define('DB_USER', '<%= @db_user %>'); + +/** MySQL database password */ +define('DB_PASSWORD', '<%= @db_password %>'); + +/** MySQL hostname */ +define('DB_HOST', '<%= @db_host %>'); + +/** Database Charset to use in creating database tables. */ +define('DB_CHARSET', 'utf8'); + +/** The Database Collate type. Don't change this if in doubt. */ +define('DB_COLLATE', ''); + +/** + * WordPress Database Table prefix. + * + * You can have multiple installations in one database if you give each a unique + * prefix. Only numbers, letters, and underscores please! + */ +$table_prefix = '<%= @wp_table_prefix %>'; + +/** + * WordPress Localized Language, defaults to English. + * + * Change this to localize WordPress. A corresponding MO file for the chosen + * language must be installed to wp-content/languages. For example, install + * de_DE.mo to wp-content/languages and set WPLANG to 'de_DE' to enable German + * language support. + */ + +define('WPLANG', '<%= @wp_lang %>'); + +/** + * For developers: WordPress debugging mode. + * + * Change this to true to enable the display of notices during development. 
+ * It is strongly recommended that plugin and theme developers use WP_DEBUG + * in their development environments. + * + * WP_DEBUG_LOG is a companion to WP_DEBUG that causes all errors to also be + * saved to a debug.log log file inside the /wp-content/ directory. This is + * useful if you want to review all notices later or need to view notices + * generated off-screen (e.g. during an AJAX request or wp-cron run). + * + * WP_DEBUG_DISPLAY is another companion to WP_DEBUG that controls whether + * debug messages are shown inside the HTML of pages or not. The default + * is 'true' which shows errors and warnings as they are generated. Setting + * this to false will hide all errors. This should be used in conjunction with + * WP_DEBUG_LOG so that errors can be reviewed later. + */ +define('WP_DEBUG', <%= @wp_debug %>); +define('WP_DEBUG_LOG', <%= @wp_debug_log %>); +define('WP_DEBUG_DISPLAY', <%= @wp_debug_display %>); + +<% if @wp_plugin_dir != 'DEFAULT' %> +define('WP_PLUGIN_DIR', '<%= @wp_plugin_dir %>'); +<% end %> + +<% if @wp_proxy_host and ! @wp_proxy_host.empty? %> +/* Proxy Settings */ +define('WP_PROXY_HOST', '<%= @wp_proxy_host %>'); +<% if @wp_proxy_port and ! @wp_proxy_port.empty? %> +define('WP_PROXY_PORT', '<%= @wp_proxy_port %>'); +<% end %> +<% end %> + +<% if @wp_site_url %> +define('WP_SITEURL', '<%= @wp_site_url %>'); +<% end %> + +<% if @wp_multisite %> +/* Multisite */ +define('WP_ALLOW_MULTISITE', true); +define('MULTISITE', true); +define('SUBDOMAIN_INSTALL', true); +define('DOMAIN_CURRENT_SITE', '<%= @wp_site_domain %>'); +define('PATH_CURRENT_SITE', '/'); +define('SITE_ID_CURRENT_SITE', 1); +define('BLOG_ID_CURRENT_SITE', 1); +<% end %> + +<% if @wp_additional_config != 'DEFAULT' -%> +<%= scope.function_template([@wp_additional_config]) %> +<% end -%> +/* That's all, stop editing! Happy blogging. */ + +/** Absolute path to the WordPress directory. */ +if ( !defined('ABSPATH') ) + define('ABSPATH', dirname(__FILE__) . 
'/'); + +/** Sets up WordPress vars and included files. */ +require_once(ABSPATH . 'wp-settings.php'); + diff --git a/modules/vulnerabilities/unix/webapp/wordpress/templates/wp-keysalts.php.erb b/modules/vulnerabilities/unix/webapp/wordpress/templates/wp-keysalts.php.erb new file mode 100644 index 000000000..9f6a4c6dd --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/templates/wp-keysalts.php.erb @@ -0,0 +1,21 @@ +'); +define('SECURE_AUTH_KEY', '<%= (1..50).map{(rand(86)+40).chr}.join.gsub(/\\/,'\&\&') %>'); +define('LOGGED_IN_KEY', '<%= (1..50).map{(rand(86)+40).chr}.join.gsub(/\\/,'\&\&') %>'); +define('NONCE_KEY', '<%= (1..50).map{(rand(86)+40).chr}.join.gsub(/\\/,'\&\&') %>'); +define('AUTH_SALT', '<%= (1..50).map{(rand(86)+40).chr}.join.gsub(/\\/,'\&\&') %>'); +define('SECURE_AUTH_SALT', '<%= (1..50).map{(rand(86)+40).chr}.join.gsub(/\\/,'\&\&') %>'); +define('LOGGED_IN_SALT', '<%= (1..50).map{(rand(86)+40).chr}.join.gsub(/\\/,'\&\&') %>'); +define('NONCE_SALT', '<%= (1..50).map{(rand(86)+40).chr}.join.gsub(/\\/,'\&\&') %>'); + +/**#@-*/ + diff --git a/modules/vulnerabilities/unix/webapp/wordpress/tests/init.pp b/modules/vulnerabilities/unix/webapp/wordpress/tests/init.pp new file mode 100644 index 000000000..4d39bb34f --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/tests/init.pp @@ -0,0 +1,7 @@ +class { 'wordpress': + install_dir => '/var/www/wordpress', + db_name => 'wordpress', + db_host => 'localhost', + db_user => 'wordpress', + db_password => 'insecure password', +} diff --git a/modules/vulnerabilities/unix/webapp/wordpress/wordpress.pp b/modules/vulnerabilities/unix/webapp/wordpress/wordpress.pp new file mode 100644 index 000000000..c483c0d0f --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/wordpress/wordpress.pp 
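Review bot: Every string parameter is written into a single-quoted PHP literal unescaped, e.g. `define('DB_PASSWORD', '<%= @db_password %>');`, so a value containing `'` ends the literal early and leaves wp-config.php malformed or meaning something other than intended. The key/salt template in this commit already doubles backslashes in its generated values; do the equivalent here for both characters, e.g. `define('DB_PASSWORD', '<%= @db_password.gsub(/[\\']/) { |c| "\\#{c}" } %>');`. The same applies to `db_name`, `db_user`, `db_host`, `wp_table_prefix`, `wp_lang`, `wp_plugin_dir`, the proxy settings, `wp_site_url` and `wp_site_domain`.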
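Review bot: The keys and salts are built from `rand(86)`, Ruby's default non-cryptographic generator, so the secrets WordPress uses for its auth cookies and nonces are not drawn from a CSPRNG. Use `SecureRandom` instead: put `<% require 'securerandom' -%>` at the top of the template and write `(SecureRandom.random_number(86)+40).chr` in each `define` line. The first line of this hunk looks truncated in the text I can see, so I am assuming the `AUTH_KEY` line follows the same pattern as the seven that are visible.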
@@ -0,0 +1,16 @@
+class { 'apache':
+ mpm_module => 'prefork',
+}
+
+class { 'apache::mod::php': }
+class { 'mysql::server': }
+class { 'mysql::bindings': php_enable => true, }
+
+apache::vhost { 'wordpress':
+ docroot => '/opt/wordpress',
+ port => '80',
+}
+
+class { 'wordpress':
+ # version => '3.4',
+}
\ No newline at end of file
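Review bot: `class { 'wordpress': }` is declared with every parameter left at its default, so the inputs that secgen_metadata.xml appears to define for this module (port, dbname, dbhost, dbuser, dbpass) are never read here. The instance would come up with the `wordpress` database and user names and `db_password => 'password'`, not the `userspice` values listed in the metadata, which look carried over from another module. If those inputs are meant to drive the build, pass them through to `db_name`, `db_host`, `db_user`, `db_password` and the vhost `port`; if not, remove them from the metadata so the two files agree. I am inferring the metadata's structure from its text alone, since its markup is not visible in this rendering.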