From: Tim Meusel Date: Mon, 18 Sep 2017 13:23:36 +0000 (+0200) Subject: initial commit X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=2d355a4c1baadc761d6b12645d0274da8866f722;p=puppet-ferm.git initial commit --- 2d355a4c1baadc761d6b12645d0274da8866f722 diff --git a/.fixtures.yml b/.fixtures.yml new file mode 100644 index 0000000..f2243e6 --- /dev/null +++ b/.fixtures.yml @@ -0,0 +1,5 @@ +--- +fixtures: + repositories: + stdlib: 'https://github.com/puppetlabs/puppetlabs-stdlib' + concat: 'https://github.com/puppetlabs/puppetlabs-concat' diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e9b3cf4 --- /dev/null +++ b/.gitignore @@ -0,0 +1,20 @@ +pkg/ +Gemfile.lock +Gemfile.local +vendor/ +.vendor/ +spec/fixtures/manifests/ +spec/fixtures/modules/ +.vagrant/ +.bundle/ +.ruby-version +coverage/ +log/ +.idea/ +.dependencies/ +.librarian/ +Puppetfile.lock +*.iml +.*.sw? +.yardoc/ +Guardfile diff --git a/.msync.yml b/.msync.yml new file mode 100644 index 0000000..4df90fb --- /dev/null +++ b/.msync.yml @@ -0,0 +1 @@ +modulesync_config_version: '1.8.0' diff --git a/.overcommit.yml b/.overcommit.yml new file mode 100644 index 0000000..31699e7 --- /dev/null +++ b/.overcommit.yml @@ -0,0 +1,63 @@ +# Managed by https://github.com/voxpupuli/modulesync_configs +# +# Hooks are only enabled if you take action. +# +# To enable the hooks run: +# +# ``` +# bundle exec overcommit --install +# # ensure .overcommit.yml does not harm to you and then +# bundle exec overcommit --sign +# ``` +# +# (it will manage the .git/hooks directory): +# +# Examples howto skip a test for a commit or push: +# +# ``` +# SKIP=RuboCop git commit +# SKIP=PuppetLint git commit +# SKIP=RakeTask git push +# ``` +# +# Don't invoke overcommit at all: +# +# ``` +# OVERCOMMIT_DISABLE=1 git commit +# ``` +# +# Read more about overcommit: https://github.com/brigade/overcommit +# +# To manage this config yourself in your module add +# +# ``` +# .overcommit.yml: +# unmanaged: true +# ``` +# +# to your modules .sync.yml config +--- +PreCommit: + RuboCop: + enabled: true + description: 'Runs rubocop on modified files only' + command: ['bundle', 'exec', 'rubocop'] + PuppetLint: + enabled: true + description: 'Runs puppet-lint on modified files only' + command: ['bundle', 'exec', 'puppet-lint'] + YamlSyntax: + enabled: true + JsonSyntax: + enabled: true + TrailingWhitespace: + enabled: true + +PrePush: + RakeTarget: + enabled: true + description: 'Run rake targets' + targets: + - 'test' + - 'rubocop' + command: [ 'bundle', 'exec', 'rake' ] diff --git a/.pmtignore b/.pmtignore new file mode 100644 index 0000000..fb58957 --- /dev/null +++ b/.pmtignore @@ -0,0 +1,20 @@ +docs/ +pkg/ +Gemfile.lock +Gemfile.local +vendor/ +.vendor/ +spec/fixtures/manifests/ +spec/fixtures/modules/ +.vagrant/ +.bundle/ +.ruby-version +coverage/ +log/ +.idea/ +.dependencies/ +.librarian/ +Puppetfile.lock +*.iml +.*.sw? +.yardoc/ diff --git a/.rspec b/.rspec new file mode 100644 index 0000000..8c18f1a --- /dev/null +++ b/.rspec @@ -0,0 +1,2 @@ +--format documentation +--color diff --git a/.rspec_parallel b/.rspec_parallel new file mode 100644 index 0000000..e4d136b --- /dev/null +++ b/.rspec_parallel @@ -0,0 +1 @@ +--format progress diff --git a/.rubocop.yml b/.rubocop.yml new file mode 100644 index 0000000..099a11c --- /dev/null +++ b/.rubocop.yml @@ -0,0 +1,545 @@ +require: rubocop-rspec +AllCops: + TargetRubyVersion: 1.9 + Include: + - ./**/*.rb + Exclude: + - files/**/* + - vendor/**/* + - .vendor/**/* + - pkg/**/* + - spec/fixtures/**/* + - Gemfile + - Rakefile + - Guardfile + - Vagrantfile +Lint/ConditionPosition: + Enabled: True + +Lint/ElseLayout: + Enabled: True + +Lint/UnreachableCode: + Enabled: True + +Lint/UselessComparison: + Enabled: True + +Lint/EnsureReturn: + Enabled: True + +Lint/HandleExceptions: + Enabled: True + +Lint/LiteralInCondition: + Enabled: True + +Lint/ShadowingOuterLocalVariable: + Enabled: True + +Lint/LiteralInInterpolation: + Enabled: True + +Style/HashSyntax: + Enabled: True + +Style/RedundantReturn: + Enabled: True + +Layout/EndOfLine: + Enabled: False + +Lint/AmbiguousOperator: + Enabled: True + +Lint/AssignmentInCondition: + Enabled: True + +Layout/SpaceBeforeComment: + Enabled: True + +Style/AndOr: + Enabled: True + +Style/RedundantSelf: + Enabled: True + +Metrics/BlockLength: + Enabled: False + +# Method length is not necessarily an indicator of code quality +Metrics/MethodLength: + Enabled: False + +# Module length is not necessarily an indicator of code quality +Metrics/ModuleLength: + Enabled: False + +Style/WhileUntilModifier: + Enabled: True + +Lint/AmbiguousRegexpLiteral: + Enabled: True + +Security/Eval: + Enabled: True + +Lint/BlockAlignment: + Enabled: True + +Lint/DefEndAlignment: + Enabled: True + +Lint/EndAlignment: + Enabled: True + +Lint/DeprecatedClassMethods: + Enabled: True + +Lint/Loop: + Enabled: True + +Lint/ParenthesesAsGroupedExpression: + Enabled: True + +Lint/RescueException: + Enabled: True + +Lint/StringConversionInInterpolation: + Enabled: True + +Lint/UnusedBlockArgument: + Enabled: True + +Lint/UnusedMethodArgument: + Enabled: True + +Lint/UselessAccessModifier: + Enabled: True + +Lint/UselessAssignment: + Enabled: True + +Lint/Void: + Enabled: True + +Layout/AccessModifierIndentation: + Enabled: True + +Style/AccessorMethodName: + Enabled: True + +Style/Alias: + Enabled: True + +Layout/AlignArray: + Enabled: True + +Layout/AlignHash: + Enabled: True + +Layout/AlignParameters: + Enabled: True + +Metrics/BlockNesting: + Enabled: True + +Style/AsciiComments: + Enabled: True + +Style/Attr: + Enabled: True + +Style/BracesAroundHashParameters: + Enabled: True + +Style/CaseEquality: + Enabled: True + +Layout/CaseIndentation: + Enabled: True + +Style/CharacterLiteral: + Enabled: True + +Style/ClassAndModuleCamelCase: + Enabled: True + +Style/ClassAndModuleChildren: + Enabled: False + +Style/ClassCheck: + Enabled: True + +# Class length is not necessarily an indicator of code quality +Metrics/ClassLength: + Enabled: False + +Style/ClassMethods: + Enabled: True + +Style/ClassVars: + Enabled: True + +Style/WhenThen: + Enabled: True + +Style/WordArray: + Enabled: True + +Style/UnneededPercentQ: + Enabled: True + +Layout/Tab: + Enabled: True + +Layout/SpaceBeforeSemicolon: + Enabled: True + +Layout/TrailingBlankLines: + Enabled: True + +Layout/SpaceInsideBlockBraces: + Enabled: True + +Layout/SpaceInsideBrackets: + Enabled: True + +Layout/SpaceInsideHashLiteralBraces: + Enabled: True + +Layout/SpaceInsideParens: + Enabled: True + +Layout/LeadingCommentSpace: + Enabled: True + +Layout/SpaceBeforeFirstArg: + Enabled: True + +Layout/SpaceAfterColon: + Enabled: True + +Layout/SpaceAfterComma: + Enabled: True + +Layout/SpaceAfterMethodName: + Enabled: True + +Layout/SpaceAfterNot: + Enabled: True + +Layout/SpaceAfterSemicolon: + Enabled: True + +Layout/SpaceAroundEqualsInParameterDefault: + Enabled: True + +Layout/SpaceAroundOperators: + Enabled: True + +Layout/SpaceBeforeBlockBraces: + Enabled: True + +Layout/SpaceBeforeComma: + Enabled: True + +Style/CollectionMethods: + Enabled: True + +Layout/CommentIndentation: + Enabled: True + +Style/ColonMethodCall: + Enabled: True + +Style/CommentAnnotation: + Enabled: True + +# 'Complexity' is very relative +Metrics/CyclomaticComplexity: + Enabled: False + +Style/ConstantName: + Enabled: True + +Style/Documentation: + Enabled: False + +Style/DefWithParentheses: + Enabled: True + +Style/PreferredHashMethods: + Enabled: True + +Layout/DotPosition: + EnforcedStyle: trailing + +Style/DoubleNegation: + Enabled: True + +Style/EachWithObject: + Enabled: True + +Layout/EmptyLineBetweenDefs: + Enabled: True + +Layout/IndentArray: + Enabled: True + +Layout/IndentHash: + Enabled: True + +Layout/IndentationConsistency: + Enabled: True + +Layout/IndentationWidth: + Enabled: True + +Layout/EmptyLines: + Enabled: True + +Layout/EmptyLinesAroundAccessModifier: + Enabled: True + +Style/EmptyLiteral: + Enabled: True + +# Configuration parameters: AllowURI, URISchemes. +Metrics/LineLength: + Enabled: False + +Style/MethodCallWithoutArgsParentheses: + Enabled: True + +Style/MethodDefParentheses: + Enabled: True + +Style/LineEndConcatenation: + Enabled: True + +Layout/TrailingWhitespace: + Enabled: True + +Style/StringLiterals: + Enabled: True + +Style/TrailingCommaInArguments: + Enabled: True + +Style/TrailingCommaInLiteral: + Enabled: True + +Style/GlobalVars: + Enabled: True + +Style/GuardClause: + Enabled: True + +Style/IfUnlessModifier: + Enabled: True + +Style/MultilineIfThen: + Enabled: True + +Style/NegatedIf: + Enabled: True + +Style/NegatedWhile: + Enabled: True + +Style/Next: + Enabled: True + +Style/SingleLineBlockParams: + Enabled: True + +Style/SingleLineMethods: + Enabled: True + +Style/SpecialGlobalVars: + Enabled: True + +Style/TrivialAccessors: + Enabled: True + +Style/UnlessElse: + Enabled: True + +Style/VariableInterpolation: + Enabled: True + +Style/VariableName: + Enabled: True + +Style/WhileUntilDo: + Enabled: True + +Style/EvenOdd: + Enabled: True + +Style/FileName: + Enabled: True + +Style/For: + Enabled: True + +Style/Lambda: + Enabled: True + +Style/MethodName: + Enabled: True + +Style/MultilineTernaryOperator: + Enabled: True + +Style/NestedTernaryOperator: + Enabled: True + +Style/NilComparison: + Enabled: True + +Style/FormatString: + Enabled: True + +Style/MultilineBlockChain: + Enabled: True + +Style/Semicolon: + Enabled: True + +Style/SignalException: + Enabled: True + +Style/NonNilCheck: + Enabled: True + +Style/Not: + Enabled: True + +Style/NumericLiterals: + Enabled: True + +Style/OneLineConditional: + Enabled: True + +Style/OpMethod: + Enabled: True + +Style/ParenthesesAroundCondition: + Enabled: True + +Style/PercentLiteralDelimiters: + Enabled: True + +Style/PerlBackrefs: + Enabled: True + +Style/PredicateName: + Enabled: True + +Style/RedundantException: + Enabled: True + +Style/SelfAssignment: + Enabled: True + +Style/Proc: + Enabled: True + +Style/RaiseArgs: + Enabled: True + +Style/RedundantBegin: + Enabled: True + +Style/RescueModifier: + Enabled: True + +# based on https://github.com/voxpupuli/modulesync_config/issues/168 +Style/RegexpLiteral: + EnforcedStyle: percent_r + Enabled: True + +Lint/UnderscorePrefixedVariableName: + Enabled: True + +Metrics/ParameterLists: + Enabled: False + +Lint/RequireParentheses: + Enabled: True + +Style/ModuleFunction: + Enabled: True + +Lint/Debugger: + Enabled: True + +Style/IfWithSemicolon: + Enabled: True + +Style/Encoding: + Enabled: True + +Style/BlockDelimiters: + Enabled: True + +Layout/MultilineBlockLayout: + Enabled: True + +# 'Complexity' is very relative +Metrics/AbcSize: + Enabled: False + +# 'Complexity' is very relative +Metrics/PerceivedComplexity: + Enabled: False + +Lint/UselessAssignment: + Enabled: True + +Layout/ClosingParenthesisIndentation: + Enabled: True + +# RSpec + +RSpec/BeforeAfterAll: + Exclude: + - spec/acceptance/**/* + +# We don't use rspec in this way +RSpec/DescribeClass: + Enabled: False + +# Example length is not necessarily an indicator of code quality +RSpec/ExampleLength: + Enabled: False + +RSpec/NamedSubject: + Enabled: False + +# disabled for now since they cause a lot of issues +# these issues aren't easy to fix +RSpec/RepeatedDescription: + Enabled: False + +RSpec/NestedGroups: + Enabled: False + +# this is broken on ruby1.9 +Layout/IndentHeredoc: + Enabled: False + +# disable Yaml safe_load. This is needed to support ruby2.0.0 development envs +Security/YAMLLoad: + Enabled: false + +# This affects hiera interpolation, as well as some configs that we push. +Style/FormatStringToken: + Enabled: false + +# This is useful, but sometimes a little too picky about where unit tests files +# are located. +RSpec/FilePath: + Enabled: false diff --git a/.sync.yml b/.sync.yml new file mode 100644 index 0000000..bdf750e --- /dev/null +++ b/.sync.yml @@ -0,0 +1,4 @@ +--- +.travis.yml: + secure: "J7AG0AHVdEVql4c7cwJZCjbXFp5tehPnlS3REkUKu9s3Px+XRb+073W7hM2alfxB5Qo3mqyMdgyjIRMQyXXqfb54QmDG6Y1XfRIcNK/C6TL9JscC7rXN1gXJhrdZiQOtfXa3HFcWJkbsQrjnPbQ5y+ +b5VdkzIthLkIa4IpQEYSQC5i88nDixF8dgApLGgC0CcmS+14iXZgJ2T89A7QiSbvhnIsszaIQucw91/Kled9mUT2cJlFrMXLfd3hycR/ftLJeBe6MvnlaflSqEWfz9UA7EW63JX13hhyNNaf26JsFyG7P7UiH6+dBGXX3xLPKeq032VysZzbmA1GFZYiGk0obAtqMlrfbcpsLceyg1FCku2/lv/6P9dkfjN0N0z7pgL0lGjjhN3lNwU997fIXq/tt3dxbXKFV2Ok16p/55VjV5i2U79bNTn6oZpqLzB6ZEc9WOb3DvBsLP5ooThSVtrZecTFZbjRFAT/Vd0nd/qIzdxEoaVVaSPOpaZf6v1Ojy3RMzSSOUdweDBNh0B+9p0tVDpiLhRYpAFbw1JH2X0dlPqtrKS+BNU8xwktfK5KGpvvfXdU+pWUKxP1MnzrmX5jDX3dIh7pkGRvaKSD5RTmufCVaR0neEBV3VERPPYLDKueGc3BgWtVqaEyZwuM5AMJJuWKkTIQsUPsXKbIqyP5c=" diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..2369a17 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,49 @@ +--- +sudo: false +dist: trusty +language: ruby +cache: bundler +before_install: + - rm -f Gemfile.lock +script: + - 'bundle exec rake $CHECK' +matrix: + fast_finish: true + include: + - rvm: 2.1.9 + bundler_args: --without system_tests development release + env: PUPPET_VERSION="~> 4.0" CHECK=test PARALLEL_TEST_PROCESSORS=12 + - rvm: 2.4.3 + bundler_args: --without system_tests development release + env: PUPPET_VERSION="~> 5.0" CHECK=test_with_coveralls + - rvm: 2.5.0 + bundler_args: --without system_tests development release + env: PUPPET_VERSION="~> 5.0" CHECK=test_with_coveralls + - rvm: 2.4.3 + bundler_args: --without system_tests development release + env: PUPPET_VERSION="~> 5.0" CHECK=rubocop + - rvm: 2.4.3 + bundler_args: --without system_tests development release + env: PUPPET_VERSION="~> 5.0" CHECK=build DEPLOY_TO_FORGE=yes +branches: + only: + - master + - /^v\d/ +notifications: + email: false + irc: + on_success: always + on_failure: always + channels: + - "chat.freenode.org#voxpupuli-notifications" +deploy: + provider: puppetforge + user: puppet + password: + secure: "J7AG0AHVdEVql4c7cwJZCjbXFp5tehPnlS3REkUKu9s3Px+XRb+073W7hM2alfxB5Qo3mqyMdgyjIRMQyXXqfb54QmDG6Y1XfRIcNK/C6TL9JscC7rXN1gXJhrdZiQOtfXa3HFcWJkbsQrjnPbQ5y+b5VdkzIthLkIa4IpQEYSQC5i88nDixF8dgApLGgC0CcmS+14iXZgJ2T89A7QiSbvhnIsszaIQucw91/Kled9mUT2cJlFrMXLfd3hycR/ftLJeBe6MvnlaflSqEWfz9UA7EW63JX13hhyNNaf26JsFyG7P7UiH6+dBGXX3xLPKeq032VysZzbmA1GFZYiGk0obAtqMlrfbcpsLceyg1FCku2/lv/6P9dkfjN0N0z7pgL0lGjjhN3lNwU997fIXq/tt3dxbXKFV2Ok16p/55VjV5i2U79bNTn6oZpqLzB6ZEc9WOb3DvBsLP5ooThSVtrZecTFZbjRFAT/Vd0nd/qIzdxEoaVVaSPOpaZf6v1Ojy3RMzSSOUdweDBNh0B+9p0tVDpiLhRYpAFbw1JH2X0dlPqtrKS+BNU8xwktfK5KGpvvfXdU+pWUKxP1MnzrmX5jDX3dIh7pkGRvaKSD5RTmufCVaR0neEBV3VERPPYLDKueGc3BgWtVqaEyZwuM5AMJJuWKkTIQsUPsXKbIqyP5c=" + on: + tags: true + # all_branches is required to use tags + all_branches: true + # Only publish the build marked with "DEPLOY_TO_FORGE" + condition: "$DEPLOY_TO_FORGE = yes" diff --git a/.yardopts b/.yardopts new file mode 100644 index 0000000..3687f51 --- /dev/null +++ b/.yardopts @@ -0,0 +1,2 @@ +--markup markdown +--output-dir docs/ diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..4ec65d5 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,29 @@ +# Changelog + +All notable changes to this project will be documented in this file. +Each new release typically also includes the latest modulesync defaults. +These should not affect the functionality of the module. + +## [v1.1.0](https://github.com/voxpupuli/puppet-ferm/tree/v1.1.0) (2018-02-26) + +[Full Changelog](https://github.com/voxpupuli/puppet-ferm/compare/v1.0.0...v1.1.0) + +**Implemented enhancements:** + +- use squeeze\(\) to remove duplicate whitespace [\#3](https://github.com/voxpupuli/puppet-ferm/pull/3) ([bastelfreak](https://github.com/bastelfreak)) + +**Merged pull requests:** + +- release 1.0.0 [\#2](https://github.com/voxpupuli/puppet-ferm/pull/2) ([bastelfreak](https://github.com/bastelfreak)) + +## [v1.0.0](https://github.com/voxpupuli/puppet-ferm/tree/v1.0.0) (2018-02-22) + +[Full Changelog](https://github.com/voxpupuli/puppet-ferm/compare/2c1be5b9f0413e27f0fceed71b1776a263356758...v1.0.0) + +**Merged pull requests:** + +- modulesync 1.8.0 [\#1](https://github.com/voxpupuli/puppet-ferm/pull/1) ([bastelfreak](https://github.com/bastelfreak)) + + + +\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file diff --git a/Gemfile b/Gemfile new file mode 100644 index 0000000..57fcafa --- /dev/null +++ b/Gemfile @@ -0,0 +1,77 @@ +source ENV['GEM_SOURCE'] || "https://rubygems.org" + +def location_for(place, fake_version = nil) + if place =~ /^(git[:@][^#]*)#(.*)/ + [fake_version, { :git => $1, :branch => $2, :require => false }].compact + elsif place =~ /^file:\/\/(.*)/ + ['>= 0', { :path => File.expand_path($1), :require => false }] + else + [place, { :require => false }] + end +end + +group :test do + gem 'puppetlabs_spec_helper', '~> 2.6.0', :require => false + gem 'rspec-puppet', '~> 2.5', :require => false + gem 'rspec-puppet-facts', :require => false + gem 'rspec-puppet-utils', :require => false + gem 'puppet-lint-leading_zero-check', :require => false + gem 'puppet-lint-trailing_comma-check', :require => false + gem 'puppet-lint-version_comparison-check', :require => false + gem 'puppet-lint-classes_and_types_beginning_with_digits-check', :require => false + gem 'puppet-lint-unquoted_string-check', :require => false + gem 'puppet-lint-variable_contains_upcase', :require => false + gem 'metadata-json-lint', :require => false + gem 'redcarpet', :require => false + gem 'rubocop', '~> 0.49.1', :require => false if RUBY_VERSION >= '2.3.0' + gem 'rubocop-rspec', '~> 1.15.0', :require => false if RUBY_VERSION >= '2.3.0' + gem 'mocha', '>= 1.2.1', :require => false + gem 'coveralls', :require => false + gem 'simplecov-console', :require => false + gem 'rack', '~> 1.0', :require => false if RUBY_VERSION < '2.2.2' + gem 'parallel_tests', :require => false +end + +group :development do + gem 'travis', :require => false + gem 'travis-lint', :require => false + gem 'guard-rake', :require => false + gem 'overcommit', '>= 0.39.1', :require => false +end + +group :system_tests do + gem 'winrm', :require => false + if beaker_version = ENV['BEAKER_VERSION'] + gem 'beaker', *location_for(beaker_version) + else + gem 'beaker', '>= 3.9.0', :require => false + end + if beaker_rspec_version = ENV['BEAKER_RSPEC_VERSION'] + gem 'beaker-rspec', *location_for(beaker_rspec_version) + else + gem 'beaker-rspec', :require => false + end + gem 'serverspec', :require => false + gem 'beaker-puppet_install_helper', :require => false + gem 'beaker-module_install_helper', :require => false +end + +group :release do + gem 'github_changelog_generator', :require => false, :git => 'https://github.com/skywinder/github-changelog-generator' if RUBY_VERSION >= '2.2.2' + gem 'puppet-blacksmith', :require => false + gem 'voxpupuli-release', :require => false, :git => 'https://github.com/voxpupuli/voxpupuli-release-gem' + gem 'puppet-strings', '~> 1.0', :require => false +end + + + +if facterversion = ENV['FACTER_GEM_VERSION'] + gem 'facter', facterversion.to_s, :require => false, :groups => [:test] +else + gem 'facter', :require => false, :groups => [:test] +end + +ENV['PUPPET_VERSION'].nil? ? puppetversion = '~> 5.0' : puppetversion = ENV['PUPPET_VERSION'].to_s +gem 'puppet', puppetversion, :require => false, :groups => [:test] + +# vim: syntax=ruby diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..dbbe355 --- /dev/null +++ b/LICENSE @@ -0,0 +1,661 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. +The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. + + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +. diff --git a/README.md b/README.md new file mode 100644 index 0000000..788b1e6 --- /dev/null +++ b/README.md @@ -0,0 +1,183 @@ +# puppet-ferm + +[![Build Status](https://travis-ci.org/voxpupuli/puppet-ferm.svg?branch=master)](https://travis-ci.org/voxpupuli/puppet-ferm) +[![Puppet Forge](https://img.shields.io/puppetforge/v/puppet/ferm.svg)](https://forge.puppetlabs.com/puppet/ferm) +[![Puppet Forge - downloads](https://img.shields.io/puppetforge/dt/puppet/ferm.svg)](https://forge.puppetlabs.com/puppet/ferm) +[![Puppet Forge - endorsement](https://img.shields.io/puppetforge/e/puppet/ferm.svg)](https://forge.puppetlabs.com/puppet/ferm) +[![Puppet Forge - scores](https://img.shields.io/puppetforge/f/puppet/ferm.svg)](https://forge.puppetlabs.com/puppet/ferm) +[![Yard Docs](https://img.shields.io/badge/yard-docs-blue.svg)](https://voxpupuli.org/puppet-ferm) +[![AGPL v3 License](https://img.shields.io/github/license/voxpupuli/puppet-ferm.svg)](LICENSE) + +## Table of Contents + +* [Overview](#overview) +* [Setup](#setup) +* [Support](#support) +* [Reference](#reference) +* [Development](#development) +* [Authors](#authors) + +---- + +## Overview + +This module manages the [ferm](http://ferm.foo-projects.org/) firewalling +software. It allows you to configure the actual software, but also all related +rules. + +## Setup + +This is very easy: + +```puppet +include ferm +``` + +This will install the package, but nothing more. It won't explicitly enable it +or write any rules. Be careful here: The default Debian package enabled +autostart for the service and only allows incoming SSH/IPSec connections. + +You can easily define rules in Puppet (they don't need to be exported resources): + +```puppet + @@ferm::rule{"allow_kafka_server2server-${trusted['certname']}": + chain => 'INPUT', + policy => 'ACCEPT', + proto => 'tcp', + dport => '(9092 9093)', + saddr => "(${facts['networking']['ip6']}/128 ${facts['networking']['ip']}/32)", + tag => 'allow_kafka_server2server', + } +``` + +You can collect them like this: + +```puppet +# collect all exported resources with the tag allow_vault_server2server +Ferm::Rule <<| tag == 'allow_kafka_server2server' |>> +``` + +You can also define rules in hiera: + +```yaml +--- +ferm::rules: + 'allow_http_https': + chain: 'INPUT' + policy: 'ACCEPT' + proto: 'tcp' + dport: '(80 443)' + saddr: "%{hiera('some_other_hiera_key')}" +``` + +ferm::rules is a hash. configured for deep merge. Hiera will collect all +defined hashes and hand them over to the class. The main class will create +rules for all of them. It also collects all exported resources that are tagged +with the FQDN of a box. + +## Reference + +### Main class + +The main class has the following parameters: + +#### `manage_service` + +[Boolean] disable/enable the management of the ferm daemon + +#### `manage_configfile` + +[Boolean] disable/enable the management of the ferm default config + +#### `configfile` + +[Stdlib::Absolutepath] path to the config file + +#### `forward_policy` + +[Ferm::Policies] default policy for the FORWARD chain + +#### `output_policy` + +[Ferm::Policies] default policy for the OUTPUT chain + +#### `input_policy` + +[Ferm::Policies] default policy for the INPUT chain + +#### `rules` + +A hash that holds all data for ferm::rule + +### rule defined resource + +This creates an entry in the correct chain file for ferm. + +#### `chain` + +The chain where we place this rule + +#### `policy` + +The desired policy. Allowed values are Enum['ACCEPT','DROP', 'REJECT'] + +#### `protocol` + +the protocol we would like to filter. Allowed values are Enum['icmp', 'tcp', 'udp'] + +#### `comment` + +A comment that will be written into the file and into ip(6)tables + +#### `dport` + +The destination port we want to filter for. Can be any string from /etc/services or an integer + +#### `sport` + +Like the destination port above, just for the source port + +#### `saddr` + +Source IPv4/IPv6 address. Can be one or many of them. Multiple addresses are +always encapsulated in braces: +'(127.0.0.1 2003::)' + +IPv4 and IPv6 addresses can be mixed. CIDR notation is possible if you want to +block networks, otherwise /32 or /128 is assumed by ferm/ip(6)tables + +#### `daddr` + +Same as above, just for the destination IP address + +#### `ensure` + +Add or remove it from the ruleset + +### chain defined resource + +The module defines the three default chains for you, INPUT, FORWARD and OUTPUT. +You're able to define own chains if you want to + +#### `policy` + +The desired default policy for the chain + +#### `chain` + +The name of the chain + +## Development + +This project contains tests for [rspec-puppet](http://rspec-puppet.com/). + +Quickstart to run all linter and unit tests: + +```bash +bundle install --path .vendor/ --without system_tests --without development --without release +bundle exec rake test +``` + +## Authors + +puppet-ferm is maintained by [Vox Pupuli](https://voxpupuli.org), it was written by [Tim 'bastelfreak' Meusel](https://github.com/bastelfreak). diff --git a/Rakefile b/Rakefile new file mode 100644 index 0000000..279580a --- /dev/null +++ b/Rakefile @@ -0,0 +1,92 @@ +require 'puppetlabs_spec_helper/rake_tasks' + +# load optional tasks for releases +# only available if gem group releases is installed +begin + require 'puppet_blacksmith/rake_tasks' + require 'voxpupuli/release/rake_tasks' + require 'puppet-strings/tasks' +rescue LoadError +end + +PuppetLint.configuration.log_format = '%{path}:%{line}:%{check}:%{KIND}:%{message}' +PuppetLint.configuration.fail_on_warnings = true +PuppetLint.configuration.send('relative') +PuppetLint.configuration.send('disable_140chars') +PuppetLint.configuration.send('disable_class_inherits_from_params_class') +PuppetLint.configuration.send('disable_documentation') +PuppetLint.configuration.send('disable_single_quote_string_with_variables') + +exclude_paths = %w( + pkg/**/* + vendor/**/* + .vendor/**/* + spec/**/* +) +PuppetLint.configuration.ignore_paths = exclude_paths +PuppetSyntax.exclude_paths = exclude_paths + +desc 'Auto-correct puppet-lint offenses' +task 'lint:auto_correct' do + PuppetLint.configuration.fix = true + Rake::Task[:lint].invoke +end + +desc 'Run acceptance tests' +RSpec::Core::RakeTask.new(:acceptance) do |t| + t.pattern = 'spec/acceptance' +end + +desc 'Run tests metadata_lint, release_checks' +task test: [ + :metadata_lint, + :release_checks, +] + +desc "Run main 'test' task and report merged results to coveralls" +task test_with_coveralls: [:test] do + if Dir.exist?(File.expand_path('../lib', __FILE__)) + require 'coveralls/rake/task' + Coveralls::RakeTask.new + Rake::Task['coveralls:push'].invoke + else + puts 'Skipping reporting to coveralls. Module has no lib dir' + end +end + +desc "Print supported beaker sets" +task 'beaker_sets', [:directory] do |t, args| + directory = args[:directory] + + metadata = JSON.load(File.read('metadata.json')) + + (metadata['operatingsystem_support'] || []).each do |os| + (os['operatingsystemrelease'] || []).each do |release| + if directory + beaker_set = "#{directory}/#{os['operatingsystem'].downcase}-#{release}" + else + beaker_set = "#{os['operatingsystem'].downcase}-#{release}-x64" + end + + filename = "spec/acceptance/nodesets/#{beaker_set}.yml" + + puts beaker_set if File.exists? filename + end + end +end + +begin + require 'github_changelog_generator/task' + GitHubChangelogGenerator::RakeTask.new :changelog do |config| + version = (Blacksmith::Modulefile.new).version + config.future_release = "v#{version}" if version =~ /^\d+\.\d+.\d+$/ + config.header = "# Changelog\n\nAll notable changes to this project will be documented in this file.\nEach new release typically also includes the latest modulesync defaults.\nThese should not affect the functionality of the module." + config.exclude_labels = %w{duplicate question invalid wontfix wont-fix modulesync skip-changelog} + config.user = 'voxpupuli' + metadata_json = File.join(File.dirname(__FILE__), 'metadata.json') + metadata = JSON.load(File.read(metadata_json)) + config.project = metadata['name'] + end +rescue LoadError +end +# vim: syntax=ruby diff --git a/data/Ubuntu.yaml b/data/Ubuntu.yaml new file mode 100644 index 0000000..f580a8f --- /dev/null +++ b/data/Ubuntu.yaml @@ -0,0 +1,2 @@ +--- +ferm::configfile: /etc/ferm/ferm.conf diff --git a/data/common.yaml b/data/common.yaml new file mode 100644 index 0000000..2618909 --- /dev/null +++ b/data/common.yaml @@ -0,0 +1,8 @@ +--- +ferm::manage_service: false +ferm::manage_configfile: false +ferm::configfile: /etc/ferm.conf +ferm::input_policy: DROP +ferm::forward_policy: DROP +ferm::output_policy: ACCEPT +ferm::rules: {} diff --git a/docs/_index.html b/docs/_index.html new file mode 100644 index 0000000..14e51e6 --- /dev/null +++ b/docs/_index.html @@ -0,0 +1,154 @@ + + + + + + + Documentation by YARD 0.9.12 + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + +

