caddy-frontend: Protect against slave's wrong certificate and key

Instead of relying on slapos.cookbook:certificate_authority recipe, which stops buildout processing, extract the minimal implementation to runtime key/certificate validator and reject slaves, which does not pass this test. This commits results in TODO item being done.

caddy-frontend: Protect against slave's wrong certificate and key
Instead of relying on slapos.cookbook:certificate_authority recipe, which stops buildout processing, extract the minimal implementation to runtime key/certificate validator and reject slaves, which does not pass this test. This commits results in TODO item being done.
6073096a · Łukasz Nowak · Łukasz Nowak · 9872a4dc · 6073096a · 6073096a
Commit 6073096a authored Aug 09, 2018 by Łukasz Nowak Committed by Łukasz Nowak Sep 06, 2018
6 changed files
--- a/software/caddy-frontend/TODO.rst
+++ b/software/caddy-frontend/TODO.rst
@@ -2,7 +2,6 @@ Generally things to be done with ``caddy-frontend``:

 * tests: add assertion with results of promises in etc/promise for each partition
 * check the whole frontend slave snippet with ``caddy -validate`` during buildout run, and reject if does not pass validation
- * check that all options from ``instance-slave-caddy-input-schema.json`` are safe to be used
 * ``apache-ca-certificate`` shall be merged with ``apache-certificate``

   * ``apache-ca-certificate`` shall be appended to ``apache-certificate`` if not already there

--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -14,7 +14,7 @@
 # not need these here).
 [template]
 filename = instance.cfg.in
-md5sum = 5360ac713bc1f00b2668238027dc253b
+md5sum = ae708bdef97812bad1223b94fae750b3

 [template-common]
 filename = instance-common.cfg.in
@@ -26,11 +26,11 @@ md5sum = 750e2b1c922bf14511a3bc8a42468b1b

 [template-apache-replicate]
 filename = instance-apache-replicate.cfg.in
-md5sum = 2f370174b18f27db5c0f9daf83df8104
+md5sum = 70d923e4fd5cfdb52bc4cbd04f9e01d2

 [template-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
-md5sum = c57a982d18cf7f36f5d34b80738ea726
+md5sum = ed1c086f0548a908661b294e845dc008

 [template-slave-configuration]
 filename = templates/custom-virtualhost.conf.in
@@ -46,7 +46,7 @@ md5sum = 7c987ad75fcce6f5b925c7696ff41971

 [template-custom-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
-md5sum = c57a982d18cf7f36f5d34b80738ea726
+md5sum = ed1c086f0548a908661b294e845dc008

 [caddy-backend-url-validator]
 filename = templates/caddy-backend-url-validator.in

--- a/software/caddy-frontend/instance-apache-replicate.cfg.in
+++ b/software/caddy-frontend/instance-apache-replicate.cfg.in
@@ -9,6 +9,7 @@ context =
    raw common_profile {{ common_profile }}
    ${:extra-context}

+{% set popen = functools_module.partial(subprocess_module.Popen, stdout=subprocess_module.PIPE, stderr=subprocess_module.STDOUT, stdin=subprocess_module.PIPE) %}
 {% set part_list = [] %}
 {% set single_type_key = 'single-' %}
 {% if slap_software_type == "replicate" %}
@@ -80,6 +81,15 @@ context =
 {%         do slave_dict.__setitem__('state', False) %}
 {%       endif %}
 {%     endif %}
+{%     if slave.get('ssl_key') and slave.get('ssl_crt') %}
+{%       set key_popen = popen([openssl, 'rsa', '-noout', '-modulus']) %}
+{%       set crt_popen = popen([openssl, 'x509', '-noout', '-modulus']) %}
+{%       set key_modulus = key_popen.communicate(slave['ssl_key'])[0] | trim %}
+{%       set crt_modulus = crt_popen.communicate(slave['ssl_crt'])[0] | trim %}
+{%       if not key_modulus or key_modulus != crt_modulus  %}
+{%         do slave_dict.__setitem__('state', False) %}
+{%       endif %}
+{%     endif %}
 {%     if slave.get('custom_domain') %}
 {%       if not validators.domain(slave['custom_domain']) %}
 {%         do slave_dict.__setitem__('state', False) %}

