Juju Charms Collection
rabbitmq-server package

Merge lp:~hazmat/charms/precise/rabbitmq-server/ssl-everywhere into lp:charms/rabbitmq-server

Proposed by Kapil Thangavelu on 2014-02-24

Status:	Superseded
Proposed branch:	lp:~hazmat/charms/precise/rabbitmq-server/ssl-everywhere
Merge into:	lp:charms/rabbitmq-server
Diff against target:	926 lines (+562/-105) (has conflicts) 12 files modified Makefile (+15/-0) charm-helpers.yaml (+2/-1) config.yaml (+22/-4) hooks/lib/utils.py (+8/-11) hooks/rabbit_utils.py (+30/-15) hooks/rabbitmq_server_relations.py (+82/-26) lib/charmhelpers/contrib/openstack/context.py (+104/-41) lib/charmhelpers/contrib/openstack/utils.py (+9/-5) lib/charmhelpers/contrib/ssl/service.py (+267/-0) lib/charmhelpers/core/hookenv.py (+6/-0) revision (+4/-0) templates/rabbitmq.config (+13/-2) Text conflict in revision
To merge this branch:	bzr merge lp:~hazmat/charms/precise/rabbitmq-server/ssl-everywhere
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Charles Butler (community)		Approve on 2014-03-04
charmers	2014-02-24	Pending
Review via email: mp+207912@code.launchpad.net

This proposal has been superseded by a proposal from 2014-03-04.

Description of the change

SSL Support for RabbitMQ

Adds a few additional configuration options for SSL.

'ssl' is the primary one, it can be 'off', 'on', or 'only'.

If its off, no changes. If its 'on' then ssl support is
enabled and ssl_ca cert is sent to clients along the relation.

If its only, then all clients must connect using ssl.

The server cert/key and ca cert can be provided via config. If
they are not, the service will act as its own ca and provide
the ssl_ca cert to its related clients.

https://codereview.appspot.com/68140043/

Revision history for this message

Kapil Thangavelu (hazmat) wrote on 2014-02-24:

Reviewers: mp+207912_code.launchpad.net,

Message:
Please take a look.

Description:
SSL Support for RabbitMQ

Adds a few additional configuration options for SSL.

'ssl' is the primary one, it can be 'off', 'on', or 'only'.

If its off, no changes. If its 'on' then ssl support is
enabled and ssl_ca cert is sent to clients along the relation.

If its only, then all clients must connect using ssl.

The server cert/key and ca cert can be provided via config. If
they are not, the service will act as its own ca and provide
the ssl_ca cert to its related clients.

https://code.launchpad.net/~hazmat/charms/precise/rabbitmq-server/ssl-everywhere/+merge/207912

(do not edit description out of merge proposal)

Please review this at https://codereview.appspot.com/68140043/

Affected files (+564, -106 lines):
   A Makefile
   A [revision details]
   M charm-helpers.yaml
   M config.yaml
   M hooks/lib/utils.py
   M hooks/rabbit_utils.py
   M hooks/rabbitmq_server_relations.py
   M lib/charmhelpers/contrib/openstack/context.py
   M lib/charmhelpers/contrib/openstack/utils.py
   A lib/charmhelpers/contrib/ssl/service.py
   M lib/charmhelpers/core/hookenv.py
   M revision
   M templates/rabbitmq.config

lp:~hazmat/charms/precise/rabbitmq-server/ssl-everywhere updated on 2014-02-25

51. By Kapil Thangavelu on 2014-02-24: sync helpers
52. By Kapil Thangavelu on 2014-02-24: incr rev for existing envs
53. By Kapil Thangavelu on 2014-02-24: sync helpers
54. By Kapil Thangavelu on 2014-02-24: sync charm-helpers
55. By Kapil Thangavelu on 2014-02-24: sync helpers
56. By Kapil Thangavelu on 2014-02-25: sync helpers

Revision history for this message

Charles Butler (lazypower) wrote on 2014-03-04:

On 2014/02/24 12:11:56, hazmat wrote:
> Please take a look.