Documentation by YARD 0.9.12

+
+

Alphabetic Index

+ +

Puppet Class Listing A-Z

+ + + + + + +
+ + + + +
+ + +

Defined Type Listing A-Z

+ + + + + + +
+ + + + +
+ + + + + +

File Listing

+ + +
+ + +
+ +
+ + + +
+ + \ No newline at end of file diff --git a/docs/css/common.css b/docs/css/common.css new file mode 100644 index 0000000..d28b093 --- /dev/null +++ b/docs/css/common.css @@ -0,0 +1,8 @@ +/* Ensure the search bar doesn't overlap with links */ +.fixed_header { + padding-bottom: 25px; +} + +#full_list { + padding-top: 15px; +} diff --git a/docs/css/full_list.css b/docs/css/full_list.css new file mode 100644 index 0000000..fa35982 --- /dev/null +++ b/docs/css/full_list.css @@ -0,0 +1,58 @@ +body { + margin: 0; + font-family: "Lucida Sans", "Lucida Grande", Verdana, Arial, sans-serif; + font-size: 13px; + height: 101%; + overflow-x: hidden; + background: #fafafa; +} + +h1 { padding: 12px 10px; padding-bottom: 0; margin: 0; font-size: 1.4em; } +.clear { clear: both; } +.fixed_header { position: fixed; background: #fff; width: 100%; padding-bottom: 10px; margin-top: 0; top: 0; z-index: 9999; height: 70px; } +#search { position: absolute; right: 5px; top: 9px; padding-left: 24px; } +#content.insearch #search, #content.insearch #noresults { background: url(data:image/gif;base64,R0lGODlhEAAQAPYAAP///wAAAPr6+pKSkoiIiO7u7sjIyNjY2J6engAAAI6OjsbGxjIyMlJSUuzs7KamppSUlPLy8oKCghwcHLKysqSkpJqamvT09Pj4+KioqM7OzkRERAwMDGBgYN7e3ujo6Ly8vCoqKjY2NkZGRtTU1MTExDw8PE5OTj4+PkhISNDQ0MrKylpaWrS0tOrq6nBwcKysrLi4uLq6ul5eXlxcXGJiYoaGhuDg4H5+fvz8/KKiohgYGCwsLFZWVgQEBFBQUMzMzDg4OFhYWBoaGvDw8NbW1pycnOLi4ubm5kBAQKqqqiQkJCAgIK6urnJyckpKSjQ0NGpqatLS0sDAwCYmJnx8fEJCQlRUVAoKCggICLCwsOTk5ExMTPb29ra2tmZmZmhoaNzc3KCgoBISEiIiIgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh/hpDcmVhdGVkIHdpdGggYWpheGxvYWQuaW5mbwAh+QQJCAAAACwAAAAAEAAQAAAHaIAAgoMgIiYlg4kACxIaACEJCSiKggYMCRselwkpghGJBJEcFgsjJyoAGBmfggcNEx0flBiKDhQFlIoCCA+5lAORFb4AJIihCRbDxQAFChAXw9HSqb60iREZ1omqrIPdJCTe0SWI09GBACH5BAkIAAAALAAAAAAQABAAAAdrgACCgwc0NTeDiYozCQkvOTo9GTmDKy8aFy+NOBA7CTswgywJDTIuEjYFIY0JNYMtKTEFiRU8Pjwygy4ws4owPyCKwsMAJSTEgiQlgsbIAMrO0dKDGMTViREZ14kYGRGK38nHguHEJcvTyIEAIfkECQgAAAAsAAAAABAAEAAAB2iAAIKDAggPg4iJAAMJCRUAJRIqiRGCBI0WQEEJJkWDERkYAAUKEBc4Po1GiKKJHkJDNEeKig4URLS0ICImJZAkuQAhjSi/wQyNKcGDCyMnk8u5rYrTgqDVghgZlYjcACTA1sslvtHRgQAh+QQJCAAAACwAAAAAEAAQAAAHZ4AAgoOEhYaCJSWHgxGDJCQARAtOUoQRGRiFD0kJUYWZhUhKT1OLhR8wBaaFBzQ1NwAlkIszCQkvsbOHL7Y4q4IuEjaqq0ZQD5+GEEsJTDCMmIUhtgk1lo6QFUwJVDKLiYJNUd6/hoEAIfkECQgAAAAsAAAAABAAEAAAB2iAAIKDhIWGgiUlh4MRgyQkjIURGRiGGBmNhJWHm4uen4ICCA+IkIsDCQkVACWmhwSpFqAABQoQF6ALTkWFnYMrVlhWvIKTlSAiJiVVPqlGhJkhqShHV1lCW4cMqSkAR1ofiwsjJyqGgQAh+QQJCAAAACwAAAAAEAAQAAAHZ4AAgoOEhYaCJSWHgxGDJCSMhREZGIYYGY2ElYebi56fhyWQniSKAKKfpaCLFlAPhl0gXYNGEwkhGYREUywag1wJwSkHNDU3D0kJYIMZQwk8MjPBLx9eXwuETVEyAC/BOKsuEjYFhoEAIfkECQgAAAAsAAAAABAAEAAAB2eAAIKDhIWGgiUlh4MRgyQkjIURGRiGGBmNhJWHm4ueICImip6CIQkJKJ4kigynKaqKCyMnKqSEK05StgAGQRxPYZaENqccFgIID4KXmQBhXFkzDgOnFYLNgltaSAAEpxa7BQoQF4aBACH5BAkIAAAALAAAAAAQABAAAAdogACCg4SFggJiPUqCJSWGgkZjCUwZACQkgxGEXAmdT4UYGZqCGWQ+IjKGGIUwPzGPhAc0NTewhDOdL7Ykji+dOLuOLhI2BbaFETICx4MlQitdqoUsCQ2vhKGjglNfU0SWmILaj43M5oEAOwAAAAAAAAAAAA==) no-repeat center left; } +#full_list { padding: 0; list-style: none; margin-left: 0; margin-top: 80px; font-size: 1.1em; } +#full_list ul { padding: 0; } +#full_list li { padding: 0; margin: 0; list-style: none; } +#full_list li .item { padding: 5px 5px 5px 12px; } +#noresults { padding: 7px 12px; background: #fff; } +#content.insearch #noresults { margin-left: 7px; } +li.collapsed ul { display: none; } +li a.toggle { cursor: default; position: relative; left: -5px; top: 4px; text-indent: -999px; width: 10px; height: 9px; margin-left: -10px; display: block; float: left; background: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAK8AAACvABQqw0mAAAABx0RVh0U29mdHdhcmUAQWRvYmUgRmlyZXdvcmtzIENTM5jWRgMAAAAVdEVYdENyZWF0aW9uIFRpbWUAMy8xNC8wOeNZPpQAAAE2SURBVDiNrZTBccIwEEXfelIAHUA6CZ24BGaWO+FuzZAK4k6gg5QAdGAq+Bxs2Yqx7BzyL7Llp/VfzZeQhCTc/ezuGzKKnKSzpCxXJM8fwNXda3df5RZETlIt6YUzSQDs93sl8w3wBZxCCE10GM1OcWbWjB2mWgEH4Mfdyxm3PSepBHibgQE2wLe7r4HjEidpnXMYdQPKEMJcsZ4zs2POYQOcaPfwMVOo58zsAdMt18BuoVDPxUJRacELbXv3hUIX2vYmOUvi8C8ydz/ThjXrqKqqLbDIAdsCKBd+Wo7GWa7o9qzOQHVVVXeAbs+yHHCH4aTsaCOQqunmUy1yBUAXkdMIfMlgF5EXLo2OpV/c/Up7jG4hhHcYLgWzAZXUc2b2ixsfvc/RmNNfOXD3Q/oeL9axJE1yT9IOoUu6MGUkAAAAAElFTkSuQmCC) no-repeat bottom left; } +li.collapsed a.toggle { opacity: 0.5; cursor: default; background-position: top left; } +li { color: #888; cursor: pointer; } +li.deprecated { text-decoration: line-through; font-style: italic; } +li.odd { background: #f0f0f0; } +li.even { background: #fafafa; } +.item:hover { background: #ddd; } +li small:before { content: "("; } +li small:after { content: ")"; } +li small.search_info { display: none; } +a, a:visited { text-decoration: none; color: #05a; } +li.clicked > .item { background: #05a; color: #ccc; } +li.clicked > .item a, li.clicked > .item a:visited { color: #eee; } +li.clicked > .item a.toggle { opacity: 0.5; background-position: bottom right; } +li.collapsed.clicked a.toggle { background-position: top right; } +#search input { border: 1px solid #bbb; border-radius: 3px; } +#full_list_nav { margin-left: 10px; font-size: 0.9em; display: block; color: #aaa; } +#full_list_nav a, #nav a:visited { color: #358; } +#full_list_nav a:hover { background: transparent; color: #5af; } +#full_list_nav span:after { content: ' | '; } +#full_list_nav span:last-child:after { content: ''; } + +#content h1 { margin-top: 0; } +li { white-space: nowrap; cursor: normal; } +li small { display: block; font-size: 0.8em; } +li small:before { content: ""; } +li small:after { content: ""; } +li small.search_info { display: none; } +#search { width: 170px; position: static; margin: 3px; margin-left: 10px; font-size: 0.9em; color: #888; padding-left: 0; padding-right: 24px; } +#content.insearch #search { background-position: center right; } +#search input { width: 110px; } + +#full_list.insearch ul { display: block; } +#full_list.insearch .item { display: none; } +#full_list.insearch .found { display: block; padding-left: 11px !important; } +#full_list.insearch li a.toggle { display: none; } +#full_list.insearch li small.search_info { display: block; } diff --git a/docs/css/style.css b/docs/css/style.css new file mode 100644 index 0000000..57e8f9d --- /dev/null +++ b/docs/css/style.css @@ -0,0 +1,499 @@ +html { + width: 100%; + height: 100%; +} +body { + font-family: "Lucida Sans", "Lucida Grande", Verdana, Arial, sans-serif; + font-size: 13px; + width: 100%; + margin: 0; + padding: 0; + display: flex; + display: -webkit-flex; + display: -ms-flexbox; +} + +#nav { + position: relative; + width: 100%; + height: 100%; + border: 0; + border-right: 1px dotted #eee; + overflow: auto; +} +.nav_wrap { + margin: 0; + padding: 0; + width: 20%; + height: 100%; + position: relative; + display: flex; + display: -webkit-flex; + display: -ms-flexbox; + flex-shrink: 0; + -webkit-flex-shrink: 0; + -ms-flex: 1 0; +} +#resizer { + position: absolute; + right: -5px; + top: 0; + width: 10px; + height: 100%; + cursor: col-resize; + z-index: 9999; +} +#main { + flex: 5 1; + -webkit-flex: 5 1; + -ms-flex: 5 1; + outline: none; + position: relative; + background: #fff; + padding: 1.2em; + padding-top: 0.2em; +} + +@media (max-width: 920px) { + .nav_wrap { width: 100%; top: 0; right: 0; overflow: visible; position: absolute; } + #resizer { display: none; } + #nav { + z-index: 9999; + background: #fff; + display: none; + position: absolute; + top: 40px; + right: 12px; + width: 500px; + max-width: 80%; + height: 80%; + overflow-y: scroll; + border: 1px solid #999; + border-collapse: collapse; + box-shadow: -7px 5px 25px #aaa; + border-radius: 2px; + } +} + +@media (min-width: 920px) { + body { height: 100%; overflow: hidden; } + #main { height: 100%; overflow: auto; } + #search { display: none; } +} + +#main img { max-width: 100%; } +h1 { font-size: 25px; margin: 1em 0 0.5em; padding-top: 4px; border-top: 1px dotted #d5d5d5; } +h1.noborder { border-top: 0px; margin-top: 0; padding-top: 4px; } +h1.title { margin-bottom: 10px; } +h1.alphaindex { margin-top: 0; font-size: 22px; } +h2 { + padding: 0; + padding-bottom: 3px; + border-bottom: 1px #aaa solid; + font-size: 1.4em; + margin: 1.8em 0 0.5em; + position: relative; +} +h2 small { font-weight: normal; font-size: 0.7em; display: inline; position: absolute; right: 0; } +h2 small a { + display: block; + height: 20px; + border: 1px solid #aaa; + border-bottom: 0; + border-top-left-radius: 5px; + background: #f8f8f8; + position: relative; + padding: 2px 7px; +} +.clear { clear: both; } +.inline { display: inline; } +.inline p:first-child { display: inline; } +.docstring, .tags, #filecontents { font-size: 15px; line-height: 1.5145em; } +.docstring p > code, .docstring p > tt, .tags p > code, .tags p > tt { + color: #c7254e; background: #f9f2f4; padding: 2px 4px; font-size: 1em; + border-radius: 4px; +} +.docstring h1, .docstring h2, .docstring h3, .docstring h4 { padding: 0; border: 0; border-bottom: 1px dotted #bbb; } +.docstring h1 { font-size: 1.2em; } +.docstring h2 { font-size: 1.1em; } +.docstring h3, .docstring h4 { font-size: 1em; border-bottom: 0; padding-top: 10px; } +.summary_desc .object_link a, .docstring .object_link a { + font-family: monospace; font-size: 1.05em; + color: #05a; background: #EDF4FA; padding: 2px 4px; font-size: 1em; + border-radius: 4px; +} +.rdoc-term { padding-right: 25px; font-weight: bold; } +.rdoc-list p { margin: 0; padding: 0; margin-bottom: 4px; } +.summary_desc pre.code .object_link a, .docstring pre.code .object_link a { + padding: 0px; background: inherit; color: inherit; border-radius: inherit; +} + +/* style for */ +#filecontents table, .docstring table { border-collapse: collapse; } +#filecontents table th, #filecontents table td, +.docstring table th, .docstring table td { border: 1px solid #ccc; padding: 8px; padding-right: 17px; } +#filecontents table tr:nth-child(odd), +.docstring table tr:nth-child(odd) { background: #eee; } +#filecontents table tr:nth-child(even), +.docstring table tr:nth-child(even) { background: #fff; } +#filecontents table th, .docstring table th { background: #fff; } + +/* style for
    */ +#filecontents li > p, .docstring li > p { margin: 0px; } +#filecontents ul, .docstring ul { padding-left: 20px; } +/* style for
    */ +#filecontents dl, .docstring dl { border: 1px solid #ccc; } +#filecontents dt, .docstring dt { background: #ddd; font-weight: bold; padding: 3px 5px; } +#filecontents dd, .docstring dd { padding: 5px 0px; margin-left: 18px; } +#filecontents dd > p, .docstring dd > p { margin: 0px; } + +.note { + color: #222; + margin: 20px 0; + padding: 10px; + border: 1px solid #eee; + border-radius: 3px; + display: block; +} +.docstring .note { + border-left-color: #ccc; + border-left-width: 5px; +} +.note.todo { background: #ffffc5; border-color: #ececaa; } +.note.returns_void { background: #efefef; } +.note.deprecated { background: #ffe5e5; border-color: #e9dada; } +.note.title.deprecated { background: #ffe5e5; border-color: #e9dada; } +.note.private { background: #ffffc5; border-color: #ececaa; } +.note.title { padding: 3px 6px; font-size: 0.9em; font-family: "Lucida Sans", "Lucida Grande", Verdana, Arial, sans-serif; display: inline; } +.summary_signature + .note.title { margin-left: 7px; } +h1 .note.title { font-size: 0.5em; font-weight: normal; padding: 3px 5px; position: relative; top: -3px; text-transform: capitalize; } +.note.title { background: #efefef; } +.note.title.constructor { color: #fff; background: #6a98d6; border-color: #6689d6; } +.note.title.writeonly { color: #fff; background: #45a638; border-color: #2da31d; } +.note.title.readonly { color: #fff; background: #6a98d6; border-color: #6689d6; } +.note.title.private { background: #d5d5d5; border-color: #c5c5c5; } +.note.title.not_defined_here { background: transparent; border: none; font-style: italic; } +.discussion .note { margin-top: 6px; } +.discussion .note:first-child { margin-top: 0; } + +h3.inherited { + font-style: italic; + font-family: "Lucida Sans", "Lucida Grande", Verdana, Arial, sans-serif; + font-weight: normal; + padding: 0; + margin: 0; + margin-top: 12px; + margin-bottom: 3px; + font-size: 13px; +} +p.inherited { + padding: 0; + margin: 0; + margin-left: 25px; +} + +.box_info dl { + margin: 0; + border: 0; + width: 100%; + font-size: 1em; + display: flex; + display: -webkit-flex; + display: -ms-flexbox; +} +.box_info dl dt { + flex-shrink: 0; + -webkit-flex-shrink: 1; + -ms-flex-shrink: 1; + width: 100px; + text-align: right; + font-weight: bold; + border: 1px solid #aaa; + border-width: 1px 0px 0px 1px; + padding: 6px 0; + padding-right: 10px; +} +.box_info dl dd { + flex-grow: 1; + -webkit-flex-grow: 1; + -ms-flex: 1; + max-width: 420px; + padding: 6px 0; + padding-right: 20px; + border: 1px solid #aaa; + border-width: 1px 1px 0 0; + overflow: hidden; + position: relative; +} +.box_info dl:last-child > * { + border-bottom: 1px solid #aaa; +} +.box_info dl:nth-child(odd) > * { background: #eee; } +.box_info dl:nth-child(even) > * { background: #fff; } +.box_info dl > * { margin: 0; } + +ul.toplevel { list-style: none; padding-left: 0; font-size: 1.1em; } +.index_inline_list { padding-left: 0; font-size: 1.1em; } + +.index_inline_list li { + list-style: none; + display: inline-block; + padding: 0 12px; + line-height: 30px; + margin-bottom: 5px; +} + +dl.constants { margin-left: 10px; } +dl.constants dt { font-weight: bold; font-size: 1.1em; margin-bottom: 5px; } +dl.constants dd { width: 75%; white-space: pre; font-family: monospace; margin-bottom: 18px; } +dl.constants .docstring .note:first-child { margin-top: 5px; } + +.summary_desc { + margin-left: 32px; + display: block; + font-family: sans-serif; + font-size: 1.1em; + margin-top: 8px; + line-height: 1.5145em; + margin-bottom: 0.8em; +} +.summary_desc tt { font-size: 0.9em; } +dl.constants .note { padding: 2px 6px; padding-right: 12px; margin-top: 6px; } +dl.constants .docstring { margin-left: 32px; font-size: 0.9em; font-weight: normal; } +dl.constants .tags { padding-left: 32px; font-size: 0.9em; line-height: 0.8em; } +dl.constants .discussion *:first-child { margin-top: 0; } +dl.constants .discussion *:last-child { margin-bottom: 0; } + +.method_details { border-top: 1px dotted #ccc; margin-top: 25px; padding-top: 0; } +.method_details.first { border: 0; margin-top: 5px; } +.method_details.first h3.signature { margin-top: 1em; } +p.signature, h3.signature { + font-size: 1.1em; font-weight: normal; font-family: Monaco, Consolas, Courier, monospace; + padding: 6px 10px; margin-top: 1em; + background: #E8F4FF; border: 1px solid #d8d8e5; border-radius: 5px; +} +p.signature tt, +h3.signature tt { font-family: Monaco, Consolas, Courier, monospace; } +p.signature .overload, +h3.signature .overload { display: block; } +p.signature .extras, +h3.signature .extras { font-weight: normal; font-family: sans-serif; color: #444; font-size: 1em; } +p.signature .not_defined_here, +h3.signature .not_defined_here, +p.signature .aliases, +h3.signature .aliases { display: block; font-weight: normal; font-size: 0.9em; font-family: sans-serif; margin-top: 0px; color: #555; } +p.signature .aliases .names, +h3.signature .aliases .names { font-family: Monaco, Consolas, Courier, monospace; font-weight: bold; color: #000; font-size: 1.2em; } + +.tags .tag_title { font-size: 1.05em; margin-bottom: 0; font-weight: bold; } +.tags .tag_title tt { color: initial; padding: initial; background: initial; } +.tags ul { margin-top: 5px; padding-left: 30px; list-style: square; } +.tags ul li { margin-bottom: 3px; } +.tags ul .name { font-family: monospace; font-weight: bold; } +.tags ul .note { padding: 3px 6px; } +.tags { margin-bottom: 12px; } + +.tags .examples .tag_title { margin-bottom: 10px; font-weight: bold; } +.tags .examples .inline p { padding: 0; margin: 0; font-weight: bold; font-size: 1em; } +.tags .examples .inline p:before { content: "▸"; font-size: 1em; margin-right: 5px; } + +.tags .overload .overload_item { list-style: none; margin-bottom: 25px; } +.tags .overload .overload_item .signature { + padding: 2px 8px; + background: #F1F8FF; border: 1px solid #d8d8e5; border-radius: 3px; +} +.tags .overload .signature { margin-left: -15px; font-family: monospace; display: block; font-size: 1.1em; } +.tags .overload .docstring { margin-top: 15px; } + +.defines { display: none; } + +#method_missing_details .notice.this { position: relative; top: -8px; color: #888; padding: 0; margin: 0; } + +.showSource { font-size: 0.9em; } +.showSource a, .showSource a:visited { text-decoration: none; color: #666; } + +#content a, #content a:visited { text-decoration: none; color: #05a; } +#content a:hover { background: #ffffa5; } + +ul.summary { + list-style: none; + font-family: monospace; + font-size: 1em; + line-height: 1.5em; + padding-left: 0px; +} +ul.summary a, ul.summary a:visited { + text-decoration: none; font-size: 1.1em; +} +ul.summary li { margin-bottom: 5px; } +.summary .summary_signature { + padding: 4px 8px; + background: #f8f8f8; + border: 1px solid #f0f0f0; + border-radius: 5px; +} +.summary_signature:hover { background: #CFEBFF; border-color: #A4CCDA; cursor: pointer; } +ul.summary.compact li { display: inline-block; margin: 0px 5px 0px 0px; line-height: 2.6em;} +ul.summary.compact .summary_signature { padding: 5px 7px; padding-right: 4px; } +#content .summary_signature:hover a, +#content .summary_signature:hover a:visited { + background: transparent; + color: #049; +} + +p.inherited a { font-family: monospace; font-size: 0.9em; } +p.inherited { word-spacing: 5px; font-size: 1.2em; } + +p.children { font-size: 1.2em; } +p.children