コード例 #1
def configure_rabbit_ssl():
    """
    Apply the charm's SSL settings to the RabbitMQ server.

    The legacy config support adds some additional complications.

    ssl_enabled = True, ssl = off -> ssl enabled
    ssl_enabled = False, ssl = on -> ssl enabled

    In mode 'off' the RabbitMQ config file is deleted, the SSL port is
    closed and reconfigure_client_ssl() is called without arguments.
    In any other mode the key, certificate and CA are read from the charm
    config, or replaced by ServiceCA material when no external CA is in
    use, and the SSL port is opened.
    """
    ssl_mode, external_ca = _get_ssl_mode()

    if ssl_mode == 'off':
        if os.path.exists(rabbit.RABBITMQ_CONF):
            os.remove(rabbit.RABBITMQ_CONF)
        close_port(config('ssl_port'))
        reconfigure_client_ssl()
        return

    # The private key arrives through charm config; keep it out of log
    # messages and error output.
    ssl_key, ssl_cert, ssl_ca = [
        _convert_from_base64(config(option))
        for option in ('ssl_key', 'ssl_cert', 'ssl_ca')]
    ssl_port = config('ssl_port')

    # If external managed certs then we need all the fields.
    # Only a half-specified key/cert pair is rejected here; ssl_ca is not
    # checked, and a pair that is missing entirely passes this test.
    exactly_one_given = bool(ssl_key) != bool(ssl_cert)
    if ssl_mode in ('on', 'only') and exactly_one_given:
        log('If ssl_key or ssl_cert are specified both are required.',
            level=ERROR)
        sys.exit(1)

    if not external_ca:
        # Charm-managed CA: whatever was read from config is discarded.
        ssl_cert, ssl_key, ssl_ca = ServiceCA.get_service_cert()

    # NOTE(review): ssl_client=False presumably means the broker does not
    # ask clients for a certificate, and ssl_only is False in mode 'on',
    # which presumably leaves the non-SSL listener available -- confirm
    # both against rabbit.enable_ssl before relying on transport security.
    tls_only = ssl_mode == "only"
    rabbit.enable_ssl(
        ssl_key, ssl_cert, ssl_port, ssl_ca,
        ssl_only=tls_only, ssl_client=False)
    reconfigure_client_ssl(True)
    open_port(ssl_port)
コード例 #2
ファイル: deploy_common.py プロジェクト: BillTheBest/hyper-c
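class CA(object):
    """
    Represents the certificate authority for use in RabbitMQ amulet tests.

    The key and certificate file names are built from COMMON_NAME, so the
    files read by get_key() and get_cert() always match the name passed
    to get_or_create_cert() in __init__.
    """
    # The name of the rabbit certificate authority.
    CA_NAME = 'rabbit-server-ca'

    # Put the certificate authority in a temporary location since
    # it is rebuilt for each amulet run.
    # NOTE(review): this is a fixed, predictable directory under /tmp, and
    # the server private key returned by get_key() is stored below it.
    # Use it for throwaway test material only; on a shared host, check the
    # directory's owner and mode before trusting its contents.
    CA_PATH = '/tmp/rabbit-server-ca'

    # The common name for the certificate itself.
    COMMON_NAME = 'rabbitmq-server'

    def __init__(self):
        """Create the test CA under CA_PATH and ensure the server cert."""
        self.ca = ServiceCA(self.CA_NAME, self.CA_PATH)
        self.ca.init()
        self.ca.get_or_create_cert(self.COMMON_NAME)

    def _load_file(self, path):
        """Return the full text contents of the file at *path*."""
        with open(path) as f:
            return f.read()

    def _cert_file(self, extension):
        """Return the path of the COMMON_NAME file with *extension*."""
        # presumably ServiceCA names the files after the common name;
        # verify against ServiceCA if COMMON_NAME is ever changed.
        return os.path.join(self.CA_PATH, 'certs',
                            self.COMMON_NAME + extension)

    def get_key(self):
        """
        Returns the contents of the rabbitmq private key.
        """
        return self._load_file(self._cert_file('.key'))

    def get_cert(self):
        """
        Returns the contents of the rabbitmq certificate.
        """
        return self._load_file(self._cert_file('.crt'))

    def ca_cert_path(self):
        """
        Returns the certificate authority certificate path.
        """
        return os.path.join(self.CA_PATH, 'cacert.pem')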
コード例 #3
def configure_client_ssl(relation_data):
    """Configure client with ssl

    Adds 'ssl_port' and, when a CA is available, a base64 encoded
    'ssl_ca' to *relation_data*.  Nothing is added when the SSL mode is
    'off'.  Only CA certificate data is published, never a private key.
    """
    ssl_mode, external_ca = get_ssl_mode()
    if ssl_mode == 'off':
        return

    relation_data['ssl_port'] = config('ssl_port')

    if not external_ca:
        # Charm-managed CA: publish its bundle so clients can verify the
        # broker certificate.
        bundle = ServiceCA.get_ca().get_ca_bundle()
        relation_data['ssl_ca'] = base64.b64encode(bundle)
        return

    # External CA without an 'ssl_ca' option: clients get the SSL port but
    # no CA to verify the broker against.
    # NOTE(review): if the option may already hold base64 text, this
    # encodes it a second time -- confirm the expected config format.
    if config('ssl_ca'):
        relation_data['ssl_ca'] = base64.b64encode(config('ssl_ca'))
コード例 #4
    def __call__(self):
        """
        Build the context describing the broker's SSL settings.

        The legacy config support adds some additional complications.

        ssl_enabled = True, ssl = off -> ssl enabled
        ssl_enabled = False, ssl = on -> ssl enabled

        Returns a dict that always carries 'ssl_mode'.  Unless the mode is
        'off' it is extended with whatever self.enable_ssl() returns.
        Side effects: the configured SSL port is opened or closed and
        ssl_utils.reconfigure_client_ssl() is called.
        """
        ssl_mode, external_ca = ssl_utils.get_ssl_mode()
        ctxt = {'ssl_mode': ssl_mode}

        if ssl_mode == 'off':
            close_port(config('ssl_port'))
            ssl_utils.reconfigure_client_ssl()
            return ctxt

        if ssl_mode == ssl_utils.CERTS_FROM_RELATION:
            relation_certs = ssl_utils.get_relation_cert_data()
            # Relation-sourced certificates are reported as plain 'on'.
            ctxt['ssl_mode'] = 'on'
            ssl_key, ssl_cert, ssl_ca = [
                convert_from_base64(relation_certs[field])
                for field in ('key', 'cert', 'ca')]
            ssl_port = config('ssl_port')
        else:
            ssl_key, ssl_cert, ssl_ca = [
                convert_from_base64(config(option))
                for option in ('ssl_key', 'ssl_cert', 'ssl_ca')]
            ssl_port = config('ssl_port')

            # If external managed certs then we need all the fields.
            # Only a half-specified key/cert pair is rejected; ssl_ca is
            # not part of this check.
            exactly_one_given = bool(ssl_key) != bool(ssl_cert)
            if ssl_mode in ('on', 'only') and exactly_one_given:
                log('If ssl_key or ssl_cert are specified both are required.',
                    level=ERROR)
                sys.exit(1)

            if not external_ca:
                ssl_cert, ssl_key, ssl_ca = ServiceCA.get_service_cert()

        # ssl_only follows the local ssl_mode, which is not rewritten in the
        # relation branch, so it is True there only if CERTS_FROM_RELATION
        # equals "only".
        # NOTE(review): ssl_client=False presumably means clients are not
        # asked for a certificate -- confirm against enable_ssl.
        tls_settings = self.enable_ssl(
            ssl_key, ssl_cert, ssl_port, ssl_ca,
            ssl_only=(ssl_mode == "only"), ssl_client=False)
        ctxt.update(tls_settings)
        ssl_utils.reconfigure_client_ssl(True)
        open_port(ssl_port)

        return ctxt
コード例 #5
def configure_client_ssl(relation_data):
    """Configure client with ssl

    Writes 'ssl_port' into *relation_data* and, where one is available,
    the base64 encoded CA under 'ssl_ca'.  Leaves *relation_data*
    untouched when the SSL mode is 'off'.
    """
    ssl_mode, external_ca = _get_ssl_mode()
    if ssl_mode == 'off':
        return
    relation_data['ssl_port'] = config('ssl_port')

    if external_ca:
        # An operator-supplied CA is forwarded only if the option is set.
        # Without it clients learn the port but receive no trust anchor.
        # NOTE(review): a value that is already base64 would be encoded
        # twice here -- confirm the format expected for 'ssl_ca'.
        if config('ssl_ca'):
            encoded_ca = base64.b64encode(config('ssl_ca'))
            relation_data['ssl_ca'] = encoded_ca
    else:
        # Charm-managed CA: hand its bundle to the clients.
        service_ca = ServiceCA.get_ca()
        relation_data['ssl_ca'] = base64.b64encode(
            service_ca.get_ca_bundle())
コード例 #6
    def __call__(self):
        """
        Return the SSL context for the broker and apply its side effects.

        The legacy config support adds some additional complications.

        ssl_enabled = True, ssl = off -> ssl enabled
        ssl_enabled = False, ssl = on -> ssl enabled

        The returned dict always has 'ssl_mode'; for every mode except
        'off' the result of self.enable_ssl() is merged into it.  The SSL
        port is closed in mode 'off' and opened otherwise, and
        ssl_utils.reconfigure_client_ssl() is called in both cases.
        """
        ssl_mode, external_ca = ssl_utils.get_ssl_mode()
        ctxt = dict(ssl_mode=ssl_mode)

        if ssl_mode == 'off':
            close_port(config('ssl_port'))
            ssl_utils.reconfigure_client_ssl()
            return ctxt

        certs_from_relation = ssl_mode == ssl_utils.CERTS_FROM_RELATION
        if certs_from_relation:
            relation_certs = ssl_utils.get_relation_cert_data()
            # The context reports relation-provided certificates as 'on'.
            ctxt['ssl_mode'] = 'on'
            ssl_key = convert_from_base64(relation_certs['key'])
            ssl_cert = convert_from_base64(relation_certs['cert'])
            ssl_ca = convert_from_base64(relation_certs['ca'])
            ssl_port = config('ssl_port')
        else:
            ssl_key = convert_from_base64(config('ssl_key'))
            ssl_cert = convert_from_base64(config('ssl_cert'))
            ssl_ca = convert_from_base64(config('ssl_ca'))
            ssl_port = config('ssl_port')

            # If external managed certs then we need all the fields.
            # A key without a cert (or the reverse) stops the hook; a
            # missing ssl_ca does not.
            if ssl_mode in ('on', 'only'):
                if (ssl_key or ssl_cert) and not (ssl_key and ssl_cert):
                    log('If ssl_key or ssl_cert are specified both are '
                        'required.',
                        level=ERROR)
                    sys.exit(1)

            if not external_ca:
                ssl_cert, ssl_key, ssl_ca = ServiceCA.get_service_cert()

        # ssl_mode itself still holds the value read at the top, so with
        # relation certificates ssl_only is True only if the constant
        # CERTS_FROM_RELATION is "only".
        # NOTE(review): confirm what ssl_client=False implies for client
        # certificate checks in enable_ssl.
        ssl_only = ssl_mode == "only"
        ctxt.update(self.enable_ssl(
            ssl_key, ssl_cert, ssl_port, ssl_ca,
            ssl_only=ssl_only, ssl_client=False))
        ssl_utils.reconfigure_client_ssl(True)
        open_port(ssl_port)

        return ctxt
コード例 #7
def configure_client_ssl(relation_data):
    """Configure client with ssl

    Adds 'ssl_port' to *relation_data* and, when CA data is available, a
    base64 encoded 'ssl_ca'.  Nothing is added in SSL mode 'off'.  The CA
    comes from the certificates relation, from the 'ssl_ca' config option
    (external CA) or from ServiceCA, in that order of precedence.
    """
    ssl_mode, external_ca = get_ssl_mode()
    if ssl_mode == 'off':
        return
    relation_data['ssl_port'] = config('ssl_port')

    if ssl_mode == CERTS_FROM_RELATION:
        relation_certs = get_relation_cert_data()
        ca_data = relation_certs['ca']
        # Append the chain, if one was supplied, so clients receive the
        # intermediates together with the CA.
        chain = relation_certs.get('chain')
        if chain:
            ca_data = ca_data + chain
        relation_data['ssl_ca'] = b64encoded_string(ca_data)
        return

    if external_ca:
        # Without an 'ssl_ca' option clients get the port but no CA to
        # verify the broker against.
        if config('ssl_ca'):
            # The PEM marker decides whether the value still needs
            # encoding; anything without it is forwarded unchanged.
            # NOTE(review): that pass-through value is not validated here
            # -- confirm it is checked elsewhere or by the client.
            relation_data['ssl_ca'] = (
                b64encoded_string(config('ssl_ca'))
                if "BEGIN CERTIFICATE" in config('ssl_ca')
                else config('ssl_ca'))
        return

    service_ca = ServiceCA.get_ca()
    relation_data['ssl_ca'] = b64encoded_string(service_ca.get_ca_bundle())
コード例 #8
def configure_client_ssl(relation_data):
    """Configure client with ssl

    Publishes the SSL port and, if one can be determined, the base64
    encoded CA ('ssl_ca') in *relation_data*.  Returns without changes
    when the SSL mode is 'off'.
    """
    ssl_mode, external_ca = get_ssl_mode()
    if ssl_mode == 'off':
        return
    relation_data['ssl_port'] = config('ssl_port')

    if ssl_mode != CERTS_FROM_RELATION:
        if not external_ca:
            # Charm-managed CA: send its bundle.
            bundle = ServiceCA.get_ca().get_ca_bundle()
            relation_data['ssl_ca'] = b64encoded_string(bundle)
            return
        # External CA: forwarded only when the option is set, otherwise
        # clients receive no 'ssl_ca' at all.
        if config('ssl_ca'):
            if "BEGIN CERTIFICATE" in config('ssl_ca'):
                # Raw PEM text is encoded before it is published.
                ssl_ca_encoded = b64encoded_string(config('ssl_ca'))
            else:
                # presumably already base64; the value is passed on
                # without validation -- verify the expected format.
                ssl_ca_encoded = config('ssl_ca')
            relation_data['ssl_ca'] = ssl_ca_encoded
        return

    relation_certs = get_relation_cert_data()
    ca_data = relation_certs['ca']
    # A non-empty chain is concatenated after the CA.
    if relation_certs.get('chain'):
        ca_data = ca_data + relation_certs.get('chain')
    relation_data['ssl_ca'] = b64encoded_string(ca_data)
コード例 #9
ファイル: deploy_common.py プロジェクト: BillTheBest/hyper-c
 def __init__(self):
     """Set up the ServiceCA and make sure the COMMON_NAME cert exists."""
     # self.ca is assigned first so it is set even if a later step raises.
     self.ca = ServiceCA(self.CA_NAME, self.CA_PATH)
     authority = self.ca
     authority.init()
     authority.get_or_create_cert(self.COMMON_NAME)