+1 LGTM

https://codereview.appspot.com/68140043/

Revision history for this message

Charles Butler (lazypower) wrote on 2014-03-04:

+1 LGTM

review: Approve

Unmerged revisions

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Csaba TOTH

Kapil Thangavelu

Landscape

charmers

 === added file 'Makefile'
 --- Makefile	1970-01-01 00:00:00 +0000
 +++ Makefile	2014-02-25 14:24:12 +0000
@@ -0,0 +1,15 @@
++#!/usr/bin/make
++
++lint:
++	@echo -n "Running flake8 tests: "
++	@flake8 --exclude hooks/charmhelpers hooks
++	@flake8 unit_tests
++	@echo "OK"
++	@echo -n "Running charm proof: "
++	@charm proof
++	@echo "OK"
++
++sync:
++	@charm-helper-sync -c charm-helpers.yaml
++
++all: test lint
 === modified file 'charm-helpers.yaml'
 --- charm-helpers.yaml	2014-01-16 13:47:32 +0000
 +++ charm-helpers.yaml	2014-02-25 14:24:12 +0000
@@ -1,6 +1,7 @@
  destination: lib/charmhelpers
--branch: lp:charm-helpers
++branch: lp:~hazmat/charm-helpers/ssl-everywhere
  include:
      - core
      - contrib.charmsupport
      - contrib.openstack
++    - contrib.ssl
 === modified file 'config.yaml'
 --- config.yaml	2014-02-11 14:18:05 +0000
 +++ config.yaml	2014-02-25 14:24:12 +0000
@@ -1,12 +1,23 @@
  options:
--  ssl_enabled:
--    type: boolean
--    default: False
--    description: enable SSL
    management_plugin:
      type: boolean
      default: False
      description: enable the management plugin
++
++  # SSL Configuration options
++  ssl:
++    type: string
++    default: "off"
++    description: |
++      Enable SSL connections on rabbitmq, valid values are 'off', 'on', 'only'. If ssl_key,
++      ssl_cert, ssl_ca are provided then then those values will be used. Otherwise
++      the service will act as its own certificate authority and pass its ca cert to clients.
++      For HA or clustered rabbits ssl key/cert must be provided.
++  ssl_enabled:
++    type: boolean
++    default: False
++    description: |
++      (DEPRECATED see 'ssl' config option.) enable SSL
    ssl_port:
      type: int
      default: 5671
@@ -19,6 +30,13 @@
      type: string
      description: X.509 certificate in PEM format (starts "-----BEGIN CERTIFICATE-----")
      default: ""
++  ssl_ca:
++    type: string
++    description: |
++      Certificate authority cert that signed pem. Optional if the ssl_cert is signed by a ca
++      recognized by the os.
++    default: ""
++
    nagios_context:
      default: "juju"
      type: string
 === modified file 'hooks/lib/utils.py'
 --- hooks/lib/utils.py	2014-01-08 15:22:21 +0000
 +++ hooks/lib/utils.py	2014-02-25 14:24:12 +0000
@@ -261,18 +261,15 @@
  @cached
--def config_get(attribute):
--    cmd = [
--        'config-get',
--        '--format',
--        'json',
--        ]
--    out = subprocess.check_output(cmd).strip()  # IGNORE:E1103
--    cfg = json.loads(out)
--
++def config_get(scope=None):
++    """Juju charm configuration"""
++    config_cmd_line = ['config-get']
++    if scope is not None:
++        config_cmd_line.append(scope)
++    config_cmd_line.append('--format=json')
      try:
--        return cfg[attribute]
--    except KeyError:
++        return json.loads(subprocess.check_output(config_cmd_line))
++    except ValueError:
          return None
 === modified file 'hooks/rabbit_utils.py'
 --- hooks/rabbit_utils.py	2014-01-13 12:15:05 +0000
 +++ hooks/rabbit_utils.py	2014-02-25 14:24:12 +0000
@@ -218,24 +218,39 @@
  ssl_key_file = "/etc/rabbitmq/rabbit-server-privkey.pem"
  ssl_cert_file = "/etc/rabbitmq/rabbit-server-cert.pem"
--
--
--def enable_ssl(ssl_key, ssl_cert, ssl_port):
++ssl_ca_file = "/etc/rabbitmq/rabbit-server-ca.pem"
++
++
++def enable_ssl(ssl_key, ssl_cert, ssl_port,
++               ssl_ca=None, ssl_only=False, ssl_client=None):
      uid = pwd.getpwnam("root").pw_uid
      gid = grp.getgrnam("rabbitmq").gr_gid
--    with open(ssl_key_file, 'w') as key_file:
--        key_file.write(ssl_key)
--    os.chmod(ssl_key_file, 0640)
--    os.chown(ssl_key_file, uid, gid)
--    with open(ssl_cert_file, 'w') as cert_file:
--        cert_file.write(ssl_cert)
--    os.chmod(ssl_cert_file, 0640)
--    os.chown(ssl_cert_file, uid, gid)
++
++    for contents, path in (
++            (ssl_key, ssl_key_file),
++            (ssl_cert, ssl_cert_file),
++            (ssl_ca, ssl_ca_file)):
++        if not contents:
++            continue
++        with open(path, 'w') as fh:
++            fh.write(contents)
++        os.chmod(path, 0640)
++        os.chown(path, uid, gid)
++