a { font-size: 0.9em; } +p.children strong { font-size: 0.8em; } +p.children strong.modules { padding-left: 5px; } + +ul.fullTree { display: none; padding-left: 0; list-style: none; margin-left: 0; margin-bottom: 10px; } +ul.fullTree ul { margin-left: 0; padding-left: 0; list-style: none; } +ul.fullTree li { text-align: center; padding-top: 18px; padding-bottom: 12px; background: url(data:image/gif;base64,iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKCAYAAACNMs+9AAAACXBIWXMAAAsTAAALEwEAmpwYAAAKT2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AUkSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXXPues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgABeNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAtAGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dXLh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzABhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/phCJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhMWE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQAkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+IoUspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdpr+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZD5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61MbU2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY/R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllirSKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79up+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6VhlWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lOk06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7RyFDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3IveRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+BZ7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5pDoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5qPNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIsOpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQrAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1dT1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aXDm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO/PLi8ZafJzs07P1SkVPRU+lQ27tLdtWHX+G7R7ht7vPY07NXbW7z3/T7JvttVAVVN1WbVZftJ+7P3P66Jqun4lvttXa1ObXHtxwPSA/0HIw6217nU1R3SPVRSj9Yr60cOxx++/p3vdy0NNg1VjZzG4iNwRHnk6fcJ3/ceDTradox7rOEH0x92HWcdL2pCmvKaRptTmvtbYlu6T8w+0dbq3nr8R9sfD5w0PFl5SvNUyWna6YLTk2fyz4ydlZ19fi753GDborZ752PO32oPb++6EHTh0kX/i+c7vDvOXPK4dPKy2+UTV7hXmq86X23qdOo8/pPTT8e7nLuarrlca7nuer21e2b36RueN87d9L158Rb/1tWeOT3dvfN6b/fF9/XfFt1+cif9zsu72Xcn7q28T7xf9EDtQdlD3YfVP1v+3Njv3H9qwHeg89HcR/cGhYPP/pH1jw9DBY+Zj8uGDYbrnjg+OTniP3L96fynQ89kzyaeF/6i/suuFxYvfvjV69fO0ZjRoZfyl5O/bXyl/erA6xmv28bCxh6+yXgzMV70VvvtwXfcdx3vo98PT+R8IH8o/2j5sfVT0Kf7kxmTk/8EA5jz/GMzLdsAAAAgY0hSTQAAeiUAAICDAAD5/wAAgOkAAHUwAADqYAAAOpgAABdvkl/FRgAAAHtJREFUeNqMzrEJAkEURdGzuhgZbSoYWcAWoBVsB4JgZAGmphsZCZYzTQgWNCYrDN9RvMmHx+X916SUBFbo8CzD1idXrLErw1mQttgXtyrOcQ/Ny5p4Qh+2XqLYYazsPWNTiuMkRxa4vcV+evuNAUOLIx5+c2hyzv7hNQC67Q+/HHmlEwAAAABJRU5ErkJggg==) no-repeat top center; } +ul.fullTree li:first-child { padding-top: 0; background: transparent; } +ul.fullTree li:last-child { padding-bottom: 0; } +.showAll ul.fullTree { display: block; } +.showAll .inheritName { display: none; } + +#search { position: absolute; right: 12px; top: 0px; z-index: 9000; } +#search a { + display: block; float: left; + padding: 4px 8px; text-decoration: none; color: #05a; fill: #05a; + border: 1px solid #d8d8e5; + border-bottom-left-radius: 3px; border-bottom-right-radius: 3px; + background: #F1F8FF; + box-shadow: -1px 1px 3px #ddd; +} +#search a:hover { background: #f5faff; color: #06b; fill: #06b; } +#search a.active { + background: #568; padding-bottom: 20px; color: #fff; fill: #fff; + border: 1px solid #457; + border-top-left-radius: 5px; border-top-right-radius: 5px; +} +#search a.inactive { color: #999; fill: #999; } +.inheritanceTree, .toggleDefines { + float: right; + border-left: 1px solid #aaa; + position: absolute; top: 0; right: 0; + height: 100%; + background: #f6f6f6; + padding: 5px; + min-width: 55px; + text-align: center; +} + +#menu { font-size: 1.3em; color: #bbb; } +#menu .title, #menu a { font-size: 0.7em; } +#menu .title a { font-size: 1em; } +#menu .title { color: #555; } +#menu a, #menu a:visited { color: #333; text-decoration: none; border-bottom: 1px dotted #bbd; } +#menu a:hover { color: #05a; } + +#footer { margin-top: 15px; border-top: 1px solid #ccc; text-align: center; padding: 7px 0; color: #999; } +#footer a, #footer a:visited { color: #444; text-decoration: none; border-bottom: 1px dotted #bbd; } +#footer a:hover { color: #05a; } + +#listing ul.alpha { font-size: 1.1em; } +#listing ul.alpha { margin: 0; padding: 0; padding-bottom: 10px; list-style: none; } +#listing ul.alpha li.letter { font-size: 1.4em; padding-bottom: 10px; } +#listing ul.alpha ul { margin: 0; padding-left: 15px; } +#listing ul small { color: #666; font-size: 0.7em; } + +li.r1 { background: #f0f0f0; } +li.r2 { background: #fafafa; } + +#content ul.summary li.deprecated .summary_signature a, +#content ul.summary li.deprecated .summary_signature a:visited { text-decoration: line-through; font-style: italic; } + +#toc { + position: relative; + float: right; + overflow-x: auto; + right: -3px; + margin-left: 20px; + margin-bottom: 20px; + padding: 20px; padding-right: 30px; + max-width: 300px; + z-index: 5000; + background: #fefefe; + border: 1px solid #ddd; + box-shadow: -2px 2px 6px #bbb; +} +#toc .title { margin: 0; } +#toc ol { padding-left: 1.8em; } +#toc li { font-size: 1.1em; line-height: 1.7em; } +#toc > ol > li { font-size: 1.1em; font-weight: bold; } +#toc ol > ol { font-size: 0.9em; } +#toc ol ol > ol { padding-left: 2.3em; } +#toc ol + li { margin-top: 0.3em; } +#toc.hidden { padding: 10px; background: #fefefe; box-shadow: none; } +#toc.hidden:hover { background: #fafafa; } +#filecontents h1 + #toc.nofloat { margin-top: 0; } +@media (max-width: 560px) { + #toc { + margin-left: 0; + margin-top: 16px; + float: none; + max-width: none; + } +} + +/* syntax highlighting */ +.source_code { display: none; padding: 3px 8px; border-left: 8px solid #ddd; margin-top: 5px; } +#filecontents pre.code, .docstring pre.code, .source_code pre { font-family: monospace; } +#filecontents pre.code, .docstring pre.code { display: block; } +.source_code .lines { padding-right: 12px; color: #555; text-align: right; } +#filecontents pre.code, .docstring pre.code, +.tags pre.example { + padding: 9px 14px; + margin-top: 4px; + border: 1px solid #e1e1e8; + background: #f7f7f9; + border-radius: 4px; + font-size: 1em; + overflow-x: auto; + line-height: 1.2em; +} +pre.code { color: #000; tab-size: 2; } +pre.code .info.file { color: #555; } +pre.code .val { color: #036A07; } +pre.code .tstring_content, +pre.code .heredoc_beg, pre.code .heredoc_end, +pre.code .qwords_beg, pre.code .qwords_end, pre.code .qwords_sep, +pre.code .words_beg, pre.code .words_end, pre.code .words_sep, +pre.code .qsymbols_beg, pre.code .qsymbols_end, pre.code .qsymbols_sep, +pre.code .symbols_beg, pre.code .symbols_end, pre.code .symbols_sep, +pre.code .tstring, pre.code .dstring { color: #036A07; } +pre.code .fid, pre.code .rubyid_new, pre.code .rubyid_to_s, +pre.code .rubyid_to_sym, pre.code .rubyid_to_f, +pre.code .dot + pre.code .id, +pre.code .rubyid_to_i pre.code .rubyid_each { color: #0085FF; } +pre.code .comment { color: #0066FF; } +pre.code .const, pre.code .constant { color: #585CF6; } +pre.code .label, +pre.code .symbol { color: #C5060B; } +pre.code .kw, +pre.code .rubyid_require, +pre.code .rubyid_extend, +pre.code .rubyid_include { color: #0000FF; } +pre.code .ivar { color: #318495; } +pre.code .gvar, +pre.code .rubyid_backref, +pre.code .rubyid_nth_ref { color: #6D79DE; } +pre.code .regexp, .dregexp { color: #036A07; } +pre.code a { border-bottom: 1px dotted #bbf; } +/* inline code */ +p > code { + padding: 1px 3px 1px 3px; + border: 1px solid #E1E1E8; + background: #F7F7F9; + border-radius: 4px; +} + +/* Color fix for links */ +#content .summary_desc pre.code .id > .object_link a, /* identifier */ +#content .docstring pre.code .id > .object_link a { color: #0085FF; } +#content .summary_desc pre.code .const > .object_link a, /* constant */ +#content .docstring pre.code .const > .object_link a { color: #585CF6; } diff --git a/docs/file.README.html b/docs/file.README.html new file mode 100644 index 0000000..2392596 --- /dev/null +++ b/docs/file.README.html @@ -0,0 +1,248 @@ + + + + + + + File: README + + — Documentation by YARD 0.9.12 + + + + + + + + + + + + + + + + + +
    + +
    +
    + +
    + + +

    puppet-ferm

    + +

    Build Status +Puppet Forge +Puppet Forge - downloads +Puppet Forge - endorsement +Puppet Forge - scores +Yard Docs +AGPL v3 License

    + +

    Table of Contents

    + + + +
    + +

    Overview

    + +

    This module manages the ferm firewalling +software. It allows you to configure the actual software, but also all related +rules.

    + +

    Setup

    + +

    This is very easy:

    + +
    include ferm
+
    + +

    This will install the package, but nothing more. It won't explicitly enable it +or write any rules. Be careful here: The default Debian package enabled +autostart for the service and only allows incoming SSH/IPSec connections.

    + +

    You can easily define rules in Puppet (they don't need to be exported resources):

    + +
      @@ferm::rule{"allow_kafka_server2server-${trusted['certname']}":
+    chain  => 'INPUT',
+    policy => 'ACCEPT',
+    proto  => 'tcp',
+    dport  => '(9092 9093)',
+    saddr  => "(${facts['networking']['ip6']}/128 ${facts['networking']['ip']}/32)",
+    tag    => 'allow_kafka_server2server',
+  }
+
    + +

    You can collect them like this:

    + +
    # collect all exported resources with the tag allow_vault_server2server
+Ferm::Rule <<| tag == 'allow_kafka_server2server' |>>
+
    + +

    You can also define rules in hiera:

    + +
    ---
+ferm::rules:
+  'allow_http_https':
+    chain: 'INPUT'
+    policy: 'ACCEPT'
+    proto: 'tcp'
+    dport: '(80 443)'
+    saddr: "%{hiera('some_other_hiera_key')}"
+
    + +

    ferm::rules is a hash. configured for deep merge. Hiera will collect all +defined hashes and hand them over to the class. The main class will create +rules for all of them. It also collects all exported resources that are tagged +with the FQDN of a box.

    + +

    Reference

    + +

    Main class

    + +

    The main class has the following parameters:

    + +

    manage_service

    + +

    [Boolean] disable/enable the management of the ferm daemon

    + +

    manage_configfile

    + +

    [Boolean] disable/enable the management of the ferm default config

    + +

    configfile

    + +

    [Stdlib::Absolutepath] path to the config file

    + +

    forward_policy

    + +

    [Ferm::Policies] default policy for the FORWARD chain

    + +

    output_policy

    + +

    [Ferm::Policies] default policy for the OUTPUT chain

    + +

    input_policy

    + +

    [Ferm::Policies] default policy for the INPUT chain

    + +

    rules

    + +

    A hash that holds all data for ferm::rule

    + +

    rule defined resource

    + +

    This creates an entry in the correct chain file for ferm.

    + +

    chain

    + +

    The chain where we place this rule

    + +

    policy

    + +

    The desired policy. Allowed values are Enum['ACCEPT','DROP', 'REJECT']

    + +

    protocol

    + +

    the protocol we would like to filter. Allowed values are Enum['icmp', 'tcp', 'udp']

    + +

    comment

    + +

    A comment that will be written into the file and into ip(6)tables

    + +

    dport

    + +

    The destination port we want to filter for. Can be any string from /etc/services or an integer

    + +

    sport

    + +

    Like the destination port above, just for the source port

    + +

    saddr

    + +

    Source IPv4/IPv6 address. Can be one or many of them. Multiple addresses are +always encapsulated in braces: +'(127.0.0.1 2003::)'

    + +

    IPv4 and IPv6 addresses can be mixed. CIDR notation is possible if you want to +block networks, otherwise /32 or /128 is assumed by ferm/ip(6)tables

    + +

    daddr

    + +

    Same as above, just for the destination IP address

    + +

    ensure

    + +

    Add or remove it from the ruleset

    + +

    chain defined resource

    + +

    The module defines the three default chains for you, INPUT, FORWARD and OUTPUT. +You're able to define own chains if you want to

    + +

    policy

    + +

    The desired default policy for the chain

    + +

    chain

    + +

    The name of the chain

    + +

    Development

    + +

    This project contains tests for rspec-puppet.

    + +

    Quickstart to run all linter and unit tests:

    + +
    bundle install --path .vendor/ --without system_tests --without development --without release
+bundle exec rake test
+
    + +

    Authors

    + +

    puppet-ferm is maintained by Vox Pupuli, it was written by Tim 'bastelfreak' Meusel.

    +
    + + + +
    + + \ No newline at end of file diff --git a/docs/frames.html b/docs/frames.html new file mode 100644 index 0000000..42ca6b6 --- /dev/null +++ b/docs/frames.html @@ -0,0 +1,17 @@ + + + + + Documentation by YARD 0.9.12 + + + + diff --git a/docs/index.html b/docs/index.html new file mode 100644 index 0000000..12f972f --- /dev/null +++ b/docs/index.html @@ -0,0 +1,248 @@ + + + + + + + File: README + + — Documentation by YARD 0.9.12 + + + + + + + + + + + + + + + + + +
    + +
    +
    + +
    + + +

    puppet-ferm

    + +

    Build Status +Puppet Forge +Puppet Forge - downloads +Puppet Forge - endorsement +Puppet Forge - scores +Yard Docs +AGPL v3 License

    + +

    Table of Contents

    + + + +
    + +

    Overview

    + +

    This module manages the ferm firewalling +software. It allows you to configure the actual software, but also all related +rules.

    + +

    Setup

    + +

    This is very easy:

    + +
    include ferm
+
    + +

    This will install the package, but nothing more. It won't explicitly enable it +or write any rules. Be careful here: The default Debian package enabled +autostart for the service and only allows incoming SSH/IPSec connections.

    + +

    You can easily define rules in Puppet (they don't need to be exported resources):

    + +
      @@ferm::rule{"allow_kafka_server2server-${trusted['certname']}":
+    chain  => 'INPUT',
+    policy => 'ACCEPT',
+    proto  => 'tcp',
+    dport  => '(9092 9093)',
+    saddr  => "(${facts['networking']['ip6']}/128 ${facts['networking']['ip']}/32)",
+    tag    => 'allow_kafka_server2server',
+  }
+
    + +

    You can collect them like this:

    + +
    # collect all exported resources with the tag allow_vault_server2server
+Ferm::Rule <<| tag == 'allow_kafka_server2server' |>>
+
    + +

    You can also define rules in hiera:

    + +
    ---
+ferm::rules:
+  'allow_http_https':
+    chain: 'INPUT'
+    policy: 'ACCEPT'
+    proto: 'tcp'
+    dport: '(80 443)'
+    saddr: "%{hiera('some_other_hiera_key')}"
+
    + +

    ferm::rules is a hash. configured for deep merge. Hiera will collect all +defined hashes and hand them over to the class. The main class will create +rules for all of them. It also collects all exported resources that are tagged +with the FQDN of a box.

    + +

    Reference

    + +

    Main class

    + +

    The main class has the following parameters:

    + +

    manage_service

    + +

    [Boolean] disable/enable the management of the ferm daemon

    + +

    manage_configfile

    + +

    [Boolean] disable/enable the management of the ferm default config

    + +

    configfile

    + +

    [Stdlib::Absolutepath] path to the config file

    + +

    forward_policy

    + +

    [Ferm::Policies] default policy for the FORWARD chain

    + +

    output_policy

    + +

    [Ferm::Policies] default policy for the OUTPUT chain

    + +

    input_policy

    + +

    [Ferm::Policies] default policy for the INPUT chain

    + +

    rules

    + +

    A hash that holds all data for ferm::rule

    + +

    rule defined resource

    + +

    This creates an entry in the correct chain file for ferm.

    + +

    chain

    + +

    The chain where we place this rule

    + +

    policy

    + +

    The desired policy. Allowed values are Enum['ACCEPT','DROP', 'REJECT']

    + +

    protocol

    + +

    the protocol we would like to filter. Allowed values are Enum['icmp', 'tcp', 'udp']

    + +

    comment

    + +

    A comment that will be written into the file and into ip(6)tables

    + +

    dport

    + +

    The destination port we want to filter for. Can be any string from /etc/services or an integer

    + +

    sport

    + +

    Like the destination port above, just for the source port

    + +

    saddr

    + +

    Source IPv4/IPv6 address. Can be one or many of them. Multiple addresses are +always encapsulated in braces: +'(127.0.0.1 2003::)'

    + +

    IPv4 and IPv6 addresses can be mixed. CIDR notation is possible if you want to +block networks, otherwise /32 or /128 is assumed by ferm/ip(6)tables

    + +

    daddr

    + +

    Same as above, just for the destination IP address

    + +

    ensure

    + +

    Add or remove it from the ruleset

    + +

    chain defined resource

    + +

    The module defines the three default chains for you, INPUT, FORWARD and OUTPUT. +You're able to define own chains if you want to

    + +

    policy

    + +

    The desired default policy for the chain

    + +

    chain

    + +

    The name of the chain

    + +

    Development

    + +

    This project contains tests for rspec-puppet.

