From e047fc42c67a789db07bb311c64155ac53688b49 Mon Sep 17 00:00:00 2001 
From: "James E. Blair" Date: Sat, 29 May 2021 18:09:06 -0700 Subject: [PATCH] Combine fingergw certificate options This combines the client and server certificate options to make typical deployments simpler. The same certificate will be used by a fingergw acting as a client or a server. A new option is added to tell fingergw to use the cert only for client use; that way a fingergw can act as an unencrypted end-user gateway while still able to connect to encrypted servers. The options are renamed to tls_* to match zookeeper; once gearman is removed, we will have no ssl_* options. Documentation and a release note for TLS fingergw support is added. Change-Id: If3e445336de4644a5303f2ecc7c4a27e4320d042 --- doc/source/discussion/components.rst | 48 +++++++++++++++++ .../notes/finger-ssl-3548092b015e2844.yaml | 22 ++++++++ tests/fixtures/fingergw/README.rst | 10 +--- tests/fixtures/fingergw/client.csr | 17 ------ tests/fixtures/fingergw/client.key | 28 ---------- tests/fixtures/fingergw/client.pem | 20 ------- tests/fixtures/fingergw/fingergw.csr | 17 ++++++ tests/fixtures/fingergw/fingergw.key | 28 ++++++++++ tests/fixtures/fingergw/fingergw.pem | 20 +++++++ tests/fixtures/fingergw/root-ca.key | 52 +++++++++---------- tests/fixtures/fingergw/root-ca.pem | 32 ++++++------ tests/fixtures/fingergw/root-ca.srl | 2 +- tests/fixtures/fingergw/server.csr | 17 ------ tests/fixtures/fingergw/server.key | 28 ---------- tests/fixtures/fingergw/server.pem | 20 ------- tests/unit/test_streaming.py | 20 +++---- zuul/lib/fingergw.py | 52 +++++++++---------- zuul/web/__init__.py | 16 +++--- 18 files changed, 221 insertions(+), 228 deletions(-) create mode 100644 releasenotes/notes/finger-ssl-3548092b015e2844.yaml delete mode 100644 tests/fixtures/fingergw/client.csr delete mode 100644 tests/fixtures/fingergw/client.key delete mode 100644 tests/fixtures/fingergw/client.pem create mode 100644 tests/fixtures/fingergw/fingergw.csr create mode 100644 tests/fixtures/fingergw/fingergw.key 
create mode 100644 tests/fixtures/fingergw/fingergw.pem delete mode 100644 tests/fixtures/fingergw/server.csr delete mode 100644 tests/fixtures/fingergw/server.key delete mode 100644 tests/fixtures/fingergw/server.pem diff --git a/doc/source/discussion/components.rst b/doc/source/discussion/components.rst index 8a86231778..0e20ea7979 100644 --- a/doc/source/discussion/components.rst +++ b/doc/source/discussion/components.rst @@ -1264,6 +1264,18 @@ Finger gateway servers need to be able to connect to the Gearman server (usually the scheduler host), as well as the console streaming port on the executors (usually 7900). +Finger gateways are optional. They may be run for either or both of +the following purposes: + +* Allowing end-users to connect to the finger port to stream logs. + +* Providing an accessible log streaming port for remote zoned + executors which are otherwise inacessible. + + In this case, log streaming requests from finger gateways or + zuul-web will route to the executors via finger gateways in the same + zone. + Configuration ~~~~~~~~~~~~~ 
@@ -1327,6 +1339,42 @@ sections of ``zuul.conf`` are used by the finger gateway: also be zoned and unzoned finger gateway services. Omit the zone parameter for any unzoned finger gateway servers. + If the Zuul installation spans an untrusted network (for example, if + there are remote executor zones), it may be necessary to use TLS + between the components that handle log streaming (zuul-executor, + zuul-fingergw, and zuul-web). If so, set the following options. + + Note that this section is also read by zuul-web in order to load a + client certificate to use when connecting to a finger gateway which + requires TLS, and it is also read by zuul-executor to load a server + certificate for its console streaming port. + + If any of these are present, all three certificate options must be + provided. + + .. attr:: tls_cert + + The path to the PEM encoded certificate file. + + .. attr:: tls_key + + The path to the PEM encoded key file. + + .. attr:: tls_ca + + The path to the PEM encoded CA certificate file. + + .. attr:: tls_client_only + :default: false + + In order to provide a finger gateway which can reach remote + finger gateways and executors which use TLS, but does not itself + serve end-users via TLS (i.e., it runs within a protected + network and users access it directly via the finger port), set + this to ``true`` and the finger gateway will not listen on TLS, + but will still use the supplied certificate to make remote TLS + connections. + Operation ~~~~~~~~~ diff --git a/releasenotes/notes/finger-ssl-3548092b015e2844.yaml b/releasenotes/notes/finger-ssl-3548092b015e2844.yaml new file mode 100644 index 0000000000..d204adbe4a --- /dev/null +++ b/releasenotes/notes/finger-ssl-3548092b015e2844.yaml 
@@ -0,0 +1,22 @@ +--- +features: + - | + The finger gateway and executor log streaming system now supports TLS + connections. + + Normally zuul-web makes a direct connection to an executor in + order to stream logs. With this new option, that connection can + be encrypted if it crosses an untrusted network. + + The ability to route log streaming connections through finger + gateway servers was recently added; these will also use TLS if + required. + + The finger gateway server can also be used by end-users; in that + case it may need a TLS certificate to use if it is required to + connect to an encrypted executor or finger gateway to stream logs. + An option to disable using TLS when acting as a server is provided + for this case, since there are no TLS-enable finger clients. + + See :attr:`fingergw.tls_cert` and related options to enable + encrypted connections for all three components. diff --git a/tests/fixtures/fingergw/README.rst b/tests/fixtures/fingergw/README.rst index 0f2ec8e948..8fb138249f 100644 --- a/tests/fixtures/fingergw/README.rst +++ b/tests/fixtures/fingergw/README.rst 
@@ -4,12 +4,6 @@ openssl req -new -newkey rsa:2048 -nodes -keyout root-ca.key -x509 -days 3650 -out root-ca.pem -subj "/C=US/ST=Texas/L=Austin/O=OpenStack Foundation/CN=fingergw-ca" # Generate server keys -CLIENT='server' -openssl req -new -newkey rsa:2048 -nodes -keyout $CLIENT.key -out $CLIENT.csr -subj "/C=US/ST=Texas/L=Austin/O=OpenStack Foundation/CN=fingergw-$CLIENT" -openssl x509 -req -days 3650 -in $CLIENT.csr -out $CLIENT.pem -CA root-ca.pem -CAkey root-ca.key -CAcreateserial - - -# Generate client keys -CLIENT='client' -openssl req -new -newkey rsa:2048 -nodes -keyout $CLIENT.key -out $CLIENT.csr -subj "/C=US/ST=Texas/L=Austin/O=OpenStack Foundation/CN=fingergw-$CLIENT" +CLIENT='fingergw' +openssl req -new -newkey rsa:2048 -nodes -keyout $CLIENT.key -out $CLIENT.csr -subj "/C=US/ST=Texas/L=Austin/O=OpenStack Foundation/CN=fingergw" openssl x509 -req -days 3650 -in $CLIENT.csr -out $CLIENT.pem -CA root-ca.pem -CAkey root-ca.key -CAcreateserial diff --git a/tests/fixtures/fingergw/client.csr b/tests/fixtures/fingergw/client.csr deleted file mode 100644 index 30d0d14c4c..0000000000 --- a/tests/fixtures/fingergw/client.csr +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICrDCCAZQCAQAwZzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMQ8wDQYD -VQQHDAZBdXN0aW4xHTAbBgNVBAoMFE9wZW5TdGFjayBGb3VuZGF0aW9uMRgwFgYD -VQQDDA9maW5nZXJndy1jbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQDPX5Gp5o1RcWHmZvhTl9HbHYpN83nOLtK9u6l258j7ggSh3H8O6slELCMy -0tIyv4ZYK7WwLtGpjpDegd/L5JOq40xtmDmxXuJI22GJdFsowq/Tc11ShHSrJh2j -JiqmRaCM2zPexya9Fqa6ZkIBI+V/VLVEWZZP2zEXeIZVHDrKLJ5plQkA2LiBYsz1 -U/ZiIfXmjYAXQorIVoCA6VWfQvdfkc8z893SJphrOXhNQkG37FRVrZIuMeF/0xV3 -eAMhLinfzOs5p8RYpvaNOtol0UglGV2xQZO8L0pXjwVue9NVui7vTVaXMzDUNBQF -PjLIuLsEnV8qhBOCCI7GI62Or8QJAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA -j/VaictR9BOlM2W7H4GILyxOvIvHWLmXAoh73/TbLwGmzclGPDS3rnV+3oLNK+tk -mYzcHXBxidNg2nMAUiBgNPydy+OSUtuTrUP7lBOPPlV+gDJjx+raVSKEXIRDmHTP -dAcD02xCO8Gr5S6eI4k4lUT8ugQGsm+02MU8e+NzB/v0RFwXTUltcrxJo7CkPY71 -WFTs3t/ktAPzFOeIcVaiwa1fKBYnPM7S9LxpUOFTO77T3aq4drDYoZe3VBz9eJOB -Qu6UHiOuHkmKrY9UXfiqvK/AgKGZopc6kj0JP54J3v7jnNhIjcFm97QD1qXcFi6t -v6zk4eF4kvotv/N70gUx+w== ------END CERTIFICATE REQUEST----- diff --git a/tests/fixtures/fingergw/client.key b/tests/fixtures/fingergw/client.key deleted file mode 100644 index ae13603fc5..0000000000 --- a/tests/fixtures/fingergw/client.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDPX5Gp5o1RcWHm -ZvhTl9HbHYpN83nOLtK9u6l258j7ggSh3H8O6slELCMy0tIyv4ZYK7WwLtGpjpDe -gd/L5JOq40xtmDmxXuJI22GJdFsowq/Tc11ShHSrJh2jJiqmRaCM2zPexya9Fqa6 -ZkIBI+V/VLVEWZZP2zEXeIZVHDrKLJ5plQkA2LiBYsz1U/ZiIfXmjYAXQorIVoCA -6VWfQvdfkc8z893SJphrOXhNQkG37FRVrZIuMeF/0xV3eAMhLinfzOs5p8RYpvaN -Otol0UglGV2xQZO8L0pXjwVue9NVui7vTVaXMzDUNBQFPjLIuLsEnV8qhBOCCI7G -I62Or8QJAgMBAAECggEAIIMoUE3wTBuNsNTmDB0abtMj0vLgXv4iVlLsz9KpRR1u -Yn4ygYE4CvMslZROFlzG0F4R/0xn3MCYX/pWvx3YNQur+ObL7M4mhiu3EBjpDevw -KyPENuLDc+3m6aRbPXRfJpZbfIsWvMCnZUQRByK8oYkDXnL5SQ3hlX90+DUT1ox9 -4LV5sQeqW5xfEraRW9qSGzi9Ns/WokuiFfR+ur3gp1j20w2bEzkZ9Nz+Sipj48jO -uJSv5+upc/osIFiwGz59aPt+sOJq+bt3JJgxyJFvciMjOwLCoNrTsamv/0/Dsykk -UNvBthDcm4lNL3GMEgB/sUQ6UX7XJ1C6IAA11wTgcQKBgQD3HoErqi6D0+mkzhKw -3KkFMQlf+KxeTy9T00rZU3iVnccQUOZ5t1k3C6NRD5fzS3lDfqfD1KixlV3GJcy9 -dfxyhPErMJ3DttrIq90eTW1v9h95ZTYnoIoC8kzpwQSIEsEApl/VxQR6u1NHtoYW -ItBffsN1xhGN49JL2AvUxFxDBQKBgQDW02ceujc20Dx44BULwh3tZoo3/8QBhEiG -p+yNNRP4b7UEABE/6F7HZon9tDFxbLTHTnqrYQvIDgvEmuxdBAAxsy8S0WBpHwIy -nNeIc63ENmLfryGUoQ2iLEscYA+/ZD0WN5XQTcVOBJmGDdKbxluFgp1BH9pTb4ZG -5fZqQyuUNQKBgQCkykPLEW55XHxG+WC/bjaMDro4tISFU3q1BIa6TA5yf0d62ugG -rLyil3EuIh7rEB5qYvCPB6YC3h8tfpF8mkxhNcP5UC80jyBwhyMqDOn4qoEsm9C0 -NjsyYc/mZV+XOiJYQ5pO3FXzXi3X+aCK7GZV+Btx00Zrf0wCZazmEpeP3QKBgHfe -5IaPz+llDqlAGF5EReDHO879h4h1IOcKYoN0n50b7/y4cOehKOnI/Ky1VHV+++zO -jMJ+V02dENH2xHcumVEiM90jOdHOfLJzNA0ux0JaOpeoKGu/5lSctJizvXXFYBS6 -lXzzOGpNRME5i1BiwYThGhBRzsiJzXpYLUSkEHgVAoGATNJDp5kMDbzB8A8dlwL2 -LEbufOu9+SLJJB/3M24+WioMSGxoZvkF2rpYdvR83QuOdEKBQlao2gwPNNMckMfh -twLKj1EvkQzQ46y+R8Ay3Sc5XNeTZ7vG8ysewP41b+RDPSkC1jTbCrHvXDO4D7Zi -RJkw3prbAP8PblFPjaa0P9U= ------END PRIVATE KEY----- diff --git a/tests/fixtures/fingergw/client.pem b/tests/fixtures/fingergw/client.pem deleted file mode 100644 index 61a8954989..0000000000 --- a/tests/fixtures/fingergw/client.pem +++ /dev/null 
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDRjCCAi4CCQCTQgbVwTy7RzANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJV -UzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEdMBsGA1UECgwUT3Bl -blN0YWNrIEZvdW5kYXRpb24xFDASBgNVBAMMC2Zpbmdlcmd3LWNhMB4XDTIxMDUz -MDAwMzQ1MFoXDTMxMDUyODAwMzQ1MFowZzELMAkGA1UEBhMCVVMxDjAMBgNVBAgM -BVRleGFzMQ8wDQYDVQQHDAZBdXN0aW4xHTAbBgNVBAoMFE9wZW5TdGFjayBGb3Vu -ZGF0aW9uMRgwFgYDVQQDDA9maW5nZXJndy1jbGllbnQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDPX5Gp5o1RcWHmZvhTl9HbHYpN83nOLtK9u6l258j7 -ggSh3H8O6slELCMy0tIyv4ZYK7WwLtGpjpDegd/L5JOq40xtmDmxXuJI22GJdFso -wq/Tc11ShHSrJh2jJiqmRaCM2zPexya9Fqa6ZkIBI+V/VLVEWZZP2zEXeIZVHDrK -LJ5plQkA2LiBYsz1U/ZiIfXmjYAXQorIVoCA6VWfQvdfkc8z893SJphrOXhNQkG3 -7FRVrZIuMeF/0xV3eAMhLinfzOs5p8RYpvaNOtol0UglGV2xQZO8L0pXjwVue9NV -ui7vTVaXMzDUNBQFPjLIuLsEnV8qhBOCCI7GI62Or8QJAgMBAAEwDQYJKoZIhvcN -AQELBQADggEBAA/zWymoNTQBwfYf9sog2I1Dn0AdfjBFUaupbWBD/9iYmqZkesZF -GkrPkHGs4lWhHfLiS/je84/ZKZmdd5h+7d0xydh+DAquSIBxMf8jSxDG6wj51XVi -oTw3qmacncAK7U4EUCH3GCxBwxgFIFYxv2wfyvYfqyPRgLpajWwSkAoKCxIUAvqv -1gNA/Qj6YW8S9yRgwt0F7xxz1v5thnZw80N4OZsxY7kujMa+kBIg9eZj7jcrtVrQ -+1viNToHDb/ty+edZUwUSZmr1JGr0G6mArlQYeS7G4jMOCKdlqdDPbwwFAQGf+l4 -ZDnDHBKHUSXtJaCOfYHuAcRq+THmrv5LV+k= ------END CERTIFICATE----- diff --git a/tests/fixtures/fingergw/fingergw.csr b/tests/fixtures/fingergw/fingergw.csr new file mode 100644 index 0000000000..e0579a5159 --- /dev/null +++ b/tests/fixtures/fingergw/fingergw.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICpTCCAY0CAQAwYDELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMQ8wDQYD +VQQHDAZBdXN0aW4xHTAbBgNVBAoMFE9wZW5TdGFjayBGb3VuZGF0aW9uMREwDwYD +VQQDDAhmaW5nZXJndzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALmR +Do2o+4Gf/EAEweWexbPe82xcIfx5JtnGIr5yNA8vq4xYYNLDb/qjzJuVhZ9nfGmI +dtH0ohEdsZKZszuKbTo0fJSXDbUkbddt3fk8b2Zn3k0FoinY6CQP2rTFo4MW0Yqr +7JTQAeo9cxuWqulT8jnJdNe2J4H2vfHBBpLQWoYGX+J0nMQg6jpz3gVYYEik46nS +W38ONcBGW2nKBemJUZtyA6Usynw087HM15zoUYMSF5oHTI3I8ivSK+8D9VB3gFT5 +ZOLuWYHnBLzKs2OajTZDvs7/066Qg9Nnefg5iMsiIwIGN42jGNnzUVQe9po1UTlz +5MqykxHup28e2rWNHp8CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB8Aoyfjk3Q +lX8Thz1ruEdmWuOfI+LPOYTL5Ea0XSA22qCzPVuBt29Ljlu3PZz1H3oU3hKm/pA6 +4BsOnLfZ4SHDnhLcPTHRSKsYfZyiTs3OUIoCBxWENow6TDiOx89dxcfB4fhplXsN +l7KTKeIEJFzassBSDPYkAuJ1npbA5GOpzv6CPCs2RPVfARgXkYtJWNPOUqM2JJ4w +M/9VOdADbGBRF5cyt9T0SSkvlea+vpjvGOg9sAMx7TjI+SjktYI6WbKKbWnAmMTM +DC9oJjwIHf5a09fNNbZOmttsJnELqgJutkIXP1SH0SE9QI8fYlPXSmiaaCGPsE98 +QKeaO2qlNvUK +-----END CERTIFICATE REQUEST----- diff --git a/tests/fixtures/fingergw/fingergw.key b/tests/fixtures/fingergw/fingergw.key new file mode 100644 index 0000000000..c0977eaa52 --- /dev/null +++ b/tests/fixtures/fingergw/fingergw.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQC5kQ6NqPuBn/xA +BMHlnsWz3vNsXCH8eSbZxiK+cjQPL6uMWGDSw2/6o8yblYWfZ3xpiHbR9KIRHbGS +mbM7im06NHyUlw21JG3Xbd35PG9mZ95NBaIp2OgkD9q0xaODFtGKq+yU0AHqPXMb +lqrpU/I5yXTXtieB9r3xwQaS0FqGBl/idJzEIOo6c94FWGBIpOOp0lt/DjXARltp +ygXpiVGbcgOlLMp8NPOxzNec6FGDEheaB0yNyPIr0ivvA/VQd4BU+WTi7lmB5wS8 +yrNjmo02Q77O/9OukIPTZ3n4OYjLIiMCBjeNoxjZ81FUHvaaNVE5c+TKspMR7qdv +Htq1jR6fAgMBAAECgf8FzIKn6p/xbQ508bEde9ixxkXVHQvy19Ze99IeIXN/Bf5W +ZGyiKXlWW8gJFKMYWCOLKLiN1xc5cbQa4LK5KZpAN2OtQQssnfbQxJ4rK7hPeu93 +eLWYmS6n8dbjz0lMz2m866J5BAcLSuBN/Gda40SuiZ0dIJQbe5pz85RBAkHR7lNu +kJbMMpeVUllwlqynOEFPR2A7HrdnzstkJTDt3/Y6jrh0+ZE0TBdjfbPF0lK6NQoa +GbHCEIxjY45ZXNgGSdj9V50XH0sP/sAhtAjZW31HZlXz3Z4giOLxGlEjUykbWJDj +weqtrgvdQnb9U+1KOKZi1HkB/ziIuDSdEzAJs8ECgYEA4v+XW2cr5A/u+2kCZ1sW +Hx6LiLYnGKRVzeXAjc1iOsLv9oaJa7HuJqBw3tRZ6deA6Wb5DHnoofiybc7+v34m +uqhXLIUk3au54Lg65RdHiE8m61N6t4lC8z1aolx1yX7r+lIvI5rxIxFryTm2UBxK +nNQv2kZAxq4SA1JXH9xxYbsCgYEA0UZclcPIjS1HCj5SUTDxs5ow4nkIzEsqJyX2 +1boKk4fjrKhimQ6dVx65EFfLVhqYpE6UxJuWgbUhhoKfCW4U3MaO6oY9NezzH/YK +fJ/IMIqpKDUS3GBtIVZkj+c6MXwAoSV9Rf+axF69ACELUrksoPXoj7Vqe2XE+XPO +FzyiZm0CgYAvHOErJVSktvHg2ECZdvw2ZT6Ml1Gx+ZmdbEv0omX60C7BudaXtYw6 +FB6ZAPXQZNvqlWanQj4YL+fIhqe00tfy8bF2GgQ2xceEbng6yAQetF7dhKv5n9F3 +bop7HDmOInuTrq798tCNeLYoQ4QlSFnsBtYPtXkIQ2SVr+dJQ5V8tQKBgAFamy68 +3YdMS7FdRdsQnf+zd61/avcnZVZrgHVRhs/9iROM41ZqKcpugHQCnWYpNeOaPown +FYoxSc48+hptg+UJw9Lwm2TF66zBQsAbqIfn3cBM15plZU9Z57ymmlHHo5lnTLAv +PykWE9L0Y8ZdPFSuQprraYzy05tpjGPKGKLhAoGBALOw3YpWOGi5AJ0BFz9pX6wT +Wk56qYOO6kImKtgwGRXFlEOKUWpDGP0UV5slVnYE23SN5v9kvKnLI86YYDupYszt +MmvjxMNz1gfvvsZXv0KUxG8LDDZB11rP3fBAwQk6GMuUAKpQLVh4rgTi+Di3pzO6 +0p/czuW+jXpZ+0MsbPzT +-----END PRIVATE KEY----- diff --git a/tests/fixtures/fingergw/fingergw.pem b/tests/fixtures/fingergw/fingergw.pem new file mode 100644 index 0000000000..8a21c45621 --- /dev/null +++ b/tests/fixtures/fingergw/fingergw.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPzCCAicCCQCTQgbVwTy7SDANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJV +UzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEdMBsGA1UECgwUT3Bl +blN0YWNrIEZvdW5kYXRpb24xFDASBgNVBAMMC2Zpbmdlcmd3LWNhMB4XDTIxMDUz +MDAwMzYxNFoXDTMxMDUyODAwMzYxNFowYDELMAkGA1UEBhMCVVMxDjAMBgNVBAgM +BVRleGFzMQ8wDQYDVQQHDAZBdXN0aW4xHTAbBgNVBAoMFE9wZW5TdGFjayBGb3Vu +ZGF0aW9uMREwDwYDVQQDDAhmaW5nZXJndzCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALmRDo2o+4Gf/EAEweWexbPe82xcIfx5JtnGIr5yNA8vq4xYYNLD +b/qjzJuVhZ9nfGmIdtH0ohEdsZKZszuKbTo0fJSXDbUkbddt3fk8b2Zn3k0FoinY +6CQP2rTFo4MW0Yqr7JTQAeo9cxuWqulT8jnJdNe2J4H2vfHBBpLQWoYGX+J0nMQg +6jpz3gVYYEik46nSW38ONcBGW2nKBemJUZtyA6Usynw087HM15zoUYMSF5oHTI3I +8ivSK+8D9VB3gFT5ZOLuWYHnBLzKs2OajTZDvs7/066Qg9Nnefg5iMsiIwIGN42j +GNnzUVQe9po1UTlz5MqykxHup28e2rWNHp8CAwEAATANBgkqhkiG9w0BAQsFAAOC +AQEAPZsVEJCvwMx6ChglKMRlupmzR5amqv++I5z9RHfmig005pIF56HJhxQuxT4h +sOLcDHIceJBgVCRV4q38UDjTXYCmVPDrWvl1AMQ2hbaV8XV6/L7nHv8xK8YVYYlD +S31HvIDFeWMnRsYosCwqau8TzuSTtSmJGB+Ri64P5kcBMgToeRw24XhrRQHG8myz +oECzwsmcNtXseE1xuGl4UgE7bHlkyevqTOlJPXgVR4R7ocmReLK7g9wMGrSrDj4G +dzQQcNUS4r2fB/ksI35ZoLv4B6qi7ir7FQ78OTtl6lKAhZuu98QfwkhM/L6JVwTs +fAb0xxKYzGpcJpjjUzfGUIsEBQ== +-----END CERTIFICATE----- diff --git a/tests/fixtures/fingergw/root-ca.key b/tests/fixtures/fingergw/root-ca.key index 111dc13849..36344f3a9b 100644 --- a/tests/fixtures/fingergw/root-ca.key +++ b/tests/fixtures/fingergw/root-ca.key 
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC03ectwEf0Itw1 -u9ySo3VJOXWNLg0p01m4t3z4CyA15Oh2XlnDoTrio4FTZnZblZRd8kXZ0AGhC6Ln -eIJqJc+79Y8S2sKrl6nJuNcRt4UFdZqyyUCyU9EgY5nK28zge1OxNlSJ5ZTcM1I8 -YFhJDb7sM5ZChTaOp2OjuZOePoF7hp+lZTEdhczLC/e35LY84dd6i6QxBJ9reaOF -nan+EqX5CVmFCGWvmnTpxkZvSFtkhdvG+IC9r1SX9lZi1JZEKCVodgNozcwWTLFD -Pi2CxSY+HMXwYYNJfh7GOxsy6a13TtCJGwNM5F5Ol7iVK35zYrzE4HWnxP+P+TtB -rZ70a4EDAgMBAAECggEAY8/+D1KIouNGEWVOMaKBTFqoU7QxUX6wie7AyYYiTXu5 -CfHBqeNlQsOm0CbAdIRUr4/PGoffDkgEq6bmmbuqK3k1bttJCTcWXRtjnQRhJYUk -TTwhNwhoZW5x5fBs3QlSQ37PIpaPEwJDhMxKjG5IicNiTe2EES+xHh6Ap5ipDkhr -7fJ1WEEq2zerSA1K8d/BT7Fx1OCSqmemkfpQsaQ1Na71HT97XPMI2JVBLklKsr2U -aOiagYM6jsxwzVW+rBPmwZie8UC4+/ZKU9+yhkEOB8T/z2/kiuFwHyReYNWlFc4B -wiYk297r/ucwRz0lfMPrPDoUWoTrcLpBNP0wAAnm4QKBgQDmaMtMhldS+RB+CrO1 -JbR6o0ek2TN79p4L6klgFw/MLvpsRqsoZ/MPiRiOW3q+vud+wnfSkxD8fLWF2Sk/ -xTvgavIgnMiauea0pIlKPmPYcP/TrXT66ApHK/jfN7+M4a1jnqQE1mo3a6bPnjwZ -nBd4RRKM64q2CRrqrVWreeaMUwKBgQDI9HiETLqGnXNihLTqP20oaK7162kI0jJf -Pr04KE8VtvleJAHwf7CVxkeJ6oTySWo+tHfvjDVmsdCwwgXMVhAks+fQLpZv9qOf -U72Kqy5NjDKvyxdB4fVwNpJn/91HbUijfs/gN5wFu6tiyvgNddZiTgjlNo9BT7sW -LpVejqEikQKBgQDGsMnX1OWK7LL3Lj1oUfp/4zwOASuvk60Y81GRJnH+Duju5EYG -0xU8aWoeoO6JfNDec86mbSIxyU0z/l/e2TPYRAFGdE1deEBluJmXx5OMe21xWdxN -3jm2xEmaHFX3pElEZfJlJY10+0VfNsH3B68JjO8BTMFSVym6A/2joLxadwKBgGOw -GyUOZy2mZ/oEeTcHVeBI5hpquMU+eOyU1AtKu8i650PTOv8SaQgzv4NkSqVi1Ajd -P+4esNML/MnixjuSqhl7AdFdexV51buRMCLdPnALz40zg4sUS8xp1gEvhZcMWI96 -tia1j3msmp28sIcE4OANdA45HaG5qsabP1AUE01xAoGAbMheTH2x5YpY1mbd68Xf -SOrRuJQd8jjrptQxmdW4x/junLYIVlacth0Fdm8e69qdbOuk1I4+4xeC7+CzVIvX -RrfNrfyTjpY64Kl1xKJIShkKcH7rAKLnCrHJkt9oODtQpvHEqzj8ZYxYBHOVIejp -k8HR+8OE9GDvPXSgyRfz7b4= +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDaSw79QrdHET9c +VbI1u3xRetIJiPSPHS/i5mtd8bQfBpUn8m2MrDqPBI3evd0YFouElOpxpb3YtCPd +jvrGxx+EjLcBidCqNWnsM3KupD5dnmjvQXUC6Z3L3NqkYOF2FMF4TH98+LGTBc4V +3jxiSPjY4h6xzzy1pjpVUmvQqEXjetsgSFUQGCiZlqEbALYKTi8duBBZKIfACkDI 
+zeOQ3866wVeueSsSBEx3UXul1+xNxGu2D2YCFJv4sq8SPdFn13clJ001g/obOTWi +WFnoxR+4YaCmxrNj0SnGbbneFxU1nOeb4mutD/uWxy9fkN3laxos9rexoC2xlDTh +iNHMLvavAgMBAAECggEAM/6Q0W4krX7EMsAOtJG1qMqyYKcIaVYwY8Eybav2lTVC +LcOmqE0VnZ8eE6HxmZ01Gh1GQk+SCp3NtSYrQVGIhk/l/y3OT9xtIF+Yv1RLroze +va4/qrPua/Js+Z5B1ZhYBMljzGaIFVbaoYbPpzFuZGpnmT6dXT78wfnhyE9sZiQa +k/oRALkmoC6H57g9JhW8mHsZyyw3grdenNdP4H5MWoBof1yl6mu6haQF50mGnXJJ +Ecv7bUnLSavVg2sX/bkbozZoeRb+Mz907LlU57ORJ+LXj9TJZU4+pflA8x58RkJV +olC0nncT758EpNBm6dOMTGz5OMN1cxUjhZK/WNjc8QKBgQDtYLgJRvUBr3kUWhi7 +rwHWrtKSutFc+w76LhmyleNeAuqg51oNNuNbbwcIXgs2IaNkWdnHJzgxdeMMXKaQ +9J3YXTu2SvsV+o+VC1spitSV+XYVTNZSbI+OlHIHo2vnmiW3ho12T1+EKXcmTV3d +dfpz8feEd6otM/PNysJJv4qhXQKBgQDraw/FhkGy8kvcfCf0nIWaKOhGLtJy+odX +Moiv+7RueYHYZqwZxXQ8nN0STb7nldO2Pub65voOrmIZQkppiNJpJgVwz7aodhxj +zzQAwgkwcRZCIb9r/CY4K4X2tVkXSprXtfpqo0MS2jD4UDS2NNHdbrNoAU4ZDHVs +6mS1Ub87ewKBgQC4ZQJxCnK2XXXDzn0aBkd6WhFvM7oA7XFj/D2wEWkulTtnxG+a +hkG0vBmNcWhqI1VGVdmrL5ciLL4z0yD8x1h6Q2poH/TNzPaOQ+UL7zFWUxNcVnTC +UFxv2HZ/4n2myoJz/wySk/PRuVg6I60/pC7qtFKez0odlRbVjKTCHw10bQKBgQDX +HKDwsFjgFp5S/e/UiCFcV/zGBIqwHVQFzVsw0yJvv/9xqX+gnNg1enBXBUtneXRW +luugX+Yl/BoPUo+EF02MXv2hs2sIS8RtPywZdTPIW80m6IdtOJ4DvWFPqS2bJsSO +Tu5e+oeTdmRAwakoxOLvHvQ4GNkv8j5qI1OaivPeeQKBgAa/XxNKZz3WZuUATspR +7wuiB8mtXdk7ISVFMlNbLD1d/S1tYw0Nia09ofSJ/4ZnRYxu05nF4uI2Q9Acif9F +rZR5lyvNn38Kv3KHBgIG4NUugQtYtgG8CIVQxE6xPqkeiuaHHgk1xrXEBe/z5jql +E8l91fLR0Gvow/APAmTRRhEu -----END PRIVATE KEY----- diff --git a/tests/fixtures/fingergw/root-ca.pem b/tests/fixtures/fingergw/root-ca.pem index 48070434e7..1452db5af5 100644 --- a/tests/fixtures/fingergw/root-ca.pem +++ b/tests/fixtures/fingergw/root-ca.pem 
@@ -1,22 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDpzCCAo+gAwIBAgIUbe9RwznpVY2LaJxgFpfJls0ORlkwDQYJKoZIhvcNAQEL +MIIDpzCCAo+gAwIBAgIUZTc9dtkiuIEtkrqQW4xqxOyoi5YwDQYJKoZIhvcNAQEL BQAwYzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMQ8wDQYDVQQHDAZBdXN0 aW4xHTAbBgNVBAoMFE9wZW5TdGFjayBGb3VuZGF0aW9uMRQwEgYDVQQDDAtmaW5n -ZXJndy1jYTAeFw0yMTA1MzAwMDM0NTBaFw0zMTA1MjgwMDM0NTBaMGMxCzAJBgNV +ZXJndy1jYTAeFw0yMTA1MzAwMDM2MTRaFw0zMTA1MjgwMDM2MTRaMGMxCzAJBgNV BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEPMA0GA1UEBwwGQXVzdGluMR0wGwYDVQQK DBRPcGVuU3RhY2sgRm91bmRhdGlvbjEUMBIGA1UEAwwLZmluZ2VyZ3ctY2EwggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC03ectwEf0Itw1u9ySo3VJOXWN -Lg0p01m4t3z4CyA15Oh2XlnDoTrio4FTZnZblZRd8kXZ0AGhC6LneIJqJc+79Y8S -2sKrl6nJuNcRt4UFdZqyyUCyU9EgY5nK28zge1OxNlSJ5ZTcM1I8YFhJDb7sM5ZC -hTaOp2OjuZOePoF7hp+lZTEdhczLC/e35LY84dd6i6QxBJ9reaOFnan+EqX5CVmF -CGWvmnTpxkZvSFtkhdvG+IC9r1SX9lZi1JZEKCVodgNozcwWTLFDPi2CxSY+HMXw -YYNJfh7GOxsy6a13TtCJGwNM5F5Ol7iVK35zYrzE4HWnxP+P+TtBrZ70a4EDAgMB -AAGjUzBRMB0GA1UdDgQWBBQ5IIU3pSweSOMfg/RpBqMRA8a7TzAfBgNVHSMEGDAW -gBQ5IIU3pSweSOMfg/RpBqMRA8a7TzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 -DQEBCwUAA4IBAQBFj7FHoXxAC+jv2o/BeD2Sc+KntYi82Rtlt31aJ35zMk4/qE7Z -mM0pgc/xSZ+mchKzOIW+aVDxE/+WdptVZTiBmJao4hZ3tsCMZZiW9ocSBtlhYICq -vxCpK8ISQ3JjdVMgorsMPEd5pF9PKTbRSBSaDoHiduH4rHYzsBslnPfvx8vstVdI -4CvCEkNKvBfuqir0ZDObXTUT4Q80sZYWy/vcB+rxxofSQjP03Id+Wu0fIxPg6Ggi -ZjO33LNnNWEob1UV1A1VZMlGKHkVK5Ib4wtWdc8fnIbmpWGuGgJeaD+XiXprlrkY -wzMA2im8teUM+u6P0adI42ypyUJa056mHH79 +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaSw79QrdHET9cVbI1u3xRetIJ +iPSPHS/i5mtd8bQfBpUn8m2MrDqPBI3evd0YFouElOpxpb3YtCPdjvrGxx+EjLcB +idCqNWnsM3KupD5dnmjvQXUC6Z3L3NqkYOF2FMF4TH98+LGTBc4V3jxiSPjY4h6x +zzy1pjpVUmvQqEXjetsgSFUQGCiZlqEbALYKTi8duBBZKIfACkDIzeOQ3866wVeu +eSsSBEx3UXul1+xNxGu2D2YCFJv4sq8SPdFn13clJ001g/obOTWiWFnoxR+4YaCm +xrNj0SnGbbneFxU1nOeb4mutD/uWxy9fkN3laxos9rexoC2xlDThiNHMLvavAgMB +AAGjUzBRMB0GA1UdDgQWBBSPLANuMAsLh0dwqV7WMzR3Oxn/dTAfBgNVHSMEGDAW +gBSPLANuMAsLh0dwqV7WMzR3Oxn/dTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 
+DQEBCwUAA4IBAQDLTwrQv4C427U3I2hyBUYLKfhJvVgTvnTUMIFUvRbLRFIkAR63 +fPAMSfpTclS9DmmQ6Wcza4kIu4iWEQ9RzDVvdl/pIhAlT8pdpR5ejH1RNekw1Tf9 +LLVvx+RpGKWSP80ZYDmvGKcROOtVgXadRQeMewejXQ2SNPlgJLGmjHWi++ypBPqN +7v9gMi37JiL2gA/Iy2ZKkllh7u1NeAa5VLc27Et8ZowndWEdlMD2c00c9P3jcJHl +0qIrDfTRDRTaUxqrBW6HHJxz7tWFWANa7LCo+HbwUZQ+cBmlKQvMEO6EQ0h4bLpw +0nVkQVYw2FzBk9bmjE0QLGRz58VgKewTXEw3 -----END CERTIFICATE----- diff --git a/tests/fixtures/fingergw/root-ca.srl b/tests/fixtures/fingergw/root-ca.srl index 66703210af..15032a330a 100644 --- a/tests/fixtures/fingergw/root-ca.srl +++ b/tests/fixtures/fingergw/root-ca.srl @@ -1 +1 @@ -934206D5C13CBB47 +934206D5C13CBB48 diff --git a/tests/fixtures/fingergw/server.csr b/tests/fixtures/fingergw/server.csr deleted file mode 100644 index d29be5c490..0000000000 --- a/tests/fixtures/fingergw/server.csr +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICrDCCAZQCAQAwZzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMQ8wDQYD -VQQHDAZBdXN0aW4xHTAbBgNVBAoMFE9wZW5TdGFjayBGb3VuZGF0aW9uMRgwFgYD -VQQDDA9maW5nZXJndy1zZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQCq3XOVvoXw7TShJeqnJCoc6GoQppYMYcx9hmOs0P/B346fEVPuHi4LZEVO -Z/31tXJUA71LYBYJjhpG1Rk2foJnBaQbpbaFUqrpAWnfPaHIES8Tmty3tdMoDput -C7vCXDX6Dq4g9RkttRir8wPQTkiJ3N9WlnDN4G/4VxqgiGYvn4eK5R1DUd3fy8nL -9Df8l5J/1FuMCLasYJxYu6Q0dIyaqu2gQxvL4BU0pUhtG1Lgzk6hMl5l5/jIlBDP -t+tNNMDMnhtDORhipPwUfAXbu9jTeSOb912CYArGubhxq3Q6/wabhm9fU/ZnmOvc -Z0AMI1I3a8AJ6J9563EBb+DBQcsbAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA -pHrR07XajgkT51ubWpCcV5yJpEUdBHPcUSsYXp0Ee0PcylAGdfqYhk1iynaToih1 -tisOb2p9+Q066Y8Z78OYD+yyMu+cJc96iU5OrP2x4/5QEkF1VBwOryhpAg9PT9sq -bnxN5AQM+q0oA/bJ72Sp1685kfd+bdxTXV5sdpckoCBZ7xVbakc6UM6kmvmAgAMi -2kzYH5r2AAesaT8OE2HYiWEQlK7f/y3rUt0BnazgzdHDjJegyZyAieqyhJ6Eaobq -nlqoftbbxz5fEhnMCy/YE0CcTD1awBThGsUo06K0xD/Um7hH29c+m4dEfSwxOaCq -K9oOg6FxiDg0EzT3KaSnbA== ------END CERTIFICATE REQUEST----- 
diff --git a/tests/fixtures/fingergw/server.key b/tests/fixtures/fingergw/server.key deleted file mode 100644 index 3b462dec60..0000000000 --- a/tests/fixtures/fingergw/server.key +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCq3XOVvoXw7TSh -JeqnJCoc6GoQppYMYcx9hmOs0P/B346fEVPuHi4LZEVOZ/31tXJUA71LYBYJjhpG -1Rk2foJnBaQbpbaFUqrpAWnfPaHIES8Tmty3tdMoDputC7vCXDX6Dq4g9RkttRir -8wPQTkiJ3N9WlnDN4G/4VxqgiGYvn4eK5R1DUd3fy8nL9Df8l5J/1FuMCLasYJxY -u6Q0dIyaqu2gQxvL4BU0pUhtG1Lgzk6hMl5l5/jIlBDPt+tNNMDMnhtDORhipPwU -fAXbu9jTeSOb912CYArGubhxq3Q6/wabhm9fU/ZnmOvcZ0AMI1I3a8AJ6J9563EB -b+DBQcsbAgMBAAECggEAKu9CoBoj5gp08xloAV/hBSqRnGV/xtS8Yb5nRYGvArR+ -ThI4mNkUkOA9WhpfgmJ5vArEgjA+2V/P0oSxtTPM6L5OInRdjNrc/3fPdr0x7egD -gFWlqLQTvzkMfUs5fvlUxuTxdG6iSQ38iRijmLBTIfFSXZun9NO0zx50Hmqn4sc2 -V9+CkZFmOv9VbIOs/tdFIWWAdb5hmEWTSDyHsr3YGHILcSp6d+nFbFnk3gPBGH4J -m0Wii+lWxi4g2MpvcZO/dgrX8SlBwO87uBnYMd4i7/o9jeKZK2Sl7MYhplmtpNX4 -yhMS1973vWVO/U59eOF2II51LPlu7uUVV8A22kOK4QKBgQDSOY8ZPSIdQvVMtDhV -/s1Ne/g6cMSwWroRXRHY0UtXf5ZtCG2XuCdN8qjp1Xay2YEji7f8ldd4ttPAdk4i -LzQPs8/qwRPa5rg+I4Jh6zfb2IcPdcOED0wq8yLTYfXwrUsKr7jPGwbKscc+TyD6 -C6T2NKtruLgjw+JlXUvL5s/RtQKBgQDQEeHiraQYt50WvqxgTfADlxBlFRDMM1Gs -KN81ir8VC/+8TKCLEPtqc05eGKjOGdhMFO4inNQ0dufwO+NojLKjY6LBk7lfZqS5 -2QLWrxCRP+Lh95BzsKvDM3jS1bRVIJS+bFV6Sl33OUD57pCpQL5MD50bneFj4/yq -77qk05FrjwKBgAEB2ZerXVB6k6ZMbsCqud0XLPdKtwaJSL7wjTdWuV+v8s6O7cd+ -UGHlOb31Ed6FgELlVnpVVXT0m0sexf0P8NXqbKKZTjkMRfG2RdemQtxAy1TdoZQu -ZpUGGTKeE4mVqvhgIyiK3pt2Aphf1K6eA6pSUkfv2KIDPEB0E/rkHjbJAoGBAIG2 -JDPEPECMdwnu5FdFPxN94WKit04V0BybfktKq8TbLhqdSphnhdTe/UP764BQ7F7B -zZMWYdQzLHS/YQ2UaOki/Bvhk/a9boPNnc9oY9OpGC/2vb7hrLKMLA6D22AWZ6Qu -tTr/kYTF1JP6/YQGMJwKP88vpYs4XhPST3Dh1A5RAoGBAMXjBqaV1+hWsNmbvbH3 -CrHXum1IQBXRCuhvc6yb4SnC8NSnyrBJC92W44IUmMURZuDY8R7creVTmzwVqWWR -adzcLrZOblcwi0ooW0D8nEZbORobPGGsCjYyvC9M4TQRZS7kWmux5UDWeAa9jORM -1fygOOLhWpOjH7z1NYMjOXgl ------END PRIVATE KEY----- 
diff --git a/tests/fixtures/fingergw/server.pem b/tests/fixtures/fingergw/server.pem deleted file mode 100644 index fd0e705d5f..0000000000 --- a/tests/fixtures/fingergw/server.pem +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDRjCCAi4CCQCTQgbVwTy7RjANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJV -UzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEdMBsGA1UECgwUT3Bl -blN0YWNrIEZvdW5kYXRpb24xFDASBgNVBAMMC2Zpbmdlcmd3LWNhMB4XDTIxMDUz -MDAwMzQ1MFoXDTMxMDUyODAwMzQ1MFowZzELMAkGA1UEBhMCVVMxDjAMBgNVBAgM -BVRleGFzMQ8wDQYDVQQHDAZBdXN0aW4xHTAbBgNVBAoMFE9wZW5TdGFjayBGb3Vu -ZGF0aW9uMRgwFgYDVQQDDA9maW5nZXJndy1zZXJ2ZXIwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCq3XOVvoXw7TShJeqnJCoc6GoQppYMYcx9hmOs0P/B -346fEVPuHi4LZEVOZ/31tXJUA71LYBYJjhpG1Rk2foJnBaQbpbaFUqrpAWnfPaHI -ES8Tmty3tdMoDputC7vCXDX6Dq4g9RkttRir8wPQTkiJ3N9WlnDN4G/4VxqgiGYv -n4eK5R1DUd3fy8nL9Df8l5J/1FuMCLasYJxYu6Q0dIyaqu2gQxvL4BU0pUhtG1Lg -zk6hMl5l5/jIlBDPt+tNNMDMnhtDORhipPwUfAXbu9jTeSOb912CYArGubhxq3Q6 -/wabhm9fU/ZnmOvcZ0AMI1I3a8AJ6J9563EBb+DBQcsbAgMBAAEwDQYJKoZIhvcN -AQELBQADggEBAJR0VngrPAMNdbSbVIT5AazqKIlmiEeDjatVhOZWBme9tN7VsKiS -1xnX70dbgyX2pii+xKF4QCzvizz/byDdO9Ckf7hZYR+D1j9qosu0XNdNb0Pcrddh -cSvWk9W5lryzPFs8SDPoVQ4UpdOTYDYBQB0BTtw1w/i8GAy1AobTqzaezmfcTApw -ySnCvqSiLWffKZYaqynw67Lk/tLG6H8kO7bSn9uZzvzvu0X1/E5nSaLu5GltPo5q -eiuj1nUm8m0IgU5VJhT3BsoV3M4A4Gj6yqvFZFIoSudpnfYG0NiXGamWR5K7Qg7c -KbW3b+1ihkhGFq2wyrZczI5TdALqjndTJXs= ------END CERTIFICATE----- diff --git a/tests/unit/test_streaming.py b/tests/unit/test_streaming.py index 60659bd21e..41f0040939 100644 --- a/tests/unit/test_streaming.py +++ b/tests/unit/test_streaming.py 
@@ -157,8 +157,8 @@ class TestStreamingBase(tests.base.AnsibleZuulTestCase): context.verify_mode = ssl.CERT_REQUIRED context.check_hostname = False context.load_cert_chain( - os.path.join(FIXTURE_DIR, 'fingergw/client.pem'), - os.path.join(FIXTURE_DIR, 'fingergw/client.key')) + os.path.join(FIXTURE_DIR, 'fingergw/fingergw.pem'), + os.path.join(FIXTURE_DIR, 'fingergw/fingergw.key')) context.load_verify_locations( os.path.join(FIXTURE_DIR, 'fingergw/root-ca.pem')) s = context.wrap_socket(s) @@ -189,18 +189,12 @@ class TestStreamingBase(tests.base.AnsibleZuulTestCase): if self.fingergw_use_ssl: self.log.info('SSL enabled for fingergw') - config.set('fingergw', 'server_ssl_ca', + config.set('fingergw', 'tls_ca', os.path.join(FIXTURE_DIR, 'fingergw/root-ca.pem')) - config.set('fingergw', 'server_ssl_cert', - os.path.join(FIXTURE_DIR, 'fingergw/server.pem')) - config.set('fingergw', 'server_ssl_key', - os.path.join(FIXTURE_DIR, 'fingergw/server.key')) - config.set('fingergw', 'client_ssl_ca', - os.path.join(FIXTURE_DIR, 'fingergw/root-ca.pem')) - config.set('fingergw', 'client_ssl_cert', - os.path.join(FIXTURE_DIR, 'fingergw/client.pem')) - config.set('fingergw', 'client_ssl_key', - os.path.join(FIXTURE_DIR, 'fingergw/client.key')) + config.set('fingergw', 'tls_cert', + os.path.join(FIXTURE_DIR, 'fingergw/fingergw.pem')) + config.set('fingergw', 'tls_key', + os.path.join(FIXTURE_DIR, 'fingergw/fingergw.key')) gateway = FingerGateway( config, diff --git a/zuul/lib/fingergw.py b/zuul/lib/fingergw.py index a61a58ccc5..b9abb1f5d7 100644 --- a/zuul/lib/fingergw.py +++ b/zuul/lib/fingergw.py 
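Review bot: The `fingergw_use_ssl` branch in the second hunk (-189,18 +189,12) only renames the options, so the new `tls_client_only` setting is never exercised; the diffstat lists no other test file. A case that adds `config.set('fingergw', 'tls_client_only', 'true')` to the three `tls_*` paths and asserts that the gateway accepts a plaintext connection would pin the behaviour the option exists for. A second case with only one or two of the `tls_*` options set would document what the gateway does with an incomplete configuration. The enclosing method starts and ends outside the hunk.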
@@ -56,10 +56,9 @@ class RequestHandler(streamer_utils.BaseFingerRequestHandler): context = ssl.SSLContext(ssl.PROTOCOL_TLS) context.verify_mode = ssl.CERT_REQUIRED context.check_hostname = False - context.load_cert_chain(self.fingergw.finger_client_ssl_cert, - self.fingergw.finger_client_ssl_key) - context.load_verify_locations( - self.fingergw.finger_client_ssl_ca) + context.load_cert_chain(self.fingergw.tls_cert, + self.fingergw.tls_key) + context.load_verify_locations(self.fingergw.tls_ca) s = context.wrap_socket(s, server_hostname=server) # timeout only on the connection, let recv() wait forever @@ -168,21 +167,16 @@ class FingerGateway(object): self.command_socket_path = command_socket self.command_socket = None - # Fingergw server ssl settings - self.finger_server_ssl_key = get_default( - config, 'fingergw', 'server_ssl_key') - self.finger_server_ssl_cert = get_default( - config, 'fingergw', 'server_ssl_cert') - self.finger_server_ssl_ca = get_default( - config, 'fingergw', 'server_ssl_ca') - - # Fingergw client ssl settings - self.finger_client_ssl_key = get_default( - config, 'fingergw', 'client_ssl_key') - self.finger_client_ssl_cert = get_default( - config, 'fingergw', 'client_ssl_cert') - self.finger_client_ssl_ca = get_default( - config, 'fingergw', 'client_ssl_ca') + self.tls_key = get_default(config, 'fingergw', 'tls_key') + self.tls_cert = get_default(config, 'fingergw', 'tls_cert') + self.tls_ca = get_default(config, 'fingergw', 'tls_ca') + client_only = get_default(config, 'fingergw', 'tls_client_only', + default=False) + if (all([self.tls_key, self.tls_cert, self.tls_ca]) + and not client_only): + self.tls_listen = True + else: + self.tls_listen = False self.command_map = dict( stop=self.stop, 
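Review bot: With `check_hostname = False` kept on the context line above, the peer check in `RequestHandler` reduces to "holds any certificate signed by `tls_ca`", and after this change the single `tls_cert`/`tls_key` pair serves as both client and server identity. That trust model is worth stating next to the code, e.g. `# Hostname is not checked: any cert issued by tls_ca is accepted as any peer, so tls_ca should be a CA used only for Zuul log streaming.` The same pattern appears in `LogStreamer` in zuul/web/__init__.py (hunk -198,8 +198,8). The condition that decides whether this block runs is outside the hunk, so whether `tls_cert` can be None at this point cannot be confirmed from the visible lines.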
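Review bot: In `FingerGateway.__init__` (hunk -168,21 +167,16), a configuration with only one or two of `tls_key`, `tls_cert`, `tls_ca` set falls into the `else` branch, so the gateway starts as a plaintext listener without any error, although the documentation added in this commit says all three must be provided. Rejecting the partial case at startup keeps a typo from silently downgrading the listener: `tls_opts = [self.tls_key, self.tls_cert, self.tls_ca]` followed by `if any(tls_opts) and not all(tls_opts): raise Exception("fingergw tls_key, tls_cert and tls_ca must all be set")`. A config file that still uses the removed `server_ssl_*` names takes the same silent path; if those names ever shipped in a release, a warning for them would help. The flag itself can then be written as `self.tls_listen = all(tls_opts) and not client_only`.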
@@ -200,8 +194,7 @@ class FingerGateway(object): if self.zone is not None: self.component_info.zone = self.zone self.component_info.public_port = self.public_port - if all([self.finger_server_ssl_key, - self.finger_server_ssl_cert, self.finger_server_ssl_ca]): + if self.tls_listen: self.component_info.use_ssl = True self.component_info.register() @@ -232,14 +225,21 @@ class FingerGateway(object): self.gear_ssl_ca, client_id='Zuul Finger Gateway') + kwargs = dict( + user=self.user, + pid_file=self.pid_file, + ) + if self.tls_listen: + kwargs.update(dict( + server_ssl_ca=self.tls_ca, + server_ssl_cert=self.tls_cert, + server_ssl_key=self.tls_key, + )) + self.server = streamer_utils.CustomThreadingTCPServer( self.address, functools.partial(self.handler_class, fingergw=self), - server_ssl_ca=self.finger_server_ssl_ca, - server_ssl_cert=self.finger_server_ssl_cert, - server_ssl_key=self.finger_server_ssl_key, - user=self.user, - pid_file=self.pid_file) + **kwargs) # Update port that we really use if we configured a port of 0 if self.public_port == 0: diff --git a/zuul/web/__init__.py b/zuul/web/__init__.py index d6dfcabbba..d0694fc7b7 100755 --- a/zuul/web/__init__.py +++ b/zuul/web/__init__.py @@ -198,8 +198,8 @@ class LogStreamer(object): context.verify_mode = ssl.CERT_REQUIRED context.check_hostname = False context.load_cert_chain( - self.zuulweb.finger_ssl_cert, self.zuulweb.finger_ssl_key) - context.load_verify_locations(self.zuulweb.finger_ssl_ca) + self.zuulweb.finger_tls_cert, self.zuulweb.finger_tls_key) + context.load_verify_locations(self.zuulweb.finger_tls_ca) self.finger_socket = context.wrap_socket( self.finger_socket, server_hostname=server) 
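Review bot: In the hunk that builds `kwargs` for `CustomThreadingTCPServer` (zuul/lib/fingergw.py, -232,14 +225,21), nothing records whether the listener was started with or without TLS, so an operator cannot tell from the logs that `tls_client_only` or an incomplete `tls_*` set left the finger port unencrypted. One log line after the `if self.tls_listen:` block would cover it, e.g. `self.log.info("Finger gateway listening %s TLS", "with" if self.tls_listen else "without")`, assuming the class exposes its logger as `self.log`. The method starts and ends outside the hunk.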
@@ -1300,12 +1300,12 @@ class ZuulWeb(object): 'norepl': self.stop_repl, } - self.finger_ssl_key = get_default( - self.config, 'fingergw', 'client_ssl_key') - self.finger_ssl_cert = get_default( - self.config, 'fingergw', 'client_ssl_cert') - self.finger_ssl_ca = get_default( - self.config, 'fingergw', 'client_ssl_ca') + self.finger_tls_key = get_default( + self.config, 'fingergw', 'tls_key') + self.finger_tls_cert = get_default( + self.config, 'fingergw', 'tls_cert') + self.finger_tls_ca = get_default( + self.config, 'fingergw', 'tls_ca') route_map = cherrypy.dispatch.RoutesDispatcher() api = ZuulWebAPI(self)
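Review bot: `ZuulWeb.__init__` reads `tls_key`, `tls_cert` and `tls_ca` from the `[fingergw]` section without checking that they are set together, and the `LogStreamer` hunk (-198,8 +198,8) passes them straight to `load_cert_chain` and `load_verify_locations`. If the guard around that call, which is outside the visible lines, depends only on the remote end advertising TLS, a zuul-web with a missing or partial set would fail per stream request rather than at startup. A check here over the three values, e.g. `if any(opts) and not all(opts): raise ...`, would surface the misconfiguration early. A short comment that zuul-web reads the same `[fingergw]` options as the gateway, and so presumably needs read access to the `tls_key` file, would also help. The constructor starts and ends outside the hunk.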