Add TLS support for keystone via proxy

* Adds lib/tls to create test CA/certs
* Start proxy if 'tls-proxy' is enabled
* Configure keystone service catalog for TLS
* Tear down proxy in unstack.sh
* Set auth protocol and ca-cert chain in openrc
* Add DATA_DIR to stackrc

This is the first in a series of patches to enable TLS support
for the service API endpoints.

Change-Id: Ia1c91dc8f1aaf94fbec9dc71da322559a83d14b6

files/apts/tls-proxy

@@ -0,0 +1 @@
+stud

lib/keystone

@@ -4,7 +4,7 @@
 # Dependencies:
 # ``functions`` file
 # ``BASE_SQL_CONN``
-# ``SERVICE_HOST``
+# ``SERVICE_HOST``, ``SERVICE_PROTOCOL``
 # ``SERVICE_TOKEN``
 # ``S3_SERVICE_PORT`` (template backend only)
 
@@ -48,10 +48,14 @@ KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI}
 # Set Keystone interface configuration
 KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
 KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
-KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-http}
+KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358}
+KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
+
+# Public facing bits
 KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
 KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}
-KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-http}
+KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001}
+KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
 
 
 # Entry Points
@@ -88,6 +92,13 @@ function configure_keystone() {
     # Rewrite stock ``keystone.conf``
     local dburl
     database_connection_url dburl keystone
+
+    if is_service_enabled tls-proxy; then
+        # Set the service ports for a proxy to take the originals
+        iniset $KEYSTONE_CONF DEFAULT public_port $KEYSTONE_SERVICE_PORT_INT
+        iniset $KEYSTONE_CONF DEFAULT admin_port $KEYSTONE_AUTH_PORT_INT
+    fi
+
     iniset $KEYSTONE_CONF DEFAULT admin_token "$SERVICE_TOKEN"
     iniset $KEYSTONE_CONF signing token_format "$KEYSTONE_TOKEN_FORMAT"
     iniset $KEYSTONE_CONF sql connection $dburl
@@ -213,9 +224,9 @@ create_keystone_accounts() {
         keystone endpoint-create \
             --region RegionOne \
             --service_id $KEYSTONE_SERVICE \
-            --publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0" \
-            --adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:\$(admin_port)s/v2.0" \
-            --internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0"
+            --publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0" \
+            --adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0" \
+            --internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0"
     fi
 
     # TODO(dtroyer): This is part of a series of changes...remove these when
@@ -268,13 +279,25 @@ function install_keystone() {
 
 # start_keystone() - Start running processes, including screen
 function start_keystone() {
+    # Get right service port for testing
+    local service_port=$KEYSTONE_SERVICE_PORT
+    if is_service_enabled tls-proxy; then
+        service_port=$KEYSTONE_SERVICE_PORT_INT
+    fi
+
     # Start Keystone in a screen window
     screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug"
     echo "Waiting for keystone to start..."
-    if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/ >/dev/null; do sleep 1; done"; then
+    if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s http://$SERVICE_HOST:$service_port/v2.0/ >/dev/null; do sleep 1; done"; then
       echo "keystone did not start"
       exit 1
     fi
+
+    # Start proxies if enabled
+    if is_service_enabled tls-proxy; then
+        start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT &
+        start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT &
+    fi
 }
 
