From b82e20e47f07cc188282cc59234ada637f1d4b68 Mon Sep 17 00:00:00 2001
From: Grzegorz Grasza
Date: Mon, 7 Dec 2020 14:05:39 +0100
Subject: [PATCH] Add TLS context creation for Memcached backends

This patch specifies a set of options required to build a TLS context. The context built from those options is passed to any of the django backends supporting TLS connections (eg. pymemcache).

Change-Id: I3a31c8f27911022c51baceccd9613e6d5e732f60
---
 manifests/init.pp | 34 +++++++++++++++++++++++++++++++++
 templates/local_settings.py.erb | 21 ++++++++++++++++++++
 2 files changed, 55 insertions(+)

diff --git a/manifests/init.pp b/manifests/init.pp
index b2d4a39d..ca77f323 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -47,6 +47,35 @@
 # [*cache_server_port*]
 # (optional) Memcached port. Defaults to '11211'.
 #
+# [*cache_tls_enabled*]
+# (optional) Global toggle for TLS usage when comunicating with
+# the caching servers. Defaults to false.
+#
+# [*cache_tls_cafile*]
+# (optional) Path to a file of concatenated CA certificates in PEM
+# format necessary to establish the caching server's authenticity.
+# If tls_enabled is False, this option is ignored.
+# Defaults to undef.
+#
+# [*cache_tls_certfile*]
+# (optional) Path to a single file in PEM format containing the
+# client's certificate as well as any number of CA certificates
+# needed to establish the certificate's authenticity. This file
+# is only required when client side authentication is necessary.
+# If tls_enabled is False, this option is ignored. Defaults to undef.
+#
+# [*cache_tls_keyfile*]
+# (optional) Path to a single file containing the client's private
+# key in. Otherwhise the private key will be taken from the file
+# specified in tls_certfile. If tls_enabled is False, this option
+# is ignored. Defaults to undef.
+#
+# [*cache_tls_allowed_ciphers*]
+# (optional) Set the available ciphers for sockets created with
+# the TLS context. It should be a string in the OpenSSL cipher
+# list format. If not specified, all OpenSSL enabled ciphers will
+# be available. Defaults to undef.
+#
 # [*manage_memcache_package*]
 # (optional) Boolean if we should manage the memcache package.
 # Defaults to true
@@ -487,6 +516,11 @@ class horizon(
 $cache_server_url = undef,
 $cache_server_ip = undef,
 $cache_server_port = '11211',
+ $cache_tls_enabled = false,
+ $cache_tls_cafile = undef,
+ $cache_tls_certfile = undef,
+ $cache_tls_keyfile = undef,
+ $cache_tls_allowed_ciphers = undef,
 $manage_memcache_package = true,
 $horizon_app_links = false,
 $keystone_url = 'http://127.0.0.1:5000',
diff --git a/templates/local_settings.py.erb b/templates/local_settings.py.erb
index 8fc48df2..b367baa8 100644
--- a/templates/local_settings.py.erb
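Review bot: The new parameter docs cross-reference `tls_enabled` and `tls_certfile`, which are not the names this commit adds (`cache_tls_enabled`, `cache_tls_certfile`), and the `cache_tls_keyfile` entry has a dangling "key in." plus the misspellings "comunicating" and "Otherwhise". I would rewrite the keyfile entry as `# (optional) Path to a single file containing the client's private` / `# key. Otherwise the private key will be taken from the file` / `# specified in cache_tls_certfile. If cache_tls_enabled is false, this option` and correct the other two cross-references the same way. The `cache_tls_cafile` entry should also state that when it is left undef the generated context is built by `ssl.create_default_context()` without a cafile and therefore trusts the platform's default CA certificates, so operators know which trust anchors apply unless they set one explicitly.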
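Review bot: Nothing validates the combination of the new parameters: a `cache_tls_keyfile` given without `cache_tls_certfile` is silently dropped, because the template only emits `load_cert_chain` when certfile is set, so a client-auth misconfiguration surfaces only as a failed handshake at runtime. The class body is outside this hunk; if it does not already check this, a compile-time guard such as `if $cache_tls_keyfile and !$cache_tls_certfile { fail('cache_tls_keyfile requires cache_tls_certfile') }` would make the error visible in the catalog run instead.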
+++ b/templates/local_settings.py.erb
@@ -240,6 +240,27 @@ CACHES = {
 }
 }
 
+<% if @cache_tls_enabled %>
+
+## START TLS context configuration
+import ssl
+
+tls_context = ssl.create_default_context(<% if @cache_tls_cafile %>cafile='<%= @cache_tls_cafile %>'<% end %>)
+<% if @cache_tls_certfile and @cache_tls_keyfile %>
+tls_context.load_cert_chain('<%= @cache_tls_certfile %>', '<%= @cache_tls_keyfile %>')
+<% end %>
+<% if @cache_tls_certfile and not @cache_tls_keyfile %>
+tls_context.load_cert_chain('<%= @cache_tls_certfile %>')
+<% end %>
+<% if @cache_allowed_ciphers %>
+tls_context.set_ciphers('<%= @cache_tls_allowed_ciphers %>')
+<% end %>
+
+CACHES['default'].setdefault('OPTIONS', {})['tls_context'] = tls_context
+
+## END TLS context configuration
+<% end %>
+
 <% if @django_session_engine %>
 SESSION_ENGINE = "<%= @django_session_engine %>"
 <% end %>
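Review bot: The cipher block tests `@cache_allowed_ciphers`, a variable the manifest never defines (the parameter added in init.pp is `cache_tls_allowed_ciphers`), so the `set_ciphers` line is never rendered and the operator's cipher restriction is silently ignored; the condition should read `<% if @cache_tls_allowed_ciphers %>`. The cafile, certfile and keyfile values are also pasted into single-quoted Python literals unescaped, so a path containing `'` or a backslash yields an unparsable local_settings.py; either constrain those values in the manifest or escape them in the template. `ssl.create_default_context` keeps certificate and hostname verification enabled, which is the right default, but when the backend is addressed by the `cache_server_ip` value the server certificate must carry that address as a SAN — a one-line comment inside the START/END block saying so would keep operators from loosening verification when the handshake fails.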