From 1d57188a103a757f1eea7658b6bd9715607feec3 Mon Sep 17 00:00:00 2001
From: Thomas Gambier <thomas.gambier@nexedi.com>
Date: Wed, 2 Dec 2020 19:42:49 +0100
Subject: [PATCH] software/turnserver: add insecure configuration

---
 software/turnserver/buildout.hash.cfg         |  8 +-
 ...instance-insecure-turnserver.cfg.jinja2.in | 91 +++++++++++++++++++
 .../instance-turnserver.cfg.jinja2.in         |  1 +
 software/turnserver/instance.cfg.in           |  8 ++
 software/turnserver/software.cfg              |  3 +
 software/turnserver/test/test.py              | 58 ++++++++++++
 6 files changed, 167 insertions(+), 2 deletions(-)
 create mode 100644 software/turnserver/instance-insecure-turnserver.cfg.jinja2.in

diff --git a/software/turnserver/buildout.hash.cfg b/software/turnserver/buildout.hash.cfg
index 0a9f27690..f9535056f 100644
--- a/software/turnserver/buildout.hash.cfg
+++ b/software/turnserver/buildout.hash.cfg
@@ -15,8 +15,12 @@
 
 [instance-cfg]
 filename = instance.cfg.in
-md5sum = d027a2dccaf15ae6e7d3a28cc02d70c3
+md5sum = 776c7de2054f78ba79382c22d85018be
 
 [template-turnserver]
 filename = instance-turnserver.cfg.jinja2.in
-md5sum = 539417d669c15b853ac8525f8d5cbc44
+md5sum = df8768f165036dbe0435bd1678b9deb3
+
+[template-insecure-turnserver]
+filename = instance-insecure-turnserver.cfg.jinja2.in
+md5sum = 0e0807eef75a1ee6f9aef3a6a566a729
diff --git a/software/turnserver/instance-insecure-turnserver.cfg.jinja2.in b/software/turnserver/instance-insecure-turnserver.cfg.jinja2.in
new file mode 100644
index 000000000..8e7f9cf05
--- /dev/null
+++ b/software/turnserver/instance-insecure-turnserver.cfg.jinja2.in
@@ -0,0 +1,91 @@
+{% set part_list = [] -%}
+{% set server_name = slapparameter_dict.get('server-name', 'turn.example.com') -%}
+
+[directory]
+recipe = slapos.cookbook:mkdirectory
+etc = ${buildout:directory}/etc
+bin = ${buildout:directory}/bin
+srv = ${buildout:directory}/srv
+var = ${buildout:directory}/var
+run = ${:var}/run
+log = ${:var}/log
+scripts = ${:etc}/run
+services = ${:etc}/service
+plugins = ${:etc}/plugin
+
+[turnserver-password]
+recipe = slapos.cookbook:generate.password
+bytes = 8
+
+{% set turn_port = slapparameter_dict.get('port', 3478) -%}
+{% set turn_tls_port = slapparameter_dict.get('tls-port', 5349) -%}
+{% set listining_ip = slapparameter_dict.get('listening-ip', (ipv4 | list)[0]) -%}
+[turnserver-config]
+recipe = collective.recipe.template
+user = nxdturn
+input = inline:
+  listening-port={{ turn_port }}
+  lt-cred-mech
+  realm={{ server_name }}
+{% if slapparameter_dict.get('external-ip', '') %}
+  external-ip={{ slapparameter_dict['external-ip'] }}
+{% endif %}
+  fingerprint
+  listening-ip={{ listining_ip }}
+  server-name={{ server_name }}
+  no-stdout-log
+  simple-log
+  log-file=${directory:log}/turnserver.log
+  pidfile=${directory:run}/turnserver.pid
+  verbose
+  user=${:user}:${turnserver-password:passwd}
+output = ${directory:etc}/turnserver.conf
+mode = 644
+
+[turnserver-wrapper]
+recipe = slapos.cookbook:wrapper
+# XXX on first invocation of read-secret, the secret file is not yet generated
+# so on first buildout run turnserver-config has an empty secret.
+# We don't want to start the server when config file is not complete.
+command-line =
+  {{ parameter_dict['turnserver-location'] }}/bin/turnserver -c ${turnserver-config:output}
+wrapper-path = ${directory:services}/turnserver
+hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
+
+[promise-check-turnserver-port]
+<= monitor-promise-base
+module = check_port_listening
+name = turnserver-port-listening.py
+config-hostname = {{ listining_ip }}
+config-port = {{ turn_port }}
+
+[promise-check-turnserver-tls-port]
+<= monitor-promise-base
+module = check_port_listening
+name = turnserver-tls-port-listening.py
+config-hostname = {{ listining_ip }}
+config-port = {{ turn_tls_port }}
+
+[publish-connection-information]
+<= monitor-publish
+recipe = slapos.cookbook:publish
+turn-url = {{ server_name ~ ':' ~ turn_port }}
+user = ${turnserver-config:user}
+password = ${turnserver-password:passwd}
+
+[buildout]
+
+extends = {{ template_monitor }}
+
+parts =
+  publish-connection-information
+# Complete parts with sections
+  {{ part_list | join('\n  ') }}
+# turn server
+  turnserver-wrapper
+  promise-check-turnserver-tls-port
+  promise-check-turnserver-port
+
+eggs-directory = {{ eggs_directory }}
+develop-eggs-directory = {{ develop_eggs_directory }}
+offline = true
diff --git a/software/turnserver/instance-turnserver.cfg.jinja2.in b/software/turnserver/instance-turnserver.cfg.jinja2.in
index e2431d85a..bc77af9ed 100644
--- a/software/turnserver/instance-turnserver.cfg.jinja2.in
+++ b/software/turnserver/instance-turnserver.cfg.jinja2.in
@@ -99,6 +99,7 @@ input = inline:
   no-tlsv1
   no-tlsv1_1
   no-stdout-log
+  simple-log
   log-file=${directory:log}/turnserver.log
   userdb=${directory:srv}/turndb
   pidfile=${directory:run}/turnserver.pid
diff --git a/software/turnserver/instance.cfg.in b/software/turnserver/instance.cfg.in
index 378798236..d874c4e07 100644
--- a/software/turnserver/instance.cfg.in
+++ b/software/turnserver/instance.cfg.in
@@ -10,6 +10,7 @@ offline = true
 [switch-softwaretype]
 recipe = slapos.cookbook:softwaretype
 default  = $${dynamic-template-turnserver:rendered}
+insecure  = $${dynamic-template-insecure-turnserver:rendered}
 RootSoftwareInstance = $${:default}
 