    + +

    Quickstart to run all linter and unit tests:

    + +
    bundle install --path .vendor/ --without system_tests --without development --without release
+bundle exec rake test
+
    + +

    Authors

    + +

    puppet-ferm is maintained by Vox Pupuli, it was written by Tim 'bastelfreak' Meusel.

    +
    + + + +
    + + \ No newline at end of file diff --git a/docs/js/app.js b/docs/js/app.js new file mode 100644 index 0000000..b9f2120 --- /dev/null +++ b/docs/js/app.js @@ -0,0 +1,248 @@ +(function() { + +var localStorage = {}, sessionStorage = {}; +try { localStorage = window.localStorage; } catch (e) { } +try { sessionStorage = window.sessionStorage; } catch (e) { } + +function createSourceLinks() { + $('.method_details_list .source_code'). + before("[View source]"); + $('.toggleSource').toggle(function() { + $(this).parent().nextAll('.source_code').slideDown(100); + $(this).text("Hide source"); + }, + function() { + $(this).parent().nextAll('.source_code').slideUp(100); + $(this).text("View source"); + }); +} + +function createDefineLinks() { + var tHeight = 0; + $('.defines').after(" more..."); + $('.toggleDefines').toggle(function() { + tHeight = $(this).parent().prev().height(); + $(this).prev().css('display', 'inline'); + $(this).parent().prev().height($(this).parent().height()); + $(this).text("(less)"); + }, + function() { + $(this).prev().hide(); + $(this).parent().prev().height(tHeight); + $(this).text("more..."); + }); +} + +function createFullTreeLinks() { + var tHeight = 0; + $('.inheritanceTree').toggle(function() { + tHeight = $(this).parent().prev().height(); + $(this).parent().toggleClass('showAll'); + $(this).text("(hide)"); + $(this).parent().prev().height($(this).parent().height()); + }, + function() { + $(this).parent().toggleClass('showAll'); + $(this).parent().prev().height(tHeight); + $(this).text("show all"); + }); +} + +function searchFrameButtons() { + $('.full_list_link').click(function() { + toggleSearchFrame(this, $(this).attr('href')); + return false; + }); + window.addEventListener('message', function(e) { + if (e.data === 'navEscape') { + $('#nav').slideUp(100); + $('#search a').removeClass('active inactive'); + $(window).focus(); + } + }); + + $(window).resize(function() { + if ($('#search:visible').length === 0) { + $('#nav').removeAttr('style'); + $('#search a').removeClass('active inactive'); + $(window).focus(); + } + }); +} + +function toggleSearchFrame(id, link) { + var frame = $('#nav'); + $('#search a').removeClass('active').addClass('inactive'); + if (frame.attr('src') === link && frame.css('display') !== "none") { + frame.slideUp(100); + $('#search a').removeClass('active inactive'); + } + else { + $(id).addClass('active').removeClass('inactive'); + if (frame.attr('src') !== link) frame.attr('src', link); + frame.slideDown(100); + } +} + +function linkSummaries() { + $('.summary_signature').click(function() { + document.location = $(this).find('a').attr('href'); + }); +} + +function summaryToggle() { + $('.summary_toggle').click(function(e) { + e.preventDefault(); + localStorage.summaryCollapsed = $(this).text(); + $('.summary_toggle').each(function() { + $(this).text($(this).text() == "collapse" ? "expand" : "collapse"); + var next = $(this).parent().parent().nextAll('ul.summary').first(); + if (next.hasClass('compact')) { + next.toggle(); + next.nextAll('ul.summary').first().toggle(); + } + else if (next.hasClass('summary')) { + var list = $('
      '); + list.html(next.html()); + list.find('.summary_desc, .note').remove(); + list.find('a').each(function() { + $(this).html($(this).find('strong').html()); + $(this).parent().html($(this)[0].outerHTML); + }); + next.before(list); + next.toggle(); + } + }); + return false; + }); + if (localStorage.summaryCollapsed == "collapse") { + $('.summary_toggle').first().click(); + } else { localStorage.summaryCollapsed = "expand"; } +} + +function generateTOC() { + if ($('#filecontents').length === 0) return; + var _toc = $('
        '); + var show = false; + var toc = _toc; + var counter = 0; + var tags = ['h2', 'h3', 'h4', 'h5', 'h6']; + var i; + if ($('#filecontents h1').length > 1) tags.unshift('h1'); + for (i = 0; i < tags.length; i++) { tags[i] = '#filecontents ' + tags[i]; } + var lastTag = parseInt(tags[0][1], 10); + $(tags.join(', ')).each(function() { + if ($(this).parents('.method_details .docstring').length != 0) return; + if (this.id == "filecontents") return; + show = true; + var thisTag = parseInt(this.tagName[1], 10); + if (this.id.length === 0) { + var proposedId = $(this).attr('toc-id'); + if (typeof(proposedId) != "undefined") this.id = proposedId; + else { + var proposedId = $(this).text().replace(/[^a-z0-9-]/ig, '_'); + if ($('#' + proposedId).length > 0) { proposedId += counter; counter++; } + this.id = proposedId; + } + } + if (thisTag > lastTag) { + for (i = 0; i < thisTag - lastTag; i++) { + var tmp = $('
          '); toc.append(tmp); toc = tmp; + } + } + if (thisTag < lastTag) { + for (i = 0; i < lastTag - thisTag; i++) toc = toc.parent(); + } + var title = $(this).attr('toc-title'); + if (typeof(title) == "undefined") title = $(this).text(); + toc.append('
        1. ' + title + '
          2. '); + lastTag = thisTag; + }); + if (!show) return; + html = ''; + $('#content').prepend(html); + $('#toc').append(_toc); + $('#toc .hide_toc').toggle(function() { + $('#toc .top').slideUp('fast'); + $('#toc').toggleClass('hidden'); + $('#toc .title small').toggle(); + }, function() { + $('#toc .top').slideDown('fast'); + $('#toc').toggleClass('hidden'); + $('#toc .title small').toggle(); + }); +} + +function navResizeFn(e) { + if (e.which !== 1) { + navResizeFnStop(); + return; + } + + sessionStorage.navWidth = e.pageX.toString(); + $('.nav_wrap').css('width', e.pageX); + $('.nav_wrap').css('-ms-flex', 'inherit'); +} + +function navResizeFnStop() { + $(window).unbind('mousemove', navResizeFn); + window.removeEventListener('message', navMessageFn, false); +} + +function navMessageFn(e) { + if (e.data.action === 'mousemove') navResizeFn(e.data.event); + if (e.data.action === 'mouseup') navResizeFnStop(); +} + +function navResizer() { + $('#resizer').mousedown(function(e) { + e.preventDefault(); + $(window).mousemove(navResizeFn); + window.addEventListener('message', navMessageFn, false); + }); + $(window).mouseup(navResizeFnStop); + + if (sessionStorage.navWidth) { + navResizeFn({which: 1, pageX: parseInt(sessionStorage.navWidth, 10)}); + } +} + +function navExpander() { + var done = false, timer = setTimeout(postMessage, 500); + function postMessage() { + if (done) return; + clearTimeout(timer); + var opts = { action: 'expand', path: pathId }; + document.getElementById('nav').contentWindow.postMessage(opts, '*'); + done = true; + } + + window.addEventListener('message', function(event) { + if (event.data === 'navReady') postMessage(); + return false; + }, false); +} + +function mainFocus() { + var hash = window.location.hash; + if (hash !== '' && $(hash)[0]) { + $(hash)[0].scrollIntoView(); + } + + setTimeout(function() { $('#main').focus(); }, 10); +} + +$(document).ready(function() { + navResizer(); + navExpander(); + createSourceLinks(); + createDefineLinks(); + createFullTreeLinks(); + searchFrameButtons(); + linkSummaries(); + summaryToggle(); + generateTOC(); + mainFocus(); +}); + +})(); diff --git a/docs/js/full_list.js b/docs/js/full_list.js new file mode 100644 index 0000000..59069c5 --- /dev/null +++ b/docs/js/full_list.js @@ -0,0 +1,216 @@ +(function() { + +var $clicked = $(null); +var searchTimeout = null; +var searchCache = []; +var caseSensitiveMatch = false; +var ignoreKeyCodeMin = 8; +var ignoreKeyCodeMax = 46; +var commandKey = 91; + +RegExp.escape = function(text) { + return text.replace(/[-[\]{}()*+?.,\\^$|#\s]/g, "\\$&"); +} + +function escapeShortcut() { + $(document).keydown(function(evt) { + if (evt.which == 27) { + window.parent.postMessage('navEscape', '*'); + } + }); +} + +function navResizer() { + $(window).mousemove(function(e) { + window.parent.postMessage({ + action: 'mousemove', event: {pageX: e.pageX, which: e.which} + }, '*'); + }).mouseup(function(e) { + window.parent.postMessage({action: 'mouseup'}, '*'); + }); + window.parent.postMessage("navReady", "*"); +} + +function clearSearchTimeout() { + clearTimeout(searchTimeout); + searchTimeout = null; +} + +function enableLinks() { + // load the target page in the parent window + $('#full_list li').on('click', function(evt) { + $('#full_list li').removeClass('clicked'); + $clicked = $(this); + $clicked.addClass('clicked'); + evt.stopPropagation(); + + if (evt.target.tagName === 'A') return true; + + var elem = $clicked.find('> .item .object_link a')[0]; + var e = evt.originalEvent; + var newEvent = new MouseEvent(evt.originalEvent.type); + newEvent.initMouseEvent(e.type, e.canBubble, e.cancelable, e.view, e.detail, e.screenX, e.screenY, e.clientX, e.clientY, e.ctrlKey, e.altKey, e.shiftKey, e.metaKey, e.button, e.relatedTarget); + elem.dispatchEvent(newEvent); + evt.preventDefault(); + return false; + }); +} + +function enableToggles() { + // show/hide nested classes on toggle click + $('#full_list a.toggle').on('click', function(evt) { + evt.stopPropagation(); + evt.preventDefault(); + $(this).parent().parent().toggleClass('collapsed'); + highlight(); + }); +} + +function populateSearchCache() { + $('#full_list li .item').each(function() { + var $node = $(this); + var $link = $node.find('.object_link a'); + if ($link.length > 0) { + searchCache.push({ + node: $node, + link: $link, + name: $link.text(), + fullName: $link.attr('title').split(' ')[0] + }); + } + }); +} + +function enableSearch() { + $('#search input').keyup(function(event) { + if (ignoredKeyPress(event)) return; + if (this.value === "") { + clearSearch(); + } else { + performSearch(this.value); + } + }); + + $('#full_list').after(""); +} + +function ignoredKeyPress(event) { + if ( + (event.keyCode > ignoreKeyCodeMin && event.keyCode < ignoreKeyCodeMax) || + (event.keyCode == commandKey) + ) { + return true; + } else { + return false; + } +} + +function clearSearch() { + clearSearchTimeout(); + $('#full_list .found').removeClass('found').each(function() { + var $link = $(this).find('.object_link a'); + $link.text($link.text()); + }); + $('#full_list, #content').removeClass('insearch'); + $clicked.parents().removeClass('collapsed'); + highlight(); +} + +function performSearch(searchString) { + clearSearchTimeout(); + $('#full_list, #content').addClass('insearch'); + $('#noresults').text('').hide(); + partialSearch(searchString, 0); +} + +function partialSearch(searchString, offset) { + var lastRowClass = ''; + var i = null; + for (i = offset; i < Math.min(offset + 50, searchCache.length); i++) { + var item = searchCache[i]; + var searchName = (searchString.indexOf('::') != -1 ? item.fullName : item.name); + var matchString = buildMatchString(searchString); + var matchRegexp = new RegExp(matchString, caseSensitiveMatch ? "" : "i"); + if (searchName.match(matchRegexp) == null) { + item.node.removeClass('found'); + item.link.text(item.link.text()); + } + else { + item.node.addClass('found'); + item.node.removeClass(lastRowClass).addClass(lastRowClass == 'r1' ? 'r2' : 'r1'); + lastRowClass = item.node.hasClass('r1') ? 'r1' : 'r2'; + item.link.html(item.name.replace(matchRegexp, "$&")); + } + } + if(i == searchCache.length) { + searchDone(); + } else { + searchTimeout = setTimeout(function() { + partialSearch(searchString, i); + }, 0); + } +} + +function searchDone() { + searchTimeout = null; + highlight(); + if ($('#full_list li:visible').size() === 0) { + $('#noresults').text('No results were found.').hide().fadeIn(); + } else { + $('#noresults').text('').hide(); + } + $('#content').removeClass('insearch'); +} + +function buildMatchString(searchString, event) { + caseSensitiveMatch = searchString.match(/[A-Z]/) != null; + var regexSearchString = RegExp.escape(searchString); + if (caseSensitiveMatch) { + regexSearchString += "|" + + $.map(searchString.split(''), function(e) { return RegExp.escape(e); }). + join('.+?'); + } + return regexSearchString; +} + +function highlight() { + $('#full_list li:visible').each(function(n) { + $(this).removeClass('even odd').addClass(n % 2 == 0 ? 'odd' : 'even'); + }); +} + +/** + * Expands the tree to the target element and its immediate + * children. + */ +function expandTo(path) { + var $target = $(document.getElementById('object_' + path)); + $target.addClass('clicked'); + $target.removeClass('collapsed'); + $target.parentsUntil('#full_list', 'li').removeClass('collapsed'); + if($target[0]) { + window.scrollTo(window.scrollX, $target.offset().top - 250); + highlight(); + } +} + +function windowEvents(event) { + var msg = event.data; + if (msg.action === "expand") { + expandTo(msg.path); + } + return false; +} + +window.addEventListener("message", windowEvents, false); + +$(document).ready(function() { + escapeShortcut(); + navResizer(); + enableLinks(); + enableToggles(); + populateSearchCache(); + enableSearch(); +}); + +})(); diff --git a/docs/js/jquery.js b/docs/js/jquery.js new file mode 100644 index 0000000..198b3ff --- /dev/null +++ b/docs/js/jquery.js @@ -0,0 +1,4 @@ +/*! jQuery v1.7.1 jquery.com | jquery.org/license */ +(function(a,b){function cy(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cv(a){if(!ck[a]){var b=c.body,d=f("<"+a+">").appendTo(b),e=d.css("display");d.remove();if(e==="none"||e===""){cl||(cl=c.createElement("iframe"),cl.frameBorder=cl.width=cl.height=0),b.appendChild(cl);if(!cm||!cl.createElement)cm=(cl.contentWindow||cl.contentDocument).document,cm.write((c.compatMode==="CSS1Compat"?"":"")+""),cm.close();d=cm.createElement(a),cm.body.appendChild(d),e=f.css(d,"display"),b.removeChild(cl)}ck[a]=e}return ck[a]}function cu(a,b){var c={};f.each(cq.concat.apply([],cq.slice(0,b)),function(){c[this]=a});return c}function ct(){cr=b}function cs(){setTimeout(ct,0);return cr=f.now()}function cj(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}function ci(){try{return new a.XMLHttpRequest}catch(b){}}function cc(a,c){a.dataFilter&&(c=a.dataFilter(c,a.dataType));var d=a.dataTypes,e={},g,h,i=d.length,j,k=d[0],l,m,n,o,p;for(g=1;g0){if(c!=="border")for(;g=0===c})}function S(a){return!a||!a.parentNode||a.parentNode.nodeType===11}function K(){return!0}function J(){return!1}function n(a,b,c){var d=b+"defer",e=b+"queue",g=b+"mark",h=f._data(a,d);h&&(c==="queue"||!f._data(a,e))&&(c==="mark"||!f._data(a,g))&&setTimeout(function(){!f._data(a,e)&&!f._data(a,g)&&(f.removeData(a,d,!0),h.fire())},0)}function m(a){for(var b in a){if(b==="data"&&f.isEmptyObject(a[b]))continue;if(b!=="toJSON")return!1}return!0}function l(a,c,d){if(d===b&&a.nodeType===1){var e="data-"+c.replace(k,"-$1").toLowerCase();d=a.getAttribute(e);if(typeof d=="string"){try{d=d==="true"?!0:d==="false"?!1:d==="null"?null:f.isNumeric(d)?parseFloat(d):j.test(d)?f.parseJSON(d):d}catch(g){}f.data(a,c,d)}else d=b}return d}function h(a){var b=g[a]={},c,d;a=a.split(/\s+/);for(c=0,d=a.length;c)[^>]*$|#([\w\-]*)$)/,j=/\S/,k=/^\s+/,l=/\s+$/,m=/^<(\w+)\s*\/?>(?:<\/\1>)?$/,n=/^[\],:{}\s]*$/,o=/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g,p=/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g,q=/(?:^|:|,)(?:\s*\[)+/g,r=/(webkit)[ \/]([\w.]+)/,s=/(opera)(?:.*version)?[ \/]([\w.]+)/,t=/(msie) ([\w.]+)/,u=/(mozilla)(?:.*? rv:([\w.]+))?/,v=/-([a-z]|[0-9])/ig,w=/^-ms-/,x=function(a,b){return(b+"").toUpperCase()},y=d.userAgent,z,A,B,C=Object.prototype.toString,D=Object.prototype.hasOwnProperty,E=Array.prototype.push,F=Array.prototype.slice,G=String.prototype.trim,H=Array.prototype.indexOf,I={};e.fn=e.prototype={constructor:e,init:function(a,d,f){var g,h,j,k;if(!a)return this;if(a.nodeType){this.context=this[0]=a,this.length=1;return this}if(a==="body"&&!d&&c.body){this.context=c,this[0]=c.body,this.selector=a,this.length=1;return this}if(typeof a=="string"){a.charAt(0)!=="<"||a.charAt(a.length-1)!==">"||a.length<3?g=i.exec(a):g=[null,a,null];if(g&&(g[1]||!d)){if(g[1]){d=d instanceof e?d[0]:d,k=d?d.ownerDocument||d:c,j=m.exec(a),j?e.isPlainObject(d)?(a=[c.createElement(j[1])],e.fn.attr.call(a,d,!0)):a=[k.createElement(j[1])]:(j=e.buildFragment([g[1]],[k]),a=(j.cacheable?e.clone(j.fragment):j.fragment).childNodes);return e.merge(this,a)}h=c.getElementById(g[2]);if(h&&h.parentNode){if(h.id!==g[2])return f.find(a);this.length=1,this[0]=h}this.context=c,this.selector=a;return this}return!d||d.jquery?(d||f).find(a):this.constructor(d).find(a)}if(e.isFunction(a))return f.ready(a);a.selector!==b&&(this.selector=a.selector,this.context=a.context);return e.makeArray(a,this)},selector:"",jquery:"1.7.1",length:0,size:function(){return this.length},toArray:function(){return F.call(this,0)},get:function(a){return a==null?this.toArray():a<0?this[this.length+a]:this[a]},pushStack:function(a,b,c){var d=this.constructor();e.isArray(a)?E.apply(d,a):e.merge(d,a),d.prevObject=this,d.context=this.context,b==="find"?d.selector=this.selector+(this.selector?" ":"")+c:b&&(d.selector=this.selector+"."+b+"("+c+")");return d},each:function(a,b){return e.each(this,a,b)},ready:function(a){e.bindReady(),A.add(a);return this},eq:function(a){a=+a;return a===-1?this.slice(a):this.slice(a,a+1)},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},slice:function(){return this.pushStack(F.apply(this,arguments),"slice",F.call(arguments).join(","))},map:function(a){return this.pushStack(e.map(this,function(b,c){return a.call(b,c,b)}))},end:function(){return this.prevObject||this.constructor(null)},push:E,sort:[].sort,splice:[].splice},e.fn.init.prototype=e.fn,e.extend=e.fn.extend=function(){var a,c,d,f,g,h,i=arguments[0]||{},j=1,k=arguments.length,l=!1;typeof i=="boolean"&&(l=i,i=arguments[1]||{},j=2),typeof i!="object"&&!e.isFunction(i)&&(i={}),k===j&&(i=this,--j);for(;j0)return;A.fireWith(c,[e]),e.fn.trigger&&e(c).trigger("ready").off("ready")}},bindReady:function(){if(!A){A=e.Callbacks("once memory");if(c.readyState==="complete")return setTimeout(e.ready,1);if(c.addEventListener)c.addEventListener("DOMContentLoaded",B,!1),a.addEventListener("load",e.ready,!1);else if(c.attachEvent){c.attachEvent("onreadystatechange",B),a.attachEvent("onload",e.ready);var b=!1;try{b=a.frameElement==null}catch(d){}c.documentElement.doScroll&&b&&J()}}},isFunction:function(a){return e.type(a)==="function"},isArray:Array.isArray||function(a){return e.type(a)==="array"},isWindow:function(a){return a&&typeof a=="object"&&"setInterval"in a},isNumeric:function(a){return!isNaN(parseFloat(a))&&isFinite(a)},type:function(a){return a==null?String(a):I[C.call(a)]||"object"},isPlainObject:function(a){if(!a||e.type(a)!=="object"||a.nodeType||e.isWindow(a))return!1;try{if(a.constructor&&!D.call(a,"constructor")&&!D.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}var d;for(d in a);return d===b||D.call(a,d)},isEmptyObject:function(a){for(var b in a)return!1;return!0},error:function(a){throw new Error(a)},parseJSON:function(b){if(typeof b!="string"||!b)return null;b=e.trim(b);if(a.JSON&&a.JSON.parse)return a.JSON.parse(b);if(n.test(b.replace(o,"@").replace(p,"]").replace(q,"")))return(new Function("return "+b))();e.error("Invalid JSON: "+b)},parseXML:function(c){var d,f;try{a.DOMParser?(f=new DOMParser,d=f.parseFromString(c,"text/xml")):(d=new ActiveXObject("Microsoft.XMLDOM"),d.async="false",d.loadXML(c))}catch(g){d=b}(!d||!d.documentElement||d.getElementsByTagName("parsererror").length)&&e.error("Invalid XML: "+c);return d},noop:function(){},globalEval:function(b){b&&j.test(b)&&(a.execScript||function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(w,"ms-").replace(v,x)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toUpperCase()===b.toUpperCase()},each:function(a,c,d){var f,g=0,h=a.length,i=h===b||e.isFunction(a);if(d){if(i){for(f in a)if(c.apply(a[f],d)===!1)break}else for(;g0&&a[0]&&a[j-1]||j===0||e.isArray(a));if(k)for(;i1?i.call(arguments,0):b,j.notifyWith(k,e)}}function l(a){return function(c){b[a]=arguments.length>1?i.call(arguments,0):c,--g||j.resolveWith(j,b)}}var b=i.call(arguments,0),c=0,d=b.length,e=Array(d),g=d,h=d,j=d<=1&&a&&f.isFunction(a.promise)?a:f.Deferred(),k=j.promise();if(d>1){for(;c
