Adding SSL support to eole-redis.

Ubuntu don't build redis with SSL support so we
use Stunnel to fill the gap.

Here we add Stunnel full EOLE integration and Redis specifics.

Maybe later we will want to have a specific package for eole-stunnel.

ref #30338

Makefile

@@ -5,7 +5,7 @@
 SOURCE=eole-redis
 VERSION=0.0.1
 EOLE_VERSION=2.7
-EOLE_RELEASE=2.7.2
+EOLE_RELEASE=2.7.1
 PKGAPPS=non
 #FLASK_MODULE=<APPLICATION>
 

debian/compat

@@ -1 +0,0 @@
-9

debian/control

@@ -1,16 +0,0 @@
-Source: eole-redis
-Section: web
-Priority: optional
-Maintainer: Cadoles <eole@ac-dijon.fr>
-Build-Depends: debhelper (>= 9)
-Standards-Version: 3.9.3
-Homepage: https://forge.cadoles.com/Cadoles/eole-redis
-Vcs-Git: https://forge.cadoles.com/Cadoles/eole-redis.git
-Vcs-Browser: https://forge.cadoles.com/Cadoles/eole-redis
-
-Package: eole-redis
-Architecture: all
-Depends: ${misc:Depends}, redis-server
-Description: Dictionnaires et templates pour la configuration d'un serveur redis, testée uniquement avec eolebase
- .
- Pour toute information complémentaire, veuillez vous rendre sur la forge Cadoles.

debian/copyright

@@ -1,44 +0,0 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: {PROJECT}
-Source: {URL}
-
-Files: *
-Copyright: YEAR {UPSTREAM} {AUTHOR} <{MAIL}>
-License: {UPSTREAM LICENSE}
-
-Files: debian/*
-Copyright: 2012 Équipe EOLE <eole@ac-dijon.fr>
-License: CeCILL-2
-
-License: {UPSTREAM LICENSE}
- {TEXT OF THE LICENSE}
-
-License: CeCILL-2
- This software is governed by the CeCILL-2 license under French law and
- abiding by the rules of distribution of free software.  You can  use,
- modify and or redistribute the software under the terms of the CeCILL-2
- license as circulated by CEA, CNRS and INRIA at the following URL
- "http://www.cecill.info";.
- .
- As a counterpart to the access to the source code and  rights to copy,
- modify and redistribute granted by the license, users are provided only
- with a limited warranty  and the software's author,  the holder of the
- economic rights,  and the successive licensors  have only  limited
- liability.
- .
- In this respect, the user's attention is drawn to the risks associated
- with loading,  using,  modifying and/or developing or reproducing the
- software by the user in light of its specific status of free software,
- that may mean  that it is complicated to manipulate,  and  that  also
- therefore means  that it is reserved for developers  and  experienced
- professionals having in-depth computer knowledge. Users are therefore
- encouraged to load and test the software's suitability as regards their
- requirements in conditions enabling the security of their systems and/or
- data to be ensured and,  more generally, to use and operate it in the
- same conditions as regards security.
- .
- The fact that you are presently reading this means that you have had
- knowledge of the CeCILL-2 license and that you accept its terms.
- .
- On Eole systems, the complete text of the CeCILL-2 License can be found
- in '/usr/share/common-licenses/CeCILL-2-en'.

debian/eole-redis.redis2-server.service

@@ -1 +0,0 @@
-../init/redis2-server.service

debian/gbp.conf

@@ -1,3 +0,0 @@
-# Set per distribution debian tag
-[DEFAULT]
-debian-tag = debian/eole/%(version)s

debian/preinst

@@ -1,35 +0,0 @@
-#!/bin/sh
-# preinst script for eole-redis
-#
-# see: dh_installdeb(1)
-
-set -e
-
-# summary of how this script can be called:
-#        * <new-preinst> `install'
-#        * <new-preinst> `install' <old-version>
-#        * <new-preinst> `upgrade' <old-version>
-#        * <old-preinst> `abort-upgrade' <new-version>
-# for details, see https://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-case "$1" in
-    install|upgrade)
-        deb-systemd-helper mask redis-server.service
-    ;;
-
-    abort-upgrade)
-    ;;
-
-    *)
-        echo "preinst called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0