 # stop_keystone() - Stop running processes

lib/tls

@@ -0,0 +1,314 @@
+# lib/tls
+# Functions to control the configuration and operation of the TLS proxy service
+
+# Dependencies:
+# !! source _before_ any services that use ``SERVICE_HOST``
+# ``functions`` file
+# ``DEST``, ``DATA_DIR`` must be defined
+# ``HOST_IP``, ``SERVICE_HOST``
+# ``KEYSTONE_TOKEN_FORMAT`` must be defined
+
+# Entry points:
+# configure_CA
+# init_CA
+
+# configure_proxy
+# start_tls_proxy
+
+# make_root_ca
+# make_int_ca
+# new_cert $INT_CA_DIR int-server "abc"
+# start_tls_proxy HOST_IP 5000 localhost 5000
+
+
+if is_service_enabled tls-proxy; then
+    # TODO(dtroyer): revisit this below after the search for HOST_IP has been done
+    TLS_IP=${TLS_IP:-$SERVICE_IP}
+
+    # Set the default ``SERVICE_PROTOCOL`` for TLS
+    SERVICE_PROTOCOL=https
+fi
+
+# Make up a hostname for cert purposes
+# will be added to /etc/hosts?
+DEVSTACK_HOSTNAME=secure.devstack.org
+DEVSTACK_CERT_NAME=devstack-cert
+DEVSTACK_CERT=$DATA_DIR/$DEVSTACK_CERT_NAME.pem
+
+# CA configuration
+ROOT_CA_DIR=${ROOT_CA_DIR:-$DATA_DIR/CA/root-ca}
+INT_CA_DIR=${INT_CA_DIR:-$DATA_DIR/CA/int-ca}
+
+ORG_NAME="OpenStack"
+ORG_UNIT_NAME="DevStack"
+
+# Stud configuration
+STUD_PROTO="--tls"
+STUD_CIPHERS='TLSv1+HIGH:!DES:!aNULL:!eNULL:@STRENGTH'
+
+
+# CA Functions
+# ============
+
+# There may be more than one, get specific
+OPENSSL=${OPENSSL:-/usr/bin/openssl}
+
+# Do primary CA configuration
+function configure_CA() {
+    # build common config file
+
+    # Verify ``TLS_IP`` is good
+    if [[ -n "$HOST_IP" && "$HOST_IP" != "$TLS_IP" ]]; then
+        # auto-discover has changed the IP
+        TLS_IP=$HOST_IP
+    fi
+}
+
+# Creates a new CA directory structure
+# create_CA_base ca-dir
+function create_CA_base() {
+    local ca_dir=$1
+
+    if [[ -d $ca_dir ]]; then
+        # Bail out it exists
+        return 0
+    fi
+
+    for i in certs crl newcerts private; do
+        mkdir -p $ca_dir/$i
+    done
+    chmod 710 $ca_dir/private
+    echo "01" >$ca_dir/serial
+    cp /dev/null $ca_dir/index.txt
+}
+
+
+# Create a new CA configuration file
+# create_CA_config ca-dir common-name
+function create_CA_config() {
+    local ca_dir=$1
+    local common_name=$2
+
+    echo "
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir                     = $ca_dir
+policy                  = policy_match
+database                = \$dir/index.txt
+serial                  = \$dir/serial
+certs                   = \$dir/certs
+crl_dir                 = \$dir/crl
+new_certs_dir           = \$dir/newcerts
+certificate             = \$dir/cacert.pem
+private_key             = \$dir/private/cacert.key
+RANDFILE                = \$dir/private/.rand
+default_md              = default
+
+[ req ]
+default_bits            = 1024
+default_md              = sha1
+
+prompt                  = no
+distinguished_name      = ca_distinguished_name
+
+x509_extensions         = ca_extensions
+
+[ ca_distinguished_name ]
+organizationName        = $ORG_NAME
+organizationalUnitName  = $ORG_UNIT_NAME Certificate Authority
+commonName              = $common_name
+
+[ policy_match ]
+countryName             = optional
+stateOrProvinceName     = optional
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+
+[ ca_extensions ]
+basicConstraints        = critical,CA:true
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always, issuer
+keyUsage                = cRLSign, keyCertSign
+
+" >$ca_dir/ca.conf
+}
+
+# Create a new signing configuration file
+# create_signing_config ca-dir
+function create_signing_config() {
+    local ca_dir=$1
+
+    echo "
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir                     = $ca_dir
+policy                  = policy_match
+database                = \$dir/index.txt
+serial                  = \$dir/serial
+certs                   = \$dir/certs
+crl_dir                 = \$dir/crl
+new_certs_dir           = \$dir/newcerts
+certificate             = \$dir/cacert.pem
+private_key             = \$dir/private/cacert.key
+RANDFILE                = \$dir/private/.rand
+default_md              = default
+
+[ req ]
