Added SSL configuration to qpid

The SSL option is disabled by default, it uses
the NSS database to store the certificates.

Added a separate configuration group for qpid SSL

Fixes: rhbz#1022312

Change-Id: I8d58710b5938307b3e2a25e821b640a46c48c97e

.gitmodules

@@ -88,3 +88,6 @@
 [submodule "packstack/puppet/modules/certmonger"]
 	path = packstack/puppet/modules/certmonger
 	url = git://github.com/rcritten/puppet-certmonger.git
+[submodule "packstack/puppet/modules/nssdb"]
+	path = packstack/puppet/modules/nssdb
+	url = https://github.com/rcritten/puppet-nssdb.git

packstack/plugins/puppet_950.py

@@ -82,7 +82,7 @@ def copyPuppetModules(config):
     os_modules = ' '.join(('apache', 'ceilometer', 'certmonger', 'cinder',
                            'concat', 'firewall', 'glance', 'heat', 'horizon',
                            'inifile', 'keystone', 'memcached', 'mongodb',
-                           'mysql', 'neutron', 'nova', 'openstack',
+                           'mysql', 'neutron', 'nova', 'nssdb', 'openstack',
                            'packstack', 'qpid', 'rsync', 'ssh', 'stdlib',
                            'swift', 'sysctl', 'tempest', 'vcsrepo', 'vlan',
                            'vswitch', 'xinetd'))

packstack/plugins/qpid_002.py

@@ -3,12 +3,17 @@ Installs and configures qpid
 """
 
 import logging
+import uuid
+import os
 
 from packstack.installer import validators
 from packstack.installer import basedefs
 from packstack.installer import utils
 
-from packstack.modules.ospluginutils import getManifestTemplate, appendManifestFile
+from packstack.modules.common import filtered_hosts
+from packstack.modules.ospluginutils import gethostlist,\
+                                            getManifestTemplate,\
+                                            appendManifestFile
 
 # Controller object will be initialized from main flow
 controller = None
@@ -36,8 +41,22 @@ def initConfig(controllerObject):
                    "USE_DEFAULT"     : False,
                    "NEED_CONFIRM"    : False,
                    "CONDITION"       : False },
+                  {"CMD_OPTION"      : "qpid-enable-ssl",
+                   "USAGE"           : "Enable SSL for the QPID service",
+                   "PROMPT"          : "Enable SSL for the QPID service?",
+                   "OPTION_LIST"     : ["y", "n"],
+                   "VALIDATORS"      : [validators.validate_options],
+                   "DEFAULT_VALUE"   : "n",
+                   "MASK_INPUT"      : False,
+                   "LOOSE_VALIDATION": False,
+                   "CONF_NAME"       : "CONFIG_QPID_ENABLE_SSL",
+                   "USE_DEFAULT"     : False,
+                   "NEED_CONFIRM"    : False,
+                   "CONDITION"       : False },
+
                   ]
 
+
     groupDict = { "GROUP_NAME"            : "QPIDLANCE",
                   "DESCRIPTION"           : "QPID Config parameters",
                   "PRE_CONDITION"         : "CONFIG_NOVA_INSTALL",
@@ -47,6 +66,77 @@ def initConfig(controllerObject):
 
     controller.addGroup(groupDict, paramsList)
 
+    paramsList = [
+                  {"CMD_OPTION"      : "qpid-nss-certdb-pw",
+                   "USAGE"           : "The password for the NSS certificate database of the QPID service",
+                   "PROMPT"          : "Enter the password for NSS certificate database",
+                   "OPTION_LIST"     : [],
+                   "VALIDATORS"      : [validators.validate_not_empty],
+                   "DEFAULT_VALUE"   : uuid.uuid4().hex[:32],
+                   "MASK_INPUT"      : False,
+                   "LOOSE_VALIDATION": True,
+                   "CONF_NAME"       : "CONFIG_QPID_NSS_CERTDB_PW",
+                   "USE_DEFAULT"     : False,
+                   "NEED_CONFIRM"    : False,
+                   "CONDITION"       : False },
+                  {"CMD_OPTION"      : "qpid-ssl-port",
+                   "USAGE"           : "The port in which the QPID service listens to SSL connections",
+                   "PROMPT"          : "Enter the SSL port for the QPID service",
+                   "OPTION_LIST"     : [],
+                   "VALIDATORS"      : [validators.validate_not_empty],
+                   "DEFAULT_VALUE"   : "5671",
+                   "MASK_INPUT"      : False,
+                   "LOOSE_VALIDATION": True,
+                   "CONF_NAME"       : "CONFIG_QPID_SSL_PORT",
+                   "USE_DEFAULT"     : False,
+                   "NEED_CONFIRM"    : False,
+                   "CONDITION"       : False },
+                  {"CMD_OPTION"      : "qpid-ssl-cert-file",
+                   "USAGE"           : "The filename of the certificate that the QPID service is going to use",
+                   "PROMPT"          : "Enter the filename of the SSL certificate for the QPID service",
+                   "OPTION_LIST"     : [],
+                   "VALIDATORS"      : [validators.validate_not_empty],
+                   "DEFAULT_VALUE"   : "/etc/pki/tls/certs/qpid_selfcert.pem",
+                   "MASK_INPUT"      : False,
+                   "LOOSE_VALIDATION": True,
+                   "CONF_NAME"       : "CONFIG_QPID_SSL_CERT_FILE",
+                   "USE_DEFAULT"     : False,
+                   "NEED_CONFIRM"    : False,
+                   "CONDITION"       : False },
+                  {"CMD_OPTION"      : "qpid-ssl-key-file",
+                   "USAGE"           : "The filename of the private key that the QPID service is going to use",
+                   "PROMPT"          : "Enter the private key filename",
+                   "OPTION_LIST"     : [],
+                   "VALIDATORS"      : [validators.validate_not_empty],
+                   "DEFAULT_VALUE"   : "/etc/pki/tls/private/qpid_selfkey.pem",
+                   "MASK_INPUT"      : False,
+                   "LOOSE_VALIDATION": True,
+                   "CONF_NAME"       : "CONFIG_QPID_SSL_KEY_FILE",
+                   "USE_DEFAULT"     : False,
+                   "NEED_CONFIRM"    : False,
+                   "CONDITION"       : False },
+                  {"CMD_OPTION"      : "qpid-ssl-self-signed",
+                   "USAGE"           : "Auto Generates self signed SSL certificate and key",
+                   "PROMPT"          : "Generate Self Signed SSL Certificate",
+                   "OPTION_LIST"     : ["y","n"],
+                   "VALIDATORS"      : [validators.validate_not_empty],
+                   "DEFAULT_VALUE"   : "y",
+                   "MASK_INPUT"      : False,
+                   "LOOSE_VALIDATION": True,
+                   "CONF_NAME"       : "CONFIG_QPID_SSL_SELF_SIGNED",
+                   "USE_DEFAULT"     : False,
+                   "NEED_CONFIRM"    : False,
+                   "CONDITION"       : False },
+                 ]
+
+    groupDict = { "GROUP_NAME"            : "QPIDSSL",
+                  "DESCRIPTION"           : "QPID Config SSL parameters",
+                  "PRE_CONDITION"         : "CONFIG_QPID_ENABLE_SSL",
+                  "PRE_CONDITION_MATCH"   : "y",
+                  "POST_CONDITION"        : False,
+                  "POST_CONDITION_MATCH"  : True}
+
+    controller.addGroup(groupDict, paramsList)
 