++    data = {
++        "ssl_port": ssl_port,
++        "ssl_cert_file": ssl_cert_file,
++        "ssl_key_file": ssl_key_file,
++        "ssl_client": ssl_client,
++        "ssl_ca_file": "",
++        "ssl_only": ssl_only}
++
++    if ssl_ca:
++        data["ssl_ca_file"] = ssl_ca_file
++
      with open(RABBITMQ_CONF, 'w') as rmq_conf:
--        rmq_conf.write(utils.render_template(os.path.basename(RABBITMQ_CONF),
--                                             {"ssl_port": ssl_port,
--                                              "ssl_cert_file": ssl_cert_file,
--                                              "ssl_key_file": ssl_key_file}))
++        rmq_conf.write(utils.render_template(
++            os.path.basename(RABBITMQ_CONF), data))
  def execute(cmd, die=False, echo=False):
 === modified file 'hooks/rabbitmq_server_relations.py'
 --- hooks/rabbitmq_server_relations.py	2014-02-10 09:25:06 +0000
 +++ hooks/rabbitmq_server_relations.py	2014-02-25 14:24:12 +0000
@@ -1,5 +1,5 @@
  #!/usr/bin/python
--
++import base64
  import os
  import shutil
  import sys
@@ -20,6 +20,7 @@
  from charmhelpers.core import hookenv
  from charmhelpers.core.host import rsync
  from charmhelpers.contrib.charmsupport.nrpe import NRPE
++from charmhelpers.contrib.ssl.service import ServiceCA
  SERVICE_NAME = os.getenv('JUJU_UNIT_NAME').split('/')[0]
@@ -69,18 +70,16 @@
      relation_settings = {}
      settings = hookenv.relation_get(rid=relation_id, unit=remote_unit)
--    singleset = set([
--        'username',
--        'vhost'
--        ])
++    singleset = set(['username', 'vhost'])
      if singleset.issubset(settings):
          if None in [settings['username'], settings['vhost']]:
              utils.juju_log('INFO', 'amqp_changed(): Relation not ready.')
              return
--        relation_settings['password'] = configure_amqp(username=settings['username'],
--                                                       vhost=settings['vhost'])
++        relation_settings['password'] = configure_amqp(
++            username=settings['username'],
++            vhost=settings['vhost'])
      else:
          queues = {}
          for k, v in settings.iteritems():
@@ -89,13 +88,15 @@
              if amqp not in queues:
                  queues[amqp] = {}
              queues[amqp][x] = v
--        relation_settings = {}
          for amqp in queues:
              if singleset.issubset(queues[amqp]):
--                relation_settings['_'.join([amqp, 'password'])] = configure_amqp(queues[amqp]['username'],
--                                                                                 queues[amqp]['vhost'])
++                relation_settings[
++                    '_'.join([amqp, 'password'])] = configure_amqp(
++                        queues[amqp]['username'],
++                        queues[amqp]['vhost'])
      relation_settings['hostname'] = utils.unit_get('private-address')
++    configure_client_ssl(relation_settings)
      if cluster.is_clustered():
          relation_settings['clustered'] = 'true'
@@ -361,6 +362,76 @@
  MAN_PLUGIN = 'rabbitmq_management'
++def configure_client_ssl(relation_data):
++    """Configure client with ssl
++    """
++    ssl_mode, external_ca = _get_ssl_mode()
++    if ssl_mode == 'off':
++        return
++    relation_data['ssl_port'] = utils.config_get('ssl_port')
++    if external_ca:
++        if utils.config_get('ssl_ca'):
++            relation_data['ssl_ca'] = base64.b64encode(
++                utils.config_get('ssl_ca'))
++        return
++    ca = ServiceCA.get_ca()
++    relation_data['ssl_ca'] = base64.b64encode(ca.get_ca_bundle())
++
++
++def _get_ssl_mode():
++    config = utils.config_get()
++    ssl_mode = config.get('ssl')
++    external_ca = False
++    # Legacy config boolean option
++    ssl_on = config.get('ssl_enabled')
++    if ssl_mode == 'off' and ssl_on is False:
++        ssl_mode = 'off'
++    elif ssl_mode == 'off' and ssl_on:
++        ssl_mode = 'on'
++    ssl_key = utils.config_get('ssl_key')
++    ssl_cert = utils.config_get('ssl_cert')
++    if all((ssl_key, ssl_cert)):
++        external_ca = True
++    return ssl_mode, external_ca
++
++
++def configure_rabbit_ssl():
++    """
++    The legacy config support adds some additional complications.
++
++    ssl_enabled = True, ssl = off -> ssl enabled
++    ssl_enabled = False, ssl = on -> ssl enabled
++    """
++    ssl_mode, external_ca = _get_ssl_mode()
++
++    if ssl_mode == 'off':
