From 1d57188a103a757f1eea7658b6bd9715607feec3 Mon Sep 17 00:00:00 2001 From: Thomas Gambier <thomas.gambier@nexedi.com> Date: Wed, 2 Dec 2020 19:42:49 +0100 Subject: [PATCH] software/turnserver: add insecure configuration --- software/turnserver/buildout.hash.cfg | 8 +- ...instance-insecure-turnserver.cfg.jinja2.in | 91 +++++++++++++++++++ .../instance-turnserver.cfg.jinja2.in | 1 + software/turnserver/instance.cfg.in | 8 ++ software/turnserver/software.cfg | 3 + software/turnserver/test/test.py | 58 ++++++++++++ 6 files changed, 167 insertions(+), 2 deletions(-) create mode 100644 software/turnserver/instance-insecure-turnserver.cfg.jinja2.in diff --git a/software/turnserver/buildout.hash.cfg b/software/turnserver/buildout.hash.cfg index 0a9f27690..f9535056f 100644 --- a/software/turnserver/buildout.hash.cfg +++ b/software/turnserver/buildout.hash.cfg @@ -15,8 +15,12 @@ [instance-cfg] filename = instance.cfg.in -md5sum = d027a2dccaf15ae6e7d3a28cc02d70c3 +md5sum = 776c7de2054f78ba79382c22d85018be [template-turnserver] filename = instance-turnserver.cfg.jinja2.in -md5sum = 539417d669c15b853ac8525f8d5cbc44 +md5sum = df8768f165036dbe0435bd1678b9deb3 + +[template-insecure-turnserver] +filename = instance-insecure-turnserver.cfg.jinja2.in +md5sum = 0e0807eef75a1ee6f9aef3a6a566a729 diff --git a/software/turnserver/instance-insecure-turnserver.cfg.jinja2.in b/software/turnserver/instance-insecure-turnserver.cfg.jinja2.in new file mode 100644 index 000000000..8e7f9cf05 --- /dev/null +++ b/software/turnserver/instance-insecure-turnserver.cfg.jinja2.in @@ -0,0 +1,91 @@ +{% set part_list = [] -%} +{% set server_name = slapparameter_dict.get('server-name', 'turn.example.com') -%} + +[directory] +recipe = slapos.cookbook:mkdirectory +etc = ${buildout:directory}/etc +bin = ${buildout:directory}/bin +srv = ${buildout:directory}/srv +var = ${buildout:directory}/var +run = ${:var}/run +log = ${:var}/log +scripts = ${:etc}/run +services = ${:etc}/service +plugins = ${:etc}/plugin + +[turnserver-password] +recipe = slapos.cookbook:generate.password +bytes = 8 + +{% set turn_port = slapparameter_dict.get('port', 3478) -%} +{% set turn_tls_port = slapparameter_dict.get('tls-port', 5349) -%} +{% set listining_ip = slapparameter_dict.get('listening-ip', (ipv4 | list)[0]) -%} +[turnserver-config] +recipe = collective.recipe.template +user = nxdturn +input = inline: + listening-port={{ turn_port }} + lt-cred-mech + realm={{ server_name }} +{% if slapparameter_dict.get('external-ip', '') %} + external-ip={{ slapparameter_dict['external-ip'] }} +{% endif %} + fingerprint + listening-ip={{ listining_ip }} + server-name={{ server_name }} + no-stdout-log + simple-log + log-file=${directory:log}/turnserver.log + pidfile=${directory:run}/turnserver.pid + verbose + user=${:user}:${turnserver-password:passwd} +output = ${directory:etc}/turnserver.conf +mode = 644 + +[turnserver-wrapper] +recipe = slapos.cookbook:wrapper +# XXX on first invocation of read-secret, the secret file is not yet generated +# so on first buildout run turnserver-config has an empty secret. +# We don't want to start the server when config file is not complete. +command-line = + {{ parameter_dict['turnserver-location'] }}/bin/turnserver -c ${turnserver-config:output} +wrapper-path = ${directory:services}/turnserver +hash-existing-files = ${buildout:directory}/software_release/buildout.cfg + +[promise-check-turnserver-port] +<= monitor-promise-base +module = check_port_listening +name = turnserver-port-listening.py +config-hostname = {{ listining_ip }} +config-port = {{ turn_port }} + +[promise-check-turnserver-tls-port] +<= monitor-promise-base +module = check_port_listening +name = turnserver-tls-port-listening.py +config-hostname = {{ listining_ip }} +config-port = {{ turn_tls_port }} + +[publish-connection-information] +<= monitor-publish +recipe = slapos.cookbook:publish +turn-url = {{ server_name ~ ':' ~ turn_port }} +user = ${turnserver-config:user} +password = ${turnserver-password:passwd} + +[buildout] + +extends = {{ template_monitor }} + +parts = + publish-connection-information +# Complete parts with sections + {{ part_list | join('\n ') }} +# turn server + turnserver-wrapper + promise-check-turnserver-tls-port + promise-check-turnserver-port + +eggs-directory = {{ eggs_directory }} +develop-eggs-directory = {{ develop_eggs_directory }} +offline = true diff --git a/software/turnserver/instance-turnserver.cfg.jinja2.in b/software/turnserver/instance-turnserver.cfg.jinja2.in index e2431d85a..bc77af9ed 100644 --- a/software/turnserver/instance-turnserver.cfg.jinja2.in +++ b/software/turnserver/instance-turnserver.cfg.jinja2.in @@ -99,6 +99,7 @@ input = inline: no-tlsv1 no-tlsv1_1 no-stdout-log + simple-log log-file=${directory:log}/turnserver.log userdb=${directory:srv}/turndb pidfile=${directory:run}/turnserver.pid diff --git a/software/turnserver/instance.cfg.in b/software/turnserver/instance.cfg.in index 378798236..d874c4e07 100644 --- a/software/turnserver/instance.cfg.in +++ b/software/turnserver/instance.cfg.in @@ -10,6 +10,7 @@ offline = true [switch-softwaretype] recipe = slapos.cookbook:softwaretype default = $${dynamic-template-turnserver:rendered} +insecure = $${dynamic-template-insecure-turnserver:rendered} RootSoftwareInstance = $${:default} [slap-configuration] @@ -50,3 +51,10 @@ template = ${template-turnserver:location}/${template-turnserver:filename} filename = instance-turnserver.cfg extra-context = section parameter_dict dynamic-template-turnserver-parameters + +[dynamic-template-insecure-turnserver] +<= jinja2-template-base +template = ${template-insecure-turnserver:location}/${template-insecure-turnserver:filename} +filename = instance-insecure-turnserver.cfg +extra-context = + section parameter_dict dynamic-template-turnserver-parameters diff --git a/software/turnserver/software.cfg b/software/turnserver/software.cfg index b1bebb40e..8d894c2b7 100644 --- a/software/turnserver/software.cfg +++ b/software/turnserver/software.cfg @@ -28,5 +28,8 @@ output = ${buildout:directory}/instance.cfg [template-turnserver] <= download-base +[template-insecure-turnserver] +<= download-base + [versions] slapos.recipe.template = 4.4 diff --git a/software/turnserver/test/test.py b/software/turnserver/test/test.py index b3672bdc5..c1e2a92ce 100644 --- a/software/turnserver/test/test.py +++ b/software/turnserver/test/test.py @@ -188,3 +188,61 @@ verbose""" % {'instance_path': self.partition_path, current_config = f.read().strip() self.assertEqual(current_config.splitlines(), expected_config.splitlines()) + +class TestInsecureServices(TurnServerTestCase): + + @classmethod + def getInstanceSoftwareType(cls): + return 'insecure' + + def test_process_list(self): + hash_list = [ + 'software_release/buildout.cfg', + ] + expected_process_names = [ + 'bootstrap-monitor', + 'turnserver-{hash}-on-watch', + 'certificate_authority-{hash}-on-watch', + 'crond-{hash}-on-watch', + 'monitor-httpd-{hash}-on-watch', + 'monitor-httpd-graceful', + ] + + with self.slap.instance_supervisor_rpc as supervisor: + process_name_list = [process['name'] + for process in supervisor.getAllProcessInfo()] + + hash_file_list = [os.path.join(self.computer_partition_root_path, path) + for path in hash_list] + + for name in expected_process_names: + h = generateHashFromFiles(hash_file_list) + expected_process_name = name.format(hash=h) + + self.assertIn(expected_process_name, process_name_list) + + def test_default_deployment(self): + self.assertTrue(os.path.exists(self.partition_path)) + connection_parameter_dict = self.computer_partition\ + .getConnectionParameterDict() + password = connection_parameter_dict['password'] + + + expected_config = """listening-port=3478 +lt-cred-mech +realm=turn.example.com +fingerprint +listening-ip=%(ipv4)s +server-name=turn.example.com +no-stdout-log +simple-log +log-file=%(instance_path)s/var/log/turnserver.log +pidfile=%(instance_path)s/var/run/turnserver.pid +verbose +user=nxdturn:%(password)""" % {'instance_path': self.partition_path, 'password': password, 'ipv4': self._ipv4_address} + + with open(os.path.join(self.partition_path, 'etc/turnserver.conf')) as f: + current_config = f.read().strip() + + self.assertEqual(current_config.splitlines(), expected_config.splitlines()) + -- 2.30.9