    a",d=q.getElementsByTagName("*"),e=q.getElementsByTagName("a")[0];if(!d||!d.length||!e)return{};g=c.createElement("select"),h=g.appendChild(c.createElement("option")),i=q.getElementsByTagName("input")[0],b={leadingWhitespace:q.firstChild.nodeType===3,tbody:!q.getElementsByTagName("tbody").length,htmlSerialize:!!q.getElementsByTagName("link").length,style:/top/.test(e.getAttribute("style")),hrefNormalized:e.getAttribute("href")==="/a",opacity:/^0.55/.test(e.style.opacity),cssFloat:!!e.style.cssFloat,checkOn:i.value==="on",optSelected:h.selected,getSetAttribute:q.className!=="t",enctype:!!c.createElement("form").enctype,html5Clone:c.createElement("nav").cloneNode(!0).outerHTML!=="<:nav>",submitBubbles:!0,changeBubbles:!0,focusinBubbles:!1,deleteExpando:!0,noCloneEvent:!0,inlineBlockNeedsLayout:!1,shrinkWrapBlocks:!1,reliableMarginRight:!0},i.checked=!0,b.noCloneChecked=i.cloneNode(!0).checked,g.disabled=!0,b.optDisabled=!h.disabled;try{delete q.test}catch(s){b.deleteExpando=!1}!q.addEventListener&&q.attachEvent&&q.fireEvent&&(q.attachEvent("onclick",function(){b.noCloneEvent=!1}),q.cloneNode(!0).fireEvent("onclick")),i=c.createElement("input"),i.value="t",i.setAttribute("type","radio"),b.radioValue=i.value==="t",i.setAttribute("checked","checked"),q.appendChild(i),k=c.createDocumentFragment(),k.appendChild(q.lastChild),b.checkClone=k.cloneNode(!0).cloneNode(!0).lastChild.checked,b.appendChecked=i.checked,k.removeChild(i),k.appendChild(q),q.innerHTML="",a.getComputedStyle&&(j=c.createElement("div"),j.style.width="0",j.style.marginRight="0",q.style.width="2px",q.appendChild(j),b.reliableMarginRight=(parseInt((a.getComputedStyle(j,null)||{marginRight:0}).marginRight,10)||0)===0);if(q.attachEvent)for(o in{submit:1,change:1,focusin:1})n="on"+o,p=n in q,p||(q.setAttribute(n,"return;"),p=typeof q[n]=="function"),b[o+"Bubbles"]=p;k.removeChild(q),k=g=h=j=q=i=null,f(function(){var a,d,e,g,h,i,j,k,m,n,o,r=c.getElementsByTagName("body")[0];!r||(j=1,k="position:absolute;top:0;left:0;width:1px;height:1px;margin:0;",m="visibility:hidden;border:0;",n="style='"+k+"border:5px solid #000;padding:0;'",o="
    "+""+"
    ",a=c.createElement("div"),a.style.cssText=m+"width:0;height:0;position:static;top:0;margin-top:"+j+"px",r.insertBefore(a,r.firstChild),q=c.createElement("div"),a.appendChild(q),q.innerHTML="
    t
    ",l=q.getElementsByTagName("td"),p=l[0].offsetHeight===0,l[0].style.display="",l[1].style.display="none",b.reliableHiddenOffsets=p&&l[0].offsetHeight===0,q.innerHTML="",q.style.width=q.style.paddingLeft="1px",f.boxModel=b.boxModel=q.offsetWidth===2,typeof q.style.zoom!="undefined"&&(q.style.display="inline",q.style.zoom=1,b.inlineBlockNeedsLayout=q.offsetWidth===2,q.style.display="",q.innerHTML="
    ",b.shrinkWrapBlocks=q.offsetWidth!==2),q.style.cssText=k+m,q.innerHTML=o,d=q.firstChild,e=d.firstChild,h=d.nextSibling.firstChild.firstChild,i={doesNotAddBorder:e.offsetTop!==5,doesAddBorderForTableAndCells:h.offsetTop===5},e.style.position="fixed",e.style.top="20px",i.fixedPosition=e.offsetTop===20||e.offsetTop===15,e.style.position=e.style.top="",d.style.overflow="hidden",d.style.position="relative",i.subtractsBorderForOverflowNotVisible=e.offsetTop===-5,i.doesNotIncludeMarginInBodyOffset=r.offsetTop!==j,r.removeChild(a),q=a=null,f.extend(b,i))});return b}();var j=/^(?:\{.*\}|\[.*\])$/,k=/([A-Z])/g;f.extend({cache:{},uuid:0,expando:"jQuery"+(f.fn.jquery+Math.random()).replace(/\D/g,""),noData:{embed:!0,object:"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000",applet:!0},hasData:function(a){a=a.nodeType?f.cache[a[f.expando]]:a[f.expando];return!!a&&!m(a)},data:function(a,c,d,e){if(!!f.acceptData(a)){var g,h,i,j=f.expando,k=typeof c=="string",l=a.nodeType,m=l?f.cache:a,n=l?a[j]:a[j]&&j,o=c==="events";if((!n||!m[n]||!o&&!e&&!m[n].data)&&k&&d===b)return;n||(l?a[j]=n=++f.uuid:n=j),m[n]||(m[n]={},l||(m[n].toJSON=f.noop));if(typeof c=="object"||typeof c=="function")e?m[n]=f.extend(m[n],c):m[n].data=f.extend(m[n].data,c);g=h=m[n],e||(h.data||(h.data={}),h=h.data),d!==b&&(h[f.camelCase(c)]=d);if(o&&!h[c])return g.events;k?(i=h[c],i==null&&(i=h[f.camelCase(c)])):i=h;return i}},removeData:function(a,b,c){if(!!f.acceptData(a)){var d,e,g,h=f.expando,i=a.nodeType,j=i?f.cache:a,k=i?a[h]:h;if(!j[k])return;if(b){d=c?j[k]:j[k].data;if(d){f.isArray(b)||(b in d?b=[b]:(b=f.camelCase(b),b in d?b=[b]:b=b.split(" ")));for(e=0,g=b.length;e-1)return!0;return!1},val:function(a){var c,d,e,g=this[0];{if(!!arguments.length){e=f.isFunction(a);return this.each(function(d){var g=f(this),h;if(this.nodeType===1){e?h=a.call(this,d,g.val()):h=a,h==null?h="":typeof h=="number"?h+="":f.isArray(h)&&(h=f.map(h,function(a){return a==null?"":a+""})),c=f.valHooks[this.nodeName.toLowerCase()]||f.valHooks[this.type];if(!c||!("set"in c)||c.set(this,h,"value")===b)this.value=h}})}if(g){c=f.valHooks[g.nodeName.toLowerCase()]||f.valHooks[g.type];if(c&&"get"in c&&(d=c.get(g,"value"))!==b)return d;d=g.value;return typeof d=="string"?d.replace(q,""):d==null?"":d}}}}),f.extend({valHooks:{option:{get:function(a){var b=a.attributes.value;return!b||b.specified?a.value:a.text}},select:{get:function(a){var b,c,d,e,g=a.selectedIndex,h=[],i=a.options,j=a.type==="select-one";if(g<0)return null;c=j?g:0,d=j?g+1:i.length;for(;c=0}),c.length||(a.selectedIndex=-1);return c}}},attrFn:{val:!0,css:!0,html:!0,text:!0,data:!0,width:!0,height:!0,offset:!0},attr:function(a,c,d,e){var g,h,i,j=a.nodeType;if(!!a&&j!==3&&j!==8&&j!==2){if(e&&c in f.attrFn)return f(a)[c](d);if(typeof a.getAttribute=="undefined")return f.prop(a,c,d);i=j!==1||!f.isXMLDoc(a),i&&(c=c.toLowerCase(),h=f.attrHooks[c]||(u.test(c)?x:w));if(d!==b){if(d===null){f.removeAttr(a,c);return}if(h&&"set"in h&&i&&(g=h.set(a,d,c))!==b)return g;a.setAttribute(c,""+d);return d}if(h&&"get"in h&&i&&(g=h.get(a,c))!==null)return g;g=a.getAttribute(c);return g===null?b:g}},removeAttr:function(a,b){var c,d,e,g,h=0;if(b&&a.nodeType===1){d=b.toLowerCase().split(p),g=d.length;for(;h=0}})});var z=/^(?:textarea|input|select)$/i,A=/^([^\.]*)?(?:\.(.+))?$/,B=/\bhover(\.\S+)?\b/,C=/^key/,D=/^(?:mouse|contextmenu)|click/,E=/^(?:focusinfocus|focusoutblur)$/,F=/^(\w*)(?:#([\w\-]+))?(?:\.([\w\-]+))?$/,G=function(a){var b=F.exec(a);b&&(b[1]=(b[1]||"").toLowerCase(),b[3]=b[3]&&new RegExp("(?:^|\\s)"+b[3]+"(?:\\s|$)"));return b},H=function(a,b){var c=a.attributes||{};return(!b[1]||a.nodeName.toLowerCase()===b[1])&&(!b[2]||(c.id||{}).value===b[2])&&(!b[3]||b[3].test((c["class"]||{}).value))},I=function(a){return f.event.special.hover?a:a.replace(B,"mouseenter$1 mouseleave$1")}; +f.event={add:function(a,c,d,e,g){var h,i,j,k,l,m,n,o,p,q,r,s;if(!(a.nodeType===3||a.nodeType===8||!c||!d||!(h=f._data(a)))){d.handler&&(p=d,d=p.handler),d.guid||(d.guid=f.guid++),j=h.events,j||(h.events=j={}),i=h.handle,i||(h.handle=i=function(a){return typeof f!="undefined"&&(!a||f.event.triggered!==a.type)?f.event.dispatch.apply(i.elem,arguments):b},i.elem=a),c=f.trim(I(c)).split(" ");for(k=0;k=0&&(h=h.slice(0,-1),k=!0),h.indexOf(".")>=0&&(i=h.split("."),h=i.shift(),i.sort());if((!e||f.event.customEvent[h])&&!f.event.global[h])return;c=typeof c=="object"?c[f.expando]?c:new f.Event(h,c):new f.Event(h),c.type=h,c.isTrigger=!0,c.exclusive=k,c.namespace=i.join("."),c.namespace_re=c.namespace?new RegExp("(^|\\.)"+i.join("\\.(?:.*\\.)?")+"(\\.|$)"):null,o=h.indexOf(":")<0?"on"+h:"";if(!e){j=f.cache;for(l in j)j[l].events&&j[l].events[h]&&f.event.trigger(c,d,j[l].handle.elem,!0);return}c.result=b,c.target||(c.target=e),d=d!=null?f.makeArray(d):[],d.unshift(c),p=f.event.special[h]||{};if(p.trigger&&p.trigger.apply(e,d)===!1)return;r=[[e,p.bindType||h]];if(!g&&!p.noBubble&&!f.isWindow(e)){s=p.delegateType||h,m=E.test(s+h)?e:e.parentNode,n=null;for(;m;m=m.parentNode)r.push([m,s]),n=m;n&&n===e.ownerDocument&&r.push([n.defaultView||n.parentWindow||a,s])}for(l=0;le&&i.push({elem:this,matches:d.slice(e)});for(j=0;j0?this.on(b,null,a,c):this.trigger(b)},f.attrFn&&(f.attrFn[b]=!0),C.test(b)&&(f.event.fixHooks[b]=f.event.keyHooks),D.test(b)&&(f.event.fixHooks[b]=f.event.mouseHooks)}),function(){function x(a,b,c,e,f,g){for(var h=0,i=e.length;h0){k=j;break}}j=j[a]}e[h]=k}}}function w(a,b,c,e,f,g){for(var h=0,i=e.length;h+~,(\[\\]+)+|[>+~])(\s*,\s*)?((?:.|\r|\n)*)/g,d="sizcache"+(Math.random()+"").replace(".",""),e=0,g=Object.prototype.toString,h=!1,i=!0,j=/\\/g,k=/\r\n/g,l=/\W/;[0,0].sort(function(){i=!1;return 0});var m=function(b,d,e,f){e=e||[],d=d||c;var h=d;if(d.nodeType!==1&&d.nodeType!==9)return[];if(!b||typeof b!="string")return e;var i,j,k,l,n,q,r,t,u=!0,v=m.isXML(d),w=[],x=b;do{a.exec(""),i=a.exec(x);if(i){x=i[3],w.push(i[1]);if(i[2]){l=i[3];break}}}while(i);if(w.length>1&&p.exec(b))if(w.length===2&&o.relative[w[0]])j=y(w[0]+w[1],d,f);else{j=o.relative[w[0]]?[d]:m(w.shift(),d);while(w.length)b=w.shift(),o.relative[b]&&(b+=w.shift()),j=y(b,j,f)}else{!f&&w.length>1&&d.nodeType===9&&!v&&o.match.ID.test(w[0])&&!o.match.ID.test(w[w.length-1])&&(n=m.find(w.shift(),d,v),d=n.expr?m.filter(n.expr,n.set)[0]:n.set[0]);if(d){n=f?{expr:w.pop(),set:s(f)}:m.find(w.pop(),w.length===1&&(w[0]==="~"||w[0]==="+")&&d.parentNode?d.parentNode:d,v),j=n.expr?m.filter(n.expr,n.set):n.set,w.length>0?k=s(j):u=!1;while(w.length)q=w.pop(),r=q,o.relative[q]?r=w.pop():q="",r==null&&(r=d),o.relative[q](k,r,v)}else k=w=[]}k||(k=j),k||m.error(q||b);if(g.call(k)==="[object Array]")if(!u)e.push.apply(e,k);else if(d&&d.nodeType===1)for(t=0;k[t]!=null;t++)k[t]&&(k[t]===!0||k[t].nodeType===1&&m.contains(d,k[t]))&&e.push(j[t]);else for(t=0;k[t]!=null;t++)k[t]&&k[t].nodeType===1&&e.push(j[t]);else s(k,e);l&&(m(l,h,e,f),m.uniqueSort(e));return e};m.uniqueSort=function(a){if(u){h=i,a.sort(u);if(h)for(var b=1;b0},m.find=function(a,b,c){var d,e,f,g,h,i;if(!a)return[];for(e=0,f=o.order.length;e":function(a,b){var c,d=typeof b=="string",e=0,f=a.length;if(d&&!l.test(b)){b=b.toLowerCase();for(;e=0)?c||d.push(h):c&&(b[g]=!1));return!1},ID:function(a){return a[1].replace(j,"")},TAG:function(a,b){return a[1].replace(j,"").toLowerCase()},CHILD:function(a){if(a[1]==="nth"){a[2]||m.error(a[0]),a[2]=a[2].replace(/^\+|\s*/g,"");var b=/(-?)(\d*)(?:n([+\-]?\d*))?/.exec(a[2]==="even"&&"2n"||a[2]==="odd"&&"2n+1"||!/\D/.test(a[2])&&"0n+"+a[2]||a[2]);a[2]=b[1]+(b[2]||1)-0,a[3]=b[3]-0}else a[2]&&m.error(a[0]);a[0]=e++;return a},ATTR:function(a,b,c,d,e,f){var g=a[1]=a[1].replace(j,"");!f&&o.attrMap[g]&&(a[1]=o.attrMap[g]),a[4]=(a[4]||a[5]||"").replace(j,""),a[2]==="~="&&(a[4]=" "+a[4]+" ");return a},PSEUDO:function(b,c,d,e,f){if(b[1]==="not")if((a.exec(b[3])||"").length>1||/^\w/.test(b[3]))b[3]=m(b[3],null,null,c);else{var g=m.filter(b[3],c,d,!0^f);d||e.push.apply(e,g);return!1}else if(o.match.POS.test(b[0])||o.match.CHILD.test(b[0]))return!0;return b},POS:function(a){a.unshift(!0);return a}},filters:{enabled:function(a){return a.disabled===!1&&a.type!=="hidden"},disabled:function(a){return a.disabled===!0},checked:function(a){return a.checked===!0},selected:function(a){a.parentNode&&a.parentNode.selectedIndex;return a.selected===!0},parent:function(a){return!!a.firstChild},empty:function(a){return!a.firstChild},has:function(a,b,c){return!!m(c[3],a).length},header:function(a){return/h\d/i.test(a.nodeName)},text:function(a){var b=a.getAttribute("type"),c=a.type;return a.nodeName.toLowerCase()==="input"&&"text"===c&&(b===c||b===null)},radio:function(a){return a.nodeName.toLowerCase()==="input"&&"radio"===a.type},checkbox:function(a){return a.nodeName.toLowerCase()==="input"&&"checkbox"===a.type},file:function(a){return a.nodeName.toLowerCase()==="input"&&"file"===a.type},password:function(a){return a.nodeName.toLowerCase()==="input"&&"password"===a.type},submit:function(a){var b=a.nodeName.toLowerCase();return(b==="input"||b==="button")&&"submit"===a.type},image:function(a){return a.nodeName.toLowerCase()==="input"&&"image"===a.type},reset:function(a){var b=a.nodeName.toLowerCase();return(b==="input"||b==="button")&&"reset"===a.type},button:function(a){var b=a.nodeName.toLowerCase();return b==="input"&&"button"===a.type||b==="button"},input:function(a){return/input|select|textarea|button/i.test(a.nodeName)},focus:function(a){return a===a.ownerDocument.activeElement}},setFilters:{first:function(a,b){return b===0},last:function(a,b,c,d){return b===d.length-1},even:function(a,b){return b%2===0},odd:function(a,b){return b%2===1},lt:function(a,b,c){return bc[3]-0},nth:function(a,b,c){return c[3]-0===b},eq:function(a,b,c){return c[3]-0===b}},filter:{PSEUDO:function(a,b,c,d){var e=b[1],f=o.filters[e];if(f)return f(a,c,b,d);if(e==="contains")return(a.textContent||a.innerText||n([a])||"").indexOf(b[3])>=0;if(e==="not"){var g=b[3];for(var h=0,i=g.length;h=0}},ID:function(a,b){return a.nodeType===1&&a.getAttribute("id")===b},TAG:function(a,b){return b==="*"&&a.nodeType===1||!!a.nodeName&&a.nodeName.toLowerCase()===b},CLASS:function(a,b){return(" "+(a.className||a.getAttribute("class"))+" ").indexOf(b)>-1},ATTR:function(a,b){var c=b[1],d=m.attr?m.attr(a,c):o.attrHandle[c]?o.attrHandle[c](a):a[c]!=null?a[c]:a.getAttribute(c),e=d+"",f=b[2],g=b[4];return d==null?f==="!=":!f&&m.attr?d!=null:f==="="?e===g:f==="*="?e.indexOf(g)>=0:f==="~="?(" "+e+" ").indexOf(g)>=0:g?f==="!="?e!==g:f==="^="?e.indexOf(g)===0:f==="$="?e.substr(e.length-g.length)===g:f==="|="?e===g||e.substr(0,g.length+1)===g+"-":!1:e&&d!==!1},POS:function(a,b,c,d){var e=b[2],f=o.setFilters[e];if(f)return f(a,c,b,d)}}},p=o.match.POS,q=function(a,b){return"\\"+(b-0+1)};for(var r in o.match)o.match[r]=new RegExp(o.match[r].source+/(?![^\[]*\])(?![^\(]*\))/.source),o.leftMatch[r]=new RegExp(/(^(?:.|\r|\n)*?)/.source+o.match[r].source.replace(/\\(\d+)/g,q));var s=function(a,b){a=Array.prototype.slice.call(a,0);if(b){b.push.apply(b,a);return b}return a};try{Array.prototype.slice.call(c.documentElement.childNodes,0)[0].nodeType}catch(t){s=function(a,b){var c=0,d=b||[];if(g.call(a)==="[object Array]")Array.prototype.push.apply(d,a);else if(typeof a.length=="number")for(var e=a.length;c",e.insertBefore(a,e.firstChild),c.getElementById(d)&&(o.find.ID=function(a,c,d){if(typeof c.getElementById!="undefined"&&!d){var e=c.getElementById(a[1]);return e?e.id===a[1]||typeof e.getAttributeNode!="undefined"&&e.getAttributeNode("id").nodeValue===a[1]?[e]:b:[]}},o.filter.ID=function(a,b){var c=typeof a.getAttributeNode!="undefined"&&a.getAttributeNode("id");return a.nodeType===1&&c&&c.nodeValue===b}),e.removeChild(a),e=a=null}(),function(){var a=c.createElement("div");a.appendChild(c.createComment("")),a.getElementsByTagName("*").length>0&&(o.find.TAG=function(a,b){var c=b.getElementsByTagName(a[1]);if(a[1]==="*"){var d=[];for(var e=0;c[e];e++)c[e].nodeType===1&&d.push(c[e]);c=d}return c}),a.innerHTML="",a.firstChild&&typeof a.firstChild.getAttribute!="undefined"&&a.firstChild.getAttribute("href")!=="#"&&(o.attrHandle.href=function(a){return a.getAttribute("href",2)}),a=null}(),c.querySelectorAll&&function(){var a=m,b=c.createElement("div"),d="__sizzle__";b.innerHTML="