++        if os.path.exists(rabbit.RABBITMQ_CONF):
++            os.remove(rabbit.RABBITMQ_CONF)
++        utils.close_port(utils.config_get('ssl_port'))
++        return
++
++    ssl_key = utils.config_get('ssl_key')
++    ssl_cert = utils.config_get('ssl_cert')
++    ssl_ca = utils.config_get('ssl_ca')
++    ssl_port = utils.config_get('ssl_port')
++
++    # If external managed certs then we need all the fields.
++    if (ssl_mode in ('on', 'only') and any((ssl_key, ssl_cert)) and
++            not all((ssl_key, ssl_cert))):
++        utils.juju_log(
++            'ERROR',
++            'If ssl_key or ssl_cert are specified both are required.')
++        sys.exit(1)
++
++    if not external_ca:
++        ssl_cert, ssl_key, ssl_ca = ServiceCA.get_service_cert()
++
++    rabbit.enable_ssl(
++        ssl_key, ssl_cert, ssl_port, ssl_ca,
++        ssl_only=(ssl_mode == "only"), ssl_client=False)
++    utils.open_port(ssl_port)
++
++
  def config_changed():
      unison.ensure_user(user=rabbit.SSH_USER, group='rabbit')
      ensure_unison_rabbit_permissions()
@@ -372,22 +443,7 @@
          rabbit.disable_plugin(MAN_PLUGIN)
          utils.close_port(55672)
--    if utils.config_get('ssl_enabled') is True:
--        ssl_key = utils.config_get('ssl_key')
--        ssl_cert = utils.config_get('ssl_cert')
--        ssl_port = utils.config_get('ssl_port')
--        if None in [ssl_key, ssl_cert, ssl_port]:
--            utils.juju_log('ERROR',
--                           'Please provide ssl_key, ssl_cert and ssl_port'
--                           ' config when enabling SSL support')
--            sys.exit(1)
--        else:
--            rabbit.enable_ssl(ssl_key, ssl_cert, ssl_port)
--            utils.open_port(ssl_port)
--    else:
--        if os.path.exists(rabbit.RABBITMQ_CONF):
--            os.remove(rabbit.RABBITMQ_CONF)
--        utils.close_port(utils.config_get('ssl_port'))
++    configure_rabbit_ssl()
      if cluster.eligible_leader('res_rabbitmq_vip'):
          utils.restart('rabbitmq-server')
 === modified file 'lib/charmhelpers/contrib/openstack/context.py'
 --- lib/charmhelpers/contrib/openstack/context.py	2014-01-16 13:47:32 +0000
 +++ lib/charmhelpers/contrib/openstack/context.py	2014-02-25 14:24:12 +0000
@@ -1,5 +1,6 @@
  import json
  import os
++import time
  from base64 import b64decode
@@ -67,6 +68,43 @@
      return True
++def config_flags_parser(config_flags):
++    if config_flags.find('==') >= 0:
++        log("config_flags is not in expected format (key=value)",
++            level=ERROR)
++        raise OSContextError
++    # strip the following from each value.
++    post_strippers = ' ,'
++    # we strip any leading/trailing '=' or ' ' from the string then
++    # split on '='.
++    split = config_flags.strip(' =').split('=')
++    limit = len(split)
++    flags = {}
++    for i in xrange(0, limit - 1):
++        current = split[i]
++        next = split[i + 1]
++        vindex = next.rfind(',')
++        if (i == limit - 2) or (vindex < 0):
++            value = next
++        else:
++            value = next[:vindex]
++
++        if i == 0:
++            key = current
++        else:
++            # if this not the first entry, expect an embedded key.
++            index = current.rfind(',')
++            if index < 0:
++                log("invalid config value(s) at index %s" % (i),
++                    level=ERROR)
++                raise OSContextError
++            key = current[index + 1:]
++
++        # Add to collection.
++        flags[key.strip(post_strippers)] = value.rstrip(post_strippers)
++    return flags
++
++
  class OSContextGenerator(object):
      interfaces = []
@@ -77,7 +115,8 @@
  class SharedDBContext(OSContextGenerator):
      interfaces = ['shared-db']
--    def __init__(self, database=None, user=None, relation_prefix=None):
++    def __init__(self,
++                 database=None, user=None, relation_prefix=None, ssl_dir=None):
          '''
          Allows inspecting relation for settings prefixed with relation_prefix.
          This is useful for parsing access for multiple databases returned via
@@ -86,6 +125,7 @@
          self.relation_prefix = relation_prefix
          self.database = database
          self.user = user
++        self.ssl_dir = ssl_dir
      def __call__(self):
          self.database = self.database or config('database')
@@ -103,19 +143,44 @@
          for rid in relation_ids('shared-db'):
              for unit in related_units(rid):
