deployment: ship /var/lib/jenkins/config.xml and user jenkins-debian-glue with custom password

Avoid that the user gets a fully open Jenkins system. User can set custom password for user jenkins-debian-glue now.
10 years ago · f85d9b4661
2 changed files with 119 additions and 7 deletions
--- a/puppet/apply.sh
+++ b/puppet/apply.sh
@ -1,16 +1,56 @@
 #!/bin/bash

-date
+start_seconds=$(cut -d . -f 1 /proc/uptime)
+[ -n "$start_seconds" ] && SECONDS="$[$(cut -d . -f 1 /proc/uptime)-$start_seconds]" || SECONDS="unknown"

-if ! [ -r jenkins_debian_glue.pp ] ; then
-  # support executing custom jenkins_debian_glue.pp
-  if [ -n "$1" ] ; then
-    wget -O jenkins_debian_glue.pp --no-check-certificate "$1"
+if [ -r /var/lib/jenkins/config.xml ] ; then
+  echo "Configuration file /var/lib/jenkins/config.xml exists already." >&2
+  echo "Exiting to avoid possible data loss." >&2
+  exit 1
+fi
+
+if [ $# -lt 1 ] ; then
+  echo "Usage: $0 <password> [<http://path/to/some/puppetfile.pp>]" >&2
+  exit 1
+fi
+
+PASSWORD_HASH=$(echo -n "${1}{jenkins-debian-glue}" | sha256sum | awk '{print $1}')
+
+if [ -z "$PASSWORD_HASH" ] ; then
+  echo "Error calculating password hash. :(" >&2
+  exit 1
+fi
+
+if [ -n "$2" ] ; then
+  if [ -r jenkins_debian_glue.pp ] ; then
+    echo "Error: file jenkins_debian_glue.pp exists already. Exiting to avoid possible data loss." >&2
+    exit 1
  else
+    echo "Retrieving $2 and storing as jenkins_debian_glue.pp"
+    wget -O jenkins_debian_glue.pp --no-check-certificate "$2"
+  fi
+else
+  if ! [ -r jenkins_debian_glue.pp ] ; then
    wget --no-check-certificate https://raw.github.com/mika/jenkins-debian-glue/master/puppet/jenkins_debian_glue.pp
  fi
 fi

+if ! grep -q PASSWORD_HASH_TO_BE_ADJUSTED jenkins_debian_glue.pp ; then
+  echo "################################################################################"
+  echo "Warning: string PASSWORD_HASH_TO_BE_ADJUSTED not found in jenkins_debian_glue.pp"
+  echo "Notice that rerunning $0 with a different password might not work as expected."
+  echo "To make sure adjusting the password works please execute:
+
+  rm jenkins_debian_glue.pp
+  $0 <your_password> https://raw.github.com/mika/jenkins-debian-glue/master/puppet/jenkins_debian_glue.pp"
+  echo
+  echo "################################################################################"
+else
+  printf "Adjusting password in jenkins_debian_glue.pp: "
+  sed -i "s/PASSWORD_HASH_TO_BE_ADJUSTED/$PASSWORD_HASH/" jenkins_debian_glue.pp || exit 1
+  echo OK
+fi
+
 if ! [ -r jenkins_debian_glue.pp ] ; then
  echo "Error: can not find jenkins_debian_glue.pp." >&2
  echo "Either manually grab https://raw.github.com/mika/jenkins-debian-glue/master/puppet/jenkins_debian_glue.pp" >&2
@ -39,12 +79,12 @@ $IP $(hostname).example.org $(hostname)
 fi

 if puppet apply jenkins_debian_glue.pp ; then
-  echo "jenkins-debian-glue deployment finished. \o/"
+  [ -n "$start_seconds" ] && SECONDS="$[$(cut -d . -f 1 /proc/uptime)-$start_seconds]" || SECONDS="unknown"
+  echo "jenkins-debian-glue deployment finished after ${SECONDS} seconds."
 else
  echo "Fatal error during puppet run. :(" >&2
  exit 1
 fi