    ";if(!b.querySelectorAll||b.querySelectorAll(".TEST").length!==0){m=function(b,e,f,g){e=e||c;if(!g&&!m.isXML(e)){var h=/^(\w+$)|^\.([\w\-]+$)|^#([\w\-]+$)/.exec(b);if(h&&(e.nodeType===1||e.nodeType===9)){if(h[1])return s(e.getElementsByTagName(b),f);if(h[2]&&o.find.CLASS&&e.getElementsByClassName)return s(e.getElementsByClassName(h[2]),f)}if(e.nodeType===9){if(b==="body"&&e.body)return s([e.body],f);if(h&&h[3]){var i=e.getElementById(h[3]);if(!i||!i.parentNode)return s([],f);if(i.id===h[3])return s([i],f)}try{return s(e.querySelectorAll(b),f)}catch(j){}}else if(e.nodeType===1&&e.nodeName.toLowerCase()!=="object"){var k=e,l=e.getAttribute("id"),n=l||d,p=e.parentNode,q=/^\s*[+~]/.test(b);l?n=n.replace(/'/g,"\\$&"):e.setAttribute("id",n),q&&p&&(e=e.parentNode);try{if(!q||p)return s(e.querySelectorAll("[id='"+n+"'] "+b),f)}catch(r){}finally{l||k.removeAttribute("id")}}}return a(b,e,f,g)};for(var e in a)m[e]=a[e];b=null}}(),function(){var a=c.documentElement,b=a.matchesSelector||a.mozMatchesSelector||a.webkitMatchesSelector||a.msMatchesSelector;if(b){var d=!b.call(c.createElement("div"),"div"),e=!1;try{b.call(c.documentElement,"[test!='']:sizzle")}catch(f){e=!0}m.matchesSelector=function(a,c){c=c.replace(/\=\s*([^'"\]]*)\s*\]/g,"='$1']");if(!m.isXML(a))try{if(e||!o.match.PSEUDO.test(c)&&!/!=/.test(c)){var f=b.call(a,c);if(f||!d||a.document&&a.document.nodeType!==11)return f}}catch(g){}return m(c,null,null,[a]).length>0}}}(),function(){var a=c.createElement("div");a.innerHTML="
    ";if(!!a.getElementsByClassName&&a.getElementsByClassName("e").length!==0){a.lastChild.className="e";if(a.getElementsByClassName("e").length===1)return;o.order.splice(1,0,"CLASS"),o.find.CLASS=function(a,b,c){if(typeof b.getElementsByClassName!="undefined"&&!c)return b.getElementsByClassName(a[1])},a=null}}(),c.documentElement.contains?m.contains=function(a,b){return a!==b&&(a.contains?a.contains(b):!0)}:c.documentElement.compareDocumentPosition?m.contains=function(a,b){return!!(a.compareDocumentPosition(b)&16)}:m.contains=function(){return!1},m.isXML=function(a){var b=(a?a.ownerDocument||a:0).documentElement;return b?b.nodeName!=="HTML":!1};var y=function(a,b,c){var d,e=[],f="",g=b.nodeType?[b]:b;while(d=o.match.PSEUDO.exec(a))f+=d[0],a=a.replace(o.match.PSEUDO,"");a=o.relative[a]?a+"*":a;for(var h=0,i=g.length;h0)for(h=g;h=0:f.filter(a,this).length>0:this.filter(a).length>0)},closest:function(a,b){var c=[],d,e,g=this[0];if(f.isArray(a)){var h=1;while(g&&g.ownerDocument&&g!==b){for(d=0;d-1:f.find.matchesSelector(g,a)){c.push(g);break}g=g.parentNode;if(!g||!g.ownerDocument||g===b||g.nodeType===11)break}}c=c.length>1?f.unique(c):c;return this.pushStack(c,"closest",a)},index:function(a){if(!a)return this[0]&&this[0].parentNode?this.prevAll().length:-1;if(typeof a=="string")return f.inArray(this[0],f(a));return f.inArray(a.jquery?a[0]:a,this)},add:function(a,b){var c=typeof a=="string"?f(a,b):f.makeArray(a&&a.nodeType?[a]:a),d=f.merge(this.get(),c);return this.pushStack(S(c[0])||S(d[0])?d:f.unique(d))},andSelf:function(){return this.add(this.prevObject)}}),f.each({parent:function(a){var b=a.parentNode;return b&&b.nodeType!==11?b:null},parents:function(a){return f.dir(a,"parentNode")},parentsUntil:function(a,b,c){return f.dir(a,"parentNode",c)},next:function(a){return f.nth(a,2,"nextSibling")},prev:function(a){return f.nth(a,2,"previousSibling")},nextAll:function(a){return f.dir(a,"nextSibling")},prevAll:function(a){return f.dir(a,"previousSibling")},nextUntil:function(a,b,c){return f.dir(a,"nextSibling",c)},prevUntil:function(a,b,c){return f.dir(a,"previousSibling",c)},siblings:function(a){return f.sibling(a.parentNode.firstChild,a)},children:function(a){return f.sibling(a.firstChild)},contents:function(a){return f.nodeName(a,"iframe")?a.contentDocument||a.contentWindow.document:f.makeArray(a.childNodes)}},function(a,b){f.fn[a]=function(c,d){var e=f.map(this,b,c);L.test(a)||(d=c),d&&typeof d=="string"&&(e=f.filter(d,e)),e=this.length>1&&!R[a]?f.unique(e):e,(this.length>1||N.test(d))&&M.test(a)&&(e=e.reverse());return this.pushStack(e,a,P.call(arguments).join(","))}}),f.extend({filter:function(a,b,c){c&&(a=":not("+a+")");return b.length===1?f.find.matchesSelector(b[0],a)?[b[0]]:[]:f.find.matches(a,b)},dir:function(a,c,d){var e=[],g=a[c];while(g&&g.nodeType!==9&&(d===b||g.nodeType!==1||!f(g).is(d)))g.nodeType===1&&e.push(g),g=g[c];return e},nth:function(a,b,c,d){b=b||1;var e=0;for(;a;a=a[c])if(a.nodeType===1&&++e===b)break;return a},sibling:function(a,b){var c=[];for(;a;a=a.nextSibling)a.nodeType===1&&a!==b&&c.push(a);return c}});var V="abbr|article|aside|audio|canvas|datalist|details|figcaption|figure|footer|header|hgroup|mark|meter|nav|output|progress|section|summary|time|video",W=/ jQuery\d+="(?:\d+|null)"/g,X=/^\s+/,Y=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/ig,Z=/<([\w:]+)/,$=/",""],legend:[1,"
    ","
    "],thead:[1,"","
    "],tr:[2,"","
    "],td:[3,"","
    "],col:[2,"","
    "],area:[1,"",""],_default:[0,"",""]},bh=U(c);bg.optgroup=bg.option,bg.tbody=bg.tfoot=bg.colgroup=bg.caption=bg.thead,bg.th=bg.td,f.support.htmlSerialize||(bg._default=[1,"div
    ","
    "]),f.fn.extend({text:function(a){if(f.isFunction(a))return this.each(function(b){var c=f(this);c.text(a.call(this,b,c.text()))});if(typeof a!="object"&&a!==b)return this.empty().append((this[0]&&this[0].ownerDocument||c).createTextNode(a));return f.text(this)},wrapAll:function(a){if(f.isFunction(a))return this.each(function(b){f(this).wrapAll(a.call(this,b))});if(this[0]){var b=f(a,this[0].ownerDocument).eq(0).clone(!0);this[0].parentNode&&b.insertBefore(this[0]),b.map(function(){var a=this;while(a.firstChild&&a.firstChild.nodeType===1)a=a.firstChild;return a}).append(this)}return this},wrapInner:function(a){if(f.isFunction(a))return this.each(function(b){f(this).wrapInner(a.call(this,b))});return this.each(function(){var b=f(this),c=b.contents();c.length?c.wrapAll(a):b.append(a)})},wrap:function(a){var b=f.isFunction(a);return this.each(function(c){f(this).wrapAll(b?a.call(this,c):a)})},unwrap:function(){return this.parent().each(function(){f.nodeName(this,"body")||f(this).replaceWith(this.childNodes)}).end()},append:function(){return this.domManip(arguments,!0,function(a){this.nodeType===1&&this.appendChild(a)})},prepend:function(){return this.domManip(arguments,!0,function(a){this.nodeType===1&&this.insertBefore(a,this.firstChild)})},before:function(){if(this[0]&&this[0].parentNode)return this.domManip(arguments,!1,function(a){this.parentNode.insertBefore(a,this)});if(arguments.length){var a=f.clean(arguments);a.push.apply(a,this.toArray());return this.pushStack(a,"before",arguments)}},after:function(){if(this[0]&&this[0].parentNode)return this.domManip(arguments,!1,function(a){this.parentNode.insertBefore(a,this.nextSibling)});if(arguments.length){var a=this.pushStack(this,"after",arguments);a.push.apply(a,f.clean(arguments));return a}},remove:function(a,b){for(var c=0,d;(d=this[c])!=null;c++)if(!a||f.filter(a,[d]).length)!b&&d.nodeType===1&&(f.cleanData(d.getElementsByTagName("*")),f.cleanData([d])),d.parentNode&&d.parentNode.removeChild(d);return this},empty:function() +{for(var a=0,b;(b=this[a])!=null;a++){b.nodeType===1&&f.cleanData(b.getElementsByTagName("*"));while(b.firstChild)b.removeChild(b.firstChild)}return this},clone:function(a,b){a=a==null?!1:a,b=b==null?a:b;return this.map(function(){return f.clone(this,a,b)})},html:function(a){if(a===b)return this[0]&&this[0].nodeType===1?this[0].innerHTML.replace(W,""):null;if(typeof a=="string"&&!ba.test(a)&&(f.support.leadingWhitespace||!X.test(a))&&!bg[(Z.exec(a)||["",""])[1].toLowerCase()]){a=a.replace(Y,"<$1>");try{for(var c=0,d=this.length;c1&&l0?this.clone(!0):this).get();f(e[h])[b](j),d=d.concat(j)}return this.pushStack(d,a,e.selector)}}),f.extend({clone:function(a,b,c){var d,e,g,h=f.support.html5Clone||!bc.test("<"+a.nodeName)?a.cloneNode(!0):bo(a);if((!f.support.noCloneEvent||!f.support.noCloneChecked)&&(a.nodeType===1||a.nodeType===11)&&!f.isXMLDoc(a)){bk(a,h),d=bl(a),e=bl(h);for(g=0;d[g];++g)e[g]&&bk(d[g],e[g])}if(b){bj(a,h);if(c){d=bl(a),e=bl(h);for(g=0;d[g];++g)bj(d[g],e[g])}}d=e=null;return h},clean:function(a,b,d,e){var g;b=b||c,typeof b.createElement=="undefined"&&(b=b.ownerDocument||b[0]&&b[0].ownerDocument||c);var h=[],i;for(var j=0,k;(k=a[j])!=null;j++){typeof k=="number"&&(k+="");if(!k)continue;if(typeof k=="string")if(!_.test(k))k=b.createTextNode(k);else{k=k.replace(Y,"<$1>");var l=(Z.exec(k)||["",""])[1].toLowerCase(),m=bg[l]||bg._default,n=m[0],o=b.createElement("div");b===c?bh.appendChild(o):U(b).appendChild(o),o.innerHTML=m[1]+k+m[2];while(n--)o=o.lastChild;if(!f.support.tbody){var p=$.test(k),q=l==="table"&&!p?o.firstChild&&o.firstChild.childNodes:m[1]===""&&!p?o.childNodes:[];for(i=q.length-1;i>=0;--i)f.nodeName(q[i],"tbody")&&!q[i].childNodes.length&&q[i].parentNode.removeChild(q[i])}!f.support.leadingWhitespace&&X.test(k)&&o.insertBefore(b.createTextNode(X.exec(k)[0]),o.firstChild),k=o.childNodes}var r;if(!f.support.appendChecked)if(k[0]&&typeof (r=k.length)=="number")for(i=0;i=0)return b+"px"}}}),f.support.opacity||(f.cssHooks.opacity={get:function(a,b){return br.test((b&&a.currentStyle?a.currentStyle.filter:a.style.filter)||"")?parseFloat(RegExp.$1)/100+"":b?"1":""},set:function(a,b){var c=a.style,d=a.currentStyle,e=f.isNumeric(b)?"alpha(opacity="+b*100+")":"",g=d&&d.filter||c.filter||"";c.zoom=1;if(b>=1&&f.trim(g.replace(bq,""))===""){c.removeAttribute("filter");if(d&&!d.filter)return}c.filter=bq.test(g)?g.replace(bq,e):g+" "+e}}),f(function(){f.support.reliableMarginRight||(f.cssHooks.marginRight={get:function(a,b){var c;f.swap(a,{display:"inline-block"},function(){b?c=bz(a,"margin-right","marginRight"):c=a.style.marginRight});return c}})}),c.defaultView&&c.defaultView.getComputedStyle&&(bA=function(a,b){var c,d,e;b=b.replace(bs,"-$1").toLowerCase(),(d=a.ownerDocument.defaultView)&&(e=d.getComputedStyle(a,null))&&(c=e.getPropertyValue(b),c===""&&!f.contains(a.ownerDocument.documentElement,a)&&(c=f.style(a,b)));return c}),c.documentElement.currentStyle&&(bB=function(a,b){var c,d,e,f=a.currentStyle&&a.currentStyle[b],g=a.style;f===null&&g&&(e=g[b])&&(f=e),!bt.test(f)&&bu.test(f)&&(c=g.left,d=a.runtimeStyle&&a.runtimeStyle.left,d&&(a.runtimeStyle.left=a.currentStyle.left),g.left=b==="fontSize"?"1em":f||0,f=g.pixelLeft+"px",g.left=c,d&&(a.runtimeStyle.left=d));return f===""?"auto":f}),bz=bA||bB,f.expr&&f.expr.filters&&(f.expr.filters.hidden=function(a){var b=a.offsetWidth,c=a.offsetHeight;return b===0&&c===0||!f.support.reliableHiddenOffsets&&(a.style&&a.style.display||f.css(a,"display"))==="none"},f.expr.filters.visible=function(a){return!f.expr.filters.hidden(a)});var bD=/%20/g,bE=/\[\]$/,bF=/\r?\n/g,bG=/#.*$/,bH=/^(.*?):[ \t]*([^\r\n]*)\r?$/mg,bI=/^(?:color|date|datetime|datetime-local|email|hidden|month|number|password|range|search|tel|text|time|url|week)$/i,bJ=/^(?:about|app|app\-storage|.+\-extension|file|res|widget):$/,bK=/^(?:GET|HEAD)$/,bL=/^\/\//,bM=/\?/,bN=/)<[^<]*)*<\/script>/gi,bO=/^(?:select|textarea)/i,bP=/\s+/,bQ=/([?&])_=[^&]*/,bR=/^([\w\+\.\-]+:)(?:\/\/([^\/?#:]*)(?::(\d+))?)?/,bS=f.fn.load,bT={},bU={},bV,bW,bX=["*/"]+["*"];try{bV=e.href}catch(bY){bV=c.createElement("a"),bV.href="",bV=bV.href}bW=bR.exec(bV.toLowerCase())||[],f.fn.extend({load:function(a,c,d){if(typeof a!="string"&&bS)return bS.apply(this,arguments);if(!this.length)return this;var e=a.indexOf(" ");if(e>=0){var g=a.slice(e,a.length);a=a.slice(0,e)}var h="GET";c&&(f.isFunction(c)?(d=c,c=b):typeof c=="object"&&(c=f.param(c,f.ajaxSettings.traditional),h="POST"));var i=this;f.ajax({url:a,type:h,dataType:"html",data:c,complete:function(a,b,c){c=a.responseText,a.isResolved()&&(a.done(function(a){c=a}),i.html(g?f("
    ").append(c.replace(bN,"")).find(g):c)),d&&i.each(d,[c,b,a])}});return this},serialize:function(){return f.param(this.serializeArray())},serializeArray:function(){return this.map(function(){return this.elements?f.makeArray(this.elements):this}).filter(function(){return this.name&&!this.disabled&&(this.checked||bO.test(this.nodeName)||bI.test(this.type))}).map(function(a,b){var c=f(this).val();return c==null?null:f.isArray(c)?f.map(c,function(a,c){return{name:b.name,value:a.replace(bF,"\r\n")}}):{name:b.name,value:c.replace(bF,"\r\n")}}).get()}}),f.each("ajaxStart ajaxStop ajaxComplete ajaxError ajaxSuccess ajaxSend".split(" "),function(a,b){f.fn[b]=function(a){return this.on(b,a)}}),f.each(["get","post"],function(a,c){f[c]=function(a,d,e,g){f.isFunction(d)&&(g=g||e,e=d,d=b);return f.ajax({type:c,url:a,data:d,success:e,dataType:g})}}),f.extend({getScript:function(a,c){return f.get(a,b,c,"script")},getJSON:function(a,b,c){return f.get(a,b,c,"json")},ajaxSetup:function(a,b){b?b_(a,f.ajaxSettings):(b=a,a=f.ajaxSettings),b_(a,b);return a},ajaxSettings:{url:bV,isLocal:bJ.test(bW[1]),global:!0,type:"GET",contentType:"application/x-www-form-urlencoded",processData:!0,async:!0,accepts:{xml:"application/xml, text/xml",html:"text/html",text:"text/plain",json:"application/json, text/javascript","*":bX},contents:{xml:/xml/,html:/html/,json:/json/},responseFields:{xml:"responseXML",text:"responseText"},converters:{"* text":a.String,"text html":!0,"text json":f.parseJSON,"text xml":f.parseXML},flatOptions:{context:!0,url:!0}},ajaxPrefilter:bZ(bT),ajaxTransport:bZ(bU),ajax:function(a,c){function w(a,c,l,m){if(s!==2){s=2,q&&clearTimeout(q),p=b,n=m||"",v.readyState=a>0?4:0;var o,r,u,w=c,x=l?cb(d,v,l):b,y,z;if(a>=200&&a<300||a===304){if(d.ifModified){if(y=v.getResponseHeader("Last-Modified"))f.lastModified[k]=y;if(z=v.getResponseHeader("Etag"))f.etag[k]=z}if(a===304)w="notmodified",o=!0;else try{r=cc(d,x),w="success",o=!0}catch(A){w="parsererror",u=A}}else{u=w;if(!w||a)w="error",a<0&&(a=0)}v.status=a,v.statusText=""+(c||w),o?h.resolveWith(e,[r,w,v]):h.rejectWith(e,[v,w,u]),v.statusCode(j),j=b,t&&g.trigger("ajax"+(o?"Success":"Error"),[v,d,o?r:u]),i.fireWith(e,[v,w]),t&&(g.trigger("ajaxComplete",[v,d]),--f.active||f.event.trigger("ajaxStop"))}}typeof a=="object"&&(c=a,a=b),c=c||{};var d=f.ajaxSetup({},c),e=d.context||d,g=e!==d&&(e.nodeType||e instanceof f)?f(e):f.event,h=f.Deferred(),i=f.Callbacks("once memory"),j=d.statusCode||{},k,l={},m={},n,o,p,q,r,s=0,t,u,v={readyState:0,setRequestHeader:function(a,b){if(!s){var c=a.toLowerCase();a=m[c]=m[c]||a,l[a]=b}return this},getAllResponseHeaders:function(){return s===2?n:null},getResponseHeader:function(a){var c;if(s===2){if(!o){o={};while(c=bH.exec(n))o[c[1].toLowerCase()]=c[2]}c=o[a.toLowerCase()]}return c===b?null:c},overrideMimeType:function(a){s||(d.mimeType=a);return this},abort:function(a){a=a||"abort",p&&p.abort(a),w(0,a);return this}};h.promise(v),v.success=v.done,v.error=v.fail,v.complete=i.add,v.statusCode=function(a){if(a){var b;if(s<2)for(b in a)j[b]=[j[b],a[b]];else b=a[v.status],v.then(b,b)}return this},d.url=((a||d.url)+"").replace(bG,"").replace(bL,bW[1]+"//"),d.dataTypes=f.trim(d.dataType||"*").toLowerCase().split(bP),d.crossDomain==null&&(r=bR.exec(d.url.toLowerCase()),d.crossDomain=!(!r||r[1]==bW[1]&&r[2]==bW[2]&&(r[3]||(r[1]==="http:"?80:443))==(bW[3]||(bW[1]==="http:"?80:443)))),d.data&&d.processData&&typeof d.data!="string"&&(d.data=f.param(d.data,d.traditional)),b$(bT,d,c,v);if(s===2)return!1;t=d.global,d.type=d.type.toUpperCase(),d.hasContent=!bK.test(d.type),t&&f.active++===0&&f.event.trigger("ajaxStart");if(!d.hasContent){d.data&&(d.url+=(bM.test(d.url)?"&":"?")+d.data,delete d.data),k=d.url;if(d.cache===!1){var x=f.now(),y=d.url.replace(bQ,"$1_="+x);d.url=y+(y===d.url?(bM.test(d.url)?"&":"?")+"_="+x:"")}}(d.data&&d.hasContent&&d.contentType!==!1||c.contentType)&&v.setRequestHeader("Content-Type",d.contentType),d.ifModified&&(k=k||d.url,f.lastModified[k]&&v.setRequestHeader("If-Modified-Since",f.lastModified[k]),f.etag[k]&&v.setRequestHeader("If-None-Match",f.etag[k])),v.setRequestHeader("Accept",d.dataTypes[0]&&d.accepts[d.dataTypes[0]]?d.accepts[d.dataTypes[0]]+(d.dataTypes[0]!=="*"?", "+bX+"; q=0.01":""):d.accepts["*"]);for(u in d.headers)v.setRequestHeader(u,d.headers[u]);if(d.beforeSend&&(d.beforeSend.call(e,v,d)===!1||s===2)){v.abort();return!1}for(u in{success:1,error:1,complete:1})v[u](d[u]);p=b$(bU,d,c,v);if(!p)w(-1,"No Transport");else{v.readyState=1,t&&g.trigger("ajaxSend",[v,d]),d.async&&d.timeout>0&&(q=setTimeout(function(){v.abort("timeout")},d.timeout));try{s=1,p.send(l,w)}catch(z){if(s<2)w(-1,z);else throw z}}return v},param:function(a,c){var d=[],e=function(a,b){b=f.isFunction(b)?b():b,d[d.length]=encodeURIComponent(a)+"="+encodeURIComponent(b)};c===b&&(c=f.ajaxSettings.traditional);if(f.isArray(a)||a.jquery&&!f.isPlainObject(a))f.each(a,function(){e(this.name,this.value)});else for(var g in a)ca(g,a[g],c,e);return d.join("&").replace(bD,"+")}}),f.extend({active:0,lastModified:{},etag:{}});var cd=f.now(),ce=/(\=)\?(&|$)|\?\?/i;f.ajaxSetup({jsonp:"callback",jsonpCallback:function(){return f.expando+"_"+cd++}}),f.ajaxPrefilter("json jsonp",function(b,c,d){var e=b.contentType==="application/x-www-form-urlencoded"&&typeof b.data=="string";if(b.dataTypes[0]==="jsonp"||b.jsonp!==!1&&(ce.test(b.url)||e&&ce.test(b.data))){var g,h=b.jsonpCallback=f.isFunction(b.jsonpCallback)?b.jsonpCallback():b.jsonpCallback,i=a[h],j=b.url,k=b.data,l="$1"+h+"$2";b.jsonp!==!1&&(j=j.replace(ce,l),b.url===j&&(e&&(k=k.replace(ce,l)),b.data===k&&(j+=(/\?/.test(j)?"&":"?")+b.jsonp+"="+h))),b.url=j,b.data=k,a[h]=function(a){g=[a]},d.always(function(){a[h]=i,g&&f.isFunction(i)&&a[h](g[0])}),b.converters["script json"]=function(){g||f.error(h+" was not called");return g[0]},b.dataTypes[0]="json";return"script"}}),f.ajaxSetup({accepts:{script:"text/javascript, application/javascript, application/ecmascript, application/x-ecmascript"},contents:{script:/javascript|ecmascript/},converters:{"text script":function(a){f.globalEval(a);return a}}}),f.ajaxPrefilter("script",function(a){a.cache===b&&(a.cache=!1),a.crossDomain&&(a.type="GET",a.global=!1)}),f.ajaxTransport("script",function(a){if(a.crossDomain){var d,e=c.head||c.getElementsByTagName("head")[0]||c.documentElement;return{send:function(f,g){d=c.createElement("script"),d.async="async",a.scriptCharset&&(d.charset=a.scriptCharset),d.src=a.url,d.onload=d.onreadystatechange=function(a,c){if(c||!d.readyState||/loaded|complete/.test(d.readyState))d.onload=d.onreadystatechange=null,e&&d.parentNode&&e.removeChild(d),d=b,c||g(200,"success")},e.insertBefore(d,e.firstChild)},abort:function(){d&&d.onload(0,1)}}}});var cf=a.ActiveXObject?function(){for(var a in ch)ch[a](0,1)}:!1,cg=0,ch;f.ajaxSettings.xhr=a.ActiveXObject?function(){return!this.isLocal&&ci()||cj()}:ci,function(a){f.extend(f.support,{ajax:!!a,cors:!!a&&"withCredentials"in a})}(f.ajaxSettings.xhr()),f.support.ajax&&f.ajaxTransport(function(c){if(!c.crossDomain||f.support.cors){var d;return{send:function(e,g){var h=c.xhr(),i,j;c.username?h.open(c.type,c.url,c.async,c.username,c.password):h.open(c.type,c.url,c.async);if(c.xhrFields)for(j in c.xhrFields)h[j]=c.xhrFields[j];c.mimeType&&h.overrideMimeType&&h.overrideMimeType(c.mimeType),!c.crossDomain&&!e["X-Requested-With"]&&(e["X-Requested-With"]="XMLHttpRequest");try{for(j in e)h.setRequestHeader(j,e[j])}catch(k){}h.send(c.hasContent&&c.data||null),d=function(a,e){var j,k,l,m,n;try{if(d&&(e||h.readyState===4)){d=b,i&&(h.onreadystatechange=f.noop,cf&&delete ch[i]);if(e)h.readyState!==4&&h.abort();else{j=h.status,l=h.getAllResponseHeaders(),m={},n=h.responseXML,n&&n.documentElement&&(m.xml=n),m.text=h.responseText;try{k=h.statusText}catch(o){k=""}!j&&c.isLocal&&!c.crossDomain?j=m.text?200:404:j===1223&&(j=204)}}}catch(p){e||g(-1,p)}m&&g(j,k,m,l)},!c.async||h.readyState===4?d():(i=++cg,cf&&(ch||(ch={},f(a).unload(cf)),ch[i]=d),h.onreadystatechange=d)},abort:function(){d&&d(0,1)}}}});var ck={},cl,cm,cn=/^(?:toggle|show|hide)$/,co=/^([+\-]=)?([\d+.\-]+)([a-z%]*)$/i,cp,cq=[["height","marginTop","marginBottom","paddingTop","paddingBottom"],["width","marginLeft","marginRight","paddingLeft","paddingRight"],["opacity"]],cr;f.fn.extend({show:function(a,b,c){var d,e;if(a||a===0)return this.animate(cu("show",3),a,b,c);for(var g=0,h=this.length;g=i.duration+this.startTime){this.now=this.end,this.pos=this.state=1,this.update(),i.animatedProperties[this.prop]=!0;for(b in i.animatedProperties)i.animatedProperties[b]!==!0&&(g=!1);if(g){i.overflow!=null&&!f.support.shrinkWrapBlocks&&f.each(["","X","Y"],function(a,b){h.style["overflow"+b]=i.overflow[a]}),i.hide&&f(h).hide();if(i.hide||i.show)for(b in i.animatedProperties)f.style(h,b,i.orig[b]),f.removeData(h,"fxshow"+b,!0),f.removeData(h,"toggle"+b,!0);d=i.complete,d&&(i.complete=!1,d.call(h))}return!1}i.duration==Infinity?this.now=e:(c=e-this.startTime,this.state=c/i.duration,this.pos=f.easing[i.animatedProperties[this.prop]](this.state,c,0,1,i.duration),this.now=this.start+(this.end-this.start)*this.pos),this.update();return!0}},f.extend(f.fx,{tick:function(){var a,b=f.timers,c=0;for(;c-1,k={},l={},m,n;j?(l=e.position(),m=l.top,n=l.left):(m=parseFloat(h)||0,n=parseFloat(i)||0),f.isFunction(b)&&(b=b.call(a,c,g)),b.top!=null&&(k.top=b.top-g.top+m),b.left!=null&&(k.left=b.left-g.left+n),"using"in b?b.using.call(a,k):e.css(k)}},f.fn.extend({position:function(){if(!this[0])return null;var a=this[0],b=this.offsetParent(),c=this.offset(),d=cx.test(b[0].nodeName)?{top:0,left:0}:b.offset();c.top-=parseFloat(f.css(a,"marginTop"))||0,c.left-=parseFloat(f.css(a,"marginLeft"))||0,d.top+=parseFloat(f.css(b[0],"borderTopWidth"))||0,d.left+=parseFloat(f.css(b[0],"borderLeftWidth"))||0;return{top:c.top-d.top,left:c.left-d.left}},offsetParent:function(){return this.map(function(){var a=this.offsetParent||c.body;while(a&&!cx.test(a.nodeName)&&f.css(a,"position")==="static")a=a.offsetParent;return a})}}),f.each(["Left","Top"],function(a,c){var d="scroll"+c;f.fn[d]=function(c){var e,g;if(c===b){e=this[0];if(!e)return null;g=cy(e);return g?"pageXOffset"in g?g[a?"pageYOffset":"pageXOffset"]:f.support.boxModel&&g.document.documentElement[d]||g.document.body[d]:e[d]}return this.each(function(){g=cy(this),g?g.scrollTo(a?f(g).scrollLeft():c,a?c:f(g).scrollTop()):this[d]=c})}}),f.each(["Height","Width"],function(a,c){var d=c.toLowerCase();f.fn["inner"+c]=function(){var a=this[0];return a?a.style?parseFloat(f.css(a,d,"padding")):this[d]():null},f.fn["outer"+c]=function(a){var b=this[0];return b?b.style?parseFloat(f.css(b,d,a?"margin":"border")):this[d]():null},f.fn[d]=function(a){var e=this[0];if(!e)return a==null?null:this;if(f.isFunction(a))return this.each(function(b){var c=f(this);c[d](a.call(this,b,c[d]()))});if(f.isWindow(e)){var g=e.document.documentElement["client"+c],h=e.document.body;return e.document.compatMode==="CSS1Compat"&&g||h&&h["client"+c]||g}if(e.nodeType===9)return Math.max(e.documentElement["client"+c],e.body["scroll"+c],e.documentElement["scroll"+c],e.body["offset"+c],e.documentElement["offset"+c]);if(a===b){var i=f.css(e,d),j=parseFloat(i);return f.isNumeric(j)?j:i}return this.css(d,typeof a=="string"?a:a+"px")}}),a.jQuery=a.$=f,typeof define=="function"&&define.amd&&define.amd.jQuery&&define("jquery",[],function(){return f})})(window); \ No newline at end of file diff --git a/docs/puppet_class_list.html b/docs/puppet_class_list.html new file mode 100644 index 0000000..193d529 --- /dev/null +++ b/docs/puppet_class_list.html @@ -0,0 +1,75 @@ + + + + + + + + + + + + + + + + + + Puppet Class List + + + +
    +
    +

