merge

apply.sh

+#!/bin/bash
+
+modulepath="$(pwd)/.."
+
+set -x
+
+puppet parser validate --strict_variables --modulepath="$modulepath" manifests/
+
+for file in $*
+do
+    class=$(basename $file .pp)
+    # Sudo is needed for modules that do something with yum for example.
+    sudo /opt/puppetlabs/bin/puppet apply --test --modulepath="$modulepath" -e "include aes::$class"
+done

files/auth/auth.service

+[Unit]
+Description=Exam System Message Broker
+After=network.target
+
+[Service]
+Type=simple
+User=auth
+WorkingDirectory=/srv/auth/
+ExecStart=/srv/auth/start.sh
+Restart=on-failure
+RestartSec=10
+
+# No limit. We won't overload the system anyway.
+StartLimitIntervalSec=0
+
+[Install]
+WantedBy=multi-user.target

files/auth/config.json

+// The client strips C++-style comments from this file. There are some restrictions as follows:
+// - Only C++-style single line comments are allowed.
+// - They must be the only thing on the line, except for leading whitespace (space and tab)
+// These are in place to make it easy to strip the comments without knowledge of JSON before passing
+// it to the JSON parser.
+{
+    // Timeout for all authentications, in minutes
+    "timeout" : 1,
+
+    // All groups known to the system, and what permissions we assign each group.
+    "groups" : {
+	// Each entry consists of the group's name, followed by properties for that group.
+	"TEST" : {
+	    // Maximum message size for this group.
+	    "message_size" : 10240,
+
+	    // Allow communicating to these groups. The empty string is the broadcast "group".
+	    "groups" : [ "TEST" ]
+	},
+
+	// Admin clients.
+	"ADMC" : {
+	    "message_size" : 1024000,
+	    "groups" : [ "", "ADMC", "DB", "MS" ]
+	},
+
+	// Examiner clients.
+	"EC" : {
+	    "message_size" : 1024000,
+	    "groups" : [ "", "MS" ]
+	},
+
+	// Student clients.
+	"SC" : {
+	    "message_size" : 102400,
+	    "groups" : [ "MS" ]
+	},
+
+	// Message server.
+	"MS" : {
+	    "message_size" : 1024000,
+	    "groups" : [ "", "EC", "SC" ]
+	},
+
+	// The "large" DB server.
+	// Note: If using the kerberos authentication, the DB needs to be able to reply to AUTH-messages.
+	"DB" : {
+	    "message_size" : 1024000,
+	    "groups" : [ "", "ADMC", "MS", "AUTH" ]
+	}
+    },
+
+    // All authentication methods the auth server is going to support. Each method may appear multiple
+    // times with different configuration if different groups are to be guarded with different levels
+    // of security.
+    "methods" : [
+	{
+	    // A list of groups that we allow authenticating using this method. This is mandatory
+	    // for all elements in here.
+	    "allow" : [ "TEST" ],
+
+	    // The debug auth is the simplest. It just allows whatever the connected client
+	    // claimed. It is not good to use in production, and is always disabled unless the
+	    // "--debug" flag is given on the command line.
+	    "type" : "debug"
+	},
+	{
+	    "allow" : [ "DB", "MS" ],
+
+	    // File system authentication. This works for clients on the same system as the
+	    // authentication server (e.g. DB, ARLA, etc.), and relies on UNIX permissions. This
+	    // means we don't have to bother with certificates and the like.
+	    "type" : "fs",
+
+	    // Where to store the key files in the filesystem.
+	    "path" : "/tmp",
+
+	    // Permissions of the file.
+	    "permissions" : "0770",
+
+	    // Group of the file. If not present or null, we won't change the group.
+	    "group" : null
+	},
+	{
+	    // Slightly different requirements for ADMC.
+	    "allow" : [ "ADMC" ],
+	    "type" : "fs",
+	    "path" : "/tmp",
+	    "permissions" : "0777",
+	    "group" : null
+	},
+	{
+	    // Allow FS auth for the TEST group as well.
+	    "allow" : [ "TEST" ],
+	    "type" : "fs",
+	    "path" : "/tmp",
+	    "permissions" : "0777",
+	    "group" : null
+	},
+	{
+	    // Allow authenticating EC with Kerberos.
+	    "allow" : [ "EC" ],
+	    "type" : "kerberos",
+
+	    // What is the address of the database server we shall query for information?
+	    "db" : {
+		"group" : "DB",
+		"id" : 1
+	    },
+
+	    "user_type" : "staff"
+	},
+	{
+	    // Allow authenticating SC with Kerberos.
+	    "allow" : [ "SC" ],
+	    "type" : "kerberos",
+
+	    "db" : {
+		"group" : "DB",
+		"id" : 1
+	    },
+
+	    "user_type" : "student"
+	}
+    ]
+}