+default_bits            = 1024
+default_md              = sha1
+
+prompt                  = no
+distinguished_name      = req_distinguished_name
+
+x509_extensions         = req_extensions
+
+[ req_distinguished_name ]
+organizationName        = $ORG_NAME
+organizationalUnitName  = $ORG_UNIT_NAME Server Farm
+
+[ policy_match ]
+countryName             = optional
+stateOrProvinceName     = optional
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+
+[ req_extensions ]
+basicConstraints        = CA:false
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always, issuer
+keyUsage                = digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = serverAuth, clientAuth
+subjectAltName          = \$ENV::SUBJECT_ALT_NAME
+
+" >$ca_dir/signing.conf
+}
+
+# Create root and intermediate CAs and an initial server cert
+# init_CA
+function init_CA {
+    # Ensure CAs are built
+    make_root_CA $ROOT_CA_DIR
+    make_int_CA $INT_CA_DIR $ROOT_CA_DIR
+
+    # Create the CA bundle
+    cat $ROOT_CA_DIR/cacert.pem $INT_CA_DIR/cacert.pem >>$INT_CA_DIR/ca-chain.pem
+
+    if [[ ! -r $DEVSTACK_CERT ]]; then
+        if [[ -n "$TLS_IP" ]]; then
+            # Lie to let incomplete match routines work
+            TLS_IP="DNS:$TLS_IP"
+        fi
+        make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"
+
+        # Create a cert bundle
+        cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT
+    fi
+}
+
+
+# make_cert creates and signs a new certificate with the given commonName and CA
+# make_cert ca-dir cert-name "common-name" ["alt-name" ...]
+function make_cert() {
+    local ca_dir=$1
+    local cert_name=$2
+    local common_name=$3
+    local alt_names=$4
+
+    # Generate a signing request
+    $OPENSSL req \
+        -sha1 \
+        -newkey rsa \
+        -nodes \
+        -keyout $ca_dir/private/$cert_name.key \
+        -out $ca_dir/$cert_name.csr \
+        -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}"
+
+    if [[ -z "$alt_names" ]]; then
+        alt_names="DNS:${common_name}"
+    else
+        alt_names="DNS:${common_name},${alt_names}"
+    fi
+
+    # Sign the request valid for 1 year
+    SUBJECT_ALT_NAME="$alt_names" \
+    $OPENSSL ca -config $ca_dir/signing.conf \
+        -extensions req_extensions \
+        -days 365 \
+        -notext \
+        -in $ca_dir/$cert_name.csr \
+        -out $ca_dir/$cert_name.crt \
+        -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \
+        -batch
+}
+
+
+# Make an intermediate CA to sign everything else
+# make_int_CA ca-dir signing-ca-dir
+function make_int_CA() {
+    local ca_dir=$1
+    local signing_ca_dir=$2
+
+    # Create the root CA
+    create_CA_base $ca_dir
+    create_CA_config $ca_dir 'Intermediate CA'
+    create_signing_config $ca_dir
+
+    # Create a signing certificate request
+    $OPENSSL req -config $ca_dir/ca.conf \
+        -sha1 \
+        -newkey rsa \
+        -nodes \
+        -keyout $ca_dir/private/cacert.key \
+        -out $ca_dir/cacert.csr \
+        -outform PEM
+
+    # Sign the intermediate request valid for 1 year
+    $OPENSSL ca -config $signing_ca_dir/ca.conf \
+        -extensions ca_extensions \
+        -days 365 \
+        -notext \
+        -in $ca_dir/cacert.csr \
+        -out $ca_dir/cacert.pem \
+        -batch
+}
+
+# Make a root CA to sign other CAs
+# make_root_CA ca-dir
+function make_root_CA() {
+    local ca_dir=$1
+
+    # Create the root CA
+    create_CA_base $ca_dir
+    create_CA_config $ca_dir 'Root CA'
+
+    # Create a self-signed certificate valid for 5 years
+    $OPENSSL req -config $ca_dir/ca.conf \
+        -x509 \
+        -nodes \
+        -newkey rsa \
+        -days 21360 \
+        -keyout $ca_dir/private/cacert.key \
+        -out $ca_dir/cacert.pem \
+        -outform PEM
+}
+
+
+# Proxy Functions
+# ===============
+
+# Starts the TLS proxy for the given IP/ports
+# start_tls_proxy front-host front-port back-host back-port
+function start_tls_proxy() {
+    local f_host=$1
+    local f_port=$2
+    local b_host=$3
+    local b_port=$4
+
+    stud $STUD_PROTO -f $f_host,$f_port -b $b_host,$b_port $DEVSTACK_CERT 2>/dev/null
+}