--                passwd = relation_get(password_setting, rid=rid, unit=unit)
++                rdata = relation_get(rid=rid, unit=unit)
                  ctxt = {
--                    'database_host': relation_get('db_host', rid=rid,
--                                                  unit=unit),
++                    'database_host': rdata.get('db_host'),
                      'database': self.database,
                      'database_user': self.user,
--                    'database_password': passwd,
++                    'database_password': rdata.get(password_setting)
+                 }
                  if context_complete(ctxt):
++                    db_ssl(rdata, ctxt, self.ssl_dir)
                      return ctxt
          return {}
++def db_ssl(rdata, ctxt, ssl_dir):
++    if 'ssl_ca' in rdata and ssl_dir:
++        ca_path = os.path.join(ssl_dir, 'db-client.ca')
++        with open(ca_path, 'w') as fh:
++            fh.write(b64decode(rdata['ssl_ca']))
++        ctxt['database_ssl_ca'] = ca_path
++    elif 'ssl_ca' in rdata:
++        log("Charm not setup for ssl support but ssl ca found")
++        return ctxt
++    if 'ssl_cert' in rdata:
++        cert_path = os.path.join(
++            ssl_dir, 'db-client.cert')
++        if not os.path.exists(cert_path):
++            log("Waiting 1m for ssl client cert validity")
++            time.sleep(60)
++        with open(cert_path, 'w') as fh:
++            fh.write(b64decode(rdata['ssl_cert']))
++        ctxt['database_ssl_cert'] = cert_path
++        key_path = os.path.join(ssl_dir, 'db-client.key')
++        with open(key_path, 'w') as fh:
++            fh.write(b64decode(rdata['ssl_key']))
++        ctxt['database_ssl_key'] = key_path
++    return ctxt
++
++
  class IdentityServiceContext(OSContextGenerator):
      interfaces = ['identity-service']
@@ -150,6 +215,9 @@
  class AMQPContext(OSContextGenerator):
      interfaces = ['amqp']
++    def __init__(self, ssl_dir=None):
++        self.ssl_dir = ssl_dir
++
      def __call__(self):
          log('Generating template context for amqp')
          conf = config()
@@ -160,7 +228,6 @@
              log('Could not generate shared_db context. '
                  'Missing required charm config options: %s.' % e)
              raise OSContextError
--
          ctxt = {}
          for rid in relation_ids('amqp'):
              for unit in related_units(rid):
@@ -177,7 +244,24 @@
                                                        unit=unit),
                      'rabbitmq_virtual_host': vhost,
                  })
++                ssl_port = relation_get('ssl_port', rid=rid, unit=unit)
++                if ssl_port:
++                    ctxt['rabbit_ssl_port'] = ssl_port
++                ssl_ca = relation_get('ssl_ca', rid=rid, unit=unit)
++                if ssl_ca:
++                    ctxt['rabbit_ssl_ca'] = ssl_ca
++
                  if context_complete(ctxt):
++                    if 'rabbit_ssl_ca' in ctxt:
++                        if not self.ssl_dir:
++                            log(("Charm not setup for ssl support "
++                                 "but ssl ca found"))
++                            break
++                        ca_path = os.path.join(
++                            self.ssl_dir, 'rabbit-client-ca.pem')
++                        with open(ca_path, 'w') as fh:
++                            fh.write(b64decode(ctxt['rabbit_ssl_ca']))
++                            ctxt['rabbit_ssl_ca'] = ca_path
                      # Sufficient information found = break out!
                      break
              # Used for active/active rabbitmq >= grizzly
@@ -430,6 +514,11 @@
          elif self.plugin == 'nvp':
              ctxt.update(self.nvp_ctxt())
++        alchemy_flags = config('neutron-alchemy-flags')
++        if alchemy_flags:
++            flags = config_flags_parser(alchemy_flags)
++            ctxt['neutron_alchemy_flags'] = flags
++
          self._save_flag_file()
          return ctxt
@@ -450,41 +539,7 @@
              if not config_flags:
                  return {}
--            if config_flags.find('==') >= 0:
--                log("config_flags is not in expected format (key=value)",
--                    level=ERROR)
--                raise OSContextError
--
--            # strip the following from each value.
--            post_strippers = ' ,'
--            # we strip any leading/trailing '=' or ' ' from the string then
--            # split on '='.