files/auth/on_update.sh

+#!/bin/bash
+
+run_as_broker=$(cat <<'EOF'
+cd
+# To make sure we have a decent GCC in our path.
+source /opt/rh/devtoolset-7/enable
+cd src/auth
+make clean
+make
+
+cd
+mkdir -p bin/
+cp src/auth/auth bin/
+EOF
+)
+
+# Compile as the auth user
+sudo --user auth --group auth --set-home -- bash -c "$run_as_broker"
+
+# Then, we can restart the services.
+systemctl service restart aes_auth.service
+

files/auth/start.sh

+#!/bin/bash
+
+if grep "aes-devel" /etc/hostname > /dev/null
+then
+    # Allow debug auth when on the devel system.
+    exec bin/auth --debug 31338 config.json
+else
+    # Not on the real system, however.
+    exec bin/auth 31338 config.json
+fi

files/broker/broker.service

+[Unit]
+Description=Exam System Message Broker
+After=network.target
+
+[Service]
+Type=simple
+User=broker
+WorkingDirectory=/srv/broker/
+ExecStart=/srv/broker/bin/broker 31337 localhost 31338
+Restart=on-failure
+RestartSec=10
+
+# No limit. We won't overload the system anyway.
+StartLimitIntervalSec=0
+
+[Install]
+WantedBy=multi-user.target

files/broker/on_update.sh

+#!/bin/bash
+
+run_as_broker=$(cat <<'EOF'
+cd
+# To make sure we have a decent GCC in our path.
+source /opt/rh/devtoolset-7/enable
+cd src/broker
+make clean
+make
+
+cd
+mkdir -p bin/
+cp src/broker/broker bin/
+EOF
+)
+
+# Compile as "broker".
+sudo --user broker --group broker --set-home -- bash -c "$run_as_broker"
+
+# Then, we can restart the services.
+systemctl service restart aes_broker.service
+

