inviqa / chef-config-driven-helper Goto Github PK

Pipeline servers are often locked down behind HTTP auth. As it stands this requires hacks to implement without copying the template.

Add the ability to enable basic auth to the default location block

Internal recipes iterate node[type]['sites'] where type is either nginx or apache.

Defaults are set on these attrs but are not available to the app_vhost definition separately.

Therefore, given a site definition in node['nginx']['sites] and a site definition from a cookbook using app_vhost directly, app_vhost will fail unless all parameters are provided whereas the attr version will work.

The defaults need refactoring (again) to internalize them in to app_vhost. In order to facilitate introspection of the sites attrs, perhaps we should do this in addition to what is there already.

This means that a little bit of redundant logic will occur when using the built in recipes but that resulting behavior should be consistent.

At present the only way to grant perms is with the database_name parameter to the mysql_database_user provider.

This parameter does not support multiple values, therefore it is only possible to grant a user access to one database.

This either needs expanding to support multiple database names or an additional grants section of the config needs creating. This can map on to the mysql_database_user provider with action :grant

Due to the way we send template variables to the web_app resource, the top level keys get converted to symbols for use in the template. However, the nested keys remain as strings.

In order to resolve I believe we need to stop using the apache2 web_app definition and create our own where variables can directly be passed through to the template with no key mangling.

At the moment it is not possible to augment or cuztomize the / location block for nginx.

Add an option to disable the default location block.

the existing restricted_dirs configuration uses Nginx locations and Apache Directories, which doesn't support restricting files as well.

A restricted_urls option should be added to use Nginx location blocks and Apache Location blocks.

Config-driven helper is doing too much and should not be responsible for deployment security.