    Puppet Class List

    + + + +
    + + +
    + + diff --git a/docs/puppet_classes/ferm.html b/docs/puppet_classes/ferm.html new file mode 100644 index 0000000..74c4b67 --- /dev/null +++ b/docs/puppet_classes/ferm.html @@ -0,0 +1,297 @@ + + + + + + + Puppet Class: ferm + + — Documentation by YARD 0.9.12 + + + + + + + + + + + + + + + + + +
    + +
    +
    + +
    + + +

    Puppet Class: ferm

    +
    + + +
    +
    Defined in:
    +
    + manifests/init.pp +
    +
    +
    + +

    Overview

    +
    +
    +

    Class: ferm

    + +

    This class manages ferm installation and rule generation on modern linux systems

    + +

    class{'ferm': + manage_service => true, +}

    + +
    +
    +
    + +
    +

    Examples:

    + + +

    deploy ferm and start it

    +

    + +
    + +
    +

    Parameters:

    +
      + +
    • + + manage_service + + + (Boolean) + + + + — +

      disable/enable the management of the ferm daemon +Default value: false +Allowed values: (true|false)

      +
      + +
      • + +
    • + + manage_configfile + + + (Boolean) + + + + — +

      disable/enable the management of the ferm default config +Default value: false +Allowed values: (true|false)

      +
      + +
      • + +
    • + + configfile + + + (Stdlib::Absolutepath) + + + + — +

      path to the config file +Default value: /etc/ferm.conf +Allowed values: Stdlib::Absolutepath

      +
      + +
      • + +
    • + + forward_policy + + + (Ferm::Policies) + + + + — +

      default policy for the FORWARD chain +Default value: DROP +Allowed values: (ACCEPT|DROP|REJECT)

      +
      + +
      • + +
    • + + output_policy + + + (Ferm::Policies) + + + + — +

      default policy for the OUTPUT chain +Default value: ACCEPT +Allowed values: (ACCEPT|DROP|REJECT)

      +
      + +
      • + +
    • + + input_policy + + + (Ferm::Policies) + + + + — +

      default policy for the INPUT chain +Default value: DROP +Allowed values: (ACCEPT|DROP|REJECT)

      +
      + +
      • + +
    • + + rules + + + (Hash) + + + + — +

      a hash that holds all data for ferm::rule +Default value: Empty Hash +Allowed value: Any Hash

      +
      + +
      • + +
    + + +
    +
    + + + + +
    + 
    +
+
+31
+32
+33
+34
+35
+36
+37
+38
+39
+40
+41
+42
+43
+44
+45
+46
+47
+48
+49
+50
+51
+52
+53
+54
+55
    +     		+ 
    # File 'manifests/init.pp', line 31
+
+class ferm (
+  Boolean $manage_service,
+  Boolean $manage_configfile,
+  Stdlib::Absolutepath $configfile,
+  Ferm::Policies $forward_policy,
+  Ferm::Policies $output_policy,
+  Ferm::Policies $input_policy,
+  Hash $rules,
+) {
+  contain ferm::install
+  contain ferm::config
+  contain ferm::service
+
+  Class['ferm::install']
+  -> Class['ferm::config']
+  ~> Class['ferm::service']
+
+  $rules.each |$rulename, $attributes| {
+    ferm::rule{$rulename:
+      * => $attributes,
+    }
+  }
+  # import all exported resources with ferm rules for this node
+  Ferm::Rule <<| tag == $trusted['certname'] |>>
+}
    +
    + + + + + + + + \ No newline at end of file diff --git a/docs/puppet_classes/ferm_3A_3Aconfig.html b/docs/puppet_classes/ferm_3A_3Aconfig.html new file mode 100644 index 0000000..3d9813e --- /dev/null +++ b/docs/puppet_classes/ferm_3A_3Aconfig.html @@ -0,0 +1,195 @@ + + + + + + + Puppet Class: ferm::config + + — Documentation by YARD 0.9.12 + + + + + + + + + + + + + + + + + +
    + +
    +
    + +
    + + +

    Puppet Class: ferm::config

    +
    + + +
    +
    Defined in:
    +
    + manifests/config.pp +
    +
    +
    + +

    Overview

    +
    +
    +

    This class handles the configuration file. Avoid modifying private classes.

    + +
    +
    +
    + + +
    + + + + + +
    + 
    +
+
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+28
+29
+30
+31
+32
+33
+34
+35
+36
+37
+38
+39
+40
+41
+42
+43
+44
+45
+46
    +     		+ 
    # File 'manifests/config.pp', line 3
+
+class ferm::config {
+
+  # this is a private class
+  assert_private("You're not supposed to do that!")
+
+  # copy static files to ferm
+  # on a long term point of view, we want to package this
+  file{'/etc/ferm.d':
+    ensure => 'directory',
+  }
+  -> file{'/etc/ferm.d/definitions':
+    ensure => 'directory',
+  }
+  -> file{'/etc/ferm.d/chains':
+    ensure => 'directory',
+  }
+
+  if $ferm::manage_configfile {
+    concat{$ferm::configfile:
+      ensure  => 'present',
+    }
+    concat::fragment{'ferm_header.conf':
+      target  => $ferm::configfile,
+      content => epp("${module_name}/ferm_header.conf.epp"),
+      order   => '01',
+    }
+
+    concat::fragment{'ferm.conf':
+      target  => $ferm::configfile,
+      content => epp("${module_name}/ferm.conf.epp"),
+      order   => '50',
+    }
+  }
+
+  ferm::chain{'INPUT':
+    policy => $ferm::input_policy,
+  }
+  ferm::chain{'FORWARD':
+    policy => $ferm::forward_policy,
+  }
+  ferm::chain{'OUTPUT':
+    policy => $ferm::output_policy,
+  }
+}
    +
    +
    +
    + + + +
    + + \ No newline at end of file diff --git a/docs/puppet_classes/ferm_3A_3Ainstall.html b/docs/puppet_classes/ferm_3A_3Ainstall.html new file mode 100644 index 0000000..c6e1b12 --- /dev/null +++ b/docs/puppet_classes/ferm_3A_3Ainstall.html @@ -0,0 +1,125 @@ + + + + + + + Puppet Class: ferm::install + + — Documentation by YARD 0.9.12 + + + + + + + + + + + + + + + + + +
    + +
    +
    + +
    + + +

    Puppet Class: ferm::install

    +
    + + +
    +
    Defined in:
    +
    + manifests/install.pp +
    +
    +
    + +

    Overview

    +
    +
    +

    This class handles the configuration file. Avoid modifying private classes.

    + +
    +
    +
    + + +
    + + + + + +
    + 
    +
+
+3
+4
+5
+6
+7
+8
+9
+10
+11
    +     		+ 
    # File 'manifests/install.pp', line 3
+
+class ferm::install {
+
+  # this is a private class
+  assert_private("You're not supposed to do that!")
+
+  package{'ferm':
+    ensure => 'latest',
+  }
+}
    +
    +
    +
    + + + +
    + + \ No newline at end of file diff --git a/docs/puppet_classes/ferm_3A_3Aservice.html b/docs/puppet_classes/ferm_3A_3Aservice.html new file mode 100644 index 0000000..cfa5022 --- /dev/null +++ b/docs/puppet_classes/ferm_3A_3Aservice.html @@ -0,0 +1,149 @@ + + + + + + + Puppet Class: ferm::service + + — Documentation by YARD 0.9.12 + + + + + + + + + + + + + + + + + +
    + +
    +
    + +
    + + +

    Puppet Class: ferm::service

    +
    + + +
    +
    Defined in:
    +
    + manifests/service.pp +
    +
    +
    + +

    Overview

    +
    +
    +

    This class handles the configuration file. Avoid modifying private classes.

    + +
    +
    +
    + + +
    + + + + + +
    + 
    +
+
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
    +     		+ 
    # File 'manifests/service.pp', line 3
+
+class ferm::service {
+
+  # this is a private class
+  assert_private("You're not supposed to do that!")
+
+  if $ferm::manage_service {
+    service{'ferm':
+      ensure => 'running',
+      enable => true,
+    }
+
+    # on Ubuntu, we can't start the service, unless we set ENABLED=true in /etc/default/ferm...
+    if ($facts['os']['name'] == 'Ubuntu') {
+      file_line{'enable_ferm':
+        path  => '/etc/default/ferm',
+        line  => 'ENABLED="yes"',
+        match => 'ENABLED=',
+      }
+    }
+  }
+}
    +
    +
    +
    + + + +
    + + \ No newline at end of file diff --git a/docs/puppet_defined_type_list.html b/docs/puppet_defined_type_list.html new file mode 100644 index 0000000..db71c1f --- /dev/null +++ b/docs/puppet_defined_type_list.html @@ -0,0 +1,61 @@ + + + + + + + + + + + + + + + + + + Defined Type List + + + +
    +
    +

    Defined Type List

    + + + +
    + + +
    + + diff --git a/docs/puppet_defined_types/ferm_3A_3Achain.html b/docs/puppet_defined_types/ferm_3A_3Achain.html new file mode 100644 index 0000000..a3576c1 --- /dev/null +++ b/docs/puppet_defined_types/ferm_3A_3Achain.html @@ -0,0 +1,175 @@ + + + + + + + Defined Type: ferm::chain + + — Documentation by YARD 0.9.12 + + + + + + + + + + + + + + + + + +
    + +
    +
    + +
    + + +

    Defined Type: ferm::chain

    +
    +
    +
    Defined in:
    +
    + manifests/chain.pp +
    +
    +
    + +

    Overview

    +
    +
    +

    defined resource which creates all rules for one chain

    + +
    +
    +
    +

    Parameters:

    +
      + +
    • + + policy + + + (Ferm::Policies) + + + + — +

      Set the default policy for a CHAIN

      +
      + +
      • + +
    • + + chain + + + (Ferm::Chains) + + + (defaults to: $name) + + + — +

      name of the chain that should be managed

      +
      + +
      • + +
    + + +
    + + + + + +
    + 
    +
+
+4
+5
+6
+7
+8
+9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
    +     		+ 
    # File 'manifests/chain.pp', line 4
+
+define ferm::chain (
+  Ferm::Policies $policy,
+  Ferm::Chains $chain = $name,
+) {
+
+  # concat resource for the chain
+  $filename = downcase($chain)
+  concat{"/etc/ferm.d/chains/${chain}.conf":
+    ensure  => 'present',
+  }
+
+  concat::fragment{"${chain}-policy":
+    target  => "/etc/ferm.d/chains/${chain}.conf",
+    content => epp("${module_name}/ferm_chain_header.conf.epp", {'policy' => $policy }),
+    order   => '01',
+  }
+}
    +
    +
    +
    + + + +
    + + \ No newline at end of file diff --git a/docs/puppet_defined_types/ferm_3A_3Arule.html b/docs/puppet_defined_types/ferm_3A_3Arule.html new file mode 100644 index 0000000..cad82f6 --- /dev/null +++ b/docs/puppet_defined_types/ferm_3A_3Arule.html @@ -0,0 +1,297 @@ + + + + + + + Defined Type: ferm::rule + + — Documentation by YARD 0.9.12 + + + + + + + + + + + + + + + + + +
    + +
    +
    + +
    + + +

    Defined Type: ferm::rule

    +
    +
    +
    Defined in:
    +
    + manifests/rule.pp +
    +
    +
    + +

    Overview

    +
    +
    + +
    +
    +
    +

    Parameters:

    +
      + +
    • + + chain + + + (Ferm::Chains) + + + +
      • + +
    • + + policy + + + (Ferm::Policies) + + + +
      • + +
    • + + proto + + + (Ferm::Protocols) + + + +
      • + +
    • + + comment + + + (String) + + + (defaults to: $name) + + +
      • + +
    • + + dport + + + (Optional[Variant[Integer,String]]) + + + (defaults to: undef) + + +
      • + +
    • + + sport + + + (Optional[Variant[Integer,String]]) + + + (defaults to: undef) + + +
      • + +
    • + + saddr + + + (Optional[String]) + + + (defaults to: undef) + + +
      • + +
    • + + daddr + + + (Optional[String]) + + + (defaults to: undef) + + +
      • + +
    • + + ensure + + + (Enum['absent','present']) + + + (defaults to: 'present') + + +
      • + +
    + + +
    + + + + + +
    + 
    +
+
+1
+2
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+28
+29
+30
+31
+32
+33
+34
+35
+36
+37
+38
+39
    +     		+ 
    # File 'manifests/rule.pp', line 1
+
+define ferm::rule (
+  Ferm::Chains $chain,
+  Ferm::Policies $policy,
+  Ferm::Protocols $proto,
+  String $comment = $name,
+  Optional[Variant[Integer,String]] $dport = undef,
+  Optional[Variant[Integer,String]] $sport = undef,
+  Optional[String] $saddr = undef,
+  Optional[String] $daddr = undef,
+  Enum['absent','present'] $ensure = 'present',
+){
+  $proto_real = "proto ${proto}"
+
+  $dport_real = $dport ? {
+    undef   => '',
+    default => "dport ${dport}",
+  }
+  $sport_real = $sport ? {
+    undef   => '',
+    default => "sport ${sport}",
+  }
+  $saddr_real = $saddr ? {
+    undef   => '',
+    default => "saddr @ipfilter(${saddr})",
+  }
+  $daddr_real = $daddr ? {
+    undef =>  '',
+    default => "daddr @ipfilter(${daddr})"
+  }
+  $comment_real = "mod comment comment '${comment}'"
+
+  $rule = squeeze("${comment_real} ${proto_real} ${dport_real} ${sport_real} ${daddr_real} ${saddr_real} ${policy};", ' ')
+  if $ensure == 'present' {
+    concat::fragment{"${chain}-${name}":
+      target  => "/etc/ferm.d/chains/${chain}.conf",
+      content => "${rule}\n",
+    }
+  }
+}
    +
    +
    +
    + + + +
    + + \ No newline at end of file diff --git a/docs/top-level-namespace.html b/docs/top-level-namespace.html new file mode 100644 index 0000000..0526879 --- /dev/null +++ b/docs/top-level-namespace.html @@ -0,0 +1,98 @@ + + + + + + + Top Level Namespace + + — Documentation by YARD 0.9.12 + + + + + + + + + + + + + + + + + +
    + +
    +
    + +
    + + +

