Commit d44a97f9 authored by Łukasz Nowak's avatar Łukasz Nowak

Implement optional key authorisation entry point.

parent 4bdba2e6
......@@ -74,10 +74,11 @@ class Recipe(BaseSlapRecipe):
if self.parameter_dict.get("slap_software_type", "").lower() == "cluster":
# Site access is done by HAProxy
zope_access, site_access = self.installZopeCluster()
zope_access, site_access, key_access = self.installZopeCluster(ca_conf)
else:
zope_access = self.installZopeStandalone()
site_access = zope_access
key_access = None
key, certificate = self.requestCertificate('Login Based Access')
apache_conf = dict(
......@@ -120,6 +121,8 @@ class Recipe(BaseSlapRecipe):
memcached_url=memcached_conf['memcached_url'],
kumo_url=kumo_conf['kumo_address']
))
if key_access is not None:
connection_dict['key_access'] = key_access
self.setConnectionDict(connection_dict)
return self.path_list
......@@ -144,7 +147,66 @@ class Recipe(BaseSlapRecipe):
with_timerservice=True,
thread_amount=thread_amount_per_zope)
def installZopeCluster(self):
def installKeyAuthorisationApache(self, ipv6, port, backend, key, certificate,
ca_conf, key_auth_path='/'):
if ipv6:
ip = self.getGlobalIPv6Address()
else:
ip = self.getLocalIPv4Address()
ssl_template = """SSLEngine on
SSLVerifyClient require
RequestHeader set REMOTE_USER %%{SSL_CLIENT_S_DN_CN}s
SSLCertificateFile %(key_auth_certificate)s
SSLCertificateKeyFile %(key_auth_key)s
SSLCACertificateFile %(ca_certificate)s
SSLCARevocationPath %(ca_crl)s"""
apache_conf = self._getApacheConfigurationDict('key_auth_apache', ip, port)
apache_conf['ssl_snippet'] = ssl_template % dict(
key_auth_certificate=certificate,
key_auth_key=key,
ca_certificate=ca_conf['ca_certificate'],
ca_crl=ca_conf['ca_crl']
)
prefix = 'ssl_key_auth_apache'
rewrite_rule_template = \
"RewriteRule (.*) http://%(backend)s%(key_auth_path)s$1 [L,P]"
path_template = pkg_resources.resource_string('slapos.recipe.erp5',
'template/apache.zope.conf.path.in')
path = path_template % dict(path='/')
d = dict(
path=path,
backend=backend,
backend_path='/',
port=apache_conf['port'],
vhname=path.replace('/', ''),
key_auth_path=key_auth_path,
)
rewrite_rule = rewrite_rule_template % d
apache_conf.update(**dict(
path_enable=path,
rewrite_rule=rewrite_rule
))
apache_config_file = self.createConfigurationFile(prefix + '.conf',
pkg_resources.resource_string('slapos.recipe.erp5',
'template/apache.zope.conf.in') % apache_conf)
self.path_list.append(apache_config_file)
self.path_list.extend(zc.buildout.easy_install.scripts([(
'key_auth_apache',
'slapos.recipe.erp5.apache', 'runApache')], self.ws,
sys.executable, self.wrapper_directory, arguments=[
dict(
required_path_list=[certificate, key, ca_conf['ca_certificate'],
ca_conf['ca_crl']],
binary=self.options['httpd_binary'],
config=apache_config_file
)
]))
if ipv6:
return 'https://[%(ip)s:%(port)s]' % apache_conf
else:
return 'https://%(ip)s:%(port)s' % apache_conf
def installZopeCluster(self, ca_conf=None):
""" Install ERP5 using ZEO Cluster
"""
site_check_path = '/%s/getId' % self.site_id
......@@ -157,6 +219,9 @@ class Recipe(BaseSlapRecipe):
user_node_amount = int(self.options.get(
"cluster_user_node_amount", 2))
key_auth_node_amount = int(self.options.get(
"key_auth_node_amount", 0))
ip = self.getLocalIPv4Address()
storage_dict = self._requestZeoFileStorage('Zeo Server 1', 'main')
......@@ -210,11 +275,28 @@ class Recipe(BaseSlapRecipe):
login_haproxy = self.installHaproxy(ip, 15001, 'login',
site_check_path, login_url_list)
key_access = None
if key_auth_node_amount > 0:
service_url_list = []
for i in range(key_auth_node_amount):
zope_port += 1
service_url_list.append(self.installZope(ip, zope_port,
'zope_service_%s' % i, with_timerservice=False,
zodb_configuration_string=zodb_configuration_string,
tidstorage_config=tidstorage_config))
service_haproxy = self.installHaproxy(ip, 15000, 'service',
site_check_path, service_url_list)
key_auth_key, key_auth_certificate = self.requestCertificate(
'Key Based Access')
key_access = self.installKeyAuthorisationApache(True, 15500,
service_haproxy, key_auth_key, key_auth_certificate, ca_conf)
self.installTidStorage(tidstorage_config['host'],
tidstorage_config['port'],
known_tid_storage_identifier_dict, 'http://' + login_haproxy)
return login_url_list[-1], login_haproxy
return login_url_list[-1], login_haproxy, key_access
def _requestZeoFileStorage(self, server_name, storage_name):
"""Local, slap.request compatible, call to ask for filestorage on Zeo
......