 [slap-configuration]
@@ -50,3 +51,10 @@ template = ${template-turnserver:location}/${template-turnserver:filename}
 filename = instance-turnserver.cfg
 extra-context =
   section parameter_dict dynamic-template-turnserver-parameters
+
+[dynamic-template-insecure-turnserver]
+<= jinja2-template-base
+template = ${template-insecure-turnserver:location}/${template-insecure-turnserver:filename}
+filename = instance-insecure-turnserver.cfg
+extra-context =
+  section parameter_dict dynamic-template-turnserver-parameters
diff --git a/software/turnserver/software.cfg b/software/turnserver/software.cfg
index b1bebb40e..8d894c2b7 100644
--- a/software/turnserver/software.cfg
+++ b/software/turnserver/software.cfg
@@ -28,5 +28,8 @@ output = ${buildout:directory}/instance.cfg
 [template-turnserver]
 <= download-base
 
+[template-insecure-turnserver]
+<= download-base
+
 [versions]
 slapos.recipe.template = 4.4
diff --git a/software/turnserver/test/test.py b/software/turnserver/test/test.py
index b3672bdc5..c1e2a92ce 100644
--- a/software/turnserver/test/test.py
+++ b/software/turnserver/test/test.py
@@ -188,3 +188,61 @@ verbose""" % {'instance_path': self.partition_path,
       current_config = f.read().strip()
 
     self.assertEqual(current_config.splitlines(), expected_config.splitlines())
+
+class TestInsecureServices(TurnServerTestCase):
+
+  @classmethod
+  def getInstanceSoftwareType(cls):
+    return 'insecure'
+
+  def test_process_list(self):
+    hash_list = [
+      'software_release/buildout.cfg',
+    ]
+    expected_process_names = [
+      'bootstrap-monitor',
+      'turnserver-{hash}-on-watch',
+      'certificate_authority-{hash}-on-watch',
+      'crond-{hash}-on-watch',
+      'monitor-httpd-{hash}-on-watch',
+      'monitor-httpd-graceful',
+    ]
+
+    with self.slap.instance_supervisor_rpc as supervisor:
+      process_name_list = [process['name']
+                     for process in supervisor.getAllProcessInfo()]
+
+    hash_file_list = [os.path.join(self.computer_partition_root_path, path)
+                      for path in hash_list]
+
+    for name in expected_process_names:
+      h = generateHashFromFiles(hash_file_list)
+      expected_process_name = name.format(hash=h)
+
+      self.assertIn(expected_process_name, process_name_list)
+
+  def test_default_deployment(self):
+    self.assertTrue(os.path.exists(self.partition_path))
+    connection_parameter_dict = self.computer_partition\
+      .getConnectionParameterDict()
+    password = connection_parameter_dict['password']
+
+
+    expected_config = """listening-port=3478
+lt-cred-mech
+realm=turn.example.com
+fingerprint
+listening-ip=%(ipv4)s
+server-name=turn.example.com
+no-stdout-log
+simple-log
+log-file=%(instance_path)s/var/log/turnserver.log
+pidfile=%(instance_path)s/var/run/turnserver.pid
+verbose
+user=nxdturn:%(password)""" % {'instance_path': self.partition_path, 'password': password, 'ipv4': self._ipv4_address}
+
+    with open(os.path.join(self.partition_path, 'etc/turnserver.conf')) as f:
+      current_config = f.read().strip()
+
+    self.assertEqual(current_config.splitlines(), expected_config.splitlines())
+
-- 
2.30.9