From 3f5f44fa4dd1bbe190762eceb90e7da60df60e6b Mon Sep 17 00:00:00 2001
From: David Margery
Date: Tue, 26 Sep 2017 07:41:33 +0000
Subject: [PATCH 1/4] Commit version 4.0.2

---
 debian/changelog | 18 ++++++++++++++++++
 lib/grid5000/version.rb | 2 +-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 76f9a56e..38df184b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+g5k-api (4.0.2-1) jessie; urgency=low
+
+ * 3863f5b Merge pull request #39 from grid5000/bug8030-rebased-add-job-noop
+ * e407526 Add noop jobs in test database and update existing tests
+ * e664b28 Merge pull request #43 from grid5000/deprecate_should
+ * a1944ec Make sure .should syntax does not come back
+ * f6c842d Migrate specs from deprecated .should syntax
+ * 2fd3084 Merge pull request #42 from grid5000/bugs/#8542
+ * 3f24950 Use X_FORWARDED_HOST only for base_uri(:in)
+ * 7d94b4e Merge pull request #41 from grid5000/bugs/#8542
+ * 8a994fb Overide protocol for servers:port when routing
+ * 5b21807 Update webui dev environment
+ * aa68065 Make reference to exhibit relative
+ * 9391686 Merge pull request #40 from grid5000/bugs/#8536
+ * 17515ed Compute absolute urls using X-Forwarded-Host
+
+ -- David Margery Tue, 26 Sep 2017 07:41:30 +0000
+
 g5k-api (4.0.1-1) jessie; urgency=low
 
 * 339f949 Merge pull request #37 from grid5000/bug#8489_API_ROOT_PATH
diff --git a/lib/grid5000/version.rb b/lib/grid5000/version.rb
index 94295723..9c20d07e 100644
--- a/lib/grid5000/version.rb
+++ b/lib/grid5000/version.rb
@@ -13,5 +13,5 @@
 # limitations under the License.
 
 module Grid5000
- VERSION = "4.0.1"
+ VERSION = "4.0.2"
 end
-- GitLab
From 9289fc561ed2300a606976b89e25fc531cd80c2d Mon Sep 17 00:00:00 2001
From: David Margery Date: Wed, 18 Oct 2017 16:11:39 +0200 Subject: [PATCH 2/4] Implement support for tls options (bug #8379) With this commit, the following tls options are supported and used if present in the configuration file - uri_out_cert_chain_file - uri_out_private_key_file - uri_out_verify_peer - uri_out_fail_if_no_peer_cert - uri_out_cipher_list - uri_out_ecdh_curve - uri_out_dhparam - uri_out_ssl_version - uri_in_cert_chain_file - uri_in_private_key_file - uri_in_verify_peer - uri_in_fail_if_no_peer_cert - uri_in_cipher_list - uri_in_ecdh_curve - uri_in_dhparam - uri_in_ssl_version --- app/controllers/jobs_controller.rb | 8 ++++++-- app/helpers/application_helper.rb | 4 ++++ lib/grid5000/router.rb | 12 ++++++++++++ spec/lib/grid5000/router_spec.rb | 8 +++++++- 4 files changed, 29 insertions(+), 3 deletions(-) diff --git a/app/controllers/jobs_controller.rb b/app/controllers/jobs_controller.rb index 1d2e4c77..663fc79a 100644 --- a/app/controllers/jobs_controller.rb +++ b/app/controllers/jobs_controller.rb @@ -78,12 +78,14 @@ class JobsController < ApplicationController )+"/internal/oarapi/jobs/#{params[:id]}.json", :out ) + options=tls_options_for(url, :out) http = EM::HttpRequest.new(url).delete( :timeout => 5, :head => { 'X-Remote-Ident' => @credentials[:cn], 'Accept' => media_type(:json) - } + }, + :tls => options ) continue_if!(http, :is => [200,202,204,404]) @@ -122,6 +124,7 @@ class JobsController < ApplicationController url = uri_to( site_path(params[:site_id])+"/internal/oarapi/jobs.json", :out ) + options=tls_options_for(url, :out) http = EM::HttpRequest.new(url).post( :timeout => 20, :body => job_to_send.to_json, @@ -129,7 +132,8 @@ class JobsController < ApplicationController 'X-Remote-Ident' => @credentials[:cn], 'Content-Type' => media_type(:json), 'Accept' => media_type(:json) - } + }, + :tls => options ) continue_if!(http, :is => [201,202]) 
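Review bot: In both jobs_controller hunks the new `options=tls_options_for(url, :out)` passes the request URL, but the router's `tls_options_for` added later in this patch never reads it — the options come from the `uri_out_*` configuration alone, so the call site suggests a scheme-dependent choice that does not happen; either drop the argument or document that it is unused. The line also breaks the spacing convention of the surrounding code (`http = EM::HttpRequest.new(url)...`); suggest `tls_options = tls_options_for(url, :out)` and `:tls => tls_options` in both the delete and the post call. Only these two outgoing requests receive the `:tls` hash, so if other EM::HttpRequest calls to the OAR API exist outside this diff they will still connect without the client certificate. Both enclosing actions start and end outside their hunks.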
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 88e4bf87..564ae15b 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -26,6 +26,10 @@ module ApplicationHelper
 Grid5000::Router.uri_to(request, path, in_or_out, relative_or_absolute)
 end
 
+ def tls_options_for(url, in_or_out = :in)
+ Grid5000::Router.tls_options_for(url, in_or_out)
+ end
+
 def repository
 @repository ||= Grid5000::Repository.new(
 File.expand_path(
diff --git a/lib/grid5000/router.rb b/lib/grid5000/router.rb
index 18590bad..9290ec53 100644
--- a/lib/grid5000/router.rb
+++ b/lib/grid5000/router.rb
@@ -94,6 +94,18 @@ module Grid5000
 Rails.my_config("base_uri_#{in_or_out}".to_sym)
 end
 end
+
+ def tls_options_for(url, in_or_out = :in)
+ tls_options={}
+ [:cert_chain_file, :private_key_file, :verify_peer, :fail_if_no_peer_cert,
+ :cipher_list, :ecdh_curve, :dhparam, :ssl_version].each do |tls_param|
+ config_key=("uri_#{in_or_out.to_s}_"+tls_param.to_s).to_sym
+ if Rails.my_config(config_key)
+ tls_options[tls_param]=Rails.my_config(config_key)
+ end
+ end
+ tls_options
+ end
 end
 end
 end
diff --git a/spec/lib/grid5000/router_spec.rb b/spec/lib/grid5000/router_spec.rb
index 096b69ab..9c5ddaf9 100644
--- a/spec/lib/grid5000/router_spec.rb
+++ b/spec/lib/grid5000/router_spec.rb
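Review bot: The new `Grid5000::Router.tls_options_for` takes `url` but never uses it, looks every key up twice (`Rails.my_config(config_key)` in the `if` and again in the assignment), and its truthiness test drops a configured `false`, so a `uri_out_verify_peer: false` entry never reaches the options hash — harmless for EventMachine, whose peer verification is off unless requested, but it makes the configuration misleading. A comment should tell operators that peer verification of outgoing connections only happens when `uri_<in_or_out>_verify_peer` is truthy; with nothing configured this method returns `{}` and TLS connections are made unverified. The rewrite below uses `each_with_object`, a single lookup per key and a nil check (assuming `Rails.my_config` returns nil for an unset key); the wrapper added to application_helper.rb in this patch carries the same unused `url` parameter.
```ruby
def tls_options_for(url, in_or_out = :in)
  # Options are taken from the uri_<in_or_out>_* configuration keys only;
  # `url` is not consulted. An empty hash means no TLS settings, i.e. no
  # client certificate and no peer verification for that direction.
  [:cert_chain_file, :private_key_file, :verify_peer, :fail_if_no_peer_cert,
   :cipher_list, :ecdh_curve, :dhparam, :ssl_version].each_with_object({}) do |tls_param, tls_options|
    value = Rails.my_config(:"uri_#{in_or_out}_#{tls_param}")
    # keep an explicit false (e.g. uri_out_verify_peer: false) visible in the hash
    tls_options[tls_param] = value unless value.nil?
  end
end
```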
@@ -220,5 +220,11 @@ describe Grid5000::Router do
 request = double(Rack::MockRequest, :env => {})
 expect(Grid5000::Router.uri_to(request, "/sites/rennes/internal/oarapi/jobs/374172.json", :out)).to eq "http://api-out.local/sid/sites/rennes/internal/oarapi/jobs/374172.json"
 end
-
+
+ it "should take into account tls options" do
+ Api::Application::CONFIG["uri_out_verify_peer"] = true
+ Api::Application::CONFIG["uri_out_private_key_file"] = "/etc/ssl/certs/private/api.out.local.pem"
+ expect(tls_options_for("https://api-out.local/", :out)).to include ({private_key_file: "/etc/ssl/certs/private/api.out.local.pem"} )
+ expect(tls_options_for("https://api-out.local/", :out)).to include ({verify_peer: true} )
+ end
 end
-- GitLab
From dd2b0630c27d1201bc13e58eb337f8b24e6177cf Mon Sep 17 00:00:00 2001
From: David Margery
Date: Fri, 20 Oct 2017 16:15:54 +0200
Subject: [PATCH 3/4] Update dev environment to be able to test ssl

This creates a local virtualhost listening on 8443 and configured to require a ssl client cert.
Rails config file is updated so as to go to that url for outgoing connection to the API using entries such as
base_uri_out: https://127.0.0.1:8443
uri_out_private_key_file: /etc/ssl/certs/clientkey_nopass.pem
uri_out_cert_chain_file: /etc/ssl/certs/clientcert.pem
The complete environment can then be tested setup tunnels and running against the development rails server
curl -kni http://127.0.0.1:8000/sites/rennes/jobs \
-H'Accept: application/json' -H'Content-Type: application/json' \
-d '{"resources": "nodes=1,walltime=00:05:00", "command": "while(true); do sleep 5; echo \"awake\"; done"}'
---
 config/defaults.yml | 5 +-
 .../modules/apache/manifests/init.pp | 72 ++++++++++++++++++-
 .../apache/templates/api-proxy-dev.erb | 35 +++++++++
 3 files changed, 108 insertions(+), 4 deletions(-)

diff --git a/config/defaults.yml b/config/defaults.yml
index 940109b3..d405c909 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
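Review bot: The new example assigns `Api::Application::CONFIG["uri_out_verify_peer"]` and `...["uri_out_private_key_file"]` and never restores them, so both values leak into every example that runs afterwards in the same process, including the `uri_to` examples above that read the same CONFIG. Restore the previous state, e.g. `after { Api::Application::CONFIG.delete("uri_out_verify_peer"); Api::Application::CONFIG.delete("uri_out_private_key_file") }` if those keys are otherwise unset, or save and reassign them in an `around` hook. The example also calls a bare `tls_options_for`, unlike the neighbouring example which calls `Grid5000::Router.uri_to` explicitly; use `Grid5000::Router.tls_options_for(...)` for consistency, and add a negative assertion such as `expect(Grid5000::Router.tls_options_for("https://api-out.local/", :out)).not_to include(:cert_chain_file)` so that unset options are shown to be absent rather than only the two set ones present.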
@@ -28,7 +28,10 @@ defaults: &defaults
 development:
 <<: *defaults
 base_uri_in: http://localhost:8000
- base_uri_out: http://localhost:8000
+ base_uri_out: https://127.0.0.1:8443
+ uri_out_private_key_file: /etc/ssl/certs/clientkey_nopass.pem
+ uri_out_cert_chain_file: /etc/ssl/certs/clientcert.pem
+ uri_out_verify_peer: false
 notifications_uri: https://localhost:3443/sid/notifications
 reference_repository_path: ~/reference-repository
 smtp_host: localhost
diff --git a/puppet/development/modules/apache/manifests/init.pp b/puppet/development/modules/apache/manifests/init.pp
index 34ce9deb..cb0d24c3 100644
--- a/puppet/development/modules/apache/manifests/init.pp
+++ b/puppet/development/modules/apache/manifests/init.pp
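Review bot: `uri_out_verify_peer: false` under `development:` carries no explanation, and because `tls_options_for` from the previous patch keeps a key only when its value is truthy, a `false` here is dropped before it reaches EventMachine — the line is documentary only, which is fine as long as the document says so. Add a comment above the three new keys stating the intent and the expectation for other environments, e.g. `# Development only: the 8443 vhost is served by the self-signed CA that puppet/development generates, so peer verification is off here. Set uri_out_verify_peer: true wherever base_uri_out points at a real deployment.` Without that comment the development block is the only example of these keys in the repository and a copy into a production config would silently disable verification.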
@@ -36,12 +36,71 @@ class apache { file { '/vagrant/lib/tasks/tunneling.rake': mode => '0644', - owner => root, - group => root, + owner => vagrant, + group => vagrant, content => template('apache/tunneling.rake.erb'), } - exec { + file { "/etc/ssl/secret": + ensure => present, + content => "authority_pass\n", + mode => '0600', owner => root, group => root, + } + + file { "/etc/ssl/certs/ca.srl": + ensure => present, + content => "01\n", + mode => '0644', owner => root, group => root, + } + + exec { "Generate certificate authority": + command => "/usr/bin/openssl req -new -x509 -days 3650 -keyform PEM -keyout /etc/ssl/private/cakey.pem -outform PEM -out /etc/ssl/certs/ca.pem -passout file:/etc/ssl/secret -batch -subj \"/C=FR/ST=Bretagne/L=Rennes/O=dev/OU=Grid5000/CN=vagrant/emailAddress=support-staff@lists.grid5000.fr\"", + user => root, group => root, + require => File["/etc/ssl/secret"], + creates => "/etc/ssl/private/cakey.pem", + } + + exec { "Create client key and csr": + user => root, group => root, + command => "/usr/bin/openssl req -new -newkey rsa:2048 -keyout /etc/ssl/certs/clientkey.pem -out /etc/ssl/clientcsr.pem -batch -subj \"/C=FR/ST=Bretagne/L=Rennes/O=dev/OU=Grid5000/CN=client/emailAddress=support-staff@lists.grid5000.fr\" -passout file:/etc/ssl/secret", + creates => "/etc/ssl/clientcsr.pem", + } + + exec { "Sign client csr": + user => root, group => root, + require => [Exec["Create client key and csr","Generate certificate authority"], File["/etc/ssl/certs/ca.srl"]], + command => "/usr/bin/openssl x509 -days 3650 -CA /etc/ssl/certs/ca.pem -CAkey /etc/ssl/private/cakey.pem -req -in /etc/ssl/clientcsr.pem -outform PEM -out /etc/ssl/certs/clientcert.pem -extensions usr_cert -passin file:/etc/ssl/secret", + creates => "/etc/ssl/certs/clientcert.pem", + } + + exec { "Remove client key password": + user => root, group => root, + require => Exec["Sign client csr"], + command => "/usr/bin/openssl rsa -in /etc/ssl/certs/clientkey.pem -out 
/etc/ssl/certs/clientkey_nopass.pem -passin file:/etc/ssl/secret -passout pass:''", + creates => "/etc/ssl/certs/clientkey_nopass.pem" + } + + exec { "Create server key and csr": + user => root, group => root, + command => "/usr/bin/openssl req -new -newkey rsa:2048 -keyout /etc/ssl/private/serverkey.pem -out /etc/ssl/servercsr.pem -passout file:/etc/ssl/secret -batch -subj \"/C=FR/ST=Bretagne/L=Rennes/O=dev/OU=Grid5000/CN=server/emailAddress=support-staff@lists.grid5000.fr\"", + creates => ["/etc/ssl/servercsr.pem","/etc/ssl/private/serverkey.pem"] + } + + exec { "Sign server csr": + user => root, group => root, + require => [Exec["Create server key and csr","Generate certificate authority"], File["/etc/ssl/certs/ca.srl"]], + command => "/usr/bin/openssl x509 -days 3650 -CA /etc/ssl/certs/ca.pem -CAkey /etc/ssl/private/cakey.pem -req -in /etc/ssl/servercsr.pem -outform PEM -out /etc/ssl/certs/servercert.pem -passin file:/etc/ssl/secret", + creates => "/etc/ssl/certs/servercert.pem", + } + + exec { "Remove server key password": + user => root, group => root, + require => Exec["Sign server csr"], + command => "/usr/bin/openssl rsa -in /etc/ssl/private/serverkey.pem -out /etc/ssl/certs/serverkey_nopass.pem -passin file:/etc/ssl/secret -passout pass:''", + creates => "/etc/ssl/certs/serverkey_nopass.pem" + } + + exec { "enable site api-proxy-dev": command => "/usr/sbin/a2ensite api-proxy-dev", unless => "/usr/bin/test -f /etc/apache2/sites-enabled/api-proxy-dev.conf", @@ -95,6 +154,13 @@ class apache { require => Package["apache2"]; } + exec{ "enable apache ssl module": + command => "/usr/sbin/a2enmod ssl ", + notify => Service["apache2"], + creates => "/etc/apache2/mods-enabled/ssl.load", + require => Package["apache2-dev"]; + } + exec { "enable module deflate configuration": command => "/usr/sbin/a2enconf deflate", 
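Review bot: `file { "/etc/ssl/certs/ca.srl": ensure => present, content => "01\n", ... }` is re-asserted on every Puppet run, so the serial that openssl increments when it signs the client and server certificates is reset to 01 each run; add `replace => false,` so Puppet seeds the file once and then leaves it to openssl. The passphrase-less keys (`clientkey_nopass.pem`, `serverkey_nopass.pem`) and `clientkey.pem` are written by `openssl rsa`/`openssl req` into `/etc/ssl/certs/`, a world-readable directory, and those commands honour the umask rather than forcing 0600; manage each of them with a `file` resource carrying `mode => '0600'` and the owner of the process that needs it (the Rails dev server for the client key, Apache for the server key), or keep private material under `/etc/ssl/private/` as the CA key already is. The CA passphrase in `/etc/ssl/secret` is acceptable for a throwaway Vagrant box, but a one-line comment saying the whole PKI is disposable dev material would keep this block from being copied elsewhere. The `class apache` body starts and ends outside the hunk.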
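Review bot: The new `exec{ "enable apache ssl module" }` in the second init.pp hunk requires `Package["apache2-dev"]`, whereas the neighbouring a2ensite/a2enconf execs require `Package["apache2"]`; unless apache2-dev is declared elsewhere in this manifest (not visible here) the catalog will fail on the missing reference, and `a2enmod` only needs apache2, so `require => Package["apache2"],` is the consistent choice. The command string `"/usr/sbin/a2enmod ssl "` also carries a trailing space, and `exec{` lacks the space before the brace that the other resources use.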
diff --git a/puppet/development/modules/apache/templates/api-proxy-dev.erb b/puppet/development/modules/apache/templates/api-proxy-dev.erb index cafb0724..0f9777be 100644 --- a/puppet/development/modules/apache/templates/api-proxy-dev.erb +++ b/puppet/development/modules/apache/templates/api-proxy-dev.erb @@ -5,6 +5,41 @@ <% oardbsite = scope.lookupvar('oardbsite') -%> <% developer = scope.lookupvar('developer') -%> + +Listen 8443 + + + TimeOut 300 + ServerName <%= @fqdn %> + ServerAlias server api.grid5000.fr + DocumentRoot /vagrant/public + + CustomLog /var/log/apache2/api-proxy-dev-ssl.log "%v %h %l %t %D \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" + ErrorLog syslog:local1 + + # Set up SSL proxy engine + SSLEngine On + SSLProtocol all + SSLCipherSuite HIGH:MEDIUM + SSLCertificateFile /etc/ssl/certs/servercert.pem + SSLCertificateKeyFile /etc/ssl/certs/serverkey_nopass.pem + + # Enable SSL client certificates verification + SSLCACertificateFile /etc/ssl/certs/ca.pem + SSLVerifyClient require + # the client certificate should be signed by the first CA (ca.grid5000.fr) + SSLVerifyDepth 1 + + + Require all granted + require ssl + + ProxyPass http://127.0.0.1:8080/ retry=1 + + + + + Listen 8080 -- GitLab From f24a7939fb948563ffbcccf446462aa98519609e Mon Sep 17 00:00:00 2001 From: David Margery Date: Fri, 20 Oct 2017 16:34:06 +0200 Subject: [PATCH 4/4] Add TLS as possible suspect for failed connexions --- app/controllers/application_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index c31fb72b..1cbb13a3 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb 
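Review bot: `SSLProtocol all` leaves SSLv3 (and SSLv2 on older builds) enabled and `SSLCipherSuite HIGH:MEDIUM` admits RC4 and anonymous (aNULL) suites; even for a dev vhost prefer `SSLProtocol all -SSLv2 -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!MD5` so this template does not become the model for a real deployment. The comment `# the client certificate should be signed by the first CA (ca.grid5000.fr)` no longer describes this vhost, which verifies clients against the Vagrant-generated `/etc/ssl/certs/ca.pem` (CN=vagrant); reword it to name the dev CA. If `Require all granted` and `require ssl` sit in the same container (the container opening tags appear to have been stripped from this rendering), Apache 2.4 combines them as RequireAny by default, so `require ssl` adds nothing — drop it or wrap both in a `<RequireAll>` block.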
@@ -129,7 +129,7 @@ class ApplicationController < ActionController::Base
 when 502
 raise BadGateway, msg
 else
- raise ServerError, "Request to #{http.uri.to_s} failed with unexpected status #{status}: #{http.response} ; could be a problem with our version of eventmachine not supporting IPv6"
+ raise ServerError, "Request to #{http.uri.to_s} failed with unexpected status #{status}: #{http.response} ; could be a problem with our version of eventmachine not supporting IPv6, or TLS problems"
 end
 end
 
-- GitLab
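Review bot: The appended ", or TLS problems" is a guess attached to every unexpected status, whether or not the request used TLS, so it does not help an operator decide which of the two causes applies. If the em-http-request version in use exposes the connection error (`http.error`), include it in the message so the actual reason is visible, e.g. `... #{http.response} (error: #{http.error})`, and move the IPv6/TLS speculation to a log line next to the raise; `#{http.uri.to_s}` can also be `#{http.uri}` since interpolation already calls to_s. The enclosing method starts and ends outside the hunk.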