    Top Level Namespace + + + +

    +
    + + + + + + + + + + + +
    + + + + + + + + + + +
    + + + +
    + + \ No newline at end of file diff --git a/files/ferm.conf b/files/ferm.conf new file mode 100644 index 0000000..27eea58 --- /dev/null +++ b/files/ferm.conf @@ -0,0 +1,38 @@ +# -*- shell-script -*- +# +# Ferm example script +# +# Firewall configuration for a workstation which accepts remote ssh login. +# +# Author: Max Kellermann +# + +table filter { + chain INPUT { + policy DROP; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # allow local connections + interface lo ACCEPT; + + # respond to ping + proto icmp icmp-type echo-request ACCEPT; + + # allow SSH connections + proto tcp dport ssh ACCEPT; + + # ident connections are also allowed + proto tcp dport auth ACCEPT; + + # the rest is dropped by the above policy + } + + # outgoing connections are not limited + chain OUTPUT policy ACCEPT; + + # this is not a router + chain FORWARD policy DROP; +} diff --git a/hiera.yaml b/hiera.yaml new file mode 100644 index 0000000..6b62091 --- /dev/null +++ b/hiera.yaml @@ -0,0 +1,22 @@ +--- +version: 5 + +defaults: + datadir: 'data' + data_hash: 'yaml_data' + +hierarchy: + - name: 'Full Version' + path: '%{facts.os.name}-%{facts.os.release.full}.yaml' + + - name: 'Major Version' + path: '%{facts.os.name}-%{facts.os.release.major}.yaml' + + - name: 'Distribution Name' + path: '%{facts.os.name}.yaml' + + - name: 'Operating System Family' + path: '%{facts.os.family}.yaml' + + - name: 'common' + path: 'common.yaml' diff --git a/manifests/chain.pp b/manifests/chain.pp new file mode 100644 index 0000000..6f2ee1d --- /dev/null +++ b/manifests/chain.pp @@ -0,0 +1,20 @@ +# defined resource which creates all rules for one chain +# @param policy [Ferm::Policies] Set the default policy for a CHAIN +# @param chain [Ferm::Chains] name of the chain that should be managed +define ferm::chain ( + Ferm::Policies $policy, + Ferm::Chains $chain = $name, +) { + + # concat resource for the chain + $filename = downcase($chain) + concat{"/etc/ferm.d/chains/${chain}.conf": + ensure => 'present', + } + + concat::fragment{"${chain}-policy": + target => "/etc/ferm.d/chains/${chain}.conf", + content => epp("${module_name}/ferm_chain_header.conf.epp", {'policy' => $policy }), + order => '01', + } +} diff --git a/manifests/config.pp b/manifests/config.pp new file mode 100644 index 0000000..43c68ee --- /dev/null +++ b/manifests/config.pp @@ -0,0 +1,46 @@ +# @api private +# This class handles the configuration file. Avoid modifying private classes. +class ferm::config { + + # this is a private class + assert_private("You're not supposed to do that!") + + # copy static files to ferm + # on a long term point of view, we want to package this + file{'/etc/ferm.d': + ensure => 'directory', + } + -> file{'/etc/ferm.d/definitions': + ensure => 'directory', + } + -> file{'/etc/ferm.d/chains': + ensure => 'directory', + } + + if $ferm::manage_configfile { + concat{$ferm::configfile: + ensure => 'present', + } + concat::fragment{'ferm_header.conf': + target => $ferm::configfile, + content => epp("${module_name}/ferm_header.conf.epp"), + order => '01', + } + + concat::fragment{'ferm.conf': + target => $ferm::configfile, + content => epp("${module_name}/ferm.conf.epp"), + order => '50', + } + } + + ferm::chain{'INPUT': + policy => $ferm::input_policy, + } + ferm::chain{'FORWARD': + policy => $ferm::forward_policy, + } + ferm::chain{'OUTPUT': + policy => $ferm::output_policy, + } +} diff --git a/manifests/init.pp b/manifests/init.pp new file mode 100644 index 0000000..17ebeff --- /dev/null +++ b/manifests/init.pp @@ -0,0 +1,55 @@ +# Class: ferm +# +# This class manages ferm installation and rule generation on modern linux systems +# +# @example deploy ferm and start it +# class{'ferm': +# manage_service => true, +# } +# +# @param manage_service [Boolean] disable/enable the management of the ferm daemon +# Default value: false +# Allowed values: (true|false) +# @param manage_configfile [Boolean] disable/enable the management of the ferm default config +# Default value: false +# Allowed values: (true|false) +# @param configfile [Stdlib::Absolutepath] path to the config file +# Default value: /etc/ferm.conf +# Allowed values: Stdlib::Absolutepath +# @param forward_policy [Ferm::Policies] default policy for the FORWARD chain +# Default value: DROP +# Allowed values: (ACCEPT|DROP|REJECT) +# @param output_policy [Ferm::Policies] default policy for the OUTPUT chain +# Default value: ACCEPT +# Allowed values: (ACCEPT|DROP|REJECT) +# @param input_policy [Ferm::Policies] default policy for the INPUT chain +# Default value: DROP +# Allowed values: (ACCEPT|DROP|REJECT) +# @param rules a hash that holds all data for ferm::rule +# Default value: Empty Hash +# Allowed value: Any Hash +class ferm ( + Boolean $manage_service, + Boolean $manage_configfile, + Stdlib::Absolutepath $configfile, + Ferm::Policies $forward_policy, + Ferm::Policies $output_policy, + Ferm::Policies $input_policy, + Hash $rules, +) { + contain ferm::install + contain ferm::config + contain ferm::service + + Class['ferm::install'] + -> Class['ferm::config'] + ~> Class['ferm::service'] + + $rules.each |$rulename, $attributes| { + ferm::rule{$rulename: + * => $attributes, + } + } + # import all exported resources with ferm rules for this node + Ferm::Rule <<| tag == $trusted['certname'] |>> +} diff --git a/manifests/install.pp b/manifests/install.pp new file mode 100644 index 0000000..2834dc3 --- /dev/null +++ b/manifests/install.pp @@ -0,0 +1,11 @@ +# @api private +# This class handles the configuration file. Avoid modifying private classes. +class ferm::install { + + # this is a private class + assert_private("You're not supposed to do that!") + + package{'ferm': + ensure => 'latest', + } +} diff --git a/manifests/rule.pp b/manifests/rule.pp new file mode 100644 index 0000000..679f09d --- /dev/null +++ b/manifests/rule.pp @@ -0,0 +1,39 @@ +define ferm::rule ( + Ferm::Chains $chain, + Ferm::Policies $policy, + Ferm::Protocols $proto, + String $comment = $name, + Optional[Variant[Integer,String]] $dport = undef, + Optional[Variant[Integer,String]] $sport = undef, + Optional[String] $saddr = undef, + Optional[String] $daddr = undef, + Enum['absent','present'] $ensure = 'present', +){ + $proto_real = "proto ${proto}" + + $dport_real = $dport ? { + undef => '', + default => "dport ${dport}", + } + $sport_real = $sport ? { + undef => '', + default => "sport ${sport}", + } + $saddr_real = $saddr ? { + undef => '', + default => "saddr @ipfilter(${saddr})", + } + $daddr_real = $daddr ? { + undef => '', + default => "daddr @ipfilter(${daddr})" + } + $comment_real = "mod comment comment '${comment}'" + + $rule = squeeze("${comment_real} ${proto_real} ${dport_real} ${sport_real} ${daddr_real} ${saddr_real} ${policy};", ' ') + if $ensure == 'present' { + concat::fragment{"${chain}-${name}": + target => "/etc/ferm.d/chains/${chain}.conf", + content => "${rule}\n", + } + } +} diff --git a/manifests/service.pp b/manifests/service.pp new file mode 100644 index 0000000..ddc6129 --- /dev/null +++ b/manifests/service.pp @@ -0,0 +1,23 @@ +# @api private +# This class handles the configuration file. Avoid modifying private classes. +class ferm::service { + + # this is a private class + assert_private("You're not supposed to do that!") + + if $ferm::manage_service { + service{'ferm': + ensure => 'running', + enable => true, + } + + # on Ubuntu, we can't start the service, unless we set ENABLED=true in /etc/default/ferm... + if ($facts['os']['name'] == 'Ubuntu') { + file_line{'enable_ferm': + path => '/etc/default/ferm', + line => 'ENABLED="yes"', + match => 'ENABLED=', + } + } + } +} diff --git a/metadata.json b/metadata.json new file mode 100644 index 0000000..a2992cf --- /dev/null +++ b/metadata.json @@ -0,0 +1,74 @@ +{ + "name": "puppet-ferm", + "version": "1.1.1-rc0", + "author": "Vox Pupuli", + "summary": "deploy and manage ferm", + "license": "AGPL-3.0", + "source": "https://github.com/voxpupuli/puppet-ferm.git", + "project_page": "https://github.com/voxpupuli/puppet-ferm", + "issues_url": "https://github.com/voxpupuli/puppet-ferm/issues", + "dependencies": [ + { + "name": "puppetlabs/stdlib", + "version_requirement": ">= 4.13.1 < 5.0.0" + }, + { + "name": "puppetlabs/concat", + "version_requirement": ">= 4.0.1 < 5.0.0" + } + ], + "operatingsystem_support": [ + { + "operatingsystem": "CentOS", + "operatingsystemrelease": [ + "5.0", + "6.0", + "7.0" + ] + }, + { + "operatingsystem": "RedHat", + "operatingsystemrelease": [ + "5.0", + "6.0", + "7.0" + ] + }, + { + "operatingsystem": "Debian", + "operatingsystemrelease": [ + "6.0", + "7.0", + "8.0", + "9.0" + ] + }, + { + "operatingsystem": "FreeBSD", + "operatingsystemrelease": [ + "9", + "10", + "11" + ] + }, + { + "operatingsystem": "Fedora", + "operatingsystemrelease": [ + "22", + "23", + "24", + "25", + "26" + ] + }, + { + "operatingsystem": "Archlinux" + } + ], + "requirements": [ + { + "name": "puppet", + "version_requirement": ">= 4.9.4 < 6.0.0" + } + ] +} diff --git a/spec/acceptance/nodesets/archlinux-2-x64.yml b/spec/acceptance/nodesets/archlinux-2-x64.yml new file mode 100644 index 0000000..89b6300 --- /dev/null +++ b/spec/acceptance/nodesets/archlinux-2-x64.yml @@ -0,0 +1,13 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + archlinux-2-x64: + roles: + - master + platform: archlinux-2-x64 + box: archlinux/archlinux + hypervisor: vagrant +CONFIG: + type: foss diff --git a/spec/acceptance/nodesets/centos-511-x64.yml b/spec/acceptance/nodesets/centos-511-x64.yml new file mode 100644 index 0000000..089d646 --- /dev/null +++ b/spec/acceptance/nodesets/centos-511-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-511-x64: + roles: + - master + platform: el-5-x86_64 + box: puppetlabs/centos-5.11-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/centos-6-x64.yml b/spec/acceptance/nodesets/centos-6-x64.yml new file mode 100644 index 0000000..16abc8f --- /dev/null +++ b/spec/acceptance/nodesets/centos-6-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-6-x64: + roles: + - master + platform: el-6-x86_64 + box: centos/6 + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/centos-66-x64-pe.yml b/spec/acceptance/nodesets/centos-66-x64-pe.yml new file mode 100644 index 0000000..1e7aea6 --- /dev/null +++ b/spec/acceptance/nodesets/centos-66-x64-pe.yml @@ -0,0 +1,17 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-66-x64: + roles: + - master + - database + - dashboard + platform: el-6-x86_64 + box: puppetlabs/centos-6.6-64-puppet-enterprise + hypervisor: vagrant +CONFIG: + type: pe +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/centos-7-x64.yml b/spec/acceptance/nodesets/centos-7-x64.yml new file mode 100644 index 0000000..e05a3ae --- /dev/null +++ b/spec/acceptance/nodesets/centos-7-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-7-x64: + roles: + - master + platform: el-7-x86_64 + box: centos/7 + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/debian-78-x64.yml b/spec/acceptance/nodesets/debian-78-x64.yml new file mode 100644 index 0000000..6ef6de8 --- /dev/null +++ b/spec/acceptance/nodesets/debian-78-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + debian-78-x64: + roles: + - master + platform: debian-7-amd64 + box: puppetlabs/debian-7.8-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/debian-82-x64.yml b/spec/acceptance/nodesets/debian-82-x64.yml new file mode 100644 index 0000000..9897a8f --- /dev/null +++ b/spec/acceptance/nodesets/debian-82-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + debian-82-x64: + roles: + - master + platform: debian-8-amd64 + box: puppetlabs/debian-8.2-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/docker/centos-5.yml b/spec/acceptance/nodesets/docker/centos-5.yml new file mode 100644 index 0000000..c17bc3d --- /dev/null +++ b/spec/acceptance/nodesets/docker/centos-5.yml @@ -0,0 +1,19 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-5-x64: + platform: el-5-x86_64 + hypervisor: docker + image: centos:5 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'yum install -y crontabs initscripts iproute openssl sysvinit-tools tar wget which' + - 'sed -i -e "/mingetty/d" /etc/inittab' +CONFIG: + trace_limit: 200 + masterless: true +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/docker/centos-6.yml b/spec/acceptance/nodesets/docker/centos-6.yml new file mode 100644 index 0000000..d93f884 --- /dev/null +++ b/spec/acceptance/nodesets/docker/centos-6.yml @@ -0,0 +1,20 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-6-x64: + platform: el-6-x86_64 + hypervisor: docker + image: centos:6 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'rm -rf /var/run/network/*' + - 'yum install -y crontabs initscripts iproute openssl sysvinit-tools tar wget which' + - 'rm /etc/init/tty.conf' +CONFIG: + trace_limit: 200 + masterless: true +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/docker/centos-7.yml b/spec/acceptance/nodesets/docker/centos-7.yml new file mode 100644 index 0000000..41e924b --- /dev/null +++ b/spec/acceptance/nodesets/docker/centos-7.yml @@ -0,0 +1,19 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-7-x64: + platform: el-7-x86_64 + hypervisor: docker + image: centos:7 + docker_preserve_image: true + docker_cmd: '["/usr/sbin/init"]' + docker_image_commands: + - 'yum install -y crontabs initscripts iproute openssl sysvinit-tools tar wget which ss' + - 'systemctl mask getty@tty1.service' +CONFIG: + trace_limit: 200 + masterless: true +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/docker/debian-7.yml b/spec/acceptance/nodesets/docker/debian-7.yml new file mode 100644 index 0000000..41b284d --- /dev/null +++ b/spec/acceptance/nodesets/docker/debian-7.yml @@ -0,0 +1,18 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + debian-7-x64: + platform: debian-7-amd64 + hypervisor: docker + image: debian:7 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'apt-get update && apt-get install -y cron locales-all net-tools wget' +CONFIG: + trace_limit: 200 + masterless: true +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/docker/debian-8.yml b/spec/acceptance/nodesets/docker/debian-8.yml new file mode 100644 index 0000000..a630b7e --- /dev/null +++ b/spec/acceptance/nodesets/docker/debian-8.yml @@ -0,0 +1,20 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + debian-8-x64: + platform: debian-8-amd64 + hypervisor: docker + image: debian:8 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'apt-get update && apt-get install -y cron locales-all net-tools wget' + - 'rm -f /usr/sbin/policy-rc.d' + - 'systemctl mask getty@tty1.service getty-static.service' +CONFIG: + trace_limit: 200 + masterless: true +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/docker/debian-9.yml b/spec/acceptance/nodesets/docker/debian-9.yml new file mode 100644 index 0000000..dfc8e9c --- /dev/null +++ b/spec/acceptance/nodesets/docker/debian-9.yml @@ -0,0 +1,20 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/theforeman/foreman-installer-modulesync +HOSTS: + debian-9-x64: + platform: debian-9-amd64 + hypervisor: docker + image: debian:9 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'apt-get update && apt-get install -y cron locales-all net-tools wget systemd-sysv' + - 'rm -f /usr/sbin/policy-rc.d' + - 'systemctl mask getty@tty1.service getty-static.service' +CONFIG: + trace_limit: 200 + masterless: true +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/docker/ubuntu-12.04.yml b/spec/acceptance/nodesets/docker/ubuntu-12.04.yml new file mode 100644 index 0000000..ab77cda --- /dev/null +++ b/spec/acceptance/nodesets/docker/ubuntu-12.04.yml @@ -0,0 +1,19 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + ubuntu-1204-x64: + platform: ubuntu-12.04-amd64 + hypervisor: docker + image: ubuntu:12.04 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'apt-get install -y net-tools wget' + - 'locale-gen en_US.UTF-8' +CONFIG: + trace_limit: 200 + masterless: true +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/docker/ubuntu-14.04.yml b/spec/acceptance/nodesets/docker/ubuntu-14.04.yml new file mode 100644 index 0000000..ae45304 --- /dev/null +++ b/spec/acceptance/nodesets/docker/ubuntu-14.04.yml @@ -0,0 +1,21 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + ubuntu-1404-x64: + platform: ubuntu-14.04-amd64 + hypervisor: docker + image: ubuntu:14.04 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'rm /usr/sbin/policy-rc.d' + - 'rm /sbin/initctl; dpkg-divert --rename --remove /sbin/initctl' + - 'apt-get install -y net-tools wget apt-transport-https' + - 'locale-gen en_US.UTF-8' +CONFIG: + trace_limit: 200 + masterless: true +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/docker/ubuntu-16.04.yml b/spec/acceptance/nodesets/docker/ubuntu-16.04.yml new file mode 100644 index 0000000..2d173c5 --- /dev/null +++ b/spec/acceptance/nodesets/docker/ubuntu-16.04.yml @@ -0,0 +1,19 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + ubuntu-1604-x64: + platform: ubuntu-16.04-amd64 + hypervisor: docker + image: ubuntu:16.04 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'apt-get install -y net-tools wget locales apt-transport-https' + - 'locale-gen en_US.UTF-8' +CONFIG: + trace_limit: 200 + masterless: true +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml b/spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml new file mode 100644 index 0000000..19dd43e --- /dev/null +++ b/spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml @@ -0,0 +1,31 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# Additional ~/.fog config file with AWS EC2 credentials +# required. +# +# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +# Amazon Linux is not a RHEL clone. +# +HOSTS: + amazonlinux-2016091-x64: + roles: + - master + platform: centos-6-x86_64 + hypervisor: ec2 + # refers to image_tempaltes.yaml AMI[vmname] entry: + vmname: amazonlinux-2016091-eu-central-1 + # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]: + snapshot: aio + # t2.micro is free tier eligible (https://aws.amazon.com/en/free/): + amisize: t2.micro + # required so that beaker sanitizes sshd_config and root authorized_keys: + user: ec2-user +CONFIG: + type: aio + :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/ec2/image_templates.yaml b/spec/acceptance/nodesets/ec2/image_templates.yaml new file mode 100644 index 0000000..e50593e --- /dev/null +++ b/spec/acceptance/nodesets/ec2/image_templates.yaml @@ -0,0 +1,34 @@ +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# see also: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +# Hint: image IDs (ami-*) for the same image are different per location. +# +AMI: + # Amazon Linux AMI 2016.09.1 (HVM), SSD Volume Type + amazonlinux-2016091-eu-central-1: + :image: + :aio: ami-af0fc0c0 + :region: eu-central-1 + # Red Hat Enterprise Linux 7.3 (HVM), SSD Volume Type + rhel-73-eu-central-1: + :image: + :aio: ami-e4c63e8b + :region: eu-central-1 + # SUSE Linux Enterprise Server 12 SP2 (HVM), SSD Volume Type + sles-12sp2-eu-central-1: + :image: + :aio: ami-c425e4ab + :region: eu-central-1 + # Ubuntu Server 16.04 LTS (HVM), SSD Volume Type + ubuntu-1604-eu-central-1: + :image: + :aio: ami-fe408091 + :region: eu-central-1 + # Microsoft Windows Server 2016 Base + windows-2016-base-eu-central-1: + :image: + :aio: ami-88ec20e7 + :region: eu-central-1 diff --git a/spec/acceptance/nodesets/ec2/rhel-73-x64.yml b/spec/acceptance/nodesets/ec2/rhel-73-x64.yml new file mode 100644 index 0000000..7fac823 --- /dev/null +++ b/spec/acceptance/nodesets/ec2/rhel-73-x64.yml @@ -0,0 +1,29 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# Additional ~/.fog config file with AWS EC2 credentials +# required. +# +# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +HOSTS: + rhel-73-x64: + roles: + - master + platform: el-7-x86_64 + hypervisor: ec2 + # refers to image_tempaltes.yaml AMI[vmname] entry: + vmname: rhel-73-eu-central-1 + # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]: + snapshot: aio + # t2.micro is free tier eligible (https://aws.amazon.com/en/free/): + amisize: t2.micro + # required so that beaker sanitizes sshd_config and root authorized_keys: + user: ec2-user +CONFIG: + type: aio + :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml b/spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml new file mode 100644 index 0000000..8542154 --- /dev/null +++ b/spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml @@ -0,0 +1,29 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# Additional ~/.fog config file with AWS EC2 credentials +# required. +# +# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +HOSTS: + sles-12sp2-x64: + roles: + - master + platform: sles-12-x86_64 + hypervisor: ec2 + # refers to image_tempaltes.yaml AMI[vmname] entry: + vmname: sles-12sp2-eu-central-1 + # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]: + snapshot: aio + # t2.micro is free tier eligible (https://aws.amazon.com/en/free/): + amisize: t2.micro + # required so that beaker sanitizes sshd_config and root authorized_keys: + user: ec2-user +CONFIG: + type: aio + :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml b/spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml new file mode 100644 index 0000000..9cf59d5 --- /dev/null +++ b/spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml @@ -0,0 +1,29 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# Additional ~/.fog config file with AWS EC2 credentials +# required. +# +# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +HOSTS: + ubuntu-1604-x64: + roles: + - master + platform: ubuntu-16.04-amd64 + hypervisor: ec2 + # refers to image_tempaltes.yaml AMI[vmname] entry: + vmname: ubuntu-1604-eu-central-1 + # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]: + snapshot: aio + # t2.micro is free tier eligible (https://aws.amazon.com/en/free/): + amisize: t2.micro + # required so that beaker sanitizes sshd_config and root authorized_keys: + user: ubuntu +CONFIG: + type: aio + :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml b/spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml new file mode 100644 index 0000000..0932e29 --- /dev/null +++ b/spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml @@ -0,0 +1,29 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# Additional ~/.fog config file with AWS EC2 credentials +# required. +# +# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +HOSTS: + windows-2016-base-x64: + roles: + - master + platform: windows-2016-64 + hypervisor: ec2 + # refers to image_tempaltes.yaml AMI[vmname] entry: + vmname: windows-2016-base-eu-central-1 + # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]: + snapshot: aio + # t2.micro is free tier eligible (https://aws.amazon.com/en/free/): + amisize: t2.micro + # required so that beaker sanitizes sshd_config and root authorized_keys: + user: ec2-user +CONFIG: + type: aio + :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/fedora-25-x64.yml b/spec/acceptance/nodesets/fedora-25-x64.yml new file mode 100644 index 0000000..54dd330 --- /dev/null +++ b/spec/acceptance/nodesets/fedora-25-x64.yml @@ -0,0 +1,16 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +HOSTS: + fedora-25-x64: + roles: + - master + platform: fedora-25-x86_64 + box: fedora/25-cloud-base + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/fedora-26-x64.yml b/spec/acceptance/nodesets/fedora-26-x64.yml new file mode 100644 index 0000000..598822b --- /dev/null +++ b/spec/acceptance/nodesets/fedora-26-x64.yml @@ -0,0 +1,16 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +HOSTS: + fedora-26-x64: + roles: + - master + platform: fedora-26-x86_64 + box: fedora/26-cloud-base + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/fedora-27-x64.yml b/spec/acceptance/nodesets/fedora-27-x64.yml new file mode 100644 index 0000000..c2b61eb --- /dev/null +++ b/spec/acceptance/nodesets/fedora-27-x64.yml @@ -0,0 +1,18 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# platform is fedora 26 because there is no puppet-agent +# for fedora 27 as of 2017-11-17 +HOSTS: + fedora-27-x64: + roles: + - master + platform: fedora-26-x86_64 + box: fedora/27-cloud-base + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/ubuntu-server-1204-x64.yml b/spec/acceptance/nodesets/ubuntu-server-1204-x64.yml new file mode 100644 index 0000000..29102c5 --- /dev/null +++ b/spec/acceptance/nodesets/ubuntu-server-1204-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + ubuntu-server-1204-x64: + roles: + - master + platform: ubuntu-12.04-amd64 + box: puppetlabs/ubuntu-12.04-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml b/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml new file mode 100644 index 0000000..054e658 --- /dev/null +++ b/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + ubuntu-server-1404-x64: + roles: + - master + platform: ubuntu-14.04-amd64 + box: puppetlabs/ubuntu-14.04-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/spec/acceptance/nodesets/ubuntu-server-1604-x64.yml b/spec/acceptance/nodesets/ubuntu-server-1604-x64.yml new file mode 100644 index 0000000..bc85e0e --- /dev/null +++ b/spec/acceptance/nodesets/ubuntu-server-1604-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + ubuntu-server-1604-x64: + roles: + - master + platform: ubuntu-16.04-amd64 + box: puppetlabs/ubuntu-16.04-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/spec/classes/coverage_spec.rb b/spec/classes/coverage_spec.rb new file mode 100644 index 0000000..de44654 --- /dev/null +++ b/spec/classes/coverage_spec.rb @@ -0,0 +1,4 @@ +require 'rspec-puppet' + +at_exit { RSpec::Puppet::Coverage.report! } +# vim: syntax=ruby diff --git a/spec/classes/ferm_spec.rb b/spec/classes/ferm_spec.rb new file mode 100644 index 0000000..e039c14 --- /dev/null +++ b/spec/classes/ferm_spec.rb @@ -0,0 +1,58 @@ +require 'spec_helper' + +describe 'ferm' do + let :node do + 'example.com' + end + + on_supported_os.each do |os, facts| + context "on #{os} " do + let :facts do + facts + end + + context 'with all defaults' do + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('ferm::config') } + it { is_expected.to contain_class('ferm::service') } + it { is_expected.to contain_class('ferm::install') } + it { is_expected.to contain_package('ferm') } + it { is_expected.to contain_file('/etc/ferm.d') } + it { is_expected.to contain_file('/etc/ferm.d/definitions') } + it { is_expected.to contain_file('/etc/ferm.d/chains') } + it { is_expected.not_to contain_service('ferm') } + it { is_expected.not_to contain_file('/etc/ferm.conf') } + end + + context 'with managed service' do + let :params do + { manage_service: true } + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_service('ferm') } + end + context 'with managed configfile' do + let :params do + { manage_configfile: true } + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat('/etc/ferm.conf') } + it { is_expected.to contain_concat__fragment('ferm_header.conf') } + it { is_expected.to contain_concat__fragment('ferm.conf') } + end + context 'it creates chains' do + it { is_expected.to contain_concat__fragment('FORWARD-policy') } + it { is_expected.to contain_concat__fragment('INPUT-policy') } + it { is_expected.to contain_concat__fragment('OUTPUT-policy') } + it { is_expected.to contain_concat('/etc/ferm.d/chains/FORWARD.conf') } + it { is_expected.to contain_concat('/etc/ferm.d/chains/INPUT.conf') } + it { is_expected.to contain_concat('/etc/ferm.d/chains/OUTPUT.conf') } + it { is_expected.to contain_ferm__chain('FORWARD') } + it { is_expected.to contain_ferm__chain('OUTPUT') } + it { is_expected.to contain_ferm__chain('INPUT') } + end + end + end +end diff --git a/spec/default_facts.yml b/spec/default_facts.yml new file mode 100644 index 0000000..13c4165 --- /dev/null +++ b/spec/default_facts.yml @@ -0,0 +1,14 @@ +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# use default_module_facts.yaml for module specific +# facts. +# +# Hint if using with rspec-puppet-facts ("on_supported_os.each"): +# if a same named fact exists in facterdb it will be overridden. +--- +concat_basedir: "/tmp" +ipaddress: "172.16.254.254" +is_pe: false +macaddress: "AA:AA:AA:AA:AA:AA" diff --git a/spec/defines/chain_spec.rb b/spec/defines/chain_spec.rb new file mode 100644 index 0000000..110f1d0 --- /dev/null +++ b/spec/defines/chain_spec.rb @@ -0,0 +1,20 @@ +require 'spec_helper' + +describe 'ferm::chain', type: :define do + on_supported_os.each do |os, facts| + context "on #{os} " do + let :facts do + facts + end + let(:title) { 'INPUT' } + let(:params) { { policy: 'DROP' } } + + context 'default params creates INPUT chain' do + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('INPUT-policy') } + it { is_expected.to contain_concat('/etc/ferm.d/chains/INPUT.conf') } + it { is_expected.to contain_ferm__chain('INPUT') } + end + end + end +end diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb new file mode 100644 index 0000000..0926432 --- /dev/null +++ b/spec/defines/rule_spec.rb @@ -0,0 +1,27 @@ +require 'spec_helper' + +describe 'ferm::rule', type: :define do + on_supported_os.each do |os, facts| + context "on #{os} " do + let :facts do + facts + end + let(:title) { 'filter-ssh' } + let :params do + { + chain: 'INPUT', + policy: 'ACCEPT', + proto: 'tcp', + dport: '22', + saddr: '127.0.0.1' + } + end + + context 'default params create simple rule' do + it { is_expected.to compile.with_all_deps } + # it { is_expected.to contain_concat__fragment('INPUT-filter-ssh').with_content("proto tcp dport ssh saddr @ipfilter(127.0.0.1) ACCEPT;") } + it { is_expected.to contain_concat__fragment('INPUT-filter-ssh') } + end + end + end +end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb new file mode 100644 index 0000000..cdd4935 --- /dev/null +++ b/spec/spec_helper.rb @@ -0,0 +1,31 @@ +require 'puppetlabs_spec_helper/module_spec_helper' +require 'rspec-puppet-facts' +include RspecPuppetFacts + +if Dir.exist?(File.expand_path('../../lib', __FILE__)) + require 'coveralls' + require 'simplecov' + require 'simplecov-console' + SimpleCov.formatters = [ + SimpleCov::Formatter::HTMLFormatter, + SimpleCov::Formatter::Console + ] + SimpleCov.start do + track_files 'lib/**/*.rb' + add_filter '/spec' + add_filter '/vendor' + add_filter '/.vendor' + end +end + +RSpec.configure do |c| + default_facts = { + puppetversion: Puppet.version, + facterversion: Facter.version + } + default_facts.merge!(YAML.load(File.read(File.expand_path('../default_facts.yml', __FILE__)))) if File.exist?(File.expand_path('../default_facts.yml', __FILE__)) + default_facts.merge!(YAML.load(File.read(File.expand_path('../default_module_facts.yml', __FILE__)))) if File.exist?(File.expand_path('../default_module_facts.yml', __FILE__)) + c.default_facts = default_facts +end + +# vim: syntax=ruby diff --git a/templates/ferm.conf.epp b/templates/ferm.conf.epp new file mode 100644 index 0000000..42a44be --- /dev/null +++ b/templates/ferm.conf.epp @@ -0,0 +1,16 @@ +# End custom section + +domain (ip ip6) table filter { + chain INPUT { + interface lo ACCEPT; + @include '/etc/ferm.d/chains/INPUT.conf'; + } + + chain OUTPUT { + @include '/etc/ferm.d/chains/OUTPUT.conf'; + } + + chain FORWARD { + @include '/etc/ferm.d/chains/FORWARD.conf'; + } +} diff --git a/templates/ferm_chain_header.conf.epp b/templates/ferm_chain_header.conf.epp new file mode 100644 index 0000000..b8c444c --- /dev/null +++ b/templates/ferm_chain_header.conf.epp @@ -0,0 +1,8 @@ +<%- | Ferm::Policies $policy, +| -%> +# Default policy for this chain +policy <%= $policy %>; + +# connection tracking +mod state state INVALID DROP; +mod state state (ESTABLISHED RELATED) ACCEPT; diff --git a/templates/ferm_header.conf.epp b/templates/ferm_header.conf.epp new file mode 100644 index 0000000..66922d7 --- /dev/null +++ b/templates/ferm_header.conf.epp @@ -0,0 +1,8 @@ +# Currently managed by Puppet +# Author: Tim Meusel +# + +# get all ip definitions +@include '/etc/ferm.d/definitions/'; + +# Begin custom section diff --git a/types/chains.pp b/types/chains.pp new file mode 100644 index 0000000..3ddf0f8 --- /dev/null +++ b/types/chains.pp @@ -0,0 +1 @@ +type Ferm::Chains = Enum['INPUT', 'FORWARD', 'OUTPUT'] diff --git a/types/policies.pp b/types/policies.pp new file mode 100644 index 0000000..ffc8a6e --- /dev/null +++ b/types/policies.pp @@ -0,0 +1 @@ +type Ferm::Policies = Enum['ACCEPT','DROP', 'REJECT'] diff --git a/types/protocols.pp b/types/protocols.pp new file mode 100644 index 0000000..5397542 --- /dev/null +++ b/types/protocols.pp @@ -0,0 +1 @@ +type Ferm::Protocols = Enum['icmp', 'tcp', 'udp']