--            split = config_flags.strip(' =').split('=')
--            limit = len(split)
--            flags = {}
--            for i in xrange(0, limit - 1):
--                current = split[i]
--                next = split[i + 1]
--                vindex = next.rfind(',')
--                if (i == limit - 2) or (vindex < 0):
--                    value = next
--                else:
--                    value = next[:vindex]
--
--                if i == 0:
--                    key = current
--                else:
--                    # if this not the first entry, expect an embedded key.
--                    index = current.rfind(',')
--                    if index < 0:
--                        log("invalid config value(s) at index %s" % (i),
--                            level=ERROR)
--                        raise OSContextError
--                    key = current[index + 1:]
--
--                # Add to collection.
--                flags[key.strip(post_strippers)] = value.rstrip(post_strippers)
--
++            flags = config_flags_parser(config_flags)
              return {'user_config_flags': flags}
@@ -575,3 +630,11 @@
              ctxt['sections'] = {}
          return ctxt
++
++
++class SyslogContext(OSContextGenerator):
++    def __call__(self):
++        ctxt = {
++            'use_syslog': config('use-syslog')
++        }
++        return ctxt
 === modified file 'lib/charmhelpers/contrib/openstack/utils.py'
 --- lib/charmhelpers/contrib/openstack/utils.py	2014-01-16 13:47:32 +0000
 +++ lib/charmhelpers/contrib/openstack/utils.py	2014-02-25 14:24:12 +0000
@@ -415,7 +415,7 @@
      return ns_query(hostname)
--def get_hostname(address):
++def get_hostname(address, fqdn=True):
      """
      Resolves hostname for given IP, or returns the input
      if it is already a hostname.
@@ -434,7 +434,11 @@
      if not result:
          return None
--    # strip trailing .
--    if result.endswith('.'):
--        return result[:-1]
--    return result
++    if fqdn:
++        # strip trailing .
++        if result.endswith('.'):
++            return result[:-1]
++        else:
++            return result
++    else:
++        return result.split('.')[0]
 === added file 'lib/charmhelpers/contrib/ssl/service.py'
 --- lib/charmhelpers/contrib/ssl/service.py	1970-01-01 00:00:00 +0000
 +++ lib/charmhelpers/contrib/ssl/service.py	2014-02-25 14:24:12 +0000
@@ -0,0 +1,267 @@
++import logging
++import os
++from os.path import join as path_join
++from os.path import exists
++import subprocess
++
++
++log = logging.getLogger("service_ca")
++
++logging.basicConfig(level=logging.DEBUG)
++
++STD_CERT = "standard"
++
++# Mysql server is fairly picky about cert creation
++# and types, spec its creation separately for now.
++MYSQL_CERT = "mysql"
++
++
++class ServiceCA(object):
++
++    default_expiry = str(365 * 2)
++    default_ca_expiry = str(365 * 6)
++
++    def __init__(self, name, ca_dir, cert_type=STD_CERT):
++        self.name = name
++        self.ca_dir = ca_dir
++        self.cert_type = cert_type
++
++    ###############
++    # Hook Helper API
++    @staticmethod
++    def get_ca(type=STD_CERT):
++        service_name = os.environ['JUJU_UNIT_NAME'].split('/')[0]
++        ca_path = os.path.join(os.environ['CHARM_DIR'], 'ca')
++        ca = ServiceCA(service_name, ca_path, type)
++        ca.init()
++        return ca
++
++    @classmethod
++    def get_service_cert(cls, type=STD_CERT):
++        service_name = os.environ['JUJU_UNIT_NAME'].split('/')[0]
++        ca = cls.get_ca()
++        crt, key = ca.get_or_create_cert(service_name)
++        return crt, key, ca.get_ca_bundle()
++
++    ###############
++
++    def init(self):
++        log.debug("initializing service ca")
++        if not exists(self.ca_dir):
++            self._init_ca_dir(self.ca_dir)
++            self._init_ca()
++
++    @property
++    def ca_key(self):
++        return path_join(self.ca_dir, 'private', 'cacert.key')
++
++    @property
++    def ca_cert(self):
++        return path_join(self.ca_dir, 'cacert.pem')
++
++    @property
++    def ca_conf(self):
++        return path_join(self.ca_dir, 'ca.cnf')
++
++    @property
++    def signing_conf(self):
++        return path_join(self.ca_dir, 'signing.cnf')
++
++    def _init_ca_dir(self, ca_dir):
++        os.mkdir(ca_dir)
++        for i in ['certs', 'crl', 'newcerts', 'private']:
++            sd = path_join(ca_dir, i)
++            if not exists(sd):
++                os.mkdir(sd)