debian/rules

@@ -1,18 +0,0 @@
-#!/usr/bin/make -f
-# -*- makefile -*-
-
-# Uncomment this to turn on verbose mode.
-#export DH_VERBOSE=1
-
-%:
-	dh $@
-
-# Force init script name
-override_dh_installinit:
-	dh_installinit --noscripts -peole-redis --name=redis2-server $@
-
-override_dh_systemd_enable:
-	dh_systemd_enable -peole-redis --name=redis2-server
-
-override_dh_systemd_start:
-	dh_systemd_start -peole-server --no-start --no-restart-on-upgrade redis2-server

debian/source/format

@@ -1 +0,0 @@
-3.0 (native)

diagnose/70_redis

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+if [ $(CreoleGet activer_redis) = "oui" ];then
+    . /usr/lib/eole/diagnose.sh
+
+    EchoGras "*** Service Redis"
+    nbIface=$(CreoleGet nombre_interfaces)
+    ssl=$(CreoleGet redisSSL non)
+    if [ ${nbIface} -eq 1 ]
+    then
+        TestService "Redis master iface 0" $(CreoleGet "adresse_ip_eth0"):$(CreoleGet "redisPort")
+        if [ ${ssl}  = "oui" ]
+        then
+            TestService "Redis master SSL iface 0" $(CreoleGet "adresse_ip_eth0"):$(CreoleGet "redisSSLPort")
+        fi
+        echo
+    else
+        for iface in $(seq 0 ${nbIface})
+        do
+            TestService "Redis master iface ${iface}" $(CreoleGet "adresse_ip_eth${iface}"):$(CreoleGet "redisPort")
+            if [ ${ssl} = "oui" ]
+            then
+                TestService "Redis master SSL iface ${iface}" $(CreoleGet "adresse_ip_eth0"):$(CreoleGet "redisSSLPort")
+            fi
+            echo
+        done
+    fi
+fi
+
+exit 0

diagnose/70_stunnel

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+if [ $(CreoleGet activer_stunnel) = "oui" ];then
+    if [ $(CreoleGet stunnel_add_tunnels non ) = "oui" ];then
+        . /usr/lib/eole/diagnose.sh
+
+        EchoGras "*** Service Stunnel"
+        name=($(CreoleGet stunnel_name))
+        acc_ip=($(CreoleGet stunnel_accept_ip))
+        acc_port=($(CreoleGet stunnel_accept_port))
+        conn_ip=($(CreoleGet stunnel_connect_ip))
+        conn_port=($(CreoleGet stunnel_connect_port))
+        
+        len=${#name[@]}
+        for (( i=0; i<$len; i++ ))
+        do 
+            TestService "Tunnel ${name[$i]}: ${acc_ip}:${acc_port} => ${conn_ip}:${conn_port}" ${acc_ip}:${acc_port}
+        done
+        echo
+    fi
+fi
+
+exit 0

dicos/90_redis.xml

@@ -6,10 +6,12 @@
         <file filelist='redis' name='/etc/redis/redis.conf' mkdir='True' rm='True'/>
         <file filelist='redisSlave' name='/etc/redis/redis-slave.conf' mkdir='True' rm='True'/>
         <file filelist='redisCl' name='/etc/redis/cluster.conf' source='redis-cluster.conf' mkdir='True' rm='True'/>
+	<file filelist='redisSSL' name='/etc/stunnel/redis-ssl.conf' mkdir='True' rm='True'/>
         <service servicelist="svredis">redis-server</service>
         <service servicelist="svredisSlave">redis2-server</service>
         <service_access service='redis-server'>
             <port service_accesslist='saRedis' protocol='tcp' port_type='SymLinkOption'>redisPort</port>
+            <port service_accesslist='saSSLRedis' protocol='tcp' port_type='SymLinkOption'>redisSSLPort</port>
             <port service_accesslist='saRedis' protocol='tcp' port_type='SymLinkOption'>redisClPort</port>
             <port service_accesslist='saRedisSlave' protocol='tcp' port_type='SymLinkOption'>redisPortSlave</port>
             <port service_accesslist='saRedisSlave' protocol='tcp' port_type='SymLinkOption'>redisClPortSlave</port>
@@ -29,6 +31,9 @@
             <variable name='redisMode' type='string' description="Mode d'utilisation de Redis">
                 <value>Local</value>
             </variable>
+	    <variable name='redisSSL' type='oui/non' description="Activer le support SSL pour redis">
+		    <value>non</value>
+	    </variable>
             <variable name='redisSlaveInstance' type='oui/non' description="Voulez-vous lancer une instance esclave Redis sur ce serveur ?">
                 <value>non</value>
             </variable>
@@ -38,6 +43,12 @@
             <variable name='redisPort' type='number' description="Port d'écoute du service Redis">
                 <value>6379</value>
             </variable>
+            <variable name='redisSSLPort' type='port' description="Port d'écoute SSL du service Redis">
+                <value>6380</value>
+            </variable>
+            <variable name='redisSSLVersion' type='string' description="Version du protocole SSL">
+                <value>TLSv1</value>
+            </variable>
             <variable name='redisClPort' type='number' description="Port d'écoute du service Cluster Redis"/>
             <variable name='redisMaxMemory' type='number' description="Quantité de mémoire utilisable par Redis en Mo">
                 <value>512</value>
@@ -127,6 +138,12 @@
             <target type='servicelist'>svredis</target>
         </condition>
 
+	<condition name='disabled_if_in' source="redisSSL">
+	    <param>non</param>
+	    <target type='variable'>redisSSLPort</target>
+	    <target type='service_accesslist'>saSSLRedis</target>
+	</condition>
+
         <condition name='disabled_if_in' source='redisSlaveInstance'>
             <param>non</param>
             <target type='filelist'>redisSlave</target>

dicos/90_stunnel.xml

@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<creole>
+    <files>
+        <!-- System configuration -->
+        <file filelist='stunnel' name='/etc/default/stunnel4' source='stunnel_default' mkdir='True' rm='True'/>
+        <file filelist='stunnel-custom' name='/etc/stunnel/eole-tunnel.conf' source='stunnel.conf' mkdir='True' rm='True'/>
+        <file filelist='stunnel-custom' name='/usr/share/eole/bastion/data/90-stunnel_dynamic_rules' mode='0755' rm='True'/>
+        <service servicelist="stunnel">stunnel4</service>
+    </files>
+    <variables>
+        <family name='Services'>
+            <variable name='activer_stunnel' type='oui/non' description="Activer Stunnel (serveur mandataire SSL) ?">
+                <value>oui</value>
+            </variable>
+        </family>
+        <family name="stunnel" mode='expert'>
+            <variable name='stunnel_opts' type='string' description="Options complémentaires pour Stunnel"/>
+            <variable name='stunnel_add_tunnels' type='oui/non' description="Ajouter de entrées stunnel personnalisée">
+                <value>non</value>
+            </variable>
+            <variable name="stunnel_name" type='string' description="Nom du tunnel SSL" multi="True"/>
+            <variable name="stunnel_accept_ip" type='ip' description="IP d'écoute du tunnel"/>
+            <variable name="stunnel_accept_port" type="port" description=" Port d'écoute du tunnel"/>
+            <variable name="stunnel_connect_ip" type="ip" description="IP du service à la sortie du tunnel"/>
+            <variable name="stunnel_connect_port" type="port" description="Port d'écoute du service à la sortie du tunnel"/>
+            <variable name="stunnel_ssl_version" type="string" description="Version SSL">
+                <value>TLSv1</value>
+            </variable>
+        </family>
+    </variables>
+    <constraints>
+        <condition name='disabled_if_in' source='activer_stunnel'>
+            <param>non</param>
+            <target type='filelist'>stunnel-custom</target>
+            <target type='filelist'>stunnel</target>
+            <target type='family'>stunnel</target>
+            <target type='servicelist'>stunnel</target>
+            <target type='service_accesslist'>saStunnel</target>
+        </condition>
+        <condition name='disabled_if_in' source='stunnel_add_tunnels'>
+            <param>non</param>
+            <target type='filelist'>stunnel-custom</target>
+            <target type='variable'>stunnel_name</target>
+            <target type='variable'>stunnel_accept_ip</target>
+            <target type='variable'>stunnel_accept_port</target>
+            <target type='variable'>stunnel_connect_ip</target>
+            <target type='variable'>stunnel_connect_port</target>
+            <target type='variable'>stunnel_ssl_version</target>
+        </condition>
+        <group master='stunnel_name'>
+            <slave>stunnel_accept_ip</slave>
+            <slave>stunnel_accept_port</slave>
+            <slave>stunnel_connect_ip</slave>
+            <slave>stunnel_connect_port</slave>
+            <slave>stunnel_ssl_version</slave>
+        </group>
+
+    </constraints>
+    <help>
+        <variable name='activer_stunnel'>Activer le service mandataire SSL (stunnel)</variable>
+    </help>
+</creole>