files/opendsa/.ssh/id_rsa

------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA1GjnhseuHiZdIpo5vpn8nhX94ZG8PS5LFgyy03VZQigC6NSJ
-G0HeVV5PoiJNsisDh251d/50kALNpNCuiAZqBGw8SuKxIbev8M4hLyy3IMLK9frY
-Ap6cefolxq5d/ZEz46kkrEFCg7oJiqvADtrhPYwz1jcKiTzdL6936POnrKv6Pcq5
-yhCu+cJ9avWUhCuk41tIX0SI7hl0Lm2KtP8jfyBepWc6Lq8E0xVOmwqQtf0flddu
-g8RfuHFTscl8wnyMSGLWa4Ps+Ihu1zsis7bSfGZjdHbxQT382VxemfkzE6FNGTZM
-4CtafhvF3ZuxjIrx658pCA34JSiKe/4Zlm/c3wIDAQABAoIBAES3k3+FBg1299aD
-8n55LsKt9q6NCUr5uQzvGsNSSYgfjaFpcNnCm30ev8CCPISRadjcoWAqj+cvIPxb
-Druu54l6wp6vbAKufFr5NL8gRjZxDlw5xLxEN/c2OBZovruTyCe0xsp7altXSlL0
-cXPc19Wjj/mTYPM5H42XxME2Yl53xUPi8OKrnZzyEJjrcdLeq8a4yusjdJOidW6O
-wXkk/cDvtMeZZWEEu4nBL3vnU7hXvdF90crwNYqScd1lWIriqjfKhEpAvyrlASSW
-tqURkbw0WIYas+jSexLV/bqmgPydsOHJ15TXKtIYUejpPKB5WEdiMECc286fMLCx
-ogVGoZECgYEA/z/bl2/+El3smoEgNv2xpQIyXgKKp19figxm9xJIqbAcN66JAn1R
-EiOFiEy5o33q6Yz1sZ5/n4e3zoj8HiVZHNqkpBtuleZJJ7XBM/NcUH+OUrke+tlV
-q7arNlx9uN6liGp9SfJwKYtUSH13Z3O7sEAt7OX+mzWj527zDROZQHMCgYEA1QjM
-bFkZx83Nj4Qklo+GvgJhq0+Vr4hQd/hLZmgGo3dKZ3McXUmM70A0ETOxyp4zzMep
-Hi5wYa/qdtdVi25S38NExqxFO+JbuXrHoM1XyxzQ3DooV1goaKPybJjoB64zmycx
-D+Ni9MEwMsP1X8kxGQr4A1Nh37sm2hAhWoZCcuUCgYEA7oGG+SyGpjbpfT2nEntf
-4SX6VmndkaPGrEIGfFuzVgvfchA+qfrbJC3Y+pFm7WQde3phokTOUA0LLYxGuQyB
-BjsvmMChRqRWOyrUi2ydGAL4xEeCsTcfnEImHbezKmmxF5UZ2V0WfVtZuBq01hAI
-kxqFT1Vh4TnwG7NKnS9xBg0CgYBouXeMt8xlnXU03PgDj7DkTVVoGqpx7Ofp4gRm
-5jKFP0ozSrIh5dtDbeNqpWf8PAMo4unvLVMPoqP3IeoqreRNnbd8lwk95AvFRWdH
-VEqZTaQa7vgP4AWVUysEWbKOvAMgfYav0c8+lI22FwDTwprBPdQoBmBx1JXH0vAi
-iSe3RQKBgQCPutMegWA+vLupD12XWdde3M5hi4Cd/PxcvJwJrUSjjwlbkHr8EAkZ
-3MXK9o+1Ssj4Ipf1T7VUfdE5uaFJjGLLiPmMAoHbqqPo/0nnsk5JCqJuagmMup0O
-rOQmrvbbDLRXndhb3YeoCtehTiONTMzW+dsdbCrrdnx5AzV4Akwlqw==
------END RSA PRIVATE KEY-----

files/opendsa/.ssh/id_rsa.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUaOeGx64eJl0imjm+mfyeFf3hkbw9LksWDLLTdVlCKALo1IkbQd5VXk+iIk2yKwOHbnV3/nSQAs2k0K6IBmoEbDxK4rEht6/wziEvLLcgwsr1+tgCnpx5+iXGrl39kTPjqSSsQUKDugmKq8AO2uE9jDPWNwqJPN0vr3fo86esq/o9yrnKEK75wn1q9ZSEK6TjW0hfRIjuGXQubYq0/yN/IF6lZzourwTTFU6bCpC1/R+V126DxF+4cVOxyXzCfIxIYtZrg+z4iG7XOyKzttJ8ZmN0dvFBPfzZXF6Z+TMToU0ZNkzgK1p+G8Xdm7GMivHrnykIDfglKIp7/hmWb9zf opendsa@aes-devel.edu.liu.se

files/opendsa/.ssh/known_hosts

-gitlab.ida.liu.se,130.236.180.82 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAYihlTjGKAun+fT/4v1c7zW0+HmsniwuuxWMmHM+/Y1RK/31DyxV+oLpiACP+2cR/FJ5Ab2wGai4sgnrZqY+yDHHZFbTAThqXylJmIvm57U1J8yL1ayOJe7wQNwan13rmEfzBjrNCxn/aFcvwLutZx+sRsYYfFnGhLeULbaoIeysXm+qufL2TQib+GJzanL6uksiccJ9RiWVg7YewzsdP23DzBSZBJobggaX5bIGzVp2omwe0F4X0YgMZvUHBNWJRjbit56c92jirmLaHJNvl3J+xSIty1XaCp/0kg5Ws8jRV9iGDXRafPPcWn2T8p1S4vIYsAD6QH9Ec6hAKT9qn

files/opendsa/on_update.sh

+#!/bin/bash
+
+# This file is called whenever the OpenDSA repo was updated. This means we should re-check
+# the requirements.txt file and restart the service.
+
+# Note: This file is executed as root, so we drop back to the opendsa user before starting pip.
+
+update_pip_fn=$(cat <<'EOF'
+cd
+python3 -m pip install --user -r OpenDSA/server/requirements.txt
+
+# Initialize the DB if required.
+if [[ ! -f OpenDSA/server/openDSA.db ]]
+then
+    cd OpenDSA/server/
+    ./main.py init_db
+fi
+EOF
+)
+
+# Run PIP as OpenDSA.
+sudo --user opendsa --group opendsa --set-home -- bash -c "$update_pip_fn"
+
+# Then, we can restart the service.
+systemctl service restart opendsa.service