++
++        if not exists(path_join(ca_dir, 'serial')):
++            with open(path_join(ca_dir, 'serial'), 'wb') as fh:
++                fh.write('02\n')
++
++        if not exists(path_join(ca_dir, 'index.txt')):
++            with open(path_join(ca_dir, 'index.txt'), 'wb') as fh:
++                fh.write('')
++
++    def _init_ca(self):
++        """Generate the root ca's cert and key.
++        """
++        if not exists(path_join(self.ca_dir, 'ca.cnf')):
++            with open(path_join(self.ca_dir, 'ca.cnf'), 'wb') as fh:
++                fh.write(
++                    CA_CONF_TEMPLATE % (self.get_conf_variables()))
++
++        if not exists(path_join(self.ca_dir, 'signing.cnf')):
++            with open(path_join(self.ca_dir, 'signing.cnf'), 'wb') as fh:
++                fh.write(
++                    SIGNING_CONF_TEMPLATE % (self.get_conf_variables()))
++
++        if exists(self.ca_cert) or exists(self.ca_key):
++            raise RuntimeError("Initialized called when CA already exists")
++        cmd = ['openssl', 'req', '-config', self.ca_conf,
++               '-x509', '-nodes', '-newkey', 'rsa',
++               '-days', self.default_ca_expiry,
++               '-keyout', self.ca_key, '-out', self.ca_cert,
++               '-outform', 'PEM']
++        output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
++        log.debug("CA Init:\n %s", output)
++
++    def get_conf_variables(self):
++        return dict(
++            org_name="juju",
++            org_unit_name="%s service" % self.name,
++            common_name=self.name,
++            ca_dir=self.ca_dir)
++
++    def get_or_create_cert(self, common_name):
++        if common_name in self:
++            return self.get_certificate(common_name)
++        return self.create_certificate(common_name)
++
++    def create_certificate(self, common_name):
++        if common_name in self:
++            return self.get_certificate(common_name)
++        key_p = path_join(self.ca_dir, "certs", "%s.key" % common_name)
++        crt_p = path_join(self.ca_dir, "certs", "%s.crt" % common_name)
++        csr_p = path_join(self.ca_dir, "certs", "%s.csr" % common_name)
++        self._create_certificate(common_name, key_p, csr_p, crt_p)
++        return self.get_certificate(common_name)
++
++    def get_certificate(self, common_name):
++        if not common_name in self:
++            raise ValueError("No certificate for %s" % common_name)
++        key_p = path_join(self.ca_dir, "certs", "%s.key" % common_name)
++        crt_p = path_join(self.ca_dir, "certs", "%s.crt" % common_name)
++        with open(crt_p) as fh:
++            crt = fh.read()
++        with open(key_p) as fh:
++            key = fh.read()
++        return crt, key
++
++    def __contains__(self, common_name):
++        crt_p = path_join(self.ca_dir, "certs", "%s.crt" % common_name)
++        return exists(crt_p)
++
++    def _create_certificate(self, common_name, key_p, csr_p, crt_p):
++        template_vars = self.get_conf_variables()
++        template_vars['common_name'] = common_name
++        subj = '/O=%(org_name)s/OU=%(org_unit_name)s/CN=%(common_name)s' % (
++            template_vars)
++
++        log.debug("CA Create Cert %s", common_name)
++        cmd = ['openssl', 'req', '-sha1', '-newkey', 'rsa:2048',
++               '-nodes', '-days', self.default_expiry,
++               '-keyout', key_p, '-out', csr_p, '-subj', subj]
++        subprocess.check_call(cmd)
++        cmd = ['openssl', 'rsa', '-in', key_p, '-out', key_p]
++        subprocess.check_call(cmd)
++
++        log.debug("CA Sign Cert %s", common_name)
++        if self.cert_type == MYSQL_CERT:
++            cmd = ['openssl', 'x509', '-req',
++                   '-in', csr_p, '-days', self.default_expiry,
++                   '-CA', self.ca_cert, '-CAkey', self.ca_key,
++                   '-set_serial', '01', '-out', crt_p]
++        else:
++            cmd = ['openssl', 'ca', '-config', self.signing_conf,
++                   '-extensions', 'req_extensions',
++                   '-days', self.default_expiry, '-notext',
++                   '-in', csr_p, '-out', crt_p, '-subj', subj, '-batch']
++        log.debug("running %s", " ".join(cmd))
++        subprocess.check_call(cmd)
++
++    def get_ca_bundle(self):
++        with open(self.ca_cert) as fh:
++            return fh.read()
++
++
++CA_CONF_TEMPLATE = """
++[ ca ]
++default_ca = CA_default
++
++[ CA_default ]
