From 4365b7974ae4b5f4412bf33e12e0a47d647220c0 Mon Sep 17 00:00:00 2001
From: Philippe Caseiro
Date: Wed, 17 Jun 2020 16:12:58 +0200
Subject: [PATCH] Adding SSL support to eole-redis. Ubuntu don't build redis with SSL support so we use Stunnel to fill the gap. Here we add Stunnel full EOLE integration and Redis specifics. Maybe later we will want to have a specific package for eole-stunnel. ref #30338
---
 diagnose/70_redis | 30 +++++++++++++++++
 diagnose/70_stunnel | 23 +++++++++++++
 dicos/90_redis.xml | 17 ++++++++++
 dicos/90_stunnel.xml | 62 +++++++++++++++++++++++++++++++++++
 tmpl/90-stunnel_dynamic_rules | 7 ++++
 tmpl/redis-ssl.conf | 12 +++++++
 tmpl/stunnel.conf | 19 +++++++++++
 tmpl/stunnel_default | 18 ++++++++++
 8 files changed, 188 insertions(+)
 create mode 100644 diagnose/70_redis
 create mode 100644 diagnose/70_stunnel
 create mode 100644 dicos/90_stunnel.xml
 create mode 100644 tmpl/90-stunnel_dynamic_rules
 create mode 100644 tmpl/redis-ssl.conf
 create mode 100644 tmpl/stunnel.conf
 create mode 100644 tmpl/stunnel_default
diff --git a/diagnose/70_redis b/diagnose/70_redis
new file mode 100644
index 0000000..245ec1d
--- /dev/null
+++ b/diagnose/70_redis
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+if [ $(CreoleGet activer_redis) = "oui" ];then
+ . /usr/lib/eole/diagnose.sh
+
+ EchoGras "*** Service Redis"
+ nbIface=$(CreoleGet nombre_interfaces)
+ ssl=$(CreoleGet redisSSL non)
+ if [ ${nbIface} -eq 1 ]
+ then
+ TestService "Redis master iface 0" $(CreoleGet "adresse_ip_eth0"):$(CreoleGet "redisPort")
+ if [ ${ssl} = "oui" ]
+ then
+ TestService "Redis master SSL iface 0" $(CreoleGet "adresse_ip_eth0"):$(CreoleGet "redisSSLPort")
+ fi
+ echo
+ else
+ for iface in $(seq 0 ${nbIface})
+ do
+ TestService "Redis master iface ${iface}" $(CreoleGet "adresse_ip_eth${iface}"):$(CreoleGet "redisPort")
+ if [ ${ssl} = "oui" ]
+ then
+ TestService "Redis master SSL iface ${iface}" $(CreoleGet "adresse_ip_eth0"):$(CreoleGet "redisSSLPort")
+ fi
+ echo
+ done
+ fi
+fi
+
+exit 0
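Review bot: In the multi-interface branch the SSL probe reads `adresse_ip_eth0` on every iteration, so interfaces 1..n are never actually checked for the SSL port; the line should be `TestService "Redis master SSL iface ${iface}" $(CreoleGet "adresse_ip_eth${iface}"):$(CreoleGet "redisSSLPort")`. The loop bound `$(seq 0 ${nbIface})` also runs one past the last interface if nombre_interfaces counts from eth0, as the single-interface branch assumes — `$(seq 0 $((nbIface - 1)))` would fix that and make the one-interface special case redundant. The `[ $(CreoleGet ...) = "oui" ]` tests and the `${ssl}` comparisons are unquoted, so an empty CreoleGet answer produces a bash test error instead of a clean "non"; quoting the expansions (`[ "$(CreoleGet activer_redis)" = "oui" ]`) avoids that.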
diff --git a/diagnose/70_stunnel b/diagnose/70_stunnel
new file mode 100644
index 0000000..5dc2b30
--- /dev/null
+++ b/diagnose/70_stunnel
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+if [ $(CreoleGet activer_stunnel) = "oui" ];then
+ if [ $(CreoleGet stunnel_add_tunnels non ) = "oui" ];then
+ . /usr/lib/eole/diagnose.sh
+
+ EchoGras "*** Service Stunnel"
+ name=($(CreoleGet stunnel_name))
+ acc_ip=($(CreoleGet stunnel_accept_ip))
+ acc_port=($(CreoleGet stunnel_accept_port))
+ conn_ip=($(CreoleGet stunnel_connect_ip))
+ conn_port=($(CreoleGet stunnel_connect_port))
+
+ len=${#name[@]}
+ for (( i=0; i<$len; i++ ))
+ do
+ TestService "Tunnel ${name[$i]}: ${acc_ip}:${acc_port} => ${conn_ip}:${conn_port}" ${acc_ip}:${acc_port}
+ done
+ echo
+ fi
+fi
+
+exit 0
\ No newline at end of file
diff --git a/dicos/90_redis.xml b/dicos/90_redis.xml
index 8ed3d21..b6bb934 100644
--- a/dicos/90_redis.xml
+++ b/dicos/90_redis.xml
@@ -6,10 +6,12 @@ + redis-server redis2-server redisPort + redisSSLPort redisClPort redisPortSlave redisClPortSlave
@@ -29,6 +31,9 @@ Local + + non + non
@@ -38,6 +43,12 @@ 6379 + + 6380 + + + TLSv1 + 512
@@ -127,6 +138,12 @@ svredis + + non + redisSSLPort + saSSLRedis + + non redisSlave
diff --git a/dicos/90_stunnel.xml b/dicos/90_stunnel.xml
new file mode 100644
index 0000000..aaa2ff1
--- /dev/null
+++ b/dicos/90_stunnel.xml
@@ -0,0 +1,62 @@ + + + + + + + + stunnel4 + + + + + oui + + + + + + non + + + + + + + + TLSv1 + + + + + + non + stunnel-custom + stunnel + stunnel + stunnel + saStunnel + + + non + stunnel-custom + stunnel_name + stunnel_accept_ip + stunnel_accept_port + stunnel_connect_ip + stunnel_connect_port + stunnel_ssl_version + + + stunnel_accept_ip + stunnel_accept_port + stunnel_connect_ip + stunnel_connect_port + stunnel_ssl_version + + + + + Activer le service mandataire SSL (stunnel) + +
diff --git a/tmpl/90-stunnel_dynamic_rules b/tmpl/90-stunnel_dynamic_rules
new file mode 100644
index 0000000..cc3d2c6
--- /dev/null
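Review bot: Inside the `for (( i=0; i<$len; i++ ))` loop only `${name[$i]}` is indexed; `${acc_ip}`, `${acc_port}`, `${conn_ip}` and `${conn_port}` expand to element 0 of their arrays, so every tunnel after the first is labelled with, and probed at, the first tunnel's endpoint. The TestService line should read `TestService "Tunnel ${name[$i]}: ${acc_ip[$i]}:${acc_port[$i]} => ${conn_ip[$i]}:${conn_port[$i]}" ${acc_ip[$i]}:${acc_port[$i]}`. The arrays are also built by word-splitting CreoleGet output, so an empty stunnel_accept_ip (a case tmpl/stunnel.conf explicitly handles) would drop out of acc_ip and shift every later index; if CreoleGet can return blanks here, read the values with `mapfile -t` or handle the empty case before probing.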
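Review bot: The `TLSv1` value added in the third 90_redis.xml hunk (right after the `6380` default and consumed by tmpl/redis-ssl.conf as `SSLversion=%%redisSSLVersion`) pins the tunnel to TLS 1.0 only, since stunnel 5 treats a named sslVersion as that single protocol version; TLS 1.0 is deprecated and is refused by the default OpenSSL security level on current Ubuntu releases, so clients would fail to negotiate. A default of `TLSv1.2` is the safer choice. The same `TLSv1` default is declared for stunnel_ssl_version in the dicos/90_stunnel.xml hunk and used by tmpl/stunnel.conf. The XML tags are stripped in this rendering, so the element the value belongs to is inferred from its position.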
+++ b/tmpl/90-stunnel_dynamic_rules
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+%for %%tunnel in %%stunnel_name
+ %for %%int_idx in %%range(0, %%int(%%nombre_interfaces))
+/sbin/iptables -A eth%%{int_idx}-root -s 0.0.0.0/0.0.0.0 -p tcp -m tcp --dport %%tunnel.stunnel_accept_port --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
+ %end for
+%end for
diff --git a/tmpl/redis-ssl.conf b/tmpl/redis-ssl.conf
new file mode 100644
index 0000000..feafc20
--- /dev/null
+++ b/tmpl/redis-ssl.conf
@@ -0,0 +1,12 @@
+pid = /var/run/redis-stunnel.pid
+
+%if %%redisMode == "Local"
+[redis-local]
+cert = %%server_cert
+key = %%server_key
+CApath = %%os.path.dirname(%%server_cert)
+verify = 2
+SSLversion=%%redisSSLVersion
+accept = %%redisSSLPort
+connect = %%redisPort
+%end if
diff --git a/tmpl/stunnel.conf b/tmpl/stunnel.conf
new file mode 100644
index 0000000..6d9429e
--- /dev/null
+++ b/tmpl/stunnel.conf
@@ -0,0 +1,19 @@
+pid = /var/run/stunnel.pid
+%for %%tunnel in %%stunnel_name
+[%%tunnel]
+cert = %%server_cert
+key = %%server_key
+CApath = %%os.path.dirname(%%server_cert)
+verify = 2
+SSLversion=%%tunnel.stunnel_ssl_version
+ %if %%is_empty(%%tunnel.stunnel_accept_ip)
+accept = %%tunnel.stunnel_accept_port
+ %else
+accept = %%{tunnel.stunnel_accept_ip}:%%{tunnel.stunnel_accept_port}
+ %end if
+ %if %%is_empty(%%tunnel.stunnel_connect_ip)
+connect = %%tunnel.stunnel_connect_port
+ %else
+connect = %%{tunnel.stunnel_connect_ip}:%%{tunnel.stunnel_connect_port}
+ %end if
+%end for
diff --git a/tmpl/stunnel_default b/tmpl/stunnel_default
new file mode 100644
index 0000000..5daefcf
--- /dev/null
+++ b/tmpl/stunnel_default
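Review bot: The generated rule `-A eth%%{int_idx}-root -s 0.0.0.0/0.0.0.0 ... --dport %%tunnel.stunnel_accept_port -j ACCEPT` opens every tunnel's accept port on every interface to any source, even when the administrator bound the tunnel to one address through stunnel_accept_ip (tmpl/stunnel.conf then emits `accept = ip:port`). The rule should carry `-d %%tunnel.stunnel_accept_ip` whenever that field is set, so the firewall matches what stunnel actually listens on; the template already uses `%%is_empty` for exactly this test. For the empty-IP case stunnel listens on all addresses, so the broad rule is accurate there, but that deserves a comment at the top of the template (`# opens each tunnel's accept port on every interface; set stunnel_accept_ip to limit exposure`).
```shell
# … unchanged: outer %for over %%stunnel_name and %%int_idx …
    %if %%is_empty(%%tunnel.stunnel_accept_ip)
/sbin/iptables -A eth%%{int_idx}-root -s 0.0.0.0/0.0.0.0 -p tcp -m tcp --dport %%tunnel.stunnel_accept_port --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
    %else
/sbin/iptables -A eth%%{int_idx}-root -s 0.0.0.0/0.0.0.0 -d %%tunnel.stunnel_accept_ip -p tcp -m tcp --dport %%tunnel.stunnel_accept_port --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
    %end if
# … unchanged: the two %end for lines …
```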
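Review bot: `verify = 2` together with `CApath = %%os.path.dirname(%%server_cert)` makes a client certificate mandatory for every Redis client connecting to `%%redisSSLPort`, and OpenSSL only finds certificates in a CApath directory that has been hashed (`openssl rehash` / `c_rehash`); neither requirement is stated in the template. If the intent is only to encrypt the link, omitting `verify` is what Redis clients will expect; if mutual TLS is intended, `CAfile = <path to the CA bundle>` is the unambiguous form and the client-certificate requirement deserves a comment above the `[redis-local]` section. Separately, the section is only rendered when `%%redisMode == "Local"` while diagnose/70_redis probes the SSL port whenever redisSSL is oui, so in the other modes the rendered file holds only the `pid` line and the diagnostic will report the port down — how those modes are meant to get a tunnel is not visible here.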
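Review bot: The bare-port forms emitted when the IP fields are empty have the widest and narrowest defaults respectively, and the template does not say so: `accept = %%tunnel.stunnel_accept_port` makes stunnel listen on all local IPv4 addresses, while `connect = %%tunnel.stunnel_connect_port` goes to localhost. A two-line comment under `[%%tunnel]` stating those defaults would keep an administrator from unintentionally exposing a tunnel on the external interface, which the matching iptables template opens on every interface. The `verify = 2` / `CApath` pairing has the same client-certificate and hashed-directory implications as in tmpl/redis-ssl.conf, and `[%%tunnel]` is taken verbatim from stunnel_name, so whether the dictionary constrains that value to a safe section-name character set is worth confirming.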
@@ -0,0 +1,18 @@
+# /etc/default/stunnel
+# Julien LEMOINE
+# September 2003
+
+# Change to one to enable stunnel automatic startup
+ENABLED=1
+FILES="/etc/stunnel/*.conf"
+OPTIONS="%%stunnel_opts"
+
+# Change to one to enable ppp restart scripts
+PPP_RESTART=0
+
+# Change to enable the setting of limits on the stunnel instances
+# For example, to set a large limit on file descriptors (to enable
+# more simultaneous client connections), set RLIMITS="-n 4096"
+# More than one resource limit may be modified at the same time,
+# e.g. RLIMITS="-n 4096 -d unlimited"
+RLIMITS=""