files/squid/helpers/rules.d/opendsa.rules

@@ -2,6 +2,8 @@
 
 // ^.* false
 
+^https?://www\.ida\.liu\.se/edu/ugrad/datortenta/OpenDSA/Books/TDDD86_200317/.*  true
+
 ^https?://www\.ida\.liu\.se/edu/ugrad/datortenta/OpenDSA/Books/.*                false
 ^https?://www\.ida\.liu\.se/edu/ugrad/datortenta/OpenDSA/lib/.*                  true
 ^https?://www\.ida\.liu\.se/edu/ugrad/datortenta/OpenDSA/JSAV/.*                 true

files/update_repo.sh

+#!/bin/bash
+
+# Keep a Git repository updated. Optionally execute a command whenever it has been updated in order
+# to trigger further processing of some kind (e.g. restarting services).
+
+# The command is called as follows:
+# update_repo.sh <destination path> <source repo> <source branch>
+
+# If REPO_ON_UPDATE is set, then that command will be executed whenever the repo is created and/or
+# updated to a new revision. This can be used to trigger further processing of some sort, such as
+# compiling the contained source and/or restarting system services as appropriate.
+
+# This script is designed to be executed as a privillegied user so that the update command could do
+# privillegied operations. Thus, the git commands will be isolated to a user as described by
+# REPO_USER and REPO_GROUP, if they are is set. It is, of course, also possible to just run this
+# script as a regular user without setting REPO_USER.
+
+
+# "function" that keeps the repo updated. Returns 0 if nothing was done, 100 if the repo was updated,
+# and something else on some kind of error. This function will be executed as the user indicated in
+# the environment variables.
+# I'm sorry for this thing... Turns out that sudo does not allow passing bash functions as environment
+# variables, so I simply pass the entire "function" to Bash as a string.
+update_repo_fn=$(cat <<'EOF'
+if [[ ! -d "$repo_path" ]]
+then
+    # Does not exist. We need to checkout the repository.
+    git clone --single-branch --branch "$repo_branch" "$repo_source" "$repo_path" || exit 1
+    exit 100
+else
+    # It does exist. Make sure it is updated.
+    cd "$repo_path"
+    old_sha=$(git rev-parse HEAD)
+    git fetch -f "$repo_source" "$repo_branch":remotes/origin/"$repo_branch" || exit 1
+    new_sha=$(git rev-parse remotes/origin/"$repo_branch")
+    if [[ "$old_sha" == "$new_sha" ]]
+    then
+	# They are the same, we don't need to do anything.
+	exit 0
+    else
+	# They differ. Check out the new revision.
+	git checkout -f "$new_sha" || exit 1
+	git branch -f "$repo_branch" "$new_sha" || exit 1
+	# This is not strictly necessary, but it makes it look like we have the correct branch
+	# checked out. Good if someone inspects the repo at a later time.
+	git checkout -f "$repo_branch" || exit 1
+	exit 100
+    fi
+fi
+EOF
+)
+
+# Check for enough parameters.
+if [[ "$#" < 3 ]]
+then
+    echo "Not enough parameters."
+    echo "Usage: update_repo.sh <path> <source> <branch>"
+    exit 2
+fi
+
+# Setup variables for calling "update_repo"...
+repo_path="$1"
+repo_source="$2"
+repo_branch="$3"
+
+export repo_path repo_source repo_branch
+
+if [[ -z "$REPO_USER" ]]
+then
+    # Just run it in a subshell
+    bash -c "$update_repo_fn"
+else
+    # Perhaps group was not supplied.
+    if [[ -z "$REPO_GROUP" ]]
+    then
+	REPO_GROUP="$REPO_USER"
+    fi
+    sudo --preserve-env=repo_path,repo_source,repo_branch,update_repo --set-home --user="$REPO_USER" --group="$REPO_GROUP" -- bash -c "$update_repo_fn"
+fi
+# Note: We cannot put any commands between the if-statement and here. We need the result code from
+# invoking bash, which is the last command in both the if- and else- branches.
+result="$?"
+if [[ $result == 0 ]]
+then
+    # All is well, nothing needed to be done.
+    exit 0
+elif [[ $result == 100 ]]
+then
+    # All is well, but we need to tell the environment that we updated the repo.
+    if [[ ! -z "$REPO_ON_UPDATE" ]]
+    then
+	# Run it if it is there.
+	eval "$REPO_ON_UPDATE"
+    fi
+    exit 0
+else
+    # Something went awry, forward the exit code.
+    exit $result
+fi