++dir                     = %(ca_dir)s
++policy                  = policy_match
++database                = $dir/index.txt
++serial                  = $dir/serial
++certs                   = $dir/certs
++crl_dir                 = $dir/crl
++new_certs_dir           = $dir/newcerts
++certificate             = $dir/cacert.pem
++private_key             = $dir/private/cacert.key
++RANDFILE                = $dir/private/.rand
++default_md              = default
++
++[ req ]
++default_bits            = 1024
++default_md              = sha1
++
++prompt                  = no
++distinguished_name      = ca_distinguished_name
++
++x509_extensions         = ca_extensions
++
++[ ca_distinguished_name ]
++organizationName        = %(org_name)s
++organizationalUnitName  = %(org_unit_name)s Certificate Authority
++
++
++[ policy_match ]
++countryName             = optional
++stateOrProvinceName     = optional
++organizationName        = match
++organizationalUnitName  = optional
++commonName              = supplied
++
++[ ca_extensions ]
++basicConstraints        = critical,CA:true
++subjectKeyIdentifier    = hash
++authorityKeyIdentifier  = keyid:always, issuer
++keyUsage                = cRLSign, keyCertSign
++"""
++
++
++SIGNING_CONF_TEMPLATE = """
++[ ca ]
++default_ca = CA_default
++
++[ CA_default ]
++dir                     = %(ca_dir)s
++policy                  = policy_match
++database                = $dir/index.txt
++serial                  = $dir/serial
++certs                   = $dir/certs
++crl_dir                 = $dir/crl
++new_certs_dir           = $dir/newcerts
++certificate             = $dir/cacert.pem
++private_key             = $dir/private/cacert.key
++RANDFILE                = $dir/private/.rand
++default_md              = default
++
++[ req ]
++default_bits            = 1024
++default_md              = sha1
++
++prompt                  = no
++distinguished_name      = req_distinguished_name
++
++x509_extensions         = req_extensions
++
++[ req_distinguished_name ]
++organizationName        = %(org_name)s
++organizationalUnitName  = %(org_unit_name)s machine resources
++commonName              = %(common_name)s
++
++[ policy_match ]
++countryName             = optional
++stateOrProvinceName     = optional
++organizationName        = match
++organizationalUnitName  = optional
++commonName              = supplied
++
++[ req_extensions ]
++basicConstraints        = CA:false
++subjectKeyIdentifier    = hash
++authorityKeyIdentifier  = keyid:always, issuer
++keyUsage                = digitalSignature, keyEncipherment, keyAgreement
++extendedKeyUsage        = serverAuth, clientAuth
++"""
 === modified file 'lib/charmhelpers/core/hookenv.py'
 --- lib/charmhelpers/core/hookenv.py	2013-11-15 19:15:16 +0000
 +++ lib/charmhelpers/core/hookenv.py	2014-02-25 14:24:12 +0000
@@ -8,6 +8,7 @@
  import json
  import yaml
  import subprocess
++import sys
  import UserDict
  from subprocess import CalledProcessError
@@ -149,6 +150,11 @@
      return local_unit().split('/')[0]
++def hook_name():
++    """The name of the currently executing hook"""
++    return os.path.basename(sys.argv[0])
++
++
  @cached
  def config(scope=None):
      """Juju charm configuration"""
 === modified file 'revision'
 --- revision	2014-02-10 09:25:06 +0000
 +++ revision	2014-02-25 14:24:12 +0000
@@ -1,1 +1,5 @@
++<<<<<<< TREE
++=======
++124
++>>>>>>> MERGE-SOURCE
 === modified file 'templates/rabbitmq.config'
 --- templates/rabbitmq.config	2013-05-21 05:59:02 +0000
 +++ templates/rabbitmq.config	2014-02-25 14:24:12 +0000
@@ -1,10 +1,21 @@
+ [
      {rabbit, [
++{% if ssl_only %}
++        {tcp_listeners, []},
++{% else %}
++    	{tcp_listeners, [5672]},
++{% endif %}
      	{ssl_listeners, [{{ ssl_port }}]},
      	{ssl_options, [
++ 	        {verify, verify_peer},
++{% if ssl_client %}
++                {fail_if_no_peer_cert, true},
++{% else %}
++                {fail_if_no_peer_cert, false},
++{% endif %}{% if ssl_ca_file %}
++                {cacertfile, "{{ ssl_ca_file }}"}, {% endif %}
          	{certfile, "{{ ssl_cert_file }}"},
          	{keyfile, "{{ ssl_key_file }}"}
--    	]},
--    	{tcp_listeners, [5672]}
++    	]}
      ]}
  ].
 \ No newline at end of file

Juju Charms Collectionrabbitmq-server package

Merge lp:~hazmat/charms/precise/rabbitmq-server/ssl-everywhere into lp:charms/rabbitmq-server

Commit message

Description of the change

Unmerged revisions

Preview Diff

Subscribers

Juju Charms Collection
rabbitmq-server package