Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >= 4.8.2 < 7.0.0
Start using this module
Add this module to your Puppetfile:
mod 'goldenkiwi-thebastion', '1.1.5'
Puppet-Thebastion
Puppet module for Thebastion management.
Table of Contents
- Description
- Getting started
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility
Description
This module manages:
- Software installation (with the use of git and github).
- Dependencies on supported OS (packages).
- Main configuration
- Addons configuration
- Plugins configuration
Setup
Setup Requirements
This module has two dependencies:
- puppetlabs/concat
- puppetlabs/stdlib
Install and configure thebastion
Simply call the main class in a Puppet manifest:
class{'thebastion': }
Usage
Customize Installation
To ease integration to more complex setups, you can decide whether you want to pull the code and/or install required system packages.
For instance, you can decide not to install dependencies packages with this module. Simply pass the relevant parameter to the class:
class {'thebastion':
  install_packages => false,
}
Customize configuration and addons
This module allows every parameter to be customized via hiera, or via class instantiation.
You can, for instance, change interactive mode timeout to 30 seconds:
class {'thebastion':
  interactive_mode_timeout => 30,
}
You can consult REFERENCE.md file for a complete list of available parameters.
Customize plugins configuration
For security reasons, or simple customization of a plugin, you might want to change a plugin configuration. You have multiple choices in order to do this:
- Instantiate a plugin configuration directly in your manifest:
thebastion::plugin {'selfResetIngressKeys':
  configuration => {
    disabled => true,
  }
}
- Pass a list of plugins inside the main class:
class {'thebastion':
  plugins => {
    selfResetIngressKeys => {
      configuration => {
        disabled => true,
      }
    }
  }
}
- Pass the same parameters via a hiera file:
thebastion::plugins:
  selfResetIngressKeys:
    configuration:
      disabled: true
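As an added example (not part of the module's README), the following manifest combines the installation, configuration and plugin parameters shown above into one hardened instantiation of the class; the network ranges are placeholders to replace with your own, and every parameter name comes from the module's reference.

```puppet
# Added example, not from the module's own documentation.
# Network ranges below are illustrative placeholders.
class { 'thebastion':
  # Installation: pull the code, let another module handle system packages
  install_thebastion                   => true,
  install_packages                     => false,

  # Ingress (user -> bastion): modern key types only, floor on RSA size, MFA
  allowed_ingress_ssh_algorithms       => ['rsa', 'ed25519'],
  minimum_ingress_rsa_key_size         => 4096,
  ingress_keys_from                    => ['192.0.2.0/24'],   # placeholder range
  account_mfapolicy                    => 'totp-required',

  # Egress (bastion -> server): no telnet, no password auth, bounded destinations
  telnet_allowed                       => false,
  password_allowed                     => false,
  allowed_egress_ssh_algorithms        => ['rsa', 'ed25519'],
  default_account_egress_key_algorithm => 'ed25519',
  allowed_networks                     => ['10.0.0.0/8'],     # placeholder range
  forbidden_networks                   => ['10.255.0.0/16'],  # placeholder range

  # Session hygiene: warn, then lock, then kill idle sessions
  idle_lock_timeout                    => 900,
  warn_before_lock_seconds             => 60,
  idle_kill_timeout                    => 1800,
  warn_before_kill_seconds             => 120,
  interactive_mode_timeout             => 30,

  # Logging: per-account logs and syslog on, the world-writable global log off
  enable_account_access_log            => true,
  enable_account_sql_log               => true,
  enable_syslog                        => true,
  enable_global_access_log             => false,

  # Plugin configuration passed through the main class (same shape as in hiera)
  plugins => {
    'selfResetIngressKeys' => {
      configuration => { 'disabled' => true },
    },
  },
}
```

The same keys can be moved to hiera one by one (e.g. thebastion::allowed_networks) without changing the class call.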
Limitations
Take a close look at the supported distributions in metadata.json file.
Although the main configuration offers sane default values in order to be directly operable, the addons configuration will require some tweaks in order to be fully operational (e.g. the sync_watcher_remote_host_list parameter).
Related
- The Bastion - The Bastion main repository
License
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Reference
Table of Contents
Classes
thebastion
: Module to manage thebastion
thebastion::addons
: Handles the bastion's addons to easily manage your production tasks
thebastion::config
: main thebastion configuration
thebastion::install
: Installs bastion software if enabled
thebastion::params
: Default parameter values for thebastion module
Defined types
thebastion::plugin
: Builds a bastion's plugin configuration
Classes
thebastion
Bastion's install
Bastion's main configuration
Bastion's addons configuration
Parameters
The following parameters are available in the thebastion class.
install_thebastion
Data type: Boolean
Whether to install bastion's software
Default value: $thebastion::params::install_thebastion
install_packages
Data type: Boolean
Whether to install package dependencies
Default value: $thebastion::params::install_packages
install_address
Data type: String
Address where to find source code of the bastion
Default value: $thebastion::params::install_address
account_create_default_personal_accesses
Data type: Array
List of accesses to add to the personal access list of newly created accounts.
Default value: $thebastion::params::account_create_default_personal_accesses
account_create_supplementary_groups
Data type: Array
List of groups to add a new account to
Default value: $thebastion::params::account_create_supplementary_groups
account_expired_message
Data type: String
Customizes the message that will be printed to a user attempting to connect with an expired account
Default value: $thebastion::params::account_expired_message
account_external_validation_program
Data type: String
Script that will be called by the bastion, with the account name in parameter, to check whether this account should be allowed to connect to the bastion
Default value: $thebastion::params::account_external_validation_program
account_ext_validation_deny_on_failure
Data type: Boolean
If we can't validate an account using the above configured program, this configuration option indicates whether we should deny or allow access.
Default value: $thebastion::params::account_ext_validation_deny_on_failure
account_max_inactive_days
Data type: Integer[0,default]
Deny access to accounts that didn't log in since at least that many days. A value of 0 means that this functionality is disabled
Default value: $thebastion::params::account_max_inactive_days
account_mfapolicy
Data type: Enum['enabled','disabled','totp-required', 'password-required', 'any-required']
Set a MFA policy for the bastion accounts.
Default value: $thebastion::params::account_mfapolicy
account_uid_max
Data type: Integer[1001,default]
Maximum allowed UID for accounts on the bastion
Default value: $thebastion::params::account_uid_max
account_uid_min
Data type: Integer[1000,default]
Minimum allowed UID for accounts on the bastion
Default value: $thebastion::params::account_uid_min
admin_accounts
Data type: Array
accounts that are Admins of the bastion
Default value: $thebastion::params::admin_accounts
allowed_egress_ssh_algorithms
Data type: Array[Enum['dsa', 'rsa', 'ecdsa', 'ed25519']]
the algorithms authorized for egress ssh public keys generated on the bastion
Default value: $thebastion::params::allowed_egress_ssh_algorithms
allowed_ingress_ssh_algorithms
Data type: Array[Enum['dsa', 'rsa', 'ecdsa', 'ed25519']]
the algorithms authorized for ingress ssh public keys added to the bastion
Default value: $thebastion::params::allowed_ingress_ssh_algorithms
allowed_networks
Data type: Array[Stdlib::IP::Address::V4]
Restricts egress connection attempts to those listed networks only
Default value: $thebastion::params::allowed_networks
always_active_accounts
Data type: Array
List of accounts which should NOT be checked against the accountExternalValidationProgram mechanism
Default value: $thebastion::params::always_active_accounts
bastion_basedir
Data type: Stdlib::AbsolutePath
Bastion basedir, where the bastion's code will be hosted
Default value: $thebastion::params::bastion_basedir
bastion_identifier
Data type: Variant[Stdlib::Fqdn,Stdlib::IP::Address::V4::Nosubnet]
Bastion identifier, to help build the bastion command parameter. Defaults to fqdn fact of the machine
Default value: $thebastion::params::bastion_identifier
bastion_listen_port
Data type: Integer[1,65535]
Port used to connect to the bastion. Must be linked to an ssh instance which listens to it
Default value: $thebastion::params::bastion_listen_port
bastion_name
Data type: String
Name advertised in the aliases admins will give to bastion users
Default value: $thebastion::params::bastion_name
debug
Data type: Boolean
Enables or disables debug globally
Default value: $thebastion::params::debug
default_account_egress_key_algorithm
Data type: Enum['rsa', 'ecdsa', 'ed25519']
The default algorithm to use to create the egress key of a newly created account
Default value: $thebastion::params::default_account_egress_key_algorithm
default_account_egress_key_size
Data type: Integer[256,8192]
The default size to use to create the egress key of a newly created account
Default value: $thebastion::params::default_account_egress_key_size
default_login
Data type: String
The default remote user to use for egress ssh connections where no user has been specified by bastion's caller
Default value: $thebastion::params::default_login
display_last_login
Data type: Boolean
Whether to display last login information on connection
Default value: $thebastion::params::display_last_login
dns_support_level
Data type: Integer[0,2]
Manage DNS Level resolution, 0 being no resolution, 1 forced resolution, 2 full resolution
Default value: $thebastion::params::dns_support_level
documentation_url
Data type: Stdlib::HTTPUrl
The URL of the documentation where users will be pointed to, for example when displaying help
Default value: $thebastion::params::documentation_url
egress_keys_from
Data type: Array[Stdlib::IP::Address::V4]
The IPs which will be added to the from="..." of the personal account keys and the group keys
Default value: $thebastion::params::egress_keys_from
enable_account_access_log
Data type: Boolean
Whether to log all accesses in the user's home /home/USER/USER-log-YYYYMM.log
Default value: $thebastion::params::enable_account_access_log
enable_account_sql_log
Data type: Boolean
Whether to log all accesses (in a detailed SQL format) in the user's home /home/USER/USER-log-YYYYMM.sqlite
Default value: $thebastion::params::enable_account_sql_log
enable_global_access_log
Data type: Boolean
Whether to log all accesses in the old /home/osh.log (never rotated, world-writable -> discouraged)
Default value: $thebastion::params::enable_global_access_log
enable_global_sql_log
Data type: Boolean
Whether to log all accesses (in a short SQL format) in /home/logkeeper/*.sqlite
Default value: $thebastion::params::enable_global_sql_log
enable_syslog
Data type: Boolean
Whether to send logs through syslog
Default value: $thebastion::params::enable_syslog
forbidden_networks
Data type: Array[Stdlib::IP::Address::V4]
Prevents egress connection to the listed networks, even if they match configured allowed networks
Default value: $thebastion::params::forbidden_networks
idle_lock_timeout
Data type: Integer[0,default]
The number of seconds of input idle time after which the session is locked. 0 means disabled
Default value: $thebastion::params::idle_lock_timeout
idle_kill_timeout
Data type: Integer[0,default]
The number of seconds of input idle time after which the session is killed. 0 means disabled
Default value: $thebastion::params::idle_kill_timeout
ingress_keys_from
Data type: Array[Stdlib::IP::Address::V4]
IPs used to build the from="" in front of the ingress account public keys used to connect to the bastion
Default value: $thebastion::params::ingress_keys_from
ingress_keys_from_allow_override
Data type: Boolean
Whether to ignore the IP passed and replace it with the IPs in the ingressKeysFrom configuration option
Default value: $thebastion::params::ingress_keys_from_allow_override
ingress_to_egress_rules
Data type: Array
Fine-grained rules (netfilter like) to apply global restrictions to possible egress destinations given ingress IPs.
Default value: $thebastion::params::ingress_to_egress_rules
interactive_mode_allowed
Data type: Boolean
Whether to activate interactive mode
Default value: $thebastion::params::interactive_mode_allowed
interactive_mode_timeout
Data type: Integer[0,default]
Idle seconds after which the user is disconnected from the bastion when in interactive mode
Default value: $thebastion::params::interactive_mode_timeout
keyboard_interactive_allowed
Data type: Boolean
Whether to allow keyboard-interactive authentication when publickey auth is requested for egress connections; this is needed e.g. for 2FA
Default value: $thebastion::params::keyboard_interactive_allowed
maximum_ingress_rsa_key_size
Data type: Integer[0,default]
The maximum allowed size for ingress RSA keys (user->bastion)
Default value: $thebastion::params::maximum_ingress_rsa_key_size
maximum_egress_rsa_key_size
Data type: Integer[0,default]
The maximum allowed size for egress RSA keys (bastion->server)
Default value: $thebastion::params::maximum_egress_rsa_key_size
minimum_ingress_rsa_key_size
Data type: Integer[0,default]
The minimum allowed size for ingress RSA keys (user->bastion)
Default value: $thebastion::params::minimum_ingress_rsa_key_size
minimum_egress_rsa_key_size
Data type: Integer[0,default]
The minimum allowed size for egress RSA keys (bastion->server)
Default value: $thebastion::params::minimum_egress_rsa_key_size
mfa_password_inactive_days
Data type: Integer[-1,default]
For the PAM UNIX password MFA, the account will be blocked after the password is expired (and not renewed) for this amount of days
Default value: $thebastion::params::mfa_password_inactive_days
mfa_password_max_days
Data type: Integer[0,default]
For the PAM UNIX password MFA, sets the maximum amount of days after which the password must be changed
Default value: $thebastion::params::mfa_password_max_days
mfa_password_min_days
Data type: Integer[0,default]
For the PAM UNIX password MFA, sets the minimum amount of days between two password changes
Default value: $thebastion::params::mfa_password_min_days
mfa_password_warn_days
Data type: Integer[0,default]
For the PAM UNIX password MFA, sets the number of days before expiration on which the user will be warned to change his password
Default value: $thebastion::params::mfa_password_warn_days
mfa_post_command
Data type: Array
When using JIT MFA (i.e. not directly by calling PAM from SSHD's configuration, but using pamtester from within the code), exec this command on success
Default value: $thebastion::params::mfa_post_command
mosh_allowed
Data type: Boolean
Whether mosh is allowed on the bastion
Default value: $thebastion::params::mosh_allowed
mosh_command_line
Data type: String
Additional parameters that will be passed as-is to mosh-server
Default value: $thebastion::params::mosh_command_line
mosh_timeout_network
Data type: Integer[1,default]
Number of seconds of inactivity (network-wise) after which a mosh-server will exit
Default value: $thebastion::params::mosh_timeout_network
mosh_timeout_signal
Data type: Integer[1,default]
Number of seconds of inactivity (network-wise) a mosh-server will wait after receiving a SIGUSR1 before exiting
Default value: $thebastion::params::mosh_timeout_signal
password_allowed
Data type: Boolean
Whether to allow password authentication for egress ssh
Default value: $thebastion::params::password_allowed
plugins
Data type: Hash
A hash of plugins definitions to instantiate for the bastion
Default value: {}
read_only_slave_mode
Data type: Boolean
Whether the instance of the bastion is slave or not
Default value: $thebastion::params::read_only_slave_mode
remote_command_escape_by_default
Data type: Boolean
Whether to escape simple quotes in remote commands by default
Default value: $thebastion::params::remote_command_escape_by_default
ssh_client_debug_level
Data type: Integer[0,3]
The number of -v that will be added to the ssh client command line when starting a session
Default value: $thebastion::params::ssh_client_debug_level
ssh_client_has_option_e
Data type: Boolean
Set to 1 if your ssh client supports the -E option and you want to use it to log debug info on opened sessions
Default value: $thebastion::params::ssh_client_has_option_e
super_owner_accounts
Data type: Array
List of accounts that are considered as super group owners
Default value: $thebastion::params::super_owner_accounts
syslog_description
Data type: String
Sets the description that will be used for syslog
Default value: $thebastion::params::syslog_description
syslog_facility
Data type: String
Sets the facility that will be used for syslog
Default value: $thebastion::params::syslog_facility
telnet_allowed
Data type: Boolean
Whether to allow telnet egress connections
Default value: $thebastion::params::telnet_allowed
ttyrec_additional_parameters
Data type: Array
Additional parameters you want to pass to ttyrec invocation
Default value: $thebastion::params::ttyrec_additional_parameters
ttyrec_filename_format
Data type: String
Sets the filename format of the output files of ttyrec for a given session
Default value: $thebastion::params::ttyrec_filename_format
ttyrec_group_id_offset
Data type: Integer[1002,default]
Offset to apply to the user's group id to create the -tty group
Default value: $thebastion::params::ttyrec_group_id_offset
ttyrec_stealth_stdout_pattern
Data type: Optional[String]
Regex which will be matched against a potential remote command specified when connecting through SSH to a remote server. If the regex matches, then we'll instruct ttyrec to NOT record stdout for this session.
Default value: $thebastion::params::ttyrec_stealth_stdout_pattern
warn_before_kill_seconds
Data type: Integer[0,default]
Seconds before idleKillTimeout where the user will receive a warning message about the upcoming kill of his session
Default value: $thebastion::params::warn_before_kill_seconds
warn_before_lock_seconds
Data type: Integer[0,default]
Seconds before idleLockTimeout where the user will receive a warning message about the upcoming lock of his session
Default value: $thebastion::params::warn_before_lock_seconds
backup_acl_keys_destdir
Data type: Stdlib::AbsolutePath
Directory where to put the .tar.gz files
Default value: $thebastion::params::backup_acl_keys_destdir
backup_acl_keys_days_to_keep
Data type: Integer[0,default]
Number of days to keep backups locally
Default value: $thebastion::params::backup_acl_keys_days_to_keep
backup_acl_keys_logfacility
Data type: Optional[String]
If defined, logs through syslog with this facility; otherwise syslog is not used
Default value: $thebastion::params::backup_acl_keys_logfacility
backup_acl_keys_logfile
Data type: Optional[Stdlib::AbsolutePath]
File where to put script logs, if not defined, will not log into a file
Default value: $thebastion::params::backup_acl_keys_logfile
backup_acl_keys_gpgkeys
Data type: Optional[String]
List of gpg keys to encrypt to
Default value: $thebastion::params::backup_acl_keys_gpgkeys
backup_acl_keys_push_options
Data type: String
Additional options to pass to scp
Default value: $thebastion::params::backup_acl_keys_push_options
backup_acl_keys_push_remote
Data type: String
Remote host to push backups to with scp
Default value: $thebastion::params::backup_acl_keys_push_remote
encrypt_rsync_and_move_to_directory
Data type: Stdlib::AbsolutePath
After encryption (and compression), move ttyrec files to subdirs of this directory
Default value: $thebastion::params::encrypt_rsync_and_move_to_directory
encrypt_rsync_delay_before_remove_days
Data type: Integer[0,default]
After encryption/compression, and successful rsync to remote, wait for this amount of days before removing the files locally
Default value: $thebastion::params::encrypt_rsync_delay_before_remove_days
encrypt_rsync_move_delay_days
Data type: Integer[0,default]
Don't touch ttyrec files that have a modification time more recent than this
Default value: $thebastion::params::encrypt_rsync_move_delay_days
encrypt_rsync_destination
Data type: String
String passed to rsync as a destination. If empty, will DISABLE rsync
Default value: $thebastion::params::encrypt_rsync_destination
encrypt_rsync_logfile
Data type: Optional[Stdlib::AbsolutePath]
File where the logs will be written to
Default value: $thebastion::params::encrypt_rsync_logfile
encrypt_rsync_recipients
Data type: Array[Array[String]]
Ttyrecs will be encrypted with those GPG keys, possibly using multi-layer GPG encryption
Default value: $thebastion::params::encrypt_rsync_recipients
encrypt_rsync_rsh
Data type: String
Useful to specify an SSH key or an alternate SSH port for example
Default value: $thebastion::params::encrypt_rsync_rsh
encrypt_rsync_signing_key
Data type: Optional[String]
ID of the key used to sign the ttyrec files (must be in the local keyring)
Default value: $thebastion::params::encrypt_rsync_signing_key
encrypt_rsync_signing_key_passphrase
Data type: Optional[String]
Will be used by the script to unlock the key and sign with it
Default value: $thebastion::params::encrypt_rsync_signing_key_passphrase
encrypt_rsync_syslog_facility
Data type: Optional[String]
Syslog facility to log to if defined
Default value: $thebastion::params::encrypt_rsync_syslog_facility
http_proxy_ciphers
Data type: String
Ordered list of the TLS server ciphers, in openssl classic format.
Default value: $thebastion::params::http_proxy_ciphers
http_proxy_enabled
Data type: Boolean
Whether to enable the http proxy daemon
Default value: $thebastion::params::http_proxy_enabled
http_proxy_insecure
Data type: Boolean
Whether to ignore SSL certificate verification for the connection between the bastion and the devices
Default value: $thebastion::params::http_proxy_insecure
http_proxy_min_servers
Data type: Integer[1,512]
Number of child processes to start at launch
Default value: $thebastion::params::http_proxy_min_servers
http_proxy_min_spare_servers
Data type: Integer[1,512]
The daemon will ensure that there is at least this number of children idle & ready to accept new connections
Default value: $thebastion::params::http_proxy_min_spare_servers
http_proxy_max_servers
Data type: Integer[1,512]
Hard maximum number of child processes that can be active at any given time no matter what
Default value: $thebastion::params::http_proxy_max_servers
http_proxy_max_spare_servers
Data type: Integer[1,512]
The daemon will kill idle children to keep their number below this maximum when traffic is low
Default value: $thebastion::params::http_proxy_max_spare_servers
http_proxy_port
Data type: Integer[1,65535]
Port to listen to
Default value: $thebastion::params::http_proxy_port
http_proxy_ssl_certificate
Data type: Stdlib::AbsolutePath
File that contains the server SSL certificate in PEM format
Default value: $thebastion::params::http_proxy_ssl_certificate
http_proxy_ssl_key
Data type: Stdlib::AbsolutePath
File that contains the server SSL key in PEM format
Default value: $thebastion::params::http_proxy_ssl_key
http_proxy_timeout
Data type: Integer
Timeout delay (in seconds) for the connection between the bastion and the devices
Default value: $thebastion::params::http_proxy_timeout
piv_grace_reaper_syslog
Data type: Optional[String]
Syslog facility to log to if defined
Default value: $thebastion::params::piv_grace_reaper_syslog
sync_watcher_enabled
Data type: Boolean
Whether to enable the script
Default value: $thebastion::params::sync_watcher_enabled
sync_watcher_logdir
Data type: Optional[Stdlib::AbsolutePath]
Directory where to log output from the script, if defined
Default value: $thebastion::params::sync_watcher_logdir
sync_watcher_remote_host_list
Data type: Array[String]
Remote hosts to connect to while rsyncing
Default value: $thebastion::params::sync_watcher_remote_host_list
sync_watcher_remote_user
Data type: String
Remote user to connect as while rsyncing
Default value: $thebastion::params::sync_watcher_remote_user
sync_watcher_rsh_cmd
Data type: String
This will be passed as the --rsh parameter of rsync
Default value: $thebastion::params::sync_watcher_rsh_cmd
sync_watcher_syslog
Data type: String
Syslog facility to use, if defined
Default value: $thebastion::params::sync_watcher_syslog
sync_watcher_timeout
Data type: Integer[0,default]
This will be the maximum delay, in seconds, after which rsync will be launched even if no change was detected
Default value: $thebastion::params::sync_watcher_timeout
thebastion::addons
Handles the bastion's addons to easily manage your production tasks
thebastion::config
main thebastion configuration
thebastion::install
Installs bastion software if enabled
thebastion::params
Default parameter values for thebastion module
Defined types
thebastion::plugin
Builds a bastion's plugin configuration
Parameters
The following parameters are available in the thebastion::plugin defined type.
configuration
Data type: Hash
Configuration to pass as JSON. The disabled key value must be a boolean; the mfa_required key value must be one of password, totp, any, none
Default value: {}
Changelog
All notable changes to this project will be documented in this file.
v1.1.5 (2024-04-22)
- fix: dns level is called dns_support_level
v1.1.4 (2024-03-25)
- enh: Add ttyrecStealthStdoutPattern and dnsLevel parameter (#14)
- fix references.md github action
- fixes #13
v1.1.3 (2023-09-25)
- fix: netcat is now netcat-traditional for recent Debian and Ubuntu versions
v1.1.2 (2022-02-01)
- fix: Correct accountMFAPolicy Enum to be compliant with bastion validation
v1.1.1 (2021-12-14)
- fix: upgrade version on push on forge action
v1.1.0 (2021-12-08)
- [unit tests] fix rspec test to comply with stdlib ensure_package status installed
- [pdk] update version
v1.0.10 (2021-01-14)
- [addons] fix http-proxy rights as there is no drop privileges but rather non root User into unitfile instead
v1.0.9 (2021-01-08)
- fix: git checkout command
v1.0.8 (2021-01-08)
- fix: add exec return code 2 acceptable, avoids unnecessary fails if admin user doesn't exist yet
v1.0.7 (2021-01-07)
- [install] add install_address parameter to clone from wherever you want
v1.0.6 (2021-01-06)
- [documentation] Fix documentation link to github
v1.0.5 (2020-12-10)
- [plugins] sync_watcher: fix type as :port format is supported
v1.0.4 (2020-12-07)
- [plugins] Remove useless comment inside epp
v1.0.3 (2020-12-04)
- fix: skip undef values when outputting pretty JSON
v1.0.2 (2020-12-03)
- Add puppet forge publish automation
- Add changelog file
- Fix module name in metadata.json file
v1.0.1 (2020-11-30)
- fix: rename REFERENCES to REFERENCE to match puppet forge conventions
- fix: invert logic of osh-admin group inclusion, add /usr/sbin to path
v1.0.0 (2020-11-27)
- Initial Release
Dependencies
- puppetlabs/concat (>= 4.1.0 < 7.0.0)
- puppetlabs/stdlib (>= 5.0.0 < 7.0.0)
Copyright 2020 OVHcloud. Licensed under the Apache License, Version 2.0; the full license terms are available at http://www.apache.org/licenses/LICENSE-2.0