manifests/aes_sw.pp

@@ -91,39 +91,15 @@ class aes::aes_sw {
     ensure => "running",
   }
 
-  file { "${examadm_home}/.ssh/known_hosts":
-    ensure => present,
-    owner  => "${examadm_user}",
-    group  => "${examadm_group}",
-    mode => '0644',
-    content => @(KNOWNHOST)
-    gitlab.liu.se,2001:6b0:17:f003::44 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF3yWjkuKo7f3OH4BhGwcd71lkWZqdyk7cxOCn5exPoqLldt2OfbhEA7lM+89Gr/AqRbHlbrS1M8An7j4Lj77hc=
-    | KNOWNHOST
-  }
-
-  exec { 'script-repo-clone':
-# TODO
-# git config user.name "aes-devel.edu.liu.se"
-# git config user.email "klas.arvidsson@liu.se"
-    command => '/usr/bin/git clone --quiet --single-branch --branch master --depth 1 git@gitlab.liu.se:examadm/scripts.git',
+  exec { 'script-repo-updated':
+    command => "/opt/utils/update_repo.sh ${examadm_home}/scripts https://oauth2:iAyewr9Jq5E-tnsVrmbj@gitlab.liu.se/examadm/scripts.git master",
     cwd => "${examadm_home}",
-    creates => "${examadm_home}/scripts",
     user => "${examadm_user}",
     group => "${examadm_group}",
-    require => File["${examadm_home}/.ssh/known_hosts"],
   }
 
   schedule { 'everyday':
     period => daily,
     range => '01:00 - 04:00',
   }
-
-  exec { 'script-repo-pull':
-    cwd => "${examadm_home}", # 'cwd' is set before 'onlyif' and 'command'
-    onlyif => "/usr/bin/test -d scripts/.git",
-    command => "/usr/bin/git --git-dir scripts/.git --work-tree scripts pull --depth 1",
-    user => "${examadm_user}",
-    group => "${examadm_group}",
-#    schedule => 'everyday',
-  }
 }

manifests/auth.pp

+class aes::auth {
+
+  $auth_user = auth
+  $auth_group = "${auth_user}"
+  $auth_home = "/srv/${auth_user}"
+  $auth_service = "aes_auth"
+
+  # Note: We rely on Boost being installed by the broker. It seems Puppet does not like
+  # that we specify "boost" multiple times, even though it would look nice, modularity-wise
+  # since both the auth server and the broker requires boost.
+  package {
+    [
+	'krb5-libs',
+	'krb5-devel',
+    ]:
+      ensure => installed,
+  }
+
+  user { "${auth_user}" :
+    ensure => present,
+    home => "${auth_home}",
+    comment => 'Authentication server for AES',
+    managehome => false,
+    membership => inclusive,
+    system => true,
+    shell => '/sbin/nologin',
+  }
+
+  file { "${auth_home}" :
+    ensure => directory,
+    owner => "${auth_user}",
+    group => "${auth_group}",
+    mode => '0755',
+  }
+
+  file { "/etc/systemd/system/${auth_service}.service" :
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => '0644',
+    source => "puppet:///modules/${module_name}/auth/auth.service",
+  }
+
+  file { "${auth_home}/on_update.sh" :
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => '0700',
+    source => "puppet:///modules/${module_name}/auth/on_update.sh",
+  }
+
+  file { "${auth_home}/config.json" :
+    ensure => present,
+    owner  => auth,
+    group  => auth,
+    mode   => '0644',
+    source => "puppet:///modules/${module_name}/auth/config.json",
+  }
+
+  file { "${auth_home}/start.sh" :
+    ensure => present,
+    owner  => auth,
+    group  => auth,
+    mode   => '0755',
+    source => "puppet:///modules/${module_name}/auth/start.sh",
+  }
+
+  exec { 'update-auth-repo' :
+    command => "/opt/utils/update_repo.sh ${auth_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git production",
+    environment => [ "REPO_USER=${auth_user}", "REPO_GROUP=${auth_group}", "REPO_ON_UPDATE=${auth_home}/on_update.sh" ],
+    # This command will need to run "on_update" as root in order to restart the service.
+    user => root,
+    group => root,
+    cwd => "${auth_home}",
+    require => File["${auth_home}/on_update.sh"],
+  }
+
+  service { "${auth_service}" : 
+    ensure => "running",
+  }
+
+}
\ No newline at end of file

manifests/aes_broker.pp → manifests/broker.pp

-class aes::aes_broker {
+class aes::broker {
 
   $broker_user = broker
   $broker_group = "${broker_user}"
   $broker_home = "/srv/${broker_user}"
-  $broker_service = "${broker_user}"
+  $broker_service = "aes_broker"
 
   # Sadly, it does not seem like we can only install asio, so we need
   # to install the Boost as a whole.
@@ -14,15 +14,13 @@ class aes::aes_broker {
     [
 	'boost',
 	'boost-devel',
-	'krb5-libs',
-	'krb5-devel',
     ]:
       ensure => installed,
   }
 
   user { "${broker_user}" :
     ensure => present,
-    home => "${broker_user}",
+    home => "${broker_home}",
     comment => 'Message broker for AES',
     managehome => false,
     membership => inclusive,
@@ -37,7 +35,34 @@ class aes::aes_broker {
     mode => '0755',
   }
 
-  # TODO: We still need to download the source from Git as needed and update the broker and auth service.
-  # To compile the broker, we need to do "source /opt/rh/devtoolset-7/enable" first. Otherwise, we will not get a good enough GCC.
+  file { "/etc/systemd/system/${broker_service}.service" :
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => '0644',
+    source => "puppet:///modules/${module_name}/broker/broker.service",
+  }
+
+  file { "${broker_home}/on_update.sh" :
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => '0700',
+    source => "puppet:///modules/${module_name}/broker/on_update.sh",
+  }
+
+  exec { 'update-broker-repo' :
+    command => "/opt/utils/update_repo.sh ${broker_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git production",
+    environment => [ "REPO_USER=${broker_user}", "REPO_GROUP=${broker_group}", "REPO_ON_UPDATE=${broker_home}/on_update.sh" ],
+    # This command will need to run "on_update" as root in order to restart the service.
+    user => root,
+    group => root,
+    cwd => "${broker_home}",
+    require => File["${broker_home}/on_update.sh"],
+  }
+
+  service { "${broker_service}" : 
+    ensure => "running",
+  }
 
-}
+}
\ No newline at end of file

manifests/init.pp

@@ -5,6 +5,7 @@ class aes {
   include aes::squid_filter
   include aes::latex
   include aes::broker
+  include aes::auth
   include ::liurepo::centos_sclo_rh
 
   package {
@@ -32,6 +33,30 @@ class aes {
     content => file("${module_name}/anacrontab"),
   }
 
+  # File for updating repositories.
+  file { '/opt/utils':
+    ensure  => directory,
+    mode    => '0755',
+    owner   => root,
+    group   => root,
+  }
+  file { '/opt/utils/update_repo.sh':
+    ensure  => file,
+    mode    => '0755',
+    owner   => root,
+    group   => root,
+    content => file("${module_name}/update_repo.sh"),
+  }
+
+  # File to easily see when Puppet was last executed.
+  # Ideally, we would like to know if it is devel or production as well.
+  exec { '/usr/bin/touch /var/last_puppet_run' : 
+    cwd => "/var",
+    creates => "/var/last_puppet_run",
+    user => root,
+    group => root,
+  }
+
   ::users::liu_user { 'klaar36':
     commonname => 'Klas Arvidsson',
     shell      => '/bin/bash',
@@ -68,14 +93,14 @@ class aes {
     service sclogin is tcp/23431
     service aesmsi is tcp/23816
     service aesmso is tcp/23817
-#    service opendsa is tcp/12000
+    service aesbroker is tcp/31337
 
     policy chain INPUT is
       accept service:squid from class:liu-nets
       accept service:sclogin from class:liu-nets
       accept service:aesmsi from class:liu-nets
       accept service:aesmso from class:liu-nets
-#      accept service:opendsa from class:liu-nets
+      accept service:aesbroker from class:liu-nets
     end policy
     |-EOF
   }