......@@ -34,58 +34,6 @@ class Recipe(slapos.recipe.erp5.Recipe):
default_bt5_list = []
def installKeyAuthorisationApache(self, ip, port, backend, key, certificate,
ca_conf, key_auth_path='/erp5/portal_slap'):
ssl_template = """SSLEngine on
SSLVerifyClient require
RequestHeader set REMOTE_USER %%{SSL_CLIENT_S_DN_CN}s
SSLCertificateFile %(key_auth_certificate)s
SSLCertificateKeyFile %(key_auth_key)s
SSLCACertificateFile %(ca_certificate)s
SSLCARevocationPath %(ca_crl)s"""
apache_conf = self._getApacheConfigurationDict('key_auth_apache', ip, port)
apache_conf['ssl_snippet'] = ssl_template % dict(
key_auth_certificate=certificate,
key_auth_key=key,
ca_certificate=ca_conf['ca_certificate'],
ca_crl=ca_conf['ca_crl']
)
prefix = 'ssl_key_auth_apache'
rewrite_rule_template = \
"RewriteRule (.*) http://%(backend)s%(key_auth_path)s$1 [L,P]"
path_template = pkg_resources.resource_string('slapos.recipe.erp5',
'template/apache.zope.conf.path.in')
path = path_template % dict(path='/')
d = dict(
path=path,
backend=backend,
backend_path='/',
port=apache_conf['port'],
vhname=path.replace('/', ''),
key_auth_path=key_auth_path,
)
rewrite_rule = rewrite_rule_template % d
apache_conf.update(**dict(
path_enable=path,
rewrite_rule=rewrite_rule
))
apache_config_file = self.createConfigurationFile(prefix + '.conf',
pkg_resources.resource_string('slapos.recipe.erp5',
'template/apache.zope.conf.in') % apache_conf)
self.path_list.append(apache_config_file)
self.path_list.extend(zc.buildout.easy_install.scripts([(
'key_auth_apache',
'slapos.recipe.erp5.apache', 'runApache')], self.ws,
sys.executable, self.wrapper_directory, arguments=[
dict(
required_path_list=[certificate, key, ca_conf['ca_certificate'],
ca_conf['ca_crl']],
binary=self.options['httpd_binary'],
config=apache_config_file
)
]))
return 'https://%(ip)s:%(port)s' % apache_conf
def _getZeoClusterDict(self):
site_path = '/erp5/'
return {
......@@ -172,9 +120,9 @@ SSLCARevocationPath %(ca_crl)s"""
key_auth_key, key_auth_certificate = self.requestCertificate(
'Key Based Access')
apache_keyauth = self.installKeyAuthorisationApache(
self.getLocalIPv4Address(), 15500, service_haproxy, key_auth_key,
key_auth_certificate, ca_conf, key_auth_path=self.key_auth_path)
apache_keyauth = self.installKeyAuthorisationApache(False, 15500,
service_haproxy, key_auth_key, key_auth_certificate, ca_conf,
key_auth_path=self.key_auth_path)
memcached_conf = self.installMemcached(ip=self.getLocalIPv4Address(),
port=11000)
kumo_conf = self.installKumo(self.getLocalIPv4Address())
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment