From 0e8479e0e72babcbf4de5ce099860e3c42ad5266 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <adellam@isti.cnr.it>
Date: Wed, 6 Dec 2017 16:28:19 +0100
Subject: [PATCH] tomcat-multiple-instances: conditionally enable the
 manager and host-manager applications. Configure the tomcat-users
 file accordingly, and optionally set up additional users and roles.

---
 tomcat-multiple-instances/defaults/main.yml   | 23 +++++++++
 .../files/tomcat-users.xml                    | 36 --------------
 tomcat-multiple-instances/tasks/main.yml      | 34 ++++++++++++-
 .../templates/tomcat-host-manager.xml.j2      |  3 ++
 .../templates/tomcat-manager.xml.j2           |  3 ++
 .../templates/tomcat-users.xml.j2             | 48 +++++++++++++++++++
 6 files changed, 110 insertions(+), 37 deletions(-)
 delete mode 100644 tomcat-multiple-instances/files/tomcat-users.xml
 create mode 100644 tomcat-multiple-instances/templates/tomcat-host-manager.xml.j2
 create mode 100644 tomcat-multiple-instances/templates/tomcat-manager.xml.j2
 create mode 100644 tomcat-multiple-instances/templates/tomcat-users.xml.j2

diff --git a/tomcat-multiple-instances/defaults/main.yml b/tomcat-multiple-instances/defaults/main.yml
index 2751862..6855f68 100644
--- a/tomcat-multiple-instances/defaults/main.yml
+++ b/tomcat-multiple-instances/defaults/main.yml
@@ -6,6 +6,29 @@ tomcat_service_enabled: False
 
 tomcat_m_instances_install: True
 
+tomcat_m_host_manager_install: False
+tomcat_m_manager_install: False
+# Users and roles for the manager
+tomcat_m_manager_gui_user_enabled: False
+tomcat_m_manager_gui_user: guiadmin
+tomcat_m_manager_gui_r: "manager-gui"
+#tomcat_m_manager_gui_pwd: *Use a vault file*
+tomcat_m_manager_script_user_enabled: True
+tomcat_m_manager_script_user: scriptadmin
+tomcat_m_manager_script_r: "manager-script"
+#tomcat_m_manager_script_pwd: *Use a vault file*
+tomcat_m_manager_jmx_user_enabled: False
+tomcat_m_manager_jmx_user: jmxadmin
+tomcat_m_manager_jmx_r: "manager-jmx"
+#tomcat_m_manager_jmx_pwd: *Use a vault file*
+tomcat_m_manager_status_user_enabled: False
+tomcat_m_manager_status_user: statusadmin
+tomcat_m_manager_status_r: "manager-status"
+#tomcat_m_manager_status_pwd: *Use a vault file*
+
+#tomcat_m_manager_other_roles:
+#  - { role: '', user: '', password: '', user_roles: '' }
+
 tomcat_m_instances_base_path: '/var/lib/tomcat_instances'
 tomcat_m_instances_logdir_base: '/var/log/tomcat_instances'
 tomcat_m_cache_base: '/var/cache/tomcat-instances'
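Review bot: `tomcat_m_manager_script_user_enabled: True` turns the script user on by default while its password `tomcat_m_manager_script_pwd` has no default (the commented line only points at a vault file), so an unchanged defaults file plus `tomcat_m_manager_install: True` makes the tomcat-users.xml template reference an undefined password variable. Defaulting it to `tomcat_m_manager_script_user_enabled: False`, as the gui, jmx and status users already are, keeps every manager account opt-in and forces the operator to supply the password in the same change. The booleans are written as `True`/`False`; Ansible accepts them, but the YAML 1.2 spec and yamllint's truthy rule expect lowercase `true`/`false`, and the rest of this hunk could follow that. The commented vault hints would be clearer as a contract, e.g. `# tomcat_m_manager_script_pwd is required when the matching *_user_enabled is true; define it in a vault file`.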
diff --git a/tomcat-multiple-instances/files/tomcat-users.xml b/tomcat-multiple-instances/files/tomcat-users.xml
deleted file mode 100644
index 7f022ff..0000000
--- a/tomcat-multiple-instances/files/tomcat-users.xml
+++ /dev/null
@@ -1,36 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<tomcat-users>
-<!--
-  NOTE:  By default, no user is included in the "manager-gui" role required
-  to operate the "/manager/html" web application.  If you wish to use this app,
-  you must define such a user - the username and password are arbitrary.
--->
-<!--
-  NOTE:  The sample user and role entries below are wrapped in a comment
-  and thus are ignored when reading this file. Do not forget to remove
-  <!.. ..> that surrounds them.
--->
-<!--
-  <role rolename="tomcat"/>
-  <role rolename="role1"/>
-  <user username="tomcat" password="tomcat" roles="tomcat"/>
-  <user username="both" password="tomcat" roles="tomcat,role1"/>
-  <user username="role1" password="tomcat" roles="role1"/>
--->
-</tomcat-users>
diff --git a/tomcat-multiple-instances/tasks/main.yml b/tomcat-multiple-instances/tasks/main.yml
index 792556a..ff9d0d8 100644
--- a/tomcat-multiple-instances/tasks/main.yml
+++ b/tomcat-multiple-instances/tasks/main.yml
@@ -66,7 +66,7 @@
   copy: src={{ item[1] }} dest={{ item.0.instance_path }}/conf/{{ item[1] }} owner={{ item.0.user }} group={{ item.0.user }} mode=0640
   with_nested:
     - '{{ tomcat_m_instances }}'
-    - [ 'context.xml', 'tomcat-users.xml', 'web.xml' ]
+    - [ 'context.xml', 'web.xml' ]
   register: restart_needed
   notify:
     - tomcat restart instances with changed configs 
@@ -113,6 +113,38 @@
     - tomcat restart instances with changed configs 
   tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_serverxml' ]
 
+- name: Install the tomcat-admin package if the host-manager or manager apps are required
+  apt: pkg={{ item }} state={{ tomcat_pkg_state }} cache_valid_time=1800 update_cache=yes
+  with_items: 'tomcat{{ tomcat_version }}-admin'
+  when: tomcat_m_host_manager_install or tomcat_m_manager_install
+  tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager', 'tomcat_manager' ]
+
+- name: Install the catalina configuration for the tomcat manager
+  template: src=tomcat-manager.xml.j2 dest={{ item.instance_path }}/conf/Catalina/localhost/manager.xml owner={{ item.user }} group={{ item.user }} mode=0640
+  with_items: '{{ tomcat_m_instances }}'
+  register: restart_needed
+  when: tomcat_m_manager_install
+  notify:
+    - tomcat restart instances with changed configs 
+  tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_manager' ]
+
+- name: Install the catalina configuration for the tomcat host manager
+  template: src=tomcat-host-manager.xml.j2 dest={{ item.instance_path }}/conf/Catalina/localhost/host-manager.xml owner={{ item.user }} group={{ item.user }} mode=0640
+  with_items: '{{ tomcat_m_instances }}'
+  register: restart_needed
+  when: tomcat_m_host_manager_install
+  notify:
+    - tomcat restart instances with changed configs 
+  tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager' ]
+
+- name: Install the catalina configuration for the tomcat manager
+  template: src=tomcat-users.xml.j2 dest={{ item.instance_path }}/conf/tomcat-users.xml owner={{ item.user }} group={{ item.user }} mode=0640
+  with_items: '{{ tomcat_m_instances }}'
+  register: restart_needed
+  notify:
+    - tomcat restart instances with changed configs 
+  tags: [ 'tomcat', 'tomcat_instances', 'tomcat_conf', 'tomcat_host_manager', 'tomcat_manager' ]
+
 - name: Install the instances startup scripts
   template: src=tomcat-instance.init.j2 dest=/etc/init.d/tomcat-instance-{{ item.http_port }} mode=0755 owner=root group=root
   with_items: '{{ tomcat_m_instances }}'
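Review bot: The task that renders tomcat-users.xml reuses the name `Install the catalina configuration for the tomcat manager` from the manager.xml task two tasks above, which makes play output ambiguous and `--start-at-task` unusable for either; rename it, e.g. `- name: Install the tomcat-users.xml file in each instance`. All four new tasks also `register: restart_needed`, and the tomcat-users task runs unconditionally and last, so by the time the handler fires only its result survives; if the handler reads `restart_needed.results` (its body is outside this patch), a changed manager.xml or host-manager.xml on its own may not restart the instance. Registering a distinct variable per task, or letting the handler rely on the notification alone, avoids that. The apt task loops `with_items` over a single quoted string; `apt: pkg=tomcat{{ tomcat_version }}-admin state={{ tomcat_pkg_state }} ...` without the loop reads more directly.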
diff --git a/tomcat-multiple-instances/templates/tomcat-host-manager.xml.j2 b/tomcat-multiple-instances/templates/tomcat-host-manager.xml.j2
new file mode 100644
index 0000000..73081d0
--- /dev/null
+++ b/tomcat-multiple-instances/templates/tomcat-host-manager.xml.j2
@@ -0,0 +1,3 @@
+<Context path="/host-manager"
+    docBase="/usr/share/tomcat{{ tomcat_version }}-admin/host-manager"
+    antiResourceLocking="false" privileged="true" />
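Review bot: The manager context is deployed with `privileged="true"` and no access restriction, so the manager application (and the host-manager one in the next hunk, tomcat-host-manager.xml.j2, which has the same shape) is reachable from any client that can reach the instance's HTTP connector, protected only by the password in tomcat-users.xml. Recent Tomcat releases ship their manager context limited to loopback with a RemoteAddrValve; the same can be done here by turning the self-closing tag into an open element and adding `<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>` before a closing `</Context>`, with the allow pattern optionally driven by a role variable so that named admin hosts can be permitted. If the instances are only reached through a reverse proxy that already denies `/manager` and `/host-manager`, a comment in the template stating that assumption would make the omission deliberate rather than accidental.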
diff --git a/tomcat-multiple-instances/templates/tomcat-manager.xml.j2 b/tomcat-multiple-instances/templates/tomcat-manager.xml.j2
new file mode 100644
index 0000000..13ca522
--- /dev/null
+++ b/tomcat-multiple-instances/templates/tomcat-manager.xml.j2
@@ -0,0 +1,3 @@
+<Context path="/manager"
+    docBase="/usr/share/tomcat{{ tomcat_version }}-admin/manager"
+    antiResourceLocking="false" privileged="true" />
diff --git a/tomcat-multiple-instances/templates/tomcat-users.xml.j2 b/tomcat-multiple-instances/templates/tomcat-users.xml.j2
new file mode 100644
index 0000000..61a52ca
--- /dev/null
+++ b/tomcat-multiple-instances/templates/tomcat-users.xml.j2
@@ -0,0 +1,48 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<tomcat-users>
+<!--
+  NOTE:  By default, no user is included in the "manager-gui" role required
+  to operate the "/manager/html" web application.  If you wish to use this app,
+  you must define such a user - the username and password are arbitrary.
+-->
+{% if tomcat_m_host_manager_install or tomcat_m_manager_install %}
+  <role rolename="manager-gui"/>
+  <role rolename="manager-script"/>
+  <role rolename="manager-jmx"/>
+  <role rolename="manager-status"/>
+{% if tomcat_manager_gui_user_enabled %}
+  <user username="{{ tomcat_manager_gui_user }}" password="{{ tomcat_manager_gui_pwd }}" roles="{{ tomcat_manager_gui_r }}"/>
+{% endif %}
+{% if tomcat_manager_script_user_enabled %}
+  <user username="{{ tomcat_manager_script_user }}" password="{{ tomcat_manager_script_pwd }}" roles="{{ tomcat_manager_script_r }}"/>
+{% endif %}
+{% if tomcat_manager_jmx_user_enabled %}
+  <user username="{{ tomcat_manager_jmx_user }}" password="{{ tomcat_manager_jmx_pwd }}" roles="{{ tomcat_manager_jmx_r }}"/>
+{% endif %}
+{% if tomcat_manager_status_user_enabled %}
+  <user username="{{ tomcat_manager_status_user }}" password="{{ tomcat_manager_status_pwd }}" roles="{{ tomcat_manager_status_r }}"/>
+{% endif %}
+
+{% if tomcat_m_manager_other_roles is defined %}
+{% for t_adm in  tomcat_m_manager_other_roles %}
+  <role rolename="t_adm.role"/>
+  <user username="{{ t_adm.user }}" password="{{ t_adm.password }}" roles="{{ t_adm. user_roles }}"/>
+{% endfor %}
+{% endif %}
+</tomcat-users>
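Review bot: The four user blocks test and render `tomcat_manager_gui_user_enabled`, `tomcat_manager_gui_user`, `tomcat_manager_gui_pwd` and `tomcat_manager_gui_r` (and the script, jmx and status equivalents), but the variables added in defaults/main.yml in this patch are all prefixed `tomcat_m_manager_`; depending on how Ansible treats the undefined names the template either fails to render or silently emits no users, so every reference inside the `{% if %}` blocks should be renamed to the `tomcat_m_manager_` prefix. In the `tomcat_m_manager_other_roles` loop, `<role rolename="t_adm.role"/>` lacks the expression delimiters and writes that literal text as the role name, and `t_adm. user_roles` carries a stray space that Jinja may tolerate but reads as a typo; they should be `<role rolename="{{ t_adm.role }}"/>` and `roles="{{ t_adm.user_roles }}"`. Passwords and usernames are interpolated unescaped into XML attributes, so a vault password containing `"`, `&` or `<` yields a tomcat-users.xml that Tomcat cannot parse; applying the `e` filter, e.g. `password="{{ tomcat_m_manager_gui_pwd | e }}"`, keeps the file well-formed for any value.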