 def initSequences(controller):
     # If we don't want Nova we don't need qpid
@@ -58,6 +148,35 @@ def initSequences(controller):
     controller.addSequence("Installing QPID", [], [], qpidsteps)
 
 def createmanifest(config):
-    manifestfile = "%s_qpid.pp"%controller.CONF['CONFIG_QPID_HOST']
+    manifestfile = "%s_qpid.pp"%config['CONFIG_QPID_HOST']
-    manifestdata = getManifestTemplate("qpid.pp")
+    manifestdata = ""
+    ssl_manifestdata = ""
+    server = utils.ScriptRunner(config['CONFIG_QPID_HOST'])
+    ports = set(["'5672'"])
+    if config['CONFIG_QPID_ENABLE_SSL'] == 'y':
+        ports.add("'%s'" % (config['CONFIG_QPID_SSL_PORT']))
+        config['CONFIG_QPID_ENABLE_SSL'] = 'true'
+        if config['CONFIG_QPID_SSL_SELF_SIGNED'] == 'y':
+            server.append( "openssl req -batch -new -x509 -nodes -keyout %s -out %s -days 1095"
+                % (config['CONFIG_QPID_SSL_KEY_FILE'], config['CONFIG_QPID_SSL_CERT_FILE']) )
+            server.execute()
+        ssl_manifestdata = getManifestTemplate('qpid_ssl.pp')
+    else:
+        #Set default values 
+        config['CONFIG_QPID_SSL_PORT'] = "5671"
+        config['CONFIG_QPID_SSL_CERT_FILE'] = ""
+        config['CONFIG_QPID_SSL_KEY_FILE'] = ""
+        config['CONFIG_QPID_NSS_CERTDB_PW'] = ""
+        config['CONFIG_QPID_ENABLE_SSL'] = 'false'
+
+    manifestdata = getManifestTemplate('qpid.pp')
+    manifestdata += ssl_manifestdata
+
+    #All hosts should be able to talk to qpid
+    hosts = ["'%s'" % i for i in filtered_hosts(config, exclude=False)]
+    config['FIREWALL_ALLOWED'] = ','.join(hosts)
+    config['FIREWALL_SERVICE_NAME'] = "qpid"
+    config['FIREWALL_PORTS'] = ','.join(ports)
+    manifestdata += getManifestTemplate("firewall.pp")
+
     appendManifestFile(manifestfile, manifestdata, 'pre')

packstack/puppet/templates/qpid.pp

@@ -1,4 +1,3 @@
-
 class {"qpid::server":
     config_file => $::operatingsystem? {
         'Fedora' => '/etc/qpid/qpidd.conf',
@@ -6,6 +5,11 @@ class {"qpid::server":
         },
     auth => "no",
     clustered => false,
+    ssl_port      => '%(CONFIG_QPID_SSL_PORT)s',
+    ssl           => %(CONFIG_QPID_ENABLE_SSL)s,
+    ssl_cert      => '%(CONFIG_QPID_SSL_CERT_FILE)s',
+    ssl_key       => '%(CONFIG_QPID_SSL_KEY_FILE)s',
+    ssl_database_password => '%(CONFIG_QPID_NSS_CERTDB_PW)s',
 }
 
 firewall { '001 qpid incoming':

packstack/puppet/templates/qpid_ssl.pp

@@ -0,0 +1,27 @@
+# User and group for the nss database
+
+group { 'qpidd':
+    ensure => 'present',
+}
+
+user { 'qpidd':
+    ensure     => 'present',
+    managehome => true,
+    home       => '/var/run/qpidd',
+    require => Group['qpidd']
+}
+
+file { 'pid_dir':
+    path => '/var/run/qpidd',
+    ensure => directory,
+    owner => 'qpidd',
+    group => 'qpidd',
+    require => User['qpidd'],
+}
+
+file_line { 'pid_dir_conf':
+   path => $qpid::server::config_file,
+   line => 'pid-dir=/var/run/qpidd',
+   require => File['pid_dir'],
+}
+