--- a/software/caddy-frontend/instance.cfg.in
+++ b/software/caddy-frontend/instance.cfg.in
@@ -48,9 +48,12 @@ depends = ${caddyprofiledeps:recipe}
 template = {{ template_caddy_replicate }}
 filename = instance-caddy-replicate.cfg
 extensions = jinja2.ext.do
+openssl = {{ template_frontend_parameter_dict['openssl'] ~ '/bin/openssl' }}
 extra-context =
    import subprocess_module subprocess
+    import functools_module functools
    import validators validators
+    key openssl :openssl
    raw caddy_backend_url_validator {{ caddy_backend_url_validator }}
    raw template_publish_slave_information {{ template_replicate_publish_slave_information }}
 # Must match the key id in [switch-softwaretype] which uses this section.

--- a/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
+++ b/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
@@ -169,25 +169,27 @@ value = {{ dumps(slave_instance.get(cert_name)) }}
 {%     set cert_file = '/'.join([custom_ssl_directory, cert_title.replace('-','.')]) %}
 {%     set key_file = '/'.join([custom_ssl_directory, key_title.replace('-','.')]) %}
 {%     do part_list.append(cert_title) %}
+{%     do part_list.append(key_title) %}
 {%     do slave_parameter_dict.__setitem__("ssl_crt", cert_file) %}
 {%     do slave_parameter_dict.__setitem__("ssl_key", key_file) %}
 {%     do slave_instance.__setitem__('path_to_ssl_crt', cert_file) %}
 {%     do slave_instance.__setitem__('path_to_ssl_key', key_file) %}

-[{{cert_title}}]
-recipe = slapos.cookbook:certificate_authority.request
-#openssl-binary = ${openssl:location}/bin/openssl
-
-requests-directory = ${cadirectory:requests}
-ca-private = ${cadirectory:private}
-ca-certs = ${cadirectory:certs}
-ca-newcerts = ${cadirectory:newcerts}
-ca-crl = ${cadirectory:crl}
-
-key-file = {{ key_file }}
-cert-file = {{ cert_file }}
+[{{key_title}}]
+< = jinja2-template-base
+template = {{ empty_template }}
+rendered = {{ key_file }}
 key-content = {{ dumps(slave_instance.get('ssl_key')) }}
-cert-content = {{ dumps(slave_instance.get('ssl_crt')) }} 
+extra-context =
+    key content :key-content
+
+[{{cert_title}}]
+< = jinja2-template-base
+template = {{ empty_template }}
+rendered = {{ cert_file }}
+cert-content = {{ dumps(slave_instance.get('ssl_crt')) }}
+extra-context =
+    key content :cert-content
 {%     endif %}

 {# ########################################## #}

--- a/software/caddy-frontend/test/test.py
+++ b/software/caddy-frontend/test/test.py
@@ -3063,6 +3063,10 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
      'monitor-ipv6-test-unsafe': {
        'monitor-ipv6-test': '${section:option}\nafternewline ipv6',
      },
+      'ssl_key-ssl_crt-unsafe': {
+        'ssl_key': '${section:option}ssl_keyunsafe\nunsafe',
+        'ssl_crt': '${section:option}ssl_crtunsafe\nunsafe',
+      },
    }

  def test_master_partition_state(self):
@@ -3073,10 +3077,11 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
      'monitor-base-url': None,
      'domain': 'example.com',
      'accepted-slave-amount': '7',
-      'rejected-slave-amount': '2',
-      'slave-amount': '9',
+      'rejected-slave-amount': '3',
+      'slave-amount': '10',
      'rejected-slave-list':
-      '["_server-alias-unsafe", "_custom_domain-unsafe"]'}
+      '["_server-alias-unsafe", "_custom_domain-unsafe", '
+      '"_ssl_key-ssl_crt-unsafe"]'}

    self.assertEqual(
      expected_parameter_dict,
@@ -3353,3 +3358,11 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
      '-a ${section:option} afternewline ipv6',
      subprocess.check_output(monitor_file).strip()
    )
+
+  def test_ssl_key_ssl_crt_unsafe(self):
+    parameter_dict = self.slave_connection_parameter_dict_dict[
+      'ssl_key-ssl_crt-unsafe']
+    self.assertEqual(
+      parameter_dict,
+      {}
+    )