Adding SSL support to eole-redis.

Ubuntu don't build redis with SSL support so we
use Stunnel to fill the gap.

Here we add Stunnel full EOLE integration and Redis specifics.

Maybe later we will want to have a specific package for eole-stunnel.

ref #30338

diagnose/70_redis

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+if [ $(CreoleGet activer_redis) = "oui" ];then
+    . /usr/lib/eole/diagnose.sh
+
+    EchoGras "*** Service Redis"
+    nbIface=$(CreoleGet nombre_interfaces)
+    ssl=$(CreoleGet redisSSL non)
+    if [ ${nbIface} -eq 1 ]
+    then
+        TestService "Redis master iface 0" $(CreoleGet "adresse_ip_eth0"):$(CreoleGet "redisPort")
+        if [ ${ssl}  = "oui" ]
+        then
+            TestService "Redis master SSL iface 0" $(CreoleGet "adresse_ip_eth0"):$(CreoleGet "redisSSLPort")
+        fi
+        echo
+    else
+        for iface in $(seq 0 ${nbIface})
+        do
+            TestService "Redis master iface ${iface}" $(CreoleGet "adresse_ip_eth${iface}"):$(CreoleGet "redisPort")
+            if [ ${ssl} = "oui" ]
+            then
+                TestService "Redis master SSL iface ${iface}" $(CreoleGet "adresse_ip_eth0"):$(CreoleGet "redisSSLPort")
+            fi
+            echo
+        done
+    fi
+fi
+
+exit 0

diagnose/70_stunnel

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+if [ $(CreoleGet activer_stunnel) = "oui" ];then
+    if [ $(CreoleGet stunnel_add_tunnels non ) = "oui" ];then
+        . /usr/lib/eole/diagnose.sh
+
+        EchoGras "*** Service Stunnel"
+        name=($(CreoleGet stunnel_name))
+        acc_ip=($(CreoleGet stunnel_accept_ip))
+        acc_port=($(CreoleGet stunnel_accept_port))
+        conn_ip=($(CreoleGet stunnel_connect_ip))
+        conn_port=($(CreoleGet stunnel_connect_port))
+        
+        len=${#name[@]}
+        for (( i=0; i<$len; i++ ))
+        do 
+            TestService "Tunnel ${name[$i]}: ${acc_ip}:${acc_port} => ${conn_ip}:${conn_port}" ${acc_ip}:${acc_port}
+        done
+        echo
+    fi
+fi
+
+exit 0

dicos/90_redis.xml

@@ -6,10 +6,12 @@
         <file filelist='redis' name='/etc/redis/redis.conf' mkdir='True' rm='True'/>
         <file filelist='redisSlave' name='/etc/redis/redis-slave.conf' mkdir='True' rm='True'/>
         <file filelist='redisCl' name='/etc/redis/cluster.conf' source='redis-cluster.conf' mkdir='True' rm='True'/>
+	<file filelist='redisSSL' name='/etc/stunnel/redis-ssl.conf' mkdir='True' rm='True'/>
         <service servicelist="svredis">redis-server</service>
         <service servicelist="svredisSlave">redis2-server</service>
         <service_access service='redis-server'>
             <port service_accesslist='saRedis' protocol='tcp' port_type='SymLinkOption'>redisPort</port>
+            <port service_accesslist='saSSLRedis' protocol='tcp' port_type='SymLinkOption'>redisSSLPort</port>
             <port service_accesslist='saRedis' protocol='tcp' port_type='SymLinkOption'>redisClPort</port>
             <port service_accesslist='saRedisSlave' protocol='tcp' port_type='SymLinkOption'>redisPortSlave</port>
             <port service_accesslist='saRedisSlave' protocol='tcp' port_type='SymLinkOption'>redisClPortSlave</port>
@@ -29,6 +31,9 @@
             <variable name='redisMode' type='string' description="Mode d'utilisation de Redis">
                 <value>Local</value>
             </variable>
+	    <variable name='redisSSL' type='oui/non' description="Activer le support SSL pour redis">
+		    <value>non</value>
+	    </variable>
             <variable name='redisSlaveInstance' type='oui/non' description="Voulez-vous lancer une instance esclave Redis sur ce serveur ?">
                 <value>non</value>
             </variable>
@@ -38,6 +43,12 @@
             <variable name='redisPort' type='number' description="Port d'écoute du service Redis">
                 <value>6379</value>
             </variable>
+            <variable name='redisSSLPort' type='port' description="Port d'écoute SSL du service Redis">
+                <value>6380</value>
+            </variable>
+            <variable name='redisSSLVersion' type='string' description="Version du protocole SSL">
+                <value>TLSv1</value>
+            </variable>
             <variable name='redisClPort' type='number' description="Port d'écoute du service Cluster Redis"/>
             <variable name='redisMaxMemory' type='number' description="Quantité de mémoire utilisable par Redis en Mo">
                 <value>512</value>
@@ -127,6 +138,12 @@
             <target type='servicelist'>svredis</target>
         </condition>
 
+	<condition name='disabled_if_in' source="redisSSL">
+	    <param>non</param>
+	    <target type='variable'>redisSSLPort</target>
+	    <target type='service_accesslist'>saSSLRedis</target>
+	</condition>
+
         <condition name='disabled_if_in' source='redisSlaveInstance'>
             <param>non</param>
             <target type='filelist'>redisSlave</target>

dicos/90_stunnel.xml

@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<creole>
+    <files>
+        <!-- System configuration -->
+        <file filelist='stunnel' name='/etc/default/stunnel4' source='stunnel_default' mkdir='True' rm='True'/>
+        <file filelist='stunnel-custom' name='/etc/stunnel/eole-tunnel.conf' source='stunnel.conf' mkdir='True' rm='True'/>
+        <file filelist='stunnel-custom' name='/usr/share/eole/bastion/data/90-stunnel_dynamic_rules' mode='0755' rm='True'/>
+        <service servicelist="stunnel">stunnel4</service>
+    </files>
+    <variables>
+        <family name='Services'>
+            <variable name='activer_stunnel' type='oui/non' description="Activer Stunnel (serveur mandataire SSL) ?">
+                <value>oui</value>
+            </variable>
+        </family>
+        <family name="stunnel" mode='expert'>
+            <variable name='stunnel_opts' type='string' description="Options complémentaires pour Stunnel"/>
+            <variable name='stunnel_add_tunnels' type='oui/non' description="Ajouter de entrées stunnel personnalisée">
+                <value>non</value>
+            </variable>
+            <variable name="stunnel_name" type='string' description="Nom du tunnel SSL" multi="True"/>
+            <variable name="stunnel_accept_ip" type='ip' description="IP d'écoute du tunnel"/>
+            <variable name="stunnel_accept_port" type="port" description=" Port d'écoute du tunnel"/>
+            <variable name="stunnel_connect_ip" type="ip" description="IP du service à la sortie du tunnel"/>
+            <variable name="stunnel_connect_port" type="port" description="Port d'écoute du service à la sortie du tunnel"/>
+            <variable name="stunnel_ssl_version" type="string" description="Version SSL">
+                <value>TLSv1</value>
+            </variable>
+        </family>
+    </variables>
+    <constraints>
+        <condition name='disabled_if_in' source='activer_stunnel'>
+            <param>non</param>
+            <target type='filelist'>stunnel-custom</target>
+            <target type='filelist'>stunnel</target>
+            <target type='family'>stunnel</target>
+            <target type='servicelist'>stunnel</target>
+            <target type='service_accesslist'>saStunnel</target>
+        </condition>
+        <condition name='disabled_if_in' source='stunnel_add_tunnels'>
+            <param>non</param>
+            <target type='filelist'>stunnel-custom</target>
+            <target type='variable'>stunnel_name</target>
+            <target type='variable'>stunnel_accept_ip</target>
+            <target type='variable'>stunnel_accept_port</target>
+            <target type='variable'>stunnel_connect_ip</target>
+            <target type='variable'>stunnel_connect_port</target>
+            <target type='variable'>stunnel_ssl_version</target>
+        </condition>
+        <group master='stunnel_name'>
+            <slave>stunnel_accept_ip</slave>
+            <slave>stunnel_accept_port</slave>
+            <slave>stunnel_connect_ip</slave>
+            <slave>stunnel_connect_port</slave>
+            <slave>stunnel_ssl_version</slave>
+        </group>
+
+    </constraints>
+    <help>
+        <variable name='activer_stunnel'>Activer le service mandataire SSL (stunnel)</variable>
+    </help>
+</creole>

tmpl/90-stunnel_dynamic_rules

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+%for %%tunnel in %%stunnel_name
+   %for %%int_idx in %%range(0, %%int(%%nombre_interfaces))
+/sbin/iptables -A eth%%{int_idx}-root -s 0.0.0.0/0.0.0.0  -p tcp -m tcp --dport %%tunnel.stunnel_accept_port --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
+   %end for
+%end for

tmpl/redis-ssl.conf

@@ -0,0 +1,12 @@
+pid = /var/run/redis-stunnel.pid
+
+%if %%redisMode == "Local"
+[redis-local]
+cert = %%server_cert
+key = %%server_key
+CApath  = %%os.path.dirname(%%server_cert)
+verify = 2
+SSLversion=%%redisSSLVersion
+accept = %%redisSSLPort
+connect = %%redisPort
+%end if

tmpl/stunnel.conf

@@ -0,0 +1,19 @@
+pid = /var/run/stunnel.pid
+%for %%tunnel in %%stunnel_name
+[%%tunnel]
+cert = %%server_cert
+key = %%server_key
+CApath  = %%os.path.dirname(%%server_cert)
+verify = 2
+SSLversion=%%tunnel.stunnel_ssl_version
+    %if %%is_empty(%%tunnel.stunnel_accept_ip)
+accept = %%tunnel.stunnel_accept_port
+    %else
+accept = %%{tunnel.stunnel_accept_ip}:%%{tunnel.stunnel_accept_port}
+    %end if
+    %if %%is_empty(%%tunnel.stunnel_connect_ip)
+connect = %%tunnel.stunnel_connect_port
+    %else
+connect = %%{tunnel.stunnel_connect_ip}:%%{tunnel.stunnel_connect_port}
+    %end if
+%end for

tmpl/stunnel_default

@@ -0,0 +1,18 @@
+# /etc/default/stunnel
+# Julien LEMOINE <speedblue@debian.org>
+# September 2003
+
+# Change to one to enable stunnel automatic startup
+ENABLED=1
+FILES="/etc/stunnel/*.conf"
+OPTIONS="%%stunnel_opts"
+
+# Change to one to enable ppp restart scripts
+PPP_RESTART=0
+
+# Change to enable the setting of limits on the stunnel instances
+# For example, to set a large limit on file descriptors (to enable
+# more simultaneous client connections), set RLIMITS="-n 4096"
+# More than one resource limit may be modified at the same time,
+# e.g. RLIMITS="-n 4096 -d unlimited"
+RLIMITS=""