openrc

@@ -26,6 +26,9 @@ source $RC_DIR/functions
 # Load local configuration
 source $RC_DIR/stackrc
 
+# Get some necessary configuration
+source $RC_DIR/lib/tls
+
 # The introduction of Keystone to the OpenStack ecosystem has standardized the
 # term **tenant** as the entity that owns resources.  In some places references
 # still exist to the original Nova term **project** for this use.  Also,
@@ -49,6 +52,7 @@ export OS_NO_CACHE=${OS_NO_CACHE:-1}
 # which is convenient for some localrc configurations.
 HOST_IP=${HOST_IP:-127.0.0.1}
 SERVICE_HOST=${SERVICE_HOST:-$HOST_IP}
+SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http}
 
 # Some exercises call glance directly.  On a single-node installation, Glance
 # should be listening on HOST_IP.  If its running elsewhere, it can be set here
@@ -61,7 +65,10 @@ GLANCE_HOST=${GLANCE_HOST:-$HOST_IP}
 #
 # *NOTE*: Using the 2.0 *identity api* does not mean that compute api is 2.0.  We
 # will use the 1.1 *compute api*
-export OS_AUTH_URL=http://$SERVICE_HOST:5000/v2.0
+export OS_AUTH_URL=$SERVICE_PROTOCOL://$SERVICE_HOST:5000/v2.0
+
+# Set the pointer to our CA certificate chain.  Harmless if TLS is not used.
+export OS_CACERT=$INT_CA_DIR/ca-chain.pem
 
 # Currently novaclient needs you to specify the *compute api* version.  This
 # needs to match the config of your catalog returned by Keystone.

stack.sh

@@ -288,6 +288,7 @@ fi
 
 # Allow the use of an alternate hostname (such as localhost/127.0.0.1) for service endpoints.
 SERVICE_HOST=${SERVICE_HOST:-$HOST_IP}
+SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http}
 
 # Configure services to use syslog instead of writing to individual log files
 SYSLOG=`trueorfalse False $SYSLOG`
@@ -305,6 +306,7 @@ SERVICE_TIMEOUT=${SERVICE_TIMEOUT:-60}
 # ==================
 
 # Get project function libraries
+source $TOP_DIR/lib/tls
 source $TOP_DIR/lib/horizon
 source $TOP_DIR/lib/keystone
 source $TOP_DIR/lib/glance
@@ -847,6 +849,12 @@ if [[ $TRACK_DEPENDS = True ]] ; then
     exit 0
 fi
 
+if is_service_enabled tls-proxy; then
+    configure_CA
+    init_CA
+    # Add name to /etc/hosts
+    # don't be naive and add to existing line!
+fi
 
 # Syslog
 # ------
@@ -923,12 +931,17 @@ screen -r $SCREEN_NAME -X hardstatus alwayslastline "$SCREEN_HARDSTATUS"
 
 if is_service_enabled key; then
     echo_summary "Starting Keystone"
-    configure_keystone
     init_keystone
     start_keystone
 
     # Set up a temporary admin URI for Keystone
-    SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
+    SERVICE_ENDPOINT=$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
+
+    if is_service_enabled tls-proxy; then
+        export OS_CACERT=$INT_CA_DIR/ca-chain.pem
+        # Until the client support is fixed, just use the internal endpoint
+        SERVICE_ENDPOINT=http://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT_INT/v2.0
+    fi
 
     # Do the keystone-specific bits from keystone_data.sh
     export OS_SERVICE_TOKEN=$SERVICE_TOKEN

stackrc

@@ -6,6 +6,9 @@ RC_DIR=$(cd $(dirname "$BASH_SOURCE") && pwd)
 # Destination path for installation
 DEST=/opt/stack
 
+# Destination for working data
+DATA_DIR=${DEST}/data
+
 # Select the default database
 DATABASE_TYPE=mysql
 

unstack.sh

@@ -62,6 +62,11 @@ if is_service_enabled horizon; then
     stop_horizon
 fi
 
+# Kill TLS proxies
+if is_service_enabled tls-proxy; then
+    killall stud
+fi
+
 SCSI_PERSIST_DIR=$CINDER_STATE_PATH/volumes/*
 
 # Get the iSCSI volumes