{"host": "alert1002.wikimedia.org", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 9571, "only_in_self": ["File[/var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org/]", "Monitoring::Service[https-requestctl.wikimedia.org-expiry]", "Monitoring::Service[https-requestctl.wikimedia.org-unauthorized]", "Nagios_service[alert1002 https-requestctl.wikimedia.org-expiry]", "Nagios_service[alert1002 https-requestctl.wikimedia.org-unauthorized]", "Profile::Idp::Client::Httpd::Site[requestctl.wikimedia.org]"], "only_in_other": [], "resource_diffs": [{"resource": "Httpd::Conf[requestctl.wikimedia.org]"}, {"resource": "Profile::Idp::Client::Httpd::Site[requestctl.wikimedia.org]", "parameters": "--- Profile::Idp::Client::Httpd::Site[requestctl.wikimedia.org].orig\n+++ Profile::Idp::Client::Httpd::Site[requestctl.wikimedia.org]\n\n-    attribute_delimiter  => :\n-    enable_slo           => True\n-    protected_uri        => /\n-    environment          => production\n-    vhost_settings       => {'proxy_pass': 'http://localhost:8080'}\n-    debug                => False\n-    validate_saml        => False\n-    enable_monitor       => True\n-    session_idle_timeout => 3600\n-    virtual_host         => requestctl.wikimedia.org\n-    cookie_same_site     => Lax\n-    vhost_content        => profile/conftool/httpd-hiddenparma.conf.erb\n-    session_timeout      => 7200\n-    cookie_scope         => /\n-    require              => ['Acme_chief::Cert[icinga]']\n-    authn_header         => CAS-User\n-    required_groups      => ['cn=ops,ou=groups,dc=wikimedia,dc=org', 'cn=wmf,ou=groups,dc=wikimedia,dc=org']\n-    attribute_prefix     => X-CAS-\n-    priority             => 50\n-    server_aliases       => []\n-    document_root        => /var/www\n-    proxied_as_https     => False\n-    cookie_secure        => On\n"}, {"resource": "File[/var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org/]", "parameters": "--- 
File[/var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org/].orig\n+++ File[/var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org/]\n\n-    ensure => directory\n-    owner  => www-data\n-    path   => /var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org\n-    group  => www-data\n"}, {"resource": "Monitoring::Service[https-requestctl.wikimedia.org-expiry]", "parameters": "--- Monitoring::Service[https-requestctl.wikimedia.org-expiry].orig\n+++ Monitoring::Service[https-requestctl.wikimedia.org-expiry]\n\n-    check_command  => check_https_expiry!requestctl.wikimedia.org!443\n-    ensure         => present\n-    retry_interval => 1\n-    check_interval => 1\n-    passive        => False\n-    freshness      => 36000\n-    description    => requestctl.wikimedia.org tls expiry\n-    host           => alert1002\n-    migration_task => T367065\n-    retries        => 3\n-    notes_url      => https://wikitech.wikimedia.org/wiki/CAS-SSO/Administration\n-    config_dir     => /etc/nagios\n-    notify         => Service[icinga]\n-    critical       => False\n"}, {"resource": "Httpd::Site[requestctl.wikimedia.org]", "parameters": "--- Httpd::Site[requestctl.wikimedia.org].orig\n+++ Httpd::Site[requestctl.wikimedia.org]\n\n+    require => ['Acme_chief::Cert[icinga]']\n"}, {"resource": "File[/etc/default/hiddenparma]", "content": "--- /etc/default/hiddenparma.orig\n+++ /etc/default/hiddenparma\n@@ -5,6 +5,12 @@\n CSRF_SHARED_SECRET=\"snakeoil\"\n DATACENTERS=\"eqiad,codfw,esams,ulsfo,eqsin,drmrs,magru\"\n DBSTORE_DSN=\"mariadb+pymysql://lolo:placeholder@m2-master.eqiad.wmnet/requestctl?charset=utf8mb4\"\n+WEB_AUTH_BACKEND=\"native_cas\"\n API_AUTH_BACKEND=\"api_token_from_db\"\n API_ROOT_TOKEN=\"t00r\"\n API_TOKEN_ENCRYPTION_KEY=\"snakeoil\"\n+# Native CAS configuration\n+CAS_SERVER_URL=\"'https://idp.wikimedia.org/login'\"\n+CAS_SERVICE_URL=\"https://requestctl.wikimedia.org/cas/callback\"\n+SESSION_SECRET_KEY=\"a 
secret\"\n+AUTHORIZED_GROUPS=\"cn=ops,ou=groups,dc=wikimedia,dc=org:cn=wmf,ou=groups,dc=wikimedia,dc=org\""}, {"resource": "Class[Profile::Conftool::Hiddenparma]", "parameters": "--- Class[Profile::Conftool::Hiddenparma].orig\n+++ Class[Profile::Conftool::Hiddenparma]\n\n+    session_secret_key => a secret\n"}, {"resource": "Nagios_service[alert1002 https-requestctl.wikimedia.org-unauthorized]", "parameters": "--- Nagios_service[alert1002 https-requestctl.wikimedia.org-unauthorized].orig\n+++ Nagios_service[alert1002 https-requestctl.wikimedia.org-unauthorized]\n\n-    check_command          => check_https_sso_redirect!requestctl.wikimedia.org!/\n-    ensure                 => present\n-    host_name              => alert1002\n-    notification_interval  => 0\n-    check_interval         => 1\n-    passive_checks_enabled => 1\n-    active_checks_enabled  => 1\n-    servicegroups          => alerting_eqiad\n-    service_description    => requestctl.wikimedia.org requires authentication\n-    notes_url              => https://wikitech.wikimedia.org/wiki/CAS-SSO/Administration\n-    notification_period    => 24x7\n-    max_check_attempts     => 3\n-    check_period           => 24x7\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    notifications_enabled  => 1\n-    contact_groups         => admins\n-    notification_options   => c,r,f\n-    check_freshness        => 0\n"}, {"resource": "Nagios_service[alert1002 https-requestctl.wikimedia.org-expiry]", "parameters": "--- Nagios_service[alert1002 https-requestctl.wikimedia.org-expiry].orig\n+++ Nagios_service[alert1002 https-requestctl.wikimedia.org-expiry]\n\n-    check_command          => check_https_expiry!requestctl.wikimedia.org!443\n-    ensure                 => present\n-    host_name              => alert1002\n-    notification_interval  => 0\n-    check_interval         => 1\n-    passive_checks_enabled => 1\n-    active_checks_enabled  => 1\n-    servicegroups          => 
alerting_eqiad\n-    service_description    => requestctl.wikimedia.org tls expiry\n-    notes_url              => https://wikitech.wikimedia.org/wiki/CAS-SSO/Administration\n-    notification_period    => 24x7\n-    max_check_attempts     => 3\n-    check_period           => 24x7\n-    retry_interval         => 1\n-    is_volatile            => 0\n-    notifications_enabled  => 1\n-    contact_groups         => admins\n-    notification_options   => c,r,f\n-    check_freshness        => 0\n"}, {"resource": "Monitoring::Service[https-requestctl.wikimedia.org-unauthorized]", "parameters": "--- Monitoring::Service[https-requestctl.wikimedia.org-unauthorized].orig\n+++ Monitoring::Service[https-requestctl.wikimedia.org-unauthorized]\n\n-    check_command  => check_https_sso_redirect!requestctl.wikimedia.org!/\n-    ensure         => present\n-    retry_interval => 1\n-    check_interval => 1\n-    passive        => False\n-    freshness      => 36000\n-    description    => requestctl.wikimedia.org requires authentication\n-    host           => alert1002\n-    migration_task => T367065\n-    retries        => 3\n-    notes_url      => https://wikitech.wikimedia.org/wiki/CAS-SSO/Administration\n-    config_dir     => /etc/nagios\n-    notify         => Service[icinga]\n-    critical       => False\n"}, {"resource": "File[/etc/apache2/sites-available/50-requestctl-wikimedia-org.conf]", "content": "--- /etc/apache2/sites-available/50-requestctl-wikimedia-org.conf.orig\n+++ /etc/apache2/sites-available/50-requestctl-wikimedia-org.conf\n@@ -22,54 +22,18 @@\n     SSLOpenSSLConfCmd DHParameters \"/etc/ssl/dhparam.pem\"\n     Header always set Strict-Transport-Security \"max-age=106384710; includeSubDomains; preload\"\n \n-    CASLoginURL https://idp.wikimedia.org/login\n-    CASValidateURL https://idp.wikimedia.org/serviceValidate\n-    CASDebug Off\n-    CASVersion 2\n-    CASCertificatePath /etc/ssl/certs\n-    CASCookiePath 
/var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org/\n-    CASAttributePrefix X-CAS-\n-    CASAttributeDelimiter :\n-    CASValidateSAML Off\n-    CASSSOEnabled On\n-    CASCookieSameSite Lax\n-    CASCookieSecure On\n-    CASTimeout 7200\n-    CASIdleTimeout 3600\n-    <Directory />\n-        AllowOverride None\n-        Require all granted\n-    </Directory>\n-\n     <Location />\n-          AuthType CAS\n-          CASAuthNHeader CAS-User\n-          CASScope /\n-          Require cas-attribute memberOf:cn=ops,ou=groups,dc=wikimedia,dc=org\n-          Require cas-attribute memberOf:cn=wmf,ou=groups,dc=wikimedia,dc=org\n         ProxyPass http://localhost:8080/\n         ProxyPassReverse http://localhost:8080/\n     </Location>\n \n     <Location /health_check>\n-        Require all granted\n         Alias /var/www/health_check\n         ProxyPass !\n     </Location>\n \n-    <Location /api>\n-        Require all granted\n-        ProxyPass http://localhost:8080/api\n-        ProxyPassReverse http://localhost:8080/api\n-    </Location>\n-\n     # Static files\n     Alias \"/static\" \"/srv/deployment/hiddenparma/deploy/src/static\"\n-    # Static assets are not protected by the CAS auth\n-    <Directory /srv/deployment/hiddenparma/deploy/src/static\">\n-        AllowOverride None\n-        Require all granted\n-    </Directory>\n \n \n     CustomLog /var/log/apache2/requestctl.wikimedia.org-access.log wmf"}], "perc_changed": "0.18%"}, "core": {"total": 9571, "only_in_self": ["File[/var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org/]", "Nagios_service[alert1002 https-requestctl.wikimedia.org-expiry]", "Nagios_service[alert1002 https-requestctl.wikimedia.org-unauthorized]"], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/default/hiddenparma]", "content": "--- /etc/default/hiddenparma.orig\n+++ /etc/default/hiddenparma\n@@ -5,6 +5,12 @@\n CSRF_SHARED_SECRET=\"snakeoil\"\n DATACENTERS=\"eqiad,codfw,esams,ulsfo,eqsin,drmrs,magru\"\n 
DBSTORE_DSN=\"mariadb+pymysql://lolo:placeholder@m2-master.eqiad.wmnet/requestctl?charset=utf8mb4\"\n+WEB_AUTH_BACKEND=\"native_cas\"\n API_AUTH_BACKEND=\"api_token_from_db\"\n API_ROOT_TOKEN=\"t00r\"\n API_TOKEN_ENCRYPTION_KEY=\"snakeoil\"\n+# Native CAS configuration\n+CAS_SERVER_URL=\"'https://idp.wikimedia.org/login'\"\n+CAS_SERVICE_URL=\"https://requestctl.wikimedia.org/cas/callback\"\n+SESSION_SECRET_KEY=\"a secret\"\n+AUTHORIZED_GROUPS=\"cn=ops,ou=groups,dc=wikimedia,dc=org:cn=wmf,ou=groups,dc=wikimedia,dc=org\""}, {"resource": "File[/etc/apache2/sites-available/50-requestctl-wikimedia-org.conf]", "content": "--- /etc/apache2/sites-available/50-requestctl-wikimedia-org.conf.orig\n+++ /etc/apache2/sites-available/50-requestctl-wikimedia-org.conf\n@@ -22,54 +22,18 @@\n     SSLOpenSSLConfCmd DHParameters \"/etc/ssl/dhparam.pem\"\n     Header always set Strict-Transport-Security \"max-age=106384710; includeSubDomains; preload\"\n \n-    CASLoginURL https://idp.wikimedia.org/login\n-    CASValidateURL https://idp.wikimedia.org/serviceValidate\n-    CASDebug Off\n-    CASVersion 2\n-    CASCertificatePath /etc/ssl/certs\n-    CASCookiePath /var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org/\n-    CASAttributePrefix X-CAS-\n-    CASAttributeDelimiter :\n-    CASValidateSAML Off\n-    CASSSOEnabled On\n-    CASCookieSameSite Lax\n-    CASCookieSecure On\n-    CASTimeout 7200\n-    CASIdleTimeout 3600\n-    <Directory />\n-        AllowOverride None\n-        Require all granted\n-    </Directory>\n-\n     <Location />\n-          AuthType CAS\n-          CASAuthNHeader CAS-User\n-          CASScope /\n-          Require cas-attribute memberOf:cn=ops,ou=groups,dc=wikimedia,dc=org\n-          Require cas-attribute memberOf:cn=wmf,ou=groups,dc=wikimedia,dc=org\n         ProxyPass http://localhost:8080/\n         ProxyPassReverse http://localhost:8080/\n     </Location>\n \n     <Location /health_check>\n-        Require all granted\n         Alias 
/var/www/health_check\n         ProxyPass !\n     </Location>\n \n-    <Location /api>\n-        Require all granted\n-        ProxyPass http://localhost:8080/api\n-        ProxyPassReverse http://localhost:8080/api\n-    </Location>\n-\n     # Static files\n     Alias \"/static\" \"/srv/deployment/hiddenparma/deploy/src/static\"\n-    # Static assets are not protected by the CAS auth\n-    <Directory /srv/deployment/hiddenparma/deploy/src/static\">\n-        AllowOverride None\n-        Require all granted\n-    </Directory>\n \n \n     CustomLog /var/log/apache2/requestctl.wikimedia.org-access.log wmf"}], "perc_changed": "0.05%"}, "main": {"total": 9571, "only_in_self": ["File[/var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org/]", "Monitoring::Service[https-requestctl.wikimedia.org-expiry]", "Monitoring::Service[https-requestctl.wikimedia.org-unauthorized]", "Nagios_service[alert1002 https-requestctl.wikimedia.org-expiry]", "Nagios_service[alert1002 https-requestctl.wikimedia.org-unauthorized]", "Profile::Idp::Client::Httpd::Site[requestctl.wikimedia.org]"], "only_in_other": [], "resource_diffs": [{"resource": "Httpd::Conf[requestctl.wikimedia.org]"}, {"resource": "Httpd::Site[requestctl.wikimedia.org]", "parameters": "--- Httpd::Site[requestctl.wikimedia.org].orig\n+++ Httpd::Site[requestctl.wikimedia.org]\n\n+    require => ['Acme_chief::Cert[icinga]']\n"}, {"resource": "File[/etc/default/hiddenparma]", "content": "--- /etc/default/hiddenparma.orig\n+++ /etc/default/hiddenparma\n@@ -5,6 +5,12 @@\n CSRF_SHARED_SECRET=\"snakeoil\"\n DATACENTERS=\"eqiad,codfw,esams,ulsfo,eqsin,drmrs,magru\"\n DBSTORE_DSN=\"mariadb+pymysql://lolo:placeholder@m2-master.eqiad.wmnet/requestctl?charset=utf8mb4\"\n+WEB_AUTH_BACKEND=\"native_cas\"\n API_AUTH_BACKEND=\"api_token_from_db\"\n API_ROOT_TOKEN=\"t00r\"\n API_TOKEN_ENCRYPTION_KEY=\"snakeoil\"\n+# Native CAS 
configuration\n+CAS_SERVER_URL=\"'https://idp.wikimedia.org/login'\"\n+CAS_SERVICE_URL=\"https://requestctl.wikimedia.org/cas/callback\"\n+SESSION_SECRET_KEY=\"a secret\"\n+AUTHORIZED_GROUPS=\"cn=ops,ou=groups,dc=wikimedia,dc=org:cn=wmf,ou=groups,dc=wikimedia,dc=org\""}, {"resource": "Class[Profile::Conftool::Hiddenparma]", "parameters": "--- Class[Profile::Conftool::Hiddenparma].orig\n+++ Class[Profile::Conftool::Hiddenparma]\n\n+    session_secret_key => a secret\n"}, {"resource": "File[/etc/apache2/sites-available/50-requestctl-wikimedia-org.conf]", "content": "--- /etc/apache2/sites-available/50-requestctl-wikimedia-org.conf.orig\n+++ /etc/apache2/sites-available/50-requestctl-wikimedia-org.conf\n@@ -22,54 +22,18 @@\n     SSLOpenSSLConfCmd DHParameters \"/etc/ssl/dhparam.pem\"\n     Header always set Strict-Transport-Security \"max-age=106384710; includeSubDomains; preload\"\n \n-    CASLoginURL https://idp.wikimedia.org/login\n-    CASValidateURL https://idp.wikimedia.org/serviceValidate\n-    CASDebug Off\n-    CASVersion 2\n-    CASCertificatePath /etc/ssl/certs\n-    CASCookiePath /var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org/\n-    CASAttributePrefix X-CAS-\n-    CASAttributeDelimiter :\n-    CASValidateSAML Off\n-    CASSSOEnabled On\n-    CASCookieSameSite Lax\n-    CASCookieSecure On\n-    CASTimeout 7200\n-    CASIdleTimeout 3600\n-    <Directory />\n-        AllowOverride None\n-        Require all granted\n-    </Directory>\n-\n     <Location />\n-          AuthType CAS\n-          CASAuthNHeader CAS-User\n-          CASScope /\n-          Require cas-attribute memberOf:cn=ops,ou=groups,dc=wikimedia,dc=org\n-          Require cas-attribute memberOf:cn=wmf,ou=groups,dc=wikimedia,dc=org\n         ProxyPass http://localhost:8080/\n         ProxyPassReverse http://localhost:8080/\n     </Location>\n \n     <Location /health_check>\n-        Require all granted\n         Alias /var/www/health_check\n         ProxyPass !\n     </Location>\n \n-  
  <Location /api>\n-        Require all granted\n-        ProxyPass http://localhost:8080/api\n-        ProxyPassReverse http://localhost:8080/api\n-    </Location>\n-\n     # Static files\n     Alias \"/static\" \"/srv/deployment/hiddenparma/deploy/src/static\"\n-    # Static assets are not protected by the CAS auth\n-    <Directory /srv/deployment/hiddenparma/deploy/src/static\">\n-        AllowOverride None\n-        Require all granted\n-    </Directory>\n \n \n     CustomLog /var/log/apache2/requestctl.wikimedia.org-access.log wmf"}], "perc_changed": "0.11%"}}}
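Review bot: In the `50-requestctl-wikimedia-org.conf` hunk (identical under "full", "core" and "main"), the new `<Location />` proxies every path, including what used to be the separate `/api` block, to `http://localhost:8080/` with no `AuthType` or `Require` left in Apache. Authentication and the ops/wmf group check therefore rest entirely on the backend's `native_cas` code. The same catalog drops the `check_https_sso_redirect` service, so nothing outside the application would notice if unauthenticated requests stopped being redirected; an equivalent probe against the new login flow is worth keeping. mod_auth_cas also no longer sets `CAS-User` and the `X-CAS-` attribute headers, so if the backend can still read them, they should be dropped at the proxy, e.g. `RequestHeader unset CAS-User`. Separately, the `/etc/default/hiddenparma` hunk adds `CAS_SERVER_URL="'https://idp.wikimedia.org/login'"`, where the inner single quotes look like they end up inside the value; presumably `CAS_SERVER_URL="https://idp.wikimedia.org/login"` was intended.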