diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 4d0a48a8b..059b4d09a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -95,7 +95,7 @@ jobs:
shell: bash
env:
SKIP_ANSIBLE: 1
- run: "./start-vm"
+ run: "./start-vm --classic"
# Clean up old docker cruft
- name: Clean up old docker cruft
@@ -125,13 +125,13 @@ jobs:
# Deploy components
- name: Run start-vm
shell: bash
- run: "./start-vm"
+ run: "./start-vm --classic"
# Deploy components again for idempotency
- name: Run start-vm --diff
env:
REEANTRANT: 1
- run: "./start-vm --diff"
+ run: "./start-vm --classic --diff"
- name: Run idempotency check...
run: /usr/bin/python3 ./scripts/check-idempotency-status
diff --git a/.gitignore b/.gitignore
index 929576135..79081b23b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@ screenshot.png
page.html
console.txt
ignore.main.yml
+surf-deploy-local
diff --git a/environments/docker/group_vars/container.yml b/environments/docker/group_vars/container.yml
index bb016945b..bee6f7e9b 100644
--- a/environments/docker/group_vars/container.yml
+++ b/environments/docker/group_vars/container.yml
@@ -171,3 +171,8 @@ sbs_ssid_identity_providers:
sbs_notifications_enabled: True
sbs_cron_hour_of_day: "4"
+
+# Any last_login_date in the past triggers suspension notification
+sbs_suspension_inactive_days: 0
+# Second suspension cron will suspend notified users
+sbs_suspension_reminder_days: -1
diff --git a/roles/apt/tasks/main.yml b/roles/apt/tasks/main.yml
index 6ccd7c418..f4b2f9215 100644
--- a/roles/apt/tasks/main.yml
+++ b/roles/apt/tasks/main.yml
@@ -62,6 +62,7 @@
- "vim"
- "wget"
- "xz-utils"
+ - "zstd"
- name: Upgrade packages
apt:
diff --git a/roles/backups/templates/upload-backup.sh.j2 b/roles/backups/templates/upload-backup.sh.j2
index 8bf1d0a7d..edcde1ddc 100644
--- a/roles/backups/templates/upload-backup.sh.j2
+++ b/roles/backups/templates/upload-backup.sh.j2
@@ -18,7 +18,7 @@ HOSTNAME=$( hostname )
cd "$BACKUP_DIR"
# find all backup files that were created more recently dan 30 minutes ago
-files=$( find -mindepth 2 -name '*.gz' -o -name '*.bz2' -cmin -30 )
+files=$( find -mindepth 2 -cmin -30 '(' -name '*.gz' -o -name '*.bz2' -o -name '*.zst' ')' )
if [ -z "$files" ]
then
diff --git a/roles/ci-test/files/resume.html b/roles/ci-test/files/resume.html
index c0768487b..8c6011346 100644
--- a/roles/ci-test/files/resume.html
+++ b/roles/ci-test/files/resume.html
@@ -1,5 +1,7 @@
-
+
+
-
+
+
diff --git a/roles/demo-apache/files/index.html b/roles/demo-apache/files/index.html
index 5c7ef5eb8..92b1a50e9 100644
--- a/roles/demo-apache/files/index.html
+++ b/roles/demo-apache/files/index.html
@@ -1,12 +1,13 @@
-
+
+ SRAM demos
-
-
- Etherpad Demo
-
-
- Wordpress Demo
-
-
+
+
+ Etherpad Demo
+
+
+ WordPress Demo
+
+
diff --git a/roles/demo-apache/templates/apache.conf.j2 b/roles/demo-apache/templates/apache.conf.j2
index b9784e61e..467a47338 100644
--- a/roles/demo-apache/templates/apache.conf.j2
+++ b/roles/demo-apache/templates/apache.conf.j2
@@ -1,4 +1,5 @@
{% if letsencrypt_enabled %}
+SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
{% else %}
@@ -17,11 +18,12 @@
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/{{demo_hosts.demo1}}/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/{{demo_hosts.demo1}}/privkey.pem
- SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
- SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
- SSLHonorCipherOrder on
- SSLCompression off
- SSLSessionTickets off
+
+ SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
+ SSLHonorCipherOrder off
+ SSLSessionTickets off
+
+ SSLUseStapling On
Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'none'; form-action 'self' https://*.{{base_domain}}; frame-ancestors 'none'; block-all-mixed-content;"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;"
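Review bot: `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2` reaches TLS 1.3 only by subtraction, so on a build without TLS 1.3 support nothing would remain enabled; an allow-list, `SSLProtocol -all +TLSv1.3`, states the intent directly. `SSLUseStapling On` depends on the `SSLStaplingCache` line this commit adds at the top of the file inside `{% if letsencrypt_enabled %}`. The conditional around this virtual host is outside the hunk, so confirm the two directives are always rendered together. Also check that the issuing CA still puts an OCSP responder URL in its certificates, because stapling has nothing to fetch otherwise and mod_ssl will log errors for it.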
diff --git a/roles/demo-sp/files/index.html b/roles/demo-sp/files/index.html
index 426475926..76597076b 100644
--- a/roles/demo-sp/files/index.html
+++ b/roles/demo-sp/files/index.html
@@ -1,4 +1,5 @@
+
diff --git a/roles/docker_ldap/tasks/main.yml b/roles/docker_ldap/tasks/main.yml
index d439e8634..b64fef5ad 100644
--- a/roles/docker_ldap/tasks/main.yml
+++ b/roles/docker_ldap/tasks/main.yml
@@ -112,7 +112,7 @@
state: started
# pull: true
ports:
- - 389:1389
+ - 127.0.0.1:389:1389
# - 636:1636
env:
LDAP_ROOT: "{{ services_ldap.basedn }}"
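Review bot: The new port mapping is a colon-separated plain scalar and should be quoted like the other string items this commit touches, `- "127.0.0.1:389:1389"`, so that no loader retypes it. Publishing the port on loopback only is the security-relevant part of this change, so a comment above it such as `# publish LDAP on loopback only` (assuming that is the intent) would keep it from being reverted by accident. The commented-out `# - 636:1636` line below still shows the all-interfaces form and should get the same `127.0.0.1:` prefix in case it is re-enabled.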
diff --git a/roles/docker_sbs/defaults/main.yml b/roles/docker_sbs/defaults/main.yml
index fc5ddbf1e..5dbf6bcf2 100644
--- a/roles/docker_sbs/defaults/main.yml
+++ b/roles/docker_sbs/defaults/main.yml
@@ -82,6 +82,7 @@ sbs_second_factor_authentication_required: True
sbs_totp_token_name: "SRAM-example"
sbs_notifications_enabled: True
sbs_invitation_reminders_enabled: True
+sbs_invitation_expirations_enabled: True
sbs_open_requests_enabled: True
sbs_scim_sweep: False
sbs_impersonation_allowed: True
@@ -91,6 +92,7 @@ sbs_mock_scim_enabled: True
sbs_delete_orphaned: True
sbs_suspension_inactive_days: 365
+sbs_suspension_reminder_days: 14
sbs_suspension_notify_admin: False
sbs_oidc_config_url: "http://localhost/.well-known/openid-configuration"
diff --git a/roles/docker_sbs/templates/sbs-apache.j2 b/roles/docker_sbs/templates/sbs-apache.j2
index bba8fbe27..182d61ec4 100644
--- a/roles/docker_sbs/templates/sbs-apache.j2
+++ b/roles/docker_sbs/templates/sbs-apache.j2
@@ -5,9 +5,6 @@ DocumentRoot /var/www/html
Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.{{ base_domain }}; frame-ancestors 'none'; block-all-mixed-content;"
Header set Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=()"
-
- Header set Cache-Control: "public, max-age=31536000, immutable"
-
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/(api|pam-weblogin|flasgger_static|swagger|health|config|info|socket.io)
@@ -20,6 +17,14 @@ ProxyPassReverse /socket.io/ ws://{{ containers.sbs }}:{{sbs_backend_port}}/sock
ProxyPassMatch ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://{{ containers.sbs }}:{{sbs_backend_port}}/
ProxyPassReverse / http://{{ containers.sbs }}:{{sbs_backend_port}}/
+
+ Header set Cache-Control: "public, max-age=31536000, immutable"
+
+
+ Header set Cache-Control: "no-cache, private"
+
+
+
Require all granted
Options -Indexes
diff --git a/roles/http_redirect/templates/http-redirect.conf.j2 b/roles/http_redirect/templates/http-redirect.conf.j2
index 2982d4910..eef4113ce 100644
--- a/roles/http_redirect/templates/http-redirect.conf.j2
+++ b/roles/http_redirect/templates/http-redirect.conf.j2
@@ -6,7 +6,6 @@ server {
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "sameorigin";
- add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'none'; form-action 'self' https://*.{{base_domain}}; frame-ancestors 'none'; block-all-mixed-content;";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=()";
@@ -25,7 +24,6 @@ server {
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "sameorigin";
- add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'none'; form-action 'self' https://*.{{base_domain}}; frame-ancestors 'none'; block-all-mixed-content;";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=()";
diff --git a/roles/nginx/files/security_headers b/roles/nginx/files/security_headers
index 45bff46d8..359442088 100644
--- a/roles/nginx/files/security_headers
+++ b/roles/nginx/files/security_headers
@@ -1,5 +1,4 @@
add_header X-Frame-Options "sameorigin";
-add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "strict-origin-when-cross-origin";
diff --git a/roles/oidc-op/files/sram_user_pass.jinja2 b/roles/oidc-op/files/sram_user_pass.jinja2
index fda1716da..1fbc5c327 100644
--- a/roles/oidc-op/files/sram_user_pass.jinja2
+++ b/roles/oidc-op/files/sram_user_pass.jinja2
@@ -1,5 +1,6 @@
+
diff --git a/roles/sbs/defaults/main.yml b/roles/sbs/defaults/main.yml
index 2c8256b84..f3eae16c0 100644
--- a/roles/sbs/defaults/main.yml
+++ b/roles/sbs/defaults/main.yml
@@ -79,6 +79,7 @@ sbs_second_factor_authentication_required: True
sbs_totp_token_name: "SRAM"
sbs_notifications_enabled: True
sbs_invitation_reminders_enabled: True
+sbs_invitation_expirations_enabled: True
sbs_open_requests_enabled: True
sbs_scim_sweep: False
sbs_impersonation_allowed: False
@@ -88,6 +89,7 @@ sbs_mock_scim_enabled: False
sbs_delete_orphaned: True
sbs_suspension_inactive_days: 365
+sbs_suspension_reminder_days: 14
sbs_suspension_notify_admin: False
sbs_oidc_config_url: "http://localhost/.well-known/openid-configuration"
diff --git a/roles/sbs/templates/backup-database.sh.j2 b/roles/sbs/templates/backup-database.sh.j2
index 52a783035..0f16dd426 100644
--- a/roles/sbs/templates/backup-database.sh.j2
+++ b/roles/sbs/templates/backup-database.sh.j2
@@ -25,6 +25,6 @@ mysqldump --host="{{ sbs_db_host }}" \
--disable-keys --extended-insert \
--databases "{{ sbs_db_name }}" \
> "${BACKUP_FILE}"
-bzip2 "${BACKUP_FILE}"
+zstd -qq --rm "${BACKUP_FILE}"
exit 0
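Review bot: `zstd -qq --rm "${BACKUP_FILE}"` suppresses zstd's error messages as well as its progress output, and the script then reaches `exit 0` regardless. A failed compression (full disk, an existing `.zst` target) would therefore be reported as a successful backup. Unless `set -e` is active earlier in the script, which is outside the hunk, propagate the status: `zstd -q --rm "${BACKUP_FILE}" || exit 1`. The same applies to the `mysqldump` redirect just above if its exit status is not already checked.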
diff --git a/roles/sbs/templates/config.yml.j2 b/roles/sbs/templates/config.yml.j2
index 693af494e..1020e77b8 100644
--- a/roles/sbs/templates/config.yml.j2
+++ b/roles/sbs/templates/config.yml.j2
@@ -132,14 +132,6 @@ metadata:
idp_url: "{{sbs_idp_metadata_url}}"
parse_at_startup: True
-service_bus:
- enabled: False
- host: "localhost"
- client_id: "sbs"
- user: "sbs"
- password: "unused"
-
-
platform_admin_notifications:
# Do we daily check for CO join_requests and CO requests and send a summary mail to beheer_email?
enabled: False
@@ -162,9 +154,11 @@ user_requests_retention:
retention:
cron_hour_of_day: {{ sbs_cron_hour_of_day }}
# how many days of inactivity before a user is suspended
+ # 0 allows for any last_login_date in the past to trigger suspension notification
allowed_inactive_period_days: {{ sbs_suspension_inactive_days }}
# how many days before suspension do we send a warning
- reminder_suspend_period_days: 14
+ # -1 will suspend notified users on second suspension cron
+ reminder_suspend_period_days: {{ sbs_suspension_reminder_days }}
# how many days after suspension do we delete the account
remove_suspended_users_period_days: 90
# how many days before deletion do we send a reminder
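Review bot: The two added comments document `0` and `-1` as accepted values in the production role's template without saying that they appear to be meant for test environments (this commit sets them only in `environments/docker/group_vars/container.yml`). By the comments' own description, an inventory that sets them would send a suspension notification for any past `last_login_date` and suspend those users on the second cron run. Say so in the comment, for example `# test environments only: 0 makes any past last_login_date trigger the suspension notification`. Both values are rendered unquoted from `sbs_suspension_inactive_days` and `sbs_suspension_reminder_days`, so a role-level check that they are integers, and positive outside the docker environment, would catch a mistaken override before it reaches the suspension job.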
@@ -208,6 +202,15 @@ invitation_reminders:
# How many days before expiration of an invitation do we remind the user?
invitation_reminders_threshold: 5
+invitation_expirations:
+ # Do we daily check for invitations that are expired / accepted and are eligible for deletion ?
+ enabled: {{ sbs_invitation_expirations_enabled }}
+ cron_hour_of_day: {{ sbs_cron_hour_of_day }}
+ # How long after expiration of an invitation do we delete the invitation?
+ nbr_days_remove_expired_invitations: 10
+ # How long after expiration of an API created invitation do we delete the invitation?
+ nbr_days_remove_api_expired_invitations: 30
+
orphan_users:
# Do we daily check for users that are orphans soo they can be deleted?
enabled: {{ sbs_delete_orphaned }}
diff --git a/roles/sbs/templates/sbs-nginx.j2 b/roles/sbs/templates/sbs-nginx.j2
index 5cc0a0019..d67ba4153 100644
--- a/roles/sbs/templates/sbs-nginx.j2
+++ b/roles/sbs/templates/sbs-nginx.j2
@@ -33,10 +33,23 @@ server {
}
location ~ /(api|pam-weblogin|flasgger_static|swagger|health|config|info) {
+ include proxy_params;
+ proxy_pass http://127.0.0.1:8080;
+
+ proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy $csp;
+ proxy_hide_header Cache-Control;
add_header Cache-Control "nocache, private";
+ }
+
+ location ^~ /api/images {
include proxy_params;
proxy_pass http://127.0.0.1:8080;
+
+ proxy_hide_header Content-Security-Policy;
+ add_header Content-Security-Policy $csp;
+ proxy_hide_header Cache-Control;
+ add_header Cache-Control "max-age=31536000, public, immutable";
}
location /socket.io {
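Review bot: `add_header Cache-Control "nocache, private";` in the first location is now the only Cache-Control the client sees, because the added `proxy_hide_header Cache-Control;` drops the backend's own header. `nocache` is not a valid directive (the Apache template in this commit uses `no-cache`), so API responses end up marked `private` only; change the line to `add_header Cache-Control "no-cache, private" always;`. The `always` matters in both locations: `proxy_hide_header` strips the backend's CSP and Cache-Control from every response, while `add_header` without `always` re-adds them only on a fixed set of success and redirect codes, so backend error responses would leave with neither header. Also confirm the headers from `security_headers` still apply here, since nginx stops inheriting `add_header` from the enclosing level once a location declares its own; the server block is outside the hunk.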
diff --git a/roles/scim_monitor/tasks/main.yml b/roles/scim_monitor/tasks/main.yml
index cd33b2f38..b04130864 100644
--- a/roles/scim_monitor/tasks/main.yml
+++ b/roles/scim_monitor/tasks/main.yml
@@ -78,6 +78,7 @@
name: "letsencrypt"
public: true
vars:
+ letsencrypt_enabled: true
letsencrypt_staging: false
letsencrypt_hosts:
- "{{ scim_monitor_hostname }}"
@@ -151,5 +152,5 @@
dest: "/etc/zabbix/zabbix_agent2.d/{{item}}"
mode: "0644"
with_items:
- - sram-scimmonitor.conf
+ - "sram-scimmonitor.conf"
notify: "restart zabbix-agent"
diff --git a/roles/scim_monitor/templates/scimmonitor.sh.j2 b/roles/scim_monitor/templates/scimmonitor.sh.j2
index 0d3191574..c8f979bfd 100644
--- a/roles/scim_monitor/templates/scimmonitor.sh.j2
+++ b/roles/scim_monitor/templates/scimmonitor.sh.j2
@@ -26,8 +26,9 @@ DIFF=$(
)
# output to status file
-date '+%s' > $STATUSFILE
-echo -n "$DIFF" | wc -l >> $STATUSFILE
+NOW=$(date '+%s')
+DIFFNR=$(echo -n "$DIFF"| wc -l)
+echo '{"time":'$NOW',"diff":'$DIFFNR'}' > $STATUSFILE
echo -n "$DIFF" >> $STATUSFILE
if [ -z "$DIFF" ]
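Review bot: The new status line is assembled by unquoted concatenation, `echo '{"time":'$NOW',"diff":'$DIFFNR'}' > $STATUSFILE`, so any whitespace in the `wc -l` output or in `$STATUSFILE` changes what is written or where. `printf '{"time":%d,"diff":%d}\n' "$NOW" "$DIFFNR" > "$STATUSFILE"` produces the same JSON and fails visibly if either value is not a number. The diff text is appended below this line and the agent item in this commit reads only `head -n 1`, so a comment such as `# line 1 must stay a single JSON object; the Zabbix item reads only that line` would record the contract.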
diff --git a/roles/scim_monitor/templates/sram-scimmonitor.conf.j2 b/roles/scim_monitor/templates/sram-scimmonitor.conf.j2
index f3468bb4c..4ee300b3a 100644
--- a/roles/scim_monitor/templates/sram-scimmonitor.conf.j2
+++ b/roles/scim_monitor/templates/sram-scimmonitor.conf.j2
@@ -1,4 +1,3 @@
-# two parameters:
-# first is env name (tst, acc, prd) corresponding to statsu file
-# second is line in file to request (1==timestamp, 2==diff lines)
-UserParameter=sram.scimmonitor[*],cat {{scim_monitor_status_dir}}/status-$1 | head -n $2 | tail -n 1
+# parameter is env name (tst, acc, prd) corresponding to status file
+# returns json with data from status file
+UserParameter=sram.scimmonitor[*],cat {{scim_monitor_status_dir}}/status-$1 | head -n 1
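Review bot: `$1` is supplied by whoever queries the agent and is substituted into the shell command unquoted. The only thing keeping it a plain file-name suffix is the agent's default rejection of shell metacharacters (`UnsafeUserParameters=0`). Quote the path and drop the extra process: `UserParameter=sram.scimmonitor[*],head -n 1 "{{scim_monitor_status_dir}}/status-$1"`. A comment stating that `UnsafeUserParameters` must stay disabled for this item, and that the only valid values are the environment names listed above, would make the assumption explicit.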
diff --git a/roles/scim_monitor/templates/sram-scimmonitor.timer.j2 b/roles/scim_monitor/templates/sram-scimmonitor.timer.j2
index c4cf1f323..6ff3d0c9b 100644
--- a/roles/scim_monitor/templates/sram-scimmonitor.timer.j2
+++ b/roles/scim_monitor/templates/sram-scimmonitor.timer.j2
@@ -2,7 +2,7 @@
Description=SCIM Monitor timer
[Timer]
-OnCalendar=*:{{2+extra_min}}/15
+OnCalendar=*:{{7+extra_min}}/15
[Install]
WantedBy=multi-user.target
diff --git a/scripts/check-idempotency-status b/scripts/check-idempotency-status
index 0d37db025..73712bc79 100755
--- a/scripts/check-idempotency-status
+++ b/scripts/check-idempotency-status
@@ -12,6 +12,9 @@ WHITELIST = {
class Color(Enum):
+ def __str__(self):
+ return self.value
+
# Foreground
F_Default = "\x1b[39m"
F_Black = "\x1b[30m"
diff --git a/scripts/sbs-login.py b/scripts/sbs-login.py
index 5f9527f23..e83350725 100755
--- a/scripts/sbs-login.py
+++ b/scripts/sbs-login.py
@@ -13,15 +13,14 @@
from selenium.webdriver.support.expected_conditions import staleness_of, presence_of_element_located
from selenium.webdriver.common.by import By
-
# check that we have selenium version 4
assert selenium_version.startswith('4.'), f"Expected selenium version 4.x.x, got {selenium_version}"
class CustomChrome(webdriver.Chrome):
- def get(self, url) -> None:
- print(f"Fetching page '{url}'")
- return super(CustomChrome, self).get(url)
+ def get(self, get_url) -> None:
+ print(f"Fetching page '{get_url}'")
+ return super(CustomChrome, self).get(get_url)
options = webdriver.chrome.options.Options()
@@ -101,8 +100,8 @@ def get(self, url) -> None:
# Test admin attributes
attributes = browser.find_elements(By.XPATH, "//table[@class='my-attributes']/*/*/*")
- # for a in attributes:
- # print(f"a.text: {a.text}")
+ # for attr in attributes:
+ # print(f"attr.text: {attr.text}")
assert ('SCZ Admin' in [a.text for a in attributes]), "No valid admin profile found"
print(" - profile ok")
@@ -164,6 +163,7 @@ def get(self, url) -> None:
print(" ", tr.line)
from bs4 import BeautifulSoup
+
page = BeautifulSoup(browser.page_source, 'html.parser').prettify()
with open("page.html", "w") as f:
f.write(page)
diff --git a/scripts/vault-rekey.py b/scripts/vault-rekey.py
index 5952298a9..31e77bab3 100644
--- a/scripts/vault-rekey.py
+++ b/scripts/vault-rekey.py
@@ -17,7 +17,6 @@
from os.path import join as join_path
from tempfile import gettempdir
from ansible.parsing.vault import VaultEditor, VaultLib, VaultSecret
-from ansible.constants import DEFAULT_VAULT_IDENTITY
from ansible.errors import AnsibleError
from getpass import getpass
@@ -25,6 +24,7 @@
temp_count = 0
+DEFAULT_VAULT_IDENTITY='default'
class ReKeyError(Exception):
__slots__ = 'lineno', 'cause'
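Review bot: `DEFAULT_VAULT_IDENTITY='default'` replaces the value previously imported from `ansible.constants` with a literal, so the script would no longer follow a default vault identity configured in Ansible's settings, if one is set. The reason for dropping the import is not visible here; if the constant is unavailable in the Ansible version in use, say so in a comment, e.g. `# ansible.constants no longer provides this; keep in sync with Ansible's default vault identity label`. The assignment should also be written with spaces around `=`.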
diff --git a/start-vm b/start-vm
index 995ff91b7..c57cb54fc 100755
--- a/start-vm
+++ b/start-vm
@@ -28,6 +28,12 @@ while getopts -- '-:h' OPT; do
echo " --skip-vm: skip bringing up VMs, only run Ansible"
echo " --container: Use container-in-container based deploy"
echo " --no-mitogen: Disable use of mitogen"
+ echo " --stop: Stop all containers"
+ exit 0
+ ;;
+ s | stop ) docker exec -ti docker-docker1-1 bash -c 'docker stop $(docker ps -q) || true'
+ docker exec -ti docker-docker2-1 bash -c 'docker stop $(docker ps -q) || true'
+ docker compose -f docker/docker-compose.yml stop
exit 0
;;
ci ) CI_OPTION="--ci"
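Review bot: Both `docker exec -ti …` calls in the new `stop` branch request a TTY, so `--stop` fails with a TTY error whenever the script runs without a terminal (CI, cron, a pipe). Nothing in the inner command is interactive, so use `docker exec docker-docker1-1 bash -c 'docker stop $(docker ps -q) || true'`, and likewise for `docker-docker2-1`. The two container names are hard-coded and will stop matching if the compose project or service names change, so a comment saying where they come from would help. The `case` statement starts and ends outside the hunk.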
@@ -36,6 +42,8 @@ while getopts -- '-:h' OPT; do
container ) IN_CONTAINER="--container"
ENV_DIR="./environments/docker"
;;
+ classic ) CLASSIC="1"
+ ;;
skip-ansible | \
sa | no ) SKIP_ANSIBLE=1
;;
@@ -53,6 +61,13 @@ while getopts -- '-:h' OPT; do
done
shift $OPTPROCESSED # remove parsed options and args from $@ list
+if [ -z "$IN_CONTAINER" ] && [ -z "$CI_OPTION" ] && [ -z "$CLASSIC" ]; then
+ read -p "Continue without --container? [Yes/No] " yn
+ if [[ "$yn" == [Nn]* ]]; then
+ exit 0
+ fi
+fi
+
if [ "$SKIP_VM" ]
then
echo "Skipping docker spin-up"
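Review bot: The new confirmation continues on anything that does not start with `N` or `n`, including an empty answer and a failed `read` on closed or non-terminal stdin, so the prompt defaults to the action it is warning about. Require an explicit yes instead: `read -r -p "Continue without --container? [yes/no] " yn` followed by `[[ "$yn" == [Yy]* ]] || exit 1`. That also matches the `surf-deploy` prompt restored in this commit, which proceeds only on a literal `yes`.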
diff --git a/surf-deploy b/surf-deploy
index ed7503ac0..0af3a021b 100755
--- a/surf-deploy
+++ b/surf-deploy
@@ -72,62 +72,61 @@ echo "$0 $*" >> $LOG
# first check that deploy and config repos are clean and are using the same version
# deploy
-# echo -n "Checking if SRAM-deploy is clean... "
-# if ! git diff-index --quiet HEAD --
-# then
-# echo -e "$FAIL"
-# git status | sed 's/^/ > /'
-# echo
-# WARNING=1
-# else
-# echo -e "$OK"
-# fi
-# branch_deploy=$(git symbolic-ref HEAD 2> /dev/null || git describe --exact)
-
-# config
-# cwd=$(pwd)
-# cd "$CONFDIR"
-# echo -en "Checking if Environment repo is clean... "
-# if ! git diff-index --quiet HEAD --
-# then
-# echo -e "$FAIL"
-# git status | sed "s/^/ > /"
-# echo
-# WARNING=1
-# else
-# echo -e "$OK"
-# fi
-# branch_config=$(git symbolic-ref HEAD 2> /dev/null || git describe --exact)
-# cd "$cwd"
-
-# echo -n "Checking whether deploy and config are in sync... "
-# if [ "$branch_deploy" != "$branch_config" ]
-# then
-# echo -e "$FAIL"
-# echo " > Deploy branch: ${RED}'$branch_deploy'${RESET}"
-# echo " > Config branch: ${RED}'$branch_config'${RESET}"
-# echo
-# WARNING=1
-# else
-# echo -e "$OK ($branch_deploy)"
-# fi
-#
-# if [ "$WARNING" != "0" ]
-# then
-# if [ "$STRICT" != "0" ]
-# then
-# echo "Warnings encountered, refusing to deploy in strict mode"
-# exit 1
-# fi
-# echo
-# read -p "Warning encountered, are you sure you want to continue (yes/no)? " result
-# if [ "$result" != "yes" ]
-# then
-# echo "Exiting..."
-# exit 1
-# fi
-# fi
-
+ echo -n "Checking if SRAM-deploy is clean... "
+ if ! git diff-index --quiet HEAD --
+ then
+ echo -e "$FAIL"
+ git status | sed 's/^/ > /'
+ echo
+ WARNING=1
+ else
+ echo -e "$OK"
+ fi
+ branch_deploy=$(git symbolic-ref HEAD 2> /dev/null || git describe --exact)
+
+ # config
+ cwd=$(pwd)
+ cd "$CONFDIR"
+ echo -en "Checking if Environment repo is clean... "
+ if ! git diff-index --quiet HEAD --
+ then
+ echo -e "$FAIL"
+ git status | sed "s/^/ > /"
+ echo
+ WARNING=1
+ else
+ echo -e "$OK"
+ fi
+ branch_config=$(git symbolic-ref HEAD 2> /dev/null || git describe --exact)
+ cd "$cwd"
+
+ echo -n "Checking whether deploy and config are in sync... "
+ if [ "$branch_deploy" != "$branch_config" ]
+ then
+ echo -e "$FAIL"
+ echo " > Deploy branch: ${RED}'$branch_deploy'${RESET}"
+ echo " > Config branch: ${RED}'$branch_config'${RESET}"
+ echo
+ WARNING=1
+ else
+ echo -e "$OK ($branch_deploy)"
+ fi
+
+ if [ "$WARNING" != "0" ]
+ then
+ if [ "$STRICT" != "0" ]
+ then
+ echo "Warnings encountered, refusing to deploy in strict mode"
+ exit 1
+ fi
+ echo
+ read -p "Warning encountered, are you sure you want to continue (yes/no)? " result
+ if [ "$result" != "yes" ]
+ then
+ echo "Exiting..."
+ exit 1
+ fi
+ fi
# try to find mitogen
MITOGEN_PATH=
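Review bot: In the restored checks, `cd "$CONFDIR"` is not checked. If the directory is missing, the second `git diff-index` and `git symbolic-ref` run in the deploy repository again, and the sync comparison passes against itself. Use `cd "$CONFDIR" || { echo "Cannot enter $CONFDIR"; exit 1; }`. The final gate tests `[ "$WARNING" != "0" ]` and `[ "$STRICT" != "0" ]`, which treat an unset variable as a warning and as strict mode; their initialisation is outside the hunk, so confirm both are set to `0` before this block.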
@@ -154,8 +153,7 @@ CMD="ansible-playbook provision.yml \
--limit=${ENV} \
--diff \
${EXTRA} \
- "$@" \
-"
+ ""$@"
CMD=$( echo $CMD | sed 's/\s\+/ /g' )
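Review bot: `""$@"` closes the `CMD="…` string and opens a second one around `$@`, which reads like a typo and still flattens every argument into one string. An argument containing spaces or shell characters loses its boundaries once `echo $CMD | sed` re-splits it and the result is executed. If the script runs under bash, build the command as an array, `CMD=(ansible-playbook provision.yml … "$@")`, and run it with `"${CMD[@]}"`; how `CMD` is executed is outside the hunk. If the string form has to stay, write `$*` inside the original quotes with a comment that arguments must not contain whitespace.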