tmpl/90-stunnel_dynamic_rules

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+%for %%tunnel in %%stunnel_name
+   %for %%int_idx in %%range(0, %%int(%%nombre_interfaces))
+/sbin/iptables -A eth%%{int_idx}-root -s 0.0.0.0/0.0.0.0  -p tcp -m tcp --dport %%tunnel.stunnel_accept_port --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
+   %end for
+%end for

tmpl/redis-ssl.conf

@@ -0,0 +1,12 @@
+pid = /var/run/redis-stunnel.pid
+
+%if %%redisMode == "Local"
+[redis-local]
+cert = %%server_cert
+key = %%server_key
+CApath  = %%os.path.dirname(%%server_cert)
+verify = 2
+SSLversion=%%redisSSLVersion
+accept = %%redisSSLPort
+connect = %%redisPort
+%end if

tmpl/stunnel.conf

@@ -0,0 +1,19 @@
+pid = /var/run/stunnel.pid
+%for %%tunnel in %%stunnel_name
+[%%tunnel]
+cert = %%server_cert
+key = %%server_key
+CApath  = %%os.path.dirname(%%server_cert)
+verify = 2
+SSLversion=%%tunnel.stunnel_ssl_version
+    %if %%is_empty(%%tunnel.stunnel_accept_ip)
+accept = %%tunnel.stunnel_accept_port
+    %else
+accept = %%{tunnel.stunnel_accept_ip}:%%{tunnel.stunnel_accept_port}
+    %end if
+    %if %%is_empty(%%tunnel.stunnel_connect_ip)
+connect = %%tunnel.stunnel_connect_port
+    %else
+connect = %%{tunnel.stunnel_connect_ip}:%%{tunnel.stunnel_connect_port}
+    %end if
+%end for

tmpl/stunnel_default

@@ -0,0 +1,18 @@
+# /etc/default/stunnel
+# Julien LEMOINE <speedblue@debian.org>
+# September 2003
+
+# Change to one to enable stunnel automatic startup
+ENABLED=1
+FILES="/etc/stunnel/*.conf"
+OPTIONS="%%stunnel_opts"
+
+# Change to one to enable ppp restart scripts
+PPP_RESTART=0
+
+# Change to enable the setting of limits on the stunnel instances
+# For example, to set a large limit on file descriptors (to enable
+# more simultaneous client connections), set RLIMITS="-n 4096"
+# More than one resource limit may be modified at the same time,
+# e.g. RLIMITS="-n 4096 -d unlimited"
+RLIMITS=""