manifests/opendsa.pp

@@ -22,40 +22,31 @@ class aes::opendsa {
     mode => '0755',
   }
 
-  file { "${opendsa_home}/.ssh":
-    ensure => directory,
-    recurse => true,
-  # Is modes copied correctly by "recurse" option above? NO, but works
-  # chmod 0700 .ssh/id_rsa
-  # chmod 0744 .ssh/id_rsa.pub .ssh/known_hosts
-    purge => true,
-    force => true,
-    owner  => "${opendsa_user}",
-    group  => "${opendsa_group}",
-    mode => '0700',
-    source => "puppet:///modules/${module_name}/opendsa/.ssh",
+  # This file will be executed as root, which is why we don't let anyone but root examine it.
+  file { "${opendsa_home}/on_update.sh":
+    ensure => present,
+    owner => root,
+    group => root,
+    mode  => '0700',
+    source => "puppet:///modules/${module_name}/opendsa/on_update.sh",
   }
 
-  exec { '/usr/bin/git clone --single-branch --branch exam git@gitlab.ida.liu.se:filst04/OpenDSA.git' : 
-    cwd => "${opendsa_home}",
-    creates => "${opendsa_home}/OpenDSA",
-    user => "${opendsa_user}",
-    group => "${opendsa_group}",
+  file { "/etc/systemd/system/${opendsa_service}.service":
+    ensure => present,
+    owner  => root,
+    group  => root,
+    mode   => '0644',
+    source => "puppet:///modules/${module_name}/opendsa/opendsa.service",
   }
 
- # Will this work? DANGEROUS, need service restart! Not needed.
-  # exec { '/usr/bin/git pull' : 
-  #   cwd => "${opendsa_home}/OpenDSA",
-  #   onlyif => "/bin/test -d ${opendsa_home}/OpenDSA/.git",
-  #   user => "${opendsa_user}",
-  #   group => "${opendsa_group}",
-  # }
-
- # Install python packets. Can this be run several times safely? (Idempotent?) YES
-  exec { '/usr/bin/python3 -m pip install --user -r OpenDSA/server/requirements.txt' : 
+  exec { 'update-repo':
+    command => "/opt/utils/update_repo.sh ${opendsa_home}/OpenDSA https://oauth2:taNPRZid9Hv6jJtdW_T8@gitlab.liu.se/opendsa/OpenDSA.git exam",
+    environment => [ "REPO_USER=${opendsa_user}", "REPO_GROUP=${opendsa_group}", "REPO_ON_UPDATE=${opendsa_home}/on_update.sh" ],
+    # This command will need to run "on_update" as root in order to restart the service.
+    user => root,
+    group => root,
     cwd => "${opendsa_home}",
-    user => "${opendsa_user}",
-    group => "${opendsa_group}",
+    require => File["${opendsa_home}/on_update.sh"],
   }
 
   file { "${opendsa_home}/manage.sh":
@@ -66,21 +57,6 @@ class aes::opendsa {
     source => "puppet:///modules/${module_name}/opendsa/manage.sh",
   }
 
-  exec { "${opendsa_home}/OpenDSA/server/main.py init_db" : 
-    cwd => "${opendsa_home}/OpenDSA/server/",
-    creates => "${opendsa_home}/OpenDSA/server/openDSA.db",
-    user => "${opendsa_user}",
-    group => "${opendsa_group}",
-  }
-
-  file { "/etc/systemd/system/${opendsa_service}.service":
-    ensure => present,
-    owner  => root,
-    group  => root,
-    mode => '0644',
-    source => "puppet:///modules/${module_name}/opendsa/opendsa.service",
-  }
-
  # Do we need port 12000 open? NO
   service { "${opendsa_service}" : 
     ensure => "running",

validate.sh

@@ -9,5 +9,6 @@ puppet parser validate --strict_variables --modulepath="$modulepath" manifests/
 for file in $*
 do
     class=$(basename $file .pp)
-    puppet apply --noop --test --modulepath="$modulepath" -e "include aes::$class"
+    # Sudo is needed for modules that do something with yum for example.
+    sudo /opt/puppetlabs/bin/puppet apply --noop --test --modulepath="$modulepath" -e "include aes::$class"
 done