new cookbook: fb_sasl (facebook#284)

Summary:
A pretty simple cookbook to setup SASL.

Signed-off-by: Phil Dibowitz <phil@ipom.com>

Pull Request resolved: facebook#284

Differential Revision: D70207096

fbshipit-source-id: 96d065d461c4c80c14163adac8d07b6bf476ca45

Author: jaymzh

cookbooks/fb_sasl/README.md

@@ -0,0 +1,61 @@
+fb_sasl Cookbook
+================
+
+Requirements
+------------
+
+Attributes
+----------
+* node['fb_sasl']['enable_saslauthd']
+* node['fb_sasl']['manage_packages']
+* node['fb_sasl']['modules']
+* node['fb_sasl']['sysconfig']
+
+Usage
+-----
+
+### Packages
+
+By default, this cookbook will install relevant SASL packages. To disable this,
+set `node['fb_sasl']['enable_saslauthd']` to `false`.
+
+By default this cookbook installs on the basic SASL package for your distro. If
+you need additional modules, you can add them to `node['fb_sasl']['modules']`
+and the additional packages will be installed. Note that this configuration is
+used to build the package name, so it may be distribution dependent. Here's an
+example:
+
+```ruby
+node.default['fb_sasl']['modules'] << 'ldap'
+```
+
+This will add `libsasl2-modules-ldap` to the list of packages to install on
+Debian-like distros while on Fedora-like distros it'll add `cyrus-sasl-ldap`.
+
+### saslauthd
+
+Most simple configurations do not require running `saslauthd`, and as such, the
+default in this cookbook is to disable it. You can enable it by setting
+`node['fb_sasl']['enable_saslauthd']` to `true`.
+
+Note that while Debian-like distros have support for running multiple
+instances, this cookbook does not support such a configuration. Only the
+default single-instance is supported by this cookbook.
+
+### sysconfig
+
+`saslauthd` does not have a configuration file and it's configuration is
+specified by options passed to it, and those options are controlled in the
+sysconfig file.
+
+You can specify the various configs via `node['fb_sasl']['sysconfig']`, but you
+should check the documentation for your distro, as they options are different,
+for example, `mech` vs. `mechanism`. We have provided appropriate defaults that
+are valid for each distro.
+
+There are two important things to remember about setting `sysconfig`:
+
+* Use **lowercase** for the keys. We will upcase them when we generate the
+  file, but using all lowercase ensures no conflicts.
+* Do **not** specify `start` (for those of you on Debian-like distros). We
+  will set this based on `node['fb_sasl']['enable_saslauthd']`.

cookbooks/fb_sasl/attributes/default.rb

@@ -0,0 +1,48 @@
+#
+# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+#
+# Copyright (c) 2025-present, Meta Platforms, Inc.
+# Copyright (c) 2025-present, Phil Dibowitz
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# because the attributes file is consumed in the node context,
+# 'debian?' will be fb_helper's node.debian? which is not what we
+# want, so specify full path
+if fedora_derived?
+  sysconfig = {
+    'socketdir' => '/run/saslauthd',
+    'mech' => 'pam',
+    'flags' => '',
+  }
+elsif ChefUtils.debian?
+  sysconfig = {
+    'desc' => 'SASL Authentication Daemon',
+    'name' => 'saslauthd',
+    'mechanisms' => 'pam',
+    'mech_options' => '',
+    'threads' => 5,
+    'options' => '-c -m /var/run/saslauthd',
+  }
+else
+  fail "fb_sasl: Unknown platform_family: #{node['platform_family']}"
+end
+
+default['fb_sasl'] = {
+  'manage_packages' => true,
+  'modules' => [],
+  'enable_saslauthd' => false,
+  'sysconfig' => sysconfig,
+}

cookbooks/fb_sasl/metadata.rb

@@ -0,0 +1,6 @@
+name 'fb_sasl'
+maintainer 'Meta Platforms, Inc.'
+maintainer_email 'noreply@meta.com'
+license 'Apache-2.0'
+description 'Installs/Configures Cyrus SASL'
+version '0.1.0'

cookbooks/fb_sasl/recipes/default.rb

@@ -0,0 +1,76 @@
+#
+# Cookbook:: fb_sasl
+# Recipe:: default
+#
+# Copyright (c) 2025-present, Meta Platforms, Inc.
+# Copyright (c) 2025-present, Phil Dibowitz
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+if fedora_derived?
+  packages = %w{cyrus-sasl}
+  modules_package_prefix = 'cyrus-sasl'
+  sysconfig_path = '/etc/sysconfig/saslauthd'
+elsif debian?
+  packages = %w{sasl2-bin}
+  modules_package_prefix = 'libsasl2-modules'
+  sysconfig_path = '/etc/default/saslauthd'
+else
+  fail "fb_sasl: Unknown platform_family: #{node['platform_family']}"
+end
+
+package 'sasl packages' do
+  only_if { node['fb_sasl']['manage_packages'] }
+  package_name lazy {
+    packages + node['fb_sasl']['modules'].map do |mod|
+      "#{modules_package_prefix}-#{mod}"
+    end
+  }
+  action :upgrade
+  notifies :restart, 'service[saslauthd]'
+end
+
+whyrun_safe_ruby_block 'validate config' do
+  block do
+    node['fb_sasl']['sysconfig'].each_key do |key|
+      if key != key.downcase
+        fail "fb_sasl: invalid casing for key #{key} - please use downcase"
+      end
+      if key == 'start'
+        fail 'fb_sasl: do not specify "start" in sysconfig, use ' +
+          'enable_saslauthd instead'
+      end
+    end
+  end
+end
+
+template sysconfig_path do
+  source 'sysconfig.erb'
+  owner node.root_user
+  group node.root_group
+  mode '0644'
+  notifies :restart, 'service[saslauthd]'
+end
+
+service 'saslauthd' do
+  only_if { node['fb_sasl']['enable_saslauthd'] }
+  action [:enable, :start]
+end
+
+service 'disable saslauthd' do
+  not_if { node['fb_sasl']['enable_saslauthd'] }
+  service_name 'saslauthd'
+  action [:stop, :disable]
+end

cookbooks/fb_sasl/templates/sysconfig.erb

@@ -0,0 +1,5 @@
+# This file is controlled by Chef, do not modify!
+START="<%= node['fb_sasl']['enable_saslauthd'] ? 'yes' : 'no' %>"
+<% node['fb_sasl']['sysconfig'].each do |key, val| %>
+<%=  key.upcase %>="<%= val %>"
+<% end %>

cookbooks/test_services/metadata.rb

@@ -13,6 +13,7 @@
 depends 'fb_ejabberd'
 depends 'fb_influxdb'
 depends 'fb_reprepro'
+depends 'fb_sasl'
 depends 'fb_smokeping'
 depends 'fb_spamassassin'
 depends 'fb_vsftpd'

cookbooks/test_services/recipes/default.rb

@@ -18,6 +18,7 @@
 # limitations under the License.
 #
 
+include_recipe 'fb_sasl'
 include_recipe 'fb_bind'
 
 # Currently fb_vsftpd is broken on debian