-date

 echo "Now point your browser to http://${IP}:8080"
--- a/puppet/jenkins_debian_glue.pp
+++ b/puppet/jenkins_debian_glue.pp
@ -351,6 +351,78 @@ class jenkins::config {
    <runSequentially>true</runSequentially>
  </executionStrategy>
 </matrix-project>
+"
+  }
+
+  file { '/var/lib/jenkins/config.xml':
+    ensure  => present,
+    mode    => '0644',
+    owner   => 'jenkins',
+    require => Package['jenkins'],
+    notify  => Service['jenkins'],
+    content => "<?xml version='1.0' encoding='UTF-8'?>
+<hudson>
+  <useSecurity>true</useSecurity>
+  <authorizationStrategy class='hudson.security.FullControlOnceLoggedInAuthorizationStrategy'/>
+  <securityRealm class='hudson.security.HudsonPrivateSecurityRealm'>
+    <disableSignup>true</disableSignup>
+    <enableCaptcha>false</enableCaptcha>
+  </securityRealm>
+  <systemMessage>&lt;h1&gt;&lt;a href=&quot;http://jenkins-debian-glue.org/&quot;&gt;jenkins-debian-glue&lt;/a&gt; Continuous Integration labs&lt;/h1&gt;</systemMessage>
+</hudson>
+"
+  }
+
+  file { '/var/lib/jenkins/users/':
+    ensure  => directory,
+    mode    => '0755',
+    owner   => 'jenkins',
+    require => Package['jenkins'],
+  }
+
+  file { '/var/lib/jenkins/users/jenkins-debian-glue/':
+    ensure  => directory,
+    mode    => '0755',
+    owner   => 'jenkins',
+    require => File['/var/lib/jenkins/users/'],
+  }
+
+  # PASSWORD_HASH will be adjusted by jenkins-debian-glue's apply.sh script
+  file { '/var/lib/jenkins/users/jenkins-debian-glue/config.xml':
+    ensure       => present,
+    mode         => '0644',
+    owner        => 'jenkins',
+    require      => File['/var/lib/jenkins/users/jenkins-debian-glue/'],
+    notify       => Service['jenkins'],
+    content      => "<?xml version='1.0' encoding='UTF-8'?>
+<user>
+  <fullName>Jenkins Debian Glue</fullName>
+  <properties>
+    <jenkins.security.ApiTokenProperty>
+      <apiToken>R5A9eoSreMtS3iYuvmCyrIJ1q3DQGGquBgkr7sJapuYNPLWvy5cfaT6EOAnb10kY</apiToken>
+    </jenkins.security.ApiTokenProperty>
+    <hudson.model.MyViewsProperty>
+      <views>
+        <hudson.model.AllView>
+          <owner class='hudson.model.MyViewsProperty' reference='../../..'/>
+          <name>All</name>
+          <filterExecutors>false</filterExecutors>
+          <filterQueue>false</filterQueue>
+          <properties class='hudson.model.View$PropertyList'/>
+        </hudson.model.AllView>
+      </views>
+    </hudson.model.MyViewsProperty>
+    <hudson.search.UserSearchProperty>
+      <insensitiveSearch>false</insensitiveSearch>
+    </hudson.search.UserSearchProperty>
+    <hudson.security.HudsonPrivateSecurityRealm_-Details>
+      <passwordHash>jenkins-debian-glue:PASSWORD_HASH_TO_BE_ADJUSTED</passwordHash>
+    </hudson.security.HudsonPrivateSecurityRealm_-Details>
+    <hudson.tasks.Mailer_-UserProperty>
+      <emailAddress>jenkins@example.org</emailAddress>
+    </hudson.tasks.Mailer_-UserProperty>
+  </properties>
+</user>
 "
  }
 }